From nttp.sc.sh at bigsleep.org Fri Jul 1 02:24:31 2005 From: nttp.sc.sh at bigsleep.org (Blammo) Date: Thu Jun 30 21:25:03 2005 Subject: [SC-Help] Re: I know you're tired of hearing this, but ... re FAQs References: Message-ID: On 30 Jun 2005 WazoO entered spamcop.help and left news:da239e$gck$1@news.spamcop.net: > Blammo's follow-ups, the years of continuing bitches > about the www.spamcop.net FAQ-o-matic thing ... trying to picture > this page as having those 'initial' answers for those first-time (ticked > off) visitors I don't have much trouble with the FAQ-O-Matic, but I think the priority's a little messed up; some info is buried, or out-dated, or nonexistent. I mean, first, you need to know what Spamcop does, then how to get the original spam source, how to sign up, how to report and reporting rules, then what to do when things go wrong. Seems like "how to read headers" would be important as well. Signing up could be a higher priority, but signing up only to find out you can't report is pretty annoying. Perhaps "What you need before signing up" would take care of that. Of course Spamcop Mail would be a separate section, but similar, and the "What to do if you're blocked" would be a separate section. It is basically that way now, but needs improvement -- | Ric | From nttp.sc.sh at bigsleep.org Fri Jul 1 03:55:32 2005 From: nttp.sc.sh at bigsleep.org (Blammo) Date: Thu Jun 30 23:00:03 2005 Subject: [SC-Help] Re: I know you're tired of hearing this, but ... re FAQs References: Message-ID: On 30 Jun 2005 WazoO entered spamcop.help and left news:da2827$jcj$1@news.spamcop.net: > "Blammo" wrote in message > news:Xns9685BB667D317blammo@216.154.195.61... >> > > Are you attempting to answer my actual query for input on attempting > to do this "portal" page, Well, I believe by "portal page" you are refering to the Help link, but I'm not really sure. I look at the big picture first, so it's just a general input comment, so where your work will end up doesn't effect my input much. >> It is basically that way now, but needs improvement > > Based on your "never been there"... Nope, never been there. I can imagine what I would do if I were new to Spamcop, or never been a member, I would look at the FAQ/Help/Info first, even if there were no news groups. Even if what you do never gets incorporated into the main Spamcop Help section, I still think there's a basic order of logic, the order may be slightly different for the Forum FAQ, but could be copied over to the main help section. But that's just the view from my window. I need to write a "Spam FAQ" myself, I know it takes work. I do visit forums but I have to limit myself, I already waste too much time in news groups. I can easily waste hours searching forums never finding anything, if you can improve on that then you get an 'atta boy' from me. -- | Ric | From nobody at devnull.spamcop.net Fri Jul 1 00:49:17 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Fri Jul 1 00:50:03 2005 Subject: [SC-Help] Re: I know you're tired of hearing this, but ... re FAQs References: Message-ID: "Blammo" wrote in message news:Xns9685CAD50E96Bblammo@216.154.195.61... > On 30 Jun 2005 WazoO entered spamcop.help and left > news:da2827$jcj$1@news.spamcop.net: > > "Blammo" wrote in message > > news:Xns9685BB667D317blammo@216.154.195.61... > >> > > Are you attempting to answer my actual query for input on attempting > > to do this "portal" page, > > Well, I believe by "portal page" you are refering to the Help link, but > I'm not really sure. I look at the big picture first, so it's just a > general input comment, so where your work will end up doesn't effect my > input much. http://forum.spamcop.net/forums/index.php?act=home is the weak example I'm trying to talk about > >> It is basically that way now, but needs improvement > > > > Based on your "never been there"... > > Nope, never been there. I can imagine what I would do if I were new to > Spamcop, or never been a member, I would look at the FAQ/Help/Info first, > even if there were no news groups. Pop's last were dealing with "new to SpamCop" issues .. One person stated that "Help" suggested "help for that web page" I just re-named the "Forum FAQ" links on the Forum pages as someone complained that "Forum FAQ" sounded like "use of the Frum issues" .... today, a new user bitched that "the" SpamCop FAQ was opaque, didn't have answers, etc, but figured the "SpamCop FAQ" links on the Forum pages would take him right back to the same FAQ ... > Even if what you do never gets incorporated into the main Spamcop Help > section, I still think there's a basic order of logic, the order may be > slightly different for the Forum FAQ, but could be copied over to the main > help section. Still missing the main point it seems ... two different systems, under control of different people ... thus far, I'm still a bit of a free agent, but I have no access to the "main help system" > But that's just the view from my window. I need to write a "Spam FAQ" > myself, I know it takes work. I do visit forums but I have to limit myself, > I already waste too much time in news groups. I can easily waste hours > searching forums never finding anything, if you can improve on that then > you get an 'atta boy' from me. ?? in addition to the built-in Forum search engine, adding in a Google search function for the Forum, newsgroups, and the www.spamcop.net pages (for the original FAQ) ... SpamCop functions broken out into separate categories .. active Moderators to move those wrongly posted items ...?? and again, you were/are one of the vocal ones talking about the (FAQ) issue ... I must still be missing something .. From nobody at devnull.spamcop.net Fri Jul 1 20:46:41 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Fri Jul 1 20:50:02 2005 Subject: [SC-Help] Re: I know you're tired of hearing this, but ... re FAQs References: Message-ID: "Blammo" wrote in message news:Xns96862FB4911blammo@216.154.195.61... > > Maybe you are expecting something from me? I'm just adding input, sounds > like you heard it all before. Someone mentioned FAQ and I offered my > opinion. You are probably donating your time and doing the best you can. I > think that about sums it up. Actually, yes ... and I'm even looking for input from all those that have me kill-filed due to the "Forum" thing ... I admit it took me most of the day to figure out how the flow all worked and how to stick my data into the stream, but .. I finally got there. So yes, here's the repeat request ... what FAQ questions need to go at the top of the list? Going back to the referenced "first-time visitor to the SpamCop site" .. figure three normal causes; 1. e-mail blocked message 2. spam report recipient 3. search engine or some other referal > I'm just kidding about the forums you know... Why? In general, I think they suck also. The majority of web-sites I manage use forums for support. Some are pretty good, others aren't worth the electrons killed to paint the screen. In the case of the SpamCop forum, I'm doing what I can to take advantage of doing something to make it a viable resource for those that use it. Anyway, that said, take a current look at http://forum.spamcop.net/forums/index.php?act=home and rattle on. At the risk of ticking some folks off, a reply with this data included might get some of those plonking folks on board with their needed ideas on getting this page set up before then working on how to work it into the www.spamcop.net Help list .... From MikeE at ster.invalid Sat Jul 2 01:53:56 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat Jul 2 03:55:02 2005 Subject: [SC-Help] Re: I know you're tired of hearing this, but ... re FAQs References: Message-ID: WazoO wrote: > In the case of the SpamCop forum, > I'm doing what I can to take advantage of doing something > to make it a viable resource for those that use it. Yet another function of the forum - don't you really need another ;-) could be to direct or encourage people to use the newsgroups. The forum's structure lends itself to such as stickies to make the faq more dynamic or timely; but it shouldn't be a replacement for a properly navigable frequently updated website faq. The forum is also somehow appealing as a dialog place both to those people who don't know how to use a newsreader, and also to some others for some strange reasons which probably have to do with their personal ideas about moderation of a forum as opposed to an unwillingness to moderate a newsgroup, or maybe because of some kind of little html features. But I also think the forum could be a stepping stone to the more efficient dynamics of a 'real' newsgroup interaction -- much as is seen in the evolving googlegroupers. They 'discover' news in googlegroups. Then they learn that they can interact more 'smoothly' with a newsreader than browser working googlegroups. Similarly those who discover 24hoursupport.helpdesk in the iamnotageek forum gravitate to the nntp newsgroup. So, one can still use googlegroups for certain functions, like searching and linking to a past discussion, but for 'everyday' communication, one uses their nntp newsreader, not a browser. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sun Jul 3 07:03:50 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Jul 3 09:05:07 2005 Subject: [SC-Help] Re: what to make of this crap, misdirect bounce... References: Message-ID: to .spam & .help, f/ups to .help The structure is misdirected bounce from nokia.com to your/a cox account showing 8 bad nokia addies and an attached spam. The attached mortgage spam had a bogus From your/a cox account, contained 2 bogus Received lines, sourced from a multilisted RR proxy trojan and promoted http://yki.mt-12-34.com/aim.asp 221.10.201.177 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL28428 -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sun Jul 3 07:12:39 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Jul 3 09:15:02 2005 Subject: [SC-Help] Re: and one for comfluent... References: Message-ID: to .spam & .help, f/ups to .help The structure is a misdirected confluent bounce to your/a cox account with 7 bad confluent addies and an attached spam. The attached mortgage spam had a bogus From your/a cox account, contained 2 bogus Received lines, was sourced from a multilisted .kr proxy trojan and promoted http://hssxw.mt-12-34.com/aim.asp of the same spamhaus SBL28428. These will take up less 'room' if you just post a tracker. -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Sun Jul 3 11:03:24 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Sun Jul 3 11:05:08 2005 Subject: [SC-Help] Re: I know you're tired of hearing this, but ... re FAQs References: Message-ID: "Mike Easter" wrote in message news:da5h6c$g6j$1@news.spamcop.net... > WazoO wrote: > > In the case of the SpamCop forum, > > I'm doing what I can to take advantage of doing something > > to make it a viable resource for those that use it. > > Yet another function of the forum - don't you really need another ;-) > could be to direct or encourage people to use the newsgroups. Link to "Newsgroups" in place. I added links to the spamcop, .help, and .mail archives. Referrals within the Forum to the newsgroups exist. We've been here before. > The forum's structure lends itself to such as stickies to make the faq > more dynamic or timely; but it shouldn't be a replacement for a > properly navigable frequently updated website faq. That statement suggests that the URL offered hasn't been followed. Yes, the URL is housed on the same server that hosts the Forum. Yes, the (primarily) .php scripts were written to pull in Fotum data. But, this is "not" a "Forum page" ... it's your 'normal' web-page. I started pulling the "Forum FAQ" data into the right-hand column, scrolling and clicking should be available for the majority of folks. http://forum.spamcop.net/forums/index.php?act=home Please put "the Forum" stuff to the side and take a look at this page. > The forum is also somehow appealing as a dialog place both to those > people who don't know how to use a newsreader, and also to some others > for some strange reasons which probably have to do with their personal > ideas about moderation of a forum as opposed to an unwillingness to > moderate a newsgroup, or maybe because of some kind of little html > features. This isn't the actual subject matter for this thread. I'm trying to stick with the first-time visitor and access to FAQ data. From nobody at devnull.spamcop.net Sun Jul 3 12:34:09 2005 From: nobody at devnull.spamcop.net (Pop) Date: Sun Jul 3 11:35:03 2005 Subject: [SC-Help] Re: I know you're tired of hearing this, but ... re FAQs References: Message-ID: "WazoO" wrote in message news:da239e$gck$1@news.spamcop.net... > "Mike Easter" wrote in message > news:da1seo$cnh$1@news.spamcop.net... >> WazoO wrote: >> > What (few) questions need to show up there? >> > FAQ, Forum, newsgroups already linked to at >> > the top of the page .... >> > >> > http://forum.spamcop.net/forums/index.php?act=home >> >> I'm not clear on integrating that page with the >> others at the forum. > > Maybe take another look at my 6-24 post in this > thread. The 'portal' > page being an entrance point .... as I stated, the > Forum is but one > link off of this page. > ... Can the Peanut Gallery chime in one more time? How about just finding everything that presently exists, and setting it aside in apprpriately named subject folders? Draw the relevant site parts into you machne, starting from the SC Entry Page, and start all over again, pretending to be: 1. the newbie recently described, and 2. the experienced user who just needs to reference something? and maybe 3. Just be someone who wants to learn about SC and what it's about? Then start an outline/flow chart, from scratch, initially ignoring anything that's aleady been written. Make it two columns (not three). Try to keep the format more like a tutorial, with a detailed Introduction. Since many newbie questions are short responses, many could be right there on that page in bookmarks, maybe some links to "more" if the reader wants, that eventually lead into the other chart somewhere. Once that all exists, then copy/paste/modify/add new data where it's relevant, until all the conditionals and data areas are filled in. Then share the INITIAL work for "rfc" if you will, and when it's fleshed out, go away and come back and present the final outcome, offering only further public comment at the milestones as each approaches. As for the problems with Ironport et al not making things available, I'd tell them to shit or get off the pot and if nothing better was forthcoming, I'd go put the crap on my own site, and just hold it to my chest until some poor soul needed it. Word of mouth would get it pretty rapidly deployed for you, and a monthly or weekly mention in the groups would keep it in view. Better than nothing for something that has had such a huge amount of productive effort already invested in it. Most of what already exists is well written, just poorly presented, IMO. So, the "meat" of all that can/could be pulled in where and when needed if done so carefully. No sense reinventing any wheels when a few mods here and there might do just as well or better. I sincerely wish I could offer more than simple desctuctive criticism, which this borders on, but I am disabled and simply too unreliable to take on anything of that magnitude. Otherwise I'd try to show you what I'm talking about. I am still pretty analytical though, and good at critiquing what's already been written. But who isn't? My two cents, adjusted for inflation, 69 dollars. Pop From MikeE at ster.invalid Sun Jul 3 09:43:00 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Jul 3 11:45:02 2005 Subject: [SC-Help] Re: I know you're tired of hearing this, but ... re FAQs References: Message-ID: WazoO wrote: > http://forum.spamcop.net/forums/index.php?act=home > > Please put "the Forum" stuff to the side and take a > look at this page. I've been following the evolution of that page closely. -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Sun Jul 3 12:52:27 2005 From: nobody at devnull.spamcop.net (Pop) Date: Sun Jul 3 11:55:03 2005 Subject: [SC-Help] Re: I know you're tired of hearing this, but ... re FAQs References: Message-ID: ... > Anyway, that said, take a current look at > http://forum.spamcop.net/forums/index.php?act=home > and rattle on. At the risk of ticking some folks > off, > a reply with this data included might get some of > those > plonking folks on board with their needed ideas on > getting this page set up before then working on how > to > work it into the www.spamcop.net Help list .... > > I might have less destructive criticism this time, not sure. On first blush, or glush in my case, that page looks like a "what the heck?", and then "Oh, I see, look at all that good information!" But then I see the tiny size of the vertical nav bar; good gosh, look at it! Then, a few page down clicks, and I see yet more valuable information. Huh! IT's all here, but it's going to be hidden in many thousands of words and what looks like hundreds of links, all of which I have to page down to see more than one or two of. Aha, there's an intro to spamcop: Oh, it's for recipeints of spam reports. Jeez, I wish there was something I coujld tell WHERE to look in amongst all this stuff! There's a LOT of good stuff there in you're not a newbie reporter or just wondeing what spamcop is all about. The results of spamcop are obvious there, for a newbie, but that's not what I want; I want to ... uhh, I forgot now. Nuts on it. Good as it is, I still don't think it's very good. For one thing, that center column is an incredible waste of good space that chould have been used much more effieieicntly for the same outcome and even nagivations. . Think I'm ouit o f typin gpower - cheers & luck to all Pop From nobody at devnull.spamcop.net Sun Jul 3 12:53:53 2005 From: nobody at devnull.spamcop.net (Pop) Date: Sun Jul 3 11:55:05 2005 Subject: [SC-Help] Re: I know you're tired of hearing this, but ... re FAQs References: Message-ID: "Mike Easter" wrote in message news:da5h6c$g6j$1@news.spamcop.net... > WazoO wrote: >> In the case of the SpamCop forum, >> I'm doing what I can to take advantage of doing >> something >> to make it a viable resource for those that use it. > > Yet another function of the forum - don't you really > need another ;-) > could be to direct or encourage people to use the > newsgroups. > > The forum's structure lends itself to such as > stickies to make the faq > more dynamic or timely; but it shouldn't be a > replacement for a > properly navigable frequently updated website faq. > > The forum is also somehow appealing as a dialog place > both to those > people who don't know how to use a newsreader, and > also to some others > for some strange reasons which probably have to do > with their personal > ideas about moderation of a forum as opposed to an > unwillingness to > moderate a newsgroup, or maybe because of some kind > of little html > features. > > But I also think the forum could be a stepping stone > to the more > efficient dynamics of a 'real' newsgroup > interaction -- much as is seen > in the evolving googlegroupers. They 'discover' news > in googlegroups. > Then they learn that they can interact more > 'smoothly' with a newsreader > than browser working googlegroups. Similarly those > who discover > 24hoursupport.helpdesk in the iamnotageek forum > gravitate to the nntp > newsgroup. > > So, one can still use googlegroups for certain > functions, like searching > and linking to a past discussion, but for 'everyday' > communication, one > uses their nntp newsreader, not a browser. > > > -- > Mike Easter > kibitzer, not SC admin > > IMO that's an importan and excelllletnt observataion. From nobody at devnull.spamcop.net Sun Jul 3 12:21:03 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Sun Jul 3 12:25:03 2005 Subject: [SC-Help] Re: I know you're tired of hearing this, but ... re FAQs References: Message-ID: "Blammo" wrote in message news:Xns9687A17913Ablammo@216.154.195.61... > On 01 Jul 2005 WazoO entered spamcop.help and left > news:da4o5h$2ko$1@news.spamcop.net: > > OK, well I was a little concerned that you might expect us here to link to > the forum FAQ to answer FAQs here, I can't do that only because we may > never hear from them again; they may start using the forum which isn't much > help to use here. I would rather say "here is your answer [answer] ... you > could try the forum as well", which would let them decide. I expect nothing. And as stated in an eatlier response to Mike, I have to suspect that you've not followed the link yet. While waiting for the (hoped for) helpful suggestions, I'd gone ahead and started populating the FAQ coulmn with what I had. I'll repeat again, this isn't a "Forum page" ... it's hosted on the same server, thus the driving URL, yes, it is a set of scripts written by the folks that developed the Forum, yes, it does pull in data from the Forum, but .... it is your garden variety web-page. I'm not pushing Forum / newsgroup issues, this is all about providing an accessible FAQ. To keep things on track, please take a look at the web-page found at http://forum.spamcop.net/forums/index.php?act=home > Now, for first time visitors, I see four types... Thanks for time and effort in this response. Copied off for more research, will snip a bit as I've not got answers for a few items ... > (1) Got the "blocked by Spamcop" message. Miss Betsy's "Why am I Blocked?" entry > (2) Looking for help with their spam problem. Complicated there, but there are a number of items already in place for both Admin and end-user types. > (3) Want to use the Spamcop block list. Some entries there, even causing some controversy. Instructions on how to add/use BLs for blocking, but (last time I looked) nothing on how to set things up for the recommended Tagging action. > (4) Abuse report recipient (mail admins) At the moment, first item on the FAQ list on the referenced web-page. > So I think the most important item would be "What is Spamcop?" in general, > since this applies to those three. I don't know how I would organize that, > but it should probably keep those three types in mind. Interesting in that the first link on the Forum FAQ went to a www.spamcop.net FAQ entry that listed all the sevices available, a bit of description on all .. someone killed that FAQ entry, I eventually changed the Forum FAQ link to something close. > 4 is probably a special case, I think they should have their own page, > actually they do, don't they? I often forget about them, but they probably > do need a special FAQ entry. However the report itself can supply the > necessary info or links, there are those can't can't seem to read very > well, they miss the link, that should be considered. Yes, there is an Admin/ISP section. But, just as in the normal user scenario, you've got those that "ain't got the time" .. get frustrated chasing one link after another, on and on ... There's a current discussion started by an "Admin" of a hosting site in receipt of a forwarded SpamCop complaint .. this Admin followed the link to the "report action center" - select from a dropdown to indicate the status of the issue (spammer nuked, under investifation, innocent bystander, etc ...) ... this Admin couldn't figure anything out from that screen, as all this Admin wanted to know was how to track down the complainer (and this wasn't in the disposition drop down list) There is a link "how this got tracked to you" which then takes you to the Tracking URL of the parse ... but no links back to any FAQ/explanation of the process ... Your suggestion is great, but .... outside the scope of this thread and anything I can do .... >It would probably be a > good idea to have translations as well. I don't know how involved you can > get into that, it seems like a special area, but still you probably need a > special FAQ section to help keep them from asking stupid questions in the > forums, regulars often aren't very nice to these guys and we don't want > them rejecting reports. Translation requests have been made for years. Some have been attempted/offered. I think the issue boiled down to a block of text is offered, someone looks at it and says "I have no idea what it says ... so there's no way I'm going to put this in a public place." > More details on how Spamcop works: > (a) Reporting service It's possible that one of my major points has been skipped again. The www.spamcop.net FAQ has been around for ages (the last "new look" revamp also caused the entry dates to disappear) ... yet this seemingly simple request still causes complaints. The Forum FAQ was one attempt at trying to fill in the blanks, the creation of the "How to Use ..." Forum section was another. Recall that the only person that "really" knows what's going on is Julian, and he rarely makes data public. More than once, I've tinkered around enough to make some guesses, write something up, only to find that the program changed a bit while I was typing > (b) Mail filtering service > > I don't know much about the mail reporting service, so I have to skip that, > but I think much of the spam reporting info applies to mail members as > well. Thankfully, there are some folks that have made major contributions to flushing out that section of the FAQ (the Forum version again) ... no access to the www.pamcop.net version and the current staffing issues in making changes there these days.
> Also there is at least one section I failed to mention, the Spamassassin > section. This should probably be under (3) Want to use the Spamcop block > list. (maybe that should end with a ?). That subject should cover that, and > a subsection under that... > (a) For mail administrators > (b) For end users There is a www.spamcop.net FAQ entry for some SpamAssassin settings. However, there is also a recent Forum Discussion from someone taking exceptions to that list of settings .... FAQ - http://www.spamcop.net/fom-serve/cache/331.html Topic -http://forum.spamcop.net/forums/index.php?showtopic=4410 > Now I think this is a logical order, but some may not like so many clicks, > some expect one click to answer their question (dream on). I think a good > way to deal with this is to include all links on one page in a list format, > then use DHTML to colapse it. This is actually quite easy to do, if you > want some code I can supply it, though I generally ignore browsers that > don't support CSS2 and Javascript 1.5, so for them the list don't colapse > or just stays colapsed depending on several things. For example I have a > menu that is colapsed in Communicator, in IE5.0 the first item is expanded > (I don't know why), and in non-css browsers the list is expanded. Anyway I > designed it so that you can get to every page without expanding the list, > if you can't do that then the list can just be expanded by default, only > using Javascript to colapse it. Also you can use server-side script or > Javascript to expand the members section for members that are logged in > (or have a cookie set). Thanks for the offer. I also do web-page development, but .... I'm also working under a number of constraints here. Not my server, not my service, not my code .... some of my learning curve on this app might be best explained here http://forum.spamcop.net/forums/index.php?showtopic=4387&view=findpost&p=29884 Again, thanks for the time and effort. Much appreciated. From nobody at devnull.spamcop.net Sun Jul 3 14:55:32 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Sun Jul 3 15:00:03 2005 Subject: [SC-Help] Re: I know you're tired of hearing this, but ... re FAQs References: Message-ID: "Mike Easter" wrote in message news:da911r$7cl$1@news.spamcop.net... > WazoO wrote: > > http://forum.spamcop.net/forums/index.php?act=home > > > > Please put "the Forum" stuff to the side and take a > > look at this page. > > I've been following the evolution of that page closely. Apologies, misinterpretation involved obviously. From anon at coks.net Sun Jul 3 13:51:43 2005 From: anon at coks.net (J G) Date: Sun Jul 3 15:55:02 2005 Subject: [SC-Help] Re: what to make of this crap, misdirect bounce... In-Reply-To: References: Message-ID: On 7/3/2005 6:03 AM Mike Easter scribbled: > to .spam & .help, f/ups to .help > > The structure is misdirected bounce from nokia.com to your/a cox account > showing 8 bad nokia addies and an attached spam. > > The attached mortgage spam had a bogus From your/a cox account, > contained 2 bogus Received lines, sourced from a multilisted RR proxy > trojan and promoted http://yki.mt-12-34.com/aim.asp 221.10.201.177 > http://www.spamhaus.org/SBL/sbl.lasso?query=SBL28428 > Thanks, Mike, there was something there which was over my head at the time - probably all the bogusness - Now I'm just my confused self again... From nobody at devnull.spamcop.net Sun Jul 3 16:11:41 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Sun Jul 3 16:15:03 2005 Subject: [SC-Help] Re: I know you're tired of hearing this, but ... re FAQs References: Message-ID: "Pop" wrote in message news:da91m9$7n1$1@news.spamcop.net... > ... > > Anyway, that said, take a current look at > > http://forum.spamcop.net/forums/index.php?act=home > > and rattle on. > > I might have less destructive criticism this time, not > sure. On first blush, or glush in my case, that page > looks like a "what the heck?", and then "Oh, I see, > look at all that good information!" I asked for this Just noting again that I'm strictly volunteer, so I can only do so much, reach so far, access only certain bits. . > But then I see the tiny size of the vertical nav > bar; good gosh, look at it! Then, a few page down > clicks, and I see yet more valuable information. Huh! > IT's all here, but it's going to be hidden in many > thousands of words and what looks like hundreds of > links, all of which I have to page down to see more > than one or two of. The last request I made here was for a list of those "important" first-time visitor items. While waiting for that feedback, I simply started loading up the data with what I had available. Yes, I'm all too familiar with the complaints about the www.spamcop.net FAQ being "hard to navigate" and not having the answers in plain sight .. and the totally opposite complaint that the one-page (expanded content) access point I hacked together is much too massive. >Aha, there's an intro to spamcop: > Oh, it's for recipeints of spam reports. Jeez, I wish > there was something I coujld tell WHERE to look in > amongst all this stuff! OK, take a look now ... Index started ... help at all? From anon at coks.net Sun Jul 3 14:39:00 2005 From: anon at coks.net (J G) Date: Sun Jul 3 16:40:03 2005 Subject: [SC-Help] Re: and one for comfluent... In-Reply-To: References: Message-ID: On 7/3/2005 6:12 AM Mike Easter scribbled: > to .spam & .help, f/ups to .help > > The structure is a misdirected confluent bounce to your/a cox account > with 7 bad confluent addies and an attached spam. > > The attached mortgage spam had a bogus From your/a cox account, > contained 2 bogus Received lines, was sourced from a multilisted .kr > proxy trojan and promoted http://hssxw.mt-12-34.com/aim.asp of the same > spamhaus SBL28428. > > These will take up less 'room' if you just post a tracker. > If memory serves me, I had a problem with the tracker at the time - no matter, plenty more crap to deal with... From MikeE at ster.invalid Sun Jul 3 15:04:55 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Jul 3 17:05:03 2005 Subject: [SC-Help] Re: and one for comfluent... References: Message-ID: J G wrote: > Mike Easter >> These will take up less 'room' if you just post a tracker. >> > If memory serves me, I had a problem with the tracker at the time - no > matter, plenty more crap to deal with... After the complicated one in spamcop with 6 deep headers where I wished the tracker hadn't munged the addresses, I found myself wishing for the .spam ng posting again. -- Mike Easter kibitzer, not SC admin From anon at coks.net Sun Jul 3 15:15:51 2005 From: anon at coks.net (J G) Date: Sun Jul 3 17:15:02 2005 Subject: [SC-Help] Re: and one for comfluent... In-Reply-To: References: Message-ID: On 7/3/2005 2:04 PM Mike Easter scribbled: > J G wrote: > >>Mike Easter > > >>>These will take up less 'room' if you just post a tracker. >>> >> >>If memory serves me, I had a problem with the tracker at the time - no >>matter, plenty more crap to deal with... > > > After the complicated one in spamcop with 6 deep headers where I wished > the tracker hadn't munged the addresses, I found myself wishing for the > .spam ng posting again. > Hey, let me know, I'll send you whatever you want wherever you want. I just don't know where from 1 to the next. Got a reject from symantec and had to spend an hour trying to figure out if it really was symantec and never did really figure it out - the IP seemed to be IANA unallocated #, which didn't leave with a warm and fuzzy feeling...symantec, sheesh, never liked Norton anyway... From spam_eviscerator at spamcop.net Mon Jul 4 03:12:08 2005 From: spam_eviscerator at spamcop.net (Spam Eviscerator) Date: Mon Jul 4 02:15:04 2005 Subject: [SC-Help] Batch processing? Message-ID: <1gz5kpl.114q48zfv3f3qN%spam_eviscerator@spamcop.net> Is it possible to batch process spams that have been emailed to spamcop? Doing it one at a time is incredibly tedious, especially when I get 100 spams a day. From nobody at devnull.spamcop.net Mon Jul 4 09:05:07 2005 From: nobody at devnull.spamcop.net (Pop) Date: Mon Jul 4 08:05:04 2005 Subject: [SC-Help] Re: I know you're tired of hearing this, but ... re FAQs References: Message-ID: ... > >>Aha, there's an intro to spamcop: >> Oh, it's for recipeints of spam reports. Jeez, I >> wish >> there was something I coujld tell WHERE to look in >> amongst all this stuff! > > OK, take a look now ... Index started ... help at > all? > > As they say, it's a beginning, ... but I'm inclined to not be very critical of you personally; there's a hormongous amount of good information on that page, and I think I understand the situation a lot better now. You've done an incredible job given what you have to work with. I'm also aware of Ellen's involvement and others too, FWIW. I've become pretty firmly convinced that it's a "system" problem more than anything else - you seem to have a good head around what's needed but you aren't getting the access & wherewithal that you need to accomplish it if I've read you correctly. I pretty much feel, and this is only my opinion of course, that what's needed can only be accomplished by someone knowledgeable (a la you, whoever), needs to splinter off if a usable format is going to develop. It'll have to be a team effort of a chosen group amongst the knowledgeable, but on the other hand that might easily lead to further separation of the intimacy wiht the "system". What I'm getting at is, it's a lost cause given the recent information you've provided and nothing is going to change anytime soon. I'm back now to some past opinions, not good, of the corporate attitude toward Spamcop in general. Once again, I'm done bitching unless I see something that makes improvement look possible. "Deja vue all over again". I'll try to quit rabble-rousing too, which is all I feel my comments accomplished. That wasn't the intent, really. Regards, Pop From MikeE at ster.invalid Mon Jul 4 06:37:48 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon Jul 4 08:40:03 2005 Subject: [SC-Help] Re: Batch processing? References: <1gz5kpl.114q48zfv3f3qN%spam_eviscerator@spamcop.net> Message-ID: Spam Eviscerator wrote: > Is it possible to batch process spams that have been emailed to > spamcop? Doing it one at a time is incredibly tedious, especially > when I get 100 spams a day. Normal reporting by webparser submits one spam, sees one parser result, and selects one set of notifies to report, all in a relatively short time per submission. If several iterations of parsers are running 'in parallel', there's no wasted reporter waiting time for all of the processes. Normal reporting by email submission submits many spams and receives links to many parser results at a later time, which links are accessed one at a time for selections of notifies to report. The delay between emailing the bulk spam submissions and receiving the parser links varies. Multiple parallel browser iterations of the links again reduce waiting time. Pre-approved quick reporting by email submission submits many spams at a time, whose parser derived spamsources are assumed 'autoapproved' right or wrong with resultant reporting of all of the sources and no spamvertisers without further reporter action on any parser links required. SpamCop email clients can quickreport en masse directly from their held webmail. Because there is some hazard of errant reporting of parser errors by quickreporting, every configurable effort should be made to reduce the chances of reporting your own provider by configuring for mailhosts before any quickreporting begins. -- Mike Easter kibitzer, not SC admin From mcwebber at my-deja.com Mon Jul 4 12:47:54 2005 From: mcwebber at my-deja.com (McWebber) Date: Mon Jul 4 11:50:03 2005 Subject: [SC-Help] Spamcop Misreading Headers Message-ID: With the headers below, Spamcop parses it and skips the real header and picks the fake 179.243.186.188 as the IP to lart. abuse#iana.org@devnull.spamcop.net and for some reason doesn't want to lart abuse@cybercity.dk for 217.157.61.45 which is the ultimate source of the spam Re: 217.157.61.45 (Automated open-relay testing system(s)) To: Internal spamcop handling: (relays) Return-Path: Received: from omega.adventist.dk ([217.157.61.45]) by redacted (8.10.2/8.10.2) with SMTP id j64EUrK10943 for ; Mon, 4 Jul 2005 09:30:53 -0500 Received: from xbnq (179.243.186.188) by omega.adventist.dk; Mon, 4 Jul 2005 16:31:25 +0200 Message-ID: <006b01c4b5e6$18170c27$d69d6449@xbnq> Reply-To: From: To: me@example.com Subject: We can make it within one weeek. Swiss bnkers achieve the equal result within a year. Date: Mon, 4 Jul 2005 16:31:25 +0200 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_NextPart_000_006B_01C46449.D69D0C27" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1158 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 X-UIDL: 80P!!B%,!!lME!!Jn+"! -- McWebber No email replies read If someone tells you to forward an email to all your friends please forget that I'm your friend. From spam_eviscerator at spamcop.net Mon Jul 4 19:47:45 2005 From: spam_eviscerator at spamcop.net (Spam Eviscerator) Date: Mon Jul 4 18:50:03 2005 Subject: [SC-Help] Re: Batch processing? References: <1gz5kpl.114q48zfv3f3qN%spam_eviscerator@spamcop.net> Message-ID: <1gz6ua6.puya3717cpku8N%spam_eviscerator@spamcop.net> Mike Easter wrote: > Spam Eviscerator wrote: > > Is it possible to batch process spams that have been emailed to > > spamcop? Doing it one at a time is incredibly tedious, especially > > when I get 100 spams a day. > Normal reporting by email submission submits many spams and receives > links to many parser results at a later time, which links are accessed > one at a time for selections of notifies to report. The delay between > emailing the bulk spam submissions and receiving the parser links > varies. Multiple parallel browser iterations of the links again reduce > waiting time. This is what I'm doing right now. But it appears quite clunky. > Pre-approved quick reporting by email submission submits many spams at a > time, whose parser derived spamsources are assumed 'autoapproved' right > or wrong with resultant reporting of all of the sources and no > spamvertisers without further reporter action on any parser links > required. How does one get them "pre-approved" for quick reporting? I've already added my mailhosts to the appropriate place in SC. And besides, I've inspected the spams in my junk folder before I sent them on to SC for reporting (so there's no likelihood of my reporting my own ISP--at least that hasn't happened since I've added my own mailhosts). Currently, what I've done after emailing the spam submissions, is to click "Report Spam" and then approve them for transmittal one by one. This one-by-one approval is what's driving me nuts. Is there a screen that I'm not aware of that allows me to list all submitted spams with perhaps a checkbox beside each so I can check them all off and do a mass submission? > SpamCop email clients can quickreport en masse directly from their held > webmail. Unfortunately, this doesn't work for me since I have numerous email addresses that are not SC related. > Because there is some hazard of errant reporting of parser errors by > quickreporting, every configurable effort should be made to reduce the > chances of reporting your own provider by configuring for mailhosts > before any quickreporting begins. I understand. I have already done this, both by registering my own mailhosts at SC and inspecting the spams held in my Eudora Junk mailbox before I invoke an AppleScript which automatically creates and sends the spams, complete with headers, one per email, to SC for further processing. From MikeE at ster.invalid Mon Jul 4 17:08:25 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon Jul 4 19:10:03 2005 Subject: [SC-Help] Re: Batch processing? References: <1gz5kpl.114q48zfv3f3qN%spam_eviscerator@spamcop.net> <1gz6ua6.puya3717cpku8N%spam_eviscerator@spamcop.net> Message-ID: Spam Eviscerator wrote: > Mike Easter >> Pre-approved quick reporting by email submission submits many spams >> at a time, whose parser derived spamsources are assumed >> 'autoapproved' right or wrong with resultant reporting of all of the >> sources and no spamvertisers without further reporter action on any >> parser links required. > > How does one get them "pre-approved" for quick reporting? You beseech the deputies/admin to approve your account to be able to quick report. > I've > already added my mailhosts to the appropriate place in SC. And > besides, I've inspected the spams in my junk folder before I sent > them on to SC for reporting (so there's no likelihood of my reporting > my own ISP--at least that hasn't happened since I've added my own > mailhosts). All of those efforts will diminish significantly the chances of misparsed spamheaders from naming your own provider as source, but it can still happen. There's a potential for parser parsing errors and there's a potential for other, reporter errors -- each oversight step reduces the chances of errors. > Currently, what I've done after emailing the spam submissions, is to > click "Report Spam" and then approve them for transmittal one by one. > This one-by-one approval is what's driving me nuts. Is there a screen > that I'm not aware of that allows me to list all submitted spams with > perhaps a checkbox beside each so I can check them all off and do a > mass submission? No, there is not a screen. If you are approved for quick reporting your submit address will have a different address and a different result. That is, you make a request to service admin.spamcop.net to be approved for quick reporting. Then you will have a different submit address to send the spams. The result of sending to that address will be that you don't have parser reporting approval links to click. >> Because there is some hazard of errant reporting of parser errors by >> quickreporting, every