Is KnuJon getting a report?

[Spamnophobic]

As of yesterday I have unmoled and have added my personal KnuJon reporting address in my reporting preferences. Conveniently, a juicy lottery scam spam landed in my SpamCop webmail Inbox and I (Quick) reported it. I got no confirmation since yesterday, so I went to my reporting history, where it said:

"Submitted: dinsdag 13 maart 2007 19:05:33 +0100:

Prize Ref No: UK/9420X2/68

No reports filed".

To see why no reports were filed I parsed the entire source again and then cancelled the report after making copies of the report and the entire message. Now I would have posted the tracking URL, but I see that it contains my private KnuJon reporting address. Is it safe to post the URL, or should I mung that out of my copy and then post the entire copy "here", or what should I do?

In the header I see what seems to me to be a remarkable constellation of private, non-routable IP-addresses, so I can understand that the parser may be confused. No doubt this is what the spammerscammers intend. While this is undesirable of course, my primary concern at the moment is to get this racket reported to KnuJon via my private address, so I can watch to see if it gets taken down. Thereby I hope that the SpamCop parse details will be useful.

So my question is: "No reports filed" (noting that stuff is still being devnulled in spite of my unmoling) although the KnuJon report is ticked and the address correct. Has a report gone to KnuJon or not? If not, and I can find out quickly enough, then I'll submit one manually. But in the future it would be nice if SpamCop did it for me. I suppose the fact that I cancelled the second parse is no doubt responsible for some of the devnulling, but it all leaves me in confusion as to what reports, if any, were sent, and if not, why not.

A second question is of course, how does the parser get on with private IP addresses in the header? For some reason the parser seems to have interpreted them as "Internal handoffs by trusted sites" with a completely different IP to the private one in the header. How this could be is way out of my depth technically.

I realise it will be difficult to answer the latter questions without seeing the report. So if "someone" could answer the first question, I'll post again quickly with the appropriate information. Thanks.

Penny

[StevenUnderwood]

In the header I see what seems to me to be a remarkable constellation of private, non-routable IP-addresses, so I can understand that the parser may be confused. No doubt this is what the spammerscammers intend. While this is undesirable of course, my primary concern at the moment is to get this racket reported to KnuJon via my private address, so I can watch to see if it gets taken down. Thereby I hope that the SpamCop parse details will be useful.

Was this message received via GMail, perhaps? There is another thread in the same forum dealing with a similiar problem with GMail. Please read it.

[SpamCopAdmin]

Now I would have posted the tracking URL, but I see that it contains my private KnuJon reporting address.

The Tracking URL from the top of the parse page does NOT contain any secret information. It is always appropriate to post a Tracking URL.

- Don D'Minion - SpamCop Admin -

[Spamnophobic]

Thanks Don. I've now indeed discovered that unless you're logged in as me, you won't see the user-defined KnuJon report bit. That bit I've copied, munged and added. The URL is:

http://www.spamcop.net/sc?id=z1251557822zd...02b865242bde5az

Plus:

Re: 24.71.223.10 (User defined recipient)

myID at coldrain.net

This was ticked, as was the sjrb.ca address, in the original "No reports filed" report (which I can no longer access.)

Was this message received via GMail, perhaps? There is another thread in the same forum dealing with a similiar problem with GMail. Please read it.

Thanks Steven for your suggestion. I presume you mean this thread:

http://forum.spamcop.net/forums/index.php?...36&hl=GMail

The header IP constellation does look similar, though there is no mention of GMail. Can you shed any light on what the parser is making of it? Is it a succesful spammer ploy to fool the parser? Rather than attempt a manual complaint, if that, by analogy with the GMail example, is what would be needed, I would rather report the scamspam to KnuJon and let them deal with it.

Can anyone say whether reports have gone to KnuJon, and the other places which ought to get them now I've shed my moley fur? Thanks.

Penny

[StevenUnderwood]

Thanks Steven for your suggestion. I presume you mean this thread:

http://forum.spamcop.net/forums/index.php?...36&hl=GMail

The header IP constellation does look similar, though there is no mention of GMail. Can you shed any light on what the parser is making of it? Is it a succesful spammer ploy to fool the parser? Rather than attempt a manual complaint, if that, by analogy with the GMail example, is what would be needed, I would rather report the scamspam to KnuJon and let them deal with it.

