Gingko Posted June 23, 2023

Hello.

I am a Spamcop user for more than 20 years. I use to report all spams I receive since I subscribed to it.

Among these spams, many come from a host of which I am also a client because I am a tenant of several dedicated servers with them: OVHcloud (actually from their low cost subsidiary company Kimsufi). One of them hosts a Postfix server for relaying mails, and a Dovecot server for receiving them.

For several weeks, many reports that I send to OVHcloud via Spamcop generate emails that OVHcloud sends to me stating that I am the spammer and that I should take action against it. Whereas in reality, these are spam messages that are sent by other OVHcloud customers and of which I am the recipient.

Here is a sample of the Received: field found in the headers of one of these spams. “xxxxxxx” replaces the domain name of my server.

> Received: from mail.key-consulting.tech (mail.key-consulting.tech [51.195.100.62])
>     by xxxxxxx (Postfix) with ESMTPS id 3CE881D600B5
>     for <x>; Wed, 7 Jun 2023 11:45:58 +0200 (CEST)
> Received: from 136.169.211.136.dynamic.ufanet.ru (unknown [136.169.211.136])
>     by mail.key-consulting.tech (Postfix) with ESMTPSA id 0591D1BBBD90;
>     Wed, 7 Jun 2023 09:26:45 +0000 (UTC)

Of course, I filed a complaint to the OVHcloud support. The only answers that I got are the following (here translated from French):

- Do not use Spamcop for reporting spams (and instead, use another one known as less efficient).
- If you no longer wish to receive emails from our abuse team, I invite you to contact Spamcop so that it no longer provides your domain name when reporting them, or use our reporting form directly on our site: https://www.ovh.com/abuse/#!/
- In the report, a service that belongs to you is identified, which, suddenly, creates a ticket in your name.
- As indicated, if your service is indicated in the report, then a ticket will be created.

I understand there that for them, everything is normal, your server appears in spam and therefore it is normal that you are detected as a spammer.

Is there a place other than OVHcloud where I could file a complaint about this?

Regards,
Gingko

gnarlymarley Posted June 23, 2023

Over 20 years ago I had an admin from a well known university that thought that spam originated from the server found http URL in the body and the admin clearly misread the SpamCop report. I argued with them for some time before I gave up. It is difficult when administrators do not read the reports properly (even when it says in the tracking URL about the originating IP).

petzl Posted June 23, 2023

8 hours ago, Gingko said:

> am a Spamcop user for more than 20 years. I use to report all spams I receive since I subscribed to it.

Learn how to get a SpamCop Track URL link shown at top of page BEFORE submitted.

SpamCop only detects the IP of any weblinks, not the Registrar, times have changed.

ISP's do not act on IP's of weblinks unless they have no Registrar!

I use windows program to lookup the/a Registrar.

There are web based ones not used by me, so take care. https://www.whois.com/whois

ninth Posted June 24, 2023

OVH is a law unto itself.

Gingko Posted June 26, 2023 (Author)

On 6/24/2023 at 1:50 AM, petzl said:

> Learn how to get a SpamCop Track URL link shown at top of page BEFORE submitted.
>
> SpamCop only detects the IP of any weblinks, not the Registrar, times have changed.
>
> ISP's do not act on IP's of weblinks unless they have no Registrar!
>
> I use windows program to lookup the/a Registrar.
>
> There are web based ones not used by me, so take care. https://www.whois.com/whois

I don't understand why you write this.

I don't have any problem about Spamcop submitting.

I have problems with the OVH abuse service which does not correctly interpret Spamcop reports which are correct.

petzl Posted June 27, 2023 (edited)

On 6/26/2023 at 10:42 PM, Gingko said:

> I don't understand why you write this.
>
> I don't have any problem about Spamcop submitting.
>
> I have problems with the OVH abuse service which does not correctly interpret Spamcop reports which are correct.

I don't understand why you wrote that? Some here get their jollies from fake help requests.

136.169.211.136 is not OVH? it's Russia.

Always send a SC track URL in your request, makes aid replies easier!

OVH used to be black-hat and obnoxious. They have servers in different countries, must have their spammers now trained, not had spam from them for years? When they refused to stop, sent complaint to that country's CERT, seems OVH didn't like that?

Would help if I could see at least one SC track, but your choice! (OVH would have your server from your report)

"We offer a completely free and fully functional 2 weeks trial here. No credit card required."

51.195.100.62 OVH have free offer, spammers delight. You can ask them to reset password but SpamCop should be reporting to the Russian source? But falls over if it does not have its DNS set up correctly.

Edited June 27, 2023 by petzl

ninth Posted June 28, 2023

IP is currently on 3 blacklists

Gingko Posted June 30, 2023 (Author)

On 6/27/2023 at 2:00 AM, petzl said:

> I don't understand why you wrote that? Some here get their jollies from fake help requests.
>
> 136.169.211.136 is not OVH? it's Russia.
>
> Always send a SC track URL in your request, makes aid replies easier!
>
> OVH used to be black-hat and obnoxious. They have servers in different countries, must have their spammers now trained, not had spam from them for years? When they refused to stop, sent complaint to that country's CERT, seems OVH didn't like that?
>
> Would help if I could see at least one SC track, but your choice! (OVH would have your server from your report)
>
> "We offer a completely free and fully functional 2 weeks trial here. No credit card required."
>
> 51.195.100.62 OVH have free offer, spammers delight. You can ask them to reset password but SpamCop should be reporting to the Russian source? But falls over if it does not have its DNS set up correctly.

Actually, it looks like you were asking for the tracking URL of my sample.

My sample is one out of five, and in all of these cases, spams are reported to OVH, and OVH misunderstood it as sent by myself.

For the record, here are the tracking URLs for all of them:

Submitted: 07/06/2023 14:35:43 +0200:
https://www.spamcop.net/sc?id=z6849854102zed06af770ac057586f0ce80e985399edz

Submitted: 10/06/2023 13:04:22 +0200:
https://www.spamcop.net/sc?id=z6850200976z96a521840b9823cf50bcc66986d9950bz

Submitted: 21/06/2023 05:49:43 +0200:
https://www.spamcop.net/sc?id=z6851513926z7e5877d656928d255a2174580d8cf21cz

Submitted: 22/06/2023 16:34:05 +0200:
https://www.spamcop.net/sc?id=z6851713322z1510237a4f610445d6ee38ea4d5bd4f0z
https://www.spamcop.net/sc?id=z6851713324zf8111491b846f64ad5d3e7c5338e551cz

The Received fields quoted above come from the first one.

ninth Posted June 30, 2023

IP forgery means server has a security problem?

petzl Posted June 30, 2023 (edited)

5 hours ago, Gingko said:

> Actually, it looks like you were asking for the tracking URL of my sample.
>
> My sample is one out of five, and in all of these cases, spams are reported to OVH, and OVH misunderstood it as sent by myself.

Yes SpamCop is not reporting the source IP in this case. so you need to do this become better than the BOT SpamCop

https://www.spamcop.net/sc?id=z6849854102zed06af770ac057586f0ce80e985399edz

No unique hostname found for source: 136.169.211.136 (abuse[AT]ufanetp[DOT]ru )

Possible forgery. Supposed receiving system not associated with any of your mailhosts

Which is SC will only send reports to identifiable IP's in this case 51.195.100.62 OVH's free spammer account http://51.195.100.62 or registrar of https://www.plesk.com

Registrar Abuse Contact Email: legalservices[AT]eurodns[DOT]com

Also report the or any spammers link to in this case

Registrar Abuse Contact Email: abuse[AT]support[DOT]gandi[DOT]net

http://www.w3.org/tr/xhtml1/dtd/xhtml1-transitional.dtd

May seem a bit of work but if you do this you become poison to a spammer

Edited June 30, 2023 by petzl

RobiBue Posted June 30, 2023

13 hours ago, Gingko said:

> My sample is one out of five, and in all of these cases, spams are reported to OVH, and OVH misunderstood it as sent by myself.
>
> For the record, here are the tracking URLs for all of them:
>
> Submitted: 07/06/2023 14:35:43 +0200:
> https://www.spamcop.net/sc?id=z6849854102zed06af770ac057586f0ce80e985399edz

Hello Gingko,

you seem to be running into the mailhost problem.

on yours, the last received line is claimed to be a forgery (I am not quite sure why) but it's clear that it's complaining about mailhosts:

Possible forgery. Supposed receiving system not associated with any of your mailhosts

I ran an example from this first one you mentioned and this is the result:
https://www.spamcop.net/sc?id=z6852725851zc170c42b2748612531d95d02d1c43095z

on mine, without mailhosts set up, it goes straight to the russian IP:

whois for 136.169.211.136 : abuse (at) ufanet.ru

some people don't have mailhost problems, I never use them since I don't have my own mailhosts I run through...

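The two parses compared in the post above can be reproduced with a simplified model of Received-chain trust. This is an added example, not part of the original thread and not SpamCop's code: the trust rules in `report_target` are assumptions chosen to match the two results quoted in the thread, and the headers are the ones from the first post, including the poster's `xxxxxxx` redaction.

```python
import re

# Received headers as quoted in the first post, newest first.
# "xxxxxxx" is the poster's own redaction of the receiving server's name.
HEADERS = [
    "from mail.key-consulting.tech (mail.key-consulting.tech [51.195.100.62]) "
    "by xxxxxxx (Postfix) with ESMTPS id 3CE881D600B5 for <x>; "
    "Wed, 7 Jun 2023 11:45:58 +0200 (CEST)",
    "from 136.169.211.136.dynamic.ufanet.ru (unknown [136.169.211.136]) "
    "by mail.key-consulting.tech (Postfix) with ESMTPSA id 0591D1BBBD90; "
    "Wed, 7 Jun 2023 09:26:45 +0000 (UTC)",
]

# Postfix-style line: from HELO (rDNS [IP]) by RECEIVER ...
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9A-Fa-f:.]+)\]\)"
    r"\s+by\s+(?P<by>\S+)"
)


def parse_received(value):
    """Extract HELO name, reverse-DNS name, peer IP and receiving host."""
    match = RECEIVED_RE.search(value)
    if match is None:
        raise ValueError("unrecognised Received header: " + value)
    return match.groupdict()


def report_target(headers, mailhosts=None):
    """Return (ip_to_report, notes) for a newest-first Received chain.

    Assumed rules (a simplification, not SpamCop's algorithm):
    - with mailhosts: a header counts only if the host that wrote it
      ("by") is a registered mailhost; the walk stops at the first one
      that is not, and the last trusted peer IP is reported.
    - without mailhosts: a header counts if its "by" host is the host
      the previous header was received from (a consistent chain).
    """
    target, notes, prev = None, [], None
    for raw in headers:
        hop = parse_received(raw)
        by = hop["by"].lower()
        if mailhosts is not None:
            trusted = by in mailhosts
            reason = "receiving system not associated with any mailhost"
        else:
            trusted = prev is None or by in (prev["helo"].lower(),
                                             prev["rdns"].lower())
            reason = "receiving system does not match previous hop"
        if not trusted:
            notes.append(f"{hop['ip']}: {reason} ({by})")
            break
        target, prev = hop["ip"], hop
    return target, notes


if __name__ == "__main__":
    print("with mailhosts:   ", report_target(HEADERS, {"xxxxxxx"}))
    print("without mailhosts:", report_target(HEADERS))
```

With the mailhost set, the walk stops at the relay that handed the message to the reporter's server; without it, the chain is followed to the submitting client. In neither case is the reporter's own address the reported IP.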
Gingko Posted June 30, 2023 (Author)

3 hours ago, RobiBue said:

> Hello Gingko,
>
> you seem to be running into the mailhost problem.
>
> on yours, the last received line is claimed to be a forgery (I am not quite sure why) but it's clear that it's complaining about mailhosts:
>
> Possible forgery. Supposed receiving system not associated with any of your mailhosts
>
> I ran an example from this first one you mentioned and this is the result:
> https://www.spamcop.net/sc?id=z6852725851zc170c42b2748612531d95d02d1c43095z
>
> on mine, without mailhosts set up, it goes straight to the russian IP:
>
> whois for 136.169.211.136 : abuse (at) ufanet.ru
>
> some people don't have mailhost problems, I never use them since I don't have my own mailhosts I run through...

I don't think so.

My mailhost is kim8.reeves.fr (currently 87.98.218.11), it has been registered for more than 10 years, and there is no recent change on it.

None of the 51.195.100.62 or 136.169.211.136 IPs are mine.

And this problem came out starting June 2023, whereas I report from this mailhost (which hasn't changed recently) the very same way for much much much much much longer than that without this kind of problem.

But 51.195.100.62, although not mine, is also OVH, like my 87.98.218.11.

I don't know why 136.169.211.136 is claimed to be forgery. Maybe it is actually forgery, in some way. Otherwise it is likely a Spamcop bug.

Gingko

ninth Posted July 1, 2023

It does not matter how long your server has operated if there are vulnerabilities in security system and may have been hacked...report to server admin. I checked all the 6 IPs in the headers and OVH france was the only one not blacklisted and the russian IP was listed but not the source of abuse - likely in a local network of other spammers. All the rest were not consistent DNS and level 2 listed for sending spam. If the messages go to IPs not known to your server it should not go through those routers as Robi explained.

This is a case of do not shoot the messenger and expect them to resolve problems for free when they did not cause them. SC is an automatic program that is updated to stay current to report spam not to be a webmaster of all trades and your best bet now is to take the aussies good advice.

petzl Posted July 1, 2023 (edited)

7 hours ago, Gingko said:

> I don't think so.
>
> My mailhost is kim8.reeves.fr (currently 87.98.218.11), it has been registered for more than 10 years, and there is no recent change on it.
>
> None of the 51.195.100.62 or 136.169.211.136 IPs are mine.
>
> And this problem came out starting June 2023, whereas I report from this mailhost (which hasn't changed recently) the very same way for much much much much much longer than that without this kind of problem.
>
> But 51.195.100.62, although not mine, is also OVH, like my 87.98.218.11.
>
> I don't know why 136.169.211.136 is claimed to be forgery. Maybe it is actually forgery, in some way. Otherwise it is likely a Spamcop bug.
>
> Gingko

RobiBue is correct but mailhosts sometimes get confused. Might try to delete your present mailhost and re-register them. SpamCop mailhosts collect a lot of nearby mailhost IP's.

Maybe try opening another SpamCop account with no mailhosts setup.

Be careful you don't report yourself with every submission.

Edited July 1, 2023 by petzl

Gingko Posted July 1, 2023 (Author)

6 hours ago, ninth said:

> It does not matter how long your server has operated if there are vulnerabilities in security system and may have been hacked...report to server admin. I checked all the 6 IPs in the headers and OVH france was the only one not blacklisted and the russian IP was listed but not the source of abuse - likely in a local network of other spammers. All the rest were not consistent DNS and level 2 listed for sending spam. If the messages go to IPs not known to your server it should not go through those routers as Robi explained.
>
> This is a case of do not shoot the messenger and expect them to resolve problems for free when they did not cause them. SC is an automatic program that is updated to stay current to report spam not to be a webmaster of all trades and your best bet now is to take the aussies good advice.

My server is a bare metal dedicated server.

No one but myself is administrator of it.

I have full listing of its SMTP logs kept for 24 days, I'd know if it has been hacked, at least at this level.

Gingko Posted July 1, 2023 (Author)

2 hours ago, petzl said:

> RobiBue is correct but mailhosts sometimes get confused. Might try to delete your present mailhost and re-register them. SpamCop mailhosts collect a lot of nearby mailhost IP's.
>
> Maybe try opening another SpamCop account with no mailhosts setup.
>
> Be careful you don't report yourself with every submission.

I just tried to delete this mail host (I actually have 8 registered), and register it again.

The new result looks very very identical to the previous one.

There is a strange point, there, anyway, that I always have wondered about.

This registration shows also all former IPs that I used from my previous server (the successive ones that this server now replaces), despite I no longer own them for many years.

It doesn't seem this can be deleted in any way. Even after having deleted the mailhost, as they come back when registering again.

And my other mailhosts show also many IPs not belonging to me. (they generally concern SMTP servers that I sometimes exceptionally use, like GMail, Hotmail, Yahoo, but which does belong to me)

Gingko Posted July 1, 2023 (Author)

Another point:

This mailhost does not register IPv6, despite my server has it and (sometimes) uses it.

I don't know how to force IPv6 in mailhost registering.

Only my GMail, Yahoo and Hotmail mailhosts have registered IPv6 with IPv4.

ninth Posted July 1, 2023

Ran out of IPv4 addresses 10 years ago so you will need to upgrade SW and HW to access both.

Gingko Posted July 1, 2023 (Author)

46 minutes ago, ninth said:

> Ran out of IPv4 addresses 10 years ago so you will need to upgrade SW and HW to access both.

I just said my servers HAVE IPv6 now. And my home connection too.

What do you want me to upgrade?

Gingko Posted July 1, 2023 (Author)

14 hours ago, petzl said:

> Maybe try opening another SpamCop account with no mailhosts setup.
>
> Be careful you don't report yourself with every submission.

Actually, it is not possible right now to open another SpamCop account.

Opening one requires to satisfy a captcha, and the captcha is not working.

petzl Posted July 1, 2023

33 minutes ago, Gingko said:

> Actually, it is not possible right now to open another SpamCop account.
>
> Opening one requires to satisfy a captcha, and the captcha is not working.

This seems to be continually being mentioned. Nothing being done?

petzl Posted July 1, 2023

11 hours ago, Gingko said:

> I just tried to delete this mail host (I actually have 8 registered), and register it again.
>
> The new result looks very very identical to the previous one.
>
> There is a strange point, there, anyway, that I always have wondered about.
>
> This registration shows also all former IPs that I used from my previous server (the successive ones that this server now replaces), despite I no longer own them for many years.
>
> It doesn't seem this can be deleted in any way. Even after having deleted the mailhost, as they come back when registering again.
>
> And my other mailhosts show also many IPs not belonging to me. (they generally concern SMTP servers that I sometimes exceptionally use, like GMail, Hotmail, Yahoo, but which does belong to me)

Again SpamCop was sold in 2003 with no or little upgrading since. But as you have probably gathered I use SpamCop as an aid, mostly reporting directly to the spam source.

I have a Windows operating service, use these programs to help attack spammers with: Win32Whois, IPNetInfo

The SpamCop parse box is also full of info by pasting info into it.

Statistics:

114.99.1.229 not listed in bl.spamcop.net

More Information.

114.99.1.229 listed in cbl.abuseat.org ( 1 )

Reporting addresses: anti-spam@chinatelecom.cn

"114.99.1.229 listed in cbl.abuseat.org ( 1 )" means: the machine using this IP is infected with malware that is emitting spam.

Reporting addresses: anti-spam[AT]chinatelecom[DOT]cn, which is rubbish (ignored). Chinese spam needs sending as attachment from spammed email to abuse[AT]12321[DOT]cn

ninth Posted July 2, 2023

In the latest SC report the following error was uncovered: MX record pointing to IP address instead of domain name to specify mail exchange which cannot be resolved.

As usual spamvertisers will try anything to avoid anti-spam services proving they are bad coders in the process.

Gingko Posted July 2, 2023 (Author)

9 hours ago, petzl said:

> This seems to be continually being mentioned. Nothing being done?

This problem seems to last for at least 5 years.

Following this thread: …

I finally successfully registered a new account following this protocol:

- Using the Microsoft Edge browser.
- Switch it to Internet Explorer mode.

To me, it looks like this is the result of general improvements in the HTML/CSS standards implemented in recent browsers, which were not followed by updates in the SpamCop server's HTML coding.

petzl Posted July 2, 2023

21 minutes ago, Gingko said:

> This problem seems to last for at least 5 years.
>
> Following this thread: …
>
> I finally successfully registered a new account following this protocol:
>
> - Using the Microsoft Edge browser.
> - Switch it to Internet Explorer mode.
>
> To me, it looks like this is the result of general improvements in the HTML/CSS standards implemented in recent browsers, which were not followed by updates in the SpamCop server's HTML coding.

Not seeing an improvement, just downgrades. Even the headers have increased in size but the spam still is a problem.