From abuse at treenetnz.com  Wed Dec  1 15:26:33 2004
From: abuse at treenetnz.com (Windows User)
Date: Tue Nov 30 21:25:06 2004
Subject: [SC-Help] Re: SpamCop Parser not responding
References: <MPG.1c155f1827fb62db989680@news.spamcop.net>
	<coedq0$nc0$1@news.spamcop.net>
Message-ID: <MPG.1c17f306e96a5833989681@news.spamcop.net>

In article <coedq0$nc0$1@news.spamcop.net>, dsp4ever2002@yahoo.com 
says...
> 
> "Abuse treenetnz.com" <abuse@treenetnz.com> wrote in message > posted to 
> spamcop, .geeks and .help followup set to .help
> >
> > For the last 12+ hours I have been unable to get the web parser to
> > complete a job. It appears to hang sometime before processing the
> > received headers.
> >
> > Is spamcop under some sort of temporay overload I should continue to
> > wait out or is it deeper?
> >
> > -- 
> > AJ
> > Treehouse Networks abuse@
> > www.treenetnz.com
> 
>   I'm having similar troubles...only getting responses about half the time 
> and not any if I forward multiple attachments.  Have written to the 
> deputies.    Good luck....let me know if you get it fixed.
> 
> Scott C. 
> 

That is strange. Sounds like a different problem though.
I am sending in multiples and always getting responses back. But the 
trackers go to dead links or incomplete parse pages.


-- 
AJ
Treehouse Networks abuse@
www.treenetnz.com
From abuse at treenetnz.com  Wed Dec  1 15:27:48 2004
From: abuse at treenetnz.com (Windows User)
Date: Tue Nov 30 21:30:05 2004
Subject: [SC-Help] Re: SpamCop Parser not responding
References: <MPG.1c155f1827fb62db989680@news.spamcop.net>
	<cogdb1$u82$1@news.spamcop.net>
Message-ID: <MPG.1c17f34e973f0679989682@news.spamcop.net>

In article <cogdb1$u82$1@news.spamcop.net>, nobody@spamcop.net says...
> 
> "Abuse treenetnz.com" <abuse@treenetnz.com> wrote in message
> news:MPG.1c155f1827fb62db989680@news.spamcop.net...
> > posted to spamcop, .geeks and .help followup set to .help
> >
> > For the last 12+ hours I have been unable to get the web parser
> to
> > complete a job. It appears to hang sometime before processing the
> > received headers.
> 
> Apparently, for most people it is working just fine, but there are
> a couple of other people who are having problems.  I would write to
> the deputies and give them as much information as I can (times,
> browser, IP address, provider, tracking URL's, whatever you can
> think of) so they can see if there is a common thread among those
> who are having problems.
> 
> Miss Betsy
> 

Thanks guys for all your replies.
It disappeared suddenly after certain messages expired over the 24 hours 
age limit. But it has just started again so these ones will be passed on 
to the depuities.

-- 
AJ
Treehouse Networks abuse@
www.treenetnz.com
From ric.gates at bigsleep.org  Wed Dec  1 04:24:39 2004
From: ric.gates at bigsleep.org (Blammo)
Date: Tue Nov 30 23:25:04 2004
Subject: [SC-Help] Re: Annoying bug - Skip to Reports link goes nowhere
References: <cof08j$1t6$1@news.spamcop.net>
Message-ID: <Xns95B1CFB7DCFC3blammo@216.154.195.61>

On 29 Nov 2004 Stewart Gordon entered spamcop.help and left 
news:cof08j$1t6$1@news.spamcop.net:

> The link target should be generated regardless of whether there is any 
> actual reporting to do.  A sensible place to put it for "nothing to do" 
> reports is at the error message itself.
> 
> 

I've noticed this myself, but only now really looked at the code.
I compared two reports of the same message, the second was too old. Now 
this page is of course dynamically generated and I can only guess as to 
what the template looks like.
The "Skip to Reports" link points to an anchor named "report"...
------------

<div class="warning">Cannot resolve http://www.asdg32.biz/book/</div>
<a name="report">
    	<p><strong>Please make sure this email IS spam:</strong><br>

> Note: This is invalid HTML as <A> may not contain <p>.

<font face="courier" size=2>
    	From: "tester" &lt;test@somewhere.com&gt;     
	(<strong>testing</strong>)<br>
    	First line of message<br>
</font>
<a href="/sc?id=SpamCopId&action=display">View full message</a>
<p></a>

> ---^ hmm... somethings wrong there!

------------

<div class="warning">
    	Using postmaster#publicf.bta.net.cn@devnull.spamcop.net for 
statistical tracking.
</div>
<div class="error">
    	Sorry, this email is too old to file a spam report.  You must report 
spam within 2 days of receipt.  This mail was received on [date]
</div>
Message is [days] old<br>
<div class="error">Nothing to do.</div>

------------
Now I would write this completely different, for one, there's very few IDs, 
and lots of "anonymous" blocks, and DIV is used in places where something 
like <EM>, <B> or <i> should be used. And <P> isn't often closed so the 
browser gets to guess at where it should be closed.
I would do something like this...
------------

<div id="resolve">
     	<em class="warning">using devnull...</em><br>
    	text...<br>
   	<em class="warning">Cannot resolve http://www.url.dom</em><br>
    	Regular message here<br>
</div>
<div id="report">
    	<p><strong>Please make sure this email IS spam:</strong></p>

<p>
    	<tt class="messagesummary">From: "tester" &lt;test@somewhere.com&gt;     
	(<strong>testing</strong>)<br>
    	First line of message<br></tt>
</p>
<a href="/sc?id=spamid&action=display">View full message</a>
<p>...</p>
<form>...</form>
</div>

-----------
Here I have a block defined for the report section, so we can link to the 
ID in that block - this won't work in some older browsers, but this is 
really the least of their problems. This will make the entire section a 
target and has the added benefit of allowing the entire target to be 
styled. The "nothing to do" simply goes inside that block...
-----------

<div id="report">
<p class="error">
    	Sorry, this email is too old to file a spam report.  You must report 
spam within 2 days of receipt.  This mail was received on [date]
</p>
<p class="error">Nothing to do.</p>
</div>

-----------
In my experience, rewriting something like this can be a major task, you 
may be able to simply move the area where the <a name="report"> anchor is 
written, though depending on how the parsing code is written, this could 
take days. Well written code allows you to easily change the template, but 
this is rarely the case since the coder is probably more concerned with 
just getting it to work. I suspect that most of the old HTML code has been 
replaced but some of it still lurks in there.
I often look at stuff others have written, figure out how it works, then 
throw it away and rewrite it myself. I even have some old script that I 
need to rewrite to change the page layout, but it's not designed well for 
that and I wouldn't be wasting any time just rewriting the whole thing. 
Nothing quite as complex as SpamCop, but I've figured out ways to make 
templates where I can rewrite the HTML without effecting the script that 
generates it.

-- 
| Ric
|
From smjg_1998 at yahoo.com  Wed Dec  1 13:18:07 2004
From: smjg_1998 at yahoo.com (Stewart Gordon)
Date: Wed Dec  1 08:20:02 2004
Subject: [SC-Help] Re: Annoying bug - Skip to Reports link goes nowhere
In-Reply-To: <Xns95B1CFB7DCFC3blammo@216.154.195.61>
References: <cof08j$1t6$1@news.spamcop.net>
	<Xns95B1CFB7DCFC3blammo@216.154.195.61>
Message-ID: <cokga0$i79$1@news.spamcop.net>

Blammo wrote:
<snip>
> In my experience, rewriting something like this can be a major task, you 
> may be able to simply move the area where the <a name="report"> anchor is 
> written, though depending on how the parsing code is written, this could 
> take days.
<snip>

Why _move_ anything?  Why not just change it so that in place of the first

     <p class="error">

it writes

     <p class="error"><a name="report"></a>

?

Stewart.

-- 
My e-mail is valid but not my primary mailbox.  Please keep replies on 
the 'group where everyone may benefit.
From ric.gates at bigsleep.org  Wed Dec  1 19:53:07 2004
From: ric.gates at bigsleep.org (Blammo)
Date: Wed Dec  1 14:55:03 2004
Subject: [SC-Help] Re: Annoying bug - Skip to Reports link goes nowhere
References: <cof08j$1t6$1@news.spamcop.net>
	<Xns95B1CFB7DCFC3blammo@216.154.195.61> <cokga0$i79$1@news.spamcop.net>
Message-ID: <Xns95B278FE7A7CEblammo@216.154.195.61>

On 01 Dec 2004 Stewart Gordon entered spamcop.help and left
news:cokga0$i79$1@news.spamcop.net: 

> Blammo wrote:
> <snip>
>> In my experience, rewriting something like this can be a major task,
>> you may be able to simply move the area where the <a name="report">
>> anchor is written, though depending on how the parsing code is
>> written, this could take days.
> <snip>
> 
> Why _move_ anything?  Why not just change it so that in place of the
> first 
> 
>      <p class="error">
> 
> it writes
> 
>      <p class="error"><a name="report"></a>
> 

Certainly that could work, but when I looked at the source it appeared to 
me that that section isn't written when there's "nothing to do", only 
speculation of course. There's a lot of "if ...else"'s in the parser and 
the part that contains the "report" link probably doesn't exist in that "if 
.. else". So he would probably have to move or rewrite that part of the 
script.
My first thought was this is a feature, not a bug, but then if there's 
nothing to do you want to go to the next report anyway, so your suggestion 
makes sense. I'm only speculating on why it was written this way in the 
first place.


-- 
| Ric
|
From MikeE at ster.invalid  Wed Dec  1 17:17:50 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Dec  1 20:20:03 2004
Subject: [SC-Help] Re: Being Spammed By G4-TechTV?
References: <colfh4$7mc$1@news.spamcop.net>
Message-ID: <colqep$f3u$1@news.spamcop.net>

The usual routine is to only use spamcop.spam for posting spams, not for
discussion.  The idea is that spamcop and spamcop.help are for
discussion, and no spams are to be posted there.  So, one way to work it
is to post a spam into .spam, but not discuss it there, and to start a
thread in spamcop or .help which references the spam in .spam and to
discuss it in the other groups.  Sounds complicated, and it certainly is
now that there is a better way of doing it.

The better way of doing it is to not post the spam at all in .spam, but
instead to feed the spam to the parser and copy the tracking url.  Then,
either send or cancel the reports and paste the tracker into the
discussion group spamcop.help or spamcop.

So, now, in order to perform tidy little housekeeping, I'm going to do
about 3 things.  I'm going to make a tracker out of your spam, I'm going
to crosspost this reply into spamcop.help and .spam, and I'm going to
structure followups to spamcop help.

And, I'm going to address your questions inline below.

Ryan Smith wrote:
> Ok, here's a real odd one. I've recieved several odd pieces of email
> lately that Spamcop is tracking back to G4's email servers, but due
> to the content of the message(a fake PayPal email with a 169.* link),
> I find it hard to believe someone is purposely trying to spam me.
> Below is the entirity of the email, would someone mind telling me
> what's going on?
>
> For reference: HomeLan/ControlNet email servers are trusted mailhosts

This tracker isn't exactly what yours would look like because you have
mailhosts enabled;  but the tracker and its environs look like this from
the top of the parse [I snip off http://www to prevent some wrapping]:

Here is your TRACKING URL - it may be saved for future reference:
spamcop.net/sc?id=z698319261z1b9a6f71fd59877d92293174036d35e9z

I prefer to talk about headers by abbreviating them

  Abbreviated Received lines *comment
  from (192.168.1.105) by blade4.cesmail.net *serves you
  from mailgate.cesmail.net (216.154.195.36) by c60.cesmail.net  *serves
you
  from (192.168.1.101)  by mailgate.cesmail.net  *serves you
  from pop.homelanfed.com [38.113.222.30] by mailgate.cesmail.net
*serves you
  from ([192.168.51.10]  by mail.mcw.controlnet.com   *serves you
  from [63.173.148.11] (helo=paypal.com) by mail1sj.controlnet.com
*sourceline
  from (TRUSSO.g4media.com [169.254.101.152]) by g4media.com *bogusline

Call that 7 lines where line 6 is the sourceline and line 7 is the
bogusline.

Others may disagree with me here, because some people like to examine
the 'mind' of the spammer, where 'spammer' means the 'person' or
whatever who constructed the item which did something which caused it to
be injected into the smtp stream which caused you to receive it.

My approach is somewhat simpler.  I decide if it is reportable as a
spam, and then I decide how to report it.  I don't do any spammer
mindreading.

So, I look at that item and determine its spamsource.  I also determine
that it looks like a PayPal phish except that the payload site doesn't
work, because it is of an IANA special use IP block.  The spam is also
misconstructed by having the header call it multipart alternative with a
boundary, when in fact it is texthtml with no boundary.  As a result,
SpamCop doesn't even find the useless link.

Finding links in message body
no links found


Then, I would notify/report the spamsource.  SpamCop would notify
tscholz@g4media.com  which is the tech/admin contact for the arin
registration;  there is no reg'd abuse.net notify.  Because of that, I
personally would also notify the parent arin reg'd  abuse@sprint.net

whois -h whois.arin.net 63.173.148.11 ...
Sprint  63.160.0.0 - 63.175.255.255
   abuse@sprint.net
G4 Media 63.173.148.0 - 63.173.148.255
   tscholz@g4media.com [no reg'd abusenet]

I would spend no time whatsoever on wondering why the spammersource
screwed up the phishing expedition.  I think there are better things to
spend time on;  like, notifying PayPal or investigating whether or not
the source IP is compromised.


-- 
Mike Easter
kibitzer, not SC admin

From virgedx at spamcop.net  Wed Dec  1 21:14:45 2004
From: virgedx at spamcop.net (Ryan Smith)
Date: Wed Dec  1 21:15:03 2004
Subject: [SC-Help] Re: Being Spammed By G4-TechTV?
References: <colfh4$7mc$1@news.spamcop.net> <colqep$f3u$1@news.spamcop.net>
Message-ID: <coltqn$hjq$1@news.spamcop.net>

Thanks, and sorry about posting in the wrong newsgroup(Spamcop help says 
that .spam is for discussion spam, and doesn't list .help, so it was the 
closest match). Anyhow, I've already done as you've described(sent a report 
off to tscholz), but otherwise I'm just puzzled about this. Their link is to 
a non-routable IP, and to port 0 no less, and the email makes no attempt to 
replicate a real PayPal email, so it just strikes me as very odd, as if they 
wanted this phising scheme to fail.

To add more oddness to it, I just received a bounced email that originally 
came from the same source. But this one used my address as the From address, 
and was advertising a blog/webcam site(and not a specific one, just a link 
saying to "check out my blog", but used the same text/background style and 
bad link. You're right in that I probably shouldn't pursue this any further 
since its doubtful anything will come of it, but at this point, I'm not sure 
if someone is screwing with my head, or what.

-Ryan Smith

"Mike Easter" <MikeE@ster.invalid> wrote in message 
news:colqep$f3u$1@news.spamcop.net...
> The usual routine is to only use spamcop.spam for posting spams, not for
> discussion.  The idea is that spamcop and spamcop.help are for
> discussion, and no spams are to be posted there.  So, one way to work it
> is to post a spam into .spam, but not discuss it there, and to start a
> thread in spamcop or .help which references the spam in .spam and to
> discuss it in the other groups.  Sounds complicated, and it certainly is
> now that there is a better way of doing it.
>
> The better way of doing it is to not post the spam at all in .spam, but
> instead to feed the spam to the parser and copy the tracking url.  Then,
> either send or cancel the reports and paste the tracker into the
> discussion group spamcop.help or spamcop.
>
> So, now, in order to perform tidy little housekeeping, I'm going to do
> about 3 things.  I'm going to make a tracker out of your spam, I'm going
> to crosspost this reply into spamcop.help and .spam, and I'm going to
> structure followups to spamcop help.
>
> And, I'm going to address your questions inline below. 


From nobody at devnull.spamcop.net  Wed Dec  1 20:29:25 2004
From: nobody at devnull.spamcop.net (Cat)
Date: Wed Dec  1 21:30:03 2004
Subject: [SC-Help] Re: Being Spammed By G4-TechTV?
In-Reply-To: <coltqn$hjq$1@news.spamcop.net>
References: <colfh4$7mc$1@news.spamcop.net> <colqep$f3u$1@news.spamcop.net>
	<coltqn$hjq$1@news.spamcop.net>
Message-ID: <colum1$i58$1@news.spamcop.net>

(Top posting fixed)

Ryan Smith wrote:

> "Mike Easter" <MikeE@ster.invalid> wrote in message 
> news:colqep$f3u$1@news.spamcop.net...

<snip>

>>So, now, in order to perform tidy little housekeeping, I'm going to do
>>about 3 things.  I'm going to make a tracker out of your spam, I'm going
>>to crosspost this reply into spamcop.help and .spam, and I'm going to
>>structure followups to spamcop help.
>>
>>And, I'm going to address your questions inline below. 

 > Thanks, and sorry about posting in the wrong newsgroup(Spamcop help says
 > that .spam is for discussion spam, and doesn't list .help, so it was the
 > closest match).

<snip>

It's ok. The good thing is that you posted your spam in .spam instead of 
one of the other newsgroups. The forum page doesn't really explain it 
well, but like Mike said, the discussion part should be posted to the 
main spamcop newsgroup or here in .help while the spam part is posted in 
.spam or post the tracking URL instead.

One more thing that will help you to be able to communicate easier in 
the newsgroup...
Notice how Mike posted his comments inline below each quoted point while 
snipping the rest except for the part that he posted at the top 
directing you on where to post certain things. When you post your 
comments at the top, it forces the reader to have to scroll back and 
forth to understand the context and makes people less likely to read 
your posts. The logical and polite order is to post your own comments 
inline below each quoted point like Mike did.

See #6 at http://linux.sgms-centre.com/misc/netiquette.php and #1 and #2 
at http://www.river.com/users/share/etiquette/ for more snipping and 
inline posting netiquette.


-Cat
  SpamCop user, not an admin
From MikeE at ster.invalid  Wed Dec  1 18:35:36 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Dec  1 21:35:03 2004
Subject: [SC-Help] Re: Being Spammed By G4-TechTV?
References: <colfh4$7mc$1@news.spamcop.net> <colqep$f3u$1@news.spamcop.net>
	<coltqn$hjq$1@news.spamcop.net>
Message-ID: <colv0i$ift$1@news.spamcop.net>

Ryan Smith wrote:
> Thanks, and sorry about posting in the wrong newsgroup(Spamcop help
> says that .spam is for discussion spam, and doesn't list .help, so it
> was the closest match).

Yes.  Local 'lore' and the routines or popular behaviors are different
from the faq.  Sometimes there's a tiny bit of discussion which goes on
in .spam, but the problem with carrying on a discussion in there is that
no one reads it -- why would they?  It only contains spam by
'tradition'.   So, as a result, any discussions in .spam are limited to
a few people who peek in there and see if anything is going on that
hasn't been flagged in .help or spamcop.  It is better to move it out
here where more people can see it.

Also, spamcop.help [where we are] is also a little 'lame' as well.
Without getting into all of the details about why, currently
spamcop.help lacks a link from an important set of links to the
newsgroups;  so it is like the 'other side' or alternate persona of a
'lame duck', more like a dead duck which is still flying.

> Anyhow, I've already done as you've
> described(sent a report off to tscholz), but otherwise I'm just
> puzzled about this. Their link is to a non-routable IP, and to port 0
> no less, and the email makes no attempt to replicate a real PayPal
> email, so it just strikes me as very odd, as if they wanted this
> phising scheme to fail.

I agree that it is very strange looking.  Spammers are all kinds of
things;  totally incompetent, all mixed up, pretty smart, dumb, liars,
and $deity knows what else.

Try to keep the rules in order, rule 1 & 2 involves spammers lying, and
rule 3 sez they're stupid.  After you go beyond the rules, things get
more complicated.  For example, there is the 'Quirk Objection' - which
sez, after bringing up questions about things such as 'brains'
"Objection!  Assumes organs not in evidence!"

http://www.spamfaq.net/terminology.shtml

> To add more oddness to it, I just received a bounced email that
> originally came from the same source. But this one used my address as
> the From address, and was advertising a blog/webcam site(and not a
> specific one, just a link saying to "check out my blog", but used the
> same text/background style and bad link. You're right in that I
> probably shouldn't pursue this any further since its doubtful
> anything will come of it, but at this point, I'm not sure if someone
> is screwing with my head, or what.

The only way someone can screw with your head is if you 'let' [or invite
or some other word] them do it.

-- 
Mike Easter
kibitzer, not SC admin

From ric.gates at bigsleep.org  Thu Dec  2 03:17:21 2004
From: ric.gates at bigsleep.org (Blammo)
Date: Wed Dec  1 22:20:03 2004
Subject: [SC-Help] Re: Being Spammed By G4-TechTV?
References: <colfh4$7mc$1@news.spamcop.net> <colqep$f3u$1@news.spamcop.net>
	<coltqn$hjq$1@news.spamcop.net> <colv0i$ift$1@news.spamcop.net>
Message-ID: <Xns95B2C44FBE971blammo@216.154.195.61>

On 01 Dec 2004 Mike Easter entered spamcop.help and left 
news:colv0i$ift$1@news.spamcop.net:

> I agree that it is very strange looking.  Spammers are all kinds of
> things;  totally incompetent, all mixed up, pretty smart, dumb, liars,
> and $deity knows what else.
> 
> Try to keep the rules in order, rule 1 & 2 involves spammers lying, and
> rule 3 sez they're stupid.  After you go beyond the rules, things get
> more complicated.  For example, there is the 'Quirk Objection' - which
> sez, after bringing up questions about things such as 'brains'
> "Objection!  Assumes organs not in evidence!"
> 

Like most discussion involving spammer logic, that I skim over and pay 
little attention to, my first assumption is that the spamware is doing all 
the thinking, thus : garbage in garbage out. Seems futile to try to sort 
some order out of chaos.

-- 
| Ric
|
From PossumTrot at dont.spam.me  Fri Dec  3 14:27:21 2004
From: PossumTrot at dont.spam.me (Possum Trot)
Date: Fri Dec  3 17:35:02 2004
Subject: [SC-Help] Reports regarding this spam have already been sent:
Message-ID: <coqpev$m82$1@news.spamcop.net>

Are others experiencing frequent unfathomable cases of this message?  In the 
past couple of weeks I see this about every 15 to 30 spam.  I submit the 
spam from OE in groups of about 15.  I Shift-right click to select a batch, 
then send, delete those 15 and select and send the next batch.  I could see 
forgetting to delete and then re-submitting a whole batch, but I see no way 
I could resend one, especially one in the middle of a group.

To this point I haven't saved links or the originals for analysis.  It's 
sort of a nit, but confusing. 


From dogworkings at DELETE.pobox.THIS.com  Sun Dec  5 08:19:22 2004
From: dogworkings at DELETE.pobox.THIS.com (Jim Carroll)
Date: Sun Dec  5 09:25:02 2004
Subject: [SC-Help] "No body provided.  Check format of submission"
Message-ID: <cov5fi$6ke$1@news.spamcop.net>

Many of the spam messages that flood my inbox have no "body" per se, just an 
attachment.

Spamcop is rejecting my submission of these as spam, with the subject 
message.

These messages ARE spam, and they're every bit as annoying as messages with 
bodies.  Why is Spamcop giving a free ride to spammers who undoubtedly know 
that Spamcop seems to ignore spam with no message body but with an 
attachment?

Thanks in advance. 


From mrichter at cpl.net  Sun Dec  5 07:45:47 2004
From: mrichter at cpl.net (Mike Richter)
Date: Sun Dec  5 10:50:03 2004
Subject: [SC-Help] Re: "No body provided.  Check format of submission"
In-Reply-To: <cov5fi$6ke$1@news.spamcop.net>
References: <cov5fi$6ke$1@news.spamcop.net>
Message-ID: <covaf5$95n$1@news.spamcop.net>

Jim Carroll wrote:

> Many of the spam messages that flood my inbox have no "body" per se, just an 
> attachment.
> 
> Spamcop is rejecting my submission of these as spam, with the subject 
> message.
> 
> These messages ARE spam, and they're every bit as annoying as messages with 
> bodies.  Why is Spamcop giving a free ride to spammers who undoubtedly know 
> that Spamcop seems to ignore spam with no message body but with an 
> attachment?
> 
> Thanks in advance. 

Posted by a (mostly) happy SC user, not an official:

SC rejects them because it has nothing of substance to report. If the 
attachment is TXT, copy the contents into your report as though it were 
inline.

Mike
-- 
mrichter@cpl.net
http://www.mrichter.com/

From MikeE at ster.invalid  Sun Dec  5 07:49:03 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Dec  5 10:50:05 2004
Subject: [SC-Help] Re: "No body provided.  Check format of submission"
References: <cov5fi$6ke$1@news.spamcop.net>
Message-ID: <coval5$9df$1@news.spamcop.net>

Jim Carroll wrote:
> Many of the spam messages that flood my inbox have no "body" per se,
> just an attachment.
>
> Spamcop is rejecting my submission of these as spam, with the subject
> message.
>
> These messages ARE spam, and they're every bit as annoying as
> messages with bodies.  Why is Spamcop giving a free ride to spammers
> who undoubtedly know that Spamcop seems to ignore spam with no
> message body but with an attachment?

Oh goody!  A guessing game!  I already have an idea!

First, in reply to what you have 'stated' -- it doesn't work that way
you said.  A properly submitted mailitem which has an attachment will
parse just fine, where the key words are 'properly submitted'.

Your newsreader is Outlook Express OE.  It is an excellent agent for
submitting spam either by pasting into the webparser or by using the
submit email address.

When pasting into the webparser, you access the original what I call
'smtp mime' or complete headers plus unrendered spambody by selecting
the item and using File/ Properties/ Details/ Message source/ and then
select all of that, copy and paste it into the webparser.

That item will have the 'attachment' with whatever is its appropriate
mime structure under the complete headers.

If you are using OE to submit by mail, you would use 'forward as
attachment' function *NOT* 'forward'.

If you open a piece of spam with OE, which I rcommend against, and you
see an empty body with an attachment in the attachment field above the
body section, and then you  *FORWARD* the item instead of forwarding it
as an attachment, you will get the effect you have described.

So, if you are using OE you are forwarding not as an attachment.

The other possibility is that you aren't using OE for your mailuser
agent, but are using Outlook OL, the part of the MS Office suite for
your mail and just using OE for your newsing.  That is a whole different
discussion, since OL *can't* forward as attachment.

-- 
Mike Easter
kibitzer, not SC admin

From Kilgallen at SpamCop.net  Sun Dec  5 11:13:15 2004
From: Kilgallen at SpamCop.net (Larry Kilgallen)
Date: Sun Dec  5 12:15:03 2004
Subject: [SC-Help] Re: "No body provided.  Check format of submission"
References: <cov5fi$6ke$1@news.spamcop.net>
Message-ID: <qBVkb85cbKfs@eisner.encompasserve.org>

In article <cov5fi$6ke$1@news.spamcop.net>, "Jim Carroll" <dogworkings@DELETE.pobox.THIS.com> writes:
> Many of the spam messages that flood my inbox have no "body" per se, just an 
> attachment.
> 
> Spamcop is rejecting my submission of these as spam, with the subject 
> message.
> 
> These messages ARE spam, and they're every bit as annoying as messages with 
> bodies.  Why is Spamcop giving a free ride to spammers who undoubtedly know 
> that Spamcop seems to ignore spam with no message body but with an 
> attachment?

Because the most frequent method for SpamCop getting a body-free message
has historically been user error (including in their choice of email
client).

But it is certainly not the _only_ source, as it is possible to get
this even from messages trapped by the SpamCop Filtering Service.
From David1 at suescornerweb.com  Sun Dec  5 16:31:59 2004
From: David1 at suescornerweb.com (David 1)
Date: Sun Dec  5 16:35:04 2004
Subject: [SC-Help] Re: "No body provided.  Check format of submission"
In-Reply-To: <coval5$9df$1@news.spamcop.net>
References: <cov5fi$6ke$1@news.spamcop.net> <coval5$9df$1@news.spamcop.net>
Message-ID: <covumb$m5e$1@news.spamcop.net>

Mike Easter wrote:
> Jim Carroll wrote:
> 
>>Many of the spam messages that flood my inbox have no "body" per se,
>>just an attachment.
>>
>>Spamcop is rejecting my submission of these as spam, with the subject
>>message.
>>
>>These messages ARE spam, and they're every bit as annoying as
>>messages with bodies.  Why is Spamcop giving a free ride to spammers
>>who undoubtedly know that Spamcop seems to ignore spam with no
>>message body but with an attachment?
> 
> 
> Oh goody!  A guessing game!  I already have an idea!
> 
> First, in reply to what you have 'stated' -- it doesn't work that way
> you said.  A properly submitted mailitem which has an attachment will
> parse just fine, where the key words are 'properly submitted'.
> 
> Your newsreader is Outlook Express OE.  It is an excellent agent for
> submitting spam either by pasting into the webparser or by using the
> submit email address.
> 
> When pasting into the webparser, you access the original what I call
> 'smtp mime' or complete headers plus unrendered spambody by selecting
> the item and using File/ Properties/ Details/ Message source/ and then
> select all of that, copy and paste it into the webparser.
> 
> That item will have the 'attachment' with whatever is its appropriate
> mime structure under the complete headers.
> 
> If you are using OE to submit by mail, you would use 'forward as
> attachment' function *NOT* 'forward'.
> 
> If you open a piece of spam with OE, which I rcommend against, and you
> see an empty body with an attachment in the attachment field above the
> body section, and then you  *FORWARD* the item instead of forwarding it
> as an attachment, you will get the effect you have described.
> 
> So, if you are using OE you are forwarding not as an attachment.
> 
> The other possibility is that you aren't using OE for your mailuser
> agent, but are using Outlook OL, the part of the MS Office suite for
> your mail and just using OE for your newsing.  That is a whole different
> discussion, since OL *can't* forward as attachment.
> 
I've recently Switched from OE to T-Bird 0.08 & has been working great 
Accept I really don't know if the attachments are getting checked I just 
report what ever SC tells me to report & if the spam ticked me off I 
also check the little preset button I made for the feds. So now that 
I've rambled Do I really need to check if the attachments are being 
checked & if I do how do I go about doing that????
David 1
From nobody at devnull.spamcop.net  Sun Dec  5 16:05:37 2004
From: nobody at devnull.spamcop.net (Cat)
Date: Sun Dec  5 17:10:04 2004
Subject: [SC-Help] Re: "No body provided.  Check format of submission"
In-Reply-To: <covaf5$95n$1@news.spamcop.net>
References: <cov5fi$6ke$1@news.spamcop.net> <covaf5$95n$1@news.spamcop.net>
Message-ID: <cp00n7$ngk$1@news.spamcop.net>

Mike Richter wrote:

<snip>

> SC rejects them because it has nothing of substance to report. If the 
> attachment is TXT, copy the contents into your report as though it were 
> inline.
> 
> Mike

But doesn't that count as materially changing the submitted spam, which 
would be against SpamCop rules? If he forwards as attachment, that 
should work fine to get it all in there.
From nobody at devnull.spamcop.net  Sun Dec  5 16:08:23 2004
From: nobody at devnull.spamcop.net (Cat)
Date: Sun Dec  5 17:10:07 2004
Subject: [SC-Help] Re: "No body provided.  Check format of submission"
In-Reply-To: <covumb$m5e$1@news.spamcop.net>
References: <cov5fi$6ke$1@news.spamcop.net> <coval5$9df$1@news.spamcop.net>
	<covumb$m5e$1@news.spamcop.net>
Message-ID: <cp00sd$ngk$2@news.spamcop.net>

David 1 wrote:

<giant snip>

> I've recently Switched from OE to T-Bird 0.08 & has been working great 

<snip>

Thunderbird 0.8? You're behind a bit. It's up to 0.9 now, which is what 
I'm using since I switched from Netscape to Firefox.
From MikeE at ster.invalid  Sun Dec  5 15:00:07 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Dec  5 18:05:03 2004
Subject: [SC-Help] Re: "No body provided.  Check format of submission"
References: <cov5fi$6ke$1@news.spamcop.net> <coval5$9df$1@news.spamcop.net>
	<covumb$m5e$1@news.spamcop.net>
Message-ID: <cp03tm$poi$1@news.spamcop.net>

David 1 wrote:
> Accept I really don't know if the attachments are getting checked I
> just report what ever SC tells me to report & if the spam ticked me
> off I also check the little preset button I made for the feds. So now
> that I've rambled Do I really need to check if the attachments are
> being checked & if I do how do I go about doing that????

When you say 'attachments' and wonder if they are being checked you are
thinking of a mail as it appears to a spam reader.

First, don't be a spamreader unless there is some very good reason to do
so, and then only be a secure spamreader.

Second, from the point of view of the SC parser, there is no such thing
as an 'attachment'.  A mail consists of headers and then whatever comes
after that.  That is, everything that is not part of the header is part
of the 'body'.  That is, everything which is in the body includes all
manner of 'structure' and all parts of that structure are evaluated
according to their content type.  The body isn't 'subdivided' by the
parser into what is an 'attachment' to a reader accustomed to an
'attachment' field;  it is only subdivided according to its content
type.

Said yet another way, you should look at your spamitem in the same way
that it would be pasted into the webparser.  There is only the headers
and everything which comes after the headers.  The headers are parsed
for source and everything which comes after is parsed for spamvertiser.

-- 
Mike Easter
kibitzer, not SC admin

From ftabor at direcway.com  Sun Dec  5 18:29:55 2004
From: ftabor at direcway.com (Frank Tabor)
Date: Sun Dec  5 18:30:03 2004
Subject: [SC-Help] Re: "No body provided.  Check format of submission"
In-Reply-To: <cp00sd$ngk$2@news.spamcop.net>
References: <cov5fi$6ke$1@news.spamcop.net> <coval5$9df$1@news.spamcop.net>
	<covumb$m5e$1@news.spamcop.net> <cp00sd$ngk$2@news.spamcop.net>
Message-ID: <cp05l6$qjt$1@news.spamcop.net>

Cat wrote:
> David 1 wrote:
> 
> <giant snip>
> 
>> I've recently Switched from OE to T-Bird 0.08 & has been working great 
> 
> 
> <snip>
> 
> Thunderbird 0.8? You're behind a bit. It's up to 0.9 now, which is what 
> I'm using since I switched from Netscape to Firefox.

Release Candidate 1.0RC has been out for several days.
From David1 at suescornerweb.com  Sun Dec  5 19:17:02 2004
From: David1 at suescornerweb.com (David 1)
Date: Sun Dec  5 19:20:03 2004
Subject: [SC-Help] Re: "No body provided.  Check format of submission"
In-Reply-To: <cp00sd$ngk$2@news.spamcop.net>
References: <cov5fi$6ke$1@news.spamcop.net> <coval5$9df$1@news.spamcop.net>
	<covumb$m5e$1@news.spamcop.net> <cp00sd$ngk$2@news.spamcop.net>
Message-ID: <cp08c0$t4k$1@news.spamcop.net>

Cat wrote:
> David 1 wrote:
> 
> <giant snip>
> 
>> I've recently Switched from OE to T-Bird 0.08 & has been working great 
> 
> 
> <snip>
> 
> Thunderbird 0.8? You're behind a bit. It's up to 0.9 now, which is what 
> I'm using since I switched from Netscape to Firefox.
Yeah, I'm waiting on the disk, I thought it would be here by now don't 
want to really D/L with dial up I MISS MY DSL
From David1 at suescornerweb.com  Sun Dec  5 19:22:26 2004
From: David1 at suescornerweb.com (David 1)
Date: Sun Dec  5 19:25:03 2004
Subject: [SC-Help] Re: "No body provided.  Check format of submission"
In-Reply-To: <cp03tm$poi$1@news.spamcop.net>
References: <cov5fi$6ke$1@news.spamcop.net> <coval5$9df$1@news.spamcop.net>
	<covumb$m5e$1@news.spamcop.net> <cp03tm$poi$1@news.spamcop.net>
Message-ID: <cp08m7$thh$1@news.spamcop.net>

Mike Easter wrote:
> David 1 wrote:
> 
>>Accept I really don't know if the attachments are getting checked I
>>just report what ever SC tells me to report & if the spam ticked me
>>off I also check the little preset button I made for the feds. So now
>>that I've rambled Do I really need to check if the attachments are
>>being checked & if I do how do I go about doing that????
> 
> 
> When you say 'attachments' and wonder if they are being checked you are
> thinking of a mail as it appears to a spam reader.
> 
> First, don't be a spamreader unless there is some very good reason to do
> so, and then only be a secure spamreader.
> 
> Second, from the point of view of the SC parser, there is no such thing
> as an 'attachment'.  A mail consists of headers and then whatever comes
> after that.  That is, everything that is not part of the header is part
> of the 'body'.  That is, everything which is in the body includes all
> manner of 'structure' and all parts of that structure are evaluated
> according to their content type.  The body isn't 'subdivided' by the
> parser into what is an 'attachment' to a reader accustomed to an
> 'attachment' field;  it is only subdivided according to its content
> type.
> 
> Said yet another way, you should look at your spamitem in the same way
> that it would be pasted into the webparser.  There is only the headers
> and everything which comes after the headers.  The headers are parsed
> for source and everything which comes after is parsed for spamvertiser.
> 
Well if I understand everything you just said correctly, then if the 
spammer sends an attachment it just don't matter cause the reader 
whether it be from SC or any other service Just ain't going/equipt to 
deal with it.

I've already seen enough of your post to know if I got this wrong you'll 
correct me fairly fast <G> so I'll wait.
David 1
From h9vzc2i02 at sneakemail.com  Sun Dec  5 17:14:25 2004
From: h9vzc2i02 at sneakemail.com (Anon_)
Date: Sun Dec  5 20:15:03 2004
Subject: [SC-Help] Re: "No body provided.  Check format of submission"
References: <cov5fi$6ke$1@news.spamcop.net> <coval5$9df$1@news.spamcop.net>
	<covumb$m5e$1@news.spamcop.net>
Message-ID: <cp0bq0$van$1@news.spamcop.net>


"David 1" <David1@suescornerweb.com> wrote in message
news:covumb$m5e$1@news.spamcop.net...
> Mike Easter wrote:
> > Jim Carroll wrote:
> >
> >>Many of the spam messages that flood my inbox have no "body" per se,
> >>just an attachment.
> >>
> >>Spamcop is rejecting my submission of these as spam, with the subject
> >>message.
> >>
> >>These messages ARE spam, and they're every bit as annoying as
> >>messages with bodies.  Why is Spamcop giving a free ride to spammers
> >>who undoubtedly know that Spamcop seems to ignore spam with no
> >>message body but with an attachment?
> >
> >
> > Oh goody!  A guessing game!  I already have an idea!
> >
> > First, in reply to what you have 'stated' -- it doesn't work that way
> > you said.  A properly submitted mailitem which has an attachment will
> > parse just fine, where the key words are 'properly submitted'.
> >
> > Your newsreader is Outlook Express OE.  It is an excellent agent for
> > submitting spam either by pasting into the webparser or by using the
> > submit email address.
> >
> > When pasting into the webparser, you access the original what I call
> > 'smtp mime' or complete headers plus unrendered spambody by selecting
> > the item and using File/ Properties/ Details/ Message source/ and then
> > select all of that, copy and paste it into the webparser.
> >
> > That item will have the 'attachment' with whatever is its appropriate
> > mime structure under the complete headers.
> >
> > If you are using OE to submit by mail, you would use 'forward as
> > attachment' function *NOT* 'forward'.
> >
> > If you open a piece of spam with OE, which I rcommend against, and you
> > see an empty body with an attachment in the attachment field above the
> > body section, and then you  *FORWARD* the item instead of forwarding it
> > as an attachment, you will get the effect you have described.
> >
> > So, if you are using OE you are forwarding not as an attachment.
> >
> > The other possibility is that you aren't using OE for your mailuser
> > agent, but are using Outlook OL, the part of the MS Office suite for
> > your mail and just using OE for your newsing.  That is a whole different
> > discussion, since OL *can't* forward as attachment.
> >
> I've recently Switched from OE to T-Bird 0.08 & has been working great
> Accept I really don't know if the attachments are getting checked I just
> report what ever SC tells me to report & if the spam ticked me off I
> also check the little preset button I made for the feds. So now that
> I've rambled Do I really need to check if the attachments are being
> checked & if I do how do I go about doing that????
> David 1

****
Easy test to see what SC is getting - just "submit" to yourself and see if
the attachment is identical to what you received.

