
Reported spam identified as originated from myself by hosting provider


Gingko


Hello.

I have been a SpamCop user for more than 20 years.

I have been reporting all the spam I receive since I subscribed to it.

Among these spams, many come from a host of which I am also a client because I am a tenant of several dedicated servers with them: OVHcloud (actually from their low-cost subsidiary company Kimsufi).
One of them hosts a Postfix server for relaying mails, and a Dovecot server for receiving them.
For several weeks, many reports that I send to OVHcloud via SpamCop have generated emails that OVHcloud sends to me stating that I am the spammer and that I should take action against it.

Whereas in reality, these are spam messages that are sent by other OVHcloud customers and of which I am the recipient.

Here is a sample of the Received: field found in the headers of one of these spams. “xxxxxxx” replaces the domain name of my server.

Quote
Received: from mail.key-consulting.tech (mail.key-consulting.tech [51.195.100.62])
	by xxxxxxx (Postfix) with ESMTPS id 3CE881D600B5
	for <x>; Wed,  7 Jun 2023 11:45:58 +0200 (CEST)
Received: from 136.169.211.136.dynamic.ufanet.ru (unknown [136.169.211.136])
	by mail.key-consulting.tech (Postfix) with ESMTPSA id 0591D1BBBD90;
	Wed,  7 Jun 2023 09:26:45 +0000 (UTC)


Of course, I filed a complaint to the OVHcloud support.

The only answers that I got are the following (here translated from French):

  • Do not use Spamcop for reporting spams (and instead, use another one known as less efficient).
  • If you no longer wish to receive emails from our abuse team, I invite you to contact Spamcop so that it no longer provides your domain name when reporting them, or use our reporting form directly on our site:
    https://www.ovh.com/abuse/#!/
  • In the report, a service that belongs to you is identified, which, suddenly, creates a ticket in your name.
  • As indicated, if your service is indicated in the report, then a ticket will be created.

I understand there that for them, everything is normal, your server appears in spam and therefore it is normal that you are detected as a spammer.

Is there a place other than OVHcloud where I could file a complaint about this?

Regards,

Gingko
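The two Received: lines quoted in the post above can be read mechanically to show which machine handed the message to the recipient's server and in which role each hostname appears. This is an added example, not part of the original post and not SpamCop's or OVHcloud's actual parsing logic; the function names `parse_hops`, `classify` and `host_roles` are hypothetical, and the regular expression assumes Postfix-style trace lines like the ones quoted.

```python
import re
from email import message_from_string

# Received: headers quoted in the first post (newest first). "xxxxxxx" is the
# poster's own placeholder for the name of the receiving server.
SAMPLE = (
    "Received: from mail.key-consulting.tech (mail.key-consulting.tech [51.195.100.62])\n"
    "\tby xxxxxxx (Postfix) with ESMTPS id 3CE881D600B5\n"
    "\tfor <x>; Wed,  7 Jun 2023 11:45:58 +0200 (CEST)\n"
    "Received: from 136.169.211.136.dynamic.ufanet.ru (unknown [136.169.211.136])\n"
    "\tby mail.key-consulting.tech (Postfix) with ESMTPSA id 0591D1BBBD90;\n"
    "\tWed,  7 Jun 2023 09:26:45 +0000 (UTC)\n"
    "\n"
)

# Postfix-style trace line: from HELO (rDNS [IP]) by RECEIVER ... with PROTO
HOP = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f.:]+)\]\)"
    r"\s+by\s+(?P<by>\S+)(?:.*?\bwith\s+(?P<proto>\S+))?",
    re.S,
)

def parse_hops(raw):
    """Return one dict per parseable Received: header, newest hop first."""
    msg = message_from_string(raw)
    return [m.groupdict() for v in msg.get_all("Received", [])
            if (m := HOP.search(v))]

def classify(raw, my_hosts):
    """Split hops into the handoff to my server and the unverifiable rest.

    Only lines stamped by a host in my_hosts are trustworthy; the oldest of
    those names the IP that delivered the message to me. Older lines were
    written by machines I do not control and may be forged.
    """
    hops = parse_hops(raw)
    trusted = 0
    while trusted < len(hops) and hops[trusted]["by"].lower() in my_hosts:
        trusted += 1
    handoff = hops[trusted - 1] if trusted else None
    return handoff, hops[trusted:]

def host_roles(raw, host):
    """Say whether host appears as the receiving side, the sending side, or both."""
    roles = set()
    for hop in parse_hops(raw):
        if hop["by"].lower() == host:
            roles.add("receiver")
        if host in (hop["helo"].lower(), hop["rdns"].lower()):
            roles.add("sender")
    return roles

if __name__ == "__main__":
    handoff, rest = classify(SAMPLE, {"xxxxxxx"})
    print("delivered to my server by:", handoff["ip"], handoff["helo"])
    for hop in rest:
        print("claimed earlier hop:", hop["ip"], "via", hop["proto"])
    print("xxxxxxx appears as:", host_roles(SAMPLE, "xxxxxxx"))
```

In these headers the reporter's server shows up only in a `by` clause, that is, as the receiving side of the last hop.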

Link to comment
Share on other sites


Over 20 years ago I had an admin from a well-known university that thought that spam originated from the server found http URL in the body and the admin clearly misread the SpamCop report. I argued with them for some time before I gave up. It is difficult when administrators do not read the reports properly (even when it says in the tracking URL about the originating IP).
Link to comment
Share on other sites

8 hours ago, Gingko said:

am a Spamcop user for more than 20 years.

I use to report all spams I receive since I subscribed to it.

Learn how to get a SpamCop Track URL link shown at top of page BEFORE submitted.
SpamCop only detects the IP of any weblinks, not the Registrar; times have changed.
ISPs do not act on IPs of weblinks unless they have no Registrar!
I use a Windows program to look up the/a Registrar.
There are web-based ones not used by me, so take care.
https://www.whois.com/whois

Link to comment
Share on other sites

On 6/24/2023 at 1:50 AM, petzl said:

Learn how to get a SpamCop Track URL link shown at top of page BEFORE submitted.
SpamCop only detects the IP of any weblinks, not the Registrar; times have changed.
ISPs do not act on IPs of weblinks unless they have no Registrar!
I use a Windows program to look up the/a Registrar.
There are web-based ones not used by me, so take care.
https://www.whois.com/whois

I don't understand why you write this.
I don't have any problem with submitting to SpamCop.
I have problems with the OVH abuse service, which does not correctly interpret SpamCop reports which are correct.

Link to comment
Share on other sites

On 6/26/2023 at 10:42 PM, Gingko said:

I don't understand why you write this.
I don't have any problem with submitting to SpamCop.
I have problems with the OVH abuse service, which does not correctly interpret SpamCop reports which are correct.

I don't understand why you wrote that?
Some here get their jollies from fake help requests.
136.169.211.136 is not OVH? It's Russia. Always send a SC track URL in your request, makes aid replies easier!
OVH used to be black-hat and obnoxious. They have servers in different countries, must have their spammers now trained, not had spam from them for years?
When they refused to stop, sent complaint to that country's CERT, seems OVH didn't like that?
Would help if I could see at least one SC track, but your choice! (OVH would have your server from your report)
"We offer a completely free and fully functional 2 weeks trial here. No credit card required."
51.195.100.62 OVH have free offer, spammers' delight, you can ask them to reset password but SpamCop should be reporting to the Russian source?
But falls over if it does not have its DNS set up correctly

Edited by petzl
Link to comment
Share on other sites

On 6/27/2023 at 2:00 AM, petzl said:

I don't understand why you wrote that?
Some here get their jollies from fake help requests.
136.169.211.136 is not OVH? It's Russia. Always send a SC track URL in your request, makes aid replies easier!
OVH used to be black-hat and obnoxious. They have servers in different countries, must have their spammers now trained, not had spam from them for years?
When they refused to stop, sent complaint to that country's CERT, seems OVH didn't like that?
Would help if I could see at least one SC track, but your choice! (OVH would have your server from your report)
"We offer a completely free and fully functional 2 weeks trial here. No credit card required."
51.195.100.62 OVH have free offer, spammers' delight, you can ask them to reset password but SpamCop should be reporting to the Russian source?
But falls over if it does not have its DNS set up correctly

Actually, it looks like you were asking for the tracking URL of my sample.
My sample is one out of five, and in all of these cases, spams are reported to OVH, and OVH misunderstood it as sent by myself.

For the record, here are the tracking URLs for all of them:

Submitted: 07/06/2023 14:35:43 +0200:
https://www.spamcop.net/sc?id=z6849854102zed06af770ac057586f0ce80e985399edz
Submitted: 10/06/2023 13:04:22 +0200:
https://www.spamcop.net/sc?id=z6850200976z96a521840b9823cf50bcc66986d9950bz
Submitted: 21/06/2023 05:49:43 +0200:
https://www.spamcop.net/sc?id=z6851513926z7e5877d656928d255a2174580d8cf21cz
Submitted: 22/06/2023 16:34:05 +0200:
https://www.spamcop.net/sc?id=z6851713322z1510237a4f610445d6ee38ea4d5bd4f0z
https://www.spamcop.net/sc?id=z6851713324zf8111491b846f64ad5d3e7c5338e551cz

The Received fields quoted above come from the first one.
 

Link to comment
Share on other sites

5 hours ago, Gingko said:

Actually, it looks like you were asking for the tracking URL of my sample.
My sample is one out of five, and in all of these cases, spams are reported to OVH, and OVH misunderstood it as sent by myself.

Yes, SpamCop is not reporting the source IP in this case, so you need to do this: become better than the BOT SpamCop
https://www.spamcop.net/sc?id=z6849854102zed06af770ac057586f0ce80e985399edz

No unique hostname found for source: 136.169.211.136 (abuse[AT]ufanetp[DOT]ru )
Possible forgery. Supposed receiving system not associated with any of your mailhosts
Which is SC will only send reports to identifiable IPs, in this case 51.195.100.62, OVH's free spammer account
http://51.195.100.62   or registrar of
https://www.plesk.com  Registrar Abuse Contact Email:  legalservices[AT]eurodns[DOT]com


Also report the or any spammers link to in this case Registrar Abuse Contact Email:  abuse[AT]support[DOT]gandi[DOT]net
http://www.w3.org/tr/xhtml1/dtd/xhtml1-transitional.dtd
May seem a bit of work but if you do this you become poison to a spammer

Edited by petzl
Link to comment
Share on other sites

13 hours ago, Gingko said:

My sample is one out of five, and in all of these cases, spams are reported to OVH, and OVH misunderstood it as sent by myself.

For the record, here are the tracking URLs for all of them:

Submitted: 07/06/2023 14:35:43 +0200:
https://www.spamcop.net/sc?id=z6849854102zed06af770ac057586f0ce80e985399edz

Hello Gingko,
You seem to be running into the mailhost problem.
On yours, the last Received line is claimed to be a forgery (I am not quite sure why), but it's clear that it's complaining about mailhosts:
Possible forgery. Supposed receiving system not associated with any of your mailhosts
 

I ran an example from this first one you mentioned and this is the result:
https://www.spamcop.net/sc?id=z6852725851zc170c42b2748612531d95d02d1c43095z

On mine, without mailhosts set up, it goes straight to the Russian IP: whois for 136.169.211.136: abuse (at) ufanet.ru

Some people don't have mailhost problems; I never use them since I don't have my own mailhosts I run through...

Link to comment
Share on other sites

3 hours ago, RobiBue said:

Hello Gingko,
You seem to be running into the mailhost problem.
On yours, the last Received line is claimed to be a forgery (I am not quite sure why), but it's clear that it's complaining about mailhosts:
Possible forgery. Supposed receiving system not associated with any of your mailhosts
 

I ran an example from this first one you mentioned and this is the result:
https://www.spamcop.net/sc?id=z6852725851zc170c42b2748612531d95d02d1c43095z

On mine, without mailhosts set up, it goes straight to the Russian IP: whois for 136.169.211.136: abuse (at) ufanet.ru

Some people don't have mailhost problems; I never use them since I don't have my own mailhosts I run through...

I don't think so.
My mailhost is kim8.reeves.fr (currently 87.98.218.11), it has been registered for more than 10 years, and there is no recent change on it.

None of the 51.195.100.62 or 136.169.211.136 IPs are mine.

And this problem started in June 2023, whereas I have been reporting from this mailhost (which hasn't changed recently) the very same way for much much much much much longer than that without this kind of problem.

But 51.195.100.62, although not mine, is also OVH, like my 87.98.218.11.

I don't know why 136.169.211.136 is claimed to be forgery.
Maybe it is actually forgery, in some way.
Otherwise it is likely a Spamcop bug.

Gingko

Link to comment
Share on other sites

It does not matter how long your server has operated if there are vulnerabilities in security system and may have been hacked...report to server admin. I checked all the 6 IPs in the headers and OVH France was the only one not blacklisted and the Russian IP was listed but not the source of abuse - likely in a local network of other spammers. All the rest were not consistent DNS and level 2 listed for sending spam.

If the messages go to IPs not known to your server it should not go through those routers as Robi explained. This is a case of do not shoot the messenger and expect them to resolve problems for free when they did not cause them. SC is an automatic program that is updated to stay current to report spam, not to be a webmaster of all trades, and your best bet now is to take the Aussie's good advice.

Link to comment
Share on other sites

7 hours ago, Gingko said:

I don't think so.
My mailhost is kim8.reeves.fr (currently 87.98.218.11), it has been registered for more than 10 years, and there is no recent change on it.

None of the 51.195.100.62 or 136.169.211.136 IPs are mine.

And this problem started in June 2023, whereas I have been reporting from this mailhost (which hasn't changed recently) the very same way for much much much much much longer than that without this kind of problem.

But 51.195.100.62, although not mine, is also OVH, like my 87.98.218.11.

I don't know why 136.169.211.136 is claimed to be forgery.
Maybe it is actually forgery, in some way.
Otherwise it is likely a Spamcop bug.

Gingko

RobiBue is correct but mailhosts sometimes get confused.
Might try to delete your present mailhost and re-register them.
SpamCop mailhosts collect a lot of nearby mailhost IPs
Maybe
Try opening another SpamCop account with no mailhosts set up
Be careful you don't report yourself with every submission

Edited by petzl
Link to comment
Share on other sites

6 hours ago, ninth said:

It does not matter how long your server has operated if there are vulnerabilities in security system and may have been hacked...report to server admin. I checked all the 6 IPs in the headers and OVH France was the only one not blacklisted and the Russian IP was listed but not the source of abuse - likely in a local network of other spammers. All the rest were not consistent DNS and level 2 listed for sending spam.

If the messages go to IPs not known to your server it should not go through those routers as Robi explained. This is a case of do not shoot the messenger and expect them to resolve problems for free when they did not cause them. SC is an automatic program that is updated to stay current to report spam, not to be a webmaster of all trades, and your best bet now is to take the Aussie's good advice.

My server is a bare-metal dedicated server.
No one but myself is administrator of it.
I have a full listing of its SMTP logs kept for 24 days; I'd know if it had been hacked, at least at this level.

Link to comment
Share on other sites

2 hours ago, petzl said:

RobiBue is correct but mailhosts sometimes get confused.
Might try to delete your present mailhost and re-register them.
SpamCop mailhosts collect a lot of nearby mailhost IPs
Maybe
Try opening another SpamCop account with no mailhosts set up
Be careful you don't report yourself with every submission

I just tried to delete this mailhost (I actually have 8 registered), and register it again.
The new result looks very, very identical to the previous one.

There is a strange point there, anyway, that I have always wondered about.
This registration also shows all the former IPs that I used for my previous servers (the successive ones that this server now replaces), even though I have not owned them for many years.
It doesn't seem this can be deleted in any way.
Even after having deleted the mailhost, they come back when registering again.

And my other mailhosts show also many IPs not belonging to me.
(they generally concern SMTP servers that I sometimes exceptionally use, like GMail, Hotmail, Yahoo, but which does belong to me)

Link to comment
Share on other sites

Another point:
This mailhost does not register IPv6, even though my server has it and (sometimes) uses it.
I don't know how to force IPv6 in mailhost registering.

Only my GMail, Yahoo and Hotmail mailhosts have registered IPv6 with IPv4.

Link to comment
Share on other sites

46 minutes ago, ninth said:

Ran out of IPv4 addresses 10 years ago so you will need to upgrade SW and HW to access both.

I just said my servers HAVE IPv6 now.
And my home connection too.
What do you want me to upgrade?

Link to comment
Share on other sites

14 hours ago, petzl said:

Maybe
Try opening another SpamCop account with no mailhosts set up
Be careful you don't report yourself with every submission

Actually, it is not possible right now to open another SpamCop account.
Opening one requires satisfying a captcha, and the captcha is not working.

spamcop_registering_captcha.gif

Link to comment
Share on other sites

33 minutes ago, Gingko said:

Actually, it is not possible right now to open another SpamCop account.
Opening one requires satisfying a captcha, and the captcha is not working.
 

This seems to be continually being mentioned. Nothing being done?

Link to comment
Share on other sites

11 hours ago, Gingko said:

I just tried to delete this mailhost (I actually have 8 registered), and register it again.
The new result looks very, very identical to the previous one.

There is a strange point there, anyway, that I have always wondered about.
This registration also shows all the former IPs that I used for my previous servers (the successive ones that this server now replaces), even though I have not owned them for many years.
It doesn't seem this can be deleted in any way.
Even after having deleted the mailhost, they come back when registering again.

And my other mailhosts show also many IPs not belonging to me.
(they generally concern SMTP servers that I sometimes exceptionally use, like GMail, Hotmail, Yahoo, but which does belong to me)

Again, SpamCop was sold in 2003 with no or little upgrading since.
But as you have probably gathered, I use SpamCop as an aid, mostly reporting directly to the spam source.
I have a Windows operating service, use these programs to help attack spammers with:
Win32Whois
IPNetInfo
The SpamCop parse box is also full of info by pasting info into it
 

Statistics:
114.99.1.229 not listed in bl.spamcop.net
More Information.
114.99.1.229 listed in cbl.abuseat.org ( 1 )
Reporting addresses:
anti-spam@chinatelecom.cn

114.99.1.229 listed in cbl.abuseat.org ( 1 ) means, The machine using this IP is infected with malware that is emitting spam
Reporting addresses:
anti-spam[AT]chinatelecom[DOT]cn, which is rubbish (ignored), Chinese spam needs sending as attachment from spammed email to 
abuse[AT]12321[DOT]cn

Link to comment
Share on other sites

In the latest SC report the following error was uncovered:

MX record pointing to IP address instead of domain name to specify mail exchange which cannot be resolved.

As usual spamvertisers will try anything to avoid anti-spam services proving they are bad coders in the process.

Link to comment
Share on other sites

9 hours ago, petzl said:

This seems to be continually being mentioned. Nothing being done?

This problem seems to have lasted for at least 5 years.

Following this thread:

… I finally successfully registered a new account following this protocol:

  1. Using the Microsoft Edge browser.
  2. Switch it to Internet Explorer mode.

To me, it looks like this is the result of general improvements in the HTML/CSS standards implemented in recent browsers, which were not followed by updates in the SpamCop server's HTML coding.

Link to comment
Share on other sites

21 minutes ago, Gingko said:

This problem seems to have lasted for at least 5 years.

Following this thread:

… I finally successfully registered a new account following this protocol:

  1. Using the Microsoft Edge browser.
  2. Switch it to Internet Explorer mode.

To me, it looks like this is the result of general improvements in the HTML/CSS standards implemented in recent browsers, which were not followed by updates in the SpamCop server's HTML coding.

Not seeing an improvement, just downgrades.
Even the headers have increased in size but the spam still is a problem.

Link to comment
Share on other sites
