When Mozilla Thunderbird message filters quit....

In summary, your filters stopped working because of an unspecified change on your local Thunderbird, and you are forwarding copies of every spam to your ISP in an effort to get their help.
  • #1
jim hardy
I set message filters in Thunderbird to recognize and automatically forward spam to:
the ISP from which they were sent
Spamcop.org
and my ISP's support desk

then move the spam to a folder named Spamwars .

Worked fine for a few weeks
then stopped for no apparent reason

filters won't even run manually any more.

Here they are
upload_2019-3-12_0-58-45.png
and my current spammer originates at Colocrossing dot com per Spamcop
here's relevant part of header
upload_2019-3-12_0-26-44.png


the spam always comes from some address in 104.168.(something different every time)
and that address range decodes to colocrossing dot com in Buffalo.
Spam from them always has Return-Path: <newsletter@(some random garbage).site>
so i keyed on that characteristic
...
and here's my Colocrossing filter

upload_2019-3-12_0-18-8.png
if anyone knows what's wrong with Thunderbird's message filter program please advise. i'm trying to get my ISP's way more awkward filters working now

thanks

old jim
 

  • #2
The following is a speculation: it may be that your auto-forwarding the emails to your ISP led to them changing their Cloud Authority parameters in such manner as to stop them from getting the emails -- they may have in doing that kept emails addressed to you from being effectively filtered by the Cloud Authority Engine.
 
  • #3
sysprog said:
You might want to edit the first screenshot in your post to remove your email address.
Thanks - will do now
 
  • #4
Do any of the other filters work? Have you tried creating and artificially triggering a test filter? Say by sending yourself an email from another account, or from a different IP address, or with a test word in the subject line?
 
  • #5
sysprog said:
The following is a speculation: it may be that your auto-forwarding the emails to your ISP led to them changing their Cloud Authority parameters in such manner as to stop them from getting the emails -- they may have in doing that kept emails addressed to you from being effectively filtered by the Cloud Authority Engine.

while i don't know what all of the terms in that mean,

i would have blocked me by now too...

Something on my local Thunderbird has changed - my filters no longer activate, i can't even just flag a message.
So i think I've been sabotaged by a more sophisticated foe.
I even re-installed Thunderbird to no avail.

For the time being i just logged into my account at my ISP's mail handler.
It is a terribly awkward and frustrating one - they have terrible programmers there-
but i was able to create a filter there to simply discard colocrossing spam

that stopped the 'chinese water torture' of two to six effing spams every hour of the day

you'd think responsible business entities would be better behaved, my own ISP included.

Of the thousand or so spams I've forwarded to Centurylink they've responded to only one, and i submitted that one by mistake - it came from a friend and was legitimate.
I'd set a filter to trigger on "Cialis or Viagra" to block those awful Indian Pharmacy spams for "pecker pills"
My friend sent me an email with word "Socialism" in the subject
and the filter parsed "Cialis" out of the middle of that word. I guess it ignores leading and trailing spaces. Sigh.
Sometimes i think if there's any intelligence in IT industry it must be artificial.
I've said elsewhere: "Bill Gates is the Prince of Mediocrity"

[Moderator: off topic removed]

Perhaps i'll revise filters at my ISP to make my spammer further annoy them.
I've already signed up their support desk address with him.

old jim
 
Last edited by a moderator:
  • #6
  • #7
I noticed
X-Scanned-by: Cloudmark Authority Engine
in your email header.

Cloudmark Authority provides spam-interception services. ISPs and other email service providers outsource their anti-spam requirement to them. They (Cloudmark) have some configuration options available to their customers (ISPs and email services).

I also noticed that you said that the filtration worked for a couple of weeks or so, and then without you making changes, it stopped working.

Add to that the fact that you're forwarding them a copy of every offending email.

All of a sudden it's not enough that they police up your trash email, but now that you no longer have to look at it, for some reason they might not understand, they get inundated with it.

When you set up good effective filters and you chose to copy your ISP on every spam, maybe your ISP just turned off filtration implementation for your IP or email address, because their inbox was getting bombed.

It may be that from their perspective, you were punishing them for doing their job, so they decided to stop doing the part of it that was getting them punished.
 
  • #8
jim hardy said:
EDIT
made a new cialis filter and it worked

maybe just my existing filters are disabled ?

will poke at it and see if i can get us some more symptoms.
You might try re-creating your colocrossing filter with a new name, and no copies to the ISP, or to anyone else who can punish you for sending them spam.
 
  • #9
sysprog said:
It may be that from their perspective, you were punishing them for doing their job, so they decided to stop doing the part of it that was getting them punished.

Hmmmm. I can see how they'd think that.
And yes in honesty i was trying to be a "Squeaky Wheel".

I had no idea what was "Cloudmark Authority " - will learn some more about it.

Is there a legitimate way to report spam ? Spamcop has proved completely ineffective.

I have successfully got rid of a few by contacting the spammer's ISP ,
for one of them i found their CEO on Linked In and alerted him he had a nest of spammers
he took care of it.
colocrossing seems completely indifferent and i can't find their executive team. Usually i go to investor relations , but these guys are well hid.

Thanks for the suggestions

and the edification

i'll be back when i have some progress to report or next question

THANK YOU !
When i become emperor you are assured a high position in my court !

old jim
 
  • #10
jim hardy said:
I had no idea what was "Cloudmark Authority " - will learn some more about it.
When you see the X- at the beginning of a header, it sometimes means that an anti-spam provider has provided a spam-scoring header extension that your local Thunderbird client can recognize and act on.

The X-CM-Score: 0 may have been a spam score saying that the message was fine. I suspect that the ISP you've been forwarding spam to may have added it as a not-spam flag to stop them from getting the messages.

Maybe you could compare the header from a similar message previously moved to your spamwars folder. I imagine you'll notice a difference.
 
  • #11
my colocrossing spammer changed his Return-Path text again just a few minutes ago.
Was newsletter@ now it's returns@
i think he's in cahoots with Centurylink because i just now made that filter aware of him

upload_2019-3-12_13-3-12.png
sysprog said:
When you see the X- at the beginning of a header, it sometimes means that an anti-spam provider has provided a spam-scoring header extension that your local Thunderbird client can recognize and act on.

is that the two Mozilla status lines up top ? Looks like low scores.

How would i make somebody aware of this rectal degenerate ?

Looking for an old header - I've deleted most of the spam emails.

old jim
 

  • #12
sysprog said:
Maybe you could compare the header from a similar message previously moved to your spamwars folder. I imagine you'll notice a difference.
here's one of the first ones i was able to track to colocrossing

From - Mon Feb 11 00:15:01 2019
X-Account-Key: account1
X-UIDL: 12069.MNcWwLMxb8u2gPV4ZkEjFK5judEMkYiKJDADOLmxuyU=
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-Path: newsletter@bifocalsuncogentunepigrammatically.fun
Received: from mx05.onyx.dfw.sync.lan (LHLO mx05.onyx.dfw.sync.lan)
(10.41.8.45) by md27.onyx.dfw.sync.lan with LMTP; Sun, 10 Feb 2019 18:34:06
-0500 (EST)
Return-Path: <newsletter@bifocalsuncogentunepigrammatically.fun>
X_CMAE_Category: , ,
X-CNFS-Analysis: v=2.3 cv=StvuF8G0 c=1 sm=1 tr=0 a=X7bPcOT5vV2asLf1FkwxoA==:117 a=X7bPcOT5vV2asLf1FkwxoA==:17 a=KGjhK52YXX0A:10 a=9cW_t1CCXrUA:10 a=MKtGQD3n3ToA:10 a=CFTnQlWoA9kA:10 a=Sp86Ll0KR80A:10 a=ZZnuYtJkoWoA:10 a=iDm_qOtnAAAA:8 a=tclcd6dtLQvEqt9_mmAA:9 a=-FEs8UIgK8oA:10 a=NWVoK91CQyQA:10 a=sJeurnS2WKi5zltlStNU:22 a=p-dnK0njbqwfn1k4-x12:22 a=3lMFb2gA92Fu04n3_66V:22
X-CM-Score: 0
X-Scanned-by: Cloudmark Authority Engine
X-Received-HELO: from [147.78.180.166] (helo=smtp.con)
Received: from [147.78.180.166] ([147.78.180.166:46995] helo=smtp.con)
by smtp.embarq.synacor.com (envelope-from <newsletter@bifocalsuncogentunepigrammatically.fun>)
(ecelerity 3.6.25.56547 r(Core:3.6.25.0)) with ESMTP
id 86/B1-24419-090B06C5; Sun, 10 Feb 2019 18:33:18 -0500
From: "Keranique Hair" <Amk6sjz@ZhtKdTh.bifocalsuncogentunepigrammatically.fun>
Message-ID: <86.B1.24419.090B06C5@mx05.onyx.dfw.sync.lan>
Subject:#1 Hair Regrowth System for Women – Lowest Price Guaranteed
Date: Sun, 10 Feb 2019 23:24:46 -0000
Content-type: text/html

differences don't leap out at me aside from scrambling in Return-Path text.

old jim
 
  • #13
ps Thanks for your help.

I don't know much but i do learn as i plod along
and i have the good sense to recognize and watch over the shoulders of those more capable than i.

Maybe i'll send my ISP a truce offering ?

Maybe a handwritten on paper letter to colocrossing in Buffalo with hardcopies of spam headers ?

old jim
 
  • #14
:warning: When you bounce the messages back to the sender you are sending information. The fact that you sent any response is apt to increase the sender's targeting of you, including listing your email address with other spammers in a category of 'responder'. I recommend against sending the messages in response to being sent them. It's kind of a tar baby thing ...
 
  • #15
do you know anything of "Spamhaus" ?

if this is to be believed
https://www.spamhaus.org/sbl/listings/colocrossing.com
upload_2019-3-12_15-56-11.png
colocrossing.com is a bad actor.
Seems they'd be plenty capable of sabotage. i found their Jon Biloh on LinkedIn, will try to apprise him "There's trouble in River City" .
upload_2019-3-12_15-59-17.png
 

  • #16
Spamhaus is a world-class antispam organization -- ref: https://en.wikipedia.org/wiki/The_Spamhaus_Project

Colocrossing is a company that provides multiple co-location facilities and associated bandwidth provision services. The 'colo' in the name is a reference to colocators (colos, for short), which are devices that are co-located at a physical installation site.

There is a fixed overhead cost associated with running a server. Co-locating multiple physically independent servers at a single server room allows collecting and distributing the costs of HVAC, infra-structural FE-SE (Field Engineering - Systems Engineering) services, security personnel, etc., so as to provide economy of scale.

Typically the clients of a co-location provider are hardware-independent of one another at the server-rack level, as in, these are this guy's servers and those are that guy's servers; it's our server farm, but the servers belong to their respective individual owners -- ref: https://en.wikipedia.org/wiki/Colocation_centre

Similarly, generic bandwidth providers do not claim ownership of any of the semiotic (meaning-related -- syntactic and semantic) content or specificity of character of the data streams that the clients handle. It's all 1s and 0s to them. They'll identify where they got the data and where they sent it, and point to that source and sink when anyone asks who is responsible for what's being received and sent. Some may actively obscure origination information, some of them including from themselves, to the best of their ability to do so and still get paid.
 
  • #17
sysprog said:
Some may actively obscure origination information, some of them including from themselves, to the best of their ability to do so and still get paid.

i think that's what's going on.

i've admitted defeat ,
just set filters to delete anything that looks like it came from colon-crossing ,
triggering on Return-Path text containing ' returns@' and '.site '
Probably i'll modify them to look instead at Received: From and trigger on domains (right word?) 104.168.(anything)
X-Scanned-by: Cloudmark Authority Engine
X-Received-HELO: from [104.168.55.59] (helo=infusehooklikeglossopharyngeal.site)
Received: from [104.168.55.59] ([104.168.55.59:60999] helo=infusehooklikeglossopharyngeal.site)
by smtp.embarq.synacor.com (envelope-from <returns@infusehooklikeglossopharyngeal.site>)
and whatever they change that to next week...

We need legislation to hold ISP's liable for their client's misbehavior.
Any common carrier like a railroad or airline doesn't let you harass the other passengers
until they face fines and confiscation of their servers things will not get any better.
There are laws against maintaining a public nuisance.


Same goes for phone companies and their telemarketers.
I've written my congressman to effect
"NSA and FTC are so incompetent they can't even find Rachel from Card Services.
Do you expect me to believe they have any clue who hacked the DNC Emails? Dream On.

Please sow the idea among your colleagues of requiring telephone companies to implement a star code that puts last call received into a database for NSA.
Caller ID can be spoofed but every call has billing information that we consumers can't get to. Stash that for every call reported by the new star code and let statistics take over..
Surely NSA's computer can find Rachel and her floozie friends with that."
My congressman seemed not impressed. Politicians use telemarketers themselves.

sorry for rant

over and out for the night

THANK YOU for sharing your knowledge .

old jim
 
  • #18
I've written my congressman to effect
"NSA and FTC are so incompetent they can't even find Rachel from Card Services.
Do you expect me to believe they have any clue who hacked the DNC Emails? Dream On.
Please sow the idea among your colleagues of requiring telephone companies to implement a star code that puts last call received into a database for NSA.
Caller ID can be spoofed but every call has billing information that we consumers can't get to. Stash that for every call reported by the new star code and let statistics take over..
Surely NSA's computer can find Rachel and her floozie friends with that."
My congressman seemed not impressed. Politicians use telemarketers themselves.
Here's a page from a longtime anti-spam warrior: http://www.danhatesspam.com/law/
 
  • #19
if anybody else gets on a spammers list

Thunderbird filters are as picky about format as Fortran-II

to trigger from " Return Path: " line in the header

which looks like this
X-Mozilla-Keys:
Return-Path: newsletter@nothanitenothaday.top ( note the colon : )

i had to tell the filter to look for a line named Return Path and because that's not offered i had to "Customize" it

click on this little arrow and a drop down menu appears, bottom entry there is "Customize"
upload_2019-3-13_20-45-49.png


that lets you type in the name of a line in the header, i used Return-Path:
i spent a day figuring out it has to match exactly except you have to leave off the colon {:}
no error messages are provided, you have to find that one by trial and error..

i sent my ISP a truce offering and got a nice reply , with some help for using their filters

so right now I'm trapping colocrossing spam with Thunderbird filter, maxnoc spam with my ISP's filter,
simply moving both to spam folders so i can monitor how well the filters work.

My ISP agreed to look into those two spammers.

We shall see. Even a Pyrrhic victory feels good when it's over :headbang:

Thanks @sysprog you helped more than you know...

old jim
 

  • #20
This site:
allows a quick way to get location and WHOIS information on an ip address by putting it in the subdomain prefix position in the URL, e.g.:

That page includes the following line:
NetRange: 104.168.0.0 - 104.168.127.255
That's the entire 1st half of 104.168 ...

Regarding the 2nd half:

Checking an arbitrarily-chosen URL from that higher range:

shows the comparatively innocuous:
This product includes GeoLite2 data created by MaxMind, available from http://www.maxmind.com.​
and
NetRange: 104.168.128.0 - 104.168.255.255​
assigned to Hostway.

If you need to get email from maxmind or another blocked Hostway address, you can whitelist it in your filtering system, so I think filtering at the secondary level, in this case the 104.168. range, isn't going to make you miss out on too much non-hateworthy email.
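
Added example (not part of the thread or any poster's code): the range-based rule discussed above, written as a Python check. It reads the connecting IP from the Received line stamped by the ISP's edge server (host name taken from the headers posted in this thread and treated as the trusted hop by assumption), tests it against the NetRange quoted in post #20, and shows a whole-word subject match that avoids the "Socialism"/"Cialis" hit. The sample messages are constructed from header excerpts in the thread.

```python
import ipaddress
import re
from email import message_from_string

# NetRange quoted in the thread: 104.168.0.0 - 104.168.127.255 (one /17).
BLOCKED = list(ipaddress.summarize_address_range(
    ipaddress.ip_address("104.168.0.0"),
    ipaddress.ip_address("104.168.127.255")))

# Assumption: only the Received line stamped by the ISP's edge server is
# trusted; lines below it arrive with the message and can be forged.
TRUSTED_EDGE = "smtp.embarq.synacor.com"
PEER_IP = re.compile(r"from\s+\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_ip(raw):
    """Return the peer IP recorded by the trusted edge server, or None."""
    msg = message_from_string(raw)
    # Header names are looked up without the trailing colon. Real hops are
    # prepended, so the topmost matching line is the one the ISP wrote.
    for received in msg.get_all("Received", []):
        flat = " ".join(received.split())  # unfold continuation lines
        match = PEER_IP.search(flat)
        if match and f"by {TRUSTED_EDGE} " in flat + " ":
            try:
                return ipaddress.ip_address(match.group(1))
            except ValueError:  # e.g. an octet above 255
                continue
    return None


def from_blocked_range(raw):
    """True when the trusted hop saw a peer inside a blocked range."""
    ip = connecting_ip(raw)
    return ip is not None and any(ip in net for net in BLOCKED)


def subject_has_word(raw, word):
    """Whole-word, case-insensitive match on the Subject header."""
    subject = message_from_string(raw).get("Subject", "")
    pattern = rf"\b{re.escape(word)}\b"
    return re.search(pattern, subject, re.IGNORECASE) is not None


# Constructed samples built from header excerpts posted in the thread.
COLO_SAMPLE = (
    "Return-Path: <returns@infusehooklikeglossopharyngeal.site>\n"
    "Received: from [104.168.55.59] ([104.168.55.59:60999]"
    " helo=infusehooklikeglossopharyngeal.site)\n"
    "\tby smtp.embarq.synacor.com (envelope-from"
    " <returns@infusehooklikeglossopharyngeal.site>)\n"
    "Subject: constructed sample\n\nbody\n")
OTHER_SAMPLE = (
    "Received: from mx05.onyx.dfw.sync.lan (LHLO mx05.onyx.dfw.sync.lan)\n"
    "\t(10.41.8.45) by md27.onyx.dfw.sync.lan with LMTP\n"
    "Received: from [147.78.180.166] ([147.78.180.166:46995] helo=smtp.con)\n"
    "\tby smtp.embarq.synacor.com (envelope-from <newsletter@example.invalid>)\n"
    "Subject: Socialism\n\nbody\n")

if __name__ == "__main__":
    for name, raw in (("colo", COLO_SAMPLE), ("other", OTHER_SAMPLE)):
        print(name, connecting_ip(raw), from_blocked_range(raw),
              subject_has_word(raw, "cialis"))
```
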
 
  • #21
hmmm

here's part of the output from that first link

upload_2019-3-14_4-38-25.png


reporting spam emails to their abuse doesn't work, been doing that for months via Spamcop

maybe i can give their phone number to Rachel from Card Services

Letting my filters work for now. They caught about four last night between 6 and 10 pm. When i get comfortable will just set them to delete..
 

  • #22
  • #23
Moderator note: A number of off-topic comments were removed from this thread.
 
  • #24
sysprog said:
NN refers more to regulations against preferential treatment based on content and who is providing it.

understood. won't go political any more.

got my ISP filter working by domain .numbers now. Same syntax trouble, got to leave the colon off end of header line name.
upload_2019-3-14_14-35-30.png
The syntax differences between Centurytel's mail program and Thunderbird's are staggering. Perhaps trying to learn both at once was my initial mistake..

Hopefully soon i'll be able to just let them detect and delete automatically .

First filter was the hardest
it was a lot of trouble to learn but worth it.
A new tool for my Quixotic 'War on Spam'.

Thanks hereby extended to all who helped.

old jim
 

  • #25
Update

a phone call to sales at colocrossing in Buffalo NY seems to have stopped their spammer.

an email to the German outfit strato.de seems to have stopped theirs

I finally got a filter working that discards everything from maxnot in Brazil, they ignore requests for help so are probably a spam house

inbox has been 23 hours spam free now

and that was the goal.

thanks to all who contributed

old jim
 

1. Why did my Mozilla Thunderbird message filters suddenly stop working?

There could be a few reasons for this. It's possible that there was a recent software update or change in your Thunderbird settings that affected the filters. It's also possible that there is a bug or glitch in the software. Another possibility is that your email server settings have changed, causing the filters to no longer work correctly.

2. How can I troubleshoot my Thunderbird filters not working?

To troubleshoot this issue, you can try disabling and then re-enabling the filters to see if that resolves the problem. You can also check your Thunderbird settings to make sure they are still correctly set up. If the issue persists, you may need to contact Thunderbird support for further assistance.

3. Is there a way to recover lost or deleted Thunderbird message filters?

If your filters have been accidentally deleted or lost, you may be able to recover them by restoring a backup of your Thunderbird profile. You can also try searching for the filter rules in your Thunderbird profile folder, as they may still be saved there. If all else fails, you may need to manually recreate the filters.

4. Can third-party add-ons affect Thunderbird message filters?

Yes, it is possible that a third-party add-on or extension in Thunderbird could interfere with the functioning of your message filters. If you recently installed a new add-on, try disabling it to see if that resolves the issue with your filters.

5. How can I create more advanced or complex filters in Thunderbird?

Thunderbird offers a variety of options for creating and customizing message filters. You can use multiple conditions, such as sender, subject, or recipient, to create more specific filters. You can also use regular expressions for even more advanced filtering. Thunderbird also allows you to apply multiple actions to a single filter, such as moving a message to a folder and marking it as read.
