can't grok the issue - been years since I looked at this - now clueless
as to wtf...

https://www.spamcop.net/sc?id=z6765414372z951c9aab132b0e5ee54b6b0bef07d505z

On 7/12/22 3:13 PM, jrg wrote:
> can't grok the issue - been years since I looked at this - now clueless
> as to wtf...

Try starting by asking a question other than implying wtf. ;-)

What are you trying to figure out?

--
Grant. . . .
unix || die

On 7/12/22 15:02, Grant Taylor wrote:
> On 7/12/22 3:13 PM, jrg wrote:
>> can't grok the issue - been years since I looked at this - now
>> clueless as to wtf...
>
> Try starting by asking a question other than implying wtf.  ;-)
>
> What are you trying to figure out?
>
>
>
sorry, Grant, I thought the output would be clear to those that
understood this - this isn't to say you don't, its that apparently s/cop
semi-retired before I could learn how they did what they do. I've never
been an admin, just a spam weary user. When I had to change isps, I
wasn't able to change my user name but it worked anyway up to here. So
for me, changing mailhosts is a wtf moment and I don't know if even
possible now.

Parsing header:
0: Received: from 144.160.244.37 (EHLO alph770.prodigy.net) by
10.213.242.213 with SMTPs (version=TLS1_2
cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256); Tue, 12 Jul 2022 06:55:13
+0000
Hostname verified: alph770.prodigy.net
Possible forgery. Supposed receiving system not associated with any of
your mailhosts
Will not trust this Received line.
Mailhost configuration problem, identified internal IP as source
Mailhost:
Please correct this situation - register every email address where you
receive spam
No source IP address found, cannot proceed.
Add/edit your mailhost configuration
Finding full email headers
Submitting spam via email (may work better)
Example: What spam headers should look like
Nothing to do.

On 7/12/22 17:36, jrg wrote:

> Mailhost configuration problem, identified internal IP as source
> Mailhost:
> Please correct this situation - register every email address where you
> receive spam
> No source IP address found, cannot proceed.
> Add/edit your mailhost configuration

It seems I have no access to accomplish this, so I guess what I need to
know is if am I spinning my wheels here. Only reason being, I received
2 of these spam same day, one spoofing paypal and one netflix. Curious...

On Tuesday, 12 July 2022 17:36 -0700,
in article <tal438$jne$1@gioia.aioe.org>,
jrg <jeff.g.group@att.net> wrote:

> On 7/12/22 15:02, Grant Taylor wrote:

> sorry, Grant, I thought the output would be clear to those that
> understood this - this isn't to say you don't, its that apparently
> s/cop semi-retired before I could learn how they did what they do.
> I've never been an admin, just a spam weary user. When I had to
> change isps, I wasn't able to change my user name but it worked
> anyway up to here. So for me, changing mailhosts is a wtf moment
> and I don't know if even possible now.

> Parsing header:
> 0: Received: from 144.160.244.37 (EHLO alph770.prodigy.net) by 10.213.242.213
> with SMTPs (version=TLS1_2 cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256); Tue,
> 12 Jul 2022 06:55:13 +0000
> Hostname verified: alph770.prodigy.net
> Possible forgery. Supposed receiving system not associated with any of your
> mailhosts
> Will not trust this Received line.
> Mailhost configuration problem, identified internal IP as source
> Mailhost:
> Please correct this situation - register every email address where you receive
> spam
> No source IP address found, cannot proceed.
> Add/edit your mailhost configuration
> Finding full email headers
> Submitting spam via email (may work better)
> Example: What spam headers should look like
> Nothing to do.

OK, I can't be certain, but it looks like SC is not expecting this
prodigy.net server to be used by your @att.net address. Perhaps, SC
isn't expecting you to be receiving mail at an @att.net, 'cause this
is an AT&T Services, Inc. server, sitting in an AT&T (AMERITECH) /16.

$ whois 144.160.244.37 | grep -iE at.\?t\|^CIDR
CIDR: 144.160.0.0/16
Organization: AT&T Services, Inc. (ATTSE-Z)
OrgName: AT&T Services, Inc.
OrgId: ATTSE-Z
Comment: http://www.att.com
Ref: https://rdap.arin.net/registry/entity/ATTSE-Z
OrgAbuseEmail: abuse@att.net
OrgTechEmail: ew2497@att.com

Additionally, prodigy.net is an AT&T property.

