Spam Notification Messages

Spam and other fraudulent messages that get through our normal anti-spam controls and are detected are transferred to a special spam handling account. An automated system retrieves them and extracts the information about the connecting host (this is when the actual blacklisting occurs).  An abuse report message is then constructed with this information along with other diagnostics information and sent to the Jade Abuse Report account.  If the submitting MTA’s public whois data includes abuse reporting addresses the abuse report is also immediately sent there as well.

The abuse report is sent using the Internet standard ARF (Abuse Report Format) (see Abuse Report Reporting Standards for links to the technical standards). The text portion of the abuse report contains a brief description of the report, the original message headers and the ARF (message header summary section) and WHOIS data. The original message is attached to this administrative message intact without any modification.

Once received by the Jade Abuse Report account the message is reviewed for a second time. If it is determined that the original message was not spam the block is removed and the remote admin notified. Domains who do not have abuse contact information published get silently blocked with no notification. The double human verification of spam messages was designed to reduce the possibility of improperly blocking remote sites. So far there have been no false positives with this approach.  Whitelisting at this time is done manually for only a few of the larger providers (Google, Microsoft, AOL, Yahoo, TenCent and NetEase at the time of this writing).

When spam is processed by our internal handling process the offending sending IP address is automatically entered into our spam blacklist.  This is implemented as an IP block on our mail servers.  Should the postmaster review later determine that the message was inappropriately submitted (it is not spam) the block is manually removed.     We are working on a system where the blacklist will eventually be linked to a Jade RBL (which we will then also make public).

Why Do We Send Notification Messages?

We forward the spam notification to service providers in an attempt to assist their efforts to combat spam on their networks.  The fight against spam is not easy and the service providers are on the front line in this battle.  We view service providers as partners in this battle against spam and similar criminal behaviour.

Can A Provider Be Removed From Our List?

Yes of course!   All you need to do is to reply to our notification and let us know how the problem has been resolved.  If it appears that appropriate action has been taken we will immediately remove the IP address from our block list.  Alternatively see our SPAM Block Removal Procedure page for other ways to be removed.

How Do I Know If We Are Listed?

Please check our SPAM Host Blocks and SPAM Network Blocks pages.  These pages list both block lists and are updated automatically by our systems.

Do You Notify All Providers?

We make an attempt to notify all providers who we do not believe to be in the spamming business.  As long as the whois record contains a contact address we will in most cases forward the notification to that address.  One notable exception is for networks we have good reason to believe are directly involved in the spam business (Eonix in the USA is one example).

Why Do We Send The Original Message As An Attachment?

Each provider has their own systems, policies and procedures in place for handling abuse complaints.  The needs differ and so do the requirements for providing information.  As it is impossible for us to try to conform to every provider’s conventions we try to provide as much information as we can in our single message to them.  Our notification section includes the IP address where we received the spam from, the receiving MTA and time, the unaltered message header, the public whois record for this IP address, and the original unaltered message as an attachment (standard MIME format and labelling).  The message attachment contains ALL MESSAGE HEADERS as received by our systems (which is also duplicated in the introductory text).  This includes both the message To: and Cc: headers that are displayed by most user agents but also the SMTP envelope information and all other trace information.  In addition to the information provided in the header we provide the entire message as some providers need this in order to pursue legal or other procedures against spammers.

Why We Don’t Do Header Analysis For Providers

In previous versions of the Jade Spam Tools software we only provided the IP address of the connecting host and the corresponding WHOIS record in the text portion of the report. We found that several of the larger providers were not able to deal with this, either due to lack of knowledge of how to interpret email message headers, or more likely unable to justify the time investment to manually trace each and every complaint. To assist remote providers as well as to better interact with their automated complaint handling systems we built ARF (Address Reporting Format) capabilities into our Spam Tools suite in September 2015. In addition to providing the abuse reports in a format that can be handled by remote automation it required us to automate the message parsing and analysis on our end. In addition to the IP address and WHOIS data that have always been provided we now provide the full message header in the introductory header (not as an attachment), the receiving MTA name, arrival date, SMTP sender and recipient information and authentication results (when available). This information is provided in the standard ARF MIME attachment and also duplicated in the introductory text section for sites without automated abuse message handling tools.