configurable effort should be made to reduce >> the chances of reporting your own provider by configuring for >> mailhosts before any quickreporting begins. > > I understand. I have already done this, both by registering my own > mailhosts at SC and inspecting the spams held in my Eudora Junk > mailbox before I invoke an AppleScript which automatically creates > and sends the spams, complete with headers, one per email, to SC for > further processing. The mailhosts will help. The advantage of your own inspecting is to prevent your submitting something which isn't a spam. -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Tue Jul 5 02:57:46 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Tue Jul 5 03:00:03 2005 Subject: [SC-Help] Re: I know you're tired of hearing this, but ... re FAQs References: Message-ID: "WazoO" wrote in message news:da9gpu$frb$1@news.spamcop.net... > "Pop" wrote in message > news:da91m9$7n1$1@news.spamcop.net... > > ... > > > Anyway, that said, take a current look at > > > http://forum.spamcop.net/forums/index.php?act=home > > >Aha, there's an intro to spamcop: > > Oh, it's for recipeints of spam reports. Jeez, I wish > > there was something I coujld tell WHERE to look in > > amongst all this stuff! > > OK, take a look now ... Index started ... help at all? And even more, I figured out how to get anchor tags working in this thing. ....???? From nobody at spamcop.net Tue Jul 5 01:02:25 2005 From: nobody at spamcop.net (N. Miller) Date: Tue Jul 5 03:05:02 2005 Subject: [SC-Help] Re: Spamcop Misreading Headers References: Message-ID: <1ng53vcldnh7l$.dlg@news.spamcop.net> On Mon, 4 Jul 2005 11:47:54 -0400, McWebber wrote: > With the headers below, Spamcop parses it and skips the real header and > picks the fake 179.243.186.188 as the IP to lart. > abuse#iana.org@devnull.spamcop.net and for some reason doesn't want to lart > abuse@cybercity.dk for 217.157.61.45 which is the ultimate source of the > spam Interesting. Sam Spade is not fooled, but running your headers results in this tracker: http://www.spamcop.net/sc?id=z782224777z0a198f6cfa8ad5016f6589da2edfd169z Apparently the originating IP address is close to the IP address of the MX server for the domain listed, and SC thinks it is a trustable relay. Odd that SC can't see, as Sam Spade does, that the IP address isn't a valid block of IP addresses. Sam Spade says: --------------- 07/04/05 23:52:25 Input The Received: headers are the important ones to read My comments are just hints, and should be considered only an opinion. I may have guessed wrong, or things may have changed since I was written Return-Path: Received: from omega.adventist.dk ([217.157.61.45]) by redacted (8.10.2/8.10.2) with SMTP id j64EUrK10943 for ; Mon, 4 Jul 2005 09:30:53 -0500 This received header was added by your mailserver redacted received this from omega.adventist.dk (IP addresses match) Received: from xbnq (179.243.186.188) by omega.adventist.dk; Mon, 4 Jul 2005 16:31:25 +0200 omega.adventist.dk received this from someone claiming to be xbnq This host doesn't exist, so all headers below this one are probably forged Message-ID: <006b01c4b5e6$18170c27$d69d6449@xbnq> --------------- -- Norman ~Shine, bright morning light, ~now in the air the spring is coming. ~Sweet, blowing wind, ~singing down the hills and valleys. From MikeE at ster.invalid Tue Jul 5 05:51:12 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jul 5 07:55:03 2005 Subject: [SC-Help] Re: Incorrect parsing of source IP for http://www.spamcop.net/sc?id=z782199815z9c391e5f64401830ced6a66f74fda7eez References: Message-ID: Posted to .help & .spam, f/ups to .help Mark C wrote: > I reported some spam which included a forged mail header. > Spamcop incorrectly identified the source IP. Correct. > Here's the tracking URL: www.spamcop.net/sc?id=z782199815z9c391e5f64401830ced6a66f74fda7eez If reported today, reports would be sent to: Re: 202.0.32.211 (Administrator of network where email originates) Abbreviated Received lines *comment from bm-3a.paradise.net.nz (202.0.58.22) by irene-1.paradise.net.nz *serves you from smtp-2.paradise.net.nz ([202.0.32.211]) by linda-3.paradise.net.nz *serves you, from 61-230-136-3.dynamic.hinet.net ([61.230.136.3]) by smtp-2.paradise.net.nz *sourceline from [81.204.65.230] (port=1372 helo=[Virginian]) by 61-230-136-3.dynamic.hinet.net *bogusline > The spam source IP should have been (IMO): > xx-xxx-xxx-x.dynamic.hinet.net (obfuscated) Correct. > Instead, spamcop suggested I report to my ISP > (the next to last valid mail header) Correct. > I haven't yet clicked the "Send Spam Reports Now" button. Better than that, you cancelled the report. Summary: - you are correct, parse broke chain prematurely - you need to configure for mailhosts - housekeeping, post in discussion group SC's algorithm in 'standard mode' tries to figure out if an IP is a relay in the chain by performing a test that I call the 'MX step' when it is trying to relate an upper 'from' IP field with a lower 'by' domainname field because the parse's target is supposed to be the source, not some relay in the chain. paradise.net.nz's MXes are pop3.paradise.net.nz A (Address) 203.96.152.6 smtp.paradise.net.nz A (Address) 203.96.152.32 but SC doesn't recognize that situation from the IP 202.0.32.211 because the IP which shows up is 'too far' away and also because SC doesn't recognize the IP as a relay for paradise yet. Given time and experience, the parser has shown the ability to adapt to the situation, when the parser's experience has matured with that MTA it sees in the chain -- after the 'submitting to relay testers' program has aged. However, you can configure SC for a different mode than standard if you configure it to use mailhosts. Mailhosts is poorly described on this faq page http://www.spamcop.net/fom-serve/cache/397.html How do I configure Mailhosts for SpamCop? and it is configured by going to your parser page having logged in http://www.spamcop.net/ and clicking 'mailhosts' and beginning the process for configuration. If you choose to not configure for mailhosts, if you continue to submit your parses, it is likely that SC will be able to figure out what is going on in time. But mailhosts is a 'smarter' configuration, because it helps SC decipher that using my so-called 'MX step' doesn't need to be done. Housekeeping: The reason that I posted also to .help and made f/ups there is that .spam wasn't intended to be a discussion group, or traditionally hasn't been used as a discussion group. Once upon a time the tracker device didn't work like it does now and it was necessary to post raw spams with complete headers into this group - so at that time people posted their questions into the discussion newsgroups spamcop or spamcop.help and their spam into spamcop.spam and/but didn't discuss the issue in spam, but discussed it in the discussion group. Things have changed now, so it is better to just post a tracker into .help or spamcop and not use .spam at all. -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Tue Jul 5 09:28:40 2005 From: nobody at spamcop.net (Ellen) Date: Tue Jul 5 09:20:03 2005 Subject: [SC-Help] Re: Batch processing? References: <1gz5kpl.114q48zfv3f3qN%spam_eviscerator@spamcop.net> <1gz6ua6.puya3717cpku8N%spam_eviscerator@spamcop.net> Message-ID: "Mike Easter" wrote in message news:dacfha$2ge$1@news.spamcop.net... > Spam Eviscerator wrote: > > Mike Easter > > >> Pre-approved quick reporting by email submission submits many spams > >> at a time, whose parser derived spamsources are assumed > >> 'autoapproved' right or wrong with resultant reporting of all of the > >> sources and no spamvertisers without further reporter action on any > >> parser links required. > > > > How does one get them "pre-approved" for quick reporting? > > You beseech the deputies/admin to approve your account to be able to > quick report. > Write to service admin.spamcop.net and ask for quick submit. Ellen From nobody at spamcop.net Tue Jul 5 09:33:06 2005 From: nobody at spamcop.net (Ellen) Date: Tue Jul 5 09:20:07 2005 Subject: [SC-Help] Re: Spamcop Misreading Headers References: <1ng53vcldnh7l$.dlg@news.spamcop.net> Message-ID: "N. Miller" wrote in message news:1ng53vcldnh7l$.dlg@news.spamcop.net... > On Mon, 4 Jul 2005 11:47:54 -0400, McWebber wrote: > > > With the headers below, Spamcop parses it and skips the real header and > > picks the fake 179.243.186.188 as the IP to lart. > > abuse#iana.org@devnull.spamcop.net and for some reason doesn't want to lart > > abuse@cybercity.dk for 217.157.61.45 which is the ultimate source of the > > spam > > Interesting. Sam Spade is not fooled, but running your headers results in > this tracker: > > http://www.spamcop.net/sc?id=z782224777z0a198f6cfa8ad5016f6589da2edfd169z > If you set up your mailhosts then the parser doesn't have a problem. Ellen From nobody at devnull.spamcop.net Tue Jul 5 13:10:32 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Tue Jul 5 13:15:03 2005 Subject: [SC-Help] Re: I know you're tired of hearing this, but ... re FAQs References: Message-ID: "Blammo" wrote in message news:Xns968A15B0A5500blammo@216.154.195.61... > On 04 Jul 2005 WazoO entered spamcop.help and left > news:dadb1a$gco$1@news.spamcop.net: > > > And even more, I figured out how to get anchor tags working > > in this thing. ....???? > > Wrong: Must have been timing, as I can't find the error you're pointing to. This is not your (my) normal web-page. I'm working in an environment in which I don't get to work on the page directly. This page in particular, I get to edit a script file via a 'control panel' window in the application. I'd suspect that I could ignore the "don't edit this file directly" warning, edit the file directly, then restart the application to then pull in the changes ... but again, I don't have that luxury. The security bits in place attempt to ensure that malicious code can't be 'uploaded' .. basically meaning that there's a process that HTML gets converted a bit for the application to process, then a BBCode to HTML conversion gets kicked in to convert that output back to paint the page. Unfortunately, this actual process never got documented, so there's a lot of "this works" .. "this doesn't work" ... "this code needs to be typed in like this .." ... I'm still feeling around in the dark here. From nobody at devnull.spamcop.net Tue Jul 5 13:14:22 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Tue Jul 5 13:15:08 2005 Subject: [SC-Help] Re: I know you're tired of hearing this, but ... re FAQs References: Message-ID: "Blammo" wrote in message news:Xns968A1E7D32B62blammo@216.154.195.61... > On 03 Jul 2005 WazoO entered spamcop.help and left > news:da939f$8oa$1@news.spamcop.net: > > > I'm not pushing Forum / newsgroup issues, this > > is all about providing an accessible FAQ. To keep things > > on track, please take a look at the web-page found at > > http://forum.spamcop.net/forums/index.php?act=home > > I offered a few suggestions, but I can't offer much because I hate looking > at other's sites for the purpose of evaluation. > You don't even want me to get started on that page. > > I can try to help with any specific questions. Well, again, the focus of this exercise is on access to the FAQ data. I'm fighting my own battles on trying to figure out how to work the scripts involved in the processing of data that builds the displayed page. From nobody at devnull.spamcop.net Tue Jul 5 14:01:05 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Tue Jul 5 14:05:03 2005 Subject: [SC-Help] Re: I know you're tired of hearing this, but ... re FAQs References: Message-ID: "Blammo" wrote in message news:Xns968A1E7D32B62blammo@216.154.195.61... > On 03 Jul 2005 WazoO entered spamcop.help and left > news:da939f$8oa$1@news.spamcop.net: > > > I'm not pushing Forum / newsgroup issues, this > > is all about providing an accessible FAQ. To keep things > > on track, please take a look at the web-page found at > > http://forum.spamcop.net/forums/index.php?act=home > > I offered a few suggestions, but I can't offer much because I hate looking > at other's sites for the purpose of evaluation. > You don't even want me to get started on that page. That last got me wondering, fired up FireFox 1.04 and see yet again more rendering issues ... not sure if some of this is stuff resolved in the alpha version of 1.1 .??? From nobody at devnull.spamcop.net Tue Jul 5 14:03:38 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Tue Jul 5 14:05:07 2005 Subject: [SC-Help] Re: I know you're tired of hearing this, but ... re FAQs References: Message-ID: "Blammo" wrote in message news:Xns968A6E85C4860blammo@216.154.195.61... > On 05 Jul 2005 WazoO entered spamcop.help and left > news:daef5e$5gg$1@news.spamcop.net: > > > Well, again, the focus of this exercise is on access to > > the FAQ data. > > Maybe it will evolve into something a little less cryptic. you definitely lost me on that .... that whole "Why are you here" section was shooting for the quick answer thing.?? From nobody at devnull.spamcop.net Tue Jul 5 14:51:07 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Tue Jul 5 14:55:03 2005 Subject: [SC-Help] Re: I know you're tired of hearing this, but ... re FAQs References: Message-ID: "Blammo" wrote in message news:Xns968A6E1AE695blammo@216.154.195.61... > On 05 Jul 2005 WazoO entered spamcop.help and left > news:daeeu8$5de$1@news.spamcop.net: > > > Must have been timing, as I can't find the error you're pointing to. > > Jump To Section Links -> > ... > Credits & Thanks > [points to] > http://forum.spamcop.net/forums/index.php?showtopic=2238#Credit > > which is OK, but the target doesn't exist because the "target" is > "#Credit", which is what I was referring to above. Still lost, link resolves, checked tags at both ends ..??? > > that I could ignore the "don't edit this file directly" warning, > > edit the file directly, then restart the application to then pull > > in the changes ... but again, I don't have that luxury. > > Probably not a good idea, unless you know exactly how the board generates > it's code. This page script is based on a "lite" version of a product that's been going to be released "Real Soon Now" for at least 8 months ... assume also a partial justification for no existing documentation ..?? > That's the why most bbcode is. In phpBB it converts "+" to a space, the > only way to actually post a message with a "+" in it is to post in html and > use + otherwise phpBB is pretty nice. > I never write that down so I always forget how to post a "+", so when I > need to it usually takes me a couple tries to remember. At present, I'm not smart enough to say whether it's the BBCode stuff or the mystical conversion processes that have got me dazed. I'm still learning, likening this a bit to the day I got to start learning Fortran. At a new assignment for less than two weeks. "You run the electronics shop?" yes "Computers are made with electronic circuits, aren't they?" yes "Got one out here that needs fixing. Call me when it's up again." (some numbers are probably wrong here, it's been ages) Look at a customized Data General S-280 ask an operator to show me how to log on operator shows me the problem situation go through some S-280 manuals to figure out how it works eventually figure out how to log on as 'root'/supervisor/whatever eventually find the source files .. even neater, I find the bad section of code realize fixing it is over my head, recall that there was a "programmer" in the TDA for the site, start trying to find him .. turns out that the guy was a budget analyst, filling the "programmer" slot .. there is no "programmer" in my searches, found some Rolm documentation on the Fortran language (let's say version 1.7) Data General is running version 1.5 many hours spent at re-writing code (eventually figuring out that all those indents weren't just for looks ... data started so many characters in, commands started so many spaces in, etc.) Then figuring out the compiler command (flags) that were in the Rolm 1.7 version that didn't fly in the DG 1.5 version ... late that night, system is up and running LTCDR is unhappy that I called him at that hour .... however, .. Navy Captain sends MP's to my door to escort me back to the office .. turns out the code section I re-worked contained classified data above my clearance level ... much paperwork ensued From nobody at spamcop.net Tue Jul 5 14:40:20 2005 From: nobody at spamcop.net (N. Miller) Date: Tue Jul 5 16:45:02 2005 Subject: [SC-Help] Re: Spamcop Misreading Headers References: <1ng53vcldnh7l$.dlg@news.spamcop.net> Message-ID: <1fhwrbw3z4ld3.dlg@news.spamcop.net> On Tue, 5 Jul 2005 08:33:06 -0400, Ellen wrote: > "N. Miller" wrote in message > news:1ng53vcldnh7l$.dlg@news.spamcop.net... >> On Mon, 4 Jul 2005 11:47:54 -0400, McWebber wrote: >> >>> With the headers below, Spamcop parses it and skips the real header and >>> picks the fake 179.243.186.188 as the IP to lart. >>> abuse#iana.org@devnull.spamcop.net and for some reason doesn't want to > lart >>> abuse@cybercity.dk for 217.157.61.45 which is the ultimate source of > the >>> spam >> >> Interesting. Sam Spade is not fooled, but running your headers results in >> this tracker: >> >> http://www.spamcop.net/sc?id=z782224777z0a198f6cfa8ad5016f6589da2edfd169z >> > > If you set up your mailhosts then the parser doesn't have a problem. I can't run somebody else's spam through my parser with mailhosts set up. But trying to jigger the headers so that they would be rational for my mailhosts, then running through my old account with mailhosts configured, and I get: http://www.spamcop.net/sc?id=z782506773z1e602d8276030386033a40bb6bef35ccz In the first tracker that I posted, SC wants to report the bogus IP address as a source, in the second tracker, SC wants to report the valid IP address as the source. All I did was to modify the top Received line. The SC account I used to generate those headers does not have mailhosts configure; if it did, the tracker for the original headers utterly fail to parse: http://www.spamcop.net/sc?id=z782507836zc92355c79390ec7bcf81dd298e73130cz But, yes, I can see that McWebber needs to configure mailhosts. That surely would fix his problem. -- Norman ~Shine, bright morning light, ~now in the air the spring is coming. ~Sweet, blowing wind, ~singing down the hills and valleys. From nobody at devnull.spamcop.net Tue Jul 5 17:07:49 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Tue Jul 5 17:10:03 2005 Subject: [SC-Help] Re: Spamcop Misreading Headers References: <1ng53vcldnh7l$.dlg@news.spamcop.net> <1fhwrbw3z4ld3.dlg@news.spamcop.net> Message-ID: "N. Miller" wrote in message news:1fhwrbw3z4ld3.dlg@news.spamcop.net... > > I can't run somebody else's spam through my parser with mailhosts set up. Use the parser without reference to your mailhosts configuration http://forum.spamcop.net/forums/index.php?showtopic=3156&st=0&p=20947&#entry20947 From nobody at spamcop.net Tue Jul 5 15:31:49 2005 From: nobody at spamcop.net (N. Miller) Date: Tue Jul 5 17:35:02 2005 Subject: [SC-Help] Re: Spamcop Misreading Headers References: <1ng53vcldnh7l$.dlg@news.spamcop.net> <1fhwrbw3z4ld3.dlg@news.spamcop.net> Message-ID: <1203stk44zrgu.dlg@news.spamcop.net> On Tue, 5 Jul 2005 16:07:49 -0500, WazoO wrote: > "N. Miller" wrote in message > news:1fhwrbw3z4ld3.dlg@news.spamcop.net... >> >> I can't run somebody else's spam through my parser with mailhosts set up. > > Use the parser without reference to your mailhosts configuration But I have two SC accounts, one with mailhosts configured, the other without mailhosts configured. -- Norman ~Shine, bright morning light, ~now in the air the spring is coming. ~Sweet, blowing wind, ~singing down the hills and valleys. From MikeE at ster.invalid Tue Jul 5 15:54:57 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jul 5 17:55:02 2005 Subject: [SC-Help] Re: Spamcop Misreading Headers References: <1ng53vcldnh7l$.dlg@news.spamcop.net> <1fhwrbw3z4ld3.dlg@news.spamcop.net> Message-ID: WazoO wrote: > "N. Miller" wrote in message > news:1fhwrbw3z4ld3.dlg@news.spamcop.net... >> >> I can't run somebody else's spam through my parser with mailhosts >> set up. > > Use the parser without reference to your mailhosts configuration > http://forum.spamcop.net/forums/index.php?showtopic=3156&st=0&p=20947&#entry20947 What that sez by Jeff G is It appears that you can use the parser without reference to your mailhosts configuration if you do the following: Parse as normal. Copy the Tracking URL. Cancel. Logout (if you are using the www.spamcop.net site) Browse to the Tracking URL, replacing members.spamcop.net or mailsc.spamcop.net in the URL with www.spamcop.net as appropriate. My experience is that if someone posts a tracking URL which belongs to their mailhosted configuration [that is, they are mailhosted and SC parsed an item for them] and I access the tracker, what I see is a 'mailhosted' tracker, with the little 0 and 1 and 2 etc for the Received lines. I also see the algorithmic logic which is designed for mailhosted users. Mailhosted parsing is different from non-mailhosted parsing. If I view the entire message from that tracker described above and copy the spam & headers and go to my parser page which is not mailhosted and have the parser parse the item anew for me, I will get a non-mailhosted result, and I can copy that tracker and show the 'public' the difference between what happens when the mailhosted person had the item parsed and what happens when it is parsed by a non-mailhosted person. I don't see how what Jeff G is saying jibes with my experience that I just described. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Tue Jul 5 15:56:00 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jul 5 18:00:02 2005 Subject: [SC-Help] Re: Spamcop Misreading Headers References: <1ng53vcldnh7l$.dlg@news.spamcop.net> <1fhwrbw3z4ld3.dlg@news.spamcop.net> <1203stk44zrgu.dlg@news.spamcop.net> Message-ID: N. Miller wrote: > But I have two SC accounts, one with mailhosts configured, the other > without mailhosts configured. That is an advantage. When you are logged in as the non-mailhosted user, you can get a different result sometimes than you would get as the mailhosted one. -- Mike Easter kibitzer, not SC admin From mark.c at somewhere.invalid Wed Jul 6 00:11:27 2005 From: mark.c at somewhere.invalid (Mark C) Date: Tue Jul 5 19:15:03 2005 Subject: [SC-Help] Re: Incorrect parsing of source IP for http://www.spamcop.net/sc?id=... <- Thanks Mike! References: Message-ID: "Mike Easter" wrote in news:dads7h$php$1@news.spamcop.net: > Summary: > - you are correct, parse broke chain prematurely > - you need to configure for mailhosts Now done, and it works well. Another spam with similar headers had the source correctly identified, after I followed the 'mailhosts' instructions. > - housekeeping, post in discussion group I will post in .help in the future. Thanks! From MikeE at ster.invalid Tue Jul 5 22:17:47 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jul 6 00:20:02 2005 Subject: [SC-Help] Re: Spamcop Misreading Headers References: <1ng53vcldnh7l$.dlg@news.spamcop.net> <1fhwrbw3z4ld3.dlg@news.spamcop.net> Message-ID: Blammo wrote: > Mike Easter >> What that sez by Jeff G is > Hmm, so how are you supposed to report that? I don't understand the question. Do you mean "What if Mike disagrees that you can escape the mailhost effect that way?" Or do you mean "If what Jeff sez doesn't work, what are you supposed to do?" Or do you mean something else? My own opinion is that you need a different other additional non-mailhost account if you want to use the parser 'experimentally' in a non-mailhosted configuration. Then, you get rid of the cookie associated with the mailhosted login business and 'become' the non-mailhosted persona or 'alter-ego'. -- Mike Easter kibitzer, not SC admin From bar_n0ne at hotmail.com Wed Jul 6 10:16:30 2005 From: bar_n0ne at hotmail.com (Berny) Date: Wed Jul 6 01:25:04 2005 Subject: [SC-Help] Re: Spamcop Misreading Headers References: <1ng53vcldnh7l$.dlg@news.spamcop.net> <1fhwrbw3z4ld3.dlg@news.spamcop.net> Message-ID: "Mike Easter" wrote in message news:dafm1a$t6a$1@news.spamcop.net... > Blammo wrote: > > Mike Easter > > Then, you get rid of the cookie associated with the mailhosted login > business and 'become' the non-mailhosted persona or 'alter-ego'. or -- simpler, use a different browser for the different configurations, since most do not share cookie stores. ie (no endorsements implied) Exploder for mailhosted, Netscraper for the non-mailhosted account.. From bill_beyer at excite.cXoYmZ Wed Jul 6 08:44:26 2005 From: bill_beyer at excite.cXoYmZ (Bill Beyer) Date: Wed Jul 6 10:45:03 2005 Subject: [SC-Help] Irritating development Message-ID: I've been submitting spam for years through MSOE by simply forwarding it as an attachment. Unless spamcop was having issues it was never a problem. For the past couple of days I intermittently get no response from spamcop when I submit the spam. It still parses spam from the 2 webmail accounts I also use to submit spam and they're all sent to the same spamcop address but stuff sent from MSOE just seems to go into a black hole. No response, nothing. Then suddenly it will start working again. Anyone else having this problem? From nobody at devnull.spamcop.net Wed Jul 6 13:00:27 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Wed Jul 6 13:05:03 2005 Subject: [SC-Help] Re: Irritating development References: Message-ID: "Bill Beyer" wrote in message news:dagqh5$i20$1@news.spamcop.net... > I've been submitting spam for years through MSOE by simply forwarding it as > an attachment. Unless spamcop was having issues it was never a problem. For > the past couple of days I intermittently get no response from spamcop when I > submit the spam. > > It still parses spam from the 2 webmail accounts I also use to submit spam > and they're all sent to the same spamcop address but stuff sent from MSOE > just seems to go into a black hole. No response, nothing. Then suddenly it > will start working again. > > Anyone else having this problem? http://forum.spamcop.net/forums/index.php?showtopic=4480 has another ComCast customer asking the same question. The question of the day then is whether the Forum FAQ entry E-Mail spam submittals blocked by your ISP? http://forum.spamcop.net/forums/index.php?showtopic=2782 needs to be updated. Your description is a bit different with the "suddenly will start working again" .. possibly due to the filtering tools not applied to all their servers yet ..???? The "test" would be to CC: a non-ComCast account with the spam submittals and see if that e-mail did in fact leave ComCast. From bill_beyer at excite.cXoYmZ Wed Jul 6 11:31:17 2005 From: bill_beyer at excite.cXoYmZ (Bill Beyer) Date: Wed Jul 6 13:30:03 2005 Subject: [SC-Help] Re: Irritating development References: Message-ID: "WazoO" wrote in message news:dah2nb$n7t$1@news.spamcop.net... > "Bill Beyer" wrote in message > news:dagqh5$i20$1@news.spamcop.net... > > I've been submitting spam for years through MSOE by simply forwarding it > as > > an attachment. Unless spamcop was having issues it was never a problem. > For > > the past couple of days I intermittently get no response from spamcop when > I > > submit the spam. > > > > It still parses spam from the 2 webmail accounts I also use to submit spam > > and they're all sent to the same spamcop address but stuff sent from MSOE > > just seems to go into a black hole. No response, nothing. Then suddenly it > > will start working again. > > > > Anyone else having this problem? > > http://forum.spamcop.net/forums/index.php?showtopic=4480 > has another ComCast customer asking the same question. > The question of the day then is whether the Forum FAQ entry > E-Mail spam submittals blocked by your ISP? > http://forum.spamcop.net/forums/index.php?showtopic=2782 > needs to be updated. Your description is a bit different > with the "suddenly will start working again" .. possibly > due to the filtering tools not applied to all their servers > yet ..???? The "test" would be to CC: a non-ComCast > account with the spam submittals and see if that e-mail > did in fact leave ComCast. That's a good idea. I'll give it a try and see what happens. From lart-o-matic at revbeergoggles.com Wed Jul 6 13:56:12 2005 From: lart-o-matic at revbeergoggles.com (Rev Beergoggles) Date: Wed Jul 6 14:00:03 2005 Subject: [SC-Help] Re: Irritating development References: Message-ID: Bill Beyer did pass the time by typing: > "WazoO" wrote ... >> "Bill Beyer" wrote ... >>> I've been submitting spam for years through MSOE by simply forwarding it as >>> an attachment. Unless spamcop was having issues it was never a problem. For >>> the past couple of days I intermittently get no response from spamcop when I >>> submit the spam. >>> Anyone else having this problem? >> >> http://forum.spamcop.net/forums/index.php?showtopic=4480 >> has another ComCast customer asking the same question. >> The question of the day then is whether the Forum FAQ entry >> E-Mail spam submittals blocked by your ISP? > > That's a good idea. I'll give it a try and see what happens. Same thing with cox.net. OTOH, I found if you forward all the spams as attachements to one email, they go through. That and it's easier than one at a time. -- DougW From bill_beyer at excite.cXoYmZ Wed Jul 6 12:03:43 2005 From: bill_beyer at excite.cXoYmZ (Bill Beyer) Date: Wed Jul 6 14:00:07 2005 Subject: [SC-Help] Re: Irritating development References: Message-ID: "Bill Beyer" wrote in message news:dah4a1$o52$1@news.spamcop.net... > > "WazoO" wrote in message > news:dah2nb$n7t$1@news.spamcop.net... > > "Bill Beyer" wrote in message > > news:dagqh5$i20$1@news.spamcop.net... > > > I've been submitting spam for years through MSOE by simply forwarding it > > as > > > an attachment. Unless spamcop was having issues it was never a problem. > > For > > > the past couple of days I intermittently get no response from spamcop > when > > I > > > submit the spam. > > > > > > It still parses spam from the 2 webmail accounts I also use to submit > spam > > > and they're all sent to the same spamcop address but stuff sent from > MSOE > > > just seems to go into a black hole. No response, nothing. Then suddenly > it > > > will start working again. > > > > > > Anyone else having this problem? > > > > http://forum.spamcop.net/forums/index.php?showtopic=4480 > > has another ComCast customer asking the same question. > > The question of the day then is whether the Forum FAQ entry > > E-Mail spam submittals blocked by your ISP? > > http://forum.spamcop.net/forums/index.php?showtopic=2782 > > needs to be updated. Your description is a bit different > > with the "suddenly will start working again" .. possibly > > due to the filtering tools not applied to all their servers > > yet ..???? The "test" would be to CC: a non-ComCast > > account with the spam submittals and see if that e-mail > > did in fact leave ComCast. > > That's a good idea. I'll give it a try and see what happens. > It appears that the mail is not leaving Comcast's servers. I'm trying to get some answers from Comcast now. From bill_beyer at excite.cXoYmZ Wed Jul 6 12:33:21 2005 From: bill_beyer at excite.cXoYmZ (Bill Beyer) Date: Wed Jul 6 14:30:02 2005 Subject: [SC-Help] Re: Irritating development References: Message-ID: "Rev Beergoggles" wrote in message news:dah5vp$p4u$1@news.spamcop.net... > Bill Beyer did pass the time by typing: > > "WazoO" wrote ... > >> "Bill Beyer" wrote ... > >>> I've been submitting spam for years through MSOE by simply forwarding it as > >>> an attachment. Unless spamcop was having issues it was never a problem. For > >>> the past couple of days I intermittently get no response from spamcop when I > >>> submit the spam. > > >>> Anyone else having this problem? > >> > >> http://forum.spamcop.net/forums/index.php?showtopic=4480 > >> has another ComCast customer asking the same question. > >> The question of the day then is whether the Forum FAQ entry > >> E-Mail spam submittals blocked by your ISP? > > > > > That's a good idea. I'll give it a try and see what happens. > > Same thing with cox.net. > > OTOH, I found if you forward all the spams as attachements to > one email, they go through. That and it's easier than one at a time. > > -- > DougW That's normally what I do. IN the interest of trying to diagnose this issue I've also tried forwarding them 1 at a time as well. Neither way works. From MikeE at ster.invalid Wed Jul 6 13:30:53 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jul 6 15:35:02 2005 Subject: [SC-Help] Re: Text replaced when copying spam for reporting purposes References: Message-ID: Posted to .spam & .help, f/ups to .help Jeff wrote: > I just received a spam message advertising Viagra, Cialis and Valium > from PharmzOnline Shop; however, when I tried copying and pasting the > message text it was changed and does not reflect the real message. Summary: - original unrendered spambody + complete headers are reported - opening or previewing spam rendered insecurely is a bad idea - housekeeping: use discussion groups for discussing What you see when you open a spam with something like OE^1 configured however itsecurely it may be and using IE's^1 rendering engine is entirely different from what you see if you correctly access^2 its message source^3 in preparation for pasting into SC's^1 webparser. ^1 OE Outlook Express, IE Internet Explorer, SC SpamCop ^2 OE/ File/ Properties/ Detail tab/ Message source button - select all, copy, paste ^3 Message source can contain base64 encoded graphics or html, unrendered raw html, or encoded graphics which when displayed can show text > I > tried forwarding the message and got the same result. What you see when you 'view entire message' in the parser's webpage display of the message source which is what you see when you forward a message as an attachment is entirely different from what you see when your OE/IE engine renders the spam as above. > I suppose I > could take a screen shot of the actual message, but is there another > way to report spam where the message is changed during the copy/paste > to spamcop? The concept of the spam submission process is not to send a picture of what you are seeing on the screen when you choose to render your spam, but to send a copy of the original complete spam, which consists of complete headers and raw message source, which is what is done if you copy the message source or forward as attachment. As a housekeeping issue: the newsgroups spamcop and spamcop.help are for discussing spamcop issues, but the group spamcop.spam has just been used in the past for posting examples of raw spam and/or complete headers -- that function has now been replaced by use of a tracking URL. -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Wed Jul 6 15:42:13 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Wed Jul 6 15:45:03 2005 Subject: [SC-Help] Re: Text replaced when copying spam for reporting purposes References: Message-ID: "Mike Easter" wrote in message news:dahbhc$spq$1@news.spamcop.net... > Posted to .spam & .help, f/ups to .help > > Jeff wrote: > > I just received a spam message advertising Viagra, Cialis and Valium > > from PharmzOnline Shop; however, when I tried copying and pasting the > > message text it was changed and does not reflect the real message. An attempt to explain this exists at the entry; http://forum.spamcop.net/forums/index.php?showtopic=3571 Mike's response is good, just pointing out another resource that has example data shown. From nobody at devnull.spamcop.net Wed Jul 6 15:49:00 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Wed Jul 6 15:50:02 2005 Subject: [SC-Help] Re: Irritating development References: Message-ID: "Rev Beergoggles" wrote in message news:dah5vp$p4u$1@news.spamcop.net... > Bill Beyer did pass the time by typing: > > "WazoO" wrote ... > >> "Bill Beyer" wrote ... > > >>> Anyone else having this problem? > >> > >> http://forum.spamcop.net/forums/index.php?showtopic=4480 > >> has another ComCast customer asking the same question. > >> The question of the day then is whether the Forum FAQ entry > >> E-Mail spam submittals blocked by your ISP? > > > That's a good idea. I'll give it a try and see what happens. > > Same thing with cox.net. Cox was already in the referenced Forum FAQ entry. http://forum.spamcop.net/forums/index.php?showtopic=2782 From nobody at devnull.spamcop.net Wed Jul 6 16:15:25 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Wed Jul 6 16:20:03 2005 Subject: [SC-Help] Re: Irritating development References: Message-ID: "Bill Beyer" wrote in message news:dah66q$p6o$1@news.spamcop.net... > > > > The question of the day then is whether the Forum FAQ entry > > > E-Mail spam submittals blocked by your ISP? > > > http://forum.spamcop.net/forums/index.php?showtopic=2782 > > > needs to be updated. > > That's a good idea. I'll give it a try and see what happens. > > It appears that the mail is not leaving Comcast's servers. I'm trying to get > some answers from Comcast now. Based on this and the other Forum posting, the Forum FAQ entry has been updated to include Comcast. From nobody at devnull.spamcop.net Wed Jul 6 16:24:41 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Wed Jul 6 16:25:03 2005 Subject: [SC-Help] X-No-Archive: yes and the newsgroup archives Message-ID: Just noting that there is a lot of data being lost due to usage of this header flag bit. Some threads leave one wondering what was actually being talked to as there are Reply's listed with no corresponding previous entry. From glnews030922 at highspot.net Wed Jul 6 22:38:04 2005 From: glnews030922 at highspot.net (Graeme Leith) Date: Wed Jul 6 16:35:03 2005 Subject: [SC-Help] Re: spam from unallocated IP? 46.50.126.146 In-Reply-To: References: Message-ID: Dominik 'Rathann' Mierzejewski wrote: > http://www.spamcop.net/sc?id=z782776317zf7ff8d358624850a286e90b1446839b6z > > It's either a fake header which managed to fool SC's parser or (unlikely) > a hijacked IP. It's a fake header that happens to have a valid format. The real source is the next server up in the chain (134.174.110.5) which is currently listed in the SCBL. If you go through the process of setting up you mailhosts in the SpamCop system, you shouldn't get more errors like this. *** Cross posted & followups to spamcop.help *** From lart-o-matic at revbeergoggles.com Wed Jul 6 17:13:50 2005 From: lart-o-matic at revbeergoggles.com (Rev Beergoggles) Date: Wed Jul 6 17:20:02 2005 Subject: [SC-Help] Re: X-No-Archive: yes and the newsgroup archives References: Message-ID: WazoO did pass the time by typing: > Just noting that there is a lot of data being lost due to > usage of this header flag bit. Some threads leave one > wondering what was actually being talked to as there > are Reply's listed with no corresponding previous > entry. That's the unfortunate side effect. Especially if you read with google. I just run hamster as a local news spool and decide myself what to do with the server cache. Side effect is it makes reading much faster. Downside is it's a server and therefore takes a copy of everything you don't have set in the filters. -- rbg From bill_beyer at excite.cXoYmZ Wed Jul 6 15:50:43 2005 From: bill_beyer at excite.cXoYmZ (Bill Beyer) Date: Wed Jul 6 17:50:03 2005 Subject: [SC-Help] Re: Irritating development References: Message-ID: "WazoO" wrote in message news:dahe4t$ucs$1@news.spamcop.net... > "Bill Beyer" wrote in message > news:dah66q$p6o$1@news.spamcop.net... > > > > > > The question of the day then is whether the Forum FAQ entry > > > > E-Mail spam submittals blocked by your ISP? > > > > http://forum.spamcop.net/forums/index.php?showtopic=2782 > > > > needs to be updated. > > > > That's a good idea. I'll give it a try and see what happens. > > > > It appears that the mail is not leaving Comcast's servers. I'm trying to > get > > some answers from Comcast now. > > Based on this and the other Forum posting, the Forum FAQ > entry has been updated to include Comcast. According to tier 1 support even if filters were implemented it would return some sort of error message if the Comcast servers were blocking the outgoing mail. The issue has been escalated to tier 2 for now. From nobody at devnull.spamcop.net Wed Jul 6 17:47:16 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Wed Jul 6 17:50:08 2005 Subject: [SC-Help] Re: X-No-Archive: yes and the newsgroup archives References: Message-ID: "Rev Beergoggles" wrote in message news:dahhtp$s7$1@news.spamcop.net... > WazoO did pass the time by typing: > > Just noting that there is a lot of data being lost due to > > usage of this header flag bit. Some threads leave one > > wondering what was actually being talked to as there > > are Reply's listed with no corresponding previous > > entry. > > That's the unfortunate side effect. Especially if you read > with google. This was posted as a side-issue / heads-up for some. A bit of fall-out of the www.spamcop.net FAQ being incomplete, the Forum FAQ being too huge and a Forum resource, the on-going work on a Portal page, previous discussion points, all suggesting that the newsgroup archives are a searchable resource for data .. just pointing out that this resource is also found to be incomplete for those that hadm't thought about it. > I just run hamster as a local news spool and decide myself > what to do with the server cache. Side effect is it makes > reading much faster. Downside is it's a server and therefore > takes a copy of everything you don't have set in the filters. As the premise for trying to build a better access point to a FAQ, just firing up a newsreader is problematic enough for some, setting up a server seems a step beyond for those targeted users. From dominik at usenet.rangers.eu.org Thu Jul 7 23:02:26 2005 From: dominik at usenet.rangers.eu.org (Dominik 'Rathann' Mierzejewski) Date: Thu Jul 7 18:15:02 2005 Subject: [SC-Help] Re: spam from unallocated IP? 46.50.126.146 References: Message-ID: Date: Wed, 06 Jul 2005 21:38:04 +0100, Group: spamcop.help Msg-ID: From: Graeme Leith: > Dominik 'Rathann' Mierzejewski wrote: > > http://www.spamcop.net/sc?id=z782776317zf7ff8d358624850a286e90b1446839b6z > > > > It's either a fake header which managed to fool SC's parser or > > (unlikely) > > a hijacked IP. > It's a fake header that happens to have a valid format. The real source > is the next server up in the chain (134.174.110.5) which is currently > listed in the SCBL. That's what I figured. And I have reported it manually there, too. > If you go through the process of setting up you mailhosts in the SpamCop > system, you shouldn't get more errors like this. Huh? Why would it help? The problem was with the second hop before my MX. Regards, R. -- RangersBL: http://dnsbl.rangers.eu.org/ "I've always wanted to be an executioner, that's why I became a sysadmin." -- Jim Howes at news.admin.net-abuse.email From glnews030922 at highspot.net Fri Jul 8 01:05:25 2005 From: glnews030922 at highspot.net (Graeme Leith) Date: Thu Jul 7 19:05:03 2005 Subject: [SC-Help] Re: spam from unallocated IP? 46.50.126.146 In-Reply-To: References: Message-ID: Dominik 'Rathann' Mierzejewski wrote: > Date: Wed, 06 Jul 2005 21:38:04 +0100, Group: spamcop.help > Msg-ID: > From: Graeme Leith: > >>If you go through the process of setting up you mailhosts in the SpamCop >>system, you shouldn't get more errors like this. > > Huh? Why would