$ whois prodigy.net | grep -iE at.\?t
Registrant Organization: AT&T SERVICES, INC.
Registrant Email: att-domains@att.com
Admin Organization: AT&T SERVICES, INC.
Admin Email: att-domains@att.com
Tech Organization: AT&T SERVICES, INC.
Tech Email: att-domains@att.com

An email originated at an IP address belonging to Apple, 17.57.152.18,
was relayed internally by Apple's 17.58.23.196
(mr85p00im-ztdg06021701.me.com), and delivered to your provider's mail
server, 144.160.244.37 (alph770.prodigy.net). The Apple server was
verified by a yahoo.com server. (Y! used to provide mail services for
AT$T and its subsidiaries.)

Jeff, is your @att.net being forwarded to a Y! address of some sort?
If so, this is likely to cause SC to barf.

If you log into SC, you'll find a Mailhosts tab, between Report Spam
and Statistics. At the bottom of the known hosts, you are offered the
opportunity to add new addresses. Once you jump through the hoops, SC
will recognize the path, even if it is forwarded.

--
David Ritz <dritz@mindspring.com>
Be kind to animals; kiss a shark.

On 7/12/22 6:36 PM, jrg wrote:
> sorry, Grant, I thought the output would be clear to those that
> understood this - this isn't to say you don't, its that apparently s/cop
> semi-retired before I could learn how they did what they do.  I've never
> been an admin, just a spam weary user.  When I had to change isps, I
> wasn't able to change my user name but it worked anyway up to here.  So
> for me, changing mailhosts is a wtf moment and I don't know if even
> possible now.

You still haven't asked a question. You've made statements and seem to
be expecting us to infer what your question is.

So it now seems as if you are asking about why SpamCop is responding the
way that they are as opposed to you asking question about the headers.
Is that accurate?

I've not done much with SpamCop in a long time. But when I last did, if
memory serves -- I was forwarding email to them as an attachment. I had
to send the email from an address associated with my SpamCop account and
to a SpamCop address specific to me. Any time that pairing was broken,
for any reason, things did not behave properly.

With that in mind, this hints at the pairing being broken. The pairing
being broken makes sense with your comment about changing ISPs.
(Assuming your registered source address was your address at your old ISP.)

I suspect that you need to follow the "Add/edit your mailhost
configuration" link and update something about your SpamCop account to
properly reflect your new ISP.

If this is not what you're hoping to find an answer for, try asking a
question along the lines of "What does X mean?" or "How do I fix Y?" or
"How do I prevent Z from happening?".

--
Grant. . . .
unix || die

"jrg" <jeff.g.group@att.net> wrote in message
news:tako56$tdp$1@gioia.aioe.org...
> can't grok the issue - been years since I looked at this - now clueless as
> to wtf...
>
> https://www.spamcop.net/sc?id=z6765414372z951c9aab132b0e5ee54b6b0bef07d505z

You have a gaggle of extraneous information introduced by your local mail
server at 10.213.242.213, which SpamCop refuses to process (as it's not an
internet-routable IP).

The first relevant header is this;

Received: from mr85p00im-ztdg06021701.me.com (mr85p00im-ztdg06021701.me.com
[17.58.23.196])
by alph770.prodigy.net (Inbound 8.15.2/8.15.2) with ESMTPS id
26C6tBM5035139
(version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)
for <x>; Tue, 12 Jul 2022 02:55:12 -0400

Remove everything above that line, then re-submit it - it should then be
parsed properly.

--
Bob Milutinovic
Cognicom

On 7/12/22 6:36 PM, jrg wrote:
> sorry, Grant, I thought the output would be clear to those that
> understood this - this isn't to say you don't, its that apparently s/cop
> semi-retired before I could learn how they did what they do. I've never
> been an admin, just a spam weary user.  When I had to change isps, I
> wasn't able to change my user name but it worked anyway up to here. So
> for me, changing mailhosts is a wtf moment and I don't know if even
> possible now.

1. Who is "s/cop?"
2. What does changing mailhosts have to do with anything?
3. What is the actual problem?

You don't actually include any spam headers in your messsage.
--scott
--
"C'est un Nagra. C'est suisse, et tres, tres precis."

On 7/12/22 20:07, Grant Taylor wrote:
> On 7/12/22 6:36 PM, jrg wrote:
>> sorry, Grant, I thought the output would be clear to those that
>> understood this - this isn't to say you don't, its that apparently
>> s/cop semi-retired before I could learn how they did what they do.
>> I've never been an admin, just a spam weary user.  When I had to
>> change isps, I wasn't able to change my user name but it worked anyway
>> up to here.  So for me, changing mailhosts is a wtf moment and I don't
>> know if even possible now.
>
> You still haven't asked a question.  You've made statements and seem to
> be expecting us to infer what your question is.
>
> So it now seems as if you are asking about why SpamCop is responding the
> way that they are as opposed to you asking question about the headers.
> Is that accurate?

yessir, silly of me to do so, but I assumed, and that was an oops...
>
> I've not done much with SpamCop in a long time.  But when I last did, if
> memory serves -- I was forwarding email to them as an attachment.  I had
> to send the email from an address associated with my SpamCop account and
> to a SpamCop address specific to me.  Any time that pairing was broken,
> for any reason, things did not behave properly.
>

I have done that once or twice, forget why but have mostly pasted source
into the sc window and got report immediately.