Can anyone say whether reports have gone to KnuJon, and the other places which ought to get them now I've shed my moley fur? Thanks.

Penny

Yes, that is the thread of which I spoke.

It looks like you have a mailhost named SpamCop that SHOULD be labeled Shaw (or something similiar). The message seems to have come from inside the Shaw.ca network, unless there are missing headers.

We will not be able to tell you if a report has gone to KnuJon unless we see the original TrackingURL. You can do the same. You would look for a line similiar to:

Reports regarding this spam have already been sent:

Reportid: 2196640985 To: cancelled[at]devnull.spamcop.net

[Spamnophobic]

Steven, thanks. I definitely do not have any mailhosts at Shaw. My only mailhosts are here at the DDS and of course SpamCop e-mail itself, and seem to be fully registered. In the version of the report to which my tracking URL leads, I see, but only if I am logged in, exactly:

"Reports regarding this spam have already been sent:

Reportid: 2196640985 To: cancelled[at]devnull.spamcop.net"

So I am still wondering whether this report has been sent, or cancelled.

I do not have a tracking URL more original, or indeed any other tracking URL for this spam; the first report (which I see via Past Reports, set Report History to Last Week) contains no hyperlink and consists only of the text:

"Submitted: 13 March 2007 19:05:33 +0100:

Prize Ref No: UK/9420X2/68

No reports filed"

(Date is in English now as I'm at home.)

I received no e-mail confirmation from this report (which I otherwise always did receive in the molehole), which prompted me to try to find out if a report had gone to KnuJon, and to look at the information from parsing the header, as described.

Does anyone have further thoughts about the header and its parse?

Penny

[StevenUnderwood]

"Reports regarding this spam have already been sent:

Reportid: 2196640985 To: cancelled[at]devnull.spamcop.net"

If that is the only TrackingURL ever used to report that spam, then the only report made was cancelled.

[SpamCopAdmin]

Just so there's no confusion...

The only time the system will send "Personal copies of outgoing reports" is when you manually report the spam after logging into your reporting account here. It doesn't come into play if you report spam from the webmail interface or by using the link you get returned from email submissions.

- Don D'Minion - SpamCop Admin -

[Spamnophobic]

Thanks for that clarification Don.

I have now forwarded the spam to KnuJon (it's now too old for a SpamCop report), and in future will have to "two-step" report scams, phishing, etc. to get SpamCop to send reports to KnuJon. Not a problem.

I still far from understand the parse. I wonder:

1. Why did the parser resolve "Received from [10.0.x.x] ..." to "Internal handoff by trusted site 24.71.223.10"?

2. Why does SpamCop trust 24.71.223.10 when (a) this is apparently the source of the spam and ( it is listed on dnsbl.sorbs.net (see parse)? By the way, (separate issue so maybe I should put it into a different or new thread?) I have this blacklist ticked in my "Email filtering blacklists" in webmail, yet it didn't get put in Held Mail.

I checked 24.71.223.10 at SORBS and discover it's in dynamic IP space. I presume therefore it's an end-user machine and thus may well be zombied. Doesn't seem trustworthy to me. Then again, as per March 13th SORBS also says "Listed as an exception and therefore NOT blocked", whatever may be behind that statement. It certainly seems to have sent me a nasty scam. (Or perhaps I really did win a lottery prize?)

3. Why was the report to internet.abuse[at]sjrb.ca not sent? (SpamCop staff have since confirmed that I have sent 0 reports since unmoling.) This was not a private report. Is it because SpamCop trusts this IP? Or does Quick Reporting lead to never sending any reports? That, it seems to me, would make sending Quick Reports exactly the same as mole reporting. So before I was twice a mole and am now but once?

Still somewhat confused ex-mole (Penny)

[StevenUnderwood]

Most of these should be answered authoritatively by a deputy (continue with Don since you have his ear). Here is my take on it.

