
Report annotated as “[SUSPECTED spam]” by IronPort


Warden


The personal copy of an outgoing report I received today arrived with “[SUSPECTED spam]” injected into the subject line:

X-IronPort-Anti-spam-Filtered: true
Subject: [SUSPECTED spam] [SpamCop (80.94.95.83) id:7253373020]Re: lening
X-IronPort-AV: E=McAfee;i="6600,9927,10671"; a="288091"
X-IronPort-AV: E=Sophos;i="5.98,321,1673942400"; 
   d="scan'208,217";a="288091"
Received: from vmx.spamcop.net ([184.94.240.100])
  by esa2.spamcop.iphmx.com with ESMTP; 05 Apr 2023 06:55:44 -0800

Is this expected? I’m surprised to see SpamCop marking its own outgoing mail as spam.


Check with your email app or security app. For example, depending on your settings, Thunderbird or Norton can insert that type of warning into the subject line of what they suspect to be spam or a scam.

I have been getting [SUSPECTED scam] inserted into the subjects of followup emails from stores I have bought something from when they include survey questions.

All part of efforts to protect us from ourselves.


27 minutes ago, Warden said:

What is your interpretation of the headers excerpt I provided?

That doesn't mean it is SpamCop's IronPort server stamping "[SUSPECTED scam]" in the subject line!
I get a lot of email forwarded through SpamCop's email server and it has never happened to me,
including with real spam. Gmail does stamp malicious email; SpamCop does not filter for spam!
https://ibb.co/RcJbTNY


I think we need to clarify whether you are running IronPort at your email host, and whether you were indicating that it could be that IronPort that is adding it.

From what I can see from the headers, it was added after vmx.spamcop.net sent it on its way. Something added it after.

Edited by gnarlymarley

Since April 1st I am receiving the occasional spam report (the ones I send to myself from spamcop) which has the [SUSPECTED spam] marking added to the front of the subject line.
I have the feeling that IronPort (SpamCop/Cisco) itself is adding that stamp, since it is coming directly from there.
I get my mail through google, and only a few of the spam reports since 20230401 have that stamp, and only the spam reports. Not the spam, not other emails, and not even "suspected spam".

[Two Gmail screenshots: "Search results - Gmail" and "Spamcop (268) - Gmail"]

As you can see, everything [SUSPECTED spam] is (in my case) added to some reports from SC.

Edited by RobiBue
added images

Every email application, host, and ISP between the source of an email (IronPort) and your screen can, and does, modify the headers of a received email.

It does not make much sense to me for SpamCop to generate an email to you AND mark the subject line as [SUSPECTED spam].

Since the beginning of time, different ISPs/email apps have marked or blocked email from @spamcop.net as spam. There have been several reasons, some as simple-minded as the word 'spam' in the domain name. SpamCop emails also include links which include the word 'spam'. Other links may be to domains that have been identified as sources of spam.


And just now, I did another search in my history and found that back in 2009, a mail list running Barracuda had exactly the same add-on. The list manager did remove it: "I believe I've turned off the subject mangler." 😁

but that was in 2009...

Edited by RobiBue

I know that it doesn't make sense, but there is no other explanation... (and also sorry for this "very long dissection")
TL;DR: IronPort mail server changes the Subject: line.


Sometime at the end of March, SpamCop's servers were moved (at least that's what I understood) and the new flow of reports goes through a different set of mail servers (or at least one additional set).

Here's one I took apart, which is the first [SUSPECTED spam] in over a decade (back between November 2008 and April 2009 I received a few like that, marked by Barracuda, but it caused more headache than good, so the list manager fixed the spam filter to disable the "subject mangler").
Now just to clarify: this is not the one from back in 2008/9; this is the first one I received like this, on April 1st.

Received: by 2002:a05:6520:144:b0:258:69b6:a43 with SMTP id n4csp534227lku;
        Sat, 1 Apr 2023 11:33:58 -0700 (PDT)
Received: from esa1.spamcop.iphmx.com (esa1.spamcop.iphmx.com. [68.232.142.20])
        by mx.google.com with ESMTP id b11-20020a621b0b000000b0062dabeefa60si5083852pfb.277.2023.04.01.11.33.57
        Sat, 01 Apr 2023 11:33:57 -0700 (PDT)
X-IPAS-Result: [some data]
IronPort-Data: [some more data]
IronPort-HdrOrdr: [a little more data]
X-IronPort-Anti-spam-Filtered: true
Subject: [SUSPECTED spam] [SpamCop (2603:10b6:408:10b:0:0:0:15) id:7252589014]Verification
X-IronPort-AV: E=McAfee;i="6600,9927,10667"; a="154996"
X-IronPort-AV: E=Sophos;i="5.98,311,1673942400";
    d="scan'208,217";a="154996"
Received: from vmx.spamcop.net ([184.94.240.100])
  by esa1.spamcop.iphmx.com with ESMTP; 01 Apr 2023 10:33:55 -0800
IronPort-SDR: [other data]
X-Corpus-CASE-Score: 0
Received: from prod-sc-www02.sv4.ironport.com (HELO prod-sc-www02.spamcop.net) ([10.8.129.226])
  by prod-sc-smtp-vip.sv4.ironport.com with SMTP; 01 Apr 2023 11:33:56 -0700
Received: from [my IP address] by spamcop.net with HTTP; Sat, 01 Apr 2023 18:33:56 GMT

So I send the spam as email, and the system registers my IP and the time it received it:

  • Received: from [my IP address] by spamcop.net with HTTP; Sat, 01 Apr 2023 18:33:56 GMT

Then there is some "internal" handling:

  • Received: from prod-sc-www02.sv4.ironport.com (HELO prod-sc-www02.spamcop.net) ([10.8.129.226])
      by prod-sc-smtp-vip.sv4.ironport.com with SMTP; 01 Apr 2023 11:33:56 -0700
  • Received: from vmx.spamcop.net ([184.94.240.100])
      by esa1.spamcop.iphmx.com with ESMTP; 01 Apr 2023 10:33:55 -0800

    sometimes it's esa2.spamcop.iphmx.com.

Here I have the inkling that esa1.spamcop.iphmx.com is the IronPort server that handles the spam volume and changes (or adds to) the Subject: line, since the Subject: line is right there in between the X-IronPort-... and the IronPort-SDR as well as X-Corpus-CASE-Score headers.

Then Google receives it and places it in my inbox...

Reports that are unaffected look like this:

Received: by 2002:a05:6520:144:b0:258:69b6:a43 with SMTP id n4csp1220378lku;
        Sat, 15 Apr 2023 12:01:56 -0700 (PDT)
Received: from esa2.spamcop.iphmx.com (esa2.spamcop.iphmx.com. [68.232.143.151])
        by mx.google.com with ESMTP id up37-20020a170907cca500b0094f3b71946dsi558548ejc.870.2023.04.15.12.01.55
        Sat, 15 Apr 2023 12:01:56 -0700 (PDT)
X-IPAS-Result: [some data]
IronPort-Data: [some more data]
IronPort-HdrOrdr: [a little more data]
X-Talos-CUID: [data]
X-Talos-MUID: [data]
X-IronPort-Anti-spam-Filtered: true
X-IronPort-AV: E=McAfee;i="6600,9927,10681"; a="563322"
X-IronPort-AV: E=Sophos;i="5.99,200,1677571200";
    d="scan'208";a="563322"
Received: from vmx.spamcop.net ([184.94.240.100])
  by esa2.spamcop.iphmx.com with ESMTP; 15 Apr 2023 11:01:53 -0800
IronPort-SDR: [other data]
X-Corpus-CASE-Score: 0
Received: from prod-sc-www02.sv4.ironport.com (HELO prod-sc-www02.spamcop.net) ([10.8.129.226])
  by prod-sc-smtp-vip.sv4.ironport.com with SMTP; 15 Apr 2023 12:01:54 -0700
Received: from [my IP address] by spamcop.net with HTTP; Sat, 15 Apr 2023 19:01:54 GMT
From: <me>
To: <me>
Subject: [SpamCop (2001:8d8:81c:9c00:0:0:63:3ff4) id:7255148248]=?UTF-8?Q?[Easy_Litiges]_D=C3=A9tails_de_connexion..

What is interesting is that these have X-Talos-... headers, and the subject line is after the From: and To: lines.

Before the change at the end of March:

Received: by 2002:a05:6520:144:b0:258:69b6:a43 with SMTP id n4csp229177lku;
        Mon, 20 Mar 2023 03:02:34 -0700 (PDT)
Received: from vmx.spamcop.net ([184.94.240.100])
        by mx.google.com with ESMTPS id t199-20020a37aad0000000b006fef590aaf1si2538508qke.0.2023.03.20.03.02.33
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Mon, 20 Mar 2023 03:02:33 -0700 (PDT)
IronPort-SDR: [other data]
X-Corpus-CASE-Score: 0
Received: from prod-sc-www01.sv4.ironport.com (HELO prod-sc-www01.spamcop.net) ([10.8.129.225])
  by prod-sc-smtp-vip.sv4.ironport.com with SMTP; 20 Mar 2023 03:02:33 -0700
Received: from [my IP address] by spamcop.net with HTTP; Mon, 20 Mar 2023 10:02:32 GMT
From: <me>
To: <me>
Subject: [SpamCop (200.34.164.202) id:7249958650]Your Bitcoin Payment

There is no esa1/2.spamcop.iphmx.com server. Google received them directly from vmx.spamcop.net.

At least these are my findings, so I have a very strong suspicion that Cisco added an extra "outgoing layer of security" to the handling of the emails, and unfortunately, since they "are spam", they get flagged...

YMMV

 


On 4/12/2023 at 3:33 PM, gnarlymarley said:

I think we need to clarify whether you are running IronPort at your email host, and whether you were indicating that it could be that IronPort that is adding it.

Statement from my mail provider: “We don't make any changes to the content or existing headers of the email, so the [SUSPECTED spam] was definitely not added by us.”

0.06% of my mail contains the header X-IronPort-Anti-spam-Filtered. Of that, 40% is from government offices and 60% is from SpamCop, with all of the latter dated since 2023-03-31.



I had this happen twice and both times the message passed through 68.232.143.151 from vmx.spamcop.net. One was a reply from the sent report and the other was a reply from a submission. Looking at the headers, it appears that 68.232.143.151 is adding the "[SUSPECTED spam]" to the subject line. Now 68.232.143.151 has nothing to do with my email provider and does appear to be on rotation for outbound spamcop email being handed off from vmx.spamcop.net. It is a Cisco IP and I suspect that they might be filtering some outbound SpamCop communication through their IronPort scanner device.

 

Received: from esa2.spamcop.iphmx.com ([68.232.143.151]) by xxxx.xxxxxx.net with esmtp (Exim 4.95 (FreeBSD)) (envelope-from ) id 1q1XFZ-0008DD-QW for xxx@xxxxxx.net; Tue, 23 May 2023 13:00:53 -0600
Subject: [SUSPECTED spam] [SpamCop] has accepted 1 email for processing
X-IronPort-Anti-spam-Filtered: true
X-IronPort-AV: E=McAfee;i="6600,9927,10719"; a="1353018"
X-IronPort-AV: E=Sophos;i="6.00,187,1681200000";
d="scan'208";a="1353018"
Received: from vmx.spamcop.net ([184.94.240.100])
by esa2.spamcop.iphmx.com with ESMTP; 23 May 2023 11:00:18 -0800
DomainKey-Signature: s=devnull; d=spamcop.net; c=nofws; q=dns;
h=IronPort-SDR:X-Corpus-CASE-Score:Received:From:To:
Subject:Date:Message-ID:Content-type:In-Reply-To:
References;
b=dhBx0X/AzFN6FCrNTBEjQh/deUwupv6xL4TT0N6XmYenoRgvxZQPYHjL
RsbcYBPankAJEY16KErrhF8FRe4sppUP1i+B5vGnXlbSkGwyovvslLBdI
kesba/iz2nw9FOE;
IronPort-SDR: P/bxa4gtAG0V7ydKjrPBeh6A5x58CgwWO7dxx0NExjWGsAFIVAa6EYpnHauLige9TMGYQJp2x8 yPT3gweZ1b2qrxopuNRHfAi1g3Pg50pnYvGf3BopV06WMo5N8t+6pjdXpSH3+7TYfbaIqOVfQn sgsGRsXFxwtF8TarKFc0ilQG2GN38FRXh5PxcBt2ILsytIp3trn3zgCeP5/Tb8pJQH82DKy1+L 00gtJ06lnrZ/I8oDvAX26qyST0N5SFBh0NKDTYzeJyZYw5IlOm03ZhPVDjSJ8DPCkpKJVle5xC h/o=
X-Corpus-CASE-Score: 0
Received: from prod-sc-app008.sv4.ironport.com (HELO prod-sc-app008.spamcop.net) ([10.8.141.28])
by prod-sc-smtp-vip.sv4.ironport.com with SMTP; 23 May 2023 12:00:18 -0700


Received: from esa2.spamcop.iphmx.com (esa2.spamcop.iphmx.com. [68.232.143.151])
by mx.google.com with ESMTP id o2-20020a056402038200b0050bd38fcecbsi3104565edv.0.2023.05.10.13.32.59
for ;
Wed, 10 May 2023 13:33:00 -0700 (PDT)
IronPort-HdrOrdr: A9a23:CQ2/RK1c4fKqGjk3wau7VwqjBEAkLtp133Aq2lEZdPU0SK2lfq GV7Y4mPHDP+VIssR0b6La90aS7KhPhHP1OkPIs1NWZLWzbUQKTRekOg/qAsl/d8m/Fh5JgPM FbAtFD4bbLfD9HZKjBkXGFOudl6t+d6byzwc339VsodwttcK0I1W1E432gYzBLbTgDP4MwEL Cb/459qyOkaTA2Y97TPBU4dtmGncTCkJjheFo8CwM68w7LtDu06dfBfCSl4g==
X-Talos-CUID: 9a23:TzXDXWvb3c+PqjpAPyEPrfr56IsrKH7z3nn6EXW4NmpFTr2nTgeA/J5rxp8=
X-Talos-MUID: 9a23:4ZFVNguhHDB/JbWh7M2nngBaFPg4wbySNGNQzbUpofmcCSJAEmLI
X-IronPort-Anti-spam-Filtered: true
Subject: [SUSPECTED spam] [SpamCop (http://mailta.munged) id:munged]hello, gnarlymarley
X-IronPort-AV: E=McAfee;i="6600,9927,10706"; a="1069518"
X-IronPort-AV: E=Sophos;i="5.99,265,1677571200";
    d="scan'208,217";a="1069518"
Received: from vmx.spamcop.net ([184.94.240.100])
  by esa2.spamcop.iphmx.com with ESMTP; 10 May 2023 12:32:56 -0800
IronPort-SDR: Op0qdFbw3qTpzxwzbRYNUslrk/E9HN6qhsfwGOkLfy+KFgW9SAHwsNrTxm5dACzuHB/ydxhX4/ R5aGKLxl7KqFudzghBdoDZ92/cGn1Z5S2e492rA4fu7VZj2gnBY58AczOEGgE3cX0vFPPpkPq8 R10tePPqz2B5mgWQZauTkGQrk6OXarHljROKRnuMHCLSz29LvYUwfyLsoJnpCVjc8zyYXHQAFH kGtfpcGjZaEmslj+uEnUVT/lAFN12oz3PyPTkp7EM5IFhBLxoR/UMfzojiHXlSYWqu2t1TfNWf hzo=
X-Corpus-CASE-Score: 0
Received: from prod-sc-app006.sv4.ironport.com (HELO prod-sc-app006.spamcop.net) ([10.8.141.26])
  by prod-sc-smtp-vip.sv4.ironport.com with SMTP; 10 May 2023 13:32:56 -0700
X-SpamCop-Reply-Ids: 7259510028
X-Spamcop-Return-Path: <abuse+munged@exxxxxxxx.com>
Received: from vmx.spamcop.net (prod-sc-smtp12.sv4.ironport.com [10.8.129.222]) by prod-sc-app006.sv4.ironport.com (Postfix) with ESMTP id 4CB07F70F9 for <munged@reports.spamcop.net>; Wed, 10 May 2023 13:30:26 -0700 (PDT)
Authentication-Results: vmx.spamcop.net; dkim=none (message not signed) header.i=none
IronPort-SDR: LV95eyfrbKKjM6NYLpFr8GfvvFeukZ5l7kwCMf/rRiIGA4v6N4cFJYYVrAH30Sq3qX1qKMhAyD sTSUvIyZk8lrPLnkxWS+EYn6CMWf0VoyUFlSe7TTyGYYpchBs+wLJ8HOxrua0INCwbsye/tGM5 2T/LA/weCilraQAx1uLMp+1+Wh9HGmI8NDhGa7HMvezfpRrB84sxknzu4J3rdM6d4SXj0GzIA3 11ANBctLcOhkxDcYMn+YkBChda+nx/Az3ThRxPeS9Olu1USLNkE38BadRb0NEs2kVzHuKr0Xqu UOI=
Received: from smtp.egihosting.com ([72.13.81.20])
  by vmx.spamcop.net with ESMTP; 10 May 2023 13:30:26 -0700

 

Edited by gnarlymarley
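The reasoning RobiBue applies by eye above (and that gnarlymarley's two captures support) can be done mechanically: every MTA prepends its own Received: trace, so a header sits between the trace of the hop that added it (the first Received: below it) and the trace of the hop that received it next (the last Received: above it), and a Subject: with no Received: beneath it was part of the originally submitted message. The script below is an added example, not code from this thread, from SpamCop or from Cisco. The two header blocks it parses are constructed, modelled on the layouts posted in the thread; the hostnames are the ones shown in the posts, while the IDs, IP addresses and timestamps are placeholders.

```python
import re
from typing import Dict, List, Optional, Tuple

Header = Tuple[str, str]

# Constructed sample: a report whose Subject: was rewritten in transit.
# Hostnames follow the thread; IDs, IPs and timestamps are placeholders.
# Listed top-first, exactly as a raw message stores its headers.
TAGGED = """\
Received: from esa1.spamcop.iphmx.com (esa1.spamcop.iphmx.com. [68.232.142.20])
        by mx.google.com with ESMTP id EXAMPLE-GOOGLE-ID;
        Sat, 01 Apr 2023 11:33:57 -0700 (PDT)
X-IPAS-Result: [some data]
X-IronPort-Anti-spam-Filtered: true
Subject: [SUSPECTED spam] [SpamCop (203.0.113.5) id:0000000000]Verification
X-IronPort-AV: E=McAfee;i="0,0,0"; a="0"
Received: from vmx.spamcop.net ([184.94.240.100])
  by esa1.spamcop.iphmx.com with ESMTP; 01 Apr 2023 10:33:55 -0800
IronPort-SDR: [other data]
X-Corpus-CASE-Score: 0
Received: from prod-sc-www02.sv4.ironport.com (HELO prod-sc-www02.spamcop.net) ([10.8.129.226])
  by prod-sc-smtp-vip.sv4.ironport.com with SMTP; 01 Apr 2023 11:33:56 -0700
Received: from [198.51.100.7] by spamcop.net with HTTP; Sat, 01 Apr 2023 18:33:56 GMT
From: <me>
To: <me>
"""

# Constructed sample: an unaffected report, Subject: still below From:/To:.
UNTAGGED = """\
Received: from esa2.spamcop.iphmx.com (esa2.spamcop.iphmx.com. [68.232.143.151])
        by mx.google.com with ESMTP id EXAMPLE-GOOGLE-ID;
        Sat, 15 Apr 2023 12:01:56 -0700 (PDT)
X-Talos-CUID: [data]
X-IronPort-Anti-spam-Filtered: true
Received: from vmx.spamcop.net ([184.94.240.100])
  by esa2.spamcop.iphmx.com with ESMTP; 15 Apr 2023 11:01:53 -0800
X-Corpus-CASE-Score: 0
Received: from [198.51.100.7] by spamcop.net with HTTP; Sat, 15 Apr 2023 19:01:54 GMT
From: <me>
To: <me>
Subject: [SpamCop (203.0.113.5) id:0000000000]Verification
"""

BY_RE = re.compile(r"\bby\s+([^\s;()]+)", re.IGNORECASE)


def parse_headers(raw: str) -> List[Header]:
    """Split a raw header block into (name, value) pairs, top-first,
    joining folded continuation lines (lines that start with whitespace)."""
    headers: List[Header] = []
    for line in raw.splitlines():
        if not line.strip():
            break  # a blank line ends the header block
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def received_by(value: str) -> str:
    """Host named in the 'by' clause of a Received: value."""
    m = BY_RE.search(value)
    return m.group(1) if m else "?"


def hop_chain(headers: List[Header]) -> List[str]:
    """Receiving hosts in delivery order (origin first)."""
    return [received_by(v) for n, v in reversed(headers) if n.lower() == "received"]


def attribute_header(headers: List[Header], name: str) -> Dict[str, object]:
    """Locate header `name` and report which hop most plausibly wrote it,
    which hop received it next, and the other headers in the same segment."""
    idx = next((i for i, (n, _) in enumerate(headers) if n.lower() == name.lower()), None)
    if idx is None:
        return {"present": False}
    below = next((i for i in range(idx + 1, len(headers)) if headers[i][0].lower() == "received"), None)
    above = next((i for i in range(idx - 1, -1, -1) if headers[i][0].lower() == "received"), None)
    start = above + 1 if above is not None else 0
    stop = below if below is not None else len(headers)
    return {
        "present": True,
        "value": headers[idx][1],
        "added_by": received_by(headers[below][1]) if below is not None else "origin",
        "next_hop": received_by(headers[above][1]) if above is not None else None,
        "neighbours": [headers[i][0] for i in range(start, stop) if i != idx],
    }


def subject_tagged_by(raw: str, tag: str = "[SUSPECTED spam]") -> Optional[str]:
    """Host that most plausibly inserted `tag` into Subject:, or None if the tag is absent."""
    info = attribute_header(parse_headers(raw), "Subject")
    if not info.get("present") or not str(info["value"]).startswith(tag):
        return None
    return str(info["added_by"])


if __name__ == "__main__":
    for label, raw in (("tagged", TAGGED), ("untagged", UNTAGGED)):
        hdrs = parse_headers(raw)
        print(label, "->", " > ".join(hop_chain(hdrs)))
        print("  Subject:", attribute_header(hdrs, "Subject"))
        print("  tag inserted by:", subject_tagged_by(raw))
```

On the tagged sample the Subject: lands between the esa1 trace and Google's trace, alongside the X-IronPort-* headers, so `added_by` is esa1.spamcop.iphmx.com; on the untagged sample it sits below the HTTP submission trace and is attributed to the origin. The attribution is a placement heuristic, not proof: a hop can in principle add headers before writing its own trace, which is why the segment's neighbouring header names are returned as well.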