> With that in mind, this hints at the pairing being broken.  The pairing
> being broken makes sense with your comment about changing ISPs.
> (Assuming your registered source address was your address at your old ISP.)
> inally

This is the gist of it - when I last tried to edit/add addresses, sc
seemed to balk and refuse to accept anything but my original addy BUT it
accepted input from my att address.. Since my spam dropped dramatically
at some point, probably due to att filters (I like to think they had to
do something what with their rep), my reporting dropped to nil. Now
seems to be coming back with netflix, paypal, etc spoofs replacing
viagra and nigerians.

> I suspect that you need to follow the "Add/edit your mailhost
> configuration" link and update something about your SpamCop account to
> properly reflect your new ISP.

The problem seems to be the "something" - I don't grok some of the host
entries.
>
> If this is not what you're hoping to find an answer for, try asking a
> question along the lines of "What does X mean?" or "How do I fix Y?" or
> "How do I prevent Z from happening?".
>

I'd like to dump the cox entries since they are history but sc balks at
my changing id.
Thank you for your time - I'll see if David's reply gives me an inkling.

On 7/13/22 15:33, Scott Dorsey wrote:
> On 7/12/22 6:36 PM, jrg wrote:
>> sorry, Grant, I thought the output would be clear to those that
>> understood this - this isn't to say you don't, its that apparently s/cop
>> semi-retired before I could learn how they did what they do. I've never
>> been an admin, just a spam weary user.  When I had to change isps, I
>> wasn't able to change my user name but it worked anyway up to here. So
>> for me, changing mailhosts is a wtf moment and I don't know if even
>> possible now.
>
>
> 1. Who is "s/cop?"

spamcop

> 2. What does changing mailhosts have to do with anything?

spamcop reporting service

> 3. What is the actual problem?

changing mailhosts in this instance is problematic.
>
> You don't actually include any spam headers in your messsage.

I had in original post, just trimmed down to problem lines since it was
a large pos (piece of shit) and was replying to Grant. It would appear
to be a problem somewhere with at&t, yahoo, and cox. I lost my s/cop
manual (joke).

Thanks for asking.

> --scott

On 7/12/22 19:30, David Ritz wrote:

<snip>

> Jeff, is your @att.net being forwarded to a Y! address of some sort?
> If so, this is likely to cause SC to barf.

roger that, this just to ack your reply and thank you - I intuitively
thought this but cox/prodigy was getting in the way and SC shows a bunch
of mailhosts, but the genetic relationships need analysis - after the
comet...

jg

On 7/14/22 6:51 PM, jrg wrote:
> yessir, silly of me to do so, but I assumed, and that was an oops...

No apology necessary. I'm fairly sure that we all make innocent and
unintentional mistakes at one point or another in our lives.

> I have done that once or twice, forget why but have mostly pasted source
> into the sc window and got report immediately.

Ah. The last time I used SpamCop, I was forwarding messages (as
attachments to preserve headers) to my personal SpamCop reporting
address. That communications channel /requires/ that the source address
match what they have on file.

> This is the gist of it - when I last tried to edit/add addresses, sc
> seemed to balk and refuse to accept anything but my original addy BUT it
> accepted input from my att address..  Since my spam dropped dramatically
> at some point, probably due to att filters (I like to think they had to
> do something what with their rep), my reporting dropped to nil.  Now
> seems to be coming back with netflix, paypal, etc spoofs replacing
> viagra and nigerians.

I know it's not proper, but I wonder if you could sign up for a new
account with SpamCop using your new address and regain proper access.

> The problem seems to be the "something" - I don't grok some of the host
> entries.

Please clarify if you're talking about (Received:) headers (in what you
linked to) in your original message or something in the SpamCop web
interface for editing hosts?

> I'd like to dump the cox entries since they are history but sc balks at
> my changing id.

I take it that this is a reference to something in the SpamCop web
interface as I don't see (case insensitive) "cox" anywhere (...) in your
original message.

I have refreshed my SpamCop account credentials and am looking at the
Mailhosts (2nd from the left) tab.

I'll do some homework on my end if you'll please explain what you are
seeing and what is causing you to pause. Hopefully together we can get
this to work for you. :-)

> Thank you for your time - I'll see if David's reply gives me an inkling.