For sites that want to look at all the raw data, the original unaltered message is provided as an attachment. Standard header analysis as well as the presentation of the message header however no longer require opening of the message attachment. For organizations who do want to look deeper into the message the next section outlines exactly what our reports contain and how to interpret the attached message headers.  If there are further questions that are not answered here please do let us know and we’ll work with you to understand and pull whatever data you need from the headers.

Basic Notification Message

Below is an actual sample message sent to a provider chosen at random.   We are not trying to imply anything about the remote provider through our example below.  This notification is very typical of what we see for ALL providers.

SPAM REPORT

SPAM was received from the IP Address 77.238.18.178 by Jade Networks.  The attached message contains the original message complete with all 
message headers as received by our systems.  Our MTA's also record in the Received: header fields the connecting host IP address as well as 
the message envelope and sender information as presented to our system (the SMTP MAIL FROM and RCPT TO data).

This report is in standard Abuse Reporting Feedback format (see RFC 5965 and related Internet standards for additional information).  The 
details in the ARF data (attached) is duplicated in this summary section for sites without automated ARF processing tools.  The original 
message header and WHOIS details for the connecting host can be found at the end of this section.  The ARF data and original message are also 
included as attachments for sites with automated ARF handling tools.

ALL INFORMATION NEEDED FOR MESSAGE TRACKING IS INCLUDED IN THE ATTACHED MESSAGE AND SUMMARY INFORMATION BELOW.  Should you need any assistance 
in interpreting the message headers or any other information presented here please let us know.  Information about our spam prevention policies, 
how we go about collecting information, and the interpretation of these notification messages can be found at http://jade-networks.com/spam/

Message Header Summary
----------------------
Feedback-Type: abuse
User-Agent: JadeSpamTools/0.2
Version: 1
Source-IP: 77.238.18.178
Reporting-MTA: mx2.jade.net
Arrival-Date: Wed, 30 Sep 2015 22:04:13 +0800 (HKT)
Original-Mail-From: bounce-85316-114247184-3308-248@newsletter.news-car.it
Original-Rcpt-To: tim@jade.net
Original-Envelope-Id: e6f168b67e4ce7470b4d3007cb16dc19@newsletter.news-car.it
Authenticaion-Results: mx2.jade.net; spf=pass (sender SPF authorized) smtp.mailfrom=newsletter.news-car.it (client-ip=77.238.18.178; helo=mx03.newsletter.news-car.it; envelope-from=bounce-85316-114247184-3308-248@newsletter.news-car.it; receiver=tim@jade.net)