it help? The problem was with the second hop before my MX. If you run through the mailhosts setup, the system becomes much less likely to trust anything it doesn't recognize as being normal for your mail system. In this case, it would have stopped tracing at the hop immediately before your own host and not gone on to the valid, though forged, headers. -- Evidence shows Cyveillance abuse internet resources. I recommend unchecking their box in SpamCop reports. Cyveillance are part of the problem. They are not part of the solution. From anon at coks.net Thu Jul 7 18:47:11 2005 From: anon at coks.net (J G) Date: Thu Jul 7 20:50:03 2005 Subject: [SC-Help] Re: spam from unallocated IP? 46.50.126.146 In-Reply-To: References: Message-ID: On 7/7/2005 4:05 PM Graeme Leith scribbled: The sig - Evidence shows Cyveillance abuse internet resources. I recommend unchecking their box in SpamCop reports. Cyveillance are part of the problem. They are not part of the solution. Any comments on this? From nobody at devnull.spamcop.net Thu Jul 7 20:53:39 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Thu Jul 7 20:55:05 2005 Subject: [SC-Help] Re: spam from unallocated IP? 46.50.126.146 References: Message-ID: "J G" wrote in message news:dakibn$om9$1@news.spamcop.net... > On 7/7/2005 4:05 PM Graeme Leith scribbled: > The sig - > > Evidence shows Cyveillance abuse internet resources. > I recommend unchecking their box in SpamCop reports. > Cyveillance are part of the problem. > They are not part of the solution. > > Any comments on this? Please ... use the search function ... the SpamCop newsgroup archives, Google itself, something ... Please don't get this started again ... From anon at coks.net Thu Jul 7 18:59:57 2005 From: anon at coks.net (J G) Date: Thu Jul 7 21:00:04 2005 Subject: [SC-Help] Re: spam from unallocated IP? 46.50.126.146 In-Reply-To: References: Message-ID: On 7/7/2005 5:53 PM WazoO scribbled: > "J G" wrote in message news:dakibn$om9$1@news.spamcop.net... > >>On 7/7/2005 4:05 PM Graeme Leith scribbled: >>The sig - >> >>Evidence shows Cyveillance abuse internet resources. >>I recommend unchecking their box in SpamCop reports. >>Cyveillance are part of the problem. >>They are not part of the solution. >> >>Any comments on this? > > > Please ... use the search function ... the SpamCop newsgroup > archives, Google itself, something ... Please don't get this > started again ... > > huh? wasn't aware that this was an ongoing discussioon - had not seen anything on it lately, altho I don't read every thread cause I got another life.... I'll check the archives and sorry... jg From geoff at nospam.gjctech.co.uk Fri Jul 8 12:30:06 2005 From: geoff at nospam.gjctech.co.uk (Geoff Lane) Date: Fri Jul 8 07:35:06 2005 Subject: [SC-Help] Spam "from" reserved netblocks Message-ID: Recently, I've got a lot of spam with headers forged to appear to be from an IANA reserved netblock. The latest was "from" 111.120.227.30, which I understand from Sam Spade to be included in RESERVED-8. (here's an excerpt from Sam Spade) NetRange: 96.0.0.0 - 123.255.255.255 CIDR: 96.0.0.0/4, 112.0.0.0/5, 120.0.0.0/6 NetName: RESERVED-8 NetHandle: NET-96-0-0-0-1 NetType: IANA Reserved I have a suspicion that anything apparently from a reserved netblock is probably forged, and thus probably spam. If so, I can use such netblock information to supplement my spam filters - but are my suspicions true? TIA, -- Geoff Lane Cornwall, UK From glnews030922 at highspot.net Fri Jul 8 13:47:24 2005 From: glnews030922 at highspot.net (Graeme Leith) Date: Fri Jul 8 07:45:03 2005 Subject: [SC-Help] Re: spam from unallocated IP? 46.50.126.146 In-Reply-To: References: Message-ID: J G wrote: > On 7/7/2005 4:05 PM Graeme Leith scribbled: > The sig - > > Evidence shows Cyveillance abuse internet resources. > I recommend unchecking their box in SpamCop reports. > Cyveillance are part of the problem. > They are not part of the solution. > > Any comments on this? http://www.highspot.net/cyveillance/ From glnews030922 at highspot.net Fri Jul 8 13:55:27 2005 From: glnews030922 at highspot.net (Graeme Leith) Date: Fri Jul 8 07:55:03 2005 Subject: [SC-Help] Re: Spam "from" reserved netblocks In-Reply-To: References: Message-ID: Geoff Lane wrote: > Recently, I've got a lot of spam with headers forged to appear to be from > an IANA reserved netblock. The latest was "from" 111.120.227.30, which I > understand from Sam Spade to be included in RESERVED-8. (here's an excerpt > from Sam Spade) > > NetRange: 96.0.0.0 - 123.255.255.255 > CIDR: 96.0.0.0/4, 112.0.0.0/5, 120.0.0.0/6 > NetName: RESERVED-8 > NetHandle: NET-96-0-0-0-1 > NetType: IANA Reserved > > I have a suspicion that anything apparently from a reserved netblock is > probably forged, and thus probably spam. If so, I can use such netblock > information to supplement my spam filters - but are my suspicions true? If you haven't gone through the mailhosts setup on the SpamCop web pages, the parser is almost certainly following valid, but untrusted, headers and getting the wrong source. Set up mailhosts. Please post a tracking link, or the full spam in spamcop.spam, if you still see problems. -- Evidence shows Cyveillance abuse internet resources. I recommend unchecking their box in SpamCop reports. Cyveillance are part of the problem. They are not part of the solution. From geoff at nospam.gjctech.co.uk Fri Jul 8 13:31:21 2005 From: geoff at nospam.gjctech.co.uk (Geoff Lane) Date: Fri Jul 8 08:35:02 2005 Subject: [SC-Help] Re: Spam "from" reserved netblocks References: Message-ID: Graeme Leith wrote in news:dalpc1$du1$1@news.spamcop.net: >> I have a suspicion that anything apparently from a reserved netblock >> is probably forged, and thus probably spam. If so, I can use such >> netblock information to supplement my spam filters - but are my >> suspicions true? > > If you haven't gone through the mailhosts setup on the SpamCop web > pages, the parser is almost certainly following valid, but untrusted, > headers and getting the wrong source. Although I reported this particular spam (ID = 1463337860), I got the IP address myself direct from the headers. I submitted the report to Cyveilance purely to help get the offending IP added to the SBL. My interest here is whether mail from a reserved netblock is likely to be a legitimate message, and so whether I can legitimately filter on reserved netblocks. I don't need to parse anything through Spamcop for that because my filters already have the ability to blacklist netblocks. If I add 96.0.0.0-123.255.255.255 to the blacklist, anything that purports to be from or routed via the RESERVED-8 netblock will get dumped into my spam bin - and it would be similar for any other reserved netblock that I would add to my blacklist when I discovered spammy using it. BTW, I can't quite get my head around mailhosts configuration. I have potentially an unlimited number of e-mail accounts with a catch-all mailbox for each of several domains. AFAICT, you have to configure every email address - and that's something I can't do because there are far too many fo them. Also, I have intermediate servers between my MUA and my ISP's servers, which you can see from the report referenced above. -- Geoff Lane Cornwall, UK From nobody at spamcop.net Fri Jul 8 08:26:55 2005 From: nobody at spamcop.net (N. Miller) Date: Fri Jul 8 10:40:04 2005 Subject: [SC-Help] Re: Spam "from" reserved netblocks References: Message-ID: <11ff4vinnokeh$.dlg@news.spamcop.net> On Fri, 8 Jul 2005 12:31:21 +0000 (UTC), Geoff Lane wrote: > My interest here is whether mail from a reserved netblock is likely to > be a legitimate message, and so whether I can legitimately filter on > reserved netblocks. I don't need to parse anything through Spamcop for > that because my filters already have the ability to blacklist netblocks. > If I add 96.0.0.0-123.255.255.255 to the blacklist, anything that > purports to be from or routed via the RESERVED-8 netblock will get > dumped into my spam bin - and it would be similar for any other reserved > netblock that I would add to my blacklist when I discovered spammy using > it. Google on "bogons". It would be a valid filter check, but I have seen IANA assign blocks from reserved space over time, so using these "bogons" to filter on would require periodic review of the listed IP address blocks. > BTW, I can't quite get my head around mailhosts configuration. I have > potentially an unlimited number of e-mail accounts with a catch-all > mailbox for each of several domains. AFAICT, you have to configure every > email address - and that's something I can't do because there are far > too many fo them. Also, I have intermediate servers between my MUA and > my ISP's servers, which you can see from the report referenced above. That wasn't the way I interpreted it. Just one email address per host chain added. -- Norman ~Shine, bright morning light, ~now in the air the spring is coming. ~Sweet, blowing wind, ~singing down the hills and valleys. From MikeE at ster.invalid Fri Jul 8 09:02:44 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri Jul 8 11:05:02 2005 Subject: [SC-Help] Re: Spam "from" reserved netblocks References: Message-ID: Geoff Lane wrote: > Although I reported this particular spam (ID = 1463337860), > have intermediate servers between > my MUA and my ISP's servers, which you can see from the report > referenced above. We can't see anything from a report ID. A reportid of your own is something you can use to obtain a tracker to post so that we can see what you are talking about. When you visit your own report, you can view the entire spam which gives you access to its tracker. When I visit your reportid, I don't have that same access. If you post the tracker, then I/we can see the complete spam and its headers. -- Mike Easter kibitzer, not SC admin From geoff at nospam.gjctech.co.uk Fri Jul 8 16:10:38 2005 From: geoff at nospam.gjctech.co.uk (Geoff Lane) Date: Fri Jul 8 11:15:03 2005 Subject: [SC-Help] Re: Spam "from" reserved netblocks References: Message-ID: "Mike Easter" wrote in news:dam4ij$ktj$1@news.spamcop.net: >> Although I reported this particular spam (ID = 1463337860), > >> have intermediate servers between >> my MUA and my ISP's servers, which you can see from the report >> referenced above. > > We can't see anything from a report ID. A reportid of your own is > something you can use to obtain a tracker to post so that we can see > what you are talking about. > > When you visit your own report, you can view the entire spam which > gives you access to its tracker. When I visit your reportid, I don't > have that same access. If you post the tracker, then I/we can see the > complete spam and its headers. When I visit the report, I get a link at the top of the page, clicking this gives me a tracking URL to a page that tells me to who I've reported the spam and to who else I can report it, but not the message content. If that's what you mean, the tracking URL is: http://www.spamcop.net/sc?id=z783529303zebc07806f94f849fb00e0b39c9e450bfz Cheers, -- Geoff Lane Cornwall, UK From anon at coks.net Fri Jul 8 09:13:38 2005 From: anon at coks.net (J G) Date: Fri Jul 8 11:15:08 2005 Subject: [SC-Help] Re: spam from unallocated IP? 46.50.126.146 In-Reply-To: References: Message-ID: On 7/8/2005 4:47 AM Graeme Leith scribbled: > J G wrote: > >>On 7/7/2005 4:05 PM Graeme Leith scribbled: >>The sig - >> >>Evidence shows Cyveillance abuse internet resources. >>I recommend unchecking their box in SpamCop reports. >>Cyveillance are part of the problem. >>They are not part of the solution. >> >>Any comments on this? > > > http://www.highspot.net/cyveillance/ Thanks for that - appears I have some more homework. I'll refrain from any further discussion until I can contribute intelligently. From MikeE at ster.invalid Fri Jul 8 09:55:56 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri Jul 8 12:00:03 2005 Subject: [SC-Help] Re: Spam "from" reserved netblocks References: Message-ID: Geoff Lane wrote: > When I visit the report, I get a link at the top of the page, clicking > this gives me a tracking URL to a page that tells me to who I've > reported the spam and to who else I can report it, but not the message > content. If that's what you mean, the tracking URL is: > > http://www.spamcop.net/sc?id=z783529303zebc07806f94f849fb00e0b39c9e450bfz Yes. That's what I mean. If the viewer of the link is logged in and configured to show technical details in preferences, that tracker shows hir a copy of the headers, the verbose of the parse, and access to view the entire message. If the viewer of the link is /not/ so configured, all that is seen is the 'bottom' of the above, which sex the report has been sent and who it was sent to. I can also see that the item was /not/ parsed as a mailhost configuration, another issue which is afoot here. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Fri Jul 8 10:05:14 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri Jul 8 12:10:04 2005 Subject: [SC-Help] Re: spam from unallocated IP? 46.50.126.146 References: Message-ID: J G wrote: > Graeme Leith >>> Evidence shows Cyveillance abuse internet resources. >>> I recommend unchecking their box in SpamCop reports. >>> Cyveillance are part of the problem. >>> They are not part of the solution. >> http://www.highspot.net/cyveillance/ > Thanks for that - appears I have some more homework. > I'll refrain from any further discussion until I can contribute > intelligently. In addition to Graeme's link, here're some pipermail archive items: Graeme's similar to the above, with a little more: http://news.spamcop.net/pipermail/spamcop-help/2004-July/062641.html Julian's remarks: http://news.spamcop.net/pipermail/spamcop-list/2003-June/044984.html Julian's posting of Brian Murray's [Cyveillance] remarks: http://news.spamcop.net/pipermail/spamcop-list/2003-June/045279.html -- Mike Easter kibitzer, not SC admin From anon at coks.net Fri Jul 8 10:22:35 2005 From: anon at coks.net (J G) Date: Fri Jul 8 12:25:02 2005 Subject: [SC-Help] Re: spam from unallocated IP? 46.50.126.146 In-Reply-To: References: Message-ID: On 7/8/2005 9:05 AM Mike Easter scribbled: > Julian's remarks: > http://news.spamcop.net/pipermail/spamcop-list/2003-June/044984.html > > Julian's posting of Brian Murray's [Cyveillance] remarks: > http://news.spamcop.net/pipermail/spamcop-list/2003-June/045279.html > > Thanks for saving me time, Mike... From jr70 at blackhole.invalid Fri Jul 8 10:45:27 2005 From: jr70 at blackhole.invalid (John Richards) Date: Fri Jul 8 12:50:03 2005 Subject: [SC-Help] Re: Spam "from" reserved netblocks References: <11ff4vinnokeh$.dlg@news.spamcop.net> Message-ID: N. Miller wrote: > On Fri, 8 Jul 2005 12:31:21 +0000 (UTC), Geoff Lane wrote: > >> BTW, I can't quite get my head around mailhosts configuration. I have >> potentially an unlimited number of e-mail accounts with a catch-all >> mailbox for each of several domains. AFAICT, you have to configure every >> email address - and that's something I can't do because there are far >> too many fo them. Also, I have intermediate servers between my MUA and >> my ISP's servers, which you can see from the report referenced above. > > That wasn't the way I interpreted it. Just one email address per host chain > added. I got that part. But how does one set it up for multiple domains, some of which have separate mailhosts? -- John Richards From glnews030922 at highspot.net Fri Jul 8 19:17:28 2005 From: glnews030922 at highspot.net (Graeme Leith) Date: Fri Jul 8 13:15:02 2005 Subject: [SC-Help] Re: Spam "from" reserved netblocks In-Reply-To: References: Message-ID: Geoff Lane wrote: > Although I reported this particular spam (ID = 1463337860), I got the IP > address myself direct from the headers. I submitted the report to > Cyveilance purely to help get the offending IP added to the SBL. Where did you get evidence of a connection between Spamhaus and Cyveillance? As far as I am aware, they are in no way related. > > My interest here is whether mail from a reserved netblock is likely to > be a legitimate message, and so whether I can legitimately filter on > reserved netblocks. I don't need to parse anything through Spamcop for > that because my filters already have the ability to blacklist netblocks. > If I add 96.0.0.0-123.255.255.255 to the blacklist, anything that > purports to be from or routed via the RESERVED-8 netblock will get > dumped into my spam bin - and it would be similar for any other reserved > netblock that I would add to my blacklist when I discovered spammy using > it. It's probably not a good idea filtering on IANA reserved blocks. People often use them as internal addresses and run a NAT gateway. If they have servers inside their network that pass the mail around before it gets to the internet proper, there will be headers with reserved addresses in them that are legitimate. You can filter connect attempts from reserved addresses at your border routers, as these should never see connections from reserved space on the external interface. They are called "bogons" in the networking world if you're looking for a list. > BTW, I can't quite get my head around mailhosts configuration. I have > potentially an unlimited number of e-mail accounts with a catch-all > mailbox for each of several domains. AFAICT, you have to configure every > email address - and that's something I can't do because there are far > too many fo them. Also, I have intermediate servers between my MUA and > my ISP's servers, which you can see from the report referenced above. I run my own mail server and although I don't have a catch all address, I do create new addresses for each new contact I have. I trained the mailhosts setup with a single address and haven't had any problems with it. It seems to associate the mail servers with your account, rather than individual addresses. When you set up mailhosts, it sends out discovery emails to get a baseline. The system handles intermediate MTAs with no problems that I've seen. My system not only includes my own server, but POPs and forwards to/from several locations. As long as you train it with each path you expect to see mail go through it seems very reliable. -- Evidence shows Cyveillance abuse internet resources. I recommend unchecking their box in SpamCop reports. Cyveillance are part of the problem. They are not part of the solution. From geoff at nospam.gjctech.co.uk Fri Jul 8 18:14:15 2005 From: geoff at nospam.gjctech.co.uk (Geoff Lane) Date: Fri Jul 8 13:15:05 2005 Subject: [SC-Help] Re: Spam "from" reserved netblocks References: Message-ID: "Mike Easter" wrote in news:dam7ma$mtj$1 @news.spamcop.net: > I can also see that the item was /not/ parsed as a mailhost > configuration, another issue which is afoot here. I would set up mailhost configuration but I don't know how to do that. The instructions seem to want me to carry out a configuration for every email address that may receive mail. However, I have unlimited addresses for each of several domains, so I can't achieve what I infer to be required. Perhaps a key here is that the term "account" is not adequately defined. Is an "account" a Spamcop account, a user account on my local mail server, an ISP account, an email address (no matter whether that corresponds to a configured local user account), etc? If an "account" is an ISP account, what do I need to do if my ISP uses a server farm and mail be sent to and received from a variety of servers that may have dynamic addresses and for which the number of hosts and IP addresses are hidden from me? -- Geoff Lane Cornwall, UK From glnews030922 at highspot.net Fri Jul 8 19:34:17 2005 From: glnews030922 at highspot.net (Graeme Leith) Date: Fri Jul 8 13:35:02 2005 Subject: [SC-Help] Re: Spam "from" reserved netblocks In-Reply-To: References: Message-ID: Geoff Lane wrote: > "Mike Easter" wrote in news:dam7ma$mtj$1 > @news.spamcop.net: > > >>I can also see that the item was /not/ parsed as a mailhost >>configuration, another issue which is afoot here. > > > I would set up mailhost configuration but I don't know how to do that. The > instructions seem to want me to carry out a configuration for every email > address that may receive mail. However, I have unlimited addresses for each > of several domains, so I can't achieve what I infer to be required. > > Perhaps a key here is that the term "account" is not adequately defined. Is > an "account" a Spamcop account, a user account on my local mail server, an > ISP account, an email address (no matter whether that corresponds to a > configured local user account), etc? Account in this case is at least at ISP level. It may actually be at spamcop account level and trust all MTAs that you set up for that SpamCop account, no matter the path the mail takes through them. Not sure on this, but it would explain some behavior that I've seen with the system dealing with things I would expect it to fail on. > > If an "account" is an ISP account, what do I need to do if my ISP uses a > server farm and mail be sent to and received from a variety of servers that > may have dynamic addresses and for which the number of hosts and IP > addresses are hidden from me? Depends on the ISP. It's highly likely that SC knows about all of the mail servers for your ISP and will handle them automagically when you go through the setup. It did for my ISPs, even though it was only trained with a single email through each one. -- Evidence shows Cyveillance abuse internet resources. I recommend unchecking their box in SpamCop reports. Cyveillance are part of the problem. They are not part of the solution. From geoff at nospam.gjctech.co.uk Fri Jul 8 19:01:07 2005 From: geoff at nospam.gjctech.co.uk (Geoff Lane) Date: Fri Jul 8 14:05:03 2005 Subject: [SC-Help] Re: Spam "from" reserved netblocks References: Message-ID: Graeme Leith wrote in news:damc7l$q79$1 @news.spamcop.net: >> Although I reported this particular spam (ID = 1463337860), I got the IP >> address myself direct from the headers. I submitted the report to >> Cyveilance purely to help get the offending IP added to the SBL. > > Where did you get evidence of a connection between Spamhaus and > Cyveillance? As far as I am aware, they are in no way related. My bad. I meant "SCBL" - Spamcop's own list. AIUI, I have to report to at least one to get SC to register the spam, and Cyveillance seemed to the be lesser evil (although I do not that you may not agree with that point of view!) The only other options were to report to "abuse" addresses that I suspect are spam-friendly and may even be the spammer himself. -- Geoff Lane Cornwall, UK From nobody at devnull.spamcop.net Fri Jul 8 14:59:03 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Fri Jul 8 15:00:04 2005 Subject: [SC-Help] Re: Spam "from" reserved netblocks References: Message-ID: "Geoff Lane" wrote in message news:Xns968D89CCA7630gjctcswxnsrt@216.154.195.61... > > BTW, I can't quite get my head around mailhosts configuration. I have > potentially an unlimited number of e-mail accounts with a catch-all > mailbox for each of several domains. AFAICT, you have to configure every > email address - and that's something I can't do because there are far > too many fo them. Also, I have intermediate servers between my MUA and > my ISP's servers, which you can see from the report referenced above. Though it's ticked off many, primary support for the MailHost Configuration of a reporting account is found at http://forum.spamcop.net/forums/index.php?showforum=7 per Julian's original request. No. it's not "per address" ... it's the "host" part that's the deal in question. From geoff at nospam.gjctech.co.uk Fri Jul 8 20:34:32 2005 From: geoff at nospam.gjctech.co.uk (Geoff Lane) Date: Fri Jul 8 15:35:02 2005 Subject: [SC-Help] Re: Spam "from" reserved netblocks References: Message-ID: "WazoO" wrote in news:damidn$tu0$1 @news.spamcop.net: > Though it's ticked off many, primary support for the MailHost > Configuration of a reporting account is found at > http://forum.spamcop.net/forums/index.php?showforum=7 > per Julian's original request. > > No. it's not "per address" ... it's the "host" part that's > the deal in question. > Thanks - In my defence I must point out that my original query was about use of bogons for filtering outside SC and the question of mailhosts arose from a reply to that. -- Geoff Lane Cornwall, UK From Paul.Sawyer.does.not.want.spam at unh.BAD.EXAMPLE.edu Fri Jul 8 21:03:44 2005 From: Paul.Sawyer.does.not.want.spam at unh.BAD.EXAMPLE.edu (Paul Sawyer) Date: Fri Jul 8 16:05:02 2005 Subject: [SC-Help] Re: spam from unallocated IP? 46.50.126.146 References: Message-ID: J G wrote in news:dam95k$o4g$2@news.spamcop.net: > On 7/8/2005 9:05 AM Mike Easter scribbled: > > >> Julian's remarks: >> http://news.spamcop.net/pipermail/spamcop-list/2003-June/044984.html >> >> Julian's posting of Brian Murray's [Cyveillance] remarks: >> http://news.spamcop.net/pipermail/spamcop-list/2003-June/045279.html >> >> > Thanks for saving me time, Mike... The big discussion was two years ago -- has anyone, including Julian and Brian Murray, got evidence that, since then: 1. Cyveillance has stopped doing bad things, like ignoring robots.txt 2. They have been effective in stopping ANY spammers Otherwise, those two-year old discussions seem to stand at "do not check Cyveillance...." -- From glnews030922 at highspot.net Fri Jul 8 22:58:11 2005 From: glnews030922 at highspot.net (Graeme Leith) Date: Fri Jul 8 16:55:02 2005 Subject: [SC-Help] Re: spam from unallocated IP? 46.50.126.146 In-Reply-To: References: Message-ID: Paul Sawyer wrote: > The big discussion was two years ago -- has anyone, including Julian and > Brian Murray, got evidence that, since then: > > 1. Cyveillance has stopped doing bad things, like ignoring robots.txt My Cyveillance page has been updated twice in the last month. The changes were as follows: 1. Removed the links to the Spamcop archives as they were out of date. 2. Added the two /24 blocks which are impossible to link back to Cyveillance without correlating them to firewall logs and seeing that they act like Cyvellance within seconds of rejections from known Cyveillance blocks. In short, they are getting worse in their abuses. It used to be possible to find rwhois or SWIP data pointing back to Cyveillance. Now, the blocks they are using are anonymous blocks within large ISP allocations with no way to trace them easily. They don't even bother to get robots.txt. They just start at the home page and follow all the links there. The fact that there is no rwhois or SWIP data is probably in violation of ICANN rules. > 2. They have been effective in stopping ANY spammers No evidence has ever been presented that they do *anything* useful with the information that they get from SpamCop. From geoff at nospam.gjctech.co.uk Fri Jul 8 23:04:42 2005 From: geoff at nospam.gjctech.co.uk (Geoff Lane) Date: Fri Jul 8 18:05:04 2005 Subject: [SC-Help] Re: Spam "from" reserved netblocks References: Message-ID: Thanks for the info. I tried registering my primary address. SC came up with two MX's and sent emails via both. I tried following the instructions in the messages, but ended up with the following error when I pasted each complete email into the top box and clicked Process Sample: Sorry, SpamCop has encountered errors: Confirmation codes do not match: >From recipient address: xxxxxxxxxxxxxxxx >From header: xxxxxxxxxxxxxxxx >From body: xxxxxxxxxxxxxxxx Those codes (the same in both messages) match in that they are identical. However, I've munged them here because the messages claim to contain information confidential to my SC account. I tried starting a new topic on the suggested forum but SC denied me access - hence my post here. Now I have no idea where I am with SC - and that's only the first of six domains and three other mail services :( -- Geoff From nobody at devnull.spamcop.net Fri Jul 8 18:21:59 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Fri Jul 8 18:25:03 2005 Subject: [SC-Help] Re: Spam "from" reserved netblocks References: Message-ID: "Geoff Lane" wrote in message news:Xns968DEADA4C78Fgjctcswxnsrt@216.154.195.61... > Thanks for the info. > > I tried registering my primary address. SC came up with two MX's and sent > emails via both. I tried following the instructions in the messages, but > ended up with the following error when I pasted each complete email into > the top box and clicked Process Sample: > > Sorry, SpamCop has encountered errors: > Confirmation codes do not match: > > From recipient address: xxxxxxxxxxxxxxxx > From header: xxxxxxxxxxxxxxxx > From body: xxxxxxxxxxxxxxxx Known issue, in fact the most recent Topic in the Mailhost Forum section dealt with the same query ... issue is white-space .. it only happens to some folks, no idea if it's server or app related, but .... at least one of those items has extra characters added to the end of the displayed string ... > I tried starting a new topic on the suggested forum but SC denied me access > - hence my post here. Most Forum sections are open to read ... registration required to post. There is no 'direct' connection, so no, the Forum doesn't know about your other existing SpamCop accounts. > Now I have no idea where I am with SC - and that's only the first of six > domains and three other mail services :( Again, others have "been there" before you ... the Forum FAQ also includes a link to "One version of a Step-by-step MailHost set-up" http://forum.spamcop.net/forums/index.php?showtopic=3185&view=findpost&p=21169 From geoff at nospam.gjctech.co.uk Fri Jul 8 23:29:41 2005 From: geoff at nospam.gjctech.co.uk (Geoff Lane) Date: Fri Jul 8 18:30:04 2005 Subject: [SC-Help] Re: Spam "from" reserved netblocks References: Message-ID: "WazoO" wrote in news:damua8$5ub$1@news.spamcop.net: > Again, others have "been there" before you ... the Forum FAQ also > includes a link to "One version of a Step-by-step MailHost set-up" > http://forum.spamcop.net/forums/index.php?showtopic=3185&view=findpost& > p=21169 Thanks for the info. Cracked it - I successfully submitted the config confirmation messages by saving as .eml files and sending as attachments. One down, seven to go :) -- Geoff Lane Cornwall, UK From nobody at spamcop.net Fri Jul 8 17:34:05 2005 From: nobody at spamcop.net (N. Miller) Date: Fri Jul 8 19:35:02 2005 Subject: [SC-Help] Re: Spam "from" reserved netblocks References: <11ff4vinnokeh$.dlg@news.spamcop.net> Message-ID: <1a4zkhqq1md8h.dlg@news.spamcop.net> On Fri, 8 Jul 2005 09:45:27 -0700, John Richards wrote: > N. Miller wrote: >> On Fri, 8 Jul 2005 12:31:21 +0000 (UTC), Geoff Lane wrote: >> >>> BTW, I can't quite get my head around mailhosts configuration. I have >>> potentially an unlimited number of e-mail accounts with a catch-all >>> mailbox for each of several domains. AFAICT, you have to configure every >>> email address - and that's something I can't do because there are far >>> too many fo them. Also, I have intermediate servers between my MUA and >>> my ISP's servers, which you can see from the report referenced above. >> >> That wasn't the way I interpreted it. Just one email address per host chain >> added. > > I got that part. But how does one set it up for multiple domains, some > of which have separate mailhosts? You would set up mailhosts for each mail service that you use. I have one service which has multiple domains, but the same MX servers. I only sent set up for one of those email addresses. I think the point is to have an example from each legitimate path that email takes to your Inbox. -- Norman ~Shine, bright morning light, ~now in the air the spring is coming. ~Sweet, blowing wind, ~singing down the hills and valleys. From jr70 at blackhole.invalid Fri Jul 8 23:09:16 2005 From: jr70 at blackhole.invalid (John Richards) Date: Sat Jul 9 01:10:03 2005 Subject: [SC-Help] Re: Spam "from" reserved netblocks References: Message-ID: WazoO wrote: > "Geoff Lane" wrote in message > news:Xns968D89CCA7630gjctcswxnsrt@216.154.195.61... >> >> BTW, I can't quite get my head around mailhosts configuration. I have >> potentially an unlimited number of e-mail accounts with a catch-all >> mailbox for each of several domains. AFAICT, you have to configure every >> email address - and that's something I can't do because there are far >> too many fo them. Also, I have intermediate servers between my MUA and >> my ISP's servers, which you can see from the report referenced above. > > Though it's ticked off many, primary support for the MailHost > Configuration of a reporting account is found at > http://forum.spamcop.net/forums/index.php?showforum=7 > per Julian's original request. > > No. it's not "per address" ... it's the "host" part that's > the deal in question. So, one would need a separate SpamCop account for each different mailhost? That could get very unwieldy and unworkable. -- John Richards From sean at twin-dad.com Fri Jul 8 23:12:48 2005 From: sean at twin-dad.com (Sean Sowell) Date: Sat Jul 9 01:15:03 2005 Subject: [SC-Help] Re: Spam "from" reserved netblocks References: Message-ID: Geoff Lane wrote in news:Xns968DEF1692036gjctcswxnsrt@216.154.195.61... .... > Thanks for the info. > > Cracked it - I successfully submitted the config confirmation messages by > saving as .eml files and sending as attachments. One down, seven to go :) I've been reading along and also set up mailhosts earlier today, but SpamCop wouldn't let me forward my account configuration emails as attachments. Below is the full message source of the returned message, with a few things [munged] for obvious reasons. Instead I ended up copying and pasting each message source to the top window on the http://www.spamcop.net/mcgi?action=mhreturn screen. The questions remain though: 1. Why don't my .eml attachments go through? 2. Do I really have to zip up my .eml files if I want to submit them that way going forward? 3. If so, is there a limit to the number of spamples in each zip file, or to the total size of each zip file? Geoff seems to be using Outlook Express like I am, since his email files end with ".eml". I'm running OE 6.00.2800.1123 under Win2K SP4. FYI, when I first signed up with SpamCop on May 25th I got the same error messages trying to submit my first few spamples as attachments. Since then I've been copying and pasting full message sources into new messages and sending them to my personal reporting address. That method, though, is rather slow and I'd very much like to forward my submissions as attachments. Also, even though it probably doesn't relate to this situation, earlier today I switched from mole to regular reporting status. Before posting here, I searched forum.spamcop.net for "recent viruses or other malware", a string that appears in the autoreply message pasted in below.. I reviewed topics 2188, 3696 and 4046 but they did not answer my questions. (No, the message does not contain a virus; it is plain text directly from SpamCop.) I also searched news.spamcop.net for the same string but nothing came back. The FAQ does not appear to address this issue. Also, there seems not to be any way to search the spamcop-help or spamcop-list mail archives. So, here I am! Hopefully someone with sharper eyes can solve this mystery ... ? Many thanks in advance, Sean S. ===== Return-path: <> Envelope-to: [munge]@twin-dad.com Delivery-date: Fri, 08 Jul 2005 16:38:13 -0500 Received: from [munge] by gator16.hostgator.com with local-bsmtp (Exim 4.50) id 1Dr0Y0-00039V-QG for [munge]@twin-dad.com; Fri, 08 Jul 2005 16:38:13 -0500 Received: from mailnull by gator16.hostgator.com with local (Exim 4.50) id 1Dr0Y0-0005GA-Nm for [munge]@twin-dad.com; Fri, 08 Jul 2005 16:38:12 -0500 X-Failed-Recipients: mhconf.[munge]@cmds.spamcop.net Auto-Submitted: auto-generated From: Mail Delivery System To: [munge]@twin-dad.com Subject: Mail delivery failed: returning message to sender Message-Id: Date: Fri, 08 Jul 2005 16:38:12 -0500 X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on gator16.hostgator.com X-Spam-Level: X-Spam-Status: No, score=-4.6 required=5.0 tests=ALL_TRUSTED,AWL,BAYES_00 autolearn=ham version=3.0.4 This message was created automatically by mail delivery software. A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed: mhconf.[munge]@cmds.spamcop.net This message has been rejected because it has a potentially executable attachment "SpamCop account configuration email.eml" This form of attachment has been used by recent viruses or other malware. If you meant to send this file then please package it up as a zip file and resend it. ------ This is a copy of the message, including all the headers. ------ Return-path: <[munge]@twin-dad.com> Received: from c-24-4-31-126.hsd1.ca.comcast.net ([24.4.31.126]:10735 helo=hq02) by gator16.hostgator.com with esmtpa (Exim 4.50) id 1Dr0Y0-0004rb-BW for mhconf.[munge]@cmds.spamcop.net; Fri, 08 Jul 2005 16:38:12 -0500 Message-ID: <240a01c58405$5b6f4950$9a0fa8c0@hq02> Reply-To: "Sean Sowell" <[munge]@twin-dad.com> From: "Sean Sowell" <[munge]@twin-dad.com> To: Subject: [munge]@twin-dad test Date: Fri, 8 Jul 2005 14:38:16 -0700 Organization: twin-dad.com MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_NextPart_000_2407_01C583CA.AD5B6E50" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1506 Disposition-Notification-To: "Sean Sowell" <[munge]@twin-dad.com> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1506 This is a multi-part message in MIME format. ------=_NextPart_000_2407_01C583CA.AD5B6E50 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit ------=_NextPart_000_2407_01C583CA.AD5B6E50 Content-Type: message/rfc822; name="SpamCop account configuration email.eml" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="SpamCop account configuration email.eml" Return-path: Envelope-to: [munge]@twin-dad.com Delivery-date: Fri, 08 Jul 2005 16:35:57 -0500 Received: from [munge] by gator16.hostgator.com with local-bsmtp (Exim 4.50) id 1Dr0Vn-00014i-Ly for [munge]@twin-dad.com; Fri, 08 Jul 2005 16:35:56 -0500 Received: from sc-app2.spamcop.net ([64.74.133.243]:1750 helo=spamcop.net) by gator16.hostgator.com with smtp (Exim 4.50) id 1Dr0Vn-0006PN-Ao for [munge]@twin-dad.com; Fri, 08 Jul 2005 16:35:55 -0500 X-SpamCop-Conf: [munge] Received: from [24.4.31.126] by spamcop.net with HTTP; Fri, 08 Jul 2005 21:35:59 GMT From: SpamCop robot To: [munge]@twin-dad.com Subject: SpamCop account configuration email Precedence: list Message-ID: Date: Fri, 08 Jul 2005 21:35:59 GMT X-Mailer: Mozilla/4.0 (compatible; WebCapture 3.0; Windows) via http://www.spamcop.net/ v1.466 X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on gator16.hostgator.com X-Spam-Level: X-Spam-Status: No, score=-0.3 required=5.0 tests=BAYES_00,FORGED_MUA_MOZILLA autolearn=no version=3.0.4 Hello SpamCop user, This email contains special codes and tracking information to help SpamCop figure out your specific email configuration. Do not post this email in public. It contains confidential information related to the security of your SpamCop account. Please return this complete email, preserving full headers and the special tracking codes below. Visit this address: http://www.spamcop.net/mcgi?action=mhreturn Alternately, you may submit via email. Forward the message as an attachment to this address. Or create a new message and paste this email into it. Either way, send it to to: mhconf.[munge]@cmds.spamcop.net Some email software may only support one or the other of these submission methods. For information on your email software and to learn how to get full headers see this FAQ: http://www.spamcop.net/fom-serve/cache/19.html Special codes follow: ################################################################ X-SpamCop-Mx: twin-dad.com. X-SpamCop-Mx-Ip: 70.84.62.226 X-SpamCop-Mh-Name: twin-dad.com X-SpamCop-Recip: [munge]@twin-dad.com X-SpamCop-Unixtime: 1120858559 X-SpamCop-Conf: [munge] X-SpamCop-Randomness: [munge] X-SpamCop-Hash: [munge] ################################################################ ------=_NextPart_000_2407_01C583CA.AD5B6E50-- From jr70 at blackhole.invalid Fri Jul 8 23:19:04 2005 From: jr70 at blackhole.invalid (John Richards) Date: Sat Jul 9 01:20:03 2005 Subject: [SC-Help] Re: Spam "from" reserved netblocks References: <11ff4vinnokeh$.dlg@news.spamcop.net> <1a4zkhqq1md8h.dlg@news.spamcop.net> Message-ID: N. Miller wrote: > On Fri, 8 Jul 2005 09:45:27 -0700, John Richards wrote: > >> N. Miller wrote: >>> On Fri, 8 Jul 2005 12:31:21 +0000 (UTC), Geoff Lane wrote: >>> >>>> BTW, I can't quite get my head around mailhosts configuration. I have >>>> potentially an unlimited number of e-mail accounts with a catch-all >>>> mailbox for each of several domains. AFAICT, you have to configure every >>>> email address - and that's something I can't do because there are far >>>> too many fo them. Also, I have intermediate servers between my MUA and >>>> my ISP's servers, which you can see from the report referenced above. >>> >>> That wasn't the way I interpreted it. Just one email address per host chain >>> added. >> >> I got that part. But how does one set it up for multiple domains, some >> of which have separate mailhosts? > > You would set up mailhosts for each mail service that you use. I have one > service which has multiple domains, but the same MX servers. I only sent > set up for one of those email addresses. I think the point is to have an > example from each legitimate path that email takes to your Inbox. Is it possible to have multiple mailhosts/ multiple mail services under one spamcop reporting account? -- John Richards From geoff at nospam.gjctech.co.uk Sat Jul 9 09:16:22 2005 From: geoff at nospam.gjctech.co.uk (Geoff Lane) Date: Sat Jul 9 04:20:04 2005 Subject: [SC-Help] Re: Spam "from" reserved netblocks References: Message-ID: "Sean Sowell" wrote in news:danmcn$jat$1@news.spamcop.net: > Geoff seems to be using Outlook Express like I am, since his email > files end with ".eml". I'm running OE 6.00.2800.1123 under Win2K SP4. Geoff is absolutely not using a Microsoft MUA - I'm using an ancient version of The Bat! When I exported the message, I had a choice of nearly a dozen formats; I just elected to save as .eml HTH, -- Geoff Lane Cornwall, UK From glnews030922 at highspot.net Sat Jul 9 13:38:10 2005 From: glnews030922 at highspot.net (Graeme Leith) Date: Sat Jul 9 07:35:14 2005 Subject: [SC-Help] Re: Spam "from" reserved netblocks In-Reply-To: References: <11ff4vinnokeh$.dlg@news.spamcop.net> <1a4zkhqq1md8h.dlg@news.spamcop.net> Message-ID: John Richards wrote: > Is it possible to have multiple mailhosts/ multiple mail services under > one spamcop reporting account? Yes. I currently have 5 set up on a single Spamcop account. -- Evidence shows Cyveillance abuse internet resources. I recommend unchecking their box in SpamCop reports. Cyveillance are part of the problem. They are not part of the solution. From MikeE at ster.invalid Sat Jul 9 06:22:23 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat Jul 9 08:25:02 2005 Subject: [SC-Help] Re: Spam "from" reserved netblocks References: Message-ID: Sean Sowell wrote: > Geoff Lane wrote in >> Cracked it - I successfully submitted the config confirmation >> messages by saving as .eml files and sending as attachments. One >> down, seven to go :) Let us disregard Geoff's problems with the mailhost configuration which he solved by using .eml attachments. Geoff was using The Bat, not OE and it appears that his problem was some currently unexplained change in the formatting of the Special Codes section. That is, talking about Geoff's problem which he has resolved in his own way already isn't going to help with Sean's problem -- but rather cause confusion. > I've been reading along and also set up mailhosts earlier today, but > SpamCop wouldn't let me forward my account configuration emails as > attachments. Below is the full message source of the returned > message, with a few things [munged] for obvious reasons. Forwarding as attachment [using the menu selection, not an 'artificial' multistep save as .eml, then Insert/ File attachment] from OE should be working properly. Traditionally SC's ability to handle OE's 'forward as attachment' function has been very reliable. > Instead I ended up copying and pasting each message source to the top > window on the http://www.spamcop.net/mcgi?action=mhreturn screen. > The questions remain though: Solving a problem for the mailhost configuration should be a very separate issue from everyday submissions to the parser by email. If I'm hearing you correctly, that mailhost configuration issue has been solved with your own pasting strategy -- so let's don't talk about your mailhost configuration problem any more. No talking about Geoff's mailhost config problem; no talking about Sean's mailhost config problem at the same time we are talking about Sean trying to submit spams to the parser. Let us now focus on submitting spams to the parser with Sean's OE by forwarding as attachments using the menu selection 'forward as attachment' only. > 1. Why don't my .eml attachments go through? I recommend to use your forward as attachment function as opposed to saving an item as .eml and inserting it as an attachment. If forwarding as attachment isn't working correctly, there are some 'tricks' to troubleshooting that here using forwarding to self and posting the result into the newsgroup spamcop.spam. > 2. Do I really have to zip up my .eml files if I want to submit them > that way going forward? No. > 3. If so, is there a limit to the number of spamples in each zip > file, or to the total size of each zip file? Forget about zipping. That is some kind of server message which doesn't apply to our current goal. There is no faq information about zipping spams for submission to spamcop. > Geoff seems to be using Outlook Express like I am, since his email > files end with ".eml". I'm running OE 6.00.2800.1123 under Win2K SP4. Geoff has corrected that assumption. Solving your OE problems /should/ be easy. I'm understanding that you had some problems configuring your mailhosts but your mailhost is configured and now all we need to talk about is troubleshooting problems submitting spams. That shouldn't be a big problem. > FYI, when I first signed up with SpamCop on May 25th I got the same > error messages trying to submit my first few spamples as attachments. Let's focus on solving that problem. > Since then I've been copying and pasting full message sources into > new messages and sending them to my personal reporting address. That > method, though, is rather slow and I'd very much like to forward my > submissions as attachments. Yes. > Also, even though it probably doesn't relate to this situation, > earlier today I switched from mole to regular reporting status. > > Before posting here, I searched forum.spamcop.net for "recent viruses > or other malware", a string that appears in the autoreply message > pasted in below.. I reviewed topics 2188, 3696 and 4046 but they did > not answer my questions. (No, the message does not contain a virus; > it is plain text directly from SpamCop.) I also searched > news.spamcop.net for the same string but nothing came back. The FAQ > does not appear to address this issue. Also, there seems not to be > any way to search the spamcop-help or spamcop-list mail archives. > > So, here I am! Hopefully someone with sharper eyes can solve this > mystery ... ? > A message that you sent could not be delivered to one or more of its > recipients. This is a permanent error. The following address(es) > failed: > > mhconf.