Since the parser looks at the attachment only (not the body of the e-mail
submittal) THAT (the attachment) is the important thing.

--
A SpamCop user and forum reader,
Not Admin
***



From MikeE at ster.invalid  Sun Dec  5 17:52:13 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Dec  5 20:55:04 2004
Subject: [SC-Help] Re: "No body provided.  Check format of submission"
References: <cov5fi$6ke$1@news.spamcop.net> <coval5$9df$1@news.spamcop.net>
	<covumb$m5e$1@news.spamcop.net> <cp03tm$poi$1@news.spamcop.net>
	<cp08m7$thh$1@news.spamcop.net>
Message-ID: <cp0e0c$s0$1@news.spamcop.net>

David 1 wrote:
> Well if I understand everything you just said correctly,

You didn't understand me correctly.

>  then if the
> spammer sends an attachment it just don't matter cause the reader
> whether it be from SC or any other service Just ain't going/equipt to
> deal with it.

Not correct;  ie 'Wrong.'.   As in, 'bzzzztttt'.

> I've already seen enough of your post to know if I got this wrong
> you'll correct me fairly fast <G> so I'll wait.

What I said was [in less words than before] ...

... forget about the concept of 'attachments'.

>From a parser's point of view, there's no such thing as that.

There's only headers and then everything else.

Or, said yet another way, 'Attachments are not a problem.' in any way,
shape, or form.

You should stop there if too many words get in the way of understanding.


There are many problems for the parser which can arise from the body.
None of them have anything to do with the 'spamreader's concept' of an
'attachment'.  My 'concept' of the parser is that it doesn't even
see/recognize the notion of an 'attachment', only content type -- which
content type is not something a 'spamreader' will see.  That content
type is only something which someone who examines the message /source/
will see;  which is the way the parser sees it, the spamitem.

So, the idea I'm trying to get over to you is that if you are seeing and
thinking about 'attachments', and want to talk about how the parser sees
them, where 'them' = attachments, then you aren't on the same 'page' as
the parser;  ie you and the parser aren't thinking in the same way about
what a spam is made of.

-- 
Mike Easter
kibitzer, not SC admin

From h9vzc2i02 at sneakemail.com  Sun Dec  5 20:21:46 2004
From: h9vzc2i02 at sneakemail.com (Anon_)
Date: Sun Dec  5 23:25:03 2004
Subject: [SC-Help] Re: "No body provided.  Check format of submission"
References: <cov5fi$6ke$1@news.spamcop.net> <coval5$9df$1@news.spamcop.net>
	<covumb$m5e$1@news.spamcop.net> <cp03tm$poi$1@news.spamcop.net>
	<cp08m7$thh$1@news.spamcop.net> <cp0e0c$s0$1@news.spamcop.net>
Message-ID: <cp0mpa$6a9$1@news.spamcop.net>


"Mike Easter" <MikeE@ster.invalid> wrote in message
news:cp0e0c$s0$1@news.spamcop.net...
> David 1 wrote:
> > Well if I understand everything you just said correctly,
>
> You didn't understand me correctly.
>
> >  then if the
> > spammer sends an attachment it just don't matter cause the reader
> > whether it be from SC or any other service Just ain't going/equipt to
> > deal with it.
>
> Not correct;  ie 'Wrong.'.   As in, 'bzzzztttt'.
>
> > I've already seen enough of your post to know if I got this wrong
> > you'll correct me fairly fast <G> so I'll wait.
>
> What I said was [in less words than before] ...
>
> ... forget about the concept of 'attachments'.
>
> From a parser's point of view, there's no such thing as that.
>
> There's only headers and then everything else.
>

**
If you look at the 'message source' you will see that that is correct.

If there are attachments, they just appear in line with everything else with
a 'note' that the following text is an attachment to the e-mail.

As said above, the parser doesn't care whether that part of the e-mail is an
attachment or just more 'message', it just plugs merrily along.

--
A SpamCop user and forum reader,
Not Admin
***
<clip>


From David1 at suescornerweb.com  Mon Dec  6 00:46:26 2004
From: David1 at suescornerweb.com (David 1)
Date: Mon Dec  6 00:45:04 2004
Subject: [SC-Help] Re: "No body provided.  Check format of submission"
In-Reply-To: <cp0e0c$s0$1@news.spamcop.net>
References: <cov5fi$6ke$1@news.spamcop.net> <coval5$9df$1@news.spamcop.net>
	<covumb$m5e$1@news.spamcop.net> <cp03tm$poi$1@news.spamcop.net>
	<cp08m7$thh$1@news.spamcop.net> <cp0e0c$s0$1@news.spamcop.net>
Message-ID: <cp0rk9$8tj$2@news.spamcop.net>

Mike Easter wrote:
> David 1 wrote:
> 
>>Well if I understand everything you just said correctly,
> 
> 
> You didn't understand me correctly.
> 
> 
>> then if the
>>spammer sends an attachment it just don't matter cause the reader
>>whether it be from SC or any other service Just ain't going/equipt to
>>deal with it.
> 
> 
> Not correct;  ie 'Wrong.'.   As in, 'bzzzztttt'.
> 
> 
>>I've already seen enough of your post to know if I got this wrong
>>you'll correct me fairly fast <G> so I'll wait.
> 
> 
> What I said was [in less words than before] ...
> 
> ... forget about the concept of 'attachments'.
> 
> From a parser's point of view, there's no such thing as that.
> 
> There's only headers and then everything else.
> 
> Or, said yet another way, 'Attachments are not a problem.' in any way,
> shape, or form.
> 
> You should stop there if too many words get in the way of understanding.
> 
> 
> There are many problems for the parser which can arise from the body.
> None of them have anything to do with the 'spamreader's concept' of an
> 'attachment'.  My 'concept' of the parser is that it doesn't even
> see/recognize the notion of an 'attachment', only content type -- which
> content type is not something a 'spamreader' will see.  That content
> type is only something which someone who examines the message /source/
> will see;  which is the way the parser sees it, the spamitem.
> 
> So, the idea I'm trying to get over to you is that if you are seeing and
> thinking about 'attachments', and want to talk about how the parser sees
> them, where 'them' = attachments, then you aren't on the same 'page' as
> the parser;  ie you and the parser aren't thinking in the same way about
> what a spam is made of.
> 
Ok, I think, yeah ok, well Thanks for replying.
David 1 <G>
From David1 at suescornerweb.com  Mon Dec  6 00:47:40 2004
From: David1 at suescornerweb.com (David 1)
Date: Mon Dec  6 00:50:03 2004
Subject: [SC-Help] Re: "No body provided.  Check format of submission"
In-Reply-To: <cp0mpa$6a9$1@news.spamcop.net>
References: <cov5fi$6ke$1@news.spamcop.net> <coval5$9df$1@news.spamcop.net>
	<covumb$m5e$1@news.spamcop.net> <cp03tm$poi$1@news.spamcop.net>
	<cp08m7$thh$1@news.spamcop.net> <cp0e0c$s0$1@news.spamcop.net>
	<cp0mpa$6a9$1@news.spamcop.net>
Message-ID: <cp0rmj$8tj$3@news.spamcop.net>

Anon_ wrote:
> "Mike Easter" <MikeE@ster.invalid> wrote in message
> news:cp0e0c$s0$1@news.spamcop.net...
> 
>>David 1 wrote:
>>
>>>Well if I understand everything you just said correctly,
>>
>>You didn't understand me correctly.
>>
>>
>>> then if the
>>>spammer sends an attachment it just don't matter cause the reader
>>>whether it be from SC or any other service Just ain't going/equipt to
>>>deal with it.
>>
>>Not correct;  ie 'Wrong.'.   As in, 'bzzzztttt'.
>>
>>
>>>I've already seen enough of your post to know if I got this wrong
>>>you'll correct me fairly fast <G> so I'll wait.
>>
>>What I said was [in less words than before] ...
>>
>>... forget about the concept of 'attachments'.
>>
>>From a parser's point of view, there's no such thing as that.
>>
>>There's only headers and then everything else.
>>
> 
> 
> **
> If you look at the 'message source' you will see that that is correct.
> 
> If there are attachments, they just appear in line with everything else with
> a 'note' that the following text is an attachment to the e-mail.
> 
> As said above, the parser doesn't care whether that part of the e-mail is an
> attachment or just more 'message', it just plugs merrily along.
> 
> --
> A SpamCop user and forum reader,
> Not Admin
> ***
> <clip>
> 
> 
NOW that I understood, Thank You.

David 1
From dogworkings at DELETE.pobox.THIS.com  Mon Dec  6 07:33:52 2004
From: dogworkings at DELETE.pobox.THIS.com (Jim Carroll)
Date: Mon Dec  6 09:00:04 2004
Subject: [SC-Help] Re: "No body provided.  Check format of submission"
References: <cov5fi$6ke$1@news.spamcop.net> <coval5$9df$1@news.spamcop.net>
Message-ID: <cp1of3$pp7$1@news.spamcop.net>


"Mike Easter" <MikeE@ster.invalid> wrote in message 
news:coval5$9df$1@news.spamcop.net...
>
>
> If you are using OE to submit by mail, you would use 'forward as
> attachment' function *NOT* 'forward'.

I do "forward as attachment" using Outlook Express and occasionally I still 
receive the "no body provided" message.

> If you open a piece of spam with OE, which I rcommend against,

I've disabled the preview pane for just this reason.  I highlight spam, and 
use "forward as attachment".  Sometimes several at a batch.

> So, if you are using OE you are forwarding not as an attachment.

Again, I do NOT "forward".

> Oh goody!  A guessing game!  I already have an idea!

> First, in reply to what you have 'stated'

I'm sorry I'm not as knowledgeable as you, and that I didn't know the answer 
before I asked.  My sword is nailed to the wall above the fireplace, 
otherwise I'd fall on it.

Thanks for your "help". 


From dogworkings at DELETE.pobox.THIS.com  Mon Dec  6 07:55:26 2004
From: dogworkings at DELETE.pobox.THIS.com (Jim Carroll)
Date: Mon Dec  6 09:00:06 2004
Subject: [SC-Help] Re: "No body provided.  Check format of submission"
References: <cov5fi$6ke$1@news.spamcop.net> <covaf5$95n$1@news.spamcop.net>
	<cp00n7$ngk$1@news.spamcop.net>
Message-ID: <cp1of3$pp7$2@news.spamcop.net>


"Cat" <nobody@devnull.spamcop.net> wrote in message
news:cp00n7$ngk$1@news.spamcop.net...

>> SC rejects them because it has nothing of substance to report. If the
>> attachment is TXT, copy the contents into your report as though it were
>> inline.
>
> But doesn't that count as materially changing the submitted spam, which
> would be against SpamCop rules?

That was my understanding.

> If he forwards as attachment, that  should work fine to get it all in
> there.

That was what Julian Haight himself told me to do when I long ago tried to
"forward" a message from Outlook Express instead of "forward as attachment".

Today, I got two more "no body provided, check format of submission." error
messages.  Appended to this is what showed up when I selected the "tracking
URL" of one and then selected "view original message".

Status:  U
Return-Path: <svxhbgky@fresh.de>
Received: from adsl-68-255-147-105.dsl.akrnoh.ameritech.net
([68.255.1xx.1xx])
by timothy.mail.atl.earthlink.net (EarthLink SMTP Server) with SMTP id
1cB2nyap3Nl3pw0
Sun, 5 Dec 2004 14:49:04 -0500 (EST)
Received: from contest.pop11.odn.ne.jp ([0.128.216.158])
 by polio.pop11.odn.ne.jp (Sun Java System Messaging Server 6.1 HotFix 0.06
(built
 Aug 25 2004)) with ESMTP id <0C5I00DW4[3
From: <svxhbgky@fresh.de>
Message-Id: <2004____________________3pw0@timothy.mail.atl.earthlink.net>
Date: Sun, 5 Dec 2004 14:49:04 -0500 (EST)
X-ELNK-AV: 0



From dogworkings at DELETE.pobox.THIS.com  Mon Dec  6 07:56:29 2004
From: dogworkings at DELETE.pobox.THIS.com (Jim Carroll)
Date: Mon Dec  6 09:00:10 2004
Subject: [SC-Help] Re: "No body provided.  Check format of submission"
References: <cov5fi$6ke$1@news.spamcop.net> <coval5$9df$1@news.spamcop.net>
	<covumb$m5e$1@news.spamcop.net> <cp03tm$poi$1@news.spamcop.net>
	<cp08m7$thh$1@news.spamcop.net> <cp0e0c$s0$1@news.spamcop.net>
Message-ID: <cp1of4$pp7$3@news.spamcop.net>


"Mike Easter" <MikeE@ster.invalid> wrote in message
news:cp0e0c$s0$1@news.spamcop.net...
>
> ... forget about the concept of 'attachments'.
>
> From a parser's point of view, there's no such thing as that.
>
> There's only headers and then everything else.
>
> Or, said yet another way, 'Attachments are not a problem.' in any way,
> shape, or form.

What I was saying, said another way, is that "forward as attachment" isn't
working as it once did.

I don't know if OE has changed as regards WHAT it forwards as an attachment,
if the spammers are sending something different, or if Spamcop has changed
as regards what it will accept as a submission, but SOMEthing has changed,
at least as I see it.  I've been submitting spam to Spamcop since it was
julianhaight.com, and have found the process to be fairly intuitive, and
have not seen the "no body provided.  Check format of submission" message
until just lately, and I'm seeing it a couple of times per day.

Formerly, before the volume of spam that got past two filters (pobox and
earthlink) got as large as it is, I reported the occasional spam by "view
message source" (ctrl-F3 in Outlook Express), copying the resulting text,
and pasting it to Spamcop, and that worked, but much more slowly than
"forward as attachment".

What I referred to as "attachments" in the original post may have been in
error.  Whatever the "content" of the spam, OE shows the message in the
inbox as having an attachment with the small attachment icon.  I have never
opened such a post to see whether it truly carries an "attachment" or not.
Nor will I -- I may be stupid, but I'm not crazy.

I may try using "forward as attachment" only with the messages that show up
WITHOUT the "attachment" icon, and use the old "view message source"
strategy with those messages displaying as having attachments.  If that
doesn't work, I guess it's back to "just hit delete".  I'm going to let the
scholars like you report spam.  I'll go back to being part of the problem.


From MikeE at ster.invalid  Mon Dec  6 06:42:18 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Dec  6 09:45:03 2004
Subject: [SC-Help] Re: "No body provided.  Check format of submission"
References: <cov5fi$6ke$1@news.spamcop.net> <covaf5$95n$1@news.spamcop.net>
	<cp00n7$ngk$1@news.spamcop.net> <cp1of3$pp7$2@news.spamcop.net>
Message-ID: <cp1r46$rqp$1@news.spamcop.net>

Jim Carroll wrote:
> Today, I got two more "no body provided, check format of submission."
> error messages.  Appended to this is what showed up when I selected
> the "tracking URL" of one and then selected "view original message".

Posting the tracking url here would be best.

> Status:  U

> X-ELNK-AV: 0

Those look like the first and last headerlines of an email received by
an EL subscriber;  and what you posted looks like what I call an 'empty
spam' -- that is, a message with no body.

That appears to be a different type of item than the initial onset of
this thread

Jim Carroll wrote:
> Many of the spam messages that flood my inbox have no "body" per se,
> just an attachment.

Where is the 'evidence' of an /attachment/ to this particular item?

-- 
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid  Mon Dec  6 06:56:34 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Dec  6 10:00:03 2004
Subject: [SC-Help] Re: "No body provided.  Check format of submission"
References: <cov5fi$6ke$1@news.spamcop.net> <coval5$9df$1@news.spamcop.net>
	<covumb$m5e$1@news.spamcop.net> <cp03tm$poi$1@news.spamcop.net>
	<cp08m7$thh$1@news.spamcop.net> <cp0e0c$s0$1@news.spamcop.net>
	<cp1of4$pp7$3@news.spamcop.net>
Message-ID: <cp1ruu$sff$1@news.spamcop.net>

Jim Carroll wrote:
> Formerly, before the volume of spam that got past two filters (pobox
> and earthlink) got as large as it is, I reported the occasional spam
> by "view message source" (ctrl-F3 in Outlook Express), copying the
> resulting text, and pasting it to Spamcop, and that worked, but much
> more slowly than "forward as attachment".

Control-F3 will not work to view the message source with a message both
closed and unpreviewed.

If a selected message is unopened and unpreviewed, you have to use File/
Properties/ Details tab/ Message source button to access the complete
headers contiguous with the message body, and....

.... if you only use File/ Properties/ Details tab and do *NOT* go
further to the Message source button, you will access only the complete
headers and will be missing the message body and if submitted to
spamcop's webparser you will get 'no body provided - check format of
submission'

If a message is either open /or/ previewed, control-F3 will display the
message source.

> What I referred to as "attachments" in the original post may have
> been in error.  Whatever the "content" of the spam, OE shows the
> message in the inbox as having an attachment with the small
> attachment icon.  I have never opened such a post to see whether it
> truly carries an "attachment" or not. Nor will I -- I may be stupid,
> but I'm not crazy.

I just did a survey of the last 10 spam items with an attachment icon in
my Junk folder.  They were all simply multiparts consisting of a
plaintext part and a text/html part.

> I may try using "forward as attachment" only with the messages that
> show up WITHOUT the "attachment" icon, and use the old "view message
> source" strategy with those messages displaying as having
> attachments.  If that doesn't work, I guess it's back to "just hit
> delete".  I'm going to let the scholars like you report spam.  I'll
> go back to being part of the problem.

IMO, the best way to troubleshoot a problem is to *NOT* use the forward
as attachment method, because that introduces layers of complexity which
are not necessary for the webparser.

By using the webparser, you can *see* exactly what you are asking the
parser to do, and if you are 'familiar' with the process from previous
parsings, you can even see when something is wrong with something.

Further, if you are /not/ familiar with what is going on, you can simply
post the tracking url to this newsgroup so that we can use the tracker
to access what you fed the parser and see for ourselves what is going
on.

-- 
Mike Easter
kibitzer, not SC admin

From dogworkings at DELETE.pobox.THIS.com  Mon Dec  6 09:08:39 2004
From: dogworkings at DELETE.pobox.THIS.com (Jim Carroll)
Date: Mon Dec  6 10:10:04 2004
Subject: [SC-Help] Re: "No body provided.  Check format of submission"
References: <cov5fi$6ke$1@news.spamcop.net> <coval5$9df$1@news.spamcop.net>
	<covumb$m5e$1@news.spamcop.net> <cp03tm$poi$1@news.spamcop.net>
	<cp08m7$thh$1@news.spamcop.net> <cp0e0c$s0$1@news.spamcop.net>
	<cp1of4$pp7$3@news.spamcop.net> <cp1ruu$sff$1@news.spamcop.net>
Message-ID: <cp1sml$t1i$1@news.spamcop.net>


"Mike Easter" <MikeE@ster.invalid> wrote in message 
news:cp1ruu$sff$1@news.spamcop.net...
> Further, if you are /not/ familiar with what is going on, you can simply
> post the tracking url to this newsgroup so that we can use the tracker
> to access what you fed the parser and see for ourselves what is going
> on.

Or maybe "just hit delete".

Is there a way to donate my unused SpamCop privileges to a knowledgeable 
user?

This is a lot more trouble than it's worth.

I'm not as stupid as this thread has made me sound; I've been using 
computers since 1981.  But spam has kicked my ass and I'm about to give up 
trying to do something constructive about it.



From nobody at spamcop.net  Mon Dec  6 10:20:09 2004
From: nobody at spamcop.net (Miss Betsy)
Date: Mon Dec  6 10:25:02 2004
Subject: [SC-Help] Re: "No body provided.  Check format of submission"
References: <cov5fi$6ke$1@news.spamcop.net> <coval5$9df$1@news.spamcop.net>
	<covumb$m5e$1@news.spamcop.net> <cp03tm$poi$1@news.spamcop.net>
	<cp08m7$thh$1@news.spamcop.net> <cp0e0c$s0$1@news.spamcop.net>
	<cp1of4$pp7$3@news.spamcop.net> <cp1ruu$sff$1@news.spamcop.net>
	<cp1sml$t1i$1@news.spamcop.net>
Message-ID: <cp1tc8$tia$1@news.spamcop.net>


"Jim Carroll" <dogworkings@DELETE.pobox.THIS.com> wrote in message
news:cp1sml$t1i$1@news.spamcop.net...
<snip>
> I'm not as stupid as this thread has made me sound; I've been using
> computers since 1981.  But spam has kicked my ass and I'm about to
give up
> trying to do something constructive about it.

Submitting spam is not as difficult as it seems either, but most of the
responders are either people who know so many different ways to get
errors that they need a lot of information to make a specific helpful
reply or they have seen the same question so many times and, for
whatever reason, feel sarcastic today.

If there is truly no body (which happens), it is permissible to submit
with 'no body provided' or similar language to get the parser to work.
If it is an attachment, I don't understand why that is not showing up.
There was someone else who thought that a spam that had one word in
HTML and one word in plain text created that error.  That probably had
something to do with his mail reader, but it's not been resolved yet.

Otherwise, if you don't have time to figure out the nuances, don't
worry about those that don't make it through the parser.  There are
plenty that do.  A little reporting is better than none.

HTH

Miss Betsy



From MikeE at ster.invalid  Mon Dec  6 07:41:16 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Dec  6 10:45:03 2004
Subject: [SC-Help] Re: "No body provided.  Check format of submission"
References: <cov5fi$6ke$1@news.spamcop.net> <coval5$9df$1@news.spamcop.net>
	<covumb$m5e$1@news.spamcop.net> <cp03tm$poi$1@news.spamcop.net>
	<cp08m7$thh$1@news.spamcop.net> <cp0e0c$s0$1@news.spamcop.net>
	<cp1of4$pp7$3@news.spamcop.net> <cp1ruu$sff$1@news.spamcop.net>
	<cp1sml$t1i$1@news.spamcop.net>
Message-ID: <cp1uip$ua1$1@news.spamcop.net>

Jim Carroll wrote:
> Or maybe "just hit delete".

There's nothing wrong with deleting spams.

> This is a lot more trouble than it's worth.

My philosophy is that spam reporting should be 'secondary' to the
primary mission/s of the management of the Inbox.  That management
should be done in some way which is both secure and nonfrustrating, so
it would be best if there were no spam or viruses in the Inbox at all.

A mailuser agent mua like OE isn't 'designed' to be distinguishing spams
from nonspams by the human user eyeball reading spamsubjects and froms,
so ideally the spam would have been subject tagged with something like
SpamPal before they got to the mua.  Then, OE could mesage rule send all
of the spams to the Junk folder and end all of the spam's frustration
and 'contamination' and interference with the Inbox.

Only if the user felt like 'visiting' hir spam would s/he go to Junk.
If s/he wanted to be a spam reporter, s/he could.  If s/he just wanted
to mass delete all of the spam s/he could.  The annoyance of the spam
would be over.

Similarly I would configure OE to have a BigMail folder so that any
virms, including those missed by the AV agents of provider or other
would be corralled into there.


-- 
Mike Easter
kibitzer, not SC admin

From h9vzc2i02 at sneakemail.com  Mon Dec  6 08:17:06 2004
From: h9vzc2i02 at sneakemail.com (Anon_)
Date: Mon Dec  6 11:20:03 2004
Subject: [SC-Help] Re: "No body provided.  Check format of submission"
References: <cov5fi$6ke$1@news.spamcop.net> <coval5$9df$1@news.spamcop.net>
	<covumb$m5e$1@news.spamcop.net> <cp03tm$poi$1@news.spamcop.net>
	<cp08m7$thh$1@news.spamcop.net> <cp0e0c$s0$1@news.spamcop.net>
	<cp1of4$pp7$3@news.spamcop.net>
Message-ID: <cp20mg$vrh$1@news.spamcop.net>


"Jim Carroll" <dogworkings@DELETE.pobox.THIS.com> wrote in message
news:cp1of4$pp7$3@news.spamcop.net...
>
> "Mike Easter" <MikeE@ster.invalid> wrote in message
> news:cp0e0c$s0$1@news.spamcop.net...
> >
> > ... forget about the concept of 'attachments'.
> >
> > From a parser's point of view, there's no such thing as that.
> >
> > There's only headers and then everything else.
> >
> > Or, said yet another way, 'Attachments are not a problem.' in any way,
> > shape, or form.
>
> What I was saying, said another way, is that "forward as attachment" isn't
> working as it once did.
>
> I don't know if OE has changed as regards WHAT it forwards as an
attachment,

**
I'm still using oe and submitting as attachment - SC has been responding
correctly - so it appears that there has been no change in how SC handles
attachments.
**

<clip>

**
My submittals mentioned above sometimes contained spam with attachments -
those also worked OK.

--
A SpamCop user and forum reader,
Not Admin
***



From h9vzc2i02 at sneakemail.com  Mon Dec  6 08:28:14 2004
From: h9vzc2i02 at sneakemail.com (Anon_)
Date: Mon Dec  6 11:30:04 2004
Subject: [SC-Help] Re: "No body provided.  Check format of submission"
References: <cov5fi$6ke$1@news.spamcop.net> <coval5$9df$1@news.spamcop.net>
	<covumb$m5e$1@news.spamcop.net> <cp03tm$poi$1@news.spamcop.net>
	<cp08m7$thh$1@news.spamcop.net> <cp0e0c$s0$1@news.spamcop.net>
	<cp1of4$pp7$3@news.spamcop.net> <cp1ruu$sff$1@news.spamcop.net>
	<cp1sml$t1i$1@news.spamcop.net>
Message-ID: <cp21bc$h5$1@news.spamcop.net>


"Jim Carroll" <dogworkings@DELETE.pobox.THIS.com> wrote in message
news:cp1sml$t1i$1@news.spamcop.net...
>
> "Mike Easter" <MikeE@ster.invalid> wrote in message
> news:cp1ruu$sff$1@news.spamcop.net...
> > Further, if you are /not/ familiar with what is going on, you can simply
> > post the tracking url to this newsgroup so that we can use the tracker
> > to access what you fed the parser and see for ourselves what is going
> > on.
>
> Or maybe "just hit delete".
>
> Is there a way to donate my unused SpamCop privileges to a knowledgeable
> user?
>
> This is a lot more trouble than it's worth.
>
> I'm not as stupid as this thread has made me sound; I've been using
> computers since 1981.  But spam has kicked my ass and I'm about to give up
> trying to do something constructive about it.
>

**
HEY please bear with us and do not give up!!!!

We are all trying to help so when something asked is answered in an unclear
manner, just ask again or look at further posts - just because one poster's
response is muddy, do not assume all posts are going to be unclear.

Usually Mike Easter's responses are the best around.

--
A SpamCop user and forum reader,
Not Admin
***



From nobody at devnull.spamcop.net  Mon Dec  6 11:46:59 2004
From: nobody at devnull.spamcop.net (WazoO)
Date: Mon Dec  6 12:50:04 2004
Subject: [SC-Help] Re: Add mailhost not working quite right
References: <Xns95B75C98D21A8blarp@216.154.195.61>
Message-ID: <cp25uj$3nv$1@news.spamcop.net>

"Tom Geldner" <tom@blarpxx.com> wrote in message
news:Xns95B75C98D21A8blarp@216.154.195.61...
> This comes up when I paste the entire email into the Paste headers box.
>
> Sorry, SpamCop has encountered errors:
> Confirmation codes do not match:
>
> From recipient address: 9sDvHMpNySr3f9yi
> From header:            9sDvHMpNySr3f9yi
> From body:
>
> If I do it separately as headers and body, it will accept it.

  Per all the traffic over in the web-based Forum on your
scenario, you are dealing with white-space issues.  Of course,
I also thought that those probe e-mails had some silly sentence
in them about not making some data public ... but what do
I know?


From buzzard554 at fastmail.co.uk  Mon Dec  6 18:25:14 2004
From: buzzard554 at fastmail.co.uk (Martin Edwards)
Date: Mon Dec  6 13:25:03 2004
Subject: [SC-Help] Re: "No body provided.  Check format of submission"
In-Reply-To: <cp1tc8$tia$1@news.spamcop.net>
References: <cov5fi$6ke$1@news.spamcop.net> <coval5$9df$1@news.spamcop.net>
	<covumb$m5e$1@news.spamcop.net> <cp03tm$poi$1@news.spamcop.net>
	<cp08m7$thh$1@news.spamcop.net> <cp0e0c$s0$1@news.spamcop.net>
	<cp1of4$pp7$3@news.spamcop.net> <cp1ruu$sff$1@news.spamcop.net>
	<cp1sml$t1i$1@news.spamcop.net> <cp1tc8$tia$1@news.spamcop.net>
Message-ID: <cp2855$5bn$1@news.spamcop.net>

Miss Betsy wrote:
> 
> Otherwise, if you don't have time to figure out the nuances, don't
> worry about those that don't make it through the parser.  There are
> plenty that do.  A little reporting is better than none.
> 
> HTH
> 
> Miss Betsy
> 

Well, yeah, Miss Betsy.  Seems to me though that some of 'em feel 
sarcastic quite a lot.

From nobody at devnull.spamcop.net  Mon Dec  6 14:42:28 2004
From: nobody at devnull.spamcop.net (WazoO)
Date: Mon Dec  6 15:45:05 2004
Subject: [SC-Help] Re: Is this a valid Received: line?
References: <Xns95B7694A2890Eblarp@216.154.195.61>
Message-ID: <cp2g7h$a9d$1@news.spamcop.net>

"Tom Geldner" <tom@blarpxx.com> wrote in message
news:Xns95B7694A2890Eblarp@216.154.195.61...
> I am having trouble with SpamCop parsing my spam reports. It's started to
> complain that it can't determine the source. I suspect my ISP has changed
> the way they write headers but I don't know enough about this to really
> tell. Here are the received headers from a sample email. I've munged all
> the mail addresses -- the servers are the actual servers.

  Try providing a Tracking URL of one of these failed items.  Your
"sample" is hosed due to the vagaries of the manipulations used
to post it/read it 'here' .. and not enough data provided to waste
time trying to build a 'fake' spam to try to submit it ....


From nobody at spamcop.net  Mon Dec  6 16:44:14 2004
From: nobody at spamcop.net (Miss Betsy)
Date: Mon Dec  6 16:45:03 2004
Subject: [SC-Help] Re: "No body provided.  Check format of submission"
References: <cov5fi$6ke$1@news.spamcop.net> <coval5$9df$1@news.spamcop.net>
	<covumb$m5e$1@news.spamcop.net> <cp03tm$poi$1@news.spamcop.net>
	<cp08m7$thh$1@news.spamcop.net> <cp0e0c$s0$1@news.spamcop.net>
	<cp1of4$pp7$3@news.spamcop.net> <cp1ruu$sff$1@news.spamcop.net>
	<cp1sml$t1i$1@news.spamcop.net> <cp1tc8$tia$1@news.spamcop.net>
	<cp2855$5bn$1@news.spamcop.net>
Message-ID: <cp2jsc$d25$1@news.spamcop.net>


"Martin Edwards" <buzzard554@fastmail.co.uk> wrote in message
news:cp2855$5bn$1@news.spamcop.net...
> Miss Betsy wrote:
> >
> > Otherwise, if you don't have time to figure out the nuances, don't
> > worry about those that don't make it through the parser.  There are
> > plenty that do.  A little reporting is better than none.
> >
> > HTH
> >
> > Miss Betsy
> >
>
> Well, yeah, Miss Betsy.  Seems to me though that some of 'em feel
> sarcastic quite a lot.

That's just the way they talk.  When you talk to a mechanic about your
car, you don't get customer service type terms - they tell it like it
is (it's only good for parking in your yard and planting flowers in -
actual quote).  It's the same thing with the techies here.  They talk
to each other like that and don't get insulted so they don't quite
understand why posters do.  It's a whole lot 'friendlier' than when I
first started posting because there are more non-techs here, but they
still aren't talking to 'customers' - they are talking to 'peers'

I remember when people first started to ask for more politeness.  One
poster (an admin) was extremely angry because he was blocked.  The
exchange between him and admin posters was very acrimonious and full of
'personal' references.  Other posters tried to intervene with customer
service type posts, but were mainly ignored by the combatants.  At the
end, the original poster posted, "Been a real interesting discussion."
and went away satisfied.

Miss Betsy



From fredfighter at spamcop.net  Tue Dec  7 03:51:42 2004
From: fredfighter at spamcop.net (Fred the Red Shirt)
Date: Mon Dec  6 22:20:04 2004
Subject: [SC-Help] Re: "No body provided.  Check format of submission"
References: <cov5fi$6ke$1@news.spamcop.net>
Message-ID: <41B528CE.BDFDA64C@spamcop.net>



Jim Carroll wrote:

> Many of the spam messages that flood my inbox have no "body" per se, just an
> attachment.
>

Many of mine have no body and no attachment.  They look like maybe dumb
attempts to check the validity of harvested address lists.

Regardless, I type the word "BLANK." in the body and submit it.

I do not consider that to be a material alteration of the spam.

--

FF


From fredfighter at spamcop.net  Tue Dec  7 04:05:15 2004
From: fredfighter at spamcop.net (Fred the Red Shirt)
Date: Mon Dec  6 22:30:02 2004
Subject: [SC-Help] Re: Political unsolicited email?
References: <cj6q74$utc$1@news.spamcop.net>
Message-ID: <41B52BFB.B7168D77@spamcop.net>



Jim Wasson wrote:

> I just reported a political e-mail that was sent to me "because you are
> registered to vote in the state ..."  I have reported maybe two or three
> like this in the past. Personally I consider these to be spam.
>

I define spam as unsolicted bulk email without regard to content.  I report
as _probable_ spam, unsolicted email that I _presume_ to be bulk.

It doesn't matter to me if it is political, commercial, promotional,
religious,
or absolute nonsense.   I do get a fair bit of spam with indeterminate
content
becuase I cannot read it for any of a variety of reasons.   I get a lot more

that I do not read becuase I am confident that it is unsolicited bulk email
from the subject line and from: header alone.

Political spam may be exempt from (they) CAN SPAM (you) as are many
other spams.  I don't care, I don't have to care, after all, I'm not an AG,
so (they) CAN SPAM (you) is totally irrelevant to me.

Neither, AFAIK, does SpamCop nor do users of the SCBL care about
other definitions or legal exemptions.   Nor should any of us.

--

FF





From fredfighter at spamcop.net  Tue Dec  7 04:22:01 2004
From: fredfighter at spamcop.net (Fred the Red Shirt)
Date: Mon Dec  6 22:50:03 2004
Subject: [SC-Help] Does SpamCop Whitelisting ever work?
Message-ID: <41B52FE9.69DA57D5@spamcop.net>

I've "Released and Whitelisted" the same four emails, all of them are
SpamCop
spam reports, about a dozen times over the last week or two.  They keep
going
back to my "Held Mail" directory.  Is this something that should be
reported, or
is it a bug that has been ignored for a long time now?  Or both?  };-)

Here are example headers:

Date:    Tue, 30 Nov 2004 18:01:17 -0500 [2004-11-30 11:01PM GMT]
Delivered-To:   spamcop-net-fredfighter@spamcop.net
From:   Fred <1303929294@reports.spamcop.net>
Message-ID:   <rid_1303929294@msgid.spamcop.net>
Precedence:   list
Received:

    * (qmail 24820 invoked from network); 1 Dec 2004 15:29:37 -0000
    * from unknown (192.168.1.103) by blade4.cesmail.net with QMQP; 1
Dec 2004 15:29:37 -0000
    * from vmx2.spamcop.net (64.74.133.250) by mailgate2.cesmail.net
with SMTP; 1 Dec 2004 15:29:37 -0000
    * from sc-app3.eq.ironport.com (HELO spamcop.net) (192.168.19.203)
by vmx2.spamcop.net with SMTP; 01 Dec 2004 07:29:37 -0800
    * from [4.159.77.15] by spamcop.net with HTTP; Wed, 01 Dec 2004
15:29:37 GMT

Return-Path:   <1303929294@bounces.spamcop.net>
Subject:   [SpamCop (66.131.9.73) id:1303929294]christmass sale _ MS
Streets and Trips 2004
To:   fredfighter@spamcop.net
X-Mailer:   Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt; JUNO)
via http://www.spamcop.net/ v1.389
X-Spam-Checker-Version:   SpamAssassin 3.0.0 (2004-09-13) on blade4
X-Spam-Level:
X-Spam-Status:   hits=-78.8
tests=BIZ_TLD,FORGED_MUA_MOZILLA,FORGED_RCVD_HELO,
FROM_ENDS_IN_NUMS,LONGWORDS,SARE_OEM_PRODS_1,SARE_OEM_PRODS_2,
SARE_OEM_PRODS_3,SARE_OEM_PRODS_FEW,SARE_PRODS_LOTS,SARE_PRODUCTS_02,
SARE_PRODUCTS_03,SARE_PRODUCTS_04,URIBL_OB_SURBL,URIBL_SBL,
URIBL_SC_SURBL,URIBL_WS_SURBL,USER_IN_WHITELIST version=3.0.0
X-SpamCop-Checked:   192.168.1.103 64.74.133.250 192.168.19.203
4.159.77.15
X-SpamCop-Disposition:   Blocked dnsbl.sorbs.net
X-SpamCop-Whitelisted:   spamcop.net
X-SpamCop-sourceip:   66.131.9.73

I also have a filter rule that is supposed to catch these reports, it is
also being
superceded, evidently, by my use of teh sorbs blacklist.

BTW, doesn't this also mean that a SpamCop IP is on the sorbs blacklist?

What's up with that?

--

FF

From nobody at devnull.spamcop.net  Mon Dec  6 22:17:19 2004
From: nobody at devnull.spamcop.net (WazoO)
Date: Mon Dec  6 23:20:02 2004
Subject: [SC-Help] Re: Does SpamCop Whitelisting ever work?
References: <41B52FE9.69DA57D5@spamcop.net>
Message-ID: <cp3asf$rku$1@news.spamcop.net>

"Fred the Red Shirt" <fredfighter@spamcop.net> wrote in message
news:41B52FE9.69DA57D5@spamcop.net...
> X-SpamCop-Checked:   192.168.1.103 64.74.133.250 192.168.19.203
> 4.159.77.15
> X-SpamCop-Disposition:   Blocked dnsbl.sorbs.net
> X-SpamCop-Whitelisted:   spamcop.net
> X-SpamCop-sourceip:   66.131.9.73
>
> I also have a filter rule that is supposed to catch these reports, it is
> also being superceded, evidently, by my use of teh sorbs blacklist.
>
> BTW, doesn't this also mean that a SpamCop IP is on the sorbs blacklist?
>
> What's up with that?

For starters, you need to learn to use your tools a bit better.
You chose not to use a Tracking URL, so everyone else is
stuck having to work around all the issues of what you are
describing, what you saw, what you think you copied,
what actually made the transition to 'here', and the final
what really is displayed here on others' screens.