Original Message Header
-----------------------
Return-Path: 
Delivered-To: unknown
Received: from ms1.jade.net (202.75.0.10:143) by mx2.jade.net with IMAP4; 30
  Sep 2015 14:32:01 -0000
Received: from mx2.jade.net (mx2.jade.net [202.75.0.3])
	 by ms1.jade.net (Cyrus v2.4.17-Fedora-RPM-2.4.17-8.fc21) with LMTPA;
	 Wed, 30 Sep 2015 22:04:19 +0800
X-Sieve: CMU Sieve 2.4
Received: from localhost (localhost [127.0.0.1])
	by mx2.jade.net (Jade Networks Mailer) with ESMTP id 6E8352980738
	for ; Wed, 30 Sep 2015 22:04:19 +0800 (HKT)
X-Virus-Scanned: amavisd-new at jade.net
X-Spam-Flag: NO
X-Spam-Score: 5.13
X-Spam-Level: *****
X-Spam-Status: No, score=5.13 tagged_above=2 required=6.2
	tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_IMAGE_ONLY_24=1.282,
	HTML_IMAGE_RATIO_02=0.805, HTML_MESSAGE=0.001, MIME_HTML_ONLY=1.105,
	SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, URIBL_JP_SURBL=1.948]
	autolearn=disabled
Received: from mx2.jade.net ([127.0.0.1])
	by localhost (jade.net [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id 5UUHsw_qQIms for ;
	Wed, 30 Sep 2015 22:04:15 +0800 (HKT)
Authentication-Results: mx2.jade.net; spf=pass (sender SPF authorized) smtp.mailfrom=newsletter.news-car.it (client-ip=77.238.18.178; helo=mx03.newsletter.news-car.it; envelope-from=bounce-85316-114247184-3308-248@newsletter.news-car.it; receiver=tim@jade.net)
Received: from mx03.newsletter.news-car.it (mx03.newsletter.news-car.it [77.238.18.178])
	by mx2.jade.net (Jade Networks Mailer) with ESMTP
	for ; Wed, 30 Sep 2015 22:04:13 +0800 (HKT)
Received: from newsletter.news-car.it (unknown [192.168.101.5])
	by mx03.newsletter.news-car.it (Postfix) with ESMTP id E315EA262B
	for ; Wed, 30 Sep 2015 16:04:07 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
	d=newsletter.news-car.it; s=nwsl; t=1443621847;
	bh=6S6lJH3dpGV4v/HlB7iq7zV26C5DHIGRgGIhlp92mno=;
	h=Date:To:From:Reply-to:Subject:List-Unsubscribe:From;
	b=FwmfiyzHuPzp2a94vJxXlfNaJ66Vt6VqerrA2WvscyhqMt1HBzn1j4Fx7RnbmaRlB
	 JMzMu/XdC/ZbsNmSVI4erXsj8G1tVS/ITItbv9C9H0PpK58nYZq+9jR5al//zPonHx
	 k52CYsY75rqZ0PVzPXvQhp7JGtptXYez+KgtUUhc=
Received: by newsletter.news-car.it (Postfix, from userid 0)
	id D6F3B1001A4; Wed, 30 Sep 2015 16:04:07 +0200 (CEST)
Date: Wed, 30 Sep 2015 16:04:07 +0200
To: "tim@jade.net" 
From: Meetic 
Reply-to: Meetic 
Subject: 3 giorni gratis
Message-ID: 
X-Priority: 3
Sender: 
X-Mailer: Postfix
X-Complaints-To: postmaster@newsletter.news-car.it
List-Unsubscribe: , 
X-MessageID: 13e-c0wb-dGltQGphZGUubmV0-s8-rt-rs
X-Report-Abuse: 
X-SMTPAPI: {"unique_args":{"abuse-id":"13e-c0wb-dGltQGphZGUubmV0-s8-rt-rs"}, "category":"campaign"}
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="utf-8"
X-getmail-retrieved-from-mailbox: INBOX

WHOIS Record
------------
[Querying whois.ripe.net]
[whois.ripe.net]
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '77.238.18.128 - 77.238.18.255'

% Abuse contact for '77.238.18.128 - 77.238.18.255' is 'abuse-ripe@telecomitalia.it'

inetnum:        77.238.18.128 - 77.238.18.255
netname:        EASY-NEW-MEDIA-SRL
descr:          webservers   EASYNEWMEDIASRL
country:        it
admin-c:        ITR2-RIPE
tech-c:         ITR2-RIPE
status:         ASSIGNED PA
mnt-by:         FULCOM-MNT-RIPE
created:        2010-01-13T14:40:35Z
last-modified:  2014-06-12T13:20:00Z
source:         RIPE # Filtered

role:           IT Telecom Role
address:        Telecom Italia S.p.A.
address:        Via Oriolo Romano, 257
address:        Italy
phone:          +390636878029
fax-no:         +390641862917
remarks:        trouble: ripe-noc@telecomitalia.it
admin-c:        ITR2-RIPE
tech-c:         ITR2-RIPE
nic-hdl:        ITR2-RIPE
remarks:        ##############################################
remarks:        Pay attention
remarks:        Any communication sent to email different
remarks:        from the following will be ignored !
remarks:        ##############################################
remarks:        Any abuse and spamming  reports, please
remarks:        send them to abuse-ripe@telecomitalia.it
remarks:        ##############################################
mnt-by:         FULCOM-MNT-RIPE
created:        2003-04-22T07:54:13Z
last-modified:  2012-08-09T09:17:57Z
source:         RIPE # Filtered

% Information related to '77.238.0.0/19AS20746'

route:          77.238.0.0/19
descr:          aggregato rilasciato in FEBBRAIO/07
origin:         AS20746
mnt-by:         FULCOM-MNT-RIPE
created:        2007-04-11T16:15:17Z
last-modified:  2007-04-11T16:15:17Z
source:         RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.80.1 (DB-2)

The format of the abuse report message is fairly simple. The message is MIME encoded with an outer Content-Type of multipart/report and report-type=feedback-report. The message consists of three MIME parts. The first is a simple text/plan encoded text message containing the information shown above. The second part is of type message/feedback-report and contains the parsed information in standard ARF format. The third MIME part is of type message/rfc822 (inline) and contains the unaltered spam message as received by Jade.