[munge]@cmds.spamcop.net That problem above is about configuration of hosts. Let's don't talk about it. Let's only talk about problems with submitting spams to the parser and any errors which arise from normal menu selected 'forward as attachment' and let's don't be saving the spam as .eml files and let's don't be zipping anything up. -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Sat Jul 9 06:36:05 2005 From: nobody at spamcop.net (N. Miller) Date: Sat Jul 9 08:40:03 2005 Subject: [SC-Help] Re: Spam "from" reserved netblocks References: Message-ID: <1uxl6h6ldol25$.dlg@news.spamcop.net> On Fri, 8 Jul 2005 22:09:16 -0700, John Richards wrote: > WazoO wrote: >> "Geoff Lane" wrote in message >> news:Xns968D89CCA7630gjctcswxnsrt@216.154.195.61... >>> >>> BTW, I can't quite get my head around mailhosts configuration. I have >>> potentially an unlimited number of e-mail accounts with a catch-all >>> mailbox for each of several domains. AFAICT, you have to configure every >>> email address - and that's something I can't do because there are far >>> too many fo them. Also, I have intermediate servers between my MUA and >>> my ISP's servers, which you can see from the report referenced above. >> >> Though it's ticked off many, primary support for the MailHost >> Configuration of a reporting account is found at >> http://forum.spamcop.net/forums/index.php?showforum=7 >> per Julian's original request. >> >> No. it's not "per address" ... it's the "host" part that's >> the deal in question. > > So, one would need a separate SpamCop account for each different > mailhost? That could get very unwieldy and unworkable. Not at all. I have one SpamCop account with several mailhosts configured. Yahoo!, SBC, GMail, Dark Horse Comics, Juno mail, etc., etc., -- Norman ~Shine, bright morning light, ~now in the air the spring is coming. ~Sweet, blowing wind, ~singing down the hills and valleys. From sean at twin-dad.com Sat Jul 9 11:11:34 2005 From: sean at twin-dad.com (Sean Sowell) Date: Sat Jul 9 13:15:12 2005 Subject: [SC-Help] Re: Spam "from" reserved netblocks References: Message-ID: Mike Easter replied: > Sean Sowell wrote: ... > > I've been reading along and also set up mailhosts earlier today, but > > SpamCop wouldn't let me forward my account configuration emails as > > attachments. Below is the full message source of the returned > > message, with a few things [munged] for obvious reasons. > > Forwarding as attachment [using the menu selection, not an 'artificial' > multistep save as .eml, then Insert/ File attachment] from OE should be > working properly. Traditionally SC's ability to handle OE's 'forward as > attachment' function has been very reliable. ... OK, take two. I tried it this way as well and it does not work either. I selected the twenty spamples that SpamAssassin did not catch in the past 48 hours, right-clicked and chose the menu item 'Forward as Attachment', just as you instructed. I did not add a subject or anything to the message body. I just sent it striaght off to SpamCop at 0916 Pacific time. But I received a nearly identical rejection message almost immediately. It is pasted in below, except that I removed all but the first spample from the end. ... > > 1. Why don't my .eml attachments go through? > > I recommend to use your forward as attachment function as opposed to > saving an item as .eml and inserting it as an attachment. If forwarding > as attachment isn't working correctly, there are some 'tricks' to > troubleshooting that here using forwarding to self and posting the > result into the newsgroup spamcop.spam. ... No, it still doesn't work. If you could check ahead to see what might be going wrong, I'd appreciate it. The first sample is the failed submission to my personal reporting address. The second sample (also separated by "=====") is the one that I forwarded to myself the same way a few minutes ago, as you suggested above. I also excerpted it to keep only the first of the twenty spamples. It appears that my host's server is not letting me send emails out with ".eml" attachments. If my interpretation is correct, what should I explain to Hostgator about what I'm doing, so they'll be persuaded to let me send such attachments to SpamCop? Or, what further steps do I need to take to troubleshoot the problem? Thanks again, Sean S. ===== Return-path: <> Envelope-to: [munge]@twin-dad.com Delivery-date: Sat, 09 Jul 2005 11:16:21 -0500 Received: from sojs by gator16.hostgator.com with local-bsmtp (Exim 4.50) id 1DrI02-0002kt-7n for [munge]@twin-dad.com; Sat, 09 Jul 2005 11:16:21 -0500 Received: from mailnull by gator16.hostgator.com with local (Exim 4.50) id 1DrI02-00087i-2Q for [munge]@twin-dad.com; Sat, 09 Jul 2005 11:16:18 -0500 X-Failed-Recipients: submit.[munge]@spam.spamcop.net Auto-Submitted: auto-generated From: Mail Delivery System To: [munge]@twin-dad.com Subject: Mail delivery failed: returning message to sender Message-Id: Date: Sat, 09 Jul 2005 11:16:18 -0500 X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on gator16.hostgator.com X-Spam-Level: * X-Spam-Status: No, score=1.8 required=5.0 tests=ALL_TRUSTED,AWL,BAYES_00, UPPERCASE_25_50,URIBL_AB_SURBL,URIBL_JP_SURBL,URIBL_OB_SURBL, URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL autolearn=no version=3.0.4 This message was created automatically by mail delivery software. A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed: submit.[munge]@spam.spamcop.net This message has been rejected because it has a potentially executable attachment "Scoring houses - the easy way!.eml" This form of attachment has been used by recent viruses or other malware. If you meant to send this file then please package it up as a zip file and resend it. ------ This is a copy of the message, including all the headers. ------ ------ The body of the message is 150153 characters long; only the first ------ 106496 or so are included here. Return-path: <[munge]@twin-dad.com> Received: from c-24-4-31-126.hsd1.ca.comcast.net ([24.4.31.126]:1609 helo=hq02) by gator16.hostgator.com with esmtpa (Exim 4.50) id 1DrHzy-000744-TC for submit.[munge]@spam.spamcop.net; Sat, 09 Jul 2005 11:16:18 -0500 Message-ID: <00ce01c584a1$8a5deea0$9a0fa8c0@hq02> Reply-To: "Sean Sowell" <[munge]@twin-dad.com> From: "Sean Sowell" <[munge]@twin-dad.com> To: "##spamcop-report" Subject: Date: Sat, 9 Jul 2005 09:16:15 -0700 Organization: twin-dad.com MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_NextPart_000_00CB_01C58466.DB75ACA0" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1506 Disposition-Notification-To: "Sean Sowell" <[munge]@twin-dad.com> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1506 This is a multi-part message in MIME format. ------=_NextPart_000_00CB_01C58466.DB75ACA0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit ------=_NextPart_000_00CB_01C58466.DB75ACA0 Content-Type: message/rfc822; name="Scoring houses - the easy way!.eml" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="Scoring houses - the easy way!.eml" Return-path: Envelope-to: [munge]@twin-dad.com Delivery-date: Thu, 07 Jul 2005 17:01:15 -0500 Received: from sojs by gator16.hostgator.com with local-bsmtp (Exim 4.50) id 1DqeQi-0007uQ-Tj for [munge]@twin-dad.com; Thu, 07 Jul 2005 17:01:15 -0500 Received: from outboundmail.realty01.net ([66.181.198.102]:33698) by gator16.hostgator.com with esmtp (Exim 4.50) id 1DqeQi-0007WO-Nz for [munge]@twin-dad.com; Thu, 07 Jul 2005 17:01:12 -0500 To: [munge]@twin-dad.com From: "Realty Ease" Subject: Scoring houses - the easy way! Reply-To: "Realty Ease" Date: Thu, 7 Jul 2005 18:01:20 -0400 Message-Id: > MIME-Version: 1.0 Content-type: text/plain X-Priority: 3 (Normal) X-MSMail-Priority: Normal Importance: Normal X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on gator16.hostgator.com X-Spam-Level: ** X-Spam-Status: No, score=2.2 required=5.0 tests=BAYES_50,INVALID_MSGID, MISSING_MIMEOLE,PRIORITY_NO_NAME autolearn=no version=3.0.4 Dear Sean Sowell, Imagine owning a brand new home at a discounted price, that someone else locates for you, then rent them to people which they supply as rent to own, and you basically sit back and get wealthy doing it! Oh, maybe this will help even more...there's no charge! You really should have a look at this: http://realty01.net/eckkLkjZZMgA19hBSpO/388/37/index.php?p=b52rb3 Best Wishes, The Realty Staff J.P.Corp. P.O.B. 859 Norwalk, CT. 06856 If you would like to unsubscribe, please click here: http://realty01.net/optout.aspx?cid=388&ec=eckkLkjZZMgA19hBSpO ------=_NextPart_000_00CB_01C58466.DB75ACA0 ===== Return-path: <> Envelope-to: [munge]@twin-dad.com Delivery-date: Sat, 09 Jul 2005 11:56:23 -0500 Received: from sojs by gator16.hostgator.com with local-bsmtp (Exim 4.50) id 1DrIcX-0007XC-Qc for [munge]@twin-dad.com; Sat, 09 Jul 2005 11:56:23 -0500 Received: from mailnull by gator16.hostgator.com with local (Exim 4.50) id 1DrIcX-0005pm-MV for [munge]@twin-dad.com; Sat, 09 Jul 2005 11:56:05 -0500 X-Failed-Recipients: [munge]@twin-dad.com Auto-Submitted: auto-generated From: Mail Delivery System To: [munge]@twin-dad.com Subject: Mail delivery failed: returning message to sender Message-Id: Date: Sat, 09 Jul 2005 11:56:05 -0500 X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on gator16.hostgator.com X-Spam-Level: * X-Spam-Status: No, score=1.1 required=5.0 tests=ALL_TRUSTED,AWL,BAYES_00, UPPERCASE_25_50,URIBL_AB_SURBL,URIBL_JP_SURBL,URIBL_OB_SURBL, URIBL_SBL,URIBL_SC_SURBL autolearn=no version=3.0.4 This message was created automatically by mail delivery software. A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed: [munge]@twin-dad.com This message has been rejected because it has a potentially executable attachment "Scoring houses - the easy way!.eml" This form of attachment has been used by recent viruses or other malware. If you meant to send this file then please package it up as a zip file and resend it. ------ This is a copy of the message, including all the headers. ------ ------ The body of the message is 150153 characters long; only the first ------ 106496 or so are included here. Return-path: <[munge]@twin-dad.com> Received: from c-24-4-31-126.hsd1.ca.comcast.net ([24.4.31.126]:1650 helo=hq02) by gator16.hostgator.com with esmtpa (Exim 4.50) id 1DrIcU-0007AE-H8 for [munge]@twin-dad.com; Sat, 09 Jul 2005 11:56:05 -0500 Message-ID: <016501c584a7$19ae37e0$9a0fa8c0@hq02> Reply-To: "Sean Sowell" <[munge]@twin-dad.com> From: "Sean Sowell" <[munge]@twin-dad.com> To: "Sean Sowell" <[munge]@twin-dad.com> Subject: Date: Sat, 9 Jul 2005 09:56:03 -0700 Organization: twin-dad.com MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_NextPart_000_0162_01C5846C.6AD3B180" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1506 Disposition-Notification-To: "Sean Sowell" <[munge]@twin-dad.com> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1506 This is a multi-part message in MIME format. ------=_NextPart_000_0162_01C5846C.6AD3B180 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit ------=_NextPart_000_0162_01C5846C.6AD3B180 Content-Type: message/rfc822; name="Scoring houses - the easy way!.eml" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="Scoring houses - the easy way!.eml" Return-path: Envelope-to: [munge]@twin-dad.com Delivery-date: Thu, 07 Jul 2005 17:01:15 -0500 Received: from sojs by gator16.hostgator.com with local-bsmtp (Exim 4.50) id 1DqeQi-0007uQ-Tj for [munge]@twin-dad.com; Thu, 07 Jul 2005 17:01:15 -0500 Received: from outboundmail.realty01.net ([66.181.198.102]:33698) by gator16.hostgator.com with esmtp (Exim 4.50) id 1DqeQi-0007WO-Nz for [munge]@twin-dad.com; Thu, 07 Jul 2005 17:01:12 -0500 To: [munge]@twin-dad.com From: "Realty Ease" Subject: Scoring houses - the easy way! Reply-To: "Realty Ease" Date: Thu, 7 Jul 2005 18:01:20 -0400 Message-Id: > MIME-Version: 1.0 Content-type: text/plain X-Priority: 3 (Normal) X-MSMail-Priority: Normal Importance: Normal X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on gator16.hostgator.com X-Spam-Level: ** X-Spam-Status: No, score=2.2 required=5.0 tests=BAYES_50,INVALID_MSGID, MISSING_MIMEOLE,PRIORITY_NO_NAME autolearn=no version=3.0.4 Dear Sean Sowell, Imagine owning a brand new home at a discounted price, that someone else locates for you, then rent them to people which they supply as rent to own, and you basically sit back and get wealthy doing it! Oh, maybe this will help even more...there's no charge! You really should have a look at this: http://realty01.net/eckkLkjZZMgA19hBSpO/388/37/index.php?p=b52rb3 Best Wishes, The Realty Staff J.P.Corp. P.O.B. 859 Norwalk, CT. 06856 If you would like to unsubscribe, please click here: http://realty01.net/optout.aspx?cid=388&ec=eckkLkjZZMgA19hBSpO ------=_NextPart_000_0162_01C5846C.6AD3B180 From sean at twin-dad.com Sat Jul 9 19:36:52 2005 From: sean at twin-dad.com (Sean Sowell) Date: Sat Jul 9 21:40:03 2005 Subject: [SC-Help] Inability to "forward as attachment" [was Re: Spam "from" reserved netblocks] References: Message-ID: Haven't heard back yet, and I realized I should probably clarify for Mike Easter or anyone else who is trying to figure this out... I sent both batches (excerpted below) this morning, at 9:16 and at 9:56 Pacific time. Each rejection message also came back at the same times - 9:16 and 9:56. Hopefully that missing detail wasn't preventing anyone from troubleshooting why I can't "forward as attachment". Thanks again for looking into this ~ Sean Sowell replied: > Mike Easter replied: > > Sean Sowell wrote: > ... > > > I've been reading along and also set up mailhosts earlier today, but > > > SpamCop wouldn't let me forward my account configuration emails as > > > attachments. Below is the full message source of the returned > > > message, with a few things [munged] for obvious reasons. > > > > Forwarding as attachment [using the menu selection, not an 'artificial' > > multistep save as .eml, then Insert/ File attachment] from OE should be > > working properly. Traditionally SC's ability to handle OE's 'forward as > > attachment' function has been very reliable. > ... > OK, take two. I tried it this way as well and it does not work either. I > selected the twenty spamples that SpamAssassin did not catch in the past 48 > hours, right-clicked and chose the menu item 'Forward as Attachment', just > as you instructed. I did not add a subject or anything to the message body. > I just sent it striaght off to SpamCop at 0916 Pacific time. But I received > a nearly identical rejection message almost immediately. It is pasted in > below, except that I removed all but the first spample from the end. > ... > > > 1. Why don't my .eml attachments go through? > > > > I recommend to use your forward as attachment function as opposed to > > saving an item as .eml and inserting it as an attachment. If forwarding > > as attachment isn't working correctly, there are some 'tricks' to > > troubleshooting that here using forwarding to self and posting the > > result into the newsgroup spamcop.spam. > ... > > No, it still doesn't work. If you could check ahead to see what might be > going wrong, I'd appreciate it. The first sample is the failed submission > to my personal reporting address. > > The second sample (also separated by "=====") is the one that I forwarded to > myself the same way a few minutes ago, as you suggested above. I also > excerpted it to keep only the first of the twenty spamples. > > It appears that my host's server is not letting me send emails out with > ".eml" attachments. If my interpretation is correct, what should I explain > to Hostgator about what I'm doing, so they'll be persuaded to let me send > such attachments to SpamCop? Or, what further steps do I need to take to > troubleshoot the problem? > > Thanks again, > > Sean S. > > ===== > > Return-path: <> > Envelope-to: [munge]@twin-dad.com > Delivery-date: Sat, 09 Jul 2005 11:16:21 -0500 > Received: from sojs by gator16.hostgator.com with local-bsmtp (Exim 4.50) > id 1DrI02-0002kt-7n > for [munge]@twin-dad.com; Sat, 09 Jul 2005 11:16:21 -0500 > Received: from mailnull by gator16.hostgator.com with local (Exim 4.50) > id 1DrI02-00087i-2Q > for [munge]@twin-dad.com; Sat, 09 Jul 2005 11:16:18 -0500 > X-Failed-Recipients: submit.[munge]@spam.spamcop.net > Auto-Submitted: auto-generated > From: Mail Delivery System > To: [munge]@twin-dad.com > Subject: Mail delivery failed: returning message to sender > Message-Id: > Date: Sat, 09 Jul 2005 11:16:18 -0500 > X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on > gator16.hostgator.com > X-Spam-Level: * > X-Spam-Status: No, score=1.8 required=5.0 tests=ALL_TRUSTED,AWL,BAYES_00, > UPPERCASE_25_50,URIBL_AB_SURBL,URIBL_JP_SURBL,URIBL_OB_SURBL, > URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL autolearn=no version=3.0.4 > > This message was created automatically by mail delivery software. > > A message that you sent could not be delivered to one or more of its > recipients. This is a permanent error. The following address(es) failed: > > submit.[munge]@spam.spamcop.net > This message has been rejected because it has > a potentially executable attachment "Scoring houses - the easy way!.eml" > This form of attachment has been used by > recent viruses or other malware. > If you meant to send this file then please > package it up as a zip file and resend it. > > ------ This is a copy of the message, including all the headers. ------ > ------ The body of the message is 150153 characters long; only the first > ------ 106496 or so are included here. > > Return-path: <[munge]@twin-dad.com> > Received: from c-24-4-31-126.hsd1.ca.comcast.net ([24.4.31.126]:1609 > helo=hq02) > by gator16.hostgator.com with esmtpa (Exim 4.50) > id 1DrHzy-000744-TC > for submit.[munge]@spam.spamcop.net; Sat, 09 Jul 2005 11:16:18 -0500 > Message-ID: <00ce01c584a1$8a5deea0$9a0fa8c0@hq02> > Reply-To: "Sean Sowell" <[munge]@twin-dad.com> > From: "Sean Sowell" <[munge]@twin-dad.com> > To: "##spamcop-report" > Subject: > Date: Sat, 9 Jul 2005 09:16:15 -0700 > Organization: twin-dad.com > MIME-Version: 1.0 > Content-Type: multipart/mixed; > boundary="----=_NextPart_000_00CB_01C58466.DB75ACA0" > X-Priority: 3 > X-MSMail-Priority: Normal > X-Mailer: Microsoft Outlook Express 6.00.2800.1506 > Disposition-Notification-To: "Sean Sowell" <[munge]@twin-dad.com> > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1506 > > This is a multi-part message in MIME format. > > ------=_NextPart_000_00CB_01C58466.DB75ACA0 > Content-Type: text/plain; > charset="iso-8859-1" > Content-Transfer-Encoding: 7bit > > > ------=_NextPart_000_00CB_01C58466.DB75ACA0 > Content-Type: message/rfc822; > name="Scoring houses - the easy way!.eml" > Content-Transfer-Encoding: 7bit > Content-Disposition: attachment; > filename="Scoring houses - the easy way!.eml" > > Return-path: > Envelope-to: [munge]@twin-dad.com > Delivery-date: Thu, 07 Jul 2005 17:01:15 -0500 > Received: from sojs by gator16.hostgator.com with local-bsmtp (Exim 4.50) > id 1DqeQi-0007uQ-Tj > for [munge]@twin-dad.com; Thu, 07 Jul 2005 17:01:15 -0500 > Received: from outboundmail.realty01.net ([66.181.198.102]:33698) > by gator16.hostgator.com with esmtp (Exim 4.50) > id 1DqeQi-0007WO-Nz > for [munge]@twin-dad.com; Thu, 07 Jul 2005 17:01:12 -0500 > To: [munge]@twin-dad.com > From: "Realty Ease" > Subject: Scoring houses - the easy way! > Reply-To: "Realty Ease" > > Date: Thu, 7 Jul 2005 18:01:20 -0400 > Message-Id: > > > MIME-Version: 1.0 > Content-type: text/plain > X-Priority: 3 (Normal) > X-MSMail-Priority: Normal > Importance: Normal > X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on > gator16.hostgator.com > X-Spam-Level: ** > X-Spam-Status: No, score=2.2 required=5.0 tests=BAYES_50,INVALID_MSGID, > MISSING_MIMEOLE,PRIORITY_NO_NAME autolearn=no version=3.0.4 > > Dear Sean Sowell, > > Imagine owning a brand new home at a discounted price, that someone else > locates for you, then rent them to people which they supply as rent to own, > and you basically sit back and get wealthy doing it! > > Oh, maybe this will help even more...there's no charge! > > You really should have a look at this: > http://realty01.net/eckkLkjZZMgA19hBSpO/388/37/index.php?p=b52rb3 > > > Best Wishes, > > The Realty Staff > > > > > > > > J.P.Corp. > P.O.B. 859 > Norwalk, CT. 06856 > > > > If you would like to unsubscribe, please click here: > http://realty01.net/optout.aspx?cid=388&ec=eckkLkjZZMgA19hBSpO > > > ------=_NextPart_000_00CB_01C58466.DB75ACA0 > > ===== > > Return-path: <> > Envelope-to: [munge]@twin-dad.com > Delivery-date: Sat, 09 Jul 2005 11:56:23 -0500 > Received: from sojs by gator16.hostgator.com with local-bsmtp (Exim 4.50) > id 1DrIcX-0007XC-Qc > for [munge]@twin-dad.com; Sat, 09 Jul 2005 11:56:23 -0500 > Received: from mailnull by gator16.hostgator.com with local (Exim 4.50) > id 1DrIcX-0005pm-MV > for [munge]@twin-dad.com; Sat, 09 Jul 2005 11:56:05 -0500 > X-Failed-Recipients: [munge]@twin-dad.com > Auto-Submitted: auto-generated > From: Mail Delivery System > To: [munge]@twin-dad.com > Subject: Mail delivery failed: returning message to sender > Message-Id: > Date: Sat, 09 Jul 2005 11:56:05 -0500 > X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on > gator16.hostgator.com > X-Spam-Level: * > X-Spam-Status: No, score=1.1 required=5.0 tests=ALL_TRUSTED,AWL,BAYES_00, > UPPERCASE_25_50,URIBL_AB_SURBL,URIBL_JP_SURBL,URIBL_OB_SURBL, > URIBL_SBL,URIBL_SC_SURBL autolearn=no version=3.0.4 > > This message was created automatically by mail delivery software. > > A message that you sent could not be delivered to one or more of its > recipients. This is a permanent error. The following address(es) failed: > > [munge]@twin-dad.com > This message has been rejected because it has > a potentially executable attachment "Scoring houses - the easy way!.eml" > This form of attachment has been used by > recent viruses or other malware. > If you meant to send this file then please > package it up as a zip file and resend it. > > ------ This is a copy of the message, including all the headers. ------ > ------ The body of the message is 150153 characters long; only the first > ------ 106496 or so are included here. > > Return-path: <[munge]@twin-dad.com> > Received: from c-24-4-31-126.hsd1.ca.comcast.net ([24.4.31.126]:1650 > helo=hq02) > by gator16.hostgator.com with esmtpa (Exim 4.50) > id 1DrIcU-0007AE-H8 > for [munge]@twin-dad.com; Sat, 09 Jul 2005 11:56:05 -0500 > Message-ID: <016501c584a7$19ae37e0$9a0fa8c0@hq02> > Reply-To: "Sean Sowell" <[munge]@twin-dad.com> > From: "Sean Sowell" <[munge]@twin-dad.com> > To: "Sean Sowell" <[munge]@twin-dad.com> > Subject: > Date: Sat, 9 Jul 2005 09:56:03 -0700 > Organization: twin-dad.com > MIME-Version: 1.0 > Content-Type: multipart/mixed; > boundary="----=_NextPart_000_0162_01C5846C.6AD3B180" > X-Priority: 3 > X-MSMail-Priority: Normal > X-Mailer: Microsoft Outlook Express 6.00.2800.1506 > Disposition-Notification-To: "Sean Sowell" <[munge]@twin-dad.com> > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1506 > > This is a multi-part message in MIME format. > > ------=_NextPart_000_0162_01C5846C.6AD3B180 > Content-Type: text/plain; > charset="iso-8859-1" > Content-Transfer-Encoding: 7bit > > > ------=_NextPart_000_0162_01C5846C.6AD3B180 > Content-Type: message/rfc822; > name="Scoring houses - the easy way!.eml" > Content-Transfer-Encoding: 7bit > Content-Disposition: attachment; > filename="Scoring houses - the easy way!.eml" > > Return-path: > Envelope-to: [munge]@twin-dad.com > Delivery-date: Thu, 07 Jul 2005 17:01:15 -0500 > Received: from sojs by gator16.hostgator.com with local-bsmtp (Exim 4.50) > id 1DqeQi-0007uQ-Tj > for [munge]@twin-dad.com; Thu, 07 Jul 2005 17:01:15 -0500 > Received: from outboundmail.realty01.net ([66.181.198.102]:33698) > by gator16.hostgator.com with esmtp (Exim 4.50) > id 1DqeQi-0007WO-Nz > for [munge]@twin-dad.com; Thu, 07 Jul 2005 17:01:12 -0500 > To: [munge]@twin-dad.com > From: "Realty Ease" > Subject: Scoring houses - the easy way! > Reply-To: "Realty Ease" > > Date: Thu, 7 Jul 2005 18:01:20 -0400 > Message-Id: > > > MIME-Version: 1.0 > Content-type: text/plain > X-Priority: 3 (Normal) > X-MSMail-Priority: Normal > Importance: Normal > X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on > gator16.hostgator.com > X-Spam-Level: ** > X-Spam-Status: No, score=2.2 required=5.0 tests=BAYES_50,INVALID_MSGID, > MISSING_MIMEOLE,PRIORITY_NO_NAME autolearn=no version=3.0.4 > > Dear Sean Sowell, > > Imagine owning a brand new home at a discounted price, that someone else > locates for you, then rent them to people which they supply as rent to own, > and you basically sit back and get wealthy doing it! > > Oh, maybe this will help even more...there's no charge! > > You really should have a look at this: > http://realty01.net/eckkLkjZZMgA19hBSpO/388/37/index.php?p=b52rb3 > > > Best Wishes, > > The Realty Staff > > > > > > > > J.P.Corp. > P.O.B. 859 > Norwalk, CT. 06856 > > > > If you would like to unsubscribe, please click here: > http://realty01.net/optout.aspx?cid=388&ec=eckkLkjZZMgA19hBSpO > > > ------=_NextPart_000_0162_01C5846C.6AD3B180 > > From nobody at spamcop.net Sat Jul 9 20:26:15 2005 From: nobody at spamcop.net (N. Miller) Date: Sat Jul 9 22:30:03 2005 Subject: [SC-Help] Re: Spam "from" reserved netblocks References: Message-ID: <9alh3lx0rrkw.dlg@news.spamcop.net> On Sat, 9 Jul 2005 10:11:34 -0700, Sean Sowell wrote: > OK, take two. I tried it this way as well and it does not work either. I > selected the twenty spamples that SpamAssassin did not catch in the past 48 > hours, right-clicked and chose the menu item 'Forward as Attachment', just > as you instructed. I did not add a subject or anything to the message body. > I just sent it striaght off to SpamCop at 0916 Pacific time. But I received > a nearly identical rejection message almost immediately. It is pasted in > below, except that I removed all but the first spample from the end. > ... >>> 1. Why don't my .eml attachments go through? >> >> I recommend to use your forward as attachment function as opposed to >> saving an item as .eml and inserting it as an attachment. If forwarding >> as attachment isn't working correctly, there are some 'tricks' to >> troubleshooting that here using forwarding to self and posting the >> result into the newsgroup spamcop.spam. > ... > > No, it still doesn't work. If you could check ahead to see what might be > going wrong, I'd appreciate it. The first sample is the failed submission > to my personal reporting address. > This message was created automatically by mail delivery software. > > A message that you sent could not be delivered to one or more of its > recipients. This is a permanent error. The following address(es) failed: > > submit.[munge]@spam.spamcop.net > This message has been rejected because it has > a potentially executable attachment "Scoring houses - the easy way!.eml" > This form of attachment has been used by > recent viruses or other malware. > If you meant to send this file then please > package it up as a zip file and resend it. It says to zip it. Did you try zipping it? -- Norman ~Shine, bright morning light, ~now in the air the spring is coming. ~Sweet, blowing wind, ~singing down the hills and valleys. From nttp.sc.sh at bigsleep.org Sun Jul 10 03:26:24 2005 From: nttp.sc.sh at bigsleep.org (Blammo) Date: Sat Jul 9 22:30:08 2005 Subject: [SC-Help] Re: Spam "from" reserved netblocks References: Message-ID: On 09 Jul 2005 Sean Sowell entered spamcop.help and left news:dap0g7$7h8$1@news.spamcop.net: > This message has been rejected because it has > a potentially executable attachment "Scoring houses - the easy > way!.eml" This form of attachment has been used by > recent viruses or other malware. > If you meant to send this file then please > package it up as a zip file and resend it. > Your idiotic ISP is rejecting that with a "virus filter", which is checking the message body for the line 'file*="*.eml"'. You can test this by simply sending a message with a single line exactly: file=.eml or maybe name=.eml You might have to adjust that a little, but the line must end with .eml or .eml" I bitched to an ISP that was rejecting eMails with a line like: Content-Type: message/rfc822; name=".com" or or even in your case this might bounce: Go to www.hostgator.com This is probably from a very old filter rule that is outdated and doesn't bother to check for a mime header, as "Content-Type: message/rfc822;" is certainly not an executable attachment. What's even worse is that they are sending bounces because of this, which proves they are completely brain-dead. -- | Ric | From MikeE at ster.invalid Sat Jul 9 21:28:54 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat Jul 9 23:30:03 2005 Subject: [SC-Help] Re: Spam "from" reserved netblocks References: Message-ID: Blammo wrote: > Sean Sowell >> This message has been rejected because it has >> a potentially executable attachment > Your idiotic ISP is rejecting that with a "virus filter", which is > checking the message body for the line 'file*="*.eml"'. Ric has nailed it. The problem is with your provider doing a dumb*ss outgoing 'filtering' strategy based on your attaching .eml for your submit spam emails.. Unless something changes about their configuration for you, you can forget about forwarding spam as an attachment for submitting to spamcop. You will either have to forget about submitting spam to spamcop altogether or submit spam 'one at a time' into the websparser. Or change providers. :-) -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sat Jul 9 21:31:46 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat Jul 9 23:35:03 2005 Subject: [SC-Help] Re: Inability to "forward as attachment" [was Re: Spam "from" reserved netblocks] References: Message-ID: Sean Sowell wrote: > Haven't heard back yet, and I realized I should probably clarify for > Mike Easter or anyone else who is trying to figure this out... I was gone for the day. See my other note. Your problem is that your mail provider is screwing your SC submissions over, as Ric has accurately assessed. As things currently stand, you are dead in the water about submitting anything to anything that consists of an .eml attachment because that is prohibited by your provider's configuration. -- Mike Easter kibitzer, not SC admin From jr70 at blackhole.invalid Sat Jul 9 22:12:50 2005 From: jr70 at blackhole.invalid (John Richards) Date: Sun Jul 10 00:15:03 2005 Subject: [SC-Help] Re: Spam "from" reserved netblocks References: <9alh3lx0rrkw.dlg@news.spamcop.net> Message-ID: N. Miller wrote: > On Sat, 9 Jul 2005 10:11:34 -0700, Sean Sowell wrote: > >> OK, take two. I tried it this way as well and it does not work either. I >> selected the twenty spamples that SpamAssassin did not catch in the past 48 >> hours, right-clicked and chose the menu item 'Forward as Attachment', just >> as you instructed. I did not add a subject or anything to the message body. >> I just sent it striaght off to SpamCop at 0916 Pacific time. But I received >> a nearly identical rejection message almost immediately. It is pasted in >> below, except that I removed all but the first spample from the end. >> ... >>>> 1. Why don't my .eml attachments go through? >>> >>> I recommend to use your forward as attachment function as opposed to >>> saving an item as .eml and inserting it as an attachment. If forwarding >>> as attachment isn't working correctly, there are some 'tricks' to >>> troubleshooting that here using forwarding to self and posting the >>> result into the newsgroup spamcop.spam. >> ... >> >> No, it still doesn't work. If you could check ahead to see what might be >> going wrong, I'd appreciate it. The first sample is the failed submission >> to my personal reporting address. > >> This message was created automatically by mail delivery software. >> >> A message that you sent could not be delivered to one or more of its >> recipients. This is a permanent error. The following address(es) failed: >> >> submit.[munge]@spam.spamcop.net >> This message has been rejected because it has >> a potentially executable attachment "Scoring houses - the easy way!.eml" >> This form of attachment has been used by >> recent viruses or other malware. >> If you meant to send this file then please >> package it up as a zip file and resend it. > > > It says to zip it. Did you try zipping it? What's the point? SpamCop will not accept zipped spam reports. -- John Richards From bar_n0ne at hotmail.com Sun Jul 10 10:35:46 2005 From: bar_n0ne at hotmail.com (Berny) Date: Sun Jul 10 01:40:04 2005 Subject: [SC-Help] Re: Inability to "forward as attachment" [was Re: Spam "from" reserved netblocks] References: Message-ID: "Mike Easter" wrote in message news:daq4qv$29u$1@news.spamcop.net... > Sean Sowell wrote: > > Haven't heard back yet, and I realized I should probably clarify for > > Mike Easter or anyone else who is trying to figure this out... > > I was gone for the day. See my other note. Your problem is that your > mail provider is screwing your SC submissions over, as Ric has > accurately assessed. > > As things currently stand, you are dead in the water about submitting > anything to anything that consists of an .eml attachment because that is > prohibited by your provider's configuration. > > -- > Mike Easter > kibitzer, not SC admin Some ISP's (one of mine for example) forbid in and outbound .eml attachments as possible virus propagations. It seems .eml is also used to identify E(something)MacroLanguage, and a year or 2 ago there was a virus moving around this way disguiused as an Email Attachment. (well, disguised as an attached E-Mail). I forgot what the E stood for If you want to know you can Giggle it. From bar_n0ne at hotmail.com Sun Jul 10 11:11:11 2005 From: bar_n0ne at hotmail.com (Berny) Date: Sun Jul 10 02:15:03 2005 Subject: [SC-Help] Re: Inability to "forward as attachment" [was Re: Spam "from" reserved netblocks] References: Message-ID: "Blammo" wrote in message news:Xns968EE9A38E501blammo@216.154.195.61... > On 09 Jul 2005 Berny entered spamcop.help and left > news:daqc3k$66m$1@news.spamcop.net: > > > Some ISP's (one of mine for example) forbid in and outbound .eml > > attachments as possible virus propagations. It seems .eml is also used > > to identify E(something)MacroLanguage > > I guarantee that will never, ever infect my computer. I don't put up for > ISPs doing stupid shit like that. > I'm sorry if I sound offensive, but I'm leaving an ISP I've had for 9 years > because of this, and really only because they respond like morons. > > -- > | Ric > | In this case it is my employer. From Ilgaz at spamcop.net Sun Jul 10 16:45:00 2005 From: Ilgaz at spamcop.net (Ilgaz Ocal) Date: Sun Jul 10 08:45:15 2005 Subject: [SC-Help] Re: X-No-Archive: yes and the newsgroup archives References: Message-ID: On 2005-07-06 23:24:41 +0300, "WazoO" said: > Just noting that there is a lot of data being lost due to > usage of this header flag bit. Some threads leave one > wondering what was actually being talked to as there > are Reply's listed with no corresponding previous > entry. I used that header for couple of days until figuring many of people I try to help does not have actual usenet access (from ISP etc) I removed the header, but still it doesn't mean I like Google ; the search engine default I take time to change to yahoo to archive my messages. Well, looks as I better be patient about google for a couple of months. I never understand why they changed the excellent, mature dejanews code to something they use. "Look we code better!'? Well, it clearly failed. " IMHO ". I remember having IBM.net account with their excellent usenet service. Some days I was lazy to launch nntp reader I have and was using dejanews account to post replies etc. It was that good (I bet you know) If you people try to help people etc, you can either mail them or keep that header away. Ilgaz ps: I don't get how a T1 speed running professional mail harvester would get tricked by "NOSPAM" etc but its not the topic now :) From mcwebber at my-deja.com Sun Jul 10 11:01:56 2005 From: mcwebber at my-deja.com (McWebber) Date: Sun Jul 10 10:05:06 2005 Subject: [SC-Help] Re: Spam "from" reserved netblocks References: Message-ID: "Geoff Lane" wrote in message news:Xns968D89CCA7630gjctcswxnsrt@216.154.195.61... > > Although I reported this particular spam (ID = 1463337860), I got the IP > address myself direct from the headers. I submitted the report to > Cyveilance purely to help get the offending IP added to the SBL. Cyveilance is more likely to end up in the SBL before anything you report to them. They're scum. -- McWebber "Richter points to the lack of legal action against his company as proof that he's operating appropriately." Information Week, November 10, 2003 From mcwebber at my-deja.com Sun Jul 10 11:20:56 2005 From: mcwebber at my-deja.com (McWebber) Date: Sun Jul 10 10:20:02 2005 Subject: [SC-Help] Re: Inability to "forward as attachment" [was Re: Spam "from" reserved netblocks] References: Message-ID: "Blammo" wrote in message news:Xns968F3441CCD4blammo@216.154.195.61... > On 09 Jul 2005 Berny entered spamcop.help and left > news:daqe65$75b$1@news.spamcop.net: > > > In this case it is my employer. > > > > Ouch, well, if it's a business server then they can do what they want, as > long as it only effects them of course, but when you are paying for eMail > service you do expect them to deliver it, at least I do. > Read your contract. From mcwebber at my-deja.com Sun Jul 10 11:25:37 2005 From: mcwebber at my-deja.com (McWebber) Date: Sun Jul 10 10:25:02 2005 Subject: [SC-Help] Re: Spam "from" reserved netblocks References: Message-ID: "Geoff Lane" wrote in message news:Xns968DC1B886415gjctcswxnsrt@216.154.195.61... > > AIUI, I have to report to at least one to get SC to register the spam, and > Cyveillance seemed to the be lesser evil (although I do not that you may > not agree with that point of view!) As do many web sites with documentation of Cyveillance being evil. Just google for Cyveillance bot blocking. -- McWebber "Richter points to the lack of legal action against his company as proof that he's operating appropriately." Information Week, November 10, 2003 From hercules at invaliddomain.com Sun Jul 10 00:56:37 2005 From: hercules at invaliddomain.com (hercules) Date: Sun Jul 10 14:00:02 2005 Subject: [SC-Help] Spamcop cannot find obfuscated link Message-ID:


Cl4ick her3e, - no prescr2iption requir4ed!


alarms, and might be watching the progress of some imaginary work-box with St. Pauls upon the lid, the yard-measure in the
he, she, or it, may be - has kept us waiting for a considerable I have been familiar with every stone in the place. If I betray
The sudden exultation with which he slapped me on the knee, and It warnt for long as I felt that; for she was found. I had ony
about the space of a flash of lightning, and then fell down - and My answer was, to pass out at the gate immediately. She made a
year. I think we may safely put it down at that. Well. - Thats
There was a profound silence. After a few moments of painful was quite alone at those times - addressed a letter to me,
a relative, that I could discover, except a sister, who fled to appeared at last - which was not by any means to be relied upon -
this. Its natral in young folk, Masr Davy, when theyre new to a note written in pencil, and headed, in a legal manner, Heep v.