  For instance, I was disbelieving that the decision point on
your sample was 192.168.19.203 .. but then I noticed the
bad line-wraps ... so the decision point was actually made
on the IP 4.159.77.15 .. which is the IP listed on sorbs ...

  At that point, I decided to simply suggest that you'd
probably be better off taking your query to either the
spamcop.mail newsgroup of over to the web-based
Forum for perhaps a better / quicker answer from
other SpamCop E-Mail account users.  I know for a
fact that there are a number of entries on this over in
the web-based Forum version of the FAQ.


From Kilgallen at SpamCop.net  Tue Dec  7 07:42:49 2004
From: Kilgallen at SpamCop.net (Larry Kilgallen)
Date: Tue Dec  7 08:45:02 2004
Subject: [SC-Help] Re: Political unsolicited email?
References: <cj6q74$utc$1@news.spamcop.net> <41B52BFB.B7168D77@spamcop.net>
Message-ID: <ZAxNNnJQzlrp@eisner.encompasserve.org>

In article <41B52BFB.B7168D77@spamcop.net>, Fred the Red Shirt <fredfighter@spamcop.net> writes:
> 
> 
> Jim Wasson wrote:
> 
>> I just reported a political e-mail that was sent to me "because you are
>> registered to vote in the state ..."  I have reported maybe two or three
>> like this in the past. Personally I consider these to be spam.
>>
> 
> I define spam as unsolicted bulk email without regard to content.  I report
> as _probable_ spam, unsolicted email that I _presume_ to be bulk.

The next step is done by SpamCop, which only lists in the DNSbl after
evidence of bulk.
From tjtmdREMOVE_THIS at attglobal.net  Tue Dec  7 10:07:41 2004
From: tjtmdREMOVE_THIS at attglobal.net (Tanya)
Date: Tue Dec  7 10:35:04 2004
Subject: [SC-Help] help stopping spammer -- please advise
Message-ID: <41B5C73D.D5A6D95B@attglobal.net>

hello,
i am getting bombarded by porn and have been reporting it to uce@ftc.gov
and spamCop and it seems to have multiplied!
(at least 5 per day -- <it seems> from the same source)
when i click on the webSite where "Administrator of network hosting
website referenced in spam" even though it has a number of characters
the email address reduces to my isp (postmaster@myISP.net) ALWAYS
(however sometimes it only has anti-spam not postmaster)
anti-spam@myISP.net)
(also sometimes under the originating isp)
none of the other spams have this (very rarely do they refer to my isp)
NOTHING like a sig. file is in the body of the messages that i send

here is the tracking url (fwiw)
http://www.spamcop.net/sc?id=z700151331z4e249db60f7fe4cce7232b313ea4e41bz

please advise


From Kilgallen at SpamCop.net  Tue Dec  7 09:46:48 2004
From: Kilgallen at SpamCop.net (Larry Kilgallen)
Date: Tue Dec  7 10:50:03 2004
Subject: [SC-Help] Technical details even though they are disabled
Message-ID: <Vneh7Cm4hdwn@eisner.encompasserve.org>

After a bad parse, Julian suggested I turn on Mailhosts.

I have done that, but now every parse seems to show technical details,
even though I have Simple Output set in my preferences.

Has anyone else encountered this ?

Does anyone know a solution ?
From MikeE at ster.invalid  Tue Dec  7 10:40:25 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Dec  7 13:45:02 2004
Subject: [SC-Help] Re: help stopping spammer -- please advise
References: <41B5C73D.D5A6D95B@attglobal.net>
Message-ID: <cp4teg$tst$1@news.spamcop.net>

Tanya wrote:
> i am getting bombarded by porn and have been reporting it to
> uce@ftc.gov and spamCop and it seems to have multiplied!

As a general rule, notifying for spam does not do anything directly to
reduce the spam.  The FTC is busy doing whatever it is the FTC does, but
merely 'accumulates' spams at their uce address, and SpamCop notifies
contribute to the SCbl for spamsource, generally open proxies, and
publicize spamvertisers for the sc-surbl lists - while notifying the
spamsource providers and spamvertiser providers so they can do with that
information what they like.

> (at least 5 per day -- <it seems> from the same source)
> when i click on the webSite

When you do /what/?  I'm not clear on those words you said.  Does that
say that you are clicking on the spamvertised website?  Or are you
saying that you are checking the spamcop form to notify for the
spamvertiser?

> where "Administrator of network hosting
> website referenced in spam" even though it has a number of characters
> the email address reduces to my isp (postmaster@myISP.net) ALWAYS
> (however sometimes it only has anti-spam not postmaster)
> anti-spam@myISP.net)
> (also sometimes under the originating isp)
> none of the other spams have this (very rarely do they refer to my
> isp) NOTHING like a sig. file is in the body of the messages that i
> send

I'm not understanding any part of that part of the par.

spamcop.net/sc?id=z700151331z4e249db60f7fe4cce7232b313ea4e41bz

That is a live tracker [you should report or cancel it] for a porn spam
sourced at a .cn provider which SC wants to notify for and a
ptolemaeus.info spamvertiser site which is also at a .cn provider which
SC wants to notify.

Inside the spam are URLs and links to graphics.  One link I checked is
redirected to a 'remove' at
http://4.78.57.78/ptolemaeus.info/b9a1a4d40a8891c3a6b510d8d/remove.php

4.78.57.78 no rDNS is spews S1660 listed as the /23

1, 4.78.22.0/23, Level3 (Bruce Louis Goldberg / adult.foxcounter.com /
vh3.techiemedia.net)

and whose provider structure is

whois -h whois.arin.net 4.78.57.78 ...
Level 3 Communications, Inc 4.0.0.0 - 4.255.255.255
Co-Location.com Inc.  4.78.56.0 - 4.78.57.255


-- 
Mike Easter
kibitzer, not SC admin

From nobody at spamcop.net  Tue Dec  7 14:06:31 2004
From: nobody at spamcop.net (Ellen)
Date: Tue Dec  7 14:10:03 2004
Subject: [SC-Help] Re: Technical details even though they are disabled
References: <Vneh7Cm4hdwn@eisner.encompasserve.org>
Message-ID: <cp4uvc$v02$2@news.spamcop.net>


"Larry Kilgallen" <Kilgallen@SpamCop.net> wrote in message
news:Vneh7Cm4hdwn@eisner.encompasserve.org...
> After a bad parse, Julian suggested I turn on Mailhosts.
>
> I have done that, but now every parse seems to show technical details,
> even though I have Simple Output set in my preferences.
>
> Has anyone else encountered this ?
>
> Does anyone know a solution ?

Yes you get details once you have mailhosts set up and no I don't think
there is a solution. What bothers you about it?

Ellen


From Kilgallen at SpamCop.net  Tue Dec  7 13:16:58 2004
From: Kilgallen at SpamCop.net (Larry Kilgallen)
Date: Tue Dec  7 14:20:03 2004
Subject: [SC-Help] Re: Technical details even though they are disabled
References: <Vneh7Cm4hdwn@eisner.encompasserve.org>
	<cp4uvc$v02$2@news.spamcop.net>
Message-ID: <mKCI4JQtoRHQ@eisner.encompasserve.org>

In article <cp4uvc$v02$2@news.spamcop.net>, "Ellen" <nobody@spamcop.net> writes:
> 
> "Larry Kilgallen" <Kilgallen@SpamCop.net> wrote in message
> news:Vneh7Cm4hdwn@eisner.encompasserve.org...
>> After a bad parse, Julian suggested I turn on Mailhosts.
>>
>> I have done that, but now every parse seems to show technical details,
>> even though I have Simple Output set in my preferences.
>>
>> Has anyone else encountered this ?
>>
>> Does anyone know a solution ?
> 
> Yes you get details once you have mailhosts set up and no I don't think
> there is a solution. What bothers you about it?

The checkboxes are off the screen and I have to scroll to get to them.

I would not care if the stuff of no interest to me were at the bottom.
From nobody at spamcop.net  Tue Dec  7 14:22:45 2004
From: nobody at spamcop.net (Ellen)
Date: Tue Dec  7 14:25:04 2004
Subject: [SC-Help] Re: Technical details even though they are disabled
References: <Vneh7Cm4hdwn@eisner.encompasserve.org>
	<cp4uvc$v02$2@news.spamcop.net> <mKCI4JQtoRHQ@eisner.encompasserve.org>
Message-ID: <cp4vsd$vr8$1@news.spamcop.net>


"Larry Kilgallen" <Kilgallen@SpamCop.net> wrote in message
news:mKCI4JQtoRHQ@eisner.encompasserve.org...
> >
>
> The checkboxes are off the screen and I have to scroll to get to them.
>
> I would not care if the stuff of no interest to me were at the bottom.

Ah - use a smaller font?

Ellen


From Kilgallen at SpamCop.net  Tue Dec  7 14:13:05 2004
From: Kilgallen at SpamCop.net (Larry Kilgallen)
Date: Tue Dec  7 15:15:01 2004
Subject: [SC-Help] Re: Technical details even though they are disabled
References: <Vneh7Cm4hdwn@eisner.encompasserve.org>
	<cp4uvc$v02$2@news.spamcop.net> <mKCI4JQtoRHQ@eisner.encompasserve.org>
	<cp4vsd$vr8$1@news.spamcop.net>
Message-ID: <YwWOHO0iDlyc@eisner.encompasserve.org>

In article <cp4vsd$vr8$1@news.spamcop.net>, "Ellen" <nobody@spamcop.net> writes:
> 
> "Larry Kilgallen" <Kilgallen@SpamCop.net> wrote in message
> news:mKCI4JQtoRHQ@eisner.encompasserve.org...
>> >
>>
>> The checkboxes are off the screen and I have to scroll to get to them.
>>
>> I would not care if the stuff of no interest to me were at the bottom.
> 
> Ah - use a smaller font?

You should insert a smiley when writing a joke.

Just as a test, I changed my browser font size from 14 points to
6 points (not that I could read the text associated with the boxes
at that size) and the following text still did not fit in one screenful.

Does it on any screen you read with ?

====================================================

Spam Header
Here is your TRACKING URL - it may be saved for future reference:
http://www.spamcop.net/sc?id=z700231063z6585b1175764f05062bbadf649068a32z
0: Received: from unknown (192.168.1.103) by blade4.cesmail.net with QMQP; 7 Dec 2004 19:30:46 -0000
Internal handoff at SpamCop

1: Received: from unknown (HELO emailgateway) (64.80.57.137) by mailgate2.cesmail.net with SMTP; 7 Dec 2004 19:30:45 -0000
No unique hostname found for source: 64.80.57.137
SpamCop received mail from SpamCop ( 64.80.57.137 )

2: Received: from bdcserver.sales ([192.168.100.14]) by emailgateway with Microsoft SMTPSVC(5.0.2195.6713); Tue, 7 Dec 2004 14:23:29 -0500
Internal handoff at SpamCop

Tracking message source: 64.80.57.137:
Routing details for 64.80.57.137
[refresh/show] Cached whois for 64.80.57.137 : ipadmin@paetec.com
Using best contacts abuse@paetec.com
Yum, this spam is fresh!
Message is 0 hours old
64.80.57.137 not listed in dnsbl.njabl.org
64.80.57.137 not listed in dnsbl.njabl.org
64.80.57.137 not listed in cbl.abuseat.org
64.80.57.137 not listed in dnsbl.sorbs.net
64.80.57.137 not listed in relays.ordb.org.
64.80.57.137 not listed in query.bondedsender.org
64.80.57.137 not listed in iadb.isipp.com
Finding links in message body
Recurse multipart:
   Recurse multipart:
      Parsing text part
      Parsing HTML part
   Ignored image/gif part
   Ignored image/gif part
Resolving link obfuscation
http://www.computerclearinghouse.com/
   host 128.121.175.102 (getting name) = www.computerclearinghouse.com.
http://www.computerclearinghouse.com
   host 128.121.175.102 = www.computerclearinghouse.com (cached)
Tracking link: http://www.computerclearinghouse.com/
[report history]
Resolves to 128.121.175.102
Routing details for 128.121.175.102
[refresh/show] Cached whois for 128.121.175.102 : ip@wh.verio.net
Using best contacts abuse@verio.net
Tracking link: http://www.computerclearinghouse.com
[report history]
ISP believes this issue is resolved http://www.computerclearinghouse.com
Resolves to 128.121.175.102
Routing details for 128.121.175.102
[refresh/show] Cached whois for 128.121.175.102 : ip@wh.verio.net
Using best contacts abuse@verio.net
ISP has already taken action against the account:http://www.computerclearinghouse.com
http://www.computerclearinghouse.com has been appealed previously.

From MikeE at ster.invalid  Tue Dec  7 13:16:42 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Dec  7 16:20:03 2004
Subject: [SC-Help] Re: Is this a valid Received: line?
References: <Xns95B7694A2890Eblarp@216.154.195.61>
	<cp2g7h$a9d$1@news.spamcop.net> <Xns95B88201A645Ablarp@216.154.195.61>
Message-ID: <cp56jh$50f$1@news.spamcop.net>

Tom Geldner wrote:
> "WazoO"

>>   Try providing a Tracking URL of one of these failed items.  Your
>> "sample" is hosed due to the vagaries of the manipulations used
>> to post it/read it 'here' .. and not enough data provided to waste
>> time trying to build a 'fake' spam to try to submit it ....
>
> My sample was supplied simply to ask if the received line was a
> normal RFC- compliant line. That should be evident to people who know
> those things.

No, your original 'question' was:

Tom Geldner wrote:
> I am having trouble with SpamCop parsing my spam reports. It's
> started to complain that it can't determine the source.

and that is an excellent place to start discussing the issue.

The business about whatall happens in the Received tracelines is myriad,
and the parser has a number of different strategies for coping with that
mischief.

What really matters here is how SC handles the condition, not what an
'optimal' or RFC compliant header should look like.

In this case, if we only look at the topline:

  Received: from boogabooga by juliet.affordablehost.com with
local-bsmtp (Exim 4.43) id 1Ca24e-00050b-IM for me@mydomain.yes; Thu, 02
Dec 2004 20:17:29 -0500

... we see it in the format

Received: from helo by your.affordable somestuff datestamp

That is non-compliant because it lacks an IP in the 'from' field.  But
it doesn't necessarily matter.  The parser can skip that line and go to
the next one.

  Received: from [216.207.37.198] (helo=smtp1.plextor.com) by
juliet.affordablehost.com with smtp (Exim 4.43) id 1Ca24e-0005Xn-Bx for
me@mydomain.yes; Thu, 02 Dec 2004 20:17:28 -0500

... which is in the format

Received: from [source.ip](helo) by your.affordable somestuff datestamp

But, in this case 216.207.37.198  rDNS
216-207-37-198.dia.cust.qwest.net   which is a dynamic qwest IP and not
a plextor server - so that is the 'first sign of bogosity' which is a
good place to break a chain, so it is likely that the SC parser would
break the chain there before it got to the next line

  Received: from smtp.plextor.com ([192.168.32.8]) by smtp1.plextor.com
with Microsoft  SMTPSVC(6.0.3790.211); Thu, 2 Dec 2004 17:16:38 -0800

....which is in the format

Received: from rDNS ([source.ip]) by aserver.domain somestuff datestamp

which is bogus and trying to show an internal plextor transaction.

So, the point is more about the *reality* of what a particular item
actually sez than a theoretical discussion of what a Received traceline
/should/ look like.

For that reason, it is better to post a specific tracker and talk about
that one item, than the theory of headers and Received lines.


-- 
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid  Tue Dec  7 13:36:44 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Dec  7 16:40:03 2004
Subject: [SC-Help] Re: Is this a valid Received: line?
References: <Xns95B7694A2890Eblarp@216.154.195.61>
	<cp2g7h$a9d$1@news.spamcop.net> <Xns95B88201A645Ablarp@216.154.195.61>
	<cp56jh$50f$1@news.spamcop.net>
Message-ID: <cp57p3$62s$1@news.spamcop.net>

Mike Easter wrote:
>   Received: from [216.207.37.198] (helo=smtp1.plextor.com) by
> juliet.affordablehost.com with smtp (Exim 4.43) id 1Ca24e-0005Xn-Bx
> for me@mydomain.yes; Thu, 02 Dec 2004 20:17:28 -0500
>
> ... which is in the format
>
> Received: from [source.ip](helo) by your.affordable somestuff
> datestamp
>
> But, in this case 216.207.37.198  rDNS
> 216-207-37-198.dia.cust.qwest.net   which is a dynamic qwest IP and
> not a plextor server - so that is the 'first sign of bogosity' which
> is a good place to break a chain, so it is likely that the SC parser
> would break the chain there before it got to the next line

I'm still messing with this;  as it is possible that 'someone' is using
a dynamic qwest IP as a server for the plextor.com domain.  It is also
possible for all the headerlines under the top one to be bogus and for
the topone to be problematically non-compliant.

dns plextor.com
Mail for plextor.com is handled by smtp1.plextor.com
Canonical name: plextor.com
Addresses:
  206.173.5.186

smtp1.plextor.com  DNS  216.207.37.198
216.207.37.198  rDNS  216-207-37-198.dia.cust.qwest.net

... so then that would allow me to continue to chain past the dynamic
qwest IP to the next line

And the next line looks like an internal one for plextor;  so maybe we
are looking at some incomplete headers of something or other

If all of the headerlines are bogus but the top one, then it would be
essential for the server at affordablehost to be reporting the source
IP.

dns affordablehost.com
Mail for affordablehost.com is handled by apple.affordablehost.com
apple.affordablehost.com
Canonical name: affordablehost.com
Addresses:
  12.164.25.254

apple.affordablehost.com  DNS  216.46.192.60



-- 
Mike Easter
kibitzer, not SC admin

From nobody at spamcop.net  Tue Dec  7 17:11:14 2004
From: nobody at spamcop.net (Ellen)
Date: Tue Dec  7 17:15:04 2004
Subject: [SC-Help] Re: Technical details even though they are disabled
References: <Vneh7Cm4hdwn@eisner.encompasserve.org>
	<cp4uvc$v02$2@news.spamcop.net> <mKCI4JQtoRHQ@eisner.encompasserve.org>
	<cp4vsd$vr8$1@news.spamcop.net> <YwWOHO0iDlyc@eisner.encompasserve.org>
Message-ID: <cp59ol$7hp$1@news.spamcop.net>


"Larry Kilgallen" <Kilgallen@SpamCop.net> wrote in message
news:YwWOHO0iDlyc@eisner.encompasserve.org...
> In article <cp4vsd$vr8$1@news.spamcop.net>, "Ellen" <nobody@spamcop.net>
writes:
> >
> > Ah - use a smaller font?

:-)


>
> You should insert a smiley when writing a joke.
>
> Just as a test, I changed my browser font size from 14 points to
> 6 points (not that I could read the text associated with the boxes
> at that size) and the following text still did not fit in one screenful.
>
> Does it on any screen you read with ?
>

Very honestly it has been so long -- years actually -- since I saw a parse
with technical details turned off that I have no idea what shows up with
them off. Just the tracking url and the checkboxes? I'll set up an account
later and rustle up a spam to parse ....

Ellen


From johnl at spamcop.net  Tue Dec  7 22:14:24 2004
From: johnl at spamcop.net (JohnL)
Date: Tue Dec  7 17:15:11 2004
Subject: [SC-Help] Re: Technical details even though they are disabled
References: <Vneh7Cm4hdwn@eisner.encompasserve.org>
	<cp4uvc$v02$2@news.spamcop.net> <mKCI4JQtoRHQ@eisner.encompasserve.org>
	<cp4vsd$vr8$1@news.spamcop.net> <YwWOHO0iDlyc@eisner.encompasserve.org>
	<cp59ol$7hp$1@news.spamcop.net>
Message-ID: <Xns95B89B07E985Djohnlspamcopnet@216.154.195.61>

"Ellen" <nobody@spamcop.net> wrote in
news:cp59ol$7hp$1@news.spamcop.net: 

> Very honestly it has been so long -- years actually -- since I saw a
> parse with technical details turned off that I have no idea what shows
> up with them off. Just the tracking url and the checkboxes? I'll set
> up an account later and rustle up a spam to parse ....
> 
> Ellen

Can't you just click on the "Skip to Reports" link?
From Kilgallen at SpamCop.net  Tue Dec  7 16:18:20 2004
From: Kilgallen at SpamCop.net (Larry Kilgallen)
Date: Tue Dec  7 17:20:02 2004
Subject: [SC-Help] Re: Technical details even though they are disabled
References: <Vneh7Cm4hdwn@eisner.encompasserve.org>
	<cp4uvc$v02$2@news.spamcop.net> <mKCI4JQtoRHQ@eisner.encompasserve.org>
	<cp4vsd$vr8$1@news.spamcop.net> <YwWOHO0iDlyc@eisner.encompasserve.org>
	<cp59ol$7hp$1@news.spamcop.net>
	<Xns95B89B07E985Djohnlspamcopnet@216.154.195.61>
Message-ID: <FJEyc7Q+SpcZ@eisner.encompasserve.org>

In article <Xns95B89B07E985Djohnlspamcopnet@216.154.195.61>, JohnL <johnl@spamcop.net> writes:
> "Ellen" <nobody@spamcop.net> wrote in
> news:cp59ol$7hp$1@news.spamcop.net: 
> 
>> Very honestly it has been so long -- years actually -- since I saw a
>> parse with technical details turned off that I have no idea what shows
>> up with them off. Just the tracking url and the checkboxes? I'll set
>> up an account later and rustle up a spam to parse ....
>> 
>> Ellen
> 
> Can't you just click on the "Skip to Reports" link?

Neither I nor the Netscape Search command find any such text
on the reporting page.
From johnl at spamcop.net  Tue Dec  7 22:26:27 2004
From: johnl at spamcop.net (JohnL)
Date: Tue Dec  7 17:30:02 2004
Subject: [SC-Help] Re: Technical details even though they are disabled
References: <Vneh7Cm4hdwn@eisner.encompasserve.org>
	<cp4uvc$v02$2@news.spamcop.net> <mKCI4JQtoRHQ@eisner.encompasserve.org>
	<cp4vsd$vr8$1@news.spamcop.net> <YwWOHO0iDlyc@eisner.encompasserve.org>
	<cp59ol$7hp$1@news.spamcop.net>
	<Xns95B89B07E985Djohnlspamcopnet@216.154.195.61>
	<FJEyc7Q+SpcZ@eisner.encompasserve.org>
Message-ID: <Xns95B89D12EE434johnlspamcopnet@216.154.195.61>

Kilgallen@SpamCop.net (Larry Kilgallen) wrote in
news:FJEyc7Q+SpcZ@eisner.encompasserve.org: 

> In article <Xns95B89B07E985Djohnlspamcopnet@216.154.195.61>, JohnL
> <johnl@spamcop.net> writes: 
>> Can't you just click on the "Skip to Reports" link?
> 
> Neither I nor the Netscape Search command find any such text
> on the reporting page.
> 

Hmm, need to check, maybe it needs JavaScript enabled.
Let me try it with "your choice" of it disabled. ;-)
From MikeE at ster.invalid  Tue Dec  7 14:33:02 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Dec  7 17:35:03 2004
Subject: [SC-Help] Re: Is this a valid Received: line?
References: <Xns95B7694A2890Eblarp@216.154.195.61>
Message-ID: <cp5b2k$8kl$1@news.spamcop.net>

Tom Geldner wrote:
> Received: from boogabooga by juliet.affordablehost.com

> To my untrained eye, the first Received line does not look parsable
> since it's showing an internal relay FROM a user account (boogabooga)
> TO the server that user account resides on. Would this cause SC to
> choke?

Disregarding spamcop or the path of the mailitem in question, but just
'chatting' about what we think of how juliet.affordablehost.com handles
that particular one line in isolation, it would be more compliant if it
stamped its 'from' field with the source IP and the rDNS and the helo.

But, there's another juliet.affordablehost.com line, the top one sez:

    by juliet.affordablehost.com with local-bsmtp

whereas the 2nd one sez

    by juliet.affordablehost.com with esmtp

and they are both 'driving' Exim 4.43

The top one's 'from' field doesn't have much in it;  whereas the 2nd
one's 'from' field has

  from [216.207.37.198] (helo=smtp1.plextor.com)

which on re-analysis would make sense, because plextor's mx is that IP
and name.


If the top line is/were the only truthful line, and all of the rest is
bogus, then the top line is doing a bad job by not telling the IP of its
source.  OTOH, if the topline is just part of the internal handling by
juliet, then it doesn't matter, because it has the situation 'covered'
by the 2nd line underneath.

It is really *really* much better to talk about a real item, and a
complete item, than to talk about pieces of headers in theory.  There's
a lot of talk and not much substance;  whereas it would be better if
there were actual substance, so there wouldn't have to be as much
'useless' talk.

Sometimes I don't even bother to discuss partial headers, they are such
a pain.


-- 
Mike Easter
kibitzer, not SC admin

From Kilgallen at SpamCop.net  Tue Dec  7 16:34:01 2004
From: Kilgallen at SpamCop.net (Larry Kilgallen)
Date: Tue Dec  7 17:35:06 2004
Subject: [SC-Help] Re: Technical details even though they are disabled
References: <Vneh7Cm4hdwn@eisner.encompasserve.org>
	<cp4uvc$v02$2@news.spamcop.net> <mKCI4JQtoRHQ@eisner.encompasserve.org>
	<cp4vsd$vr8$1@news.spamcop.net> <YwWOHO0iDlyc@eisner.encompasserve.org>
	<cp59ol$7hp$1@news.spamcop.net>
	<Xns95B89B07E985Djohnlspamcopnet@216.154.195.61>
	<FJEyc7Q+SpcZ@eisner.encompasserve.org>
	<Xns95B89D12EE434johnlspamcopnet@216.154.195.61>
Message-ID: <GZZWi1f6uazJ@eisner.encompasserve.org>

In article <Xns95B89D12EE434johnlspamcopnet@216.154.195.61>, JohnL <johnl@spamcop.net> writes:
> Kilgallen@SpamCop.net (Larry Kilgallen) wrote in
> news:FJEyc7Q+SpcZ@eisner.encompasserve.org: 
> 
>> In article <Xns95B89B07E985Djohnlspamcopnet@216.154.195.61>, JohnL
>> <johnl@spamcop.net> writes: 
>>> Can't you just click on the "Skip to Reports" link?
>> 
>> Neither I nor the Netscape Search command find any such text
>> on the reporting page.
>> 
> 
> Hmm, need to check, maybe it needs JavaScript enabled.
> Let me try it with "your choice" of it disabled. ;-)

Certainly implementing such a feature does not require JavaScript,
but the one you are seeing might have been implemented the hard way.

There is some question, however, as to whether we are talking about
the same thing - reporting from a username where "Technical Details"
are _disabled_, right ?
From johnl at spamcop.net  Tue Dec  7 22:35:29 2004
From: johnl at spamcop.net (JohnL)
Date: Tue Dec  7 17:40:02 2004
Subject: [SC-Help] Re: Technical details even though they are disabled
References: <Vneh7Cm4hdwn@eisner.encompasserve.org>
	<cp4uvc$v02$2@news.spamcop.net> <mKCI4JQtoRHQ@eisner.encompasserve.org>
	<cp4vsd$vr8$1@news.spamcop.net> <YwWOHO0iDlyc@eisner.encompasserve.org>
	<cp59ol$7hp$1@news.spamcop.net>
	<Xns95B89B07E985Djohnlspamcopnet@216.154.195.61>
	<FJEyc7Q+SpcZ@eisner.encompasserve.org>
	<Xns95B89D12EE434johnlspamcopnet@216.154.195.61>
	<GZZWi1f6uazJ@eisner.encompasserve.org>
Message-ID: <Xns95B89E9B4B0E6johnlspamcopnet@216.154.195.61>

Kilgallen@SpamCop.net (Larry Kilgallen) wrote in 
news:GZZWi1f6uazJ@eisner.encompasserve.org:

> There is some question, however, as to whether we are talking about
> the same thing - reporting from a username where "Technical Details"
> are _disabled_, right ?

No, this is with them enabled.
I thought that's what you had now.
From Kilgallen at SpamCop.net  Tue Dec  7 16:42:59 2004
From: Kilgallen at SpamCop.net (Larry Kilgallen)
Date: Tue Dec  7 17:45:02 2004
Subject: [SC-Help] Re: Technical details even though they are disabled
References: <Vneh7Cm4hdwn@eisner.encompasserve.org>
	<cp4uvc$v02$2@news.spamcop.net> <mKCI4JQtoRHQ@eisner.encompasserve.org>
	<cp4vsd$vr8$1@news.spamcop.net> <YwWOHO0iDlyc@eisner.encompasserve.org>
	<cp59ol$7hp$1@news.spamcop.net>
	<Xns95B89B07E985Djohnlspamcopnet@216.154.195.61>
	<FJEyc7Q+SpcZ@eisner.encompasserve.org>
	<Xns95B89D12EE434johnlspamcopnet@216.154.195.61>
	<GZZWi1f6uazJ@eisner.encompasserve.org>
	<Xns95B89E9B4B0E6johnlspamcopnet@216.154.195.61>
Message-ID: <1OPEHPZbx6Io@eisner.encompasserve.org>

In article <Xns95B89E9B4B0E6johnlspamcopnet@216.154.195.61>, JohnL <johnl@spamcop.net> writes:
> Kilgallen@SpamCop.net (Larry Kilgallen) wrote in 
> news:GZZWi1f6uazJ@eisner.encompasserve.org:
> 
>> There is some question, however, as to whether we are talking about
>> the same thing - reporting from a username where "Technical Details"
>> are _disabled_, right ?
> 
> No, this is with them enabled.
> I thought that's what you had now.

No.

By enabling technical details I could get even more of what I don't want :-)
From johnl at spamcop.net  Tue Dec  7 22:45:19 2004
From: johnl at spamcop.net (JohnL)
Date: Tue Dec  7 17:50:02 2004
Subject: [SC-Help] Re: Technical details even though they are disabled
References: <Vneh7Cm4hdwn@eisner.encompasserve.org>
	<cp4uvc$v02$2@news.spamcop.net> <mKCI4JQtoRHQ@eisner.encompasserve.org>
	<cp4vsd$vr8$1@news.spamcop.net> <YwWOHO0iDlyc@eisner.encompasserve.org>
	<cp59ol$7hp$1@news.spamcop.net>
	<Xns95B89B07E985Djohnlspamcopnet@216.154.195.61>
	<FJEyc7Q+SpcZ@eisner.encompasserve.org>
	<Xns95B89D12EE434johnlspamcopnet@216.154.195.61>
	<GZZWi1f6uazJ@eisner.encompasserve.org>
	<Xns95B89E9B4B0E6johnlspamcopnet@216.154.195.61>
	<1OPEHPZbx6Io@eisner.encompasserve.org>
Message-ID: <Xns95B8A0462B91johnlspamcopnet@216.154.195.61>

Kilgallen@SpamCop.net (Larry Kilgallen) wrote in
news:1OPEHPZbx6Io@eisner.encompasserve.org: 

> In article <Xns95B89E9B4B0E6johnlspamcopnet@216.154.195.61>, JohnL
> <johnl@spamcop.net> writes:  
>> No, this is with them enabled.
>> I thought that's what you had now.
> 
> No.
> 
> By enabling technical details I could get even more of what I don't
> want :-) 
> 

LOL, sorry about that.
I was assuming (HATE that word) that tech details had gotten turned on when 
you enabled Mailhosts.
From tjtmdREMOVE_THIS at attglobal.net  Tue Dec  7 17:24:42 2004
From: tjtmdREMOVE_THIS at attglobal.net (Tanya)
Date: Tue Dec  7 17:50:06 2004
Subject: [SC-Help] Re: help stopping spammer -- please advise
References: <41B5C73D.D5A6D95B@attglobal.net> <cp4teg$tst$1@news.spamcop.net>
Message-ID: <41B62DA9.3C1BB4C3@attglobal.net>

Mike Easter wrote:

> Tanya wrote:
> > i am getting bombarded by porn and have been reporting it to
> > uce@ftc.gov and spamCop and it seems to have multiplied!
>
> As a general rule, notifying for spam does not do anything directly to
> reduce the spam.  The FTC is busy doing whatever it is the FTC does, but
> merely 'accumulates' spams at their uce address, and SpamCop notifies
> contribute to the SCbl for spamsource, generally open proxies, and
> publicize spamvertisers for the sc-surbl lists - while notifying the
> spamsource providers and spamvertiser providers so they can do with that
> information what they like.
>
> > (at least 5 per day -- <it seems> from the same source)
> > when i click on the webSite
>
> When you do /what/?

when i click on for example <postmaster#cnc-noc.net@devnull.spamcop.net> it
returns postmaster @myIsp.net.

> I'm not clear on those words you said.  Does that
> say that you are clicking on the spamvertised website?  Or are you
> saying that you are checking the spamcop form to notify for the
> spamvertiser?

i am NOT clicking on the links in the spam what i meant was clicking on the
suggested addresses that spamCop returns

> > where "Administrator of network hosting
> > website referenced in spam" even though it has a number of characters
> > the email address reduces to my isp (postmaster@myISP.net) ALWAYS
> > (however sometimes it only has anti-spam not postmaster)
> > anti-spam@myISP.net)
> > (also sometimes under the originating isp)
> > none of the other spams have this (very rarely do they refer to my
> > isp) NOTHING like a sig. file is in the body of the messages that i
> > send
>
> I'm not understanding any part of that part of the par.

well it is clear above
if you click this <postmaster#cnc-noc.net@devnull.spamcop.net>
i don't know whether you would get postmaster@myISP.net
OR
postmaster@ster.invalid

> spamcop.net/sc?id=z700151331z4e249db60f7fe4cce7232b313ea4e41bz
>
> That is a live tracker [you should report or cancel it]

thnx

> for a porn spam
> sourced at a .cn provider which SC wants to notify for and a
> ptolemaeus.info spamvertiser site which is also at a .cn provider which
> SC wants to notify.

i know what it is for -- the graphics open automatically in email
this is W.A.Y. beyond viagra etc.
totally ILLegal --
basically aside from HOPING some "authority" would be *interested* i wonder
why my isp is ALWAYS either under the originator AND / or the referenced url
(this is all under spamCop's report)

> Inside the spam are URLs and links to graphics.  One link I checked is
> redirected to a 'remove' at
> http://4.78.57.78/ptolemaeus.info/b9a1a4d40a8891c3a6b510d8d/remove.php
>
> 4.78.57.78 no rDNS is spews S1660 listed as the /23
>
> 1, 4.78.22.0/23, Level3 (Bruce Louis Goldberg / adult.foxcounter.com /
> vh3.techiemedia.net)
>
> and whose provider structure is
>
> whois -h whois.arin.net 4.78.57.78 ...
> Level 3 Communications, Inc 4.0.0.0 - 4.255.255.255
> Co-Location.com Inc.  4.78.56.0 - 4.78.57.255

not clear on the above -- at all...
really want to know why my isp is ALWAYS in the report that spamCop shows
(prior to) either report / cancel etc.)

>
>
> --
> Mike Easter
> kibitzer, not SC admin

answers inLine above
thanks

From MikeE at ster.invalid  Tue Dec  7 15:07:34 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Dec  7 18:10:02 2004
Subject: [SC-Help] Re: help stopping spammer -- please advise
References: <41B5C73D.D5A6D95B@attglobal.net> <cp4teg$tst$1@news.spamcop.net>
	<41B62DA9.3C1BB4C3@attglobal.net>
Message-ID: <cp5d3c$aca$1@news.spamcop.net>

Tanya wrote:
>> When you do /what/?
>
> when i click on for example
> <postmaster#cnc-noc.net@devnull.spamcop.net> it returns postmaster
> @myIsp.net.

First, I don't know why that happens - but disregard it for now - that
isn't what you are supposed to do.

When I use the tracker which you posted earlier, the live one, what I
would be doing would be clicking the check /beside/ the address, not
/on/ the actual address link.

Second, if, for sake of the experiment, I click on the link you are
describing above, as it appears on the webpage, that is a 'mailto' link,
which opens a newmail in my mailagent and which To address is that
displayed above, which won't go anywhere [eventually], as that address
is really just for SC internal handling.

> i am NOT clicking on the links in the spam what i meant was clicking
> on the suggested addresses that spamCop returns

OK I understand now not spamlinks, but I can't think of any [good]
reason to be doing that link mailto clicking you just described.  SC is
just telling you how it is going to address the mail it sends.  There
may be something useful to be done with clicking on some of the
addresses provided so that you can send your own 'personal' mail to the
target.  Are you wanting to send a mail from yourself personally to the
intended recipients, or would you be just as happy having spamcop be
doing the notifying for you.

> well it is clear above
> if you click this <postmaster#cnc-noc.net@devnull.spamcop.net>
> i don't know whether you would get postmaster@myISP.net
> OR
> postmaster@ster.invalid

I get neither of the last 2, only a newmail trying to be addressed to:

postmaster#cnc-noc.net@devnull.spamcop.net

> basically aside from HOPING some "authority" would be *interested* i
> wonder why my isp is ALWAYS either under the originator AND / or the
> referenced url (this is all under spamCop's report)

I don't know why you are seeing what you described, unless you somewhere
told SC that you wanted your ISP notified about all of your spams, in
addition to the other notifies.

> not clear on the above -- at all...
> really want to know why my isp is ALWAYS in the report that spamCop
> shows (prior to) either report / cancel etc.)


-- 
Mike Easter
kibitzer, not SC admin

From nobody at spamcop.net  Tue Dec  7 19:08:05 2004
From: nobody at spamcop.net (Miss Betsy)
Date: Tue Dec  7 19:10:04 2004
Subject: [SC-Help] Re: help stopping spammer -- please advise
References: <41B5C73D.D5A6D95B@attglobal.net> <cp4teg$tst$1@news.spamcop.net>
	<41B62DA9.3C1BB4C3@attglobal.net>
Message-ID: <cp5ggm$cul$1@news.spamcop.net>

> i know what it is for -- the graphics open automatically in email
> this is W.A.Y. beyond viagra etc.
> totally ILLegal --
> basically aside from HOPING some "authority" would be
*interested* i wonder
> why my isp is ALWAYS either under the originator AND / or the
referenced url
> (this is all under spamCop's report)
>

There is no 'authority' who is interested because of the
international nature of the internet, there is no way that law
enforcement can work across all the different borders.

The internet is based on netiquette from the assigning of IP
addresses on down.  The best thing to do if you are receiving porn
emails is to change your address to one that is alphanumeric - for
instance t9yn9 - and be prudent about where you use it and whom you
give it to.  Many people have throwaway accounts (either free ones
like hotmail or sneakemail) for purchasing items.

The alternative is to get a filter that uses blocklists (Mailwasher
is one, but do NOT use the bounce feature which is as annoying as
spam to people whose email addresses the spammer has forged;
spamcop email service is another - you get free reporting also if
you want to use it.  There is nothing like hitting the send button
on a report for a particularly nasty spam.  Although most spam
comes from places who don't do anything to spammers (unless it is a
zombied machine in which case the operator is generally happy to be
informed), the IP address will go on the spamcop blocklist which
many people use to block spam from even entering their inboxes.

> > Inside the spam are URLs and links to graphics.  One link I
checked is
> > redirected to a 'remove' at
> >
http://4.78.57.78/ptolemaeus.info/b9a1a4d40a8891c3a6b510d8d/remove.php
> >
> > 4.78.57.78 no rDNS is spews S1660 listed as the /23
> >
> > 1, 4.78.22.0/23, Level3 (Bruce Louis Goldberg /
adult.foxcounter.com /
> > vh3.techiemedia.net)
> >
> > and whose provider structure is
> >
> > whois -h whois.arin.net 4.78.57.78 ...
> > Level 3 Communications, Inc 4.0.0.0 - 4.255.255.255
> > Co-Location.com Inc.  4.78.56.0 - 4.78.57.255
>
> not clear on the above -- at all...
> really want to know why my isp is ALWAYS in the report that
spamCop shows
> (prior to) either report / cancel etc.)