The text part of the message contains a verbal description of the report intended for human recipients of the message (many remote recipients tend to be automated abuse report handling systems). There are three parts to the data in this human readable part – the Message Header Summary section, the Original Message Header section, and the collected WHOIS record for the connecting host. The Message Header Summary section is simply a copy of the ARF data encoded in the second MIME part. The Original Message Header section is the unaltered received message header. We include this here as many providers have told us they are reluctant to open the original message attachment. The final section of the text part contains the WHOIS information collected for the IP address of the remote connecting MTA. We include this with our report so that it is clear to the provider where we obtained the contact information.

Abuse Report Format (ARF) Data

The ARF data provided in both the text introduction part as well as the second MIME section contain the following information:

  • Feedback-Type: abuse
  • Version: 1
  • Source-IP: this is the IP address of the MTA that submitted the message to Jade.
  • Reporting-MTA: the name of the Jade MTA that received the message.
  • Arrival-Date: the date/time when the message was received by Jade.
  • Original-Mail-From: the SMTP envelope sender address (MAIL FROM).
  • Original-Rcpt-To: the SMTP envelope recipient address (RCPT TO).
  • Original-Envelope-Id: the original message ID.
  • Authentication-Results: the results of any authentication attempts. There can be zero or more of these. At the time of this writing this is mainly focused on SPF validations however this section will eventually also include DKIM results.

Please note that the Original-Rcpt-To field is not 100% reliable as bcc recipients do not always show up in the trace header fields (nor should they).

Attached Message Header Analysis

The attached message header (the rest of the message is not shown here) to the notification above is shown below.  When messages pass through different systems (sometimes in the same computer) trace information is appended at the top of the message header.  Trace information that arrives with the message from the outside we generally consider unreliable as we have no way to determine if it is accurate or forged.  This information is forwarded to the upstream MTA provider in case the additional trace information can be useful in their message tracking efforts.