1. Why did the parser resolve "Received from [10.0.x.x] ..." to "Internal handoff by trusted site 24.71.223.10"?

The 10.0.x.x addresses are private for use on internal networks.

It would be possible (though unlikely) that every one of Shaw's customers does not receive a public address but instead receives a private one. That is how the majority of businesses operate right now.

2. Why does SpamCop trust 24.71.223.10 when (a) this is apparently the source of the spam and ( it is listed on dnsbl.sorbs.net (see parse)?

(A)It was found as the source of the spam only because all previous hops were on their internal network. That machine itself is NOT the true source of this spam, but is as far back as spamcop can go with the headers provided. Again, this is similiar to the GMail issue where the packets never left the google network.

(B)The decisions of another entity has nothing to do with the trust established with SpamCop. This IP address is possibly one of the outgoing SMTP servers and past experience has shown that it can be trusted that it provides the IP address of the machine sending it the message.

[SpamCopAdmin]

1. Why did the parser resolve "Received from [10.0.x.x] ..." to "Internal handoff by trusted site 24.71.223.10"?

IP addresses starting with 10 are reserved for internal use only. They can't (not possible) be used to send or receive mail to/from outside the local network. SpamCop knows that, and correctly identifies the "Received" line as part of an internal hop (handoff).

2. Why does SpamCop trust 24.71.223.10 when (a) this is apparently the source of the spam

"Trusted" simply means that we have flagged the IP as being trusted to accurately record the source IP when it handles mail. That's the limit of the "trust."

The IP looks like a dynamic IP to me, so I removed the trusted flag. It is sending spam like crazy, and leaving it as "trusted" could lead to fooling SpamCop into accepting a spammer forgery. Bad JuJu.

it is listed on dnsbl.sorbs.net (see parse)? By the way, (separate issue so maybe I should put it into a different or new thread?) I have this blacklist ticked in my "Email filtering blacklists" in webmail, yet it didn't get put in Held Mail.

The SORBS listing appears to be somewhat fluid.

>- X-SpamCop-Checked: 192.168.1.101 24.71.223.10 ...

That line shows that the SpamCop filters looked at 24.71.223.10 when you got the mail, but the IP wasn't on any blocking lists at the time.

If the email had been diverted to your Held Mail, the headers would have also shown an "X-SpamCop-Disposition" line citing the reason for the blockage.

3. Why was the report to internet.abuse[at]sjrb.ca not sent?

Because you cancelled the report.

You submitted the same spam twice. Once on the 13th, and again on the 14th. The one from the 13th is waiting to be reported (too old now), and the one on the 14th was processed but cancelled. I can't tell how the spams were submitted.

- Don -

[Spamnophobic]

Steven and Don, thank you once again for your help.

Don, thank you for your answers to (1) and (2) and action on (2). Regarding Quick Reporting, I have now Quick Reported another spam, which did result in a notification, and the basic reports have been sent, so my "double mole" hypothesis is definitely disproved, fortunately.

As to my first report, which you see still waiting to be reported (although now too old to report), all I can see of it in my Report History is:

Submitted: dinsdag 13 maart 2007 19:05:33 +0100:

Prize Ref No: UK/9420X2/68

No reports filed

No report ID, no tracking URL (I didn't receive an e-mail notification). Nothing clickable, no "You have unsent reports" notification anywhere in my SpamCop web interface that I can see. So I can find no way to get at it to cancel it. It is not clear to me how this can come about, but I suppose now I'm no longer a mole I should stop wanting to turn over every square centimetre of earth and let you guys get on with more important things! I would appreciate it though if SpamCop staff would cancel it for me.

Cheers, Penny

[SpamCopAdmin]

So I can find no way to get at it to cancel it.

That's all irrelevant. The spam is too old to report. Forget about it and move on. It is too old to process, so it can't be reported or cancelled. It will remain forever in your report history as unreported.

It is not clear to me how this can come about

You submitted the spam and didn't report it. That's all there is to it. We'll never know why it didn't get reported.

- Don -

[Spamnophobic]

Forget about it and move on

How could I forget my first non-mole report?