He is telling you what the records say about the person who runs
that website and who gives them bandwidth to establish their
website.

All I get when I click on that address is the same as Mike - an
email addressed to the address.  Of course, I didn 't try right
clicking.  It may be irrelevant if what you want to do is to report
spam to make it stop now - which reporting won't do.  However, if
you do want to continue reporting, maybe you need to be more
specific about what exactly you are doing and why and it will give
someone an idea about what is happening.

Miss Betsy


From nobody at spamcop.net  Tue Dec  7 19:13:25 2004
From: nobody at spamcop.net (Miss Betsy)
Date: Tue Dec  7 19:15:02 2004
Subject: [SC-Help] Re: Technical details even though they are disabled
References: <Vneh7Cm4hdwn@eisner.encompasserve.org>
	<cp4uvc$v02$2@news.spamcop.net> <mKCI4JQtoRHQ@eisner.encompasserve.org>
	<cp4vsd$vr8$1@news.spamcop.net> <YwWOHO0iDlyc@eisner.encompasserve.org>
	<cp59ol$7hp$1@news.spamcop.net>
	<Xns95B89B07E985Djohnlspamcopnet@216.154.195.61>
	<FJEyc7Q+SpcZ@eisner.encompasserve.org>
	<Xns95B89D12EE434johnlspamcopnet@216.154.195.61>
	<GZZWi1f6uazJ@eisner.encompasserve.org>
	<Xns95B89E9B4B0E6johnlspamcopnet@216.154.195.61>
	<1OPEHPZbx6Io@eisner.encompasserve.org>
Message-ID: <cp5gqm$da8$1@news.spamcop.net>


"Larry Kilgallen" <Kilgallen@SpamCop.net> wrote in message
news:1OPEHPZbx6Io@eisner.encompasserve.org...
> In article <Xns95B89E9B4B0E6johnlspamcopnet@216.154.195.61>,
JohnL <johnl@spamcop.net> writes:
> > Kilgallen@SpamCop.net (Larry Kilgallen) wrote in
> > news:GZZWi1f6uazJ@eisner.encompasserve.org:
> >
> >> There is some question, however, as to whether we are talking
about
> >> the same thing - reporting from a username where "Technical
Details"
> >> are _disabled_, right ?
> >
> > No, this is with them enabled.
> > I thought that's what you had now.
>
> No.
>
> By enabling technical details I could get even more of what I
don't want :-)

Maybe if you enabled technical details, you could see the 'skip to
reports' - it is right at the top and you click it and it takes you
to the checkboxes.  Perhaps the default Mailhosts thing doesn't
include that, but if you enabled it, it would.

Miss Betsy



From Kilgallen at SpamCop.net  Tue Dec  7 23:01:18 2004
From: Kilgallen at SpamCop.net (Larry Kilgallen)
Date: Wed Dec  8 00:05:06 2004
Subject: [SC-Help] Re: Technical details even though they are disabled
References: <Vneh7Cm4hdwn@eisner.encompasserve.org>
	<cp4uvc$v02$2@news.spamcop.net> <mKCI4JQtoRHQ@eisner.encompasserve.org>
	<cp4vsd$vr8$1@news.spamcop.net> <YwWOHO0iDlyc@eisner.encompasserve.org>
	<cp59ol$7hp$1@news.spamcop.net>
	<Xns95B89B07E985Djohnlspamcopnet@216.154.195.61>
	<FJEyc7Q+SpcZ@eisner.encompasserve.org>
	<Xns95B89D12EE434johnlspamcopnet@216.154.195.61>
	<GZZWi1f6uazJ@eisner.encompasserve.org>
	<Xns95B89E9B4B0E6johnlspamcopnet@216.154.195.61>
	<1OPEHPZbx6Io@eisner.encompasserve.org> <cp5gqm$da8$1@neOrganization: LJK
	Software
Message-ID: <OEykndWSb+3Y@eisner.encompasserve.org>

In article <cp5gqm$da8$1@news.spamcop.net>, "Miss Betsy" <nobody@spamcop.net> writes:
> 
> "Larry Kilgallen" <Kilgallen@SpamCop.net> wrote in message
> news:1OPEHPZbx6Io@eisner.encompasserve.org...
>> In article <Xns95B89E9B4B0E6johnlspamcopnet@216.154.195.61>,
> JohnL <johnl@spamcop.net> writes:
>> > Kilgallen@SpamCop.net (Larry Kilgallen) wrote in
>> > news:GZZWi1f6uazJ@eisner.encompasserve.org:
>> >
>> >> There is some question, however, as to whether we are talking
> about
>> >> the same thing - reporting from a username where "Technical
> Details"
>> >> are _disabled_, right ?
>> >
>> > No, this is with them enabled.
>> > I thought that's what you had now.
>>
>> No.
>>
>> By enabling technical details I could get even more of what I
> don't want :-)
> 
> Maybe if you enabled technical details, you could see the 'skip to
> reports' - it is right at the top and you click it and it takes you
> to the checkboxes.  Perhaps the default Mailhosts thing doesn't
> include that, but if you enabled it, it would.

But it does not solve the base problem, which is useless crud on the
screen.  I am on the verge of backing out of the whole mailhosts thing.
From nobody at devnull.spamcop.net  Wed Dec  8 00:05:57 2004
From: nobody at devnull.spamcop.net (Cat)
Date: Wed Dec  8 01:10:05 2004
Subject: [SC-Help] Re: "No body provided.  Check format of submission"
In-Reply-To: <cp1of3$pp7$2@news.spamcop.net>
References: <cov5fi$6ke$1@news.spamcop.net> <covaf5$95n$1@news.spamcop.net>
	<cp00n7$ngk$1@news.spamcop.net> <cp1of3$pp7$2@news.spamcop.net>
Message-ID: <cp65ns$pit$1@news.spamcop.net>

Jim Carroll wrote:
> "Cat" <nobody@devnull.spamcop.net> wrote in message
> news:cp00n7$ngk$1@news.spamcop.net...

<snip>

>>If he forwards as attachment, that  should work fine to get it all in
>>there.
> 
> 
> That was what Julian Haight himself told me to do when I long ago tried to
> "forward" a message from Outlook Express instead of "forward as attachment".
> 
> Today, I got two more "no body provided, check format of submission." error
> messages.  Appended to this is what showed up when I selected the "tracking
> URL" of one and then selected "view original message".

<snip>

I started having a similar problem back when I still used OE for an old 
account that got a lot of spam. I forwarded as attachment like always, 
but SpamCop reports stop coming back, and they weren't even waiting for 
me to file on the report page. I seem to recall that no one was ever 
able to come up with a solution for why it totally stopped acting right. 
Shortly afterward, I ditched that account since I'd been using it 
increasingly less and using my Yahoo account most of the time. My 
current ISP account, which I've had for a year and a half, rarely ever 
gets spam. I used Netscape for newsgroup and occasionally e-mail up 
until recently when I finally switched over to Firefox and its 
Thunderbird e-mail/news reader. I haven't had to try forward as 
attachment with either of those.
From David1 at suescornerweb.com  Wed Dec  8 02:52:39 2004
From: David1 at suescornerweb.com (David 1)
Date: Wed Dec  8 02:55:03 2004
Subject: [SC-Help] Re: "No body provided.  Check format of submission"
In-Reply-To: <cp65ns$pit$1@news.spamcop.net>
References: <cov5fi$6ke$1@news.spamcop.net> <covaf5$95n$1@news.spamcop.net>
	<cp00n7$ngk$1@news.spamcop.net> <cp1of3$pp7$2@news.spamcop.net>
	<cp65ns$pit$1@news.spamcop.net>
Message-ID: <cp6bqg$spv$1@news.spamcop.net>

Cat wrote:
> Jim Carroll wrote:
> 
>> "Cat" <nobody@devnull.spamcop.net> wrote in message
>> news:cp00n7$ngk$1@news.spamcop.net...
> 
> 
> <snip>
> 
>>> If he forwards as attachment, that  should work fine to get it all in
>>> there.
>>
>>
>>
>> That was what Julian Haight himself told me to do when I long ago 
>> tried to
>> "forward" a message from Outlook Express instead of "forward as 
>> attachment".
>>
>> Today, I got two more "no body provided, check format of submission." 
>> error
>> messages.  Appended to this is what showed up when I selected the 
>> "tracking
>> URL" of one and then selected "view original message".
> 
> 
> <snip>
> 
> I started having a similar problem back when I still used OE for an old 
> account that got a lot of spam. I forwarded as attachment like always, 
> but SpamCop reports stop coming back, and they weren't even waiting for 
> me to file on the report page. I seem to recall that no one was ever 
> able to come up with a solution for why it totally stopped acting right. 
> Shortly afterward, I ditched that account since I'd been using it 
> increasingly less and using my Yahoo account most of the time. My 
> current ISP account, which I've had for a year and a half, rarely ever 
> gets spam. I used Netscape for newsgroup and occasionally e-mail up 
> until recently when I finally switched over to Firefox and its 
> Thunderbird e-mail/news reader. I haven't had to try forward as 
> attachment with either of those.
Worked for me in T-bird .08 & now also in .09, except for today I didn't 
get any back for some reason
David 1
From nobody at spamcop.net  Wed Dec  8 06:12:16 2004
From: nobody at spamcop.net (Miss Betsy)
Date: Wed Dec  8 06:10:03 2004
Subject: [SC-Help] Re: Technical details even though they are disabled
References: <Vneh7Cm4hdwn@eisner.encompasserve.org>
	<cp4uvc$v02$2@news.spamcop.net> <mKCI4JQtoRHQ@eisner.encompasserve.org>
	<cp4vsd$vr8$1@news.spamcop.net> <YwWOHO0iDlyc@eisner.encompasserve.org>
	<cp59ol$7hp$1@news.spamcop.net>
	<Xns95B89B07E985Djohnlspamcopnet@216.154.195.61>
	<FJEyc7Q+SpcZ@eisner.encompasserve.org>
	<Xns95B89D12EE434johnlspamcopnet@216.154.195.61>
	<GZZWi1f6uazJ@eisner.encompasserve.org>
	<Xns95B89E9B4B0E6johnlspamcopnet@216.154.195.61>
	<1OPEHPZbx6Io@eisner.encompasserve.org> <cp5gqm$da8$1@neOrganization: LJK
	Software <OEykndWSb+3Y@eisner.encompasserve.org>
Message-ID: <cp6ne0$3ot$1@news.spamcop.net>


"Larry Kilgallen" <Kilgallen@SpamCop.net> wrote in message
news:OEykndWSb+3Y@eisner.encompasserve.org...
<snip>
> But it does not solve the base problem, which is useless crud on
the
> screen.  I am on the verge of backing out of the whole mailhosts
thing.

Most of the time one doesn't want to look at the parse, but once in
a while, it is useful to be able to see how the parser decides what
to do.  IMHO, it is a little like having to 'review' each report.
99% of the time, whatever spamcop decides is fine with me.  It is
that 1% where the parser hiccups that needs review, not only of the
results, but sometimes the technical details.

If you aren't interested in the 'useless crud', why don't you just
use quick reporting?

Miss Betsy


From korhojy at POISSPAMMIThotmail.com  Wed Dec  8 15:42:12 2004
From: korhojy at POISSPAMMIThotmail.com (Jyri Korhonen)
Date: Wed Dec  8 08:45:03 2004
Subject: [SC-Help] Re: Technical details even though they are disabled
References: <Vneh7Cm4hdwn@eisner.encompasserve.org>
	<cp4uvc$v02$2@news.spamcop.net> <mKCI4JQtoRHQ@eisner.encompasserve.org>
	<cp4vsd$vr8$1@news.spamcop.net> <YwWOHO0iDlyc@eisner.encompasserve.org>
	<cp59ol$7hp$1@news.spamcop.net>
	<Xns95B89B07E985Djohnlspamcopnet@216.154.195.61>
	<FJEyc7Q+SpcZ@eisner.encompasserve.org>
	<Xns95B89D12EE434johnlspamcopnet@216.154.195.61>
	<GZZWi1f6uazJ@eisner.encompasserve.org>
	<Xns95B89E9B4B0E6johnlspamcopnet@216.154.195.61>
	<1OPEHPZbx6Io@eisner.encompasserve.org> <cp5gqm$da8$1@neOrganization: LJK
	Software <OEykndWSb+3Y@eisner.encompasserve.org>
	<cp6ne0$3ot$1@news.spamcop.net>
Message-ID: <cp70bo$8gn$1@news.spamcop.net>

"Miss Betsy" <nobody@spamcop.net> wrote:

> If you aren't interested in the 'useless crud',
> why don't you just use quick reporting?

To be able to cancel the reports, if necessary?

From Kilgallen at SpamCop.net  Wed Dec  8 09:52:20 2004
From: Kilgallen at SpamCop.net (Larry Kilgallen)
Date: Wed Dec  8 10:55:03 2004
Subject: [SC-Help] Re: Technical details even though they are disabled
References: <Vneh7Cm4hdwn@eisner.encompasserve.org>
	<cp4uvc$v02$2@news.spamcop.net> <mKCI4JQtoRHQ@eisner.encompasserve.org>
	<cp4vsd$vr8$1@news.spamcop.net> <YwWOHO0iDlyc@eisner.encompasserve.org>
	<cp59ol$7hp$1@news.spamcop.net>
	<Xns95B89B07E985Djohnlspamcopnet@216.154.195.61>
	<FJEyc7Q+SpcZ@eisner.encompasserve.org>
	<Xns95B89D12EE434johnlspamcopnet@216.154.195.61>
	<GZZWi1f6uazJ@eisner.encompasserve.org>
	<Xns95B89E9B4B0E6johnlspamcopnet@216.154.195.61>
	<1OPEHPZbx6Io@eisner.encompasserve.org> <cp5gqm$da8$1@neOrganization: LJK
	Software
Message-ID: <Y3HNXBOaRWDi@eisner.encompasserve.org>

In article <cp6ne0$3ot$1@news.spamcop.net>, "Miss Betsy" <nobody@spamcop.net> writes:

> Most of the time one doesn't want to look at the parse, but once in
> a while, it is useful to be able to see how the parser decides what
> to do.

And in those cases I can go back and enable "show technical details".

> If you aren't interested in the 'useless crud', why don't you just
> use quick reporting?

Because I want to send reports to additional places, like NANAS.
From eddie at eddie.web  Wed Dec  8 13:55:03 2004
From: eddie at eddie.web (eddie)
Date: Wed Dec  8 13:55:02 2004
Subject: [SC-Help] Re: "No body provided.  Check format of submission"
References: <cov5fi$6ke$1@news.spamcop.net> <41B528CE.BDFDA64C@spamcop.net>
Message-ID: <pan.2004.12.08.18.55.02.245000@eddie.web>

On Tue, 07 Dec 2004 03:51:42 +0000, Fred the Red Shirt scratched out the
following:

> 
> 
> Jim Carroll wrote:
> 
>> Many of the spam messages that flood my inbox have no "body" per se,
>> just an attachment.
>>
>>
> Many of mine have no body and no attachment.  They look like maybe dumb
> attempts to check the validity of harvested address lists.
> 
> Regardless, I type the word "BLANK." in the body and submit it.
> 
> I do not consider that to be a material alteration of the spam.

I agree - I insert <no body> after a blank line after the last line of
header. I believe even a dot will work.
It is most certainly spam and may even be harassment or some kind of test
mailing. In any case, a legit ISP would want to know about it.

-- 
"I don't understand what happened. Nobody I know voted for Bush."
Dan Pauline Kael-Rather
From nobody at spamcop.net  Wed Dec  8 18:31:10 2004
From: nobody at spamcop.net (Miss Betsy)
Date: Wed Dec  8 18:30:03 2004
Subject: [SC-Help] Re: Technical details even though they are disabled
References: <Vneh7Cm4hdwn@eisner.encompasserve.org>
	<cp4uvc$v02$2@news.spamcop.net> <mKCI4JQtoRHQ@eisner.encompasserve.org>
	<cp4vsd$vr8$1@news.spamcop.net> <YwWOHO0iDlyc@eisner.encompasserve.org>
	<cp59ol$7hp$1@news.spamcop.net>
	<Xns95B89B07E985Djohnlspamcopnet@216.154.195.61>
	<FJEyc7Q+SpcZ@eisner.encompasserve.org>
	<Xns95B89D12EE434johnlspamcopnet@216.154.195.61>
	<GZZWi1f6uazJ@eisner.encompasserve.org>
	<Xns95B89E9B4B0E6johnlspamcopnet@216.154.195.61>
	<1OPEHPZbx6Io@eisner.encompasserve.org> <cp5gqm$da8$1@neOrganization: LJK
	Software <Y3HNXBOaRWDi@eisner.encompasserve.org>
Message-ID: <cp82ne$ugt$1@news.spamcop.net>


"Larry Kilgallen" <snip>
> And in those cases I can go back and enable "show technical
details".
>
> > If you aren't interested in the 'useless crud', why don't you
just
> > use quick reporting?
>
> Because I want to send reports to additional places, like NANAS.

Then it isn't really 'useless crud' - it is just superfluous.
Well, I think the 'skip to' works well - it is one more click, but
then if you want to see you only have to scroll up.  Each to his
own. Did you try enabling to see if it appears?

Miss Betsy


From Kilgallen at SpamCop.net  Wed Dec  8 22:56:49 2004
From: Kilgallen at SpamCop.net (Larry Kilgallen)
Date: Thu Dec  9 00:00:03 2004
Subject: [SC-Help] Re: Technical details even though they are disabled
References: <Vneh7Cm4hdwn@eisner.encompasserve.org>
	<cp4uvc$v02$2@news.spamcop.net> <mKCI4JQtoRHQ@eisner.encompasserve.org>
	<cp4vsd$vr8$1@news.spamcop.net> <YwWOHO0iDlyc@eisner.encompasserve.org>
	<cp59ol$7hp$1@news.spamcop.net>
	<Xns95B89B07E985Djohnlspamcopnet@216.154.195.61>
	<FJEyc7Q+SpcZ@eisner.encompasserve.org>
	<Xns95B89D12EE434johnlspamcopnet@216.154.195.61>
	<GZZWi1f6uazJ@eisner.encompasserve.org>
	<Xns95B89E9B4B0E6johnlspamcopnet@216.154.195.61>
	<1OPEHPZbx6Io@eisner.encompasserve.org> <cp5gqm$da8$1@neOrganization: LJK
	Software
Message-ID: <vMaFq740R+xj@eisner.encompasserve.org>

In article <cp82ne$ugt$1@news.spamcop.net>, "Miss Betsy" <nobody@spamcop.net> writes:
> 
> "Larry Kilgallen" <snip>
>> And in those cases I can go back and enable "show technical
> details".
>>
>> > If you aren't interested in the 'useless crud', why don't you
> just
>> > use quick reporting?
>>
>> Because I want to send reports to additional places, like NANAS.
> 
> Then it isn't really 'useless crud' - it is just superfluous.
> Well, I think the 'skip to' works well - it is one more click, but
> then if you want to see you only have to scroll up.  Each to his
> own. Did you try enabling to see if it appears?

No it would produce even _more_ useless text.

But I got an official SpamCop response indicating that the extra text
is there by accident.  I am hopeful of a fix.
From little at pussy.com  Thu Dec  9 01:12:45 2004
From: little at pussy.com (Tha King)
Date: Thu Dec  9 04:10:03 2004
Subject: [SC-Help] need more
Message-ID: <cp94l1$in4$1@news.spamcop.net>

http://signups.triplexcash.com/hit.php?w=105565&s=25&p=2



From spammers_lie at pobox.com  Thu Dec  9 14:39:07 2004
From: spammers_lie at pobox.com (Tom Betz)
Date: Thu Dec  9 09:40:03 2004
Subject: [SC-Help] Spamcop misparses this e-mail's body
Message-ID: <Xns95BA622F71D9Dgreenriverordinance@216.154.195.61>


See the phish spam tracked at:
 
<http://www.spamcop.net/sc?id=z700812755za1ab450be3df3ed70a59eb7286c282fcz>

It reports the WAMU.COM text that links to the URL in the body, instead of 
the real GULTAB.ORG URL with which that text is associated.

GULTAB.ORG appears to be down or dead already, so it's not such a big deal, 
but the misparsing could stand to be fixed.

Thanks.

From MikeE at ster.invalid  Thu Dec  9 07:11:08 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Dec  9 10:15:03 2004
Subject: [SC-Help] Re: Spamcop misparses this e-mail's body
References: <Xns95BA622F71D9Dgreenriverordinance@216.154.195.61>
Message-ID: <cp9pts$unr$1@news.spamcop.net>

Tom Betz wrote:
> See the phish spam tracked at:
>
spamcop.net/sc?id=z700812755za1ab450be3df3ed70a59eb7286c282fcz>
>
> It reports the WAMU.COM text that links to the URL in the body,
> instead of the real GULTAB.ORG URL with which that text is associated.
>
> GULTAB.ORG appears to be down or dead already, so it's not such a big
> deal, but the misparsing could stand to be fixed.

That tracker currently finds both wamu & gultab, but the gultab doesn't
resolve.

Tracking link: http://www.wamu.com/home.htm
abuse@wamu.net refuses SpamCop reports
Using abuse#wamu.net@devnull.spamcop.net for statistical tracking.

Tracking link:
http://gultab.org/.wamusk/index.php?mfcisapicommand=signinfpp&usingssl=1&email=&userid=

Cannot resolve
http://gultab.org/.wamusk/index.php?mfcisapicommand=signinfpp&usingssl=1&email=&userid=

-- 
Mike Easter
kibitzer, not SC admin

From nobody at spamcop.net  Thu Dec  9 12:57:43 2004
From: nobody at spamcop.net (Ellen)
Date: Thu Dec  9 13:45:04 2004
Subject: [SC-Help] Re: Spamcop misparses this e-mail's body
References: <Xns95BA622F71D9Dgreenriverordinance@216.154.195.61>
Message-ID: <cpa6ck$8ck$1@news.spamcop.net>



"Tom Betz" <spammers_lie@pobox.com> wrote in message
news:Xns95BA622F71D9Dgreenriverordinance@216.154.195.61...
>
> See the phish spam tracked at:
>
>
<http://www.spamcop.net/sc?id=z700812755za1ab450be3df3ed70a59eb7286c282fcz>
>
> It reports the WAMU.COM text that links to the URL in the body, instead of
> the real GULTAB.ORG URL with which that text is associated.
>
> GULTAB.ORG appears to be down or dead already, so it's not such a big
deal,
> but the misparsing could stand to be fixed.
>
> Thanks.
>

Thanks

Ellen


From tjtmdREMOVE_THIS at attglobal.net  Thu Dec  9 15:08:53 2004
From: tjtmdREMOVE_THIS at attglobal.net (Tanya)
Date: Thu Dec  9 15:35:03 2004
Subject: [SC-Help] Re: help stopping spammer -- please advise
References: <41B5C73D.D5A6D95B@attglobal.net> <cp4teg$tst$1@news.spamcop.net>
	<41B62DA9.3C1BB4C3@attglobal.net> <cp5d3c$aca$1@news.spamcop.net>
Message-ID: <41B8B0D5.72BE559E@attglobal.net>

Mike Easter wrote:

> Tanya wrote:
> >> When you do /what/?
> >
> > when i click on for example
> > <postmaster#cnc-noc.net@devnull.spamcop.net> it returns postmaster
> > @myIsp.net.
>
> First, I don't know why that happens - but disregard it for now - that
> isn't what you are supposed to do.
>
> When I use the tracker which you posted earlier, the live one, what I
> would be doing would be clicking the check /beside/ the address, not
> /on/ the actual address link.

now that i reported it the address comes up as you describe (plus i tried w/
mozilla and it shows what you found before and after reporting)

> Second, if, for sake of the experiment, I click on the link you are
> describing above, as it appears on the webpage, that is a 'mailto' link,
> which opens a newmail in my mailagent and which To address is that
> displayed above, which won't go anywhere [eventually], as that address
> is really just for SC internal handling.

but these are under
"(Administrator of network where email originates)"
and or
"(Administrator of network hosting website referenced in spam)"

> > i am NOT clicking on the links in the spam what i meant was clicking
> > on the suggested addresses that spamCop returns
>
> OK I understand now not spamlinks, but I can't think of any [good]
> reason to be doing that link mailto clicking you just described.

reason i did was b/c sometimes i report manually also before reporting (in
netscape) if i click the aforementioned link it goes to postmaster@myISP.net
and i get a reply from them
also my isp is on all of these (the porn from 1 source)

> SC is
> just telling you how it is going to address the mail it sends.  There
> may be something useful to be done with clicking on some of the
> addresses provided so that you can send your own 'personal' mail to the
> target. Are you wanting to send a mail from yourself personally to the

> intended recipients, or would you be just as happy having spamcop be
> doing the notifying for you.

i guess i can choose since i am receiving a number of these per
day...........
:-)
<snip>

> I get neither of the last 2, only a newmail trying to be addressed to:
>
> postmaster#cnc-noc.net@devnull.spamcop.net

same after i have reported it (netscape) and both times with mozilla.

> > basically aside from HOPING some "authority" would be *interested* i
> > wonder why my isp is ALWAYS either under the originator AND / or the
> > referenced url (this is all under spamCop's report)
>
> I don't know why you are seeing what you described, unless you somewhere
> told SC that you wanted your ISP notified about all of your spams, in
> addition to the other notifies.

no i have not asked them to send reports to my isp.

> --
> Mike Easter
> kibitzer, not SC admin

thanks Mike...




From tjtmdREMOVE_THIS at attglobal.net  Thu Dec  9 15:10:46 2004
From: tjtmdREMOVE_THIS at attglobal.net (Tanya)
Date: Thu Dec  9 15:40:02 2004
Subject: [SC-Help] Re: help stopping spammer -- please advise
References: <41B5C73D.D5A6D95B@attglobal.net> <cp4teg$tst$1@news.spamcop.net>
	<41B62DA9.3C1BB4C3@attglobal.net> <cp5ggm$cul$1@news.spamcop.net>
Message-ID: <41B8B145.ACB9DAC8@attglobal.net>

Miss Betsy wrote:

> > i know what it is for -- the graphics open automatically in email
> > this is W.A.Y. beyond viagra etc.
> > totally ILLegal --
> > basically aside from HOPING some "authority" would be
> *interested* i wonder
> > why my isp is ALWAYS either under the originator AND / or the
> referenced url
> > (this is all under spamCop's report)
> >
>
> There is no 'authority' who is interested because of the
> international nature of the internet, there is no way that law
> enforcement can work across all the different borders.

these would not be legal ANYWHERE.
also if i (when i) receive fraud (banks etc.) sometimes the bank tells me
to forward it to uce@ftc.gov so i thought that they would at some point do
something.

> The internet is based on netiquette from the assigning of IP
> addresses on down.  The best thing to do if you are receiving porn
> emails is to change your address to one that is alphanumeric - for
> instance t9yn9 - and be prudent about where you use it and whom you
> give it to.  Many people have throwaway accounts (either free ones
> like hotmail or sneakemail) for purchasing items.

so i have to change email addresses b/c someone is doing something TOTALLY
illegal?
that's not too fair

> The alternative is to get a filter that uses blocklists (Mailwasher
> is one, but do NOT use the bounce feature which is as annoying as
> spam to people whose email addresses the spammer has forged;
> spamcop email service is another - you get free reporting also if
> you want to use it.  There is nothing like hitting the send button
> on a report for a particularly nasty spam.  Although most spam
> comes from places who don't do anything to spammers (unless it is a
> zombied machine in which case the operator is generally happy to be
> informed), the IP address will go on the spamcop blocklist which
> many people use to block spam from even entering their inboxes.
>
> > > Inside the spam are URLs and links to graphics.  One link I
> checked is
> > > redirected to a 'remove' at
> > >
> http://4.78.57.78/ptolemaeus.info/b9a1a4d40a8891c3a6b510d8d/remove.php
> > >
> > > 4.78.57.78 no rDNS is spews S1660 listed as the /23
> > >
> > > 1, 4.78.22.0/23, Level3 (Bruce Louis Goldberg /
> adult.foxcounter.com /
> > > vh3.techiemedia.net)
> > >
> > > and whose provider structure is
> > >
> > > whois -h whois.arin.net 4.78.57.78 ...
> > > Level 3 Communications, Inc 4.0.0.0 - 4.255.255.255
> > > Co-Location.com Inc.  4.78.56.0 - 4.78.57.255

<snip>

> He is telling you what the records say about the person who runs
> that website and who gives them bandwidth to establish their
> website.

thanks

>
>
> All I get when I click on that address is the same as Mike - an
> email addressed to the address.  Of course, I didn 't try right
> clicking.  It may be irrelevant if what you want to do is to report
> spam to make it stop now - which reporting won't do.  However, if
> you do want to continue reporting, maybe you need to be more
> specific about what exactly you are doing and why and it will give
> someone an idea about what is happening.

if i manually report and click on the links under "(Administrator of
network hosting website referenced in spam)"
and
"(Administrator of network where email originates)" the string above turns
into postmaster@myISP.net and if i send it my isp replies that they don't
have spammers etc.
(in this case b/c it shows up in every report from spamCop.)

>
>
> Miss Betsy

thank you


From sdp at spamcop.net  Thu Dec  9 14:13:36 2004
From: sdp at spamcop.net (Scott Peterson)
Date: Thu Dec  9 17:15:03 2004
Subject: [SC-Help] Are whitelist entries case sensitive?
Message-ID: <cpaimg$kki$1@news.spamcop.net>

I have some evidence that they are.  I only found one hit on the words 
"case sensitive" in spamcop help, and it was about personal reporting 
addresses, not white/black lists.

The indication I have that they are are the addresses 
specials@outpost.com and Specials@Outpost.com in my whitelist.  I 
presume the second one was added when it slipped past the first one in 
the whitelist, which would only differ in case.

Can we make these case insensitive?  Call this a feature request.

--- sdp
From nobody at spamcop.net  Thu Dec  9 19:12:44 2004
From: nobody at spamcop.net (Miss Betsy)
Date: Thu Dec  9 19:15:02 2004
Subject: [SC-Help] Re: help stopping spammer -- please advise
References: <41B5C73D.D5A6D95B@attglobal.net> <cp4teg$tst$1@news.spamcop.net>
	<41B62DA9.3C1BB4C3@attglobal.net> <cp5ggm$cul$1@news.spamcop.net>
	<41B8B145.ACB9DAC8@attglobal.net>
Message-ID: <cpaphc$ptn$1@news.spamcop.net>


"Tanya" <snip>
> these would not be legal ANYWHERE.
> also if i (when i) receive fraud (banks etc.) sometimes the bank
tells me
> to forward it to uce@ftc.gov so i thought that they would at some
point do
> something.

There are agencies who do pursue fraud (however, they are primarily
interested in where someone has been defrauded), but I think porn
gets into censorship issues.
>
> > The internet is based on netiquette from the assigning of IP
> > addresses on down.  The best thing to do if you are receiving
porn
> > emails is to change your address to one that is alphanumeric -
for
> > instance t9yn9 - and be prudent about where you use it and whom
you
> > give it to.  Many people have throwaway accounts (either free
ones
> > like hotmail or sneakemail) for purchasing items.
>
> so i have to change email addresses b/c someone is doing
something TOTALLY
> illegal?
> that's not too fair

Sending unsolicited email has not been made illegal in many places
including the US.  If you judge whether you want unsolicited email
by content, then again, there is a problem with censorship.

Having locks on doors and showing ID's to cash checks are also
unfair, but we do them.  If you had used your present email address
prudently in the first place, you would not have a spam problem
now.

<snip>
> if i manually report and click on the links under "(Administrator
of
> network hosting website referenced in spam)"
> and
> "(Administrator of network where email originates)" the string
above turns
> into postmaster@myISP.net and if i send it my isp replies that
they don't
> have spammers etc.
> (in this case b/c it shows up in every report from spamCop.)

Generally, 'manually report' means that you send the report instead
of sending through spamcop so I am not sure what you mean by that.

Also, I don't understand why you are clicking on the links instead
of the 'send' nor if your isp shows up, why you send them a report.

Perhaps if you explain more, it will become clearer.  There are
certain situations where the parser has a hard time with the
headers and won't go beyond your isp, but then you don't ever see
another address.  It could be your timing.  Since those links are
not intended, as far as I know, to be used for creating emails,
perhaps they do resolve to a default after a while.

Note I am not an expert and I am just guessing at why this is
happening.

Miss Betsy

Miss Betsy


From ric.gates at bigsleep.org  Fri Dec 10 03:05:26 2004
From: ric.gates at bigsleep.org (Blammo)
Date: Thu Dec  9 22:10:02 2004
Subject: [SC-Help] Re: Are whitelist entries case sensitive?
References: <cpaimg$kki$1@news.spamcop.net>
Message-ID: <Xns95BAC2535F2D6blammo@216.154.195.61>

On 09 Dec 2004 Scott Peterson entered spamcop.help and left 
news:cpaimg$kki$1@news.spamcop.net:

> The indication I have that they are are the addresses 
> specials@outpost.com and Specials@Outpost.com in my whitelist.  I 
> presume the second one was added when it slipped past the first one in 
> the whitelist, which would only differ in case.
> 

In the example - Specials@Outpost.com
@Outpost.com is never case sensitive, if a filter matches case for a domain 
then it is wrong. Try whitelisting the entire domain if you can.
Specials@ could be case sensitive, but I've never seen any server use case 
sensitive user names in eMail addresses.
In either case, it's very unlikely that any pattern matching in a filter 
would be case sensitive. The only time you really want case sensitivity is 
when parsing a binary attachment like with a virus filter, and you would 
normally have to specify that you want it on.

Not that it doesn't happen, Mozilla has the ugly bug #129393
http://bugzilla.mozilla.org/show_bug.cgi?id=129393
However the code there is most likely looking for an exact match, and to 
make it case insensitive it would either have to use a regex or convert 
everything to lower case.

-- 
| Ric
|
From firewoman at default.domain.not.available  Fri Dec 10 11:15:57 2004
From: firewoman at default.domain.not.available (Firewoman)
Date: Fri Dec 10 11:20:06 2004
Subject: [SC-Help] Re: need more
References: <cp94l1$in4$1@news.spamcop.net>
Message-ID: <cpci3e$skp$1@news.spamcop.net>

Hrm.................


"Tha King"  wrote in message news:cp94l1$in4$1@news.spamcop.net...
> http://signups.triplexcash.com/hit.php?w=105565&s=25&p=2

 host 66.228.193.42 = dedicated45.swiftdesk.com (cached)
[report history]
Routing details for 66.228.193.42
[refresh/show] Cached whois for 66.228.193.42 : abuse@swiftco.net
Using abuse net on abuse@swiftco.net
No abuse net record for swiftco.net
Using best contacts abuse@swiftco.net


 66.228.192.0/23 is listed on the Spamhaus Block List (SBL)

25-Jul-2004 16:47 GMT | SR04

SWIFT VENTURES Inc dirty block

Compass Communications, Inc. CCOM-2001 (NET-66-228-192-0-1)
66.228.192.0 - 66.228.223.255
SWIFT VENTURES Inc CCOM-SWIFTDESK-1-2002 (NET-66-228-192-0-2)
66.228.192.0 - 66.228.194.255

OrgName: SWIFT VENTURES Inc
OrgID: SWIFTV
Address: 16010 37th Ave NE
City: Seattle
StateProv: WA
PostalCode: 98155
Country: US

NetRange: 66.228.192.0 - 66.228.194.255
CIDR: 66.228.192.0/23, 66.228.194.0/24
NetName: CCOM-SWIFTDESK-1-2002
NetHandle: NET-66-228-192-0-2
Parent: NET-66-228-192-0-1
NetType: Reassigned
NameServer: NS1.SWIFTDESK.COM
NameServer: NS2.SWIFTDESK.COM
Comment:
RegDate: 2002-06-26
Updated: 2002-06-26

TechHandle: HG234-ARIN
TechName: Goss, Henry
TechPhone: +1-206-728-2736
TechEmail: abuse@swiftco.net

OrgTechHandle: HG234-ARIN
OrgTechName: Goss, Henry
OrgTechPhone: +1-206-728-2736
OrgTechEmail: abuse@swiftco.net





And for triplexcash.com:
Registrant:
 Sampson Investments AVV
 9836 White Oak Ave. Suite109
 Northridge, CA 91325
 US

 Domain name: TRIPLEXCASH.COM

 Administrative Contact:
    Goss, Henry
    1 Long Dirt Road
    Vancover, BC 87213
    CA
    206-854-4436    Fax: (206)523-4619

 Technical Contact:
    Goss, Henry      1 Long Dirt Road
    Vancover, BA 16601
    CA
    206-854-4436    Fax: 206-523-4619Henry seems to have both sides of the
border covered.....


From Merlyn at Spamcop.net  Fri Dec 10 11:17:40 2004
From: Merlyn at Spamcop.net (Merlyn)
Date: Fri Dec 10 11:20:15 2004
Subject: [SC-Help] Re: need more
References: <cp94l1$in4$1@news.spamcop.net> <cpci3e$skp$1@news.spamcop.net>
Message-ID: <cpci74$smn$1@news.spamcop.net>

"Firewoman" <firewoman@default.domain.not.available> wrote in message 
news:cpci3e$skp$1@news.spamcop.net...
> Hrm.................
>
>
> "Tha King"  wrote in message news:cp94l1$in4$1@news.spamcop.net...

[snipped]

I think he meant "Tha King of fools" :-)

-- 

Regards,
Merlyn

A Spamcop advocate
No emails this account is for newsgroups only
People demand freedom of speech to make up for the freedom of thought which 
they avoided


From fredfighter at spamcop.net  Sat Dec 11 05:12:41 2004
From: fredfighter at spamcop.net (Fred the Red Shirt)
Date: Fri Dec 10 23:40:13 2004
Subject: [SC-Help] Re: Does SpamCop Whitelisting ever work?
References: <41B52FE9.69DA57D5@spamcop.net> <cp3asf$rku$1@news.spamcop.net>
Message-ID: <41BA81C9.5165709B@spamcop.net>



WazoO wrote:

> "Fred the Red Shirt" <fredfighter@spamcop.net> wrote in message
> news:41B52FE9.69DA57D5@spamcop.net...
> > X-SpamCop-Checked:   192.168.1.103 64.74.133.250 192.168.19.203
> > 4.159.77.15
> >
> > X-SpamCop-Whitelisted:   spamcop.net
> > X-SpamCop-sourceip:   66.131.9.73
> >
> > I also have a filter rule that is supposed to catch these reports, it is
> > also being superceded, evidently, by my use of teh sorbs blacklist.
> >
> > BTW, doesn't this also mean that a SpamCop IP is on the sorbs blacklist?
> >
> > What's up with that?
>
> For starters, you need to learn to use your tools a bit better.
> You chose not to use a Tracking URL, so everyone else is
> stuck having to work around all the issues of what you are
> describing, what you saw, what you think you copied,
> what actually made the transition to 'here', and the final
> what really is displayed here on others' screens.

Fair enough.  What's a tracking URL and how would one use it?

>
>
>   For instance, I was disbelieving that the decision point on
> your sample was 192.168.19.203 .. but then I noticed the
> bad line-wraps ... so the decision point was actually made
> on the IP 4.159.77.15 .. which is the IP listed on sorbs ...

