csouter Posted September 15, 2006

Hello everyone, I have several email accounts, all of which are correctly configured and have been working correctly for SpamCop reporting for almost a year now. One of these accounts is with Gmail, which has also been working correctly, (as far as SpamCop reporting is concerned). The only problem I encountered with Gmail originally was that I have to report by the "paste-into-the-box" method: simple forwarding doesn't seem to work. Once I worked that out, it has been working OK for the last several months, except in this one single instance which occurred only today. I received the following error from SpamCop when I tried reporting the message referred to below:

Possible forgery. Supposed receiving system not associated with any of your mailhosts
Will not trust anything beyond this header
No source IP address found, cannot proceed.

Thinking that my mailhost configuration had somehow gotten messed up, I deleted the Gmail host and then added it back. I received five test messages, all of which were successful. I then submitted (via the "paste-into-the-box" method) two spams I had just received in my Gmail "spam" folder. Both reports went through OK. I then tried the message referred to below once again. The same error was returned again. The Tracking URL from the last filed reporting attempt is as follows:

http://www.spamcop.net/sc?id=z1065998506zd...843e1c924c0eabz

Now, I'm no expert on the internet email system, (or anything else to do with computers, for that matter), so I can't see what's wrong with the headers in the offending message. If anyone else would care to take a look at the tracking URL, I would appreciate it if they could maybe let me know what the problem is. I particularly wanted to report this message because it is a "pump-and-dump" stock spam. I have already forwarded it to KnujOn, but I think that the originating ISP should know about it as well.
(I always do this "double-barrelled" reporting - SpamCop for the originator and KnujOn for the URLs and the stock junk). Also, I would like to mention that I opened the Gmail account last February, and this spam message is the first that has ever gotten past Gmail's spam filters and found its way into my Inbox, (rather than the spam folder, that is). (For that matter, Gmail has never given me a false positive, either. Legitimate emails have never gone to my spam folder). It's just a little frustrating when everything has worked OK for me for almost a year now. What worries me the most is that the spammers may have found some way around SpamCop's parsing engine, or, at least, one particular spammer has managed it. Anyway, if someone here could take the time to look at the URL referred to above and maybe shed a little light on the problem, I, for one, would be very much obliged to you. Thanks in advance for your help. Best regards to all Chris Souter (Sydney, Australia)
Farelf Posted September 15, 2006

> ...Thinking that my mailhost configuration had somehow gotten messed up, I deleted the Gmail host and then added it back. I received five test messages, all of which were successful. I then submitted (via the "paste-into-the-box" method) two spams I had just received in my Gmail "spam" folder. Both reports went through OK. I then tried the message referred to below once again. The same error was returned again. The Tracking URL from the last filed reporting attempt is as follows: http://www.spamcop.net/sc?id=z1065998506zd...843e1c924c0eabz

Hi Chris. I'm afraid I don't know what Gmail headers usually look like, but in what I see in the report from your tracking URL (and even in your post above) you seem to have some strange line wrapping (when viewing "entire message"). When you tried pasting in the submission box, did the result look more like this:

http://www.spamcop.net/sc?id=z1066339431zf...7905a57bea216ez

than like the version in your tracker? How this has happened and why your email submissions might be affected I have no idea, but it is the only thing I can see that is "wrong" but, as said, not knowing exactly what Gmail headers should be like. I believe the line wrapping thing has come up before and hopefully someone can comment on whether this is likely to be the problem and how to fix it.
Wazoo Posted September 15, 2006

Second on Farelf's remarks .... additionally, the headers don't show a GMail account in use, rather a GoogleGroups MX in the mix .... though you may have a GMail account and a GoogleGroups address, these aren't the same thing at all ....
StevenUnderwood Posted September 15, 2006

> ...what I see in the report from your tracking URL (and even in your post above) you seem to have some strange line wrapping (when viewing "entire message").

But if you look at the tracker analysis, there is no wrapping at all on those lines, so that should not be a problem.
Farelf Posted September 15, 2006

> But if you look at the tracker analysis, there is no wrapping at all on those lines, so that should not be a problem.

Truth - but I've not seen such disparity between "views" before, looks sort of mangled. I thought it had to mean something. But I have a feeling Wazoo has put his finger on it. Something has changed, but just what? Chris S, can you dig up a tracker from before you started having troubles? We have to eliminate some possibilities but have only clues as yet.
csouter Posted September 16, 2006

> Truth - but I've not seen such disparity between "views" before, looks sort of mangled. I thought it had to mean something. But I have a feeling Wazoo has put his finger on it. Something has changed, but just what? Chris S, can you dig up a tracker from before you started having troubles? We have to eliminate some possibilities but have only clues as yet.

Hello, everyone, and thanks for reading! I've been looking for some other tracking URLs for recent reports from GMail, and here are the last three:

http://www.spamcop.net/sc?id=z1066565885z5...4f57d6c440abe2z
http://www.spamcop.net/sc?id=z1066565340zc...ef5b70313abb40z
http://www.spamcop.net/sc?id=z1066794963z7...7529f3354ad0eez

I'm not sure about the line-wrapping issue, because I just paste the highlighted material straight into the submission box. I have been using the same method ever since I started reporting from Gmail: Gmail and SpamCop should both be open and logged-in at the same time; they will, of course, be in separate browser windows or browser tabs.

1. Open message
2. Click "More options"
3. Click "Show original" (A new browser window will open)
4. From drop-down "Edit" menu, choose "Select all"
5. From drop-down "Edit" menu, choose "Copy"
6. Switch to SpamCop reporting browser window or tab
7. Right-click in submission box
8. Choose "Paste" from right-click popup menu.
9. Press "Process spam" button.
10. Wait for result of parsing
11. Click "Send spam Report(s) Now" button
12. Wait for confirmation of reporting
13. Repeat Steps 1-12 for each subsequent message
14. Quit when finished

This method has always worked, even before I re-setup the Gmail host configuration. It still works now, just *not* with this particular message. I am aware that I am not supposed to quote spam messages in this forum, but I think that to make myself clearer, I need to quote this one, rather than simply give the Tracking URL.
(You have already visited that URL anyway). So, please accept my apologies in advance. I saved a plain ASCII copy of the offending message, which is quoted below. Please note that it starts with a blank line, which is how the text editor rendered it on opening the file. The first dashed line below represents the top of the text editor's window when the file is opened. Note that the text is not wrapped, which is the text editor's default setting. The dashed line following the last line of text represents the position of the cursor after pressing <Ctrl+End>.

------------------------------------------------------------------

X-Gmail-Received: ff534277618cc2919c30c583020085db34afc23e
Delivered-To: csouter[at]gmail.com
Received: by 10.90.71.3 with SMTP id t3cs841379aga; Fri, 15 Sep 2006 01:02:02 -0700 (PDT)
Received: by 10.35.8.1 with SMTP id l1mr403554pyi; Fri, 15 Sep 2006 01:02:01 -0700 (PDT)
Return-Path: <JeromeJeffersonj[at]glwb.net>
Received: from pl044.nas937.p-okayama.nttpc.ne.jp (pl044.nas937.p-okayama.nttpc.ne.jp [219.102.50.44]) by mx.googlegroups.com with SMTP id c21si5865532pyc.2006.09.15.01.01.58; Fri, 15 Sep 2006 01:02:01 -0700 (PDT)
Received-SPF: neutral (googlegroups.com: 219.102.50.44 is neither permitted nor denied by best guess record for domain of JeromeJeffersonj[at]glwb.net)
Received: from [219.102.50.44] (helo=kaabo) by go4-mailrelay.itecnethost.com with smtp (Exim 4.60) (envelope-from <JulietteStuartx[at]itecnethost.com>) id 1JUZXZ-0009O2-1o
Message-ID: <13837.148076.5830.982516[at]itecnethost.com>
From: "Charlie-Madrid" <HelgaHagerw[at]itecnethost.com>
To: csouter[at]gmail.com
Cc: francocarlo[at]gmail.com, apdman[at]gmail.com
Subject: WARNING HEY
Date: Fri, 15 Sep 2006 03:02:16 -0600
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

The Bull Report Rep ort Fri, 15 Sep 2006 03:02:16 -0600 HY W I IS GOING TO BLOW UP! WATCH IT TOMORROW MORNING! Compan y ~ H ollywood Intermedia te I nc ~Sym bol~ ~HYW I~ Cur rently at ~ 0.158 O utlook ~ VERYST RONG BU Y Rec ent Ne ws~ Hollywood I n t e r m e d i a t e In c a provider of digital intermediate film mastering services, announced today the world premiere of "The Sensation of Sight" at the San Sebastian Film Festival. Get more info at Yahoo Financ e We strongly urge our members to get in while there's still time. THIS is the one all of you been waiting for!!! again into sound That is the outline of the thing which you will Black smoldring smoke from the green wood expires Charles Sumner was struck down in the United States Senate on
------------------------------------------------------------------

As you can see, nothing is wrapped. (However, maybe it will be after I paste this whole message into the forum window in the browser. I'll just have to see what it looks like after I have previewed the message before submission).

[Edit #1: The "Received:" line is wrapped in the preview after the [219.102.50.44]) character sequence; the "Received-SPF:" line is wrapped after the words "domain of". Nothing else is wrapped in the preview. The line breaks in the ASCII file correspond exactly to the preview, with the two exceptions I have mentioned above. Everything else corresponds to the ASCII file, even the white space.]

[Edit #2: The "Received-SPF:" line unwraps completely if I maximise the browser window. The "Received:" line still breaks at the same spot. Neither the "Received:" line, nor the "Received-SPF:" line is wrapped in the plain ASCII file. BTW, my screen resolution is 1280 X 1024.]

Regarding Wazoo's point about Google Groups: I am a member of some Google Groups, and, in fact, I tried to elicit some interest there (and also in the eBay User Forums) about the reporting and investigation of spam, specifically in relation to a case I recently had, of an "eBay PowerSeller" spamming former customers from outside of eBay.
It was at around that time that I also started receiving spam in my Gmail account. Basically, the reaction in both forums was: "Get a life! Just delete it! Forget about it!" I referred them to the KnujOn website, which has a lot of *very* convincing material in support of the argument "Don't just delete: report it, too!" I'm sorry to say that nobody gave a damn! I was very disappointed in their attitude towards this growing problem. I have not actually left the groups, but I haven't visited them in a long time. At any rate, I never gave out my email address publicly in these groups, not even my Gmail address to the Google Groups. Anyway, to follow on from Wazoo's point, (using my own cock-eyed reasoning) could it be at all possible that a spam message which was directed to Google Groups (or one of them in particular) could, by some mysterious alchemy within the internet mail system, end up in my particular Gmail Inbox? The email headers also show that the message was cc'd to two other Gmail addresses (probably invalid, if you know what I mean). If the message was directed to the Google Groups server, how did it get to the Gmail server? (I quite realise that some experts might think that this is a stupid question, but I really don't have time to wade through hundreds of pages of RFCs looking for answers, so, please don't flame me, just offer suggestions/theories, if you have any). One other possibility: Could the Google Groups MX have been hacked by a spammer exploit? In this regard, I know that Gmail must have been having big problems one day last week (I can't now remember which day, but about a week or ten days ago). Nothing was getting through for a period of about 24 hours. Then I started receiving messages that were up to 24 hours old. Gmail offered no explanation for this on their website or their login page. Just a thought, although I can't imagine that a DDOS on Gmail could have any hope of succeeding. 
That's all the information and/or suggestions I can supply at the moment. I would really like to thank you all for the interest you have shown in this problem. Best regards to you all, Chris Souter (Sydney, Australia).
Wazoo Posted September 16, 2006

Having been up for something like 40 hours, that red text is simply too hard to read. Technically, the posting of the spam and all the other "red text" didn't do much to 'further' explain things (to me) ..... So I'm only going to focus on parts of two lines; in your 'problem' spam:

Received-SPF: neutral (googlegroups.com: (in addition to the by mx.googlegroups.com )

your other three examples:

Received-SPF: neutral (gmail.com: ..... by mx.gmail.com
Received-SPF: error (gmail.com: error .... by mx.gmail.com
Received-SPF: neutral (gmail.com: .... by mx.gmail.com

Bottom line .... I'm saying that you have configured the gmail.com servers as part of your MailHost configuration of your Reporting account .. I don't believe that you have a GoogleGroups server configured in that list ..... not even sure that you can add one of these ... as I'm really, really tired, I can admit to being wrong .. so I'll just toss out here that there's the possibility that some user found one of your posts in one of those GoogleGroups and "made contact" with you from that screen .... thus invoking the use of a GoogleGroups MX server .... Google handled the rest of it 'internally' .... The only thing I can come up with for the odd wrapping would be the window/font size, though noting that I still don't think I saw what tools were in use (again, I gave up trying to focus on all the red text).... just also noting that this 'kind' of issue just came up during the attempted roll-out of the updated Horde/IMP web-mail application .. Mac users really complaining ... A non-MailHost configured parse can be seen at

http://www.spamcop.net/sc?id=z1066946900zd...c4217609098b86z
csouter Posted September 16, 2006

> Having been up for something like 40 hours, that red text is simply too hard to read. ...

Thanks for looking, Wazoo! Now, GET SOME SLEEP!!!!!! Sorry about the red text. I thought it would help to differentiate the message text from the surrounding post. I apologise! I don't really understand what you're saying about the Received-SPF: lines.
As I said before, I'm no mail expert... I'll try and research it a bit more in an effort (probably futile, at my age) to increase my highly inadequate technical understanding of the topic. Thanks for your help. Best regards Chris Souter
Wazoo Posted September 16, 2006

I used the SPF lines as they were easy to 'find' ..... the actual 'critical' header line is above that .. the line that includes the "by mx.googlegroups.com" (that fails) as compared to the parsed samples that show "by mx.gmail.com" ... this is the line that takes it outside your MailHosted Configurations, as the googlegroups MX server is not in your (or probably anyone else's) database.
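To make the point in the post above concrete, here is an added example (not part of the thread and not SpamCop's own code) of the two things the thread has been circling: unfolding headers that a client or browser has wrapped onto continuation lines (the line-wrapping question raised earlier), and walking the Received: chain from newest to oldest while trusting a hop only if its receiving ("by") host belongs to one of the reporter's configured mailhosts. The Received: chain in PROBLEM_HEADERS is transcribed from the spam quoted earlier in this thread (with the forum's "[at]" obfuscation kept); NORMAL_HEADERS is constructed for comparison, with a made-up SMTP id. The trust logic is a simplified model of the mailhost check, not SpamCop's parser, and treating from-less "Received: by 10.x.x.x" lines as internal hand-offs is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Received: chain transcribed from the spam quoted earlier in this thread,
# folded onto continuation lines the way a mail client or browser wraps it.
PROBLEM_HEADERS = """\
Delivered-To: csouter[at]gmail.com
Received: by 10.90.71.3 with SMTP id t3cs841379aga;
        Fri, 15 Sep 2006 01:02:02 -0700 (PDT)
Received: by 10.35.8.1 with SMTP id l1mr403554pyi;
        Fri, 15 Sep 2006 01:02:01 -0700 (PDT)
Return-Path: <JeromeJeffersonj[at]glwb.net>
Received: from pl044.nas937.p-okayama.nttpc.ne.jp
        (pl044.nas937.p-okayama.nttpc.ne.jp [219.102.50.44])
        by mx.googlegroups.com with SMTP id c21si5865532pyc.2006.09.15.01.01.58;
        Fri, 15 Sep 2006 01:02:01 -0700 (PDT)
Received: from [219.102.50.44] (helo=kaabo)
        by go4-mailrelay.itecnethost.com with smtp (Exim 4.60)
        (envelope-from <JulietteStuartx[at]itecnethost.com>)
        id 1JUZXZ-0009O2-1o
Subject: WARNING HEY
"""

# Constructed comparison (not from the thread): the same sending host, but
# handed to a gmail.com MX. The SMTP id is made up.
NORMAL_HEADERS = """\
Delivered-To: csouter[at]gmail.com
Received: by 10.90.71.3 with SMTP id t3cs841379aga;
        Fri, 15 Sep 2006 01:02:02 -0700 (PDT)
Received: from pl044.nas937.p-okayama.nttpc.ne.jp
        (pl044.nas937.p-okayama.nttpc.ne.jp [219.102.50.44])
        by mx.gmail.com with SMTP id x1si0000000example;
        Fri, 15 Sep 2006 01:02:01 -0700 (PDT)
Subject: test
"""


def unfold_headers(raw: str) -> list[tuple[str, str]]:
    """Join RFC 5322 folded lines (a continuation line starts with whitespace),
    then split each logical header into (name, value)."""
    logical: list[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and logical:
            logical[-1] += " " + line.strip()
        elif line.strip():
            logical.append(line)
    headers = []
    for line in logical:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return headers


@dataclass
class Trace:
    source_ip: Optional[str]      # IP that handed the mail to a trusted host
    untrusted_by: Optional[str]   # receiving host that broke the chain, if any
    message: str


_FROM_BY = re.compile(r"from\s+(?P<from>.*?)\s+by\s+(?P<by>[\w.\-]+)", re.I | re.S)
_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def is_trusted(host: str, mailhosts: set[str]) -> bool:
    """A receiving host is trusted if it is, or is a subdomain of, a mailhost."""
    host = host.lower()
    return any(host == m or host.endswith("." + m) for m in mailhosts)


def trace_source(raw: str, mailhosts: set[str]) -> Trace:
    """Walk Received: headers newest to oldest. Trust continues only while the
    receiving host belongs to one of the reporter's mailhosts; the first foreign
    receiver ends the chain, and the source is the bracketed 'from' IP of the
    last trusted hop. Simplified model of the mailhost check, not SpamCop's."""
    for name, value in unfold_headers(raw):
        if name.lower() != "received":
            continue
        m = _FROM_BY.match(value)
        if m is None:
            # "Received: by 10.x.x.x ..." with no 'from' clause: assumed to be an
            # internal hand-off inside the provider, carrying no source address
            continue
        by_host = m.group("by")
        if not is_trusted(by_host, mailhosts):
            return Trace(None, by_host,
                         f"Possible forgery. Supposed receiving system {by_host} "
                         "not associated with any of your mailhosts. "
                         "Will not trust anything beyond this header. "
                         "No source IP address found, cannot proceed.")
        ip = _IPV4.search(m.group("from"))
        if ip:
            return Trace(ip.group(1), None,
                         f"Source {ip.group(1)} handed mail to trusted host {by_host}")
    return Trace(None, None, "No source IP address found, cannot proceed.")


if __name__ == "__main__":
    for label, raw in (("problem spam", PROBLEM_HEADERS), ("gmail sample", NORMAL_HEADERS)):
        print(label, "->", trace_source(raw, {"gmail.com"}).message)
    print("with googlegroups.com added ->",
          trace_source(PROBLEM_HEADERS, {"gmail.com", "googlegroups.com"}).message)
```

With only gmail.com configured, the problem spam stops at "by mx.googlegroups.com" and yields the same three-line complaint quoted in the first post; adding googlegroups.com to the mailhost set lets the walk reach the 'from' clause and recover 219.102.50.44. The unfolding step also shows why the wrapping seen in the forum preview is harmless: once continuation lines are rejoined, the Received: header is one logical line whether or not a browser wrapped it.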
csouter Posted September 17, 2006

> I used the SPF lines as they were easy to 'find' ..... the actual 'critical' header line is above that .. the line that includes the "by mx.googlegroups.com" (that fails) as compared to the parsed samples that show "by mx.gmail.com" ... this is the line that takes it outside your MailHosted Configurations, as the googlegroups MX server is not in your (or probably anyone else's) database.

Thanks, everyone for your help. The whole thing remains a mystery to me. I'm not really looking forward to it, but I think I'm going to have to start wading through the RFCs so as to try and gain some understanding of this (to me, at least) very complex topic. Wazoo, I hope you had a GOOD SLEEP! Thanks and regards to all Chris Souter