jakeqz Posted October 4, 2023 (edited)

Every time I report a spam message received at my Hotmail account, SpamCop determines the contact for "administrator of network where email originates" to be report_spam@hotmail.com. However, inspection of the mail headers shows that not to be the case, e.g.:

Received: from AS8P193MB2383.EURP193.PROD.OUTLOOK.COM (2603:10a6:20b:44c::5) by AS8P193MB2382.EURP193.PROD.OUTLOOK.COM with HTTPS; Tue, 3 Oct 2023 15:28:10 +0000
Received: from DU2PR04CA0207.eurprd04.prod.outlook.com (2603:10a6:10:28d::32) by AS8P193MB2383.EURP193.PROD.OUTLOOK.COM (2603:10a6:20b:44c::5) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6813.36; Tue, 3 Oct 2023 15:28:09 +0000
Received: from DB8EUR05FT010.eop-eur05.prod.protection.outlook.com (2603:10a6:10:28d:cafe::15) by DU2PR04CA0207.outlook.office365.com (2603:10a6:10:28d::32) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6838.33 via Frontend Transport; Tue, 3 Oct 2023 15:28:09 +0000
Authentication-Results: spf=pass (sender IP is 209.85.214.181) smtp.mailfrom=gmail.com; dkim=pass (signature was verified) header.d=gmail.com;dmarc=pass action=none header.from=gmail.com;compauth=pass reason=100
Received-SPF: Pass (protection.outlook.com: domain of gmail.com designates 209.85.214.181 as permitted sender) receiver=protection.outlook.com; client-ip=209.85.214.181; helo=mail-pl1-f181.google.com; pr=C
Received: from mail-pl1-f181.google.com (209.85.214.181) by DB8EUR05FT010.mail.protection.outlook.com (10.233.238.203) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6863.25 via Frontend Transport; Tue, 3 Oct 2023 15:28:09 +0000
X-IncomingTopHeaderMarker: OriginalChecksum:1830A70AD80F9A9C5DDA0956A6565E0F07486E1A53319B5F648B1C48091097A4;UpperCasedChecksum:F6F09C646996FB69260BCD16869957B70CCEA6E4056F0FB0C4A00A22B3220D63;SizeAsReceived:2722;Count:15
Received: by mail-pl1-f181.google.com with SMTP id d9443c01a7336-1c724577e1fso8065395ad.0 for <REDACTED@hotmail.com>; Tue, 03 Oct 2023 08:28:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1696346889; x=1696951689; darn=hotmail.com; h=to:from:subject:mime-version:date:message-id:from:to:cc:subject :date:message-id:reply-to; bh=SrLg2YvJLmqd/+QGi/H6iXVpfTMuSJ/YkMnF3dKFxcY=; b=inLfrt/5c226G2qeHRW4LBG8CN1hEFspRxBc9OpLZPfy1DvHy0Rm1Dp7rH3cnObzwC FfiF5OopH1nHYCNRSlLcHA4Yh8ON5/lcd3HyF4gqx4bM4fjEhnX15ardKHATJYUwIiL5 WhTgym6KzAZ6ssPgkqRH1CMXh9d6Vrmmwl7+MqIlokt/4tygvusCi67m5nLGUyElcrIn vhfgWV3Zr/AK/LDK7XmcPvhVKnn6l3/DcrXqONCWO8NRgBUsFuxHiyajDcjG196dTnqm niLqcDuMFZK5J8vVBeRzbaY2QFc/XIKm7V2zyGizduZmYlrve9w7ZB9ahIGOm1mMUQHp ghLQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696346889; x=1696951689; h=to:from:subject:mime-version:date:message-id:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=SrLg2YvJLmqd/+QGi/H6iXVpfTMuSJ/YkMnF3dKFxcY=; b=XOtzEjAUbRUhMuueFPR3cxa3uJh0E4nxH6DENlHbGRgnvj3ygVTKM85EtLFCSkQTEi a4FfE/fN1Z0T7iIHFAuAw08LHeyDw5AIek6yP2cbwavAjmUu5YC1JS17D49ifZ1mQhqT kSHejXedg0LyL0uZDDTfY5qh3m0tzIkinDQKCWNa6zHcD1s3FJBKLgNTTmBgXQ/2HGbK /orVUdXUx5qlytYpufirA73Gt5P5Xp2FlAPvrjT0sETStHbtX/7FFw+ULYlSWkYp9nuT BPlfHBdCxsFeJP9dN/ede/WXndmIrm1nfQHihly32ZRIM61XIJtYbW1vOQiQSFR5OxR6 tEyw==
X-Gm-Message-State: AOJu0YwJLUyGX20LZl+O5SxCIaqp3yQjJHIWR9rYgpaDz36Pc85hu5CP pxUgS3eaH+6OurJqH5F8ex7xaRUEB+YoUA==
X-Google-Smtp-Source: AGHT+IHjAbwzOFNeIlpniig2zRnSU6TaV+3PT+rABrqG4ehNHpUCCJLU505M1rpEM7ZWBMKSNJw0EA==
X-Received: by 2002:a17:902:f7cf:b0:1c6:dcb:1e31 with SMTP id h15-20020a170902f7cf00b001c60dcb1e31mr13918357plw.4.1696346888858; Tue, 03 Oct 2023 08:28:08 -0700 (PDT)
Return-Path: REDACTED@gmail.com
Received: from [172.26.16.51] ([43.153.79.51]) by smtp.gmail.com with ESMTPSA id n11-20020a170902e54b00b001c446f12973sm1693302plf.203.2023.10.03.08.28.08 for <REDACTED@hotmail.com> (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 03 Oct 2023 08:28:08 -0700 (PDT)

It seems to me that this email originated from Google, but this is not being picked up by SpamCop. Is it missing some of the earlier headers added lower down due to something Microsoft have inserted? Or am I missing something? Or maybe it relates to this:

Quote
Parsing header:
Received: from AS8P193MB2383.EURP193.PROD.OUTLOOK.COM (2603:10a6:20b:44c::5) by AS8P193MB2382.EURP193.PROD.OUTLOOK.COM with HTTPS; Tue, 3 Oct 2023 15:28:10 +0000
host 2603:10a6:20b:44c:0:0:0:5 (getting name) no name
Possible spammer: 2603:10a6:20b:44c:0:0:0:5
Received line accepted
Received: from DU2PR04CA0207.eurprd04.prod.outlook.com (2603:10a6:10:28d::32) by AS8P193MB2383.EURP193.PROD.OUTLOOK.COM (2603:10a6:20b:44c::5) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6813.36; Tue, 3 Oct 2023 15:28:09 +0000
Masking IP-based 'by' clause.
Received: from DU2PR04CA0207.eurprd04.prod.outlook.com (2603:10a6:10:28d::32) by AS8P193MB2383.EURP193.PROD.OUTLOOK.COM with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6813.36; Tue, 3 Oct 2023 15:28:09 +0000
host 2603:10a6:10:28d:0:0:0:32 (getting name) no name
2603:10a6:20b:44c:0:0:0:5 not listed in cbl.abuseat.org
2603:10a6:20b:44c:0:0:0:5 not listed in dnsbl.sorbs.net
2603:10a6:20b:44c:0:0:0:5 is not an MX for AS8P193MB2382.EURP193.PROD.OUTLOOK.COM
2603:10a6:20b:44c:0:0:0:5 is not an MX for AS8P193MB2383.EURP193.PROD.OUTLOOK.COM
2603:10a6:20b:44c:0:0:0:5 is not an MX for AS8P193MB2382.EURP193.PROD.OUTLOOK.COM
Possible spammer: 2603:10a6:10:28d:0:0:0:32
Host AS8P193MB2383.EURP193.PROD.OUTLOOK.COM (checking ip) IP not found ; AS8P193MB2383.EURP193.PROD.OUTLOOK.COM discarded as fake.
Routing details for 2603:10a6:20b:44c:0:0:0:5 [refresh/show]
Cached whois for 2603:10a6:20b:44c:0:0:0:5 : abuse@microsoft.com
Using best contacts abuse@microsoft.com
Using rdns to route to correct Microsoft department
host 2603:10a6:20b:44c:0:0:0:5 (getting name) no name
failed, using default abuse@hotmail.com
abuse@hotmail.com redirects to report_spam@hotmail.com
Chain error AS8P193MB2383.EURP193.PROD.OUTLOOK.COM not equal to last sender
received line discarded

It seems SpamCop may be rejecting genuine Microsoft hostnames as fake when they are in fact not.

Edited October 4, 2023 by jakeqz: remove extra blank lines from paste
petzl Posted October 4, 2023 (edited)

2 hours ago, jakeqz said:
Every time I report a spam message received at my Hotmail account, SpamCop determines the contact for "administrator of network where email originates" to be report_spam[AT]hotmail[DOI]com.

Years ago Hotmail abuse wanted SpamCop reported to a different address. This may now be an ignored legacy address? Might pay to click refresh for IP address to see if it changes. Just tried refresh and it seems hard coded to a now bitbinned address IMO.

Edited October 4, 2023 by petzl
jakeqz Posted October 5, 2023 (Author)

23 hours ago, petzl said:
Years ago Hotmail abuse wanted SpamCop reported to a different address. This may now be an ignored legacy address?

You seem to be answering a different question from the one I asked. It seems that SpamCop is failing to parse the email headers received at Microsoft accounts, for example failing to recognize that the originator of a spam email was Google (or whoever), and thus failing to send spam reports to the originator's ISP. This is not related to the reporting address for spam originating from Microsoft's systems. I am referring to spam that has originated elsewhere, that is *received* by a Microsoft-based email account.
Lking Posted October 5, 2023

If you would provide the Tracking URI for the message the rest of us could see the parser's results.
jakeqz Posted October 5, 2023 (Author)

14 minutes ago, Lking said:
If you would provide the Tracking URI for the message the rest of us could see the parser's results.

https://www.spamcop.net/sc?id=z6863858533zda313e960ea36c0c2f11f0d79ce8ae4fz

(Didn't want to divulge personal information on a public forum and can't redact information from this. But the spammers already have my email address. So be enlightened :))
Lking Posted October 5, 2023

Quote
Date: Tue, 03 Oct 2023 08:28:08 -0700 (PDT)
Content-Type: multipart/alternative; boundary="===============1958825142170769511=="
Subject: Jacob, Payment for order no. GHF383FZ is approved
From: "Jacob Hotson" <thandekathande13@gmail.com>
To: x
X-IncomingHeaderCount: 15

SpamCop anticipated your concern. You see a slightly different screen than the rest of us see. If you log out and browse the forum as a "guest", go to your post and click on the Tracking URL, I think you will see the redacted email.
RobiBue Posted October 5, 2023

Like Lking said, the parser removes personal info (as well as possible). That's why the tracking URL is always helpful.

The problem with hotmail/outlook/microsoft is that their host names do not return IP addresses:

Host AS8P193MB2383.EURP193.PROD.OUTLOOK.COM (checking ip) IP not found ; AS8P193MB2383.EURP193.PROD.OUTLOOK.COM discarded as fake.

So already the first host, failing to return the IP address, causes the parser to throw away the remaining Received: lines and therefore use the first IP address (in this case the IPv6 given on the Received: for that host) to find the abuse contact. This is Microsoft's fault, that they try to hide their hosts, and therefore the spam is presumed to come from them. They should fix their DNS records or keep getting hit by reports.
jakeqz Posted October 5, 2023 (Author)

2 minutes ago, RobiBue said:
The problem with hotmail/outlook/microsoft is that their host names do not return IP addresses:
Host AS8P193MB2383.EURP193.PROD.OUTLOOK.COM (checking ip) IP not found ; AS8P193MB2383.EURP193.PROD.OUTLOOK.COM discarded as fake.
So already the first host, failing to return the IP address, causes the parser to throw away the remaining Received: lines and therefore use the first IP address (in this case the IPv6 given on the Received: for that host) to find the abuse contact. This is Microsoft's fault, that they try to hide their hosts, and therefore the spam is presumed to come from them. They should fix their DNS records or keep getting hit by reports.

That's what I thought. But why can't SpamCop carry on parsing the `Received` header lines to get to the originator, regardless of Microsoft's shenanigans? That way, we would be able to report spam to the originating ISP, who might actually listen.
RobiBue Posted October 5, 2023

SC doesn't continue past the first unmatched host due to the nature of spams: spammers historically insert/inject fake Received: headers to fool systems into parsing past the actual spammer host, and that's where SC usually does its best and stops at the first fake encounter. It is unfortunate that M$ handles their MX hosts the way they do, causing them to be marked as spam source. I maintain that M$ needs to fix their system to the way it was intended, and not the way they would prefer it to be hidden.
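As an added example of the chain walk RobiBue describes (this is not SpamCop's code and not from anyone in this thread), the script below parses the Received: headers quoted earlier in the thread, newest first, and stops at the first hop whose "by" host it cannot verify. DNS is replaced by a constructed stand-in table (STUB_DNS) that mirrors what the parser log above reported: the Google relay has an address, the Microsoft-internal names return none; real DNS may differ. MICROSOFT_SUFFIXES is an assumed trust boundary used only for the second walk, to show what a recipient gets if they are willing to trust the hops stamped by their own provider, which is exactly what a third-party reporter cannot assume.

```python
"""Walk an e-mail's Received: chain the way the thread describes SpamCop doing it.

Added example, not SpamCop's code.  The message is constructed from the headers
quoted in the thread (addresses already redacted there); DNS is a stand-in table.
"""
import email
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Sequence, Tuple

# Constructed sample message: the Received: headers quoted above, newest first.
RAW_MESSAGE = """\
Received: from AS8P193MB2383.EURP193.PROD.OUTLOOK.COM (2603:10a6:20b:44c::5)
 by AS8P193MB2382.EURP193.PROD.OUTLOOK.COM with HTTPS; Tue, 3 Oct 2023 15:28:10 +0000
Received: from DU2PR04CA0207.eurprd04.prod.outlook.com (2603:10a6:10:28d::32)
 by AS8P193MB2383.EURP193.PROD.OUTLOOK.COM (2603:10a6:20b:44c::5) with Microsoft SMTP Server
 id 15.20.6813.36; Tue, 3 Oct 2023 15:28:09 +0000
Received: from DB8EUR05FT010.eop-eur05.prod.protection.outlook.com (2603:10a6:10:28d:cafe::15)
 by DU2PR04CA0207.outlook.office365.com (2603:10a6:10:28d::32) with Microsoft SMTP Server
 id 15.20.6838.33 via Frontend Transport; Tue, 3 Oct 2023 15:28:09 +0000
Received: from mail-pl1-f181.google.com (209.85.214.181)
 by DB8EUR05FT010.mail.protection.outlook.com (10.233.238.203) with Microsoft SMTP Server
 id 15.20.6863.25 via Frontend Transport; Tue, 3 Oct 2023 15:28:09 +0000
Received: by mail-pl1-f181.google.com with SMTP id d9443c01a7336-1c724577e1fso8065395ad.0
 for <REDACTED@hotmail.com>; Tue, 03 Oct 2023 08:28:09 -0700 (PDT)
Received: from [172.26.16.51] ([43.153.79.51])
 by smtp.gmail.com with ESMTPSA id n11-20020a170902e54b00b001c446f12973sm1693302plf.203.2023.10.03.08.28.08
 for <REDACTED@hotmail.com>; Tue, 03 Oct 2023 08:28:08 -0700 (PDT)
Subject: sample

(body omitted)
"""

# Constructed stand-in for DNS, mirroring the parser log quoted in the thread:
# the Google relay returns an address, the Microsoft-internal names return none.
STUB_DNS = {"mail-pl1-f181.google.com": "209.85.214.181"}

def stub_resolve(host: str) -> Optional[str]:
    return STUB_DNS.get(host.lower())

# Assumed trust boundary for the second walk: hops stamped by the receiving
# provider's own servers.  A third party such as SpamCop cannot assume this.
MICROSOFT_SUFFIXES = (".outlook.com", ".office365.com")

@dataclass
class Hop:
    from_host: Optional[str]
    from_ip: Optional[str]
    by_host: Optional[str]
    by_ip: Optional[str]

_FROM_RE = re.compile(r"^from\s+(\S+)((?:\s+\([^)]*\))*)", re.IGNORECASE)
_BY_RE = re.compile(r"\bby\s+([^\s;]+)((?:\s+\([^)]*\))*)", re.IGNORECASE)

def first_ip(text: str) -> Optional[str]:
    """First IPv4/IPv6 literal in text (brackets and parentheses ignored), else None."""
    for token in re.findall(r"[0-9A-Fa-f:.]+", text):
        try:
            return str(ipaddress.ip_address(token))
        except ValueError:
            continue
    return None

def parse_received(value: str) -> Hop:
    """Split one Received: value into its 'from' and 'by' host/IP parts."""
    value = " ".join(value.split())  # unfold continuation lines
    from_host = from_ip = by_host = by_ip = None
    m = _FROM_RE.match(value)
    if m:
        from_host = m.group(1).lower()
        from_ip = first_ip(m.group(2))
        if from_ip is None and from_host.startswith("["):
            from_ip = first_ip(from_host)  # bare address literal, no comment
    m = _BY_RE.search(value)
    if m:
        by_host, by_ip = m.group(1).lower(), first_ip(m.group(2))
    return Hop(from_host, from_ip, by_host, by_ip)

def received_hops(raw: str) -> List[Hop]:
    msg = email.message_from_string(raw)
    return [parse_received(v) for v in msg.get_all("Received", [])]

def walk_chain(hops: Sequence[Hop], resolve: Callable[[str], Optional[str]],
               trusted_suffixes: Sequence[str] = ()) -> Tuple[Optional[str], str]:
    """Walk newest-first; return (last verifiable origin IP, why the walk ended).

    An untrusted hop is kept only if its 'by' host resolves (otherwise it is
    treated as fake, as in the parser log above) and is tied to the previous
    hop's sender by name, by IP literal or by the resolved address.  Hops whose
    'by' host ends with a trusted suffix are accepted without checks.
    """
    def is_trusted(host: Optional[str]) -> bool:
        return host is not None and host.endswith(tuple(trusted_suffixes))

    origin = last_host = last_ip = None
    for n, hop in enumerate(hops, start=1):
        if n > 1 and not is_trusted(hop.by_host):
            if last_host is None:
                return origin, f"hop {n}: previous hop has no 'from' clause, chain cannot continue"
            resolved = resolve(hop.by_host) if hop.by_host else None
            if resolved is None:
                return origin, f"hop {n}: by-host {hop.by_host} does not resolve, discarded as fake"
            linked = hop.by_host == last_host or (last_ip is not None and last_ip in (hop.by_ip, resolved))
            if not linked:
                return origin, f"hop {n}: chain error, {hop.by_host} not equal to last sender {last_host}"
        if hop.from_ip is not None:
            origin = hop.from_ip
        last_host, last_ip = hop.from_host, hop.from_ip
    return origin, "all hops consistent"

if __name__ == "__main__":
    hops = received_hops(RAW_MESSAGE)
    for mode, suffixes in (("strict, third-party view", ()),
                           ("trusting the receiving provider", MICROSOFT_SUFFIXES)):
        origin, why = walk_chain(hops, stub_resolve, suffixes)
        print(f"{mode}: origin {origin} ({why})")
```

The strict walk reproduces the parser log in the thread: the second hop's by-host does not resolve, so the walk ends with the Microsoft IPv6 address as the only verified origin. The trusting walk reaches 209.85.214.181 (the Google relay) and then stops, because the "Received: by mail-pl1-f181.google.com" line carries no "from" clause to chain the next hop to. The trusting walk is only sound for the recipient or their provider: any line below the first hop you cannot verify could have been written by the sender, which is RobiBue's point about why a third-party parser stops where it does.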
jakeqz Posted October 5, 2023 (Author) (edited)

27 minutes ago, RobiBue said:
SC doesn't continue past the first unmatched host due to the nature of spams: spammers historically insert/inject fake Received: headers to fool systems into parsing past the actual spammer host, and that's where SC usually does its best and stops at the first fake encounter. It is unfortunate that M$ handles their MX hosts the way they do, causing them to be marked as spam source. I maintain that M$ needs to fix their system to the way it was intended, and not the way they would prefer it to be hidden.

Hmm. M$ spam filtering is awful. They keep putting genuine mail in the Junk folder and spam in the inbox, regardless of DKIM or SPF. It was so atrocious that I used to have a filter to move any email with `@` in the sender address to the inbox - until they decided that filters could only be run after spam classification and not on the 'junk mail' folder. They also randomly reject messages with 550 codes because "part of your network is on our blocklist". These are emails sent via GoDaddy. I've tried to contact both companies to resolve the problem. Both blame each other.

If Microsoft made cars, they would crash every 50 miles. I hope they are not involved with self-driving cars. Though I don't trust the other players either. Once they are unleashed, I will be cowering at home, watching RoboCop or 2001.

Edited October 5, 2023 by jakeqz
ninth Posted October 5, 2023 (edited)

Soooo I get my new M$car and a couple of years down the track the V2 SW updates stipulate I can only fill up at M$petrol stations, and soon after that I can only use certified M$mechanics and genuine parts for service and repairs. Then the M$battery model is released with 256 cameras to ensure a personalized experience, and the battery slowly fails 4 years on and a new one costs an arm and a leg. Bill buys out Tesla and Twitter so he can corner the market... again, and boast about being the world's richest twit on his account.

Edited October 5, 2023 by ninth: add