Ok, you;re thinking that somewhere befor being parsed an errant
carriage return got inserted into the headers.

Is there a good reason why the SpamCop header:

 X-SpamCop-Disposition:   Blocked dnsbl.sorbs.net

does not specify the IP that was found on sorbs?  That would save the
user the trouble of rechecking every IP SpamCOp already checked.
Do you think I should suggest to someone that this feature be upgraded?


>
>
>   At that point, I decided to simply suggest that you'd
> probably be better off taking your query to either the
> spamcop.mail newsgroup of over to the web-based
> Forum for perhaps a better / quicker answer from
> other SpamCop E-Mail account users.  I know

Do you know the URL for the web based forum to which you
refer?  Is it part of the SpamCop site?

>
> Forum for perhaps a better / quicker answer from
> other SpamCop E-Mail account users.  I know for a
> fact that there are a number of entries on this over in
> the web-based Forum version of the FAQ.

Is there more than one SpamCop FAQ?

As they say on the net, thanks in advance.

--

FF

From fredfighter at spamcop.net  Sat Dec 11 05:40:18 2004
From: fredfighter at spamcop.net (Fred the Red Shirt)
Date: Sat Dec 11 00:05:03 2004
Subject: [SC-Help] Re: Does SpamCop Whitelisting ever work?
References: <41B52FE9.69DA57D5@spamcop.net> <cp3asf$rku$1@news.spamcop.net>
Message-ID: <41BA8841.3E48FC06@spamcop.net>



Dear Waz0o,

After thinking  a bit more about your response I think I can safely conclude
that you did not understand the question at all.  Probably it would be best if

you not worry about answering my follow-up questions.

Since my problem is a whitelisting failure (e.g. email from the Spamcop
auto-responder is being sent to my Held Mail and whitelisitng it doesn't help)

and NOT a spam reporting problem I should probably post the question
in the SpamCop.mail newsgroup.

E.g. the only way to use my tools to generate a tracking URL would
be to report the SpamCop AutoAck back to SpamCop as spam,
and I do not think you really want me to do that.

As they say on the net, thanks in advance.

--

FF


From I_Report_Spam at webtv.net  Sun Dec 12 18:04:47 2004
From: I_Report_Spam at webtv.net (DJ Mike)
Date: Sun Dec 12 21:20:27 2004
Subject: [SC-Help] Spamcop cannot resolve 202.102.230.35-36 domains.
Message-ID: <1503-41BCF8BF-11@storefull-3278.bay.webtv.net>

WELCOME! Cheating House Wife Services
http://www.companionshipgo.com/suzi/
Host: 202.102.230.36
Reporting addresses:
abuse@chinanet.cn.net, 
abuse@cnc-noc.net

===============
WELCOME! Cheating House Wife Services
http://www.1stplaceglobalhost.biz/899394/chws/fullpage.php
Host: 202.102.230.38
Reporting addresses:
abuse@chinanet.cn.net 
abuse@cnc-noc.net

From MikeE at ster.invalid  Sun Dec 12 20:49:57 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Dec 12 23:50:06 2004
Subject: [SC-Help] Re: Spamcop cannot resolve 202.102.230.35-36 domains.
References: <1503-41BCF8BF-11@storefull-3278.bay.webtv.net>
Message-ID: <cpj712$u65$1@news.spamcop.net>

DJ Mike wrote:
> http://www.companionshipgo.com/suzi/
> Host: 202.102.230.36

That's the only one I messed around with.  My EL dns gave me an
'instant' resolve.  SC waited and waited and gave up.  I went to
dnsstuff which goes to the root and comes down.  The nameservers timed
out over and over again.  I checked the caches at a number of ISPs with
the tool at dnsstuff, which showed EL had it cached, as did a couple of
other places.

For that one, the basic problem is that if your resolver doesn't have it
cached, there /is/ no [decent] nameservice, because the domain's
nameservers don't answer in a reasonable time.

There are 2 nameservers at the roots, there is a 3rd [stealth]
nameserver at the nameservers.  It has terrible failed nameservice all
over the place at dnsstuff.  Here's an example

How I am searching:
  Searching for www.companionshipgo.com A record at h.root-servers.net
[128.63.2.53]: Got referral to a.gtld-servers.net. [took 49 ms]
  Searching for www.companionshipgo.com A record at a.gtld-servers.net.
[192.5.6.30]: Got referral to ns1.gtnlc.com. [took 51 ms]
  Searching for www.companionshipgo.com A record at ns1.gtnlc.com.
[69.25.212.134]: Timed out.  Trying again.
  Searching for www.companionshipgo.com A record at ns2.gtnlc.com.
[219.148.2.27]: Timed out.  Trying again.
  Searching for www.companionshipgo.com A record at ns2.gtnlc.com.
[219.148.2.27]: Timed out.  Trying again.
  Searching for www.companionshipgo.com A record at ns1.gtnlc.com.
[69.25.212.134]: Timed out.  Trying again.
  Searching for www.companionshipgo.com A record at ns1.gtnlc.com.
[69.25.212.134]: Timed out.  Trying again.
  Searching for www.companionshipgo.com A record at ns2.gtnlc.com.
[219.148.2.27]: Timed out.  Trying again.


-- 
Mike Easter
kibitzer, not SC admin

From ric.gates at bigsleep.org  Mon Dec 13 05:04:05 2004
From: ric.gates at bigsleep.org (Blammo)
Date: Mon Dec 13 00:05:02 2004
Subject: [SC-Help] Re: Spamcop cannot resolve 202.102.230.35-36 domains.
References: <1503-41BCF8BF-11@storefull-3278.bay.webtv.net>
	<cpj712$u65$1@news.spamcop.net>
Message-ID: <Xns95BDD66FDDE91blammo@216.154.195.61>

On 12 Dec 2004 Mike Easter entered spamcop.help and left 
news:cpj712$u65$1@news.spamcop.net:

> For that one, the basic problem is that if your resolver doesn't have it
> cached, there /is/ no [decent] nameservice, because the domain's
> nameservers don't answer in a reasonable time.
> 

I wonder if they are overloaded because of all the crap hosted over there, 
or maybe their networks can't handle the traffic.
Perhaps we'll get lucky and they'll self-destruct.

-- 
| Ric
From bar_n0ne at hotmail.com  Mon Dec 13 09:53:10 2004
From: bar_n0ne at hotmail.com (Berny)
Date: Mon Dec 13 00:55:03 2004
Subject: [SC-Help] Re: Spamcop cannot resolve 202.102.230.35-36 domains.
References: <1503-41BCF8BF-11@storefull-3278.bay.webtv.net>
	<cpj712$u65$1@news.spamcop.net> <Xns95BDD66FDDE91blammo@216.154.195.61>
Message-ID: <cpjaoa$ue$1@news.spamcop.net>


"Blammo" <ric.gates@bigsleep.org> wrote in message
news:Xns95BDD66FDDE91blammo@216.154.195.61...
> On 12 Dec 2004 Mike Easter entered spamcop.help and left
> news:cpj712$u65$1@news.spamcop.net:
>
> > For that one, the basic problem is that if your resolver doesn't have it
> > cached, there /is/ no [decent] nameservice, because the domain's
> > nameservers don't answer in a reasonable time.
> >
>
> I wonder if they are overloaded because of all the crap hosted over there,
> or maybe their networks can't handle the traffic.
> Perhaps we'll get lucky and they'll self-destruct.
>
> -- 
> | Ric

If you look over in .spamcop, you'll see all kinds of threads on
2-2.102.230.36, mainly relating to some kind of "Vampiring" on this
host(er), also in the help forum


From nobody at nowhere.invalid  Mon Dec 13 12:32:03 2004
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Mon Dec 13 06:35:03 2004
Subject: [SC-Help] Re: ReportingID Spam
References: <j2mqr0dukvih7suadi9d2g8jfmschk0jj2@4ax.com>
Message-ID: <slrncrqvdj.15l.nobody@127.0.0.1>

On Mon, 13 Dec 2004 02:00:39 -0700, SpamCop Admin coughed into spamcop
and left this in <j2mqr0dukvih7suadi9d2g8jfmschk0jj2@4ax.com>:

> It looks like a spammer is using a number generator to create reportID
> numbers to be used with our @reports.spamcop.net address.

Don't forget the "abuse@nic.it" factor. That particular address feeds a 
mailing list run by the Italian (so-called) anti-spam (wannabe) 
authorities. Trouble is, that list is crawling with spammers who then 
spam the "reportid" addresses of SC complainants.

I've been receiving spams sent to $REPORTID@reports.spamcop.net for 
quite a while. Each and every time, $REPORTID is the ID of a report 
sent to abuse@nic.it.

-- 
Steve

If you try to please everybody, nobody will like it.
From ric.gates at bigsleep.org  Mon Dec 13 12:20:41 2004
From: ric.gates at bigsleep.org (Blammo)
Date: Mon Dec 13 07:25:03 2004
Subject: [SC-Help] Re: ReportingID Spam
References: <j2mqr0dukvih7suadi9d2g8jfmschk0jj2@4ax.com>
	<slrncrqvdj.15l.nobody@127.0.0.1>
Message-ID: <Xns95BE2C5288038blammo@216.154.195.61>

On 13 Dec 2004 Steven Maesslein entered spamcop and left 
news:slrncrqvdj.15l.nobody@127.0.0.1:

> 
> Don't forget the "abuse@nic.it" factor. That particular address feeds a 
> mailing list run by the Italian (so-called) anti-spam (wannabe) 
> authorities. Trouble is, that list is crawling with spammers who then 
> spam the "reportid" addresses of SC complainants.
> 

Two of mine are too old to track, and one from Oct 6 was sent to 
abuse@nic.it, that is rather old.


-- 
| Ric
|
From postm at ster.blorchDOTorg  Mon Dec 13 07:28:57 2004
From: postm at ster.blorchDOTorg (Mark K. Bilbo)
Date: Mon Dec 13 08:30:03 2004
Subject: [SC-Help] Re: ReportingID Spam
References: <j2mqr0dukvih7suadi9d2g8jfmschk0jj2@4ax.com>
Message-ID: <cpk58q$hgb$1@news.spamcop.net>

On Mon, 13 Dec 2004 02:00:39 -0700, SpamCop Admin wrote:

> The traffic is spam, so it should be reported, but with one caution.
> It's important that the spam not be confused with actual replies to our
> current reports.  Replies to reports aren't spam and shouldn't be
> reported.

Just got one myself via:

1046833788@reports.spamcop.net

Wasn't sure what to do with it at first but I've reported it now.

What is it with these idiots? Of all the people *least interested in what
spam scum are peddling, it'd be people using services like Spamcop.
Spammers aren't just stupid, it's like they're in a contest of stupidity
and going for the gold...
From ric.gates at bigsleep.org  Mon Dec 13 13:29:43 2004
From: ric.gates at bigsleep.org (Blammo)
Date: Mon Dec 13 08:30:08 2004
Subject: [SC-Help] Re: ReportingID Spam
References: <j2mqr0dukvih7suadi9d2g8jfmschk0jj2@4ax.com>
	<cpk58q$hgb$1@news.spamcop.net>
Message-ID: <Xns95BE3806E296Bblammo@216.154.195.61>

On 13 Dec 2004 Mark K. Bilbo entered spamcop.help and left 
news:cpk58q$hgb$1@news.spamcop.net:

> Spammers aren't just stupid, it's like they're in a contest of stupidity
> and going for the gold...
> 

I'd say we found the gold medal winner.

-- 
| Ric
|
From bar_n0ne at hotmail.com  Mon Dec 13 17:31:01 2004
From: bar_n0ne at hotmail.com (Berny)
Date: Mon Dec 13 08:35:04 2004
Subject: [SC-Help] Re: ReportingID Spam
References: <j2mqr0dukvih7suadi9d2g8jfmschk0jj2@4ax.com>
	<cpk58q$hgb$1@news.spamcop.net>
Message-ID: <cpk5in$i07$1@news.spamcop.net>


"Mark K. Bilbo" <postm@ster.blorchDOTorg> wrote in message
news:cpk58q$hgb$1@news.spamcop.net...
> On Mon, 13 Dec 2004 02:00:39 -0700, SpamCop Admin wrote:
>
> > The traffic is spam, so it should be reported, but with one caution.
> > It's important that the spam not be confused with actual replies to our
> > current reports.  Replies to reports aren't spam and shouldn't be
> > reported.
>
> Just got one myself via:
>
> 1046833788@reports.spamcop.net
>
> Wasn't sure what to do with it at first but I've reported it now.
>
> What is it with these idiots? Of all the people *least interested in what
> spam scum are peddling, it'd be people using services like Spamcop.
> Spammers aren't just stupid, it's like they're in a contest of stupidity
> and going for the gold..

Probably an enlargement spam? Their little way of retaliating with what they
percieve as an insult..


From mikeyhsd at sport.rr.com  Mon Dec 13 07:52:14 2004
From: mikeyhsd at sport.rr.com (mikeyhsd)
Date: Mon Dec 13 08:55:02 2004
Subject: [SC-Help] no responses
Message-ID: <cpk6q9$iop$1@news.spamcop.net>

for the past week or so, am not getting spam reports back on spam that is 
being sent in.
I use a hotmail for response and spam cop responses are specifically 
allowed.
any suggestions on what I should look for.

did have one or two reports of "do not report virus", but both my isp's do 
virus scans of mail, and I have AVG scan all email as well.



mikeyhsd@sport.rr.com 


From postm at ster.blorchDOTorg  Mon Dec 13 07:56:23 2004
From: postm at ster.blorchDOTorg (Mark K. Bilbo)
Date: Mon Dec 13 08:55:05 2004
Subject: [SC-Help] Re: ReportingID Spam
References: <j2mqr0dukvih7suadi9d2g8jfmschk0jj2@4ax.com>
	<cpk58q$hgb$1@news.spamcop.net> <cpk5in$i07$1@news.spamcop.net>
Message-ID: <cpk6s8$iph$1@news.spamcop.net>

On Mon, 13 Dec 2004 17:31:01 +0400, Berny wrote:

> 
> "Mark K. Bilbo" <postm@ster.blorchDOTorg> wrote in message
> news:cpk58q$hgb$1@news.spamcop.net...
>> On Mon, 13 Dec 2004 02:00:39 -0700, SpamCop Admin wrote:
>>
>> > The traffic is spam, so it should be reported, but with one caution.
>> > It's important that the spam not be confused with actual replies to
>> > our current reports.  Replies to reports aren't spam and shouldn't be
>> > reported.
>>
>> Just got one myself via:
>>
>> 1046833788@reports.spamcop.net
>>
>> Wasn't sure what to do with it at first but I've reported it now.
>>
>> What is it with these idiots? Of all the people *least interested in
>> what spam scum are peddling, it'd be people using services like Spamcop.
>> Spammers aren't just stupid, it's like they're in a contest of stupidity
>> and going for the gold..
> 
> Probably an enlargement spam? Their little way of retaliating with what
> they percieve as an insult..

Actually it's an "enlaaaregment" spam. <g>

I love the way they've had to scramble spellings trying to get around
filters. If they have to bastardize the spelling any further than what
they're up to now, nobody's going to know what they're selling anyway.

(Seems they have a "devjcce" that can gain more inches... I guess that's
nice for the "devjcce"... uh... I think?)


From mrogoff at cesmail.net  Mon Dec 13 08:54:22 2004
From: mrogoff at cesmail.net (Martin Rogoff)
Date: Mon Dec 13 09:55:03 2004
Subject: [SC-Help] Re: Spam to @reports.spamcop.net address
References: <cog9b2$qh7$1@news.spamcop.net> <cogd1q$tv8$1@news.spamcop.net>
Message-ID: <pparr0dfluu2gjh95tcabje76n31h8pamd@4ax.com>

"Ellen" <nobody@spamcop.net> wrote:

>
>
>Yes they do self destruct after a while -- it used to be 30 days, I am not
>sure if that time got lengthened. Please email me the report numbers -- the
>local part of the email address -- so that I can see if they are report
>numbers for reports sent to a recipient who we have already beaten up or
>whether we need to go do that. deputies <at> spamcop.net
>
>TIA
>
>Ellen
>


I got a rash of them today.



693638454@reports.spamcop.net
38973471@reports.spamcop.net
748221139@reports.spamcop.net
800120502@reports.spamcop.net
679151538
763914729
795230773
1092559532@reports.spamcop.net
812632799@reports.spamcop.net
775470061@reports.spamcop.net
From nobody at spamcop.net  Mon Dec 13 10:21:57 2004
From: nobody at spamcop.net (Ellen)
Date: Mon Dec 13 10:30:03 2004
Subject: [SC-Help] Re: Spam to @reports.spamcop.net address
References: <cog9b2$qh7$1@news.spamcop.net> <cogd1q$tv8$1@news.spamcop.net>
	<pparr0dfluu2gjh95tcabje76n31h8pamd@4ax.com>
Message-ID: <cpkcb2$mdl$1@news.spamcop.net>



"Martin Rogoff" <mrogoff@cesmail.net> wrote in message
news:pparr0dfluu2gjh95tcabje76n31h8pamd@4ax.com...
> "Ellen" <nobody@spamcop.net> wrote:
>
> >
> >
> >Yes they do self destruct after a while -- it used to be 30 days, I am
not
> >sure if that time got lengthened. Please email me the report numbers -- 
the
> >local part of the email address -- so that I can see if they are report
> >numbers for reports sent to a recipient who we have already beaten up or
> >whether we need to go do that. deputies <at> spamcop.net
> >
> >TIA
> >
> >Ellen
> >
>
>
> I got a rash of them today.
>
>
>
> 693638454@reports.spamcop.net
> 38973471@reports.spamcop.net
> 748221139@reports.spamcop.net
> 800120502@reports.spamcop.net
> 679151538
> 763914729
> 795230773
> 1092559532@reports.spamcop.net
> 812632799@reports.spamcop.net
> 775470061@reports.spamcop.net

Yes -- everyone is getting them -- how delightful -- NOT. Anyway -- we have
opened a ticket on it and hopefully will have a fix in place in the not too
distant future altho I do not know how long it will take. In the interrim
just keep reporting them.

Ellen


From mfkmek820 at yahoo.com  Mon Dec 13 09:35:12 2004
From: mfkmek820 at yahoo.com (Fred K)
Date: Mon Dec 13 13:40:03 2004
Subject: [SC-Help] Re: ReportingID Spam
References: <j2mqr0dukvih7suadi9d2g8jfmschk0jj2@4ax.com>
	<cpk58q$hgb$1@news.spamcop.net>
Message-ID: <cpknds$tav$1@news.spamcop.net>


"Mark K. Bilbo" <postm@ster.blorchDOTorg> wrote in message 
news:cpk58q$hgb$1@news.spamcop.net...
>> What is it with these idiots? Of all the people *least interested in what
> spam scum are peddling, it'd be people using services like Spamcop.
> Spammers aren't just stupid, it's like they're in a contest of stupidity
> and going for the gold.

Ever hear of "revenge" and "up yours" or F^@*k you"? I  think that is the 
message, not the actual idea of getting you to fall for the spamvertized 
stuff.

Fred k 


From eddie at eddie.web  Mon Dec 13 14:44:06 2004
From: eddie at eddie.web (eddie)
Date: Mon Dec 13 14:45:07 2004
Subject: [SC-Help] Re: ReportingID Spam
References: <j2mqr0dukvih7suadi9d2g8jfmschk0jj2@4ax.com>
	<cpk58q$hgb$1@news.spamcop.net>
Message-ID: <pan.2004.12.13.19.44.06.542000@eddie.web>

On Mon, 13 Dec 2004 07:28:57 -0600, Mark K. Bilbo scratched out the
following:

snip
> What is it with these idiots? Of all the people *least interested in what
> spam scum are peddling, it'd be people using services like Spamcop.
> Spammers aren't just stupid, it's like they're in a contest of stupidity
> and going for the gold...

Most spammers are so stupid they simply don't know it. 
Does a fish know the water is salty?
Just another case of "Been down so long, looks like up to me."
Spammers roasting on an open fire ...

I like the spamkiddies that write about "gnomic prices" 

From eddie at eddie.web  Mon Dec 13 14:45:46 2004
From: eddie at eddie.web (eddie)
Date: Mon Dec 13 14:50:03 2004
Subject: [SC-Help] Re: ReportingID Spam
References: <j2mqr0dukvih7suadi9d2g8jfmschk0jj2@4ax.com>
	<cpk58q$hgb$1@news.spamcop.net> <cpknds$tav$1@news.spamcop.net>
Message-ID: <pan.2004.12.13.19.45.46.516000@eddie.web>

On Mon, 13 Dec 2004 09:35:12 -0900, Fred K scratched out the following:

snip
> Ever hear of "revenge" and "up yours" or F^@*k you"? I  think that is the
> message, not the actual idea of getting you to fall for the spamvertized
> stuff.
> 
> Fred k

It's called "Spamkiddy rage." They have lost sight of their goal, which is
exactly what we want to happen.
From spammers_lie at pobox.com  Mon Dec 13 20:17:03 2004
From: spammers_lie at pobox.com (Tom Betz)
Date: Mon Dec 13 15:20:04 2004
Subject: [SC-Help] Re: ReportingID Spam
References: <j2mqr0dukvih7suadi9d2g8jfmschk0jj2@4ax.com>
	<cpk58q$hgb$1@news.spamcop.net> <cpknds$tav$1@news.spamcop.net>
	<pan.2004.12.13.19.45.46.516000@eddie.web>
Message-ID: <Xns95BE9B7AF4799greenriverordinance@216.154.195.61>

eddie <eddie@eddie.web> wrote in
news:pan.2004.12.13.19.45.46.516000@eddie.web: 

> On Mon, 13 Dec 2004 09:35:12 -0900, Fred K scratched out the
> following: 
> 
> snip
>> Ever hear of "revenge" and "up yours" or F^@*k you"? I  think that is
>> the message, not the actual idea of getting you to fall for the
>> spamvertized stuff.
>> 
>> Fred k
> 
> It's called "Spamkiddy rage." They have lost sight of their goal,
> which is exactly what we want to happen.

I only saw one.  I suspect more were attempted, but were caught in other 
traps I have that search the Received headers for listed IP addresses.

Doubtless most of these are coming from IP space that is already 
blocklisted to hell and gone, so very few will get through.

I know no more will get through from that Chinese source.
From spammers_lie at pobox.com  Mon Dec 13 20:17:45 2004
From: spammers_lie at pobox.com (Tom Betz)
Date: Mon Dec 13 15:20:16 2004
Subject: [SC-Help] Re: Spamcop misparses this e-mail's body
References: <Xns95BA622F71D9Dgreenriverordinance@216.154.195.61>
	<cpa6ck$8ck$1@news.spamcop.net>
Message-ID: <Xns95BE9B99048BAgreenriverordinance@216.154.195.61>

"Ellen" <nobody@spamcop.net> wrote in news:cpa6ck$8ck$1@news.spamcop.net:

> Thanks

Thank you -- but Mike was right, I misread the report.
From porpoise1954 at yahoo.co.uk  Mon Dec 13 21:58:22 2004
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Mon Dec 13 17:05:04 2004
Subject: [SC-Help] Re: ReportingID Spam
References: <j2mqr0dukvih7suadi9d2g8jfmschk0jj2@4ax.com>
	<cpk58q$hgb$1@news.spamcop.net>
Message-ID: <cpl3hg$5m1$1@news.spamcop.net>


"Mark K. Bilbo" <postm@ster.blorchDOTorg> wrote in message 
news:cpk58q$hgb$1@news.spamcop.net...
> On Mon, 13 Dec 2004 02:00:39 -0700, SpamCop Admin wrote:
>
>> The traffic is spam, so it should be reported, but with one caution.
>> It's important that the spam not be confused with actual replies to our
>> current reports.  Replies to reports aren't spam and shouldn't be
>> reported.
>
> Just got one myself via:
>
> 1046833788@reports.spamcop.net
>
> Wasn't sure what to do with it at first but I've reported it now.
>
> What is it with these idiots? Of all the people *least interested in what
> spam scum are peddling, it'd be people using services like Spamcop.
> Spammers aren't just stupid, it's like they're in a contest of stupidity
> and going for the gold...

Probably just trying to be annoying!!!! 


From nobody at spamcop.net  Mon Dec 13 19:37:12 2004
From: nobody at spamcop.net (Miss Betsy)
Date: Mon Dec 13 19:35:03 2004
Subject: [SC-Help] Re: ReportingID Spam
References: <j2mqr0dukvih7suadi9d2g8jfmschk0jj2@4ax.com>
	<cpk58q$hgb$1@news.spamcop.net> <cpl3hg$5m1$1@news.spamcop.net>
Message-ID: <cplcf3$bn2$1@news.spamcop.net>


"Porpoise" <porpoise1954@yahoo.co.uk> wrote in message
news:cpl3hg$5m1$1@news.spamcop.net...
<snip>
> > What is it with these idiots? Of all the people *least
interested in what
> > spam scum are peddling, it'd be people using services like
Spamcop.
> > Spammers aren't just stupid, it's like they're in a contest of
stupidity
> > and going for the gold...
>
> Probably just trying to be annoying!!!!

I don't think that it is what is happening now (esp. with the ones
from italy), but a long time ago, Jim Mertz deliberately spammed
the report id of a few spamcop reports.  I think that he was
looking for a particular reporter, myself.  Or maybe verifying
reporter addresses.

Obviously, they don't care because they are 'bullet proof' or
perhaps the lists are for sale to those who are gullible enough to
buy them.

Miss Betsy


From julian at mehnle.net  Tue Dec 14 04:13:00 2004
From: julian at mehnle.net (Julian Mehnle)
Date: Mon Dec 13 22:15:02 2004
Subject: [SC-Help] Re: ReportingID Spam
In-Reply-To: <j2mqr0dukvih7suadi9d2g8jfmschk0jj2@4ax.com>
References: <j2mqr0dukvih7suadi9d2g8jfmschk0jj2@4ax.com>
Message-ID: <cpllnt$hcf$1@news.spamcop.net>

Hi SpamCop Admins,

Don wrote:
> It looks like a spammer is using a number generator to create reportID
> numbers to be used with our @reports.spamcop.net address.
> 
> For example, a recent spam was sent to 194356809 @ reports.spamcop.net
> and forwarded to a user by us.
> 
> Current reportID numbers are in the 1313340000 range now.

You might want to modify the @reports.spamcop.net address scheme in the 
future so the localparts contain a cryptographic hash not unlike the 
Sender Rewriting Scheme (SRS) concept[1].

That way, the reports.spamcop.net MX could verify whether a given 
localpart is genuine, so the localparts would no longer be "guessable" by 
spammers.

Of course this doesn't help against the "abuse@nic.it factor" and other 
such address leaking problems, but it's better than nothing.

References:
  1. http://www.libsrs2.org
From wb8tyw at qsl.network  Mon Dec 13 22:27:13 2004
From: wb8tyw at qsl.network (John E. Malmberg)
Date: Mon Dec 13 22:30:03 2004
Subject: [SC-Help] Re: Spam to @reports.spamcop.net address
In-Reply-To: <cpkcb2$mdl$1@news.spamcop.net>
References: <cog9b2$qh7$1@news.spamcop.net> <cogd1q$tv8$1@news.spamcop.net>
	<pparr0dfluu2gjh95tcabje76n31h8pamd@4ax.com> <cpkcb2$mdl$1@news.spamcop.net>
Message-ID: <IIudne_4c7YPwCPcRVn-iA@adelphia.com>

Ellen wrote:

> Yes -- everyone is getting them -- how delightful -- NOT. Anyway -- we have
> opened a ticket on it and hopefully will have a fix in place in the not too
> distant future altho I do not know how long it will take. In the interrim
> just keep reporting them.

Will the fix involve them getting treated as spamtrap hits? :-)

-John
wb8tyw@qsl.network
Personal Opinion Only
From nospam at temporaryrelay002.ath.cx  Tue Dec 14 07:48:14 2004
From: nospam at temporaryrelay002.ath.cx (Gingko)
Date: Tue Dec 14 01:50:02 2004
Subject: [SC-Help] Re: ReportingID Spam
References: <j2mqr0dukvih7suadi9d2g8jfmschk0jj2@4ax.com>
Message-ID: <cpm2bm$po9$1@news.spamcop.net>

"SpamCop Admin" <service@admin.spamcop.net> a écrit dans le message de news: 
j2mqr0dukvih7suadi9d2g8jfmschk0jj2@4ax.com...
> Some users are getting spam via our "report reply" system that
> translates the reporting address on SpamCop complaints to the user who
> filed the report and then forwards the message to him.
>

I got about 10 of them since yesterday.

What I find very surprising is that I have the "Forward only replies from 
sentient people" option checked in my Spamcop preferences.

Does it mean that the spammer created a robot for answering the 
"confirmation email" ????

Gingko


From nospam at temporaryrelay002.ath.cx  Tue Dec 14 08:05:53 2004
From: nospam at temporaryrelay002.ath.cx (Gingko)
Date: Tue Dec 14 02:10:02 2004
Subject: [SC-Help] Re: ReportingID Spam
References: <j2mqr0dukvih7suadi9d2g8jfmschk0jj2@4ax.com>
	<cpm2bm$po9$1@news.spamcop.net>
Message-ID: <cpm3cm$qc3$1@news.spamcop.net>

Another thing :

Some of these messages have the "@reports.spamcop.net" replaced by "@<my 
registered domain>" in the "To" field (probably setting the real address in 
the "Bcc" field).

.... but I cannot see the error in the log file of my SMTP server ???

Anyway, I am wondering, in this case, if the chosen ID numbers are always 
random ?

Gingko


From nobody at nowhere.invalid  Tue Dec 14 09:56:47 2004
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Tue Dec 14 04:00:03 2004
Subject: [SC-Help] Re: ReportingID Spam
References: <j2mqr0dukvih7suadi9d2g8jfmschk0jj2@4ax.com>
	<cpk58q$hgb$1@news.spamcop.net>
Message-ID: <slrncrtamf.nj.nobody@127.0.0.1>

On Mon, 13 Dec 2004 07:28:57 -0600, Mark K. Bilbo coughed into spamcop
and left this in <cpk58q$hgb$1@news.spamcop.net>:

> Just got one myself via:
>
> 1046833788@reports.spamcop.net
>
> Wasn't sure what to do with it at first but I've reported it now.

I've also just noticed that the spammer is evading SC's SpamAssassin
scoring by using the whitelisted spamcop@devnull.spamcop.net as the MAIL
FROM address in the SMTP envelope, thus making the spam end up with a SA
score of about -80 instead of the 20 it'd normally have (and thus get
diverted to held mail by those who use the SA scoring for that purpose).

-- 
Steve

It is impossible for an optimist to be pleasantly
suprised.
From ric.gates at bigsleep.org  Tue Dec 14 11:17:00 2004
From: ric.gates at bigsleep.org (Blammo)
Date: Tue Dec 14 06:20:08 2004
Subject: [SC-Help] Re: ReportingID Spam
References: <j2mqr0dukvih7suadi9d2g8jfmschk0jj2@4ax.com>
	<cpk58q$hgb$1@news.spamcop.net> <slrncrtamf.nj.nobody@127.0.0.1>
Message-ID: <Xns95BF21851B31Dblammo@216.154.195.61>

On 14 Dec 2004 Steven Maesslein entered spamcop and left 
news:slrncrtamf.nj.nobody@127.0.0.1:

> I've also just noticed that the spammer is evading SC's SpamAssassin
> scoring by using the whitelisted spamcop@devnull.spamcop.net as the MAIL
> FROM address in the SMTP envelope, thus making the spam end up with a SA
> score of about -80 instead of the 20 it'd normally have (and thus get
> diverted to held mail by those who use the SA scoring for that purpose).
> 

um, are you looking at X-SpamCop-Return-Path?

-- 
| Ric
From nobody at nowhere.invalid  Tue Dec 14 14:20:02 2004
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Tue Dec 14 08:25:04 2004
Subject: [SC-Help] Re: ReportingID Spam
References: <j2mqr0dukvih7suadi9d2g8jfmschk0jj2@4ax.com>
	<cpk58q$hgb$1@news.spamcop.net> <slrncrtamf.nj.nobody@127.0.0.1>
	<Xns95BF21851B31Dblammo@216.154.195.61>
Message-ID: <slrncrtq42.q7.nobody@127.0.0.1>

On Tue, 14 Dec 2004 11:17:00 +0000 (UTC), Blammo coughed into spamcop
and left this in <Xns95BF21851B31Dblammo@216.154.195.61>:

> um, are you looking at X-SpamCop-Return-Path?

No.

I'm looking at this, which is inserted by *my* MTA which I trust:

Return-Path: <spamcop@devnull.spamcop.net>

And this which is inserted by SC itself:

X-SpamCop-Whitelisted: spamcop@devnull.spamcop.net

X-Spam-Status: hits=-79.8 tests=FORGED_RCVD_HELO,HTML_10_20,HTML_MESSAGE,
	HTML_MIME_NO_HTML_TAG,INFO_TLD,LONGWORDS,MIME_BOUND_DD_DIGITS,
	MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI,MPART_ALT_DIFF,
	MSGID_FROM_MTA_HEADER,SARE_OBFUENLARGE,UNIQUE_WORDS,URIBL_SBL,
	URIBL_SC_SURBL,URIBL_WS_SURBL,USER_IN_WHITELIST_TO version=3.0.0
                                      ^^^^^^^^^^^^^^^^^^^^

SA is *not* running on my own server.

-- 
Steve

It is better for civilization to be going down the drain,
than to be coming up it.
From ric.gates at bigsleep.org  Tue Dec 14 18:33:49 2004
From: ric.gates at bigsleep.org (Blammo)
Date: Tue Dec 14 13:35:06 2004
Subject: [SC-Help] Re: ReportingID Spam
References: <j2mqr0dukvih7suadi9d2g8jfmschk0jj2@4ax.com>
	<cpk58q$hgb$1@news.spamcop.net> <slrncrtamf.nj.nobody@127.0.0.1>
	<Xns95BF21851B31Dblammo@216.154.195.61> <slrncrtq42.q7.nobody@127.0.0.1>
Message-ID: <Xns95BF6B95CE838blammo@216.154.195.61>

On 14 Dec 2004 Steven Maesslein entered spamcop and left 
news:slrncrtq42.q7.nobody@127.0.0.1:

>> um, are you looking at X-SpamCop-Return-Path?
> 
> No.
> 
> I'm looking at this, which is inserted by *my* MTA which I trust:
> 
> Return-Path: <spamcop@devnull.spamcop.net>
> 

Well, that is the return path, it did come from spamcop.
That Return-Path: is added by vmx?.spamcop.net

if you want to know the source, look at the X-SpamCop-Return-Path

-- 
| Ric
From ric.gates at bigsleep.org  Tue Dec 14 18:43:53 2004
From: ric.gates at bigsleep.org (Blammo)
Date: Tue Dec 14 13:45:03 2004
Subject: [SC-Help] Re: ReportingID Spam
References: <j2mqr0dukvih7suadi9d2g8jfmschk0jj2@4ax.com>
	<cpk58q$hgb$1@news.spamcop.net> <slrncrtamf.nj.nobody@127.0.0.1>
	<Xns95BF21851B31Dblammo@216.154.195.61> <slrncrtq42.q7.nobody@127.0.0.1>
Message-ID: <Xns95BF6D4ABBD10blammo@216.154.195.61>

On 14 Dec 2004 Steven Maesslein entered spamcop and left 
news:slrncrtq42.q7.nobody@127.0.0.1:

> SA is *not* running on my own server.
> 

But you have a SpamCop mail account? If not I don't know how that got in 
there because I don't see Spamassassin headers in mine.

-- 
| Ric
From tjtmdREMOVE_THIS at attglobal.net  Tue Dec 14 19:22:10 2004
From: tjtmdREMOVE_THIS at attglobal.net (Tanya)
Date: Tue Dec 14 19:50:02 2004
Subject: [SC-Help] Re: help stopping spammer -- please advise
References: <41B5C73D.D5A6D95B@attglobal.net> <cp4teg$tst$1@news.spamcop.net>
	<41B62DA9.3C1BB4C3@attglobal.net> <cp5ggm$cul$1@news.spamcop.net>
	<41B8B145.ACB9DAC8@attglobal.net> <cpaphc$ptn$1@news.spamcop.net>
Message-ID: <41BF83B2.D9CB6C37@attglobal.net>

Miss Betsy wrote:
<snip>

> Perhaps if you explain more, it will become clearer.  There are
> certain situations where the parser has a hard time with the
> headers and won't go beyond your isp, but then you don't ever see
> another address.  It could be your timing.  Since those links are
> not intended, as far as I know, to be used for creating emails,
> perhaps they do resolve to a default after a while.
>
> Note I am not an expert and I am just guessing at why this is
> happening.
>
> Miss Betsy
>
> Miss Betsy

hi,
just wanted to thank you for replying -- next time i post i'll word the
question clearly (or at least try ...)
:-)
but basically it was answered.......
best wishes for the Holidays!
sincerely
Tanya




From spammers_lie at pobox.com  Wed Dec 15 19:19:12 2004
From: spammers_lie at pobox.com (Tom Betz)
Date: Wed Dec 15 14:20:03 2004
Subject: [SC-Help] Are Spam submissions by e-mail working?
Message-ID: <Xns95C091AC24F93greenriverordinance@216.154.195.61>

Over the last couple of days I've submitted quite a few spams by e-mail, 
but have not received any responses from Spamcop.

Is fixing the spam-through-Spamcop-servers problem holding up spam 
submissions by e-mail?
From David1 at suescornerweb.com  Wed Dec 15 14:25:42 2004
From: David1 at suescornerweb.com (David 1)
Date: Wed Dec 15 14:25:05 2004
Subject: [SC-Help] Re: Are Spam submissions by e-mail working?
In-Reply-To: <Xns95C091AC24F93greenriverordinance@216.154.195.61>
References: <Xns95C091AC24F93greenriverordinance@216.154.195.61>
Message-ID: <cpq31n$b73$1@news.spamcop.net>

Tom Betz wrote:
> Over the last couple of days I've submitted quite a few spams by e-mail, 
> but have not received any responses from Spamcop.
> 
> Is fixing the spam-through-Spamcop-servers problem holding up spam 
> submissions by e-mail?
I've been getting mine back within 15 Minutes of sending them in.
David 1
From spammers_lie at pobox.com  Wed Dec 15 19:44:45 2004
From: spammers_lie at pobox.com (Tom Betz)
Date: Wed Dec 15 14:45:27 2004
Subject: [SC-Help] Re: Are Spam submissions by e-mail working?
References: <Xns95C091AC24F93greenriverordinance@216.154.195.61>
	<cpq31n$b73$1@news.spamcop.net>
Message-ID: <Xns95C09600B8669greenriverordinance@216.154.195.61>

David 1 <David1@suescornerweb.com> wrote in
news:cpq31n$b73$1@news.spamcop.net: 

> Tom Betz wrote:
>> Over the last couple of days I've submitted quite a few spams by
>> e-mail, but have not received any responses from Spamcop.
>> 
>> Is fixing the spam-through-Spamcop-servers problem holding up spam 
>> submissions by e-mail?
> I've been getting mine back within 15 Minutes of sending them in.

Thanks.

Something else must be going on.



