Reported spam identified as originated from myself by hosting provider


Gingko

 

4 hours ago, petzl said:

Have you tried latest Microsoft Edge and got past the CAPTCHA?
Everyone so-far except you have reported it works?
Have you then set up another SpamCop account without mailhosts being set up, to try to correct spam reports from going to wrong source of spam?

No one knows these answers except you?
 

YES, I tried latest Microsoft Edge (in Internet Explorer mode, following the instructions found at the very end of this other topic [<- there is a link there] in this very same forum that you don't even want to read despite this is the THIRD time that I quote it for you in THIS thread), and I got past the CAPTCHA THIS WAY.

“Everyone so-far except you have reported it works?” ??
NO, someone in this very same forum [<- there is a link there] already reported it in this very same forum in a topic that you don't even want to read, so I found the topic, then I read the topic, then I followed the instructions recently given at the very end of that topic, then IT WORKED.

YES, I set-up another SpamCop account (THAT WAY) without mailhosts being set-up, to try to correct spam reports from going to wrong source of spam.

“No one knows these answers except you?” ??
NO, someone in this very same forum [<- there is a link there] already reported it in this very same forum in a topic that you don't even want to read, so I found the topic, then I read the topic, then I followed the instructions recently given at the very end of that topic, then IT WORKED.


I normally never use Microsoft Edge in common life.

And last but not least, this is also an off topic subject.
The initial subject was about OVH identifying the spams that I reported as originated by myself.

Edited by Gingko
Link to comment
Share on other sites


7 hours ago, RobiBue said:

Personally I maintain that if your mailhosts are set up correctly, you shouldn't have to list them to report spam. somehow SC, in my past experience, has had problems with registered mailhosts, especially when something changed...
Without mailhost registration I rarely had problems reporting and when someone has mailhosts set up and has trouble, I run the same spam parse, but without the mailhosts, and it reports the correct sender, at least it has so far...
That is, IMNSHO, the crux of the matter.

The initial subject was not about mailhosts.

And even if the subject seems however to have indirectly raised certain problems related to mailhosts, these problems do not seem to have at any time indicated that I was the author of the spams which I reported.

On some occasions spam analysis showed messages like “Possible forgery. Supposed receiving system not associated with any of your mailhosts Will not trust this Received line” (which I don't quite understand, since each time the mailhost, which is almost always my own mail server, was registered), but none of these analyses produced a report indicating explicitly that the origin of the spam was me.

It is the OVH company which seems to have decided that, in a totally uncorrelated manner with, in particular, the IP address indicated in the report's subject.

Now I continue to submit mails to OVH.

But each time I see OVH in the report to be sent, I add the following in the “Additional notes” field (actually in French, here translated):
 

Quote

Instructions for the Abuse OVH department:
Please note that the server kim8.reeves.fr (visible in the headers) is the RECIPIENT server of this spam.
Please do not confuse it with that of the spammer, mistake which you have already committed several times recently.

 

Link to comment
Share on other sites

4 hours ago, Gingko said:

Supposed receiving system not associated with any of your mailhosts Will not trust this Received line” (which I don't quite understand,

It's gobbledegook that appears when you have mailhosts set-up.
What SpamCop does then is identify the last email "server" that your email server received it from
sending reports not always to the spam source. 
Not really a biggie as the mail server abuse deck will cancel the free email account (if they react to abuse complaints).
But it is always better to report to the source of spam as well which stops them just using free account to some degree,
Makes it more difficult for a spammer.
If you open a 2nd SpamCop page and put in the source IP into its "form box" you can add abuse contact it gives to your report.

Edited by petzl
Link to comment
Share on other sites

12 hours ago, Gingko said:

I normally never use Microsoft Edge in common life.

Thanks, must have missed some posts
I occasionally get sometime signing into my Bank I then do it with Edge and seem problem solved?

Link to comment
Share on other sites

21 minutes ago, petzl said:

Thanks, must have missed some posts
I occasionally get sometime signing into my Bank I then do it with Edge and seem problem solved?

I never said that the problem was solved.
It's just a workaround which can be used for a problem that lasts for at least 5 years, and that Spamcop didn't fix for at least 5 years.
Nevertheless the very nature of this workaround gives a good indication about how Spamcop should fix it.
The problem will be solved when Spamcop will have changed its registration page, allowing it to work with any browser, of course.
But unfortunately, my experience is that if a bug is not fixed for 5 years, it means that nobody cares about this bug, thus it will never be fixed.

Link to comment
Share on other sites

5 hours ago, Gingko said:

1) The initial subject was not about mailhosts.

2) And even if the subject seems however to have indirectly raised certain problems related to mailhosts, these problems do not seem to have at any time indicated that I was the author of the spams which I reported.

3) On some occasions spam analysis showed messages like “Possible forgery. Supposed receiving system not associated with any of your mailhosts Will not trust this Received line” (which I don't quite understand, since each time the mailhost, which is almost always my own mail server, was registered), but none of these analyses produced a report indicating explicitly that the origin of the spam was me.

1) I understand that: "Reported spam identified as originated from myself by hosting provider"

2) from my understanding, it wasn't the subject but the way that spamcop parsed the spam email and the way the received headers are inserted:

Quote
Received: from mail.key-consulting.tech (mail.key-consulting.tech [51.195.100.62])
	by xxxxxxx (Postfix) with ESMTPS id 3CE881D600B5
	for <x>; Wed,  7 Jun 2023 11:45:58 +0200 (CEST)
Received: from 136.169.211.136.dynamic.ufanet.ru (unknown [136.169.211.136])
	by mail.key-consulting.tech (Postfix) with ESMTPSA id 0591D1BBBD90;
	Wed,  7 Jun 2023 09:26:45 +0000 (UTC)

again, the parser stopped at 51.195.100.62
Possible forgery. Supposed receiving system not associated with any of your mailhosts
which was the next received line "by mail.key-consulting.tech (Postfix)" and therein lies the problem I am trying to explain.
 

3) “Possible forgery. Supposed receiving system not associated with any of your mailhosts Will not trust this Received line” is exactly what I'm trying to describe.

I am simply trying to help, not point fingers or accuse of anything, just point out the reason a) why the parse failed to correctly get the source, and b) why I do not use mailhosts setup.

 

I do understand that, and again, it seems like everybody is talking around in circles.
My point is that if mailhosts are not set up correctly (and it only requires a simple change by your provider to mess it up if it was set up right) the parser is likely to have you report yourself as spam source, which, of course, you probably are not — unless your system was compromised.

Link to comment
Share on other sites

1 hour ago, Gingko said:

But unfortunately, my experience is that if a bug is not fixed for 5 years, it means that nobody cares about this bug, thus it will never be fixed.

unfortunately, that is true, and if I look at my bug list with mozilla, there are bugs that have been there for more than 13 years (one I have been following that I can't fix has been there for almost 14 years - 4 months shy) and there are others which are even older with wontfix status... yeah, I know what you mean...
On the other hand, captchas are somewhat useless, as AI is starting to abuse those "human" checks, and google abused the captchas to create their own free word reader... I can explain further if there is any interest... heck, here's a youtube link that will explain what I mean.

Link to comment
Share on other sites

43 minutes ago, RobiBue said:

1) I understand that: "Reported spam identified as originated from myself by hosting provider"

2) from my understanding, it wasn't the subject but the way that spamcop parsed the spam email and the way the received headers are inserted:

again, the parser stopped at 51.195.100.62
Possible forgery. Supposed receiving system not associated with any of your mailhosts
which was the next received line "by mail.key-consulting.tech (Postfix)" and therein lies the problem I am trying to explain.
 

3) “Possible forgery. Supposed receiving system not associated with any of your mailhosts Will not trust this Received line” is exactly what I'm trying to describe.

I am simply trying to help, not point fingers or accuse of anything, just point out the reason a) why the parse failed to correctly get the source, and b) why I do not use mailhosts setup.

 

I do understand that, and again, it seems like everybody is talking around in circles.
My point is that if mailhosts are not set up correctly (and it only requires a simple change by your provider to mess it up if it was set up right) the parser is likely to have you report yourself as spam source, which, of course, you probably are not — unless your system was compromised.

Of course, but :

  1. My mailhost was correctly recognised, as I can read “kim0.reeves.fr received mail from sending system 51.195.100.62” - kim0.reeves.fr was the name given to this mailhost, this is the name of my first generation server given maybe 10 years ago, Spamcop couldn't know it if the mailhost was not identified.
  2. 136.169.211.136 is not associated with any of my mailhosts, this is normal as 136.169.211.136 is the spammer, it doesn't have to be associated with any of my mailhosts.
    It doesn't look like a forgery either, if I type dig -x 136.169.211.136 in a Linux command line, I truly get 136.169.211.136.dynamic.ufanet.ru as the reverse DNS of that IP.

51.195.100.62 (reverse DNS mail.key-consulting.tech), just seems to be an intermediary relay (also hosted by OVH) not belonging to me.
I suppose that this relay is either open or related to the spammer in some manner.

If I open mail.key-consulting.tech in a browser, I get a “Web Server's Default Page” suggesting a new hosting account never configured to do anything.

And if you “do not use mailhosts setup”, what do you do instead ?

Link to comment
Share on other sites

54 minutes ago, RobiBue said:

unfortunately, that is true, and if I look at my bug list with mozilla, there are bugs that have been there for more than 13 years (one I have been following that I can't fix has been there for almost 14 years - 4 months shy) and there are others which are even older with wontfix status... yeah, I know what you mean...
On the other hand, captchas are somewhat useless, as AI is starting to abuse those "human" checks, and google abused the captchas to create their own free word reader... I can explain further if there is any interest... heck, here's a youtube link that will explain what I mean.

As the bug concerns the registration of any Spamcop's new account, this doesn't give a good expectation for the future of Spamcop itself.

Link to comment
Share on other sites

Actually …

Is there (still ??) somebody reading this forum who has effectively authority about the Spamcop maintenance or development, who has effectively access to its code, who has rights to change something to it, to its servers, programmatically?

If not, where could such people be found?

Link to comment
Share on other sites

18 hours ago, Gingko said:

Of course, but :

  1. My mailhost was correctly recognised, as I can read “kim0.reeves.fr received mail from sending system 51.195.100.62” - kim0.reeves.fr was the name given to this mailhost, this is the name of my first generation server given maybe 10 years ago, Spamcop couldn't know it if the mailhost was not identified.
  2. 136.169.211.136 is not associated with any of my mailhosts, this is normal as 136.169.211.136 is the spammer, it doesn't have to be associated with any of my mailhosts.
    It doesn't look like a forgery either, if I type dig -x 136.169.211.136 in a Linux command line, I truly get 136.169.211.136.dynamic.ufanet.ru as the reverse DNS of that IP.

51.195.100.62 (reverse DNS mail.key-consulting.tech), just seems to be an intermediary relay (also hosted by OVH) not belonging to me.
I suppose that this relay is either open or related to the spammer in some manner.

If I open mail.key-consulting.tech in a browser, I get a “Web Server's Default Page” suggesting a new hosting account never configured to do anything.

And if you “do not use mailhosts setup”, what do you do instead ?

I completely get the part of the mail servers and which is which, and we, as "humans" and with some idea on how email distribution works behind the scenes, can tell where it came from (usually) and which intermediate servers it went through.
It's the "machine" which, with evolving technology and complex functionality, can have problems seeing the path.

Usually it works fine, but oftentimes I have noticed, and keep repeating it, that when mailhosts are set up, the system sometimes acts up and stops somewhere in between. Probably because something changed which is out of our (our used loosely) control (like the OVH MX) and could have been changed by the provider due to new IP# allocation or other reasons. Then you have to run the mailhost setup again, but if you don't know something changed, and they won't inform you because they don't think you'd be affected, you might end up "reporting yourself" or your provider.

To avoid that scenario, I do not register the mailhosts with SC. I let the system analyze every Received:  line without skipping "trusted" MXs. Thus far it has always worked, and if it stops somewhere in between with this method, then someone has their MX badly configured and needs to look into it...
This is what it looks to me:

[image]

no mailhosts, just plain report the spam ;)

 

Link to comment
Share on other sites
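
Added example (not part of any post in this thread, and not SpamCop's code): a simplified model of the Received-line walk discussed in the posts above, run on the headers quoted earlier in the thread, with and without registered mailhosts. The trust rules, the function names and the use of the redacted name xxxxxxx as the registered mailhost are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Received headers as quoted earlier in the thread, newest first. "xxxxxxx" is
# the poster's own redaction of the recipient server and is kept as-is.
RAW_HEADERS = """\
Received: from mail.key-consulting.tech (mail.key-consulting.tech [51.195.100.62])
\tby xxxxxxx (Postfix) with ESMTPS id 3CE881D600B5
\tfor <x>; Wed,  7 Jun 2023 11:45:58 +0200 (CEST)
Received: from 136.169.211.136.dynamic.ufanet.ru (unknown [136.169.211.136])
\tby mail.key-consulting.tech (Postfix) with ESMTPSA id 0591D1BBBD90;
\tWed,  7 Jun 2023 09:26:45 +0000 (UTC)
"""

# Postfix-style line: from HELO (rDNS [IP]) by RECEIVER ...
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
    r"\s+by\s+(?P<by>\S+)"
)


@dataclass
class Hop:
    helo: str   # name the sender announced
    rdns: str   # reverse DNS recorded by the receiver ("unknown" if none)
    ip: str     # address the receiver actually saw
    by: str     # server that wrote this Received line


def parse_received(raw: str) -> list[Hop]:
    """Unfold continuation lines and parse each Received header, newest first."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)
    hops = []
    for line in unfolded.splitlines():
        if line.lower().startswith("received:"):
            m = HOP_RE.search(line)
            if m:
                hops.append(Hop(**m.groupdict()))
    return hops


def recipient_server(hops: list[Hop]) -> Optional[str]:
    """The 'by' host of the newest line is where the mail was delivered."""
    return hops[0].by if hops else None


def find_source(hops: list[Hop], mailhosts: Optional[set] = None):
    """Return (source_ip, notes).

    Assumed rules (a simplification, not SpamCop's real parser):
    - mailhosts given: a line is trusted only if a registered mailhost wrote it.
    - mailhosts None: the newest line is trusted; each older line is trusted
      if it was written by the host the previous line named as sender.
    The source is the sending IP recorded on the last trusted line.
    """
    source, notes, expected_by = None, [], None
    for hop in hops:
        if mailhosts is not None:
            trusted = hop.by in mailhosts
            why = "receiving system not associated with any of your mailhosts"
        else:
            trusted = expected_by is None or hop.by in expected_by
            why = "receiving system does not match the previous sender"
        if not trusted:
            notes.append(f"will not trust line written by {hop.by}: {why}")
            break
        source = hop.ip
        expected_by = {hop.helo, hop.rdns}
        notes.append(f"{hop.by} received mail from sending system {hop.ip}")
    return source, notes


if __name__ == "__main__":
    hops = parse_received(RAW_HEADERS)
    print("recipient server:", recipient_server(hops))
    for label, hosts in (("with mailhosts", {"xxxxxxx"}), ("no mailhosts", None)):
        source, notes = find_source(hops, hosts)
        print(f"{label}: source = {source}")
        for note in notes:
            print("   ", note)
```

In both modes the server named after "by" on the newest line is the recipient, never the source; the two modes differ only in how far down the chain the walk continues.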

15 hours ago, RobiBue said:

Usually it works fine, but oftentimes I have noticed, and keep repeating it, that when mailhosts are set up, the system sometimes acts up and stops somewhere in between. Probably because something changed which is out of our (our used loosely) control (like the OVH MX) and could have been changed by the provider due to new IP# allocation or other reasons. Then you have to run the mailhost setup again, but if you don't know something changed, and they won't inform you because they don't think you'd be affected, you might end up "reporting yourself" or your provider.

When Spamcop sends a report, this report has a subject like the following :

“[SpamCop (52.128.42.65) id:7271670813]SBA Saturdae”

With the spammer's IP or advertising link (determined by Spamcop), the report id and the spam subjects all included in that subject.

The same data (determined by Spamcop) is also included in the report's text.

For all cases that I quoted in the beginning of this thread, I have the message sent by my hosting provider (OVH) informing me that “I am a spammer”, and containing a copy of the corresponding report.

In none of these cases, any IP address or domain name belonging to me was quoted in the Spamcop's reports subjects. This implies that OVH has not taken any account of the information given by Spamcop, and that they analysed themselves the spam headers following their own understandings.

And actually my server's IP was not visible in any of these spams either.
There was only my server's domain name (kim8.reeves.fr), always in position “Received by”, that they must submit to a DNS server in order to get the IP.

To me, this implies a huge lack of intellectual faculties.

Link to comment
Share on other sites

On 6/30/2023 at 9:34 PM, petzl said:

Yes SpamCop is not reporting the source IP in this case. so you need to do this become better than the BOT SpamCop
https://www.spamcop.net/sc?id=z6849854102zed06af770ac057586f0ce80e985399edz   

No unique hostname found for source: 136.169.211.136 (abuse[AT]ufanetp[DOT]ru )
Possible forgery. Supposed receiving system not associated with any of your mailhosts 
Which is SC will only send reports to identifiable IP's in this case  51.195.100.62  OVH's free spammer account
http://51.195.100.62   or registrar of
https://www.plesk.com  Registrar Abuse Contact Email:  legalservices[AT]eurodns[DOT]com


Also report the or any spammers link to in this case Registrar Abuse Contact Email:  abuse[AT]support[DOT]gandi[DOT]net
http://www.w3.org/tr/xhtml1/dtd/xhtml1-transitional.dtd
May seem a bit of work but if you do this you become poison to a spammer

Did you try this?

On 6/30/2023 at 4:00 PM, Gingko said:

My sample is one out of five, and in all of these cases, spams are reported to OVH, and OVH misunderstood it as sent by myself.

For the record, here are the tracking URLs for all of them:

Submitted: 07/06/2023 14:35:43 +0200:
https://www.spamcop.net/sc?id=z6849854102zed06af770ac057586f0ce80e985399edz
Submitted: 10/06/2023 13:04:22 +0200:
https://www.spamcop.net/sc?id=z6850200976z96a521840b9823cf50bcc66986d9950bz
Submitted: 21/06/2023 05:49:43 +0200:
https://www.spamcop.net/sc?id=z6851513926z7e5877d656928d255a2174580d8cf21cz
Submitted: 22/06/2023 16:34:05 +0200:
https://www.spamcop.net/sc?id=z6851713322z1510237a4f610445d6ee38ea4d5bd4f0z
https://www.spamcop.net/sc?id=z6851713324zf8111491b846f64ad5d3e7c5338e551cz

OVH was sent reports in all tracking URLs above but other reports were sent to serverpronto UCLA Halo-group cloudflare and akamai. The spam is being sent from different IP addresses each time and they are all blacklisted. If you research all the IPs you can manually report abuse. 

Edited by ninth
add
Link to comment
Share on other sites

3 hours ago, ninth said:

Did you try this?

OVH was sent reports in all tracking URLs above but other reports were sent to serverpronto UCLA Halo-group cloudflare and akamai. The spam is being sent from different IP addresses each time and they are all blacklisted. If you research all the IPs you can manually report abuse. 

The problem is that this would need that I'd spend 10 minutes on each spam by analysing all of them myself …

Edited by Gingko
Link to comment
Share on other sites

20 hours ago, Gingko said:

In none of these cases, any IP address or domain name belonging to me was quoted in the Spamcop's reports subjects. This implies that OVH has not taken any account of the information given by Spamcop, and that they analysed themselves the spam headers following their own understandings.

And actually my server's IP was not visible in any of these spams either.
There was only my server's domain name (kim8.reeves.fr), always in position “Received by”, that they must submit to a DNS server in order to get the IP.

To me, this implies a huge lack of intellectual faculties.

I do absolutely agree with the last statement, albeit I'd point in the direction of OVH who according to the first statement apparently have either an incompetent abuse team, or none at all... any competent IT person would be able to see where the spam came from, and who the recipient thereof is, and furthermore, if a spammer receives spam from himself, he definitely wouldn't report himself.... I know, Russell's Corollary of Rule #3

Link to comment
Share on other sites

14 hours ago, Gingko said:

The problem is that this would need that I'd spend 10 minutes on each spam by analysing all of them myself …

We all have busy lives and SC is flat out 24/7 fighting the good fight:

https://www.spamcop.net/spamgraph.shtml?spamstats

You are barking up the wrong tree expecting a forum to fix your multitude of IT problems. The main purpose is to discuss anti-spam and SC email issues and to develop a comprehensive library of knowledge for research eg have you looked up forgery on here, also relevant email forgery. This subject is well covered.

Edited by ninth
add
Link to comment
Share on other sites

2 hours ago, ninth said:

We all have busy lives and SC is flat out 24/7 fighting the good fight:

https://www.spamcop.net/spamgraph.shtml?spamstats

You are barking up the wrong tree expecting a forum to fix your multitude of IT problems. The main purpose is to discuss anti-spam and SC email issues and to develop a comprehensive library of knowledge for research eg have you looked up forgery on here, also relevant email forgery. This subject is well covered.

Initially, I was only looking for arguments or resources that I could use to be able to tell OVH that they can't just be so casual as to ask me not to use Spamcop.

But the discussion then evolved to question the problems with the management of mailhosts as well as the near impossibility for anyone to create a new Spamcop account due to the fact that the registration captcha had been designed to work with Internet Explorer, and that the disappearance of this navigator as well as the concomitant evolution of other navigators made the passage of this captcha become an obstacle course, requiring the use of the workaround mentioned above.

At this point, communication with the Spamcop development team would have seemed clearly necessary.

But the only existing resource that seems to exist for this seems to be this page, which only has 2 (possibly) email addresses related to this, and possibly (indirectly) a few other ways that aren't much better:

My own experience of this type of communication, combined with the very long age of this page, as well as the almost anecdotal maintenance of the site for a very, very long time, leads me to think that it is not even worthwhile for me to try to settle the problems using these email addresses. I'll likely never get any answer … and even if I get one, I'll probably still have to fight against a huge will not to acknowledge the problems.

I would have expected that at least some members of the development team follow this forum (or part of this forum), and be ready to intervene when it seems necessary.

When developers don't WANT to communicate, they know very well how not to communicate.

Link to comment
Share on other sites

40 minutes ago, Gingko said:

I would have expected that at least some members of the development team follow this forum (or part of this forum), and be ready to intervene when it seems necessary.

They do and the app is in production not development and the last maintenance work was scheduled March 2023 see announcements.

Link to comment
Share on other sites

Good morning, bonne journée,

about 20 years ago, communications with development would have worked here, but since, much has changed.
SC was sold to cisco/IronPort and has only been adapted to IPv6 lately.
When Julian initially developed SC, changes were constantly happening and communication was at its peak.

SC has, since cisco's takeover, only been modified minimally and I do not expect much to happen.
Dialogue with ISPs is going to become harder and harder, not because of SC but because of the way they, the ISPs, do business. With the implementation of AIs this dialogue will become even more one-sided and the lack of good IT personnel won't help the situation. For a while, IT departments have been shipped to India, just like call centers. I'm not saying everybody has done this, but the trend points in that direction. (at least that's the way it appears to me).

We are just mere users with some experience trying to help anyone with questions or give some advice... We have no access to the system, but I am almost sure that there are members from the old and new dev team that read the forums occasionally. 👋 hi devs...

Link to comment
Share on other sites

24 minutes ago, ninth said:

They do and the app is in production not development and the last maintenance work was scheduled March 2023 see announcements.

Which announcements ? Here ?

Ok.

Will see if it makes any changes to the captcha registering problem.
This is now my main clue.

But I have some doubts.

The last of our changes to our SpamCop mail servers
This should not affect the SpamCop website.

You know what I mean?

 

Edited by Gingko
Link to comment
Share on other sites

The computer system that needs fixing is yours Gingko with the help of telco and ISP as nobody else has the access.

Robi is right that getting helpdesk support is hard these days and if you do get past the chatbot they will be able to reset passwords and alike although they will rarely escalate the problem to technical teams. Buck passing is the preferred method to resolve problems - it's fine at our end must be your end. 

Due to experiencing high levels of enquiries there are delays and we will be in touch shortly. In the meantime go to our help center and FAQ...as we did not receive a reply in the last 5 minutes we have closed this ticket and marked as resolved. Thank you for your patience and continuing support of our service.

Link to comment
Share on other sites

6 hours ago, ninth said:

The computer system that needs fixing is yours Gingko with the help of telco and ISP as nobody else has the access.

It is just necessary to try to register on Spamcop from scratch.
Tested on several browsers (Firefox, Chrome, Opera, Safari) on several computers and operating systems (Windows 10, Mac OS, Android).


I have only found a few browsers on Linux (like Firefox 102.10.0esr on Linux Debian 11) so far that seem to escape this captcha problem.

I am sure that users of such configurations will be delighted to learn that they are among the only ones who can still create a Spamcop account without using unexpected workarounds.

And I have always been impressed by the astonishing ability of some people to place themselves in denial in the face of the most obvious things.

Link to comment
Share on other sites
