spam

General discussions and other topics.
20 posts Page 2 of 2
by ankh » Tue Apr 19, 2016 11:24 am
PS, this is Spamcop's explanation of what it needs, from their example page.
That's what's missing and needs to be included in the graymail item, to let the spam be reported to Spamcop.

EXAMPLE:

Received: from julianhaight.com (usr25-dialup4.mix1.Sacramento.mci.net [166.55.9.4])
by sam.julianhaight.com (8.8.7/8.8.7) with ESMTP id MAA14120;
Sat, 7 Mar 1998 12:08:52 -0800


"Notice the line marked in red. This is the most important part of the header that SpamCop cares about. This is called a received line. Some email messages have only one received line, some have more than one. Every time the email makes a "hop" from one server on the internet to another, one more received line is added. They can be used to track the email back along its path to the origin. Without this information, SpamCop can do nothing. All the other information in the header is suspect (it can be faked). The received line portion of the header always contains SOME kernel of truth. SpamCop separates the kernel from the chaff in order to find the true source of the spam."
by ankh » Wed Apr 20, 2016 6:29 am
OK, something changed, maybe enough.

As noted above I was getting 2 kinds of graymail
-- some with malware/viruses and the letter icon ".eml" attachment (those I could open, see full headers and forward to Spamcop where they got parsed and I could report them
-- some (mostly softbank) with no malware, no letter icon, and no headers I could forward.

Now I'm getting the little envelope icon at the bottom of all the graymail (.eml file) and the paperclip icon at the top
Here's a typical header, all I can see:

From: Roberta.Elmore@m.mx.sonic.net
Subject: ****SPAM(12.2)**** Finally get that job with a Degree
Date: April 20, 2016 at 2:28:21 AM PDT
To: hank@spamcop.net


(forwarded back to my Sonic address by Spamcop, which is no longer filtering spam, just a forwarding service for people with addresses there -- spam has to be explicitly reported before they notice it now.)



I can open that attachment with Mac Mail or other things and see all the graphics.
I can set Mac Mail to view all headers and they're there
Testing that to see if it will contain all the headers needed to forward it so Spamcop can get it parsed.

I'll forward some of this morning's batch to the same support address.
by ankh » Wed Apr 20, 2016 6:43 am
OK, that seems to be working now.

Still have to open the attachment with Mac mail -- which is probably some risk.

Is there any way I can forward the "attached file" -- letter icon, .eml file type -- to the Spamcop forwarding address and have the contents parsed?

Also, sigh --the most prolific spammer hitting me, "hetzner.de" doesn't accept spam reports so the reports just go to devnull at Spamcop. I guess they at least do some statistics with them.

From: Roberta.Elmore@m.mx.sonic.net (Finally get that job with a Degree)
Don’t like the job you work at and you think about changing it for something bet
ter? - Is your lack of a degree holding you back from career advancement?-
Re: 136.243.189.197 (Administrator of network where email originates)
To: abuse#hetzner.de@devnull.spamcop.net (Notes)
by ankh » Wed Apr 20, 2016 7:21 am
And - just now - got a new graymail lacking the attachment, no letter icon, no .eml file
So the fix is intermittent somehow

Forwarded that separately to gkeller (support) as requested earlier.

I'll stop throwing them at you 'til I hear something, unless you want me to keep forwarding examples.
by ankh » Fri Apr 22, 2016 7:29 pm
Boiling a long exchange down, perhaps too far:

SpamAssassin adds its own headers to email before the email appears in Graymail

That stuff has to be removed before submitting to Spamcop or it tries to report Sonic (the "Mailhosts" thing at Spamcop, when done completely, stops that from happening -- but the reporting tool still chokes on it.

To report the original spam (from the Graymail folder) to Spamcop,
-- in Sonic Webmail right click the message,
-- choose "More" from the pulldown menu,
-- choose "Show Source"
-- scroll down until you find the beginning of the original mail headers, skipping all the SpamAssassin stuff.
-- Hilight from there to the end, copy, and paste into the Spamcop reporting tool window.