From nobody at spamcop.net  Wed Dec 15 15:55:06 2004
From: nobody at spamcop.net (Ellen)
Date: Wed Dec 15 16:00:04 2004
Subject: [SC-Help] Re: Are Spam submissions by e-mail working?
References: <Xns95C091AC24F93greenriverordinance@216.154.195.61>
	<cpq31n$b73$1@news.spamcop.net>
	<Xns95C09600B8669greenriverordinance@216.154.195.61>
Message-ID: <cpq8hd$f7d$1@news.spamcop.net>



"Tom Betz" <spammers_lie@pobox.com> wrote in message
news:Xns95C09600B8669greenriverordinance@216.154.195.61...
> David 1 <David1@suescornerweb.com> wrote in
> news:cpq31n$b73$1@news.spamcop.net:
>
> > Tom Betz wrote:
> >> Over the last couple of days I've submitted quite a few spams by
> >> e-mail, but have not received any responses from Spamcop.
> >>

Answered via email

Ellen


From firewoman at default.domain.not.available  Thu Dec 16 14:14:55 2004
From: firewoman at default.domain.not.available (Firewoman)
Date: Thu Dec 16 14:15:04 2004
Subject: [SC-Help] Re: ReportingID Spam
References: <j2mqr0dukvih7suadi9d2g8jfmschk0jj2@4ax.com>
Message-ID: <cpsmqo$ufk$1@news.spamcop.net>

"SpamCop Admin" <service@admin.spamcop.net> wrote in message
news:j2mqr0dukvih7suadi9d2g8jfmschk0jj2@4ax.com...
> Some users are getting spam via our "report reply" system that
> translates the reporting address on SpamCop complaints to the user who
> filed the report and then forwards the message to him.

Just an FYI, there's a discussion in nanae about this as well, possibly
misinformed... here's a link to the <ugh> google groups:

 http://tinyurl.com/4eqa8


From MikeE at ster.invalid  Thu Dec 16 11:32:09 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Dec 16 14:35:03 2004
Subject: [SC-Help] Re: ReportingID Spam
References: <j2mqr0dukvih7suadi9d2g8jfmschk0jj2@4ax.com>
	<cpsmqo$ufk$1@news.spamcop.net>
Message-ID: <cpsnr4$v9d$1@news.spamcop.net>

Firewoman wrote:
>  here's a link to the <ugh> google groups:
>
>  http://tinyurl.com/4eqa8

I don't like that 'beta';  I use the regular 'ol googlegroups .uk or .ca

http://snipurl.com/bf0n

-- 
Mike Easter
kibitzer, not SC admin

From fredfighter at spamcop.net  Fri Dec 17 03:20:51 2004
From: fredfighter at spamcop.net (Fred the Red Shirt)
Date: Thu Dec 16 21:45:04 2004
Subject: [SC-Help] Re: Are whitelist entries case sensitive?
References: <cpaimg$kki$1@news.spamcop.net>
	<Xns95BAC2535F2D6blammo@216.154.195.61>
Message-ID: <41C25093.765CC9AF@spamcop.net>



Blammo wrote:

> On 09 Dec 2004 Scott Peterson entered spamcop.help and left
> news:cpaimg$kki$1@news.spamcop.net:
>
> > The indication I have that they are are the addresses
> > specials@outpost.com and Specials@Outpost.com in my whitelist.  I
> > presume the second one was added when it slipped past the first one in
> > the whitelist, which would only differ in case.
> >
>
> In the example - Specials@Outpost.com
> @Outpost.com is never case sensitive, if a filter matches case for a domain
> then it is wrong. Try whitelisting the entire domain if you can.
> Specials@ could be case sensitive, but I've never seen any server use case
> sensitive user names in eMail addresses.

My experience with the SpamCop web-based email client is that whitelisting
in particular and filtering in general often fails for no aparent purpose.

For instance I'll click on that slightly curved trianglular icon that is
supposed
to filter the inbox and nothing in the inbox will get filtered.  Or some emails

will be filtered while others that should be are not.  This will (not) happen
maybe 4 or 5  times in one session and then suddenly it will work.

Or sometimes the filtering will fail for several days and the all of a
sudden the 200 or 300 emails that have accumulated in the inbox
will be filtered.  Meanwhile I will have done nothing to my filters or
other options.  It just suddenly starts working again.

For the past several weeks, filtering has been extremely problematic.

--

FF


From ric.gates at bigsleep.org  Fri Dec 17 03:49:30 2004
From: ric.gates at bigsleep.org (Blammo)
Date: Thu Dec 16 22:50:03 2004
Subject: [SC-Help] Re: Are whitelist entries case sensitive?
References: <cpaimg$kki$1@news.spamcop.net>
	<Xns95BAC2535F2D6blammo@216.154.195.61> <41C25093.765CC9AF@spamcop.net>
Message-ID: <Xns95C1C9CC265A5blammo@216.154.195.61>

On 16 Dec 2004 Fred the Red Shirt entered spamcop.help and left
news:41C25093.765CC9AF@spamcop.net: 

> My experience with the SpamCop web-based email client is that
> whitelisting in particular and filtering in general often fails for no
> aparent purpose. 
> 

This is interesting because I noticed some similar problem with my own mail 
server configuration. I recently added a X-White-Listed header, tested it 
and it seemed to work fine. Then I got one eMail that didn't have the 
header when I know it should have. It worked when I tested it, so I looked 
through the code and didn't see any reason for it to fail. the only thing I 
could figure was that an if statement in the header config was not, at 
certain times, resolving to true, so the header was not added. This might 
be happening in other rules, where a macro isn't set maybe because the 
server is running several queue runs or something odd, I would probably 
need to track the server logs to find the source of the error.
I actually fixed it by just removing the if statement, so if the macro is 
unset the header is not there.
I probably didn't do a very good job there of trying to analyze an error 
that I barely understand and may or may not have anything to do with 
Spamcop's problem ;-)

A problem I've noticed on other servers is that when the message is sent to 
multiple recipients it won't always use your filter settings, but one of 
the other recipient's mail filter settings. I assume this happens because 
the message is filtered before it's copied to the other accounts. It's 
kinda funny because now I know what some other users have their filter set 
to, and I'm sure there is some spam that's getting deleted and I never see 
it. But this shouldn't affect my whitelist because it's unlikely those 
would be sent to other users that I don't know.

-- 
| Ric
|
From nospam at temporaryrelay002.ath.cx  Fri Dec 17 09:47:58 2004
From: nospam at temporaryrelay002.ath.cx (Gingko)
Date: Fri Dec 17 03:50:02 2004
Subject: [SC-Help] Re: ReportingID Spam
References: <j2mqr0dukvih7suadi9d2g8jfmschk0jj2@4ax.com>
Message-ID: <cpu6g0$v1c$1@news.spamcop.net>

Hello,

I still received 5 of these messages this morning (via Spamcop).

http://www.spamcop.net/sc?id=z703494570zfe0beef00b9a424b05fb95d37fe05509z
http://www.spamcop.net/sc?id=z703494571z3145fdfe823b15738c83539908113c07z
http://www.spamcop.net/sc?id=z703494572za2be4d757f9b698c10ac5058eeca0774z
http://www.spamcop.net/sc?id=z703494573zc8fb6e7fc52f93ebfe799f9ac28fa04az
http://www.spamcop.net/sc?id=z703494574zc40c70b96cf647153e7766613d5d7299z


Only one were sent to " <number>@reports.spamcop.net "
Others were sent to :
<number> (alone)
<number> (alone)
<number>@<mydomain>
<number>@<mydomain>

That is what I can see in the "To:" field.

Of course, I don't know what was in the "Bcc:" field....

Gingko.


From hwolfe at spamcop.net  Fri Dec 17 05:20:54 2004
From: hwolfe at spamcop.net (Herb Wolfe)
Date: Fri Dec 17 06:25:05 2004
Subject: [SC-Help] Re: ReportingID Spam
In-Reply-To: <j2mqr0dukvih7suadi9d2g8jfmschk0jj2@4ax.com>
References: <j2mqr0dukvih7suadi9d2g8jfmschk0jj2@4ax.com>
Message-ID: <cpufe4$4b0$1@news.spamcop.net>

Looks like I've got 9 more this morning.
From TMHRVMFWREVN at spammotel.com  Fri Dec 17 12:01:05 2004
From: TMHRVMFWREVN at spammotel.com (Rob)
Date: Fri Dec 17 07:05:03 2004
Subject: [SC-Help] Re: ReportingID Spam
References: <j2mqr0dukvih7suadi9d2g8jfmschk0jj2@4ax.com>
	<cpufe4$4b0$1@news.spamcop.net>
Message-ID: <cpuhqs$60g$1@news.spamcop.net>


"Herb Wolfe" <hwolfe@spamcop.net> wrote in message
news:cpufe4$4b0$1@news.spamcop.net...
> Looks like I've got 9 more this morning.

At least I'm glad to see I'm not the only one getting these.  I got a
further four this morning and get a few every day.  I suspect it is the same
person every time due to the number of them reaching me, always three or
four, always all the same.


From postm at ster.blorchDOTorg  Fri Dec 17 07:01:55 2004
From: postm at ster.blorchDOTorg (Mark K. Bilbo)
Date: Fri Dec 17 08:00:02 2004
Subject: [SC-Help] Re: ReportingID Spam
References: <j2mqr0dukvih7suadi9d2g8jfmschk0jj2@4ax.com>
	<cpk58q$hgb$1@news.spamcop.net> <cpknds$tav$1@news.spamcop.net>
Message-ID: <cpul5n$7m2$1@news.spamcop.net>

On Mon, 13 Dec 2004 09:35:12 -0900, Fred K wrote:

> 
> "Mark K. Bilbo" <postm@ster.blorchDOTorg> wrote in message
> news:cpk58q$hgb$1@news.spamcop.net...
>>> What is it with these idiots? Of all the people *least interested in
>>> what
>> spam scum are peddling, it'd be people using services like Spamcop.
>> Spammers aren't just stupid, it's like they're in a contest of stupidity
>> and going for the gold.
> 
> Ever hear of "revenge" and "up yours" or F^@*k you"? I  think that is the
> message, not the actual idea of getting you to fall for the spamvertized
> stuff.

I'm not sure. Revenge would imply some kind of intelligence. Spammers are
stupid. Spammers are very, very, very, very, very stupid. Not to mention,
stupid.

He may think he's pulled off quite a little marketing "coup." They are
that stupid.

(Did I mention spammers are stupid?)

From nobody at spamcop.net  Fri Dec 17 07:47:17 2004
From: nobody at spamcop.net (Ellen)
Date: Fri Dec 17 08:05:03 2004
Subject: [SC-Help] Re: ReportingID Spam
References: <j2mqr0dukvih7suadi9d2g8jfmschk0jj2@4ax.com>
	<cpufe4$4b0$1@news.spamcop.net>
Message-ID: <cpuld0$8is$1@news.spamcop.net>



"Herb Wolfe" <hwolfe@spamcop.net> wrote in message
news:cpufe4$4b0$1@news.spamcop.net...
> Looks like I've got 9 more this morning.

Please send me the "to" addresses from those or a few of those. Ginko seems
to have premunged his before he parsed so I can't get them from there.
deputies  <at>  spamcop.net   Thanks

Ellen


From newandrew at rump.dk  Fri Dec 17 13:28:12 2004
From: newandrew at rump.dk (Andrew Engels Rump (formerly Leif Andrew Rump))
Date: Fri Dec 17 08:30:04 2004
Subject: [SC-Help] Re: ReportingID Spam
References: <j2mqr0dukvih7suadi9d2g8jfmschk0jj2@4ax.com>
	<cpufe4$4b0$1@news.spamcop.net> <cpuld0$8is$1@news.spamcop.net>
Message-ID: <Xns95C29332B5F8Bnewandrewrumpdk@216.154.195.61>

[posted and mailed]

FUT: spamcop.help

After drinking 3 Pan Galactic Gargle Blasters, "Ellen"
<nobody@spamcop.net> mumbled in news:cpuld0$8is$1@news.spamcop.net: 
> "Herb Wolfe" <hwolfe@spamcop.net> wrote in message
> news:cpufe4$4b0$1@news.spamcop.net...
>> Looks like I've got 9 more this morning.
> Please send me the "to" addresses from those or a few of those.
> Ginko seems to have premunged his before he parsed so I can't
> get them from there. deputies  <at>  spamcop.net   Thanks

Hmm. These reports apparently wasn't mine or at least SpamCop
"Cannot find spam for reportid 544937441":

544937441<at>reports.spamcop.net
451013504<at>reports.spamcop.net
181322256<at>reports.spamcop.net
1259550652<at>reports.spamcop.net
...

Apparently the spammer send it Bcc to me with a random number in
to To-field!?!

Andrew
-- 
*** The opinions expressed are not necessarily those of my employer. ***
* Software Engineer Andrew Engels Rump * BLIK og ROERarbejderforbundet *
* Immerkaer 42, 2650 Hvidovre * Tlf: +45 3638 3638, Fax: +45 3638 3639 *
Home: N55?41'38.9" E12?29'08.6" (WGS 84) Work: N55?39'50.9" E12?27'47.4"
E-mail: mailto:newandrew@rump.dk WWW http://www.rump.dk/homepage/andrew/
From crappy.trappy at ntlworld.com  Fri Dec 17 14:15:04 2004
From: crappy.trappy at ntlworld.com (Tim)
Date: Fri Dec 17 09:15:03 2004
Subject: [SC-Help] Re: ReportingID Spam
In-Reply-To: <cpuld0$8is$1@news.spamcop.net>
References: <j2mqr0dukvih7suadi9d2g8jfmschk0jj2@4ax.com>
	<cpufe4$4b0$1@news.spamcop.net> <cpuld0$8is$1@news.spamcop.net>
Message-ID: <cpupl5$b5h$1@news.spamcop.net>

Ellen wrote:
> "Herb Wolfe" <hwolfe@spamcop.net> wrote in message
> news:cpufe4$4b0$1@news.spamcop.net...
> 
>>Looks like I've got 9 more this morning.
> 
> 
> Please send me the "to" addresses from those or a few of those. Ginko seems
> to have premunged his before he parsed so I can't get them from there.
> deputies  <at>  spamcop.net   Thanks
> 
> Ellen
> 
> 
I got 16 today but didn't record the numbers.
I'll do that when I get my next batch.

From crappy.trappy at ntlworld.com  Fri Dec 17 14:18:37 2004
From: crappy.trappy at ntlworld.com (Tim)
Date: Fri Dec 17 09:20:03 2004
Subject: [SC-Help] Re: ReportingID Spam
In-Reply-To: <cpul5n$7m2$1@news.spamcop.net>
References: <j2mqr0dukvih7suadi9d2g8jfmschk0jj2@4ax.com>
	<cpk58q$hgb$1@news.spamcop.net> <cpknds$tav$1@news.spamcop.net>
	<cpul5n$7m2$1@news.spamcop.net>
Message-ID: <cpuprr$bev$1@news.spamcop.net>

Mark K. Bilbo wrote:
> He may think he's pulled off quite a little marketing "coup." 
> 
Yeah but how many actual sales do ya think this moron is gonna get?

> (Did I mention spammers are stupid?)
> 
Not enough times!
From MikeE at ster.invalid  Fri Dec 17 06:46:50 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Dec 17 09:50:03 2004
Subject: [SC-Help] Re: spamcop parsing not working?
References: <cpud5s$3b8$1@news.spamcop.net>
Message-ID: <cpurg1$ckk$1@news.spamcop.net>

Posted to .help & .spam;  f/ups to .help

user@domain.invalid wrote:
> hey, this spam doesn't originate from my ISP, but the spamcop parser
> thinks that it does.  can this be fixed?

Mailhosts.

spamcop.net/sc?id=z703508788z5088a34db41c7d2c594444669e6fcd97z

  Abbreviated Received line summary *comment
  from unknown (192.168.1.103) by blade5.cesmail.net *serves you
  from vpop4.superb.net (66.36.226.13) by mailgate2.cesmail.net *serves
you
  from unknown (HELO smtp4.superb.net) (66.36.226.12) by
vpop4.superb.net *serves you
  from unknown (HELO smtp4.superb.net) (127.0.0.1) by localhost *serves
you
  from unknown (HELO 66.36.226.12) (213.135.115.130) by 66.36.226.12
*sourceline, noncompliant
  from FRSCV-AW63 (83.16.216.82) by 83.16.216.82 *bogusline

SC sez Tracking message source: 66.36.226.12:

Reading from 'the source up', the headers show 213.135.115.130 => your
superb => SC

213.135.115.130 no rDNS is ripe
inetnum:      213.135.114.0 - 213.135.122.127
netname:      ESOO-NET
descr:        OJSC "ElectroSvyaz of Orenburg region"
nikonov@esoo.ru   vic@mail.esoo.ru

213.135.115.130  is multilisted in spamsource bl/s & proxy bl/s for port
3128 http proxyspam

The problem for the parser is that your provider spends a lot of lines
saying very little, but the all important sourceline it handles very
poorly and noncompliantly.

Your provider's servers are 'trying' to use this configuration:

Received: from rDNS (HELO helo) (source.ip) by receiving.domainname with
somestuff datestamp

but the all important sourceline has '66.36.226.12' in the 'by' field
instead of 'smtp4.superb.net'

As a result, SC interprets it as a 'forgery' and breaks the chain at the
last goodline above, which is #3 of my abbreviateds.  SC skips #4.

What you will need to do to get SC to parse your provider's lines
correctly is to use the mailhosts system.


Housekeeping.

You posted this is spamcop.spam;  but that group is only for posting
spamitems, not discussing.  When you post a tracker, which you did and
which is far superior to posting plain old spam, you can and should post
it and discuss it in spamcop.help or spamcop, the discussion groups
[which do not permit spam but do permit trackers].

-- 
Mike Easter
kibitzer, not SC admin

From nospam at temporaryrelay002.ath.cx  Fri Dec 17 18:55:54 2004
From: nospam at temporaryrelay002.ath.cx (Gingko)
Date: Fri Dec 17 13:00:03 2004
Subject: [SC-Help] Re: ReportingID Spam
References: <j2mqr0dukvih7suadi9d2g8jfmschk0jj2@4ax.com>
	<cpufe4$4b0$1@news.spamcop.net> <cpuld0$8is$1@news.spamcop.net>
Message-ID: <cpv6jc$jcc$1@news.spamcop.net>

----- Original Message ----- 
From: "Ellen" <nobody@spamcop.net>
Newsgroups: spamcop.help,spamcop
Sent: Friday, December 17, 2004 1:47 PM
Subject: Re: ReportingID Spam


> "Herb Wolfe" <hwolfe@spamcop.net> wrote in message
> news:cpufe4$4b0$1@news.spamcop.net...
>> Looks like I've got 9 more this morning.
>
> Please send me the "to" addresses from those or a few of those. Ginko
> seems
> to have premunged his before he parsed so I can't get them from there.
> deputies  <at>  spamcop.net   Thanks
>
> Ellen

I just resent to deputies  <at>  spamcop.net  my 5 spams, not premunged.

But I have the idea that the real "To" address is the "Bcc" one, and maybe
the numbers in the "Bcc" field are not the same as the numbers in the "To"
field.

Two of these spams have addresses like "<number>@<my.mail.server>" in the 
"To" field.
With theses addresses, I should have had two "unknown users" in the log
files of my SMTP server.
I didn't see anything like that.

I think that means the spammer didn't use a "regular" SMTP server for
sending its messages.
I think that means also that the spammer has some sort of robot for
answering the confirmation message, because normally my Spamcop
configuration shouldn't allow any message to reach me if sent by a machine.

Gingko.


From redwolfe_98 at nospam.com  Fri Dec 17 19:51:41 2004
From: redwolfe_98 at nospam.com (redwolfe_98)
Date: Fri Dec 17 19:55:02 2004
Subject: [SC-Help] Spam-Reporting Problem
Message-ID: <cpvuuu$2tq$1@news.spamcop.net>

i have noticed that, often, when i forward spam to spamcop, the url for the 
webite that is promoted in the spam is not processed by spamcop, and so i 
cannot report the spam to the network hosting the website.. here is one 
example of such a url that spamcop cannot process...

http://www.thebestmortage.com/x/loan.php?id=fan



From nobody at devnull.spamcop.net  Fri Dec 17 19:22:44 2004
From: nobody at devnull.spamcop.net (WazoO)
Date: Fri Dec 17 20:25:03 2004
Subject: [SC-Help] Re: Spam-Reporting Problem
References: <cpvuuu$2tq$1@news.spamcop.net>
Message-ID: <cq00p4$4f6$1@news.spamcop.net>

"redwolfe_98" <redwolfe_98@nospam.com> wrote in message
news:cpvuuu$2tq$1@news.spamcop.net...
> i have noticed that, often, when i forward spam to spamcop, the url for
the
> webite that is promoted in the spam is not processed by spamcop, and so i
> cannot report the spam to the network hosting the website.. here is one
> example of such a url that spamcop cannot process...
>
> http://www.thebestmortage.com/x/loan.php?id=fan

12/17/04 19:21:04 Slow traceroute www.thebestmortage.com
Trace www.thebestmortage.com (202.102.230.36) ...

Maybe take the time to read the newsgroup you posted in.
Loads of traffic about these fine folks.


From ric.gates at bigsleep.org  Sat Dec 18 03:50:11 2004
From: ric.gates at bigsleep.org (Blammo)
Date: Fri Dec 17 22:55:03 2004
Subject: [SC-Help] Re: ReportingID Spam
References: <j2mqr0dukvih7suadi9d2g8jfmschk0jj2@4ax.com>
	<cpufe4$4b0$1@news.spamcop.net> <cpuld0$8is$1@news.spamcop.net>
	<cpv6jc$jcc$1@news.spamcop.net>
Message-ID: <Xns95C2C9EF6F755blammo@216.154.195.61>

On 17 Dec 2004 Gingko entered spamcop.help and left
news:cpv6jc$jcc$1@news.spamcop.net: 

> Two of these spams have addresses like "<number>@<my.mail.server>" in
> the "To" field.
> With theses addresses, I should have had two "unknown users" in the
> log files of my SMTP server.

Not necessarily, To: is not the same as SMTP RCPT TO:

-- 
| Ric
|
From redwolfe_98 at nospam.com  Sat Dec 18 04:16:13 2004
From: redwolfe_98 at nospam.com (redwolfe_98)
Date: Sat Dec 18 04:20:03 2004
Subject: [SC-Help] Re: Spam-Reporting Problem
References: <cpvuuu$2tq$1@news.spamcop.net> <cq00p4$4f6$1@news.spamcop.net>
Message-ID: <cq0sgv$kkl$1@news.spamcop.net>

here is another url that cannot be processed by spamcop, and so i cannot 
report the spam to the isp hosting the website..

http://www.freerate.net/x/loan.php?id=kt7



From nobody at devnull.spamcop.net  Sat Dec 18 06:22:49 2004
From: nobody at devnull.spamcop.net (WazoO)
Date: Sat Dec 18 07:25:02 2004
Subject: [SC-Help] Re: Spam-Reporting Problem
References: <cpvuuu$2tq$1@news.spamcop.net> <cq00p4$4f6$1@news.spamcop.net>
	<cq0sgv$kkl$1@news.spamcop.net>
Message-ID: <cq17ep$q4r$1@news.spamcop.net>

"redwolfe_98" <redwolfe_98@nospam.com> wrote in message
news:cq0sgv$kkl$1@news.spamcop.net...
> here is another url that cannot be processed by spamcop, and so i cannot
> report the spam to the isp hosting the website..
>
> http://www.freerate.net/x/loan.php?id=kt7

12/18/04 06:22:07 Slow traceroute www.freerate.net
Trace www.freerate.net (202.102.230.36) ...

Look familiar?


From jwinsor at jps.net  Sat Dec 18 06:35:29 2004
From: jwinsor at jps.net (J. Winsor)
Date: Sat Dec 18 09:35:48 2004
Subject: [SC-Help] Reporting blank-appearing messages that are really html
Message-ID: <41C44031.2070609@jps.net>

Sorry if this has been covered here, but I don't know what key words I 
should use to search for this.  I tried sending a message to the 
newsgroup, but could not connect to the server.   :-(

Occasionally I receive spam messages that appear to have no body, 
however, if the message is saved to disk as html, there IS a body, but 
it just displays an invisible image.  (I have heard that this is used to 
detect e-mail and ip addresses)  Here's the latest one:

<html>
<head>
<link rel="important stylesheet" 
href="chrome://messenger/skin/messageBody.css">
</head>
<body>
<table border=0 cellspacing=0 cellpadding=0 width="100%" 
class="header-part1"><tr><td><b>From: 
</b><lydzypuzsl@yahoo.com></td></tr><tr><td><b>Date: </b>Sat, 18 Dec 
2004 04:58:24 -0800 (PST)</td></tr></table><table border=0 cellspacing=0 
cellpadding=0 width="100%" class="header-part3"><tr><td><b>X-UIDL: 
</b>1cFEat6KI3NZFpn0</td></tr><tr><td><b>X-Mozilla-Status: 
</b>0001</td></tr><tr><td><b>X-Mozilla-Status2: 
</b>00000000</td></tr><tr><td><b>Status: 
</b>RO</td></tr><tr><td><b>Return-Path: 
</b><lydzypuzsl@yahoo.com></td></tr><tr><td><b>Received: </b>from 
207.217.120.169 ([219.138.175.28])    by 
ommx-a065c14.pas.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 
1cFEat6KI3NZFpn0    Sat, 18 Dec 2004 04:58:24 -0800 
(PST)</td></tr><tr><td><b>Received: </b>from 
averred</td></tr><tr><td><b>Message-ID: 
</b><200412180458.1cFEat6KI3NZFpn0@ommx-a065c14.pas.sa.earthlink.net></td></tr><tr><td><b>X-ELNK-AV: 
</b>0</td></tr></table><br>
</body>
</html>

If I report it, I get a reply saying that there was no body so nothing 
could be done.  If I paste the html in when forwarding, the parser seems 
to think that there are two submissions, one with no header and one with 
no body.  See these:

http://www.spamcop.net/sc?id=z703920673z5903c2ae5641d96ef78ed4a1e8f68be2z
http://www.spamcop.net/sc?id=z703920674zfc8e19636281e46bdacb48471c508612z

How can these things be reported?
Jayell

From TMHRVMFWREVN at spammotel.com  Sat Dec 18 16:28:41 2004
From: TMHRVMFWREVN at spammotel.com (Rob)
Date: Sat Dec 18 11:50:19 2004
Subject: [SC-Help] 
	Re: Reporting blank-appearing messages that are really html
References: <mailman.35.1103380550.4572.spamcop-help@news.spamcop.net>
Message-ID: <cq1n1l$31j$1@news.spamcop.net>


"J. Winsor" <jwinsor@jps.net> wrote in message
news:mailman.35.1103380550.4572.spamcop-help@news.spamcop.net...
> Sorry if this has been covered here, but I don't know what key words I
> should use to search for this.  I tried sending a message to the
> newsgroup, but could not connect to the server.   :-(
>
> Occasionally I receive spam messages that appear to have no body,
> however, if the message is saved to disk as html, there IS a body, but
> it just displays an invisible image.  (I have heard that this is used to
> detect e-mail and ip addresses)  Here's the latest one:
>
> <html>
> <head>
> <link rel="important stylesheet"
> href="chrome://messenger/skin/messageBody.css">
> </head>
> <body>
> <table border=0 cellspacing=0 cellpadding=0 width="100%"
> class="header-part1"><tr><td><b>From:
> </b><lydzypuzsl@yahoo.com></td></tr><tr><td><b>Date: </b>Sat, 18 Dec
> 2004 04:58:24 -0800 (PST)</td></tr></table><table border=0 cellspacing=0
> cellpadding=0 width="100%" class="header-part3"><tr><td><b>X-UIDL:
> </b>1cFEat6KI3NZFpn0</td></tr><tr><td><b>X-Mozilla-Status:
> </b>0001</td></tr><tr><td><b>X-Mozilla-Status2:
> </b>00000000</td></tr><tr><td><b>Status:
> </b>RO</td></tr><tr><td><b>Return-Path:
> </b><lydzypuzsl@yahoo.com></td></tr><tr><td><b>Received: </b>from
> 207.217.120.169 ([219.138.175.28])    by
> ommx-a065c14.pas.sa.earthlink.net (EarthLink SMTP Server) with SMTP id
> 1cFEat6KI3NZFpn0    Sat, 18 Dec 2004 04:58:24 -0800
> (PST)</td></tr><tr><td><b>Received: </b>from
> averred</td></tr><tr><td><b>Message-ID:
>
</b><200412180458.1cFEat6KI3NZFpn0@ommx-a065c14.pas.sa.earthlink.net></td></
tr><tr><td><b>X-ELNK-AV:
> </b>0</td></tr></table><br>
> </body>
> </html>
>
> If I report it, I get a reply saying that there was no body so nothing
> could be done.  If I paste the html in when forwarding, the parser seems
> to think that there are two submissions, one with no header and one with
> no body.  See these:
>
> http://www.spamcop.net/sc?id=z703920673z5903c2ae5641d96ef78ed4a1e8f68be2z
> http://www.spamcop.net/sc?id=z703920674zfc8e19636281e46bdacb48471c508612z
>
> How can these things be reported?
> Jayell
>

There have been a lot of these mails with no body getting through, but, this
is the first time I have heard of them containing an invisible image, I
wonder if they are the same.  Using MailWasher I can preview them in plain
text and that should reveal any invisible images or text as above, but,
doesn't so you may be getting something different.  No matter, you should be
able to report them the same way as other no body messages.  Under the
Header leave one line and add <no body in spam mail> with the <> brackets.
Once processed you will get a partial error message from SpamCop to do with
body and you will only see the source address to report.  MailWasher using
the SpamCop DNS block list sees these mails as spam.

Rob


From TMHRVMFWREVN at spammotel.com  Sat Dec 18 16:49:11 2004
From: TMHRVMFWREVN at spammotel.com (Rob)
Date: Sat Dec 18 11:50:43 2004
Subject: [SC-Help] Re: "No body provided.  Check format of submission"
References: <cov5fi$6ke$1@news.spamcop.net> <41B528CE.BDFDA64C@spamcop.net>
Message-ID: <cq1n1m$31j$2@news.spamcop.net>


"Fred the Red Shirt" <fredfighter@spamcop.net> wrote in message
news:41B528CE.BDFDA64C@spamcop.net...
>
>
> Jim Carroll wrote:
>
> > Many of the spam messages that flood my inbox have no "body" per se,
just an
> > attachment.
> >
>
> Many of mine have no body and no attachment.  They look like maybe dumb
> attempts to check the validity of harvested address lists.
>
> Regardless, I type the word "BLANK." in the body and submit it.
>
> I do not consider that to be a material alteration of the spam.
>
> --
>
> FF
>
>

Yes, I've been getting some of these for a little while now perhaps a little
block once a week.  I've seen a thread about this quite a few months back in
fact and it was thought that it was a spammer with a poorly configured
client/server/relay.  Normally the From and Return line are forged so also
without a body I cannot see how these mails can be used to confirm and
address.  I leave a line under header and type <no body in spam mail> and it
parses, but, only source can be reported.  Using MailWasher which uses the
SpamCop DNS block list I notice most of them are seen as spam.

Rob


From newandrew at rump.dk  Sat Dec 18 20:51:34 2004
From: newandrew at rump.dk (Andrew Engels Rump (formerly Leif Andrew Rump))
Date: Sat Dec 18 15:55:22 2004
Subject: [SC-Help] Re: ReportingID Spam
References: <j2mqr0dukvih7suadi9d2g8jfmschk0jj2@4ax.com>
	<cpufe4$4b0$1@news.spamcop.net> <cpuld0$8is$1@news.spamcop.net>
	<cpv6jc$jcc$1@news.spamcop.net> <Xns95C2C9EF6F755blammo@216.154.195.61>
Message-ID: <Xns95C3DE5DC6981newandrewrumpdk@216.154.195.61>

After drinking 3 Pan Galactic Gargle Blasters, Blammo 
<ric.gates@bigsleep.org> mumbled in news:Xns95C2C9EF6F755blammo@
216.154.195.61:
> On 17 Dec 2004 Gingko entered spamcop.help and left
> news:cpv6jc$jcc$1@news.spamcop.net: 
>> Two of these spams have addresses like "<number>@<my.mail.server>"
>> in the "To" field.
>> With theses addresses, I should have had two "unknown users" in
>> the log files of my SMTP server. 
> Not necessarily, To: is not the same as SMTP RCPT TO:

No and that include Bcc: (and Cc:). We need to get information
from someone who records the SMTP RCPT TO:. I know spamcop.mail
is "dead", but I have posted this to the group hoping that someone
will take it over to the forum - or that I will do it on monday.

What I am suggesting is that Jeff records the RCPT TO: - just as
my own ISP does in a X-RCPT-TO:. A field just as Return-Path: which
gives the SMTP input from MAIL FROM:.

Andrew
-- 
*** The opinions expressed are not necessarily those of my employer. ***
* Software Engineer Andrew Engels Rump * BLIK og ROERarbejderforbundet *
* Immerkaer 42, 2650 Hvidovre * Tlf: +45 3638 3638, Fax: +45 3638 3639 *
Home: N55?41'38.9" E12?29'08.6" (WGS 84) Work: N55?39'50.9" E12?27'47.4"
E-mail: mailto:newandrew@rump.dk WWW http://www.rump.dk/homepage/andrew/
From redwolfe_98 at nospam.com  Sat Dec 18 22:24:14 2004
From: redwolfe_98 at nospam.com (redwolfe_98)
Date: Sat Dec 18 22:25:02 2004
Subject: [SC-Help] Re: Spam-Reporting Problem
References: <cpvuuu$2tq$1@news.spamcop.net> <cq00p4$4f6$1@news.spamcop.net>
	<cq0sgv$kkl$1@news.spamcop.net> <cq17ep$q4r$1@news.spamcop.net>
Message-ID: <cq2s90$s8u$1@news.spamcop.net>

here's another one.. it looks like the spammers have figured out a way to 
beat spamcop..

http://www.potcheesie.com/27/


wazo, what do you suggest that i do to track down the isp's hosting these 
websites? sometimes, i have some luck using samspade.com, but that site 
seems to be down, most of the time.. what other website can i go to where i 
can enter the url, and it will trace the isp?


From jwinsor at jps.net  Sat Dec 18 19:48:15 2004
From: jwinsor at jps.net (J. Winsor)
Date: Sat Dec 18 22:48:29 2004
Subject: [SC-Help]  Re: Reporting blank-appearing messages that are really
	html
In-Reply-To: <cq1n1l$31j$1@news.spamcop.net>
Message-ID: <D03D43CC-5170-11D9-9CF8-000393A99BEA@jps.net>


On Saturday, December 18, 2004, at 08:28  AM, Rob wrote:

>> Occasionally I receive spam messages that appear to have no body,
>> however, if the message is saved to disk as html, there IS a body, but
>> it just displays an invisible image.  (I have heard that this is used  
>> to
>> detect e-mail and ip addresses)  Here's the latest one:
>>
>> <html>
>> <head>
>> <link rel="important stylesheet"
>> href="chrome://messenger/skin/messageBody.css">
>> </head>
>> <body>
>> <table border=0 cellspacing=0 cellpadding=0 width="100%"
>> class="header-part1"><tr><td><b>From:
>> </b><lydzypuzsl@yahoo.com></td></tr><tr><td><b>Date: </b>Sat, 18 Dec
>> 2004 04:58:24 -0800 (PST)</td></tr></table><table border=0  
>> cellspacing=0
>> cellpadding=0 width="100%" class="header-part3"><tr><td><b>X-UIDL:
>> </b>1cFEat6KI3NZFpn0</td></tr><tr><td><b>X-Mozilla-Status:
>> </b>0001</td></tr><tr><td><b>X-Mozilla-Status2:
>> </b>00000000</td></tr><tr><td><b>Status:
>> </b>RO</td></tr><tr><td><b>Return-Path:
>> </b><lydzypuzsl@yahoo.com></td></tr><tr><td><b>Received: </b>from
>> 207.217.120.169 ([219.138.175.28])    by
>> ommx-a065c14.pas.sa.earthlink.net (EarthLink SMTP Server) with SMTP id
>> 1cFEat6KI3NZFpn0    Sat, 18 Dec 2004 04:58:24 -0800
>> (PST)</td></tr><tr><td><b>Received: </b>from
>> averred</td></tr><tr><td><b>Message-ID:
>> </b><200412180458.1cFEat6KI3NZFpn0@ommx- 
>> a065c14.pas.sa.earthlink.net></td></
>> tr><tr><td><b>X-ELNK-AV:
>> </b>0</td></tr></table><br>
>> </body>
>> </html>
>>
>> If I report it, I get a reply saying that there was no body so nothing
>> could be done.  If I paste the html in when forwarding, the parser  
>> seems
>> to think that there are two submissions, one with no header and one  
>> with
>> no body.  See these:
>
> There have been a lot of these mails with no body getting through,  
> but, this
> is the first time I have heard of them containing an invisible image, I
> wonder if they are the same.

All of the "bodyless" spam messages that I've received in the past  
several months are the same.

> Using MailWasher I can preview them in plain
> text and that should reveal any invisible images or text as above, but,
> doesn't so you may be getting something different.

Being a Mac user, MailWasher is useless to me.  The html text can  
easily be seen though (in any OS) by saving the mail message in html  
format and opening the saved file in any text editor.

> No matter, you should be
> able to report them the same way as other no body messages.

I've never been able to successfully report a no-body message.

> Under the
> Header leave one line and add <no body in spam mail> with the <>  
> brackets.
> Once processed you will get a partial error message from SpamCop to do  
> with
> body and you will only see the source address to report.

This sounds as if you are attaching the spam message inline rather than  
as an attachment as SpamCop recommends that we do.  However, I did also  
try sending the above inline and pasting in the html text beneath the  
header, but that, too, resulted in the parser perceiving it as two  
submissions, one without a body and the other without a header.

I think it's important to be able to include the info in the html  
SOMEHOW, since it contains direct links back to the spammer, but so far  
I haven't been able to figure out how to do it.
Jayell

From jwinsor at jps.net  Sat Dec 18 19:54:28 2004
From: jwinsor at jps.net (J. Winsor)
Date: Sat Dec 18 22:54:42 2004
Subject: [SC-Help] Re: "No body provided.  Check format of submission"
In-Reply-To: <cq1n1m$31j$2@news.spamcop.net>
Message-ID: <AE64B6B1-5171-11D9-9CF8-000393A99BEA@jps.net>


On Saturday, December 18, 2004, at 08:49  AM, Rob wrote:

>> Many of mine have no body and no attachment.  They look like maybe 
>> dumb
>> attempts to check the validity of harvested address lists.
>>
>> Regardless, I type the word "BLANK." in the body and submit it.
>>
>> I do not consider that to be a material alteration of the spam.
>> [snip]

> Yes, I've been getting some of these for a little while now perhaps a 
> little
> block once a week.  I've seen a thread about this quite a few months 
> back in
> fact and it was thought that it was a spammer with a poorly configured
> client/server/relay.

There's nothing wrong with how many of these are formatted; they are 
sneaky ways for spammers to determine what addresses are active and 
actually opened their spam.  Here are a couple of descriptions of this 
practice that I clipped from some spam-related web sites.  
(Unfortunately I didn't keep the URLS.)

"A message like this will usualy contain an html portion with an image 
in it that is a single pixel in size, that is white-on-white.  It 
doesn't show up when you look at it, but it sends a request to the 
sender's specified website to get the pixel, thus showing them which 
email accounts are active."

"Web bugs
Spam isn?t the only kind of email problem to worry about. Even in 
otherwise legitimate email, it is possibly to use a web bug to collect 
information about you. Every image in an HTML-formatted email has to be 
downloaded from a server somewhere, and that server can log your email 
address and your IP address. If the image is a web bug ? a 1 X 1 pixel 
white or transparent image ? in an innocent looking message, you?ll 
never notice that you?re being spied on.

Web bugs aren?t confined to email, either. They can be placed in word 
processor documents, for instance, with similar results."