most remarkable circumstance is, that I really dont think he heads, as they looked from water to sky, and muttering to one
4n1o4h4j5s7q2j1i5s6g5b5u1u2l6e6b4i7p8a4t7n9y5s2l3c8t9a8i3u6m7d5t5i3q2f7c8a6z2s4v7q4u2r3q6z9c2r2a4e8d4v8k9k7s3f8w4e7w5q2g6q3w
------=_Part_24988419_16339931.2380759504195-- ------=_Part_27439337_13577171.2140688502451 Content-Type: image/gif; name="Yrumdn.GIF" Content-Transfer-Encoding: base64 Content-ID: <097601c5258f$67dc5ac0$82fed1ae@freebiestuff.com> R0lGODlhMwEVAfcAAAAAAIAAAACAAICAAAAAgIAAgACAgMDAwMDcwKbK8AAAAP///wIXDGDAITKT From MikeE at ster.invalid Sun Jul 10 12:46:44 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Jul 10 14:50:03 2005 Subject: [SC-Help] Re: Spamcop cannot find obfuscated link References: Message-ID: hercules wrote: Date: Sat, 09 Jul 2005 23:56:37 -0600 NNTP-Posting-Date: Sun, 10 Jul 2005 17:57:14 +0000 (UTC) - the way to communicate about a spamcop parsing is to submit the entire spam to the parser and copy the tracking url^1 for pasting here - pasting raw spambodies into the discussion groups spamcop or spamcop.help is frowned on - your clock is set wrong by about 12 hours, generally an AM/PM error. ^1 When you parse a spam in the webparser, this type link appears at the top: Here is your TRACKING URL - it may be saved for future reference: http://www.spamcop.net/sc?id=z784342658zaf2a8423b8d1d1f298851f99205e1c31z If you resubmit the spam you are talking about, you can cancel the report. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sun Jul 10 13:20:41 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Jul 10 15:25:02 2005 Subject: [SC-Help] Re: Spamcop cannot find obfuscated link References: Message-ID: hercules wrote: > Cl4ick her3e, If you feed http://lcumpphqzozb.org.%20.jpgolyt2z5d6lk07dkjycn.lesseecbjga.info#wbqgbyc.org nakedly into the parser, SC cannot resolve it. If you feed that into a websniffer^1, it can't resolve it. If you feed it into NetDemon deobfuscator^2, it will resolve it to a 'dot space dot' configuration which SC also can't resolve and NetDemon can't websniff it as is. http://lcumpphqzozb.org. .jpgolyt2z5d6lk07dkjycn.lesseecbjga.info/ If I then feed NetDemon's dotspacedot deobfuscation into SamSpade's^3 GET console, it /will/ be able to GET from the webserver the 'simplified' url http://lcumpphqzozb.org.jpgolyt2z5d6lk07dkjycn.lesseecbjga.info/ which refers to http://lcumpphqzozb.org.jpgolyt2z5d6lk07dkjycn.lesseecbjga.info/ES001/?affiliate_id=233670&campaign_id=21005 which is where the payload is for the spamvertised pharm site. ^1 http://web-sniffer.net/ ^2 http://www.netdemon.net/tools.html or the netdemon.exe which I use ^3 spade.exe or http://samspade.org/ -- Mike Easter kibitzer, not SC admin From nttp.sc.sh at bigsleep.org Sun Jul 10 22:17:59 2005 From: nttp.sc.sh at bigsleep.org (Blammo) Date: Sun Jul 10 17:20:04 2005 Subject: [SC-Help] Re: Inability to "forward as attachment" [was Re: Spam "from" reserved netblocks] References: Message-ID: On 10 Jul 2005 McWebber entered spamcop.help and left news:daraq8$k2f$1@news.spamcop.net: > Read your contract. > LOL, what, you mean the contract I got 9 years ago when I signed up? They never published no stink'n contract. Contract are for lawyers, I just don't pay them for service they ain't giving me. Americans should quit paying for shoddy service and over-priced goods, I really don't think anyone gives a shit. Or maybe it's "in your contract" huh? -- | Ric | From MikeE at ster.invalid Sun Jul 10 18:16:30 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Jul 10 20:20:02 2005 Subject: [SC-Help] Re: X-No-Archive: yes and the newsgroup archives References: <6733d1dtukbtdrrobp2v6ru5mmd8ginigk@4ax.com> Message-ID: Erik Vastmasd wrote: > Ilgaz Ocal >> "WazoO" >>> Just noting that there is a lot of data being lost due to >>> usage of this header flag bit. Some threads leave one >>> wondering what was actually being talked to as there >>> are Reply's listed with no corresponding previous >>> entry. >> >> I used that header for couple of days until figuring many of people I >> try to help does not have actual usenet access (from ISP etc) >> >> I removed the header, but still it doesn't mean I like Google ; the >> search engine default I take time to change to yahoo to archive my >> messages. Google 'basically' doesn't archive the spamcop newsgroups [except a little bit by accident]. Spamcop's news is *not* Usenet. I call newsservers like spamcop's 'public private newsservers'. Some other categorizers call such newsservers 'Specialized Public NNTP News Servers'. > I still use "X-No-Archive: yes " in my posts and it doesn't mean that > other people won't see my post, because it will still be sent to > Usenet and available to other ISP's and Google etc. Consider what you post to usenet newsgroups to be handled one way by such archivers as google and what you post to spamcop's groups to be handled 'just' by spamcop's newsserver. > I think even > Google will display the post for a relatively short period, but it > means that my posts shouldn't be saved in most archives indefinitely. Correct. For what you post that gets archived by google. Spamcop posts 'mostly' ie almost entirely, don't get archived by google. -- Mike Easter kibitzer, not SC admin From wskrispy at EXCISEoptonline.net Sun Jul 10 22:48:46 2005 From: wskrispy at EXCISEoptonline.net (wskrispy) Date: Sun Jul 10 21:45:03 2005 Subject: [SC-Help] Spamcop failing to detect true originating IP Message-ID: Hiyas. I'm no antispam maven and don't have much ambition to become one, but I've been using the Spamcop website sporadically over the last few months to report a bunch of spams with originating IPs not already in the SC blocking list. About 5 days ago the SC site seems to have changed. Apparently the parser progs are treating my pasted spams differently. I'm using the exact same method (in Thunderbird, View, Message Source, Ctrl-A, Ctrl-C, paste into SC website spam reporting input box), but now all my submissions come back with a message like "No source IP header found - cannot proceed". Most of these spams have spoofed senders but the real originating IP is plain to see in the second block of headers. Why is SC suddenly unable, or suddenly unwilling, to see them? I quickly set up Mailhosts just now but the problem remains. I guess I'll have to read more to see if my Mailhosts setup is correct, but like I said I don't plan to get too deep into this. I'm on vacation from heavyduty putering for at least a year. Anyway, just thought I'd report this in case anyone at SC needs an additional tip-off on stuff happening out here in userland. -- wsk From nobody at devnull.spamcop.net Sun Jul 10 22:40:14 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Sun Jul 10 22:45:07 2005 Subject: [SC-Help] Re: Spamcop failing to detect true originating IP References: Message-ID: "wskrispy" wrote in message news:dasiur$7ir$1@news.spamcop.net... > Hiyas. I'm no antispam maven and don't have much ambition to become one, > but I've been using the Spamcop website sporadically over the last few However, doing some legwork may help resolve the issue. > months to report a bunch of spams with originating IPs not already in > the SC blocking list. About 5 days ago the SC site seems to have > changed. Apparently the parser progs are treating my pasted spams > differently. I'm not aware of any change. There's not a flood of folks making the same claim. So, the imnplication is that something changed on your end. Coincidemtally, a thread in the spamcop newsgroup reads pretty close to the same story, but the result turns out to that the user's ISP decided to implement some brain-dead filtering on outgoing e-mail, such that the SpamCop submittals were seen as virus infected due to the attached .eml file (the forward as attachment of the spam) and the ISP's e-mail habdler decided to put a big warning about the virus into the outgoing e-mail, which of course screwed it up entirely as fas as the SpamCop parser was concerned. Test: CC: your next submittal to an off-site address such that you can see what your ISP might be doing to your outgoing. . > I quickly set up Mailhosts just now but the problem remains. I guess > I'll have to read more to see if my Mailhosts setup is correct, but like > I said I don't plan to get too deep into this. I'm on vacation from > heavyduty putering for at least a year. I believe you'd have a whole different set of error messages if your MailHost configuration was wrong .. From spam_eviscerator at spamcop.net Mon Jul 11 01:10:30 2005 From: spam_eviscerator at spamcop.net (Spam Eviscerator) Date: Mon Jul 11 00:15:03 2005 Subject: [SC-Help] Re: Batch processing? References: <1gz5kpl.114q48zfv3f3qN%spam_eviscerator@spamcop.net> <1gz6ua6.puya3717cpku8N%spam_eviscerator@spamcop.net> Message-ID: <1gzgo0z.ql9ibf1qabd2eN%spam_eviscerator@spamcop.net> Ellen wrote: > "Mike Easter" wrote in message > news:dacfha$2ge$1@news.spamcop.net... > > Spam Eviscerator wrote: > > > Mike Easter > > > > >> Pre-approved quick reporting by email submission submits many spams > > >> at a time, whose parser derived spamsources are assumed > > >> 'autoapproved' right or wrong with resultant reporting of all of the > > >> sources and no spamvertisers without further reporter action on any > > >> parser links required. > > > > > > How does one get them "pre-approved" for quick reporting? > > > > You beseech the deputies/admin to approve your account to be able to > > quick report. > > > > Write to service admin.spamcop.net and ask for quick submit. > > > Ellen Thank you, Mike and Ellen. I've done so, they've responded favorably and I'm in hog heaven. It's now so easy with my automation scripts to report them en masse after manually reviewing my Junk folder just to be sure I'm not misreporting anybody. Woe be to spammers who harass me! :-) From SCNews.5.myspamgobbler at spamgourmet.com Sun Jul 10 23:42:33 2005 From: SCNews.5.myspamgobbler at spamgourmet.com (Brian (SnSR)) Date: Mon Jul 11 01:45:03 2005 Subject: [SC-Help] Re: Spamcop failing to detect true originating IP In-Reply-To: References: Message-ID: WazoO wrote: > "wskrispy" wrote in message > news:dasiur$7ir$1@news.spamcop.net... > >>Hiyas. I'm no antispam maven and don't have much ambition to become one, >>but I've been using the Spamcop website sporadically over the last few > > > However, doing some legwork may help resolve the issue. > > >>months to report a bunch of spams with originating IPs not already in >>the SC blocking list. About 5 days ago the SC site seems to have >>changed. Apparently the parser progs are treating my pasted spams >>differently. > > > I'm not aware of any change. There's not a flood of folks making > the same claim. So, the imnplication is that something changed on > your end. Coincidemtally, a thread in the spamcop newsgroup > reads pretty close to the same story, but the result turns out to > that the user's ISP decided to implement some brain-dead > filtering on outgoing e-mail, such that the SpamCop submittals > were seen as virus infected due to the attached .eml file (the > forward as attachment of the spam) and the ISP's e-mail > habdler decided to put a big warning about the virus into the > outgoing e-mail, which of course screwed it up entirely as fas > as the SpamCop parser was concerned. > > Test: CC: your next submittal to an off-site address such that > you can see what your ISP might be doing to your outgoing. > . He is copy/pasting into the web page, not forwarding, so the above is irrelevant. > >>I quickly set up Mailhosts just now but the problem remains. I guess >>I'll have to read more to see if my Mailhosts setup is correct, but like >>I said I don't plan to get too deep into this. I'm on vacation from >>heavyduty putering for at least a year. > > > I believe you'd have a whole different set of error messages if > your MailHost configuration was wrong .. > > I've had the same error message a number of times in the past, but, at the moment, I don't recall what the cause of it was. It would be helpful to share a tracking URL so someone may be able to figure out what the problem is. From MikeE at ster.invalid Mon Jul 11 09:37:18 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon Jul 11 11:40:03 2005 Subject: [SC-Help] Re: Spamcop failing to detect true originating IP References: Message-ID: wskrispy wrote: > Why is SC suddenly unable, or > suddenly unwilling, to see them? We can't see the spam or the parsing unless you post the tracking url. Put a spam like you are describing into the parser and copy and paste the tracking url from the top of the page here. Here is your TRACKING URL - it may be saved for future reference: http://www.spamcop.net/sc?id=z784681180z3e1208e47d5955be1126a5a1f83d78e9z -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Mon Jul 11 10:30:59 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon Jul 11 12:35:02 2005 Subject: [SC-Help] Re: error iin spam cop report? References: Message-ID: posted to .spam & .help, f/ups to .help die spammer wrote: > Why is spamcop not accepting these spams? The easiest way to discuss a spam is to post its tracker in a discussion group. Below is a tracker and its environment for the spam you posted, copied from the top of the parse of that spam. Here is your TRACKING URL - it may be saved for future reference: http://www.spamcop.net/sc?id=z784698895zadee85c27dacaab52adf35aa18966342z SC determines the source, finds the url but can't resolve it, and declines to report because the spam is too old. The age is determined from your own provider's timestamp Thu, 7 Jul 2005 15:39:13 +0000 http://www.spamcop.net/fom-serve/cache/188.html Why does SpamCop say my spam is too old? -- Mike Easter kibitzer, not SC admin From hercules at invaliddomain.com Mon Jul 11 14:27:18 2005 From: hercules at invaliddomain.com (hercules) Date: Mon Jul 11 15:30:03 2005 Subject: [SC-Help] Re: Spamcop cannot find obfuscated link In-Reply-To: References: Message-ID: Hi, I received two more spam, here is one with just the reporting id... These spam get through most filters set in its path. http://www.spamcop.net/sc?id=z784756066zb248d3021f32114f0ebfec1afb3eebc3z From MikeE at ster.invalid Mon Jul 11 13:59:37 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon Jul 11 16:00:02 2005 Subject: [SC-Help] Re: Spamcop cannot find obfuscated link References: Message-ID: hercules wrote: > Hi, I received two more spam, here is one with just the reporting > id... These spam get through most filters set in its path. > > www.spamcop.net/sc?id=z784756066zb248d3021f32114f0ebfec1afb3eebc3z I use SpamPal configured with a number of dnsbl/s. That item would have been tagged as spam because its source IP is in cbl which causes it to be in spamhaus's xbl or sbl-xbl. It also appears in the/my country list for Brazil. It also might've triggered other body filters. SC cannot deobfuscate the url htt p://azwhnfmjr.com. %2Ehdvzcetzpixwc17wvs6h.tr ophemahi.info#vuakvotpb.com or http://azwhnfmjr.com. %2Ehdvzcetzpixwc17wvs6h.trophemahi.info#vuakvotpb.com or http://azwhnfmjr.com. .hdvzcetzpixwc17wvs6h.trophemahi.info#vuakvotpb.com -- nor can any of my deobfuscators, online or consoled. If I manually convert the dotspacedot configuration to just a dot http://azwhnfmjr.com.hdvzcetzpixwc17wvs6h.trophemahi.info#vuakvotpb.com it still doesn't resolve; but there is such a thing as the trophemahi.info domainname. -- Mike Easter kibitzer, not SC admin From diespammer at spamthis.net Mon Jul 11 18:42:27 2005 From: diespammer at spamthis.net (die spammer) Date: Mon Jul 11 20:40:03 2005 Subject: [SC-Help] Re: error iin spam cop report? In-Reply-To: References: Message-ID: all this spam isnt even a day old... I report it almost as soon as I get it. When I try to report the spam through spamcop, I do not get any messages that the spam is too old. Thought this was the spamcop discussion group. hmmmmm Mike Easter wrote: > posted to .spam & .help, f/ups to .help > > die spammer wrote: > >>Why is spamcop not accepting these spams? > > > The easiest way to discuss a spam is to post its tracker in a discussion > group. Below is a tracker and its environment for the spam you posted, > copied from the top of the parse of that spam. > > Here is your TRACKING URL - it may be saved for future reference: > http://www.spamcop.net/sc?id=z784698895zadee85c27dacaab52adf35aa18966342z > > SC determines the source, finds the url but can't resolve it, and > declines to report because the spam is too old. > > The age is determined from your own provider's timestamp Thu, 7 Jul 2005 > 15:39:13 +0000 > > http://www.spamcop.net/fom-serve/cache/188.html Why does SpamCop say my > spam is too old? > > From jeffg at spamcop.net Tue Jul 12 01:42:03 2005 From: jeffg at spamcop.net (Jeff G.) Date: Tue Jul 12 01:00:04 2005 Subject: [SC-Help] Re: Links not parsed References: Message-ID: eric5b wrote: > In the message news://news.spamcop.net/dav3ao$k6e$1@news.spamcop.net > posted in spamcop.spam the following links > http://www.softdemand.biz > http://www.softdemand.biz/uns.htm > are not parsed. Please keep refreshing. Those links should be parsed eventually. They may be parsed more quickly if you first parse one of them as a separate item (on one line) in another browser window. TPTB are aware of this issue. Followups set. -- Thanks and Best Regards, Jeff G. I have been a SpamCop User/Member/Customer since 1999 and am a Moderator of the new web-based forums (now the primary method for getting help, http://forum.spamcop.net). Please reply via Forum, Group, or List only. From bseymour at spamcop.net Tue Jul 12 11:00:47 2005 From: bseymour at spamcop.net (bseymour) Date: Tue Jul 12 13:05:02 2005 Subject: [SC-Help] Need Support to recover lost e-mail Message-ID: My wife was downloading email from spamcop yesterday when the computer crashed, HARD. She saw a number of new messages right before the crash, bug after restarting there was nothing. I checked her account via WebMail and the messages were gone, downloaded. Is there any way the SpamCop team could help us recover those messages? Thanks in advance... From bseymour at spamcop.net Tue Jul 12 11:09:07 2005 From: bseymour at spamcop.net (bseymour) Date: Tue Jul 12 13:10:02 2005 Subject: [SC-Help] Re: Need Support to recover lost e-mail References: Message-ID: A bit more info: She needs messages from July 10th and 11th only. "bseymour" wrote in message news:db0svs$j4c$1@news.spamcop.net... | My wife was downloading email from spamcop yesterday when the computer | crashed, HARD. She saw a number of new messages right before the crash, bug | after restarting there was nothing. I checked her account via WebMail and | the messages were gone, downloaded. | | Is there any way the SpamCop team could help us recover those messages? | | Thanks in advance... | | | From wskrispy at EXCISEoptonline.net Tue Jul 12 14:45:13 2005 From: wskrispy at EXCISEoptonline.net (wskrispy) Date: Tue Jul 12 13:50:02 2005 Subject: [SC-Help] Re: Spamcop failing to detect true originating IP In-Reply-To: References: Message-ID: Mike Easter wrote: > wskrispy wrote: > >>Why is SC suddenly unable, or >>suddenly unwilling, to see them? > > > We can't see the spam or the parsing unless you post the tracking url. > > Put a spam like you are describing into the parser and copy and paste > the tracking url from the top of the page here. > > Here is your TRACKING URL - it may be saved for future reference: > http://www.spamcop.net/sc?id=z784681180z3e1208e47d5955be1126a5a1f83d78e9z > > Thanks for the responses guys. It looks like the Spamcop parser was choking on headers crammed into the email by our SpamAssassin. I don't know why Spamcop wasn't previously choking on these... I don't think they've changed. I also don't think any ISP-related stuff has changed. In any case, when I trim the source down to the bare minimum with just the originating headers Spamcop is now accepting it (I could have sworn I tried this a few days ago and it choked). Ah well, it would be interesting to get into it more but other duties call. -- wsk From MikeE at ster.invalid Tue Jul 12 12:19:07 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jul 12 14:20:02 2005 Subject: [SC-Help] Re: Spamcop failing to detect true originating IP References: Message-ID: wskrispy wrote: > Mike Easter wrote: >> Put a spam like you are describing into the parser and copy and paste >> the tracking url from the top of the page here. > In any case, when I trim the source down to the bare minimum with just > the originating headers Spamcop is now accepting it (I could have > sworn I tried this a few days ago and it choked). That sounds like it might be a material change, which is against the rules http://www.spamcop.net/fom-serve/cache/283.html "Do not make any material changes to spam before submitting or parsing which may cause SpamCop to find a link, address or URL it normally would not, by design, find." http://www.spamcop.net/fom-serve/cache/143.html What if I break the rule(s)? "Free users who break one of the rules will be immediately banned from SpamCop." > Ah well, it would be > interesting to get into it more but other duties call. Perhaps you should stop submitting spam for reports until you have time to show what the problem is with a tracker as advised so you can find out what you should do instead of what you are doing. -- Mike Easter kibitzer, not SC admin From mcwebber at my-deja.com Tue Jul 12 16:13:43 2005 From: mcwebber at my-deja.com (McWebber) Date: Tue Jul 12 15:20:03 2005 Subject: [SC-Help] Re: Need Support to recover lost e-mail References: Message-ID: "bseymour" wrote in message news:db0svs$j4c$1@news.spamcop.net... > My wife was downloading email from spamcop yesterday when the computer > crashed, HARD. She saw a number of new messages right before the crash, bug > after restarting there was nothing. I checked her account via WebMail and > the messages were gone, downloaded. > > Is there any way the SpamCop team could help us recover those messages? If your PC told the spamcop POP3 server that the mail was retrieved, and you don't have Outlook Express set to leave a copy of the message on the server, I think it's gone. If OE is set to leave a copy on the server, you may be able to grab it from another PC as still new. Unless there's a backup and the email was sitting there from the previous day and got backed up overnight. My guess would be you're SOL. -- McWebber "Richter points to the lack of legal action against his company as proof that he's operating appropriately." Information Week, November 10, 2003 From jr70 at blackhole.invalid Tue Jul 12 13:27:10 2005 From: jr70 at blackhole.invalid (John Richards) Date: Tue Jul 12 15:30:02 2005 Subject: [SC-Help] Re: Spamcop failing to detect true originating IP References: Message-ID: Mike Easter wrote: > wskrispy wrote: >> Mike Easter wrote: > >>> Put a spam like you are describing into the parser and copy and paste >>> the tracking url from the top of the page here. > >> In any case, when I trim the source down to the bare minimum with just >> the originating headers Spamcop is now accepting it (I could have >> sworn I tried this a few days ago and it choked). > > That sounds like it might be a material change, which is against the > rules http://www.spamcop.net/fom-serve/cache/283.html "Do not make any > material changes to spam before submitting or parsing which may cause > SpamCop to find a link, address or URL it normally would not, by design, > find." How about if he just removes the headers added by SpamAssassin? On a related note, the end user can often configure his ISP's mailserver to add special headers to an incoming message to gage its spamminess. My ISP prepends "[Bulk]" to the subject field of suspected spam (an option I elected). Aren't these things technically "material changes"? -- John Richards From kenbrody at spamcop.net Tue Jul 12 17:13:25 2005 From: kenbrody at spamcop.net (Kenneth Brody) Date: Tue Jul 12 16:25:02 2005 Subject: [SC-Help] Re: Need Support to recover lost e-mail References: Message-ID: <42D42465.D79A3B60@spamcop.net> McWebber wrote: > > "bseymour" wrote in message > news:db0svs$j4c$1@news.spamcop.net... > > My wife was downloading email from spamcop yesterday when the computer > > crashed, HARD. She saw a number of new messages right before the crash, > bug > > after restarting there was nothing. I checked her account via WebMail and > > the messages were gone, downloaded. > > > > Is there any way the SpamCop team could help us recover those messages? > > If your PC told the spamcop POP3 server that the mail was retrieved, and you > don't have Outlook Express set to leave a copy of the message on the server, > I think it's gone. If OE is set to leave a copy on the server, you may be > able to grab it from another PC as still new. Unless there's a backup and > the email was sitting there from the previous day and got backed up > overnight. My guess would be you're SOL. Since SpamCop's webmail interface has a trash bin, it's possible that when you delete messages via POP that they end up there. Check the "Trash" folder. If they're not there, "SOL" may be correct. -- +-------------------------+--------------------+-----------------------------+ | Kenneth J. Brody | www.hvcomputer.com | | | kenbrody/at\spamcop.net | www.fptech.com | #include | +-------------------------+--------------------+-----------------------------+ Don't e-mail me at: From nobody at spamcop.net Tue Jul 12 15:09:30 2005 From: nobody at spamcop.net (N. Miller) Date: Tue Jul 12 17:10:03 2005 Subject: [SC-Help] Re: Spamcop failing to detect true originating IP References: Message-ID: <1ocfc9g47g1v1$.dlg@news.spamcop.net> On Tue, 12 Jul 2005 12:27:10 -0700, John Richards wrote: > On a related note, the end user can often configure his ISP's mailserver > to add special headers to an incoming message to gage its spamminess. > My ISP prepends "[Bulk]" to the subject field of suspected spam (an > option I elected). Aren't these things technically "material changes"? I think the "material changes" clause applies to reporters modifying the message after downloading it from the servers. What the servers add to the headers is, generally, covered by the RFCs, and thus become a part of the message. -- Norman ~Shine, bright morning light, ~now in the air the spring is coming. ~Sweet, blowing wind, ~singing down the hills and valleys. From nobody at spamcop.net Tue Jul 12 15:12:43 2005 From: nobody at spamcop.net (N. Miller) Date: Tue Jul 12 17:15:02 2005 Subject: [SC-Help] Re: Spamcop failing to detect true originating IP References: Message-ID: On Tue, 12 Jul 2005 13:45:13 -0400, wskrispy wrote: > Mike Easter wrote: >> wskrispy wrote: >> >>>Why is SC suddenly unable, or >>>suddenly unwilling, to see them? >> >> >> We can't see the spam or the parsing unless you post the tracking url. >> >> Put a spam like you are describing into the parser and copy and paste >> the tracking url from the top of the page here. >> >> Here is your TRACKING URL - it may be saved for future reference: >> http://www.spamcop.net/sc?id=z784681180z3e1208e47d5955be1126a5a1f83d78e9z >> >> > > Thanks for the responses guys. It looks like the Spamcop parser was > choking on headers crammed into the email by our SpamAssassin. I don't > know why Spamcop wasn't previously choking on these... I don't think > they've changed. I also don't think any ISP-related stuff has changed. > > In any case, when I trim the source down to the bare minimum with just > the originating headers Spamcop is now accepting it (I could have sworn > I tried this a few days ago and it choked). Ah well, it would be > interesting to get into it more but other duties call. That is interesting. One of my mail providers uses SpamAssassin, and made a change in the manner of SA's operation which broke the headers; I believe by adding an unexpected, and non-RFC-compliant space. When it wrapped in my MTA, the result was a blank line, denoting the end of the headers, and my MTA added its two cents worth before putting the email in the mailbox. The result was "headers in the body", or something like that. If you control the configuration of SA, make sure that your changes aren't breaking things. Otherwise, bring the problem to the attention of your mail administrator. -- Norman ~Shine, bright morning light, ~now in the air the spring is coming. ~Sweet, blowing wind, ~singing down the hills and valleys. From MikeE at ster.invalid Tue Jul 12 15:20:54 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jul 12 17:25:03 2005 Subject: [SC-Help] Re: Spamcop failing to detect true originating IP References: Message-ID: John Richards wrote: > Mike Easter wrote: >> wskrispy wrote: >>> In any case, when I trim the source down to the bare minimum with >>> just the originating headers Spamcop is now accepting it (I could >>> have sworn I tried this a few days ago and it choked). >> >> That sounds like it might be a material change, /Might/ is an important operative word there. > How about if he just removes the headers added by SpamAssassin? It would seem that if one only removed headers added by SA, that the residual wouldn't be very illegal -- but, that doesn't really compute very well, because it would also seem that headers added by SA wouldn't befuddle spamcop. So, that causes me to question the analysis of the issue, which we are spending a lot more time talking about some imaginary issue which hasn't yet been displayed by the tracker which is the essential missing ingredient in this conversation we shouldn't be having yet because the OP failed to paste the trackers in the first place and then they failed to paste the trackers in the second place, and now here we are having some kind of complicated discussion about something that hasn't yet been completely defined yet. That is a big waste of time. If we are going to talk about what is and what is not likely to be breaking the rules of spamcop, we should be looking at the first tracker and we should be looking at the second tracker and we should be figuring out why some problem developed with the first tracker and why the 2nd tracker isn't the best way to solve the problem. But instead of that, we are all typing and typing and typing and we don't have any view of what it is we aren't even talking about correctly. > Aren't these things > technically "material changes"? Notice that we are now talking about your description of something instead of your display of the real thing. Describing something as specific as headers is silly, when we could be talking about the real thing instead of an inadequate attempt to describe the real thing. -- Mike Easter kibitzer, not SC admin From wskrispy at EXCISEoptonline.net Tue Jul 12 19:13:20 2005 From: wskrispy at EXCISEoptonline.net (wskrispy) Date: Tue Jul 12 18:15:03 2005 Subject: [SC-Help] Re: Spamcop failing to detect true originating IP In-Reply-To: References: Message-ID: Mike Easter wrote: > John Richards wrote: > >>Mike Easter wrote: >> >>>wskrispy wrote: > > >>>>In any case, when I trim the source down to the bare minimum with >>>>just the originating headers Spamcop is now accepting it (I could >>>>have sworn I tried this a few days ago and it choked). >>> >>>That sounds like it might be a material change, > > > /Might/ is an important operative word there. > > >>How about if he just removes the headers added by SpamAssassin? > > > It would seem that if one only removed headers added by SA, that the > residual wouldn't be very illegal -- but, that doesn't really compute > very well, because it would also seem that headers added by SA wouldn't > befuddle spamcop. > > So, that causes me to question the analysis of the issue, which we are > spending a lot more time talking about some imaginary issue which hasn't > yet been displayed by the tracker which is the essential missing > ingredient in this conversation we shouldn't be having yet because the > OP failed to paste the trackers in the first place and then they failed > to paste the trackers in the second place, and now here we are having > some kind of complicated discussion about something that hasn't yet been > completely defined yet. > > That is a big waste of time. If we are going to talk about what is and > what is not likely to be breaking the rules of spamcop, we should be > looking at the first tracker and we should be looking at the second > tracker and we should be figuring out why some problem developed with > the first tracker and why the 2nd tracker isn't the best way to solve > the problem. > > But instead of that, we are all typing and typing and typing and we > don't have any view of what it is we aren't even talking about > correctly. > > >>Aren't these things >>technically "material changes"? > > > Notice that we are now talking about your description of something > instead of your display of the real thing. > > Describing something as specific as headers is silly, when we could be > talking about the real thing instead of an inadequate attempt to > describe the real thing. > Ok man, no need to get upset. I was reluctant to post trackers because I was iffy about getting my client's IPs sprayed all over the place. But I guess there's no harm in it. Here's a tracker from a spam that Spamcop choked on, complete with SA headers: http://www.spamcop.net/sc?id=z785186974zfb5c4d04f5694f362a90b200bac251bfz Here's output from a "show headers" link from weeks ago for a spam likewise including SA headers but that Spamcop did not choke on: ---BEGIN SPAMCOP OUTPUT--- Parse From - Wed Jun 15 14:18:45 2005 X-Account-Key: account5 X-UIDL: 91b664203ffe022b36c15fd7098eaa95 X-Mozilla-Status: 0201 X-Mozilla-Status2: 10000000 Return-path: Envelope-to: x Delivery-date: Wed, 15 Jun 2005 12:39:09 -0400 Received: from acconci1 by 1n5-199.servernode.net with local-bsmtp (Exim 4.43) id 1Diauz-0001gi-An for x; Wed, 15 Jun 2005 12:39:09 -0400 Received: from [62.101.126.224] (helo=acconci.com) by 1n5-199.servernode.net with esmtp (Exim 4.43) id 1Diaux-0001fo-UD for x; Wed, 15 Jun 2005 12:39:09 -0400 From: admin@acconci.com To: x Subject: ACCOUNT ALERT Date: Wed, 15 Jun 2005 18:42:17 +0200 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_NextPart_000_0001_9606B4E5.67267592" X-Priority: 3 X-MSMail-Priority: Normal X-Spam-Level: *** X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on 1n5-199.servernode.net X-Spam-Status: No, score=3.8 required=4.5 tests=MISSING_MIMEOLE,NO_REAL_NAME, PRIORITY_NO_NAME,SUBJ_ALL_CAPS autolearn=no version=3.0.4 Message-Id: This is a multi-part message in MIME format. ------=_NextPart_000_0001_9606B4E5.67267592 Content-Type: text/plain; charset="Windows-1252" Content-Transfer-Encoding: 7bit We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached. ------=_NextPart_000_0001_9606B4E5.67267592 Content-Type: application/octet-stream; name="info-text.zip" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="info-text.zip" ---END SPAMCOP OUTPUT--- And here's output from a "show headers" link of a spam reported (and digested by Spamcop) yesterday which I trimmed in the manner described earlier, from the same spam Spamcop did not digest with SA headers intact: ---BEGIN SPAMCOP OUTPUT--- Received: from [85.40.108.210] (helo=acconci.com) by 1n5-199.servernode.net with esmtp (Exim 4.43) id 1DsIoe-0002vp-22 for x; Tue, 12 Jul 2005 07:20:45 -0400 From: support@acconci.com To: x Subject: Your Account is Suspended Date: Tue, 12 Jul 2005 13:24:52 +0200 MIME-Version: 1.0 X-Priority: 3 X-MSMail-Priority: Normal X-Spam-Exim: G0lXR5SLNg3n2MuDuSG1jq58 Content-Type: multipart/mixed; boundary="----=_NextPart_000_0001_54E3884D.FB9CD81E" ------=_NextPart_000_0001_54E3884D.FB9CD81E Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit
Dear Acconci Member,

Your e-mail account was used to send a huge amount of unsolicited spam messages during the recent week. If you could please take 5-10 minutes out of your online experience and confirm the attached document so you will not run into any future problems with the online service.

If you choose to ignore our request, you leave us no choice but to cancel your membership.

Virtually yours,
The Acconci Support Team






+++ Attachment: No Virus found
+++ Acconci Antivirus - www.acconci.com ------=_NextPart_000_0001_54E3884D.FB9CD81E-- ------------=_42D3A78D.83D3022A Content-Type: text/plain; x-avg=cert; charset=us-ascii Content-Transfer-Encoding: quoted-printable Content-Disposition: inline Content-Description: "AVG certification" Viruses found in the attached files. The file readme.zip: Virus identified I-Worm/Mytob.HL. The attachment was m= oved to the virus vault. Checked by AVG Anti-Virus. Version: 7.0.336 / Virus Database: 267.8.12/46 - Release Date: 7/11/2005 ------------=_42D3A78D.83D3022A-- . ---END SPAMCOP OUTPUT--- By the way, I seriously doubt removing SA headers constitutes a "material change" to Spamcop. Any reasonable application of this rule would confine it to body material and original headers only. If they had meant any change at all they would simply have said "Do not make any changes to spam before submitting...", dispensing with "material". Also by the way, who are you? Some kinda anti-spam maven? -- wsk From MikeE at ster.invalid Tue Jul 12 16:22:40 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jul 12 18:25:02 2005 Subject: [SC-Help] Re: Spamcop failing to detect true originating IP References: Message-ID: Various forms of inadequate 'header describing'. wskrispy wrote: > message like "No source IP header found - cannot proceed". Most of > these spams have spoofed senders but the real originating IP is plain > to see in the second block of headers. wskrispy wrote: > when I trim the source down to the bare minimum with just > the originating headers Spamcop is now accepting it John Richards wrote: > How about if he just removes the headers added by SpamAssassin? > My ISP prepends "[Bulk]" to the subject field of > suspected spam (an option I elected). Aren't these things > technically "material changes"? N. Miller wrote: > One of my mail providers uses SpamAssassin, and > made a change in the manner of SA's operation which broke the > headers; I believe by adding an unexpected, and non-RFC-compliant > space. When it wrapped in my MTA, the result was a blank line, > denoting the end of the headers, and my MTA added its two cents worth > before putting the email in the mailbox. The result was "headers in > the body", or something like that. When we talk about a header, it might seem like it is sufficient to 'describe' the headers in some way which we feel like characterizes the issue; but nothing characterizes an issue about a specific header related discussion as much as access to the 'real' headers themselves, instead of an inadequately described generi-cized description of what the poster is talking about. Invariably there is some other part of the header which actually may come to relevance, and there is no substitute for the real header. It takes much less 'space' to paste the tracker than even beginning to 'simply' describe a header, which description is typically going to somehow turn up inadquate in ways in which the original describer can not possibly anticipate. If we are going to talk about a spam or a parse or what SC did with something or what something said or whatever; we should be posting the tracker so that when the unexpected considerations arise, the original headers and/or spam are right there available at the tracker. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Tue Jul 12 16:30:36 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jul 12 18:35:04 2005 Subject: [SC-Help] Re: Spamcop failing to detect true originating IP References: Message-ID: wskrispy wrote: > Here's a tracker from a spam that Spamcop choked on, complete with SA > headers: > > http://www.spamcop.net/sc?id=z785186974zfb5c4d04f5694f362a90b200bac251bfz Good! Posting a tracker is enormously important/ essential/ for these issues. Received: from acconci1 by 1n5-199.servernode.net That is the first part of the top line from the tracker. That line is totally unacceptable/ noncompliant/ from the perspective of reporting spam. There is nothing you can do, such as removing SA lines, which will restore those headers to a proper condition for reporting spam. That line's 'from' field is supposed to contain the IP address of the source from which the servernode received the item. If it doesn't, there *must* be some other compliant line stamped properly to 'represent' what is missing there. > Received: from [62.101.126.224] (helo=acconci.com) > by 1n5-199.servernode.net with esmtp (Exim 4.43) > id 1Diaux-0001fo-UD > for x; Wed, 15 Jun 2005 12:39:09 -0400 This second line can take the place of the first line; it is a compliant line. -- Mike Easter kibitzer, not SC admin From wskrispy at EXCISEoptonline.net Tue Jul 12 19:40:51 2005 From: wskrispy at EXCISEoptonline.net (wskrispy) Date: Tue Jul 12 18:45:03 2005 Subject: [SC-Help] Re: Spamcop failing to detect true originating IP In-Reply-To: References: Message-ID: Mike Easter wrote: > wskrispy wrote: > >>Here's a tracker from a spam that Spamcop choked on, complete with SA >>headers: >> >> > > http://www.spamcop.net/sc?id=z785186974zfb5c4d04f5694f362a90b200bac251bfz > > Good! Posting a tracker is enormously important/ essential/ for these > issues. > > Received: from acconci1 by 1n5-199.servernode.net > > That is the first part of the top line from the tracker. That line is > totally unacceptable/ noncompliant/ from the perspective of reporting > spam. There is nothing you can do, such as removing SA lines, which > will restore those headers to a proper condition for reporting spam. > > That line's 'from' field is supposed to contain the IP address of the > source from which the servernode received the item. If it doesn't, > there *must* be some other compliant line stamped properly to > 'represent' what is missing there. > > >>Received: from [62.101.126.224] (helo=acconci.com) >> by 1n5-199.servernode.net with esmtp (Exim 4.43) >> id 1Diaux-0001fo-UD >> for x; Wed, 15 Jun 2005 12:39:09 -0400 > > > This second line can take the place of the first line; it is a > compliant line. > > Yes, so why doesn't Spamcop use this second line and accept it as source IP? And the reason the first line is unusable is: the spammer succeeded in his spoof (he made 1n5-199.servernode.net think it was receiving mail from "acconci1", which is the linux username running the mailserver on 1n5-199.servernode.net itself!). I thought we're in the business of outsmarting these clowns. -- wsk From jr70 at blackhole.invalid Tue Jul 12 18:12:40 2005 From: jr70 at blackhole.invalid (John Richards) Date: Tue Jul 12 20:15:02 2005 Subject: [SC-Help] Re: Spamcop failing to detect true originating IP References: Message-ID: Mike Easter wrote: > > John Richards wrote: >> My ISP prepends "[Bulk]" to the subject field of >> suspected spam (an option I elected). Aren't these things >> technically "material changes"? > > When we talk about a header, it might seem like it is sufficient to > 'describe' the headers in some way which we feel like characterizes the > issue; but nothing characterizes an issue about a specific header > related discussion as much as access to the 'real' headers themselves, > instead of an inadequately described generi-cized description of what > the poster is talking about. > > Invariably there is some other part of the header which actually may > come to relevance, and there is no substitute for the real header. > > It takes much less 'space' to paste the tracker than even beginning to > 'simply' describe a header, which description is typically going to > somehow turn up inadquate in ways in which the original describer can > not possibly anticipate. > > If we are going to talk about a spam or a parse or what SC did with > something or what something said or whatever; we should be posting the > tracker so that when the unexpected considerations arise, the original > headers and/or spam are right there available at the tracker. The quote of mine (above) does not pertain to a specific tracker. AFAIK, SC does nothing with the Subject header. I was merely trying to elucidate what changes are acceptable and would not violate the the SC rule against "material changes". -- John Richards From MikeE at ster.invalid Wed Jul 13 01:12:12 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jul 13 03:15:04 2005 Subject: [SC-Help] Re: Spamcop failing to detect true originating IP References: Message-ID: wskrispy wrote: > Mike Easter wrote: >> wskrispy wrote: >> >>> Here's a tracker from a spam that Spamcop choked on, complete with >>> SA headers: www.spamcop.net/sc?id=z785186974zfb5c4d04f5694f362a90b200bac251bfz Abbreviated Received lines *comment from acconci1 by 1n5-199.servernode.net *noncompliant from localhost by 1n5-199.servernode.net *noncompliant >> There is nothing you can do, such as removing SA >> lines, which will restore those headers to a proper condition for >> reporting spam. >>> Received: from [62.101.126.224] (helo=acconci.com) >>> by 1n5-199.servernode.net with esmtp (Exim 4.43) >> This second line can take the place of the first line; it is a >> compliant line. > > Yes, so why doesn't Spamcop use this second line and accept it as > source IP? As you can see from the tracker which shows the entirety of the headers and from my abbreviation above of the 'from' and 'by' fields extracted from that header, your server is not stamping the 'from' field of its source with the IP address. This is unsatisfactory for spam reporting. > And the reason the first line is unusable is: the spammer succeeded in > his spoof (he made 1n5-199.servernode.net think it was receiving mail > from "acconci1", which is the linux username running the mailserver on > 1n5-199.servernode.net itself!). I thought we're in the business of > outsmarting these clowns. The spammer can say what s/he wants in the helo -- but the spammer cannot [easily] 'spoof' the necessary SYN & ACK packet correspondence during which the server is communicating with a particular IP address. The server knows what IP it is accepting the smtp transactions from and sending transactions to. It is imperative that the server stamp the 'from' field with that IP address for trace purposes. In your second example for which we don't have a tracker URL, the two lines show that one of them was compliant. Abbreviated Received lines *comment from acconci1 by 1n5-199.servernode.net *noncompliant from [62.101.126.224] (helo=acconci.com) by 1n5-199.servernode.net *compliant Because the 2nd line shows the source IP address, it can be parsed properly while the topline is ignored. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Wed Jul 13 01:47:16 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jul 13 03:50:05 2005 Subject: [SC-Help] Re: Spamcop failing to detect true originating IP References: Message-ID: Some more of the story. Now we are going to discuss this item www.spamcop.net/sc?id=z785186974zfb5c4d04f5694f362a90b200bac251bfz from a different perspective. Previously I was explaining why SC cannot derive an IP address as a source by parsing those headers as submitted. Now we can talk about the 'entirety' of what the item contains. What was submitted to the parser for the tracker above consists of headers from your provider to you of a mail which contains an attachment of a mail which used to have a viral propagation which has subsequently been stripped. This structure is thus found: topheaders body1 attachment headers body2 AVG info The 'story' is that 85.40.108.210 rDNS host210-108.pool8540.interbusiness.it calling itself acconci.com in the helo propagated a virus I-Worm/Mytob.HL in a password.zip attachment. That propagation had From admin@acconci.com and was received by the server 1n5-199.servernode.net which was running SpamAssassin 3 and AVG 7 antivirus That item was identified as spam by SpamAssassin and stripped of its virus propagation by AVG. The topheaders are 'internal' headers for the servernode server, whereas the attachment headers show the source IP of the propagation. body1 describes SA functionality and report, body2 is the propagation's body content, and AVG info is describing the stripping and characterizing the virm. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Wed Jul 13 02:27:10 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jul 13 04:30:03 2005 Subject: [SC-Help] Re: Spamcop failing to detect true originating IP References: Message-ID: Mike Easter wrote: > SC > cannot derive an IP address as a source by parsing those headers as > submitted. > topheaders > body1 > attachment headers > body2 > AVG info > That item was identified as spam by SpamAssassin > The topheaders are 'internal' headers for > the servernode server, whereas the attachment headers show the source > IP of the propagation. > > body1 describes SA functionality and report, body2 is the > propagation's body content, If one *assumes* that that server would handle a spam [not a virm propagation] similarly except for the virus stripping by AVG, that is going to be a very/totally unsatisfactory structure for submitting spams to spamcop. The server would be imposing an additional set of headers and body over the spam's original headers and body using some elements from the spam's headers and body in what I'm calling 'topheaders' above. The topheaders don't show the source IP and the whole structure is a rather zany implementation of the SA functionality. But, rather than assume, it would be better to see something that was a 'pure' spam recognized by SA which wasn't additionally handled for stripping as a viral propagation by AVG. Since the SA implementation is zany, yet another useful tracker would be one for a spam which SA failed to recognize. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Wed Jul 13 02:53:10 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jul 13 04:55:53 2005 Subject: [SC-Help] Re: Spamcop failing to detect true originating IP References: Message-ID: John Richards wrote: > Mike Easter wrote: >> >> John Richards wrote: >>> My ISP prepends "[Bulk]" to the subject field of >>> suspected spam (an option I elected). Aren't these things >>> technically "material changes"? >> >> When we talk about a header, it might seem like it is sufficient to >> 'describe' the headers in some way which we feel like characterizes >> the issue; but nothing characterizes an issue about a specific >> header related discussion as much as access to the 'real' headers >> themselves, instead of an inadequately described generi-cized >> description of what the poster is talking about. You and I aren't really going to talk about these headers that we are both talking around, I guess, but my spam filter adds a lot more than 'Bulk' to the headers. Besides changing the subject for spams, it also adds a 'bunch' of X-lines. The faq doesn't address the issue of the myriad of lines which have been added by servers and filters and proxies. Its thrust is to fundamentally establish a concept of not allowing people to manipulate headers willy nilly to 'help out' the various parsing problems. As you have seen from this thread, manipulating headers to help SC achieve a parse may or may not be a material change. http://www.spamcop.net/sc?id=z785347108z0b93e7f4dcb3a10b9abce43536798828z I just grabbed a spam and parsed it for an example, since I'm fussing at everyone else about even mentioning headers without posting a tracker. Those headers happen to show a spam with a lot of header lines which look a little like a mailing list item. Crazy spammer bogosity which you can analyze spammer thought processes if you like. As received by my mailbox from my provider's server, the added and changed lines separate from the top Received line of the server, are the subject, prepended with a SPAM identifier by my spamfilter proxy, and the last 6 X lines, one of which is my provider's server's AV agent line and 5 of which are my spamfilter's lines. -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Wed Jul 13 07:45:02 2005 From: nobody at spamcop.net (Ellen) Date: Wed Jul 13 07:40:03 2005 Subject: [SC-Help] Re: Spamcop failing to detect true originating IP References: Message-ID: "wskrispy" wrote in message news:db1fa1> > Here's a tracker from a spam that Spamcop choked on, complete with SA > headers: > > http://www.spamcop.net/sc?id=z785186974zfb5c4d04f5694f362a90b200bac251bfz > Assuming that these are the received headers as delivered by your ISP/hosting company server to your mailbox, there is *no* IP in the topmost received header showing your ISP mailserver receiving the mail: Received: from acconci1 by 1n5-199.servernode.net with local-bsmtp (Exim 4.43) id 1DsR07-0000Yn-17 for x; Tue, 12 Jul 2005 16:05:08 -0400 SpamCop cannot extract useful information from that header. The next receved header has no IP either: Received: from localhost by 1n5-199.servernode.net with SpamAssassin (version 3.0.4); Tue, 12 Jul 2005 16:05:08 -0400 Therefore there is no way that SC has determine the source of the spam. Looking at the report history for your account, I see several more spams where your server failed to record the IP of the connecting server which is attempting to deliver the spam. It has nothing to do with SpamAssassin and the SA X-headers. For some reason and for some spams, your server will print 2 received headers as above rather than showing the connecting IP as it does for other spams: Received: from [85.40.108.210] (helo=acconci.com) by 1n5-199.servernode.net with esmtp (Exim 4.43) id 1Drjnp-000154-8l for x; Sun, 10 Jul 2005 17:57:34 -0400 From: administrator@acconci.com To: x Subject: Your Account is Suspended For Security Reasons You will have to discuss this with your ISP/hosting company admin/tech support to find out what the problem is. It may be that if some other user at the ISP/hosting company is sending the spam/virus/phish that the headers are as above as the mail was just shuffled around internally. Ellen SpamCop From wskrispy at EXCISEoptonline.net Wed Jul 13 14:44:00 2005 From: wskrispy at EXCISEoptonline.net (wskrispy) Date: Wed Jul 13 13:45:03 2005 Subject: [SC-Help] Re: Spamcop failing to detect true originating IP In-Reply-To: References: Message-ID: Ellen wrote: > "wskrispy" wrote in message news:db1fa1> > >>Here's a tracker from a spam that Spamcop choked on, complete with SA >>headers: >> >>http://www.spamcop.net/sc?id=z785186974zfb5c4d04f5694f362a90b200bac251bfz >> > > > Assuming that these are the received headers as delivered by your > ISP/hosting company server to your mailbox, there is *no* IP in the topmost > received header showing your ISP mailserver receiving the mail: > > Received: from acconci1 by 1n5-199.servernode.net with local-bsmtp (Exim > 4.43) > id 1DsR07-0000Yn-17 for x; Tue, 12 Jul 2005 16:05:08 -0400 > > SpamCop cannot extract useful information from that header. > > The next receved header has no IP either: > > Received: from localhost by 1n5-199.servernode.net > with SpamAssassin (version 3.0.4); > Tue, 12 Jul 2005 16:05:08 -0400 > > Therefore there is no way that SC has determine the source of the spam. > > Looking at the report history for your account, I see several more spams > where your server failed to record the IP of the connecting server which is > attempting to deliver the spam. It has nothing to do with SpamAssassin and > the SA X-headers. > > For some reason and for some spams, your server will print 2 received > headers as above rather than showing the connecting IP as it does for other > spams: > > Received: from [85.40.108.210] (helo=acconci.com) > by 1n5-199.servernode.net with esmtp (Exim 4.43) > id 1Drjnp-000154-8l > for x; Sun, 10 Jul 2005 17:57:34 -0400 > From: administrator@acconci.com > To: x > Subject: Your Account is Suspended For Security Reasons > > You will have to discuss this with your ISP/hosting company admin/tech > support to find out what the problem is. It may be that if some other user > at the ISP/hosting company is sending the spam/virus/phish that the headers > are as above as the mail was just shuffled around internally. > > Ellen > SpamCop > Thanks for the response, Ellen. I must say I'm a bit confused at this point. No doubt I need to bone up a bit more on spam lore, not to mention smtp basics, etc.,. From one vantage point I'm almost tempted to say that, well, it looks like the spammer has outwitted Spamcop. You say "there is no way that SC has (can) determine the source of the spam". If that's so, wouldn't you agree the spammer has found a spoofing method that confounds Spamcop? This server is a Virtual Private Server under a hosting company. I administer it for an artist's studio. I'm a retired programmer, not an Admin. But I know enough to get LANs up and running and to provide basic WWW/FTP/Email services and troubleshoooting for small businesses. As far as I can tell, this server is configured with typical options and its primary mailer program (Exim) is not writing anything unusual to emails, nor deleting or scrambling headers. On the other hand, the hosting company originally providing this VPS, after a period of good service, totally crashed and burned (as so many companies in the lower price tiers do) and was "merged" with a provider called "WebHostPlus". WebHostPlus has a shady past (it is apparently run by a group of NYC-area Russian emigr?s with Russian-mobster-like business ties) and I have been meaning to move my client (the artist's studio) to a different provider. I wonder if WebHostPlus is low enough to sell a certain service to spammers whereby they can appear as an internal user to VPS accounts? If I were a proper Admin I'd probably already have this sorted out. I think I'll take a look at the server logs, try to see if anyone from strange IPs has been logging in or hijacking daemons in some way. I'll let you know what I discover. --- wsk From nobody at devnull.spamcop.net Wed Jul 13 15:10:06 2005 From: nobody at devnull.spamcop.net (Glenn Daniels) Date: Wed Jul 13 14:10:03 2005 Subject: [SC-Help] Re: Need Support to recover lost e-mail References: Message-ID: "bseymour" wrote in message > My wife was downloading email from spamcop yesterday when the computer > crashed, HARD. She saw a number of new messages right before the crash, bug > after restarting there was nothing. I checked her account via WebMail and > the messages were gone, downloaded. > > Is there any way the SpamCop team could help us recover those messages? > The "lost" data may exist on your hard drive as a file allocation error. A file was "open" and data was being recorded to disk at the time of the crash. It is sometimes possible to recover such alloccation error fragments using chkdsk. If chkdsk recovers data to a .chk file, open it with notepad. If you find whole emails of interest to you there, you may select the data segment of interest and using copy-paste recreate the email as a plain text file, then rename same to open it in your default email client. Once the data is erased or overwritten, recovery is very unlikely. Glenn From nobody at spamcop.net Wed Jul 13 13:24:55 2005 From: nobody at spamcop.net (N. Miller) Date: Wed Jul 13 15:25:02 2005 Subject: [SC-Help] Re: Spamcop failing to detect true originating IP References: Message-ID: <1sxvpgfconcpt$.dlg@news.spamcop.net> On Wed, 13 Jul 2005 13:44:00 -0400, wskrispy wrote: > From one vantage point I'm almost tempted to say that, well, it looks > like the spammer has outwitted Spamcop. You say "there is no way that SC > has (can) determine the source of the spam". If that's so, wouldn't you > agree the spammer has found a spoofing method that confounds Spamcop? No. Spammers use spoofed "HELO" strings all of the time. I see a lot of attempts to dump email on my server with "HELO mail.yahoo.com", followed by the connecting IP address; that IP address is never a yahoo.com IP address. The important point to note is that the spammer can't control the IP address which my MX is seeing. If the MX is properly configured, it will show the connecting IP address; at that point, SpamCop can proceed. But whether that IP address is present, or not, in the headers is beyond the control of the spammer. The responsibility to log the IP addresses of the incoming connections lies squarely on the receiving email server. Therefore, it is your own email system which is outwitting SpamCop. It would also outwit Sam Spade, and me. > This server is a Virtual Private Server under a hosting company. I > administer it for an artist's studio. I'm a retired programmer, not an > Admin. But I know enough to get LANs up and running and to provide basic > WWW/FTP/Email services and troubleshoooting for small businesses. As far > as I can tell, this server is configured with typical options and its > primary mailer program (Exim) is not writing anything unusual to emails, > nor deleting or scrambling headers. It is, however, omitting certain information which is available to it, and could be included; namely, the IP address of the incoming connection. -- Norman ~Shine, bright morning light, ~now in the air the spring is coming. ~Sweet, blowing wind, ~singing down the hills and valleys. From nobody at spamcop.net Wed Jul 13 13:28:29 2005 From: nobody at spamcop.net (N. Miller) Date: Wed Jul 13 15:30:03 2005 Subject: [SC-Help] Re: Spamcop failing to detect true originating IP References: Message-ID: <1la7t2n7xnpys.dlg@news.spamcop.net> On Tue, 12 Jul 2005 15:22:40 -0700, Mike Easter wrote: > N. Miller wrote: >> One of my mail providers uses SpamAssassin, and >> made a change in the manner of SA's operation which broke the >> headers; I believe by adding an unexpected, and non-RFC-compliant >> space. When it wrapped in my MTA, the result was a blank line, >> denoting the end of the headers, and my MTA added its two cents worth >> before putting the email in the mailbox. The result was "headers in >> the body", or something like that. > > When we talk about a header, it might seem like it is sufficient to > 'describe' the headers in some way which we feel like characterizes the > issue; but nothing characterizes an issue about a specific header > related discussion as much as access to the 'real' headers themselves, > instead of an inadequately described generi-cized description of what > the poster is talking about. Well, duh. If I wasn't just using an anecdote to support a contention that the mail server configuration seems to have been hosed; if I was really concerned about what had happened, I would have dug up the old message (several months ago; possibly last year even) and done just that. All I was trying to do was suggest that the OP has a local server configuration issue which needed investigating. As events transpired, it is a local sever issue, but it isn't an SA issue. -- Norman ~Shine, bright morning light, ~now in the air the spring is coming. ~Sweet, blowing wind, ~singing down the hills and valleys. From bseymour at spamcop.net Wed Jul 13 13:32:38 2005 From: bseymour at spamcop.net (bseymour) Date: Wed Jul 13 15:35:04 2005 Subject: [SC-Help] Re: Need Support to recover lost e-mail References: Message-ID: Thanks to everyone for the advice and support! I'll try a disk recovery tool, but I'm not optimistic. ---------------------------------------------------------------------- "bseymour" wrote in message news:db0svs$j4c$1@news.spamcop.net... My wife was downloading email from spamcop yesterday when the computer crashed, HARD. She saw a number of new messages right before the crash, bug after restarting there was nothing. I checked her account via WebMail and the messages were gone, downloaded. Is there any way the SpamCop team could help us recover those messages? Thanks in advance... From wskrispy at EXCISEoptonline.net Wed Jul 13 18:26:34 2005 From: wskrispy at EXCISEoptonline.net (wskrispy) Date: Wed Jul 13 17:30:04 2005 Subject: [SC-Help] Re: Spamcop failing to detect true originating IP In-Reply-To: <1sxvpgfconcpt$.dlg@news.spamcop.net> References: <1sxvpgfconcpt$.dlg@news.spamcop.net> Message-ID: N. Miller wrote: > On Wed, 13 Jul 2005 13:44:00 -0400, wskrispy wrote: > > >> From one vantage point I'm almost tempted to say that, well, it looks >>like the spammer has outwitted Spamcop. You say "there is no way that SC >>has (can) determine the source of the spam". If that's so, wouldn't you >>agree the spammer has found a spoofing method that confounds Spamcop? > > > No. Spammers use spoofed "HELO" strings all of the time. I see a lot of > attempts to dump email on my server with "HELO mail.yahoo.com", followed by > the connecting IP address; that IP address is never a yahoo.com IP address. > The important point to note is that the spammer can't control the IP > address which my MX is seeing. If the MX is properly configured, it will > show the connecting IP address; at that point, SpamCop can proceed. But > whether that IP address is present, or not, in the headers is beyond the > control of the spammer. The responsibility to log the IP addresses of the > incoming connections lies squarely on the receiving email server. > Therefore, it is your own email system which is outwitting SpamCop. It > would also outwit Sam Spade, and me. > > >>This server is a Virtual Private Server under a hosting company. I >>administer it for an artist's studio. I'm a retired programmer, not an >>Admin. But I know enough to get LANs up and running and to provide basic >>WWW/FTP/Email services and troubleshoooting for small businesses. As far >>as I can tell, this server is configured with typical options and its >>primary mailer program (Exim) is not writing anything unusual to emails, >>nor deleting or scrambling headers. > > > It is, however, omitting certain information which is available to it, and > could be included; namely, the IP address of the incoming connection. > Hold on a sec Ellen and N. Miller-- if you look at the entire message at tracker http://www.spamcop.net/sc?id=z785186974zfb5c4d04f5694f362a90b200bac251bfz;action=display you will see that in the header block below the SA Content Analysis there is a third Received header which does in fact identify the connecting IP (85.40.108.210). Why didn't Spamcop use this and proceed? Ellen said "For some reason and for some spams, your server will print 2 received headers as above rather than showing the connecting IP as it does for other spams". This is not so. All these spams have this header block eventually showing the connecting IP. -- wsk From wskrispy at EXCISEoptonline.net Wed Jul 13 18:35:42 2005 From: wskrispy at EXCISEoptonline.net (wskrispy) Date: Wed Jul 13 17:40:02 2005 Subject: [SC-Help] What now? Message-ID: Hiyas. One of my clients is under assault from a very aggressive spammer who is spoofing sender names, sending dozens of worm-infected spams per hour. I have reported about five of these spams to Spamcop and have sent two messages to the abuse email address at the Italian ISP this clown uses. The offending IP hasn't even shown up on Spamcop's blocking list (my first report of this IP was at least 10 days ago). I've received no reply from the ISP. What should I do now? -- wsk From MikeE at ster.invalid Wed Jul 13 15:51:36 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jul 13 17:55:03 2005 Subject: [SC-Help] Re: Spamcop failing to detect true originating IP References: <1sxvpgfconcpt$.dlg@news.spamcop.net> Message-ID: wskrispy wrote: > Hold on a sec Ellen and N. Miller-- if you look at the entire message > at tracker > http://www.spamcop.net/sc?id=z785186974zfb5c4d04f5694f362a90b200bac251bfz;action=display > you will see that in the header block below the SA Content Analysis > there is a third Received header which does in fact identify the > connecting IP (85.40.108.210). Why didn't Spamcop use this and > proceed? Actually what you are describing as a 'third Received header' is a /first/ Received header traceline of the *original* item, which your provider's server calls Content-Description: original message before SpamAssassin of the mime structure of the attachment. That's what I was describing in news:db2gtt$g2t$1@news.spamcop.net Mike Easter wrote: > This structure is thus found: > > topheaders > body1 > attachment headers > body2 > AVG info > whereas the attachment headers show the source > IP of the propagation. > Ellen said "For some reason and for some spams, your server will > print 2 received headers as above rather than showing the connecting > IP as it does for other spams". This is not so. All these spams have > this header block eventually showing the connecting IP. You are saying that all of 'these' spams have attachment headers which show the source IP just like the example item which is actually a viral propagation, not a 'simple' or regular spam per se. Then all you will have to do is find a technique to isolate those original 'attachment' headers, which are also contiguous with the spambody [see body2 above], to submit to the parser. In such isolation, the parser can not only find the source IP but also any contained spamvertiser URLs. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Wed Jul 13 16:10:50 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jul 13 18:15:04 2005 Subject: [SC-Help] Re: What now? References: Message-ID: wskrispy wrote: > Hiyas. One of my clients is under assault from a very aggressive > spammer who is spoofing sender names, sending dozens of worm-infected > spams per hour. I have reported about five of these spams to Spamcop > and have sent two messages to the abuse email address at the Italian > ISP this clown uses. That sounds like the Italian IP of your recent 'spam' example which is actually a viral propagation. 85.40.108.210 rDNS host210-108.pool8540.interbusiness.it Virus identified I-Worm/Mytob.HL > The offending IP hasn't even shown up on Spamcop's blocking list (my > first report of this IP was at least 10 days ago). I've received no > reply from the ISP. What should I do now? If you /successfully/ submit and report the isolated propagation as discussed in news:db42d1$eap$1@news.spamcop.net Mike Easter wrote: > Then all you will have to do is find a technique to isolate those > original 'attachment' headers, which are also contiguous with the > spambody [see body2 above], to submit to the parser. then SC will identify the source IP if reported, and tally up the 'score' according to its formula described at http://www.spamcop.net/fom-serve/cache/297.html What is the SpamCop Blocking List (SCBL)? which weighs recent reports, considers reputation points or estimations of nonreport traffic, weighs any additional SC spamtraps and so forth. At the present time, the IP 85.40.108.210 does not show on the 'radar screen' at senderbase. Volume Statistics for this IP Magnitude Vol Change vs. Average Last day 0.0 -100% Last 30d 0.0 -100% Average 0.0 -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Wed Jul 13 21:08:46 2005 From: nobody at spamcop.net (Ellen) Date: Wed Jul 13 20:15:02 2005 Subject: [SC-Help] Re: Spamcop failing to detect true originating IP References: <1sxvpgfconcpt$.dlg@news.spamcop.net> Message-ID: "wskrispy" wrote in message news:db40uc$d3o$1@news.spamcop.net... > N. Miller wrote: > > > > Hold on a sec Ellen and N. Miller-- if you look at the entire message at > tracker > http://www.spamcop.net/sc?id=z785186974zfb5c4d04f5694f362a90b200bac251bfz;action=display > you will see that in the header block below the SA Content Analysis > there is a third Received header which does in fact identify the > connecting IP (85.40.108.210). Why didn't Spamcop use this and proceed? > > Ellen said "For some reason and for some spams, your server will print 2 > received headers as above rather than showing the connecting IP as it > does for other spams". This is not so. All these spams have this header > block eventually showing the connecting IP. > I know what the problem is - there are two ways that an admin can set up SA. In one method, all the original headers are preserved in their normal order and the SA stuff is added as X-headers. SC handles this fine. In the second method, SA adds that block of text and then stuffs the original email into the message body. SC does not handle spams which have been processed thru SA in that mode. Either turn off SA or get it set to handle inbound mail analysis by the other method. Ellen From nobody at spamcop.net Wed Jul 13 21:09:43 2005 From: nobody at spamcop.net (Ellen) Date: Wed Jul 13 20:15:09 2005 Subject: [SC-Help] Re: Spamcop failing to detect true originating IP References: Message-ID: "wskrispy" wrote in message news:db3jt2$32l$1@news.spamcop.net... > Ellen wrote: > > "wskrispy" wrote in message news:db1fa1> > > > >>Here's a tracker from a spam that Spamcop choked on, complete with SA > >>headers: > >> > >>http://www.spamcop.net/sc?id=z785186974zfb5c4d04f5694f362a90b200bac251bfz > >> > > > > > > You will have to discuss this with your ISP/hosting company admin/tech > > support to find out what the problem is. It may be that if some other user > > at the ISP/hosting company is sending the spam/virus/phish that the headers > > are as above as the mail was just shuffled around internally. > > > > Ellen > > SpamCop > > > > Thanks for the response, Ellen. I must say I'm a bit confused at this > point. No doubt I need to bone up a bit more on spam lore, not to > mention smtp basics, etc.,. > > From one vantage point I'm almost tempted to say that, well, it looks > like the spammer has outwitted Spamcop. You say "there is no way that SC > has (can) determine the source of the spam". If that's so, wouldn't you > agree the spammer has found a spoofing method that confounds Spamcop? No I would say that your ISP/hosting company is not stamping adequate Received headers for some reason and that has nothing to do with the spammer outwitting SC. > This server is a Virtual Private Server under a hosting company. I > administer it for an artist's studio. I'm a retired programmer, not an > Admin. But I know enough to get LANs up and running and to provide basic > WWW/FTP/Email services and troubleshoooting for small businesses. As far > as I can tell, this server is configured with typical options and its > primary mailer program (Exim) is not writing anything unusual to emails, > nor deleting or scrambling headers. There is nothing that SpamCop - or anyone doing it manually -- can do to determine injection if the Received headers are inadequate and these are inadequate. That Received header is stamped by *your* hosting company. The hosting company server is supposed to know and to include the IP of the server connecting to deliver the email. > > On the other hand, the hosting company originally providing this VPS, > after a period of good service, totally crashed and burned (as so many > companies in the lower price tiers do) and was "merged" with a provider > called "WebHostPlus". WebHostPlus has a shady past (it is apparently run > by a group of NYC-area Russian emigrés with Russian-mobster-like > business ties) and I have been meaning to move my client (the artist's > studio) to a different provider. I wonder if WebHostPlus is low enough > to sell a certain service to spammers whereby they can appear as an > internal user to VPS accounts? There is an old saying -- when you hear hoofbeats think horses not zebras. It may be something as simple as a misconfigured server in their server farm. It may be that if their backup MX is being used then for some reason the proper headers areb't stamped. Who knows -- no one but them. Over the years I have seen all sorts of oddball things and in 99.9% of the cases the reason turned out to be misconfigured server software or something similar. > > If I were a proper Admin I'd probably already have this sorted out. I > think I'll take a look at the server logs, try to see if anyone from > strange IPs has been logging in or hijacking daemons in some way. I'll > let you know what I discover. OK. As I say I saw a couple of other instances of these sort of borked headers in your report history. See my next email. Ellen From anon at coks.net Wed Jul 13 19:15:48 2005 From: anon at coks.net (J G) Date: Wed Jul 13 21:15:04 2005 Subject: [SC-Help] Re: Need Support to recover lost e-mail In-Reply-To: References: Message-ID: On 7/13/2005 12:32 PM bseymour scribbled: > Thanks to everyone for the advice and support! I'll try a disk recovery > tool, but I'm not optimistic. > > ---------------------------------------------------------------------- > > "bseymour" wrote in message > news:db0svs$j4c$1@news.spamcop.net... > My wife was downloading email from spamcop yesterday when the computer > crashed, HARD. She saw a number of new messages right before the crash, bug > after restarting there was nothing. I checked her account via WebMail and > the messages were gone, downloaded. > > Is there any way the SpamCop team could help us recover those messages? > > Thanks in advance... > > > > Did you look into the inbox file itself (inbox no extension)? You might have just blown the index file, but I don't use outlook distress, so not so sure. I believe the Inbox should be a plain text file... From anon at coks.net Wed Jul 13 19:21:34 2005 From: anon at coks.net (J G) Date: Wed Jul 13 21:25:03 2005 Subject: [SC-Help] OT Re: What now? In-Reply-To: References: Message-ID: On 7/13/2005 3:10 PM Mike Easter scribbled: news:db42d1$eap$1@news.spamcop.net Using Thunderbird, how do I get it to follow the above link? Anyone here know a simple answer? Thanks, know the question belongs elsewhere... From MikeE at ster.invalid Wed Jul 13 20:11:57 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jul 13 22:15:03 2005 Subject: [SC-Help] Re: OT Re: What now? References: Message-ID: J G wrote: > Mike Easter scribbled: > news:db42d1$eap$1@news.spamcop.net > Using Thunderbird, how do I get it to follow the above link? I don't know tbird -- in the IE/OE marriage, a link like that causes IE to call up OE for the display and OE tries to get the mid from the default newsserver.. In that IE/OE combination, it is essential that the OE default newsserver be news.spamcop.net if it is so configured, but if I had made the link be designed for OE to have /any/ newsserver as default, I should have put news://news.spamcop.net/db42d1$eap$1@news.spamcop.net Try that one. > Anyone here know a simple answer? > Thanks, know the question belongs elsewhere... -- Mike Easter kibitzer, not SC admin From SCNews.5.myspamgobbler at spamgourmet.com Wed Jul 13 22:58:41 2005 From: SCNews.5.myspamgobbler at spamgourmet.com (Brian (SnSR)) Date: Thu Jul 14 01:05:15 2005 Subject: [SC-Help] Re: OT Re: What now? In-Reply-To: References: Message-ID: Mike Easter wrote: > J G wrote: > >> Mike Easter scribbled: > > >> news:db42d1$eap$1@news.spamcop.net > > >>Using Thunderbird, how do I get it to follow the above link? > > > I don't know tbird -- in the IE/OE marriage, a link like that causes IE > to call up OE for the display and OE tries to get the mid from the > default newsserver.. > > In that IE/OE combination, it is essential that the OE default > newsserver be news.spamcop.net if it is so configured, but if I had made > the link be designed for OE to have /any/ newsserver as default, I > should have put news://news.spamcop.net/db42d1$eap$1@news.spamcop.net > Try that one. > > That works better for Thunderbird and Firefox. From anon at coks.net Wed Jul 13 23:31:06 2005 From: anon at coks.net (J G) Date: Thu Jul 14 01:30:03 2005 Subject: [SC-Help] Re: OT Re: What now? In-Reply-To: References: Message-ID: On 7/13/2005 7:11 PM Mike Easter scribbled: >>Using Thunderbird, how do I get it to follow the above link? > > In that IE/OE combination, it is essential that the OE default > newsserver be news.spamcop.net if it is so configured, but if I had made > the link be designed for OE to have /any/ newsserver as default, I > should have put news://news.spamcop.net/db42d1$eap$1@news.spamcop.net > Try that one. > That works - "essential that the OE default newsserver be news.spamcop.net if it is so configured..." works for spamcop, I guess... From wskrispy at EXCISEoptonline.net Thu Jul 14 04:19:24 2005 From: wskrispy at EXCISEoptonline.net (wskrispy) Date: Thu Jul 14 03:20:09 2005 Subject: [SC-Help] Re: Spamcop failing to detect true originating IP In-Reply-To: References: <1sxvpgfconcpt$.dlg@news.spamcop.net> Message-ID: Ellen wrote: > "wskrispy" wrote in message > news:db40uc$d3o$1@news.spamcop.net... > >>N. Miller wrote: >> >>Hold on a sec Ellen and N. Miller-- if you look at the entire message at >>tracker >> > > http://www.spamcop.net/sc?id=z785186974zfb5c4d04f5694f362a90b200bac251bfz;action=display > >> you will see that in the header block below the SA Content Analysis >>there is a third Received header which does in fact identify the >>connecting IP (85.40.108.210). Why didn't Spamcop use this and proceed? >> >>Ellen said "For some reason and for some spams, your server will print 2 >>received headers as above rather than showing the connecting IP as it >>does for other spams". This is not so. All these spams have this header >>block eventually showing the connecting IP. >> > > > > I know what the problem is - there are two ways that an admin can set up SA. > In one method, all the original headers are preserved in their normal order > and the SA stuff is added as X-headers. SC handles this fine. In the second > method, SA adds that block of text and then stuffs the original email into > the message body. SC does not handle spams which have been processed thru SA > in that mode. Either turn off SA or get it set to handle inbound mail > analysis by the other method. > > Ellen > > Ok I'll try the other mode (no way am I turning SA off, my users would instantly be buried under piles of spam dwarfing Mt. Everest). Thanks very much Ellen. -- wsk From glnews030922 at highspot.net Thu Jul 14 10:26:59 2005 From: glnews030922 at highspot.net (Graeme Leith) Date: Thu Jul 14 04:30:02 2005 Subject: [SC-Help] Re: OT Re: What now? In-Reply-To: References: Message-ID: J G wrote: > On 7/13/2005 3:10 PM Mike Easter scribbled: > > > news:db42d1$eap$1@news.spamcop.net > > > Using Thunderbird, how do I get it to follow the above link? > Anyone here know a simple answer? > Thanks, know the question belongs elsewhere... Not sure on vanilla Thunderbird, but it works with a right click if you have this extension installed: http://extensionroom.mozdev.org/more-info/messageid-finder -- Evidence shows Cyveillance abuse internet resources. I recommend unchecking their box in SpamCop reports. Cyveillance are part of the problem. They are not part of the solution. From nobody at spamcop.net Thu Jul 14 09:21:42 2005 From: nobody at spamcop.net (Ellen) Date: Thu Jul 14 11:05:02 2005 Subject: [SC-Help] Re: Spamcop failing to detect true originating IP References: <1sxvpgfconcpt$.dlg@news.spamcop.net> Message-ID: "wskrispy" wrote in message news:db53lu$1a2$1@news.spamcop.net... > > Ok I'll try the other mode (no way am I turning SA off, my users would > instantly be buried under piles of spam dwarfing Mt. Everest). > > Thanks very much Ellen. > You're welcome. I didn't seriously think you were going to turn off SA :-) E From anon at coks.net Thu Jul 14 09:32:40 2005 From: anon at coks.net (J G) Date: Thu Jul 14 11:35:04 2005 Subject: [SC-Help] Re: OT Re: What now? In-Reply-To: References: Message-ID: On 7/14/2005 1:26 AM Graeme Leith scribbled: > J G wrote: > >>On 7/13/2005 3:10 PM Mike Easter scribbled: >> >> >> news:db42d1$eap$1@news.spamcop.net >> >> >>Using Thunderbird, how do I get it to follow the above link? >>Anyone here know a simple answer? >>Thanks, know the question belongs elsewhere... > > > Not sure on vanilla Thunderbird, but it works with a right click if you > have this extension installed: > > http://extensionroom.mozdev.org/more-info/messageid-finder > Thanks, Graeme - works fine with 1.02... From nobody at spamcop.net Thu Jul 14 10:11:10 2005 From: nobody at spamcop.net (N. Miller) Date: Thu Jul 14 12:15:03 2005 Subject: [SC-Help] Re: Spamcop failing to detect true originating IP References: <1sxvpgfconcpt$.dlg@news.spamcop.net> Message-ID: On Wed, 13 Jul 2005 17:26:34 -0400, wskrispy wrote: > Hold on a sec Ellen and N. Miller-- if you look at the entire message at > tracker > http://www.spamcop.net/sc?id=z785186974zfb5c4d04f5694f362a90b200bac251bfz;action=display > you will see that in the header block below the SA Content Analysis > there is a third Received header which does in fact identify the > connecting IP (85.40.108.210). Why didn't Spamcop use this and proceed? I just stopped reading the headers at the same point as the SpamCop parser, or Sam Spade WinTools would have stopped. It really looks very much like what happened with my DHC email account. The administrator of that account made the fix suggested by Ellen within 24 hours of my question to him about what had happened. -- Norman ~Shine, bright morning light, ~now in the air the spring is coming. ~Sweet, blowing wind, ~singing down the hills and valleys. From geoff at nospam.gjctech.co.uk Thu Jul 14 21:52:30 2005 From: geoff at nospam.gjctech.co.uk (Geoff Lane) Date: Thu Jul 14 16:55:02 2005 Subject: [SC-Help] Failed to parse HTML Head Message-ID: tracker: http://www.spamcop.net/sc? id=z785942629z3962ecd67a466a51942bd4514c9d2268z In the above report, SC refused to parse the HTML Head section and instead returned an error. Following the link, it would appear that SC is now being much more strict. So, I increased my screen resolution to 2048 x 1536 and maximised the message source window so that each line would be copied to the clipboard without breaks. I checked the textarea in the reporting form to ensure that no extra line breaks occurred. SC still returned the error and refused to parse the HTML section. Looking at the source, I suspect that it's tripping up on the following lines: ------=_NextPart_001_0001_291C5BDC.A05E6DC5 Content-Type: text/html; charset="iso-8859-1" Now, that break is spammy's doing, not mine. So, if this is what is tripping up the SC parser then spammy has found yet another way to circumvent SC. -- Geoff Lane Cornwall, UK From anon at coks.net Thu Jul 14 16:21:50 2005 From: anon at coks.net (J G) Date: Thu Jul 14 18:25:10 2005 Subject: [SC-Help] Re: Need Support to recover lost e-mail In-Reply-To: References: Message-ID: On 7/14/2005 3:11 PM Blammo scribbled: > On 13 Jul 2005 J G entered spamcop.help and left > news:db4e99$l60$2@news.spamcop.net: > > >>Did you look into the inbox file itself (inbox no extension)? You might >>have just blown the index file, but I don't use outlook distress, so not >>so sure. I believe the Inbox should be a plain text file... >> > > > It's very hard to find the Outlook inbox, I have found it before, but I > don't remember where, and it's not plain text and hardly readable. And it > does have an extension. > The best thing to do when you have a crash like that is to go to web mail > and see if any messages are still there, pop should not delete the messages > if it doesn't finish the download. If it did make it to the "delete stage" > then I don't know, it's probably gone. > If that is true about OE, thats typical m$ lack of adherence to standards - I thought it was pretty much standard that mbox format was plain text. but I've been wrong before... From nobody at devnull.spamcop.net Thu Jul 14 21:09:16 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Thu Jul 14 21:10:04 2005 Subject: [SC-Help] Re: Need Support to recover lost e-mail References: Message-ID: "J G" wrote in message news:db4e99$l60$2@news.spamcop.net... > > > > "bseymour" wrote in message > > news:db0svs$j4c$1@news.spamcop.net... > > My wife was downloading email from spamcop yesterday when the computer > > crashed, HARD. She saw a number of new messages right before the crash, bug > > after restarting there was nothing. I checked her account via WebMail and > > the messages were gone, downloaded. > > > > Is there any way the SpamCop team could help us recover those messages? > > > > Thanks in advance... > > > Did you look into the inbox file itself (inbox no extension)? You might > have just blown the index file, but I don't use outlook distress, so not > so sure. I believe the Inbox should be a plain text file... Not said or agreed to, so the next question would be what version of Outlook Express is in use. File storage implementation changed immensely between versions 3,4, and 5 ... 6 just carried on with 5's game plan. If we go with OE6 .... file extension in question is .dbx OE6 | Tools | Options | Maintenance | Store Folder This shows you where the .dbx files are stored (an allows one to move them somewhere else) folders.dbx keeps track of all the folders, sub-folders, newsgroups subscribed to, etc. Inbox.dbx is the InBox data, etc. Data sites include http://www.oehelp.com/ (dbxtract used to be free) which also links to http://insideoe.tomsterdam.com/ ... if the problems aren't described in these links, you don't have a problem From MikeE at ster.invalid Fri Jul 15 00:59:52 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri Jul 15 03:00:35 2005 Subject: [SC-Help] Re: Failed to parse HTML Head References: Message-ID: Geoff Lane wrote: > tracker: http://www.spamcop.net/sc? > id=z785942629z3962ecd67a466a51942bd4514c9d2268z > > In the above report, SC refused to parse the HTML Head section and > instead returned an error. Correct, SC sez Finding links in message body Recurse multipart: Recurse multipart: Parsing text part Parsing HTML part error: couldn't parse head Message body parser requires full, accurate copy of message More information on this error.. no links found The problem is in the structure of the mime within/around the mime. The header sez: Content-Type: multipart/related; type="multipart/alternative"; boundary="NextPartA" Then, in the body we see the 'wrapper' for the inner mime structure, note line * ---NextPartA * Content-Type: multipart/alternative; boundary="NextPartB" --NextPartB Content-Type: text/plain; --NextPartB Content-Type: text/html; --NextPartB --NextPartA The problem is that the wrapper/delimitor for the inner mime structure at the * should say 'Content-Type: text/html' If I make/forge that change, everything parses properly: http://www.spamcop.net/sc?id=z786087094z2665f33efee612bfa51e48dbb997a16az Resolving link obfuscation http://www.soft-dream.com host www.soft-dream.com (checking ip) = 85.21.41.2 host 85.21.41.2 (getting name) no name http://www.soft-dream.com/uns.htm Tracking link: http://www.soft-dream.com [report history] Resolves to 85.21.41.2 Routing details for 85.21.41.2 [refresh/show] Cached whois for 85.21.41.2 : postmaster@corbina.net abuse@corbina.net Using abuse net on postmaster@corbina.net abuse net corbina.net = admin@corbina.ru, abuse@corbina.net Using best contacts admin@corbina.ru abuse@corbina.net -- Mike Easter kibitzer, not SC admin From geoff at nospam.gjctech.co.uk Fri Jul 15 09:13:46 2005 From: geoff at nospam.gjctech.co.uk (Geoff Lane) Date: Fri Jul 15 04:15:03 2005 Subject: [SC-Help] Re: Failed to parse HTML Head References: Message-ID: "Mike Easter" wrote in news:db7msv$j03$1 @news.spamcop.net: > The problem is in the structure of the mime within/around the mime. > [...] > > The problem is that the wrapper/delimitor for the inner mime structure > at the * should say 'Content-Type: text/html' > > If I make/forge that change, everything parses properly: Thanks for that. Although I can see what you've done, I don't have enough expertise to completely understand why you've done it - and so can't "correct" the source of future spam where spammy is using the same trick. Even if I did, I suspect that altering the source and then sending LARTS via SC would be against SC's terms of use (or would it?). -- Geoff Lane Cornwall, UK From MikeE at ster.invalid Fri Jul 15 03:13:16 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri Jul 15 05:15:56 2005 Subject: [SC-Help] Re: Failed to parse HTML Head References: Message-ID: Geoff Lane wrote: > "Mike Easter" >> The problem is that the wrapper/delimitor for the inner mime >> structure at the * should say 'Content-Type: text/html' >> >> If I make/forge that change, everything parses properly: > Although I can see what you've done, I don't have enough expertise to > completely understand why you've done it - and so can't "correct" the > source of future spam where spammy is using the same trick. Even if I > did, I suspect that altering the source and then sending LARTS via SC > would be against SC's terms of use (or would it?). No no no. That wasn't the purpose of the forgery. The purpose was to aid 'us' in understanding the problem. We aren't supposed to forge/alter our spam to feed to the parser. We are having a discussion here to go about understanding the problem. That's the reason I call it 'forgery' and cancel it. By making a change and seeing the parser parse the item, I confirm what I think was wrong with the structure, from the parser's point of view. -- Mike Easter kibitzer, not SC admin From geoff at nospam.gjctech.co.uk Fri Jul 15 11:33:15 2005 From: geoff at nospam.gjctech.co.uk (Geoff Lane) Date: Fri Jul 15 06:35:14 2005 Subject: [SC-Help] Re: Failed to parse HTML Head References: Message-ID: "Mike Easter" wrote in news:db7ung$mu5$1 @news.spamcop.net: > No no no. That wasn't the purpose of the forgery. The purpose was to > aid 'us' in understanding the problem. I now have a much better understanding of the problem, in that your "forgery" has achieved its purpose. You've also confirmed my suspicion that changing the source and then using SC to send a LART is not allowed. Many thanks, -- Geoff Lane Cornwall, UK From no at spam.invalid Fri Jul 15 09:28:53 2005 From: no at spam.invalid (Michael Wise) Date: Fri Jul 15 11:30:03 2005 Subject: [SC-Help] Re: Need Support to recover lost e-mail References: Message-ID: In article , Blammo wrote: > > If that is true about OE, thats typical m$ lack of adherence to > > standards - I thought it was pretty much standard that mbox format was > > plain text. but I've been wrong before... > > > > Netscape has always used the UNIX mbox format, as do a few others, MS and > Eurdora never did. On what planet is this? On Earth, Eudora has always been mbox (at least the Mac version does) since it first came out a full seven or so years before Netscape. --Mike From cashbox at bellsouth.net Sat Jul 16 15:05:19 2005 From: cashbox at bellsouth.net (JOE AHEARN) Date: Sat Jul 16 14:05:32 2005 Subject: [SC-Help] Re: Failed to parse HTML Head References: Message-ID: <000d01c58a30$edb320d0$6101a8c0@JOSEPH> ----- Original Message ----- From: "Mike Easter" Newsgroups: spamcop.help To: "Joe Ahearn" Sent: Friday, July 15, 2005 5:13 AM Subject: [SC-Help] Re: Failed to parse HTML Head > Geoff Lane wrote: >> "Mike Easter" >>> The problem is that the wrapper/delimitor for the inner mime >>> structure at the * should say 'Content-Type: text/html' >>> >>> If I make/forge that change, everything parses properly: > >> Although I can see what you've done, I don't have enough expertise to >> completely understand why you've done it - and so can't "correct" the >> source of future spam where spammy is using the same trick. Even if I >> did, I suspect that altering the source and then sending LARTS via SC >> would be against SC's terms of use (or would it?). > > No no no. That wasn't the purpose of the forgery. The purpose was to > aid 'us' in understanding the problem. > > We aren't supposed to forge/alter our spam to feed to the parser. We > are having a discussion here to go about understanding the problem. > > That's the reason I call it 'forgery' and cancel it. By making a change > and seeing the parser parse the item, I confirm what I think was wrong > with the structure, from the parser's point of view. > > -- > Mike Easter > kibitzer, not SC admin > > > _______________________________________________ > SpamCop-Help mailing list > SpamCop-Help@news.spamcop.net > http://news.spamcop.net/mailman/listinfo/spamcop-help >What you continue to send to me doe no good and just contributes to email I >have to plow through to get maybe one or two emails. Please take me off >your list. Please! Joe Ahearn From cashbox at bellsouth.net Sat Jul 16 15:06:51 2005 From: cashbox at bellsouth.net (JOE AHEARN) Date: Sat Jul 16 14:07:03 2005 Subject: [SC-Help] Re: Need Support to recover lost e-mail References: Message-ID: <001601c58a31$2429d8c0$6101a8c0@JOSEPH> ----- Original Message ----- From: "Blammo" Newsgroups: spamcop.help To: "Joe Ahearn" Sent: Saturday, July 16, 2005 2:20 AM Subject: [SC-Help] Re: Need Support to recover lost e-mail > On 15 Jul 2005 Michael Wise entered spamcop.help and left news:no- > 87E7CE.08285215072005@news.cesmail.net: > >> On what planet is this? On Earth, Eudora has always been mbox (at least >> the Mac version does) since it first came out a full seven or so years >> before Netscape. >> > > Well I guess it does, in a way, they aren't UNIX format, they split the > message attachments up for one. My memory sometimes fails me, as I thought > they were unreadable, in a database format. > > -- > | Ric > _______________________________________________ > SpamCop-Help mailing list > SpamCop-Help@news.spamcop.net > http://news.spamcop.net/mailman/listinfo/spamcop-help >Take me off your least Please. Please! Joe Ahearn From cashbox at bellsouth.net Sat Jul 16 15:14:20 2005 From: cashbox at bellsouth.net (JOE AHEARN) Date: Sat Jul 16 14:14:37 2005 Subject: [SC-Help] Failed to parse HTML Head References: Message-ID: <003a01c58a32$300ca4a0$6101a8c0@JOSEPH> ----- Original Message ----- From: "Geoff Lane" Newsgroups: spamcop.help To: "Joe Ahearn" Sent: Thursday, July 14, 2005 4:52 PM Subject: [SC-Help] Failed to parse HTML Head > tracker: http://www.spamcop.net/sc? > id=z785942629z3962ecd67a466a51942bd4514c9d2268z > > In the above report, SC refused to parse the HTML Head section and instead > returned an error. Following the link, it would appear that SC is now > being > much more strict. So, I increased my screen resolution to 2048 x 1536 and > maximised the message source window so that each line would be copied to > the clipboard without breaks. I checked the textarea in the reporting form > to ensure that no extra line breaks occurred. SC still returned the error > and refused to parse the HTML section. > > Looking at the source, I suspect that it's tripping up on the following > lines: > > ------=_NextPart_001_0001_291C5BDC.A05E6DC5 > Content-Type: text/html; > charset="iso-8859-1" > > Now, that break is spammy's doing, not mine. So, if this is what is > tripping up the SC parser then spammy has found yet another way to > circumvent SC. > > -- > Geoff Lane > Cornwall, UK > _______________________________________________ > SpamCop-Help mailing list > SpamCop-Help@news.spamcop.net > http://news.spamcop.net/mailman/listinfo/spamcop-help >Please take me off your list. Please! Joe ahearn From nobody at devnull.spamcop.net Sat Jul 16 14:38:08 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Sat Jul 16 14:40:04 2005 Subject: JOE AHEARN was-> Re: [SC-Help] Re: Failed to parse HTML Head References: Message-ID: "JOE AHEARN" wrote in message news:mailman.51.1121537135.169.spamcop-help@news.spamcop.net... > > > SpamCop-Help@news.spamcop.net > > http://news.spamcop.net/mailman/listinfo/spamcop-help > >What you continue to send to me doe no good and just contributes to email I > >have to plow through to get maybe one or two emails. Please take me off > >your list. Please! Joe Ahearn You filled out a form to request these newsletters. You confirmed that you wanted these newsletters. You ignore the links in these newsletters. You fail to look at the headers that also include; List-Unsubscribe: http://news.spamcop.net/mailman/listinfo/spamcop-help mailto:spamcop-help-request@news.spamcop.net?subject=unsubscribe Please grab a clue here somewhere and handle this just as you did when you signed up for it. From CGray2 at kc.rr.com Sat Jul 16 15:20:49 2005 From: CGray2 at kc.rr.com (Lane Gray, Czar Castic) Date: Sat Jul 16 15:20:03 2005 Subject: [SC-Help] Opera won't play with Spamcop, hashes headers Message-ID: I brought this up awhile ago, but the helpful reply came after I'd already ditched the spam and emptied the trash from Opera (I use their M2 as my mail and news client of choice), so I couldn't send along a copy of what I'd sent. Here's the tracking URL and below, what Opera sent to spamcop: http://www.spamcop.net/sc?id=z761129865zf78eab133dd819f61c9e9ded5b9d7176z Supposedly, pressing "C" copies the raw text, including headers, into the clipboard, but it obviously does something wrong, because SC doesn't bother parsing the HTML in the body (I'd already sent abuse@hopone.net a LART request; I was hoping, probably in vain, to swing a LART at the website involved. What, if anything, can I do to make Opera play along with what the SC parser is looking for? Or, I suppose, what can the folks at Opera do to the next version of their mailer? (crossposted to opera.mail.news as well as spamcop.help as I'd just as soon get this working right, I figure one bunch or the other ought to have an answer) The spam I sent to spamcop: Return-path: Received: from ms-mta-01 (ms-mta-01-smtp [10.15.8.71]) by ms-mss-01.rdc-kc.rr.com (iPlanet Messaging Server 5.2 HotFix 2.04 (built Feb 8 2005)) with ESMTP id <0IJP001TAKPDIK@ms-mss-01.rdc-kc.rr.com> for cgray2@kc.rr.com; Sat, 16 Jul 2005 01:58:25 -0500 (CDT) Received: from kcmx01.mgw.rr.com (kcmx01.mgw.rr.com [24.94.163.190]) by ms-mta-01.rdc-kc.rr.com (iPlanet Messaging Server 5.2 HotFix 2.04 (built Feb 8 2005)) with ESMTP id <0IJP00I6AKSALC@ms-mta-01.rdc-kc.rr.com> for cgray2@kc.rr.com (ORCPT cgray2@kc.rr.com); Sat, 16 Jul 2005 02:00:10 -0500 (CDT) Received: from promotionsltd.net ([66.235.162.83]) by kcmx01.mgw.rr.com (8.12.10/8.12.8) with ESMTP id j6G6o29E020878for ; Sat, 16 Jul 2005 03:00:08 -0400 (EDT) Received: by promotionsltd.net id hr2oog075j09; Sat, 16 Jul 2005 02:54:33 -0400 Date: Sat, 16 Jul 2005 02:54:33 -0400 From: "Processing Dept." Subject: Hershey's Offer Confirmation #o6o4r2763q93 To: cgray2@kc.rr.com Reply-to: myhersheys Message-id: MIME-version: 1.0 Content-type: multipart/alternative; boundary="----------=_227500021-6471445-1" Content-transfer-encoding: binary X-Virus-Scanned: Symantec AntiVirus Scan Engine Original-recipient: rfc822;cgray2@kc.rr.com X-Antivirus: AVG for E-mail 7.0.323 [267.8.15] This is a multi-part message in MIME format... ------------=_227500021-6471445-1 Content-Type: text/plain; charset="us-ascii" Content-Disposition: inline Content-Transfer-Encoding: 7bit ------------=_227500021-6471445-1 Content-Type: text/html; charset="us-ascii" Content-Disposition: inline Content-Transfer-Encoding: 7bit