There's no option to get the original spam without the extra stuff, nor to remove the extra stuff to get back to the original -- except by doing this one message at a time, "by hand"
----------------

Many other possible approaches have been suggested that "ought to be an option" or "ought to work" or "ought to be there" in Mac Mail or Thunderbird or other tools -- but aren't, didn't, and weren't.
by ankh » Sat Apr 23, 2016 7:43 am
P.S. -- a neighbor wondered aloud to me why bother trying to report spam to Spamcop (particularly about sources that refuse to accept spam complaints, notably "hetzner.de" which barfs Spanish-language spam daily).

Here's why I bother (and I've gotten some encouragement from Sonic support folks to persist):

-----------------quote---------
SpamCop tries to provide reports to abuse addresses as a byproduct service of its primary goal of feeding statistics to the database that is used to determine whether spam source IP addresses should be included in the SpamCop blacklist and your submissions, even those whose reports to hetzner are devnulled, contribute to those statistics. And there's nothing stopping you from complaining directly to hetzner, yourself, although in case the reason that SpamCop is "devnulling" reports is that hetzner shares spam complaints with their spammers, you might want to do that from a "throw-away" e-mail address.
---------------- http://forum.spamcop.net/forums/topic/1 ... y-with-it/

And here's how: https://www.spamcop.net/anonsignup.shtml

Note this isn't simply point-and-grunt stuff, it would be easier if I were a programmer.
But I'm not, and I'm able to work through the complications involved without too much effort.

It really does seem to have an effect. If I take a break from reporting, more spam starts showing up in graymail and getting through to inbox. Once I start reporting what I see, within a few days, _those_particular_ source IP addresses get blocked and the spam drops off for a while, from those addresses. Yeah, they work around that.
by ankh » Mon Apr 25, 2016 11:51 am
[outdated, deleted to save electrons]
by ankh » Wed May 04, 2016 9:46 am
As a general heads-up: if you're reporting to SpamCop, make sure you look at the draft reports before submitting them, because there are several different ways of hiding your identification in the reports -- SpamCop tries to change anything like that to [x] but sometimes fails.

I learned this the hard way -- trusted the submitted reports for about three days, and that triggered a deluge of additional spam.

There's some discussion at http://forum.spamcop.net/topic/16651-no ... ment-95298 where I'm being slowly educated.
by ankh » Tue May 10, 2016 10:21 am
Dang, I'm not sure how long this has been happening.

Spamcop is now sending out the reporter's IP address to the spammers.
If you have a fixed IP like I do, this might as well send your name, address, and phone number to the spammers. Not good.

(some digits changed to "n" in this quote since the spammers harvest everywhere)

Received: from [75.101.5n.nnn] by spamcop.net
with HTTP; Tue, 10 May 2016 17:16:20 GMT
From: "x" <preview@reports.spamcop.net>


There doesn't appear to be any way to edit this out -- it's not in the spam being reported, it's added by SpamCop to the reports they send out to all the sites that were involved in sending the spam.

I'm not going to report any more to SpamCop unless they can fix this.
by ankh » Wed Jun 05, 2019 7:29 pm
Belated followup: I went back to reporting spam to Spamcop because I was overwhelmed with spam here at Sonic.

Eventually their forums
http://forum.spamcop.net/topic/37788-re ... ce/?page=3

advised asking Spamcop's support about the header problems, and they found and fixed an internal problem of some sort with analysis of the email headers. Reports are now mostly being accepted and I know where to send the problem reports.
20 posts Page 2 of 2

Who is online

In total there are 3 users online :: 0 registered, 0 hidden and 3 guests (based on users active over the past 5 minutes)
Most users ever online was 422 on Sat May 26, 2012 5:28 am

Users browsing this forum: No registered users and 3 guests