Jayell
From MikeE at ster.invalid  Sat Dec 18 20:37:44 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Sat Dec 18 23:40:02 2004
Subject: [SC-Help] Re: Spam-Reporting Problem
References: <cpvuuu$2tq$1@news.spamcop.net> <cq00p4$4f6$1@news.spamcop.net>
	<cq0sgv$kkl$1@news.spamcop.net> <cq17ep$q4r$1@news.spamcop.net>
	<cq2s90$s8u$1@news.spamcop.net>
Message-ID: <cq30i5$unm$1@news.spamcop.net>

redwolfe_98 wrote:
> here's another one.. it looks like the spammers have figured out a
> way to beat spamcop..
>
> http://www.potcheesie.com/27/

That's another  202.102.230.36

> wazo, what do you suggest that i do to track down the isp's hosting
> these websites? sometimes, i have some luck using samspade.com, but
> that site seems to be down, most of the time.. what other website can
> i go to where i can enter the url, and it will trace the isp?

SamSpade's console for Win is extremely useful http://samspade.org/ssw/
Sam Spade for Windows - once you learn how to use it, that is the
quickest for a simple tast like the DNS.

dnsstuff can resolve things - for resolving www.potcheesie.com you would
use the DNS tool for the A record on the top of the R column of tools.
That is a more 'sophisticated' resolve than SS for win gives.

I went to spamlinks http://spamlinks.openrbl.org/tools-trace.htm  and
found some more.  Here's one http://www.spamhelp.org/tools.php


-- 
Mike Easter
kibitzer, not SC admin

From jeffg at spamcop.net  Sun Dec 19 01:24:14 2004
From: jeffg at spamcop.net (Jeff G.)
Date: Sun Dec 19 02:00:06 2004
Subject: [SC-Help] Re: ReportingID Spam
References: <j2mqr0dukvih7suadi9d2g8jfmschk0jj2@4ax.com>
	<cpufe4$4b0$1@news.spamcop.net> <cpuld0$8is$1@news.spamcop.net>
	<cpv6jc$jcc$1@news.spamcop.net> <Xns95C2C9EF6F755blammo@216.154.195.61>
	<Xns95C3DE5DC6981newandrewrumpdk@216.154.195.61>
Message-ID: <cq38k6$3fi$1@news.spamcop.net>

Andrew Engels Rump (formerly Leif Andrew Rump) <newandrew@rump.dk>
organized electrons in article
news:Xns95C3DE5DC6981newandrewrumpdk@216.154.195.61 that appeared as
follows:
> After drinking 3 Pan Galactic Gargle Blasters, Blammo
> <ric.gates@bigsleep.org> mumbled in news:Xns95C2C9EF6F755blammo@
> 216.154.195.61:
>> On 17 Dec 2004 Gingko entered spamcop.help and left
>> news:cpv6jc$jcc$1@news.spamcop.net:
>>> Two of these spams have addresses like "<number>@<my.mail.server>"
>>> in the "To" field.
>>> With theses addresses, I should have had two "unknown users" in
>>> the log files of my SMTP server.
>> Not necessarily, To: is not the same as SMTP RCPT TO:
>
> No and that include Bcc: (and Cc:). We need to get information
> from someone who records the SMTP RCPT TO:. I know spamcop.mail
> is "dead", but I have posted this to the group hoping that someone
> will take it over to the forum - or that I will do it on monday.
>
> What I am suggesting is that Jeff records the RCPT TO: - just as
> my own ISP does in a X-RCPT-TO:. A field just as Return-Path: which
> gives the SMTP input from MAIL FROM:.
>
> Andrew

Have you seen the "Delivered-To" Header Line?  I've asked for a "for"
clause on the Received Header Lines, there hasn't been enough support
for that idea.

-- 
Thanks and Best Regards,  Jeff G.
I have been a SpamCop User/Member/Customer since 1999 and am a
Moderator of the new web-based forums (now the primary method for
getting help, http://forum.spamcop.net).  Please reply via Forum, Group,
or List only.

From TMHRVMFWREVN at spammotel.com  Sun Dec 19 06:47:27 2004
From: TMHRVMFWREVN at spammotel.com (Rob)
Date: Sun Dec 19 02:00:13 2004
Subject: [SC-Help] Re: "No body provided.  Check format of submission"
References: <mailman.37.1103428483.4572.spamcop-help@news.spamcop.net>
Message-ID: <cq38l1$3fl$1@news.spamcop.net>


"J. Winsor" <jwinsor@jps.net> wrote in message
news:mailman.37.1103428483.4572.spamcop-help@news.spamcop.net...

On Saturday, December 18, 2004, at 08:49  AM, Rob wrote:

>> Many of mine have no body and no attachment.  They look like maybe
>> dumb
>> attempts to check the validity of harvested address lists.
>>
>> Regardless, I type the word "BLANK." in the body and submit it.
>>
>> I do not consider that to be a material alteration of the spam.
>> [snip]

> Yes, I've been getting some of these for a little while now perhaps a
> little
> block once a week.  I've seen a thread about this quite a few months
> back in
> fact and it was thought that it was a spammer with a poorly configured
> client/server/relay.

There's nothing wrong with how many of these are formatted; they are
sneaky ways for spammers to determine what addresses are active and
actually opened their spam.  Here are a couple of descriptions of this
practice that I clipped from some spam-related web sites.
(Unfortunately I didn't keep the URLS.)

"A message like this will usualy contain an html portion with an image
in it that is a single pixel in size, that is white-on-white.  It
doesn't show up when you look at it, but it sends a request to the
sender's specified website to get the pixel, thus showing them which
email accounts are active."

"Web bugs
Spam isn’t the only kind of email problem to worry about. Even in
otherwise legitimate email, it is possibly to use a web bug to collect
information about you. Every image in an HTML-formatted email has to be
downloaded from a server somewhere, and that server can log your email
address and your IP address. If the image is a web bug – a 1 X 1 pixel
white or transparent image – in an innocent looking message, you’ll
never notice that you’re being spied on.

Web bugs aren’t confined to email, either. They can be placed in word
processor documents, for instance, with similar results."

Jayell

I've heard about this, but, surely if an image has been placed in an HTML
mail even 1 pixel white on white then the mail will indicate what the
content type is after the header when viewed as source.  Also there should
be code for calling the 1 pixel white on white image that should be visible
when source is chosen.  You may not see anything when the mail is viewed as
HTML, but, you should see something when you view the source and there is
nothing at all below the header and often the header isn't even complete


From TMHRVMFWREVN at spammotel.com  Sun Dec 19 06:52:40 2004
From: TMHRVMFWREVN at spammotel.com (Rob)
Date: Sun Dec 19 02:00:18 2004
Subject: [SC-Help]  Re: Reporting blank-appearing messages that are
	reallyhtml
References: <mailman.36.1103428111.4572.spamcop-help@news.spamcop.net>
Message-ID: <cq38l2$3fl$2@news.spamcop.net>


"J. Winsor" <jwinsor@jps.net> wrote in message
news:mailman.36.1103428111.4572.spamcop-help@news.spamcop.net...
>
> On Saturday, December 18, 2004, at 08:28  AM, Rob wrote:
>
> >> Occasionally I receive spam messages that appear to have no body,
> >> however, if the message is saved to disk as html, there IS a body, but
> >> it just displays an invisible image.  (I have heard that this is used
> >> to
> >> detect e-mail and ip addresses)  Here's the latest one:
> >>
> >> <html>
> >> <head>
> >> <link rel="important stylesheet"
> >> href="chrome://messenger/skin/messageBody.css">
> >> </head>
> >> <body>
> >> <table border=0 cellspacing=0 cellpadding=0 width="100%"
> >> class="header-part1"><tr><td><b>From:
> >> </b><lydzypuzsl@yahoo.com></td></tr><tr><td><b>Date: </b>Sat, 18 Dec
> >> 2004 04:58:24 -0800 (PST)</td></tr></table><table border=0
> >> cellspacing=0
> >> cellpadding=0 width="100%" class="header-part3"><tr><td><b>X-UIDL:
> >> </b>1cFEat6KI3NZFpn0</td></tr><tr><td><b>X-Mozilla-Status:
> >> </b>0001</td></tr><tr><td><b>X-Mozilla-Status2:
> >> </b>00000000</td></tr><tr><td><b>Status:
> >> </b>RO</td></tr><tr><td><b>Return-Path:
> >> </b><lydzypuzsl@yahoo.com></td></tr><tr><td><b>Received: </b>from
> >> 207.217.120.169 ([219.138.175.28])    by
> >> ommx-a065c14.pas.sa.earthlink.net (EarthLink SMTP Server) with SMTP id
> >> 1cFEat6KI3NZFpn0    Sat, 18 Dec 2004 04:58:24 -0800
> >> (PST)</td></tr><tr><td><b>Received: </b>from
> >> averred</td></tr><tr><td><b>Message-ID:
> >> </b><200412180458.1cFEat6KI3NZFpn0@ommx-
> >> a065c14.pas.sa.earthlink.net></td></
> >> tr><tr><td><b>X-ELNK-AV:
> >> </b>0</td></tr></table><br>
> >> </body>
> >> </html>
> >>
> >> If I report it, I get a reply saying that there was no body so nothing
> >> could be done.  If I paste the html in when forwarding, the parser
> >> seems
> >> to think that there are two submissions, one with no header and one
> >> with
> >> no body.  See these:
> >
> > There have been a lot of these mails with no body getting through,
> > but, this
> > is the first time I have heard of them containing an invisible image, I
> > wonder if they are the same.
>
> All of the "bodyless" spam messages that I've received in the past
> several months are the same.
>
> > Using MailWasher I can preview them in plain
> > text and that should reveal any invisible images or text as above, but,
> > doesn't so you may be getting something different.
>
> Being a Mac user, MailWasher is useless to me.  The html text can
> easily be seen though (in any OS) by saving the mail message in html
> format and opening the saved file in any text editor.
>
> > No matter, you should be
> > able to report them the same way as other no body messages.
>
> I've never been able to successfully report a no-body message.
>
> > Under the
> > Header leave one line and add <no body in spam mail> with the <>
> > brackets.
> > Once processed you will get a partial error message from SpamCop to do
> > with
> > body and you will only see the source address to report.
>
> This sounds as if you are attaching the spam message inline rather than
> as an attachment as SpamCop recommends that we do.  However, I did also
> try sending the above inline and pasting in the html text beneath the
> header, but that, too, resulted in the parser perceiving it as two
> submissions, one without a body and the other without a header.
>
> I think it's important to be able to include the info in the html
> SOMEHOW, since it contains direct links back to the spammer, but so far
> I haven't been able to figure out how to do it.
> Jayell
>

I think we must be talking about two different types of blank messages.  The
ones you a referring to have a body that appears blank, but, are not, the
ones I am referring to have no body at all.


From jwinsor at jps.net  Sat Dec 18 23:18:31 2004
From: jwinsor at jps.net (J. Winsor)
Date: Sun Dec 19 02:18:48 2004
Subject: [SC-Help] Re: "No body provided.  Check format of submission"
In-Reply-To: <cq38l1$3fl$1@news.spamcop.net>
Message-ID: <302FD5CE-518E-11D9-9CF8-000393A99BEA@jps.net>


On Saturday, December 18, 2004, at 10:47  PM, Rob wrote:

>> Web bugs aren?t confined to email, either. They can be placed in word
>> processor documents, for instance, with similar results."
>>
>> Jayell
>
> I've heard about this, but, surely if an image has been placed in an 
> HTML
> mail even 1 pixel white on white then the mail will indicate what the
> content type is after the header when viewed as source.  Also there 
> should
> be code for calling the 1 pixel white on white image that should be 
> visible
> when source is chosen.  You may not see anything when the mail is 
> viewed as
> HTML, but, you should see something when you view the source and there 
> is
> nothing at all below the header and often the header isn't even 
> complete

The people who make these things seem to be super sneaky.  My sample 
message when the source is viewed shows the header info, but not the 
html in the body.  Even more oddly, the header when viewed in Apple 
Mail reads:

 From lydzypuzsl@yahoo.com Sat Dec 18 05:01:06 2004
Status:  U
Return-Path: <lydzypuzsl@yahoo.com>
Received: from 207.217.120.169 ([219.138.175.28])
	by ommx-a065c14.pas.sa.earthlink.net (EarthLink SMTP Server) with SMTP 
id 1cFEat6KI3NZFpn0
	Sat, 18 Dec 2004 04:58:24 -0800 (PST)
Received: from averred
From: <lydzypuzsl@yahoo.com>
Message-Id: 
<200412180458.1cFEat6KI3NZFpn0@ommx-a065c14.pas.sa.earthlink.net>
Date: Sat, 18 Dec 2004 04:58:24 -0800 (PST)
X-ELNK-AV: 0

... but when viewed in Mozilla mail reads:

 From - Sat Dec 18 05:02:39 2004
X-UIDL: 1cFEat6KI3NZFpn0
X-Mozilla-Status: 1001
X-Mozilla-Status2: 00000000
Status: RO
Return-Path: <lydzypuzsl@yahoo.com>
Received: from 207.217.120.169 ([219.138.175.28])
	by ommx-a065c14.pas.sa.earthlink.net (EarthLink SMTP Server) with SMTP 
id 1cFEat6KI3NZFpn0
	Sat, 18 Dec 2004 04:58:24 -0800 (PST)
Received: from averred
From: <lydzypuzsl@yahoo.com>
Message-Id: 
<200412180458.1cFEat6KI3NZFpn0@ommx-a065c14.pas.sa.earthlink.net>
Date: Sat, 18 Dec 2004 04:58:24 -0800 (PST)
X-ELNK-AV: 0

The lines above the "Return path" are different!  (I do think that 
Apple Mail [for Jaguar] does have some quirky behavior, as it sometimes 
displays html code in the message body instead of executing it when 
Mozilla does not.)

The problem remains, though, how to let SpamCop see the html code in 
the body of the invisible message.
Jayell
From jwinsor at jps.net  Sat Dec 18 23:21:46 2004
From: jwinsor at jps.net (J. Winsor)
Date: Sun Dec 19 02:22:04 2004
Subject: [SC-Help]  Re: Reporting blank-appearing messages that are
	reallyhtml
In-Reply-To: <cq38l2$3fl$2@news.spamcop.net>
Message-ID: <A415D3B2-518E-11D9-9CF8-000393A99BEA@jps.net>


On Saturday, December 18, 2004, at 10:52  PM, Rob wrote:

>> This sounds as if you are attaching the spam message inline rather 
>> than
>> as an attachment as SpamCop recommends that we do.  However, I did 
>> also
>> try sending the above inline and pasting in the html text beneath the
>> header, but that, too, resulted in the parser perceiving it as two
>> submissions, one without a body and the other without a header.
>>
>> I think it's important to be able to include the info in the html
>> SOMEHOW, since it contains direct links back to the spammer, but so 
>> far
>> I haven't been able to figure out how to do it.
>> Jayell
>>
>
> I think we must be talking about two different types of blank 
> messages.  The
> ones you a referring to have a body that appears blank, but, are not, 
> the
> ones I am referring to have no body at all.

Maybe not.  Have you tried saving the mail message to disk as an html 
file?  That's the only way that I've ever been able to detect something 
in the body of a "blank" message.

(Are you indeed forwarding spam messages inline rather than as 
attachments?)
Jayell

From redwolfe_98 at nospam.com  Sun Dec 19 02:26:16 2004
From: redwolfe_98 at nospam.com (redwolfe_98)
Date: Sun Dec 19 02:30:03 2004
Subject: [SC-Help] Re: Spam-Reporting Problem
References: <cpvuuu$2tq$1@news.spamcop.net> <cq00p4$4f6$1@news.spamcop.net>
	<cq0sgv$kkl$1@news.spamcop.net> <cq17ep$q4r$1@news.spamcop.net>
	<cq2s90$s8u$1@news.spamcop.net> <cq30i5$unm$1@news.spamcop.net>
Message-ID: <cq3aeq$4tu$1@news.spamcop.net>

thanks, mike.. :)  i will keep plugging along.. 


From ric.gates at bigsleep.org  Sun Dec 19 07:34:50 2004
From: ric.gates at bigsleep.org (Blammo)
Date: Sun Dec 19 02:35:03 2004
Subject: [SC-Help] Re: ReportingID Spam
References: <j2mqr0dukvih7suadi9d2g8jfmschk0jj2@4ax.com>
	<cpufe4$4b0$1@news.spamcop.net> <cpuld0$8is$1@news.spamcop.net>
	<cpv6jc$jcc$1@news.spamcop.net> <Xns95C2C9EF6F755blammo@216.154.195.61>
	<Xns95C3DE5DC6981newandrewrumpdk@216.154.195.61>
	<cq38k6$3fi$1@news.spamcop.net>
Message-ID: <Xns95C3F0066DCAEblammo@216.154.195.61>

On 18 Dec 2004 Jeff G. entered spamcop.help and left 
news:cq38k6$3fi$1@news.spamcop.net:

> I've asked for a "for"
> clause on the Received Header Lines, there hasn't been enough support
> for that idea.
> 

Depending on the server / configuration, it may not work for multiple 
recipients. The value for "for" is probably the same value used for 
whatever x-Envelope-To header you might add.
Still, spammers often forge the To header, so it's not like we can really 
depend on that for anything.

-- 
| Ric
|
From TMHRVMFWREVN at spammotel.com  Sun Dec 19 15:56:21 2004
From: TMHRVMFWREVN at spammotel.com (Rob)
Date: Sun Dec 19 11:00:03 2004
Subject: [SC-Help]  Re: Reporting blank-appearing messages that
	arereallyhtml
References: <mailman.39.1103440924.4572.spamcop-help@news.spamcop.net>
Message-ID: <cq48hr$ld0$1@news.spamcop.net>


"J. Winsor" <jwinsor@jps.net> wrote in message
news:mailman.39.1103440924.4572.spamcop-help@news.spamcop.net...
>
> On Saturday, December 18, 2004, at 10:52  PM, Rob wrote:
>
> >> This sounds as if you are attaching the spam message inline rather
> >> than
> >> as an attachment as SpamCop recommends that we do.  However, I did
> >> also
> >> try sending the above inline and pasting in the html text beneath the
> >> header, but that, too, resulted in the parser perceiving it as two
> >> submissions, one without a body and the other without a header.
> >>
> >> I think it's important to be able to include the info in the html
> >> SOMEHOW, since it contains direct links back to the spammer, but so
> >> far
> >> I haven't been able to figure out how to do it.
> >> Jayell
> >>
> >
> > I think we must be talking about two different types of blank
> > messages.  The
> > ones you a referring to have a body that appears blank, but, are not,
> > the
> > ones I am referring to have no body at all.
>
> Maybe not.  Have you tried saving the mail message to disk as an html
> file?  That's the only way that I've ever been able to detect something
> in the body of a "blank" message.
>
> (Are you indeed forwarding spam messages inline rather than as
> attachments?)
> Jayell
>

I haven't actually downloaded spam for a long time as I forward most spam as
an attachment via MailWasher, but, next time I get a spam with no body I
will try what you suggest.  The only spam I submit inline are the ones with
no body as suggested several months ago because it seems to be the only way
of parsing and reporting the source of them.


From nospam at temporaryrelay002.ath.cx  Mon Dec 20 01:03:18 2004
From: nospam at temporaryrelay002.ath.cx (Gingko)
Date: Sun Dec 19 19:05:02 2004
Subject: [SC-Help] Re: ReportingID Spam
References: <j2mqr0dukvih7suadi9d2g8jfmschk0jj2@4ax.com>
Message-ID: <cq54s9$667$1@news.spamcop.net>

http://www.spamcop.net/sc?id=z704364598za59d1218d159f83cf32ba1ac2637026ez
http://www.spamcop.net/sc?id=z704364765zd1e2c61c189ff9be156aeaf14e68fab7z

(not premunged that time, I hope it will help better)

... but no other comment ...

Gingko


From greggo314 at earthlink.net  Sun Dec 19 22:47:15 2004
From: greggo314 at earthlink.net (Gregg Orenstein)
Date: Mon Dec 20 01:42:38 2004
Subject: [SC-Help] Bill Miller is the devil
Message-ID: <CKEALAGHKPAPBNKEBMMEEENICCAA.greggo314@earthlink.net>

My box is flooded with porn spam, all containing links to domains registered
by the same individual.  Here is the info:

Bill Miller
110 Robin Dr
Ironton  MO 63650
United States
Phone: 1.5735463786
Email: bmiller@usa.net

I'm not kidding...EVERYTHING that's shown up in the past month has been
linked to a different domain registered with exactly the information above.
I'm not saying that this is his real info (I don't know the possibility of
falsifying information when registering a domain), but WHOEVER it is has
been responsible for registering an untold number of crap domains.  I'd like
to know if there is any possible way to shut this person down.  If one
person is responsible, and can be pinpointed, are there any legal steps
available to insure that they never register another domain name again?


---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.817 / Virus Database: 555 - Release Date: 12/15/2004

From nobody at spamcop.net  Mon Dec 20 06:16:12 2004
From: nobody at spamcop.net (SJones)
Date: Mon Dec 20 06:20:20 2004
Subject: [SC-Help] Re: Bill Miller is the devil
In-Reply-To: <mailman.40.1103524959.4572.spamcop-help@news.spamcop.net>
References: <mailman.40.1103524959.4572.spamcop-help@news.spamcop.net>
Message-ID: <cq6c9g$r78$1@news.spamcop.net>

On or about 12/20/2004 01:47, Gregg Orenstein penned the following:
> My box is flooded with porn spam, all containing links to domains registered
> by the same individual.  Here is the info:
> 
> Bill Miller
> 110 Robin Dr
> Ironton  MO 63650
> United States
> Phone: 1.5735463786
> Email: bmiller@usa.net
> 
> I'm not kidding...EVERYTHING that's shown up in the past month has been
> linked to a different domain registered with exactly the information above.
> I'm not saying that this is his real info (I don't know the possibility of
> falsifying information when registering a domain), but WHOEVER it is has
> been responsible for registering an untold number of crap domains.  I'd like
> to know if there is any possible way to shut this person down.  If one
> person is responsible, and can be pinpointed, are there any legal steps
> available to insure that they never register another domain name again?
> 
> 
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.817 / Virus Database: 555 - Release Date: 12/15/2004
> 

[Contacting mxpool01.netaddress.usa.net [165.212.8.32]...]
[Connected]
220 cmsmail05.cms.usa.net ESMTP USA.NET-SMTA vC8.MAIN.3.21S; Mon, 20 Dec
2004 11:15:03 GMT
HELO hexillion.com
250 cmsmail05.cms.usa.net Hello hexillion.com [216.46.246.233], pleased
to meet you
MAIL FROM:<HexValidEmail@hexillion.com>
250 Sender OK
RCPT TO:<bmiller@usa.net>
550 <bmiller@usa.net>... User account cancelled by USA.NET
QUIT
221 Goodbye
[Connection closed]

-- 
All spam & UCE are reported.
From nobody at spamcop.net  Mon Dec 20 10:54:44 2004
From: nobody at spamcop.net (Pop)
Date: Mon Dec 20 10:55:03 2004
Subject: [SC-Help] Re: Bill Miller is the devil
References: <mailman.40.1103524959.4572.spamcop-help@news.spamcop.net>
Message-ID: <cq6sk4$4f1$1@news.spamcop.net>

Gregg Orenstein wrote:
>> My box is flooded with porn spam, all containing links to 
>> domains
>> registered by the same individual.  Here is the info:
>>
>> Bill Miller
>> 110 Robin Dr
>> Ironton  MO 63650
>> United States
>> Phone: 1.5735463786
>> Email: bmiller@usa.net
>>
>> I'm not kidding...EVERYTHING that's shown up in the past month 
>> has
>> been linked to a different domain registered with exactly the
>> information above. I'm not saying that this is his real info 
>> (I

That could be as simple as a joe-job.  Spammers are stupid, but 
only when something isn't holding its hand.  Even spammers aren't 
usually THAT stupid.
   Grab a sneakemail address and ask him why he's spamming:  You 
might be surprised at the answer. 


From SpamCopNews.5.myspamgobbler at spamgourmet.com  Mon Dec 20 22:23:36 2004
From: SpamCopNews.5.myspamgobbler at spamgourmet.com (Spam N Scams Reporter)
Date: Tue Dec 21 01:25:03 2004
Subject: [SC-Help] Re: Bill Miller is the devil
In-Reply-To: <mailman.40.1103524959.4572.spamcop-help@news.spamcop.net>
References: <mailman.40.1103524959.4572.spamcop-help@news.spamcop.net>
Message-ID: <cq8fhn$6rc$1@news.spamcop.net>

Gregg Orenstein wrote:
> My box is flooded with porn spam, all containing links to domains registered
> by the same individual.  Here is the info:
> 
> Bill Miller
> 110 Robin Dr
> Ironton  MO 63650
> United States
> Phone: 1.5735463786
> Email: bmiller@usa.net
> 
> I'm not kidding...EVERYTHING that's shown up in the past month has been
> linked to a different domain registered with exactly the information above.
> I'm not saying that this is his real info (I don't know the possibility of
> falsifying information when registering a domain), but WHOEVER it is has
> been responsible for registering an untold number of crap domains.  I'd like
> to know if there is any possible way to shut this person down.  If one
> person is responsible, and can be pinpointed, are there any legal steps
> available to insure that they never register another domain name again?
> 
> 
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.817 / Virus Database: 555 - Release Date: 12/15/2004
> 

My suggestion is to make a phone call. I'll wager that this is not the 
person that registered, but a victim of identity theft. I have seen a 
prolific porn spammer use multiple domains that are all registered to 
the same person with valid information and probably using hir credit 
card as well.

After a while, s/h/it switches to using another victim for registrant. 
I've contacted a couple of them just to verify my assumption.

The boilerplate that this scum uses is very distinct.

I just checked and the address and phone number are correct, or at least 
were at one point.

  Miller, Bill
Robin Dr
Ironton, MO 63650
Phone: (573)546-3789

As someone else pointed out, the email address is not valid.

You could attempt to contact him and if my assumptions is correct, have 
him contact the registrar(s) and have them disable the domains. That 
would be the quickest way to shut them down. Filing a Whois Data Problem 
Report may work also, but it is a lot slower.

I use a calling card that only costs 3? a minute and it's not easily 
traced back to your phone. The FBI was able to do it very quickly when I 
called them back in July, but it shows up as being from somewhere else 
on caller id. AT&T's card is the best that I've found.

Brian
From w7el at eznec.com  Tue Dec 21 06:31:14 2004
From: w7el at eznec.com (Roy Lewallen)
Date: Tue Dec 21 09:35:03 2004
Subject: [SC-Help] Parser missed spamvertized web site and perp email
Message-ID: <cq9c3n$mvo$1@news.spamcop.net>

I just got an email from a spammer advertizing a lotto web site (posted 
on spamcop.spam as "freelotto.com").

The body of the message contained the email addresses of two "claims 
officers" to send responses to, and the name of the spamvertized site, 
freelotto.com.

Using the paste-in reporting system, SpamCop didn't flag any of these. 
(tracking URL 
http://www.spamcop.net/sc?id=z704905068z5455622c60798799c883656834f11874z).

SpamCop seems to have ignored the email addresses altogether, and says 
that as far as freelotto.com goes, "ISP believes this issue is 
resolved". But freelotto.com is up, alive, and well.

Shouldn't SpamCop have flagged the email address ISPs and the 
freelotto.com ISP for reporting?

Roy Lewallen
From MikeE at ster.invalid  Tue Dec 21 07:53:50 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Dec 21 10:55:05 2004
Subject: [SC-Help] Re: Parser missed spamvertized web site and perp email
References: <cq9c3n$mvo$1@news.spamcop.net>
Message-ID: <cq9gtg$q2d$1@news.spamcop.net>

Roy Lewallen wrote:
> I just got an email from a spammer advertizing a lotto web site
> (posted on spamcop.spam as "freelotto.com").

Correct.  It was sourced at a .tw webmailer which is spamcop [and
others] listed, and spamvertised payloads consisting of email addies and
the lotto site.  The lotto site is also multilisted, but not in spamhaus
or spews.

> The body of the message contained the email addresses of two "claims
> officers" to send responses to, and the name of the spamvertized site,
> freelotto.com.
>
> Using the paste-in reporting system, SpamCop didn't flag any of these.
> (tracking URL

spamcop.net/sc?id=z704905068z5455622c60798799c883656834f11874z).

That tracker currently names the .tw webmailer as source, finds the
lotto & webmailer sites, but doesn't notify the lotto site because they
don't want to be notified about it.  It is SC practice to not be
bothering any site providers who don't want to hear about it.  It
'automatically' notifies the webmailer because its site appeared in its
trailer to the mail.

> SpamCop seems to have ignored the email addresses altogether, and says
> that as far as freelotto.com goes, "ISP believes this issue is
> resolved". But freelotto.com is up, alive, and well.

Correct, correct, and correct.  SC style is to not notify email
payloads, since a long time ago, for various reasons.  SC style is to
not notify any spamvertiser provider who doesn't want it.  Here's where
SC tells the providers how to not be notified
http://www.spamcop.net/fom-serve/cache/266.html  SpamCop FAQ : Help for
abuse-desks and administrators : How can I control what type of reports
I receive?

> Shouldn't SpamCop have flagged the email address ISPs and the
> freelotto.com ISP for reporting?

'Flagged' is ambiguous to me.  The parsing process for spamvertised
url/s is to

 - find the url
 - resolve the url to IP
 - identify/find a notifying address for the IP
 - 'unnotify' [not notify] any found and resolved who don't want to be
notified for any reason

If you are a paid spamcop reporter, you can 'appeal' to SC to notify
anyway, unless it has been appealed already.  A paid reporter can also
add notify addresses to the SC report.  If you are a free spamcop
reporter, your options are to create your own manual notifies, with
which you can choose to make your own notifications, including the
provider for the email addies and perhaps better notifies than the ones
SC would choose to make.


-- 
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid  Tue Dec 21 08:39:42 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Dec 21 11:40:04 2004
Subject: [SC-Help] Re: Parser missed spamvertized web site and perp email
References: <cq9c3n$mvo$1@news.spamcop.net> <cq9gtg$q2d$1@news.spamcop.net>
Message-ID: <cq9jjf$rrn$1@news.spamcop.net>

Mike Easter wrote:
> It is SC practice to not be
> bothering any site providers who don't want to hear about it.

One issue about not bothering providers which I'm not clear on is that
the statistics page doesn't describe how URLs which are found in a
reported spam, but which are not reported for any reason, either because
they are unchecked by the reporter, or because the provider has
'stipulations' such as no mungeing which might cause them to be
unchecked, or because the provider has chosen to not be reported, so
there is no report.

If a spamvertised URL isn't reported, does it or does it not 'appear' as
a statistic?

Spam in progress
Lists IP or address and quantity for reported spam within the last 30
minutes.
Spamvertised Web Sites  =>
http://www.spamcop.net/w3m?action=inprogress;type=www
37 issues
36 recipients
Abuse report sent to

Those statistics would imply that only *reported* sites count as a
statistic, not unreported ones.  If that were so, that would mean that a
spamvertiser provider would best be served by telling SC that it doesn't
want to hear about any reports of its site being spamvertised.

This 'presumption' I'm describing would fit with the current condition
of the lotto site.

If we go to surbl to find out if it is listed on the sc-surbl [the
providers scraped from the SC statistics page] we find that the lotto
site is *not* sc-surbl listed, but it /is/ listed in other surbl
listings.

SURBL+ Checker Query Results

freelotto.com is 64.14.48.101 [ rbl lookup ]
domain registered: 23-Oct-1996. [ full whois ]
  URIBL: ws.surbl.org: listed [Blocked, See:
http://www.stearns.org/sa-blacklist/]
  URIBL: uc.sasknow.com: not listed
 *URIBL: sc.surbl.org: not listed
  URIBL: ob.surbl.org: not listed
  URIBL: multi.surbl.org: listed [Blocked, freelotto.com on lists [ws],
See: http://www.surbl.org/lists.html]
  URIBL: ab.surbl.org: not listed

The business about what the ws.surbl.org listing means is described
here:
http://www.surbl.org/lists.html#ws

The ws contains listings from Bill Stearns sa-rulesets lists plus the
bigevil and midevil as described at the link above.  That link also
describes how it gets the sc-surbl listings and how it handles them.


-- 
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid  Tue Dec 21 09:44:54 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Dec 21 12:45:03 2004
Subject: [SC-Help] Re: Parser missed spamvertized web site and perp email
References: <cq9c3n$mvo$1@news.spamcop.net> <cq9gtg$q2d$1@news.spamcop.net>
	<cq9jjf$rrn$1@news.spamcop.net>
Message-ID: <cq9ndn$ua0$1@news.spamcop.net>

Mike Easter wrote:
> If a spamvertised URL isn't reported, does it or does it not 'appear'
> as a statistic?

>From the lotto tracker in question....

Tracking link: http://www.freelotto.com
[report history]
ISP believes this issue is resolved http://www.freelotto.com
Resolves to 64.14.48.154
Routing details for 64.14.48.154
[refresh/show] Cached whois for 64.14.48.154 : abuse@savvis.net
Using abuse net on abuse@savvis.net
abuse net savvis.net = abuse@savvis.net
Using best contacts abuse@savvis.net

ISP has already taken action against the
account:http://www.freelotto.com
http://www.freelotto.com has been appealed previously.


...with the result that there is no report at all re freelotto.

ISTM - It seems to me - that it would be better if the notify for the
providers who have....

 - made a request that they not receive reports of spamvertisements
 - said they they have 'resolved' or 'taken action against' an account
 - or anything else, such as mungeing stipulations which prevent some or
any SC reports

....that notify should be going someplace like a spamcop devnull, just
like it does for bouncing and other forms of 'bad addresses' which
permit the 'non-notify' but reported type of 'non-report' to be
'registered' or counted toward something.

The potential value of the sc-surbl is not to be ignored.  They take
into account the 'problems' with SC reports as described here:
http://www.surbl.org/data.html  sc.surbl.org Data - and also here
http://www.surbl.org/lists.html#sc sc.surbl.org - SpamCop message-body
URI domains

The current state of affairs is that the SC notification of many of the
spamvertisers, such as .cn and .kr and many others is probably a big
waste of time, and in fact, if anything may aid the spammer in some way.
If the spammer is being hosted by a 'bulletproof' provider which he
'owns' - it is probably more valuable to be getting toothless SpamCop
reports for a number of useful purposes than it is 'harmful' to the
spamvertiser to be SC notified about.

Thus, practically the only thing of any value [regarding spamvertisers]
in the SC report is whatever benefit is derived from the spamvertiser
being scraped from the statistics page, or whatever/however else might
be done to facilitate the sc-surbl in the future^1.

So, for a provider/spamvertiser to be able to 'duck' the statistics page
by going unnotified [and no devnull] would seem to help the
spamvertiser.

^1 "We are now working with SpamCop to get the spam URI data directly
from them and compose SURBL from it." [from the data link at surbl
above]




-- 
Mike Easter
kibitzer, not SC admin

From greggo314 at earthlink.net  Tue Dec 21 10:13:58 2004
From: greggo314 at earthlink.net (Gregg Orenstein)
Date: Tue Dec 21 13:09:19 2004
Subject: [SC-Help] RE: Bill Miller is the devil
Message-ID: <CKEALAGHKPAPBNKEBMMEOENPCCAA.greggo314@earthlink.net>

Thanks for the replies.  I've attempted to contact this individual by phone
(thanks for the phone card tip) , and guess what?  Not only the email, but
also the phone number is non-op.  Now I have the added pleasure of being
able to include in abuse reports that the contact information for this
individual is spurious, and so any attempts to register a domain with it are
fraudulent.  Hopefully registrars will think with their heads rather than
their wallets, but the contents of my inbox (and their links) will be the
judge of that.

Many thanks for your helpful input!
---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.817 / Virus Database: 555 - Release Date: 12/15/2004

From w7el at eznec.com  Tue Dec 21 16:38:33 2004
From: w7el at eznec.com (Roy Lewallen)
Date: Tue Dec 21 19:40:04 2004
Subject: [SC-Help] Re: Parser missed spamvertized web site and perp email
In-Reply-To: <cq9ndn$ua0$1@news.spamcop.net>
References: <cq9c3n$mvo$1@news.spamcop.net> <cq9gtg$q2d$1@news.spamcop.net>
	<cq9jjf$rrn$1@news.spamcop.net> <cq9ndn$ua0$1@news.spamcop.net>
Message-ID: <cqafmf$fjh$1@news.spamcop.net>

Thanks for all the information. It sounds like SpamCop is operating as 
intended, but it does seem to me that a site shouldn't be able to avoid 
getting listed on the blocklist just because they've told SpamCop they 
don't want to be bothered (if I correctly understand what you've said).

I just received another spam from the same spammer, advertising 
freelotto.com. Whatever "action" their ISP has taken, it isn't stopping 
the spam.

Roy Lewallen
From MikeE at ster.invalid  Tue Dec 21 16:52:31 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Dec 21 19:55:02 2004
Subject: [SC-Help] Re: Parser missed spamvertized web site and perp email
References: <cq9c3n$mvo$1@news.spamcop.net> <cq9gtg$q2d$1@news.spamcop.net>
	<cq9jjf$rrn$1@news.spamcop.net> <cq9ndn$ua0$1@news.spamcop.net>
	<cqafmf$fjh$1@news.spamcop.net>
Message-ID: <cqagfo$g2d$1@news.spamcop.net>

Roy Lewallen wrote:
> Thanks for all the information. It sounds like SpamCop is operating as
> intended, but it does seem to me that a site shouldn't be able to
> avoid getting listed on the blocklist just because they've told
> SpamCop they don't want to be bothered (if I correctly understand
> what you've said).

Don't confuse the issues of spamsources and the spamcop blocklist with
spamvertisers and the notification process.  A submitted spam is
analyzed for spamsource and for spamvertisers.  The reported spamsource
contributes to the spamcop blocklist, the notified spamvertiser does not
contribute to anything.

> I just received another spam from the same spammer, advertising
> freelotto.com. Whatever "action" their ISP has taken, it isn't
> stopping the spam.

There is no 'requirement' that a provider for a spamvertiser /do/
anything about what s/he is notified.  I think of it as a 'courtesy'
which spamcop is providing to spamvertisers which they can accept or
decline all of, of individually claim to have taken some action by
checking a form.

There are SC blocklist 'consequences' to a spamsource IP.  There are no
SC consequences to the appearance of a spamvertiser in a spam, except
those which flow from the contribution to the sc-surbl.


-- 
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid  Wed Dec 22 06:55:28 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Dec 22 10:00:04 2004
Subject: [SC-Help] Re: Unprocessable spam
References: <opsjex42zwsxzoz2@w-b-wolf.local>
Message-ID: <cqc1s6$bd2$1@news.spamcop.net>

Posted to .spam & .help f/ups to .help.  See housekeeping below.

W.B. Wolf wrote:
> I have tried forwarding/processing this spam via
> [ submit.<deleted-ME>@spam.spamcop.net ] ;  error message says
> "cannot parse head".  Spam also appears to show that I am the sender

Troubleshooting forwarding as attachment to the submit address
can/should be done by first reading carefully all instructions for your
mail user agent and then to also forward as attachment to yourself.

Also, you should not 'expose' your personal and encoded submit address
here.  That should be kept a secret to prevent someone from submitting
something inappropriate in your 'name'.  In order to have a secret
submit address now that that one has been exposed, you should get a new
one.

> "Please make sure this email IS spam:
> From: <w.b.wolf@earthlink.net> ()"
>
> When I try copying and pasting the header (message has no body) into
> the 2-part submission form, I get the following error message:

The item of the tracker has a tiny body, but it has no url/s.