You're welcome.

--
Grant. . . .
unix || die

On 7/14/22 9:49 PM, Grant Taylor wrote:
> I'll do some homework on my end if you'll please explain what you are
> seeing and what is causing you to pause.  Hopefully together we can get
> this to work for you.  :-)

Well, it seems as if SpamCop has refactored things significantly since I
last used them. They are migrating to a new method that /requires/ mail
host registration / configuration with them.

While poking around in their forums, actually searching the forums for
"mailhost" I found the following link which seems extremely germane to
(what you linked to) your original message.

Link -
Mailhost configuration problem, identified internal IP as source. Please
correct this situation
-
https://forum.spamcop.net/topic/47474-mailhost-configuration-problem-identified-internal-ip-as-source-please-correct-this-situation/#comment-159771

N.B. I don't know if this link is publicly available or if you need to
be signed into SpamCop to access it.

It seems like this is a common symptom when Mailhost(s) isn't (aren't)
configured.

I've added my primary and secondary MX but I don't have any spam at the
moment to test. (I recently purged my junk folder.)

I did receive multiple error reports when I tried to forward the
confirmation messages (as attachments) back to the unique address, along
with one success message. So, I deleted the configured mailhost(s) and
re-did the confirmation using the web form link in the confirmation
emails. (Email's plural b/c of primary and secondary MX.)

--
Grant. . . .
unix || die

In article <taqelv$iq9$1@gioia.aioe.org>, jrg <jeff.g.group@att.net> wrote:
>
>Thanks for asking.

You don't need any of this. Pull the headers up, start with the first received
line. That's where your mail server got the message from. Go to the next
received line. That's where that server got it from.

Now, you know a lot more than Spamcop does. You know what your ISP is and
that your mail was forwarded from a different ISP, so you can skip over the
received lines relating to those.

The FIRST received line that you see on the way down which doesn't show
something coming from one of your ISPs is trustworthy. All the lines below
that are not reliable.

Ignore all the DKIM stuff. It just clutters everything up. Look at the
first received line that isn't showing the source as one of the ISPs you
are using and THAT source is the place to complain to.
--scott
--
"C'est un Nagra. C'est suisse, et tres, tres precis."

On 7/14/22 21:25, Grant Taylor wrote:

<snip>

> While poking around in their forums, actually searching the forums for
> "mailhost" I found the following link which seems extremely germane to
> (what you linked to) your original message.

germane, indeed...

The forum link on s/c mailhost page (for me) is
http://forum.spamcop.net/forums/index.php?showforum=7
which returns

"The page you requested does not exist "

with a link to sign in, which I couldn't do from there with my original
ID. So something is amiss and maybe an id-ectomy is in order. Aside,
error in above link was "index.php?showforum=7" - so its a bad link, I
guess.
Went back to the error page and noticed a "Home" button on the left
which appeared to be grayed out - that took me to the forum, huh..
1st thing I recognized was Wazoo's name - haven't seen it in over 12 years.

So now, I went to try your link, tyvm, and in the spamcop reporting help
section was a post which had the following bit -
"...getting a waiver from the op because something was not working
using the regular way of setting mailhost." I had had to get a waiver
once long ago, but totally forget why.

be back...

On 7/15/22 10:02 AM, jrg wrote:
> germane, indeed...

:-)

> The forum link on s/c mailhost page ... returns
>
> "The page you requested does not exist "

Ya, I saw a similar error.

> with a link to sign in, which I couldn't do from there with my original
> ID.  So something is amiss and maybe an id-ectomy is in order.

It sounds like you are finding little errors to chip away at in the
hopes of getting things working.

> Aside, error in above link was "index.php?showforum=7" - so its a
> bad link, I guess.

I don't know the current state of SpamCop. It seems as if their refresh
may be taking a little longer than might have originally been planed.
Or at least that's the impression that I got when I looked at things.

> be back...

Good luck.

I hope that things start working better and better for you.

--
Grant. . . .
unix || die

On 7/15/22 5:45 AM, Scott Dorsey wrote:
> You don't need any of this.

Eh....

There are a lot of things that we don't /need/ to survive. But having
them sure does make life a lot easier or enjoyable.

> Ignore all the DKIM stuff. It just clutters everything up. Look at
> the first received line that isn't showing the source as one of the
> ISPs you are using and THAT source is the place to complain to.

This is what SpamCop is hoping to automate. This is also why SpamCop
needs to know about your email path. They are trying to automate the
manual algorithm that you described so that it can be done in mass.

They are trying to ground / crowd source believed to be spam and apply
logic to it.

--
Grant. . . .
unix || die