From driehuis.fcnzpbc2005 at playbeing.com Tue Feb 1 02:54:24 2005
From: driehuis.fcnzpbc2005 at playbeing.com (Bert Driehuis)
Date: Mon Jan 31 20:55:07 2005
Subject: [SC-Help] Re: phishing emails...
In-Reply-To:
References:
Message-ID:

mikeyhsd wrote:
> you should also make an attempt to send it to the party they are faking.
> most of them have a phishing reporting address on their web sites.
> like paypal has an address on their site to report phishing to.

[ Please review http://www.xs4all.nl/~hanb/documents/quotingguide.html ]

Be very, very careful when reporting to spoofed parties. If you pick the wrong address, you're adding to their spamload.

For example, if you're not sure where to report eBay spoofs, a good starting point would be to Google for
http://www.google.com/search?q=reporting+spoof+ebay

From l.rem.mayne at uea.ac.uk Tue Feb 1 09:18:38 2005
From: l.rem.mayne at uea.ac.uk (Leon Mayne)
Date: Tue Feb 1 04:20:04 2005
Subject: [SC-Help] Re: Spamcop Plugin for Outlook
References:
Message-ID:

Lucas Tam wrote:
> Can anyone recommend a spamcop plugin for Outlook 2003?

http://www.olspamcop.org

I just had to, you know :-)

From nobody at devnull.spamcop.net Tue Feb 1 12:22:23 2005
From: nobody at devnull.spamcop.net (Paul Peeraerts)
Date: Tue Feb 1 07:30:03 2005
Subject: [SC-Help] History
Message-ID:

My mail server uses the Spamcop blacklists, and a client that tried to send a mail to us received the following warning:

Blocked - see http://www.spamcop.net/bl.shtml?193.252.22.175

but if you go to that URL you get:

193.252.22.175 not listed in bl.spamcop.net

So I suppose the IP-number was delisted just recently. Is there a place where I can find the recent history of listing and delisting for a given IP-number?

Tx!

From nobody at devnull.spamcop.net Tue Feb 1 09:25:30 2005
From: nobody at devnull.spamcop.net (Pop)
Date: Tue Feb 1 09:30:38 2005
Subject: [SC-Help] Re: Spamcop Plugin for Outlook
References:
Message-ID:

Leon Mayne wrote:
> Lucas Tam wrote:
>> Can anyone recommend a spamcop plugin for Outlook 2003?
>
> http://www.olspamcop.org
>
> I just had to, you know :-)

Glad you did; first I've seen it.

Pop

From TJLWBECGSGWU at spammotel.com Tue Feb 1 19:04:38 2005
From: TJLWBECGSGWU at spammotel.com (Mathew Hendry)
Date: Tue Feb 1 14:10:04 2005
Subject: [SC-Help] Re: History
References:
Message-ID:

Paul Peeraerts wrote in :
>My mail server uses the Spamcop blacklists, and a client that tried to
>send a mail to us received the following warning:
>
>Blocked - see http://www.spamcop.net/bl.shtml?193.252.22.175
>
>but if you go to that URL you get:
>
>193.252.22.175 not listed in bl.spamcop.net
>
>So I suppose the IP-number was delisted just recently. Is there a place
>where I can find the recent history of listing and delisting for a given
>IP-number?

Maybe not quite what you're after, but you can sign up for an ISP account and request hourly or daily reports on the IP ranges you're interested in. See

http://www.spamcop.net/fom-serve/cache/94.html

You're not listed by SpamCop anymore but you are on a couple of other blacklists

http://openrbl.org/ip/193/252/22/175.htm

Given your presence on SpamBag "backscatter", it's possible that you've been bouncing (not rejecting) spam and viruses, which is an annoying thing to be doing and will get you blacklisted sooner or later.

-- 
Mat.

From TJLWBECGSGWU at spammotel.com Tue Feb 1 21:58:02 2005
From: TJLWBECGSGWU at spammotel.com (Mathew Hendry)
Date: Tue Feb 1 17:00:04 2005
Subject: [SC-Help] Re: History
References:
Message-ID:

Mathew Hendry wrote in :
>Paul Peeraerts wrote in
>:
>
>>My mail server uses the Spamcop blacklists, and a client that tried to
>>send a mail to us received the following warning:
>>
>>Blocked - see http://www.spamcop.net/bl.shtml?193.252.22.175
>>
>>but if you go to that URL you get:
>>
>>193.252.22.175 not listed in bl.spamcop.net
>>
>>So I suppose the IP-number was delisted just recently. Is there a place
>>where I can find the recent history of listing and delisting for a given
>>IP-number?

Sorry, I completely misread the context there - it was not you who was listed, but your customer. Substitute "they" for "you" and "their" for "your" in what I said below. :)

>Maybe not quite what you're after, but you can sign up for an ISP account
>and request hourly or daily reports on the IP ranges you're interested in.
>See
>
>http://www.spamcop.net/fom-serve/cache/94.html
>
>You're not listed by SpamCop anymore but you are on a couple of other
>blacklists
>
>http://openrbl.org/ip/193/252/22/175.htm
>
>Given your presence on SpamBag "backscatter", it's possible that you've been
>bouncing (not rejecting) spam and viruses, which is an annoying thing to be
>doing and will get you blacklisted sooner or later.

There is currently no automated way to get a listing history without a specific report id to find it, and even then, you only get rough statistics. More detailed stats used to be published, but spammers were using it to finesse the system.

-- 
Mat.

From wb8tyw at qsl.network Tue Feb 1 23:24:09 2005
From: wb8tyw at qsl.network (John E. Malmberg)
Date: Tue Feb 1 23:25:02 2005
Subject: [SC-Help] Re: History
In-Reply-To:
References:
Message-ID:

Paul Peeraerts wrote:
> My mail server uses the Spamcop blacklists, and a client that tried to
> send a mail to us received the following warning:
>
> Blocked - see http://www.spamcop.net/bl.shtml?193.252.22.175
> but if you go to that URL you get:
>
> 193.252.22.175 not listed in bl.spamcop.net
>
> So I suppose the IP-number was delisted just recently. Is there a place
> where I can find the recent history of listing and delisting for a given
> IP-number?

The full information is only available from a deputy, because as has been explained before, the spammers were using the data.

But there is more information available from other sources:

And unless your client's ISP fixes what appears to be a severe security problem on their network, they will probably find more and more networks refusing their e-mail.

http://ops.mail-abuse.com/cgi-bin/nph-ops-sview?193.252.22.175

It shows that this is the output relaying for a web mailer that as of Jan 23 was sending illegal Nigerian 419 scams on behalf of criminals.

As long as these criminals can use that web mailer, it has effectively made those mail servers the output of an open relay.

The people that report this spam to the MAPS-OPS typically also will report it to other anti-spam organizations, so there is no telling how many private blocking lists that mail server is on.

Spamhaus.org is now listing networks that permit spammers to send Nigerian 419 scams, and spamhaus.org is more widely used as a blocking list than spamcop.net. That mail server is not currently listed with spamhaus.org, but with what can be viewed from it, it is probably a matter of time.

http://groups-beta.google.com/groups?as_epq=%22193.252.22.175%22&as_ugroup=*abuse*

Is showing a 419 scam dated JAN 30, 2005.

In this case, the mail server is not admitting where it got the spam that it is sending from, which is a very bad sign.
It indicates that the spammer possibly has administrative access to the server, or a server on a local LAN.

The public evidence is that this mail server and the network around them have severe security problems and a number of criminals on the internet have found this out, and have taken at least some control of them.

Criminals sell this information to other criminals, so until your client's ISP takes action to stop them, this problem will only get worse for them.

I would not worry too much about the spamcop.net reports, I would recommend that your client's ISP do a complete security audit on the servers until they find out how these criminals are able to send spam through it.

And unlike your server which gives an SMTP diagnostic when it does not accept e-mail, many commercial spam filters just silently delete mail from sources of spam. So when your client does not get a rejection message from other networks they send e-mail to, there still is a high possibility that their intended recipient never received their e-mail.

-John
wb8tyw@qsl.network
Personal Opinion Only

From ipmarketing at spamcop.net Wed Feb 2 08:29:58 2005
From: ipmarketing at spamcop.net (Iain)
Date: Wed Feb 2 03:35:04 2005
Subject: [SC-Help] rDNS checks and third party SMTP agents
Message-ID:

I'm still working on my same Government project and have a new issue to seek help about :-)

One proposal is that opted-in mail be despatched via a coordinated cross-Government eMail service. This is raising numerous issues including:

1. If mail is not sent in the name of the 'real' Government agency then this is both a poor user experience and could be confused for phishing mail either by the recipient or a mail scanner (I've seen mail where the scanner compared the domain quoted in links included in the body of the message with the domain of the sender and if they didn't match would insert a large 'possible fraud attempt' tag in red into the message at every link!

2.
If the cross-Government service then simply sends mail in the name (domain) of the real agency, then (I presume) unless the SMTP server is listed in the real agency's DNS the mail send would fail any rDNS check, i.e. the server would appear to be sending mail under a domain for which the server were not listed. Is this correct?

3. To ensure rDNS checks worked, would it be necessary for the sending SMTP server to have a valid MX record or would the server's IP just need to appear in the domain records? The significance of a 'valid MX' is that this would be a cross-Government *sending* service and we wouldn't want inbound mail going to it should the regular SMTP servers not be available at any time for some unexpected reason

I'm sure Mike is going to read this and think "third party sending agency...sounds like a dirty list", but it's not :-) Just well intentioned ideas for shared infrastructure which continues to give us issues. There is a lot of political desire - 'political' with a big 'P', not company politics! - for shared infrastructure with little understanding of the technical and implementation issues this often raises. The belief is it makes things simpler, easier and cheaper, although IMHO it's usually the opposite!

Thanks for any help on this. If you can see other holes a shared service like this might lead us into please feel free to say (like another user of the shared service abusing mail/spam policies and causing the entire service to become blocklisted??)

Thx.../Iain

From ipmarketing at spamcop.net Wed Feb 2 08:49:03 2005
From: ipmarketing at spamcop.net (Iain)
Date: Wed Feb 2 03:50:02 2005
Subject: [SC-Help] Re: Validating SMTP addresses
References:
Message-ID:

"Blammo" wrote in message news:Xns95E5D06E2400Eblammo@216.154.195.61...
> On 20 Jan 2005 Iain entered spamcop.help and left
> news:csns3h$48i$1@news.spamcop.net:
>
> I like to require some other information as well, and address or phone
> number, the name of their ISP.
> This of course depends on the context, but
> may give you something else to validate along with the eMail address and
> IP.

A part of the problem here is the service would predominantly be to companies. Now a small company will know their ISP but who working for a larger business knows the routing of the Internet connection.

Some of the mail to be sent will be directly related to a known company but the problem is there's no knowledge of the users and therefore their mail addresses. Just because we know the user is associated with 'Acme' and that Acme does business out of a certain address, it doesn't really help us with whether a user's mail address is correct or if mail to them fails how to contact them. They might work in a completely different location.

I think it all comes back to one of the benefits of a verified opt-in. Not only is it the proper way to put addresses onto a user's profile but sending a test/welcome/confirmatory [select your choice of term] message and waiting for a positive action back from that address (probably via URL loop-back) seems the only way to ensure the address is really working and owned by the person providing the address.

I have also come up with some plans to try and help ensure an address continues to work and mail to it is accepted. This is by monitoring click-ins from mail sent. It won't be absolute as people may not use the links but if they do it will help to give confidence that an address is still 'good'. This could even be used as a basis for a periodic re-verify message. If link usage were observed then no need, but if no observed response from an address then maybe re-verify after a period of 12 months since last known contact, i.e. click-in/opt-in verify.

.../Iain

From nobody at devnull.spamcop.net Wed Feb 2 09:41:45 2005
From: nobody at devnull.spamcop.net (Paul Peeraerts)
Date: Wed Feb 2 04:55:39 2005
Subject: [SC-Help] Re: History
In-Reply-To:
References:
Message-ID:

Thanks John and Mathew for your very interesting information!

Paul

From TJLWBECGSGWU at spammotel.com Wed Feb 2 11:46:58 2005
From: TJLWBECGSGWU at spammotel.com (Mathew Hendry)
Date: Wed Feb 2 06:50:03 2005
Subject: [SC-Help] Re: rDNS checks and third party SMTP agents
References:
Message-ID: <7tb101pd96nd97mpn6l7tq1ch66l2bpqev@4ax.com>

"Iain" wrote in :
>One proposal is that opted-in mail be despatched via a coordinated
>cross-Government eMail service. This is raising numerous issues including:
>
>1. If mail is not sent in the name of the 'real' Government agency then this
>is both a poor user experience and could be confused for phishing mail
>either by the recipient or a mail scanner (I've seen mail where the scanner
>compared the domain quoted in links included in the body of the message with
>the domain of the sender and if they didn't match would insert a large
>'possible fraud attempt' tag in red into the message at every link!
>
>2. If the cross-Government service then simply sends mail in the name
>(domain) of the real agency, then (I presume) unless the SMTP server is
>listed in the real agency's DNS the mail send would fail any rDNS check,
>i.e. the server would appear to be sending mail under a domain for which the
>server were not listed. Is this correct?
>
>3. To ensure rDNS checks worked, would it be necessary for the sending SMTP
>server to have a valid MX record or would the server's IP just need to appear
>in the domain records? The significance of a 'valid MX' is that this would
>be a cross-Government *sending* service and we wouldn't want inbound mail
>going to it should the regular SMTP servers not be available at any time for
>some unexpected reason

Systems like SPF and SenderID may be what you're looking for here.
Your government agencies would publish specially formatted DNS records for their domains saying "we send e-mail [only] from these IP addresses":

http://spf.pobox.com

Use of third party mail certification systems (Bonded Sender, Habeas, ISIPP, ...) might be a good idea as well.

One big problem I can see with a centralised system like this is that if there's a single significant security incident at one of the client agencies, every single agency could find its e-mail blacklisted. That and the possibility of catastrophic system failure - not an unknown occurrence in government IT projects... ;)

-- 
Mat.

From wb8tyw at qsl.network Wed Feb 2 10:40:26 2005
From: wb8tyw at qsl.network (John E. Malmberg)
Date: Wed Feb 2 11:45:04 2005
Subject: [SC-Help] Re: Validating SMTP addresses
References:
Message-ID: <5oamKzfjk95N@eisner.encompasserve.org>

In article , "Iain" writes:
>
> I have also come up with some plans to try and help ensure an address
> continues to work and mail to it is accepted. This is by monitoring
> click-ins from mail sent. It won't be absolute as people may not use the
> links but if they do it will help to give confidence that an address is
> still 'good'. This could even be used as a basis for a periodic re-verify
> message. If link usage were observed then no need, but if no observed
> response from an address then maybe re-verify after a period of 12 months
> since last known contact, i.e. click-in/opt-in verify.

Careful with paying attention to click-ins. A click-in should only be considered valid for a short period of time after the e-mail can reasonably assumed to be accepted and read by a user. After that, it is dead forever, and never should be used as a substitute for a password.

There are several ways that a message with confirming click-ins may end up visible to the public internet.

One is by users accidentally posting it to a mailing list that is archived on the internet.
Another is that when a spam filter misclassifies one as spam, some users will automatically post it to news.admin.net-abuse.sightings intact.

And of course there are those nice viruses that will pick a random e-mail or other document (even deleted ones) and mail it out with them as a "cover".

If you are thinking of using web bugs, which are a variant of clickable links, but are automatically activated by reading e-mail, secure mail clients disable those by default.

-John
wb8tyw@qsl.network
Personal Opinion Only

From ipmarketing at spamcop.net Wed Feb 2 17:42:21 2005
From: ipmarketing at spamcop.net (Iain)
Date: Wed Feb 2 12:45:03 2005
Subject: [SC-Help] Re: Validating SMTP addresses
References: <5oamKzfjk95N@eisner.encompasserve.org>
Message-ID:

"John E. Malmberg" wrote in message news:5oamKzfjk95N@eisner.encompasserve.org...
> In article ,
> "Iain" writes:

> Careful with paying attention to click-ins. A click-in should only be
> considered valid for a short period of time after the e-mail can
> reasonably
> assumed to be accepted and read by a user. After that, it is dead
> forever,
> and never should be used as a substitute for a password.

The click-in is only evidence the Email was received and a link it contained being used. The click-in is not a substitute login!

.../Iain

From wb8tyw at qsl.network Wed Feb 2 16:54:58 2005
From: wb8tyw at qsl.network (John E. Malmberg)
Date: Wed Feb 2 18:00:03 2005
Subject: [SC-Help] Re: rDNS checks and third party SMTP agents
References:
Message-ID:

In article , "Iain" writes:
> I'm still working on my same Government project and have a new issue to seek
> help about :-)
>
> One proposal is that opted-in mail be despatched via a coordinated
> cross-Government eMail service. This is raising numerous issues including:
>
> 1.
> If mail is not sent in the name of the 'real' Government agency then this
> is both a poor user experience and could be confused for phishing mail
> either by the recipient or a mail scanner (I've seen mail where the scanner
> compared the domain quoted in links included in the body of the message with
> the domain of the sender and if they didn't match would insert a large
> 'possible fraud attempt' tag in red into the message at every link!

Should not be a problem if the mail server is configured correctly. The domain that the mail server is operating from does not have to match the domain name that the message is coming from.

As long as the rDNS and DNS entries are correct for the mail server, only a very badly broken spam filter should ever trip on them. And such a broken spam filter probably has such a high positive rate that no one sane takes it seriously.

As long as both the sending from name and the mailserver network name are domain names that can only be issued to the government, there should be no suspicion of phishing.

Where things get funny is when some government employee pays taxpayers money to register a commercial domain instead of using one of the ones reserved to the government that they can usually get for "free". That sets the stage for being mistaken for phishing no matter what mail server they use.

The other area where real mail can be mistaken for phishing is where government/company mailings are sent out on an external provider's mail service which has an I.P. address that is shared with other mailings, and so the domain name of the sending mail server as determined by rDNS is not associated with the claimed government agency or company.

> 2. If the cross-Government service then simply sends mail in the name
> (domain) of the real agency, then (I presume) unless the SMTP server is
> listed in the real agency's DNS the mail send would fail any rDNS check,
> i.e.
> the server would appear to be sending mail under a domain for which the
> server were not listed. Is this correct?

No. rDNS checks apply only to the server name, not the domain that the mail claims to be sent from.

> 3. To ensure rDNS checks worked, would it be necessary for the sending SMTP
> server to have a valid MX record or would the server's IP just need to appear
> in the domain records? The significance of a 'valid MX' is that this would
> be a cross-Government *sending* service and we wouldn't want inbound mail
> going to it should the regular SMTP servers not be available at any time for
> some unexpected reason

MX records are only required for incoming mail servers not outgoing mail servers.

That is one of the weaknesses in SMTP e-mail that various discussions are trying to come up with a solution to. There currently is no way that a domain owner can indicate which mail servers are allowed to relay mail for an I.P. address.

SPF is a proposed solution for that, but it is incompatible with existing mail forwarding services.

MX records control what mail server(s) will accept e-mail for a domain name, and the lack of an MX record for a sending mail server should not cause any problem unless the spam filter is badly broken as stated above.

As near as I can determine, my broadband ISP has about 12 incoming mail servers, and an unknown amount of outgoing mail servers, and it does not look like the incoming mail servers are used for normal outgoing mail.

> I'm sure Mike is going to read this and think "third party sending
> agency...sounds like a dirty list", but it's not :-) Just well intentioned
> ideas for shared infrastructure which continues to give us issues. There is a
> lot of political desire - 'political' with a big 'P', not company
> politics! - for shared infrastructure with little understanding of the
> technical and implementation issues this often raises.
> The belief is it
> makes things simpler, easier and cheaper, although IMHO it's usually the
> opposite!

I would strongly recommend getting a local person that understands all the technical issues involved with operating a mail server for multiple shared domains.

What you want to do is really quite a common and normal thing, so if the technical staff for the network and mail server know what you want to do, they should have no problems doing it.

If they can not do it easily, it means you need to find some that do, or you're likely to have a lot of easily avoided problems.

> Thanks for any help on this. If you can see other holes a shared service
> like this might lead us into please feel free to say (like another user of
> the shared service abusing mail/spam policies and causing the entire service
> to become blocklisted??)

For disaster tolerance, you should have a backup sending server, and such depending on how critical your need is.

It is pretty easy to set up a mailer that never gets caught by properly implemented anti-spam defenses.

It is impossible to set up a mailer that never gets caught by some person's broken spam filter implementation, so it is a waste of time trying to anticipate more than the elementary things, like never sending HTML or attachments without permission.

-John
wb8tyw@qsl.network
Personal Opinion Only

From buzzard554 at fastmail.co.uk Thu Feb 3 09:53:14 2005
From: buzzard554 at fastmail.co.uk (Martin Edwards)
Date: Thu Feb 3 04:50:24 2005
Subject: [SC-Help] Re: Fake bounce defeats Spamcop (again)
In-Reply-To:
References:
Message-ID:

Martin Edwards wrote:
> I get these, and the poster's example have it in common with mine that
> the Return-path line is empty. My guess is that that is the reason. Can
> someone more technically savvy than me help out here?

Eg

http://www.spamcop.net/sc?id=z728091513z67ff16d4bd1c5ad4df2b459b9e1eaeacz

I was parsing the headers only for manual reporting.
It nearly always works, and I don't think I left anything in that looks like a body.

From buzzard554 at fastmail.co.uk Thu Feb 3 09:55:49 2005
From: buzzard554 at fastmail.co.uk (Martin Edwards)
Date: Thu Feb 3 04:55:14 2005
Subject: [SC-Help] Re: Fake bounce defeats Spamcop (again)
In-Reply-To:
References:
Message-ID:

Martin Edwards wrote:
> I get these, and the poster's example have it in common with mine that
> the Return-path line is empty. My guess is that that is the reason. Can
> someone more technically savvy than me help out here?

Same thing:

http://www.spamcop.net/sc?id=z728092768z6a8dea18d7f2e1aa1cf98ac04833e78cz

From MikeE at ster.invalid Thu Feb 3 02:31:57 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Feb 3 05:35:23 2005
Subject: [SC-Help] Re: Fake bounce defeats Spamcop (again)
References:
Message-ID:

Martin Edwards wrote:
www.spamcop.net/sc?id=z728091513z67ff16d4bd1c5ad4df2b459b9e1eaeacz
>
> I was parsing the headers only for manual reporting. It nearly always
> works, and I don't think I left anything in that looks like a body.

> Same thing:
> www.spamcop.net/sc?id=z728092768z6a8dea18d7f2e1aa1cf98ac04833e78cz

Both of those 'suffer' from the condition of the bottom trace Received line not being 'folded' properly. If I clean it up by removing the returns from that bottom line on each of them, then the header with no body will parse properly.

www.spamcop.net/sc?id=z728100877zbb47adbcd36360cd302b39052b261134z
Received: from mzcf ([62.0.66.142])

www.spamcop.net/sc?id=z728099746z44f0a06e0d4ef8f93902fbdf2cb8f9e0z
Received: from ldxulow ([62.0.66.142])

Presumably the problem with the improper line configuration lies with the server for the dialup 62.0.66.142 rDNS dialup-62-0-66-142.tlv.netvision.net.il -- namely mxout5.netvision.net.il DNS 194.90.9.29

-- 
Mike Easter
kibitzer, not SC admin

From buzzard554 at fastmail.co.uk Thu Feb 3 18:25:02 2005
From: buzzard554 at fastmail.co.uk (Martin Edwards)
Date: Thu Feb 3 13:25:06 2005
Subject: [SC-Help] Re: Fake bounce defeats Spamcop (again)
In-Reply-To:
References:
Message-ID:

Mike Easter wrote:
> Martin Edwards wrote:
> www.spamcop.net/sc?id=z728091513z67ff16d4bd1c5ad4df2b459b9e1eaeacz
>
>>I was parsing the headers only for manual reporting. It nearly always
>>works, and I don't think I left anything in that looks like a body.
>
>
>>Same thing:
>>
>
> www.spamcop.net/sc?id=z728092768z6a8dea18d7f2e1aa1cf98ac04833e78cz
>
> Both of those 'suffer' from the condition of the bottom trace Received
> line not being 'folded' properly. If I clean it up by removing the
> returns from that bottom line on each of them, then the header with no
> body will parse properly.
>
> www.spamcop.net/sc?id=z728100877zbb47adbcd36360cd302b39052b261134z
> Received: from mzcf ([62.0.66.142])
>
> www.spamcop.net/sc?id=z728099746z44f0a06e0d4ef8f93902fbdf2cb8f9e0z
> Received: from ldxulow ([62.0.66.142])
>
> Presumably the problem with the improper line configuration lies with
> the server for the dialup 62.0.66.142 rDNS
> dialup-62-0-66-142.tlv.netvision.net.il -- namely
> mxout5.netvision.net.il DNS 194.90.9.29
>

Thanks. I'll check for that next time.
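
The folding problem described in the thread above (a continuation of the bottom Received line that starts in column one instead of with whitespace) can be checked for before submitting headers. This is an added example, not part of the original posts and not SpamCop's parser; the sample header is constructed around the one Received line quoted in the thread, and the function names are hypothetical.

```python
"""Detect and repair header lines that were folded without leading whitespace."""
import re
from email import message_from_string

# RFC 2822 field name: printable ASCII without space or colon, then a colon.
FIELD_START = re.compile(r"^[!-9;-~]+:")

# Constructed sample. Only "Received: from mzcf ([62.0.66.142])" and the host
# name mxout5.netvision.net.il appear in the thread; everything else is made up.
BROKEN = (
    "Return-Path: <>\n"
    "Received: from mx.example.org (mx.example.org [192.0.2.25])\n"
    "\tby mail.example.com with ESMTP id 1A2B3C;\n"
    "\tThu, 3 Feb 2005 09:40:11 +0000\n"
    "Received: from mzcf ([62.0.66.142])\n"
    "by mxout5.netvision.net.il with SMTP;\n"   # continuation without WSP
    "Thu, 3 Feb 2005 11:39:58 +0200\n"          # continuation without WSP
    "Subject: Delivery failure\n"
)


def _is_stray(lineno, line):
    """True for a header-block line that is neither a new field nor a
    whitespace-led continuation. Heuristic: a stray line that happens to
    begin with 'word:' cannot be told apart from a real field."""
    if lineno == 1 and line.startswith("From "):
        return False  # mbox envelope line, as in this archive
    return bool(line) and line[0] not in " \t" and not FIELD_START.match(line)


def find_bad_folds(raw):
    """Return [(line_number, text)] for improperly folded header lines."""
    bad = []
    for n, line in enumerate(raw.splitlines(), 1):
        if not line:
            break  # blank line ends the header block
        if _is_stray(n, line):
            bad.append((n, line))
    return bad


def repair_folds(raw):
    """Join stray lines onto the preceding field ("removing the returns")."""
    out, in_headers = [], True
    for n, line in enumerate(raw.splitlines(), 1):
        if in_headers and not line:
            in_headers = False
        if in_headers and out and _is_stray(n, line):
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def parse_summary(raw):
    """What a standard parser sees: unfolded Received hops and the Subject."""
    msg = message_from_string(raw)
    hops = [" ".join(v.split()) for v in msg.get_all("Received", [])]
    return {"hops": hops, "subject": msg["Subject"]}


if __name__ == "__main__":
    for n, text in find_bad_folds(BROKEN):
        print(f"line {n}: not a field and not folded: {text!r}")
    print("before:", parse_summary(BROKEN))
    print("after: ", parse_summary(repair_folds(BROKEN)))
```

Before the repair, Python's standard parser ends the header block at the first stray line, so the bottom hop is cut short and every later header is treated as body text.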

From nobody at spamcop.net Thu Feb 3 19:18:00 2005
From: nobody at spamcop.net (Ellen)
Date: Thu Feb 3 19:35:03 2005
Subject: [SC-Help] Maint window 2/4/2005
Message-ID:

The system will be in maintenance mode for some hardware changes tomorrow at about 2PM PST. The maintenance is to address the outages of the last 48 hours that you may have noticed. The maintenance should take under an hour. This will affect only the reporting system and not the email system.

Ellen
SpamCop

followups to spamcop
Please propagate to the appropriate forums.

From ric.gates at bigsleep.org Fri Feb 4 05:20:34 2005
From: ric.gates at bigsleep.org (Blammo)
Date: Fri Feb 4 00:25:04 2005
Subject: [SC-Help] Re: Validating SMTP addresses
References:
Message-ID:

On 02 Feb 2005 Iain entered spamcop.help and left news:ctq466$658$1@news.spamcop.net:

> A part of the problem here is the service would predominantly be to
> companies. Now a small company will know their ISP but who working for
> a larger business knows the routing of the Internet connection.
>
> Some of the mail to be sent will be directly related to a known
> company but the problem is there's no knowledge of the users and
> therefore their mail addresses. Just because we know the user is
> associated with 'Acme' and that Acme does business out of a certain
> address, it doesn't really help us with whether a user's mail address
> is correct or if mail to them fails how to contact them. They might
> work in a completely different location.
>

Oh yes, don't I know that problem. But what I mean is having some information on the subscriber gives you information that you may be able to track, and information that you can use to legitimize the opt-in.

I am really getting tired of bogus opt-ins, when they do have any subscribe info it's always bogus - the name is wrong, the address is wrong and the IP (if stated) is bogus.
I had a reply from the TinyURL guy asking why I don't just unsubscribe, and I told him about all the bogus info and I would rather keep reporting it than unsub.

I find it very odd that the same name (I have no idea where the name came from) is used for many different types of spam advertising many different types of sites, all from many different ISPs. Even sending unmunged reports to ISP/Admins that white-list (or forward reports) doesn't even make any difference, so I no longer send reports to some of them. I've been getting this crap for 4 years now, and I guess I'm just going to keep reporting the idiots.

Then there's one piece of junk I get that I *may* have subscribed to, but I don't remember doing so (it would've been over 4 years ago if I did) and they've never provided any proof that I actually did, so I continue to report them.

Sorry to rant, but this junk stops and then starts up again and I get pissed.

-- 
| Ric |

From ric.gates at bigsleep.org Fri Feb 4 05:26:29 2005
From: ric.gates at bigsleep.org (Blammo)
Date: Fri Feb 4 00:30:09 2005
Subject: [SC-Help] Re: phishing emails...
References:
Message-ID:

On 31 Jan 2005 Bert Driehuis entered spamcop.help and left news:ctmngi$etc$1@news.spamcop.net:

> For example, if you're not sure where to report eBay spoofs, a good
> starting point would be to Google for
>

Some of them will reply to your eMail, Paypal will reply. Replies are nice, it makes you feel like they want to know.

I really don't understand why they can't these bank scammers, how hard can it be to catch them, just give them what they want. Seems that reporting them is futile.

-- 
| Ric |

From ric.gates at bigsleep.org Fri Feb 4 05:54:57 2005
From: ric.gates at bigsleep.org (Blammo)
Date: Fri Feb 4 00:55:05 2005
Subject: [SC-Help] Re: rDNS checks and third party SMTP agents
References:
Message-ID:

On 02 Feb 2005 Iain entered spamcop.help and left news:ctq32d$5a0$1@news.spamcop.net:

> 3.
> To ensure rDNS checks worked, would it be necessary for the sending
> SMTP server to have a valid MX record or would the server's IP just
> need to appear in the domain records? The significance of a 'valid MX'
> is that this would be a cross-Government *sending* service and we
> wouldn't want inbound mail going to it should the regular SMTP servers
> not be available at any time for some unexpected reason
>

As John said, MX records have nothing to do with outgoing mail, MX just defines which IP(s) accepts incoming mail. The From header does not have to be the same as the SMTP Mail From, just make sure the SMTP commands are valid. You also have the To: and Reply-To: headers, so you can use these to make the message look presentable, without causing SMTP problems.

Take a look at this absolutely horrid wizard
http://spf.pobox.com/wizard.html
It took me two days of reading and testing to make any sense out of that, so if anyone unfamiliar with it can get it, my hat's off to ya.

And to confuse you even more...
http://spf.pobox.com/mechanisms.html
and
http://spftools.infinitepenguins.net/create.php

And to make matters worse, you can run tests
http://spftools.infinitepenguins.net/check.php
http://spf.pobox.com/why.html
But don't make a mistake or you're screwed because they cache DNS, making it rather useless.

If you figure that all out you'll either learn more about SMTP and SPF, or become completely confused, depending on what you knew before.

-- 
| Ric |

From nobody at spamcop.net Fri Feb 4 07:54:08 2005
From: nobody at spamcop.net (Miss Betsy)
Date: Fri Feb 4 07:55:03 2005
Subject: [SC-Help] Re: phishing emails...
References:
Message-ID:

"Blammo" wrote in message news:Xns95F2DA42FBB61blammo@216.154.195.61...
> On 31 Jan 2005 Bert Driehuis entered spamcop.help and left
> news:ctmngi$etc$1@news.spamcop.net:
>
> > For example, if you're not sure where to report eBay spoofs, a good
> > starting point would be to Google for
> >
>
> Some of them will reply to your eMail, Paypal will reply.
> Replies are nice, it makes you feel like they want to know.
>
> I really don't understand why they can't these bank scammers, how hard can
> it be to catch them, just give them what they want. Seems that reporting
> them is futile.

Part of it may be that in order to prosecute, there has to be someone who actually lost money (though I don't know why they can't do a sting?) and another part may be that they rise up as fast as they catch them. I mean that they arrest drunken drivers all the time, but there are still drunken drivers to arrest.

Miss Betsy

From CGray2 at kc.rr.com Fri Feb 4 11:46:58 2005
From: CGray2 at kc.rr.com (Lane Gray, Czar Castic)
Date: Fri Feb 4 12:45:04 2005
Subject: [SC-Help] Opera problems
Message-ID:

While trying to send a spam to Spamcop, apparently Opera munches up things, as Spamcop says it sees no links in the spam, and off to the appropriate page where they say how to workaround with OE. It doesn't mention what to do when the problem comes from Opera's M2 mailer (which I use and love). I wanted to report the website even more than I wanted to report the spammer, as the spam was a phishing expedition, and those bug me.

Any workarounds for Opera?

I make the email the active window, press 'C' which puts the raw text in the clipboard, then paste it into a new mail, which I send to spamcop. What else is there?

--
Lane Gray
Yes, I'm a minion of Satan, but my duties are largely ceremonial

From Merlyn at Spamcop.net Fri Feb 4 13:21:53 2005
From: Merlyn at Spamcop.net (Merlyn)
Date: Fri Feb 4 13:25:03 2005
Subject: [SC-Help] Re: Opera problems
References:
Message-ID:

"Lane Gray, Czar Castic" wrote in message news:cu0ca8$9fj$1@news.spamcop.net...
> While trying to send a spam to Spamcop, apparently Opera munches up
> things, as Spamcop says it sees no links in the spam, and off to the
> appropriate page where they say how to workaround with OE. It doesn't
> mention what to do when the problem comes from Opera's M2 mailer (which I
> use and love). I wanted to report the website even more than I wanted to
> report the spammer, as the spam was a phishing expedition, and those bug
> me.
> Any workarounds for Opera?
> I make the email the active window, press 'C' which puts the raw text in
> the clipboard, then paste it into a new mail, which I send to spamcop.
> What else is there?
>

Can you send it (the spam) as an attachment instead of pasting it into a new email?

--
Regards,
Merlyn
A Spamcop advocate
No emails this account is for newsgroups only
People demand freedom of speech to make up for the freedom of thought which they avoided

From CGray2 at kc.rr.com Fri Feb 4 13:03:01 2005
From: CGray2 at kc.rr.com (Lane Gray, Czar Castic)
Date: Fri Feb 4 14:05:07 2005
Subject: [SC-Help] Re: Opera problems
References:
Message-ID:

Merlyn wrote:

> "Lane Gray, Czar Castic" wrote in message
> news:cu0ca8$9fj$1@news.spamcop.net...
> > While trying to send a spam to Spamcop, apparently Opera munches up
> > things, as Spamcop says it sees no links in the spam, and off to the
> > appropriate page where they say how to workaround with OE. It doesn't
> > mention what to do when the problem comes from Opera's M2 mailer (which I
> > use and love). I wanted to report the website even more than I wanted to
> > report the spammer, as the spam was a phishing expedition, and those bug
> > me.
> > Any workarounds for Opera?
> > I make the email the active window, press 'C' which puts the raw text in
> > the clipboard, then paste it into a new mail, which I send to spamcop.
> > What else is there?
> >
>
> Can you send it (the spam) as an attachment instead of pasting it into a new
> email?
>

Sadly, Opera currently has no facility for that. The last year or so, their developers have been working on full-featured IMAP support, and that's taken all their time. Future versions may hopefully include that, along with ROT13 support.

--
Lane Gray
Yes, I'm a minion of Satan, but my duties are largely ceremonial

From MikeE at ster.invalid Fri Feb 4 12:15:21 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Feb 4 15:15:24 2005
Subject: [SC-Help] Re: Opera problems
References:
Message-ID:

Lane Gray, Czar Castic wrote:

> While trying to send a spam to Spamcop, apparently Opera munches up
> things, as Spamcop says it sees no links in the spam,

Post a tracking url so we can see what SC is looking at.

--
Mike Easter
kibitzer, not SC admin

From ric.gates at bigsleep.org Sat Feb 5 03:01:01 2005
From: ric.gates at bigsleep.org (Blammo)
Date: Fri Feb 4 22:05:14 2005
Subject: [SC-Help] Re: phishing emails...
References:
Message-ID:

On 04 Feb 2005 Miss Betsy entered spamcop.help and left news:ctvr2t$u2g$1@news.spamcop.net:

> Part of it may be that in order to prosecute, there has to be
> someone who actually lost money (though I don't know why they can't
> do a sting?) and another part may be that they rise up as fast as
> they catch them. I mean that they arrest drunken drivers all the
> time, but there are still drunken drivers to arrest.
>

Another thing I thought of is that they may be using this info for something else. However it seems a simple matter for the bank to use these eMails to trap the scammers. Certainly the eMail itself is evidence of intent, they could send the scammers information they can track.
--
| Ric |

From ric.gates at bigsleep.org Sat Feb 5 03:14:07 2005
From: ric.gates at bigsleep.org (Blammo)
Date: Fri Feb 4 22:15:04 2005
Subject: [SC-Help] Re: Opera problems
References:
Message-ID:

On 04 Feb 2005 Lane Gray, Czar Castic entered spamcop.help and left news:cu0gor$cr2$1@news.spamcop.net:

> Merlyn wrote:
>> "Lane Gray, Czar Castic" wrote in message
>> news:cu0ca8$9fj$1@news.spamcop.net...
>> > While trying to send a spam to Spamcop, apparently Opera munches up
>> > things, as Spamcop says it sees no links in the spam, and off to the
>> > appropriate page where they say how to workaround with OE. It doesn't
>> > mention what to do when the problem comes from Opera's M2 mailer
> (which I
>> > use and love). I wanted to report the website even more than I wanted
> to
>> > report the spammer, as the spam was a phishing expedition, and those
> bug
>> > me.
>> > Any workarounds for Opera?
>> > I make the email the active window, press 'C' which puts the raw text
> in
>> > the clipboard, then paste it into a new mail, which I send to spamcop.
>> > What else is there?
>> >
>>
>> Can you send it (the spam) as an attachment instead of pasting it into a
> new
>> email?
>>
> Sadly, Opera currently has no facility for that. The last year or so,
> their developers have been working on full-featured IMAP support, and
> that's taken all their time. Future versions may hopefully include that,
> along with ROT13 support.
>
>

Can you save it as a file? Or copy it like you do, paste it into a text editor (TextView, NotePad, TextPad...) save it as "spam.eml" then send it as an attachment. You should be able to send multiple emails this way. I'm not actually sure this will work because it may not send it in a content-type that SpamCop will accept. I tried this with Mozilla and it sent it as "message/rfc822".
--
| Ric |

From nobody at spamcop.net Sat Feb 5 09:17:42 2005
From: nobody at spamcop.net (Miss Betsy)
Date: Sat Feb 5 09:15:04 2005
Subject: [SC-Help] Re: phishing emails...
References:
Message-ID:

"Blammo" wrote in message news:Xns95F3C19A6CE9Fblammo@216.154.195.61...

> On 04 Feb 2005 Miss Betsy entered spamcop.help and left
> news:ctvr2t$u2g$1@news.spamcop.net:
>
> > Part of it may be that in order to prosecute, there has to be
> > someone who actually lost money (though I don't know why they can't
> > do a sting?) and another part may be that they rise up as fast as
> > they catch them. I mean that they arrest drunken drivers all the
> > time, but there are still drunken drivers to arrest.
> >
>
> Another thing I thought of is that they may be using this info for
> something else. However it seems a simple matter for the bank to use these
> eMails to trap the scammers. Certainly the eMail itself is evidence of
> intent, they could send the scammers information they can track.

As you say, maybe they don't actually use the info directly so that when the bank sends the info, nothing happens. Or maybe the bank doesn't want to lose a big enough sum to tempt them. Obviously, they have figured out how to avoid being nailed while getting enough gullible people to bite to make it worthwhile. And sometimes I wonder if some of them aren't just a game - some hacker kid who just keeps count on how many filters he avoids and how bites he gets as well as the wannaberich who don't know how to use the software they bought so all their spam gets deleted one way or another and nobody bites so there is no way to stop them until they get discouraged.

Miss Betsy

From buzzard554 at fastmail.co.uk Mon Feb 7 19:22:44 2005
From: buzzard554 at fastmail.co.uk (Martin Edwards)
Date: Mon Feb 7 14:20:07 2005
Subject: [SC-Help] Parser fooled: suggestions?
Message-ID:

http://www.spamcop.net/sc?id=z729770546z8326b1146bb1c9c7b815bae051e5b79fz

From nobody at devnull.spamcop.net Mon Feb 7 13:24:05 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Mon Feb 7 14:25:03 2005
Subject: [SC-Help] Re: Parser fooled: suggestions?
References:
Message-ID:

"Martin Edwards" wrote in message news:cu8evc$g17$1@news.spamcop.net...

> http://www.spamcop.net/sc?id=z729770546z8326b1146bb1c9c7b815bae051e5b79fz

It all starts with just what you are using to submit your spam. On this case, the problem starts with the first line of text; "A false bounce was received via your server with the ...." which is then followed by a blank line ... the parser reads this line as the "header" and of course craps out. Probably no sense talking about the lack of a body at this point ....

From bite_me at its.fun Mon Feb 7 20:01:36 2005
From: bite_me at its.fun (Rev. Guido S. DeLuxe, DD, LDD, OGG, OHS, ST, MI, MSU)
Date: Mon Feb 7 23:15:05 2005
Subject: [SC-Help] spamcop "cannot resolve..." but the web site is there, and i can get a whois...
Message-ID:

i've been getting quite a number of spamvertised websites that spamcop is unable to resolve, but when i try the URL, the web site is there, and when i do a manual whois, information comes up right away... is there something wrong with spamcop, or is there something else going on?

From jeff.simon.2 at sbcglobal.net Tue Feb 8 00:03:39 2005
From: jeff.simon.2 at sbcglobal.net (Jeff)
Date: Tue Feb 8 00:05:03 2005
Subject: [SC-Help] Spammers getting smarter?
Message-ID:

I noticed that Spammers seem to have found a way around the block image feature of Outlook Express in Windows XP SP2. The images are loading and there are attachments with nearly all the spam involved now. It is not Microsoft's fault either. Some Spam with Images is still blocked. Do you know how to open these e-mails without notifying the Spammers that it was opened?
I am getting bombarded with spam now and I had it fairly under control for awhile. Now it's picking up, like 15 or more a day when it used to be around 6 or less! I know they must be knowing that I opened them. I hope someone can help me out, thanks in advance!

Jeff

From bite_me at its.fun Mon Feb 7 23:36:00 2005
From: bite_me at its.fun (Rev. Guido S. DeLuxe, DD, LDD, OGG, OHS, ST, MI, MSU)
Date: Tue Feb 8 02:50:07 2005
Subject: [SC-Help] disinformation newsletter that i subscribe to is suddently getting flagged by spamcop
Message-ID:

this is a little complex, so bear with me...

i'm subscribed to the disinformation mailing list. have been for several years now. it has only recently started being a problem... i'd say maybe a month or so ago. someone, and i think it's spamcop, is letting the mailing list through (probably because i have whitelisted it on webmail), but it's getting flagged as spam by spam assassin, and when it arrives on my machine, instead of getting routed to the disinformation mailbox, it gets routed to the spam mailbox. i'm sure that it's not my mailserver that is flagging it as spam, because on my mailserver i have a procmail rule that makes an end run around spam assassin when it encounters a sender address at disinfo dot com. the only other place that i know of that's filtering my mail through spam assassin is spamcop.

what i need to know is:

1) how do i essentially set up a procmail rule on spamcop, like i did on my own mailserver, or otherwise convince the version of spam assassin that spamcop is running to ignore the disinformation newsletter?

2) what's different about the disinformation newsletter or about the version of spam assassin that's running on spamcop's mailservers, that causes disinfo to be flagged as spam now, when it wasn't getting flagged until around a month ago?

From MikeE at ster.invalid Tue Feb 8 03:49:01 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Feb 8 06:50:06 2005
Subject: [SC-Help] Re: spamcop "cannot resolve..." but the web site is there, and i can get a whois...
References:
Message-ID:

Rev. Guido S. DeLuxe,

> i've been getting quite a number of spamvertised websites that
> spamcop is unable to resolve, but when i try the URL, the web site is
> there, and when i do a manual whois, information comes up right
> away... is there something wrong with spamcop, or is there something
> else going on?

It is very common for people to post examples of spamvertised URLs here which SC can't resolve. When 'we' play with them, where 'play' represents accessing the URL with a browser, resolving the URL with /our/ resolvers, or 'studying' the nameservice in depth with something like dnsstuff's facilities to time measure nameservice and to obtain a dns report of the 'integrity' of the domainname, including nameservice, stealth nameservice, and other features such as mx, we generally see some kind of 'mess'. 'We' can't actually see whether or not spamcop's resolver has been blocked by the domain's nameserver/s, but probably sometimes it is.

So, the shorter answer is that when SC can't resolve a URL, sometimes it is because the domainname's nameservice is flakey, sometimes it is because SC is blocked, sometimes both. We out here can't determine which is which, except for the flakiness part.

If you are a paid reporter, you can add additional notifies to your report. You can resolve the URL on your own and feed the IP to the parser to get SC's notify information and add those notifies to the report which missed the URL for resolving problems. If you are a free reporter, you can manually notify the same way.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Tue Feb 8 04:11:34 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Feb 8 07:25:03 2005
Subject: [SC-Help] Re: Spammers getting smarter?
References:
Message-ID:

Jeff wrote:

> Do you know how to open these e-mails without
> notifying the Spammers that it was opened?

There are several issues here, but I'll try to focus on one small area at a time.

My personal opinion is that you shouldn't be opening or previewing spam or virms. The spams should have been sorted into the Junk folder with some kind of filter which can 'comb' through the headers and body effectively identifying spams so that they don't populate your Inbox. I use SpamPal. You should *not* be examining spam subjects and spam froms with your human eyeballs which are connected to your human brain which is connected to your human interest and curiosity and confusion and amusement to decide what is spam and what is not and most definitely you should not be opening spams to see if they are spam.

Now, given that all of the spam is in the Junk folder and not the Inbox, there is no reason to open the spams in the Junk folder unless you are some kind of 'advanced' spamfighter who is an investigator of some kind who has need to either render known spams or visit spamsites for purposes of the advanced attack on some element of the spammer's issue.

Most people who are using spamcop are simply reporting that spam, and it is a rare spam which needs to be rendered in order to accurately report it. So, you can spamcop report spams without opening them by either accessing them by the message properties to paste the item into the webparser or by mailing the closed item as an attachment to the submit address. During the examination of the spamcop parse such things as innocent bystanders in a spam can almost always be perceived in the spams which have never been opened or previewed.

In the very unusual situation that a spam needs to be opened, it can be opened in OE6 without rendering html by configuring to read as plaintext in OE/ Tools/ Options/ Read tab - check read messages in plaintext.
You can also toggle OE to go offline by putting an online/offline toggle in your toolbar, or by using File/ Work Offline to prevent webbug access if you are rendering spams for some reason in spite of my opinion. Your preview function should be disabled in OE/ View/ Layout - Preview Pane - uncheck Show preview pane. The other configuration that some people use is in OE/ Tools/ Options/ Security - check do not allow attachments to be opened or saved. Those of us who don't open spam or virms can be configured differently than those who do.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Tue Feb 8 04:27:50 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Feb 8 07:35:03 2005
Subject: [SC-Help] Re: disinformation newsletter that i subscribe to is suddently getting flagged by spamcop
References:
Message-ID:

Rev. Guido S. DeLuxe,

> i'm subscribed to the disinformation mailing list.
> 1) how do i essentially set up a procmail rule on spamcop,
> 2) what's different about the disinformation newsletter

Take a newsletter which fits your concern, ie which was tagged/filtered, submit it to the parser, copy the tracking url at the top of the parse and cancel the report. Paste the tracker here so we can take a look at the item to figure out why it was tagged as spam and also make a suggestion about whitelisting it.

--
Mike Easter
kibitzer, not SC admin

From bite_me at its.fun Tue Feb 8 06:47:02 2005
From: bite_me at its.fun (Rev. Guido S. DeLuxe, DD, LDD, OGG, OHS, ST, MI, MSU)
Date: Tue Feb 8 10:00:06 2005
Subject: [SC-Help] Re: disinformation newsletter that i subscribe to is suddently getting flagged by spamcop
References:
Message-ID:

On Tue, 08 Feb 2005 04:27:50 -0800, Mike Easter, an eminent manifestation of Tina Chopp, wrote:

> Rev. Guido S. DeLuxe,
>> i'm subscribed to the disinformation mailing list.
>
>> 1) how do i essentially set up a procmail rule on spamcop,
>
>> 2) what's different about the disinformation newsletter
>
> Take a newsletter which fits your concern, ie which was tagged/filtered,
> submit it to the parser, copy the tracking url at the top of the parse and
> cancel the report. Paste the tracker here so we can take a look at the
> item to figure out why it was tagged as spam and also make a suggestion
> about whitelisting it.

http://www.spamcop.net/sc?id=z730077084zf01b5c5b0e8415125bb1bcee1184e3a7z

From MikeE at ster.invalid Tue Feb 8 07:16:03 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Feb 8 10:20:06 2005
Subject: [SC-Help] Re: disinformation newsletter that i subscribe to is suddently getting flagged by spamcop
References:
Message-ID:

Rev. Guido

www.spamcop.net/sc?id=z730077084zf01b5c5b0e8415125bb1bcee1184e3a7z

X-Spam-Status: Yes, score=7.5 required=5.0
tests=DRUGS_DEPRESSION,HTML_30_40,
HTML_MESSAGE,J_CHICKENPOX_16,PORN_DISGUISED autolearn=disabled
version=3.0.1
X-Spam-Report:
* 0.6 J_CHICKENPOX_16 BODY: 1alpha-pock-6alpha
* 0.9 HTML_30_40 BODY: Message is 30% to 40% HTML
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 6.0 PORN_DISGUISED RAW: Disguised PORN
* 0.0 DRUGS_DEPRESSION Contains a reference to a prescription
antidepressant
X-UIDL: 5/&!!<(9"!=G]!!QCn!!

The SA 'disguised porn' rule was the killer all by itself. I don't know what the rule does, ie what it looks for, it is listed here http://spamassassin.apache.org/tests_3_0_x.html but not described - but you don't have control over the SA rules I don't think, so the way to handle it would be to simply whitelist the newsletter. 'Arguing' that the newsletter isn't 'pornish' is a waste of time. If you were configuring your own SA, maybe you wouldn't choose that rule or give it that value.

If that From is consistent, I would use it.

From: "disinfo"

--
Mike Easter
kibitzer, not SC admin

From agent01413 at my-deja.com Tue Feb 8 15:19:53 2005
From: agent01413 at my-deja.com (Socks)
Date: Tue Feb 8 10:20:10 2005
Subject: [SC-Help] Re: disinformation newsletter that i subscribe to is suddently getting flagged by spamcop
References:
Message-ID:

"Rev. Guido S. DeLuxe, DD, LDD, OGG, OHS, ST, MI, MSU" wrote in news:pan.2005.02.08.07.35.59.460421@ebeneezer.org:

> i'm subscribed to the disinformation mailing list. have been for
> several years now. it has only recently started being a problem... i'd
> say maybe a month or so ago. someone, and i think it's spamcop, is
> letting the mailing list through (probably because i have whitelisted
> it on webmail), but it's getting flagged as spam by spam assassin, and
> when it arrives on my machine, instead of getting routed to the
> disinformation mailbox, it gets routed to the spam mailbox. i'm sure
> that it's not my mailserver that is flagging it as spam, because on my
> mailserver i have a procmail rule that makes an end run around spam
> assassin when it encounters a sender address at disinfo dot com. the
> only other place that i know of that's filtering my mail through spam
> assassin is spamcop.

Spamassassin tells you when spamcop thinks something is spam. Here are my spamassassin entries from a recently flagged spam:

X-Spam-Status: Yes, hits=15.281 tagged_above=4 required=14.5 tests=AWL, DIGEST_MULTIPLE, DNS_FROM_RFC_ABUSE, DNS_FROM_RFC_POST, DOMAIN_RATIO, FORGED_RCVD_HELO, HTML_90_100, HTML_MESSAGE, MIME_HEADER_CTYPE_ONLY, MIME_HTML_ONLY, MSGID_FROM_MTA_HEADER, NORMAL_HTTP_TO_IP, PYZOR_CHECK, RAZOR2_CF_RANGE_51_100, RAZOR2_CHECK, RCVD_IN_BL_SPAMCOP_NET
X-Spam-Level: ***************
X-Spam-Flag: YES

Notice the last entry. No guesswork involved. Either spamcop identified this as an IPA already in the database, or it didn't.

--
"Some witty person in rec.arts.sf.composition (I forget who) called them feral apostrophes.
Untamed, unregulated, they roam the wastes of the English language and pop up where lea'st expected."

From MikeE at ster.invalid Tue Feb 8 08:03:34 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Feb 8 11:05:05 2005
Subject: [SC-Help] Re: disinformation newsletter that i subscribe to is suddently getting flagged by spamcop
References:
Message-ID:

Mike Easter wrote:

> The SA 'disguised porn' rule was the killer all by itself. I don't
> know what the rule does, ie what it looks for

This is the regex for the disguised porn rule:

/\b(?:c[*0]cks?|d[1*]cks?|h[0*]rny|b[1*]tch(?:es)|f[*0]ckk?ed|p[*]ssy|p[*]ssies)\b/i

--
Mike Easter
kibitzer, not SC admin

From sommerfeld at hamachi.org Tue Feb 8 11:09:24 2005
From: sommerfeld at hamachi.org (Bill Sommerfeld)
Date: Tue Feb 8 11:10:07 2005
Subject: [SC-Help] Re: disinformation newsletter that i subscribe to is suddently getting flagged by spamcop
In-Reply-To:
References:
Message-ID:

Mike Easter wrote:

> * 6.0 PORN_DISGUISED RAW: Disguised PORN
> * 0.0 DRUGS_DEPRESSION Contains a reference to a prescription
> antidepressant
> X-UIDL: 5/&!!<(9"!=G]!!QCn!!
>
> The SA 'disguised porn' rule was the killer all by itself. I don't know
> what the rule does, ie what it looks for, it is listed here
> http://spamassassin.apache.org/tests_3_0_x.html but not described

Huh? I couldn't find it there.

I found:

body Attempts to disguise porn words DISGUISE_PORN 1.490 1.835 0.798 0.030

I checked the source. DISGUISE_PORN has a pattern matching the consonants of various slang anatomical terms with wildcards in place of vowels. If you want to see it, download the source archives from http://spamassassin.apache.org/downloads.cgi and look in Mail-SpamAssassin-3.0.2/rules/20_porn.cf

PORN_DISGUISED looks like a local addition; the even "6.0" score suggests that it wasn't ranked by the spamassassin score optimiser.
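
The header reading done by eye in the messages above, as an added Python example (not code from any poster or from SpamAssassin): it parses the X-Spam-Status and X-Spam-Report values quoted in the thread and works out which rule carried the message over the threshold, and it also accepts the older `hits=` form of the status header that Socks quotes. The header values are the ones quoted in the thread; the line folding, the Subject line and all function names are constructed for the example.

```python
import re
from email import message_from_string

# Header values as quoted in the thread; the folding onto continuation
# lines and the Subject line are constructed for this example.
SAMPLE_MESSAGE = (
    "Subject: constructed sample\n"
    "X-Spam-Status: Yes, score=7.5 required=5.0\n"
    "\ttests=DRUGS_DEPRESSION,HTML_30_40,\n"
    "\tHTML_MESSAGE,J_CHICKENPOX_16,PORN_DISGUISED autolearn=disabled\n"
    "\tversion=3.0.1\n"
    "X-Spam-Report:\n"
    "\t* 0.6 J_CHICKENPOX_16 BODY: 1alpha-pock-6alpha\n"
    "\t* 0.9 HTML_30_40 BODY: Message is 30% to 40% HTML\n"
    "\t* 0.0 HTML_MESSAGE BODY: HTML included in message\n"
    "\t* 6.0 PORN_DISGUISED RAW: Disguised PORN\n"
    "\t* 0.0 DRUGS_DEPRESSION Contains a reference to a prescription\n"
    "\t*      antidepressant\n"
    "\n"
    "body omitted\n"
)

NUM = r"-?\d+(?:\.\d+)?"


def unfold(value):
    """Collapse header folding (newline plus whitespace) into single spaces."""
    return re.sub(r"\s+", " ", value or "").strip()


def parse_status(value):
    """Parse an X-Spam-Status value in the score= or the older hits= form."""
    value = unfold(value)
    score = re.search(r"\b(?:score|hits)=(%s)" % NUM, value)
    required = re.search(r"\brequired=(%s)" % NUM, value)
    if not (score and required):
        raise ValueError("not a SpamAssassin X-Spam-Status value")
    # Rule names are upper case; the list ends at the next key=value pair.
    tests = re.search(r"\btests=([A-Z0-9_, ]*)", value)
    names = [t for t in re.split(r"[, ]+", tests.group(1)) if t] if tests else []
    return {
        "flagged": value.lower().startswith("yes"),
        "score": float(score.group(1)),
        "required": float(required.group(1)),
        "tests": names,
    }


def parse_report(value):
    """Map rule name -> points from '* <points> <RULE> description' items."""
    pattern = r"\*\s+(%s)\s+([A-Z][A-Z0-9_]*)\b" % NUM
    return {name: float(pts) for pts, name in re.findall(pattern, unfold(value))}


def analyse(raw_message):
    """Report which rules decided the verdict for one raw message."""
    msg = message_from_string(raw_message)
    status = parse_status(msg.get("X-Spam-Status"))
    rules = parse_report(msg.get("X-Spam-Report"))
    score, required = status["score"], status["required"]
    over = score >= required
    return {
        **status,
        "rules": rules,
        # Rules without which the message would fall below the threshold.
        "decisive": [n for n, p in rules.items() if over and score - p < required],
        # Rules that reach the threshold with no help from any other rule.
        "sufficient_alone": [n for n, p in rules.items() if p >= required],
        # Names in tests= with no report line (truncated or rewritten report).
        "unlisted": [n for n in status["tests"] if n not in rules],
        # A mismatch means the report and the status line disagree.
        "sum_matches": abs(sum(rules.values()) - score) < 0.05,
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_MESSAGE)
    print("score %.1f / required %.1f" % (result["score"], result["required"]))
    for name, points in sorted(result["rules"].items(), key=lambda kv: -kv[1]):
        marker = "  <- decisive" if name in result["decisive"] else ""
        print("%5.1f  %s%s" % (points, name, marker))
```
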

From MikeE at ster.invalid Tue Feb 8 08:17:47 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Feb 8 11:20:03 2005
Subject: [SC-Help] Re: disinformation newsletter that i subscribe to is suddently getting flagged by spamcop
References:
Message-ID:

Bill Sommerfeld wrote:

>> * 6.0 PORN_DISGUISED RAW: Disguised PORN
> Huh? I couldn't find it there.
>
> I found:
> body Attempts to disguise porn words DISGUISE_PORN
> 1.490 1.835 0.798 0.030
>
> I checked the source. DISGUISE_PORN has a pattern matching the
> consonants of various slang anatomical terms with wildcards in place
> of vowels. If you want to see it, download the source archives from
> http://spamassassin.apache.org/downloads.cgi and look in
> Mail-SpamAssassin-3.0.2/rules/20_porn.cf
>
> PORN_DISGUISED looks like a local addition; the even "6.0" score
> suggests that it wasn't ranked by the spamassassin score optimiser.

I assumed that porn_disguised 'must be' the same as disguised_porn, but maybe not. The regex I posted in a preceding was for disguised_porn, not porn_disguised - from http://spamassassin.apache.org/full/2.6x/dist/rules/20_porn.cf

--
Mike Easter
kibitzer, not SC admin

From bite_me at its.fun Tue Feb 8 09:32:17 2005
From: bite_me at its.fun (Rev. Guido S. DeLuxe, DD, LDD, OGG, OHS, ST, MI, MSU)
Date: Tue Feb 8 12:45:04 2005
Subject: [SC-Help] Re: disinformation newsletter that i subscribe to is suddently getting flagged by spamcop
References:
Message-ID:

On Tue, 08 Feb 2005 07:16:03 -0800, Mike Easter, an eminent manifestation of Tina Chopp, wrote:

> Rev.
Guido
>
> www.spamcop.net/sc?id=z730077084zf01b5c5b0e8415125bb1bcee1184e3a7z
>
> X-Spam-Status: Yes, score=7.5 required=5.0
> tests=DRUGS_DEPRESSION,HTML_30_40,
> HTML_MESSAGE,J_CHICKENPOX_16,PORN_DISGUISED autolearn=disabled
> version=3.0.1
> X-Spam-Report:
> * 0.6 J_CHICKENPOX_16 BODY: 1alpha-pock-6alpha * 0.9 HTML_30_40 BODY:
> Message is 30% to 40% HTML * 0.0 HTML_MESSAGE BODY: HTML included in
> message * 6.0 PORN_DISGUISED RAW: Disguised PORN * 0.0 DRUGS_DEPRESSION
> Contains a reference to a prescription
> antidepressant
> X-UIDL: 5/&!!<(9"!=G]!!QCn!!
>
> The SA 'disguised porn' rule was the killer all by itself. I don't know
> what the rule does, ie what it looks for, it is listed here
> http://spamassassin.apache.org/tests_3_0_x.html but not described - but
> you don't have control over the SA rules I don't think, so the way to
> handle it would be to simply whitelist the newsletter. 'Arguing' that the
> newsletter isn't 'pornish' is a waste of time. If you were configuring
> your own SA, maybe you wouldn't choose that rule or give it that value.
>
> If that From is consistent, I would use it.
>
> From: "disinfo"

that's great... except that i whitelisted alex at disinfo dot com at spamcop webmail, and that didn't make any difference. is there somewhere else that i can whitelist addresses that affects spamcop?

not only that, but why is it an issue now, and it wasn't a month ago? the content of the newsletter hasn't gotten _that_ pornographic... is this another case of "demons"?

thanks
GSDL

From buzzard554 at fastmail.co.uk Tue Feb 8 17:58:41 2005
From: buzzard554 at fastmail.co.uk (Martin Edwards)
Date: Tue Feb 8 13:00:05 2005
Subject: [SC-Help] Re: Parser fooled: suggestions?
In-Reply-To:
References:
Message-ID:

WazoO wrote:

> "Martin Edwards" wrote in message
> news:cu8evc$g17$1@news.spamcop.net...
>
>>http://www.spamcop.net/sc?id=z729770546z8326b1146bb1c9c7b815bae051e5b79fz
>
>
> It all starts with just what you are using to submit your spam.
> On this case, the problem starts with the first line of text;
> "A false bounce was received via your server with the ...."
> which is then followed by a blank line ... the parser reads
> this line as the "header" and of course craps out. Probably
> no sense talking about the lack of a body at this point ....
>
>

I seem to have done things in the wrong order. There would normally be no body as I report false bounces manually. Somehow I sent what should have been the first line of my e-mail to the parser. I screwed up but I'll be back with this one: it does sometimes get fooled for no obvious reason.

From MikeE at ster.invalid Tue Feb 8 10:24:42 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Feb 8 13:25:51 2005
Subject: [SC-Help] Re: disinformation newsletter that i subscribe to is suddently getting flagged by spamcop
References:
Message-ID:

Rev.

> Mike Easter,
>> From: "disinfo"
>
> that's great... except that i whitelisted alex at disinfo dot com at
> spamcop webmail, and that didn't make any difference. is there
> somewhere else that i can whitelist addresses that affects spamcop?

I'm not a mail user, but I read that there is a place for you to manage your whitelist. You should do that/ review that. You can also do it from the held mail place, I read.

http://www.spamcop.net/fom-serve/cache/320.html How do I view my whitelist?

> not only that, but why is it an issue now, and it wasn't a month ago?

I couldn't see the 'spot' or 'expression' in the newsletter that tripped the regex, so I can't say what did it.

--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Tue Feb 8 13:35:37 2005
From: nobody at devnull.spamcop.net (Pop)
Date: Tue Feb 8 13:40:03 2005
Subject: [SC-Help] Re: Spammers getting smarter?
References:
Message-ID:

"Mike Easter" wrote in message news:cuaaso$b4m$1@news.spamcop.net...

> Jeff wrote:
>> Do you know how to open these e-mails without
>> notifying the Spammers that it was opened?

...
> In the very unusual situation that a spam needs to be opened, it can be
> opened in OE6 without rendering html by configuring to read as plaintext
> in OE/ Tools/ Options/ Read tab - check read messages in plaintext. You
> can also toggle OE to go offline by putting an online/offline toggle in
> your toolbar, or by using File/ Work Offline to prevent webbug access if
> you are rendering spams for some reason in spite of my opinion. Your
> preview function should be disabled in OE/ View/ Layout - Preview Pane -
> uncheck Show preview pane. The other configuration that some people use
> is in OE/ Tools/ Options/ Security - check do not allow attachments to
> be opened or saved. Those of us who don't open spam or virms can be
> configured differently than those who do.

If I may, I'd like to add, regarding viewing emails in Plain Text: Assuming it's from someone you know and you're already sure it's not spam, you can simply use Format | Rich Text (html) to see it as intended. Check it out, save it, go flub around with the rest of your mail, and look closer at your friend's mail at your leisure. But like Mike said, NEVER open an attachment you didn't know was coming. I don't accept them either, but I do give people who wish to send me attachments (clients) a "special" code to use to remind me who they are and that they're going to or did send an attachment.

As for Mike's advice: It's all good.

Pop

From bite_me at its.fun Tue Feb 8 10:34:44 2005
From: bite_me at its.fun (Rev. Guido S. DeLuxe, DD, LDD, OGG, OHS, ST, MI, MSU)
Date: Tue Feb 8 13:50:57 2005
Subject: [SC-Help] Re: disinformation newsletter that i subscribe to is suddently getting flagged by spamcop
References:
Message-ID:

On Tue, 08 Feb 2005 10:24:42 -0800, Mike Easter, an eminent manifestation of Tina Chopp, wrote:

> I'm not a mail user, but I read that there is a place for you to manage
> your whitelist. You should do that/ review that. You can also do it
> from the held mail place, I read.
> http://www.spamcop.net/fom-serve/cache/320.html How do I view my
> whitelist?

i'm not normally a webmail user either, but the first thing it says is to login to webmail...

i did that two or three weeks ago: i put disinfo.com, alex@disinfo.com, and "disinfo" in the white list but the messages are still getting flagged...

i'm beginning to suspect demons...

From MikeE at ster.invalid Tue Feb 8 10:53:46 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Feb 8 13:55:03 2005
Subject: [SC-Help] Re: disinformation newsletter that i subscribe to is suddently getting flagged by spamcop
References:
Message-ID:

Rev.

> Mike Easter,
>> manage your whitelist. You should do that/ review that.
> i did that two or three weeks ago: i put
> disinfo.com, alex@disinfo.com, and "disinfo" in
> the white list but the messages are still getting flagged...
>
> i'm beginning to suspect demons...

Yabbut...

Those 'demons' can cause some configuration to get changed or to not be what you think it is. I'm saying you should go look at it, and perhaps do it all over *again* and/or do it a different way.

2 or 3 weeks ago was then. This is now.

--
Mike Easter
kibitzer, not SC admin

From nobody at spamcop.net Tue Feb 8 19:09:43 2005
From: nobody at spamcop.net (Heidi)
Date: Tue Feb 8 14:15:04 2005
Subject: [SC-Help] Hi
Message-ID:

hi, I'm a girl who just made her own website :) This whole semester I felt like I want to do something I've never done before.. friend suggested to finally make a site about me, and what I do everyday. It's neet how my private life is inside one website ;) Verify your age and connect to my webcam today -) Hope you'll anjoy my new hobby as much as I do :)

From bite_me at its.fun Tue Feb 8 12:02:06 2005
From: bite_me at its.fun (Rev. Guido S.
DeLuxe, DD, LDD, OGG, OHS, ST, MI, MSU)
Date: Tue Feb 8 15:15:05 2005
Subject: [SC-Help] Re: disinformation newsletter that i subscribe to is suddently getting flagged by spamcop
References:
Message-ID:

On Tue, 08 Feb 2005 10:53:46 -0800, Mike Easter, an eminent manifestation of Tina Chopp, wrote:

> Yabbut...
>
> Those 'demons' can cause some configuration to get changed or to not be
> what you think it is. I'm saying you should go look at it, and perhaps do
> it all over *again* and/or do it a different way.
>
> 2 or 3 weeks ago was then. This is now.

when i checked it yesterday, it was still there...

fine... i've removed and replaced the addresses in my whitelist, but there really isn't any "different" way of doing it... either the address gets deleted, or added. as far as i can tell, there's no way to edit the whitelist that doesn't involve vi

i'll get back to you tomorrow, when the next disinfo newsletter comes in.

thanks for your help... 8)

GSDL

From geoff at nospam.gjctech.co.uk Tue Feb 8 21:39:10 2005
From: geoff at nospam.gjctech.co.uk (Geoff Lane)
Date: Tue Feb 8 16:40:05 2005
Subject: [SC-Help] Re: Spammers getting smarter?
References:
Message-ID:

"Pop" wrote in news:cub0pi$q9u$1 @news.spamcop.net:

> As for Mike's advice: It's all good.

As someone who's been on the receiving end of the results of such bad advice, I assure you that Mike's advice has one fatal flaw. I implore you *do not report anything unless you are sure it is spam* - and that usually means looking at the thing.

--
Geoff Lane
Cornwall, UK

From geoff at nospam.gjctech.co.uk Tue Feb 8 21:39:19 2005
From: geoff at nospam.gjctech.co.uk (Geoff Lane)
Date: Tue Feb 8 16:40:08 2005
Subject: [SC-Help] Re: Spammers getting smarter?
References:
Message-ID:

"Mike Easter" wrote in news:cuaaso$b4m$1@news.spamcop.net:

> Most people who are using spamcop are simply reporting that spam, and
> it is a rare spam which needs to be rendered in order to accurately
> report it.
> So, you can spamcop report spams without opening them by
> either accessing them by the message properties to paste the item into
> the webparser or by mailing the closed item as an attachment to the
> submit address. During the examination of the spamcop parse such
> things as innocent bystanders in a spam can almost always be perceived
> in the spams which have never been opened or previewed.

Oh dear ... are you really that sure that you can identify Spampal false positives without looking? Pray, how do you identify innocent bystanders in a spam can from the spamcop parse? I strongly suspect that you can't and I suspect that someone doing exactly as you suggest led to my being falsely accused of spamming recently.

If you don't want to open suspected spam, please delete unopened and *unreported* anything you're reasonably sure is spam. If you're going to report it, you must be sure that it is spam. This means you should at least look at the thing in something that won't fetch off-page resources or execute attachments (such as The Bat!). But please, I implore you, don't take Mike's advice and report spam without verifying that it is spam. Someone did recently, which resulted in my ISP issuing unwarranted threats to close my account, and cost me nearly five-hundred dollars in lost production.

--
Geoff Lane
Cornwall, UK

From MikeE at ster.invalid Tue Feb 8 13:55:53 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Feb 8 16:55:03 2005
Subject: [SC-Help] Re: Spammers getting smarter?
References:
Message-ID:

Geoff Lane wrote:

> I implore
> you *do not report anything unless you are sure it is spam* - and
> that usually means looking at the thing.

I agree that you shouldn't be reporting anything which isn't spam.

If it is necessary to look at a spam's body because of some ambiguity or confusion, you can look at the 'view entire message' in the spamcop parser prior to reporting. That may mean looking at raw html.
Only if one were still 'confused' at that point would it be necessary to look at the spam in some other way. I cannot imagine such a scenario just now off the top of my head.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Tue Feb 8 14:16:01 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Feb 8 17:20:07 2005
Subject: [SC-Help] Re: Spammers getting smarter?
References:
Message-ID:

Geoff Lane wrote:

> "Mike Easter"
>> Most people who are using spamcop are simply reporting that spam, and
>> it is a rare spam which needs to be rendered in order to accurately
>> report it. So, you can spamcop report spams without opening them by
>> either accessing them by the message properties to paste the item
>> into the webparser or by mailing the closed item as an attachment to
>> the submit address. During the examination of the spamcop parse such
>> things as innocent bystanders in a spam can almost always be
>> perceived in the spams which have never been opened or previewed.
>
> Oh dear ... are you really that sure that you can identify Spampal
> false positives without looking?

I don't know how you have /your/ spampal configured, but I haven't had a SP false positive yet. Perhaps I will one of these days, but 'during' or with the parse I am examining every element of what is before me, which includes the spampal X-lines about why it called the item spam. If it isn't a classic or typical spam, its body can be viewed in the parser. My original premise is that it is rare that my tagged spam needs to be opened. I can't remember when that last happened.

> Pray, how do you identify innocent
> bystanders in a spam can from the spamcop parse? I strongly suspect
> that you can't and I suspect that someone doing exactly as you
> suggest led to my being falsely accused of spamming recently.
I'm quite familiar with that incident, and I would not be spamcop reporting my mailing list items, which that item was; that item would *not* have been tagged as spam by spampal, and I would *not* have even been submitting my mailing list items to the parser in the first place, much less one which wasn't spampal tagged.

And, that particular item was also not tagged as spam by the spamcop, and when you parse just the headers of what you posted, it does *not* fit the standard profile which my spams fit, which includes proxy abuses and spamsource listed IPs. Since you didn't post the tracker for access to the body, I can't comment on how many other ways that item didn't fit a spam profile. At the time of the discussion, I accessed the original item somewhere, so I have seen its body, but I don't have that link right now, but it was not a spammish item.

That was a stupid report and a stupid incompetent reaction by a provider to a stupid report.

> If you don't want to open suspected spam, please delete unopened and
> *unreported* anything you're reasonably sure is spam.

Wrong.

> If you're going
> to report it, you must be sure that it is spam. This means you should
> at least look at the thing in something that won't fetch off-page
> resources or execute attachments (such as The Bat!).

Every spam can be looked at by its message properties. Once upon a time I was pasting every spam which was pasted into the spamcop parser into a notepad for viewing because that is faster than 'view entire message' in spamcop's parse. Now that I've streamlined some things that step isn't normally necessary or convenient.

> But please, I
> implore you, don't take Mikes advice and report spam without
> verifying that it is spam. Someone did recently, which resulted in my
> ISP issuing unwarranted threats to close my account, and cost me
> nearly five-hundred dollars in lost production.
Just because a bad reporter made a bad report doesn't prove that one style of spam reporting is superior to another and it doesn't mean that people should be opening known spam.

There are plenty of reporters who are opening their spam and making bad reports. In fact, it is entirely possible that the person who made the report of the mailing list item to which we are referring made that report after opening the spam.

If that person had been using my methods, the item wouldn't have been tagged and it wouldn't have been parsed. If it had been parsed, it wouldn't have been reported.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Tue Feb 8 14:22:48 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Feb 8 17:25:04 2005
Subject: [SC-Help] Re: Spammers getting smarter?
References:
Message-ID:

Mike Easter wrote:

> There are plenty of reporters who are opening their spam and making
> bad reports. In fact, it is entirely possible that the person who
> made the report of the mailing list item to which we are referring
> made that report after opening the spam.

Not 'spam'. Correction and elaboration of the last line above.

In fact, it is entirely possible that the person who made the report of the mailing list item to which we are referring ... erroneously made that report after opening the spamcop mail untagged mailing list item.

--
Mike Easter
kibitzer, not SC admin

From geoff at nospam.gjctech.co.uk Tue Feb 8 23:22:42 2005
From: geoff at nospam.gjctech.co.uk (Geoff Lane)
Date: Tue Feb 8 18:25:03 2005
Subject: [SC-Help] Re: Spammers getting smarter?
References:
Message-ID:

"Mike Easter" wrote in news:cubdlc$4i3$1@news.spamcop.net:

> I don't know how you have /your/ spampal configured, but I haven't had
> a SP false positive yet. Perhaps I will one of these days, but
> 'during' or with the parse I am examining every element of what is
> before me, which includes the spampal X-lines about why it called the
> item spam.
> If it isn't a classic or typical spam, its body can be
> viewed in the parser. My original premise is that it is rare that my
> tagged spam needs to be opened. I can't remember when that last
> happened.

FWIW, I get at least ten Spampal false positives a week. Over half of those are from mailing lists to which I subscribe. Most of the remainder fall foul of the Bayesian plugin. I've even had mail from family trapped by Spampal!

Now, I'm not suggesting that you should open spam in one of Microsoft's MUAs. I'm just saying that you should make sure that something actually is spam before reporting it. If you can do that by viewing the raw text then fine. However, yesterday I found a message in my spam bin where looking at the raw text didn't work. The body of the message was one line, "Here's someone you might like to see!" accompanied by an inline image. I was almost sure it was spam and was about to delete it but the sender's e-mail address rang a bell. I transferred it to my MUA (which isn't susceptible to the same ills as the MS offerings) and took a peek. It was from my niece and the interesting someone was her new-born son!

> Just because a bad reporter made a bad report doesn't prove that one
> style of spam reporting is superior to another and it doesn't mean
> that people should be opening known spam.

--- I'm not convinced that you can be sure a message is spam without opening it. By "opening" I mean inspecting the contents. For plain text, you can get away with looking at the raw text - but I don't think that you can do that with a message that contains just an image. If you don't want to open it and you are not *100% certain* that the message is spam, then delete it by all means but *do not report it*. Spamcop's rules state that you must only use SC to report spam, from which I infer that you must not report anything that you're not 100% sure is spam. To do so runs the risk of causing collateral damage.
BTW, I'm not saying anything about known spam, that is messages you are 100% positive are spam. I'm just saying that you should have the decency to verify that a message you suspect to be spam actually is spam before you report it.

--
Geoff Lane
Cornwall, UK

From MikeE at ster.invalid Tue Feb 8 15:47:42 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Feb 8 18:50:04 2005
Subject: [SC-Help] Re: Spammers getting smarter?
References:
Message-ID:

Geoff Lane wrote:

> FWIW, I get at least ten Spampal false positives a week. Over half of
> those are from mailing lists to which I subscribe. Most of the
> remainder fall foul of the Bayesian plugin. I've even had mail from
> family trapped by Spampal!

Eek! I'm seeing none over the 'life' of my SP usage and you are seeing 10 a week.

Something is wrong with your SP configuration then.

The problem with being configured so that you have some good mail and spam all mixed up together with a SP tag is that you have defeated the purpose of your filter because you are having to thoroughly examine everything which has the SP tag. That's not good at all.

You haven't completely defeated its purpose because you still have the X-lines to look at when you start your evaluation, but among other things you should have whitelisted all of your mailing lists and friends a long time ago.

It is hard for two different mail profiles people to talk to each other about how things should be done. I am able to configure a particular way because I get virtually *NO* unknown wanted mail. If I were having to configure filters for someone else, I would have to take a good look at a big pile of their spam and wanted mail. My configuration strategy for someone else might be significantly different from my own. That would also affect reporting.
--
Mike Easter
kibitzer, not SC admin

From jeff.simon.2 at sbcglobal.net Tue Feb 8 18:56:32 2005
From: jeff.simon.2 at sbcglobal.net (Jeff)
Date: Tue Feb 8 19:00:04 2005
Subject: [SC-Help] Re: Spammers getting smarter?
References:
Message-ID:

In the very unusual situation that a spam needs to be opened, it can be opened in OE6 without rendering html by configuring to read as plaintext in OE/ Tools/ Options/ Read tab - check read messages in plaintext. You can also toggle OE to go offline by putting an online/offline toggle in your toolbar, or by using File/ Work Offline to prevent webbug access if you are rendering spams for some reason in spite of my opinion. Your preview function should be disabled in OE/ View/ Layout - Preview Pane - uncheck Show preview pane. The other configuration that some people use is in OE/ Tools/ Options/ Security - check do not allow attachments to be opened or saved. Those of us who don't open spam or virms can be configured differently than those who do.

The problem with doing that is I noticed after I did disable HTML in e-mails, e-mails don't load right for legitimate ones. I get ones from Yahoo! Groups every day and it's necessary for those to have HTML required. I also view the pictures in the preview window so I can't turn that off either. Those two solutions/suggestions aren't practical for me to use.

From MikeE at ster.invalid Tue Feb 8 16:08:46 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Feb 8 19:10:03 2005
Subject: [SC-Help] Re: Spammers getting smarter?
References:
Message-ID:

Geoff Lane wrote:

> Most of the
> remainder fall foul of the Bayesian plugin.

If I were using a filter or plugin which was tagging goodmail, I would either eliminate or reconfigure that filter.

Surprisingly or interestingly, compared to other people, I'm not using the SP Bayesian plugin, just the regex and url body ones. I'm mostly dependent upon my selection of dnsbl/s.
The whole idea of a spam filter is to *not* 'eliminate' good mail, even if there is some porosity. In this case replace eliminate with tag.

Theoretically, someone might choose to use a properly constructed idealized [porosity but 'never' a false positive] filter to eliminate spam. I don't want to get into a debate about that deleting, because there are flaws in that argument for some mail profiles -- how to idealize a filter depends very much on the ability to discriminate /wisely/ the qualities of the wanted mail from the qualities of the unwanted mail -- and that would mean specifically for that person's *real* mail, not some 'universal' hypothetical model.

So, someone who is able to reject mail during the transaction might configure in some way which ran a very small risk of bouncing a wanted mail, because that isn't always so bad. Inconvenient perhaps, but far superior to losing it.

The SpamPal user who is tagging and also SpamCop reporting that tagged mail has some advantages over the SP user who is deleting the tagged mail otherwise unseen except by SP. The SP SC reporter has an additional opportunity to overview during the reporting process. If the SP SC reporter's experiences are that the SP tagging *never* shows a false positive, the strategy is going to be different from someone for whom that tagging of wanted mail is a very very real problem.

Tagging wanted mail is highly undesirable and 'must' be eliminated, in my opinion.

And, what I would do about it would be to configure my SP so that it was 'never' [almost never?] giving me false positives.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Tue Feb 8 16:19:39 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Feb 8 19:20:02 2005
Subject: [SC-Help] Re: Spammers getting smarter?
References:
Message-ID:

Jeff wrote:

> The problem with doing that is I noticed after I did disable HTML in
> e-mails, e-mails don't load right for legitimate ones. I get ones from
> Yahoo!
> Groups every day and it's necessary for those to have HTML
> required. I also view the pictures in the preview window so I can't
> turn that off either. Those two solutions/suggestions aren't
> practical for me to use.

In my own configuration, I'm configured to render html because I get html mail from my friends and one of my mailing lists which 'won't' plaintext, and, as you will recall, I'm the one who is saying don't open spam and virms and that there is no spam or virms in my Inbox. None.

Being configured to preview is tantamount to opening everything which is previewed, so it is a very insecure condition. You should not even be 'visiting' your Junk folder or any other folder such as your Inbox which /might/ contain unknown mail in that configuration.

If you even access a folder with a 'dangerous' or undesirable mail in it with Preview enabled and you are insecure, you can become virus infected by a mailicious item 'falling into' the preview slot. That is, sufficiently insecurely configured, if you are 'in' your Inbox and a properly constructed virm lands in the Inbox [the #1 position] which causes it to become the 'target' or selected item, the preview process of OE can use IE's rendering engine to render the html of the previewed item, and the/your insecurity can result in the execution of the viral payload, which can easily be too new for whatever antiviral agent you have running.

Said another way, you can 'accidentally' preview a virm and thus infect yourself.

There's another separate issue which is about housekeeping and proper quoting and citing which has nothing to do with the rest of this, so I think I'll put that in another post.

--
Mike Easter
kibitzer, not SC admin

From geoff at nospam.gjctech.co.uk Wed Feb 9 00:32:09 2005
From: geoff at nospam.gjctech.co.uk (Geoff Lane)
Date: Tue Feb 8 19:35:04 2005
Subject: [SC-Help] Re: Spammers getting smarter?
References:
Message-ID:

"Mike Easter" wrote in news:cubj19$8j5$1 @news.spamcop.net:

> but among other things you should have whitelisted all
> of your mailing lists and friends a long time ago.

Unfortunately not so easy when a mailing list uses the OP's address in the From field (which is what TBUDL does) and the mailing list address in Reply-To. Spampal only appears to allow whitelisting on the From address, which implies that I need to whitelist every list member.

Also, I work freelance and get a significant amount of mail from prospective clients and agents. Often I haven't heard from someone for months or even years until one of their messages ends up in my spambin.

Friends and family get whitelisted as soon as I know their address. However, I need to know their address first, and they usually seem to tell me by sending a message from the new address.

Even if you don't get false positives, it doesn't mean that others don't. So, unqualified advice not to look at suspected spam (to decide whether it is actually spam) is IMO dangerous. I inferred from your original post advice to the OP to rely on anti-spam filtering to decide whether each message was spam ("You should *not* be examining spam subjects and spam froms with your human eyeballs...") As I've pointed out, relying solely on something like Spampal is dangerous -- Spampal is not infallible (and IIRC, advises against automatically deleting messages it tags as spam for precisely that reason).

That said, how can you be 100% sure that you have no undetected false positives? Surely, to be 100% sure means inspecting each trapped message, and I infer from your previous posts that you don't do that.

--
Geoff Lane
Cornwall, UK

From MikeE at ster.invalid Tue Feb 8 16:34:12 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Feb 8 19:35:08 2005
Subject: [SC-Help] Re: Spammers getting smarter?
References:
Message-ID:

Mike Easter wrote:

> There's another separate issue which is about housekeeping and proper
> quoting and citing which has nothing to do with the rest of this, so I
> think I'll put that in another post.

Jeff wrote:

> In the very unusual situation that a spam needs to be opened, it can
> be opened in OE6 without rendering html by configuring to read as
> plaintext
> in OE/ Tools/ Options/ Read tab - check read messages in plaintext.
> You can also toggle OE to go offline by putting an online/offline
> toggle in your toolbar, or by using File/ Work Offline to prevent
> webbug access if you are rendering spams for some reason in spite of
> my opinion. Your preview function should be disabled in OE/ View/
> Layout - Preview Pane - uncheck Show preview pane. The other
> configuration that some people use
> is in OE/ Tools/ Options/ Security - check do not allow attachments to
> be opened or saved. Those of us who don't open spam or virms can be
> configured differently than those who do.

shape because I'm configured to do that>

> The problem with doing that is I noticed after I did disable HTML in
> e-mails, e-mails don't load right for legitimate ones. I get ones from
> Yahoo! Groups every day and it's necessary for those to have HTML
> required. I also view the pictures in the preview window so I can't
> turn that off either. Those two solutions/suggestions aren't
> practical for me to use.

In OE, the place to configure to create the quote marks for the other person's remarks is in OE/ Tools/ Options/ Send tab - News sending format section - Plaintext is checked - Click Plain Text Settings - check MIME and select encode text using None and Automatically wrap text at 72-74 chars and check Indent the original text with >

OE has some problems with its handling of all that, and it can be improved upon with OE QuoteFix, but that's another subject.
Here is an article which appears regularly in a newsgroup called news.newusers.questions and a link to another article about the same thing.

[TIP] How to format responses to postings

When you post a response to another posting, you should normally "quote" (include) some of the text from that posting, to give readers some context for your own words. Most newsreading software can automatically quote the entire text of that posting for you, prefixing each line with a ">" symbol to indicate that it is quoted material.

To save network resources, server disk space and readers' time, you should use this complete quoted copy only as a starting point, as follows:

1. You should delete material that is not directly relevant to your own response. Keep only enough to establish some context for your words. Often a sentence or two will be all you need. You do not need to quote people's "signatures;" see point 4 below.

2. You should place your own comments after the words that you are responding to, so that others can easily read things in sequence.

3. If you are responding to several points in the original posting, so that you have to quote a fair amount of it, intersperse your comments in point/counterpoint style.

4. Make sure you attribute quoted comments correctly, especially when there are "nested quotes." Most newsreading software puts something like "Joe Blow wrote:" at the beginning of quoted material; don't delete it.

For a more detailed discussion of the rationale behind these "rules," and responses to some common objections, see http://members.fortunecity.com/nnqweb/nquote.html

--
Mike Easter
kibitzer, not SC admin

From geoff at nospam.gjctech.co.uk Wed Feb 9 00:48:21 2005
From: geoff at nospam.gjctech.co.uk (Geoff Lane)
Date: Tue Feb 8 19:50:02 2005
Subject: [SC-Help] Re: Spammers getting smarter?
References:
Message-ID:

"Mike Easter" wrote in news:cubk8p$9j7$1 @news.spamcop.net:

> And, what I would do about it would be to configure my SP so that it was
> 'never' [almost never?] giving me false positives.

Tried that, been there, done it. Unfortunately, thanks in part no doubt to my reporting spammers, I get rather a lot of spam.

I just checked my spamtrap and mail server logs. In the last three hours, I've downloaded and deleted unread twelve messages sent to abandoned email addresses and my spamtrap contains fifteen messages, all spam caught about 50/50 by SBL+XBL and the Bayesian plugin. Experience shows that without the Bayesian plugin, those messages it caught would have got through (albeit many would be trapped by secondary filtering on user MUAs).

Just over a year ago, I was getting well over a thousand spams per day. Most of those were bounces or complaints resulting from a Floridian spammer "borrowing" one of my domains. It isn't that bad now, but I still get nearly a thousand spams a week sent to valid email addresses. So, the ten a week represents about one percent of messages tagged as spam, which probably isn't as bad as you thought.

--
Geoff Lane
Cornwall, UK

From MikeE at ster.invalid Tue Feb 8 16:51:00 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Feb 8 19:55:03 2005
Subject: [SC-Help] Re: Spammers getting smarter?
References:
Message-ID:

Geoff Lane wrote:

> "Mike Easter"
>> but among other things you should have whitelisted all
>> of your mailing lists and friends a long time ago.
>
> Unfortunately not so easy when a mailing list uses the OP's address in
> the From field (which is what TBUDL does) and the mailing list
> address in Reply-To. Spampal only appears to allow whitelisting on
> the From address, which implies that I need to whitelist every list
> member.
This kind of dialog is useful, but of course it isn't the same as if a 'filter consultant' were 'holding' your email in hir hand and making suggestions about how to configure, but maybe this will be of some piecemeal help anyway.

Here's what SP sez about how it works its whitelisting, from the manual. This is very typical for whitelisting.

Note: Headers that the whitelist compares against
The whitelist function only looks for email addresses in certain headers of your email.

These headers are currently: From:, Reply-To:, Sender:, Mailing-List: and Return-Path:

So, if I look back at the 'Wrongly accused' thread first item with the headers, I see this useful line:

Reply-To: tbudl@thebat.dutaint.com

and that's the addy I would use to whitelist the TBUDL mailing list.

> Also, I work freelance and get a significant amount of mail from
> prospective clients and agents. Often I haven't heard from someone for
> months or even years until one of their messages ends up in my
> spambin.

Yes, the problem with unknown wanted mail is the bugbear of spam filtering. Your filter shouldn't be tagging your unknown wanted mail, even at the cost of increasing porosity a tiny little bit.

> Friends and family get whitelisted as soon as I know their address.
> However, I need to know their address first, and they usually seem to
> tell me by sending a message from the new address.

Ditto my above.

> Even if you don't get false positives, it doesn't mean that others
> don't. So, unqualified advice not to look at suspected spam (to decide
> whether it is actually spam) is IMO dangerous.
> I inferred from your
> original post advice to the OP to rely on anti-spam filtering to
> decide whether each message was spam ("You should *not* be examining
> spam subjects and spam froms with your human eyeballs...") As I've
> pointed out, relying solely on something like Spampal is dangerous --
> Spampal is not infallible (and IIRC, advises against automatically
> deleting messages it tags as spam for precisely that reason).

That's a good point. My configuration permits me to do that. Until someone else's configuration permits them to do that, we can't go 'post hoc ergo propter hoc'

> That said, how can you be 100% sure that you have no undetected false
> positives? Surely, to be 100% sure means inspecting each trapped
> message, and I infer from your previous posts that you don't do that.

That's hard to describe. You would have to see a 'video' or realtime of my screen^1 during the spam submission parsing process. Had you watched me, you would feel quite comfortable that I'm not reporting any non-spam.

^1That is actually possible with some cute little client server softwares if both people are broadband connected

--
Mike Easter
kibitzer, not SC admin

From geoff at nospam.gjctech.co.uk Wed Feb 9 01:01:52 2005
From: geoff at nospam.gjctech.co.uk (Geoff Lane)
Date: Tue Feb 8 20:05:06 2005
Subject: [SC-Help] Re: Spammers getting smarter?
References:
Message-ID:

"Mike Easter" wrote in news:cubmnu$bje$1@news.spamcop.net:

> Here's what SP sez about how it works its whitelisting, from the
> manual. This is very typical for whitelisting.
>
>
> Note: Headers that the whitelist compares against
> The whitelist function only looks for email addresses in certain
> headers of your email.
>
> These headers are currently: From:, Reply-To:, Sender:, Mailing-List:
> and Return-Path:
>
>
> So, if I look back at the 'Wrongly accused' thread first item with the
> headers, I see this useful line:
>
> Reply-To: tbudl@thebat.dutaint.com

--- Ah! now that's not wot it sez in my SP help!
I'm a version or two behind (1.583) and the help only mentions the From: header. Certainly I did try some time ago to whitelist on the Reply-To: header but it didn't work. I even wrote to suggest just that feature, but didn't know it had been implemented. So, perhaps it's time to accept the update that Spampal offered a couple of days ago. That will let me tidy things up significantly.

Thanks,

--
Geoff Lane
Cornwall, UK

From MikeE at ster.invalid Tue Feb 8 17:13:55 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Feb 8 20:15:05 2005
Subject: [SC-Help] Re: Spammers getting smarter?
References:
Message-ID:

Geoff Lane wrote:

> However, yesterday I found a message in my spam bin where looking at
> the raw text didn't work. The body of the message was one line,
> "Here's someone you might like to see!" accompanied by an inline
> image.

Without seeing the complete item, I can't say this with certainty; but I'm almost sure that item would've never been tagged by my SP configuration; unless your niece's IP is on some kind of spamsource or proxy/trojan list.

I think I am going to be critical of how you have your SP configured. It is tagging too much good mail.

If there is goodmail and spam all mixed up somewhere, either tagged or untagged it doesn't matter, the filter hasn't done much of a job.

Somehow the configuration has to result in a very very very small amount of 'stuff' that has to be humanly examined /somehow/ to determine if it is spam.

Back in the old days I used to manually move 'obvious' spam to my eyeballs unopened into the Junk folder. Certain types of mail needed to be 'inspected' from the 'interior' -- mail from my friends which had gone into my BigMail folder and thus was suspicious for possibly being a virus [or a graphic] and also mail which might be spam and might not. So I would pick it up by its Properties and look at the message source. That way I wasn't opening any mails which I didn't already know what was inside.
I was using the more insecure versions of IE and OE back in those days, and was quite aware of their insecurities. And, typically when I handled my mixed goodmail and spam that way I would move the spam into the Junk folder and it would almost never be opened. In those same old days I was manually reporting everything, so it was also pasted into a notepad type of template and was 'readable' in that way. Occasionally something needed to be rendered, but I already knew the structure and whether I needed to be offline or not. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Tue Feb 8 17:22:37 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue Feb 8 20:25:05 2005 Subject: [SC-Help] Re: Spammers getting smarter? References: Message-ID: Geoff Lane wrote: > "Mike Easter" >> These headers are currently: From:, Reply-To:, Sender:, Mailing-List: >> and Return-Path: > Ah! now that's not wot it sez in my SP help! I'm a version or two > behind (1.583) and the help only mentions the From: header. 1.588 for me. I see it is 1.591 at the site. Hmm. I don't know when it changed. My manual access was at the site because that's the way 'it works' when you manual access with the program. I haven't personally configured for anything other than From. The version history page doesn't describe a change from From to the others so I just don't know about that. A whitelist should properly work as described or something thereabouts. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Tue Feb 8 17:34:18 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue Feb 8 20:35:45 2005 Subject: [SC-Help] Re: Spammers getting smarter? References: Message-ID: Geoff Lane wrote: > but I still get nearly a thousand spams a week sent to valid > email addresses. So, the ten a week represents about one percent of > messages tagged as spam, which probably isn't as bad as you thought. 
The reason 10 false positives is 'bad' is because they are 'buried' in a thousand spams, which 'buries' you back into those thousand 'things' to have to look at. A thousand messages a week to have to humanly look at 'carefully' because of goodmail getting in there; because you don't want to lose or report goodmail. If you had a different configuration so that week after week there were no wanted mails tagged, but the occasional spam were untagged, wouldn't that be better? The occasional false negative which my SP configuration permits is *always* easily recognizable as spam, so I simply move it over to the Junk manually. That *has* to be better than looking thru' a thousand ugly spams trying to find a few goodmails. That sounds terrible. -- Mike Easter kibitzer, not SC admin From geoff at nospam.gjctech.co.uk Wed Feb 9 01:58:35 2005 From: geoff at nospam.gjctech.co.uk (Geoff Lane) Date: Tue Feb 8 21:00:04 2005 Subject: [SC-Help] Spampal config (false positives) Message-ID: I've started a new thread because our conversation was getting dangerously close to hijacking the other. -- In the thread, "Spammers getting smarter", Mike Easter wrote: > Without seeing the complete item, I can't say this with certainty; > but I'm almost sure that item would've never been tagged by my SP > configuration; unless your niece's IP is on some kind of spamsource > or proxy/trojan list. --- Must be -- she's on a dynamically allocated ISP netblock. IIRC, it was SBL that trapped it. > I think I am going to be critical of how you have your SP configured. > It is tagging too much good mail. > If there is goodmail and spam all mixed up somewhere, either tagged or > untagged it doesn't matter, the filter hasn't done much of a job. --- There is a mix of spam and ham. Due to the nature and quantity of spam and ham I'm getting it's quite difficult to filter with complete accuracy. 
I'm convinced that the way I have it configured results in the smallest volume of one being mixed with the other -- my spambin contains about 1% ham. If I were to do it the other way, so that no ham was binned, a much larger percentage of spam would end up being delivered to users. Now, if I were the only user I could filter that in my MUA and the combined filtering would give much better separation. However, I have to consider other users on my network - and I would rather trap a few ham messages than let some of the cr*p through to my wife and son. In another message, Mike wrote: > The reason 10 false positives is 'bad' is because they are 'buried' in > a thousand spams, which 'buries' you back into those thousand > 'things' to have to look at. A thousand messages a week to have to > humanly look at 'carefully' because of goodmail getting in there; > because you don't want to lose or report goodmail. --- It's not as bad as you think. Firstly, I check the spambin every few hours. Secondly, I'm looking at just the sender and subject headers in a list on my server - not the entire messages. A subject munged to get by keyword filters is obviously spam, as is something with a subject like "Quality meds" or the name of certain pharmaceuticals. So, I can select and delete obvious spam (most times, that'll be the whole spambin). Any that remain can be investigated further by checking the raw text. I actually copy very few spam messages through to my MUA. However, I now only report spam that gets through my filters and so false positives in my spambin will not give rise to unwarranted reports. -- Geoff Lane Cornwall, UK From driehuis.fcnzpbc2005 at playbeing.com Wed Feb 9 04:00:57 2005 From: driehuis.fcnzpbc2005 at playbeing.com (Bert Driehuis) Date: Tue Feb 8 22:05:04 2005 Subject: [SC-Help] Re: Spammers getting smarter? In-Reply-To: References: Message-ID: Mike Easter wrote: > Eek! I'm seeing none over the 'life' of my SP usage and you are seeing > 10 a week. 
> > Something is wrong with your SP configuration then. [...] Determining if a given piece of e-mail is spam requires two things: the technical insights in how to tell forgeries from unforged e-mail (the latter category comprising both desired e-mail and spam that doesn't hide its origin). The second is insight into (if not a perfect administration of) outside parties whose stuff was actually requested. Most users cannot be left with the technical determination. Many users have no clue what they subscribed to. In the hands of users who cannot give a positive answer to both considerations, tools that make spam reporting user friendly also make the same tool idiot friendly. I do not want to take sides in this particular discussion, not knowing the complete facts from either side, but I take exception to the suggestion that a mechanical tool like SpamPal can replace human oversight. That said, users who use tools they do not understand whilst being warned of the dangers deserve to be strung up together with the spammers. I usually give them one bite of the apple (I know, I'm not a hardcore anti-spammer), but second offense and into the blocklist they go (together with parties I expect to take action if I requested assistance from such parties, like postmasters of small sites). I've added a couple of users of a tool that deliberately sends reports to innocent bystanders to my private blacklist, together with the company that sells that piece of crap. As the bold warning on the SpamCop submission form notes so eloquently, "The last thing SpamCop wants are network administrators so accustomed to false claims that they no longer take these spam reports seriously." Again: this is not a comment specifically about SpamPal, but if a tool makes it easy to inappropriately report non-spam, caution is called for. Even if ultimately it's pilot error. Too many people trust their tools over their judgement. 
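Added example, not written by any poster in this thread and not SpamPal's own code: a sketch of the whitelist check from the manual excerpt quoted earlier in the thread, which compares addresses found in From:, Reply-To:, Sender:, Mailing-List: and Return-Path:. The function name, the address regex and the sample message are assumptions constructed for illustration; only the Reply-To list address is taken from the thread.

```python
import re
from email import message_from_string

# Header set named in the manual excerpt quoted in the thread.
FIVE_HEADERS = ("From", "Reply-To", "Sender", "Mailing-List", "Return-Path")
# Narrower set: the older help text mentioned in the thread lists only From:.
FROM_ONLY = ("From",)

# Loose address matcher (assumption, not SpamPal's parser). It has to cope
# with free-form values such as "Mailing-List: list a@b; contact c@d".
ADDR_RE = re.compile(r"[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}")

# Constructed sample: a list post whose From: is an individual poster and
# whose Reply-To: is the list address, as in the thread's example.
SAMPLE_LIST_POST = """\
Return-Path: <bounces@lists.example.org>
Received: from mx.example.org by mail.example.net for reader@example.net
From: "A. Poster" <poster@example.org>
Reply-To: tbudl@thebat.dutaint.com
Mailing-List: list tbudl@thebat.dutaint.com; contact tbudl-help@thebat.dutaint.com
To: tbudl@thebat.dutaint.com
Subject: constructed list post

body text
"""


def whitelist_hits(raw_message, whitelist, headers=FIVE_HEADERS):
    """Return [(header, address)] for each whitelisted address that appears
    in one of the compared headers. Headers outside `headers` (To:,
    Received:, ...) are never consulted, whatever they contain."""
    msg = message_from_string(raw_message)
    wanted = {addr.lower() for addr in whitelist}
    hits = []
    for header in headers:
        # get_all() copes with a header that occurs more than once.
        for value in msg.get_all(header, []):
            for addr in ADDR_RE.findall(str(value)):
                if addr.lower() in wanted:
                    hits.append((header, addr.lower()))
    return hits


def is_whitelisted(raw_message, whitelist, headers=FIVE_HEADERS):
    """True if any compared header carries a whitelisted address."""
    return bool(whitelist_hits(raw_message, whitelist, headers))


if __name__ == "__main__":
    wl = {"tbudl@thebat.dutaint.com"}
    # Five-header comparison: the list address is found, and the result
    # records which header caused the message to bypass tagging.
    print(whitelist_hits(SAMPLE_LIST_POST, wl))
    # From-only comparison: the same whitelist entry never matches,
    # because From: carries the individual poster's address.
    print(whitelist_hits(SAMPLE_LIST_POST, wl, FROM_ONLY))
```

Recording which header produced the match makes it possible to audit why a given message skipped tagging, since every compared header is supplied by the sending side.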
From sg at nowhere.com Tue Feb 8 20:41:52 2005 From: sg at nowhere.com (Steve Grosz) Date: Tue Feb 8 22:45:06 2005 Subject: [SC-Help] Curious Message-ID: I'm curious, what good does reporting the spam to SpamCop actually do? Is there a RBL list that can be added to my email server that will help me? Steve From cpollock at earthlink.net Tue Feb 8 21:53:02 2005 From: cpollock at earthlink.net (Chris) Date: Tue Feb 8 22:55:04 2005 Subject: [SC-Help] processing of a spam msg aborted Message-ID: I get the below every time on the same spam msg when its processing. I'd hate to delete all my unreported spam, and reloading the report doesn't seem to help. Anything else I can do? got sigalarm, taking too long to process, aborted. Perhaps you can wait a few minutes and reload? -- Chris Registered Linux User 283774 http://counter.li.org 21:48:50 up 28 days, 4:25, 1 user, load average: 0.79, 0.81, 0.87 Mandrake Linux 10.1 Official, kernel 2.6.8.1-12mdk From wb8tyw at qsl.network Tue Feb 8 23:07:19 2005 From: wb8tyw at qsl.network (John E. Malmberg) Date: Tue Feb 8 23:10:05 2005 Subject: [SC-Help] Re: Curious In-Reply-To: References: Message-ID: Steve Grosz wrote: > I'm curious, what good does reporting the spam to SpamCop actually do? > Is there a RBL list that can be added to my email server that will help me? MAPS is claiming trademark on RBL, so the generic term has become DNSbl. There is a bl.spamcop.net, but it may be too aggressive for use on a production mailserver. It is more useful in a scoring system. A spamcop.net listing is a high probability of spam, but not absolute. Also, once a spam source makes it on to the more conservative DNSbls, many spamcop.net reporters never see any more spam from that source to report it, which may cause it to drop off of the spamcop.net list. As you have not specified what you are currently using, there is no way to advise you on what else is available. 
There are well over 200 dnsbls out there, some with strict criteria, and others that are slowly listing the entire internet, including anyone that sends them an e-mail asking about their particular DNSbl. In general people have reported that with a selected set of conservative DNSbls, they can get from 80 to 95% spam rejection with pretty much no false positives. And by checking suspicious e-mail from I.P.s on aggressive lists, or with defective rdns, for links that either do not resolve, or resolve to I.P. addresses that are in the conservative DNSbls, reports are that close to 100% of spam can be rejected with out impacting real e-mail. Currently SpamAssassin 3.x as a Milter seems to be the only content filter that can perform the URL lookup test. -John wb8tyw@qsl.network Personal Opinion Only From sg at nowhere.com Tue Feb 8 21:20:29 2005 From: sg at nowhere.com (Steve Grosz) Date: Tue Feb 8 23:25:03 2005 Subject: [SC-Help] Re: Curious In-Reply-To: References: Message-ID: Currently I use 2 lists: sbl.spamhaus.org and relays.ordb.org, and still get quite a bit of spam, at least 25-30 in my inbox alone! Is there a better list to be using? Steve John E. Malmberg wrote: > Steve Grosz wrote: > >> I'm curious, what good does reporting the spam to SpamCop actually do? >> Is there a RBL list that can be added to my email server that will >> help me? > > > MAPS is claiming trademark on RBL, so the generic term has become DNSbl. > > There is a bl.spamcop.net, but it may be too aggressive for use on a > production mailserver. It is more useful in a scoring system. > A spamcop.net listing is a high probability of spam, but not absolute. > > Also, once a spam source makes it on to the more conservative DNSbls, > many spamcop.net reporters never see any more spam from that source to > report it, which may cause it to drop off of the spamcop.net list. > > As you have not specified what you are currently using, there is no way > to advise you on what else is available. 
> > There are well over 200 dnsbls out there, some with strict criteria, and > others that are slowly listing the entire internet, including anyone > that sends them an e-mail asking about their particular DNSbl. > > In general people have reported that with a selected set of conservative > DNSbls, they can get from 80 to 95% spam rejection with pretty much no > false positives. > > And by checking suspicious e-mail from I.P.s on aggressive lists, or > with defective rdns, for links that either do not resolve, or resolve to > I.P. addresses that are in the conservative DNSbls, reports are that > close to 100% of spam can be rejected with out impacting real e-mail. > > Currently SpamAssassin 3.x as a Milter seems to be the only content > filter that can perform the URL lookup test. > > -John > wb8tyw@qsl.network > Personal Opinion Only From wb8tyw at qsl.network Tue Feb 8 23:48:41 2005 From: wb8tyw at qsl.network (John E. Malmberg) Date: Tue Feb 8 23:50:06 2005 Subject: [SC-Help] Re: Curious In-Reply-To: References: Message-ID: Steve Grosz wrote: > Currently I use 2 lists: > > sbl.spamhaus.org and relays.ordb.org, and still get quite a bit of spam, > at least 25-30 in my inbox alone! > > Is there a better list to be using? Change your sbl.spamhaus.org listing to sbl-xbl.spamhaus.org and you should see a significant reduction. See spamhaus.org for details. I have not seen a report anywhere of an incorrect listing in the xbl.spamhaus.org. Also consider using the njabl.org open proxy/ open relay list and the list.dsbl.org lists. There seems to be quite an overlap with the njabl.org and the list.dsbl.org, so using both may not be needed. Also consider adding a DHCP list, most spam comes from DHCP addresses. There is a small risk of false positives from this as sometimes ISPs will do a renumber and put real mail servers in what used to be a DHCP pool that they submitted for listing. The SORBS.NET DUHL list seems to be the most up to date. 
NJABL.ORG dynablock list seems to be less up to date. AOL has been rejecting e-mail with no rDNS at all for quite a while now, and there does not seem to be anyone complaining publicly about their e-mails being rejected. One of my postmasters has a policy that when spam comes in from certain countries, they put a local block on the /23 surrounding it. The reject text points to a link for the procedure to request a white listing. At the last report from that postmaster, there have been no requests to have any of those blocks removed from any source. The unconfirmed and multihop dsbl.org lists are likely to cause real e-mails to be rejected, so they are best for scoring. The SORBS spamtrap lists are also prone to listing ISP mail servers. Also, please do not top-post, and trim as much as you can from the previous replies with out losing context. -John wb8tyw@qsl.network Personal Opinion Only From MikeE at ster.invalid Tue Feb 8 21:00:34 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed Feb 9 00:00:05 2005 Subject: [SC-Help] Re: Spammers getting smarter? References: Message-ID: Bert Driehuis wrote: > I take exception to the > suggestion that a mechanical tool like SpamPal can replace human > oversight. The most important role SpamPal provides in screening my mail is to examine the headers for the presence of IPs which are in various blocklists which I have chosen and to tag the item if that occurs. The much lesser role of trying to examine the body could probably be completely dispensed for my mail which contains almost no unknown wanted mail. For someone like me who can whitelist all of their wanted mail, I can include the blocklists made of numerous countries, for example. Someone else wouldn't be able to do that. That particular blocklist screening function on header IP information is so 'mechanical' and easily done by the proxy that it bears no relationship to the humanoid activities of 'recognizing' spam by its various contents of subject or from or body. 
The spambody isn't even involved or important very often. For my spam. It is also far superior to human eyeballs trying to read spamsubjects 'discriminatively'. For my spam. 'Looking at' a subject which has been tagged as spam because it comes from a spammy IP is very different from 'reading' and 'interpreting' a subject which hasn't had that filtering process applied to the header. The human eyeballs are looking at a clever spam subject. The proxy looked at what blocklists the thing came from. No comparison. -- Mike Easter kibitzer, not SC admin From jeff.simon.2 at sbcglobal.net Wed Feb 9 00:07:29 2005 From: jeff.simon.2 at sbcglobal.net (Jeff) Date: Wed Feb 9 00:10:04 2005 Subject: [SC-Help] Re: Spammers getting smarter? References: Message-ID: "Mike Easter" wrote in message news:cubloe$ak6$1@news.spamcop.net... > Mike Easter wrote: >> There's another separate issue which is about housekeeping and proper >> quoting and citing which has nothing to do with the rest of this, so I >> think I'll put that in another post. > > Excuse me Mr. Correcto but I DID try to do better this time!!!! I deleted off the text and you're still jumping on my back about it!! What is your problem?? I get tired of this BS all the time. I only didn't hit reply first and then delete but other than that, I DID do it right, I deleted off the old text and then replied to your block of text that I thought was relevant, gee whiz! Find another person to attack on AOL or somewhere who is way worse. Those kooks on AOL are 100 times worse than me, trust me because I have been using them for a FREE Trial. People type in CAPS, they don't take off old replies on Message boards. I am not nearly as bad as that. I'm tired of this and it's getting me quite irritated as you can see now. From MikeE at ster.invalid Tue Feb 8 21:11:36 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed Feb 9 00:15:04 2005 Subject: [SC-Help] Re: Spammers getting smarter? References: Message-ID: Jeff wrote: > Excuse me Mr. 
Correcto but I DID try to do better this time!!!! Everything is fine. Thanks. -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Wed Feb 9 09:15:34 2005 From: nobody at devnull.spamcop.net (Pop) Date: Wed Feb 9 09:20:03 2005 Subject: [SC-Help] Re: Spammers getting smarter? References: Message-ID: Geoff Lane wrote: ... > > BTW, I'm not saying anything about known spam, that is messages you > are 100% positive are spam. I'm just saying that you should have the > decency to verify that a message you suspect to be spam actually is > spam before you report it. That's what you're "saying", but it's not what you "said". From bite_me at its.fun Wed Feb 9 07:18:12 2005 From: bite_me at its.fun (Rev. Guido S. DeLuxe, DD, LDD, OGG, OHS, ST, MI, MSU) Date: Wed Feb 9 10:35:05 2005 Subject: [SC-Help] Re: disinformation newsletter that i subscribe to is suddently getting flagged by spamcop References: Message-ID: well, rather as i suspected, it's still flagged. what now? From MikeE at ster.invalid Wed Feb 9 07:49:19 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed Feb 9 10:50:05 2005 Subject: [SC-Help] Re: disinformation newsletter that i subscribe to is suddently getting flagged by spamcop References: Message-ID: Rev. Guido > well, rather as i suspected, it's still flagged. > > what now? The other place to rap about stuff that has to do with spamcop mail is in the forum^1. JT is in charge of mail [and the newsgroup and forum servers] and he has abandoned interacting in the newsgroups. He also doesn't drop in to the forums very often, but there is more mail support in the forum than 'here' - the newsgroup spamcop.mail - which was originally intended to support mail. I'm not a SC mail user, so I'm outa suggestions here. ^1 http://forum.spamcop.net/forums/index.php?showforum=4 SpamCop Email System & Accounts -- Mike Easter kibitzer, not SC admin From bite_me at its.fun Wed Feb 9 08:12:41 2005 From: bite_me at its.fun (Rev. Guido S. 
DeLuxe, DD, LDD, OGG, OHS, ST, MI, MSU) Date: Wed Feb 9 11:30:05 2005 Subject: [SC-Help] disinformation newsletter is suddenly getting flagged by spam assassin and whitelisting it doesn't help Message-ID: i'm subscribed to the disinformation mailing list. have been for several years now. it has only recently started being a problem... i'd say maybe a month or so ago. someone, and i think it's spamcop, is letting the mailing list through (probably because i have whitelisted it on webmail), but it's getting flagged as spam by spam assassin, and when it arrives on my machine, instead of getting routed to the disinformation mailbox, it gets routed to the spam mailbox. i'm sure that it's not my mailserver that is flagging it as spam, because on my mailserver i have a procmail rule that makes an end run around spam assassin when it encounters a sender address at disinfo dot com. the only other place that i know of that's filtering my mail through spam assassin is spamcop. i've deleted and re-added the addresses to my whitelist, just to make sure (and as recommended by mike easter in the help forum) but that doesn't seem to make any difference: the messages still get flagged as spam. here is a tracking URL, if will help: http://www.spamcop.net/sc?id=z730077084zf01b5c5b0e8415125bb1bcee1184e3a7z i'm at a loss here... can somebody help me out? thanks GSDL From bite_me at its.fun Wed Feb 9 08:16:12 2005 From: bite_me at its.fun (Rev. Guido S. DeLuxe, DD, LDD, OGG, OHS, ST, MI, MSU) Date: Wed Feb 9 11:30:17 2005 Subject: [SC-Help] Re: disinformation newsletter is suddenly getting flagged by spam assassin and whitelisting it doesn't help References: Message-ID: oops... sorry... wrong newsgroup From buzzard554 at fastmail.co.uk Wed Feb 9 18:34:29 2005 From: buzzard554 at fastmail.co.uk (Martin Edwards) Date: Wed Feb 9 13:35:05 2005 Subject: [SC-Help] Re: Parser fooled: suggestions? 
In-Reply-To: References: Message-ID: Martin Edwards wrote: > WazoO wrote: > >> "Martin Edwards" wrote in message >> news:cu8evc$g17$1@news.spamcop.net... >> >>> http://www.spamcop.net/sc?id=z729770546z8326b1146bb1c9c7b815bae051e5b79fz >>> >> >> >> >> It all starts with just what you are using to submit your spam. >> On this case, the problem starts with the first line of text; >> "A false bounce was received via your server with the ...." >> which is then followed by a blank line ... the parser reads >> this line as the "header" and of course craps out. Probably >> no sense talking about the lack of a body at this point .... >> >> > I seem to have done things in the wrong order. There would normally be > no body as I report false bounces manually. Somehow I sent what should > have been the first line of my e-mail to the parser. I screwed up but > I'll be back with this one: it does sometimes get fooled for no obvious > reason. http://www.spamcop.net/sc?id=z730506274zd6d4fbeb75d3f257435846fd51d3f6cfz From buzzard554 at fastmail.co.uk Wed Feb 9 18:45:43 2005 From: buzzard554 at fastmail.co.uk (Martin Edwards) Date: Wed Feb 9 13:45:03 2005 Subject: [SC-Help] Bad Phish Message-ID: I recently got a phishing post with most of the words misspelt like much spam has to avoid filters. Surely any recipient would know this was spam. From skyllightq at rogers.com Wed Feb 9 13:44:34 2005 From: skyllightq at rogers.com (Ciberguy) Date: Wed Feb 9 13:50:02 2005 Subject: [SC-Help] Using SpamCop Message-ID: When I attempt to submit spam I go to the following web site: http://members.spamcop.net/ I get back the following message: The page cannot be displayed The page you are looking for is currently unavailable. The Web site might be experiencing technical difficulties, or you may need to adjust your browser settings. OK what am I missing here? 
From dkona7b02 at sneakemail.com Wed Feb 9 13:55:37 2005 From: dkona7b02 at sneakemail.com (Spam Hater) Date: Wed Feb 9 13:55:43 2005 Subject: [SC-Help] Re: Using SpamCop In-Reply-To: Message-ID: <3.0.5.32.20050209135537.014fc490@loki.fstrf.org> Must be a problem on your side... I can get there from here. I am not a paid member so can't get in, but I do get the login box... What do you get if you try the generic page: http://www.spamcop.net ? At 01:44 PM 2/9/2005 -0500, Ciberguy typed: >When I attempt to submit spam I go to the following web site: >http://members.spamcop.net/ > >I get back the following message: > The page cannot be displayed > The page you are looking for is currently unavailable. The Web site >might be experiencing technical difficulties, or you may need to adjust your >browser settings. > > >OK what am I missing here? From feldethom2165 at email2me.net Wed Feb 9 10:06:17 2005 From: feldethom2165 at email2me.net (Fred k) Date: Wed Feb 9 14:10:07 2005 Subject: [SC-Help] Re: Using SpamCop References: Message-ID: "Ciberguy" wrote in message news:cudlng$p25$1@news.spamcop.net... > When I attempt to submit spam I go to the following web site: > http://members.spamcop.net/ > > I get back the following message: > The page cannot be displayed > The page you are looking for is currently unavailable. The Web site > might be experiencing technical difficulties, or you may need to adjust > your > browser settings. > > > OK what am I missing here? I can get in. Fred k From bite_me at its.fun Wed Feb 9 13:11:53 2005 From: bite_me at its.fun (Rev. Guido S. DeLuxe, DD, LDD, OGG, OHS, ST, MI, MSU) Date: Wed Feb 9 16:30:05 2005 Subject: [SC-Help] Re: Using SpamCop References: Message-ID: On Wed, 09 Feb 2005 10:06:17 -0900, Fred k, an eminent manifestation of Tina Chopp, wrote: > I can get in. 
that's odd, because i'm a paid member, and i *can't* get in at members.spamcop.net - i get a login box, but it won't accept my username/password - although i can get in without a problem at mailsc.spamcop.net From beachkid at cesmail.net Wed Feb 9 16:31:18 2005 From: beachkid at cesmail.net (Linspire User) Date: Wed Feb 9 16:35:05 2005 Subject: [SC-Help] Re: Using SpamCop In-Reply-To: References: Message-ID: Ditto for me as I am a paid member. That is, not able to get in @ members but can get in @ mailsc. Rev. Guido S. DeLuxe, DD, LDD, OGG, OHS, ST, MI, MSU wrote: > On Wed, 09 Feb 2005 10:06:17 -0900, Fred k, an eminent manifestation of > Tina Chopp, wrote: > > >>I can get in. > > > that's odd, because i'm a paid member, and i *can't* get in at > members.spamcop.net - i get a login box, but it won't accept my > username/password - although i can get in without a problem at > mailsc.spamcop.net From TJLWBECGSGWU at spammotel.com Wed Feb 9 21:36:54 2005 From: TJLWBECGSGWU at spammotel.com (Mathew Hendry) Date: Wed Feb 9 16:40:04 2005 Subject: [SC-Help] Re: Using SpamCop In-Reply-To: References: Message-ID: Rev. Guido S. DeLuxe, DD, LDD, OGG, OHS, ST, MI, MSU wrote: > On Wed, 09 Feb 2005 10:06:17 -0900, Fred k, an eminent manifestation of > Tina Chopp, wrote: > >>I can get in. > > that's odd, because i'm a paid member, and i *can't* get in at > members.spamcop.net - i get a login box, but it won't accept my > username/password - although i can get in without a problem at > mailsc.spamcop.net Depends what you're paying for I think. IIRC, members.spamcop.net is for reporting-only accounts, and mailsc.spamcop.net is for SpamCop Mail accounts. www.spamcop.net should work for everybody. -- Mat. From nobody at devnull.spamcop.net Wed Feb 9 17:19:26 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Wed Feb 9 18:20:04 2005 Subject: [SC-Help] Re: Parser fooled: suggestions? References: Message-ID: "Martin Edwards" wrote in message news:cudksn$oc4$1@news.spamcop.net... 
> Martin Edwards wrote: > > WazoO wrote: > > > >> "Martin Edwards" wrote in message > >> news:cu8evc$g17$1@news.spamcop.net... > >> > >>> http://www.spamcop.net/sc?id=z729770546z8326b1146bb1c9c7b815bae051e5b79fz > >> > >> It all starts with just what you are using to submit your spam. > >> On this case, the problem starts with the first line of text; > >> "A false bounce was received via your server with the ...." > >> which is then followed by a blank line ... the parser reads > >> this line as the "header" and of course craps out. Probably > >> no sense talking about the lack of a body at this point .... > >> > > I'll be back with this one: it does sometimes get fooled for no obvious > > reason. > > http://www.spamcop.net/sc?id=z730506274zd6d4fbeb75d3f257435846fd51d3f6cfz Same as above .... this time it's bad line-wraps in the headers lines: Received: from ytsv (unverified [208.61.203.148]) by Mail1.isnetworking.com (Vircom SMTPRS 4.0.330.8) with SMTP id ; Tue, 8 Feb 2005 19:41:46 -0600 From buzzard554 at fastmail.co.uk Thu Feb 10 17:47:23 2005 From: buzzard554 at fastmail.co.uk (Martin Edwards) Date: Thu Feb 10 12:45:05 2005 Subject: [SC-Help] Re: Parser fooled: suggestions? In-Reply-To: References: Message-ID: WazoO wrote: > "Martin Edwards" wrote in message > news:cudksn$oc4$1@news.spamcop.net... > >>Martin Edwards wrote: >> >>>WazoO wrote: >>> >>> >>>>"Martin Edwards" wrote in message >>>>news:cu8evc$g17$1@news.spamcop.net... >>>> >>>> > http://www.spamcop.net/sc?id=z729770546z8326b1146bb1c9c7b815bae051e5b79fz > >>>>It all starts with just what you are using to submit your spam. >>>>On this case, the problem starts with the first line of text; >>>>"A false bounce was received via your server with the ...." >>>>which is then followed by a blank line ... the parser reads >>>>this line as the "header" and of course craps out. Probably >>>>no sense talking about the lack of a body at this point .... 
>>>> >>> >>>I'll be back with this one: it does sometimes get fooled for no obvious >>>reason. >> >>http://www.spamcop.net/sc?id=z730506274zd6d4fbeb75d3f257435846fd51d3f6cfz > > > Same as above .... this time it's bad line-wraps in the headers lines: > Received: from ytsv (unverified [208.61.203.148]) by Mail1.isnetworking.com > (Vircom SMTPRS 4.0.330.8) with SMTP id ; > Tue, 8 Feb 2005 19:41:46 -0600 > > Thanks: I'll keep my eye open for that one. From feldethom2165 at email2me.net Thu Feb 10 09:29:14 2005 From: feldethom2165 at email2me.net (Fred k) Date: Thu Feb 10 13:32:00 2005 Subject: [SC-Help] How did this find my mailbox Message-ID: My email address or a To: field is nowhere in the header. Return-path: Received: from mta-3.x.net (mta-3.x.net [208.138.130.78]) by mailstore-3.x.net (Sun Java System Messaging Server 6.1 HotFix 0.06 (built Nov 11 2004)) with ESMTP id <0IBP003NJ9SQY3B0@mailstore-3.x.net>; Thu, 10 Feb 2005 05:34:03 -0900 (AKST) Received: from psmtp.com (exprod6mx72.postini.com [64.18.1.56]) by mta-3.x.net (iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003)) with SMTP id <0IBP00BJ49S0BS@mta-3.x.net>; Thu, 10 Feb 2005 05:34:02 -0900 (AKST) Received: from source ([213.4.129.48]) by exprod6mx72.postini.com ([64.18.5.10]) with SMTP; Thu, 10 Feb 2005 09:33:26 -0500 (EST) Received: from terra.es ([10.20.4.99]) by tfdsmtp3.mail.isp (Netscape Messaging Server 4.15 tfdsmtp3 Mar 14 2002 21:29:48) with ESMTP id IBP9J201.ISH; Thu, 10 Feb 2005 15:28:14 +0100 Date: Thu, 10 Feb 2005 15:28:13 +0100 From: POKADIGBO Subject: Letter Reply-to: p.okadigbo@catpost.co.uk Message-id: <14d33614be46.14be4614d336@terra.es> MIME-version: 1.0 X-Mailer: Netscape Webmail Content-type: text/plain; charset=us-ascii Content-language: es Content-transfer-encoding: 7bit Content-disposition: inline X-Accept-Language: es X-pstn-levels: (S: 0.00000/64.89070 R:95.9108 P:95.9108 M:94.5022 C:99.5902 ) X-NAS-Language: English X-NAS-Bayes: #0: 9.8703E-060; #1: 1 
X-NAS-Classification: 0 X-NAS-MessageID: 842 X-NAS-Validation: {BB4B6A78-C306-49E3-9794-B878481CCA59} Fred k From Merlyn at Spamcop.net Thu Feb 10 13:41:18 2005 From: Merlyn at Spamcop.net (Merlyn) Date: Thu Feb 10 13:45:11 2005 Subject: [SC-Help] Re: How did this find my mailbox References: Message-ID: "Fred k" wrote in message news:cug960$p2j$1@news.spamcop.net... > My email address or a To: field is nowhere in the header. [snipped] Probably a BCC -- Regards, Merlyn A Spamcop advocate No emails this account is for newsgroups only People demand freedom of speech to make up for the freedom of thought which they avoided From Kilgallen at SpamCop.net Thu Feb 10 13:35:16 2005 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Thu Feb 10 14:40:06 2005 Subject: [SC-Help] Re: How did this find my mailbox References: Message-ID: In article , "Fred k" writes: > My email address or a To: field is nowhere in the header. Inclusion of a To: field has nothing to do with delivery of the message. Delivery is based on transmission time SMTP dialog components that are not contained in the message headers. From feldethom2165 at email2me.net Thu Feb 10 14:25:18 2005 From: feldethom2165 at email2me.net (Fred k) Date: Thu Feb 10 18:30:06 2005 Subject: [SC-Help] Re: How did this find my mailbox References: Message-ID: "Larry Kilgallen" wrote in message news:jPGqVY$QHLQY@eisner.encompasserve.org... Inclusion of a To: field has nothing to do with delivery of the message. > > Delivery is based on transmission time SMTP dialog components that are > not contained in the message headers. I have looked at other messages. All of them have my name@emal.com somewhere in the header. This one and a few others do not. I realize that the to: field does not have to be me. 
Fred k From MikeE at ster.invalid Thu Feb 10 16:48:24 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Feb 10 19:50:23 2005 Subject: [SC-Help] Re: How did this find my mailbox References: Message-ID: Fred k wrote: > I have looked at other messages. All of them have my name@emal.com > somewhere in the header. This one and a few others do not. I relize > that the to: field does not have to be me. It is not necessary that your name appear anywhere in the header fields which are accessible to you in mail you receive. You can experiment with your own mailuser agent OE, which has a BCC function entirely consistent with concealing the email address of those BCC designated recipients from each other. Altho' the OE BCC function may not be identical with the function of ratware, it does serve to demonstrate the function. When you send a mail to various recipients, those which appear in the To and CC will appear in those fields of the mail. When you put recipients into the BCC address field, the recipients do /not/ see those recipient addresses which were placed in there. If you send yourself a mail, and put nothing in the To or CC, but put your own addy in the BCC, the received mail will not show you anywhere in the headers. The To will say 'undisclosed recipients'. If you look back into the Sent folder for that mail, your Sent item will show your address in the BCC. -- Mike Easter kibitzer, not SC admin From feldethom2165 at email2me.net Thu Feb 10 16:29:18 2005 From: feldethom2165 at email2me.net (Fred k) Date: Thu Feb 10 20:30:07 2005 Subject: [SC-Help] Re: How did this find my mailbox References: Message-ID: "Mike Easter" wrote in message news:cugvb5$b2a$1@news.spamcop.net... > Fred k wrote: >> I have looked at other messages. All of them have my name@emal.com >> somewhere in the header. This one and a few others do not. I relize >> that the to: field does not have to be me. 
> > It is not necessary that your name appear anywhere in the header fields > which are accessible to you in mail you receive. Well I did. This is a BCC only to myself. It shows me as "for" twice and once as ORCPT . The original one I posted does not. Return-path: Received: from mta-2.gci.net (mta-2.gci.net [208.138.130.83]) by mailstore-3.gci.net (Sun Java System Messaging Server 6.1 HotFix 0.06 (built Nov 11 2004)) with ESMTP id <0IBQ0099Y3VA8C40@mailstore-3.gci.net> for name@gci.net; Thu, 10 Feb 2005 16:23:34 -0900 (AKST) Received: from psmtp.com (exprod6mx4.postini.com [64.18.1.144]) by mta-2.gci.net (iPlanet Messaging Server 5.2 HotFix 1.14 (built Mar 18 2003)) with SMTP id <0IBQ00K0U3VA95@mta-2.gci.net> for name@gci.net (ORCPT name@gci.net); Thu, 10 Feb 2005 16:23:34 -0900 (AKST) Received: from source ([208.138.130.80]) by exprod6mx4.postini.com ([64.18.5.10]) with SMTP; Thu, 10 Feb 2005 17:23:30 -0800 (PST) Received: from notebook ([66.223.133.149]) by mmp-1.gci.net (iPlanet Messaging Server 5.2 HotFix 1.14 (built Mar 18 2003)) with ESMTP id <0IBQ001173V4YP@mmp-1.gci.net> for name@gci.net; Thu, 10 Feb 2005 16:23:30 -0900 (AKST) Date: Thu, 10 Feb 2005 16:23:36 -0900 From: The names Subject: test To: Message-id: <003c01c50fd8$50baf730$04000100@notebook> MIME-version: 1.0 X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.2180 X-Mailer: Microsoft Outlook Express 6.00.2900.2180 Content-type: multipart/alternative; boundary="Boundary_(ID_rqldJROSEL3DlNUQJJ5Jbg)" X-Priority: 3 X-MSMail-priority: Normal Original-recipient: rfc822;name@gci.net X-NAS-Language: Unknown X-NAS-Bayes: #0: 3.91155E-007; #1: 1 X-NAS-Classification: 0 X-NAS-MessageID: 879 X-NAS-Validation: {BB4B6A78-C306-49E3-9794-B878481CCA59} Fred k From skyllightq at rogers.com Fri Feb 11 08:51:21 2005 From: skyllightq at rogers.com (Ciberguy) Date: Fri Feb 11 08:55:27 2005 Subject: [SC-Help] Re: Using SpamCop References: Message-ID: "Linspire User" wrote in message news:cudvf6$1p9$1@news.spamcop.net... 
> Ditto for me as I am a paid member. That is, not > able to get in @ members but can get in @ mailsc. > OK there are several of us that can't get in. I can't even get in using www.spamcop.net ! I am a paid member so I don't understand what is going on. Am I - are we blocked for some reason? I have been using IE to enter the site forever when that stop working I was able to get in using Netscape now that has stopped. What is going on????? From ric.gates at bigsleep.org Fri Feb 11 13:54:52 2005 From: ric.gates at bigsleep.org (Blammo) Date: Fri Feb 11 08:55:54 2005 Subject: [SC-Help] Re: How did this find my mailbox References: Message-ID: On 10 Feb 2005 Fred k entered spamcop.help and left news:cuh1p9$cms$1@news.spamcop.net: > Well I did. This is a BCC only to myself. It shows me as "for" twice and > once as ORCPT . The original one I posted does not. > There are several possibilities, the message may have been sent to multiple recipients in the same domain, and since there are multiple copies of the message the MTX is unable to insert the information into the headers. This is a well-known problem with Sendmail, for example. in order to insert the information into a header a separate process needs to be spawned for each message copy, this usually happens when a local delivery program is used, such as Procmail. You cannot perform an accurate test of your mail system unless you send the test message from an outside source. -- | Ric | From skyllightq at rogers.com Fri Feb 11 08:54:51 2005 From: skyllightq at rogers.com (Ciberguy) Date: Fri Feb 11 09:00:03 2005 Subject: [SC-Help] Re: Using SpamCop References: Message-ID: "Mathew Hendry" wrote in message news:cudvpm$sqs$1@news.spamcop.net... > > that's odd, because i'm a paid member, and i *can't* get in at > > members.spamcop.net - i get a login box, but it won't accept my > > username/password - although i can get in without a problem at > > mailsc.spamcop.net > What is mailsc.spamcop.net? 
Is that a web site or a newsgroup? From feldethom2165 at email2me.net Fri Feb 11 08:47:30 2005 From: feldethom2165 at email2me.net (Fred k) Date: Fri Feb 11 12:50:31 2005 Subject: [SC-Help] Re: Using SpamCop References: Message-ID: "Ciberguy" wrote in message news:cuidg6$jkf$1@news.spamcop.net... > >> > that's odd, because i'm a paid member, and i *can't* get in at >> > members.spamcop.net - i get a login box, but it won't accept my >> > username/password - although i can get in without a problem at >> > mailsc.spamcop.net Did you check your cookies settings? You must accept the cookie SC sends at login Fred k From feldethom2165 at email2me.net Fri Feb 11 08:50:34 2005 From: feldethom2165 at email2me.net (Fred k) Date: Fri Feb 11 12:55:08 2005 Subject: [SC-Help] Re: How did this find my mailbox References: Message-ID: "Blammo" wrote in message news:Xns95FA3C560AEF3blammo@216.154.195.61... > > You cannot perform an accurate test of your mail system unless you send > the > test message from an outside source. Well I did send from another ISP to 2 email addresses at my ISP, including my own. My address still appeared in ORCPT and the for field of the header. Fred k From TJLWBECGSGWU at spammotel.com Fri Feb 11 20:22:34 2005 From: TJLWBECGSGWU at spammotel.com (Mathew Hendry) Date: Fri Feb 11 15:25:09 2005 Subject: [SC-Help] Re: Using SpamCop In-Reply-To: References: Message-ID: Ciberguy wrote: > > What is mailsc.spamcop.net? Is that a web site or a newsgroup? Website. For hysterical raisins, it's accessible only by SpamCop Mail users, but once you get in, it's just like the main site at www.spamcop.net. -- Mat. 
From ric.gates at bigsleep.org Fri Feb 11 22:33:10 2005 From: ric.gates at bigsleep.org (Blammo) Date: Fri Feb 11 17:35:07 2005 Subject: [SC-Help] Re: How did this find my mailbox References: Message-ID: On 11 Feb 2005 Fred k entered spamcop.help and left news:cuir96$tcc$1@news.spamcop.net: > Well I did send from another ISP to 2 email addresses at my ISP, > including my own. My address still appeared in ORCPT and the for field > of the header. > Well there may be another reason why this is happening and I haven't narrowed it down yet, but I believe it has something to do with the way the mail-to is formed, for example "user@domain.dom" may trigger this. I know that in certain cases (on my mail server), where the message is not sent to multiple recipients, the header does not appear, though I don't run the same mail server as your ISP so the cause may be different. Also you can depend on good mail software (even Outlook) to send well formatted commands, while spamware that directly connects to your ISP mail server is completely unpredictable. This could've also been a "glitch" and may rarely or never happen again. Speaking of glitches my ISP had a strange problem for a time where spamassassin would occasionally not run (no spamassassin headers in the message at all), but every time I tested it, it always worked. It seems to have been fixed since they upgraded spamassassin, I have no idea whether it was the upgrade or some "glitch" somewhere else, they of course never tell you because they never do anything wrong. -- | Ric From skyllightq at rogers.com Fri Feb 11 22:15:36 2005 From: skyllightq at rogers.com (Ciberguy) Date: Fri Feb 11 22:20:03 2005 Subject: [SC-Help] Re: Using SpamCop References: Message-ID: "Mathew Hendry" wrote in message news:cuj46b$139$1@news.spamcop.net... > Ciberguy wrote: > > > > What is mailsc.spamcop.net? Is that a web site or a newsgroup? > > Website. 
For hysterical raisins, it's accessible only by SpamCop Mail > users, but once you get in, it's just like the main site at www.spamcop.net. > > -- Mat. Thanks Mat for answering my question!!! :) BTW, I email spamcop support. The following is what I received from them: "Your account is OK. There's no reason on this end why you shouldn't be able to log in. Try logging in at http://www.spamcop.net/ instead. Maybe that will work better for you. If you're using a personal firewall, try telling it that spamcop.net is a "trusted" site. Same for both of your browsers. Clear the browser cache. Get rid of any old SpamCop cookies. Reset your IE security settings to the defaults." When I added the web addresses to ZoneAlarm as trusted it worked like a charm! Strange I never had to do that before..... Oh well go figure! Thank you Fred for the pointer!!!!!! Thank you folks for hanging in there! Elton From Miles_NG at hotmail.com Sat Feb 12 17:19:44 2005 From: Miles_NG at hotmail.com (Miles (RemoveThis)) Date: Fri Feb 11 23:20:04 2005 Subject: [SC-Help] Re: How did this find my mailbox References: Message-ID: "Mike Easter" wrote in message news:cugvb5$b2a$1@news.spamcop.net... > When you send a mail to various recipients, those which appear in the To > and CC will appear in those fields of the mail. When you put recipients > into the BCC address field, the recipients do /not/ see those recipient > addresses which were placed in there. I have some email aliases (within my normal ISP email framework) which direct to my main email address. My original intention in doing this was to be able to ditch a particular alias if it was compromised and got onto spam databases. However when spammers send stuff BCC (with just one person's email address showing in the "To" field) I don't seem to be able to determine which of the aliases the spammer sent it to. Has anyone got any suggestions? (I'm using Outlook 2002, SP3). 
I thought of giving up on my current ISP and going to one that actually gives you several separate email addresses rather than just aliases that are collected by your main in-box, but that's a lot of hassle if there's a simpler way. From sommerfeld at hamachi.org Fri Feb 11 23:54:08 2005 From: sommerfeld at hamachi.org (Bill Sommerfeld) Date: Fri Feb 11 23:55:41 2005 Subject: [SC-Help] Re: How did this find my mailbox In-Reply-To: References: Message-ID: Fred k wrote: > "Larry Kilgallen" wrote in message > news:jPGqVY$QHLQY@eisner.encompasserve.org... > Inclusion of a To: field has nothing to do with delivery of the message. > >>Delivery is based on transmission time SMTP dialog components that are >>not contained in the message headers. > > > I have looked at other messages. All of them have my name@emal.com somewhere > in the header. This one and a few others do not. I relize that the to: field > does not have to be me. Some mailers will not put the envelope recipient into the received: header if there's more than one envelope recipient. see RFC 2821, http://www.ietf.org/rfc/rfc2821.txt, and RFC 2822, http://www.ietf.org/rfc/rfc2822.txt, which are the standards which define how internet mail works. the recipient's mail address need appear only in the "envelope" data which is not part of the delivered message. if you have access to the mailer logs of your mail server (unlikely) your address will turn up there, though. From MikeE at ster.invalid Fri Feb 11 21:44:39 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat Feb 12 00:45:41 2005 Subject: [SC-Help] Re: How did this find my mailbox References: Message-ID: Miles wrote: > However when spammers send stuff BCC (with just one person's email > address showing in the "To" field) I don't seem to be able to > determine which of the aliases the spammer sent it to. Correct. Unless it happens to show up in the 'for' field of the Received traceline that Fred k described. > Has anyone > got any suggestions? 
> I have some email aliases (within my normal ISP email framework) which > direct to my main email address. If you 'mix up' mail to several usernames in the same mailbox, you won't be able to tell how a BCC item was addressed unless the addy shows up in the 'for' field. The suggestion is that if that result is unsatisfactory, you can't mix them up like that. -- Mike Easter kibitzer, not SC admin From feldethom2165 at email2me.net Fri Feb 11 22:00:50 2005 From: feldethom2165 at email2me.net (Fred k) Date: Sat Feb 12 02:05:35 2005 Subject: [SC-Help] Re: How did this find my mailbox References: Message-ID: "Bill Sommerfeld" wrote in message news:cuk25h$q3a$1@news.spamcop.net... > see RFC 2821, http://www.ietf.org/rfc/rfc2821.txt, and RFC 2822, > http://www.ietf.org/rfc/rfc2822.txt, which are the standards which define > how internet mail works. the recipient's mail address need appear only in > the "envelope" data which is not part of the delivered message. if you > have access to the mailer logs of your mail server (unlikely) your address > will turn up there, though. Thanks Bill The details are way over my head. I appreciate the time you took to come up with an explanation that makes sense. Fred k From ric.gates at bigsleep.org Sun Feb 13 01:51:39 2005 From: ric.gates at bigsleep.org (Blammo) Date: Sat Feb 12 20:55:03 2005 Subject: [SC-Help] Re: How did this find my mailbox References: Message-ID: On 11 Feb 2005 Fred k entered spamcop.help and left news:cuk9jd$tpc$1@news.spamcop.net: > The details are way over my head. I appreciate the time you took to > come up with an explanation that makes sense. > That actually doesn't explain anything at all, since you proved your ISP stores the envelope recipient data in the headers. I have an ISP running Postfix and Courier and the envelope recipient appears in every single message (including junk not addressed to me). 
Also the logs may not show the actual alias used, but only the users mbox, unless it has been configured it to specifically do so. -- | Ric | From driehuis.fcnzpbc2005 at playbeing.com Mon Feb 14 04:38:25 2005 From: driehuis.fcnzpbc2005 at playbeing.com (Bert Driehuis) Date: Sun Feb 13 22:40:06 2005 Subject: [SC-Help] Re: How did this find my mailbox References: Message-ID: <20050214043825.79d92063@wednesday.playbeing.org> On Fri, 11 Feb 2005 08:50:34 -0900 "Fred k" wrote: > Well I did send from another ISP to 2 email addresses at my ISP, including > my own. My address still appeared in ORCPT and the for field of the header. Look closer -- the ORCPT line also listed a 'for name@...' entry. If you can find the filter magic in Outhouse, you may want to consider setting up a filter to file away messages that have a line Received: from psmtp.com but doesn't have 'for name@gci.net' in the same line. From MikeE at ster.invalid Sun Feb 13 19:57:25 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Feb 13 23:00:03 2005 Subject: [SC-Help] Re: How did this find my mailbox References: <20050214043825.79d92063@wednesday.playbeing.org> Message-ID: Bert Driehuis wrote: > If you can find the filter magic in Outhouse, Fred's likely mua is OE, not OL, and it has extremely weak message rules, such as Subject, To, From, size, attachment, and a few other simplistic ones. 
-- Mike Easter kibitzer, not SC admin From driehuis.fcnzpbc2005 at playbeing.com Mon Feb 14 05:58:47 2005 From: driehuis.fcnzpbc2005 at playbeing.com (Bert Driehuis) Date: Mon Feb 14 00:00:03 2005 Subject: [SC-Help] Re: How did this find my mailbox References: <20050214043825.79d92063@wednesday.playbeing.org> Message-ID: <20050214055847.3705af87@wednesday.playbeing.org> On Sun, 13 Feb 2005 19:57:25 -0800 "Mike Easter" wrote: > Bert Driehuis wrote: > > If you can find the filter magic in Outhouse, > > Fred's likely mua is OE, not OL, and it has extremely weak message > rules, such as Subject, To, From, size, attachment, and a few other > simplistic ones. And there are no plugins to improve on the default? I dislike OL for wasting my precious screen real-estate, which is why I'm back to using Pine via IMAP on my office mailbox. I've never even seen recent versions of OE, but I always though OE had the edge on OL when it came to Internet features like dealing with headers. FWIW, I think SpamAssassin would be powerful enough to express the condition that the OP wanted to check for. I think that's available as a plugin for OE, no? From MikeE at ster.invalid Sun Feb 13 21:16:41 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon Feb 14 00:20:35 2005 Subject: [SC-Help] Re: How did this find my mailbox References: <20050214043825.79d92063@wednesday.playbeing.org> <20050214055847.3705af87@wednesday.playbeing.org> Message-ID: Bert Driehuis wrote: > "Mike Easter" >> Fred's likely mua is OE, not OL, and it has extremely weak message >> rules, such as Subject, To, From, size, attachment, and a few other >> simplistic ones. > > And there are no plugins to improve on the default? There's a newsproxy Nfilter for filtering news, and there's a spamproxy SpamPal for filtering spam. There may be others, but those are the ones I use. > OE had the edge > on OL when it came to Internet features like dealing with headers. 
OE's edge over OL re mailheaders is that it stores the mail intact. OL separates the headers and saves them OK, and/but then mapi-izes the body for the store, then has to de-mapi it into an html 'creation' and stick that concoction back together with the original header if called upon for source. Not a pretty picture. OE can access the original mail nicely, but it doesn't have much 'power' in terms of such as filters to work on headers. > FWIW, I think SpamAssassin would be powerful enough to express the > condition that the OP wanted to check for. I think that's available > as a plugin for OE, no? There're ways to install SA on Win, even without cygwin, but it isn't a popular trick. I wouldn't call it an OE plugin. http://wiki.apache.org/spamassassin/InstallingOnWindows SA will also install on some Macs. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sun Feb 13 21:24:49 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon Feb 14 00:25:02 2005 Subject: [SC-Help] Re: How did this find my mailbox References: <20050214043825.79d92063@wednesday.playbeing.org> <20050214055847.3705af87@wednesday.playbeing.org> Message-ID: Bert Driehuis wrote: Oh, and thanks for the wrapping :-) -- Mike Easter kibitzer, not SC admin From tamerz at spamcop.net Wed Feb 16 18:37:21 2005 From: tamerz at spamcop.net (Tames McTigue) Date: Wed Feb 16 13:48:30 2005 Subject: [SC-Help] How do I block all messages that aren't whitelisted? Message-ID: I would have thought this was a common question (and maybe I am blind and missing it) but I would like any mail sent to me that isn't in the whitelist considered spam and held until I whitelist or report it. Thanks. Tames McTigue tamerz@spamcop.net From spam_hjp at yahoo.com Wed Feb 16 21:13:15 2005 From: spam_hjp at yahoo.com (Jim) Date: Wed Feb 16 21:15:07 2005 Subject: [SC-Help] firefox stats Message-ID: When trying to get stats at http://www.spamcop.net/spamgraph.shtml?spamstats with Firefox I get a blank page. 
With IE I get the 24 hour graph. Do I have something set wrong with Firefox? From driehuis.fcnzpbc2005 at playbeing.com Thu Feb 17 03:22:39 2005 From: driehuis.fcnzpbc2005 at playbeing.com (Bert Driehuis) Date: Wed Feb 16 21:25:03 2005 Subject: [SC-Help] Re: firefox stats References: Message-ID: <20050217032239.2e9e1d09@wednesday.playbeing.org> On Wed, 16 Feb 2005 21:13:15 -0500 Jim wrote: > When trying to get stats at > http://www.spamcop.net/spamgraph.shtml?spamstats with Firefox I get a > blank page. With IE I get the 24 hour graph. Do I have something > set wrong with Firefox? You wouldn't have "load images from same site only" checked, would you? From Unknown.User at Invalid.Domain Wed Feb 16 21:23:27 2005 From: Unknown.User at Invalid.Domain (Jan M. Nelken) Date: Wed Feb 16 21:30:03 2005 Subject: [SC-Help] Re: firefox stats In-Reply-To: References: Message-ID: Jim wrote: > When trying to get stats at > http://www.spamcop.net/spamgraph.shtml?spamstats with Firefox I get a > blank page. With IE I get the 24 hour graph. Do I have something set > wrong with Firefox? Tools -> Options -> Web Features Select "Load Images", but unselect "for originating web site only" Click OK Jan M. Nelken From TJLWBECGSGWU at spammotel.com Thu Feb 17 10:11:02 2005 From: TJLWBECGSGWU at spammotel.com (Mathew Hendry) Date: Thu Feb 17 05:15:35 2005 Subject: [SC-Help] Re: How do I block all messages that aren't whitelisted? In-Reply-To: References: Message-ID: Tames McTigue wrote: > I would have thought this was a common question (and maybe I am blind and > missing it) but I would like any mail sent to me that isn't in the > whitelist considered spam and held until I whitelist or report it. Assuming you're talking about the SpamCop Mail system: https://webmail.spamcop.net/horde/imp/spamcop/blacklists.php First option "Block All". -- Mat. 
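Added example, not part of any message in this archive: a Python version of the check discussed in the "How did this find my mailbox" thread above, where Bill Sommerfeld notes that the envelope recipient only sometimes lands in a Received: line and Bert Driehuis suggests filing away mail whose `Received: from psmtp.com` hop lacks `for name@gci.net`. The two sample messages are trimmed from the headers Fred k posted; the function names are this example's own, and `name@gci.net` is the placeholder address from Fred's post.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample, trimmed from the spam Fred k posted: no hop names a recipient.
SPAM = """\
Received: from mta-3.x.net (mta-3.x.net [208.138.130.78])
 by mailstore-3.x.net (Sun Java System Messaging Server 6.1 HotFix 0.06 (built Nov 11 2004))
 with ESMTP id <0IBP003NJ9SQY3B0@mailstore-3.x.net>;
 Thu, 10 Feb 2005 05:34:03 -0900 (AKST)
Received: from psmtp.com (exprod6mx72.postini.com [64.18.1.56])
 by mta-3.x.net (iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003))
 with SMTP id <0IBP00BJ49S0BS@mta-3.x.net>; Thu, 10 Feb 2005 05:34:02 -0900 (AKST)
Received: from source ([213.4.129.48]) by exprod6mx72.postini.com ([64.18.5.10])
 with SMTP; Thu, 10 Feb 2005 09:33:26 -0500 (EST)
Subject: Letter
Reply-to: p.okadigbo@catpost.co.uk

(body omitted)
"""

# Constructed sample, trimmed from Fred k's BCC-to-self test message.
TEST = """\
Received: from mta-2.gci.net (mta-2.gci.net [208.138.130.83])
 by mailstore-3.gci.net (Sun Java System Messaging Server 6.1 HotFix 0.06 (built Nov 11 2004))
 with ESMTP id <0IBQ0099Y3VA8C40@mailstore-3.gci.net> for name@gci.net;
 Thu, 10 Feb 2005 16:23:34 -0900 (AKST)
Received: from psmtp.com (exprod6mx4.postini.com [64.18.1.144])
 by mta-2.gci.net (iPlanet Messaging Server 5.2 HotFix 1.14 (built Mar 18 2003))
 with SMTP id <0IBQ00K0U3VA95@mta-2.gci.net>
 for name@gci.net (ORCPT name@gci.net); Thu, 10 Feb 2005 16:23:34 -0900 (AKST)
Received: from source ([208.138.130.80]) by exprod6mx4.postini.com ([64.18.5.10])
 with SMTP; Thu, 10 Feb 2005 17:23:30 -0800 (PST)
Subject: test
Original-recipient: rfc822;name@gci.net

(body omitted)
"""

FOR_RE = re.compile(r"\bfor\s+<?([^\s<>;]+@[^\s<>;]+)>?", re.I)
ORCPT_RE = re.compile(r"\(ORCPT\s+([^\s()]+)\)", re.I)


def strip_comments(text):
    """Drop RFC 2822 parenthesised comments, including nested ones."""
    out, depth = [], 0
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")" and depth:
            depth -= 1
        elif depth == 0:
            out.append(ch)
    return "".join(out)


def received_hops(msg):
    """Received: values, newest first, with header folding collapsed."""
    return [" ".join(v.split()) for v in msg.get_all("Received", [])]


def for_clause(hop):
    """Addresses in the hop's 'for' clause (the part before the ';' date)."""
    bare = strip_comments(hop)
    head = bare.rpartition(";")[0] or bare
    return {a.lower() for a in FOR_RE.findall(head)}


def envelope_evidence(raw):
    """Compare what the headers reveal about the envelope with To:/Cc:."""
    msg = message_from_string(raw)
    seen = set()
    for hop in received_hops(msg):
        seen |= for_clause(hop)
        seen |= {a.lower() for a in ORCPT_RE.findall(hop)}
    orig = msg.get("Original-recipient", "")
    if ";" in orig:  # e.g. "rfc822;name@gci.net"
        seen.add(orig.split(";", 1)[1].strip().lower())
    shown = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    visible = {addr.lower() for _, addr in shown if addr}
    return {"envelope": sorted(seen), "visible": sorted(visible)}


def relay_hop_lacks_recipient(raw, relay="psmtp.com", me="name@gci.net"):
    """Bert's rule: a 'Received: from <relay>' hop with no 'for <me>' clause."""
    msg = message_from_string(raw)
    relay_hops = [h for h in received_hops(msg)
                  if h.lower().startswith("from " + relay.lower() + " ")]
    return any(me.lower() not in for_clause(h) for h in relay_hops)


if __name__ == "__main__":
    for label, raw in (("spam", SPAM), ("test", TEST)):
        print(label, envelope_evidence(raw), relay_hop_lacks_recipient(raw))
```

A message the rule flags is not necessarily spam: as the thread notes, some mailers leave out the `for` clause whenever there is more than one envelope recipient.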
From spam_hjp at yahoo.com Thu Feb 17 06:13:01 2005 From: spam_hjp at yahoo.com (Jim) Date: Thu Feb 17 06:15:35 2005 Subject: [SC-Help] Re: firefox stats In-Reply-To: <20050217032239.2e9e1d09@wednesday.playbeing.org> References: <20050217032239.2e9e1d09@wednesday.playbeing.org> Message-ID: > > > You wouldn't have "load images from same site only" checked, would you? Thanks - That was it. From tamerz at spamcop.net Fri Feb 18 03:51:45 2005 From: tamerz at spamcop.net (Tames McTigue) Date: Thu Feb 17 22:55:04 2005 Subject: [SC-Help] Re: How do I block all messages that aren't whitelisted? References: Message-ID: Mathew Hendry wrote in news:cv1qj4$qqe$1@news.spamcop.net: > > Assuming you're talking about the SpamCop Mail system: > > https://webmail.spamcop.net/horde/imp/spamcop/blacklists.php > > First option "Block All". > > -- Mat. > Exactly what I was looking for. Thanks! From REMOVEnntp at rogers.com Fri Feb 18 05:17:47 2005 From: REMOVEnntp at rogers.com (Lucas Tam) Date: Fri Feb 18 00:20:03 2005 Subject: [SC-Help] Made a Mistake Reporting my own Mail Host! Message-ID: I transferred my mail hosting to a new provider and I was having some trouble setting up my mail host. In any case, I accidentally reported a piece of spam and it sent a message to my system administrator. Since I mistakenly reported the spam will this cause any problems? Does it take more than 1 piece of spam to flag an IP as Blacklisted? I would hate to blacklist my mail host as they have been great. I've checked the blacklists and so far they do not seem to be on it... Is there any way to unreport a piece of spam? Thanks. -- Lucas Tam (REMOVEnntp@rogers.com) Please delete "REMOVE" from the e-mail address when replying. 
http://members.ebay.com/aboutme/coolspot18/ From REMOVEnntp at rogers.com Fri Feb 18 05:24:46 2005 From: REMOVEnntp at rogers.com (Lucas Tam) Date: Fri Feb 18 00:25:02 2005 Subject: [SC-Help] Re: Spamcop Plugin for Outlook References: Message-ID: "Leon Mayne" wrote in news:ctnhhf$66i$1 @news.spamcop.net: > Lucas Tam wrote: >> Can anyone recommend a spamcop plugin for Outlook 2003? > > http://www.olspamcop.org > > I just had to, you know :-) Thanks! This looks good :) -- Lucas Tam (REMOVEnntp@rogers.com) Please delete "REMOVE" from the e-mail address when replying. http://members.ebay.com/aboutme/coolspot18/ From nobody at devnull.spamcop.net Fri Feb 18 02:04:00 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Fri Feb 18 03:05:22 2005 Subject: [SC-Help] Re: Made a Mistake Reporting my own Mail Host! References: Message-ID: "Lucas Tam" wrote in message news:Xns960130474F8Enntprogerscom@216.154.195.61... > > I've checked the blacklists and so far they do not seem to be on it... Is > there anyway to unreport a piece of spam? "How can I unsend a Report?" found at http://forum.spamcop.net/forums/index.php?showtopic=2238 From MikeE at ster.invalid Fri Feb 18 04:54:34 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri Feb 18 07:55:06 2005 Subject: [SC-Help] Re: Made a Mistake Reporting my own Mail Host! References: Message-ID: Lucas Tam wrote: > Since I mistakenly reported the spam will this cause any problems? Probably not. > Does it take more than 1 piece of spam to flag an IP as Blacklisted? Yes, there is a mathematical equation or algorithm based on reports [reporter or spamtrap] vs 'reputation' points influenced by traffic which is nonspam described here -- What is the SpamCop Blocking List (SCBL)? - http://www.spamcop.net/fom-serve/cache/297.html > I've checked the blacklists and so far they do not seem to be on > it... Good. It was probably no harm done. Be more careful in the future. 
There is an additional step which can be taken which is to email an apologetic recant to the reported/notified with a copy to a deputy so that if there is actual 'trouble', ie a listing, your recant can facilitate its repair. > Is there anyway to unreport a piece of spam? No. When you mail your report, it is mailed and it is reported. A deputy doesn't 'unreport' something because you erred. Under conditions, a deputy will manually delist something whose listing was entirely in error. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Fri Feb 18 12:01:48 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri Feb 18 15:05:05 2005 Subject: [SC-Help] Re: Emails SpamCop can't parse References: Message-ID: Posted to .help & .spam, f/ups to .help. Discussions in spamcop.help or spamcop -- no discussions in spamcop.spam. Phil Calvert wrote: > I've seen a number of emails recently that SpamCop fails to parse. > The links are there, but SpamCop reports "no links found." Here is > an example of one such email: Pasting something in .spam to discuss how SC parses it causes a number of problems which are caused by your newsreader's posting of the spam into the message body to introduce linewraps which interfere with the ability of the parser to parse the item, so spam posting in spamcop.spam is a very very poor substitute for posting the tracker of the item which you originally submitted to the parser. That tracker way we can see the same parse result which you saw. See my tracker below. When I 'work with' the item you 'bent' by posting it into .spam, I have to remove improper linewraps. If improper linewraps were present in the original and that was what caused the problem, those improper linewraps get removed by me just like the 'improper' line wraps which you introduced when you posted it into .spam. Bottom line: if you want to talk about how spamcop parsed a spam, don't post it in .spam the way we used to. 
Instead, feed it to the parser and copy the tracking url and paste that into any group you like, spamcop.help or spamcop. There is no longer any need for the usage of spamcop.spam now that the tracker contains all of the original spam item in addition to the parsing tracker. Here is the tracker for your spam indicating that what I repaired from your post and submitted to the parser was able to show the links. www.spamcop.net/sc?id=z733979065z4eb151f727c5224c9d4efd081856f618z Report Spam to: Re: 211.58.111.157 (Administrator of network where email originates) To: nospam#hanaro.com@devnull.spamcop.net (Notes) To: abuse@hanaro.com (Notes) Re: http://www.aurilavepoppetleggumdigging.com/emms... (Administrator of network hosting website referenced in spam) To: postmaster#chinanet.cn.net@devnull.spamcop.net (Notes) To: anti-spam@chinanet.cn.net (Notes) To: ct-abuse@abuse.sprint.net (Notes) Re: http://www.zoo345.com/192879/rpm/lifetime.html (Administrator of network hosting website referenced in spam) To: postmaster@chinatietong.com (Notes) To: crnet_mgr@chinatietong.com (Notes) To: crnet_tec@chinatietong.com (Notes) -- Mike Easter kibitzer, not SC admin From viper at venomx.com Fri Feb 18 17:48:59 2005 From: viper at venomx.com (Viper) Date: Fri Feb 18 17:50:04 2005 Subject: [SC-Help] How it works? Message-ID: I was wondering how SpamCop worked. How many reports does it take to get an IP listed? Can one person reporting the same spam/IP daily get it listed? How many have to report a IP before its listed? How long after the spam stops for the IP to be unlisted? After the IP is removed is it "ruined" for future issues? If a spam hits a SpamCop spam trap does it get listed auto? I ask because a few people are saying spamcop doesnt help and I tried explaining how it works but wanted to make sure I am correct and if not I will correct myself. 
From MikeE at ster.invalid Fri Feb 18 15:36:57 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri Feb 18 18:40:05 2005 Subject: [SC-Help] Re: How it works? References: Message-ID: Viper wrote: > I was wondering how SpamCop worked. How much of the faq have you read? There's a lot in there; start with the part which you must read before you begin to report and then proceed thru' all of the various sections. Surely you don't want us (tinu) to be interpreting all of that for you, do you? > How many reports does it take to get an IP listed? It depends. > Can one person reporting the same spam/IP daily get it listed? You are saying one person reporting one spam of one IP source per day. In the real world, spam is sent to a lot more than one person; tens, hundreds, or thousands of thousands -- resulting in many similar reports of spam by many reporters and many spamtraps. Why are you asking such an irrelevant question? Notice that I'm addressing each of your questions, so I expect you to address each of mine. > How many have to report a IP before its listed? It depends. > How long after the spam stops for the IP to be unlisted? It depends. > After the IP is removed is it "ruined" for future issues? No. > If a spam hits a SpamCop spam trap does it get listed auto? No, but spamtraps count differently than reporters. http://www.spamcop.net/fom-serve/cache/297.html What is the SpamCop Blocking List (SCBL)? -- How the SCBL Works -- > I ask because a few people are saying spamcop doesnt help and I tried > explaining how it works but wanted to make sure I am correct and if > not I will correct myself. "Spamcop doesn't help" -- means that submitting spam to the spamcop parser for notifying spamsource and spamvertiser providers [which works to notify] and influencing the listing of spamsources in the spamcop blocklist [which works to cause such spamsource listings] /doesn't/ 'help' to directly cause someone to get less spam. 
It helps to contribute to the SCbl and it helps to contribute to the sc-surbl from the statistics page. Besides 'doesn't help' reduce spamload, handling spam irresponsibly and insecurely to submit it can actually result in someone getting /more/ spam rather than less. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Fri Feb 18 16:00:50 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri Feb 18 19:05:04 2005 Subject: [SC-Help] Re: How it works? References: Message-ID: Viper wrote: > I ask because a few people are saying spamcop doesnt help Now, I have an additional question or two for you. The term 'troll' is much overused and abused, but it has a number of interesting ramifications. Do you know what some of the different types of trolls are? Or the history of trolling? Before answering any of these troll questions, you might want to review some troll history in the wikipedia: http://en.wikipedia.org/wiki/Internet_troll "Internet troll -- An internet troll is a person who sends duplicitous messages hoping to get angry responses, or a message sent by such a person. " The other kind of character which makes the troll business work are the billy-goats who respond to trolls. Since most groups like this which didn't just fall off the turnip truck like to avoid participating in trollish threads, these participants try to not respond to trolls in a billygoat-like way. So, my next question for you, after you please adequately review the spamcop faq/s as well as the history of trolling as it applies to duplicity and 'stirring the pot' for billygoat responses, is.... How can I tell the difference between a duplicitous troll who is asking potentially annoying questions and looking for billygoats to respond, and/from a genuine clueless newbie who hasn't bothered to read the faq before asking silly irrelevant questions. 
-- 
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Fri Feb 18 16:27:16 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Feb 18 19:30:09 2005
Subject: [SC-Help] Re: How it works?
References:
Message-ID:

Mike Easter wrote:
> How can I tell the difference between a duplicitous troll

One answer is to look around and see if the persona attached to the handle and address is known for trollish behavior.

Having done so, I retract my earlier remarks about duplicity and will go with/assume 'honest' questions which were asked without enough faq reading, and so I would simply stick with my original link to the faq about how the SCbl works instead of being overly suspicious.

http://www.spamcop.net/fom-serve/cache/297.html

-- 
Mike Easter
kibitzer, not SC admin

From wb8tyw at qsl.network Fri Feb 18 19:40:41 2005
From: wb8tyw at qsl.network (John E. Malmberg)
Date: Fri Feb 18 19:45:06 2005
Subject: [SC-Help] Re: How it works?
In-Reply-To:
References:
Message-ID:

Viper wrote:
> I was wondering how SpamCop worked.

All your questions are really answered in several FAQs at the spamcop.net site, but many people prefer to answer with myth and legend.

> How many reports does it take to get an IP listed?

At least one. The exact number depends on the amount of mail seen from that I.P. from special confidential monitoring points.

> Can one person reporting the same spam/IP daily get it listed?

It theoretically needs to be a different spam, but it is possible to abuse the parser and make a malicious report. However such an attack is usually only practical against a very low volume mail server, and then only once.

> How many have to report a IP before its listed?

While rumor claims that it takes reports from more than one user to get a listing, it actually does not seem to for low (as measured by spamcop) volume mail servers.
The idea that it requires two different reporters directly conflicts with the cases where someone manages to list their own mailserver by not paying attention.

> How long after the spam stops for the IP to be unlisted?

It varies from 1/2 hour to a maximum of 48 hours, and there is now a one time express delisting that can be used by the mail server owner if they are absolutely sure that they have fixed the problem.

> After the IP is removed is it "ruined" for future issues?

Not from a spamcop.net listing, but the listing history may affect how long it stays listed after the last spam report should it get listed again.

And an IP that lets spam escape it may end up on local blocking lists, so any report of spam needs to be taken seriously by the mail server owner.

One of my postmasters has a policy of blocking the "/23" that contains the IP where the spam came from if the spam comes from certain countries. A "/23" is a network administrator abbreviation for a block of 512 IP addresses. So far there have been no problems with that policy in several years.

> If a spam hits a SpamCop spam trap does it get listed auto?

No. Some participants of this forum wish that it was the case. A spamtrap hit counts the same as two human reports.

> I ask because a few people are saying spamcop doesn't help and I tried
> explaining how it works but wanted to make sure I am correct and if not I
> will correct myself.

Spamcop.net is only one tool in helping to eliminate spam. If it is the only tool that you or your mail server operators use, it is very likely that you will be greatly disappointed.

It is very useful for ISPs with zombie computers on them to isolate those computers, which both saves the ISP money and allows them to quickly find network problems that are being caused for their paying customers. It is also very useful for identifying new sources of spam.
Spamcop.net tries to identify the true source of spam, so intermediate relays may not get listed, and it appears that most mail servers only check the I.P. of what mailserver is trying the delivery, which means spam relayed that way will get through even if the source is on the spamcop.net blocking list.

A listing in the bl.spamcop.net is best used for scoring, not an absolute block. It only indicates a high probability that the e-mail is spam, but because spamcop.net will occasionally list real mail servers, using it will likely cause

However many mail servers only have the choice of rejecting based on blocking lists, they can not analyze the body while the mail is being transferred. And if the e-mail is rejected, if it is a real mail, the sender is notified and is alerted that there is a problem that needs to be resolved.

Systems that analyze mail after the mail server has accepted it have no way to notify real senders of non-delivery without making a denial of service attack on the mail servers of the forged addresses used in spam runs. So with those systems, anything detected as spam is either quarantined or silently deleted, and it can be a long time before someone realizes that a real mail was mis-classified.

So you decide, which practice causes the most damage in a mistake with a time sensitive e-mail? A system that quarantines it or one that rejects it?

Also consider the folly of time sensitive e-mails. It can take up to 4 days to deliver an e-mail from the time that you send it without you being notified of the delay. (yes, most mail servers, will attempt to notify that they are still trying, but those are usually the originating mail server, and does not take into account intermediate relays and forwarding services)

The bulk of spam is really stopped by other more conservative block listing services. As measured by one of my postmasters, spamcop.net blocking list is only catching about 3% of the spam delivery attempts.
The local and conservative blocking lists are removing about 95%. That postmaster is also the one that locally blocks /23s from some countries. The local blocks are stopping 50% of the spam, with no reports of those blocks being in error.

From several reports on usenet from some ISP postmasters, the state of the art in spam blocking is now that 80% of the spam can be reliably separated by the conservative blocking lists, and that adding a good DHCP blocking list can bring that number up to 95% with little risk of rejecting a legitimate e-mail.

And keeping the spam out of the mail server lowers the cost of operating the mail server, as many commercial sites have to pay a metered rate for their internet connection, and if the mail server is the main bandwidth consumer, refusing the spam can make a significant difference.

Some mail servers can do content analysis before completely accepting an e-mail, and in those cases proper content analysis can usually safely eliminate the remaining spam.

Doing most content analysis on the remaining mail that gets through is just as likely to cause a false positive as it is to detect additional spam, and this includes Bayesian style filtering.

These false positives can be reduced to almost none, if the scoring in the content filtering requires either a bad rDNS, or a listing in one of the aggressive blocking lists as one of the requirements. That way it will not catch someone helping discuss a spam related problem.

Right now the most accurate content check is to look up what IP the URLs in the e-mail resolve to, and if it resolves to an IP address that mail would not be accepted from it is almost certainly spam. If the URL does not resolve, then it is either a typo, or spam.

-John
wb8tyw@qsl.network
Personal Opinion Only

From viper at venomx.com Fri Feb 18 20:37:56 2005
From: viper at venomx.com (Viper)
Date: Fri Feb 18 20:40:03 2005
Subject: [SC-Help] Re: How it works?
References:
Message-ID:

Mike Easter wrote:
> Viper wrote:
>> I was wondering how SpamCop worked.
>
> How much of the faq have you read? There's a lot in there; start
> with the part which you must read before you begin to report and then
> proceed thru' all of the various sections. Surely you don't want us
> (tinu) to be interpreting all of that for you, do you?
>

I did look but wasn't reading every page. I tried looking for a how it works or how we list.. but didn't see one. I did look here after I posted and seen (You?) this url was suggested to someone else. http://www.spamcop.net/fom-serve/cache/297.html

>> How many reports does it take to get an IP listed?
>
> It depends.
>
>> Can one person reporting the same spam/IP daily get it listed?
>
> You are saying one person reporting one spam of one IP source per day.
> In the real world, spam is sent to a lot more than one person; tens,
> hundreds, or thousands of thousands -- resulting in many similar
> reports of spam by many reporters and many spamtraps.

Yes but as we all know most JHD.

> Why are you asking such an irrelevant question?

Because the way the one guy who said he was listed was talking he was listed for ONE report. From what I have always understood it took more than one report.

> Notice that I'm addressing each of your questions, so I expect you to
> address each of mine.
>
>> How many have to report a IP before its listed?
>
> It depends.
>
>> How long after the spam stops for the IP to be unlisted?
>
> It depends.
>
>> After the IP is removed is it "ruined" for future issues?
>
> No.
>
>> If a spam hits a SpamCop spam trap does it get listed auto?
>
> No, but spamtraps count differently than reporters.
> http://www.spamcop.net/fom-serve/cache/297.html What is the SpamCop
> Blocking List (SCBL)? -- How the SCBL Works --
>
>> I ask because a few people are saying spamcop doesn't help and I tried
>> explaining how it works but wanted to make sure I am correct and if
>> not I will correct myself.
>
> "Spamcop doesn't help" -- means that submitting spam to the spamcop
> parser for notifying spamsource and spamvertiser providers [which
> works to notify] and influencing the listing of spamsources in the
> spamcop blocklist [which works to cause such spamsource listings]
> /doesn't/ 'help' to directly cause someone to get less spam. It
> helps to contribute to the SCbl and it helps to contribute to the
> sc-surbl from the statistics page.
>
> Besides 'doesn't help' reduce spamload, handling spam irresponsibly
> and insecurely to submit it can actually result in someone getting
> /more/ spam rather than less.

Yes I read the FAQ before and yes I know what a Troll is. But I would rather stick up for SpamCop than let him spew his lies and some newbie read what he has to say and take it as truth because no one spoke up.

From peter at stoddard.name Fri Feb 18 17:52:45 2005
From: peter at stoddard.name (Peter Stoddard)
Date: Fri Feb 18 20:52:53 2005
Subject: [SC-Help] How do I treat this?
Message-ID:

Hi folks

I have been reporting spam using the web. I have been receiving the following from this guy from cta.cq.net. Should I stop reporting spam for a little while, or should I keep on reporting it? It isn't very frequent ... maybe one or two a week. If I do stop for awhile, do I stop reporting any .cn, or any cq.cn, or what?

******************snip******************
Subject: re:
From: abuse@cta.cq.cn
To: 1363518056@reports.spamcop.net

We have already informed police to assist our resolve it.
----------------------------------------------
????????????????????????????
http://mail.online.cq.cn
******************snip******************

If you are curious, the full header follows:

Subject: re:
Date: February 18, 2005 11:20:54 PM PST
From: abuse@cta.cq.cn
To: 1363518056@reports.spamcop.net
Status: U
Return-Path:
Received: from wsmarth-swift.pas.sa.earthlink.net ([207.217.120.253]) by mx-a065b01.pas.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 1d2cEx4sP3NZFpK4 for ; Fri, 18 Feb 2005 10:14:57 -0800 (PST)
Received: from toucan-120.pocket ([10.4.120.212] helo=toucan.mail.pas.earthlink.net) by wsmarth-swift.pas.sa.earthlink.net with smtp (Exim 3.36 #1) id 1D2CeW-0000El-00 for pstoddard61@earthlink.net; Fri, 18 Feb 2005 10:14:56 -0800
Received: from vmx2.spamcop.net ([64.74.133.250]) by toucan.mail.pas.earthlink.net (EarthLink Mail Service) with ESMTP id 1d2cEr64X3NZFmk0 for ; Fri, 18 Feb 2005 10:14:51 -0800 (PST)
Received: from sc-app4.eq.ironport.com (HELO spamcop.net) (192.168.19.204) by vmx2.spamcop.net with SMTP; 18 Feb 2005 10:14:43 -0800
Received: from vmx2.spamcop.net (sc-smtp2.eq.ironport.com [192.168.18.82]) by sc-app4.eq.ironport.com (Postfix) with ESMTP id 1EE155112 for <1363518056@reports.spamcop.net>; Fri, 18 Feb 2005 09:20:12 -0800 (PST)
Received: from unknown (HELO cta.cq.cn) (61.128.128.102) by vmx2.spamcop.net with SMTP; 18 Feb 2005 09:20:11 -0800
Received: from cta.cq.cn([10.1.0.1]) by cta.cq.cn(AIMC 3.1.0.0) with SMTP id jm154216301d; Sat, 19 Feb 2005 00:59:55 +0800
X-Mindspring-Loop: spam@stoddard.us
X-Spamcop-Reply-Ids: 1363518056
X-Spamcop-Return-Path:
X-Aimc-Mailtype: System(AutoReply)
X-Aimc-Filter: abuse.4(cta.cq.cn)
X_Aimc_Auto_Created_Msg: abuse@cta.cq.cn auto-reply to 1363518056@reports.spamcop.net
Content-Type: text/plain
Content-Transfer-Encoding: 8bit
Mime-Version: 1.0
X-Aimailer: AIMC 3.1.0.0 2004.07.27
X-Aimime: MIME/SMIME Lib 2.9 2.9 2004.07.27
X-Priority: 3
X-Originating-Ip: 61.128.128.55
X-Aimc-Auth: (null)
X-Aimc-Mailfrom: null_user_9753@aimc.com
Message-Id:
X-Aimc-Msg-Id: 4Bv3LCNB
X-Elnk-Av:
0

-- 
Peter Stoddard - Sacramento - California 916-501-4078

From pcalvert at r0cketmail.c0m Fri Feb 18 20:59:36 2005
From: pcalvert at r0cketmail.c0m (Phil Calvert)
Date: Fri Feb 18 21:00:03 2005
Subject: [SC-Help] Re: Emails SpamCop can't parse
References:
Message-ID:

Hi Mike,

What's interesting is that I just ran the original email through SpamCop and it parsed it successfully this time. So something has changed. Apparently someone was able to figure out what was tripping up SpamCop, fortunately.

I just noticed something kind of strange, though. The reporting addresses for the links keep changing. The reporting addresses I am getting are different than the ones you posted.

When I ran the original email through SpamCop just now, here are the reporting addresses I got for the links that were found:

Re: http://www.aurilavepoppetleggumdigging.com/emms... (Administrator of network hosting website referenced in spam)
To: abuse@cnc-noc.net (Notes)
To: postmaster#cnc-noc.net@devnull.spamcop.net (Notes)
Re: http://www.zoo345.com/192879/rpm/lifetime.html (Administrator of network hosting website referenced in spam)
To: postmaster#chinanet.cn.net@devnull.spamcop.net (Notes)
To: anti-spam@chinanet.cn.net (Notes)
To: renbin@mail.he.cn (Notes)
To: ct-abuse@abuse.sprint.net (Notes)

Then I opened the tracking link in a new browser window to see what I would see, and noticed that the reporting addresses for the second link were different:

Re: http://www.zoo345.com/192879/rpm/lifetime.html (Administrator of network hosting website referenced in spam)
To: cfc_dcy@sina.com (Notes)

After a few minutes, I again opened the tracking link in a new browser window, and the reporting addresses were again different:

Re: http://www.aurilavepoppetleggumdigging.com/emms...
(Administrator of network hosting website referenced in spam)
To: cfc_dcy@sina.com (Notes)
Re: http://www.zoo345.com/192879/rpm/lifetime.html (Administrator of network hosting website referenced in spam)
To: abuse@cnc-noc.net (Notes)
To: postmaster#cnc-noc.net@devnull.spamcop.net (Notes)

I wonder what's going on. It seems a bit odd that the reporting addresses would change from one minute to the next.

Phil

"Mike Easter" wrote in message news:cv5hip$51l$1@news.spamcop.net...
> Posted to .help & .spam, f/ups to .help.
>
> Discussions in spamcop.help or spamcop -- no discussions in
> spamcop.spam.
>
> Phil Calvert wrote:
> > I've seen a number of emails recently that SpamCop fails to parse.
> > The links are there, but SpamCop reports "no links found." Here is
> > an example of one such email:
>
> Pasting something in .spam to discuss how SC parses it causes a number
> of problems which are caused by your newsreader's posting of the spam
> into the message body to introduce linewraps which interfere with the
> ability of the parser to parse the item, so spam posting in spamcop.spam
> is a very very poor substitute for posting the tracker of the item which
> you originally submitted to the parser. That tracker way we can see the
> same parse result which you saw. See my tracker below.
>
> When I 'work with' the item you 'bent' by posting it into .spam, I have
> to remove improper linewraps. If improper linewraps were present in the
> original and that was what caused the problem, those improper linewraps
> get removed by me just like the 'improper' line wraps which you
> introduced when you posted it into .spam.
>
> Bottom line: if you want to talk about how spamcop parsed a spam, don't
> post it in .spam the way we used to. Instead, feed it to the parser and
> copy the tracking url and paste that into any group you like,
> spamcop.help or spamcop.
There is no longer any need for the usage of
> spamcop.spam now that the tracker contains all of the original spam item
> in addition to the parsing tracker.
>
> Here is the tracker for your spam indicating that what I repaired from
> your post and submitted to the parser was able to show the links.
>
> www.spamcop.net/sc?id=z733979065z4eb151f727c5224c9d4efd081856f618z
> Report Spam to:
> Re: 211.58.111.157 (Administrator of network where email originates)
> To: nospam#hanaro.com@devnull.spamcop.net (Notes)
> To: abuse@hanaro.com (Notes)
> Re: http://www.aurilavepoppetleggumdigging.com/emms... (Administrator of
> network hosting website referenced in spam)
> To: postmaster#chinanet.cn.net@devnull.spamcop.net (Notes)
> To: anti-spam@chinanet.cn.net (Notes)
> To: ct-abuse@abuse.sprint.net (Notes)
> Re: http://www.zoo345.com/192879/rpm/lifetime.html (Administrator of
> network hosting website referenced in spam)
> To: postmaster@chinatietong.com (Notes)
> To: crnet_mgr@chinatietong.com (Notes)
> To: crnet_tec@chinatietong.com (Notes)
>
>
>
> --
> Mike Easter
> kibitzer, not SC admin
>

From REMOVEnntp at rogers.com Sat Feb 19 03:08:49 2005
From: REMOVEnntp at rogers.com (Lucas Tam)
Date: Fri Feb 18 22:10:06 2005
Subject: [SC-Help] Re: Made a Mistake Reporting my own Mail Host!
References:
Message-ID:

"Mike Easter" wrote in news:cv4ohg$iv9$1 @news.spamcop.net:
> Good. It was probably no harm done. Be more careful in the future.

I just transferred my e-mail hosting to a new provider but I forgot to update my Mailhosts... and it was causing a problem with the spam parser.

Good way of making a first impression with a new host huh : )

P.S. Webmail.us seems so far to be a great e-mail host... in case anyone is looking for e-mail hosting.

-- 
Lucas Tam (REMOVEnntp@rogers.com)
Please delete "REMOVE" from the e-mail address when replying.
http://members.ebay.com/aboutme/coolspot18/

From anon-e-moose at yahoo.com Sat Feb 19 03:09:44 2005
From: anon-e-moose at yahoo.com (Anon-E-Moose)
Date: Fri Feb 18 22:10:32 2005
Subject: [SC-Help] Re: How do I treat this?
References:
Message-ID:

Peter Stoddard wrote in news:mailman.89.1108777974.4572.spamcop-help@news.spamcop.net:
> From: abuse@cta.cq.cn
> To: 1363518056@reports.spamcop.net
>
> We have already informed police to assist our resolve it.

Chinese police... maybe the spammer will be caught and shot!!! ; )

From nobody at spamcop.net Fri Feb 18 22:35:48 2005
From: nobody at spamcop.net (Miss Betsy)
Date: Fri Feb 18 22:35:03 2005
Subject: [SC-Help] Re: How do I treat this?
References:
Message-ID:

"Peter Stoddard" wrote in message news:mailman.89.1108777974.4572.spamcop-help@news.spamcop.net...

Hi folks

I have been reporting spam using the web. I have been receiving the following from this guy from cta.cq.net. Should I stop reporting spam for a little while, or should I keep on reporting it? It isn't very frequent ... maybe one or two a week. If I do stop for awhile, do I stop reporting any .cn, or any cq.cn, or what?

Don't stop reporting it. If they are serious, you won't get any more. If they are not, then you will still get it. Spamcop will not list reports that are sent after the fact (IOW, if they stopped sending spam, but you didn't check your email and sent a report on something that had been sent before they stopped.)

Miss Betsy

From MikeE at ster.invalid Fri Feb 18 20:24:48 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Feb 18 23:25:05 2005
Subject: [SC-Help] Re: Emails SpamCop can't parse
References:
Message-ID:

Phil Calvert wrote:
> What's interesting is that I just ran the original email through
> SpamCop and it parsed it successfully this time. So something has
> changed. Apparently someone was able to figure out what was tripping
> up SpamCop, fortunately.
Getting a parse one time [or on reparse] and not another [or on first parse] is not unusual. I forgot to mention that most of 'us' 'reparse' an item which fails to body parse properly the first time. My strategy is to attempt a reparse, and then if it fails the second time, to examine the header to see if there's something wrong in there interfering with a successful parse.

> I just noticed something kind of strange, though. The reporting
> addresses for the links keep changing. The reporting addresses I am
> getting are different than the ones you posted.

That happens if the resolution of the domainname changes. Sometimes there is 'tricky' nameservice going on.

> When I ran the original email through SpamCop just now, here are the
> reporting addresses I got for the links that were found:
> Then I opened the tracking link in a new browser window to see what I
> would see, and noticed that the reporting addresses for the second
> link were different:
> After a few minutes, I again opened the tracking link in a new browser
> window, and the reporting addresses were again different:
> I wonder what's going on. It seems a bit odd that the reporting
> addresses would change from one minute to the next.

What is stored in the tracker is the spam. When you access the tracker, the parser reparses. If something has changed, like the DNS for the domainname, then the lookup on the reporting addresses for the IP changes from what it was

-- 
Mike Easter
kibitzer, not SC admin

From buzzard554 at fastmail.co.uk Sat Feb 19 08:53:50 2005
From: buzzard554 at fastmail.co.uk (Martin Edwards)
Date: Sat Feb 19 03:50:26 2005
Subject: [SC-Help] Re: How it works?
In-Reply-To:
References:
Message-ID:

Mike Easter wrote:
>
> How can I tell the difference between a duplicitous troll who is asking
> potentially annoying questions and looking for billygoats to respond,
> and/from a genuine clueless newbie who hasn't bothered to read the faq
> before asking silly irrelevant questions.
>
If this is Viper from alt.irc you may be onto something.

From pcalvert at r0cketmail.c0m Sat Feb 19 13:49:38 2005
From: pcalvert at r0cketmail.c0m (Phil Calvert)
Date: Sat Feb 19 13:50:09 2005
Subject: [SC-Help] SpamCop leaking addresses
Message-ID:

I noticed that SpamCop sometimes doesn't obscure email addresses even though it is configured to do so. Below is a tracking link for a spam analysis which shows this behavior. Even though the email addresses have already been compromised (they're already on spammers' lists), I munged the domain information before parsing the email.

http://www.spamcop.net/sc?id=z734341326z5c732e4b3425ccaa5a5a79d3ffd7fa71z

Phil

From MikeE at ster.invalid Sat Feb 19 11:26:17 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sat Feb 19 14:30:04 2005
Subject: [SC-Help] Re: SpamCop leaking addresses
References:
Message-ID:

Phil Calvert wrote:
> I noticed that SpamCop sometimes doesn't obscure email addresses even
> though it is configured to do so. Below is a tracking link for a
> spam analysis which shows this behavior. Even though the email
> addresses have already been compromised (they're already on spammers'
> lists), I munged the domain information before parsing the email.
> www.spamcop.net/sc?id=z734341326z5c732e4b3425ccaa5a5a79d3ffd7fa71z

There is a concept here which is worth considering. I don't have the answers to all of the questions which can be spun off from the concept, but the concept is important to keep in mind.

The subject is mungeing by a notifier to an abuse desk.
- no mungeing manually emailed from the spammed address
- spamcop notification with no SC mungeing
- SC notification with standard SC mungeing
- SC notify with minor additional pre-parse mungeing
- SC notify with major additional pre-parse mungeing, ie 'ubermungeing'
- mole reporting

The problem is in distinguishing between classes 4 & 5 and also with the fact that unique identification can be contained 'invisibly' and not successfully munged with the most intense ubermungeing.

The problem is also what is permissible and what is not. Somewhere about the level of 4 to 5 is where the permissibility ends and the reporter should shift to mole reporting.

A clever spammer who wants to identify the recipient of a reported spam will 'expose' some obvious identification and conceal the secret identification.

Header mungeing up there in the Received tracelines from and by fields is pretty much ubermungeing.

-- 
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Sat Feb 19 16:33:18 2005
From: nobody at devnull.spamcop.net (nobody)
Date: Sat Feb 19 16:35:05 2005
Subject: [SC-Help] Re: SpamCop leaking addresses
References:
Message-ID:

"Mike Easter" wrote in message news:cv83sv$ko0$1@news.spamcop.net...
> Phil Calvert wrote:
>> I noticed that SpamCop sometimes doesn't obscure email addresses even
>> though it is configured to do so. Below is a tracking link for a
>> spam analysis which shows this behavior. Even though the email
>> addresses have already been compromised (they're already on spammers'
>> lists), I munged the domain information before parsing the email.
>>
> www.spamcop.net/sc?id=z734341326z5c732e4b3425ccaa5a5a79d3ffd7fa71z
> Header mungeing up there in the Received tracelines from and by fields
> is pretty much ubermungeing.

I agree that munging the Received lines is overkill. I think Phil did it for this example because some of the cc: recipients are exposed.
He wanted to hide the domain so that nobody could put the exposed user names and domains from the Received lines together to get the complete email addresses.

As for the problem of To: and Cc: addresses in any but the first line being revealed, this was discussed in the web forums earlier today. One of the admins there said that this should be fixed and that he has already informed the deputies.

From MikeE at ster.invalid Sat Feb 19 13:58:08 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sat Feb 19 17:00:02 2005
Subject: [SC-Help] Re: SpamCop leaking addresses
References:
Message-ID:

nobody wrote:
> I agree that munging the Received lines is overkill. I think Phil did
> it for this example because some of the cc: recipients are exposed.

'Extra' mungeing not described in the faq isn't going to be blessed by anyone in charge, but personally I don't see anything wrong with throwing out the whole CC: section -- but that's just my opinion.

If I were the mungeing meister I would bless that before I would bless mucking with the from and by field tracelines preparse.

-- 
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Sat Feb 19 17:05:35 2005
From: nobody at devnull.spamcop.net (nobody)
Date: Sat Feb 19 17:10:03 2005
Subject: [SC-Help] Re: SpamCop leaking addresses
References:
Message-ID:

"Mike Easter" wrote in message news:cv8cpo$qh1$1@news.spamcop.net...
> nobody wrote:
>> I agree that munging the Received lines is overkill. I think Phil did
>> it for this example because some of the cc: recipients are exposed.
>
> 'Extra' mungeing not described in the faq isn't going to be blessed by
> anyone in charge,

Phil did not do anything wrong, because he cancelled the report. If he had sent it out with the Received: lines munged like this, that would have been bad.

> but personally I don't see anything wrong with
> throwing out the whole CC: section -- but that's just my opinion.

This is normally supposed to happen automatically.
It should read Cc: ,,,, but due to an unfortunate bug in the reporting system, this is only done in the first line of the To: and Cc: lines. The rest is left exposed.

From nobody at devnull.spamcop.net Sat Feb 19 17:31:48 2005
From: nobody at devnull.spamcop.net (nobody)
Date: Sat Feb 19 17:35:05 2005
Subject: [SC-Help] Re: SpamCop leaking addresses
References:
Message-ID:

> Even though the email addresses have already
> been compromised (they're already on spammers' lists), I munged the domain
> information before parsing the email.

Unnecessary. We all know that MUNGED.c0m is really ncsu.edu.

From viper at venomx.com Sat Feb 19 18:51:43 2005
From: viper at venomx.com (Viper)
Date: Sat Feb 19 18:55:06 2005
Subject: [SC-Help] Re: How it works?
References:
Message-ID:

Martin Edwards wrote:
> Mike Easter wrote:
>>
>> How can I tell the difference between a duplicitous troll who is
>> asking potentially annoying questions and looking for billygoats to
>> respond, and/from a genuine clueless newbie who hasn't bothered to
>> read the faq before asking silly irrelevant questions.
>>
> If this is Viper from alt.irc you may be onto something.

If this is Martin Edwards from alt.irc then he supports usenet spam and abuse. Ignore or killfile asap!

From MikeE at ster.invalid Sat Feb 19 16:02:41 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sat Feb 19 19:05:03 2005
Subject: [SC-Help] Re: How it works?
References:
Message-ID:

Viper wrote:
> Martin Edwards wrote:
>> Mike Easter wrote:
>>>
>>> How can I tell the difference between a duplicitous troll who is
>>> asking potentially annoying questions and looking for billygoats to
>>> respond, and/from a genuine clueless newbie who hasn't bothered to
>>> read the faq before asking silly irrelevant questions.
>>>
>> If this is Viper from alt.irc you may be onto something.
>
> If this is Martin Edwards from alt.irc then he supports usenet spam
> and abuse. Ignore or killfile asap!
This reminds me of the time years and years ago when I went into a bar with a sociopathic friend of mine, who then proceeded to pick a fight with a guy on the other side of me. Yep, you got it. My 'friend' - me - and the big tough guy in the red shirt and red pants with an empty shoulder holster. This is Texas, you see.

You can imagine, "Hey, Red Rider! Where's your gun?"

Fortunately when Red Rider threw his first unexpected punch across me and knocking my witty buddy completely off his barstool I didn't even spill my drink.

This time I was guilty of bringing up the troll subject in the first place without good basis. That time I was guilty of going anywhere with that crazy 'pal'.

-- 
Mike Easter
kibitzer, not SC admin

From post.replies at invalid.address Sun Feb 20 01:14:10 2005
From: post.replies at invalid.address (DougW)
Date: Sun Feb 20 02:15:09 2005
Subject: [SC-Help] parsing error.
Message-ID:

Been getting a load of spam usually containing your typical metric assload of bogus links. Problem is the actual link contains unprintable characters that break the spamcop parsing routine.

Hard to duplicate but if you got one, easy to recognize.

Message-ID:

DougW wrote:
> Been getting a load of spam usually containing your
> typical metric assload of bogus links. Problem is
> the actual link contains unprintable characters that
> break the spamcop parsing routine.

I only looked at this one

> http://members.cox.net/wilsond/temp/050220-004511-43.txt

www.spamcop.net/sc?id=z734608785zcd0723bf93f9e3376dd14e70edac276cz

SC found the broken link; but it removed the distortion and the spaces to resolve

Tracking link: http://uckpstiw.s mallr x.c om/a/fc209118zf/eofd/
No recent reports, no history available
Resolves to 219.153.0.147

The effect is that the graphic makes the display of the pharm promotion, and anywhere on the graphic you click will result in the link which SC found.
http://uckpstiw.smallrx.com/a/fc209118zf/eofd/ which is a spamhaus spews etc blocklisted

-- 
Mike Easter
kibitzer, not SC admin

From not at home.today Sun Feb 20 14:28:41 2005
From: not at home.today (Ant)
Date: Sun Feb 20 09:30:03 2005
Subject: [SC-Help] Re: parsing error.
References:
Message-ID:

"Mike Easter" wrote:
> DougW wrote:
[snip]
>> http://members.cox.net/wilsond/temp/050220-004511-43.txt
>
> www.spamcop.net/sc?id=z734608785zcd0723bf93f9e3376dd14e70edac276cz
>
> SC found the broken link; but it removed the distortion and the spaces
> to resolve
>
> Tracking link: http://uckpstiw.s mallr x.c om/a/fc209118zf/eofd/
> No recent reports, no history available
> Resolves to 219.153.0.147

Interesting that before the parser resolved the link, it said this...

| Resolving link obfuscation
| http://uckpstiw.s mallr x.c om/a/fc209118zf/eofd/
| host uckpstiw.s (checking ip) ip not found ; uckpstiw.s discarded as fake.

...but didn't actually discard it.

The spaces were single carriage-returns, whereas normally the end-of-line indicator is a carriage-return/line-feed pair. Single CRs (0x0D) are used as EOL markers in Apple Mac text; Single LFs (0x0A) are used in text created on unix-like systems. The bulk of the spam used the usual (for MS and other) CR/LF (0x0D0A) pair.

From peter at stoddard.name Sun Feb 20 11:19:35 2005
From: peter at stoddard.name (Peter Stoddard)
Date: Sun Feb 20 14:19:49 2005
Subject: [SC-Help] Mailhost configuration - problems
Message-ID:

I have a Spamcop email address and am wondering about their Mailhost configuration initiative. I forward mail to Spamcop from other mailhosts. The project makes sense, but when I tried to configure my spamcop email address, I got this error

---------------------snip---------------------
Sorry, SpamCop has encountered errors:
Source IP not found. Your email host does not appear to correctly identify the sending IP of the email you receive.
If you feel this is in error, please try again or seek help in the SpamCop help forum: http://www.spamcop.net/help.shtml -----------------------snip-------------------- The source IP was Spamcop! Here is the long header of the message Spamcop sent to me: ---------------------snip------------------- Subject: SpamCop account configuration email Date: February 20, 2005 10:03:28 AM PST From: mhconf.e5hQLULryJJwdPN0@cmds.spamcop.net To: pstoddard61@spamcop.net Return-Path: Delivered-To: spamcop-net-pstoddard61@spamcop.net Received: (qmail 4135 invoked from network); 20 Feb 2005 18:03:28 -0000 Received: from unknown (192.168.1.101) by blade1.cesmail.net with QMQP; 20 Feb 2005 18:03:28 -0000 Received: from sc-app4.spamcop.net (HELO spamcop.net) (64.74.133.245) by mailgate.cesmail.net with SMTP; 20 Feb 2005 18:03:28 -0000 Received: from [68.164.93.154] by spamcop.net with HTTP; Sun, 20 Feb 2005 18:03:28 GMT X-Spamcop-Conf: e5hQLULryJJwdPN0 Precedence: list Message-Id: X-Mailer: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0 via http://www.spamcop.net/ v1.410 X-Spam-Checker-Version: SpamAssassin 3.0.0 (2004-09-13) on blade1 X-Spam-Level: ** X-Spam-Status: hits=2.7 tests=FORGED_MUA_MOZILLA,FROM_HAS_MIXED_NUMS version=3.0.0 X-Spamcop-Checked: 192.168.1.101 64.74.133.245 68.164.93.154 -------------------------------snip--------------------------- They appear to be sending me to this forum to get help. Any comments/advice? Peter Stoddard - Sacramento - California 916-501-4078 From nobody at devnull.spamcop.net Sun Feb 20 14:43:37 2005 From: nobody at devnull.spamcop.net (nobody) Date: Sun Feb 20 14:45:05 2005 Subject: [SC-Help] Re: Mailhost configuration - problems References: Message-ID: "Peter Stoddard" wrote in message news:mailman.90.1108927182.4572.spamcop-help@news.spamcop.net... > They appear to be sending me to this forum to get help. Any > comments/advice? 
> I think they mean this forum: http://forum.spamcop.net/forums/index.php?showforum=7 From peter at stoddard.name Sun Feb 20 15:12:22 2005 From: peter at stoddard.name (Peter Stoddard) Date: Sun Feb 20 18:14:18 2005 Subject: [SC-Help] Re: Mailhost configuration - problems In-Reply-To: References: Message-ID: <98a426d622ebd29d5148803eb1a0a4c7@stoddard.name> On Feb 20, 2005, at 11:43 AM, nobody wrote: > > "Peter Stoddard" wrote in message > news:mailman.90.1108927182.4572.spamcop-help@news.spamcop.net... > >> They appear to be sending me to this forum to get help. Any >> comments/advice? >> > > I think they mean this forum: > http://forum.spamcop.net/forums/index.php?showforum=7 OK, thanks. From usenet2004 at fishter.org.uk Mon Feb 21 18:44:21 2005 From: usenet2004 at fishter.org.uk (Fishter) Date: Mon Feb 21 13:45:08 2005 Subject: [SC-Help] hotmail address not parsed Message-ID: <9zo79t5glt2g.dlg@fishter.org.uk> Is there any reason why the above spam doesn't trigger any emails to hotmail.com when that address is mentioned twice in the body? Cheers -- Fishter http://www.fishter.org.uk/ May I ask, who or what are you channelling? From MikeE at ster.invalid Mon Feb 21 11:27:08 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon Feb 21 14:30:06 2005 Subject: [SC-Help] Re: hotmail address not parsed References: <9zo79t5glt2g.dlg@fishter.org.uk> Message-ID: Fishter wrote: www.spamcop.net/sc?id=z735057850zc689251947a71e1d447279e364c4250dz> <419 - payload at hotmail account> > Is there any reason why the above spam doesn't trigger any emails to > hotmail.com when that address is mentioned twice in the body? The SC parser reporter doesn't notify about email address payloads. If you are a paid reporter you can add the hotmail abuse notify to the SC report. If you are a free reporter, you can manually notify hotmail abuse. SC will provide you the recommended notify address, sorta. It sez you could use abuse@microsoft.com if you weren't submitting via SC. 
MS/hotmail are very unpredictable about their responsiveness at the various abuse addresses, so I always use at least two. In this case the abuse.net reg'd for the domainname is abuse@hotmail.com -- whereas the RIR lookup on the IP for the domainname is abuse@microsoft.com Interestingly, the trailer on the 419 appears to be radaruol.com.br and the relay which it came thru' is 200.221.11.147 rDNS zipmail.com.br all of which live in inetnum: 200.221.0/18 aut-num: AS15201 abuse-c: SEO50 = @uol.com.br owner: Universo Online S.A whois -h whois.abuse.net uol.com.br ... abuse@uol.com.br denuncia@uol.com.br (for uol.com.br) .. who doesn't want to hear about their subscribers spamming. and they are spamhaus listed. They are AS15201 and their upstreams are Upstream Adjacent AS list AS10429 Telefonica Empresas SA = security@telesp.net.br AS7738 Telecomunicacoes da Bahia S.A.= whois -h whois.abuse.net telemar.net.br ... antispambr@abuse.net postmaster@telemar.net.br abuse@telemar.net.br admin@telemar.net.br mail-abuse@nic.br (for telemar.net.br) AS5511 OPENTRANSIT France Telecom= whois -h whois.abuse.net opentransit.net ... noc@opentransit.net abuse@opentransit.net postmaster@opentransit.net (for opentransit.net) AS8167 TELESC - Telecomunicacoes de Santa Catarina SA = abuse@NOC.BRASILTELECOM.NET.BR So, if you are a free reporter, as long as you are going to go to the trouble of making up a template for the additional notifies, you can also notify the upstreams for the unresponsive mail provider. -- Mike Easter kibitzer, not SC admin From pawalls at _no_spam_gleim.com Mon Feb 21 14:40:58 2005 From: pawalls at _no_spam_gleim.com (Philip Walls) Date: Mon Feb 21 14:45:03 2005 Subject: [SC-Help] Huge increase in SCBL hits Message-ID: We have a company-wide spam trapping system where I work. As a way to make sure our blacklisting and spamtrapping is sane, I keep logs of how many emails were rejected from blacklists, and which blacklist they were rejected from. 
This weekend I noticed a very large increase in rejects coming from spamcop.net, and I was just curious what might have caused such a gigantic change. My figures show a total change (all of our RBLs) from 11,000 to 23,000!! And for spamcop.net alone: This past Thursday: 4774 This past Sunday: 9638 The amount rejected has been steadily increasing since Thursday. If anyone has any information relating to this, or if anyone has experienced similar changes, I'd be interested to hear from you. From nobody at spamcop.net Mon Feb 21 21:40:39 2005 From: nobody at spamcop.net (waldo kitty) Date: Mon Feb 21 16:45:05 2005 Subject: [SC-Help] Re: Spamcop couldn't find the links References: Message-ID: "Mike Easter" wrote in news:cvdjdd$t5j$1@news.spamcop.net: > waldo kitty wrote: >> what about those spams that we submit to the parser that the parser >> has problems with that we may not want to submit? can't just anyone >> viewing that parse go ahead and hit the submit button and possibly >> get us in trouble or something?? > > No. You paste into the parser, copy the tracker, and cancel the > report. That tracker url doesn't lead to what I call a 'live' > tracker. If you fail to cancel, you are correct; the tracker is > live and can be reported by anyone who accesses it. No good. right... i was thinking that if one canceled the report, that the parse was also lost... i guess that's another change that took place in this time of my absence from the spamcop areas... >> the reason i ask is because i have one that the parser doesn't find >> the link in because they are deliberately broken apart and the one >> link is spread across three line... the thunderbird doesn't have a >> problem with this but it effectively breaks the parse... > > We are discussing something in .spam which we should be discussing in > spamcop or .help. > ok, i've followed up to spamcop.help... >> ie: >> >> > ALT=""> > > We recently discussed a 'folded' item in .help recently. 
ok, i'll see what i can find in that thread... > Thread starts here > > From: "DougW" > Newsgroups: spamcop.help > Subject: parsing error. > Date: Sun, 20 Feb 2005 01:14:10 -0600 > Message-ID: > > and Doug showed these: > http://members.cox.net/wilsond/temp/050220-004511-43.txt > http://members.cox.net/wilsond/temp/050220-004515-45.txt > >> yes, i know... no discussion in .spam... email me if you like... the >> address is in the sig... otherwise, ii may possibly wade thru the >> groups but i really don't have time to wade thru some 4000+ messages >> for this :( >> >> my main goal in posting this problem is to help fix this problem in >> the parser and help spamcop.net catch more bad guys... > > In one example of the one Doug posted, when I submitted it to the > parser, it IDd the link's IP. > www.spamcop.net/sc?id=z734608785zcd0723bf93f9e3376dd14e70edac276cz in the report that i went ahead and filed, it says... ===== quote ===== Resolving link obfuscation http://oeudado.beatr xbi llz.n et/a/df209118va/tads/ host oeudado.beatr (checking ip) ip not found ; oeudado.beatr discarded as fake. Tracking link: http://oeudado.beatr xbi llz.n et/a/df209118va/tads/ No recent reports, no history available Resolves to 219.153.0.147 ===== end quote ===== and then in the reports, it stops at the first space when reporting to the provider that owns that IP number... yes, it is the proper IP for that domain, at this time... i don't quite understand the portion above RE: link obfuscation and i don't understand why the link text wasn't stripped of spaces in the tracking link portion... obviously, some part of the code removed or ignored the spaces... in any case, i added a note to the report what the real URL was since the report also carried the same broken stuff that the deobfuscation stuff shows... minutes after filing the report, i got this message from the ISP of that spamvertised site... 
===== quote ===== We have already disconnect connection for user which sent to waste mail, and settle this problem in three days. If he till send rubbish mail, we do not resume his network connections. ---------------------------------------------- Welcome to the Chongqing Hotline e-mail system http://mail.online.cq.cn ===== end quote ===== of course, i immediately used sam spade to try the url and it appears that it is still operational... if i was a paying member, i guess i'd appeal it or something since the spamvertised site is still in operation... lies, lies and damned lies... here's the link for my report... www.spamcop.net/sc?id=z735085338z4694bef103136cf2b5d3a76c5c968757z -- _\/ (@@) Waldo Kitty, Waldo's Place USA __ooO_( )_Ooo_____________________ telnet://bbs.wpusa.dynip.com _|_____|_____|_____|_____|_____|_____ http://www.wpusa.dynip.com ____|__User_not_Admin_|_____|_____|_____ ftp://ftp.wpusa.dynip.com _|_____|_____|_____|_____|_____|_____|_____ wkitty42 -at- alltel.net From MikeE at ster.invalid Mon Feb 21 13:53:21 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon Feb 21 16:55:04 2005 Subject: [SC-Help] Re: Spamcop couldn't find the links References: Message-ID: waldo kitty wrote: > ===== quote ===== > Resolving link obfuscation > http://oeudado.beatr xbi llz.n et/a/df209118va/tads/ > host oeudado.beatr (checking ip) ip not found ; oeudado.beatr > discarded as fake. > > Tracking link: http://oeudado.beatr xbi llz.n et/a/df209118va/tads/ > No recent reports, no history available > Resolves to 219.153.0.147 > ===== end quote ===== > > and then in the reports, it stops at the first space when reporting to > the provider that owns that IP number... yes, it is the proper IP for > that domain, at this time... Yes. Strange SC behavior 'discarded as fake' followed by 'resolves to' > minutes after filing the report, i got this message from the ISP of > that spamvertised site... 
> > ===== quote ===== > We have already disconnect connection for user Someone else got one of those -- they are being interpreted as 'baloney autoacks' > appeal it or something since the spamvertised site is still in > operation... lies, lies and damned lies... Yep. I don't actually think paying members often get much out of their 'appeals' > here's the link for my report... > > www.spamcop.net/sc?id=z735085338z4694bef103136cf2b5d3a76c5c968757z Much better for looking at the item. I think that one works the same as the one of Doug's I saved as an .eml and looked at. -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Mon Feb 21 19:20:33 2005 From: nobody at spamcop.net (Miss Betsy) Date: Mon Feb 21 19:20:05 2005 Subject: [SC-Help] Blocked? Read this Message-ID: Why Am I Blocked? Probable Causes If your email has suddenly been blocked by the SpamCop blocklist, it is probably because you share an IP address with other email users and there is someone who: * is using auto-responses that are replying to spam with forged spamtrap email addresses (such as Out-of-Office/Vacation notices, virus notifications, and 'created email' bounces); * has a computer with a virus that sends spam without the owner's knowledge; * has a computer that has been compromised and spammers are remotely controlling it to transmit their spew; * is sending unsolicited emails and your internet service provider is allowing it; * or because, as in all systems, there may have been a mistake. (very rare) The SpamCop BL listing will expire automatically within a specific period of time based primarily on when the last spam came from that IP address. http://www.spamcop.net/fom-serve/cache/297.html for more information on the SpamCop BL listing. For people who are operating servers: (followed by FAQ for people who do not operate servers; if you don’t operate a server, scroll down until you find it.) 
Am I really listed in the SpamCop Blocklist?: You can check the status of any server by entering its address at http://www.spamcop.net/bl.shtml The reason an IP address is listed can also be obtained from that page. If the blocklist only lists spamtraps, then the likely culprits are auto-responders or misdirected bounces (that is, bounce emails sent after acceptance of the email instead of being rejected by the server during the SMTP phase, which would include emails such as "no such user", "non-existent mailbox", and/or "quota exceeded"). If the blocklist only lists reports, you have a spammer at work. If the blocklist lists spam traps and reports, * You have your firewall configured to allow a compromised machine on your network to spew to the world (you do have a firewall in place, don't you?) * the SMTP/Auth exploit of an Exchange server is in progress, see these links: http://news.spamcop.net/cgi-bin/fom?file=372 http://www.winnetmag.com/article/articleid/40507/40507.html http://www.winnetmag.com/article/articleid/42406/42406.html How To Block Open SMTP Relaying and Clean Up Exchange Server SMTP Queues To prevent SMTP relaying with Microsoft Exchange Server see http://support.microsoft.com/default.aspx?scid=KB;EN-US;324958#4 # (NOTE: While commonly seen on Exchange servers, this condition is possible on all platforms) * Your PHP mailer program has been taken over by criminals. (You did not know that your PHP bulletin board had a very vulnerable mailer program on it? You did not know that you had PHP installed and running?) Please also see: * How can I get removed from SpamCop's blocking system? http://www.spamcop.net/fom-serve/cache/76.html * John's explanation at John's revised post, for Why Am I Blocked FAQ http://forum.spamcop.net/forums/index.php?showtopic=673 * Merlyn's explanation at FAQ Entry: Why is my email blocked? http://forum.spamcop.net/forums/index.php?showtopic=35 Post the IP address that is blocked in the Spamcop web forum or newsgroup. 
There are many knowledgeable people in the SpamCop groups who will help you figure out why and offer solutions. If you need to know what triggered the report from a spamtrap, email deputies spamcop.net. Only they can see. However, a post will generally get you faster replies and more specific help on what is the problem. The rest of this FAQ is for people who do not run servers. For people whose email was returned Q: What does SpamCop do with my email? A: Nothing The Internet Service Provider (ISP) of the person, or business, you are sending email "To" is blocking email from your ISP's computers (servers), using a list provided by SpamCop. Your email doesn't pass through SpamCop's mail servers and SpamCop has no way of blocking or bouncing your email. In addition, the SpamCop email service uses the blocklist to "tag" incoming mail so that suspected spam is placed in a particular folder and that is the way the blocklist is intended to be used. Q: What is a blocklist? A: A blocklist helps ISP’s to prevent spam coming to their customers. An ISP can use a blocklist (a list of IP addresses),to block (bounce back) all email coming from a particular IP address. The blocking is based not on your email address (which looks like username@example.com), but on the IP address (which looks like 198.162.250.196). This IP address is assigned to the mail server you use, which is probably run by your ISP. You may share this same server with hundreds or thousands of other customers. If one of the other customers is sending spam through that shared mail server, it will cause the IP address of that mail server to be put on the blocklist. And when you send email through that server, ISP’s who use blocklists to avoid receiving spam, will also block your email. SpamCop is one of many blocklists. DNS Blackhole Lists (DNSBLs) is a link to page that lists and categorizes a number of blocklists. 
Trying to describe the difference between spamcop & other lists (particularly the time it takes to get off the list) and how SpamCop can be an early warning system for ISP's is a bit difficult, as each is different in concept, targets, results ranges, and oversight. If more specific data is desired on other DNSBLs, please visit that listing site. Q: What is SpamCop? A: Unique, automated blocklist and spam filtering SpamCop has a program that will find the correct address to send a complaint because the email address you see that says who it is from is often forged by spammers. SpamCop finds the correct IP address and forwards complaints for its members. If a lot of reports are made, the IP address goes on the SpamCop blocklist that is used by many ISP’s. for more detailed information on how Spamcop works see: http://www.spamcop.net/fom-serve/cache/3.html Q: How do ISP’s use SpamCop A: As 1) a warning that spammers have slipped by their defenses and 2) to block spam. * Responsible ISP's welcome SpamCop reports and will remove spammers quickly from their systems. *When they block emails, they send a message that looks like this: 451 Blocked - see http://www.spamcop.net/bl.shtml?xxxx.xxxx.xxxx.xxxx: or email from xxx.com blocked,refused by Spamcop,see http://www.spamcop.net Q: Why me? A: It Happens to the best of us It is annoying to have your email blocked. It is also annoying to have a backhoe interrupt email service. However, until the blocking problem is resolved, you can email people through a web based email service (the most familiar web based email services are hotmail and yahoo). After you have taken care of the immediate problem of being able to communicate with someone by email, the next step is to see what can be done so this inconvenience does not happen to you again. The one thing you do not want to do is to complain to those correspondents who are using an email service that uses the SpamCop blocklist. They probably really like the reduction in spam! 
You have the responsibility to see that your ISP provides you with reliable email service. See this link for a longer explanation of costs http://forum.spamcop.net/forums/index.php?showtopic=660 Q: Who do I contact to correct this problem? A: Your ISP (email service provider) first Usually the ISP with the blocked IP address has also been notified with the evidence of spam reports. Your ISP may have already acted on the Spamcop report they have received by the time you call. It may just have been a mistake on their part or, possibly, the reporter's part. Reporters can be fined or banned for mistakes. As soon as your ISP stops the spam from being sent, or uses the procedures at SpamCop to point out the reporter's mistake, the IP address is taken off the blocklist (usually within 48 hours for spam; immediately for reporter error). It may be that your call is the first time your ISP has heard that SpamCop has listed your IP address. Listings are made, in addition to member reporting, automatically from spamtraps (an eMail address that is not used, nor published anywhere, so only gets eMail if someone is sending spam!). Your ISP can find out about SpamCop at http://www.spamcop.net/fom-serve/cache/76.html if they don’t already know about SpamCop. SpamCop deputies have access to the full evidence for a listing. Deputies can delist IP addresses which are listed in error. Q: My ISP says it’s not their fault. A: People in this forum will help with information to give your ISP You will need to know your IP address for people to understand what has happened (it should be in the message you received telling you your mail was blocked). It is also helpful to know the reasons why it was blocked. (To do this, go to http://www.spamcop.net/bl.shtml . Make a note of the reason for the listing. 
For example "Been reported as a source of spam about 30 times" "Been detected sending mail to spam traps" as this is important) There are many people who will explain to you what has happened and what you can do. If you are interested in finding out more about blocklists and exactly why your email was blocked, you may post in the web forum http://forum.spamcop.net/forums/index.php?showforum=11 or in the SpamCop NNTP newsgroup news://news.spamcop.net/spamcop.help with the above information. Please remember that this block is not aimed at you personally. There are a limited number of IP addresses on the Internet, so you, and the spammer, may get a different one each time you log-on. Your Internet Service Provider is the only one who can investigate and take action to stop spam from coming from that IP address. In the meantime, the email service at the other end does not have to accept your email until spam has stopped coming from that particular IP address just as postal and package services can refuse certain types of mail and packages. Revised 17 Feb 2005 - Clarification of non-SMTP-reject e-mail generation Revised 2 February 2005 Revised the time period of listing and added comment that there are two sections Miss Betsy Revised 26 Jan 2005 - Wazoo added some of WB8TYW's input - more to come Revised 18 Nov 2004 - Wazoo added DNSBL List URL Revised 16 Nov 2004 - Wazoo - Ouch! newsgroup link fixed! Revised 2 Sep 2004 - Wazoo Revised August 7, 2004 - Miss Betsy, Wazoo, dbiel Edited per Wazoo comments March 6, 2004 rev March 7 rev Mar 8 for format (agsteele) Rev Mar11 with more links Rev Mar 12 with new John link rev 13 listized "Probable Causes" rev 14 consolidated some links Contributors: Michaell, Mike Easter, Wazoo, Greenlady, John, JT, JeffG (Last Revised 26 January 2005) (URL = http://forum.spamcop.net/forums/lofiversion/index.php/t972.html ) From wb8tyw at qsl.network Mon Feb 21 19:19:41 2005 From: wb8tyw at qsl.network (John E. 
Malmberg) Date: Mon Feb 21 19:20:23 2005 Subject: [SC-Help] Re: Huge increase in SCBL hits In-Reply-To: References: Message-ID: Followups set to spamcop Philip Walls wrote: > We have a company-wide spam trapping system where I work. As a way to > make sure our blacklisting and spamtrapping is sane, I keep logs of how > many emails were rejected from blacklists, and which blacklist they were > rejected from. If you can make the stats public on a web page, people are always interested in looking at this. > This weekend I noticed a very large increase in rejects coming from > spamcop.net, and I was just curious what might have caused such a gigantic > change. As near as I can determine from a quick browsing of news.admin-net.abuse.email, it appears a new worm variant got released which creates a bunch of new zombies. At least two new spam runs seem to have suddenly started up. And the non-ascii spam for two spamvertised web sites that seems to easily get by SpamAssassin 2.0 seems to have greatly increased. I am seeing this mostly on what I get from the mail servers that primarily use content filters. > My figures show a total change (all of our RBLs) from 11,000 to 23,000!! > And for spamcop.net alone: > > This past Thursday: 4774 > This past Sunday: 9638 > > The amount rejected has been steadily increasing since Thursday. If anyone > has any information relating to this, or if anyone has experienced similar > changes, I'd be interested to hear from you. The admin dsbl list is showing a dramatic increase in spam. It is minimally filtered, but these spammers are stupid enough to spam it. One of the spammers is having their web sites avoid spamcop.net larts by overloading the parser with links. A manual test of one of those spams shows that the first URL resolves to spamhaus.org listed IP addresses. It appears that anyone using the feature in SpamAssassin 3.0 of looking up the IP addresses of URLs has probably not seen any of this spew. 
-John wb8tyw@qsl.network Personal Opinion Only From wb8tyw at qsl.network Mon Feb 21 19:22:36 2005 From: wb8tyw at qsl.network (John E. Malmberg) Date: Mon Feb 21 19:25:08 2005 Subject: [SC-Help] Re: Blocked? Read this In-Reply-To: References: Message-ID: A link for your references: http://dsbl.org/relay-methods It describes many of the security problems that spammers already scan for and will exploit to send spam. -John wb8tyw@qsl.network Personal Opinion Only From MikeE at ster.invalid Mon Feb 21 16:41:48 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon Feb 21 19:45:05 2005 Subject: [SC-Help] Re: Blocked? Read this References: Message-ID: John E. Malmberg wrote: > A link for your references: > > http://dsbl.org/relay-methods > > It describes many of the security problems that spammers already scan > for and will exploit to send spam. Ooh, that's a good one. That would've been useful for the thread/qx: From: "Jon \(spamtrap\)" Newsgroups: spamcop Subject: Re: Spammers could use Spamcop? Date: Fri, 18 Feb 2005 15:42:08 -0000 Message-ID: Jon (spamtrap) wrote: > Thanks for your reply Norman... >> I am confused. Are you discussing open relays? Or open proxies? > > Err... there's a difference? If you or someone could explain the > difference I'd appreciate it; I thought they were the same thing. -- Mike Easter kibitzer, not SC admin From wb8tyw at qsl.network Tue Feb 22 01:46:23 2005 From: wb8tyw at qsl.network (John E. Malmberg) Date: Tue Feb 22 01:50:03 2005 Subject: [SC-Help] Re: Blocked? Read this In-Reply-To: References: Message-ID: Mike Easter wrote: > > Ooh, that's a good one. That would've been useful for the thread/qx: > > From: "Jon \(spamtrap\)" > Newsgroups: spamcop > Subject: Re: Spammers could use Spamcop? > Date: Fri, 18 Feb 2005 15:42:08 -0000 Well, this is the second time that I posted that link. But I do not know if the first time was before feb 18th, and am currently too lazy to look that up. 
-John wb8tyw@qsl.network Personal Opinion Only From nobody at devnull.spamcop.net Tue Feb 22 01:19:39 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Tue Feb 22 02:20:03 2005 Subject: [SC-Help] Re: Blocked? Read this References: Message-ID: "John E. Malmberg" wrote in message news:cvekfv$gb0$2@news.spamcop.net... > > Well, this is the second time that I posted that link. But I do not > know if the first time was before feb 18th, and am currently too lazy to > look that up. I'll take the heat on this also/again .... was helping a nephew do some engine work ... 3/4" drive torque wrench went from his hands on top of the engine to my face down below .... one loose and two broken molars, a bunch of pills, on and on ... I've been more incoherent than anything else lately ... I recall the last post, still marked as unread here, but yes, I'm way behind in adding data such as this ... again, blame me, not Miss Betsy ... From nobody at devnull.spamcop.net Tue Feb 22 10:01:20 2005 From: nobody at devnull.spamcop.net (Paul Peeraerts) Date: Tue Feb 22 05:25:26 2005 Subject: [SC-Help] Spam from nobody@spamcop.net Message-ID: I've noticed that about 30 % of the spam I receive, has "nobody@spamcop.net" as the "sender". Does this mean, that the spammers do know that we are reporting them but that they tell us in that way that they really don't care if we report them? Just curious. From nobody at spamcop.net Tue Feb 22 05:45:00 2005 From: nobody at spamcop.net (Miss Betsy) Date: Tue Feb 22 05:45:04 2005 Subject: [SC-Help] Re: Spam from nobody@spamcop.net References: Message-ID: "Paul Peeraerts" wrote in message news:ESPR1082E131@esperanto.be... > I've noticed that about 30 % of the spam I receive, has > "nobody@spamcop.net" as the "sender". Does this mean, that the spammers > do know that we are reporting them but that they tell us in that way > that they really don't care if we report them? > > Just curious. 
Spammers scrape addresses from everywhere, including this newsgroup where there are lots of nobodies at spamcop. I guess you could say that they don't care, but I don't think that it is an 'in your face' gesture - simply a fallout of their general inconsiderate practices. Miss Betsy From bar_n0ne at hotmail.com Tue Feb 22 14:44:15 2005 From: bar_n0ne at hotmail.com (Berny) Date: Tue Feb 22 05:45:08 2005 Subject: [SC-Help] Re: Spam from nobody@spamcop.net References: Message-ID: "Paul Peeraerts" wrote in message news:ESPR1082E131@esperanto.be... > I've noticed that about 30 % of the spam I receive, has > "nobody@spamcop.net" as the "sender". Does this mean, that the spammers > do know that we are reporting them but that they tell us in that way > that they really don't care if we report them? > > Just curious. Actually rather weird, I've never seen any, or very, very few like that in the past 5 years. I've seen a couple of fake spamcop messages from something like admin, or whatever, threatening to cut off my mails for spamming, but not for a couple of years at least. BTW, they were all LARTed. You must be some spammer's pet peeve and this is his/her retaliation. or that is a "signature" from some spammer whose millions CD doesn't have my name at least. And no, some of them don't care or they are hoping someone will think SC sent them the spam, and complain about SC. From MikeE at ster.invalid Tue Feb 22 02:58:01 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue Feb 22 06:00:08 2005 Subject: [SC-Help] Re: Spam from nobody@spamcop.net References: Message-ID: Paul Peeraerts wrote: > "nobody@spamcop.net" as the "sender". I think it is just an address. Spam needs a bogus From. That's as good a from as any other. Belated bounces [accepted & From newmailed] of items with that From address used to get some kind of devnull effect as it was a recommended newsgroup From munge. Nowadays the recommended is nobody@devnull.spamcop.net - so things have changed. 
-- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Tue Feb 22 08:21:32 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue Feb 22 11:25:05 2005 Subject: [SC-Help] Re: spamsample - I can't report it because the account is disabled References: Message-ID: aafe wrote: - posted to .help and .spam, followups to .help - the group spamcop.spam isn't for discussing something - for posting a spam, a tracker is better than pasting it in .spam - see tracker and parse/report result below - put your question in the body so there can be a dialog, subject questions don't make dialog This is the tracker to your spam, it is found at the top of a parse www.spamcop.net/sc?id=z735408829zef2a5d8baca320c9f8199608300290dcz This is the result of the parse: Report Spam to: Re: 81.34.176.111 (Administrator of network where email originates) To: nemesys@telefonica.es (Notes) To: postmaster@telefonica.es (Notes) Re: 81.34.176.111 (Third party interested in email source) To: Cyveillance spam collection (Notes) Re: http://www.1enderquotes.com/index2.php?refid=vik (Administrator of network hosting website referenced in spam) To: igor@hostelecom.ru.com (Notes) -- Mike Easter kibitzer, not SC admin From eddie at eddie.web Tue Feb 22 12:19:33 2005 From: eddie at eddie.web (eddie) Date: Tue Feb 22 12:20:03 2005 Subject: [SC-Help] Re: Spam from nobody@spamcop.net References: Message-ID: On Tue, 22 Feb 2005 10:01:20 +0100, Paul Peeraerts scratched out the following: > I've noticed that about 30 % of the spam I receive, has > "nobody@spamcop.net" as the "sender". Does this mean, that the spammers do > know that we are reporting them but that they tell us in that way that > they really don't care if we report them? > > Just curious. You are probably on the BCC list and the nobody@ is simply necessary for the spam to get through the internet. They may also hope that SC misses it because of the SC address. If you don't find your own address in the header, then you were definitely BCC'd. 
BCC names are usually stripped off the recipient's mail to keep the rest of the list hidden. -- Once movie theaters gave out steak knives Today they confiscate them From nobody at devnull.spamcop.net Tue Feb 22 13:06:44 2005 From: nobody at devnull.spamcop.net (nobody) Date: Tue Feb 22 13:10:06 2005 Subject: [SC-Help] Re: Blocked? Read this References: Message-ID: > I'll take the heat on this also/again .... was helping a > nephew do some engine work ... 3/4" drive torque > wrench went from his hands on top of the engine to > my face down below .... one loose and two broken > molars, a bunch of pills, on and on ... I've been more > incoherent than anything else lately ... I recall the > last post, still marked as unread here, but yes, I'm > way behind in adding data such as this ... again, > blame me, not Miss Betsy ... > I hope you will get better soon, Wazoo, so that you can be as helpful as in days past. All the best. From nobody at devnull.spamcop.net Thu Feb 24 10:22:55 2005 From: nobody at devnull.spamcop.net (Paul Peeraerts) Date: Thu Feb 24 05:01:30 2005 Subject: [SC-Help] Re: Spam from nobody@spamcop.net In-Reply-To: References: Message-ID: Miss Betsy skribis je 2005-02-22 11:45: > "Paul Peeraerts" wrote in message > news:ESPR1082E131@esperanto.be... > >>I've noticed that about 30 % of the spam I receive, has >>"nobody@spamcop.net" as the "sender". Does this mean, that the > > spammers > >>do know that we are reporting them but that they tell us in that > > way > >>that they really don't care if we report them? >> >>Just curious. > > > Spammers scrape addresses from everywhere, including this newsgroup > where there are lots of nobodies at spamcop. > > I guess you could say that they don't care, but I don't think that > it is an 'in your face' gesture - simply a fallout of their general > inconsiderate practices. I have a different idea. 
I've changed the sender address with which I report to spamcop a few days ago, and today the first spams arrive with precisely that address as "sender". So I'm sure they can somewhere scan the spam reports. From nobody at devnull.spamcop.net Thu Feb 24 07:58:28 2005 From: nobody at devnull.spamcop.net (Miss Betsy) Date: Thu Feb 24 07:55:06 2005 Subject: [SC-Help] Re: Spam from nobody@spamcop.net References: Message-ID: "Paul Peeraerts" wrote in message news:ESPR10B25C7B@esperanto.be... > Miss Betsy skribis je 2005-02-22 11:45: > > "Paul Peeraerts" wrote in message > > news:ESPR1082E131@esperanto.be... > > I guess you could say that they don't care, but I don't think that > > it is an 'in your face' gesture - simply a fallout of their general > > inconsiderate practices. > > I have a different idea. I've changed the sender address with which I > report to spamcop a few days ago, and today the first spams arrive with > precisely that address as "sender". So I'm sure they can somewhere scan > the spam reports. Oh, yes they scan the spam reports. When my ISP introduced spamassassin, they added an internal hop and that server had a distinctive name. Soon after that was the name in the From line. That's why some people mung the other addresses in the cc line. I still don't think that it is an 'in your face' kind of thing. They have to get new addresses from somewhere. Selling mailing lists is where some spammers get their money. Miss Betsy From bar_n0ne at hotmail.com Thu Feb 24 17:34:45 2005 From: bar_n0ne at hotmail.com (Berny) Date: Thu Feb 24 08:35:08 2005 Subject: [SC-Help] Re: Spam from nobody@spamcop.net References: Message-ID: "Miss Betsy" wrote in message news:cvkiqb$r6n$1@news.spamcop.net... > > "Paul Peeraerts" wrote in message > news:ESPR10B25C7B@esperanto.be... > > Miss Betsy skribis je 2005-02-22 11:45: > > > "Paul Peeraerts" wrote in message > > > news:ESPR1082E131@esperanto.be... 
> > > > I guess you could say that they don't care, but I don't think > that > > > it is an 'in your face' gesture - simply a fallout of their > general > > > inconsiderate practices. > > > > I have a different idea. I've changed the sender address with > which I > > report to spamcop a few days ago, and today the first spams > arrive with > > precisely that address as "sender". So I'm sure they can > somewhere scan > > the spam reports. > > Oh, yes they scan the spam reports. When my ISP introduced > spamassassin, they added an internal hop and that server had a > distinctive name. Soon after that was the name in the From line. > That's why some people mung the other addresses in the cc line. I > still don't think that it is an 'in your face' kind of thing. They > have to get new addresses from somewhere. Selling mailing lists is > where some spammers get their money. > > Miss Betsy > > Yeah, but, where would they get the reporting mail address? I mean, I may receive spam at A @ b . com, but submit them to SC from C @ d . com, the report recipient shouldn't receive any information pointing to C @ d . com, nor to E @ f . com which may be the SC account address. (Where SC's acknowledgements go.) there well may be traces of A @ b . com in the spam for a scanner to find. From nobody at devnull.spamcop.net Thu Feb 24 18:44:44 2005 From: nobody at devnull.spamcop.net (Miss Betsy) Date: Thu Feb 24 18:45:06 2005 Subject: [SC-Help] Re: Spam from nobody@spamcop.net References: Message-ID: > Yeah, but, where would they get the reporting mail address? I mean, I may > receive spam at A @ b . com, but submit them to SC from C @ d . com, the > report recipient shouldn't receive any information pointing to C @ d . com, > nor to E @ f . com which may be the SC account address. (Where SC's > acknowledgements go.) there well may be traces of A @ b . com in the spam > for a scanner to find. The sc mung doesn't get all the addresses. 
Most people think that it is useless to try to conceal addresses from a spammer who wants them. Also, if you are leaving the spamvertised site abuse addresses checked, there are many of them where the reports go directly to the spammer (until somebody in .routing suggests an alternative). Some blackhat source abuse desks also forward reports directly to the spammer. Miss Betsy > From alex at hotmail.com Thu Feb 24 23:21:02 2005 From: alex at hotmail.com (Alex) Date: Thu Feb 24 23:25:04 2005 Subject: [SC-Help] spamcop forwarded e-mail submission error Message-ID: Hi, Some e-mail harvester screwed up a couple e-mail addresses and now we're receiving spam on those incorrect e-mail addresses that is not on spamcop's rbl. I have sendmail configured to automatically forward any e-mails arriving to that botched e-mail address to the submit spamcop e-mail address that I use. However I get an error message: SpamCop encountered errors while saving spam for processing: SpamCop could not find your spam message in this email My concern is I hope our mail server doesn't get accused of sending spam!! Is there a way that I can donate an e-mail address to spamcop or other RBL's that will automatically check for open-relays? From spamcop at davnet.org Fri Feb 25 14:17:30 2005 From: spamcop at davnet.org (Kevin Davidson) Date: Fri Feb 25 14:20:05 2005 Subject: [SC-Help] Spam looks like a bounce Message-ID: I posted a spam over in the spam area under the title "Spam looks like a bounce". I changed my real email name to "me" and my domain to "mydomain". I have an email account, me@acm.org, which forwards to me@mydomain.org. I'm having a hard time understanding what this is and where it came from. It appears at first glance like a bounced message, only I didn't send it. Mainly I'm asking how to read the headers. 
Thanks, Kevin From MikeE at ster.invalid Fri Feb 25 12:59:21 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri Feb 25 16:00:03 2005 Subject: [SC-Help] Re: Spam looks like a bounce References: Message-ID: Kevin Davidson wrote: > I posted a spam over in the spam area under the title "Spam looks > like a bounce". I changed my real email name to "me" and my domain to > "mydomain". I have an email account, me@acm.org, which forwards to > me@mydomain.org. > > I'm having a hard time understanding what this is and where it came > from. It appears at first glance like a bounced message, only I didn't > send it. Mainly I'm asking how to read the headers. Bounce is an ambiguous term to me, so I'll avoid it

You received a newmail header containing these Received tracelines

Abbreviated Received tracelines
from mydomain5 by lucy3.trkhosting.com
from [199.222.69.92] (helo=alias2.acm.org) by lucy3.trkhosting.com
from alias2.acm.org by alias2.acm.org

which consisted of 3 parts delineated by boundary lines
- a little body 'The original message...'
- DNS delivery-status - failed
- original message

where the original message contained these Received tracelines

Abbreviated Received tracelines *comment
from psmtp.com ([64.18.2.110]) by alias2.acm.org *relay output, timestamp discrepancy
from source ([61.223.8.68]) by exprod7mx60.postini.com *source

64.18.2.110 looks like a postini server, which doesn't show me a port 25 just now. It may just be an output server and postini isn't showing its input server's IP in the headers. 61.223.8.68 rDNS 61-223-8-68.dynamic.hinet.net - shouldn't be able to relay thru' the postini and there shouldn't be a timestamp discrepancy there; so I don't know exactly what's going on. SC reads that as being sourced by the hinet, which I do too, but postini should also be notified, that's a 'bad' relay activity which looks open or promiscuous. 
-- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Fri Feb 25 13:09:07 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri Feb 25 16:10:02 2005 Subject: [SC-Help] Re: Spam looks like a bounce References: Message-ID: Kevin Davidson wrote: > I'm having a hard time understanding what this is and where it came > from. The way that works is that the first, original spamitem from hinet was addressed To you and From you at your acm, with your mydomain addy blinded in the BCC or its equivalent. When acm received and accepted the item for delivery, it couldn't deliver to the mailbox for mydomain, so it created a newmail addressed to your acm to tell you about the failed delivery. When that newmail reached your acm mailbox, it was forwarded to your mydomain mailbox by acm => trkhosting. -- Mike Easter kibitzer, not SC admin From bar_n0ne at hotmail.com Sat Feb 26 09:34:40 2005 From: bar_n0ne at hotmail.com (Berny) Date: Sat Feb 26 00:35:07 2005 Subject: [SC-Help] Re: Spam from nobody@spamcop.net References: Message-ID: "Miss Betsy" wrote in message news:cvlom3$lu8$1@news.spamcop.net... > > Yeah, but, where would they get the reporting mail address? I > mean, I may > > receive spam at A @ b . com, but submit them to SC from C @ d . > com, the > > report recipient shouldn't receive any information pointing to C > @ d . com, > > nor to E @ f . com which may be the SC account address. (Where > SC's > > acknowledgements go.) there well may be traces of A @ b . com in > the spam > > for a scanner to find. > > The sc mung doesn't get all the addresses. Most people think that > it is useless to try to conceal addresses from a spammer who wants > them. Also, if you are leaving the spamvertised site abuse > addresses checked, there are many of them where the reports go > directly to the spammer (until somebody in .routing suggests an > alternative). Some blackhat source abuse desks also forward > reports directly to the spammer. 
> > Miss Betsy I am pretty sure that MOST, if not all, Chinese and Korean ISP's hosting spamvertizing forward ALL complaints they don't simply devnull to their spammers. And the spammers also construct bogus headers from the internal routings they see in the headers of reported spam, so the fakes are getting better all the time. Enough to fool many a human doing a simplistic "parse", so far not quite enough to fool SC. I agree about the munging, my point is simply that neither the spam, nor the report will have any references to either of C @ D, or E @ F. , which is what the OP implied. Remember the spam was sent to A @ B. From erin at bluefishe.com Sat Feb 26 00:48:31 2005 From: erin at bluefishe.com (Erin) Date: Sat Feb 26 03:50:05 2005 Subject: [SC-Help] Giving them my email Message-ID: I'm new to this whole thing. Is it a very bad idea to put in the message "Take my email, emailwhere@spamwasreceived.com, off your list!"? I actually want to get my email off these lists instead of having to block them. Even if one spammer gets knocked offline, my email is still on whatever list is floating around out there. Is it not a better idea to have my email marked as potentially dangerous if you send spam to me? From erin at bluefishe.com Sat Feb 26 01:00:57 2005 From: erin at bluefishe.com (Erin) Date: Sat Feb 26 04:00:03 2005 Subject: [SC-Help] Re: Giving them my email In-Reply-To: References: Message-ID: Erin wrote: > I'm new to this whole thing. Is it a very bad idea to put in the message > "Take my email, emailwhere@spamwasreceived.com, off your list!"? I > actually want to get my email off these lists instead of having to block > them. Even if one spammer gets knocked offline, my email is still on > whatever list is floating around out there. Is it not a better idea to > have my email marked as potentially dangerous if you send spam to me? Also, I paid for your service earlier today and never received an email. 
It said to wait 8 hours before pasting the confirmation, and now I can't find the page to paste it to. Where do I go? Is it normal to not get a reply yet? From MikeE at ster.invalid Sat Feb 26 05:09:46 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat Feb 26 08:10:04 2005 Subject: [SC-Help] Re: Giving them my email References: Message-ID: Erin wrote: > I'm new to this whole thing. Is it a very bad idea to put in the > message "Take my email, emailwhere@spamwasreceived.com, off your > list!"? Assumption1: your question means "When I submit a spam to the spamcop parser for parsing and reporting, and the spamcop reporting form provides me with an opportunity to... - Send reports now - Preview reports - Cancel ... followed by another section which provides me with an opportunity to... - enter comments for each of the 'Report spam to: ' entities, that I should enter this sentence '"Take my email, emailwhere@spamwasreceived.com off your list!" into that comments section which will be mailed to the providers for the spamsource and for the spamvertisers as a method of communicating with the actual spammer to stop spamming me?" Answer to assumption1: No, that isn't a good sentence to enter into the comments section, since the comments are ostensibly being directed to the respective providers, not the spammer per se. If your goal is to leave the spam intact instead of the standard spamcop mungeing of the addresses in the To, CC, and Received lines, that is configurable in the Preferences section for Reporting preferences - 8th section - for mungeing "Leave spam copies intact". You could also provide your name and spammed email address to those providers in the 1st section of that Preferences where the 'Display name' goes. > I actually want to get my email off these lists instead of > having to block them. I'm interpreting that as saying "I don't mind being listwashed by those spammers who do listwashing." -- as opposed to the antispammers who are against listwashing. 
> Even if one spammer gets knocked offline, my > email is still on whatever list is floating around out there. Is it > not a better idea to have my email marked as potentially dangerous if > you send spam to me? I'm interpreting that as saying that you feel that the spamcop report will knock a spammer offline, and you would like for all of the spammers to remove your address from their list because your address is potentially dangerous to them because you are now a spamcop reporter. You are apparently thinking that if you put that sentence above into your reports to the providers for spamsources and spamvertisers that somehow it will aid in the result of your address being removed from spammer lists. No. It will not. Without further elaboration until you clarify my assumptions about what you are asking, because sometimes people think.... Assumption2: If I respond to the Remove address or Remove link, will the spammers remove me from their mailing list? .... which is a different question than the longer one I posted in Assumption1 above. -- Mike Easter kibitzer, not SC admin From mrichter at cpl.net Sat Feb 26 11:37:29 2005 From: mrichter at cpl.net (Mike Richter) Date: Sat Feb 26 14:40:07 2005 Subject: [SC-Help] Re: Giving them my email In-Reply-To: References: Message-ID: Erin wrote: > I'm new to this whole thing. Is it a very bad idea to put in the message > "Take my email, emailwhere@spamwasreceived.com, off your list!"? I > actually want to get my email off these lists instead of having to block > them. Even if one spammer gets knocked offline, my email is still on > whatever list is floating around out there. Is it not a better idea to > have my email marked as potentially dangerous if you send spam to me? Please read Mike Easter's post for long-term guidance. I hope to provide you here with simple answers to what appear to be your questions with some underlying truths (!) to guide you in the future. 
Spammers are not benevolent entrepreneurs seeking your best interests. As a class, they are lying, cheating scam artists playing on your gullibility. Their only interest is their enrichment and they will take exactly those actions - legal, moral or otherwise - which enhance that interest. They have no incentive to remove your name from their mailing lists even if they promise to do so. In fact, an e-mail to the spammer verifies your address and enhances the value of that address. In practice, it may "elevate" you to the status of preferred victim because of that verification. (A notice from SpamCop does not have that effect directly but in some cases can verify.) There is an exception of little practical interest. Occasionally, a clueless company will spam in good faith and ultimate simplicity. Requesting removal then is arguably a positive move, though they are likely to have learned already by blocklist that their action was unwise and to have scrapped the list they used. Mike -- mrichter@cpl.net http://www.mrichter.com/ From buzzard554 at fastmail.co.uk Sun Feb 27 08:05:13 2005 From: buzzard554 at fastmail.co.uk (Martin Edwards) Date: Sun Feb 27 03:05:25 2005 Subject: [SC-Help] Re: Giving them my email In-Reply-To: References: Message-ID: Mike Richter wrote: > Erin wrote: > >> I'm new to this whole thing. Is it a very bad idea to put in the >> message "Take my email, emailwhere@spamwasreceived.com, off your >> list!"? I actually want to get my email off these lists instead of >> having to block them. Even if one spammer gets knocked offline, my >> email is still on whatever list is floating around out there. Is it >> not a better idea to have my email marked as potentially dangerous if >> you send spam to me? > > > Please read Mike Easter's post for long-term guidance. I hope to provide > you here with simple answers to what appear to be your questions with > some underlying truths (!) to guide you in the future. 
> > Spammers are not benevolent entrepreneurs seeking your best interests. > As a class, they are lying, cheating scam artists playing on your > gullibility. Their only interest is their enrichment and they will take > exactly those actions - legal, moral or otherwise - which enhance that > interest. > > They have no incentive to remove your name from their mailing lists even > if they promise to do so. In fact, an e-mail to the spammer verifies > your address and enhances the value of that address. In practice, it may > "elevate" you to the status of preferred victim because of that > verification. (A notice from SpamCop does not have that effect directly > but in some cases can verify.) > > There is an exception of little practical interest. Occasionally, a > clueless company will spam in good faith and ultimate simplicity. > Requesting removal then is arguably a positive move, though they are > likely to have learned already by blocklist that their action was unwise > and to have scrapped the list they used. > > Mike I'd go along with that. In a small minority of cases, I feel that people are just trying to get a business going and do not report. From erin at bluefishe.com Sun Feb 27 01:45:29 2005 From: erin at bluefishe.com (Erin) Date: Sun Feb 27 04:46:31 2005 Subject: [SC-Help] Re: Giving them my email In-Reply-To: References: Message-ID: Mike Easter wrote: > Erin wrote: > >>I'm new to this whole thing. Is it a very bad idea to put in the >>message "Take my email, emailwhere@spamwasreceived.com, off your >>list!"? > > > Assumption1: your question means "When I submit a spam to the spamcop > parser for parsing and reporting, and the spamcop reporting form > provides me with an opportunity to... > > - Send reports now > - Preview reports > - Cancel > > ... followed by another section which provides me with an opportunity > to... 
> > - enter comments for each of the 'Report spam to: ' entities, that I > should enter this sentence '"Take my email, > emailwhere@spamwasreceived.com off your list!" into that comments > section which will be mailed to the providers for the spamsource and for > the spamvertisers as a method of communicating with the actual spammer > to stop spamming me?" > > Answer to assumption1: No, that isn't a good sentence to enter into the > comments section, since the comments are ostensibly being directed to > the respective providers, not the spammer per se. > > If your goal is to leave the spam intact instead of the standard spamcop > mungeing of the addresses in the To, CC, and Received lines, that is > configurable in the Preferences section for Reporting preferences - 8th > section - for mungeing "Leave spam copies intact". You could also > provide your name and spammed email address to those providers in the > 1st section of that Preferences where the 'Display name' goes. > > >>I actually want to get my email off these lists instead of >>having to block them. > > > I'm interpreting that as saying "I don't mind being listwashed by those > spammers who do listwashing." -- as opposed to the antispammers who are > against listwashing. > > >>Even if one spammer gets knocked offline, my >>email is still on whatever list is floating around out there. Is it >>not a better idea to have my email marked as potentially dangerous if >>you send spam to me? > > > I'm interpreting that as saying that you feel that the spamcop report > will knock a spammer offline, and you would like for all of the spammers > to remove your address from their list because your address is > potentially dangerous to them because you are now a spamcop reporter. > > You are apparently thinking that if you put that sentence above into > your reports to the providers for spamsources and spamvertisers that > somehow it will aid in the result of your address being removed from > spammer lists. > > No. 
It will not. Without further elaboration until you clarify my > assumptions about what you are asking, because sometimes people > think.... > > Assumption2: If I respond to the Remove address or Remove link, will > the spammers remove me from their mailing list? > > .... which is a different question than the longer one I posted in > Assumption1 above. > > Mike, the longer assumption was correct. I googled 'listwashing'. Are you saying there is no ethical way to clear an email address of spam besides shutting it down or using some kind of blocking? I don't mind 'mungeing' from my own address, but I don't get very much spam - maybe 1 or 2 a week. However, I'm trying to cut down on my mom's spam for her, and I can't have access to her account (at hotmail) forever. Is there nothing I can do for her? Also, I subscribed (paid $15) yesterday and never received an email from SpamCop. It said to wait 8 hours for an email before pasting the confirmation, and now I can't find the page to paste it to. Where do I go? Is it normal to not get a reply? Thank you for your patience with the newbie. Erin From MikeE at ster.invalid Sun Feb 27 07:07:24 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Feb 27 10:10:34 2005 Subject: [SC-Help] Re: Giving them my email References: Message-ID: Erin wrote: > Mike, the longer assumption was correct. Okey dokey. Got it. > I googled 'listwashing'. Are you saying there is no ethical way to > clear an email address of spam besides shutting it down or using some > kind of blocking? There is no ethical or unethical way to induce spammers to stop emailing an address, with some very minor exceptions which can't be applied broadly or generally in any kind of useful way as regards this discussion. I'll discuss some mailbox management below. > I'm trying > to cut down on my mom's spam for her, and I can't have access to her > account (at hotmail) forever. Is there nothing I can do for her? 
Let's call you her support person who is trying to help her configuration so that she gets less spam frustration and handles her mail better. The more access a support person has to someone's mailbox or account or computer or whatever, the better. > Also, I subscribed (paid $15) yesterday and never received an email > from SpamCop. Paying $15 to SC would be for paying to be a paid SC reporter for 'fuel' because fuel or megs or spam reporting is sold at any price, whereas having a SC mail account costs $30/year. Being a paid SC reporter is fine, but it isn't going to do anything for your role as your mom's spam and mailbox support person. To me, SC reporting, either free or paid, is fine for antispammers, but it doesn't do anything to reduce spam to anyone's mailbox. Of the many solutions discussed below, having a SC mail account for $30/year /is/ a method to reduce spam. > It said to wait 8 hours for an email before pasting the > confirmation, and now I can't find the page to paste it to. Where do I > go? Is it normal to not get a reply? I'm assuming that before you decided to become a paid reporter, that you were a free reporter and had already received a confirmational mail because you have to be a free reporter before you can be a paid reporter. Then, in order to become a paid reporter from being a free one, you went to the Preferences page and added fuel -- because that's the only way I know how for you to pay $15 to SC for anything except by donation. > Thank you for your patience with the newbie. There are currently 2 or 3 separate issues here. One of them is in my not understanding how or why - where 'why' means 'for what exact purpose' you gave SC $15. I'm supportive of your doing it, I just don't understand what you were trying to do and how you were trying to do it. Giving SC $15 doesn't do anything about this other issue below. The other and completely separate issue is how to help your mother defend herself against spam. 
When I'm trying to teach newbies how to defend against spam, ie handle the mailbox, I consider my #1 priority to eliminate spam from the Inbox so that wanted mail can be handled non-frustratingly. Ideally this would be accomplished by filtering all spam from the Inbox by some kind of filter which does not filter goodmail and so that the recipient did not have to read spam subjects and froms to 'find' their goodmail. That condition of handling mail doesn't have anything to do with reporting spam. Spam reporting is a separate activity from handling mail, altho' if one 'wants to be' a spam reporter, the reporting can be integrated with the handling. But handling comes first and foremost. Some people handle spam badly and also report it. That is dumb. They should be handling spam smartly, whether they report it or not. So, the first step in spam handling is developing a philosophy and a pledge. The pledge is to never aid or profit a spammer, and the best way to fulfill the pledge is to never preview or open a spam insecurely. The best way to avoid opening a spam insecurely is to keep spam out of the Inbox. The Inbox was 'designed' for handling wanted mail, it wasn't well designed for handling spam, and the spammer has the upper hand when people are having to read their spam subjects and froms in order to determine what is spam and what isn't. That is an unhealthy activity. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sun Feb 27 07:19:15 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Feb 27 10:20:03 2005 Subject: [SC-Help] Re: Giving them my email References: Message-ID: Erin wrote: > Are you saying there is no ethical way to > clear an email address of spam besides shutting it down or using some > kind of blocking? That is fundamentally correct. Personally, I don't like to 'run away' from an email address, but I would rather 'defend it'. 
However, I have some experience at defending an address and I have some interest in keeping currently spammed addresses. My strategies of defending my address might be different from someone who has a 'brand new' hotmail address which is currently getting spammed to death. > I don't mind 'mungeing' from my own address, but I > don't get very much spam - maybe 1 or 2 a week. I think that what you are going to be doing about your mail is going to be different from what you are doing about your mom's mail; assuming that you are going to be your mom's mail support person. It sounds like you are going to be a paid SC reporter. > However, I'm trying > to cut down on my mom's spam for her, and I can't have access to her > account (at hotmail) forever. Is there nothing I can do for her? If your mom currently has a brand new hotmail address that doesn't have 'value' to her in some special way, and it is already getting tons and tons of spam, probably because it was an address or a username which previously belonged to someone else, then either you are going to have to institute some significant filter or you are going to have to jettison that address in favor of one which is more random or unique so that it won't start getting all of the spam which someone else with the same username has 'caused' by having a common username or by exposing that username broadly in newsgroup From or at a naked mailto on a website. In the long run, even if she runs from her current addy, she will need a spam defense strategy involving filters. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sun Feb 27 07:55:42 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Feb 27 10:55:06 2005 Subject: [SC-Help] Re: Giving them my email References: Message-ID: Erin wrote: > I'm trying > to cut down on my mom's spam for her, and I can't have access to her > account (at hotmail) forever. Is there nothing I can do for her? 
I've never had a hotmail account, free or otherwise, so I have to go to msn to read about it. Without signing up, all I get to read at msn re hotmail is this: "Spam filtering - Choose between three spam filtering levels with Microsoft Smartscreen™ technology. Hotmail also offers the Bonded Sender Program and Block Sender list to fight against spammers." I can't tell if hotmail has a whitelisting system; but whitelisted only is a very very powerful filter method if someone isn't inclined to get some kind of unknown wanted mail. My provider offers a whitelisted system as one of its 3 spamfiltering options of lo/med/hi, ie off, known, suspect. Tho' I don't have a hotmail, I do have a gmail account, and I have it configured to forward to me, and it 'never' forwards spam, but it keeps its spam for 30 days, so I go over to that account every once in a while and look in there and see if there's any wanted mail mistakenly filtered. Looking thru' filtered spam for a wanted mail /should/ be much faster than looking thru' an Inbox full of spam looking for wanted mail. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sun Feb 27 08:38:13 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Feb 27 11:40:13 2005 Subject: [SC-Help] Re: Giving them my email References: Message-ID: Erin wrote: > I'm new to this whole thing. > Is it a very bad idea to put in the > message "Take my email, emailwhere@spamwasreceived.com, off your > list!"? SpamCop sends a report to the provider for the spamsource. Typically, a spamsource is an abused proxy; so that provider has nothing to do with the actual party who injected the spam via an abused user's insecurity, except for the provider failing to force the userIP to either get secure or stop sending mail out its port 25. SpamCop also sends reports to the provider for the spamvertisers. Such providers range in hat color from white to gray to very black. 
The whitehat providers are concerned about and against their clients' spamvertising and may kill the account of a spamvertised site. Blackhats are 'in cahoots' with the spammer and communicating with pure blackhats is a little bit like communicating with a spammer, except for the problem of 'plausible deniability'. Obviously there is a huge range of grayhats. A few spams are 'straightup' -- in which the spamsource = the From = the spamvertised site. That is, the spam has a little bit of 'honesty' in that it is from who it sez it is and it is promoting 'itself'. For a variety of reasons, straightup spam usually does a different style of list management than ordinary common abusive spam. Another straightup item is the item which the recipient requested, such as a mailing list; or a mailing list item which someone else requested for the recipient; or a mailing list item being run by someone who isn't doing a good job of mailing list management. A proper mailing list management scheme involves a removal process. So, it is clear that using removal methods for something which you asked to be mailed is appropriate. Almost all other removal methods do not work for a variety of reasons, and commonly the removal 'process' is counterproductive in spam management. Many spammers interpret removal requests as a sign that the person who got the mail not only opens their spam and also reads it, but that they also click on spamcontained links and believe what they read in spam. That makes the recipient a better target than anyone else on the spammer's old list. So, if you provide addy information to a blackhat provider/spammer, you will have contributed your address in a direction which is undesirable -- not quite the same as responding to a remove gizmo, because you gave the address via a spamcop report, but you still gave it to a blackhat. 
SpamCop's deputies do a little tiny bit about responding to reporter's opinions that this or that is a blackhat, but most of the SC reporting addresses are algorithmically derived, not by some magical human wisdom of being able to read hatcolors in databases. > I actually want to get my email off these lists instead of > having to block them. If you ever become a famous anti- which some spammers are 'afraid of', your addy might make it to an anti- list; but that won't stop a great deal of spam, just some. It is also possible to get removed from some mainsleaze list. Mainsleaze spam is typically straightup and some mainsleaze would rather not mail to those who don't want the spam, and spamcop's reports can go to the mainsleaze provider who will help the mainsleaze listwash you from their list. Straightup mainsleaze spam is an insignificant contribution to the spamload, so it isn't useful to be acting toward your general spam as if it were straightup mainsleaze. > Even if one spammer gets knocked offline, my > email is still on whatever list is floating around out there. Correct, but there isn't much about SC reporting which is going to knock any spammers offline -- where 'spammers' is the entity which is actually cranking out the email by the hundreds of thousands; not to be confused in this usage with the spamvertiser. > Is it > not a better idea to have my email marked as potentially dangerous if > you send spam to me? That's the concept of becoming a famous anti-. I suppose it is a feather in an anti-'s cap to be found in a spammer's anti- list, but it doesn't eliminate spam. -- Mike Easter kibitzer, not SC admin From feldethom2165 at email2me.net Sun Feb 27 08:06:56 2005 From: feldethom2165 at email2me.net (Fred k) Date: Sun Feb 27 12:10:03 2005 Subject: [SC-Help] Re: Giving them my email References: Message-ID: "Mike Easter" wrote in message news:cvsqfg$bsg$1@news.spamcop.net... 
> Tho' I don't have a hotmail, I do have a gmail account, and I have it > configured to forward to me, and it 'never' forwards spam, but it keeps > its spam for 30 days, so I go over to that account every once in a while > and look in there and see if there's any wanted mail mistakenly filtered. > Looking thru' filtered spam for a wanted mail /should/ be much faster > than looking thru' an Inbox full of spam looking for wanted mail. Mike What is gmail's ~ track record regarding false positives/negatives? Fred k From MikeE at ster.invalid Sun Feb 27 10:51:29 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Feb 27 13:55:33 2005 Subject: [SC-Help] Re: Giving them my email References: Message-ID: Fred k wrote: > "Mike Easter" >> Tho' I don't have a hotmail, I do have a gmail account, and I have it >> configured to forward to me, and it 'never' forwards spam, but it >> keeps its spam for 30 days, so I go over to that account every once >> in a while and look in there and see if there's any wanted mail >> mistakenly filtered. Looking thru' filtered spam for a wanted mail >> /should/ be much faster than looking thru' an Inbox full of spam >> looking for wanted mail. > > What is gmail's ~ track record regarding false positives/negatives? First a little background and clarification and perspective to help with the interpretation. Shortly after I got the gmail I started exposing it in the Reply-To in usenet posts. Shortly after that it was 'attacked' by an individual who signed it up for a bunch of newsletters because of a petty newsgroup disagreement and my criticism. The majority of those newsletters sent a confirmatory; a couple of them sent me the IP of who signed me up, which enabled me to know who that was, and who had left a trail with his IP in another newsgroup and so I informed his provider of his bogus signups. 
A few of those newsletters handled their mailing list badly ie non-confirmed, but straightup and I chose to unsub with the intention of reporting them if they persisted. Next; I haven't been forwarding very long; only about 10 days or so. I don't exactly understand how gmail forwards. That is, how often. I do know that it isn't 'rightaway' -- because sometimes when I go visit the webmail there are a couple of items in the Inbox which haven't been forwarded, but yet I have gotten wanted items forwarded. Gmail has weak forwarding filters to enable filtering on From Subject or To -- but I don't currently have any of that enabled. I would probably enable the To feature; maybe the From. The To would keep away any spams which didn't have my addy in the To; the From would handle the items from people I've given my gmail addy. Then last, to answer your question, with that perspective. I've received no forwarded spam. Sometimes there has been a spam or two in the Inbox when I visit, both before I started forwarding and after. There have been a total of 73 spams to the account in the last 30 days, none of which are 'like' the original newsletters which I was bogus subscribed. I've discovered no false positives in the spam folder. So, the address doesn't get a great deal of activity of spam or wanted mail to derive something useful about gmail stats. I think there's probably information about that if you search around, because some people have set about to try to get a lot of spam at their gmail accounts to test the gmail spam filter -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sun Feb 27 11:09:19 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Feb 27 14:10:10 2005 Subject: [SC-Help] Re: Giving them my email References: Message-ID: Mike Easter wrote: > I've received no forwarded spam. Sometimes there has been a spam or > two in the Inbox when I visit, Error. 
I realized that I'm configured so that a gmail forwarded spams would be 'hidden' in some other non-gmail spam; so I looked thru' that spam, briefly, cursorily. I have received 2 forwarded gmail spams and they both/each would have been forwarded even if I had enabled gmail's forwarding filtering for my gmail addy in the To. One of them also slipped by my SpamPal filter untagged, which is very very uncommon. -- Mike Easter kibitzer, not SC admin From erin at bluefishe.com Sun Feb 27 11:15:54 2005 From: erin at bluefishe.com (Erin) Date: Sun Feb 27 14:15:05 2005 Subject: [SC-Help] Membership/Fuel In-Reply-To: References: Message-ID: Mike Easter wrote: > ..what exact purpose' you gave SC $15. I'm supportive of your doing it, > I just don't understand what you were trying to do and how you were > trying to do it. When I paste the email into the SC page, I get this message: "Please wait - subscribe to remove this delay (or click reload if this page does not refresh automatically in 7 seconds.)" And one of the following lines: "Members can get copies of all reports CCed to them." "Membership is cheap! About $15 for two years of average use." "Replies to members' reports can be received un-filtered." "Join SpamCop: Help support this free service" "Members avoid this nag screen" So I signed up for $15 worth of 'fuel', thinking that is some sort of membership. What does this 'membership' include? I never received a confirmation email where I click on a link to confirm that I'm a member, so I'm still seeing these messages when I report spam through the web interface. From erin at bluefishe.com Sun Feb 27 12:04:17 2005 From: erin at bluefishe.com (Erin) Date: Sun Feb 27 15:05:08 2005 Subject: [SC-Help] My Mom's Account In-Reply-To: References: Message-ID: Mike Easter wrote: >>I'm trying >>to cut down on my mom's spam for her, and I can't have access to her >>account (at hotmail) forever. Is there nothing I can do for her? 
> > > Let's call you her support person who is trying to help her > configuration so that she gets less spam frustration and handles her > mail better. The more access a support person has to someone's mailbox > or account or computer or whatever, the better. > > > #1 priority to eliminate spam from the Inbox > so that wanted mail can be handled non-frustratingly. Ideally this > would be accomplished by filtering all spam from the Inbox by some kind > of filter which does not filter goodmail and so that the recipient did > not have to read spam subjects and froms to 'find' their goodmail. She has a hotmail account, and the JunkMail filter is turned on. She gets most of her spam filtered to the 'Junk E-Mail' folder. I currently use her password to get into her account to copy and report spam. She has a lot of attachment to this account (she's had it for years) and will not delete it. > The best way to avoid opening a spam insecurely is to keep spam out of > the Inbox. The Inbox was 'designed' for handling wanted mail, it wasn't > well designed for handling spam, and the spammer has the upper hand when > people are having to read their spam subjects and froms in order to > determine what is spam and what isn't. That is an unhealthy activity. She uses the web interface. Each time she checks her mail, she goes through the junk mail folder to retrieve messages that she wants and delete spam, sorting them without opening them. I've checked hotmail for any kind of blocking list. There is one, but is it really practical to try to make a list of emails and domains to block? There is a 'reporting' service, and I'll look into this to see what exactly that does. So if it's pointless to report her junkmail for the sake of receiving less, and you don't recommend unsubscribing, what are actions to take? 
From kjz at despammed.com Sun Feb 27 21:36:40 2005 From: kjz at despammed.com (Karl-Josef Ziegler) Date: Sun Feb 27 15:40:03 2005 Subject: [SC-Help] Re: Spam looks like a bounce In-Reply-To: References: Message-ID: Kevin Davidson wrote: > I posted a spam over in the spam area under the title "Spam looks like a > bounce". I changed my real email name to "me" and my domain to > "mydomain". I have an email account, me@acm.org, which forwards to > me@mydomain.org. Such a 'forced bounce' (any other terminus technicus available?) seems one of the 'standard tricks' of the Russian Spam Gang (was it warez spam?). Sending the spam to a (known) non-existing localpart of a reputable domain/mailserver with your address as a forged sender. Instead of coming directly from the usual zombie (which may be in several blocklists) the bounce now comes from a reputable mailserver which may not be in a blocklist. Double abuse: zombie for sending the mail and the mailserver which has to handle thousands of these 'forced bounces'... - kjz From MikeE at ster.invalid Sun Feb 27 15:01:00 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Feb 27 18:00:05 2005 Subject: [SC-Help] Re: Membership/Fuel References: Message-ID: Erin wrote: > So I signed up for $15 worth of 'fuel', thinking that is some sort of > membership. When you were a free reporter, you didn't derive those benefits you described of being a paid reporter, so there are advantages to both you and to spamcop of your being a paid reporter. > What does this 'membership' include? What you said, described here http://www.spamcop.net/fom-serve/cache/288.html Upgrade to a premium member account > I never received a > confirmation email where I click on a link to confirm that I'm a > member, I'm not familiar with a confirmation email; that link above just sez "To upgrade to a premium SpamCop account, you must first sign up for and verify a free account. 
Then, from your SpamCop access page, simply click on the "Preferences" link and "Add Fuel" to your account. As long as there is fuel in your account you will not be nagged by ads or the delay screens. If you run out of fuel, your account will automatically revert to a free user account." > so I'm still seeing these messages when I report spam through the web > interface. I don't know what your status is -- whether the system thinks you are still a free reporter or if it knows you are paid. I would think that if the system knows you are paid that it would show a delay or a nag, which would be the first thing you would see, and the other would be your ability to access old reports and to appeal. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sun Feb 27 15:20:08 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Feb 27 18:20:04 2005 Subject: [SC-Help] Re: My Mom's Account References: Message-ID: Erin wrote: > She has a hotmail account, and the JunkMail filter is turned on. She > gets most of her spam filtered to the 'Junk E-Mail' folder. I > currently use her password to get into her account to copy and report > spam. She has a lot of attachment to this account (she's had it for > years) and will not delete it. OK. I also like to keep my email address and not run away from/ abandon/ it. > She uses the web interface. Each time she checks her mail, she goes > through the junk mail folder to retrieve messages that she wants and > delete spam, sorting them without opening them. Am I understanding that she is adopting an attitude toward her spam like a person who gets junk snailmail -- that is, that they like to sort thru' the junkmail, throwing some of it away unopened, but opening those items which are externally appealing - to see what is advertised inside -- to see if they want to go visit the website to find out more about the promotion? Otherwise, what is her idea of going thru' her junkmail? 
One answer might be to see if any wanted mail has been filtered by the spamfilter, but I suspect that your mom is going to be one of those people who have not adopted my pledge to not be opening and reading some spam curiously and receptively and interestedly. I hear some unpledged spamreaders giving me all kinds of excuses about why they need to open and read some of their spam, but I would rather that they were pledged and didn't do that -- because if they are intentionally and interestedly and curiously opening and reading some spam, then I have to be concerned about how insecurely they are doing that [both mentally and technically] and what they are doing which is going to cause them to get more and more and more spam. Spam opening and reading and spamlink clicking is a good/ excellent/ effective/ bad/ way to get more spam. > I've checked hotmail for any kind of blocking list. There is one, but > is it really practical to try to make a list of emails and domains to > block? No. > There is a 'reporting' service, and I'll look into this to see > what exactly that does. That also isn't going to do much good for you. Ostensibly it is supposed to help improve the mail provider's filters. I'm not familiar with how hotmail handles theirs, but I personally think my provider's reporting system is worthless. My provider's minions who converse in the provider newsgroup claim that spam reporting to their system is worth doing, but I don't believe it. Plus, their filter isn't all that great and their reporting system is flawed and I don't use their filter anyway -- so none of that pertains to me and them. > So if it's pointless to report her junkmail for the sake of receiving > less, and you don't recommend unsubscribing, what are actions to take? The best filtering you can get, and not opening and reading any spam insecurely, preferably not opening and reading any at all so as to prevent being a spamreading spammee. 
Some people /want/ to get and read spam so that they can respond to some of it, and then they whine about how much they get or how offended they are by some of it. That's like saying, "I want to get some spam, but I want to pick and choose which spam I get." It doesn't work like that. My provider provides 3 spamblocker settings and I have the provider's blocker turned off because I prefer my own filter. I use SpamPal to tag my spam and I report all that tagged spam with spamcop. I also use spamcop's blocklist to aid my SpamPal in filter tagging my mail, along with a number of other blocklists. My other email, gmail is currently being forwarded to that above account -- so all of the spam which is filtered at gmail isn't getting to the forwarded address, and the gmail spam is too much trouble for me to bother with reporting, so I don't. If the hotmail system and your mom's 'attitude' can't be adjusted to provide excellent filtering, then she/you should consider some alternate filtering system; such as the $30 a year spamcop one or something else. -- Mike Easter kibitzer, not SC admin From feldethom2165 at email2me.net Sun Feb 27 14:43:51 2005 From: feldethom2165 at email2me.net (Fred k) Date: Sun Feb 27 18:45:05 2005 Subject: [SC-Help] Re: Giving them my email References: Message-ID: "Mike Easter" wrote in message news:cvt5qg$kpk$1@news.spamcop.net... > Mike Easter wrote: >> I've received no forwarded spam. Sometimes there has been a spam or >> two in the Inbox when I visit, Well I just opened a gmail account. On another subject: My NIS2005 and their on-line nonsupport is really the pits. All they know to say is to re-install, which is their solution to everything. Today I got 2 totally identical (header and content) 419 scams 40' apart. The first one was tagged spam, the second passed the filter. 
Another issue that never got a straight answer after 10 back and forth email with non-support is if email content/subject from an allowed sender is checked against spam rules. From results i.e., mail from allowed senders being declared as spam, I can only deduce that NIS2005 bayes filter scores messages even from allowed senders. Again their only answer is to reinstall. I am beginning to think NIS2005 is a piece of s@#t. My NIS 2004 is doing pretty good on my old computer. Fred k From post.replies at invalid.address Sun Feb 27 18:29:14 2005 From: post.replies at invalid.address (DougW) Date: Sun Feb 27 19:30:09 2005 Subject: [SC-Help] Re: Giving them my email References: Message-ID: Fred k did pass the time by typing: > I am beginning to think NIS2005 is a piece of s@#t. My NIS 2004 is doing > pretty good on my old computer. The firewall is ok. A better (and free) spam solution is to install SpamPal and then load it with either the DNSBLs you want or plug in several of the many many optional extras. www.spampal.org -- DougW From nobody at spamcop.net Sun Feb 27 18:25:38 2005 From: nobody at spamcop.net (Ellen) Date: Sun Feb 27 20:45:06 2005 Subject: [SC-Help] Re: Membership/Fuel References: Message-ID: "Erin" wrote in message news:cvt64c$l0h$1@news.spamcop.net... > > So I signed up for $15 worth of 'fuel', thinking that is some sort of > membership. What does this 'membership' include? I never received a > confirmation email where I click on a link to confirm that I'm a member, > so I'm still seeing these messages when I report spam through the web > interface. Send the email address you registered with SpamCop and a summary of the problem to service@admin.spamcop.net and Don will check your record and get it straightened out. Ellen SpamCop From erin at bluefishe.com Sun Feb 27 18:26:33 2005 From: erin at bluefishe.com (Erin) Date: Sun Feb 27 21:25:04 2005 Subject: [SC-Help] Opening spam insecure? Message-ID: Don't I have to open spam to report it? 
I've been told to not open spam, but SpamPal doesn't work with web interfaces. Is it secure to open junkmail with web interfaces in order to copy/paste and/or forward? From nobody at devnull.spamcop.net Sun Feb 27 22:02:19 2005 From: nobody at devnull.spamcop.net (Miss Betsy) Date: Sun Feb 27 22:00:07 2005 Subject: [SC-Help] Re: Opening spam insecure? References: Message-ID: "Erin" wrote in message news:cvtvbr$8gl$1@news.spamcop.net... > Don't I have to open spam to report it? I've been told to not open spam, > but SpamPal doesn't work with web interfaces. Is it secure to open > junkmail with web interfaces in order to copy/paste and/or forward? As long as you are offline or have your preferences set so that HTML is off, then it is not dangerous. I don't know how to work spampal, but since many people use it, I expect there is a way to forward as attachment or to view the raw message without 'opening' it. Miss Betsy From nobody at devnull.spamcop.net Sun Feb 27 22:09:08 2005 From: nobody at devnull.spamcop.net (Miss Betsy) Date: Sun Feb 27 22:10:03 2005 Subject: [SC-Help] Re: Giving them my email References: Message-ID: "Erin" wrote in message news:cvpd02$i3$1@news.spamcop.net... > I'm new to this whole thing. Is it a very bad idea to put in the message > "Take my email, emailwhere@spamwasreceived.com, off your list!"? I > actually want to get my email off these lists instead of having to block > them. Even if one spammer gets knocked offline, my email is still on > whatever list is floating around out there. Is it not a better idea to > have my email marked as potentially dangerous if you send spam to me? In a word, yes it is a bad idea. I know what you are thinking (because I thought that way too when I first started getting spam), but it doesn't work and basically, you just give your email address to the spammer as a 'live' address which is worth more for him to sell. 
There is only one way to get a spam free address and that is to change your email address to one that is alphanumeric like 3r1n and make sure that it never appears on the internet (if you google, it doesn't come up). Also, have another address for ordering things just in case the list gets into the hands of a spammer (the business can be sold as well as the list stolen or it can be spammer who lied). Miss Betsy From post.replies at invalid.address Sun Feb 27 21:53:18 2005 From: post.replies at invalid.address (DougW) Date: Sun Feb 27 22:55:03 2005 Subject: [SC-Help] spamcop parsing ok but reporting page still buggy. Message-ID: From a spam recently reported. The spam URL contained (CR) codes and parsed correctly but displayed in the b0rken way. Re: http://ofiysof.myr (Administrator of network hosting website referenced in spam) To: abuse@newworldtel.com (Notes) Additional notes (optional - max 2000 characters): That would be myrxcart.com or .net Three sample spams can be had here. www.revbeergoggles.com/ferrisjones I will eventually have a larger database there on this wanker.. But for now. You will find these domains causing problems. All registered under the same fictitious individual ::Registrant:: Name : Ferris Jones Email : ferris@japan.com Address : 34 Bayside drive Zipcode : 90211 Nation : US Tel : 4329929111 Fax : Internic complaints have been filed on these domains for false information. Spammy has also been forced to move to a real hole in china. 
(not that china isn't a hole to begin with anyway) -- rbg head kook and bottle drainer revbeergoggles.com From nobody at spamcop.net Sun Feb 27 19:54:51 2005 From: nobody at spamcop.net (Don Wannit) Date: Sun Feb 27 22:55:25 2005 Subject: [SC-Help] Re: Giving them my email In-Reply-To: References: Message-ID: Mike Easter wrote: > Erin wrote: > >>I'm trying >>to cut down on my mom's spam for her, and I can't have access to her >>account (at hotmail) forever. Is there nothing I can do for her? > > > I've never had a hotmail account, free or otherwise, so I have to go to > msn to read about it. I signed up for a free Hotmail account, and it appears that Hotmail does have several settings of interest to pledged spam fighters. Email goes either into your inbox or into your junk email folder, depending on your settings. 
You can also create other folders and various filtering rules (very simple ones) to automatically sort incoming messages into your various folders. Not fancy, but not bad for the price :-) There is an "exclusive" setting for spam filtering, which is a whitelisting feature. It allows only messages from your "contacts" into your inbox, others go to your junk mail folder. Other settings for automatic spam filtering are "low" (you're on your own), and "enhanced", which diverts suspected spam to the junk folder based on Hotmail's rules. Not much information on them, but they claim that by confirming (they call it "reporting") a suspected spam message as spam, users can help improve the spam filtering. Might be a large collective ham/spam database, but there is not much information I could find in a quick look. Another setting to be very sure to select, and which is not selected by default, is to "Automatically suppress Internet content in messages". This one is found in the Options>Mail>Mail Display Settings page. If you don't select this, Hotmail will render images and all that web-bug nastiness that lets the spam "phone home" to let Sammy the Spammer know that your email address is a live one. Off to explore the wonderful world of Hotmail some more... -- Don Wannit A paid SpamCop user since 1999 From MikeE at ster.invalid Sun Feb 27 20:08:26 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Feb 27 23:10:03 2005 Subject: [SC-Help] Re: Opening spam insecure? References: Message-ID: Erin wrote: > Don't I have to open spam to report it? I've been told to not open > spam, but SpamPal doesn't work with web interfaces. Is it secure to > open junkmail with web interfaces in order to copy/paste and/or > forward? Is it absolutely necessary that hotmail must be opened to be reported? Be careful about interpreting my remarks about not opening spam. 
Many solid antispammers don't exactly see eye-to-eye with me about that, and my position sounds somewhat extreme and other strategies than mine which do involve opening spam may be employed, if done 'properly'. My most defensible position is 'don't open spam irresponsibly - or insecurely - or with the wrong attitude.' Which might also include 'and knowing what is inside it before you open it.' If you have the right attitude and sufficient security both mentally and technically, you can open spam, if you must. I also argue that I don't see why you must - or that a better configuration would be one in which you didn't have to open spam. I can't address all web interfaces about their insecurity. I don't use my connectivity provider's web interface for mail. I /have/ used gmail's web interface for mail, and it can be used securely. I don't know whether or not hotmail's web interface can be used securely, you'll have to ask someone else about that, since I've never seen the inside of a hotmail web interface. I just know that I can separate my spam from my nonspam and report my spam accurately without opening it. I started doing that because the rendering engine of my mailuser agent was inherently insecure, being OE/IE, and also because spamfighting is a sport to me. In that sport there's a scorecard which counts for the spammer if s/he gets me to open a spam 'accidentally' - where accidentally means that I open a spam to find out what is inside -- because normally I would never open any such unknown mail item without already knowing what was inside it from having inspected its raw unrendered interior first. -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Sun Feb 27 20:10:47 2005 From: nobody at spamcop.net (Don Wannit) Date: Sun Feb 27 23:15:02 2005 Subject: [SC-Help] Re: Opening spam insecure? In-Reply-To: References: Message-ID: Erin wrote: > Don't I have to open spam to report it? 
I've been told to not open spam, > but SpamPal doesn't work with web interfaces. Is it secure to open > junkmail with web interfaces in order to copy/paste and/or forward? No, you don't have to open it. And here, to paraphrase Bill Clinton, it depends on what the meaning of "open" is. You don't want to _render_ the full graphical form of email if it might be spam. You do need to look at its raw text content to confirm that it really is spam, before you report it as spam. You need to open the message just enough to look at the HTML/text content to make sure it's spam or not. DO NOT open it enough to render images. Rendering HTML formatting is OK, but fetching style sheets, graphics images, and redirects is very very bad. So you'll need to use a mail reader that allows you to look at the message source (the gobbledy-gook code) without actually "phoning home" to fetch pictures and such. The problem is that if you allow your email reading program to fetch those pretty pictures in the spam, the very act of getting the pictures proves to the spam sender that someone read the spam message, so the email address is a live one. That means the address will get LOTS more spam. Mike Easter has lots more to say, I'm sure! I sympathize with you, supporting your mother's email. I just sent the in-laws back home, and at 82+ they are not easy to teach. Good luck! And I do strongly recommend the $30/year Spamcop email filtering service. It works so well that I set up our company to use it to filter incoming business email. It's important to avoid false positives which could mean p*ssed off customers, and also important to avoid wasting company time on spam. We've found the SpamCop email filtering to work very well, with lots less hand-holding and administration headaches than other alternatives we've tried. 
You might want to set up your mother's email to be filtered through SpamCop so she sees only the email that passes, then you can check her held email as often as you choose to see if any ham (good email) got caught as spam by mistake. Or teach her to do it. As time goes on, her personal SpamCop whitelist will get better at letting email from her friends through without delay, and the SC filtering will catch very nearly all of the spam, with just a few getting through now and then. -- Don Wannit A paid SpamCop user since 1999 From lart-o-matic at revbeergoggles.com Sun Feb 27 22:21:15 2005 From: lart-o-matic at revbeergoggles.com (DougW) Date: Sun Feb 27 23:25:04 2005 Subject: [SC-Help] Re: Opening spam insecure? References: Message-ID: Mike Easter did pass the time by typing: > Erin wrote: >> Don't I have to open spam to report it? I've been told to not open >> spam, but SpamPal doesn't work with web interfaces. Is it secure to >> open junkmail with web interfaces in order to copy/paste and/or >> forward? Generally, no. You have no idea what payload the message may have. Some use specific URLs to validate live email accounts or pull other shenanigans. > Is it absolutely necessary that hotmail must be opened to be reported? > > Be careful about interpreting my remarks about not opening spam. Many > solid antispammers don't exactly see eye-to-eye with me about that, and > my position sounds somewhat extreme and other strategies than mine which > do involve opening spam may be employed, if done 'properly'. Sadly, hotmail doesn't have a safe view method. (doesn't keep you from suggesting one though) Just a way to view the source by enabling advanced headers. 
http://www.spamcop.net/fom-serve/cache/22.html

-- 
rbg head kook and wattle bosher, revbeergoggles.com

From MikeE at ster.invalid Sun Feb 27 20:28:45 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Feb 27 23:30:02 2005
Subject: [SC-Help] Re: Giving them my email
References:
Message-ID:

Don Wannit wrote:
> I signed up for a free Hotmail account, and it appears that Hotmail
> does have several settings of interest to pledged spam fighters.

I'm glad for this education, I'll probably have more questions.

> Email goes either into your inbox or into your junk email folder,
> depending on your settings.

That's rather strange and it is similar to a statement Erin made about her mom looking in her Junkmail for her mail. There's something strange about that. The purpose of a filter is to eliminate [almost] all spam from your Inbox. If there's a junkmail folder with your goodmail in there and a lot of spam, then that filter hasn't functioned properly.

You haven't described yet the discriminatory features of the hotmail filter; but that may be a bit much for posting and something that one would have to actually look at to fully appreciate.

> You can also create other folders and
> various filtering rules (very simple ones) to automatically sort
> incoming messages into your various folders. Not fancy, but not
> bad for the price :-)

I have a feeling about the typical simplistic filters; something like gmail's or EL's.

> There is an "exclusive" setting for spam filtering, which is a
> whitelisting feature. It allows only messages from your "contacts"
> into your inbox, others go to your junk mail folder.

There's a lot to be said for a filter which provides the power of whitelisting only. I wouldn't be at all surprised if Erin's mom may not be an excellent candidate for whitelisted only mail and delete if possible everything which isn't whitelisted so she won't be trying to get into that junkmail and read it.
> Other settings for automatic spam filtering are "low" (you're
> on your own), and "enhanced", which diverts suspected spam to the
> junk folder based on Hotmail's rules. Not much information on
> them, but they claim that by confirming (they call it "reporting")
> a suspected spam message as spam, users can help improve the spam
> filtering. Might be a large collective ham/spam database, but there
> is not much information I could find in a quick look.

Yeah yeah 'they' are always saying reporting helps. I suppose people should do that if it is easy enough. At gmail, it is easy enough to move an item and call it spam without further 'reporting' and I do that. I do nothing for EL's reporting.

> Another setting to be very sure to select, and which is not selected
> by default, is to "Automatically suppress Internet content in
> messages". This one is found in the Options>Mail>Mail Display
> Settings page. If you don't select this, Hotmail will render images
> and
> all that web-bug nastiness that lets the spam "phone home" to let
> Sammy the Spammer know that your email address is a live one.

That kind of situation is exactly what I'm talking about when I'm 'lecturing' neophytes about not opening spam. If I can get 'everyone' to not open spam somehow, then I don't have to figure out every possible insecurity in the world, whether it is a mailuser agent or a web interface or whatever the next thing might be for how to securely handle something.

The business of 'how can I open my spam securely' is a nightmare that I'm totally against. How about if we all just figure out how to not open spam at all, instead of trying to figure out how to open spam for some kind of purpose that I have to dissect as well. Spam openers are a big pain. I have to be able to read their mind/attitude/pledgedness. I have to be able to figure out their security competency. I have to figure out a myriad of different kinds of interfaces.
My rule about not opening spam is a lot simpler; just a little difficult to implement sometimes.

> Off to explore the wonderful world of Hotmail some more...

-- 
Mike Easter
kibitzer, not SC admin

From feldethom2165 at email2me.net Sun Feb 27 20:27:41 2005
From: feldethom2165 at email2me.net (Fred k)
Date: Mon Feb 28 00:30:03 2005
Subject: [SC-Help] Re: Giving them my email
References:
Message-ID:

"Mike Easter" wrote in message news:cvu6je$dsb$1@news.spamcop.net...
> The business of 'how can I open my spam securely' is a nightmare that
> I'm totally against. How about if we all just figure out how to not
> open spam at all, instead of trying to figure out how to open spam for
> some kind of purpose that I have to dissect as well. Spam openers are a
> big pain. I have to be able to read their mind/attitude/pledgedness. I
> have to be able to figure out their security competency. I have to
> figure out a myriad of different kinds of interfaces.
>
> My rule about not opening spam is a lot simpler; just a little
> difficult to implement sometimes.

OE has text only read mode. In addition the latest updates make it so that you have to "allow images download" so that seems to prevent the problem of announcing that a spam mail has been looked at or am I wrong about that?

Fred k

From MikeE at ster.invalid Mon Feb 28 04:09:22 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Feb 28 07:10:04 2005
Subject: [SC-Help] Re: Giving them my email
References:
Message-ID:

Fred k wrote:
> "Mike Easter"
>> The business of 'how can I open my spam securely' is a nightmare that
>> I'm totally against. How about if we all just figure out how to not
>> open spam at all, instead of trying to figure out how to open spam
>> for some kind of purpose that I have to dissect as well. Spam
>> openers are a big pain. I have to be able to read their
>> mind/attitude/pledgedness. I have to be able to figure out their
>> security competency.
I have to figure out a myriad of different
>> kinds of interfaces.
>>
>> My rule about not opening spam is a lot simpler; just a little
>> difficult to implement sometimes.
>
> OE has text only read mode. In addition the latest updates make it so
> that you have to "allow images download" so that seems to prevent the
> problem of announcing that a spam mail has been looked at or am I
> wrong about that?

You are correct, but...

Yes; there have been dramatic improvements in the ability of OE to open spam securely /technically/ by preventing the rendering of html.

But you see where we/you are going? Well now, let me see.... which version of which mailuser agent? In what exact configuration? Which webmail? What configuration?

But I still don't want people opening their spam 'insecurely', because their brains so frequently aren't properly secured. Maybe the spam content will just 'demand' or convince that they paste a spamvertised url into their browser's addressline to go see more.

So, I believe the answer to 'how can I open my spam securely' is 'maybe you can't, or maybe you can, but you shouldn't.'

People who want to read their spam are suspect to be people who might be receptive to some spam. I would rather that everyone is pledged and the closest thing they come to the body of a spam is inspecting raw html in the message source.

I would rather that their eyeballs don't fall on something which carries the message of the spammer in any kind of readable, much less attractive package.

-- 
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Mon Feb 28 09:24:44 2005
From: nobody at devnull.spamcop.net (Miss Betsy)
Date: Mon Feb 28 09:25:03 2005
Subject: [SC-Help] Re: Opening spam insecure?
References:
Message-ID:

> I sympathize with you, supporting your mother's email. I just
> sent the in-laws back home, and at 82+ they are not easy to
> teach. Good luck!
Hotmail has very strong spam filters plus whitelisting if the intent is to give mom a spam free inbox. That way if she doesn't listen and does enter her email address all over the web, she won't get anything that you don't whitelist for her.

I haven't read the other thread so I don't know all the details, but it is a delicate walk when the roles switch between mother and daughter. There are a lot of underlying emotions about losing the warm feeling one had that mommy was always there to kiss and make it better and OTOH losing one's independence and fearing to be a burden.

Miss Betsy

From feldethom2165 at email2me.net Mon Feb 28 08:14:45 2005
From: feldethom2165 at email2me.net (Fred k)
Date: Mon Feb 28 12:20:04 2005
Subject: [SC-Help] Re: Giving them my email
References:
Message-ID:

"Mike Easter" wrote in message news:cvv1j3$utj$1@news.spamcop.net...
> I would rather that their eyeballs don't fall on something which carries
> the message of the spammer in any kind of readable, much less attractive
> package.

I strongly agree with what you say. I am not inclined to go to spamvertized sites. If I do I use a cloaking site. I suppose that counts still as a "good hit", so I'll reconsider.

All that is to research to improve the lousy job NIS 2005 does with Spam. Peter Norton should not have sold out to Symantec. They ruined his good reputation. As an example yesterday I got 2 identical 419 scams 40' apart. The first one went to spam, the second to my inbox. Their canned reply is to reload NIS, enable address book import, already infected etc. If I had $10 for every time I have done all that I'd be rich.

Fred k

From nobody at devnull.spamcop.net Mon Feb 28 13:49:04 2005
From: nobody at devnull.spamcop.net (Pop)
Date: Mon Feb 28 13:50:06 2005
Subject: [SC-Help] Re: Giving them my email
References:
Message-ID:

"Mike Easter" wrote in message news:cvu6je$dsb$1@news.spamcop.net...
> Don Wannit wrote:
>> I signed up for a free Hotmail account, and it appears that Hotmail
>> does have several settings of interest to pledged spam fighters.
>
> I'm glad for this education, I'll probably have more questions.
>
>> Email goes either into your inbox or into your junk email folder,
>> depending on your settings.
>
> That's rather strange and it is similar to a statement Erin made about
> her mom looking in her Junkmail for her mail. There's something strange
> about that. The purpose of a filter is to eliminate [almost] all spam
> from your Inbox. If there's a junkmail folder with your goodmail in
> there and a lot of spam, then that filter hasn't functioned properly.
>
> You haven't described yet the discriminatory features of the hotmail
> filter; but that may be a bit much for posting and something that one
> would have to actually look at to fully appreciate.

===> As a longtime past but not as of the last year or so user of Hotmail accounts, their filters do a pretty respectable job of sorting the mail. The biggest problem I found was when someone used a dictionariable name: Those collected spam faster than you could delete it. Your suggestion for an alpha-dig-alpha username worked pretty well at Hotmail - as I recall it had to start with an alpha but after that could be any character you could type on a keyboard.

I never personally experienced any leaks or give-aways of info by Hotmail as many like to allege. With a good username and what they call "safe hex", spam was actually kept at a reasonable minimum. In fact, I had one account that never did get spammed over two years use. Others that became compromised I just abandoned, which at the time was the recommendation; don't know if it still is.

My biggest gripe with Hotmail was, one had to physically visit the site within every 30 day period or they'd deactivate it. Made using Popping it to my real address kind of a moot point because I'd forget to sign into the web site now and then.
I have heard, but I'm not positive, that you have to pay for Hotmail accounts now, and I don't know whether you can still read your Hotmails from within OE. Isn't gmail a recommended client only system? No further comments below here. Please see preceding post for full details.
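
The web-bug mechanism discussed earlier in this thread (rendering a message fetches a remote image, which tells the sender the address is live) can be checked from the raw message source alone, without fetching anything. The following is an added example, not part of any post in the thread; the function names and the sample message are constructed for illustration, and example.invalid is a placeholder host.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs that make a rendering mail client contact a remote server.
FETCH_ATTRS = {("img", "src"), ("link", "href"), ("iframe", "src"), ("script", "src"),
               ("body", "background"), ("table", "background"), ("td", "background")}

class RemoteRefFinder(HTMLParser):
    """Collects remote references from HTML text; performs no network access."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        for name, value in a.items():
            # Only http(s) URLs leave the machine; cid: parts are inside the message.
            if (tag, name) in FETCH_ATTRS and urlsplit(value).scheme in ("http", "https"):
                self.refs.append((tag, value))
        # <meta http-equiv="refresh" ...> is the redirect case.
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.refs.append(("meta-refresh", a.get("content", "")))

def remote_references(raw_source):
    """Return (tag, url) pairs a renderer would fetch from this raw message."""
    found = []
    for part in message_from_string(raw_source).walk():
        if part.get_content_type() != "text/html":
            continue
        # decode=True undoes quoted-printable/base64, so "src=3D" becomes "src=".
        body = part.get_payload(decode=True) or b""
        finder = RemoteRefFinder()
        finder.feed(body.decode(part.get_content_charset() or "utf-8", errors="replace"))
        found.extend(finder.refs)
    return found

# Constructed sample message, not taken from the thread.
SAMPLE = """\
From: sender@example.invalid
Subject: constructed sample
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html><body background=3D"http://example.invalid/bg.gif">
<link rel=3D"stylesheet" href=3D"http://example.invalid/s.css">
<img src=3D"http://example.invalid/o.gif?u=3Dabc123" width=3D1 height=3D1>
<img src=3D"cid:logo"></body></html>
"""
```

The per-recipient token in the image URL (`u=abc123` in the constructed sample) is what ties a fetch back to one address; the `cid:` image is carried inside the message and is not reported.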