> "No data / Too much data
> "You are most likely submitting a very large email. Please trim some
> of the unnecessary data (noting where this has been done) from this
> posting and try again. SpamCop will no longer accept email larger
> than 50.0K bytes. "Other possibilities: You may have a firewall which
> prevents HTTP POST commands, you may have linked to the wrong URL or
> your browser does not handle binary submissions correctly (try a
> different browser)"

The spamcop tracker links to an item whose headers are 'mangled' by
linewraps.  Here is a parse [non-mailhost] of the same item without the
mangling.

mine
spamcop.net/sc?id=z705275759z70f5f3c721599430683956935ecff5e2z

> Tracking link:

yours
spamcop.net/sc?id=z705261975zb967a06dd95460ae2de12a5346876212z


Housekeeping.  The ng spamcop.spam is not for discussing.  It is only
for posting spam, which isn't allowed in the discussion groups.  When
you post a tracker, there is no need to post anything in .spam, but post
the tracker in the discussion group spamcop or spamcop.help.


-- 
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid  Wed Dec 22 07:01:18 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Dec 22 10:05:03 2004
Subject: [SC-Help] Re: More unprocessable spam
References: <opsjeycwlesxzoz2@w-b-wolf.local>
Message-ID: <cqc274$bti$1@news.spamcop.net>

xpost .spam & .help; fups .help

W.B. Wolf wrote:
> Tracking url

spamcop.net/sc?id=z705262108z758ce22c9f47c66304094f8bf2e494a0z

> This one does not list me as the sender; otherwise, same problems as
> previous posting, "Unprocessable spam."

Same problem of the header linewrap mangling.  See mine.
spamcop.net/sc?id=z705280235z4ec8a163256a79eac77108d2fd2b5d7fz


-- 
Mike Easter
kibitzer, not SC admin
From w.b.wolf at cqmail.net  Wed Dec 22 10:24:53 2004
From: w.b.wolf at cqmail.net (W.B. Wolf)
Date: Wed Dec 22 10:25:02 2004
Subject: [SC-Help] Re: Unprocessable spam
References: <opsjex42zwsxzoz2@w-b-wolf.local> <cqc1s6$bd2$1@news.spamcop.net>
Message-ID: <opsje03rqbsxzoz2@w-b-wolf.local>

On Wed, 22 Dec 2004 06:55:28 -0800, Mike Easter <MikeE@ster.invalid> wrote:

> Posted to .spam & .help f/ups to .help.  See housekeeping below.
>
> W.B. Wolf wrote:
>> I have tried forwarding/processing this spam via
>> [ submit.<deleted-ME>@spam.spamcop.net ] ;  error message says
>> "cannot parse head".  Spam also appears to show that I am the sender
>
> Troubleshooting forwarding as attachment to the submit address
> can/should be done by first reading carefully all instructions for your
> mail user agent and then to also forward as attachment to yourself.
>
> Also, you should not 'expose' your personal and encoded submit address
> here.  That should be kept a secret to prevent someone from submitting
> something inappropriate in your 'name'.  In order to have a secret
> submit address now that that one has been exposed, you should get a new
> one.
>
>> "Please make sure this email IS spam:
>> From: <w.b.wolf@earthlink.net> ()"
>>
>> When I try copying and pasting the header (message has no body) into
>> the 2-part submission form, I get the following error message:
>
> The item of the tracker has a tiny body, but it has no url/s.
>
>> "No data / Too much data
>> "You are most likely submitting a very large email. Please trim some
>> of the unnecessary data (noting where this has been done) from this
>> posting and try again. SpamCop will no longer accept email larger
>> than 50.0K bytes. "Other possibilities: You may have a firewall which
>> prevents HTTP POST commands, you may have linked to the wrong URL or
>> your browser does not handle binary submissions correctly (try a
>> different browser)"
>
> The spamcop tracker links to an item whose headers are 'mangled' by
> linewraps.  Here is a parse [non-mailhost] of the same item without the
> mangling.
>
> mine
> spamcop.net/sc?id=z705275759z70f5f3c721599430683956935ecff5e2z
>
>> Tracking link:
>
> yours
> spamcop.net/sc?id=z705261975zb967a06dd95460ae2de12a5346876212z
>
>
> Housekeeping.  The ng spamcop.spam is not for discussing.  It is only
> for posting spam, which isn't allowed in the discussion groups.  When
> you post a tracker, there is no need to post anything in .spam, but post
> the tracker in the discussion group spamcop or spamcop.help.
>
>
Thank you, Mr. Easter, and I apologize for posting incorrectly.
I have tried to understand how to submit "non-mangled non-mailhost" report  
per instructions for Eudora Mac;  I have been 98% successful for about 2  
years.  The (2) items I tried to report today were highly unusual.  Next  
time, I'll simply give up:  I'm not enough of a geek to understand your  
generously provided instructions.  It's hard enough fighting the spammers  
-:).

Yes, I know I'm not supposed to expose my email address, but if it's plain  
as day in the message to which the tracking url refers, what's the  
difference?

I really do appreciate your time and effort on my behalf.  Thanks again.



-- 
W.B. Wolf
From MikeE at ster.invalid  Wed Dec 22 07:57:55 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Dec 22 11:00:03 2004
Subject: [SC-Help] Re: Unprocessable spam
References: <opsjex42zwsxzoz2@w-b-wolf.local> <cqc1s6$bd2$1@news.spamcop.net>
	<opsje03rqbsxzoz2@w-b-wolf.local>
Message-ID: <cqc5h9$e3b$1@news.spamcop.net>

W.B. Wolf wrote:
> Mike Easter

>> W.B. Wolf wrote:
>>> I have tried forwarding/processing this spam via
>>> [ submit.<deleted-ME>@spam.spamcop.net ] ;

That's the one I was talking about.

>> Also, you should not 'expose' your personal and encoded submit
>> address here.

>>> "Please make sure this email IS spam:
>>> From: <w.b.wolf@earthlink.net> ()"

Not this one.

> The (2) items I tried to report today were highly
> unusual.

It is possible that you didn't mangle them 'yourself' but something did.
The header configuration has to be

Fieldname: Field values blah blah

and the values blah blah cannot have any wraps or returns not in
conformity with message protocols.  The reason the trackers I posted
were different was because I manually removed the wraps which didn't
belong.

> Yes, I know I'm not supposed to expose my email address,

The exposure of your email address at EL in the body of a news message
or other places besides the 'From' of a news message I don't believe are
problematic.  What I was talking about was your personal
submit:16charANcodeNMBR@spam.spamcop.net - which is supposed to be
secret.



-- 
Mike Easter
kibitzer, not SC admin

From cpollock at earthlink.net  Wed Dec 22 19:59:09 2004
From: cpollock at earthlink.net (Chris)
Date: Wed Dec 22 21:00:03 2004
Subject: [SC-Help] Canceling report
Message-ID: <cqd8pd$37f$1@news.spamcop.net>

Is it possible to cancel an already made report?  If so, how is it done?  I 
checked the FAQ and couldn't find anything on it.

-- 
Chris
Registered Linux User 283774 http://counter.li.org
7:58pm up 24 days, 5:16, 1 user, load average: 0.63, 0.50, 0.67


From nobody at devnull.spamcop.net  Wed Dec 22 20:31:23 2004
From: nobody at devnull.spamcop.net (WazoO)
Date: Wed Dec 22 21:35:02 2004
Subject: [SC-Help] Re: Canceling report
References: <cqd8pd$37f$1@news.spamcop.net>
Message-ID: <cqdalr$4a6$1@news.spamcop.net>

"Chris" <cpollock@earthlink.net> wrote in message
news:cqd8pd$37f$1@news.spamcop.net...
> Is it possible to cancel an already made report?  If so, how is it done?
I
> checked the FAQ and couldn't find anything on it.

The FAQ at http://forum.spamcop.net/forums/ includes an
entry for "How do I Unsend a Report" ... it includes the
quick answer of "no" .. but there are other steps to take
to hopefully clear things up with all concerned parties.


From cpollock at earthlink.net  Wed Dec 22 20:45:16 2004
From: cpollock at earthlink.net (Chris)
Date: Wed Dec 22 21:50:02 2004
Subject: [SC-Help] Re: Canceling report
References: <cqd8pd$37f$1@news.spamcop.net> <cqdalr$4a6$1@news.spamcop.net>
Message-ID: <cqdbfs$4lo$1@news.spamcop.net>

WazoO wrote:

> "Chris" <cpollock@earthlink.net> wrote in message
> news:cqd8pd$37f$1@news.spamcop.net...
>> Is it possible to cancel an already made report?  If so, how is it done?
> I
>> checked the FAQ and couldn't find anything on it.
> 
> The FAQ at http://forum.spamcop.net/forums/ includes an
> entry for "How do I Unsend a Report" ... it includes the
> quick answer of "no" .. but there are other steps to take
> to hopefully clear things up with all concerned parties.

Thanks, I've done as suggested and sent a retraction to spamcop and to those 
I accidentally reported.  

-- 
Chris
Registered Linux User 283774 http://counter.li.org
8:43pm up 24 days, 6:02, 1 user, load average: 0.29, 0.50, 0.60
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Original thought is like original sin: both happened before you were born
to people you could not have possibly met.
                -- Fran Lebowitz, "Social Studies"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Live - From Virgin Radio UK The Beatles - Come Together

From David1 at suescornerweb.com  Sun Dec 26 07:37:34 2004
From: David1 at suescornerweb.com (David 1)
Date: Sun Dec 26 07:40:03 2004
Subject: [SC-Help] HUH, what am I being told here
Message-ID: <cqmb9e$u78$3@news.spamcop.net>

& please dumb it down, I have a hard time understanding this stuff but I 
am trying.

Complete message posted in s.spam
-- 

David 1
bad addy
spamtrap@suescornerweb.com
From MikeE at ster.invalid  Sun Dec 26 05:54:52 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Dec 26 08:55:02 2004
Subject: [SC-Help] Re: HUH, What am I being told here
References: <cqmb0b$u78$1@news.spamcop.net> <cqmb65$u78$2@news.spamcop.net>
Message-ID: <cqmfqb$170$1@news.spamcop.net>

posted to .spam & .help;  f/ups to .help

David 1 wrote:
Subject: HUH, What am I being told here

>> You have sent a message that has been stopped!

>> Received: from [221.137.42.172] by skorpan.sverige.net

>> From: <jamessytwexlhfer@suescornerweb.com>
>> To: "Administrator" <jacob@sverige.net>
>> Subject: FREE SEARCH of our Foreclosure Listings

> Subject: Email is in RBL _ DENIED _ (by bl.spamcop.se from
> jamessytwexlhfer@suescornerweb.com reason Sending IP 221.137.42.172
> support SPAM )
> To: jamessytwexlhfer@suescornerweb.com
> <jamessytwexlhfer@suescornerweb.com
> Cc: postmaster@221.137.42.172

What you posted consists of these parts

 1 a form letter from a Swedish .se provider sverige
 2 the headers of the mail the sverige is 'bouncing'
 3 later the headers of the mail from sverige to you

1 shows that English is not the first language of the .se spam
recipient.  He is explaining that he is bouncing the mail because it is
on a blocklist.  He is referring to the mail headed by 2, which shows an
item sourced at the multilisted  221.137.42.172  no rDNS of the Shaghai
.cn Colnet OnLine Network.

Those 2 spam headers are full of bogus lines and include the From
jamessytwexlhfer@suescornerweb.com which is presumably why the .se
recipient at sverige emailed you about it;  which is not smart.  His
'bouncing' method for spam filtered mail appears to be to notify the
postmaster pm at the source IP and the From.

The headers in 3 are of no interest to us, except to confirm that he
emailed you at jamessytwexlhfer and copied the .cn pm.

-- 
Mike Easter
kibitzer, not SC admin

From David1 at suescornerweb.com  Sun Dec 26 11:00:17 2004
From: David1 at suescornerweb.com (David 1)
Date: Sun Dec 26 11:00:02 2004
Subject: [SC-Help] Re: HUH, What am I being told here
In-Reply-To: <cqmfqb$170$1@news.spamcop.net>
References: <cqmb0b$u78$1@news.spamcop.net> <cqmb65$u78$2@news.spamcop.net>
	<cqmfqb$170$1@news.spamcop.net>
Message-ID: <cqmn5a$516$1@news.spamcop.net>

Mike Easter wrote:
> posted to .spam & .help;  f/ups to .help
> 
> David 1 wrote:
> Subject: HUH, What am I being told here
> 
> 
>>>You have sent a message that has been stopped!
> 
> 
>>>Received: from [221.137.42.172] by skorpan.sverige.net
> 
> 
>>>From: <jamessytwexlhfer@suescornerweb.com>
>>>To: "Administrator" <jacob@sverige.net>
>>>Subject: FREE SEARCH of our Foreclosure Listings
> 
> 
>>Subject: Email is in RBL _ DENIED _ (by bl.spamcop.se from
>>jamessytwexlhfer@suescornerweb.com reason Sending IP 221.137.42.172
>>support SPAM )
>>To: jamessytwexlhfer@suescornerweb.com
>><jamessytwexlhfer@suescornerweb.com
>>Cc: postmaster@221.137.42.172
> 
> 
> What you posted consists of these parts
> 
>  1 a form letter from a Swedish .se provider sverige
>  2 the headers of the mail the sverige is 'bouncing'
>  3 later the headers of the mail from sverige to you
> 
> 1 shows that English is not the first language of the .se spam
> recipient.  He is explaining that he is bouncing the mail because it is
> on a blocklist.  He is referring to the mail headed by 2, which shows an
> item sourced at the multilisted  221.137.42.172  no rDNS of the Shaghai
> ..cn Colnet OnLine Network.
> 
> Those 2 spam headers are full of bogus lines and include the From
> jamessytwexlhfer@suescornerweb.com which is presumably why the .se
> recipient at sverige emailed you about it;  which is not smart.  His
> 'bouncing' method for spam filtered mail appears to be to notify the
> postmaster pm at the source IP and the From.
> 
> The headers in 3 are of no interest to us, except to confirm that he
> emailed you at jamessytwexlhfer and copied the .cn pm.
> 

so that really came from my domain, I thought someone just put that 
bogus addy in the return reply addy, I don't have a name anywhere like 
that on my list but Suescornerweb.com is mine.

-- 

David 1
bad addy
spamtrap@suescornerweb.com
From MikeE at ster.invalid  Sun Dec 26 09:14:11 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Dec 26 12:15:09 2004
Subject: [SC-Help] Re: HUH, What am I being told here
References: <cqmb0b$u78$1@news.spamcop.net> <cqmb65$u78$2@news.spamcop.net>
	<cqmfqb$170$1@news.spamcop.net> <cqmn5a$516$1@news.spamcop.net>
Message-ID: <cqmrg1$7ig$1@news.spamcop.net>

David 1 wrote:
> Mike Easter wrote:

>> Those 2 spam headers are full of bogus lines and include the From
>> jamessytwexlhfer@suescornerweb.com which is presumably why the .se
>> recipient at sverige emailed you about it;  which is not smart.  His
>> 'bouncing' method for spam filtered mail appears to be to notify the
>> postmaster pm at the source IP and the From.

> so that really came from my domain,

No.  That isn't what I said.  I said it was sourced at the .cn IP.

> I thought someone just put that
> bogus addy in the return reply addy,

Yes.  That's what I said;  that the bogus From was forged along with
other forged lines in the headers.

> I don't have a name anywhere like
> that on my list but Suescornerweb.com is mine.

If you don't have a username like that, I don't know why you would want
to be receiving all of the mail with all of the different bogusnames
which might be addressed to suescornerweb.

The mail and nameservice for suescornerweb is handled by frognet.net.
What options do they give you for how to handle the various usernames
for suescornerweb which aren't in use?  Why not just reject them at the
server?


-- 
Mike Easter
kibitzer, not SC admin

From David1 at suescornerweb.com  Sun Dec 26 16:13:12 2004
From: David1 at suescornerweb.com (David 1)
Date: Sun Dec 26 16:15:02 2004
Subject: [SC-Help] Re: HUH, What am I being told here
In-Reply-To: <cqmrg1$7ig$1@news.spamcop.net>
References: <cqmb0b$u78$1@news.spamcop.net> <cqmb65$u78$2@news.spamcop.net>
	<cqmfqb$170$1@news.spamcop.net> <cqmn5a$516$1@news.spamcop.net>
	<cqmrg1$7ig$1@news.spamcop.net>
Message-ID: <cqn9ek$eq9$1@news.spamcop.net>

Mike Easter wrote:
> David 1 wrote:
> 
>>Mike Easter wrote:
> 
> 

> 
>>I don't have a name anywhere like
>>that on my list but Suescornerweb.com is mine.
> 
> 
> If you don't have a username like that, I don't know why you would want
> to be receiving all of the mail with all of the different bogusnames
> which might be addressed to suescornerweb.
> 
> The mail and nameservice for suescornerweb is handled by frognet.net.
> What options do they give you for how to handle the various usernames
> for suescornerweb which aren't in use?  Why not just reject them at the
> server?
> 
> 
I'm the postmaster, was under the impression that it's my problem + the 
fact I tend to make names on the fly like I did with the below addy 
before I got around to making it an official addy. So it's probably 
something I set up, I'm the one that sets up how much quota each 
accounts gets & then when it's over quota it gets bounced to the 
postmaster to deal with.
Sure hope that makes since

-- 

David 1
bad addy
spamtrap@suescornerweb.com
From tynyt at atlas.cz  Wed Dec 29 09:52:43 2004
From: tynyt at atlas.cz (tynyt)
Date: Wed Dec 29 03:55:03 2004
Subject: [SC-Help] functionality enhancement?
Message-ID: <MPG.1c3c8ec4d8e1b9c1989680@news.spamcop.net>

Hi,

is there possibility (or possibility to implement) to report spamhosts 
based on IP addres only or maillog entry?

Why? I configured my MTAs to reject e-mails based on some signs (ie. DNS 
A records, malformed e-mail addresses, malformed envelopes & headers 
etc), so I don't ever see message bodies as the mail gets rejected as 
soon as the envelope is read. The only thing I have is log entries. I 
assume that these hosts (many of them reside in China or Tai-wan) serve 
as DDoS/spam farm, as they use "bulk" DSL connectivity. This part works 
well for me.
But: second wave of attack comes from legacy SMTP hosts dont't having 
such strict policies (but they are not a open relay and many of them use 
some antispam lists), because of non-existent recipient and forged 
sender (which doesn't correspond to originator) -- forged sender is the 
target of spam.

So it would be nice to have an opportunity to report IPs as many of the 
2nd stage SMTP servers mentioned above would reject these spams.

I know that possibility of misuse of this feature could be very high, 
but this can be solved via accesibility for "trusted users" only - for 
example users that have reporting account for more than 6 months and use 
it wisely.

Thank for your attention

-- 
==========================================================
TyNyT -- computing since 1985 :-)
==========================================================

From ric.gates at bigsleep.org  Wed Dec 29 10:39:29 2004
From: ric.gates at bigsleep.org (Blammo)
Date: Wed Dec 29 05:40:22 2004
Subject: [SC-Help] Re: functionality enhancement?
References: <MPG.1c3c8ec4d8e1b9c1989680@news.spamcop.net>
Message-ID: <Xns95CE1B0FF3611blammo@216.154.195.61>

On 29 Dec 2004 tynyt entered spamcop.help and left 
news:MPG.1c3c8ec4d8e1b9c1989680@news.spamcop.net:

> So it would be nice to have an opportunity to report IPs as many of the 
> 2nd stage SMTP servers mentioned above would reject these spams.
> 

I'm not clear on what you mean by "2nd stage SMTP servers" but the obvious 
problem is that there is no way to know if it is spam or not.
Certainly multiple hits are a good sign of abuse, but those could also be 
relay attempts or bounces or even some sort of C/R. In addition I suspect 
that spammers "poke" at your server with an IP that's never used to send 
spam.
The best way to report this type of spam is to set up a spamtrap address 
that isn't subject to any filtering.

-- 
| Ric
|
From gospamming at yourdomain.invalid  Wed Dec 29 10:40:50 2004
From: gospamming at yourdomain.invalid (D.Diaz)
Date: Wed Dec 29 05:45:03 2004
Subject: [SC-Help] Re: functionality enhancement?
References: <MPG.1c3c8ec4d8e1b9c1989680@news.spamcop.net>
Message-ID: <Xns95CE76D1E1795xnddmxn@216.154.195.61>

tynyt <tynyt@atlas.cz> wrote in
news:MPG.1c3c8ec4d8e1b9c1989680@news.spamcop.net: 

> Hi,
> 
> is there possibility (or possibility to implement) to report spamhosts
> based on IP addres only or maillog entry?
> 

If I am not mistaken, that's precisely the way some DNSBLs are being fed
(but not the SpamCop BL). 

While I understand your points, I think that should never be done with
the SCBL.  The primary function of SpamCop.net is to be a reporting
tool.  The SCBL grows with the IP addresses those reports are pointing
to and uses them as proof of listing.  SpamCop.net shouldn't mix
listings sourced from spam submissions and listings sourced from
rejection logs, which would be lacking 'proper proofing'. 

I think every BL should have only one kind of feeding, and the combined
use of a selection of the most suitable DNSBLs for the special needs of
each mail admin will bring the most useful protection for their MTAs
(iow, less false positives/negatives for their particular type of mail
traffic). 

-- 
Daniel Diaz
SpamCop User
From tynyt at atlas.cz  Wed Dec 29 15:26:36 2004
From: tynyt at atlas.cz (tynyt)
Date: Wed Dec 29 09:30:02 2004
Subject: [SC-Help] Re: functionality enhancement?
References: <MPG.1c3c8ec4d8e1b9c1989680@news.spamcop.net>
	<Xns95CE1B0FF3611blammo@216.154.195.61>
Message-ID: <MPG.1c3cdcf695188c88989681@news.spamcop.net>

In article <Xns95CE1B0FF3611blammo@216.154.195.61>, 
ric.gates@bigsleep.org says...
> On 29 Dec 2004 tynyt entered spamcop.help and left 
> news:MPG.1c3c8ec4d8e1b9c1989680@news.spamcop.net:
> 
> > So it would be nice to have an opportunity to report IPs as many of the 
> > 2nd stage SMTP servers mentioned above would reject these spams.
> > 
> 
> I'm not clear on what you mean by "2nd stage SMTP servers" but the obvious 
> problem is that there is no way to know if it is spam or not.

2nd stage was meant that smtp server, who bounces message from spammer 
to final recipient.

> Certainly multiple hits are a good sign of abuse, but those could also be 
> relay attempts or bounces or even some sort of C/R. In addition I suspect 
> that spammers "poke" at your server with an IP that's never used to send 
> spam.

It's definitely an abusing transport. I spent too much time to analyse 
this mess and when logged (countermeasures were temporarily switched 
off) standard spam came out.

> The best way to report this type of spam is to set up a spamtrap address 
> that isn't subject to any filtering.

Well, this is practically impossible. I tried to set up such trap in the 
past, but the amount of data totally flooded our lines, moreover legacy 
e-mail was not able to pass through. There are approx. 20-30 incoming 
attempts per second to connect to smtp.


> 

-- 
==========================================================
TyNyT -- computing since 1985 :-)
==========================================================

From Kilgallen at SpamCop.net  Wed Dec 29 08:26:04 2004
From: Kilgallen at SpamCop.net (Larry Kilgallen)
Date: Wed Dec 29 09:30:09 2004
Subject: [SC-Help] Re: functionality enhancement?
References: <MPG.1c3c8ec4d8e1b9c1989680@news.spamcop.net>
	<Xns95CE76D1E1795xnddmxn@216.154.195.61>
Message-ID: <ovpNgj$uSy$H@eisner.encompasserve.org>

In article <Xns95CE76D1E1795xnddmxn@216.154.195.61>, "D.Diaz" <gospamming@yourdomain.invalid> writes:

> I think every BL should have only one kind of feeding, and the combined
> use of a selection of the most suitable DNSBLs for the special needs of
> each mail admin will bring the most useful protection for their MTAs
> (iow, less false positives/negatives for their particular type of mail
> traffic). 

Lots of us agree with Daniel, but sometime are reluctant to post "me too".
Once various DNSbl policies have been mixed together it is not possible to
sort them out.  Thus such mixing should only be done at the consuming MTA.
From tynyt at atlas.cz  Wed Dec 29 15:51:51 2004
From: tynyt at atlas.cz (tynyt)
Date: Wed Dec 29 09:55:04 2004
Subject: [SC-Help] Re: functionality enhancement?
References: <MPG.1c3c8ec4d8e1b9c1989680@news.spamcop.net>
	<Xns95CE76D1E1795xnddmxn@216.154.195.61>
Message-ID: <MPG.1c3ce2d97d26c86f989682@news.spamcop.net>

In article <Xns95CE76D1E1795xnddmxn@216.154.195.61>, 
gospamming@yourdomain.invalid says...
> tynyt <tynyt@atlas.cz> wrote in
> news:MPG.1c3c8ec4d8e1b9c1989680@news.spamcop.net: 
> 
> > Hi,
> > 
> > is there possibility (or possibility to implement) to report spamhosts
> > based on IP addres only or maillog entry?
> > 
> 
> If I am not mistaken, that's precisely the way some DNSBLs are being fed
> (but not the SpamCop BL). 

I know ordb for example (it's based on IP), but this (and others) BL 
lists only open relay sites, which does not correspond to this kind of 
smtp communication as none of the MTAs involved is open relay.

> While I understand your points, I think that should never be done with
> the SCBL.  The primary function of SpamCop.net is to be a reporting
> tool.  The SCBL grows with the IP addresses those reports are pointing
> to and uses them as proof of listing.  SpamCop.net shouldn't mix
> listings sourced from spam submissions and listings sourced from
> rejection logs, which would be lacking 'proper proofing'. 

I see, this is a good point. I know that my spam is spam, but don't know 
that others do have identical measures of "spamminess," moreover if 
somebody didn't submit data wilfully.

> 
> I think every BL should have only one kind of feeding, and the combined
> use of a selection of the most suitable DNSBLs for the special needs of
> each mail admin will bring the most useful protection for their MTAs
> (iow, less false positives/negatives for their particular type of mail
> traffic). 

I would appreciate any info if there is BL of such a type. It could help 
to lower the number of bounces that come every day if used in mass.


 

-- 
==========================================================
TyNyT -- computing since 1985 :-)
==========================================================

From ric.gates at bigsleep.org  Wed Dec 29 15:41:22 2004
From: ric.gates at bigsleep.org (Blammo)
Date: Wed Dec 29 10:45:04 2004
Subject: [SC-Help] Re: functionality enhancement?
References: <MPG.1c3c8ec4d8e1b9c1989680@news.spamcop.net>
	<Xns95CE1B0FF3611blammo@216.154.195.61>
	<MPG.1c3cdcf695188c88989681@news.spamcop.net>
Message-ID: <Xns95CE4E3D49439blammo@216.154.195.61>

On 29 Dec 2004 tynyt entered spamcop.help and left
news:MPG.1c3cdcf695188c88989681@news.spamcop.net: 

> In article <Xns95CE1B0FF3611blammo@216.154.195.61>, 
> ric.gates@bigsleep.org says...
>> On 29 Dec 2004 tynyt entered spamcop.help and left 
>> news:MPG.1c3c8ec4d8e1b9c1989680@news.spamcop.net:
>> 
>> > So it would be nice to have an opportunity to report IPs as many of
>> > the 2nd stage SMTP servers mentioned above would reject these
>> > spams. 
>> > 
>> 
>> I'm not clear on what you mean by "2nd stage SMTP servers" but the
>> obvious problem is that there is no way to know if it is spam or not.
> 
> 2nd stage was meant that smtp server, who bounces message from spammer
> to final recipient.
> 

First of all you're not going to get rejects to a forged sender, you're 
talking about DSN replies sent to the Envelope Sender. This is not spam 
even if the message itself is. You can block these yourself but you risk 
blocking valid mail. If your server only handles your personal mail, this 
probably isn't a problem.

> 
>> The best way to report this type of spam is to set up a spamtrap
>> address that isn't subject to any filtering.
> 
> Well, this is practically impossible. I tried to set up such trap in
> the past, but the amount of data totally flooded our lines, moreover
> legacy e-mail was not able to pass through. There are approx. 20-30
> incoming attempts per second to connect to smtp.
> 

Well, for the case mentioned above, you can't report bounces through 
SpamCop anyway.
Otherwise, nothing's impossible, just offhand I can think of a way to set 
up a cron job to switch the mail config and momentarily let some spam pass 
through.
Also, depending on you mail server, you should be able to configure limits 
to reduce the server load, and adding a white-list should reduce the 
processing time for valid mail. I write rulesets myself, but I try not to 
run any rule where it isn't needed, I need to conserve as much processing 
time as possible.

-- 
| Ric
From buzzard554 at fastmail.co.uk  Wed Dec 29 18:17:15 2004
From: buzzard554 at fastmail.co.uk (Martin Edwards)
Date: Wed Dec 29 13:20:03 2004
Subject: [SC-Help] Re: "bounce" defeats Spamcop
Message-ID: <cqus85$non$1@news.spamcop.net>

My guess is (and I'm far from a techhead) that there is nothing in the 
Return-path line, so there is no IP number to parse.  I've had quite a 
few of those lately.  There ain't 'arf bin some clever bastards.
From hercules at invaliddomain.com  Thu Dec 30 00:01:58 2004
From: hercules at invaliddomain.com (hercules)
Date: Thu Dec 30 02:05:04 2004
Subject: [SC-Help] Can I trust this?
Message-ID: <cr0941$imc$1@news.spamcop.net>

Hi, an email arrived in my mailbox with an opportunity to be removed from a 
list I've never subscribed to.
I would think this is actually the opposite and more like a confirmation.

there was more above this, but I clipped for brevity.
---------------------------------
Your address was collected as a result of posting to a link, a classified =
ad to our FFA Page, opting in to
our auto responder or partner site or you have sent us<br>
an E-mail recently .To be removed at no cost to you simply reply to this e=
mail address with the word
'REMOVE' in the SUBJECT area.  Your email address will<br>
be removed promptly - or email us with no longer in the subject.&nbsp;</fo=
nt> <a href=3D"mailto:takeoff@adminfundingconsult.com"><font size=3D"1">ta=
keoff@adminfundingconsult.com</font></a>
<font size=3D"1">Shankar Nagar/Nagpur-440010/India</font></p>
<p>&nbsp;</p>
From ric.gates at bigsleep.org  Thu Dec 30 07:22:32 2004
From: ric.gates at bigsleep.org (Blammo)
Date: Thu Dec 30 02:25:03 2004
Subject: [SC-Help] Re: Can I trust this?
References: <cr0941$imc$1@news.spamcop.net>
Message-ID: <Xns95CEEDD029050blammo@216.154.195.61>

On 29 Dec 2004 hercules entered spamcop.help and left
news:cr0941$imc$1@news.spamcop.net: 

> Hi, an email arrived in my mailbox with an opportunity to be removed
> from a list I've never subscribed to.
> I would think this is actually the opposite and more like a
> confirmation. 
> 
> there was more above this, but I clipped for brevity.
> ---------------------------------
> Your address was collected as a result of posting to a link, a
> classified = ad to our FFA Page,

Most likely bull.
Do you know what a FFA page is? It's simply a page where you can submit a 
link to your website, and usually noone places email addresses there, The 
idea of FFA seemed like a good one at first, but soon turned into an ugly 
mess because of course the page fills up and can't be navigated. And then 
people started adding more pages like this in order to feed the search 
engines with more links. Nowadays they are useless because the search 
engines are just too smart.
I'm going to assume this is a lie (though I haven't seen the headers), 
because they don't supply any evidence. Do you really want to just take 
their word for it? So if you reported it and they claimed they had the 
evidence that you signed up... so where is it? They most likely don't have 
it because they are liers.

The rest of the message could alter my opinion, but I've seen this junk 
before. It's too bad we have to assume some people are liers, but in my 
mind it's like the stranger that comes up to you on the street (like in the 
big city) and wants to be your buddy.
-- 
| Ric
|
From tynyt at atlas.cz  Thu Dec 30 13:45:06 2004
From: tynyt at atlas.cz (tynyt)
Date: Thu Dec 30 07:45:28 2004
Subject: [SC-Help] Re: functionality enhancement?
References: <MPG.1c3c8ec4d8e1b9c1989680@news.spamcop.net>
	<Xns95CE1B0FF3611blammo@216.154.195.61>
	<MPG.1c3cdcf695188c88989681@news.spamcop.net>
	<Xns95CE4E3D49439blammo@216.154.195.61>
Message-ID: <MPG.1c3e16a4356a9ad1989683@news.spamcop.net>

In article <Xns95CE4E3D49439blammo@216.154.195.61>, 
ric.gates@bigsleep.org says...

> 
> > 
> >> The best way to report this type of spam is to set up a spamtrap
> >> address that isn't subject to any filtering.
> > 
> > Well, this is practically impossible. I tried to set up such trap in
> > the past, but the amount of data totally flooded our lines, moreover
> > legacy e-mail was not able to pass through. There are approx. 20-30
> > incoming attempts per second to connect to smtp.
> > 
> 
> Well, for the case mentioned above, you can't report bounces through 
> SpamCop anyway.
> Otherwise, nothing's impossible, just offhand I can think of a way to set 
> up a cron job to switch the mail config and momentarily let some spam pass 
> through.
> Also, depending on you mail server, you should be able to configure limits 
> to reduce the server load, and adding a white-list should reduce the 
> processing time for valid mail. I write rulesets myself, but I try not to 
> run any rule where it isn't needed, I need to conserve as much processing 
> time as possible.

I've got everything (except bayes filter which is not acceptable to be 
implemented on our hardware) -- whitelists and blacklists, wrote custom 
rulesets, even limits to connection amount, mail server runs smoothly. 
At this moment everything works fine, everything I want is to have a 
opportunity to globally lower such kind of spam, as this kind of spam 
gets major problem (at least here in Central Europe)

-- 
==========================================================
TyNyT -- computing since 1985 :-)
==========================================================

From nobody at spamcop.net  Thu Dec 30 10:31:32 2004
From: nobody at spamcop.net (Pop)
Date: Thu Dec 30 10:35:23 2004
Subject: [SC-Help] Re: Can I trust this?
References: <cr0941$imc$1@news.spamcop.net>
	<Xns95CEEDD029050blammo@216.154.195.61>
Message-ID: <cr170l$3g1$1@news.spamcop.net>

Blammo wrote:
>> On 29 Dec 2004 hercules entered spamcop.help and left
>> news:cr0941$imc$1@news.spamcop.net:
>>
>>> Hi, an email arrived in my mailbox with an opportunity to be 
>>> removed
>>> from a list I've never subscribed to.
>>> I would think this is actually the opposite and more like a
>>> confirmation.
>>>
>>> there was more above this, but I clipped for brevity.
>>> ---------------------------------
>>> Your address was collected as a result of posting to a link, 
>>> a
>>> classified = ad to our FFA Page,
>>
>> Most likely bull.
...

In my book, that's plenty - it indicates they scrape addresses 
and don't use any sort of confirmtation.  I'd have stopped 
reading there and report it, if I hadn't already done so. 
Parsing it at SC would almost surely show it to be forged, et al.

Pop


From hercules at invaliddomain.com  Thu Dec 30 10:40:27 2004
From: hercules at invaliddomain.com (hercules)
Date: Thu Dec 30 12:40:02 2004
Subject: [SC-Help] Re: Can I trust this?
In-Reply-To: <cr170l$3g1$1@news.spamcop.net>
References: <cr0941$imc$1@news.spamcop.net>
	<Xns95CEEDD029050blammo@216.154.195.61> <cr170l$3g1$1@news.spamcop.net>
Message-ID: <cr1eh6$8cq$1@news.spamcop.net>

Pop wrote:
> Blammo wrote:
> 
>>> On 29 Dec 2004 hercules entered spamcop.help and left 
>>> news:cr0941$imc$1@news.spamcop.net:
>>> 
>>> 
>>>> Hi, an email arrived in my mailbox with an opportunity to be removed
>>>>  from a list I've never subscribed to. I would think this is actually
>>>>  the opposite and more like a confirmation.
>>>> 
>>>> there was more above this, but I clipped for brevity. 
>>>> --------------------------------- Your address was collected as a 
>>>> result of posting to a link, a classified = ad to our FFA Page,
>>> 
>>> Most likely bull.
> 
> ...
> 
> In my book, that's plenty - it indicates they scrape addresses and don't 
> use any sort of confirmtation.  I'd have stopped reading there and report 
> it, if I hadn't already done so. Parsing it at SC would almost surely show 
> it to be forged, et al.
> 
> Pop
> 
> 
Hi, I parsed the message with spamcop and it indicated the IP was listed in
dnsbl.sorbs.net. Knowing that I reported the offending message.

The message had formatting with my email address duplicated throughout, and
not knowing what parts of the email to omit, I'm not comfortable posting the
complete message as I have privacy concerns over real email addresses
being posted in a public forum such as this.

Thanks for your time.
From nobody at spamcop.net  Thu Dec 30 15:20:20 2004
From: nobody at spamcop.net (Pop)
Date: Thu Dec 30 15:25:04 2004
Subject: [SC-Help] Re: Can I trust this?
References: <cr0941$imc$1@news.spamcop.net>
	<Xns95CEEDD029050blammo@216.154.195.61> <cr170l$3g1$1@news.spamcop.net>
	<cr1eh6$8cq$1@news.spamcop.net>
Message-ID: <cr1nu4$e9n$1@news.spamcop.net>

...
>I'm not
>> comfortable posting the complete message as I have privacy 
>> concerns
>> over real email addresses
>> being posted in a public forum such as this.
>>
>> Thanks for your time.

Wise decision; it's part of what's called called "safe hex" in 
some circles.  Kinda dumb, IMO, but apt.  SC, whois and Sam Spade 
are my best friends.

Pop


From ric.gates at bigsleep.org  Fri Dec 31 02:40:28 2004
From: ric.gates at bigsleep.org (Blammo)
Date: Thu Dec 30 21:45:03 2004
Subject: [SC-Help] Re: Can I trust this?
References: <cr0941$imc$1@news.spamcop.net>
	<Xns95CEEDD029050blammo@216.154.195.61> <cr170l$3g1$1@news.spamcop.net>
	<cr1eh6$8cq$1@news.spamcop.net>
Message-ID: <Xns95CFBDFF5CC3blammo@216.154.195.61>

On 30 Dec 2004 hercules entered spamcop.help and left
news:cr1eh6$8cq$1@news.spamcop.net: 

> The message had formatting with my email address duplicated
> throughout, and not knowing what parts of the email to omit, I'm not
> comfortable posting the complete message as I have privacy concerns
> over real email addresses being posted in a public forum such as this.
> 

You posted enough info for me, but you can always copy the Tracking URL 
from the SpamCop report (it's right at the top) and past that in your 
message here, the next time you have questions.

-- 
| Ric
|
From spamtrap at mrsmith.com  Fri Dec 31 16:18:55 2004
From: spamtrap at mrsmith.com (Mr. Smith)
Date: Fri Dec 31 16:20:06 2004
Subject: [SC-Help] empty spam
Message-ID: <cr4fo0$3ht$1@news.spamcop.net>

I have received the same spam 3 ~ 4 per week, as posted in spamcop.spam 
under the heading "empty spam"



The originating IP changes each time. The nonsense text changes each time. 
The subject header always starts with         $.S.T.O.R-



There is nothing advertised and no links other than MSN search.



It is sent to multpile yahoo addresses. What would be the purpose of this? 
Is it to check email addresses (i.e. verify which ones do not bounce)?