------------=_227500021-6471445-1-- -- Lane Gray Yes, I'm a minion of Satan, but my duties are largely ceremonial From nobody at devnull.spamcop.net Sat Jul 16 15:40:05 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Sat Jul 16 15:45:02 2005 Subject: [SC-Help] Re: Opera won't play with Spamcop, hashes headers References: Message-ID: "Lane Gray, Czar Castic" wrote in message news:dbbmjs$liq$1@news.spamcop.net... > I brought this up awhile ago, but the helpful reply came after I'd already ditched the spam and emptied the trash from Opera (I use > their M2 as my mail and news client of choice), so I couldn't send along a copy of what I'd sent. > > Here's the tracking URL and below, what Opera sent to spamcop: > http://www.spamcop.net/sc?id=z761129865zf78eab133dd819f61c9e9ded5b9d7176z You lie .... the Tracking URL spam has no relationship at all to the crap you posted "here" .. which by the way in not appreciated. If you must post your spam, the newsgroup spamcop.spam is the place set aside for that. In general these days, this is not needed as the Tracking URL will contain the data required. Your alleged "doesn't parse HTML" is an issue for some other reason. The data found in your Tracking URL spam was a "URL not resolvable" issue, though one would wonder why someone would expect http://adi.fakerolexsite.com./ We a1so carry a11 top qua1ity 1ouis Vuitton handbags! would be a real site or give a hoot about complaints. Possibly "turn on full details" in your preferences would offer enough of an explanation for what happened in your parse. The resolves one time, not the next is a known issue, but ... structuring your query needs some work ..... From MikeE at ster.invalid Sat Jul 16 14:41:43 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat Jul 16 16:45:03 2005 Subject: [SC-Help] Re: Opera won't play with Spamcop, hashes headers References: Message-ID: Lane Gray, Czar Castic wrote: > I brought this up awhile ago, I don't see any previous posts from you here or in opera.mail+news > Here's the tracking URL and below, what Opera sent to spamcop: www.spamcop.net/sc?id=z761129865zf78eab133dd819f61c9e9ded5b9d7176z That's an item received by a cox mailbox, parsed for a cox mailhosts, spamvertising http://adi.fakerolexsite.com./ which has a dot after the 'com' -- but it demonstrates that the item was copied and pasted and submitted properly with complete headers over raw message body. > Supposedly, pressing "C" copies the raw text, including headers, into > the clipboard, but it obviously does something wrong, because SC > doesn't bother parsing the HTML in the body In the tracker item, SC finds the spamvertised url and fails to resolve it. If I feed the raw 'improper' url into the parser, it also fails to resolve it. If I remove the improper dot, SC also fails to resolve. My resolver resolves to 194.126.189.106. If I use a GET on the proper url, it provides a payload and also redirects to http://www.911replicas.com/ + which is also 194.126.189.106 > What, if anything, can I do to make Opera play along with what the SC > parser is looking for? You are successfully copying and submitting if the tracker and the completely different item you pasted here are examples of what you are getting from Opera. SC's faq doesn't show instructions for Opera, but I've seen screenshots at spamcop.com. > The spam I sent to spamcop: What you pasted here which you shouldn't have is a completely different item. Here's a tracker for it after I removed the newsreader induced linewraps from the header and submitted it to the parser. http://www.spamcop.net/sc?id=z786666345za61e720ddd2c3e8cdda9802236220af2z That item is to your kc.rr.com mailbox and is spamvertising http://promotionsltd.net and SC finds the spamvertised url and resolves it and offers to report to dstich@intelletrace.com when I parsed it. Report Spam to: Re: 66.235.162.83 (Administrator of network where email originates) To: abuse@hopone.net (Notes) Re: 66.235.162.83 (Third party interested in email source) To: Cyveillance spam collection (Notes) Re: http://promotionsltd.net/ljdforlyfe/67 (Administrator of network hosting website referenced in spam) To: dstich@intelletrace.com (Notes) -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sat Jul 16 15:30:53 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat Jul 16 17:35:07 2005 Subject: [SC-Help] Re: Opera won't play with Spamcop, hashes headers References: Message-ID: Lane Gray, Czar Castic wrote: > Supposedly, pressing "C" copies the raw text, including headers, into > the clipboard, Yep. That's what it sez here http://www.opera.com/features/keyboard/index.dml Keyboard Shortcuts in Opera E-mail keys Copy raw e-mail data to clipboard C That's better than the screenshot information at spamcop.com -- Mike Easter kibitzer, not SC admin From CGray2 at kc.rr.com Sat Jul 16 19:18:54 2005 From: CGray2 at kc.rr.com (Lane Gray, Czar Castic) Date: Sat Jul 16 19:20:03 2005 Subject: [SC-Help] Re: Opera won't play with Spamcop, hashes headers References: Message-ID: WazoO wrote: > > You lie Wrong. .... the Tracking URL spam has no relationship at all > to the crap you posted Well, I'll have the manners to apologize (I won't bother pointing out your apparent lack of same, oops) for sending the whole spam. Yeah, had I been thinking clearly rather than trying to get the heck out of the house earlier, I'd have only sent the headers. My bad; I'm sorry. > this is not needed as the Tracking URL will > contain the data required. > > Your alleged "doesn't parse HTML" is an issue for > some other reason. The data found in your Tracking > URL spam was a "URL not resolvable" issue, though > one would wonder why someone would expect > http://adi.SNIPPED.com./ > We a1so carry a11 top qua1ity 1ouis Vuitton handbags! > would be a real site or give a hoot about complaints. Here's the cut 'n' paste from what I got when I reported it _____quoted bit________ Finding links in message body Parsing text part error: couldn't parse head Message body parser requires full, accurate copy of message More information on this error.. no links found ___________end quoted bit______ I also didn't read the entirety of the MIME-encoded mail: I've turned off the HTML and MIME rendering in Opera, I saw no message body, as they didn't bother including a plain-text message. > Possibly "turn on full details" in your preferences > would offer enough of an explanation for what > happened in your parse. The resolves one time, not > the next is a known issue, but ... structuring your query > needs some work ..... > Well, like I said, I apologize. It certainly seems like my problem stems from a line-wrap issue, most likely. I'll see if disabling line-wrapping on my outgoing messages helps. Oh, and thanks, Mike, for your more helpful and measured response (timely, too). -- Lane Gray Yes, I'm a minion of Satan, but my duties are largely ceremonial From CGray2 at kc.rr.com Sat Jul 16 21:07:40 2005 From: CGray2 at kc.rr.com (Lane Gray, Czar Castic) Date: Sat Jul 16 21:10:03 2005 Subject: [SC-Help] Re: Opera won't play with Spamcop, hashes headers References: Message-ID: Mike Easter wrote: > Lane Gray, Czar Castic wrote: > > I brought this up awhile ago, > > I don't see any previous posts from you here or in opera.mail+news > I don't know what the deal was: I remember asking here (or over at opera, I don't recall, and neither shows up) and, here's the funny bit, getting a reply. I remember the reply, too. Who knows, maybe I dreamt it. But I remember it. Weird. > > Here's the tracking URL and below, what Opera sent to spamcop: > www.spamcop.net/sc?id=z761129865zf78eab133dd819f61c9e9ded5b9d7176z > > That's an item received by a cox mailbox, parsed for a cox mailhosts, > spamvertising http://adi.fakerolexsite.com./ which has a dot after the > 'com' -- but it demonstrates that the item was copied and pasted and > submitted properly with complete headers over raw message body. > My bad. I'd looked around the spamcop's "More information on this error" and put the tracking url found there. Here's the one from the one I sent (the tracker I'd meant to send in the earlier post) http://www.spamcop.net/sc?id=z786645139z212429dde5c066b746f581f8d9bf76e1z > > > What, if anything, can I do to make Opera play along with what the SC > > parser is looking for? > > You are successfully copying and submitting if the tracker and the > completely different item you pasted here are examples of what you are > getting from Opera. SC's faq doesn't show instructions for Opera, but > I've seen screenshots at spamcop.com. > > > The spam I sent to spamcop: > > What you pasted here which you shouldn't have is a completely different > item. Yep, and I apologize. Oops. > Here's a tracker for it after I removed the newsreader induced > linewraps from the header and submitted it to the parser. > > http://www.spamcop.net/sc?id=z786666345za61e720ddd2c3e8cdda9802236220af2z Oh, thanks for pointing out the linewrap thing, that held the key. The last couple I've sent have worked fine, once I told Opera to kill linewrapping in outgoing mail. I just need to either kill it for my regular newsgrouping or hit "return" on my own from time to time. -- Lane Gray Yes, I'm a minion of Satan, but my duties are largely ceremonial From MikeE at ster.invalid Sat Jul 16 19:27:56 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat Jul 16 21:30:03 2005 Subject: [SC-Help] Re: Opera won't play with Spamcop, hashes headers References: Message-ID: Lane Gray, Czar Castic wrote: > Mike Easter wrote: > I'd looked around the spamcop's "More information on this > error" That 'more information' link is very important about describing exactly the problem the tracker below shows. http://www.spamcop.net/fom-serve/cache/368.html Problems with spam not in original format That page displays 'mangling' of headers. A header has to have a fieldname colon space field value. The fieldname has to be continuous without spaces. If the field value can reside on a single line that's fine. If the field value must be 'folded' onto multiple lines, it has to be folded with leading whitespace on every folded line. It is common for some Received tracelines to get folded. If they are improperly folded, that is no good. > Here's the one from the one I sent (the tracker I'd meant to send in > the earlier post) > www.spamcop.net/sc?id=z786645139z212429dde5c066b746f581f8d9bf76e1z That tracker shows badly folded lines - SC calls them mangled. The Received tracelines are mangled and the Content-Type line is mangled. > Oh, thanks for pointing out the linewrap thing, that held the key. > The last couple > I've sent have worked fine, once I told Opera to kill linewrapping in > outgoing mail. So, how are you submitting these? You aren't using 'C' to copy the raw source with contiguous headers and pasting it into the webparser? But instead you are hitting C and doing what with the raw message source spam in the clipboard? > I just need to either kill it for my regular newsgrouping or hit > "return" on > my own from time to time. It is 'normal' for news messages to be wrapped by the newsagent, not the editing human. But when you paste a spam anywhere, wrongly here and not so wrongly in spamcop.spam, the newsagent introduces linewraps into it which have to be removed before putting it into the parser. That is one of many reasons I would rather work with trackers than newsgroup posted spam. -- Mike Easter kibitzer, not SC admin From no at spam.invalid Sat Jul 16 20:11:37 2005 From: no at spam.invalid (Michael Wise) Date: Sat Jul 16 22:15:03 2005 Subject: [SC-Help] Re: Need Support to recover lost e-mail References: Message-ID: In article , Blammo wrote: > > On what planet is this? On Earth, Eudora has always been mbox (at least > > the Mac version does) since it first came out a full seven or so years > > before Netscape. > > > > Well I guess it does, in a way, they aren't UNIX format, they split the > message attachments up for one. My memory sometimes fails me, as I thought > they were unreadable, in a database format. They are UNIX mbox format and always have been. The line break method will vary depending on whether you're using Windows or the Mac OS...but they're still mbox files. See: http://eudora.com/techsupport/kb/1333hq.html --Mike From CGray2 at kc.rr.com Sat Jul 16 23:22:08 2005 From: CGray2 at kc.rr.com (Lane Gray, Czar Castic) Date: Sat Jul 16 23:25:02 2005 Subject: [SC-Help] Re: Opera won't play with Spamcop, hashes headers References: Message-ID: Mike Easter wrote: > Lane Gray, Czar Castic wrote: > www.spamcop.net/sc?id=z786645139z212429dde5c066b746f581f8d9bf76e1z > > That tracker shows badly folded lines - SC calls them mangled. The > Received tracelines are mangled and the Content-Type line is mangled. > > > Oh, thanks for pointing out the linewrap thing, that held the key. > > The last couple > > I've sent have worked fine, once I told Opera to kill linewrapping in > > outgoing mail. > > So, how are you submitting these? You aren't using 'C' to copy the raw > source with contiguous headers and pasting it into the webparser? But > instead you are hitting C and doing what with the raw message source > spam in the clipboard? > I'd hit "C" and put it in an email which I send to submit.ypf@spam.spamcop.net. > > I just need to either kill it for my regular newsgrouping or hit > > "return" on > > my own from time to time. > > It is 'normal' for news messages to be wrapped by the newsagent, not the > editing human. But when you paste a spam anywhere, wrongly here and not > so wrongly in spamcop.spam, the newsagent introduces linewraps into it > which have to be removed before putting it into the parser. That is one > of many reasons I would rather work with trackers than newsgroup posted > spam. > Right. I'd had Opera (the mail/news client portion) set to automatically line-wrap outgoing messages. While helpful for mail and news, it made Spamcop hack and cough. That "More info" link might benefit from a mention of that for the Opera people. Not that we represent a large demographic (Hey, I play a pedal steel guitar, too; I've grown used to traveling in small company). -- Lane Gray Yes, I'm a minion of Satan, but my duties are largely ceremonial From MikeE at ster.invalid Sat Jul 16 22:36:41 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Jul 17 00:40:03 2005 Subject: [SC-Help] Re: Opera won't play with Spamcop, hashes headers References: Message-ID: Lane Gray, Czar Castic wrote: > Mike Easter wrote: >> Lane Gray, Czar Castic wrote: >>> I brought this up awhile ago, >> >> I don't see any previous posts from you here or in opera.mail+news >> > I don't know what the deal was: I remember asking here (or over at > opera, I don't recall, and neither shows up) and, here's the funny > bit, getting a reply. I remember the reply, too. Who knows, maybe I > dreamt it. But I remember it. Weird. Feb '05 http://news.spamcop.net/pipermail/spamcop-help/2005-February/064339.html [SC-Help] Opera problems Lane Gray, Czar Castic CGray2 at kc.rr.com Fri Feb 4 11:46:58 EST 2005 All I sed in that thread was that I wanted a tracker. :-) -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sat Jul 16 22:54:59 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Jul 17 00:55:02 2005 Subject: [SC-Help] Re: Opera won't play with Spamcop, hashes headers References: Message-ID: Lane Gray, Czar Castic wrote: > Mike Easter wrote: >> So, how are you submitting these? You aren't using 'C' to copy the >> raw source with contiguous headers and pasting it into the >> webparser? But instead you are hitting C and doing what with the >> raw message source spam in the clipboard? >> > I'd hit "C" and put it in an email which I send to submit.ypf of alphanumerics which must identify me to Spamcop>@spam.spamcop.net. I see. I'm reading in the Opera ng/s^1 that redirect is /supposed to/ function as forward as attachment does in OE, but I'm reading an Opera person saying in the forums^2 that redirect doesn't work like that. Have you tried redirect? How about doing one of those and posting the tracker, even if it doesn't work so that we can find out if redirect is working like the person in the opera ng sez or like the forum person sez. ^1 Starts here: Newsgroups: opera.mail+news Subject: how can I include all headers in message forwarding? Date: Fri, 23 Jan 2004 17:34:23 -0500 Message-ID: Snurled googleup of 8 message thread http://snipurl.com/gb25 "Then Redirect sounds like what you want. The message will keep the ole headers basically unchanged, and the receiver will see the message as sent from the spammer. (In addition, the message will have new headers where the receiver can see who actually sent the message: resent-from with your address, in addition to the original from with the spammers address, resent-message-id with your message-id, in addition to the original message-id etc.) Redirect is so seldom used it does not have a button on the toolbar by default, but it is available in the context-menu you get when right-clicking the message in the message list." ^2 http://forum.spamcop.net/forums/lofiversion/index.php/t4361.html See huckerJun 9 2005, 11:27 AM http://forum.spamcop.net/forums/index.php?showtopic=4361&st=0&p=29072&#entry29072 "Redirect removes the headers and just pastes the body into a fresh email." > That "More info" link might benefit from a > mention of that for the Opera people. Not that we represent a large > demographic (Hey, I play a pedal steel guitar, too; I've grown used to > traveling in small company). The SC faq has a very very large section on how to submit spams properly to the parser and how to email them. Unfortunately Opera isn't mentioned in either. -- Mike Easter kibitzer, not SC admin From anon at coks.net Sat Jul 16 23:58:27 2005 From: anon at coks.net (J G) Date: Sun Jul 17 02:00:03 2005 Subject: [SC-Help] OT Re: Opera won't play with Spamcop, hashes headers In-Reply-To: References: Message-ID: On 7/16/2005 8:22 PM Lane Gray, Czar Castic scribbled: Hey, I play a pedal steel guitar, too; I've grown used to > traveling in small company. > lets see - Duane Allman, Dickey Betts, Ry Cooder, George Harrison, Hound Dog James, Bonnie Raitt, Jeff Beck, Muddy Waters, Taj Mahal, and did we mention Eric Clapton? small company indeed - then there's Jerry Garcia... From CGray2 at kc.rr.com Sun Jul 17 03:25:49 2005 From: CGray2 at kc.rr.com (Lane Gray, Czar Castic) Date: Sun Jul 17 03:25:10 2005 Subject: [SC-Help] Re: Opera won't play with Spamcop, hashes headers References: Message-ID: "Mike Easter" wrote in message news:dbcob3$aqp$1@news.spamcop.net... > Lane Gray, Czar Castic wrote: > > Mike Easter wrote: > > >> So, how are you submitting these? You aren't using 'C' to copy the > >> raw source with contiguous headers and pasting it into the > >> webparser? But instead you are hitting C and doing what with the > >> raw message source spam in the clipboard? > >> > > I'd hit "C" and put it in an email which I send to submit.ypf > of alphanumerics which must identify me to Spamcop>@spam.spamcop.net. > > I see. > > I'm reading in the Opera ng/s^1 that redirect is /supposed to/ function > as forward as attachment does in OE, but I'm reading an Opera person > saying in the forums^2 that redirect doesn't work like that. > > Have you tried redirect? How about doing one of those and posting the > tracker, even if it doesn't work so that we can find out if redirect is > working like the person in the opera ng sez or like the forum person > sez. > > ^1 Starts here: > Newsgroups: opera.mail+news > Subject: how can I include all headers in message forwarding? > Date: Fri, 23 Jan 2004 17:34:23 -0500 > Message-ID: > > Snurled googleup of 8 message thread http://snipurl.com/gb25 > > "Then Redirect sounds like what you want. The message will keep the ole > headers basically unchanged, and the receiver will see the message as > sent from the spammer. (In addition, the message will have new headers > where the receiver can see who actually sent the message: resent-from > with your address, in addition to the original from with the spammers > address, resent-message-id with your message-id, in addition to the > original message-id etc.) Redirect is so seldom used it does not have a > button on the toolbar by default, but it is available in the > context-menu you get when right-clicking the message in the message > list." > > > ^2 http://forum.spamcop.net/forums/lofiversion/index.php/t4361.html > > See huckerJun 9 2005, 11:27 AM > > http://forum.spamcop.net/forums/index.php?showtopic=4361&st=0&p=29072&#entry29072 > > "Redirect removes the headers and just pastes the body into a fresh > email." > > > > That "More info" link might benefit from a > > mention of that for the Opera people. Not that we represent a large > > demographic (Hey, I play a pedal steel guitar, too; I've grown used to > > traveling in small company). > > The SC faq has a very very large section on how to submit spams properly > to the parser and how to email them. Unfortunately Opera isn't > mentioned in either. > The person from the forum had it right. Redirect made the SC parser hack and cough, to wit: SpamCop encountered errors while saving spam for processing: SpamCop could not find your spam message in this email: Return-Path: Received: from sc-smtp1.eq.ironport.com (sc-smtp1.eq.ironport.com [192.168.18.81]) by sc-app3.eq.ironport.com (Postfix) with ESMTP id 01FB1142E2 for ; Sat, 16 Jul 2005 22:30:06 -0700 (PDT) Received: from ms-smtp-01.rdc-kc.rr.com (24.94.166.115) by sc-smtp1.eq.ironport.com with ESMTP; 16 Jul 2005 22:30:05 -0700 Received: from stylgar (CPE-69-76-185-251.kc.res.rr.com [69.76.185.251]) by ms-smtp-01.rdc-kc.rr.com (8.12.10/8.12.7) with ESMTP id j6H5U2Z7020151 for ; Sun, 17 Jul 2005 00:30:02 -0500 (CDT) Received: from 127.0.0.1 (AVG SMTP 7.0.323 [267.8.16]); Sun, 17 Jul 2005 00:31:33 -0500 Date: Sat, 16 Jul 2005 22:06:43 -0800 From: "Saraann Neal" To: nobody@kc.rr.com Subject: Re-live your younger days in the relationship. sulfite Received: from zaq.ne.jp (zaq3d2e6475.zaq.ne.jp [61.46.100.117]) by lamx02.mgw.rr.com (8.12.10/8.12.8) with ESMTP id j6H56Cdp003713; Sun, 17 Jul 2005 01:06:41 -0400 (EDT) Message-ID: <059201c58a8d$52f3ac10$0f9c0245@DRIJFJ> X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.2527 X-Mailer: Microsoft Outlook Express 6.00.2900.2527 X-MSMail-priority: Normal X-Virus-Scanned: Symantec AntiVirus Scan Engine X-Virus-Scanned: Symantec AntiVirus Scan Engine X-Antivirus: AVG for E-mail 7.0.323 [267.8.16] Resent-To: "SpamCop AutoResponder" Resent-From: "Lane Gray, Czar Castic" Content-Type: text/plain; format=flowed; delsp=yes; charset=iso-8859-1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Resent-Date: Sun, 17 Jul 2005 00:31:31 -0500 Resent-Message-ID: If you want to be a stallion in the bedroom, check us out. We have some of the lowest prices possible on the internet to buy erection enhancement pills. Many of our customers simply use the medications to enhance their love life. Sex can be a lot of fun. Load up http://deletedcrapwithaniftycustomizedurl.com/ to see how cheap it really is. Nope. "C" to put the whole thing in the clipboard, pasted into a new email with linewrapping turned off seems the only way to go. -- Lane Gray Yes, I'm a minion of Satan, but my duties are largely ceremonial From CGray2 at kc.rr.com Sun Jul 17 03:30:23 2005 From: CGray2 at kc.rr.com (Lane Gray, Czar Castic) Date: Sun Jul 17 03:30:03 2005 Subject: [SC-Help] Re: Opera won't play with Spamcop, hashes headers References: Message-ID: Mike Easter > Lane Gray, Czar Castic wrote: > > Mike Easter wrote: > >> Lane Gray, Czar Castic wrote: > >>> I brought this up awhile ago, > >> > >> I don't see any previous posts from you here or in opera.mail+news > >> > > I don't know what the deal was: I remember asking here (or over at > > opera, I don't recall, and neither shows up) and, here's the funny > > bit, getting a reply. I remember the reply, too. Who knows, maybe I > > dreamt it. But I remember it. Weird. > > Feb '05 > http://news.spamcop.net/pipermail/spamcop-help/2005-February/064339.html > [SC-Help] Opera problems > Lane Gray, Czar Castic CGray2 at kc.rr.com > Fri Feb 4 11:46:58 EST 2005 > > All I sed in that thread was that I wanted a tracker. :-) > And I let it die because I'd already deleted that one email, so I didn't have the tracker anymore, and hadn't gotten any spam that made me mad until the other day (the ones that irritate me most have that annoying part in the plaintext section that says "Get a capable HTML mailer", as if any chance exists that a spammer will tell me how to set up my programs. Thanks for restoring my sense of sanity, I knew I'd sent one in here. From nobody at devnull.spamcop.net Sun Jul 17 04:12:39 2005 From: nobody at devnull.spamcop.net (Cat) Date: Sun Jul 17 04:15:02 2005 Subject: [SC-Help] Re: Opera won't play with Spamcop, hashes headers In-Reply-To: References: Message-ID: Lane Gray, Czar Castic wrote: > The person from the forum had it right. Redirect made the SC parser hack and cough, to wit: > SpamCop encountered errors while saving spam for processing: > SpamCop could not find your spam message in this email: Please stop posting spam here. You've already been told once that spam should not be posted to this newsgroup. As others have said, please post spam only in spamcop.spam and reference the spam here with the tracking URL. We all get enough spam of our own without having to weed through spam posts looking for legitimate information in a place where we're promised a spam free environment. Please note the "no spam" rule listed at http://www.spamcop.net/help.shtml From CGray2 at kc.rr.com Sun Jul 17 05:59:22 2005 From: CGray2 at kc.rr.com (Lane Gray, Czar Castic) Date: Sun Jul 17 06:00:16 2005 Subject: [SC-Help] Re: Opera won't play with Spamcop, hashes headers References: Message-ID: "Cat" wrote in message news:dbd3ti$gfd$1@news.spamcop.net... > Lane Gray, Czar Castic wrote: > > > > > The person from the forum had it right. Redirect made the SC parser hack and cough, to wit: > > SpamCop encountered errors while saving spam for processing: > > SpamCop could not find your spam message in this email: > > > > Please stop posting spam here. You've already been told once that spam > should not be posted to this newsgroup. As others have said, please post > spam only in spamcop.spam and reference the spam here with the tracking > URL. Sorry, I thought I'd trimmed everything but the relevant headers, but sent before I got that trimmed. I hardly use OE at all anymore, just haven't gotten around to adding this swerver to my Opera news accounts. -- Lane Gray Yes, I'm a minion of Satan, but my duties are largely ceremonial From MikeE at ster.invalid Sun Jul 17 04:00:21 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Jul 17 06:05:03 2005 Subject: [SC-Help] Re: Opera won't play with Spamcop, hashes headers References: Message-ID: Lane Gray, Czar Castic wrote: > "Mike Easter" >> I'm reading in the Opera ng/s^1 that redirect is /supposed to/ >> function as forward as attachment does in OE, but I'm reading an >> Opera person saying in the forums^2 that redirect doesn't work like >> that. >> >> Have you tried redirect? How about doing one of those and posting >> the tracker, even if it doesn't work so that we can find out if >> redirect is working like the person in the opera ng sez or like the >> forum person sez. >> "Then Redirect sounds like what you want. The message will keep the >> ole headers basically unchanged, and the receiver will see the >> message as sent from the spammer. >> "Redirect removes the headers and just pastes the body into a fresh >> email." > The person from the forum had it right. Redirect made the SC parser > hack and cough, to wit: The person from the forum didn't understand the whole picture with his simple statement; so he didn't have it right. This is being quite helpful for an understanding of your Opera's redirect function, but we are also causing problems here. I was hoping for a tracker. Unfortunately those headers also contain your submit address which should be kept a secret. The effect of the redirect is not the same as OE's forward as attachment, and it is also not what I expected to see. It is a very strange chimera of the original headers merged with a new set of headers. I'm posting a tracker for what you posted here, which would have been a better way to do it. http://www.spamcop.net/sc?id=z786829437z4165d4e9ee0021a7167d3ffc0b055002z > SpamCop encountered errors while saving spam for processing: > SpamCop could not find your spam message in this email: The tracker shows a merging of the headers of the original spam with the headers of your mail to SC, sorta like what would happen if your system [ie mailbox] were forwarding a mail to SC's submit address. Abbreviated Received lines *comment from (sc-smtp1.eq.ironport.com [192.168.18.81]) by sc-app3.eq.ironport.com from ms-smtp-01.rdc-kc.rr.com (24.94.166.115) by sc-smtp1.eq.ironport.com from stylgar (CPE-69-76-185-251.kc.res.rr.com [69.76.185.251]) by ms-smtp-01.rdc-kc.rr.com from 127.0.0.1 (AVG SMTP 7.0.323 [267.8.16]) *timestamp1 from zaq.ne.jp (zaq3d2e6475.zaq.ne.jp [61.46.100.117]) by lamx02.mgw.rr.com *timestamp2 So SC can't tell where the headers in your mail to the submit address stop and the headers which were originally those of the spam begin. Because I'm a human and not an algorithm, I can see that the source of the original item was 61.46.100.117 rDNS zaq3d2e6475.zaq.ne.jp which is SC blocklisted. The Received tracelines are 'broken' in the next to the last line above, or #4 down in a 5 line set. The top 3 are from you to SC, the 5th was the only one in the original spam. > Nope. "C" to put the whole thing in the clipboard, pasted into a new > email with linewrapping turned off seems the only way to go. Only is a strong word; I would choose 'best' for an immediate solution. I'm surprised at this result. I expect that one could configure a mailhost to accomodate this strange behavior of this Opera. It would seem that a mailhost might 'train' SC to accept/ignore the line marked '*timestamp1' above as part of a mailhost configuration so that it could get past it to the next line. That line is broken in that it is a non-compliant Received traceline and doesn't have a 'by' field -- causing SC to break the chain right there to name your own IP. Back to the problem of exposing your submit address which is supposed to remain a secret as it is to be only used by you. It is possible for an evildoer who wanted to cause you trouble to submit 'bad' reports under your submit address, and when discovered it could cause you to lose your SC privileges. It would be better to keep your submit address a secret -- once a secret is out, you should get rid of the old submit address and get a new one. You would do that by using the same form where you signed up http://www.spamcop.net/anonsignup.shtml if you are free "This is a free SpamCop account. You may re-run this free authorization whenever you need to. If you do, any previous authorization information associated with your email address will be deleted." If you are not free, you handle the problem of getting a new submit address a little differently I think. -- Mike Easter kibitzer, not SC admin From CGray2 at kc.rr.com Sun Jul 17 06:02:19 2005 From: CGray2 at kc.rr.com (Lane Gray, Czar Castic) Date: Sun Jul 17 06:05:09 2005 Subject: [SC-Help] Re: OT Re: Opera won't play with Spamcop, hashes headers References: Message-ID: "J G" wrote in message news:dbcrvf$cb2$1@news.spamcop.net... > On 7/16/2005 8:22 PM Lane Gray, Czar Castic scribbled: > > > Hey, I play a pedal steel guitar, too; I've grown used to > > traveling in small company. > > > > lets see - Duane Allman, Dickey Betts, Ry Cooder, George Harrison, Hound > Dog James, Bonnie Raitt, Jeff Beck, Muddy Waters, Taj Mahal, and did we > mention Eric Clapton? > small company indeed - then there's Jerry Garcia... Jerry played one, I don't think any of those others did, except perhaps Taj. Remember, I'm talking about the double-barrelled buffet table (that you sit behind to play, like Robert Randolph), not the metal-bodied slide guitar. Oh, and you failed to mention both Alex Lifeson and Steve Howe. ISTR that when the Allman Brothers used a steel, they brought in Dan Dugmore. -- Lane Gray Yes, I'm a minion of Satan, but my duties are largely ceremonial From MikeE at ster.invalid Sun Jul 17 04:20:07 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Jul 17 06:25:03 2005 Subject: [SC-Help] Re: Opera won't play with Spamcop, hashes headers References: Message-ID: Lane Gray, Czar Castic wrote: > "Cat" >> Please stop posting spam here. That's probably more my fault than Lane's. I'm trying to see what Opera's redirect does. I was expecting a tracker. > Sorry, I thought I'd trimmed everything but the relevant headers, but > sent before > I got that trimmed. Now I'm confused about whether or how you altered what you posted here. The concept is that a tracker is best for everything. If you want to post anything it can generally be submitted to the parser and a tracking URL obtained, even if there isn't an appropriate report, because any item can be cancelled rather than reported. When there weren't such wonderful trackers, spams were posted in spamcop.spam because there's not supposed to be any spam posted in the discussion groups spamcop.help or spamcop -- and there's not supposed to be discussion in spamcop.spam -- so you have to post in spamcop.spam and discuss here. It is awkward and inferior to a tracker because of the problem with the aforementioned linewraps induced by the newsreader. -- Mike Easter kibitzer, not SC admin From CGray2 at kc.rr.com Sun Jul 17 07:12:24 2005 From: CGray2 at kc.rr.com (Lane Gray, Czar Castic) Date: Sun Jul 17 07:15:03 2005 Subject: [SC-Help] Re: Opera won't play with Spamcop, hashes headers References: Message-ID: Mike Easter" wrote in message news:dbda7k$jd1$1@news.spamcop.net... > Lane Gray, Czar Castic wrote: > > "Mike Easter" > > > This is being quite helpful for an understanding of your Opera's > redirect function, but we are also causing problems here. I was hoping > for a tracker. Unfortunately those headers also contain your submit > address which should be kept a secret. > Oops. I only saw it the once, which I munged. I didn't see the other two instances. I've gotten a new one. > The effect of the redirect is not the same as OE's forward as > attachment, and it is also not what I expected to see. It is a very > strange chimera of the original headers merged with a new set of > headers. > > I'm posting a tracker for what you posted here, which would have been a > better way to do it. > > http://www.spamcop.net/sc?id=z786829437z4165d4e9ee0021a7167d3ffc0b055002z > > > So SC can't tell where the headers in your mail to the submit address > stop and the headers which were originally those of the spam begin. > > Because I'm a human and not an algorithm, I can see that the source of > the original item was 61.46.100.117 rDNS zaq3d2e6475.zaq.ne.jp which is > SC blocklisted. > I'm thinking more and more of getting the spamcop address. roadrunner's RBLs, if they exist, seem horridly inadequate. Although better than AOL's (we still have an AOL account, too many people didn't switch to the new address when we got roadrunner five years ago, so our rental property biz needs the AOL. > Back to the problem of exposing your submit address which is supposed to > remain a secret as it is to be only used by you. It is possible for an > evildoer who wanted to cause you trouble to submit 'bad' reports under > your submit address, and when discovered it could cause you to lose your > SC privileges. It would be better to keep your submit address a > secret -- once a secret is out, you should get rid of the old submit > address and get a new one. You would do that by using the same form > where you signed up http://www.spamcop.net/anonsignup.shtml if you > are free "This is a free SpamCop account. You may re-run this free > authorization whenever you need to. If you do, any previous > authorization information associated with your email address will be > deleted." > > If you are not free, you handle the problem of getting a new submit > address a little differently I think. > Thanks, and done. From CGray2 at kc.rr.com Sun Jul 17 07:12:32 2005 From: CGray2 at kc.rr.com (Lane Gray, Czar Castic) Date: Sun Jul 17 07:15:11 2005 Subject: [SC-Help] Re: Opera won't play with Spamcop, hashes headers References: Message-ID: Mike Easter wrote: > Lane Gray, Czar Castic wrote: > > "Cat" > > >> Please stop posting spam here. > > That's probably more my fault than Lane's. I'm trying to see what > Opera's redirect does. I was expecting a tracker. > It wouldn't give me one, it just told me it couldn't track it. Which accounts for what I'd sent. > > Sorry, I thought I'd trimmed everything but the relevant headers, but > > sent before > > I got that trimmed. > > Now I'm confused about whether or how you altered what you posted here. > I'd meant to snip the body, not the header. Only I'd forgotten to do that. So I didn't alter it, save for mangling the web address of the spamvert. I'd then meant to just chuck it and send headers only. > The concept is that a tracker is best for everything. If you want to > post anything it can generally be submitted to the parser and a tracking > URL obtained, even if there isn't an appropriate report, because any > item can be cancelled rather than reported. > Apparently, if it can't find the spam, it just sends a message back saying "you don't get a tracker, I can't see the beef." -- Lane Gray Yes, I'm a minion of Satan, but my duties are largely ceremonial From MikeE at ster.invalid Sun Jul 17 05:28:18 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Jul 17 07:30:03 2005 Subject: [SC-Help] Re: Opera won't play with Spamcop, hashes headers References: Message-ID: Mike Easter wrote: >>> I'm reading in the Opera ng/s^1 that redirect is /supposed to/ >>> function as forward as attachment does in OE, but I'm reading an >>> Opera person saying in the forums^2 that redirect doesn't work like >>> that. It definitely doesn't function like OE's forward as attachment. >>> "Then Redirect sounds like what you want. The message will keep the >>> ole headers basically unchanged, and the receiver will see the >>> message as sent from the spammer. Here's how redirect is described at opera: Redirecting a message In addition to forwarding and replying to messages, you can also redirect them. When redirecting a message, certain message headers (Resent-To, Resent-From, Resent-Date, and Resent-Message-ID) are used to specify the message redirector, while the original sender, date, and message-id headers are maintained. In other words, a message appears as if it is coming from the original sender, though it is still possible to establish that it was actually sent by a third-party. When redirecting a message, Opera inserts the original message body, but does not quote it. http://www.opera.com/support/tutorials/mail/send/index.dml >>> "Redirect removes the headers and just pastes the body into a fresh >>> email." Definitely not. > This is being quite helpful for an understanding of your Opera's > redirect function, There are still somethings I don't understand about redirect. Among other things, I'm curious about whether or not one could select a 'bunch' of mailitems and redirect the entire lot of them. Probably not. > The tracker shows a merging of the headers of the original spam with > the headers of your mail to SC, sorta like what would happen if your > system [ie mailbox] were forwarding a mail to SC's submit address. > So SC can't tell where the headers in your mail to the submit address > stop and the headers which were originally those of the spam begin. > I expect that one could configure a mailhost to accomodate this > strange behavior of this Opera. I'm trying to look beyond this 'simple' issue of pasting a single spam into a mail with the 'C' function. If I were doing a bunch of spams with Opera, I could open several iterations of the webparser and be pasting, moving to the next parser, pasting, moving to the next parser, pasting, going back to the first parser and reporting, pasting there, going to the 2nd parser and reporting, pasting there, and so on. If SC can deal with one spam obtained by C in the body of a submit mail, can it handle a 'string' of them without the proper MIME structure for attachments? I'm surprised it tolerates the inline condition as you've described your pasting into the submit mail, because when OE forwards as attachment, there is a structure there which is between the headers of the mail to spamcop and the headers of the spam. When you do it inline, there's just going to be an empty line. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sun Jul 17 05:44:34 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Jul 17 07:45:02 2005 Subject: [SC-Help] Re: Opera won't play with Spamcop, hashes headers References: Message-ID: Lane Gray, Czar Castic wrote: > I'm thinking more and more of getting the spamcop address. > roadrunner's RBLs, if they exist, seem horridly inadequate. Correct. I was RR. What I didn't like about RR's spam and virus system were several things. Most importantly, I couldn't turn it off. Next most importantly, I couldn't really configure it to my choosing. I can't recall if I could access its trapped spam or not. When you can't control the filter well, it is going to miss spam and it might also be 'losing' goodmail. At that time, RR was subscribing to MAPS RBL+ and then adding its own custom filters based on security tactics. I'm currently EL. While there are many faults to the EL system, it is quite configurable. My main configuration is off and I use spampal. If I weren't using a filter like SP's for filter/tagging spam, I would want a configurable filtertagging system like SC's. An advantage to having a SC mail account would be the quality of the configurable filtering and the ease of reporting what has been held. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sun Jul 17 05:50:11 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Jul 17 07:55:02 2005 Subject: [SC-Help] Re: Opera won't play with Spamcop, hashes headers References: Message-ID: Lane Gray, Czar Castic wrote: > Mike Easter wrote: >> Now I'm confused about whether or how you altered what you posted >> here. >> > I'd meant to snip the body, not the header. Only I'd forgotten to do > that. > So I didn't alter it, save for mangling the web address of the > spamvert. Got it. > Apparently, if it can't find the spam, it just sends a message back > saying "you don't > get a tracker, I can't see the beef." Heh. Yes. As you saw me do, 'anything' that is mail, including what SC sent you in its mail, is parseable. You could actually have parsed the /entire/ message from spamcop to you [cancelling the report of course] which would contain 'inside' what you posted here. Then, when accessing that tracker, I would 'view entire message' and find inside what SC had received from the redirected submit. -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Sun Jul 17 12:42:39 2005 From: nobody at devnull.spamcop.net (Pop) Date: Sun Jul 17 11:45:03 2005 Subject: [SC-Help] OT side comment Re: Opera won't play with Spamcop, hashes headers References: Message-ID: ... > ..., the newsagent introduces linewraps into it > which have to be removed before putting it into the > parser. That is one > of many reasons I would rather work with trackers > than newsgroup posted > spam. > > -- > Mike Easter > kibitzer, not SC admin > > I know you didn't have me in mind, but ... finally, I have an understandable description of when to (or not) post a full spam over in .spam. I've often wondered, even looked for the info without success. Thanks! Pop --- Long-time lurking newbie, still pretty ignorant but ... From MikeE at ster.invalid Sun Jul 17 11:23:43 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Jul 17 13:25:07 2005 Subject: [SC-Help] Re: OT side comment Re: Opera won't play with Spamcop, hashes headers References: Message-ID: Pop wrote: >> ..., the newsagent introduces linewraps into it >> which have to be removed before putting it into the >> parser. That is one >> of many reasons I would rather work with trackers >> than newsgroup posted >> spam. > I know you didn't have me in mind, but ... finally, I > have an understandable description of when to (or not) > post a full spam over in .spam. I've often wondered, > even looked for the info without success. The introduction of the wraps by the newsagent is especially bad in trying to communicate things about a spam and especially of spamcop's parsing of it because the 'experimenter' like me has to manually remove the wraps. The problem, besides the 'minor' inconvenience of having to do that by hand, is that you/I can't tell the difference between some 'spurious' or confounding linewraps which were in the original spam as received and can cause parsing trouble somewhere, and the 'known' spurious and confounding linewraps which were introduced by the linewrapping newsagent. Was this particular linewrap in there before? or was it added by the newsagent? Linewraps in the body of the spam in the html might cause problems with resolving something. They definitely cause problems when they wrap b64 or uuencoded graphics lines; eg if a person wanted to look at a .gif to sleuth out something about a spam contained in the graphic. The removal of some/many extra added linewraps is a huge pain. Most of the time the presumption is that the only thing that matters is the impact on the wrapping of the Received tracelines, but the problem often goes far beyond that. That's one of the reasons some of us were experimenting with using .eml and .txt attachments in .spam, so as to be able to post a spam in that newsgroup without causing any wrapping or introduction of new linewraps which weren't present in the original. The problem we ran into was that the performance of the various newsagents was different, especially when we were crossing operating system lines. If one were going to post an 'advisory' on posting spams into .spam by attachment, it would have to have several different 'branches' -- just like the advisories on getting full headers or submitting things to the webparser vs email with different agents. The simplest rule is to 'always' use a tracker, even when it seems like you can't easily do it. In the case of this issue we're talking about, a very useful strategy would have been to parser submit the 'reply' that the spamcop responder gave when it couldn't parse the item which was redirected and then to cancel the report. That way 'we' would be able to see what the responder received that it responded to which didn't provide a tracker because the received item is returned 'inside' the response which doesn't have a tracker. -- Mike Easter kibitzer, not SC admin From spam_hjp at yahoo.com Sun Jul 17 18:59:06 2005 From: spam_hjp at yahoo.com (Jim) Date: Sun Jul 17 18:00:03 2005 Subject: [SC-Help] Reporting problem Message-ID: I noticed today I was not getting emails back from SC after submitting spam as a single group using Thunderbird so I did the following test. I had 4 spam's. I submitted the 4 as a single group (1 attachment) and then submitted each spam separately. I have received the single submittals email back from SC telling me spam was ready to process. It has been over an hour since I got the emails back for the single submittals but I have gotten nothing for all the group submittals today. I have no problems submitting spam from spamcop.net I do not recall making any changes that would cause this. Jim From nobody at devnull.spamcop.net Sun Jul 17 20:21:14 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Sun Jul 17 20:25:03 2005 Subject: [SC-Help] Re: Reporting problem References: Message-ID: "Jim" wrote in message news:dbekbg$976$1@news.spamcop.net... > I noticed today I was not getting emails back from SC after submitting spam as a single group > using Thunderbird so I did the following test. > > I had 4 spam's. > > I submitted the 4 as a single group (1 attachment) and then submitted each spam separately. > > I have received the single submittals email back from SC telling me spam was ready to process. > > It has been over an hour since I got the emails back for the single submittals but I have gotten > nothing for all the group submittals today. Emailed Spam Submissions Disappearing? No Confirmation e-mails? http://forum.spamcop.net/forums/index.php?showtopic=1848 From spam_hjp at yahoo.com Sun Jul 17 22:01:11 2005 From: spam_hjp at yahoo.com (Jim) Date: Sun Jul 17 21:05:05 2005 Subject: [SC-Help] Re: Reporting problem In-Reply-To: References: Message-ID: WazoO wrote: > "Jim" wrote in message > news:dbekbg$976$1@news.spamcop.net... > >>I noticed today I was not getting emails back from SC after submitting > > spam as a single group > >>using Thunderbird so I did the following test. >> >>I had 4 spam's. >> >>I submitted the 4 as a single group (1 attachment) and then submitted each > > spam separately. > >>I have received the single submittals email back from SC telling me spam > > was ready to process. > >>It has been over an hour since I got the emails back for the single > > submittals but I have gotten > >>nothing for all the group submittals today. > > > Emailed Spam Submissions Disappearing? No Confirmation e-mails? > http://forum.spamcop.net/forums/index.php?showtopic=1848 > > I don,t see my problem listed in forum. It work yesterday with multiple spams in one attachment. Today it does not. Besides not getting the email the spam is never available at spamcop.net to report. If I submit attachment with 1 spam it works. I get the email and it is available at spamcop.net if I do not want to use the link in the email. From spam_hjp at yahoo.com Mon Jul 18 08:51:51 2005 From: spam_hjp at yahoo.com (Jim) Date: Mon Jul 18 07:55:02 2005 Subject: [SC-Help] Reporting problem (found problem) Message-ID: Jim wrote: > I noticed today I was not getting emails back from SC after submitting spam as a single group using Thunderbird so I did the following test. > > > > I had 4 spam's. > > I submitted the 4 as a single group (1 attachment) and then submitted each spam separately. > > I have received the single submittals email back from SC telling me spam was ready to process. > > It has been over an hour since I got the emails back for the single submittals but I have gotten nothing for all the group submittals today. > > I have no problems submitting spam from spamcop.net > > > I do not recall making any changes that would cause this. > > > Jim > The problem is with Comcast (my ISP) I tried sending myself an email with 2 email attachments and I did not get it. I sent another email with 2 jpg attachments and I got it. Thanks all Jim From kenbrody at spamcop.net Mon Jul 18 11:55:18 2005 From: kenbrody at spamcop.net (Kenneth Brody) Date: Mon Jul 18 11:30:04 2005 Subject: [SC-Help] Re: Reporting problem (found problem) References: Message-ID: <42DBC2D6.E40FDBF5@spamcop.net> Jim wrote: [...] > The problem is with Comcast (my ISP) > > I tried sending myself an email with 2 email attachments and I did not get it. > > I sent another email with 2 jpg attachments and I got it. They're probably "helping" you by detecting that you're trying to send spam, and silently throwing them away. -- +-------------------------+--------------------+-----------------------------+ | Kenneth J. Brody | www.hvcomputer.com | | | kenbrody/at\spamcop.net | www.fptech.com | #include | +-------------------------+--------------------+-----------------------------+ Don't e-mail me at: From news at REMOVECAPSalanharper.com Mon Jul 18 09:25:16 2005 From: news at REMOVECAPSalanharper.com (Alan Harper) Date: Mon Jul 18 11:30:10 2005 Subject: [SC-Help] Why is email from KR and CN getting through? Message-ID: <180720050825164528%news@REMOVECAPSalanharper.com> I have my blacklists in my spamcop options set to every DNS blacklist except SPEWS and SORBS.? So my blacklists include "South Korea (the country) = korea.services.net" and "China (the country) = cn.rbl.cluecentral.net". This AM I found that I was getting spam that appears to be coming from these countries. Some examples: http://www.spamcop.net/mcgi?action=gettrack&reportid=1470760887 from 222.118.168.163 which is in Korea: http://www.senderbase.org/search?searchString=222.118.168.163 . http://www.spamcop.net/mcgi?action=gettrack&reportid=1470760704 from 222.139.66.85 which may be in China (reports sent to abuse@chinanet.cn.net). http://www.spamcop.net/mcgi?action=gettrack&reportid=1470760476 from 61.149.217.69 which is in China: http://www.senderbase.org/search?searchString=61.149.217.69 . and many others. Is something broken, will it get fixed? On a related point, it sure would be nice if Spamcop had an option to block all mail from APNIC. A ? (I can't remember why, but I found that these two lists were blocking unacceptable--to me--quantities of legitimate email, so I turned them off). From nobody at devnull.spamcop.net Mon Jul 18 12:44:34 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Mon Jul 18 12:45:02 2005 Subject: [SC-Help] Re: Reporting problem References: Message-ID: "Jim" wrote in message news:dbev0t$f4l$1@news.spamcop.net... > WazoO wrote: > > > > Emailed Spam Submissions Disappearing? No Confirmation e-mails? > > http://forum.spamcop.net/forums/index.php?showtopic=1848 > > > I don,t see my problem listed in forum. It work yesterday with multiple spams in one > attachment. Today it does not. Besides not getting the email the spam is never available at > spamcop.net to report. > > If I submit attachment with 1 spam it works. I get the email and it is available at spamcop.net > if I do not want to use the link in the email. OK, that's what I get for trying to pinpoint a single item rather than pointing to the FAQ and allowing the view of the whole list .. based on your next post, then the answer you seek was just recently discussed (why I didn't include that link) .. but as you looked no further also, try "E-Mail spam submittals blocked by your ISP" http://forum.spamcop.net/forums/index.php?showtopic=2782 Both and more found under the "Parsing Problems / Issues" portion of the SpamCop Parsing and Reporting Service portion of the (Forum) FAQ From viper at venomx.com Wed Jul 20 04:46:44 2005 From: viper at venomx.com (Viper) Date: Wed Jul 20 03:50:10 2005 Subject: [SC-Help] Yahoo redirects Message-ID: Anyway Spamcop can be set up so it strips off the Yahoo redirects from spammed URLs? From mcwebber at my-deja.com Wed Jul 20 11:03:09 2005 From: mcwebber at my-deja.com (McWebber) Date: Wed Jul 20 10:05:05 2005 Subject: [SC-Help] Re: Yahoo redirects References: Message-ID: "Viper" wrote in message news:dbkvh7$lko$1@news.spamcop.net... > Anyway Spamcop can be set up so it strips off the Yahoo redirects from > spammed URLs? > > Why just Yahoo? From glnews030922 at highspot.net Wed Jul 20 23:36:02 2005 From: glnews030922 at highspot.net (Graeme Leith) Date: Wed Jul 20 17:40:19 2005 Subject: [SC-Help] Re: SC wrongly detects spammer address In-Reply-To: References: Message-ID: SPG wrote: > I got this spam: > http://www.spamcop.net/sc?id=z788095883z6381708b04f1e2541630e84c7cf63dcbz > > SC wrongly detects spammer's address. > Why SC detects my mailbox provider (POLBOX) as spamer ??? On the Spamcop web site, click the mailhosts tab at the top of the page and go through the setup procedure. Once this is done, the problem should go away. [Crossposted and followups to spamcop.help] -- Evidence shows Cyveillance abuse internet resources. I recommend unchecking their box in SpamCop reports. Cyveillance are part of the problem. They are not part of the solution. From MikeE at ster.invalid Wed Jul 20 16:27:38 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jul 20 18:30:03 2005 Subject: [SC-Help] Re: SC wrongly detects spammer address References: Message-ID: Graeme Leith wrote: > SPG wrote: >> I got this spam: >> http://www.spamcop.net/sc?id=z788095883z6381708b04f1e2541630e84c7cf63dcbz >> >> SC wrongly detects spammer's address. > >> Why SC detects my mailbox provider (POLBOX) as spamer ??? > > On the Spamcop web site, click the mailhosts tab at the top of the > page and go through the setup procedure. Once this is done, the > problem should go away. For SPG, not really Graeme. Abbreviated Received lines *comment from [213.241.68.194] (helo=noe.katowice.mtl.pl) by free.polbox.*serves you from (ntmygi058237.mygi.nt.ftth.ppp.infoweb.ne.jp [61.124.74.237]) by noe.katowice.mtl.pl *sourceline from IAMRK-AG02 (61.124.74.237) by 61.124.74.237 *bogusline Absent a mailhost configuration, SC has to figure out how to chain each upper 'from' field IP to the lower 'by' field domain/hostname. If you examine the verbose of the tracker, you can watch that process if you are accustomed to its order. 213.241.68.194 rDNS arka.katowice.mtl.pl [which is not /exactly/ noe.katowice.mtl.pl] and also noe.katowice.mtl.pl from the 'by' has cname katowice.mtl.pl and alias noe.katowice.mtl.pl and DNS 213.241.68.194 As a result, SC recognizes the IP and the host/domainname as MX, so that part is 'good' but it isn't *familiar* with the server/relay/MTA [in this case MX] yet. Until it is satisfied to 'trust' the IP to be a server which matches with the host/domainname in the 'by' below, it has to break the chain. With time and 'maturity', SC /should/ be able to recognize the server as a server and trust it to be a relaying server -- even if you don't configure to mailhost. The wiser strategy would be to configure for mailhosting, because there may be a variety of header configurations which can emerge from your providers MXes and MTAs, and this is possibly only one variety. -- Mike Easter kibitzer, not SC admin From viper at venomx.com Thu Jul 21 00:30:57 2005 From: viper at venomx.com (Viper) Date: Wed Jul 20 23:30:02 2005 Subject: [SC-Help] Re: Yahoo redirects References: Message-ID: McWebber wrote: > "Viper" wrote in message > news:dbkvh7$lko$1@news.spamcop.net... >> Anyway Spamcop can be set up so it strips off the Yahoo redirects >> from spammed URLs? >> >> > > Why just Yahoo? Well I only asked about Yahoo because thats what I seem to be getting now. From duncanObfsucation at punk.net Thu Jul 21 04:35:31 2005 From: duncanObfsucation at punk.net (D. Campbell (remove obfuscation)) Date: Thu Jul 21 06:50:15 2005 Subject: [SC-Help] Re: Reporting problem (found problem: COMCAST) References: Message-ID: "Jim" wrote: > Jim wrote: > > > I noticed today I was not getting emails back from SC after submitting spam as a single group > using Thunderbird so I did the following test. > > [steps snipped] > > The problem is with Comcast (my ISP) > I tried sending myself an email with 2 email attachments and I did not get it. > I sent another email with 2 jpg attachments and I got it. > > Thanks all > Jim Hi, Jim. I noticed the same thing today. Seems all my submissions since July 4th have been eaten by the comcast mailserver. Fortunately the outgoing filtering seems to be on their server and not at the router. I set OE to use one of the spamcop MXs as its smtp server for an OE "Account" and a submission from that user got through. COMCAST does seem to be blocking SMB and lp at the router. Fast. Flakey (2% packet loss). Costly ($60/mo). Rude. I'll try again with my other mail-handling ISPs tomorrow. d. From spam_hjp at yahoo.com Thu Jul 21 08:21:55 2005 From: spam_hjp at yahoo.com (Jim) Date: Thu Jul 21 07:25:03 2005 Subject: [SC-Help] Re: Reporting problem (found problem: COMCAST) In-Reply-To: References: Message-ID: > > Hi, Jim. > > I noticed the same thing today. Seems all my submissions > since July 4th have been eaten by the comcast mailserver. > > Fortunately the outgoing filtering seems to be on their > server and not at the router. I set OE to use one of the > spamcop MXs as its smtp server for an OE "Account" and a > submission from that user got through. > > COMCAST does seem to be blocking SMB and lp at the router. > > Fast. Flakey (2% packet loss). Costly ($60/mo). Rude. > > I'll try again with my other mail-handling ISPs tomorrow. > > d. > > I had about 12 emails from/to comcast about them blocking outgoing emails determined to be spam. They kept saying they do not block outgoing email. On one of their last emails they had me go to Comcast Web Mail and submit the spam. It was even blocked there. They kept asking me to go to online chat to try to solve the problem. In frustration I just gave up. Another problem in dealing with Comcast by email is that you do not get a service number so every email is handle by a different person. It also made no difference if the spam was in the body of the email or as an attachment, it was still block. From dwallace72 at comcast.net Fri Jul 22 14:05:59 2005 From: dwallace72 at comcast.net (Wallace, David K.) Date: Fri Jul 22 13:10:03 2005 Subject: [SC-Help] Listed on the blacklist and can't find out why Message-ID: Over the last 2 days, our company's domain has been listed on SpamCop's black list. We have been given the following reason: a.. System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop) Based on your definition of "Spam Traps", I'm going to make the following assumption: This means if a company subscribes to SpamCop's service, they create fictitious email addresses (example: bobby@companyabc.com); Then, if any emails get sent to bobby@companyabc.com, they are making the assumption that these emails are spam emails, and will put the originating email domain in their black list. My questions are: 1. Do you do it by Domain Name or MX Record? (meaning, I don't want to get black listed if someone is spoofing our name) 2. How do we find out what email address or domain you are referring to? If this is an accidental error by a user who has misspelled a users address, how can I stop it unless I know what is being done wrong? I feel like I'm looking for a ghost, because I know mass emails are not being sent out from my company, but I have nothing else to search for to find the root cause of the issue. Please help... From MikeE at ster.invalid Fri Jul 22 11:33:08 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri Jul 22 13:35:02 2005 Subject: [SC-Help] Re: Listed on the blacklist and can't find out why References: Message-ID: "Wallace, David K." wrote in message news:dbr91n$kod$1@news.spamcop.net > Over the last 2 days, our company's domain has been listed on > SpamCop's black list. We have been given the following reason: > a.. System has sent mail to SpamCop spam traps in the past week (spam > traps are secret, no reports or evidence are provided by SpamCop) There were additional sub-links from the route you got to that information you pasted which talks about some of the reasons a server might be hitting spamtraps. You should read that. > Based on your definition of "Spam Traps", I'm going to make the > following assumption: Don't make any assumptions about spamcop spamtraps except that they are email addresses which have never been used and therefore there is no way that they could have ever subscribed to anything and so therefore the only 'lists' they would be on would be spammerlists. Even if I don't know anything about spamcop's spamtraps, the assumption you posted is not correct. > 2. How do we find out what email address or domain you are referring > to? If this is an accidental error by a user who has misspelled a > users address, how can I stop it unless I know what is being done > wrong? When you were headed toward the words you pasted above, you most likely passed by the links on this page http://www.spamcop.net/bl.shtml SpamCop Blocking List Details -- with links to this page http://www.spamcop.net/fom-serve/cache/75.html Help for abuse-desks and administrators -- which has links to such information as http://www.spamcop.net/fom-serve/cache/329.html Why are auto responders bad? -- which is one cause of hitting spamtraps. > I feel like I'm looking for a ghost, because I know mass emails are > not being sent out from my company, but I have nothing else to search > for to find the root cause of the issue. -- Mike Easter kibitzer, not SC admin From duncanObfsucation at punk.net Fri Jul 22 12:33:55 2005 From: duncanObfsucation at punk.net (D. Campbell (remove obfuscation)) Date: Fri Jul 22 14:35:03 2005 Subject: [SC-Help] Re: Reporting problem (found problem: COMCAST) References: Message-ID: "Jim" wrote:. > (quoting me) > > > > Hi, Jim. > > > > I noticed the same thing today. Seems all my submissions > > since July 4th have been eaten by the comcast mailserver. > > > > Fortunately the outgoing filtering seems to be on their > > server and not at the router. I set OE to use one of the > > spamcop MXs as its smtp server for an OE "Account" and a > > submission from that user got through. > > > > Fast. Flakey (2% packet loss). Costly ($60/mo). Rude. > > > > I'll try again with my other mail-handling ISPs tomorrow. > > > > d. > > > > > I had about 12 emails from/to comcast about them blocking outgoing emails determined to be spam. > They kept saying they do not block outgoing email. On one of their last emails they had me > go to Comcast Web Mail and submit the spam. It was even blocked there. They kept asking me to > go to online chat to try to solve the problem. In frustration I just gave up. Another problem > in dealing with Comcast by email is that you do not get a service number so every email is > handle by a different person. > > It also made no difference if the spam was in the body of the email or as an attachment, it was > still block. I repeated your test and found I was able to forward either one or two *CLEAN* email attachments through the comcast mailserver with no trouble. If I forward a message known to contain a virus, though, nothing comes through. The message isn't rejected on submission and doesn't generate any error message but is silently killed. Comcast accepts mail submissions from its customers with no authentication beyond the IP. My other mail-handling ISP, geekisp (www.geekisp.net) does forward the messages, even if spammy or infected, after renaming the infected attachment and prepending a virus notification on the subject line. GeekISP requires encryption and authentication and supports IMAP. I really like 'em. duncan. From spam_hjp at yahoo.com Fri Jul 22 15:45:28 2005 From: spam_hjp at yahoo.com (Jim) Date: Fri Jul 22 14:50:02 2005 Subject: [SC-Help] Re: Reporting problem (found problem: COMCAST) In-Reply-To: References: Message-ID: > > I repeated your test and found I was able to forward > either one or two *CLEAN* email attachments through > the comcast mailserver with no trouble. > > If I forward a message known to contain a virus, though, > nothing comes through. The message isn't rejected on > submission and doesn't generate any error message but > is silently killed. > > Comcast accepts mail submissions from its customers with > no authentication beyond the IP. > > > My other mail-handling ISP, geekisp (www.geekisp.net) > does forward the messages, even if spammy or infected, > after renaming the infected attachment and prepending > a virus notification on the subject line. > > GeekISP requires encryption and authentication and > supports IMAP. I really like 'em. > > duncan. > > I found a small smtp server that allows me to email spam report to SC. It works for both OE and Thunderbird. I only had to make 1 change in Thunderbird. I thinking Comcast might bitch but until then. From nobody at spamcop.net Fri Jul 22 12:57:31 2005 From: nobody at spamcop.net (N. Miller) Date: Fri Jul 22 15:00:03 2005 Subject: [SC-Help] Re: Listed on the blacklist and can't find out why References: Message-ID: On Fri, 22 Jul 2005 13:05:59 -0400, Wallace, David K. wrote: > My questions are: > 1. Do you do it by Domain Name or MX Record? (meaning, I don't want to get > black listed if someone is spoofing our name) Neither. As I understand things. The list is based solely on IP addresses from which spam was sent. > 2. How do we find out what email address or domain you are referring to? If > this is an accidental error by a user who has misspelled a users address, > how can I stop it unless I know what is being done wrong? Email addresses are not the basis of blocking; they are way too easily forged. -- Norman ~Shine, bright morning light, ~now in the air the spring is coming. ~Sweet, blowing wind, ~singing down the hills and valleys. From wb8tyw at qsl.network Fri Jul 22 23:51:17 2005 From: wb8tyw at qsl.network (John E. Malmberg) Date: Fri Jul 22 22:55:03 2005 Subject: [SC-Help] Re: Listed on the blacklist and can't find out why In-Reply-To: References: Message-ID: Wallace, David K. wrote: > Over the last 2 days, our company's domain has been listed on SpamCop's > black list. We have been given the following reason: > a.. System has sent mail to SpamCop spam traps in the past week (spam traps > are secret, no reports or evidence are provided by SpamCop) > > Based on your definition of "Spam Traps", I'm going to make the following > assumption: > This means if a company subscribes to SpamCop's service, they create > fictitious email addresses (example: bobby@companyabc.com); Then, if any > emails get sent to bobby@companyabc.com, they are making the assumption that > these emails are spam emails, and will put the originating email domain in > their black list. Totally incorrect assumption. > My questions are: > 1. Do you do it by Domain Name or MX Record? (meaning, I don't want to get > black listed if someone is spoofing our name) Neither. > 2. How do we find out what email address or domain you are referring to? If > this is an accidental error by a user who has misspelled a users address, > how can I stop it unless I know what is being done wrong? Post the I.P. address that you think is listed. Spamcop.net only deals with the I.P. address that delivered the spam to the spamtrap. > I feel like I'm looking for a ghost, because I know mass emails are not > being sent out from my company, but I have nothing else to search for to > find the root cause of the issue. Many people have made that claim and discovered that they were wrong. If you have any security hole on your network, spammers will use it to send out spam. The other issue is auto-responders that automatically send a new message back to the forged addresses in viruses or spam. If you have any thing that does that, spammers and especially viruses will use your mail server as part of a denial of service attack against others. -John wb8tyw@qsl.network Personal Opinion Only From bhetrick at notinnedmeats.iname.com Sat Jul 23 21:55:19 2005 From: bhetrick at notinnedmeats.iname.com (Brian Hetrick) Date: Sat Jul 23 21:00:04 2005 Subject: [SC-Help] Re: Reporting problem (found problem: COMCAST) References: Message-ID: "D. Campbell (remove obfuscation)" wrote ... > I noticed the same thing today. Seems all my submissions > since July 4th have been eaten by the comcast mailserver. > > Fortunately the outgoing filtering seems to be on their > server and not at the router. I set OE to use one of the > spamcop MXs as its smtp server for an OE "Account" and a > submission from that user got through. Thank you. That -- going "direct to MX" on SpamCop submissions -- was a brilliant idea. My usual mail host cans any mail with a .eml at- tachment (as "there are viruses that do that"), and I was getting about a 50% loss rate going through Comcast's mailer. Now, forwarding the spam to the FTC is still a problem, but I suppose I can do direct to MX there, as well. From bhetrick at notinnedmeats.iname.com Sun Jul 24 12:16:20 2005 From: bhetrick at notinnedmeats.iname.com (Brian Hetrick) Date: Sun Jul 24 11:20:04 2005 Subject: [SC-Help] Re: Reporting problem (found problem: COMCAST) References: Message-ID: "Blammo" wrote ... > So why do you put up with stupid mail hosts and ISPs? For the same reason I put up with SpamCop needing _two_ clicks to process a spam, when a single confirm this one/process next one button would do. From gilleng at sbox.tugraz.at Mon Jul 25 08:17:39 2005 From: gilleng at sbox.tugraz.at (Gasti Gillen) Date: Mon Jul 25 01:20:03 2005 Subject: [SC-Help] seeking for range query Message-ID: I am not to sure if this is the right ng for his posting. If not, please notify me where to post it. I have the following request: I am looking for a free tool or web site which I can use to make a whole range query (e.g. 143.50.*.*) to find out which of the addresses in my B-Class net are listed on the common worldwide lists. with kind regards, Gasti Gillen University of Graz in Austria From MikeE at ster.invalid Mon Jul 25 06:54:39 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon Jul 25 08:55:03 2005 Subject: [SC-Help] Re: seeking for range query References: Message-ID: Gasti Gillen wrote: University of Graz in Austria > I am not to sure if this is the right ng for his posting. > > If not, please notify me where to post it. This is not a bad place to start. There are more admin types [and also kooks] in news.admin.net-abuse.email. > I am looking for a free tool or web site which I can use to make a > whole range query (e.g. 143.50.*.*) to find out which of the > addresses in my B-Class net are listed on the common worldwide lists. I know of no such animal. That entire /16 is under the University's aegis, as you have mentioned. Some ideas come to mind from an administration point of view. The /16 could be portscanned for 'important' ports by the admin, not the curious. The output servers for the mail could be individually looked up someplace like dnsstuff. The 6 IPs I've listed below don't show up anywhere. I can put the /16 into the tool at senderbase to see which servers have a record of outputting mail and see only these: Addresses in 143.50.0.0/16 used to send email address | hostname |DNS Verified | Daily Mag | Monthly Mag 143.50.13.36 herakles.kfunigraz.ac.at Y 4.7 4.7 143.50.212.116 inode116.kfunigraz.ac.at Y 0.0 3.5 143.50.129.26 teutates.kfunigraz.ac.at Y 3.4 3.5 143.50.212.176 inode176.kfunigraz.ac.at Y 0.0 3.1 143.50.5.28 mbug28.kfunigraz.ac.at Y 2.5 2.8 143.50.5.29 mbug29.kfunigraz.ac.at Y 2.3 2.7 ... where 'Daily Mag' I've abbreviated for magnitude which is a logarithm of the output; similarly for Monthly, where monthly means per day over the past month. The bottom 2 in this case are the MXes, the top 4 are output servers, where there's been some change recently for 2 of the servers whose output has gone to zero. That is, inode116 had a big jump up in its monthly output from its previous average, as did inode176 -- but now they have fallen off to zero. For that type of conversation and investigation, senderbase is the only free 'assayer' of such information I know. The person who can access the logs for the inodes could evaluate why they had a jump in their output activity. I've gotten into arguments in nanae about senderbase information, because a number of mail admins don't respect its assessments. -- Mike Easter kibitzer, not SC admin From austringer at spamcop.net Mon Jul 25 10:53:42 2005 From: austringer at spamcop.net (A Chen) Date: Mon Jul 25 12:55:03 2005 Subject: [SC-Help] not receiving notification Message-ID: I've got my preferences set to receive notification of held messages Sunday thru Thursday. However, I'm not getting these reports... our network uses Barracuda and I whitelisted spamcop there, but I'm still not getting them regularly. Just one on this Monday. But when I looked at my held mail there was a whole stack, several days' worth. Is this a spamcop problem or something else? If the latter, where else can I look? I'm also asking our Barracuta folks. Thanks From gilleng at sbox.tugraz.at Tue Jul 26 12:53:17 2005 From: gilleng at sbox.tugraz.at (Gasti Gillen) Date: Tue Jul 26 05:55:16 2005 Subject: [SC-Help] Re: seeking for range query References: Message-ID: Thanks Mike. I think I did not express myself properly: Actually I am looking for something like: http://dsbl.org/listing, which could be used for a hole range lookup. with kind regards, Gasti From stuart.coggin at spamcop.net Tue Jul 26 22:36:58 2005 From: stuart.coggin at spamcop.net (Stuart Coggin) Date: Tue Jul 26 07:40:04 2005 Subject: [SC-Help] Is spamcop mail relay blacklisted by SORBS? Message-ID: Hi, Over the last couple of hours I have noticed mail being relayed to my mail server via my Spamcop account was being rejected by my mailhost because the relay at spamcop.net (c60.cesmail.net) is listed in the sorbs.net blacklist. I did confirm this with a manual check from http://www.au.sorbs.net/cgi-bin/db : Address: 216.154.195.49 Record Created: Sat Apr 24 10:13:08 2004 GMT Record Updated: Tue Jul 26 02:42:30 2005 GMT Additional Information: Received: from c60.cesmail.net (c60.cesmail.net [216.154.195.49]) by desperado.sorbs.net (Postfix) with ESMTP id BFD9111431 for <[email]>; Fri, 04 Mar 2005 05:08:32 +1000 (EST) Currently active and flagged to be published in DNS If you wish to request a delisting please do so through the Support System. Is this right? From mcwebber at my-deja.com Tue Jul 26 08:56:16 2005 From: mcwebber at my-deja.com (McWebber) Date: Tue Jul 26 08:00:04 2005 Subject: [SC-Help] Re: Is spamcop mail relay blacklisted by SORBS? References: Message-ID: "Stuart Coggin" wrote in message news:dc578s$bom$1@news.spamcop.net... > Hi, > > Over the last couple of hours I have noticed mail being relayed to my > mail server via my Spamcop account was being rejected by my mailhost > because the relay at spamcop.net (c60.cesmail.net) is listed in the > sorbs.net blacklist. > > I did confirm this with a manual check from > http://www.au.sorbs.net/cgi-bin/db : > > Address: 216.154.195.49 It's being taken care of. -- McWebber "Richter points to the lack of legal action against his company as proof that he's operating appropriately." Information Week, November 10, 2003 From Kilgallen at SpamCop.net Tue Jul 26 08:22:57 2005 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Tue Jul 26 08:25:02 2005 Subject: [SC-Help] Re: Is spamcop mail relay blacklisted by SORBS? References: Message-ID: In article , Stuart Coggin writes: > Hi, > > Over the last couple of hours I have noticed mail being relayed to my > mail server via my Spamcop account was being rejected by my mailhost > because the relay at spamcop.net (c60.cesmail.net) is listed in the > sorbs.net blacklist. Just like non-SpamCop customers, it seems to me that if you want to always accept email from a particular IP address you should whitelist it on your server. From stuart.coggin at spamcop.net Tue Jul 26 23:50:26 2005 From: stuart.coggin at spamcop.net (Stuart Coggin) Date: Tue Jul 26 08:55:03 2005 Subject: [SC-Help] Re: Is spamcop mail relay blacklisted by SORBS? In-Reply-To: References: Message-ID: Larry Kilgallen wrote: > In article , Stuart Coggin writes: > >>Hi, >> >>Over the last couple of hours I have noticed mail being relayed to my >>mail server via my Spamcop account was being rejected by my mailhost >>because the relay at spamcop.net (c60.cesmail.net) is listed in the >>sorbs.net blacklist. > > > Just like non-SpamCop customers, it seems to me that if you want to > always accept email from a particular IP address you should whitelist > it on your server. But there is nothing to guarantee that the IP address(es) of the SpamCop relay(s) remain constant is there? Or are they documented by SpamCop, and set in stone somewhere? One assumes that load sharing, and backup systems will result in more than one relay being used over a period of time, making ad-hoc maintenance of a whitelist a bit hit and miss. Far better that a commercial anti-spam company avoids the irony of being blacklisted in the first place ;-) From MikeE at ster.invalid Tue Jul 26 07:27:53 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jul 26 09:30:02 2005 Subject: [SC-Help] Re: seeking for range query References: Message-ID: Gasti Gillen wrote: > Actually I am looking for something like: http://dsbl.org/listing, > which could be used for a hole range lookup. I didn't know dsbl had a range lookup - but it is currently inop. http://dsbl.org/listingrange This facility is being rewritten to improve performance and is currently unavailable -- Mike Easter kibitzer, not SC admin From nttp.sc.sh at bigsleep.org Tue Jul 26 15:02:45 2005 From: nttp.sc.sh at bigsleep.org (Blammo) Date: Tue Jul 26 10:05:04 2005 Subject: [SC-Help] Re: Is spamcop mail relay blacklisted by SORBS? References: Message-ID: On 26 Jul 2005 Stuart Coggin entered spamcop.help and left news:dc5bik$elm$1@news.spamcop.net: > Larry Kilgallen wrote: >> >> Just like non-SpamCop customers, it seems to me that if you want to >> always accept email from a particular IP address you should whitelist >> it on your server. > > But there is nothing to guarantee that the IP address(es) of the > SpamCop relay(s) remain constant is there? Or are they documented by > SpamCop, and set in stone somewhere? An "SPF" type check on the domains shows a txt record of 216.154.195.32/27 -- | Ric | From bhetrick at notinnedmeats.iname.com Tue Jul 26 11:23:26 2005 From: bhetrick at notinnedmeats.iname.com (Brian Hetrick) Date: Tue Jul 26 10:25:07 2005 Subject: [SC-Help] Re: Reporting problem (found problem: COMCAST) References: Message-ID: "Blammo" wrote ... > In short, you are comparing some inconvenience to a complete lack > of functionality. Well, since I submit spam by e-mail, it is conceivable that SpamCop could allow me to confirm its parses of all spams in a batch with a single click, rather than demanding two clicks per spam. So it is really rather a lot of inconvenience SpamCop is imposing. And writing a script to rename the .eml's to .txt's took all of an hour or two, certainly less than one week's SpamCop inconvenience. Not all of us are willing to change ISPs after 17 years due to their filtering .eml attachments. We have different opinions as to whether it is "worth it;" but that difference makes neither of us wrong. From NoSpam at Here.please Tue Jul 26 12:36:38 2005 From: NoSpam at Here.please (Lking) Date: Tue Jul 26 11:40:04 2005 Subject: [SC-Help] Re: Reporting problem (found problem: COMCAST) In-Reply-To: References: Message-ID: Brian Hetrick wrote: > "Blammo" wrote ... > >> In short, you are comparing some inconvenience to a complete lack >> of functionality. > > ... > Not all of us are willing to change ISPs after 17 years due to their > filtering .eml attachments. We have different opinions as to whether > it is "worth it;" but that difference makes neither of us wrong. > 17 years with COMCAST? my my. I do question if it is "worth it" considering the amount of spam I get from/through COMCAST servers. Their effort seems to be more of an inconvenience to you than the spammers hosted by COMCAST or using COMCAST's resources. From bhetrick at notinnedmeats.iname.com Tue Jul 26 15:59:13 2005 From: bhetrick at notinnedmeats.iname.com (Brian Hetrick) Date: Tue Jul 26 15:00:03 2005 Subject: [SC-Help] Re: Reporting problem (found problem: COMCAST) References: Message-ID: "Lking" wrote ... > 17 years with COMCAST? my my. No, I was responding to Blammo, who in a previous discussion of ISPs filtering .eml attachments said: > I'm sorry if I sound offensive, but I'm leaving an ISP I've had for > 9 years because of this, and really only because they respond like > morons. I mis-remembered the time period. My bad. From gilleng at sbox.tugraz.at Wed Jul 27 11:08:49 2005 From: gilleng at sbox.tugraz.at (Gasti Gillen) Date: Wed Jul 27 04:10:02 2005 Subject: [SC-Help] Re: seeking for range query References: Message-ID: Thanks, I found out that http://dsbl.org/listingrange is currently unavailable. Thatīs why I am looking for some other page where this service does work! I thought there must be some somewhere, as threre are that many black-lists around in the internet. kind regards, Gasti From forrie at Noforriesp.amcom Wed Jul 27 13:57:46 2005 From: forrie at Noforriesp.amcom (Forrest Aldrich) Date: Wed Jul 27 13:00:07 2005 Subject: [SC-Help] Reporting botnet spam? Message-ID: My system gets regular spam from botnets -- it's annoying, and the volume has been on the rise (frequency). Is there an RBL or place where these attacks can be reported. These are generally dynamic pools, but not all RBLs are up-to-date on this material. Seems reasonable that there could be an RBL that tracks botnet activity and can be used in DNS similarly. Thanks. From MikeE at ster.invalid Wed Jul 27 14:31:30 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jul 27 16:35:02 2005 Subject: [SC-Help] Re: Reporting botnet spam? References: Message-ID: Forrest Aldrich wrote: > My system gets regular spam from botnets Just in case one person's jargon or argot [how about jargot?] isn't the same as another's, here's a long discussion of the term botnet from a reliable source http://en.wikipedia.org/wiki/Botnet That rather comprehensive discussion of the term wouldn't afford some kind of 'special' blocklist for so-called botnet spam > Is there an RBL or place where these attacks can be reported. How about if you report your botnet spam the same way as you report the rest of your spam, or the 'non-botnet' spam? > These are generally dynamic pools, but not all RBLs are up-to-date on > this material. Seems reasonable that there could be an RBL that > tracks botnet activity and can be used in DNS similarly. -- Mike Easter kibitzer, not SC admin From ddotrdotnewman at qub.ac.uk Fri Jul 29 16:10:51 2005 From: ddotrdotnewman at qub.ac.uk (David R. Newman) Date: Fri Jul 29 10:15:03 2005 Subject: [SC-Help] Average reporting time and timezones Message-ID: When I report spam, Spamcop tells me my average reporting time. For years it stuck at 12 hours, so I assumed it wasn't calculating that. Now it's gone up to 13 hours, so something must have happened. How is the average time calculated, and does it take account of time zones? I'm several hours ahead of the spamcop servers. From mcwebber at my-deja.com Fri Jul 29 11:28:20 2005 From: mcwebber at my-deja.com (McWebber) Date: Fri Jul 29 10:30:03 2005 Subject: [SC-Help] Spamcop Bug Message-ID: Quite often, after I have reported a spam via pasting it into the online form, when I am then presented with the form again on the /sc page. I will paste in another spam, click to submit, and get an error page that says No Data/Too much data. If I then bring up the main www.spamcop.net page and paste in the identical spam, it submits just fine. There must be something in the form submission via the /sc page that is different. It is most common when submitting spam that is in Cyrillic. -- McWebber No email replies read If someone tells you to forward an email to all your friends please forget that I'm your friend. From MikeE at ster.invalid Fri Jul 29 08:50:46 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri Jul 29 10:55:02 2005 Subject: [SC-Help] Re: Average reporting time and timezones References: Message-ID: David R. Newman wrote: > When I report spam, Spamcop tells me my average reporting time. For > years it stuck at 12 hours, so I assumed it wasn't calculating that. > Now it's gone up to 13 hours, so something must have happened. > > How is the average time calculated, and does it take account of time > zones? I'm several hours ahead of the spamcop servers. I don't know the answer to your question, but I'll comment on what little information I know, and then you may have some additional information to work with while you try to guess the answer. First of all, whenever I 'think' about what time it is now, in a global context, I don't think what time it is PDT, Pacific Daylight Time. I think about what time it is UTC. That way when I'm looking at headers, I don't have to do all kinds of gyrations for the various different timezones. I just convert everything to UTC. Or you can say GMT, but the two terms are not precisely the same. Second, there's another piece of information about a spam's 'date' or timestamp. It is not what is in the Date line created by the spammer. And, what it /is/ isn't altogether simple. It is officially "The parser takes the date from the earliest trusted received line. Rather than what it used to do, which was take the date from the top-most received line." But I would elaborate on that subject. I would say 'earliest' trusted received line means the lowest or bottommost trusted received line. The bottommost trusted receivedline can be the top line, or it can be the bottommost mailhost line, or it can be the bottommost trusted server line. And we most surely would express that in UTC, nicht war? Third, so what do we do with this information? Compare the age of a spam based on the bottommost information as above with the present time UTC? That's what I would do. That also means that the age of the spam is going to be influenced by the parser's use of the mailhost of the person submitting to the parser. If you have a mailhost configuration, that will determine/affect SC's calculations as to the age of your spam. -- Mike Easter kibitzer, not SC admin From duncanObfsucation at punk.net Sun Jul 31 20:39:37 2005 From: duncanObfsucation at punk.net (D. Campbell (remove obfuscation)) Date: Sun Jul 31 22:40:02 2005 Subject: [SC-Help] Re: Reporting problem (found problem: COMCAST) References: Message-ID: "Jim" wrote in message: > > I found a small smtp server that allows me to email spam report to SC. It works for both OE > and Thunderbird. I only had to make 1 change in Thunderbird. I thinking Comcast might bitch > but until then. They'll never notice. It's not what they're looking for and the response would certainly not be to bitch about it but rather to block outgoing connections, probably from all customers. Enjoy your new server. If you're running it yourself, though, take care that spammers aren't enjoying it too. Glad to hear the idea of sending forwarded spam to the parser (and to an archiver) was useful to you. d.