Return-Path: 
Delivered-To: unknown
Received: from ms1.jade.net (202.75.0.10:143) by mx2.jade.net with IMAP4; 30
  Sep 2015 14:32:01 -0000
Received: from mx2.jade.net (mx2.jade.net [202.75.0.3])
	 by ms1.jade.net (Cyrus v2.4.17-Fedora-RPM-2.4.17-8.fc21) with LMTPA;
	 Wed, 30 Sep 2015 22:04:19 +0800
X-Sieve: CMU Sieve 2.4
Received: from localhost (localhost [127.0.0.1])
	by mx2.jade.net (Jade Networks Mailer) with ESMTP id 6E8352980738
	for ; Wed, 30 Sep 2015 22:04:19 +0800 (HKT)
X-Virus-Scanned: amavisd-new at jade.net
X-Spam-Flag: NO
X-Spam-Score: 5.13
X-Spam-Level: *****
X-Spam-Status: No, score=5.13 tagged_above=2 required=6.2
	tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_IMAGE_ONLY_24=1.282,
	HTML_IMAGE_RATIO_02=0.805, HTML_MESSAGE=0.001, MIME_HTML_ONLY=1.105,
	SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, URIBL_JP_SURBL=1.948]
	autolearn=disabled
Received: from mx2.jade.net ([127.0.0.1])
	by localhost (jade.net [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id 5UUHsw_qQIms for ;
	Wed, 30 Sep 2015 22:04:15 +0800 (HKT)
Authentication-Results: mx2.jade.net; spf=pass (sender SPF authorized) smtp.mailfrom=newsletter.news-car.it (client-ip=77.238.18.178; helo=mx03.newsletter.news-car.it; envelope-from=bounce-85316-114247184-3308-248@newsletter.news-car.it; receiver=tim@jade.net)
Received: from mx03.newsletter.news-car.it (mx03.newsletter.news-car.it [77.238.18.178])
	by mx2.jade.net (Jade Networks Mailer) with ESMTP
	for ; Wed, 30 Sep 2015 22:04:13 +0800 (HKT)
Received: from newsletter.news-car.it (unknown [192.168.101.5])
	by mx03.newsletter.news-car.it (Postfix) with ESMTP id E315EA262B
	for ; Wed, 30 Sep 2015 16:04:07 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
	d=newsletter.news-car.it; s=nwsl; t=1443621847;
	bh=6S6lJH3dpGV4v/HlB7iq7zV26C5DHIGRgGIhlp92mno=;
	h=Date:To:From:Reply-to:Subject:List-Unsubscribe:From;
	b=FwmfiyzHuPzp2a94vJxXlfNaJ66Vt6VqerrA2WvscyhqMt1HBzn1j4Fx7RnbmaRlB
	 JMzMu/XdC/ZbsNmSVI4erXsj8G1tVS/ITItbv9C9H0PpK58nYZq+9jR5al//zPonHx
	 k52CYsY75rqZ0PVzPXvQhp7JGtptXYez+KgtUUhc=
Received: by newsletter.news-car.it (Postfix, from userid 0)
	id D6F3B1001A4; Wed, 30 Sep 2015 16:04:07 +0200 (CEST)
Date: Wed, 30 Sep 2015 16:04:07 +0200
To: "tim@jade.net" 
From: Meetic 
Reply-to: Meetic 
Subject: 3 giorni gratis
Message-ID: 
X-Priority: 3
Sender: 
X-Mailer: Postfix
X-Complaints-To: postmaster@newsletter.news-car.it
List-Unsubscribe: , 
X-MessageID: 13e-c0wb-dGltQGphZGUubmV0-s8-rt-rs
X-Report-Abuse: 
X-SMTPAPI: {"unique_args":{"abuse-id":"13e-c0wb-dGltQGphZGUubmV0-s8-rt-rs"}, "category":"campaign"}
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="utf-8"
X-getmail-retrieved-from-mailbox: INBOX

The first header inserted by the Jade MTA is:

Received: from mx03.newsletter.news-car.it (mx03.newsletter.news-car.it [77.238.18.178])
	by mx2.jade.net (Jade Networks Mailer) with ESMTP
	for ; Wed, 30 Sep 2015 22:04:13 +0800 (HKT)

This tells us when the message was received, on which Jade MTA (MX2 in this case), the sender IP address and SMTP envelope recipient address.  Much of this information is duplicated in the Authentication-Results header (if present):

Authentication-Results: mx2.jade.net; spf=pass (sender SPF authorized) smtp.mailfrom=newsletter.news-car.it 
        (client-ip=77.238.18.178; helo=mx03.newsletter.news-car.it; envelope-from=bounce-85316-114247184-3308-248@newsletter.news-car.it; 
        receiver=tim@jade.net)

Here we also have the SMTP envelope sender address (smtp.mailfrom), the SMTP HELO string (helo) and the connecting IP address.  The SMTP envelope recipient (receiver) is also included however as noted above this information is not always accurate (only one value is reported even if multiple RCPT TO recipients are provided during the SMTP session) so should not be trusted.

Trace information above the Authentication-Results header are generally only useful for Jade debugging but included here for completeness.  Trace information below the first Jade Received header was created either by the provider mail system and/or the spammer.   The later sometimes happens when a spammer wishes to hide where the message has been.  The provider trace information is useful only to the provider as they can often use information in this section to cross correlate with their messaging systems and user information.  Unfortunately we cannot be of much assistance with this analysis as these headers and trace information are very site specific.

As one might imagine when dealing with unknown spam messages it is best to open these messages in a safe environment such as a text editor.  We do forward everything as-is so if there are attached viruses to the original message they will be forwarded along with the rest of the message.  We do this deliberately in the event that the provider needs proof for legal or other reasons of malicious intent.  For message tracking purposes usually only the message header is needed for analysis.

Where Can I Get More Information?

We hope that this answers all your questions regarding our SPAM Notification messages.   If you have additional questions or if anything is not clear please do let us know and we will answer as quickly as we can (and update this page as appropriate).