When Mozilla Thunderbird message filters quit...

jim hardy

I set message filters in Thunderbird to recognize and automatically forward spam to:
the ISP from which they were sent
Spamcop.org
and my ISP's support desk

then move the spam to a folder named Spamwars .

Worked fine for a few weeks
then stopped for no apparent reason

filters won't even run manually any more.

Here they are
upload_2019-3-12_0-58-45.png



and my current spammer originates at Colocrossing dot com per Spamcop
here's relevant part of header
upload_2019-3-12_0-26-44.png


the spam always comes from some address in 104.168.(something different every time)
and that address range decodes to colocrossing dot com in Buffalo.
Spam from them always has Return-Path: <newsletter@(some random garbage).site>
so i keyed on that characteristic
......
and here's my Colocrossing filter

upload_2019-3-12_0-18-8.png



if anyone knows what's wrong with Thunderbird's message filter program please advise.


i'm trying to get my ISP's way more awkward filters working now

thanks

old jim
 

320
109
The following is a speculation: it may be that your auto-forwarding the emails to your ISP led to them changing their Cloud Authority parameters in such manner as to stop them from getting the emails -- they may have in doing that kept emails addressed to you from being effectively filtered by the Cloud Authority Engine.
 

jim hardy

You might want to edit the first screenshot in your post to remove your email address.
Thanks - will do now
 
320
109
Do any of the other filters work? Have you tried creating and artificially triggering a test filter? Say by sending yourself an email from another account, or from a different IP address, or with a test word in the subject line?
 

jim hardy

The following is a speculation: it may be that your auto-forwarding the emails to your ISP led to them changing their Cloud Authority parameters in such manner as to stop them from getting the emails -- they may have in doing that kept emails addressed to you from being effectively filtered by the Cloud Authority Engine.
while i don't know what all of the terms in that mean,

i would have blocked me by now too...

Something on my local Thunderbird has changed - my filters no longer activate, i can't even just flag a message.
So i think i've been sabotaged by a more sophisticated foe.
I even re-installed Thunderbird to no avail.

For the time being i just logged into my account at my ISP's mail handler.
It is a terribly awkward and frustrating one - they have terrible programmers there-
but i was able to create a filter there to simply discard colocrossing spam

that stopped the 'chinese water torture' of two to six effing spams every hour of the day

you'd think responsible business entities would be better behaved, my own ISP included.

Of the thousand or so spams i've forwarded to Centurylink they've responded to only one, and i submitted that one by mistake - it came from a friend and was legitimate.
I'd set a filter to trigger on "Cialis or Viagra" to block those awful Indian Pharmacy spams for "pecker pills"
My friend sent me an email with word "Socialism" in the subject
and the filter parsed "Cialis" out of the middle of that word. I guess it ignores leading and trailing spaces. Sigh.
Sometimes i think if there's any intelligence in IT industry it must be artificial.
I've said elsewhere: "Bill Gates is the Prince of Mediocrity"

[Moderator: off topic removed]

Perhaps i'll revise filters at my ISP to make my spammer further annoy them.
I've already signed up their support desk address with him.

old jim
 

jim hardy

320
109
I noticed
X-Scanned by: Cloudmark Authority Engine
in your email header.

Cloudmark Authority provides spam-interception services. ISPs and other email service providers outsource their anti-spam requirement to them. They (Cloudmark) have some configuration options available to their customers (ISPs and email services).

I also noticed that you said that the filtration worked for a couple of weeks or so, and then without you making changes, it stopped working.

Add to that the fact that you're forwarding them a copy of every offending email.

All of a sudden it's not enough that they police up your trash email, but now that you no longer have to look at it, for some reason they might not understand, they get inundated with it.

When you set up good effective filters and you chose to copy your ISP on every spam, maybe your ISP just turned off filtration implementation for your IP or email address, because their inbox was getting bombed.

It may be that from their perspective, you were punishing them for doing their job, so they decided to stop doing the part of it that was getting them punished.
 
320
109
EDIT
made a new cialis filter and it worked

maybe just my existing filters are disabled ?

will poke at it and see if i can get us some more symptoms.
You might try re-creating your colocrossing filter with a new name, and no copies to the ISP, or to anyone else who can punish you for sending them spam.
 

jim hardy

It may be that from their perspective, you were punishing them for doing their job, so they decided to stop doing the part of it that was getting them punished.
Hmmmm. I can see how they'd think that.
And yes in honesty i was trying to be a "Squeaky Wheel".

I had no idea what was "Cloudmark Authority " - will learn some more about it.

Is there a legitimate way to report spam ? Spamcop has proved completely ineffective.

I have successfully got rid of a few by contacting the spammer's ISP ,
for one of them i found their CEO on Linked In and alerted him he had a nest of spammers
he took care of it.
colocrossing seems completely indifferent and i can't find their executive team. Usually i go to investor relations, but these guys are well hid.

Thanks for the suggestions

and the edification

i'll be back when i have some progress to report or next question

THANK YOU !
When i become emperor you are assured a high position in my court !

old jim
 
320
109
jim hardy said:
I had no idea what was "Cloudmark Authority " - will learn some more about it.
When you see the X- at the beginning of a header, it sometimes means that an anti-spam provider has provided a spam-scoring header extension that your local Thunderbird client can recognize and act on.

The X-CM-Score: 0 may have been a spam score saying that the message was fine. I suspect that the ISP you've been forwarding spam to may have added it as a not-spam flag to stop them from getting the messages.

Maybe you could compare the header from a similar message previously moved to your spamwars folder. I imagine you'll notice a difference.
 

jim hardy

my colocrossing spammer changed his Return-Path text again just a few minutes ago.
Was newsletter@ now it's returns@
i think he's in cahoots with Centurylink because i just now made that filter aware of him

When you see the X- at the beginning of a header, it sometimes means that an anti-spam provider has provided a spam-scoring header extension that your local Thunderbird client can recognize and act on.
is that the two Mozilla status lines up top ? Looks like low scores.

How would i make somebody aware of this rectal degenerate ?

Looking for an old header - i've deleted most of the spam emails.

old jim
 


jim hardy

Maybe you could compare the header from a similar message previously moved to your spamwars folder. I imagine you'll notice a difference.

here's one of the first ones i was able to track to colocrossing

From - Mon Feb 11 00:15:01 2019
X-Account-Key: account1
X-UIDL: 12069.MNcWwLMxb8u2gPV4ZkEjFK5judEMkYiKJDADOLmxuyU=
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-Path: newsletter@bifocalsuncogentunepigrammatically.fun
Received: from mx05.onyx.dfw.sync.lan (LHLO mx05.onyx.dfw.sync.lan)
(10.41.8.45) by md27.onyx.dfw.sync.lan with LMTP; Sun, 10 Feb 2019 18:34:06
-0500 (EST)
Return-Path: <newsletter@bifocalsuncogentunepigrammatically.fun>
X_CMAE_Category: , ,
X-CNFS-Analysis: v=2.3 cv=StvuF8G0 c=1 sm=1 tr=0 a=X7bPcOT5vV2asLf1FkwxoA==:117 a=X7bPcOT5vV2asLf1FkwxoA==:17 a=KGjhK52YXX0A:10 a=9cW_t1CCXrUA:10 a=MKtGQD3n3ToA:10 a=CFTnQlWoA9kA:10 a=Sp86Ll0KR80A:10 a=ZZnuYtJkoWoA:10 a=iDm_qOtnAAAA:8 a=tclcd6dtLQvEqt9_mmAA:9 a=-FEs8UIgK8oA:10 a=NWVoK91CQyQA:10 a=sJeurnS2WKi5zltlStNU:22 a=p-dnK0njbqwfn1k4-x12:22 a=3lMFb2gA92Fu04n3_66V:22
X-CM-Score: 0
X-Scanned-by: Cloudmark Authority Engine
X-Received-HELO: from [147.78.180.166] (helo=smtp.con)
Received: from [147.78.180.166] ([147.78.180.166:46995] helo=smtp.con)
by smtp.embarq.synacor.com (envelope-from <newsletter@bifocalsuncogentunepigrammatically.fun>)
(ecelerity 3.6.25.56547 r(Core:3.6.25.0)) with ESMTP
id 86/B1-24419-090B06C5; Sun, 10 Feb 2019 18:33:18 -0500
From: "Keranique Hair" <Amk6sjz@ZhtKdTh.bifocalsuncogentunepigrammatically.fun>
Message-ID: <86.B1.24419.090B06C5@mx05.onyx.dfw.sync.lan>
Subject:#1 Hair Regrowth System for Women – Lowest Price Guaranteed
Date: Sun, 10 Feb 2019 23:24:46 -0000
Content-type: text/html
differences don't leap out at me aside from scrambling in Return-Path text.

old jim
 

jim hardy

ps Thanks for your help.

I don't know much but i do learn as i plod along
and i have the good sense to recognize and watch over the shoulders of those more capable than i.

Maybe i'll send my ISP a truce offering ?

Maybe a handwritten on paper letter to colocrossing in Buffalo with hardcopies of spam headers ?

old jim
 
320
109
:warning: When you bounce the messages back to the sender you are sending information. The fact that you sent any response is apt to increase the sender's targeting of you, including listing your email address with other spammers in a category of 'responder'. I recommend against sending the messages in response to being sent them. It's kind of a tar baby thing ...
 

jim hardy

do you know anything of "Spamhaus" ?

if this is to be believed
https://www.spamhaus.org/sbl/listings/colocrossing.com
upload_2019-3-12_15-56-11.png



colocrossing.com is a bad actor.
Seems they'd be plenty capable of sabotage.


i found their Jon Biloh on LinkedIn, will try to apprise him "There's trouble in River City" .


upload_2019-3-12_15-59-17.png
 


320
109
Spamhaus is a world-class antispam organization -- ref: https://en.wikipedia.org/wiki/The_Spamhaus_Project

Colocrossing is a company that provides multiple co-location facilities and associated bandwidth provision services. The 'colo' in the name is a reference to colocators (colos, for short), which are devices that are co-located at a physical installation site.

There is a fixed overhead cost associated with running a server. Co-locating multiple physically independent servers at a single server room allows collecting and distributing the costs of HVAC, infra-structural FE-SE (Field Engineering - Systems Engineering) services, security personnel, etc., so as to provide economy of scale.

Typically the clients of a co-location provider are hardware-independent of one another at the server-rack level, as in, these are this guy's servers and those are that guy's servers; it's our server farm, but the servers belong to their respective individual owners -- ref: https://en.wikipedia.org/wiki/Colocation_centre

Similarly, generic bandwidth providers do not claim ownership of any of the semiotic (meaning-related -- syntactic and semantic) content or specificity of character of the data streams that the clients handle. It's all 1s and 0s to them. They'll identify where they got the data and where they sent it, and point to that source and sink when anyone asks who is responsible for what's being received and sent. Some may actively obscure origination information, some of them including from themselves, to the best of their ability to do so and still get paid.
 

jim hardy

Some may actively obscure origination information, some of them including from themselves, to the best of their ability to do so and still get paid.
i think that's what's going on.

i've admitted defeat ,
just set filters to delete anything that looks like it came from colon-crossing ,
triggering on Return-Path text containing ' returns@' and '.site '
Probably i'll modify them to look instead at Received: From .and trigger on domains(right word?)104.168.(anything)
X-Scanned-by: Cloudmark Authority Engine
X-Received-HELO: from [104.168.55.59] (helo=infusehooklikeglossopharyngeal.site)
Received: from [104.168.55.59] ([104.168.55.59:60999] helo=infusehooklikeglossopharyngeal.site)
by smtp.embarq.synacor.com (envelope-from <returns@infusehooklikeglossopharyngeal.site>)
and whatever they change that to next week...

We need legislation to hold ISPs liable for their clients' misbehavior.
Any common carrier like a railroad or airline doesn't let you harass the other passengers
until they face fines and confiscation of their servers things will not get any better.
There are laws against maintaining a public nuisance.


Same goes for phone companies and their telemarketers.
I've written my congressman to effect
"NSA and FTC are so incompetent they can't even find Rachel from Card Services.
Do you expect me to believe they have any clue who hacked the DNC Emails? Dream On.

Please sow the idea among your colleagues of requiring telephone companies to implement a star code that puts last call received into a database for NSA.
Caller ID can be spoofed but every call has billing information that we consumers can't get to. Stash that for every call reported by the new star code and let statistics take over..
Surely NSA's computer can find Rachel and her floozie friends with that."
My congressman seemed not impressed. Politicians use telemarketers themselves.

sorry for rant

over and out for the night

THANK YOU for sharing your knowledge .

old jim
 
320
109
I've written my congressman to effect
"NSA and FTC are so incompetent they can't even find Rachel from Card Services.
Do you expect me to believe they have any clue who hacked the DNC Emails? Dream On.
Please sow the idea among your colleagues of requiring telephone companies to implement a star code that puts last call received into a database for NSA.
Caller ID can be spoofed but every call has billing information that we consumers can't get to. Stash that for every call reported by the new star code and let statistics take over..
Surely NSA's computer can find Rachel and her floozie friends with that."
My congressman seemed not impressed. Politicians use telemarketers themselves.
Here's a page from a longtime anti-spam warrior: http://www.danhatesspam.com/law/
 

jim hardy

if anybody else gets on a spammers list

Thunderbird filters are as picky about format as Fortran-II

to trigger from " Return Path: " line in the header

which looks like this
X-Mozilla-Keys:
Return-Path: newsletter@nothanitenothaday.top ( note the colon : )
i had to tell the filter to look for a line named Return Path and because that's not offered i had to "Customize" it

click on this little arrow and a drop down menu appears, bottom entry there is "Customize"
upload_2019-3-13_20-45-49.png


that lets you type in the name of a line in the header, i used Return-Path:
i spent a day figuring out it has to match exactly except you have to leave off the colon {:}
no error messages are provided, you have to find that one by trial and error..

i sent my ISP a truce offering and got a nice reply , with some help for using their filters

so right now i'm trapping colocrossing spam with Thunderbird filter, maxnoc spam with my ISP's filter,
simply moving both to spam folders so i can monitor how well the filters work.

My ISP agreed to look into those two spammers.

We shall see. Even a Pyrrhic victory feels good when it's over :headbang:

Thanks @sysprog you helped more than you know...

old jim
 


320
109
This site:
allows a quick way to get location and WHOIS information on an ip address by putting it in the subdomain prefix position in the URL, e.g.:

That page includes the following line:
NetRange: 104.168.0.0 - 104.168.127.255
That's the entire 1st half of 104.168 ...

Regarding the 2nd half:

Checking an arbitrarily-chosen URL from that higher range:

shows the comparatively innocuous:
This product includes GeoLite2 data created by MaxMind, available from http://www.maxmind.com.
and
NetRange: 104.168.128.0 - 104.168.255.255
assigned to Hostway.

If you need to get email from maxmind or another blocked Hostway address, you can whitelist it in your filtering system, so I think filtering at the secondary level, in this case the 104.168. range, isn't going to make you miss out on too much non-hateworthy email.
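
The header checks discussed in this thread (the Received and Return-Path lines in jim hardy's posts, the 104.168 NetRange in the last reply, and the "Cialis" inside "Socialism" misfire), as an added Python example that is not part of any post: it finds the first public address in the Received chain, tests it against the quoted NetRange with an optional allowlist, and matches subject words on word boundaries. The function names, the `allow` parameter and the sample message (assembled from header lines quoted above) are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string

# NetRange quoted in the thread, converted to CIDR: 104.168.0.0/17.
BLOCKED = list(ipaddress.summarize_address_range(
    ipaddress.ip_address("104.168.0.0"),
    ipaddress.ip_address("104.168.127.255")))

# Constructed sample, assembled from header lines quoted in the thread.
SAMPLE = (
    "Return-Path: <returns@infusehooklikeglossopharyngeal.site>\n"
    "Received: from mx05.onyx.dfw.sync.lan (LHLO mx05.onyx.dfw.sync.lan)\n"
    " (10.41.8.45) by md27.onyx.dfw.sync.lan with LMTP\n"
    "Received: from [104.168.55.59] ([104.168.55.59:60999]"
    " helo=infusehooklikeglossopharyngeal.site)\n"
    " by smtp.embarq.synacor.com\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})[\]:]")

def handoff_ip(msg):
    """Return the first public bracketed IP in the Received chain, top-down.

    Assumption: the topmost hops are the provider's own internal relays, so
    the first public address is the host that handed the mail to the
    provider. Received lines below that hop can be forged by the sender.
    """
    for hop in msg.get_all("Received", []):
        for text in BRACKETED_IP.findall(hop):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:  # e.g. an octet above 255
                continue
            if not ip.is_private:
                return ip
    return None

def classify(raw, allow=()):
    """'spam' if the hand-off IP is in BLOCKED and not allowlisted."""
    ip = handoff_ip(message_from_string(raw))
    if ip is None or any(ip in ipaddress.ip_network(n) for n in allow):
        return "keep"
    return "spam" if any(ip in net for net in BLOCKED) else "keep"

def has_word(subject, word):
    """Whole-word match, so "Cialis" does not fire inside "Socialism"."""
    pattern = rf"\b{re.escape(word)}\b"
    return re.search(pattern, subject, re.IGNORECASE) is not None
```

Matching on the network range survives the sender rotating the Return-Path local part and domain, which the thread shows changing from newsletter@ to returns@.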
 
