From h9vzc2i02 at sneakemail.com Wed Jun 1 22:33:33 2005
From: h9vzc2i02 at sneakemail.com (Anon_)
Date: Thu Jun 2 00:35:02 2005
Subject: [SC-Help] Re: HTML spam, Spamcop says: No links found
References:
Message-ID:

"WazoO" wrote in message news:d7fmre$qrm$1@news.spamcop.net...
> "Frede Hansen" wrote in message
> news:Xns966682BCA8AE5cornerred@216.154.195.61...
> > I am getting a lot of HTML based spam, where Spamcop fails,
> > since there is no way to attach the HTML in the report.
>
> As the reference to the www.spamcop.net FAQ didn't seem
> to help, perhaps some data found over in the Forum may help.
> http://forum.spamcop.net/forums/ For example, the entry in
> the "How to Use ... Reporting" Forum section titled;
> " OE6 Secure handling of e-mail - Why Forward won't work"
> Whether you use OE or not, there are some concepts there
> that may help to explain what you are doing wrong.
>
> > Then of course I try simply to paste the links that the HTML is hiding,
> > but then: No links found, I am just told.
>
> And this is going to get you into trouble as this is in violation
> of rules and guidelines to the use of your SpamCop Reporting
> account. That you are having issues would seem to increase
> your chances of getting nailed on this.
>
> The act of "pasting stuff into your e-mail/spam submittal" is
> wrong, but that you are having problems is probably based
> on what you are attempting to manipulate and the way you
> are doing it. See the above URL for some background on
> e-mail construction, HTML rendering, etc.
>
> Not only do you not identify the OS and applications
> involved in your e-mail handling, but you also don't
> actually state just how you are handling your submittal.
>
>

** Another thing, you cannot 'paste' anything into an html page - you have to look at the source code and add the info in the form of html code in the correct place for the parser to see it. Again, messing with the spam IS a violation of SC's rules anyhow.
--
A SpamCop user and forum reader, Not Admin ***

From lane at joeandlane.com Thu Jun 2 12:59:45 2005
From: lane at joeandlane.com (Lane)
Date: Thu Jun 2 12:53:38 2005
Subject: [SC-Help] They're varying their shields, captain!
Message-ID: <200506021159.45749.lane@joeandlane.com>

I've been getting two or three emails every day for about a month from nrefi.net and frefi.net and some other *refi.net's using ip range 85.138.36.x but I notice that when I report these to Spam Cop they don't get blocked.

I understand that the scoring system may prevent a spammer from ever getting listed, but I'm curious about the SenderBase information on this ip range. It appears here:

http://www.senderbase.org/?searchBy=ipaddress&sb=1&searchString=85.138.36.161

That this IP has had a 100% drop in email in the last 24 hours, yet it has had a 502% increase in the last 30 days. The average magnitude is 1.2%.

So I'm wondering if these guys are just cycling through a set of ip's just fast enough to render the senderbase information obsolete just in time to avoid being blocked.

Maybe I'm not getting the technology, but it seems to me that these *refi.net people are slipping through spamcop like a knife through butter.

lane

From pete+usenet at heypete.com Thu Jun 2 11:10:44 2005
From: pete+usenet at heypete.com (Pete Stephenson)
Date: Thu Jun 2 13:15:04 2005
Subject: [SC-Help] Re: They're varying their shields, captain!
References:
Message-ID:

In article , Lane wrote:

> Maybe I'm not getting the technology, but it seems to me that these *refi.net
> people are slipping through spamcop like a knife through butter.

Easy solution: Rotate the shield harmonics!

Ok, nevermind. :)

--
Pete Stephenson
HeyPete.com

From dfm2a3l0t2 at spymac.com Thu Jun 2 17:53:58 2005
From: dfm2a3l0t2 at spymac.com (D.F. Manno)
Date: Thu Jun 2 16:55:02 2005
Subject: [SC-Help] Re: They're varying their shields, captain!
References:
Message-ID:

In article , Pete Stephenson wrote:

> Lane wrote:
>
> > Maybe I'm not getting the technology, but it seems to me that these
> > *refi.net people are slipping through spamcop like a knife through butter.
>
> Easy solution: Rotate the shield harmonics!

"But Cap'n...the dilithium crystals canna take any more!"

--
D.F. Manno
dfm2a3l0t2@spymac.com
"The work goes on, the cause endures, the hope still lives and the dream will never die."

From eddie at eddie.web Thu Jun 2 22:45:43 2005
From: eddie at eddie.web (eddie)
Date: Thu Jun 2 21:50:03 2005
Subject: [SC-Help] Re: They're varying their shields, captain!
References:
Message-ID:

On Thu, 02 Jun 2005 16:53:58 -0400, D.F. Manno scratched out the following:

> In article ,
> Pete Stephenson wrote:
>
>> Lane wrote:
>>
>> > Maybe I'm not getting the technology, but it seems to me that these
>> > *refi.net people are slipping through spamcop like a knife through
>> > butter.
>>
>> Easy solution: Rotate the shield harmonics!
>
> "But Cap'n...the dilithium crystals canna take any more!"

MacGyver will take us through the StarGate and we will then make repairs, swapping the dilithium crystals for naquadah generators. Then the shields will hold up for an entire episode without warp or antimatter drive failure.

Scotty is a natural working with MacG, whose first name is Angus

What a team!

--
Once movie theaters gave out steak knives
Today they confiscate them

From buzzard554 at fastmail.co.uk Fri Jun 3 09:19:55 2005
From: buzzard554 at fastmail.co.uk (Martin Edwards)
Date: Fri Jun 3 03:20:03 2005
Subject: [SC-Help] Re: They're varying their shields, captain!
In-Reply-To:
References:
Message-ID:

D.F. Manno wrote:

> In article ,
> Pete Stephenson wrote:
>
>
>> Lane wrote:
>>
>>
>>>Maybe I'm not getting the technology, but it seems to me that these
>>>*refi.net people are slipping through spamcop like a knife through butter.
>>
>>Easy solution: Rotate the shield harmonics!
>
>
> "But Cap'n...the dilithium crystals canna take any more!"

If you ask me, Jim, it's Scotty who can't take any more.

From lane at joeandlane.com Fri Jun 3 17:03:39 2005
From: lane at joeandlane.com (Lane)
Date: Fri Jun 3 16:57:26 2005
Subject: [SC-Help] Re: They're varying their shields, captain!
In-Reply-To:
References:
Message-ID: <200506031603.39640.lane@joeandlane.com>

On Friday 03 June 2005 02:19, Martin Edwards wrote:
> D.F. Manno wrote:
> > In article ,
> >
> > Pete Stephenson wrote:
> >> Lane wrote:
> >>>Maybe I'm not getting the technology, but it seems to me that these
> >>>*refi.net people are slipping through spamcop like a knife through
> >>> butter.
> >>
> >>Easy solution: Rotate the shield harmonics!
> >
> > "But Cap'n...the dilithium crystals canna take any more!"
>
> If you ask me, Jim, it's Scotty who can't take any more.

So anyway ... back to the *refi.net SPAMmers ....

Today I got one from ip: 205.211.197.142 claiming to be from
http://www.parefi.net/book.php

I check senderbase at
http://www.senderbase.org/?searchBy=ipaddress&sb=1&searchString=205.211.197.142

and I see that this IP volume/magnitude has changed from 1102%/1.7 in the last thirty days to -100%/0.0 in the last day.

So is such a dramatic volume change used in the cipher to calcumalate when an ip is a spammer?

lane

P.S. Just to keep the "Trek" dialog going, "I'd rather take the shuttle. A man would have to be INSANE to want his particles scattered all over the universe, like that!"

From nobody at spamcop.net Fri Jun 3 18:33:11 2005
From: nobody at spamcop.net (Ellen)
Date: Fri Jun 3 18:05:02 2005
Subject: [SC-Help] Re: They're varying their shields, captain!
References:
Message-ID:

"Lane" wrote in message
news:mailman.23.1117832246.169.spamcop-help@news.spamcop.net...
>
> Today I got one from ip: 205.211.197.142 claiming to be from
> http://www.parefi.net/book.php
>
> I check senderbase at
> http://www.senderbase.org/?searchBy=ipaddress&sb=1&searchString=205.211.197.142
>
> and I see that this IP volume/magnitude has changed from 1102%/1.7 in the last
> thirty days to -100%/0.0 in the last day.
>
> So is such a dramatic volume change used in the cipher to calcumalate when an
> ip is a spammer?
>

I just changed the report routing on that block to inetcontact@amnetus.com let's see if that makes a difference. I suspect they just have a bunch of compromised machines down there in Honduras.

The volume change in SenderBase can mean that someone noticed the machine was compromised and took it offline or that the worm/trojan got orders to go quiet for a while or lost contact with the mothership ...

And yes the IP is listed.

Ellen

From lane at joeandlane.com Fri Jun 3 19:20:20 2005
From: lane at joeandlane.com (Lane)
Date: Fri Jun 3 19:14:08 2005
Subject: [SC-Help] Re: They're varying their shields, captain!
In-Reply-To:
References:
Message-ID: <200506031820.21210.lane@joeandlane.com>

On Friday 03 June 2005 16:33, Ellen wrote:
> "Lane" wrote in message
> news:mailman.23.1117832246.169.spamcop-help@news.spamcop.net...
>
> > Today I got one from ip: 205.211.197.142 claiming to be from
> > http://www.parefi.net/book.php
> >
> > I check senderbase at
> > http://www.senderbase.org/?searchBy=ipaddress&sb=1&searchString=205.211.197
> >.142
>
> > and I see that this IP volume/magnitude has changed from 1102%/1.7 in the
> > last
>
> > thirty days to -100%/0.0 in the last day.
> >
> > So is such a dramatic volume change used in the cipher to calcumalate
> > when
>
> an
>
> > ip is a spammer?
>
> I just changed the report routing on that block to inetcontact@amnetus.com
> let's see if that makes a difference. I suspect they just have a bunch of
> compromised machines down there in Honduras.
>
> The volume change in SenderBase can mean that someone noticed the machine
> was compromised and took it offline or that the worm/trojan got orders to
> go quiet for a while or lost contact with the mothership ...
>
> And yes the IP is listed.
>
> Ellen
>
>

Thanks, Ellen

lane ~"He's not really dead, Jim!"

From panoptes at iquest.net Sat Jun 4 12:41:36 2005
From: panoptes at iquest.net (Daniel W. Johnson)
Date: Sat Jun 4 12:45:02 2005
Subject: [SC-Help] Re: HTML spam, Spamcop says: No links found
References:
Message-ID: <1gxmqa7.b6e5fdvfeczeN%panoptes@iquest.net>

Mike Easter wrote:

> Any time you want to talk about a result of a parse, the best way to do
> it is to post the tracking url from the top of the page. This is true
> even if you have already submitted your report. You can resubmit the
> same spam item, copy the tracking url, then cancel the report for that
> parse, and paste the tracker in here.

As an alternative to submitting it again, it seems to be possible to get that Parse link from the Past Reports page.

--
Daniel W. Johnson
panoptes@iquest.net
http://members.iquest.net/~panoptes/
039 53 36 N / 086 11 55 W

From hendrik_maryns at despammed.com Sun Jun 5 01:13:36 2005
From: hendrik_maryns at despammed.com (Hendrik Maryns)
Date: Sat Jun 4 18:15:04 2005
Subject: [SC-Help] cancel report
Message-ID:

Hi,

I accidentally reported a false email: I saw that just after hitting the Report button...

What should I do to cancel/undo/whatever?

It concerns java.sun.com, so I guess they won't really bother, but just to know when this happens again...

Cheers, H.
--
Hendrik Maryns

Interesting websites:
www.lieverleven.be (I cooperate)
www.eu04.com European Referendum Campaign
aouw.org The Art Of Urban Warfare

From nobody at devnull.spamcop.net Sat Jun 4 18:18:40 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Sat Jun 4 18:20:02 2005
Subject: [SC-Help] Re: cancel report
References:
Message-ID:

"Hendrik Maryns" wrote in message
news:d7t90m$9tg$1@news.spamcop.net...
>
> I accidentally reported a false email: I saw that just after hitting the
> Report button...
>
> What should I do to cancel/undo/whatever?

How can I unsend a Report?
http://forum.spamcop.net/forums/index.php?showtopic=138

From hendrik_maryns at despammed.com Sun Jun 5 02:04:36 2005
From: hendrik_maryns at despammed.com (Hendrik Maryns)
Date: Sat Jun 4 19:05:02 2005
Subject: [SC-Help] Re: cancel report
In-Reply-To:
References:
Message-ID:

WazoO wrote the following on 5/06/2005 0:18:
> "Hendrik Maryns" wrote in message
> news:d7t90m$9tg$1@news.spamcop.net...
>
>>I accidentally reported a false email: I saw that just after hitting the
>>Report button...
>>
>>What should I do to cancel/undo/whatever?
>
>
> How can I unsend a Report?
> http://forum.spamcop.net/forums/index.php?showtopic=138

Ok, but I can't find a report ID under the Past Reports. I found the report and the associated addresses though. So should I just send them an e-mail with my apologies then?

H.

--
Hendrik Maryns

Interesting websites:
www.lieverleven.be (I cooperate)
www.eu04.com European Referendum Campaign
aouw.org The Art Of Urban Warfare

From lane at joeandlane.com Sun Jun 5 16:33:56 2005
From: lane at joeandlane.com (Lane)
Date: Sun Jun 5 16:28:02 2005
Subject: [SC-Help] Re: They're varying their shields, captain!
In-Reply-To: <200506031820.21210.lane@joeandlane.com>
References: <200506031820.21210.lane@joeandlane.com>
Message-ID: <200506051533.56750.lane@joeandlane.com>

On Friday 03 June 2005 18:20, you wrote:
> On Friday 03 June 2005 16:33, Ellen wrote:
> > > "Lane" wrote in message
> > > news:mailman.23.1117832246.169.spamcop-help@news.spamcop.net...
> > >
> > > Today I got one from ip: 205.211.197.142 claiming to be from
> > > http://www.parefi.net/book.php
> > >
> > > I check senderbase at
> > >
> > http://www.senderbase.org/?searchBy=ipaddress&sb=1&searchString=205.211.1
> > >97 .142
> > >
> > > and I see that this IP volume/magnitude has changed from 1102%/1.7 in
> > > the last thirty days to -100%/0.0 in the last day.
> > >
> > > So is such a dramatic volume change used in the cipher to calcumalate
> > > when an ip is a spammer?
> >
> > I just changed the report routing on that block to
> > inetcontact@amnetus.com let's see if that makes a difference. I suspect
> > they just have a bunch of compromised machines down there in Honduras.
> >
> > The volume change in SenderBase can mean that someone noticed the machine
> > was compromised and took it offline or that the worm/trojan got orders to
> > go quiet for a while or lost contact with the mothership ...
> >
> > And yes the IP is listed.
> >
> > Ellen
>
> Thanks, Ellen
>
> lane ~"He's not really dead, Jim!"

He may not be dead, But apparently he's a zombie!

I've gotten two more from these *refi.net folks. The latest is from ip: 69.61.199.73

Senderbase, http://www.senderbase.org/?searchBy=ipaddress&sb=1&searchString=69.61.199.73 says that magnitude is 2.4 in the last day, with a 7088% volume change vs. average in the last day.

So I ask again, does volume change figure into the determination of whether or not to block an ip?
This appears to be from fuse.net but Spamcop http://www.spamcop.net/w3m?action=checkblock&ip=69.61.199.73 says he is not listed in bl.spamcop.net

just trying to get my head around how all of this works.

Thanks,
Lane

From nobody at devnull.spamcop.net Sun Jun 5 16:39:06 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Sun Jun 5 16:40:02 2005
Subject: [SC-Help] Re: They're varying their shields, captain!
References: <200506031820.21210.lane@joeandlane.com>
Message-ID:

"Lane" wrote in message
news:mailman.26.1118003284.169.spamcop-help@news.spamcop.net...
>
> So I ask again, does volume change figure into the determination of whether or
> not to block an ip?

The Forum FAQ http://forum.spamcop.net/forums/index.php?showtopic=2238
contains links that point back to an entry in the www.spamcop.net
original FAQ ... those details made public about the SpamCopDNSBL
are found at http://forum.spamcop.net/forums/index.php?showtopic=2238
which is found via the "Help" link on the www.spamcop.net web-page.
Both FAQ lists were created so that you don't have to ask, ask
again, and ask yet another time. Please avail yourself to either
(preferably both) FAQ lists, then ask your next question.

From lane at joeandlane.com Sun Jun 5 18:22:55 2005
From: lane at joeandlane.com (Lane)
Date: Sun Jun 5 18:17:03 2005
Subject: [SC-Help] Re: They're varying their shields, captain!
In-Reply-To:
References:
Message-ID: <200506051722.56432.lane@joeandlane.com>

On Sunday 05 June 2005 15:39, WazoO wrote:
> "Lane" wrote in message
> news:mailman.26.1118003284.169.spamcop-help@news.spamcop.net...
>
> > So I ask again, does volume change figure into the determination of
> > whether or
>
> > not to block an ip?
>
> The Forum FAQ http://forum.spamcop.net/forums/index.php?showtopic=2238
> contains links that point back to an entry in the www.spamcop.net
> original FAQ ...
> those details made public about the SpamCopDNSBL
> are found at http://forum.spamcop.net/forums/index.php?showtopic=2238
> which is found via the "Help" link on the www.spamcop.net web-page.
> Both FAQ lists were created so that you don't have to ask, ask
> again, and ask yet another time. Please avail yourself to either
> (preferably both) FAQ lists, then ask your next question.
>
>
> _______________________________________________
> SpamCop-Help mailing list
> SpamCop-Help@news.spamcop.net
> http://news.spamcop.net/mailman/listinfo/spamcop-help

Over here at http://www.spamcop.net/fom-serve/cache/297.html I find,

"What is the SCBL?
The SCBL is a list of IP addresses which have transmitted reported email to SpamCop users, which in turn is used to block and filter unwanted email. The SCBL is a fast and automatic list of sites sending reported mail, with a number of report sources, including automated reports and SpamCop user submissions."

So I'm led to believe that "list of IP addresses which have transmitted reported email to SpamCop users ... fast and automatic ..." means that when I report to SpamCop and SpamCop shows me the IP address of the sender, then, barring some internal conflict, the ip address should be listed. And regardless of listing or not listing, the action (or inaction) should probably be corroborated with other RBL's

I understand that a single report doesn't warrant blocking the ip. But when SenderBase (which SpamCop refers me to) shows a thousand or more percent increase in traffic with magnitudes in full digits over the last 24 hours, I'm curious as to why SpamCop doesn't block the site. That's all. Curious.

As I said, I'm trying to understand how this works so that I can help manage this menace more effectively.

Next question: is it absolutely necessary to "talk" down to someone who is clearly participating?

Please don't blow a gasket. Don't respond if it is going to get your blood pressure up.
Matter of fact, I'll just unsubscribe myself so you won't be troubled by my questions.

Thank you for participating in whatever capacity. I guess I don't really need to know, anyway.

lane

From nobody at devnull.spamcop.net Sun Jun 5 18:54:11 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Sun Jun 5 18:55:03 2005
Subject: [SC-Help] Re: They're varying their shields, captain!
References:
Message-ID:

"Lane" wrote in message
news:mailman.27.1118009823.169.spamcop-help@news.spamcop.net...
>
> Over here at http://www.spamcop.net/fom-serve/cache/297.html I find,

As I stated, both FAQ "question lists" end up pointing to the same FAQ entry. The point being that it could actually be found from either entrance point.

> "What is the SCBL?
> The SCBL is a list of IP addresses which have transmitted reported email to
> SpamCop users, which in turn is used to block and filter unwanted email. The
> SCBL is a fast and automatic list of sites sending reported mail, with a
> number of report sources, including automated reports and SpamCop user
> submissions."
>
> So I'm led to believe that "list of IP addresses which have transmitted
> reported email to SpamCop users ... fast and automatic ..." means that when I
> report to SpamCop and SpamCop shows me the IP address of the sender, then,
> barring some internal conflict, the ip address should be listed.

The FAQ entry identified has a large portion of text devoted to a mathematical model dealing with listing/de-listing. Why did you choose to stop reading/citing at the first paragraph?

> regardless of listing or not listing, the action (or inaction) should
> probably be corroborated with other RBL's

Huh? All the zillions of other BLs have their own requirements and specifications .. that's why there are so many of them.

> I understand that a single report doesn't warrant blocking the ip.
> But when SenderBase (which SpamCop refers me to) shows a thousand or more percent
> increase in traffic with magnitudes in full digits over the last 24 hours,
> I'm curious as to why SpamCop doesn't block the site. That's all. Curious.

There's a difference between "total traffic" and "traffic that gets reported" ....

> Next question: is it absolutely necessary to "talk" down to someone who is
> clearly participating?

Talk down? Pointing out that someone has already spent the time to type up an entry that does in fact answer the question you posed (and as you pointed out, posed repeatedly) is hardly "talking down" to someone, other than pointing out that there was no sign of attempted research prior to posting and making the additional remark that you had posted exactly the same query before ...

> Please don't blow a gasket. Don't respond if it is going to get your blood
> pressure up. Matter of fact, I'll just unsubscribe myself so you won't be
> troubled by my questions.

Rather than "subscribing" .. fire up an actual NNTP tool and point it to news://news.spamcop.net/spamcop.help (for the newsgroup your posts are currently showing up in)

> Thank you for participating in whatever capacity. I guess I don't
> really need to know, anyway.

I find this to be pretty confusing. As I stated, the publicly released details on how the SpamCopDNSBL works is in fact explained in the very FAQ you cited.

From xxxxx at xxxxx.net Mon Jun 6 17:22:40 2005
From: xxxxx at xxxxx.net (Bob Stringer)
Date: Mon Jun 6 19:25:02 2005
Subject: [SC-Help] Is this message legit re spamcop account?
Message-ID:

I received the e-mail quoted below, indicating that it was from "webmaster@spamcop.net"

I've changed my e-mail address in the quoted portions, including in the link that was provided, to protect the innocent. Otherwise it's verbatim.

I never trust messages like this one, since it simply looks like someone's trying to get account information out of me.
For reasons I'll explain shortly, however, although I wasn't going to log in or provide any information, I clicked on the link to see what was up. However, all I got was a "404 Not Found" page at the Spamcop web site.

This ordinarily would have been the end of the matter for me, except that today is June 6, precisely the date for the renewal of my account. I in fact renewed my account through PayPal over two weeks ago, but the fact that I've received such a message on the renewal date makes me wonder whether it could be legitimate. I obviously don't want my account to be closed because someone messed up the record of my payment.

So, does anyone know whether this kind of message is sent when an account is up for renewal, or whatever? (It seems very strange that an account would be closed within 24 hours without a response, since not everyone is in contact with e-mail every single day of his life).

Hunting around the spamcop web site I didn't see any obvious e-mail addresses for inquiries, and so I sent e-mail messages, saying essentially what I've said above, to support@cesmail.net, paypal@cesmail.net, service@cesmail.net. One of those addresses sent me my original renewal notice on May 22, and the other two were referenced in the PayPal message confirming my renewal payment. I didn't know where else to send it.

If anyone knows that there's some other address for corresponding regarding accounts, or can suggest any other address to which I should send a message, I'd appreciate being informed. And quickly, since the message, if it's legit, indicates my account will be suspended in 24 hours!

Thanks.

And here's the message I received:

From: webmaster@spamcop.net
To: xxxxx@xxxxx.net
Date: Monday, June 6, 2005, 1:42:41 PM
Subject: Account Alert

Dear Valued Member,

According to our site policy you will have to confirm your account by the following link or else your account will be suspended within 24 hours for security reasons.
http://www.spamcop.net/confirm.php?email=xxxxx@xxxxx.net

Thank you for your attention to this question. We apologize for any inconvenience.

Sincerely,Spamcop Security Department Assistant.

--
Bob Stringer

From scamper at trisk.com Mon Jun 6 18:54:29 2005
From: scamper at trisk.com (Garen Erdoisa)
Date: Mon Jun 6 19:55:03 2005
Subject: [SC-Help] Re: Is this message legit re spamcop account?
In-Reply-To:
References:
Message-ID:

Bob Stringer wrote:
> I received the e-mail quoted below, indicating that it was
> from "webmaster@spamcop.net"
>
> I've changed my e-mail address in the quoted portions,
> including in the link that was provided, to protect the
> innocent. Otherwise it's verbatim.
>
> I never trust messages like this one, since it simply looks
> like someone's trying to get account information out of me.
> For reasons I'll explain shortly, however, although I wasn't
> going to log in or provide any information, I clicked on
> the link to see what was up. However, all I got was a "404
> Not Found" page at the Spamcop web site.
>
> This ordinarily would have been the end of the matter for
> me, except that today is June 6, precisely the date for the
> renewal of my account. I in fact renewed my account through
> PayPal over two weeks ago, but the fact that I've received
> such a message on the renewal date makes me wonder whether
> it could be legitimate. I obviously don't want my account to
> be closed because someone messed up the record of my
> payment.
>
> So, does anyone know whether this kind of message is sent
> when an account is up for renewal, or whatever? (It seems
> very strange that an account would be closed within 24 hours
> without a response, since not everyone is in contact with
> e-mail every single day of his life).
>
> Hunting around the spamcop web site I didn't see any obvious
> e-mail addresses for inquiries, and so I sent e-mail
> messages, saying essentially what I've said above, to
> support@cesmail.net, paypal@cesmail.net,
> service@cesmail.net. One of those addresses sent me my
> original renewal notice on May 22, and the other two were
> referenced in the PayPal message confirming my renewal
> payment. I didn't know where else to send it.
>
> If anyone knows that there's some other address for
> corresponding regarding accounts, or can suggest any other
> address to which I should send a message, I'd appreciate
> being informed. And quickly, since the message, if it's
> legit, indicates my account will be suspended in 24 hours!
>
> Thanks.
>
> And here's the message I received:
>
> From: webmaster@spamcop.net
> To: xxxxx@xxxxx.net
> Date: Monday, June 6, 2005, 1:42:41 PM
> Subject: Account Alert
>
> Dear Valued Member,
>
> According to our site policy you will have to confirm your
> account by the following link or else your account will be
> suspended within 24 hours for security reasons.
>
> http://www.spamcop.net/confirm.php?email=xxxxx@xxxxx.net
>
> Thank you for your attention to this question. We apologize
> for any inconvenience.
>
> Sincerely,Spamcop Security Department Assistant.
>

1) Full headers are not shown in the above.
2) the message body source is not shown in the above.
3) you should post messages such as this to spamcop.spam, or better yet, feed it to the spamcop parser then post the spamcop tracker url here so the rest of us can see how spamcop parsed the message.

Other than that:
It looks to me based on the wording of the message like a phish scam that forged headers to make it appear to you like it might be coming from spamcop, but is in reality trying to trick you into entering your credit card info so the scammer can steal it.
You'll need to look at the message source to reveal the hidden links which will show where the link will really send you if you click on it.

This same sort of tactic is used to target many banks and places like paypal and ebay to try to trick users into entering personal info.

From MikeE at ster.invalid Mon Jun 6 18:23:13 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Jun 6 20:25:02 2005
Subject: [SC-Help] Re: Is this message legit re spamcop account?
References:
Message-ID:

Bob Stringer wrote:
> I received the e-mail quoted below,

No one around here talks about mail by pasting the rendered results of the body. We talk about mail by looking at its headers and its unrendered body.

Submit the item to the parser properly, copy the tracking url, cancel the reports, and paste the tracker here.

Goodness gracious, did a turnip truck just drive by here?

--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Mon Jun 6 21:27:21 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Mon Jun 6 21:30:03 2005
Subject: [SC-Help] Re: Is this message legit re spamcop account?
References:
Message-ID:

"Bob Stringer" wrote in message
news:ell9a11h9louloo12kpjljagtb3f0rld3h@4ax.com...
> I received the e-mail quoted below, indicating that it was
> from "webmaster@spamcop.net"

Your sample is a bulls*&t phish.

> Hunting around the spamcop web site I didn't see any obvious
> e-mail addresses for inquiries,

This is frustrating, just pointed out the same thing over in another newsgroup. As the www.spamcop.net FAQ left you confused, I'll again point to the single-page access point to a much expanded version at http://forum.spamcop.net/forums/ You will find that the entry there titled "How can I contact a SpamCop representative?" in fact points to a www.spamcop.net FAQ item that you say you couldn't find.

> and so I sent e-mail
> messages, saying essentially what I've said above, to
> support@cesmail.net, paypal@cesmail.net,
> service@cesmail.net.
> One of those addresses sent me my
> original renewal notice on May 22, and the other two were

Two of those ended up in JT's InBox ... not sure where the 'paypal' address ends up, but I'll guess that JT has all three copies of your query (any wonder why he complains of being so overloaded?)

> If anyone knows that there's some other address for
> corresponding regarding accounts, or can suggest any other
> address to which I should send a message, I'd appreciate
> being informed. And quickly, since the message, if it's
> legit, indicates my account will be suspended in 24 hours!

It's a frigging spam ... handle it accordingly.

> And here's the message I received:
>
> From: webmaster@spamcop.net
> To: xxxxx@xxxxx.net
> Date: Monday, June 6, 2005, 1:42:41 PM
> Subject: Account Alert

Without headers, this "sample" is pretty useless other than pointing out the obvious .. a spammer has found a gullible recipient.

From nobody at devnull.spamcop.net Mon Jun 6 21:32:25 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Mon Jun 6 21:35:02 2005
Subject: [SC-Help] Re: cancel report
References:
Message-ID:

"Hendrik Maryns" wrote in message
news:d7tc0a$c39$1@news.spamcop.net...
> WazoO wrote the following on 5/06/2005 0:18:
> >
> > How can I unsend a Report?
> > http://forum.spamcop.net/forums/index.php?showtopic=138
>
> Ok, but I can't find a report ID under the Past Reports. I found the
> report and the associated addresses though. So should I just send them
> an e-mail with my apologies then?

I plead stupid (though noting that the re-look has caused the referenced Forum FAQ item to be updated twice since that last post) .... every report I see in my "report history" has a Report ID. (Then again, I am a free-report only account holder and most of my Report History items are 'cancelled'?)

I would have to suggest that if there is no Report ID, there was no report sent out. Is it possible you're a Mole reporter?
From nobody at spamcop.net Mon Jun 6 22:20:59 2005
From: nobody at spamcop.net (Ellen)
Date: Tue Jun 7 07:40:03 2005
Subject: [SC-Help] Re: Is this message legit re spamcop account?
References:
Message-ID:

"Bob Stringer" wrote in message
news:ell9a11h9louloo12kpjljagtb3f0rld3h@4ax.com...
> I received the e-mail quoted below, indicating that it was
> from "webmaster@spamcop.net"
>
>
> From: webmaster@spamcop.net
> To: xxxxx@xxxxx.net
> Date: Monday, June 6, 2005, 1:42:41 PM
> Subject: Account Alert
>
> Dear Valued Member,
>
> According to our site policy you will have to confirm your
> account by the following link or else your account will be
> suspended within 24 hours for security reasons.
>
> http://www.spamcop.net/confirm.php?email=xxxxx@xxxxx.net
>
> Thank you for your attention to this question. We apologize
> for any inconvenience.
>
> Sincerely,Spamcop Security Department Assistant.
>

We don't have a webmaster@ email address and we do not have a security department and thusly no assistants :-) In any case you would find if you analyzed the received headers that this did not come from SpamCop.

You can write to service@admin.spamcop.net or deputies@admin.spamcop.net if you have a paid reporting account or support@spamcop.net if you have an email account if you are ever in doubt about any mailing.

Ellen
SpamCop

From xxxxx at xxxxx.net Tue Jun 7 19:13:41 2005
From: xxxxx at xxxxx.net (Bob Stringer)
Date: Tue Jun 7 21:15:03 2005
Subject: [SC-Help] Re: Is this message legit re spamcop account?
References:
Message-ID: <9ugca1l8b26jq9bbs1q6kr6itgapn940iu@4ax.com>

On Mon, 06 Jun 2005 17:54:29 -0600, Garen Erdoisa wrote:

>[snip]
> ...
or better yet, feed it to the spamcop parser then post > the spamcop tracker url here so the rest of us can see how > spamcop parsed the message Here it is: > Other than that: > It looks to me based ont the wording of the message like a > phish scam that forged headers to make it appear to you > like it might be comming from spamcop, but is in reality > trying to trick you into entering your credit card info so > the scammer can steal it. I thought so. But as mentioned, what especially made me wonder was that the message coincided with the renewal date of my account. Also, when I clicked on the link to see where it led, rather than taking me to a page that asked for information, it took me to (what appeared to be) a "404 Not Found" page at the Spamcop web site. Seemed like an odd thing for a phisher to do, but what do I know. >You'll need to look at the message source to reveal the hidden links >which will show where the link will really send you if you click on it. How do I do that? I know how to look at all the header info, but I'm not clear on what a message source is. Thanks for the help. From xxxxx at xxxxx.net Tue Jun 7 19:15:14 2005 From: xxxxx at xxxxx.net (Bob Stringer) Date: Tue Jun 7 21:20:02 2005 Subject: [SC-Help] Re: Is this message legit re spamcop account? References: Message-ID: On Mon, 6 Jun 2005 21:20:59 -0400, "Ellen" wrote: > [snip] > You can write to service@admin.spamcop.net or > deputies@admin.spamcop.net if you have a paid reporting > account or support@spamcop.net if you have an email > account if you are ever in doubt about any mailing. Thanks very much, Ellen. From anon at coks.net Tue Jun 7 19:39:23 2005 From: anon at coks.net (Jeff G.) Date: Tue Jun 7 21:40:02 2005 Subject: [SC-Help] Re: Is this message legit re spamcop account? 
In-Reply-To: <9ugca1l8b26jq9bbs1q6kr6itgapn940iu@4ax.com> References: <9ugca1l8b26jq9bbs1q6kr6itgapn940iu@4ax.com> Message-ID: On 6/7/2005 6:13 PM Bob Stringer scribbled: > On Mon, 06 Jun 2005 17:54:29 -0600, Garen Erdoisa > wrote: > > >>[snip] > > >>... or better yet, feed it to the spamcop parser then post >>the spamcop tracker url here so the rest of us can see how >>spamcop parsed the message > > > Here it is: > > > >>Other than that: > > >>It looks to me based ont the wording of the message like a >>phish scam that forged headers to make it appear to you >>like it might be comming from spamcop, but is in reality >>trying to trick you into entering your credit card info so >>the scammer can steal it. > > > I thought so. But as mentioned, what especially made me > wonder was that the message coincided with the renewal date > of my account. Also, when I clicked on the link to see where > it led, rather than taking me to a page that asked for > information, it took me to (what appeared to be) a "404 Not > Found" page at the Spamcop web site. Seemed like an odd > thing for a phisher to do, but what do I know. > > >>You'll need to look at the message source to reveal the hidden links >>which will show where the link will really send you if you click on it. > > > How do I do that? I know how to look at all the header info, > but I'm not clear on what a message source is. > > Thanks for the help. Buried in all the gobbly gook in the msg. body, which you view via the source code view in your email client, you'll most likely find a HTML ref to an HTTP - starts w/ blahblah - if you don't know what you're looking at, you'll need some practice and at the end of the day, you won't be much better off with the knowledge... From xxxxx at xxxxx.net Tue Jun 7 21:02:46 2005 From: xxxxx at xxxxx.net (Bob Stringer) Date: Tue Jun 7 23:05:02 2005 Subject: [SC-Help] Re: Is this message legit re spamcop account? 
References: <9ugca1l8b26jq9bbs1q6kr6itgapn940iu@4ax.com> Message-ID: <1tnca1ppuhu2cm95krjnrvhg1n0fj7i26a@4ax.com> On Tue, 07 Jun 2005 18:39:23 -0700, "Jeff G." wrote: >Buried in all the gobbly gook in the msg. body, which you view via the >source code view in your email client, you'll most likely find a HTML >ref to an HTTP - >starts w/ blahblah - if you don't know what you're looking at, >you'll need some practice and at the end of the day, you won't be much >better off with the knowledge... Yeah. I can see you're right. Since all I really needed to know was that the message wasn't legit, so I'll leave it at that. Thanks. From h9vzc2i02 at sneakemail.com Wed Jun 8 01:25:58 2005 From: h9vzc2i02 at sneakemail.com (Anon_) Date: Wed Jun 8 03:25:03 2005 Subject: [SC-Help] Re: Is this message legit re spamcop account? References: <9ugca1l8b26jq9bbs1q6kr6itgapn940iu@4ax.com> <1tnca1ppuhu2cm95krjnrvhg1n0fj7i26a@4ax.com> Message-ID: "Bob Stringer" wrote in message news:1tnca1ppuhu2cm95krjnrvhg1n0fj7i26a@4ax.com... > On Tue, 07 Jun 2005 18:39:23 -0700, "Jeff G." > wrote: > > >Buried in all the gobbly gook in the msg. body, which you view via the > >source code view in your email client, you'll most likely find a HTML > >ref to an HTTP - > >starts w/ blahblah - if you don't know what you're looking at, > >you'll need some practice and at the end of the day, you won't be much > >better off with the knowledge... > > Yeah. I can see you're right. > ** Learning html is like learning any foreign language - same sentence structure and vocabulary problems. Unless you really want to pursue it (almost as a vocation), it really is not worth it [I studied it on my own for several months out of curiosity] and have forgotten most of it by now. -- A SpamCop user and forum reader, Not Admin *** ** > Since all I really needed to know was that the message > wasn't legit, so I'll leave it at that. > > Thanks. From anon at coks.net Wed Jun 8 16:03:09 2005 From: anon at coks.net (Jeff G.) 
Date: Wed Jun 8 18:05:02 2005 Subject: [SC-Help] spamvertisement reporting & a question... Message-ID: Using SC, a fr instance, the 2 following urls http://members.spamcop.net/mcgi?action=gettrack&reportid=1443463100 http://members.spamcop.net/mcgi?action=gettrack&reportid=1443463094 came up with the notation /No recent reports, no history available/ in the results window. Both these have come up within the past week in past spam. Any reason the No Record msg comes up, when I know for a fact its been reported before by yours truly (no, I'm not feeling neglected)? Or does that dbase only update weekly or whatever? curious... Also, given the 2 methods of choice with reporting - copying and pasting whole msg or forwarding, is there a benefit or preference to using one or the other? Tnx... From MikeE at ster.invalid Wed Jun 8 16:30:23 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jun 8 18:35:03 2005 Subject: [SC-Help] Re: spamvertisement reporting & a question... References: Message-ID: Jeff G. wrote: > Using SC, a fr instance, the 2 following urls > > http://members.spamcop.net/mcgi?action=gettrack&reportid=1443463100 > http://members.spamcop.net/mcgi?action=gettrack&reportid=1443463094 The only person who can view a report # is the person who sent it [or someone on the 'inside' like a deputy] -- so when you want to talk about something which is a report # as a spam item, you need to convert its report # into a tracker. 
If you put a report # into the slot here http://www.spamcop.net/mcgi?action=histmenu or click on a report # here http://www.spamcop.net/mcgi?action=showhistory it will show the spam item, with a link at the top called 'parse' That parse link is actually the tracker url, which has this kind of configuration, which you can see is different than what you posted http://www.spamcop.net/sc?id=z772419713zbc845968bbf41763ade3944ad8acb21fz Also, there's another problem about posting a link which starts with 'members.spamcop.net' -- for nonmembers or nonpaying viewers, any such link will have to be of the configuration 'spamcop.net' -- removing the 'members' part. > came up with the notation > > /No recent reports, no history available/ > > in the results window. But, all of that being said; 'no recent reports, no history available' doesn't mean anything. When you read SC verbose, some things/words mean something, some things/words don't mean anything, and some things/words don't mean what they seem, or they don't mean it where you are seeing it, they mean it somewhere else not too far away. This particular thing/words doesn't mean anything. Don't take it 'literally'. -- Mike Easter kibitzer, not SC admin From anon at coks.net Wed Jun 8 18:13:24 2005 From: anon at coks.net (Jeff G.) Date: Wed Jun 8 20:15:04 2005 Subject: [SC-Help] Re: spamvertisement reporting & a question... In-Reply-To: References: Message-ID: On 6/8/2005 3:30 PM Mike Easter scribbled: > But, all of that being said; 'no recent reports, no history available' > doesn't mean anything. oh... > > When you read SC verbose, some things/words mean something, some > things/words don't mean anything, and some things/words don't mean what > they seem, or they don't mean it where you are seeing it, they mean it > somewhere else not too far away. alice in wonderland... > This particular thing/words doesn't mean anything. Don't take it > 'literally'. 
> > in any case, I wasn't sure if I should just plonk those names out or not... From anon at coks.net Wed Jun 8 18:30:17 2005 From: anon at coks.net (Jeff G.) Date: Wed Jun 8 20:30:02 2005 Subject: [SC-Help] Re: spamvertisement reporting & a question... In-Reply-To: References: Message-ID: On 6/8/2005 5:13 PM Jeff G. scribbled: > On 6/8/2005 3:30 PM Mike Easter scribbled: > > > >>But, all of that being said; 'no recent reports, no history available' >>doesn't mean anything. > > > oh... > > >>When you read SC verbose, some things/words mean something, some >>things/words don't mean anything, and some things/words don't mean what >>they seem, or they don't mean it where you are seeing it, they mean it >>somewhere else not too far away. > > > alice in wonderland... > > >>This particular thing/words doesn't mean anything. Don't take it >>'literally'. >> >> > > in any case, I wasn't sure if I should just plonk those names out or not... BTW, Mike, got an answer for 2nd question on reporting method? tnx... From MikeE at ster.invalid Wed Jun 8 19:33:00 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jun 8 21:35:03 2005 Subject: [SC-Help] Re: spamvertisement reporting & a question... References: Message-ID: Jeff G. wrote: > Also, given the 2 methods of choice with reporting - copying and > pasting whole msg or forwarding, is there a benefit or preference to > using one or the other? The advantage of copying and pasting into the parser is that you get 'faster' rather quicker/sooner results. The disadvantage is that there is 'deadtime' that you need to manage constructively. If you can develop a 'rhythm' of keypresses to get to the message source and paste it into the webparser, or alternatively use a keypress macro, then 'feeding' the parser is actually very efficient, one spam at a time, per 1.5 second [hypothetical]. 
Then, you would need a strategy to manage the deadtime, one of which might be to use multiple iterations of parsers -- so your 'macro' of keypresses feeds a sequence of parsers so that the individual parser's results match up with your approval process. That can result in no deadtime and a continuous sequence of feeding one spam at a time into multiple parsers whose results and approvals match up with the speed of the parser processing. The advantage of forwarding 'masses' of spams at a time is that you avoid the above sequence of having to have an efficient series of keypresses for each spamitem and of transitioning between parsers and their report options. The disadvantage is that you have to wait for the mailforwarded items to get processed in their own sweet time. The other disadvantage is that you still have to manage the problem of accessing the numerous link/s and and the report approval process however efficient or inefficient that is. Some people who 'move toward' sending masses of spams at a time get frustrated by that links portion of the report confirmation and its slowdown and decide to 'degenerate' [or accelerate] into quick reporting. Quick reporting dramatically changes the amount of time required to report some large number of spams. It has its dangers and its limitations or disadvantages, but it does feed a lot of spamsources into the SCbl without as much 'personal' time expenditure [or oversight], and there isn't much lost these days by not reporting the spamvertisers to their providers. There's always the ever-present danger of reporting your own provider if some kind of changes occur in the headerlines of your spams. -- Mike Easter kibitzer, not SC admin From anon at coks.net Wed Jun 8 19:50:58 2005 From: anon at coks.net (Jeff G.) Date: Wed Jun 8 21:50:04 2005 Subject: [SC-Help] Re: spamvertisement reporting & a question... In-Reply-To: References: Message-ID: On 6/8/2005 6:33 PM Mike Easter scribbled: > Jeff G. 
wrote: > >>Also, given the 2 methods of choice with reporting - copying and >>pasting whole msg or forwarding, is there a benefit or preference to >>using one or the other? > > > The advantage of copying and pasting into the parser is that you get > 'faster' rather quicker/sooner results. The disadvantage is that there > is 'deadtime' that you need to manage constructively. If you can > develop a 'rhythm' of keypresses to get to the message source and paste > it into the webparser, or alternatively use a keypress macro, then > 'feeding' the parser is actually very efficient, one spam at a time, per > 1.5 second [hypothetical]. > > Then, you would need a strategy to manage the deadtime, one of which > might be to use multiple iterations of parsers -- so your 'macro' of > keypresses feeds a sequence of parsers so that the individual parser's > results match up with your approval process. That can result in no > deadtime and a continuous sequence of feeding one spam at a time into > multiple parsers whose results and approvals match up with the speed of > the parser processing. > > The advantage of forwarding 'masses' of spams at a time is that you > avoid the above sequence of having to have an efficient series of > keypresses for each spamitem and of transitioning between parsers and > their report options. > > The disadvantage is that you have to wait for the mailforwarded items to > get processed in their own sweet time. The other disadvantage is that > you still have to manage the problem of accessing the numerous link/s > and and the report approval process however efficient or inefficient > that is. > > Some people who 'move toward' sending masses of spams at a time get > frustrated by that links portion of the report confirmation and its > slowdown and decide to 'degenerate' [or accelerate] into quick > reporting. Quick reporting dramatically changes the amount of time > required to report some large number of spams. 
It has its dangers and > its limitations or disadvantages, but it does feed a lot of spamsources > into the SCbl without as much 'personal' time expenditure [or > oversight], and there isn't much lost these days by not reporting the > spamvertisers to their providers. There's always the ever-present > danger of reporting your own provider if some kind of changes occur in > the headerlines of your spams. > Thanks, Mike, that gives me something to mull over. FWIW, I had already gotten to the first point of coordinating the keystrokes. The rest of this missive I need to study a bit - never used said macros before, but sure am familiar with the "dead time"... From anon at coks.net Wed Jun 8 21:34:39 2005 From: anon at coks.net (Jeff G.) Date: Wed Jun 8 23:35:03 2005 Subject: [SC-Help] Re: spamvertisement reporting & a question... In-Reply-To: References: Message-ID: "...there isn't much lost these days by not reporting the > spamvertisers to their providers." Mike, could you elaborate once more why going into the body and digging out the spamadverts is a waste for most? I got 1 guy in another group who swears this is the way - you spelled it out last week, but Thunderbird isn't the best ng searcher in the world and I forget the thread name anywho. Quick & dirty - 2 lines... Tnx... From MikeE at ster.invalid Wed Jun 8 22:21:25 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jun 9 00:25:02 2005 Subject: [SC-Help] Re: spamvertisement reporting & a question... References: Message-ID: Jeff G. wrote: > > "...there isn't much lost these days by not reporting the >> spamvertisers to their providers." > > Mike, could you elaborate once more why going into the body and > digging out the spamadverts is a waste for most? I didn't say that. What I sed or implied was that SC has a standard protocol for spamvertisers. The standard protocol is that it finds the url and resolves it [unless it doesn't] and then the resolved url's provider's contacts are notified. 
SC doesn't use any tools to determine if that spamvertiser provider is unresponsive, such as checking and seeing if the IP is spews or spamhaused. The only mechanism there is for an IP to have an alternate notify than the mechanism I described above is if there has been enough routing attention that a deputy has intervened and created a special routing entry so that something else is notified instead of the protocol notify. So, very often the SC derived spamvertiser notify isn't a responsive one. In which case the notify isn't really good for anything. The only thing which is good for anything is that the reported url gets put on the spamvertiser page where sc-surbl scrapes it and it contributes to that db. I say you could do that with a lot less trouble and resource expenditure on the part of SC and the reporter if you did it another way. > I got 1 guy in another group who swears this is the way - you spelled > it out last week, but Thunderbird isn't the best ng searcher in the > world and I forget the thread name anywho. Quick & dirty - 2 lines... > Tnx... What someone may have been saying is that if the options for notifying about a spam were to result in 'squashing' the cause of the source or/vs squashing the spamvertiser, squashing the spamvertiser would be much much better than squashing the source problem. What I said in alt.spam the other day is that unfortunately, neither of those squashes takes place. Given that nothing happens as a result of the notifies, then almost the only thing that happens is that the source IP gets listed on the SCbl, which is a plus because it helps us filter spam; and the spamvertised url could possibly get put into the sc-surbl, which would also help us filter spam. The notifies aren't doing us any good [to exaggerate this point for the sake of emphasis] -- the only thing that is doing us any good is to try to help us get the spam filtered. 
-- Mike Easter kibitzer, not SC admin From anon at coks.net Thu Jun 9 08:16:25 2005 From: anon at coks.net (Jeff G.) Date: Thu Jun 9 10:20:03 2005 Subject: [SC-Help] Re: spamvertisement reporting & a question... In-Reply-To: References: Message-ID: On 6/8/2005 9:21 PM Mike Easter scribbled: >>Mike, could you elaborate once more why going into the body and >>digging out the spamadverts is a waste for most? > > > I didn't say that. What I sed or implied was that SC has a standard > protocol for spamvertisers. The standard protocol is that it finds the > url and resolves it [unless it doesn't] and then the resolved url's > provider's contacts are notified. > > SC doesn't use any tools to determine if that spamvertiser provider is > unresponsive, such as checking and seeing if the IP is spews or > spamhaused. The only mechanism there is for an IP to have an alternate > notify than the mechanism I described above is if there has been enough > routing attention that a deputy has intervened and created a special > routing entry so that something else is notified instead of the protocol > notify. > > So, very often the SC derived spamvertiser notify isn't a responsive > one. In which case the notify isn't really good for anything. The only > thing which is good for anything is that the reported url gets put on > the spamvertiser page where sc-surbl scrapes it and it contributes to > that db. > > I say you could do that with a lot less trouble and resource expenditure > on the part of SC and the reporter if you did it another way. > What someone may have been saying is that if the options for notifying > about a spam were to result in 'squashing' the cause of the source or/vs > squashing the spamvertiser, squashing the spamvertiser would be much > much better than squashing the source problem. > > What I said in alt.spam the other day is that unfortunately, neither of > those squashes takes place. 
Given that nothing happens as a result of > the notifies, then almost the only thing that happens is that the source > IP gets listed on the SCbl, which is a plus because it helps us filter > spam; and the spamvertised url could possibly get put into the > sc-surbl, which would also help us filter spam. > > The notifies aren't doing us any good [to exaggerate this point for the > sake of emphasis] -- the only thing that is doing us any good is to try > to help us get the spam filtered. > I was actually thinking of a post of a couple weeks ago where you said one shouldn't be opening spam for any reason - I may has misconscrewed something in that post - no matter now, we're all together here, farting into the wind... From MikeE at ster.invalid Thu Jun 9 11:54:18 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jun 9 13:55:02 2005 Subject: [SC-Help] Re: spamvertisement reporting & a question... References: Message-ID: Jeff G. wrote: > I was actually thinking of a post of a couple weeks ago where you said > one shouldn't be opening spam for any reason - I may has misconscrewed > something in that post - no matter now, we're all together here, > farting into the wind... There are different reasons for different people that they shouldn't be opening or reading their spam. Let's say they are an ordinary citizen non-reporter -- one of the masses. I don't want them getting spam mixed up into their goodmail in their inbox, I don't want them reading spam subjects and getting curious about what is inside, I don't want them opening spam to see if it is spam because they are confused by the subject, I don't want them 'unpledged' to never help or 'buy' a spamvertised item, I don't want them opening spam insecurely, and I definitely don't want them clicking on something they see in a spam. So, I want them configured so that all of their spam is directed away from their inbox. 
I want them securely mentally disciplined so that they can visit a Junk folder and make sure there isn't a goodmail in there while they massively delete all of the spam without opening any of it; and I want them to be able to move the occasional spam in their inbox into the Junk without opening it. I also want them pledged to be completely disinterested in whatever might be inside a spam offering to sell a brand new Crossfire convertible for $1000 because they aren't interested in any product being sold in a spam. Let's say they are a 'simple' spamcop reporter. I don't mean simple mentally. I mean someone who is interested in reporting their spam with spamcop. They aren't a highly skilled javascript deobfuscator or cgi cracker who is tracking down the payment methods or parties on some spammer's website. They are simply receiving their spam and simply reporting it, including its spamvertisers, and simply not reporting innocent bystanders. Maybe they have some additional notifies, but that is fodder for a larger subject. I want that person to be configured so that all of their spam is directed away from their inbox, let's say by spampal or by spamcop mail, and securely mentally disciplined and able to move an occasional spam. They also don't need to be opening their spam for anything. They can submit it to the parser and see its headers which have been 'policed' by spampal or spamassassin and tell that it is spam. They can see the url/s because spamcop has displayed them. They can tell what is or isn't an IB, or they can look at the raw unrendered html if they need to clarify. -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Thu Jun 9 16:17:57 2005 From: nobody at devnull.spamcop.net (Cat) Date: Thu Jun 9 16:20:03 2005 Subject: [SC-Help] Re: spamvertisement reporting & a question... 
In-Reply-To: References: Message-ID: Mike Easter wrote: > I want that person to be configured so that all of their spam is > directed away from their inbox, let's say by spampal or by spamcop mail, > and securely mentally disciplined and able to move an occasional spam. > They also don't need to be opening their spam for anything. They can > submit it to the parser and see its headers which have been 'policed' by > spampal or spamassassin and tell that it is spam. They can see the > url/s because spamcop has displayed them. They can tell what is or > isn't an IB, or they can look at the raw unrendered html if they need to > clarify. Tell that to web based e-mail sites like Yahoo and force them to redesign their site so that you can get that info without opening spam. Like I said before, until sites like Yahoo and Gmail have that ability, the only way anyone can report spam to those addresses is to open it. I don't get spam at my Gmail address, only to my Yahoo address, but I'm certainly not going to give up on spam reporting and resort to a rather wimpy "just hit delete" mode just because there's no way to get raw html without opening it. I have my settings so that images in all e-mail are blocked, so I can open it safely. Resorting to "just hit delete" lets the spammers get away with spamming. I'd much rather be able to report them if it means getting them shut down instead of sticking my head in the sand and ignoring it if it means having to open the spam. I do understand that some spam comes through foreign ISPs where complaints will just be ignored, but I'd rather be able to report the spam so that ISPs that actually disconnect spammers can do something about the situation instead of "just hit delete." Then there are also cases like I mentioned in a previous post where I would have accidentally deleted important e-mail in a few rare cases if I hadn't looked at it because a quick look at the subject and from lines looked a little spammy. 
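
The "look at the raw unrendered html" check that comes up in this archive (reading the message source to see where a link really goes, without rendering the mail), as an added example that is not part of any post here. The sample message is constructed, modelled on the "Account Alert" text quoted earlier; the host `phish.example.invalid` and the helper names are assumptions, since the real message source was never posted.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample. The href target is a placeholder host; the visible
# link text is the URL the recipient saw in the rendered mail.
RAW_MESSAGE = """\
From: webmaster@spamcop.net
To: xxxxx@xxxxx.net
Subject: Account Alert
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Dear Valued Member,</p>
<p>According to our site policy you will have to confirm your account
by the following link:</p>
<p><a href="http://phish.example.invalid/confirm.php?email=xxxxx@xxxxx.net">
http://www.spamcop.net/confirm.php?email=xxxxx@xxxxx.net</a></p>
<p>Policy details are <a href="http://www.spamcop.net/">here</a>.</p>
</body></html>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element, without rendering."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Return the host a URL-like string points at, or None if it is not one.

    urlsplit() ignores any "user@" prefix, so a target written as
    http://www.spamcop.net@other.host/ resolves to other.host.
    """
    text = text.strip()
    if not text or "." not in text or any(c.isspace() for c in text):
        return None
    if "://" not in text:
        text = "http://" + text
    try:
        return urlsplit(text).hostname
    except ValueError:
        return None


def audit_links(raw_message):
    """Parse the message source and compare each link's text with its target."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = AnchorCollector()
        # get_content() undoes base64 / quoted-printable transfer encoding.
        collector.feed(part.get_content())
        for href, shown in collector.links:
            target, claimed = host_of(href), host_of(shown)
            findings.append({
                "href": href,
                "shown": shown,
                "target_host": target,
                "claimed_host": claimed,
                # Only flag when the visible text itself claims a host.
                "mismatch": claimed is not None and claimed != target,
            })
    return findings


if __name__ == "__main__":
    for f in audit_links(RAW_MESSAGE):
        flag = "MISMATCH" if f["mismatch"] else "ok"
        print(f"{flag:8} shown={f['shown']!r} -> target host {f['target_host']}")
```
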
From nobody at devnull.spamcop.net Thu Jun 9 16:26:38 2005 From: nobody at devnull.spamcop.net (Cat) Date: Thu Jun 9 16:30:03 2005 Subject: [SC-Help] Re: spamvertisement reporting & a question... In-Reply-To: References: Message-ID: Cat wrote: > I do > understand that some spam comes through foreign ISPs where complaints > will just be ignored, but I'd rather be able to report the spam so that > ISPs that actually disconnect spammers can do something about the > situation instead of "just hit delete." To add to that, it certainly doesn't HELP spammers if having to open a spam to be able to forward it to report it means actually getting the spammer shut down as opposed to sticking your head in the sand and pretending it's not there just because you can't get the raw html without opening it in web-based e-mail. Aside from almost missing important e-mails because the subject and from looked spammy, if I never looked in my bulk folder to report spam there, I would also miss a few other important e-mails that occasionally hit the bulk folder by accident, although e-mail in those cases is easier to judge as legit by just looking at the subject and from. From MikeE at ster.invalid Thu Jun 9 14:47:57 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jun 9 16:50:03 2005 Subject: [SC-Help] Re: spamvertisement reporting & a question... References: Message-ID: Cat wrote: > Tell that to web based e-mail sites like Yahoo and force them to > redesign their site so that you can get that info without opening > spam. Yes, well I can't fix some things that want to force people to open a mail to properly access it for reporting. Naturally I think such systems should be redesigned. >I have my settings so that > images in all e-mail are blocked, so I can open it safely. There /are/ methods for 'safety-fying' the opening of spam, but some people are very interested in safetyfying because they /want/ to be spamreaders. 
I just attacked another poor soul today in alt.spam for being a spamreader. > Resorting > to "just hit delete" lets the spammers get away with spamming. I don't think I was promoting jhd instead of reporting. My jhd advice is directed toward people who aren't reporting who I want to delete their spam unopened rather than opening their spam. > Then there are also cases like I mentioned in a previous > post where I would have accidentally deleted important e-mail in a > few rare cases if I hadn't looked at it because a quick look at the > subject and from lines looked a little spammy. If a reporter is reporting all of their spam, the reporting process is another chance to 'catch' a goodmail which got put into Junk. When the reporter is reporting something which has headers which contain spampal or spamassassin Xlines, it is highly unlikely they are going to report a goodmail -- similarly the reporting process will be displaying url/s which look spammy or not. With that 'safety feature' a person could put a doubtful mail into Junk without opening it. Then when they parsed their Junk, its goodmail header qualities would be displayed. That 'program' assumes something like a spampal proxy. Having spampal examine your mail's headers and interior is better than you reading subjects and froms and trying to figure out what is spam and ham. Also faster. -- Mike Easter kibitzer, not SC admin From mrichter at cpl.net Fri Jun 10 12:29:57 2005 From: mrichter at cpl.net (Mike Richter) Date: Fri Jun 10 14:30:03 2005 Subject: [SC-Help] Re: Help me guys, whats going on? In-Reply-To: References: Message-ID: Kristoffer Lein wrote: > Today I received this message. I am apperantly blocked in some register. > > What to do? > > Failed to deliver to '****@attglobal.net' > SMTP module(domain attglobal.net) reports: > return-path address <****@cqmail.net> rejected by mx2.prserv.net: > 550 RBL block by MX.RBL - Spammer (20050518) > Posted by a (mostly) happy SC user, not an official. 
Your outgoing mail was sent from an (unidentified) IP address which was placed on a blocklist, presumably for being used by a spammer. You are not necessarily the spammer; indeed, it might only be that your IP address is a neighbor of that of a spammer. Since the blocklist cited is not SpamCop's, there is nothing to be done here. If you will provide the IP address, those expert in such matters can give more information. (Indeed, they may be willing to track it down from the sending domain, but the address of the server is both easier to use and able to give unambiguous results.) The solution is to send e-mail from a 'clean' IP address. If you cannot persuade your ISP to do due diligence, then you may have to have recourse to a supplemental account (Yahoo!, hotmail, etc.). Mike -- mrichter@cpl.net http://www.mrichter.com/ From MikeE at ster.invalid Fri Jun 10 13:22:25 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri Jun 10 15:25:03 2005 Subject: [SC-Help] Re: Help me guys, whats going on? References: Message-ID: Mike Richter wrote: > Kristoffer Lein wrote: >> Today I received this message. I am apperantly blocked in some >> register. >> >> What to do? >> >> Failed to deliver to '****@attglobal.net' >> SMTP module(domain attglobal.net) reports: >> return-path address <****@cqmail.net> rejected by mx2.prserv.net: >> 550 RBL block by MX.RBL - Spammer (20050518) Altho' we can't tell exactly what is going on, what he's talking about is a from spamcop address. cqmail.net's incoming MXes are mx.cesmail.net & mx2.cesmail.net -- I don't know what spamcop's mail's output servers are -- but the appearance of what he posted is that Kristoffer was mailing from a spamcop account thru' some unknown SC output server and the recipient MX for attglobal.net which was mx2.prserv.net rejected the transaction on the basis of some unknown blocklist. 
Unfortunately the rejection information doesn't carry the spamcop server output IP which was rejected or the name of a blocklist; but the reason Kristoffer is asking here is because this is a spamcop newsgroup. It is actually a mail question I think; and for that reason the expectation is that it be handled somewhere other than in a regular spamcop.help newsgroup.

> Your outgoing mail was sent from an (unidentified) IP address which
> was placed on a blocklist, presumably for being used by a spammer.

An unidentified *spamcop mail* IP address -- wherein the problem.

> You are not necessarily the spammer; indeed, it might only be that
> your IP address is a neighbor of that of a spammer.
>
> Since the blocklist cited is not SpamCop's, there is nothing to be
> done here.

Unless someone in charge of spamcop mail and the spamcop mail output servers gets down to the bottom of it.

> If you will provide the IP address, those expert in such
> matters can give more information. (Indeed, they may be willing to
> track it down from the sending domain, but the address of the server
> is both easier to use and able to give unambiguous results.)
>
> The solution is to send e-mail from a 'clean' IP address. If you
> cannot persuade your ISP to do due diligence, then you may have to
> have recourse to a supplemental account (Yahoo!, hotmail, etc.).

See how terrible it all sounds when your mail provider is spamcop?

--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Fri Jun 10 16:32:35 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Fri Jun 10 16:35:03 2005
Subject: [SC-Help] Re: Help me guys, whats going on?
References:
Message-ID:

"Kristoffer Lein" wrote in message
news:koffer-96217F.17264810062005@news.cesmail.net...
> Today I received this message. I am apparently blocked in some register.
>
> What to do?
>
> Failed to deliver to '****@attglobal.net'
> SMTP module(domain attglobal.net) reports:
> return-path address <****@cqmail.net> rejected by mx2.prserv.net:
> 550 RBL block by MX.RBL - Spammer (20050518)

Though the error is a bit different, it does involve some part of AT&T ... there is a bit more data in a discussion "over there"
http://forum.spamcop.net/forums/index.php?showtopic=4321

As stated in other responses, a bit more detail would have to be offered in order to try to chase this one down also. No, I've not received any feedback yet.

From anon at coks.net Fri Jun 10 18:57:10 2005
From: anon at coks.net (Jeff G.)
Date: Fri Jun 10 21:00:02 2005
Subject: [SC-Help] methods used...
Message-ID:

Following is a quote from a knowledgeable fellow from another ng - what's wrong with this theory, if anything, aside from the fact that most folks don't have the time with just 30-40 spams per day?
I mean, come on, in a week or two??

It's simple
>>Get spam.
>>Go to website in spam
>> To see if it exists
>> Do a traceroute to the site to see who hosts it
>> Report the site to the host
>>do the same for any website in the spam that provides images (may not be
>>the same host)
>>and the same for any 'sign off' website in the spam (again, may not be
>>the same host)
>>
>>The host will close the site, costing the spammer money (most webhosts
>>don't refund monies when closed for cause)
>>he may open new sites, if he spams for them, you close them as well.
>>
>>You can do this with programs that come with your computer system, or
>>you can employ such as Visual Route or NeoTrace that combine them
>>
>>It won't be automatic, you may have to do this for a week or two before
>>seeing results. Within a month, generally, you will start to see
>>reductions in spam, keep it up, and in 3 months you will usually see a
>>quite massive reduction in spam. Keep it up and in 6 months or so, you
>>(or that account) will be virtually spam free.
It won't stop it
>>completely, but it will reduce it to a level far more manageable. I.e.
>>200 spam per day down to 3 or 4 per week (and if you continue to do it,
>>even that will in time come down)

From MikeE at ster.invalid Fri Jun 10 19:36:13 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Jun 10 21:40:03 2005
Subject: [SC-Help] Re: methods used...
References:
Message-ID:

Jeff G. wrote:
> Following is a quote from a knowledgeable fellow from another ng -
> what's wrong with this theory, if anything, aside from the fact that
> most folks don't have the time with just 30-40 spams per day?
> I mean, come on, in a week or two??

The 'fundamentals' of notifying the spamvertiser provider are based on the concept that a whitehat provider doesn't want the client to be spamming; and when you report to the provider of the spamvertiser, the provider will shut down the website. Then, ostensibly the dejected spammer will give up spamming forever and go away.

> It's simple
>>> Get spam.
>>> Go to website in spam
>>> To see if it exists
>>> Do a traceroute to the site to see who hosts it
>>> Report the site to the host

This is a description of a rather foolish way to go about finding who the provider for the website is, because you can make that determination without actually opening the spam and letting it exercise your browser to take you to the site.

You can determine the link in the spam without opening it, you can use some tool such as SamSpade's GET function or web based similars so that you determine the true location of the spamsite if it has been redirected from the 'original' as it appears in the raw unopened spam. Spamcop does the 'straightforward' ones for you, but it doesn't determine anything but the simplest of redirectors in which the redirection is built into the original link, such as a yahoo redirector.

But, the overall point remains -- 'report the site to the host'.
>>> do the same for any website in the spam that provides images (may
>>> not be the same host)
>>> and the same for any 'sign off' website in the spam (again, may not
>>> be the same host)

Theoretically images may be hosted on another site. Spamcop's reporting doesn't report to the providers of images. Theoretically the remove may be hosted at another site. The business about notifying for a remove is a subject which I personally consider of some controversy. We will temporarily skip past the controversy and say that spamcop's reporting does routinely report to the provider of a remove site.

>>> The host will close the site, costing the spammer money (most
>>> webhosts don't refund monies when closed for cause)

This part is sadly rarely, almost never, true. If it were true more often than rarely, the reporting would be doing a lot more good than it is actually doing. What generally happens when you report the spamvertiser to the provider/host whether you do it by spamcop or manually is absolutely nothing.

>>> he may open new sites, if he spams for them, you close them as well.

That's the whole idea behind the reporting which we wish would work that way.

>>> You can do this with programs that come with your computer system,
>>> or you can employ such as Visual Route or NeoTrace that combine them

The business about how you go about determining who/how to notify, whether you use spamcop or whether you use other tools or whether you use spamcop and many other tools is part of what we talk about around here.

>>> It won't be automatic, you may have to do this for a week or two
>>> before seeing results. Within a month, generally, you will start
>>> to see reductions in spam, keep it up, and in 3 months you will
>>> usually see a quite massive reduction in spam. Keep it up and in 6
>>> months or so, you (or that account) will be virtually spam free.
>>> It won't stop it completely, but it will reduce it to a level far
>>> more manageable. I.e.
200 spam per day down to 3 or 4 per week (and
>>> if you continue to do it, even that will in time come down)

Blahblahblah. That all sounds nice, except for the part about the providers you are notifying not being whitehat, but distinctly blackhat and unresponsive.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Fri Jun 10 20:13:44 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Jun 10 22:15:02 2005
Subject: [SC-Help] Re: methods used...
References:
Message-ID:

Jeff G. wrote:
> It's simple
>>> Report the site to the host

Now that I've painted that other gloomy story; I'll tell another story.

If you turn yourself into a sufficiently effective manual notifier; in which your notifies are succinct and to the point and accurate and valid about what you are notifying about -- and include in those notifies upstreams and parents for things like listed unresponsives and why, and for no abuse.net reg'd abuse contacts, and include a fair number of contacts at each of the providers, on the chance that there might be a language barrier, say about 4 for each -- so that the blackhats are seeing whoall you are notifying and why they are being notified -- and you do this all unmunged and from the spammed address because your attitude is that you don't have anything against listwashing, because your principle function in life is to protect your inbox -- you may see some results.

What may happen is that your spammed address may get branded as an 'anti-' -- an antispam 'troublemaker' who notifies pertinent addresses which result in some feedback even to the blackhat providers that those parents or upstreams are concerned about these little troubles and they are tired of hearing about it, and is it really true that there isn't an abuse address and why don't they do something about that and is it really true that they are spews and spamhaus listed blah blah.

The blackhat sometimes doesn't like for their providers' providers to be getting notified.
Of course when upstreams are getting involved there may be several, each of which has a few legitimate contact addresses.

The consequence of becoming 'anti-' listed can result in the address getting itself listwashed and getting less spam.

Some spam reporters don't believe in 'inviting' listwashing -- other reporters are afraid that unmungeing will result in retaliation.

Some reporters write long or 'nasty' notifies. I believe that a notify should only contain the briefest of information, just enough so that there won't be any confusion about why the entity was notified -- not a lecture on why spam is bad or how many times someone has been notified or anything like that.

It only takes one word to say 'unresponsive' well, maybe 3 if you say 'unresponsive to notifies' and a couple or three more to say 'spews & spamhaus listed'. Then, a few more words about 'no abuse.net reg'd contact'. You can get that stuff on a line or so and have a little template that you just fill in. There are some examples of good notifies in the newsgroup nana-sightings.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Fri Jun 10 20:25:22 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Jun 10 22:30:04 2005
Subject: [SC-Help] Re: methods used...
References:
Message-ID:

Mike Easter wrote:
> It only takes one word to say 'unresponsive' well, maybe 3 if you say
> 'unresponsive to notifies' and a couple or three more to say 'spews &
> spamhaus listed'. Then, a few more words about 'no abuse.net reg'd
> contact'. You can get that stuff on a line or so and have a little
> template that you just fill in. There are some examples of good
> notifies in the newsgroup nana-sightings.

That may cause some confusion. I'm not talking about telling the spamvertiser provider that they are unresponsive to notifies. I'm notifying the spamvertiser provider 'simply' because they are the provider for the spamsite. That's all.
I'm 'talking to' the upstreams or parent about why I'm notifying /them/. I'm notifying these several contacts for the upstreams because their child or downstream is unresponsive to notifies and/or is spews and spamhaus listed and/or doesn't have an abuse.net reg'd contact.

Each notified entity has its own little line/section about why it is being notified. There is a good and legitimate reason for notifying each address in the To: section -- which might contain quite a few addresses for a single spam.

--
Mike Easter
kibitzer, not SC admin

From h9vzc2i02 at sneakemail.com Fri Jun 10 20:40:25 2005
From: h9vzc2i02 at sneakemail.com (Anon_)
Date: Fri Jun 10 22:40:04 2005
Subject: [SC-Help] Re: methods used...
References:
Message-ID:

"Jeff G." wrote in message news:d8dcqq$hu7$1@news.spamcop.net...
> Following is a quote from a knowledgeable fellow from another ng - what's
> wrong with this theory, if anything, aside from the fact that most folks
> don't have the time with just 30-40 spams per day?
> I mean, come on, in a week or two??
>
>
> It's simple
> >>Get spam.
> >>Go to website in spam
> >> To see if it exists

**
Error number one - you have confirmed that YOUR e-mail address is a good, live, responsive one - which guarantees that you will get MORE spam from them and anyone whom they wish to sell, give, or furnish your address to.

--
A SpamCop user and forum reader, Not Admin
***

From anon at coks.net Fri Jun 10 20:49:07 2005
From: anon at coks.net (Jeff G.)
Date: Fri Jun 10 22:50:01 2005
Subject: [SC-Help] Re: methods used...
In-Reply-To:
References:
Message-ID:

On 6/10/2005 6:36 PM Mike Easter scribbled:
>
> Blahblahblah. That all sounds nice, except for the part about the
> providers you are notifying not being whitehat, but distinctly blackhat
> and unresponsive.
>

so basically, the guy's blowing smoke. That's my take. OR he's spending an inordinate amount of time at nailing specific spamvertisers, which takes us back to Holden Caulfield.
My only point here is the amount of misinformation being ladled out to the masses...

From anon at coks.net Fri Jun 10 21:03:55 2005
From: anon at coks.net (Jeff G.)
Date: Fri Jun 10 23:05:03 2005
Subject: [SC-Help] Re: methods used...
In-Reply-To:
References:
Message-ID:

On 6/10/2005 7:40 PM Anon_ scribbled:
> "Jeff G." wrote in message
> news:d8dcqq$hu7$1@news.spamcop.net...
>
>>Following is a quote from a knowledgeable fellow from another ng - what's
>>wrong with this theory, if anything, aside from the fact that most folks
>>don't have the time with just 30-40 spams per day?
>>I mean, come on, in a week or two??
>>
>>
>>It's simple
>>
>>>>Get spam.
>>>>Go to website in spam
>>>> To see if it exists
>
>
> **
> Error number one - you have confirmed that YOUR e-mail address is a good,
> live, responsive one - which guarantees that you will get MORE spam from
> them and anyone whom they wish to sell, give, or furnish your address to.
>

unless they decide to steer clear of you since you cause trouble, which seems to be a possibility. But seems to be that ya gotta spend a lot of time at it, which most commonfolk don't have.
Which is why we are here...

From bar_n0ne at hotmail.com Sat Jun 11 11:08:36 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Sat Jun 11 02:10:02 2005
Subject: [SC-Help] Re: Help me guys, whats going on?
References:
Message-ID:

"Mike Richter" wrote in message news:d8cm6u$5ct$1@news.spamcop.net...
> Kristoffer Lein wrote:
SNIP
> > return-path address <****@cqmail.net> rejected by mx2.prserv.net:
> > 550 RBL block by MX.RBL - Spammer (20050518)
SNIP
> The solution is to send e-mail from a 'clean' IP address. If you cannot
> persuade your ISP to do due diligence, then you may have to have
> recourse to a supplemental account (Yahoo!, hotmail, etc.).

until about a year ago, cq net was Alan Ralsky's playground (AFAIK), and almost all spam-vertizing and a lot of spam originated or was hosted from there.
It got on a lot of blacklists as a result that aren't necessarily updated very often, if ever. Frankly, I think tough s**t, that ISP spammed the hell out of me for a couple of years and if it and its customers now suffer a couple of years more from now, well, it's karma and deserved.

It now looks like most big time spammers have moved to CRC (tietong) and they too will find themselves in the situation you are in. even if they clean up as cq net appears to have done.

I guess it's time to look at the router tables and local block lists again. ;)

From nobody at spamcop.net Sat Jun 11 00:50:12 2005
From: nobody at spamcop.net (N. Miller)
Date: Sat Jun 11 02:55:02 2005
Subject: [SC-Help] Re: Help me guys, whats going on?
References:
Message-ID: <1sej63jox41f0$.dlg@news.spamcop.net>

On Sat, 11 Jun 2005 10:08:36 +0400, Berny wrote:
> "Mike Richter" wrote in message
> news:d8cm6u$5ct$1@news.spamcop.net...
>> Kristoffer Lein wrote:
> SNIP
>>> return-path address <****@cqmail.net> rejected by mx2.prserv.net:
>>> 550 RBL block by MX.RBL - Spammer (20050518)
> SNIP
>> The solution is to send e-mail from a 'clean' IP address. If you cannot
>> persuade your ISP to do due diligence, then you may have to have
>> recourse to a supplemental account (Yahoo!, hotmail, etc.).
>
> until about a year ago, cq net was Alan Ralskys playground (AFAIK), and
> almost all spam-vertizing and a lot of spam originated or was hosted from
> there. It got on a lot of blacklists as a result that aren't necessarily
> updated very often, if ever.

Just wondering what "cq net" has to do with this? I can't find a connection.

--
Norman
~Shine, bright morning light,
~now in the air the spring is coming.
~Sweet, blowing wind,
~singing down the hills and valleys.

From big_mart_98 at yahoo.com Sat Jun 11 09:24:03 2005
From: big_mart_98 at yahoo.com (Martin Edwards)
Date: Sat Jun 11 03:25:02 2005
Subject: [SC-Help] Re: methods used...
In-Reply-To:
References:
Message-ID:

Jeff G.
wrote:
> On 6/10/2005 7:40 PM Anon_ scribbled:
>
>
>>"Jeff G." wrote in message
>>news:d8dcqq$hu7$1@news.spamcop.net...
>>
>>
>>>Following is a quote from a knowledgeable fellow from another ng - what's
>>>wrong with this theory, if anything, aside from the fact that most folks
>>>don't have the time with just 30-40 spams per day?
>>>I mean, come on, in a week or two??
>>>
>>>
>>>It's simple
>>>
>>>
>>>>>Get spam.
>>>>>Go to website in spam
>>>>> To see if it exists
>>
>>
>>**
>>Error number one - you have confirmed that YOUR e-mail address is a good,
>>live, responsive one - which guarantees that you will get MORE spam from
>>them and anyone whom they wish to sell, give, or furnish your address to.
>>
>
> unless they decide to steer clear of you since you cause trouble, which
> seems to be a possibility. But seems to be that ya gotta spend a lot of
> time at it, which most commonfolk don't have.
> Which is why we are here...

Just so: an interesting thread, but I'll stick with the Web form for now.

From bar_n0ne at hotmail.com Sat Jun 11 14:26:05 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Sat Jun 11 05:30:13 2005
Subject: [SC-Help] Re: Help me guys, whats going on?
References: <1sej63jox41f0$.dlg@news.spamcop.net>
Message-ID:

"N. Miller" wrote in message news:1sej63jox41f0$.dlg@news.spamcop.net...
> On Sat, 11 Jun 2005 10:08:36 +0400, Berny wrote:
>
> > "Mike Richter" wrote in message
> > news:d8cm6u$5ct$1@news.spamcop.net...
> >> Kristoffer Lein wrote:
> > SNIP
> >>> return-path address <****@cqmail.net> rejected by mx2.prserv.net:
> >>> 550 RBL block by MX.RBL - Spammer (20050518)
> > SNIP
> Just wondering what "cq net" has to do with this? I can't find a
> connection.

umm... apologies (mine) are maybe in order, I saw cqmail.net and connected it with cq-net

From anon at coks.net Sat Jun 11 09:15:03 2005
From: anon at coks.net (Jeff G.)
Date: Sat Jun 11 11:15:03 2005
Subject: [SC-Help] Re: methods used...
In-Reply-To:
References:
Message-ID:

On 6/11/2005 12:24 AM Martin Edwards scribbled:
> Jeff G. wrote:
>
>>On 6/10/2005 7:40 PM Anon_ scribbled:
>>
>>
>>
>>>"Jeff G." wrote in message
>>>news:d8dcqq$hu7$1@news.spamcop.net...
>>>
>>>
>>>
>>>>Following is a quote from a knowledgeable fellow from another ng - what's
>>>>wrong with this theory, if anything, aside from the fact that most folks
>>>>don't have the time with just 30-40 spams per day?
>>>>I mean, come on, in a week or two??
>>>>
>>>>
>>>>It's simple
>>>>
>>>>
>>>>
>>>>>>Get spam.
>>>>>>Go to website in spam
>>>>>> To see if it exists
>>>
>>>
>>>**
>>>Error number one - you have confirmed that YOUR e-mail address is a good,
>>>live, responsive one - which guarantees that you will get MORE spam from
>>>them and anyone whom they wish to sell, give, or furnish your address to.
>>>
>>
>>unless they decide to steer clear of you since you cause trouble, which
>>seems to be a possibility. But seems to be that ya gotta spend a lot of
>>time at it, which most commonfolk don't have.
>>Which is why we are here...
>
>
> Just so: an interesting thread, but I'll stick with the Web form for now.

As will I, since the convenience can't be matched. Lack of concrete results, however, is grating...

From MikeE at ster.invalid Sat Jun 11 11:27:10 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sat Jun 11 13:30:04 2005
Subject: [SC-Help] Re: methods used...
References:
Message-ID:

Jeff G. wrote:
> Anon_ scribbled:
>> "Jeff G."
>>>>> Get spam.
>>>>> Go to website in spam
>>>>> To see if it exists
>>
>>
>> **
>> Error number one - you have confirmed that YOUR e-mail address is a
>> good, live, responsive one - which guarantees that you will get MORE
>> spam from them and anyone whom they wish to sell, give, or furnish
>> your address to.
What Anon is talking about is that when you open a spam and click on its link, the link itself can be uniquely configured for you; besides the fact that a webbug can be configured for your identity. These unique identifiers characterize you as a spam opener and a spam believer, which makes you a spammee -- someone who needs to be on more lists.

> unless they decide to steer clear of you since you cause trouble,
> which seems to be a possibility.

There is nothing about being a spam opener and a spam believer that makes anyone steer clear of you because you are trouble, but rather makes you a spammee.

Keep in mind what is happening all the time and what isn't happening almost all the time. What is happening all of the time is spamming, and lists growing longer or bigger. What isn't happening at all is any kind of removal from any lists for any reasons, except rarely.

What is also happening occasionally is webbugging and special list creation for adding people to other lists.

> But seems to be that ya gotta spend
> a lot of time at it, which most commonfolk don't have.

The business of getting branded or labeled as an anti- is not something that happens very much at all -- and not everyone agrees with facilitating listwashing. The standard SC configuration is to munge and to separate the reporter from the report, just the opposite of notifying unmunged from the spammed address.

> Which is why we are here...

Spamcop's parsing and notifying is real fast. Manual determination of better notifies and completion of a manual notify template is considerably slower.

--
Mike Easter
kibitzer, not SC admin

From steve at prolynx.com Sat Jun 11 15:46:26 2005
From: steve at prolynx.com (Steve Sybesma)
Date: Sat Jun 11 16:50:03 2005
Subject: [SC-Help] Automation
Message-ID:

Hello all,

I use Win98SE and OE6. (By preference, not necessity.)

Looking for some way to automate the sending of spam to the 'quick' e-mail address I use for SpamCop.
I would like to selectively highlight mail that I consider spam (which is why I don't want to use a program like MailWasher, etc.), then be able to right-click and have a context menu item similar to "Forward As Attachment" which takes it the next few steps so that I don't have to select the group send that I use (SpamCop, the FTC and my ISP) and I don't have to hit 'Send' and 'Delete'.

I want to make it every bit as easy to report spam as it is to delete it. This will be an encouragement to anyone who still uses Outlook Express 6 to do their spam reports.

Steve
Thornton, CO

From anon at coks.net Sat Jun 11 15:13:12 2005
From: anon at coks.net (Jeff G.)
Date: Sat Jun 11 17:15:03 2005
Subject: [SC-Help] Re: methods used...
In-Reply-To:
References:
Message-ID:

On 6/11/2005 10:27 AM Mike Easter scribbled:
> Jeff G. wrote:
>
>>Anon_ scribbled:
>>
>>>"Jeff G."
>
>
>>>>>>Get spam.
>>>>>>Go to website in spam
>>>>>> To see if it exists
>>>
>>>
>>>**
>>>Error number one - you have confirmed that YOUR e-mail address is a
>>>good, live, responsive one - which guarantees that you will get MORE
>>>spam from them and anyone whom they wish to sell, give, or furnish
>>>your address to.
>
>
> What Anon is talking about is that when you open a spam and click on its
> link, the link itself can be uniquely configured for you; besides the
> fact that a webbug can be configured for your identity. These unique
> identifiers characterize you as a spam opener and a spam believer, which
> makes you a spammee -- someone who needs to be on more lists.
>
>

I understood what anon was saying, Mike - don't forget I had supplied a quote from another - those are his words that anon was responding to...

>>unless they decide to steer clear of you since you cause trouble,
>>which seems to be a possibility.
>
>
> There is nothing about being a spam opener and a spam believer that
> makes anyone steer clear of you because you are trouble, but rather
> makes you a spammee.
Same other guy was claiming otherwise. I tend to agree with you that it seems unlikely to happen, since if it in fact did, more would do it...

>
> Keep in mind what is happening all the time and what isn't happening
> almost all the time. What is happening all of the time is spamming, and
> lists growing longer or bigger. What isn't happening at all is any kind
> of removal from any lists for any reasons, except rarely.
>
> What is also happening occasionally is webbugging and special list
> creation for adding people to other lists.
>
>
>> But seems to be that ya gotta spend
>>a lot of time at it, which most commonfolk don't have.
>
>
> The business of getting branded or labeled as an anti- is not something
> that happens very much at all -- and not everyone agrees with
> facilitating listwashing. The standard SC configuration is to munge and
> to separate the reporter from the report, just the opposite of notifying
> unmunged from the spammed address.
>
>
>>Which is why we are here...
>
>
> Spamcop's parsing and notifying is real fast. Manual determination of
> better notifies and completion of a manual notify template is
> considerably slower.

Thought that was what I was implying at the end.

BTW the SC server seems to drag real bad at certain times - there are probably times of the day where traffic is heaviest.
Got any useful stats on that?

From nobody at devnull.spamcop.net Sat Jun 11 17:40:52 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Sat Jun 11 17:45:03 2005
Subject: [SC-Help] Re: methods used...
References:
Message-ID:

"Jeff G." wrote in message news:d8fk2r$p27$1@news.spamcop.net...
>
> BTW the SC server seems to drag real bad at certain times - there are
> probably times of the day where traffic is heaviest.
> Got any useful stats on that?
http://www.spamcop.net/spamgraph.shtml?spamstats
http://www.spamcop.net/spamgraph.shtml?spamweek

From MikeE at ster.invalid Sat Jun 11 15:47:43 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sat Jun 11 17:50:02 2005
Subject: [SC-Help] Re: methods used...
References:
Message-ID:

WazoO wrote:
> "Jeff G."
>>
>> BTW the SC server seems to drag real bad at certain times - there are
>> probably times of the day where traffic is heaviest.
>> Got any useful stats on that?
>
> http://www.spamcop.net/spamgraph.shtml?spamstats
> http://www.spamcop.net/spamgraph.shtml?spamweek

I was just coming in here to post the link for the week, which I think shows it better than the day one, but WazoO beat me.

--
Mike Easter
kibitzer, not SC admin

From hendrik_maryns at despammed.com Sun Jun 12 02:10:20 2005
From: hendrik_maryns at despammed.com (Hendrik Maryns)
Date: Sat Jun 11 19:10:03 2005
Subject: [SC-Help] Re: cancel report
In-Reply-To:
References:
Message-ID:

WazoO wrote the following text on 7/06/2005 3:32:
> "Hendrik Maryns" wrote in message
> news:d7tc0a$c39$1@news.spamcop.net...
>
>>WazoO wrote the following text on 5/06/2005 0:18:
>>
>>>How can I unsend a Report?
>>>http://forum.spamcop.net/forums/index.php?showtopic=138
>>
>>Ok, but I can't find a report ID under the Past Reports. I found the
>>report and the associated addresses though. So should I just send them
>>an e-mail with my apologies then?
>
>
> I plead stupid (though noting that the re-look has caused the
> referenced Forum FAQ item to be updated twice since that
> last post) .... every report I see in my "report history" has a
> Report ID. (Then again, I am a free-report only account
> holder and most of my Report History items are 'cancelled'?)
> I would have to suggest that if there is no Report ID, there
> was no report sent out. Is it possible you're a Mole reporter?
Ok, this is what I find under Sent Reports:

Submitted: Thursday, May 26, 2005 22:33:25 +0200:
Your Report (Review ID: 453954) - Minor typo in documentation of Collection

* 1433856541 ( http://java.sun.com/support/index.html ) To: abuse#above.net@devnull.spamcop.net
* 1433856535 ( http://java.sun.com/j2se/1.5.0/docs/api/java/ut... ) To: abuse#above.net@devnull.spamcop.net
* 1433856519 ( 129.147.62.1 ) To: spamcop@imaphost.com
* 1433856507 ( http://bugs.sun.com/bugdatabase/index.jsp ) To: postmaster@sun.com
* 1433856506 ( 129.147.62.1 ) To: postmaster@sun.com
* 1433856495 ( http://bugs.sun.com/bugdatabase/index.jsp ) To: abuse#sun.com@devnull.spamcop.net
* 1433856430 ( 129.147.62.1 ) To: abuse#sun.com@devnull.spamcop.net

if you can tell me what the report ID is, please tell me. BTW: the Review ID 453954 is something from sun, not from Spamcop.

Thanks for the help so far.

H.

--
Hendrik Maryns
Interesting websites:
www.lieverleven.be (I cooperate)
www.eu04.com European Referendum Campaign
aouw.org The Art Of Urban Warfare

From SCNews.5.myspamgobbler at spamgourmet.com Sat Jun 11 18:40:41 2005
From: SCNews.5.myspamgobbler at spamgourmet.com (Brian (SnSR))
Date: Sat Jun 11 20:45:03 2005
Subject: [SC-Help] Re: cancel report
In-Reply-To:
References:
Message-ID:

Hendrik Maryns wrote:
> WazoO wrote the following text on 7/06/2005 3:32:
>
>> "Hendrik Maryns" wrote in message
>> news:d7tc0a$c39$1@news.spamcop.net...
>>
>>> WazoO wrote the following text on 5/06/2005 0:18:
>>>
>>>> How can I unsend a Report?
>>>> http://forum.spamcop.net/forums/index.php?showtopic=138
>>>
>>>
>>> Ok, but I can't find a report ID under the Past Reports. I found the
>>> report and the associated addresses though. So should I just send them
>>> an e-mail with my apologies then?
>>
>>
>>
>> I plead stupid (though noting that the re-look has caused the
>> referenced Forum FAQ item to be updated twice since that
>> last post) .... every report I see in my "report history" has a
>> Report ID.
(Then again, I am a free-report only account
>> holder and most of my Report History items are 'cancelled'?)
>> I would have to suggest that if there is no Report ID, there
>> was no report sent out. Is it possible you're a Mole reporter?
>
>
> Ok, this is what I find under Sent Reports:
>
> Submitted: Thursday, May 26, 2005 22:33:25 +0200:
> Your Report (Review ID: 453954) - Minor typo in documentation of Collection
>
> * 1433856541 ( http://java.sun.com/support/index.html ) To:
> abuse#above.net@devnull.spamcop.net
> * 1433856535 ( http://java.sun.com/j2se/1.5.0/docs/api/java/ut... )
> To: abuse#above.net@devnull.spamcop.net
> * 1433856519 ( 129.147.62.1 ) To: spamcop@imaphost.com
> * 1433856507 ( http://bugs.sun.com/bugdatabase/index.jsp ) To:
> postmaster@sun.com
> * 1433856506 ( 129.147.62.1 ) To: postmaster@sun.com
> * 1433856495 ( http://bugs.sun.com/bugdatabase/index.jsp ) To:
> abuse#sun.com@devnull.spamcop.net
> * 1433856430 ( 129.147.62.1 ) To: abuse#sun.com@devnull.spamcop.net
>
> if you can tell me what the report ID is, please tell me. BTW: the
> Review ID 453954 is something from sun, not from Spamcop.
>
> Thanks for the help so far.
>
> H.
>

The report ID's are 1433856541 and the rest. The only report that actually got sent was to postmaster [at] sun [dot] com. Send them an apology CC'd to spamcop deputies.

From MikeE at ster.invalid Sat Jun 11 18:47:59 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sat Jun 11 20:50:03 2005
Subject: [SC-Help] Re: cancel report
References:
Message-ID:

Hendrik Maryns wrote:
> I accidentally reported a false email: I saw that just after hitting
> the Report button...
>
> What should I do to cancel/undo/whatever?
>
> It concerns java.sun.com, so I guess they won't really bother, but
> just to know when this happens again...
Hendrik Maryns wrote: > Ok, this is what I find under Sent Reports: > > Submitted: Thursday, May 26, 2005 22:33:25 +0200: > Your Report (Review ID: 453954) - Minor typo in documentation of > Collection > > * 1433856541 ( http://java.sun.com/support/index.html ) To: > abuse#above.net@devnull.spamcop.net > * 1433856535 ( > http://java.sun.com/j2se/1.5.0/docs/api/java/ut... ) To: > abuse#above.net@devnull.spamcop.net > * 1433856519 ( 129.147.62.1 ) To: spamcop@imaphost.com > * 1433856507 ( http://bugs.sun.com/bugdatabase/index.jsp ) To: > postmaster@sun.com > * 1433856506 ( 129.147.62.1 ) To: postmaster@sun.com > * 1433856495 ( http://bugs.sun.com/bugdatabase/index.jsp ) To: > abuse#sun.com@devnull.spamcop.net > * 1433856430 ( 129.147.62.1 ) To: > abuse#sun.com@devnull.spamcop.net > > if you can tell me what the report ID is, please tell me. BTW: the > Review ID 453954 is something from sun, not from Spamcop. If I go to my past reports at spamcop at http://www.spamcop.net/mcgi?action=showhistory -- that same link should be /your/ past reports, in a different configuration than what you posted. -- I see reportid #s like 1444596165 1442498783 1441644256 which tell me where each of those reports went. *and also*..... .... and also when I click on a reportid number like above, it takes me to a parse of that particular spam. But... I can't look at the spam from your own report id, because if I feed the reportid gizmo at http://www.spamcop.net/mcgi?action=histmenu one of your report id/s, such as 1433856541 I can see a report which looks like what you posted above, but when I click on the link attached to each reportid number, it doesn't take me to the parse of the spam, because those aren't mine. If you go to the last link I posted and feed it one of my reports such as 1444596165 -- you will see what I mean. 
-- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sat Jun 11 18:53:47 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat Jun 11 20:55:02 2005 Subject: [SC-Help] Re: cancel report References: Message-ID: Brian (SnSR) wrote: > The report ID's are 1433856541 and the rest. The only report that > actually got sent was to postmaster [at] sun [dot] com. Send them an > apology CC'd to spamcop deputies. Brian's answer is much much better than what I said. ;-) -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sun Jun 12 08:38:27 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Jun 12 10:40:03 2005 Subject: [SC-Help] Re: Help me guys, whats going on? References: Message-ID: Kristoffer Lein wrote: > "Mike Easter" >> Unfortunately the rejection information doesn't carry the spamcop >> server output IP which was rejected or the name of a blocklist; but >> the reason Kristoffer is asking here is because this is a spamcop >> newsgroup. It is actually a mail question I think; and for that >> reason the expectation is that it be handled somewhere other than in >> a regular spamcop.help newsgroup. > > I do have a Spamcop email-account. Should I ask questions regarding > this in some other newsgroup? The problem is that JT would rather support mail related issues in a webforum. Those of us who are not JT would rather do support in news like this, but we are limited in our scope and abilities. I'm not a SC mail client so I don't know some SC mail things except what I read, except in 'general' terms. If you had to go to the forum, the mail forum is here http://forum.spamcop.net/forums/index.php?showforum=4 SpamCop Email System & Accounts > This information, the Spamcop server output and the name of the > blocklist, would it help is I posted the entire message including > headers? 
The best way to post a complete mail is not to post it in here, but to submit it to the webparser as if it were a spam, then after the item is parsed the parser provides a tracking url or tracker. You copy that tracker and then cancel the report, since it isn't a spam. Then you paste the tracker into the news message here. The tracker provides access to the entire mail in 'storage'.

This is a tracker and its environment

Here is your TRACKING URL - it may be saved for future reference:
http://www.spamcop.net/sc?id=z773461900z01c46ac69539f51ad885c14087bfc12az

> And also - I send many mails that don't get rejected. Should I worry
> about this problem at all?

I think we should figure out what is going on. If a spamcop mail output server is getting itself onto some kind of blocklist that is worth knowing about. If I know a mail output server's IP I can find out what published/public blocklists it is on.

--
Mike Easter
kibitzer, not SC admin

From mrichter at cpl.net Sun Jun 12 08:56:22 2005
From: mrichter at cpl.net (Mike Richter)
Date: Sun Jun 12 11:00:04 2005
Subject: [SC-Help] Re: Help me guys, whats going on?
In-Reply-To:
References:
Message-ID:

Kristoffer Lein wrote:
> In article ,
> Mike Richter wrote:
>
>
>>Your outgoing mail was sent from an (unidentified) IP address which was
>>placed on a blocklist, presumably for being used by a spammer. You are
>>not necessarily the spammer; indeed, it might only be that your IP
>>address is a neighbor of that of a spammer.
>
>
> Is this my ISP's smtp-server that is blacklisted?
>
>
>
>>Since the blocklist cited is not SpamCop's, there is nothing to be done
>>here. If you will provide the IP address, those expert in such matters
>>can give more information. (Indeed, they may be willing to track it down
>>from the sending domain, but the address of the server is both easier to
>>use and able to give unambiguous results.)
>
>
> Tell me what IP you need Mike, I will post it to you.
I didn't post the > email addresses for obvious reasons. > > > >>The solution is to send e-mail from a 'clean' IP address. If you cannot >>persuade your ISP to do due diligence, then you may have to have >>recourse to a supplemental account (Yahoo!, hotmail, etc.). > > > Will it solve the problem if I set up a local smtp? 1. Yes, it is your ISP's SMTP server that found its way onto a blacklist. 2. The IP address needed is that which was blacklisted, usually that from which the bounced e-mail was sent. However, I repeat that there are experts on this list; I am far from that so I urge you not to suggest private dialogue. (I have in fact done a bit of the diagnostic work others here accomplish routinely. My conclusion was that they have the skills and tools; I might acquire them with dedication I lack.) 3. Unfortunately, as long as you are using a bad server address, you'll be stuck with what else is sent from it. Note that many blacklists believe in guilt by association: if you are in a block with notorious spammers, you may be listed. SpamCop used that approach only briefly and returned to 'innocent until proven guilty' - a policy to which it now adheres. If there were a credible identification of the source below IP address, no doubt that would be used and problems such as yours would vanish. Unfortunately, the only lower-level information the protocol allows is From and Reply to - both of which are forged routinely. Mike -- mrichter@cpl.net http://www.mrichter.com/ From edb2000 at spamcop.net Sun Jun 12 11:02:40 2005 From: edb2000 at spamcop.net (Don Wannit) Date: Sun Jun 12 13:05:03 2005 Subject: [SC-Help] Re: methods used... In-Reply-To: References: Message-ID: Jeff G. wrote: > unless they decide to steer clear of you since you cause trouble, which > seems to be a possibility. Not likely. Otherwise I wouldn't be getting all the spam sent to our abuse@ address. And spammers would avoid sending spam to any @spamcop.net address. 
-- Don Wannit A paid SpamCop user since 1999 From anon at coks.net Sun Jun 12 14:14:43 2005 From: anon at coks.net (Jeff G.) Date: Sun Jun 12 16:15:02 2005 Subject: [SC-Help] cnc.noc Message-ID: Looks like cnc.noc.net is non-responsive - surprise. And the volumn seems to be going up... From hendrik_maryns at despammed.com Mon Jun 13 02:04:58 2005 From: hendrik_maryns at despammed.com (Hendrik Maryns) Date: Sun Jun 12 19:05:03 2005 Subject: [SC-Help] Re: cancel report In-Reply-To: References: Message-ID: Brian (SnSR) uitte de volgende tekst op 12/06/2005 2:40: > Hendrik Maryns wrote: > >> WazoO uitte de volgende tekst op 7/06/2005 3:32: >> >>> "Hendrik Maryns" wrote in message >>> news:d7tc0a$c39$1@news.spamcop.net... >>> >>>> WazoO uitte de volgende tekst op 5/06/2005 0:18: >>>> >>>>> How can I unsend a Report? >>>>> http://forum.spamcop.net/forums/index.php?showtopic=138 >>>> >>>> >>>> >>>> Ok, but I can't find a report ID under the Past Reports. I found the >>>> report and the associated addresses though. So should I just send them >>>> an e-mail with my apologies then? >>> >>> >>> >>> >>> I plead stupid (though noting that the re-look has caused the >>> referenced Forum FAQ item to be updated twice since that >>> last post) .... every report I see in my "report history" has a >>> Report ID. (Then again, I am a free-report only account >>> holder and most of my Report History items are 'cancelled'?) >>> I would have to suggest that if there is no Report ID, there >>> was no report sent out. Is it possible you're a Mole reporter? >> >> >> >> Ok, this is what I find under Sent Reports: >> >> Submitted: Thursday, May 26, 2005 22:33:25 +0200: >> Your Report (Review ID: 453954) - Minor typo in documentation of >> Collection >> >> * 1433856541 ( http://java.sun.com/support/index.html ) To: >> abuse#above.net@devnull.spamcop.net >> * 1433856535 ( http://java.sun.com/j2se/1.5.0/docs/api/java/ut... 
>> ) To: abuse#above.net@devnull.spamcop.net >> * 1433856519 ( 129.147.62.1 ) To: spamcop@imaphost.com >> * 1433856507 ( http://bugs.sun.com/bugdatabase/index.jsp ) To: >> postmaster@sun.com >> * 1433856506 ( 129.147.62.1 ) To: postmaster@sun.com >> * 1433856495 ( http://bugs.sun.com/bugdatabase/index.jsp ) To: >> abuse#sun.com@devnull.spamcop.net >> * 1433856430 ( 129.147.62.1 ) To: abuse#sun.com@devnull.spamcop.net >> >> if you can tell me what the report ID is, please tell me. BTW: the >> Review ID 453954 is something from sun, not from Spamcop. >> >> Thanks for the help so far. >> >> H. >> > > The report ID's are 1433856541 and the rest. The only report that > actually got sent was to postmaster [at] sun [dot] com. Send them an > apology CC'd to spamcop deputies. Thanks, i did that. Will remember this procedure in the future. -- Hendrik Maryns Interesting websites: www.lieverleven.be (I cooperate) www.eu04.com European Referendum Campaign aouw.org The Art Of Urban Warfare From pete+usenet at heypete.com Sun Jun 12 18:54:34 2005 From: pete+usenet at heypete.com (Pete Stephenson) Date: Sun Jun 12 20:55:02 2005 Subject: [SC-Help] Re: cnc.noc References: Message-ID: In article , "Jeff G." wrote: > Looks like cnc.noc.net is non-responsive - surprise. > And the volumn seems to be going up... Yup. In addition to spam, I get substantial amounts of various attacks, probes, unsolicited traffic, etc. from cnc-noc.net. Look for reports from "HeyPete" on MyNetWatchman.com. *shakes head sadly* -- Pete Stephenson HeyPete.com From MikeE at ster.invalid Mon Jun 13 03:08:30 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon Jun 13 05:10:17 2005 Subject: [SC-Help] Re: Bad tracking of spam from x.phoenix-dns.com References: Message-ID: Gene S wrote: > Is anybody at SC actually checking the cases of bad tracking? A deputy sed that the design is for them to check them, but that they are getting a lot and they're not getting checked properly. 
> Spam from x.phoenix-dns.com keeps coming for a while now, but the SC
> doesn't parse the headers correctly. It keeps sending reports to
> admins of fake addresses and to bad_tracking, like in the case of
> "aga (178.233.90.121)" in the example below. Can anything be done
> about it?
>
> Received: from x.phoenix-dns.com (x.phoenix-dns.com [63.247.69.162])
>   by X (Postfix) with SMTP id CAF5939E39
>   for ; Sat, 11 Jun 2005 01:14:25 +0400 (MSD)
> Received: from aga (178.233.90.121)
>   by x.phoenix-dns.com; Fri, 10 Jun 2005 17:14:23 -0400
>
> Maybe SC can add a field to the submission form to the extent "I
> believe the parser barfed, the correct source of spam is ..."?

To a human parser, I would interpret the 2nd line as bogus and I would want SC to untrust 63.247.69.162 as a server. It /is/ the mx for x.phoenix-dns.com. That would cause it to get named as a source and contribute to its being SCbl listed.

From a newsgroup housekeeping point of view, there are a couple of better ways to talk about this issue than posting partial headers in .spam.

First, it would be better to talk about it by posting the tracker for the parse of the spam [or even a tracker for a parse of the headers alone] -- that permits the discussants to actually see how SC is currently parsing the same item. The tracker stores the spam [or headers] and when the tracker link is accessed, the item is reparsed anew. For example if a deputy had fixed the problem we are talking about, we would see it.

Second, when the tracker is what is posted, it can be posted in a 'proper' discussion group, like spamcop.help or spamcop. The ng .spam was invented long ago before trackers were so good so that raw spam with complete headers could be posted here to allow discussions about an item -- because such spam postings were not allowed in the discussion groups. Nowadays a tracker is a better post for the complete item, so there's no need for anything here.
Usually when I answer a post in .spam, I 'move it' by making its/my f/ups to one of the discussion groups.

Third, pertaining to the 1st, this is what a tracker looks like and its environs at the top of a parsed result

Here is your TRACKING URL - it may be saved for future reference:
http://www.spamcop.net/sc?id=z774399296z5b586e5f15c5c54435849ba57a4386bbz

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Mon Jun 13 09:19:12 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Jun 13 11:20:03 2005
Subject: [SC-Help] Re: Help me guys, whats going on?
References:
Message-ID:

Kristoffer Lein wrote:
> 09a4z>
>
> Where to go from here?

www.spamcop.net/sc?id=z774454329zc050fed378d9ec15bf5faa41c2cf09a4z;action=display

What that item shows me is not something emailed from a spamcop account. The item shows this construction....

From swip.net mailerdaemon headers^0 over a 3 piece body
- DSN words^1
- DSN code 5.0.0
- Original mail headers^2

where the mailerdaemon headers^0 show an item sourced from swip.net to a spamcop mailbox, the DSN body describes^1 mx2.prserv.net rejecting an unstated IP based on an unknown 'mx.rbl' blocklist, and the original mail headers^2 show your From showing a source IP of 193.217.177.229 which is rDNS 217-177-229.7002.adsl.tele2.no.

So, I'm assuming you emailed someone at swip.net from the tele2.no IP which got bounced and the bounce was received at the spamcop addy -- but the bounce was based on the .no IP, not a SC IP. I can't make any sense or relationship between what the DSN body is saying^1 and what I'm seeing in the headers^2. The .no IP is listed in njabl and sorbs because it is a dynamic. Your mail shouldn't be going out a dynamic IP. If it was belatedly bounced and bounced to a different From rather than rejected that might explain how it got into the SC mailbox.

Are you familiar with this mail which got bounced? Were you replying to a Kai somebody about something Bakgir?
Can you figure out why this is coming from swip.net but sez attglobal.net/mx2.prserv.net? The prserv/att goes together but I don't get swip. Of course all of the domains involved between you and Kai are munged out. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Mon Jun 13 09:58:12 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon Jun 13 12:00:03 2005 Subject: [SC-Help] Re: Help me guys, whats going on? References: Message-ID: Mike Easter wrote: > Are you familiar with this mail which got bounced? Were you replying > to a Kai somebody about something Bakgir? Can you figure out why > this is coming from swip.net but sez attglobal.net/mx2.prserv.net? > The prserv/att goes together but I don't get swip. Of course all of > the domains involved between you and Kai are munged out. That is, I don't want any usernames or addressses; I'm just trying to understand the 'concept' - your original From domainname, which mailserver you used to send it, and the To domainname. Apparently you got it the bounce in your SC mailbox. For example, in your original mail out there's a bogus helo of 192.168.0.102 -- which is a non-routing IP usually reserved for internal networking. I don't quite understand how that got there. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Mon Jun 13 12:55:57 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon Jun 13 15:00:02 2005 Subject: [SC-Help] Re: Help me guys, whats going on? References: Message-ID: Kristoffer Lein wrote: > "Mike Easter" >> From swip.net mailerdaemon headers^0 over a 3 piece body >> - DSN words^1 >> - DSN code 5.0.0 >> - Original mail headers^2 >> >> where the mailerdemon headers^0 show an item sourced from swip.net >> to a spamcop mailbox, the DSN body describes^1 mx2.prserv.net >> rejecting an unstated IP based on an unknown 'mx.rbl' blocklist, and >> the original mail headers^2 show your From showing a source IP of >> 193.217.177.229 which is rDNS 217-177-229.7002.adsl.tele2.no. 
>
> This looks like my IP, DSL from Tele2.no.

Correct.

>> So, I'm assuming you emailed someone at swip.net from the tele2.no IP
>> which got bounced and the bounce was received at the spamcop addy

That assumption of mine was incorrect. More later.

> I emailed from my SC-account to a attglobal account. Swip.net has
> something to do with my ISP, but is it they who bounce me?

Correct. They inform you that the attempt to mail didn't work. More later.

>> -- but the bounce was based on the .no IP, not a SC IP. I can't
>> make any sense or relationship between what the DSN body is saying^1
>> and what I'm seeing in the headers^2. The .no IP is listed in njabl
>> and sorbs because it is a dynamic. Your mail shouldn't be going out
>> a dynamic IP. If it was belatedly bounced and bounced to a different
>> From rather than rejected that might explain how it got into the SC
>> mailbox.

I'm straightened out on this now. The mail was going from your dynamic IP to your provider's server.

> My ISP's mail server is situated in Sweden, and I have to use this
> with my SC-account - they don't supply smtp. My mail is sent from me,
> Norway, through Sweden (my ISP's smtp). The .no IP (mine) is dynamic,
> doesn't all DSL connections have dynamic IP's?

Yes -- now that I understand the relationship between your dynamic and your provider's server all is well.

>> Are you familiar with this mail which got bounced? Were you
>> replying to a Kai somebody about something Bakgir?
>
> Yes. Kai has a webshop and sells bicycles
> and spares. Bakgir in English is rear derailleur, which is broken on
> my bicycle and I'm buying a new one from Kai.

bakgir is a good name for a rear derailleur. :-)

>> Can you figure out why this is coming from swip.net but sez
>> attglobal.net/mx2.prserv.net? The prserv/att goes together but I
>> don't get swip. Of course all of the domains involved between you
>> and Kai are munged out.
> > A DNS lookup on swip.net, The Swedish IP Network, shows that it is > owned by Tele2. In 1991 SWIPnet, was launched as the first commercial > IP supplier in Sweden. Tele2 is originally a Swedish phone company > with offices in several European countries, including Norway and is > my ISP. Yes. Thanks. How I was trying to tie them together didn't work. But they are tied I see now. More about how I understand it better in the other one. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Mon Jun 13 13:17:59 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon Jun 13 15:20:03 2005 Subject: [SC-Help] Re: Help me guys, whats going on? References: Message-ID: Kristoffer Lein wrote: > "Mike Easter" >> That is, I don't want any usernames or addressses; I'm just trying >> to understand the 'concept' - your original From domainname, which >> mailserver you used to send it, and the To domainname. Apparently >> you got it the bounce in your SC mailbox. > > My SpamCop email (cqmail.net) -> trough my ISP (mail.c2i.net) -> too > attglobal.net user -> "spam bounce" back to me again. OK. I'm beginning to get it. This next is completely wrong; don't even read it ;-) Mike Easter wrote: > So, I'm assuming you emailed someone at swip.net from the tele2.no IP > which got bounced and the bounce was received at the spamcop addy -- > but the bounce was based on the .no IP, not a SC IP. I can't make > any sense or relationship between what the DSN body is saying^1 and > what I'm seeing in the headers^2. The .no IP is listed in njabl and > sorbs because it is a dynamic. Your mail shouldn't be going out a > dynamic IP. If it was belatedly bounced and bounced to a different > From rather than rejected that might explain how it got into the SC > mailbox. Instead of what I said there... Swip is yours, as you explained. 
The bounce is your own provider telling you that you/it tried to send a/your mail and it wasn't accepted/ was rejected/ by the recipient server which was working for attglobal. That is a true 'proper' rejected transaction and is *not* a 'belated' bounce [which gets accepted and then a newmail is initiated to the From]. Kai's domainname is attglobal.net and the prserv mx is what is doing the rejecting for it. So, the wouldbe path would be your dynamic .no IP to the swip smtp toward the attglobal via its prserv MX -- but the prserv MX refused to take the mail from the swip server, so your own swip server told you that your/its mail's transaction failed. The bottommost headers I described earlier is your server taking the item from your IP. We are still left to guess at why the prserv mx refused swip's transaction, but/and we have one swip outgoing IP to look at, namely the one which sent your mail to the spamcop mailbox. That may not be the IP which tried to transact with the prserv/attglobal MX. That IP is 212.247.154.225 rDNS mailfe08.swip.net and it is currently listed on the blocklists blars and dnsbl [rmst] and jammd and spamcannibal. That is not an insignificant group. The only one showing evidence for that IP is spamcannibal at http://www.spamcannibal.org/cannibal.cgi It is very frustrating when a rejected transaction takes place and the actual output IP which is being rejected isn't named in the DSN. It would also be nice if the DSN which rejects something based on a blocklist would name a blocklist, unless it is a 'private' one -- which this may be. The attglobal/prserv MX may have its own non-public blocklist named 'mx.rbl'. When the output IP isn't stated, we are left to guess, because the incoming MXes are listed, not the output server IPs. The mail admin who is the most responsible for figuring out what is going on is the swip admin. Swip needs to be finding out why attglobal's MX should be rejecting its mail, namely yours. 
--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Mon Jun 13 18:45:11 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Mon Jun 13 18:50:03 2005
Subject: [SC-Help] Re: APNIC issues
References:
Message-ID:

"Ellen" wrote in message news:d8kcb0$ldn$1@news.spamcop.net...
> I have opened a ticket on the APNIC issues. Until that is resolved, there is
> no point in sending any more of these to routing. I am not inclined to
> manual route the whole of apnic one block at a time :-)
>
> Thanks
>
> Ellen

Complaint was that no one saw this post in other newsgroups. Replied to cross-post into spamcop and spamcop.help, follow-ups remain to spamcop.routing.

From h9vzc2i02 at sneakemail.com Tue Jun 14 11:47:35 2005
From: h9vzc2i02 at sneakemail.com (Anon_)
Date: Tue Jun 14 13:45:03 2005
Subject: [SC-Help] Re: Help me guys, whats going on?
References:
Message-ID:

"Kristoffer Lein" wrote in message news:kristoffer.lein-4D7766.20255513062005@news.cesmail.net...
> In article ,
> "Mike Easter" wrote:
>
> > www.spamcop.net/sc?id=z774454329zc050fed378d9ec15bf5faa41c2cf09a4z;actio
> > n=display
> >
> > What that item shows me is not something emailed from a spamcop account.
> > The item shows this construction....
>
> My ISP's mail server is situated in Sweden, and I have to use this with
> my SC-account - they don't supply smtp. My mail is sent from me, Norway,
> through Sweden (my ISP's smtp). The .no IP (mine) is dynamic, doesn't all
> DSL connections have dynamic IP's?
>

** Try getting a free e-mail account (hotmail.com for instance) and send mail from that address to the address that has been rejecting your mail and see if you can get through to someone that way and maybe clear up what is REALLY going on. They may be able to tell you what BL you are on and why.

--
A SpamCop user and forum reader, Not Admin ***

From rwcs at spamcop.net Tue Jun 14 19:16:08 2005
From: rwcs at spamcop.net (BMW)
Date: Tue Jun 14 18:20:03 2005
Subject: [SC-Help] Is this for real?
Message-ID:

This seems screwy to me BUT no attempt is made to steal my personal info. . . AND yet my account is still working!

Help me read this header it looks like emc.emc.com.tw then received this from spamcop.net (192.168.33.104) (an unroutable LAN address), then emc.emc.com.tw. (192.168.10.1) (another unroutable LAN address) sent it to emclog.emc.com.tw, then emclog.emc.com.tw (192.72.220.9) sent it to blade5.cesmail.net (the spamcop mail server). . . I did read this right, RIGHT?

Received today:
======================================================
Return-Path:
Delivered-To: spamcop-net-rwcs@spamcop.net
Received: (qmail 15232 invoked from network); 14 Jun 2005 21:12:03 -0000
Received: from unknown (192.168.1.101)
  by blade5.cesmail.net with QMQP; 14 Jun 2005 21:12:03 -0000
Received: from emclog.emc.com.tw (192.72.220.9)
  by mailgate.cesmail.net with SMTP; 14 Jun 2005 21:12:02 -0000
Received: from emc.emc.com.tw (emc [192.168.10.1])
  by emclog.emc.com.tw (8.12.10/8.12.10) with ESMTP id j5EL7sDT021684
  for ; Wed, 15 Jun 2005 05:07:54 +0800 (CST)
Received: from spamcop.net ([192.168.33.104])
  by emc.emc.com.tw (8.11.6/8.11.4) with ESMTP id j5EL9Qg14912
  for ; Wed, 15 Jun 2005 05:09:27 +0800 (CST)
Message-Id: <200506142109.j5EL9Qg14912@emc.emc.com.tw>
From: webmaster@spamcop.net
To: rwcs@spamcop.net
Subject: Your Account is Suspended For Security Reasons
Date: Wed, 15 Jun 2005 05:11:29 +0800
MIME-Version: 1.0
Content-Type: multipart/mixed;
  boundary="----=_NextPart_000_0010_7FD6A9D5.79AB7BCC"
X-Priority: 3
X-MSMail-Priority: Normal
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on blade5
X-Spam-Level: *
X-Spam-Status: hits=1.9 tests=HTML_20_30,HTML_MESSAGE,MISSING_MIMEOLE,
  NO_REAL_NAME,PRIORITY_NO_NAME version=3.0.2
X-SpamCop-Checked:

This is a multi-part message in MIME format.

------=_NextPart_000_0010_7FD6A9D5.79AB7BCC
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

------------------ Virus Warning Message (on emc)

Found virus WORM_MYTOB.EJ in file account-report.doc .pif (in account-report.zip)
The uncleanable file is deleted.

---------------------------------------------------------

------=_NextPart_000_0010_7FD6A9D5.79AB7BCC
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit

Dear user rwcs,

It has come to our attention that your Spamcop User Profile ( x ) records are out of date. For further details see the attached document.

Thank you for using Spamcop!
The Spamcop Support Team






+++ Attachment: No Virus (Clean)
+++ Spamcop Antivirus - www.spamcop.net

------=_NextPart_000_0010_7FD6A9D5.79AB7BCC
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

------------------ Virus Warning Message (on emc)

account-report.zip is removed from here because it contains a virus.

---------------------------------------------------------

------=_NextPart_000_0010_7FD6A9D5.79AB7BCC--
===========================================================

From SCNews.5.myspamgobbler at spamgourmet.com Tue Jun 14 16:29:12 2005
From: SCNews.5.myspamgobbler at spamgourmet.com (Brian (SnSR))
Date: Tue Jun 14 18:35:02 2005
Subject: [SC-Help] Re: Is this for real?
In-Reply-To:
References:
Message-ID:

BMW wrote:
> This seems screwy to me BUT no attempt is made to steal my personal
> info. . . AND yet my account is still working!

This is a forgery. That attempts to infect your computer with WORM_MYTOB.EJ

>
> Help me read this header it looks like emc.emc.com.tw then received this
> from spamcop.net (192.168.33.104) (an unroutable LAN address), then
> emc.emc.com.tw. (192.168.10.1) (another unroutable LAN address) sent it
> to emclog.emc.com.tw, then emclog.emc.com.tw (192.72.220.9) sent it to
> blade5.cesmail.net (the spamcop mail server). . . I did read this right,
> RIGHT?
>
> Received today:
> ======================================================
> Return-Path:
*Forged
> Delivered-To: spamcop-net-rwcs@spamcop.net
> Received: (qmail 15232 invoked from network); 14 Jun 2005 21:12:03 -0000
> Received: from unknown (192.168.1.101)
*Internal Spamcop handling
>   by blade5.cesmail.net with QMQP; 14 Jun 2005 21:12:03 -0000
> Received: from emclog.emc.com.tw (192.72.220.9)
*Origin of worm infested email
>   by mailgate.cesmail.net with SMTP; 14 Jun 2005 21:12:02 -0000
> Received: from emc.emc.com.tw (emc [192.168.10.1])
*Possible forgery, possible trojaned computer
>   by emclog.emc.com.tw (8.12.10/8.12.10) with ESMTP id j5EL7sDT021684
>   for ; Wed, 15 Jun 2005 05:07:54 +0800 (CST)
> Received: from spamcop.net ([192.168.33.104])
*Forged
>   by emc.emc.com.tw (8.11.6/8.11.4) with ESMTP id j5EL9Qg14912
>   for ; Wed, 15 Jun 2005 05:09:27 +0800 (CST)
> Message-Id: <200506142109.j5EL9Qg14912@emc.emc.com.tw>

From anon at coks.net Tue Jun 14 16:35:46 2005
From: anon at coks.net (Jeff G.)
Date: Tue Jun 14 18:35:07 2005
Subject: [SC-Help] Re: Is this for real?
In-Reply-To:
References:
Message-ID:

On 6/14/2005 3:16 PM BMW scribbled:
> This seems screwy to me BUT no attempt is made to steal my personal
> info. . . AND yet my account is still working!
>
> Help me read this header it looks like emc.emc.com.tw then received this
> from spamcop.net (192.168.33.104) (an unroutable LAN address), then
> emc.emc.com.tw. (192.168.10.1) (another unroutable LAN address) sent it
> to emclog.emc.com.tw, then emclog.emc.com.tw (192.72.220.9) sent it to
> blade5.cesmail.net (the spamcop mail server). . . I did read this right,
> RIGHT?

I can't help with the headers - let someone else deal with them. But I can tell you that the spamcop msg. is a fake and has been reported here already - see recent postings...

From MikeE at ster.invalid Tue Jun 14 17:26:34 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Jun 14 19:30:03 2005
Subject: [SC-Help] Re: Is this for real?
References:
Message-ID:

BMW wrote:
> Help me read this header it looks like emc.emc.com.tw then received
> this from spamcop.net (192.168.33.104)

Don't start at the bottom and go up. Start at the top and go down, chaining from an upper 'from' field to a lower 'by' field watching for the first sign of bogosity -- where the chain breaks.

Brian's asterisked annotations of the header are correct.

> (an unroutable LAN address),
> then emc.emc.com.tw. (192.168.10.1) (another unroutable LAN address)
> sent it
> to emclog.emc.com.tw, then emclog.emc.com.tw (192.72.220.9) sent it to
> blade5.cesmail.net (the spamcop mail server). . . I did read this
> right, RIGHT?

Well, you read the last part correctly, which is where to start. The uppermost Received headerline is the reliable part. You are trying to figure out how far down the reliability goes.

I like to depict them like this:

Abbreviated Received lines *comment
from unknown (192.168.1.101) by blade5.cesmail.net *serves you
from emclog.emc.com.tw (192.72.220.9) by mailgate.cesmail.net *sourceline, server
from emc.emc.com.tw (emc [192.168.10.1]) by emclog.emc.com.tw *bad or bogusline
from spamcop.net ([192.168.33.104]) by emc.emc.com.tw *bogusline

After the headers come a 3 part message body in mime delimiters, whose parts consist of plaintext antiviral characterization & deletion info, html viral propagation body, and plaintext antiviral filename & deletion info.

From the appearance of the structure, my guess would be that the original item was a viral propagation pretending to be From SC webmaster addressed To rwcs and containing body information claiming to be from spamcop and having an attachment named account-report.zip which archived a mytobe worm in an executable .pif file disguised as a .doc file.

When the propagation passed thru' the emc .tw server, its AV agent stripped the attachment and continued the item on to you. In doing so, it also stripped the original Content-type line and replaced it with its own.
That seems like a rather bizarre behavior, but I have seen it before.

The original propagation headers contained a bogusline. The .tw server's line is flawed, noncompliant. There /is/ an smtp server at 192.72.220.9 rDNS emclog.emc.com.tw which does not relay promiscuously, but refuses to be manipulated and quits after a few tries.

-- 
Mike Easter
kibitzer, not SC admin

From anon at coks.net Tue Jun 14 17:51:09 2005
From: anon at coks.net (Jeff G.)
Date: Tue Jun 14 19:50:03 2005
Subject: [SC-Help] Your basic blank msg...retry...
Message-ID:

SC didn't/won't send this report
http://www.spamcop.net/sc?id=z774772624zb4931e491be41bb0a6008a3eadd2213bz
due to lack of body - "No body provided, check format of submission".
There was no body.
How does one report this?

Dave Lerner was good enuf to respond to this this A.M. but his instructions /probably/ applied to one who forwards the spam rather than copy & paste, so it drew a blank for me. Afterwards, I ran this spam through a little utility called Abuse which I was using before spamcop. The LART message created by this utility contained a warning about contained virii, one which I've not seen before with this utility - out of the blue it was injected into the Lart body.
I don't understand where the virus may be in a msg. with no attachments and no body.

This is getting curiousier by the minute...
Is this the right group?

From MikeE at ster.invalid Tue Jun 14 18:07:30 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Jun 14 20:10:02 2005
Subject: [SC-Help] Re: Your basic blank msg...retry...
References:
Message-ID:

Jeff G. wrote:
> SC didn't/won't send this report
> http://www.spamcop.net/sc?id=z774772624zb4931e491be41bb0a6008a3eadd2213bz
> due to lack of body - "No body provided, check format of submission".
> There was no body.
> How does one report this?

You have to add 'no body text' after an empty line after the headers before submitting.

> Dave Lerner was good enuf to respond to this this A.M.
but his > instructions /probably/ applied to one who forwards the spam rather > than copy & paste, so it drew a blank for me. Paste it into the webparser, introduce an empty line so there will be an empty line between the last line of the header and the first line of the 'body', then paste in [no body text]. Then parse. > Is this the right group? See my earlier message about this at news://news.spamcop.net/d8ms9u$7o2$1@news.spamcop.net which is From: "Mike Easter" Newsgroups: spamcop Subject: Re: Your basic blank msg... Date: Tue, 14 Jun 2005 08:15:13 -0700 Message-ID: -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Tue Jun 14 21:11:19 2005 From: nobody at devnull.spamcop.net (Glenn Daniels) Date: Tue Jun 14 20:15:02 2005 Subject: [SC-Help] Re: Your basic blank msg...retry... References: Message-ID: "Jeff G." wrote in message news:d8nqev$rfh$1@news.spamcop.net... > SC didn't/won't send this report > http://www.spamcop.net/sc?id=z774772624zb4931e491be41bb0a6008a3eadd2213bz > due to lack of body - "No body provided, check format of submission". > There was no body. > How does one report this? > > Dave Lerner was good enuf to respond to this this A.M. but his > instructions /probably/ applied to one who forwards the spam rather than > copy & paste, so it drew a blank for me. Afterwards, I ran this spam > through a little utility called Abuse which I was using before spamcop. > The LART message created by this uitility contained a warning about > contained virii, one which I've not seen before with this utility - out > of the blue it was injected into the Lart body. > I don't understand where the virus may be in a msg. with no attachments > and no body. I 'speck the absence of the spambody might throw an error flag in the program processing the spam, hence ??? a warning message? I would ignore it. > This is getting curiousier by the minute... > Is this the right group? 
Group .help is apparently of historic interest only as most people apparently use "spamcop" for help. For spam with no body, paste to form, add one blank line after headers. Add another line: [no spam body]. Now headers will process. Some advise adding note to report that there was no spam body, but I have no idea why that matters to anyone... Glenn From anon at coks.net Tue Jun 14 18:15:01 2005 From: anon at coks.net (Jeff G.) Date: Tue Jun 14 20:15:05 2005 Subject: [SC-Help] Re: Your basic blank msg...retry... In-Reply-To: References: Message-ID: On 6/14/2005 5:07 PM Mike Easter scribbled: > Jeff G. wrote: > >>SC didn't/won't send this report >> > > http://www.spamcop.net/sc?id=z774772624zb4931e491be41bb0a6008a3eadd2213bz > >>due to lack of body - "No body provided, check format of submission". >>There was no body. >>How does one report this? > > > You have to add 'no body text' after an empty line after the headers > before submitting. see below... > > >>Dave Lerner was good enuf to respond to this this A.M. but his >>instructions /probably/ applied to one who forwards the spam rather >>than copy & paste, so it drew a blank for me. see below... > > > Paste it into the webparser, introduce an empty line so there will be an > empty line between the last line of the header and the first line of the > 'body', then paste in [no body text]. Then parse. didn't know this was possible... > > >>Is this the right group? > > > See my earlier message about this at > news://news.spamcop.net/d8ms9u$7o2$1@news.spamcop.net > > which is > > From: "Mike Easter" > Newsgroups: spamcop > Subject: Re: Your basic blank msg... > Date: Tue, 14 Jun 2005 08:15:13 -0700 > Message-ID: > Where was this msg. posted - I never saw it? From anon at coks.net Tue Jun 14 18:28:05 2005 From: anon at coks.net (Jeff G.) Date: Tue Jun 14 20:30:03 2005 Subject: [SC-Help] Re: Your basic blank msg...retry... In-Reply-To: References: Message-ID: On 6/14/2005 5:11 PM Glenn Daniels scribbled: > "Jeff G." 
wrote in message > news:d8nqev$rfh$1@news.spamcop.net... > >>SC didn't/won't send this report >>http://www.spamcop.net/sc?id=z774772624zb4931e491be41bb0a6008a3eadd2213bz >>due to lack of body - "No body provided, check format of submission". >>There was no body. >>How does one report this? >> >>Dave Lerner was good enuf to respond to this this A.M. but his >>instructions /probably/ applied to one who forwards the spam rather than >>copy & paste, so it drew a blank for me. Afterwards, I ran this spam >>through a little utility called Abuse which I was using before spamcop. >> The LART message created by this uitility contained a warning about >>contained virii, one which I've not seen before with this utility - out >>of the blue it was injected into the Lart body. >>I don't understand where the virus may be in a msg. with no attachments >>and no body. > > > I 'speck the absence of the spambody might > throw an error flag in the program processing > the spam, hence ??? a warning message? I > would ignore it. > > >>This is getting curiousier by the minute... >>Is this the right group? > > > Group .help is apparently of historic interest > only as most people apparently use "spamcop" > for help. > > For spam with no body, paste to form, add one > blank line after headers. Add another line: > [no spam body]. Now headers will process. > Some advise adding note to report that > there was no spam body, but I have no idea > why that matters to anyone... > > Glenn > > Thaks, Glenn... 1.) I wasn't aware of the separate group named spamcop (thought it was a subject header) and now am - was wondering where everyone was... 2.) As previously posted, wasn't aware one could/would want to edit the parse box. 3.) Thanks for the tip on erroneous Lart by other utility - guess nobody's perfect. 4.) Sorry, Mike, missed your post earlier... 
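Mike Easter's top-down reading of the Received chain in the "Is this for real?" thread above, as an added Python sketch that is not part of any post in this archive. The function names, the choice of cesmail.net and spamcop.net as the recipient's own domains, and the use of a private address to mark internal handling are assumptions made for the illustration.

```python
import email
import ipaddress
import re
from dataclasses import dataclass, field

# "from <helo-name> (<info recorded by receiver>) by <receiving-host>"
RECEIVED_RE = re.compile(
    r"from\s+(?P<from_host>\S+)\s+\((?P<info>[^)]*)\)\s+by\s+(?P<by_host>\S+)",
    re.IGNORECASE,
)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Assumption: hosts under these domains belong to the recipient's provider.
OWN_DOMAINS = ("cesmail.net", "spamcop.net")

# Received lines from the header quoted in the thread; the asterisked
# annotations and the elided "for" clauses are left out.
SAMPLE_HEADERS = """\
Delivered-To: spamcop-net-rwcs@spamcop.net
Received: (qmail 15232 invoked from network); 14 Jun 2005 21:12:03 -0000
Received: from unknown (192.168.1.101)
  by blade5.cesmail.net with QMQP; 14 Jun 2005 21:12:03 -0000
Received: from emclog.emc.com.tw (192.72.220.9)
  by mailgate.cesmail.net with SMTP; 14 Jun 2005 21:12:02 -0000
Received: from emc.emc.com.tw (emc [192.168.10.1])
  by emclog.emc.com.tw (8.12.10/8.12.10) with ESMTP id j5EL7sDT021684;
  Wed, 15 Jun 2005 05:07:54 +0800 (CST)
Received: from spamcop.net ([192.168.33.104])
  by emc.emc.com.tw (8.11.6/8.11.4) with ESMTP id j5EL9Qg14912;
  Wed, 15 Jun 2005 05:09:27 +0800 (CST)
Message-Id: <200506142109.j5EL9Qg14912@emc.emc.com.tw>
"""


@dataclass
class Hop:
    from_host: str
    from_ip: str
    by_host: str
    verdict: str = ""
    reasons: list = field(default_factory=list)


def _norm(host):
    return host.lower().rstrip(".;")


def _in_domains(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def _is_private(ip):
    try:
        return ipaddress.ip_address(ip).is_private
    except ValueError:  # empty or malformed address
        return False


def parse_hops(raw_headers):
    """Return the Received hops in header order (top = most recent)."""
    hops = []
    for value in email.message_from_string(raw_headers).get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if m is None:
            continue  # local hand-off such as "(qmail N invoked from network)"
        ip = IPV4_RE.search(m.group("info"))
        hops.append(Hop(_norm(m.group("from_host")),
                        ip.group(0) if ip else "",
                        _norm(m.group("by_host"))))
    return hops


def trace(raw_headers, own_domains):
    """Walk top-down; trust ends at the first public IP handed to our server."""
    hops = parse_hops(raw_headers)
    source_ip, reliable, upper = None, True, None
    for hop in hops:
        if reliable and _in_domains(hop.by_host, own_domains):
            if _is_private(hop.from_ip):
                hop.verdict = "internal"      # provider's own relaying
            else:
                hop.verdict = "source"        # last line written by a host we trust
                source_ip = hop.from_ip or None
                reliable = False
        else:
            reliable = False
            hop.verdict = "unverifiable"      # written by a host we do not control
            if upper is not None and hop.by_host != upper.from_host:
                hop.reasons.append("chain break: 'by' does not match the 'from' above")
            if _is_private(hop.from_ip):
                hop.reasons.append("unroutable address past the trust boundary")
            if _in_domains(hop.from_host, own_domains):
                hop.reasons.append("claims the recipient's own domain")
        upper = hop
    return source_ip, hops


if __name__ == "__main__":
    ip, hops = trace(SAMPLE_HEADERS, OWN_DOMAINS)
    print("source:", ip)
    for h in hops:
        print(f"{h.verdict:13} from {h.from_host} ({h.from_ip}) by {h.by_host}",
              "; ".join(h.reasons))
```

The verdicts line up with the abbreviated table in that post: one internal line, the source line at 192.72.220.9, and two lines below it that cannot be verified.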
From nttp.sc.sh at bigsleep.org Wed Jun 15 05:54:06 2005 From: nttp.sc.sh at bigsleep.org (Blammo) Date: Wed Jun 15 00:55:02 2005 Subject: [SC-Help] Re: Your basic blank msg...retry... References: Message-ID: On 14 Jun 2005 Jeff G. entered spamcop.help and left news:d8nrrn$sa7$1@news.spamcop.net: >> Paste it into the webparser, introduce an empty line so there will be an >> empty line between the last line of the header and the first line of the >> 'body', then paste in [no body text]. Then parse. > > didn't know this was possible... > In case you didn't know, make sure you copy the message from the source view. In Thunderbird I assume it's still CTRL+U, or View > Message Source. Some have tried View > Full Headers, and copy that, but that won't work because it's a fancy display, not original. -- | Ric | From anon at coks.net Tue Jun 14 23:04:34 2005 From: anon at coks.net (Jeff G.) Date: Wed Jun 15 01:05:03 2005 Subject: [SC-Help] Re: Your basic blank msg...retry... In-Reply-To: References: Message-ID: On 6/14/2005 9:54 PM Blammo scribbled: > On 14 Jun 2005 Jeff G. entered spamcop.help and left > news:d8nrrn$sa7$1@news.spamcop.net: > > >>>Paste it into the webparser, introduce an empty line so there will be an >>>empty line between the last line of the header and the first line of the >>>'body', then paste in [no body text]. Then parse. >> >>didn't know this was possible... >> > > > In case you didn't know, make sure you copy the message from the source > view. In Thunderbird I assume it's still CTRL+U, or View > Message Source. > Some have tried View > Full Headers, and copy that, but that won't work > because it's a fancy display, not original. > Tnx, Blamo, but that isn't the problem. I just didn't know that one could add to the body, altho it would seem that this site could deal with such moronic spam - its been around for at least a year or so... 
From nobody at devnull.spamcop.net Wed Jun 15 01:42:45 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Wed Jun 15 01:45:03 2005
Subject: [SC-Help] Re: Your basic blank msg...retry...
References:
Message-ID:

"Jeff G." wrote in message news:d8ocqj$5lb$1@news.spamcop.net...
>
>
> Tnx, Blamo, but that isn't the problem. I just didn't know that one
> could add to the body, altho it would seem that this site could deal
> with such moronic spam - its been around for at least a year or so...

Seems very odd having to explain things to a long-time user and
Forum Moderator, but will go along that the posting ID is just a
coincidence .... spam constructs have always been an issue. Your
amazement that the parser can't handle such a 'simple' issue is
actually by design. You have to look at things from the other side.

Spammers play games. There is more than one e-mail server
application out there. There is more than one e-mail client
application in use 'out there' ... User knowledge and experience
ranges from ancient guru to 'just bought my first computer an
hour ago" .... Let's pick a nice round number of 100 spam
submittals a second coming in.

Somehow, the parsing engine must decide;

header complete, RFC compliant, actually valid content?
is there a blank line to separate the header and body?
is there a body? if so, plain text, HTML, Base-64, .ZIP file, ..???
are there any attachments? if so, encoding, file type, etc.????
oh wait, is this a user submittal with a dozen spams attached?
maybe now, the parser might pass it on to the look-up tools ..??

Problems in the above? Was it due to ...
spammer construct,
e-mail server configuration issue
e-mail transmission issue
e-mail client issue
user hosed something up in a cut/paste/add as attachment/Forward
lightning strike in Timbuktu tossed some trash on the line somewhere

I'm not even going to go near the actual "let's process
the sucker" part of the marvel ... even the above doesn't
try to touch everything ..
just trying to suggest that if there is any "surprise" it probably ought to be that it works as well as it does ... From anon at coks.net Wed Jun 15 08:46:05 2005 From: anon at coks.net (Jeff G.) Date: Wed Jun 15 10:45:02 2005 Subject: [SC-Help] Re: Your basic blank msg...retry... In-Reply-To: References: Message-ID: On 6/14/2005 10:42 PM WazoO scribbled: > "Jeff G." wrote in message > news:d8ocqj$5lb$1@news.spamcop.net... > >>Tnx, Blamo, but that isn't the problem. I just didn't know that one >>could add to the body, altho it would seem that this site could deal >>with such moronic spam - its been around for at least a year or so... > > > Seems very odd having to explain things to a long-time user and > Forum Moderator, but will go along that the posting ID is just a > coincidence ... id is a coinkydink - I'll try to live up to his good name... From MikeE at ster.invalid Wed Jun 15 08:48:54 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jun 15 10:50:02 2005 Subject: [SC-Help] Re: Help me guys, whats going on? References: Message-ID: Kristoffer Lein wrote: > "Mike Easter" >> The mail admin who is the most responsible for figuring out what is >> going on is the swip admin. Swip needs to be finding out why >> attglobal's MX should be rejecting its mail, namely yours. > > Update - > > I tried to mail directly to the postmaster, but it bounced: > > Failed to deliver to 'postmaster@mailfe08.swip.net' I wouldn't have used that hostname as the mailing domainname, I would've used swip.net postmaster@swip.net mailfe08.swip.net = 212.247.154.225 both ways but it doesn't have an MX like that, ie as that hostname whereas swip.net has the MX mailgw.swip.net Or, said another way, if you try to email something [a hostname/domainname] for which there is not an MX, it doesn't work. If you try to mail something for which there /is/ an MX, then you are trying to get the mx to take a mail for the username. 
> SMTP module(domain mailfe08.swip.net) reports:
> DNS Loop: A-record for mailfe08.swip.net points back to us
>
> Using SpamCop webmail (and a different smtp I guess) I get this
> message:
>
> Failed to deliver to ''
> LOCAL module(account postmaster) reports:
> account is full (quota exceeded)

I don't quite get that; but I still don't like that address.

> I have also mailed customer support, but I don't expect them to
> understand or fix the problem. When mail bounces I can use the SpamCop
> webmail and it solves the problem temporarily.
>
> Could it solve my problem permanently to set-up a local smtp?

A local smtp?

-- 
Mike Easter
kibitzer, not SC admin

From anon at coks.net Wed Jun 15 08:51:28 2005
From: anon at coks.net (Jeff G.)
Date: Wed Jun 15 10:55:02 2005
Subject: [SC-Help] Re: Your basic blank msg...retry...
In-Reply-To:
References:
Message-ID:

On 6/14/2005 10:42 PM WazoO scribbled:
> "Jeff G." wrote in message
> news:d8ocqj$5lb$1@news.spamcop.net...
>
>>Tnx, Blamo, but that isn't the problem. I just didn't know that one
>>could add to the body, altho it would seem that this site could deal
>>with such moronic spam - its been around for at least a year or so...
>
>
> Seems very odd having to explain things to a long-time user and
> Forum Moderator, but will go along that the posting ID is just a
> coincidence .... spam constructs have always been an issue. Your
> amazement that the parser can't handle such a 'simple' issue is
> actually by design. You have to look at things from the other side.
>
> Spammers play games. There is more than one e-mail server
> application out there. There is more than one e-mail client
> application in use 'out there' ... User knowledge and experience
> ranges from ancient guru to 'just bought my first computer an
> hour ago" .... Let's pick a nice round number of 100 spam
> submittals a second coming in.
>
> Somehow, the parsing engine must decide;
>
> header complete, RFC compliant, actually valid content?
> is there a blank line to separate the header and body? > is there a body? if so, plain text, HTML, Base-64, .ZIP file, ..??? > are there any attachments? if so, encoding, file type, etc.???? > oh wait, is this a user submittal with a dozen spams attached? > maybe now, the parser might pass it on to the look-up tools ..?? > > Problems in the above? Was it due to ... > spammer construct, > e-mail server configuration issue > e-mail transmission issue > e-mail client issue > user hosed something up in a cut/paste/add as attachment/Forward > lightening strike in Timbuktu tossed some trash on the line somewhere > > I'm not even going to go near the actual "let's process > the sucker" part of the marvel ... even the above doesn't > try to touch everything .. just trying to suggest that if > there is any "surprise" it probably ought to be that it > works as well as it does ... > > point taken...probably should have put it differently, but no SC bashing intended. Simple was definitely not the word to use. That 1 short piece of spam gave me a bit of trouble... From SCNews.5.myspamgobbler at spamgourmet.com Wed Jun 15 09:46:48 2005 From: SCNews.5.myspamgobbler at spamgourmet.com (Brian (SnSR)) Date: Wed Jun 15 11:50:03 2005 Subject: [SC-Help] Re: Your basic blank msg...retry... In-Reply-To: References: Message-ID: Jeff G. wrote: > On 6/14/2005 10:42 PM WazoO scribbled: > > >>Seems very odd having to explain things to a long-time user and >>Forum Moderator, but will go along that the posting ID is just a >>coincidence ... > > > id is a coinkydink - I'll try to live up to his good name... It would be nice for the rest of us if you would consider changing the ID, if only by adding a letter. From anon at coks.net Wed Jun 15 09:53:30 2005 From: anon at coks.net (J G) Date: Wed Jun 15 11:55:03 2005 Subject: [SC-Help] Re: Your basic blank msg...retry... In-Reply-To: References: Message-ID: On 6/15/2005 8:46 AM Brian (SnSR) scribbled: > Jeff G. 
wrote: > >>On 6/14/2005 10:42 PM WazoO scribbled: >> >> > > >>>Seems very odd having to explain things to a long-time user and >>>Forum Moderator, but will go along that the posting ID is just a >>>coincidence ... >> >> >>id is a coinkydink - I'll try to live up to his good name... > > > It would be nice for the rest of us if you would consider changing the > ID, if only by adding a letter. Done, sorry... From SCNews.5.myspamgobbler at spamgourmet.com Wed Jun 15 10:27:32 2005 From: SCNews.5.myspamgobbler at spamgourmet.com (Brian (SnSR)) Date: Wed Jun 15 12:30:03 2005 Subject: [SC-Help] Re: Your basic blank msg...retry... In-Reply-To: References: Message-ID: J G wrote: > On 6/15/2005 8:46 AM Brian (SnSR) scribbled: > > >>Jeff G. wrote: >> >> >>>On 6/14/2005 10:42 PM WazoO scribbled: >>> >>> >> >> >>>>Seems very odd having to explain things to a long-time user and >>>>Forum Moderator, but will go along that the posting ID is just a >>>>coincidence ... >>> >>> >>>id is a coinkydink - I'll try to live up to his good name... >> >> >>It would be nice for the rest of us if you would consider changing the >>ID, if only by adding a letter. > > Done, sorry... Thanks Jeff. Now we won't be getting you two mixed up. No need to be sorry, it wasn't that big of a deal. From anon at coks.net Wed Jun 15 17:55:20 2005 From: anon at coks.net (J G) Date: Wed Jun 15 19:55:02 2005 Subject: [SC-Help] One more time, please... Message-ID: Know I've asked before, I think, but can't find much in the way of recomendations in the help docs and am lousy in searching the usenet. Which method is preferred - forwarding spam as attachments or copy, paste, send? SC has been dragging pretty badly lately while I'm using copy/paste/report and what with 60-100 spam a day, I ain't got that time - specially if I get some gainful employment, which better be soon. Thanks... 
From nobody at devnull.spamcop.net Wed Jun 15 20:22:01 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Wed Jun 15 20:25:05 2005
Subject: [SC-Help] Re: One more time, please...
References:
Message-ID:

"J G" wrote in message news:d8qf2p$bom$1@news.spamcop.net...
>
> Know I've asked before, I think, but can't find much in the way of
> recommendations in the help docs and am lousy in searching the usenet.

Suggests that you haven't tried looking through the Forum yet. One
current bit of discussion about speed (of both methods) is seen at
http://forum.spamcop.net/forums/index.php?showtopic=3697

> Which method is preferred - forwarding spam as attachments or copy,
> paste, send?

The e-mail submittal was created to stop the whining about having
to sit on the screen all day, waiting for the parsing engine to come
back with results. The concept being .. hit the office, fire up the e-mail, process the spam via e-mail submittal, get about doing the real job .. as time became available during the day, then do the follow-up of actually reviewing and reporting the parser results. (Unfortunately, this method became so fast, that now we see the bitching about results not being provided immediately, most newer folks not realizing that this was designed to be a background process that ran at a lower priority)

> SC has been dragging pretty badly lately while I'm using
> copy/paste/report and what with 60-100 spam a day, I ain't got that time
> - specially if I get some gainful employment, which better be soon.
> Thanks...

And again, the normal suggestion is to report what you can,
delete the rest. Some folks will focus on something like 'the
last dozen" ... the porn stuff" ... whatever suits you on the mix
of stuff that you get to see .. the premise being that someone else
is hopefully reporting the crap you're deleting ...
From MikeE at ster.invalid Wed Jun 15 18:34:56 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jun 15 20:35:02 2005 Subject: [SC-Help] Re: One more time, please... References: Message-ID: J G wrote: > Know I've asked before, I think, but can't find much in the way of > recomendations in the help docs and am lousy in searching the usenet. > > Which method is preferred - forwarding spam as attachments or copy, > paste, send? This is what I sed the other day: From: "Mike Easter" Newsgroups: spamcop.help Subject: Re: spamvertisement reporting & a question... Date: Wed, 8 Jun 2005 18:33:00 -0700 Message-ID: Jeff G. wrote: > Also, given the 2 methods of choice with reporting - copying and > pasting whole msg or forwarding, is there a benefit or preference to > using one or the other? The advantage of copying and pasting into the parser is that you get 'faster' rather quicker/sooner results. The disadvantage is that there is 'deadtime' that you need to manage constructively. If you can develop a 'rhythm' of keypresses to get to the message source and paste it into the webparser, or alternatively use a keypress macro, then 'feeding' the parser is actually very efficient, one spam at a time, per 1.5 second [hypothetical]. Then, you would need a strategy to manage the deadtime, one of which might be to use multiple iterations of parsers -- so your 'macro' of keypresses feeds a sequence of parsers so that the individual parser's results match up with your approval process. That can result in no deadtime and a continuous sequence of feeding one spam at a time into multiple parsers whose results and approvals match up with the speed of the parser processing. The advantage of forwarding 'masses' of spams at a time is that you avoid the above sequence of having to have an efficient series of keypresses for each spamitem and of transitioning between parsers and their report options. 
The disadvantage is that you have to wait for the mailforwarded items to get processed in their own sweet time. The other disadvantage is that you still have to manage the problem of accessing the numerous link/s and and the report approval process however efficient or inefficient that is. Some people who 'move toward' sending masses of spams at a time get frustrated by that links portion of the report confirmation and its slowdown and decide to 'degenerate' [or accelerate] into quick reporting. Quick reporting dramatically changes the amount of time required to report some large number of spams. It has its dangers and its limitations or disadvantages, but it does feed a lot of spamsources into the SCbl without as much 'personal' time expenditure [or oversight], and there isn't much lost these days by not reporting the spamvertisers to their providers. There's always the ever-present danger of reporting your own provider if some kind of changes occur in the headerlines of your spams. -- Mike Easter kibitzer, not SC admin From anon at coks.net Wed Jun 15 19:49:32 2005 From: anon at coks.net (J G) Date: Wed Jun 15 21:50:03 2005 Subject: [SC-Help] Re: One more time, please... In-Reply-To: References: Message-ID: On 6/15/2005 5:34 PM Mike Easter scribbled: > J G wrote: > >>Know I've asked before, I think, but can't find much in the way of >>recomendations in the help docs and am lousy in searching the usenet. >> >>Which method is preferred - forwarding spam as attachments or copy, >>paste, send? > > > This is what I sed the other day: > > From: "Mike Easter" > Newsgroups: spamcop.help > Subject: Re: spamvertisement reporting & a question... > Date: Wed, 8 Jun 2005 18:33:00 -0700 > Message-ID: > > Jeff G. wrote: > >>Also, given the 2 methods of choice with reporting - copying and >>pasting whole msg or forwarding, is there a benefit or preference to >>using one or the other? 
> > > The advantage of copying and pasting into the parser is that you get > 'faster' rather quicker/sooner results. The disadvantage is that there > is 'deadtime' that you need to manage constructively. If you can > develop a 'rhythm' of keypresses to get to the message source and paste > it into the webparser, or alternatively use a keypress macro, then > 'feeding' the parser is actually very efficient, one spam at a time, per > 1.5 second [hypothetical]. > > Then, you would need a strategy to manage the deadtime, one of which > might be to use multiple iterations of parsers -- so your 'macro' of > keypresses feeds a sequence of parsers so that the individual parser's > results match up with your approval process. That can result in no > deadtime and a continuous sequence of feeding one spam at a time into > multiple parsers whose results and approvals match up with the speed of > the parser processing. Please don't take so much of your time on my thickness - I can get along with simple yes and nos where possible and thanks, Mike, that was the post and it opened a can of worms for me here which fogged my memory of last week. Thunderbird isn't really a good usenet client - serves my purpose, but the various settings make it difficult to bring back former posts - lets leave that. I took your idea for the past week - open 3-4 tabs of SC - any more would be no benefit. At 7-9 A.M.Pacific time, I'm getting 2 minute waits per parse, if not total fail, which come out to maybe 1 out of 10 or so. At one point, I thought a particular spam was a cause - I posted a queston on etewatches and got a thud If I were getting 1.5 sec. times, I'd be happy, but it ain't happening. Afraid I'm running a model T-box (only 600 mgz) or maybe my cable provider is bogged down at that point, though no other browser use seems affected. Think pipelining may slow the process down?? I have it set to on - and no firewall ... 
> > The advantage of forwarding 'masses' of spams at a time is that you > avoid the above sequence of having to have an efficient series of > keypresses for each spamitem and of transitioning between parsers and > their report options. > > The disadvantage is that you have to wait for the mailforwarded items to > get processed in their own sweet time. The other disadvantage is that > you still have to manage the problem of accessing the numerous link/s > and and the report approval process however efficient or inefficient > that is. Heres where I got lost - does forwarding a spam, going to work and coming back on cause the "unsubmitted report notice" to pop up next sign on? This isn't explained anywhere I can find. Due to the system dragging, I've chalked this up to a failed send in the prior session, which has occured 3 or 4 times this week. And the forwarding solution /doesn't/ report spamvertisers - hmmm... > > Some people who 'move toward' sending masses of spams at a time get > frustrated by that links portion of the report confirmation and its > slowdown and decide to 'degenerate' [or accelerate] into quick > reporting. Quick reporting dramatically changes the amount of time > required to report some large number of spams. It has its dangers and > its limitations or disadvantages, but it does feed a lot of spamsources > into the SCbl without as much 'personal' time expenditure [or > oversight], and there isn't much lost these days by not reporting the > spamvertisers to their providers. There's always the ever-present > danger of reporting your own provider if some kind of changes occur in > the headerlines of your spams. Yeh, I could get cox bl'd... > > From anon at coks.net Wed Jun 15 19:53:39 2005 From: anon at coks.net (J G) Date: Wed Jun 15 21:55:02 2005 Subject: [SC-Help] Re: One more time, please... In-Reply-To: References: Message-ID: On 6/15/2005 5:22 PM WazoO scribbled: > "J G" wrote in message news:d8qf2p$bom$1@news.spamcop.net... 
> >>Know I've asked before, I think, but can't find much in the way of >>recommendations in the help docs and am lousy in searching the usenet. > > > Suggests that you haven't tried looking through the Forum yet. One > current bit of discussion about speed (of both methods) is seen at > http://forum.spamcop.net/forums/index.php?showtopic=3697 No, haven't had the time for forums what with learning reporting... > > >>Which method is preferred - forwarding spam as attachments or copy, >>paste, send? > > > The e-mail submittal was created to stop the whining about having > to sit on the screen all day, waiting for the parsing engine to come > back with results. sorry to join the whiners... > > >>SC has been dragging pretty badly lately while I'm using >>copy/paste/report and what with 60-100 spam a day, I ain't got that time >>- specially if I get some gainful employment, which better be soon. >>Thanks... > > > And again, the normal suggestion is to report what you can, > delete the rest. Some folks will focus on something like 'the > last dozen" ... the porn stuff" ... whatever suits you on the mix > of stuff that you get to see .. the premise being that someone else > is hopefully reporting the crap you're deleting ... Thanks for that input... From MikeE at ster.invalid Wed Jun 15 21:05:20 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jun 15 23:10:03 2005 Subject: [SC-Help] Re: One more time, please... References: Message-ID: J G wrote: > At 7-9 A.M. Pacific time, I'm getting 2 minute > waits per parse, That's a bad time. If I were being delayed a lot, I wouldn't do it then. >> The disadvantage is that you have to wait for the mailforwarded >> items to get processed in their own sweet time. The other >> disadvantage is that you still have to manage the problem of >> accessing the numerous link/s and the report approval process >> however efficient or inefficient that is.
> > Here's where I got lost - does forwarding a spam, going to work and > coming back on cause the "unsubmitted report notice" to pop up next > sign on? If you forward spams, you come back to links which require time. > This isn't explained anywhere I can find. Due to the system > dragging, I've chalked this up to a failed send in the prior session, > which has occurred 3 or 4 times this week. > And the forwarding solution /doesn't/ report spamvertisers - hmmm... The forwarding can be done as a regular report which does report spamvertisers if they are resolved; or it can be done as quick which doesn't. If you have requested and been approved for quick. -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Thu Jun 16 13:09:40 2005 From: nobody at spamcop.net (hoju) Date: Wed Jun 15 23:10:08 2005 Subject: [SC-Help] How do you send from outlook express Message-ID: I am looking for some assistance every time I forward email to the spamcop for processing it keeps coming Spamcop encountered errors. why is this. From anon at coks.net Wed Jun 15 21:32:21 2005 From: anon at coks.net (J G) Date: Wed Jun 15 23:35:03 2005 Subject: [SC-Help] Re: One more time, please... In-Reply-To: References: Message-ID: On 6/15/2005 8:05 PM Mike Easter scribbled: > J G wrote: > > >>At 7-9 A.M. Pacific time, I'm getting 2 minute >>waits per parse, > > > That's a bad time. If I were being delayed a lot, I wouldn't do it > then. > > >>>The disadvantage is that you have to wait for the mailforwarded >>>items to get processed in their own sweet time. The other >>>disadvantage is that you still have to manage the problem of >>>accessing the numerous link/s and the report approval process >>>however efficient or inefficient that is. >> >>Here's where I got lost - does forwarding a spam, going to work and >>coming back on cause the "unsubmitted report notice" to pop up next >>sign on? > > > If you forward spams, you come back to links which require time.
That must be the line over the input box which says you have unreported spam - see below > > >>This isn't explained anywhere I can find. Due to the system >>dragging, I've chalked this up to a failed send in the prior session, >>which has occurred 3 or 4 times this week. >>And the forwarding solution /doesn't/ report spamvertisers - hmmm... > > > The forwarding can be done as a regular report which does report > spamvertisers if they are resolved; or it can be done as quick which > doesn't. If you have requested and been approved for quick. requested and approved for "quick"? How so? From anon at coks.net Wed Jun 15 21:34:44 2005 From: anon at coks.net (J G) Date: Wed Jun 15 23:35:08 2005 Subject: [SC-Help] Re: How do you send from outlook express In-Reply-To: References: Message-ID: On 6/15/2005 8:09 PM hoju scribbled: > I am looking for some assistance every time I forward email to the spamcop > for processing it keeps coming Spamcop encountered errors. why is this. > > just below the input box, don't you see the link for eudora/outlook workaround? that must have something to do with it - better to switch to Thunderbird, IMHO... From MikeE at ster.invalid Wed Jun 15 21:51:47 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jun 15 23:55:04 2005 Subject: [SC-Help] Re: How do you send from outlook express References: Message-ID: hoju wrote: > I am looking for some assistance every time I forward email to the > spamcop for processing it keeps coming Spamcop encountered errors. > why is this. You are using the word 'forward' which is a very wrong word/term if you are describing how to submit spam from OE to spamcop's parser by mail. SC very specifically emphasizes^1 that you *MUST NOT* /forward/ -- but that you *MUST* forward as attachment. forward != forward as attachment -- where that != abbreviation means /does not equal/ That is, forward does not equal forward as attachment; they are separate and very different items on the menu.
^1 http://www.spamcop.net/fom-serve/cache/166.html -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Wed Jun 15 21:55:46 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jun 16 00:00:02 2005 Subject: [SC-Help] Re: One more time, please... References: Message-ID: J G wrote: > requested and approved for "quick"? How so? Since I am generally anti-quickreporting, I don't help people do it. We also get into these arguments over in alt.locksmithing, where I take the other side of the argument. -- Mike Easter kibitzer, not SC admin From anon at coks.net Wed Jun 15 22:03:16 2005 From: anon at coks.net (J G) Date: Thu Jun 16 00:05:04 2005 Subject: [SC-Help] Re: One more time, please... In-Reply-To: References: Message-ID: On 6/15/2005 8:55 PM Mike Easter scribbled: > J G wrote: > >>requested and approved for "quick"? How so? > > > Since I am generally anti-quickreporting, I don't help people do it. > > We also get into these arguments over in alt.locksmithing, where I take > the other side of the argument. > > more than I needed to know, tnx... From SCNews.5.myspamgobbler at spamgourmet.com Wed Jun 15 23:40:17 2005 From: SCNews.5.myspamgobbler at spamgourmet.com (Brian (SnSR)) Date: Thu Jun 16 01:45:03 2005 Subject: [SC-Help] Re: One more time, please... In-Reply-To: References: Message-ID: J G wrote: > > Please don't take so much of your time on my thickness - I can get along > with simple yes and nos where possible and thanks, Mike, that was the > post and it opened a can of worms for me here which fogged my memory of > last week. Thunderbird isn't really a good usenet client - serves my > purpose, but the various settings make it difficult to bring back former > posts - lets leave that. View/Threads/All will bring back read posts/threads. From Kilgallen at SpamCop.net Thu Jun 16 08:19:35 2005 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Thu Jun 16 08:20:02 2005 Subject: [SC-Help] Re: One more time, please... 
References: Message-ID: In article , J G writes: > > Know I've asked before, I think, but can't find much in the way of > recomendations in the help docs and am lousy in searching the usenet. > > Which method is preferred - forwarding spam as attachments or copy, > paste, send? Favored by whom ? For me, working from a character based interface, sending the spam embedded in the message works just fine. From mcwebber at my-deja.com Thu Jun 16 10:11:23 2005 From: mcwebber at my-deja.com (McWebber) Date: Thu Jun 16 09:15:03 2005 Subject: [SC-Help] Bounce From Postmaster Message-ID: Regarding: Email from 210.110.168.23 / Wed, 15 Jun 2005 21:26:28 -0700 http://www.spamcop.net/w3m?i=z1448198327z086e13793cca8a07f1a2ca4b756c9d3ez Got a bounce message: Transmit Report: science@main.ksf.or.kr¿¡°Ô ¸ÞÀÏ ¹ß¼ÛÀ» 3¹ø ½ÃµµÇßÁö¸¸ ½ÇÆÐÇÏ¿´½À´Ï´Ù. (½ÇÆÐ ÀÌÀ¯ : 900 Socket connect fail(220.95.254.3)) <Âü°í> ½ÇÆÐ ÀÌÀ¯¿¡ ´ëÇÑ ¼³¸í User unknown :¸ÞÀÏÀ» ¼ö½ÅÇÒ »ç¿ëÀÚ°¡ Á¸ÀçÇÏÁö ¾ÊÀ½ Socket connect fail:¼ö½Å ¸ÞÀÏ ¼¹ö¿Í ¿¬°á ½ÇÆÐ DATA write fail :¼ö½Å ¸ÞÀÏ ¼¹ö·Î ¸Þ¼¼Áö ¼Û½Å ½ÇÆÐ DATA reponse fail :¼ö½Å ¸ÞÀÏ ¼¹ö·ÎºÎÅÍ ¸Þ¼¼Áö ¼ö½Å ½ÇÆÐ -- McWebber No email replies read If someone tells you to forward an email to all your friends please forget that I'm your friend. From anon at coks.net Thu Jun 16 08:28:31 2005 From: anon at coks.net (J G) Date: Thu Jun 16 10:30:03 2005 Subject: [SC-Help] Re: One more time, please... In-Reply-To: References: Message-ID: On 6/15/2005 10:40 PM Brian (SnSR) scribbled: > J G wrote: > > >>Please don't take so much of your time on my thickness - I can get along >>with simple yes and nos where possible and thanks, Mike, that was the >>post and it opened a can of worms for me here which fogged my memory of >>last week. Thunderbird isn't really a good usenet client - serves my >>purpose, but the various settings make it difficult to bring back former >>posts - lets leave that. > > > View/Threads/All will bring back read posts/threads. > Thanks, Brian, but it doesn't. 
I've lived with this minor nuisance since early Netscape - I can get around it buy deleting the .rc files if I /really/ need to... From anon at coks.net Thu Jun 16 08:31:39 2005 From: anon at coks.net (J G) Date: Thu Jun 16 10:35:02 2005 Subject: [SC-Help] Re: One more time, please... In-Reply-To: References: Message-ID: On 6/16/2005 5:19 AM Larry Kilgallen scribbled: > In article , J G writes: > >>Know I've asked before, I think, but can't find much in the way of >>recomendations in the help docs and am lousy in searching the usenet. >> >>Which method is preferred - forwarding spam as attachments or copy, >>paste, send? > > > Favored by whom ? > > For me, working from a character based interface, sending the spam > embedded in the message works just fine. Favored by whoever set this whole system up for free is who I was thinking of... From nobody at spamcop.net Thu Jun 16 09:02:16 2005 From: nobody at spamcop.net (N. Miller) Date: Thu Jun 16 11:05:02 2005 Subject: [SC-Help] Re: How do you send from outlook express References: Message-ID: On Thu, 16 Jun 2005 12:09:40 +0900, hoju wrote: > I am looking for some assistance every time I forward email to the spamcop > for processing it keeps coming Spamcop encountered errors. why is this. Right click on the message in the list of messages (you don't need to open the message when using MSOE), which should bring up a menu. From the menu, select, "Forward As Attachment". This will bring up a message compose window with the spam item attached; Mike Easter explains why you need to do that in his reply. -- Norman ~Shine, bright morning light, ~now in the air the spring is coming. ~Sweet, blowing wind, ~singing down the hills and valleys. From nobody at spamcop.net Thu Jun 16 09:03:47 2005 From: nobody at spamcop.net (N. 
Miller) Date: Thu Jun 16 11:05:08 2005 Subject: [SC-Help] Re: How do you send from outlook express References: Message-ID: On Wed, 15 Jun 2005 20:34:44 -0700, J G wrote: > On 6/15/2005 8:09 PM hoju scribbled: > >> I am looking for some assistance every time I forward email to the spamcop >> for processing it keeps coming Spamcop encountered errors. why is this. >> >> > just below the input box, don't you see the link for eudora/outlook > workaround? > that must have something to do with it - better to switch to > Thunderbird, IMHO... MS Outlook Express is not MS Outlook; the two are as different from each other as each is from Eudora. MS Outlook Express can forward email to SpamCop just fine; as long as the forwarder uses the "Forward As Attachment" option. I have done it enough times to know that it does work. -- Norman ~Shine, bright morning light, ~now in the air the spring is coming. ~Sweet, blowing wind, ~singing down the hills and valleys. From nobody at devnull.spamcop.net Thu Jun 16 11:35:24 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Thu Jun 16 11:40:03 2005 Subject: [SC-Help] Re: One more time, please... References: Message-ID: "J G" wrote in message news:d8qm0k$fob$1@news.spamcop.net... > On 6/15/2005 5:22 PM WazoO scribbled: > > > "J G" wrote in message news:d8qf2p$bom$1@news.spamcop.net... > > > >>Know I've asked before, I think, but can't find much in the way of > >>recomendations in the help docs and am lousy in searching the usenet. > > > > Suggests that you haven't ried looking through the Forum yet. One > > current bit of discussion about speed (of both methods) is seen at > > http://forum.spamcop.net/forums/index.php?showtopic=3697 > > No, haven't had the time for forums what with learning reporting... Well, you're the one that said "can't find things" .. "not good at searching" .... 
just pointing out that the majority of the questions you've been asking already have answers in place "over there" From anon at coks.net Thu Jun 16 09:43:28 2005 From: anon at coks.net (J G) Date: Thu Jun 16 11:45:03 2005 Subject: [SC-Help] Re: One more time, please... In-Reply-To: References: Message-ID: On 6/16/2005 8:35 AM WazoO scribbled: > "J G" wrote in message news:d8qm0k$fob$1@news.spamcop.net... > >>On 6/15/2005 5:22 PM WazoO scribbled: >> >> >>>"J G" wrote in message > > news:d8qf2p$bom$1@news.spamcop.net... > >>>>Know I've asked before, I think, but can't find much in the way of >>>>recomendations in the help docs and am lousy in searching the usenet. >>> >>>Suggests that you haven't ried looking through the Forum yet. One >>>current bit of discussion about speed (of both methods) is seen at >>>http://forum.spamcop.net/forums/index.php?showtopic=3697 >> >>No, haven't had the time for forums what with learning reporting... > > > Well, you're the one that said "can't find things" .. "not good > at searching" .... just pointing out that the majority of the > questions you've been asking already have answers in place > "over there" > > No lack of gratitude intended - have it on my psl toolbar as we speak and thanks for the input... From nobody at spamcop.net Thu Jun 16 13:52:54 2005 From: nobody at spamcop.net (Dave Lerner) Date: Thu Jun 16 12:55:04 2005 Subject: [SC-Help] Re: One more time, please... In-Reply-To: References: Message-ID: J G wrote: >Know I've asked before, I think, but can't find much in the way of >recomendations in the help docs and am lousy in searching the usenet. >Which method is preferred - forwarding spam as attachments or copy, >paste, send? Larry Kilgallen wrote: >Favored by whom ? J G wrote: >Favored by whoever set this whole system up for free is who I was >thinking of... I don't recall seeing any request from a Spamcop admin to use one method vs. another. 
I think they're more concerned with accurate reporting, e.g., only reporting email that is really spam, not falsifying the report, and not reporting innocent bystanders. Whichever method you find most convenient should be fine. From news at REMOVECAPSalanharper.com Thu Jun 16 16:58:34 2005 From: news at REMOVECAPSalanharper.com (Alan Harper) Date: Thu Jun 16 19:00:03 2005 Subject: [SC-Help] Am I using a spam-friendly host? Message-ID: <160620051558342325%news@REMOVECAPSalanharper.com> I had the opportunity to set up my mail program after a mail database crash. As part of this, I sent myself a bunch of emails, one of which was identified as "spam" and blocked. However, I can't figure out why it was blocked. I think my mailhosts files are fully configured, but I will check that out later. In any case, this suggests that somewhere between me and me there is a mail host that was in the spamcop black list on Friday. I checked all the hosts today and none are now listed. Is there any way that I can figure out why an email was blocked by spamcop, and whether one of the computers I use to for outgoing mail was in the spamcop list, as least as of last Friday? I have posted the mail in question in spamcop.spam. To understand it, it might help to know that I send mail out using my dsl host, pacbell.net, to myself at @sbcglobal.net, this is forwarded to alan@ which is hosted at opensourcehost.com, and then forwarded to @spamcop.net, from which I pick it up. Thanks Alan From MikeE at ster.invalid Thu Jun 16 18:25:40 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jun 16 20:30:02 2005 Subject: [SC-Help] Re: Am I using a spam-friendly host? References: <160620051558342325%news@REMOVECAPSalanharper.com> Message-ID: Alan Harper wrote: > Is there any way that I can figure out why an email was blocked by > spamcop, and whether one of the computers I use to for outgoing mail > was in the spamcop list, as least as of last Friday? 
207.115.63.31 rDNS yipvmd-ext.prodigy.net was recently SCbl listed but it is off now; senderbase's SCbl db sez it is still listed as of this post, but SC's web sez it isn't, and the SC web is more recent and correct. > I have posted the mail in question in spamcop.spam. To understand it, > it might help to know that I send mail out using my dsl host, > pacbell.net, to myself at @sbcglobal.net, this is > forwarded to alan@ which is hosted at > opensourcehost.com, and then forwarded to > @spamcop.net, from which I pick it up. Actually, it goes pacbell > *prodigy* > yahoo > opensource > SC Here're the headers abbreviated from unknown (192.168.1.103) by blade5.cesmail.net from jag.opensourcehost.com (69.93.35.100) by mailgate2.cesmail.net from [66.163.168.165] (helo=mta819.mail.yahoo.com) by jag.opensourcehost.com from (EHLO yipvmd.prodigy.net) (207.115.63.31) by mta819.mail.yahoo.com from (prgy-npn1.prodigy.com [207.115.54.37]) by yipvmd.prodigy.net from (adsl-67-123-90-147.dsl.snfc21.pacbell.net [67.123.90.147]) by pimout4-ext.prodigy.net The prodigy output server which sends to the yahoo was listed, but isn't now. -- Mike Easter kibitzer, not SC admin From news at REMOVECAPSalanharper.com Thu Jun 16 21:45:05 2005 From: news at REMOVECAPSalanharper.com (Alan Harper) Date: Thu Jun 16 23:50:03 2005 Subject: [SC-Help] Re: Am I using a spam-friendly host? References: <160620051558342325%news@REMOVECAPSalanharper.com> Message-ID: <160620052045058747%news@REMOVECAPSalanharper.com> In article , Mike Easter wrote: > Alan Harper wrote: > > Is there any way that I can figure out why an email was blocked by > > spamcop, and whether one of the computers I use to for outgoing mail > > was in the spamcop list, as least as of last Friday? > > 207.115.63.31 rDNS yipvmd-ext.prodigy.net > > was recently SCbl listed but it is off now; senderbase's SCbl db sez it > is still listed as of this post, but SC's web sez it isn't, and the SC > web is more recent and correct. Thank you. 
I will communicate with SBC and see what they say. (Somehow I suspect their response will be "blow it out your tailpipe"--but at least I will feel better having talked to them!) Alan From pete+usenet at heypete.com Thu Jun 16 21:56:51 2005 From: pete+usenet at heypete.com (Pete Stephenson) Date: Fri Jun 17 00:00:02 2005 Subject: [SC-Help] Re: Am I using a spam-friendly host? References: <160620051558342325%news@REMOVECAPSalanharper.com> <160620052045058747%news@REMOVECAPSalanharper.com> Message-ID: In article <160620052045058747%news@REMOVECAPSalanharper.com>, Alan Harper wrote: > Thank you. I will communicate with SBC and see what they say. (Somehow > I suspect their response will be "blow it out your tailpipe"--but at > least I will feel better having talked to them!) Possibly, but my experience has shown that mentally-retarded monkeys smoking crack are more intelligent than they are. Good luck trying to get ANY consistent response out of them. /Mr. Stephenson? The Mentally Retarded Crack Monkey Anti-Defamation League is on line two... -- Pete Stephenson HeyPete.com From MikeE at ster.invalid Thu Jun 16 22:19:03 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri Jun 17 00:20:03 2005 Subject: [SC-Help] Re: Am I using a spam-friendly host? References: <160620051558342325%news@REMOVECAPSalanharper.com> <160620052045058747%news@REMOVECAPSalanharper.com> Message-ID: Alan Harper wrote: > Mike Easter >> 207.115.63.31 rDNS yipvmd-ext.prodigy.net >> >> was recently SCbl listed but it is off now; > Thank you. I will communicate with SBC and see what they say. It is currently listed again -- point them at the misdirecting bouncing faq. -- it is spending quite a bit of time being listed 207.115.63.31 listed in bl.spamcop.net will be delisted automatically in approximately 13 hours. has sent mail to SpamCop spam traps in the past week In the past 156.2 days, it has been listed 33 times for a total of 36.3 days It appears this listing is caused by misdirected bounces. 
We have a FAQ which covers this topic: Why auto-responses are bad (Misdirected bounces). http://www.spamcop.net/fom-serve/cache/329.html#bounces Please read this FAQ and heed the advice contained in it. -- Mike Easter kibitzer, not SC admin From SCNews.5.myspamgobbler at spamgourmet.com Thu Jun 16 23:25:00 2005 From: SCNews.5.myspamgobbler at spamgourmet.com (Brian (SnSR)) Date: Fri Jun 17 01:30:03 2005 Subject: [SC-Help] Re: One more time, please... In-Reply-To: References: Message-ID: J G wrote: > On 6/15/2005 10:40 PM Brian (SnSR) scribbled: > > >>J G wrote: >> >> >> >>>Please don't take so much of your time on my thickness - I can get along >>>with simple yes and nos where possible and thanks, Mike, that was the >>>post and it opened a can of worms for me here which fogged my memory of >>>last week. Thunderbird isn't really a good usenet client - serves my >>>purpose, but the various settings make it difficult to bring back former >>>posts - lets leave that. >> >> >>View/Threads/All will bring back read posts/threads. >> > > Thanks, Brian, but it doesn't. I've lived with this minor nuisance > since early Netscape - I can get around it by deleting the .rc files if > I /really/ need to... How are you sorting/viewing messages? Maybe it's the View/Messages/Unread instead of all that is causing this. From MikeE at ster.invalid Fri Jun 17 05:47:09 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri Jun 17 07:50:04 2005 Subject: [SC-Help] Re: One more time, please... References: Message-ID: Blammo wrote: > But actually when someone refers to a previous post, they could > supply a link, such as news:d88684$ime$1@news.spamcop.net which will > work. The way OE works about that is that that link above will only work if news.spamcop.net is the default newsreader. Currently I have about 20 different news accounts in my 'stable' of newsservers.
Altho' I'm not likely to be selecting from all of them as my default, for different reasons I 'flip around' the default between about 4 of them. If I want a news link to properly 'hit' the SC news server regardless of default, I have to construct it as news://news.spamcop.net/d88684$ime$1@news.spamcop.net -- or if someone posts it as you did above, I go into my news accounts and change my default newsreader to news.spamcop.net so that the shorter one works. Or, if the SC newsserver is the default, I can also paste the shorter link into the browser addressline -- or if it isn't, I can paste the longer into the addressline. -- Mike Easter kibitzer, not SC admin From mcwebber at my-deja.com Fri Jun 17 15:18:04 2005 From: mcwebber at my-deja.com (McWebber) Date: Fri Jun 17 14:20:02 2005 Subject: [SC-Help] Why Doesn't Spamcop Lart Yahoo? Message-ID: Headers: Return-Path: Received: from web33615.mail.mud.yahoo.com (web33615.mail.mud.yahoo.com [68.142.199.247]) by redacted (8.10.2/8.10.2) with SMTP id j5HHibA12200 for ; Fri, 17 Jun 2005 12:44:37 -0500 Received: (qmail 21250 invoked by uid 60001); 17 Jun 2005 17:45:18 -0000 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:Received:Date:From:Subject:To:MIME-Version:Content-Type:Content -Transfer-Encoding; b=FaLGac5qEgSH983qwmZC277P+nlgogd1GkelnEpOGck1TUl/yRbqfF4f4HxOUjp7OU12R3C0Kx kW5wJ9oVy08HXohqNSf7vU6I9Bfa5zA19J89XlS1FkQ0Ca59cL5So5J36ilkHNF725Ym0ZKfeKDd 9MJ/59yPqqUmKpmJCZE8Q= ; Message-ID: <20050617174518.21248.qmail@web33615.mail.mud.yahoo.com> Received: from [68.80.203.195] by web33615.mail.mud.yahoo.com via HTTP; Fri, 17 Jun 2005 10:45:18 PDT Date: Fri, 17 Jun 2005 10:45:18 -0700 (PDT) From: gene simone Subject: RE: Response to your recent Refinance request To: spamtrap MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="0-1804541703-1119030318=:20259" Content-Transfer-Encoding: 8bit X-UIDL: a)j"!*X+"!G=Y"!mHW"! 
Spamcop only wants to send to abuse@comcast.net instead of both Comcast and Yahoo where the email is coming from. Also, in this case, the identical spam was previously received from a similar address signed by the same person. Return-Path: Received: from web53509.mail.yahoo.com (web53509.mail.yahoo.com [206.190.37.70]) by redacted (8.10.2/8.10.2) with SMTP id j36KA8Y12144 for ; Wed, 6 Apr 2005 15:10:09 -0500 Received: (qmail 1625 invoked by uid 60001); 6 Apr 2005 20:11:46 -0000 Comment: DomainKeys? See http://antispam.yahoo.com/domainkeys DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; b=FEqXL493vJ+okYYYMl1dUphGMRXu+Psd0v88YMdNH/sQG/MCEbRdr8kGTxm3eFK6JOa0f7mLOb TvR/E2aFN3pCY7w29QfGEKmJJt4GGc8c+Q4M70MrxyBF3gAUYy4EL48pvwxiqbj+TJcPFvLMqwbw qBbETkVp9c8ig2YM3Cldo= ; Message-ID: <20050406201146.1623.qmail@web53509.mail.yahoo.com> Received: from [68.80.203.195] by web53509.mail.yahoo.com via HTTP; Wed, 06 Apr 2005 13:11:46 PDT Date: Wed, 6 Apr 2005 13:11:46 -0700 (PDT) From: gene s Subject: RE: Response to your recent Refinance request To: spamtrap MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="0-616926842-1112818306=:99681" X-UIDL: $iP!!(kl!!o,W!!ha`!! -- McWebber No email replies read If someone tells you to forward an email to all your friends please forget that I'm your friend. From nobody at spamcop.net Fri Jun 17 16:36:08 2005 From: nobody at spamcop.net (SJones) Date: Fri Jun 17 15:40:03 2005 Subject: [SC-Help] Re: Why Doesn't Spamcop Lart Yahoo? 
In-Reply-To: References: Message-ID: On or about 6/17/2005 2:18 PM, McWebber penned the following: > Headers: > > Return-Path: > Received: from web33615.mail.mud.yahoo.com (web33615.mail.mud.yahoo.com > [68.142.199.247]) > by redacted (8.10.2/8.10.2) with SMTP id j5HHibA12200 > for ; Fri, 17 Jun 2005 12:44:37 -0500 > Received: (qmail 21250 invoked by uid 60001); 17 Jun 2005 17:45:18 -0000 > DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; > s=s1024; d=yahoo.com; > > h=Message-ID:Received:Date:From:Subject:To:MIME-Version:Content-Type:Content > -Transfer-Encoding; > > b=FaLGac5qEgSH983qwmZC277P+nlgogd1GkelnEpOGck1TUl/yRbqfF4f4HxOUjp7OU12R3C0Kx > kW5wJ9oVy08HXohqNSf7vU6I9Bfa5zA19J89XlS1FkQ0Ca59cL5So5J36ilkHNF725Ym0ZKfeKDd > 9MJ/59yPqqUmKpmJCZE8Q= ; > Message-ID: <20050617174518.21248.qmail@web33615.mail.mud.yahoo.com> > Received: from [68.80.203.195] by web33615.mail.mud.yahoo.com via HTTP; Fri, > 17 Jun 2005 10:45:18 PDT > Date: Fri, 17 Jun 2005 10:45:18 -0700 (PDT) > From: gene simone > Subject: RE: Response to your recent Refinance request > To: spamtrap > MIME-Version: 1.0 > Content-Type: multipart/alternative; > boundary="0-1804541703-1119030318=:20259" > Content-Transfer-Encoding: 8bit > X-UIDL: a)j"!*X+"!G=Y"!mHW"! > > Spamcop only wants to send to abuse@comcast.net instead of both Comcast and > Yahoo where the email is coming from. Also, in this case, the identical spam > was previously received from a similar address signed by the same person. > > Return-Path: > Received: from web53509.mail.yahoo.com (web53509.mail.yahoo.com > [206.190.37.70]) > by redacted (8.10.2/8.10.2) with SMTP id j36KA8Y12144 > for ; Wed, 6 Apr 2005 15:10:09 -0500 > Received: (qmail 1625 invoked by uid 60001); 6 Apr 2005 20:11:46 -0000 > Comment: DomainKeys? 
See http://antispam.yahoo.com/domainkeys > DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; > s=s1024; d=yahoo.com; > > b=FEqXL493vJ+okYYYMl1dUphGMRXu+Psd0v88YMdNH/sQG/MCEbRdr8kGTxm3eFK6JOa0f7mLOb > TvR/E2aFN3pCY7w29QfGEKmJJt4GGc8c+Q4M70MrxyBF3gAUYy4EL48pvwxiqbj+TJcPFvLMqwbw > qBbETkVp9c8ig2YM3Cldo= ; > Message-ID: <20050406201146.1623.qmail@web53509.mail.yahoo.com> > Received: from [68.80.203.195] by web53509.mail.yahoo.com via HTTP; Wed, 06 > Apr 2005 13:11:46 PDT > Date: Wed, 6 Apr 2005 13:11:46 -0700 (PDT) > From: gene s > Subject: RE: Response to your recent Refinance request > To: spamtrap > MIME-Version: 1.0 > Content-Type: multipart/alternative; > boundary="0-616926842-1112818306=:99681" > X-UIDL: $iP!!(kl!!o,W!!ha`!! > > > Since the return address DOES show as a good address, I would assume that Yahoo doesn't accept spamcop reports. 250 sender ok RCPT TO: 250 recipient ok RSET 250 reset ok QUIT 221 mta134.mail.re2.yahoo.com -- All spam & UCE are reported. From anon at coks.net Fri Jun 17 16:12:57 2005 From: anon at coks.net (J G) Date: Fri Jun 17 18:15:03 2005 Subject: [SC-Help] Re: One more time, please... In-Reply-To: References: Message-ID: On 6/16/2005 10:25 PM Brian (SnSR) scribbled: > J G wrote: > >>On 6/15/2005 10:40 PM Brian (SnSR) scribbled: >> >> >> >>>J G wrote: >>> >>> >>> >>> >>>>Please don't take so much of your time on my thickness - I can get along >>>>with simple yes and nos where possible and thanks, Mike, that was the >>>>post and it opened a can of worms for me here which fogged my memory of >>>>last week. Thunderbird isn't really a good usenet client - serves my >>>>purpose, but the various settings make it difficult to bring back former >>>>posts - lets leave that. >>> >>> >>>View/Threads/All will bring back read posts/threads. >>> >> >>Thanks, Brian, but it doesn't. I've lived with this minor nuisance >>since early Netscape - I can get around it by deleting the .rc files if >>I /really/ need to...
> > > How are you sorting/viewing messages? Maybe it's the > View/Messages/Unread instead of all that is causing this. Brian - I have the spamcop /account/ set to d/l only unread (under offline&diskspace). So the view setting makes no diff - that just dawned on me. Problem is there are 3 or 4 places to set parameters and they're all intertwined. As I think I stated earlier, I've learned long ago to live with this since up to now, I've had no real need to search old posts -sounds like I may have to learn. Thanks for the input... From anon at coks.net Fri Jun 17 16:18:06 2005 From: anon at coks.net (J G) Date: Fri Jun 17 18:20:02 2005 Subject: [SC-Help] Re: Why Doesn't Spamcop Lart Yahoo? In-Reply-To: References: Message-ID: On 6/17/2005 12:36 PM SJones scribbled: > On or about 6/17/2005 2:18 PM, McWebber penned the following: > >>Headers: >> >>Return-Path: >>Received: from web33615.mail.mud.yahoo.com (web33615.mail.mud.yahoo.com >>[68.142.199.247]) >> by redacted (8.10.2/8.10.2) with SMTP id j5HHibA12200 >> for ; Fri, 17 Jun 2005 12:44:37 -0500 >>Received: (qmail 21250 invoked by uid 60001); 17 Jun 2005 17:45:18 -0000 >>DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; >> s=s1024; d=yahoo.com; >> >>h=Message-ID:Received:Date:From:Subject:To:MIME-Version:Content-Type:Content >>-Transfer-Encoding; >> >>b=FaLGac5qEgSH983qwmZC277P+nlgogd1GkelnEpOGck1TUl/yRbqfF4f4HxOUjp7OU12R3C0Kx >>kW5wJ9oVy08HXohqNSf7vU6I9Bfa5zA19J89XlS1FkQ0Ca59cL5So5J36ilkHNF725Ym0ZKfeKDd >>9MJ/59yPqqUmKpmJCZE8Q= ; >>Message-ID: <20050617174518.21248.qmail@web33615.mail.mud.yahoo.com> >>Received: from [68.80.203.195] by web33615.mail.mud.yahoo.com via HTTP; Fri, >>17 Jun 2005 10:45:18 PDT >>Date: Fri, 17 Jun 2005 10:45:18 -0700 (PDT) >>From: gene simone >>Subject: RE: Response to your recent Refinance request >>To: spamtrap >>MIME-Version: 1.0 >>Content-Type: multipart/alternative; >>boundary="0-1804541703-1119030318=:20259" >>Content-Transfer-Encoding: 8bit >>X-UIDL: a)j"!*X+"!G=Y"!mHW"! 
>> >>Spamcop only wants to send to abuse@comcast.net instead of both Comcast and >>Yahoo where the email is coming from. Also, in this case, the identical spam >>was previously received from a similar address signed by the same person. >> >>Return-Path: >>Received: from web53509.mail.yahoo.com (web53509.mail.yahoo.com >>[206.190.37.70]) >> by redacted (8.10.2/8.10.2) with SMTP id j36KA8Y12144 >> for ; Wed, 6 Apr 2005 15:10:09 -0500 >>Received: (qmail 1625 invoked by uid 60001); 6 Apr 2005 20:11:46 -0000 >>Comment: DomainKeys? See http://antispam.yahoo.com/domainkeys >>DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; >> s=s1024; d=yahoo.com; >> >>b=FEqXL493vJ+okYYYMl1dUphGMRXu+Psd0v88YMdNH/sQG/MCEbRdr8kGTxm3eFK6JOa0f7mLOb >>TvR/E2aFN3pCY7w29QfGEKmJJt4GGc8c+Q4M70MrxyBF3gAUYy4EL48pvwxiqbj+TJcPFvLMqwbw >>qBbETkVp9c8ig2YM3Cldo= ; >>Message-ID: <20050406201146.1623.qmail@web53509.mail.yahoo.com> >>Received: from [68.80.203.195] by web53509.mail.yahoo.com via HTTP; Wed, 06 >>Apr 2005 13:11:46 PDT >>Date: Wed, 6 Apr 2005 13:11:46 -0700 (PDT) >>From: gene s >>Subject: RE: Response to your recent Refinance request >>To: spamtrap >>MIME-Version: 1.0 >>Content-Type: multipart/alternative; >>boundary="0-616926842-1112818306=:99681" >>X-UIDL: $iP!!(kl!!o,W!!ha`!! >> >> >> > > Since the return address DOES show as a good address, I would assume > that Yahoo doesn't accept spamcop reports. > > 250 sender ok > RCPT TO: > 250 recipient ok > RSET > 250 reset ok > QUIT > 221 mta134.mail.re2.yahoo.com > Yahoo only accepts reports on bad addresses? Could that be explained? From nttp.sc.sh at bigsleep.org Sat Jun 18 00:55:29 2005 From: nttp.sc.sh at bigsleep.org (Blammo) Date: Fri Jun 17 20:00:02 2005 Subject: [SC-Help] Re: One more time, please... 
References: Message-ID: On 17 Jun 2005 J G entered spamcop.help and left news:d8vhqq$pc1$1@news.spamcop.net: > As I think I stated earlier, I've learned long > ago to live with this since up to now, I've had no real need to search > old posts -sounds like I may have to learn. Xnews works pretty good for that. http://xnews.newsguy.com/ That depends on how much you want to learn, since Xnews has way more options than you'll want to use. But once I started using it I could never go back to Netscape/Mozilla or Agent. Xnews supports XPAT search, so if you know part of the subject or sender or messageID you can search and not have to download all the headers or articles. Also I like the "ding" whenever someone replies to my posts. -- | Ric | From anon at coks.net Fri Jun 17 18:22:27 2005 From: anon at coks.net (J G) Date: Fri Jun 17 20:25:03 2005 Subject: [SC-Help] Re: One more time, please... In-Reply-To: References: Message-ID: On 6/17/2005 4:55 PM Blammo scribbled: > On 17 Jun 2005 J G entered spamcop.help and left > news:d8vhqq$pc1$1@news.spamcop.net: > > >>As I think I stated earlier, I've learned long >>ago to live with this since up to now, I've had no real need to search >>old posts -sounds like I may have to learn. > > > Xnews works pretty good for that. http://xnews.newsguy.com/ > That depends on how much you want to learn, since Xnews has way more > options than you'll want to use. But once I started using it I could never > go back to Netscape/Mozilla or Agent. > Xnews supports XPAT search, so if you know part of the subject or sender or > messageID you can search and not have to download all the headers or > articles. > Also I like the "ding" whenever someone replies to my posts. > Thanks, I've seen it around for a while here and there - I'll look into it when I get a minute... 
From SCNews.5.myspamgobbler at spamgourmet.com Fri Jun 17 22:08:33 2005 From: SCNews.5.myspamgobbler at spamgourmet.com (Brian (SnSR)) Date: Sat Jun 18 00:15:03 2005 Subject: [SC-Help] Re: Why Doesn't Spamcop Lart Yahoo? In-Reply-To: References: Message-ID: SJones wrote: > On or about 6/17/2005 2:18 PM, McWebber penned the following: > >>Headers: >> >>Return-Path: >>Received: from web33615.mail.mud.yahoo.com (web33615.mail.mud.yahoo.com >>[68.142.199.247]) >> by redacted (8.10.2/8.10.2) with SMTP id j5HHibA12200 >> for ; Fri, 17 Jun 2005 12:44:37 -0500 >>Received: (qmail 21250 invoked by uid 60001); 17 Jun 2005 17:45:18 -0000 >>DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; >> s=s1024; d=yahoo.com; >> >>h=Message-ID:Received:Date:From:Subject:To:MIME-Version:Content-Type:Content >>-Transfer-Encoding; >> >>b=FaLGac5qEgSH983qwmZC277P+nlgogd1GkelnEpOGck1TUl/yRbqfF4f4HxOUjp7OU12R3C0Kx >>kW5wJ9oVy08HXohqNSf7vU6I9Bfa5zA19J89XlS1FkQ0Ca59cL5So5J36ilkHNF725Ym0ZKfeKDd >>9MJ/59yPqqUmKpmJCZE8Q= ; >>Message-ID: <20050617174518.21248.qmail@web33615.mail.mud.yahoo.com> >>Received: from [68.80.203.195] by web33615.mail.mud.yahoo.com via HTTP; Fri, >>17 Jun 2005 10:45:18 PDT >>Date: Fri, 17 Jun 2005 10:45:18 -0700 (PDT) >>From: gene simone >>Subject: RE: Response to your recent Refinance request >>To: spamtrap >>MIME-Version: 1.0 >>Content-Type: multipart/alternative; >>boundary="0-1804541703-1119030318=:20259" >>Content-Transfer-Encoding: 8bit >>X-UIDL: a)j"!*X+"!G=Y"!mHW"! >> >>Spamcop only wants to send to abuse@comcast.net instead of both Comcast and >>Yahoo where the email is coming from. Also, in this case, the identical spam >>was previously received from a similar address signed by the same person. 
>>
>>Return-Path:
>>Received: from web53509.mail.yahoo.com (web53509.mail.yahoo.com
>>[206.190.37.70])
>> by redacted (8.10.2/8.10.2) with SMTP id j36KA8Y12144
>> for ; Wed, 6 Apr 2005 15:10:09 -0500
>>Received: (qmail 1625 invoked by uid 60001); 6 Apr 2005 20:11:46 -0000
>>Comment: DomainKeys? See http://antispam.yahoo.com/domainkeys
>>DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
>> s=s1024; d=yahoo.com;
>>
>>b=FEqXL493vJ+okYYYMl1dUphGMRXu+Psd0v88YMdNH/sQG/MCEbRdr8kGTxm3eFK6JOa0f7mLOb
>>TvR/E2aFN3pCY7w29QfGEKmJJt4GGc8c+Q4M70MrxyBF3gAUYy4EL48pvwxiqbj+TJcPFvLMqwbw
>>qBbETkVp9c8ig2YM3Cldo= ;
>>Message-ID: <20050406201146.1623.qmail@web53509.mail.yahoo.com>
>>Received: from [68.80.203.195] by web53509.mail.yahoo.com via HTTP; Wed, 06
>>Apr 2005 13:11:46 PDT
>>Date: Wed, 6 Apr 2005 13:11:46 -0700 (PDT)
>>From: gene s
>>Subject: RE: Response to your recent Refinance request
>>To: spamtrap
>>MIME-Version: 1.0
>>Content-Type: multipart/alternative;
>>boundary="0-616926842-1112818306=:99681"
>>X-UIDL: $iP!!(kl!!o,W!!ha`!!
>>
>>
>>
>
> Since the return address DOES show as a good address, I would assume
> that Yahoo doesn't accept spamcop reports.
>
> 250 sender ok
> RCPT TO:
> 250 recipient ok
> RSET
> 250 reset ok
> QUIT
> 221 mta134.mail.re2.yahoo.com
>

Yahoo always returns a 250 response no matter what.

There are two methods that I use to validate a Yahoo email account, other than sending an email. One is to try to sign up using that id (ffmmortgageco2) at
http://edit.yahoo.com/config/eval_register?.v=&.intl=&new=1&.done=http%3a//mail.yahoo.com&.src=ym&.partner=&.p=&promo=&.last=

If that id is available, you know that the email address is not valid. If the id is used, it may or may not be valid.

I then check to see if there is a profile for this account at http://profiles.yahoo.com/ffmmortgageco2

If it returns something like this profile can not be found (it's been awhile so I don't recall the wording) it means that the account has been deleted.
If it shows a profile, with information or not, it means that the account is valid. From SCNews.5.myspamgobbler at spamgourmet.com Fri Jun 17 22:28:58 2005 From: SCNews.5.myspamgobbler at spamgourmet.com (Brian (SnSR)) Date: Sat Jun 18 00:35:03 2005 Subject: [SC-Help] Re: Why Doesn't Spamcop Lart Yahoo? In-Reply-To: References: Message-ID: SJones wrote: > On or about 6/17/2005 2:18 PM, McWebber penned the following: > >>Headers: >> >>Return-Path: >>Received: from web33615.mail.mud.yahoo.com (web33615.mail.mud.yahoo.com >>[68.142.199.247]) >> by redacted (8.10.2/8.10.2) with SMTP id j5HHibA12200 >> for ; Fri, 17 Jun 2005 12:44:37 -0500 >>Received: (qmail 21250 invoked by uid 60001); 17 Jun 2005 17:45:18 -0000 >>DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; >> s=s1024; d=yahoo.com; >> >>h=Message-ID:Received:Date:From:Subject:To:MIME-Version:Content-Type:Content >>-Transfer-Encoding; >> >>b=FaLGac5qEgSH983qwmZC277P+nlgogd1GkelnEpOGck1TUl/yRbqfF4f4HxOUjp7OU12R3C0Kx >>kW5wJ9oVy08HXohqNSf7vU6I9Bfa5zA19J89XlS1FkQ0Ca59cL5So5J36ilkHNF725Ym0ZKfeKDd >>9MJ/59yPqqUmKpmJCZE8Q= ; >>Message-ID: <20050617174518.21248.qmail@web33615.mail.mud.yahoo.com> >>Received: from [68.80.203.195] by web33615.mail.mud.yahoo.com via HTTP; Fri, >>17 Jun 2005 10:45:18 PDT >>Date: Fri, 17 Jun 2005 10:45:18 -0700 (PDT) >>From: gene simone >>Subject: RE: Response to your recent Refinance request >>To: spamtrap >>MIME-Version: 1.0 >>Content-Type: multipart/alternative; >>boundary="0-1804541703-1119030318=:20259" >>Content-Transfer-Encoding: 8bit >>X-UIDL: a)j"!*X+"!G=Y"!mHW"! >> >>Spamcop only wants to send to abuse@comcast.net instead of both Comcast and >>Yahoo where the email is coming from. Also, in this case, the identical spam >>was previously received from a similar address signed by the same person. 
>> >>Return-Path: >>Received: from web53509.mail.yahoo.com (web53509.mail.yahoo.com >>[206.190.37.70]) >> by redacted (8.10.2/8.10.2) with SMTP id j36KA8Y12144 >> for ; Wed, 6 Apr 2005 15:10:09 -0500 >>Received: (qmail 1625 invoked by uid 60001); 6 Apr 2005 20:11:46 -0000 >>Comment: DomainKeys? See http://antispam.yahoo.com/domainkeys >>DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; >> s=s1024; d=yahoo.com; >> >>b=FEqXL493vJ+okYYYMl1dUphGMRXu+Psd0v88YMdNH/sQG/MCEbRdr8kGTxm3eFK6JOa0f7mLOb >>TvR/E2aFN3pCY7w29QfGEKmJJt4GGc8c+Q4M70MrxyBF3gAUYy4EL48pvwxiqbj+TJcPFvLMqwbw >>qBbETkVp9c8ig2YM3Cldo= ; >>Message-ID: <20050406201146.1623.qmail@web53509.mail.yahoo.com> >>Received: from [68.80.203.195] by web53509.mail.yahoo.com via HTTP; Wed, 06 >>Apr 2005 13:11:46 PDT >>Date: Wed, 6 Apr 2005 13:11:46 -0700 (PDT) >>From: gene s >>Subject: RE: Response to your recent Refinance request >>To: spamtrap >>MIME-Version: 1.0 >>Content-Type: multipart/alternative; >>boundary="0-616926842-1112818306=:99681" >>X-UIDL: $iP!!(kl!!o,W!!ha`!! >> >> >> > > Since the return address DOES show as a good address, I would assume > that Yahoo doesn't accept spamcop reports. > > 250 sender ok > RCPT TO: > 250 recipient ok > RSET > 250 reset ok > QUIT > 221 mta134.mail.re2.yahoo.com > The reason that SpamCop wants to lart Comcast is because the message source is 68.80.203.195 which is pcp08428970pcs.benslm01.pa.comcast.net. From news at REMOVECAPSalanharper.com Sat Jun 18 08:43:59 2005 From: news at REMOVECAPSalanharper.com (Alan Harper) Date: Sat Jun 18 10:45:03 2005 Subject: [SC-Help] Re: Am I using a spam-friendly host? References: <160620051558342325%news@REMOVECAPSalanharper.com> <160620052045058747%news@REMOVECAPSalanharper.com> Message-ID: <180620050743595657%news@REMOVECAPSalanharper.com> In article , Mike Easter wrote: > >> 207.115.63.31 rDNS yipvmd-ext.prodigy.net > >> > >> was recently SCbl listed but it is off now; > > > Thank you. I will communicate with SBC and see what they say. 
> > It is currently listed again -- point them at the misdirecting bouncing > faq. -- it is spending quite a bit of time being listed My communications with SBC, just for the general entertainment of the group (my inquiry sent 6/16, their response sent 6/19 (at 3:30AM, local time!) > Dear Alan, > > Thank you for contacting SBC Yahoo! E-mail Support. > > I apologize for the issue you have been experiencing and for the delay > in response. > > This issue can be best resolved working together over the telephone > because it requires multiple troubleshooting steps. Therefore, please > contact our voice support at 1-877-SBC-DSL5. As they have the tools > and expertise to assist you in this regard. I thank you for your > patience and understanding regarding this. > > Thank you for using SBC Internet Services. > > Sincerely, > > Marc > SBC DSL Tech Support Specialist > > > ======================================== > > You wrote: > Description: I recently found that mail that I sent to >@spamcop.net was marked as spam by my filter at spamcop.net. > It seems that > 207.115.63.31 rDNS yipvmd-ext.prodigy.net > was reported as a source of spam as of Fri 10 June, and was in the > spamcop.net blacklist for some days. > > Having one of your servers marked as a source of spam can mean that I > am unable to communicate with people who (or whose service providers) > choose to filter spam based on the spamcop blacklist. I use the spamcop > blacklist and have found it to reliably remove spam and mail from known > spam sources > > I cannot afford to have my emails marked as spam because > sbcglobal/yahoo allows other users to send spam through > sbcglobal/yahoo/prodigy servers. I choose to have my email hosted by > sbc because I expect you to deal with spam being sent through your > servers before it becomes severe enough to have your servers listed on > blacklists. 
> > Could you please tell me why the server in question was included in the > spamcop black list, and what efforts you are making to keep this from > happening again. > > Thank you > > Alan > > PS, No I don't use "Netscape 4.x" as my web browser--but your form > requires that I lie to you in order to get this message to you.:: > From mcwebber at my-deja.com Sat Jun 18 15:33:21 2005 From: mcwebber at my-deja.com (McWebber) Date: Sat Jun 18 14:35:02 2005 Subject: [SC-Help] Re: Why Doesn't Spamcop Lart Yahoo? References: Message-ID: "Brian (SnSR)" wrote in message news:d906r2$3v4$1@news.spamcop.net... > > Yahoo always returns a 250 response no matter what. No. I've seen it say 550 on a suspended or forged account. > > Their are two methods that I use to validate a Yahoo email account, > other than sending an email. One if to try to sign up using that id > (ffmmortgageco2) at > http://edit.yahoo.com/config/eval_register?.v=&.intl=&new=1&.done=http%3a//mail.yahoo.com&.src=ym&.partner=&.p=&promo=&.last= > > If that id is available, you know that the email address is not valid. Since in both cases the email address was the only form of contact, I would say they were good addresses. http://profiles.yahoo.com/ffmmortgage appears to have been deleted after my previous complaint. -- McWebber "Richter points to the lack of legal action against his company as proof that he's operating appropriately." Information Week, November 10, 2003 From mcwebber at my-deja.com Sat Jun 18 15:34:56 2005 From: mcwebber at my-deja.com (McWebber) Date: Sat Jun 18 14:40:03 2005 Subject: [SC-Help] Re: Why Doesn't Spamcop Lart Yahoo? References: Message-ID: "Brian (SnSR)" wrote in message news:d9081a$4gh$1@news.spamcop.net... > > The reason that SpamCop wants to lart Comcast is because the message > source is 68.80.203.195 which is pcp08428970pcs.benslm01.pa.comcast.net. The @yahoo.com address being a valid address and the only way to reply to the mortgage spam is why Yahoo needs a lart as well. 
The email came from Yahoo, although it may have been sent by a Comcast user. Yahoo should be larted, which I did manually. -- McWebber "Richter points to the lack of legal action against his company as proof that he's operating appropriately." Information Week, November 10, 2003 From mcwebber at my-deja.com Sun Jun 19 12:19:04 2005 From: mcwebber at my-deja.com (McWebber) Date: Sun Jun 19 11:20:03 2005 Subject: [SC-Help] Re: Why Doesn't Spamcop Lart Yahoo? References: Message-ID: "McWebber" wrote in message news:d91pfj$se7$1@news.spamcop.net... > "Brian (SnSR)" wrote in message > news:d906r2$3v4$1@news.spamcop.net... > > > > Yahoo always returns a 250 response no matter what. > > No. I've seen it say 550 on a suspended or forged account. > Sorry to fup to my own post, but it looks like Yahoo has changed the way their server responds. They used to send a 550 as I archived at: http://groups.google.ro/groups?q=g:thl1313900658d&dq=&hl=en&lr=&selm=s9769.168029%24yc3.7229907%40bin4.nnrp.aus1.giganews.com -- McWebber "Richter points to the lack of legal action against his company as proof that he's operating appropriately." Information Week, November 10, 2003 From dominik at usenet.rangers.eu.org Sun Jun 19 20:04:01 2005 From: dominik at usenet.rangers.eu.org (Dominik 'Rathann' Mierzejewski) Date: Sun Jun 19 15:15:02 2005 Subject: [SC-Help] SpamCop's WHOIS lookups fail Message-ID: Hello, folks. I'm seeing problems with SpamCop's WHOIS lookups. 
For example this: http://www.spamcop.net/sc?id=z776519289z0169b8d66529345b3f15c7acce09edd2z says: Tracking link: http://breastwork.frotvar.info/pr/coverage.htm No recent reports, no history available Resolves to 210.22.50.92 "whois 210.22.50.92@whois.apnic.net" (Getting contact from whois.apnic.net mirror) Display data: Lookup tc254-ap@whois.apnic.net "whois tc254-ap@whois.apnic.net" (Getting contact from whois.apnic.net mirror) Display data: tc254-ap = whois.apnic.net 210.22.50.92 (nothing found) host 210.22.50.92 (getting name) no name No reporting addresses found for 210.22.50.92, using devnull for tracking. While a lookup from my PC says: [whois.apnic.net] % [whois.apnic.net node-1] % Whois data copyright terms http://www.apnic.net/db/dbcopyright.html inetnum: 210.22.50.0 - 210.22.50.127 netname: shilong-trade-ltd country: cn descr: xian city,shanxi province admin-c: TC254-AP tech-c: TC254-AP status: ASSIGNED NON-PORTABLE changed: moujh@china-netcom.com 20021106 mnt-by: MAINT-CN-ZM28 source: APNIC person: TECH GROUP CNC address: 9/F, Building A, Corporate Square, No. 35 Financial Street, address: Xicheng District, Beijing 100032, P.R.China country: CN phone: +86-10-88093588 fax-no: +86-10-88091442 e-mail: tech-group@china-netcom.com nic-hdl: TC254-AP mnt-by: MAINT-CN-ZM28 changed: zhaomq@china-netcom.com 20010917 source: APNIC Any clues as to what's broken on SC's side? Regards, R. -- RangersBL: http://dnsbl.rangers.eu.org/ "I've always wanted to be an executioner, that's why I became a sysadmin." -- Jim Howes at news.admin.net-abuse.email From ahab at hiwaay.net Tue Jun 21 12:31:10 2005 From: ahab at hiwaay.net (Hoyt Weathers) Date: Tue Jun 21 12:35:03 2005 Subject: [SC-Help] A newbie question Message-ID: For submission of Spam to SC, I send a msg to submit.K8gPGx9JE2qJ7NSV@spam.spamcop.net. It contains the full headers and body of msg AFAIK. I keep receiving msgs from SC that there were no headers and could not proceed. What am I doing wrong if anything? 
Regards,
Hoyt Weathers

From nobody at devnull.spamcop.net Tue Jun 21 12:51:53 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Tue Jun 21 12:55:03 2005
Subject: [SC-Help] Re: A newbie question
References:
Message-ID:

"Hoyt Weathers" wrote in message news:d99fci$154$1@news.spamcop.net...
> For submission of Spam to SC, I send a msg to
>
> submit.K8gPGx9JE2qJ7NSV@spam.spamcop.net.
>
> It contains the full headers and body of msg AFAIK. I keep receiving
> msgs from SC that there were no headers and could not proceed.
>
> What am I doing wrong if anything?

First of all, you've exposed "your" 'secret' reporting address to the world. Not knowing what type of account you've got set up, not sure which address you're going to need to terminate that account and set up a new one ....

You seem to be suggesting that you are attempting to do an e-mail type submittal, and the errors in getting this accomplished are legion.

First stop is the FAQ via the "help button" on your logged-in page at www.spamcop.net

Folks that seem to have a hard time navigating that FAQ seem to find the single-page access point to the much-expanded Forum FAQ easier ... http://forum.spamcop.net/forums/

At issue, things like the e-mail application you're using, the procedures used in getting the spam into something that gets sent to the SpamCop parser, and the spam itself. You've offered none of that data, so the FAQ links are to the top of those lists.

From MikeE at ster.invalid Tue Jun 21 11:03:50 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Jun 21 13:05:03 2005
Subject: [SC-Help] Re: A newbie question
References:
Message-ID:

I agree with what WazoO was saying, just adding some in my style.

Hoyt Weathers wrote:
> For submission of Spam to SC, I send a msg to
>
> submit.K8gPGx9JE2qJ7NSV@spam.spamcop.net.

I think it is better to troubleshoot problems by submitting to the webparser first and getting that working.
You are Mac X; if you start at the first faq page for parsing and reporting, you follow this trail:

http://www.spamcop.net/fom-serve/cache/19.html How do I get my email program to reveal the full, unmodified email?
http://www.spamcop.net/fom-serve/cache/282.html Mac OS X - To get the full message source:

and that page also has words to indicate that submitting by email requires a 3rd party addon 'To use the SpamCop's email submission system with Mac OS X, a plugin is available from subsume.com (SpamCop Mac OS X Mail Bundle)'

So, you are probably getting ahead of yourself with the submit address, which you need to change now that you have exposed it

To get a new authorization if you are free, go here http://www.spamcop.net/anonsignup.shtml where you first registered and re-register 'This is a free SpamCop account. You may re-run this free authorization whenever you need to. If you do, any previous authorization information associated with your email address will be deleted. '

> It contains the full headers and body of msg AFAIK. I keep receiving
> msgs from SC that there were no headers and could not proceed.

I don't think you are doing it correctly for a Mac X.

> What am I doing wrong if anything?

Get a new authorization, and use the webparser first using the above links.

--
Mike Easter
kibitzer, not SC admin

From ahab at hiwaay.net Tue Jun 21 14:16:35 2005
From: ahab at hiwaay.net (Hoyt Weathers)
Date: Tue Jun 21 14:20:03 2005
Subject: [SC-Help] Re: A newbie question
In-Reply-To:
References:
Message-ID:

< snipped >

First, I apologize for screwing up posting that address. As my initial Subject indicated I am a newbie. I was just trying to be honest.

I have applied for a new SC reporting only account. I received a reply from SC with a new PW. So far, SC does not recognize me. I have not yet received a new SC reporting address. Until I get a new reporting address I am out of luck as far as reporting anything to SC.
How long does it take SC to recognize my new log in info? I do wish to work cooperatively with those here. I have tried what has been suggested above and to no avail so far. Often times, it just seems easier for me to delete the Spam and forget it and not even try to report it to SC. Since switching my Mac's operating system to 10.4.1, I have had no problems except with SC. Yes, SC has set numerous cookies. Hoyt Weathers From MikeE at ster.invalid Tue Jun 21 12:30:49 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jun 21 14:35:03 2005 Subject: [SC-Help] Re: A newbie question References: Message-ID: Hoyt Weathers wrote: > First, I apologize for screwing up posting that address. As my initial > Subject indicated I am a newbie. It's not the first time it has happened :-) > I have applied for a new SC reporting only account. I received a reply > from SC with a new PW. So far, SC does not recognize me. I have not > yet received a new SC reporting address. Until I get a new reporting > address I am out of luck as far as reporting anything to SC. You should take your new pw to http://www.spamcop.net/ and use the mailaddy and the pw to login. > How long does it take SC to recognize my new log in info? When you log in at the page above, the same link above will look different, it will have a webparser. That page with the webparser will also have a submit address; but I'm recommending that you not use it at this time. > I do wish to work cooperatively with those here. I have tried what has > been suggested above and to no avail so far. We're headed toward doing some webparsing and reporting first. Email submitting has some bumps that we can deal with later. > Often times, it just seems easier for me to delete the Spam and forget > it and not even try to report it to SC. Since switching my Mac's > operating system to 10.4.1, I have had no problems except with SC. 
IMO, everyone's first job is to manage their Inbox in a comfortable fashion so that spam isn't a nuisance, and spam reporting isn't necessary to do that. Spam reporting contributes to antispam efforts, but clearly it is a voluntary activity that has to fit into your 'scheme of things'. -- Mike Easter kibitzer, not SC admin From news at REMOVECAPSalanharper.com Tue Jun 21 17:19:25 2005 From: news at REMOVECAPSalanharper.com (Alan Harper) Date: Tue Jun 21 19:20:04 2005 Subject: [SC-Help] Understanding dsbl? Message-ID: <210620051619252635%news@REMOVECAPSalanharper.com> One of the computers that a colleague uses has an IP in dsbl.org. The IP is 200.79.150.31, and it has been in dsbl for presumably over 1 year. http://dsbl.org/listing?200.79.150.31 I assume that this is a dynamically allocated IP, and that it is in the list because another computer at that IP was a source of spam. I note that (a) only the postmaster responsible for this IP can initiate removal of the IP. Telnor is a monopoly, their service is (much) worse than US ISPs (hard to imagine) and I doubt that they will initiate removal of an IP, but I could try. I note also that senderbase doesn't seem to pick up the listing at dsbl.org http://www.senderbase.org/search?searchString=200.79.150.31 Perhaps senderbase has a reason for ignoring this list. However, spamcop has dsbl near the top of the list of additional filtering lists (see options under Horde). So I guess my questions are * any advice on how to get this IP out of dsbl * do people really filter email using dsbl * is dsbl considered reliable Thanks A From news at REMOVECAPSalanharper.com Tue Jun 21 17:23:13 2005 From: news at REMOVECAPSalanharper.com (Alan Harper) Date: Tue Jun 21 19:25:03 2005 Subject: [SC-Help] Re: SpamCop's WHOIS lookups fail References: Message-ID: <210620051623136288%news@REMOVECAPSalanharper.com> In article , Dominik 'Rathann' Mierzejewski wrote: > Hello, folks. > I'm seeing problems with SpamCop's WHOIS lookups. 
For example this: > http://www.spamcop.net/sc?id=z776519289z0169b8d66529345b3f15c7acce09edd2z > I suspect that the posts re APNIC in this newsgroup and spamcop.routing answer your question. In article , Anty Spam wrote: > "Ellen" wrote in message > news:d8kcb0$ldn$1@news.spamcop.net... > > I have opened a ticket on the APNIC issues. Until that is resolved, there > is > > no point in sending any more of these to routing. I am not inclined to > > manual route the whole of apnic one block at a time :-) > > > > Thanks > > > > Ellen > > > ============================================ > Thx Ellen > > That explains: > http://www.spamcop.net/sc?id=z774562683zd08b5ed5a1f0ce4844c35dd3ec1ecfc8z > > Tracking link: http://www.extrabadass.com/p1/ > [report history] > Resolves to 61.232.205.187 > Display data: > "whois 61.232.205.187@whois.arin.net" (Getting contact from whois.arin.net ) > Redirect to apnic: > "whois 61.232.205.187@whois.apnic.net" (Getting contact from > whois.apnic.net mirror) > Display data: > Lookup lq112-ap@whois.apnic.net > "whois lq112-ap@whois.apnic.net" (Getting contact from whois.apnic.net > mirror) > Display data: > lq112-ap = > Lookup lm273-ap@whois.apnic.net > "whois lm273-ap@whois.apnic.net" (Getting contact from whois.apnic.net > mirror) > Display data: > lm273-ap = > whois.apnic.net 61.232.205.187 (nothing found) > host 61.232.205.187 (getting name) no name > > No reporting addresses found for 61.232.205.187, using devnull for tracking. > > Anty Spam > > From MikeE at ster.invalid Tue Jun 21 18:08:08 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jun 21 20:10:03 2005 Subject: [SC-Help] Re: Understanding dsbl? References: <210620051619252635%news@REMOVECAPSalanharper.com> Message-ID: Alan Harper wrote: > One of the computers that a colleague uses has an IP in dsbl.org. The > IP is 200.79.150.31, and it has been in dsbl for presumably over 1 > year. 
> > http://dsbl.org/listing?200.79.150.31 > > I assume that this is a dynamically allocated IP, and that it is in > the list because another computer at that IP was a source of spam. 200.79.150.31 rDNS red-corp-200.79.150.31.telnor.net is listed in multiple blocklists for proxies, ahbl, blars, dnsbl, dsbl, jammd, njabl, sorbs x3, and some others and clearly has a history of problems. dsbl consists of 3 different lists; list, multihop, & unconfirmed; and it is listed in list and unconfirmed. The evidence shows 2004 Apr positive tests for port 1080 socks4&5 positive tests. The business of whether the IP is dynamic or whether it has current problems or not is not obvious except that its senderbase activity doesn't show and I can't find any fresh evidence of anything. > I note that (a) only the postmaster responsible for this IP can > initiate removal of the IP. Telnor is a monopoly, their service is > (much) worse than US ISPs (hard to imagine) and I doubt that they will > initiate removal of an IP, but I could try. > > I note also that senderbase doesn't seem to pick up the listing at > dsbl.org > > http://www.senderbase.org/search?searchString=200.79.150.31 > > Perhaps senderbase has a reason for ignoring this list. The default sb config shows 3 lists, the 'show all' shows more when something is listed, but I don't recall which ones they select. > However, spamcop has dsbl near the top of the list of additional > filtering lists (see options under Horde). > > So I guess my questions are > > * any advice on how to get this IP out of dsbl > * do people really filter email using dsbl > * is dsbl considered reliable There's more than dsbl to consider; but you could initiate the dsbl process and the confirmation would go to pm or abuse at telnor and they would respond or not however they do. The responsibility for dealing with these issues is really that of the role addresses. 
You could also run around to the other blocklists I mentioned and initiate whatever other processes you wanted to. Which people use which blocklists varies all over the map. I find dsbl a useful source of information; as you can see, it can harbor old evidence. For whatever it is worth, that IP 200.79.150.31 is currently online and echoes pings. How secure or insecure it is I couldn't tell you because I didn't choose to test it, but it doesn't currently show a port 1080, or 25 or 80. -- Mike Easter kibitzer, not SC admin From greyfire at spamcop.net Tue Jun 21 18:42:53 2005 From: greyfire at spamcop.net (Tom Talley) Date: Tue Jun 21 20:45:03 2005 Subject: [SC-Help] Re: Understanding dsbl? References: <210620051619252635%news@REMOVECAPSalanharper.com> Message-ID: Hmm, that address has issues. I just looked it up at http://www.dnsstuff.com. 200.79.150.31 shows up on the following block lists. - AHBL - listed as open proxy - BLARSBL - DNSBLNETAURMST - DNSBLNETAUT1 - DSBL - http://dslb.org/listing?200.79.150.31 - DSBLALL - JAMMDNSBL - NETHERUNSURE - NJABLPROXIES - SORBS-HTTP - Socks proxy - SORBS-SOCKS - SORBS-WEB - SPAMCANNIBAL There is possibly a trojan horse or virus running a proxy on the machine or its possible that it is misconfigured. If it is secured you will need to contact the various lists to have them test the machine. Tom From wb8tyw at qsl.network Thu Jun 23 00:19:07 2005 From: wb8tyw at qsl.network (John E. Malmberg) Date: Wed Jun 22 23:20:03 2005 Subject: [SC-Help] Re: Understanding dsbl? In-Reply-To: <210620051619252635%news@REMOVECAPSalanharper.com> References: <210620051619252635%news@REMOVECAPSalanharper.com> Message-ID: Alan Harper wrote: > One of the computers that a colleague uses has an IP in dsbl.org. The > IP is 200.79.150.31, and it has been in dsbl for presumably over 1 > year. 
>
> http://dsbl.org/listing?200.79.150.31

> I assume that this is a dynamically allocated IP, and that it is in the

It is not listed as a DHCP address in the lookups that I know how to do. Is it a DHCP address, if so, that range needs to be submitted to SORBS and NJABL and MAP-DUL for preemptive blocking.

The rDNS is red-corp-200.79.150.31.telnor.net, which is a generic name, and many networks are now refusing any E-MAIL from generic I.P. addresses.

If this is a dynamically allocated I.P. the DSBL listing should not matter as it is simply not practical to operate a mail server on a DHCP address.

DHCP address pool blocking lists are probably more widely used than DSBL.org.

> list because another computer at that IP was a source of spam.

If that is the case it is still real bad for all of telenor.net's customers on that physical network segment. And a lot of virtual subnets can share a single physical link.

When the spammers are pumping spam through that open proxy, it is probably causing so much network congestion that the network is useless for all the other telenor.net customers sharing that link.

A competent network owner will prevent an open proxy from sending mail as soon as they discover it and then notify the system owner. And not reconnect it until they are satisfied it is fixed.

If a network owner leaves the open proxy connected while they wait for the system owner to fix it, they are hurting their own network and all of their customers.

> So I guess my questions are
>
> * any advice on how to get this IP out of dsbl

1. Get telenor.net or the system owner to verify that the open proxies are fixed.

2. Get telenor.net to fix their e-mail server to accept the removal request. It is currently refusing to accept the removal e-mail. That is not a good sign. The error messages are apparently stating that the required postmaster and abuse e-mail addresses do not exist. And that means that the network will not get any notifications of trouble on their network.

3. Once the required e-mail addresses are working, get telenor.net to read the removal request and open a web page on the link included in the e-mail.

Or, put a mail server on that I.P address that will accept the confirmation e-mail at one of the RFC required POSTMASTER or ABUSE accounts to the rDNS domain name.

If there is no mail server at this I.P. address, then the DSBL.ORG listing should not be affecting mail sent through the ISP's mail server, unless someone is checking all headers in a message, which most spam filters do not do. Most mail servers only check the I.P. address that they are accepting the e-mail directly from.

> * do people really filter email using dsbl

Yes, I know of several commercial and non-commercial networks using it. Some of them quite large.

If someone is trying to operate a mail server on that I.P. I suspect that they may find quite a bit of the Internet refusing their e-mail.

And it is my guess that as people find out about the dsbl.org that the number of mail servers using it is only going to increase.

> * is dsbl considered reliable

It seems to be. I really doubt that you will be able to convince a mail server operator that is using it to stop.

They do exactly what they say they do. An I.P. gets listed by someone getting it to send an e-mail to one of their listing servers.

An IP is removed within 25 hours of the owner of the postmaster and the abuse e-mail boxes as designated by rDNS verifying that they can read at least one of the two required role mailboxes.

The process is completely automated. Only one removal request per I.P. address will be processed per week once the network owner's mailbox accepts the message. So if they did not fix the problem before delisting, it is likely to get listed again.

-John
wb8tyw@qsl.network
Personal Opinion Only

From news at REMOVECAPSalanharper.com Thu Jun 23 14:16:21 2005
From: news at REMOVECAPSalanharper.com (Alan Harper)
Date: Thu Jun 23 16:20:04 2005
Subject: [SC-Help] Re: Understanding dsbl?
References: <210620051619252635%news@REMOVECAPSalanharper.com>
Message-ID: <230620051316213493%news@REMOVECAPSalanharper.com>

In article , John E. Malmberg wrote:

> Alan Harper wrote:
> > One of the computers that a colleague uses has an IP in dsbl.org. The
> > IP is 200.79.150.31, and it has been in dsbl for presumably over 1
> > year.
> >
> > http://dsbl.org/listing?200.79.150.31
>
> > I assume that this is a dynamically allocated IP, and that it is in the
>
> It is not listed as a DHCP address in the lookups that I know how to do.
> Is it a DHCP address, if so, that range needs to be submitted to SORBS
> and NJABL and MAP-DUL for preemptive blocking.
>
> The rDNS is red-corp-200.79.150.31.telnor.net, which is a generic name,
> and many networks are now refusing any E-MAIL from generic I.P. addresses.
>
> If this is a dynamically allocated I.P. the DSBL listing should not
> matter as it is simply not practical to operate a mail server on a DHCP
> address.
>

Every time I think I understand something about mail protocols and spam filtering, it is demonstrated that I really don't. Perhaps someone can help me a little bit more here.

A colleague who I work with is in Mexico, so he needs to use telnor.net as his ISP. He has a windows computer and is sending mail using Outlook, through a router (don't know which model), and uses opensourcehost.com as the smtp server. Our web site, terrapeninsular.org, maps to jag.opensourcehost.com = 69.93.35.100.

He asked me to help because he was not able to send email to some recipients--and perhaps the problem was that his email was being ID'd as spam. I am trying to do what I can.
Some headers from a recent email that he sent are:

------------------ RFC822 Header Follows ------------------
Return-Path:
Delivered-To: my_spamcop_account@spamcop.net
Received: (qmail 26283 invoked from network); 23 Jun 2005 16:50:19 -0000
Received: from unknown (192.168.1.101) by blade5.cesmail.net with QMQP; 23 Jun 2005 16:50:19 -0000
Received: from jag.opensourcehost.com (69.93.35.100) by mailgate.cesmail.net with SMTP; 23 Jun 2005 16:50:18 -0000
Received: from [200.79.150.31] (helo=HIS_ACCOUNT) by jag.opensourcehost.com with smtp (Exim 4.50) id 1DlUuD-0000n0-0N for me@mysite.com; Thu, 23 Jun 2005 11:50:21 -0500
From: =?US-ASCII?Q?Juan_M._Garcia_Caudillo?=
To: "Alan Harper"
%snip%
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
%snip%
X-SpamCop-Checked: 192.168.1.101 69.93.35.100 200.79.150.31
X-SpamCop-Disposition: Blocked list.dsbl.org
X-SpamCop-Whitelisted: terrapeninsular.org

I guess the first question is, do you think that 200.79.150.31 is the IP of his router, or a computer that is somewhere "upstream" of his computer?

This IP was listed in njabl http://njabl.org/cgi-bin/lookup.cgi?query=200.79.150.31 and is listed in dsbl http://dsbl.org/listing?200.79.150.31 . It appears that it is listed because there was an open relay at that IP in 2004. Someone, not me, tried to get it unlisted from dsbl, but dsbl won't unlist it because telnor doesn't respond to the postmaster mail addresses to confirm anything. (Telnor doesn't have to care, it is a near monopoly).

The second question is, is there any easy way to see if there is still an open proxy at this address? As far as I can tell, njabl hasn't retested the address, and dsbl won't retest it until telnor changes its procedures (I.e, until hell freezes over).

Right now, whatever was blocking his email is no longer blocking it. This corresponds with my asking njabl to unlist this address, but I suspect that it was coincidence.
Any other thoughts about what I can do to increase his chance of sending emails would be appreciated.

Thanks

Alan

From MikeE at ster.invalid Thu Jun 23 15:13:07 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Jun 23 17:15:03 2005
Subject: [SC-Help] Re: Understanding dsbl?
References: <210620051619252635%news@REMOVECAPSalanharper.com> <230620051316213493%news@REMOVECAPSalanharper.com>
Message-ID:

Alan Harper wrote:
> A colleague who I work with is in Mexico, so he needs to use
> telnor.net as his ISP. He has a windows computer and is sending mail
> using Outlook, through a router (don't know which model), and uses
> opensourcehost.com as the smtp server. Our web site,
> terrapeninsular.org, maps to jag.opensourcehost.com = 69.93.35.100.

That all fits with what you've posted. But if you want to work that 'router' into the conversation it is going to make things sound more complicated than they need to.

IMO 200.79.150.31 rDNS red-corp-200.79.150.31.telnor.net is your friend's user IP and the headers show the item going from that IP to his smtpserver to your spamcop account. Whether there is just one machine or a little network doing network address translation behind a NAT device or 'switch router' isn't really important. Whatever that is is represented by the IP 200.79.150.31 - whether it be one machine or a router representing one IP for several machines.

The headers also show SC spotting the blocklisted IP and also passing the mailitem because its From domainname is whitelisted.

X-SpamCop-Checked: 192.168.1.101 69.93.35.100 200.79.150.31
X-SpamCop-Disposition: Blocked list.dsbl.org
X-SpamCop-Whitelisted: terrapeninsular.org

> I guess the first question is, do you think that 200.79.150.31 is the
> IP of his router, or a computer that is somewhere "upstream" of his
> computer?

I have a so-called switch router [actually just a NAT device] on my little network. As a result of that, my 'machine' doesn't really have my IP.
My machine has an address translation that results in it having a nonroutable 192.168.1.* IP number -- but that is just a 'translation' and when I access something, like my smtp server or this newsgroup, 'my' IP is recorded as the 'router's' IP, which is 64.203.51.197 -- For me that number corresponds to your friend's 200.79.150.31

> This IP was listed in njabl
> http://njabl.org/cgi-bin/lookup.cgi?query=200.79.150.31 and is listed
> in dsbl http://dsbl.org/listing?200.79.150.31 . It appears that it is
> listed because there was an open relay at that IP in 2004. Someone,
> not me, tried to get it unlisted from dsbl, but dsbl won't unlist it
> because telnor doesn't respond to the postmaster mail addresses to
> confirm anything. (Telnor doesn't have to care, it is a near
> monopoly).

You are fretting over this problem of your friend's telnor IP being listed. You are going to be able to do a little with blocklists which will accept your attempts to get it unlisted, and those blocklists which require correspondence with telnor you won't be able to do it yourself.

> The second question is, is there any easy way to see if there is still
> an open proxy at this address? As far as I can tell, njabl hasn't
> retested the address, and dsbl won't retest it until telnor changes
> its procedures (I.e, until hell freezes over).

I'm not sure I'm in agreement with that plan, but you could probe the IP's ports for insecurities. But, that isn't the best strategy to evaluate an IP; ie remotely. Your friend can go to websites and get his own IP probed and his insecurities evaluated more easily and without creating some potential problems for whoever would be doing this portscanning you are thinking about.

> Right now, whatever was blocking his email is no longer blocking it.
> This corresponds with my asking njabl to unlist this address, but I
> suspect that it was coincidence.
The reason is that it is passing because of your having whitelisted terrapeninsular.org

> Any other thoughts about what I can do to increase his chance of
> sending emails would be appreciated.

If you have his mail whitelisted, it shouldn't be a problem.

--
Mike Easter
kibitzer, not SC admin

From wb8tyw at qsl.network Thu Jun 23 18:26:10 2005
From: wb8tyw at qsl.network (John E. Malmberg)
Date: Thu Jun 23 18:30:04 2005
Subject: [SC-Help] Re: Understanding dsbl?
References: <210620051619252635%news@REMOVECAPSalanharper.com> <230620051316213493%news@REMOVECAPSalanharper.com>
Message-ID:

In article <230620051316213493%news@REMOVECAPSalanharper.com>, Alan Harper writes:

> Every time I think I understand something about mail protocols and spam
> filtering, it is demonstrated that I really don't. Perhaps someone can
> help me a little bit more here.
>
> A colleague who I work with is in Mexico, so he needs to use telnor.net
> as his ISP. He has a windows computer and is sending mail using
> Outlook, through a router (don't know which model), and uses
> opensourcehost.com as the smtp server. Our web site,
> terrapeninsular.org, maps to jag.opensourcehost.com = 69.93.35.100.
>
> He asked me to help because he was not able to send email to some
> recipients--and perhaps the problem was that his email was being ID'd
> as spam. I am trying to do what I can.

> I guess the first question is, do you think that 200.79.150.31 is the
> IP of his router, or a computer that is somewhere "upstream" of his
> computer?

It is either the I.P. of his computer, or the I.P. address of a NAT (Network Address Translation) router that is between his computer and the Public Internet.

If it is a NAT router then it can be shared with any number of computers, any one of them could be infected. However because of the nature of NAT, unless special arrangement is made, no incoming connections are usually allowed.
So while an infected computer can spam viruses, it is more difficult for a spammer to send through such a zombied computer.

Microsoft has stated publicly that their computers require a hardware or software firewall between them and the public internet. The hardware ones for home use are usually pre-configured for what is needed and are usually plug in and forget devices. Software firewalls are not as reliable and can be disabled by malware or social engineering.

> This IP was listed in njabl
> http://njabl.org/cgi-bin/lookup.cgi?query=200.79.150.31 and is listed
> in dsbl http://dsbl.org/listing?200.79.150.31 . It appears that it is
> listed because there was an open relay at that IP in 2004.

Not an open relay, an open proxy. An open proxy is far worse than an open relay. An open relay does not hide the I.P. address of the abuser and can only relay e-mail. An open proxy both hides the I.P. address of the abuser, it also usually allows the abuser to use any TCP/IP protocol.

The presence of an open proxy on a computer usually means that some criminal on the internet has more control of that computer than the system owner.

> Someone,
> not me, tried to get it unlisted from dsbl, but dsbl won't unlist it
> because telnor doesn't respond to the postmaster mail addresses to
> confirm anything. (Telnor doesn't have to care, it is a near monopoly).

More precisely the error message is implying that the required ABUSE and POSTMASTER addresses are not available at all to receive any messages.

And there are some networks that will refuse all e-mail from ISPs that do not have working ABUSE and POSTMASTER addresses.

http://www.rfc-ignorant.org/tools/lookup.php?domain=telnor.net

And some of the postmasters that I know will put a local block on an entire network if their complaint to a required role account is rejected or ignored.
And for the same postmasters, if they find a trend for a country is to have unresponsive ISPs, they tend to start blocking the entire country unless one of their users asks for a white listing of a specific IP address.

> The second question is, is there any easy way to see if there is still
> an open proxy at this address?

There are some people that may have access to proxy testing software. You can try doing a telnet command to the ports listed as being open and see if the machine accepts a connection. The DSBL testing software can be downloaded from their web site in source format.

> As far as I can tell, njabl hasn't retested the address,

http://njabl.org/cgi-bin/lookup.cgi?query=200.79.150.31

States that they have tested it and removed the listing because they could not find an open proxy.

> and dsbl won't retest it until telnor changes its
> procedures (I.e, until hell freezes over).

DSBL did not test the machine, and DSBL will not retest a machine. DSBL lists machines that people on the internet can get to send a specially crafted message to one of the DSBL mail servers. The people usually do such a test after receiving spam from that I.P. address. The listing remains until someone proves they can read an E-mail sent to one of the RFC required e-mail addresses that all mail servers must have and their operators must pay attention to.

If there is a zombie machine on a DHCP range, eventually it may cause the entire DHCP pool to be listed by the DSBL and other blocking lists. Getting a DHCP pool listed is not a bad thing as some spammers know that spam from it will not get to a large number of mail servers.

A zombie or an open relay on an ISP costs that ISP a significant amount of operating cash, so any network owner that is ignoring them or blocking spam/abuse reports is only hurting their own profits. According to one media report, if a spammer had to pay the going retail rate for the bandwidth stolen through an open proxy, they would have to pay $1,200 U.S.
per week.

> Right now, whatever was blocking his email is no longer blocking it.
> This corresponds with my asking njabl to unlist this address, but I
> suspect that it was coincidence.

The I.P. address is not listed by NJABL at this time. NJABL is included in the apparently very popular SBL-XBL.SPAMHAUS.ORG list.

> Any other thoughts about what I can do to increase his chance of
> sending emails would be appreciated.

As long as the required role accounts of POSTMASTER and ABUSE are not functional and acted on in real time by his ISP, he is likely to have problems with other networks accepting his e-mail. It also means that he is also likely to have periods of very poor network connectivity.

And the people doing that type of blocking are not likely to change, as near as I can tell, more and more network administrators are blocking networks that do not have working role accounts, not only at the e-mail level, but at the router level also.

And it is the well run networks that will issue rejection notices. Many networks will simply silently delete what they detect as spam. One of the reasons for this is to avoid cartooneys from people who get overly hostile if one of their messages is mistakenly tagged as spam. Others just do it that way because they are not competently run.

Smart hosting for your mail server will get around most of the blocks, except for the apparently few spam filters like the one spamcop.net uses that check all headers, and the people that are specifically blocking your ISP as it seems to be one of the few ISPs that are being specifically blocked for allegedly not removing spammers elsewhere on their network.

A well run mail server will issue a SMTP rejection code when it refuses a message, and the standard block list check on the I.P. address is what is available on all the commercial mail servers that I am aware of.
It costs more to do the additional filtering checks and if the mail server operator has properly tuned their local and public blocking lists, in many cases, the additional filtering is more likely to catch real e-mails than it is any spam that gets through.

Usually, but not always, it is safe to block the /23 (512 addresses) surrounding an I.P. address that sent spam or a virus as there is usually that much separation from the real mail servers' I.P. addresses and the I.P. addresses allocated to end users. Such blocks usually need to be done manually as the error rate is probably too high for a simple automatic process.

Mail servers that issue rejections based on I.P. addresses farther up the chain or by message content risk un-subscribing their users from mailing lists where spam or a virus leaked by the mailing list filters.

Using an Open Proxy blocking list like the SBL-XBL, or DSBL on the input to a smart-hosting mail server can also prevent it from relaying spam or viruses from one of your users in case their machine gets zombied, or someone phishes their account information.

You may occasionally need to whitelist an I.P. like your colleague, but that should be a rare occurrence. In most cases an e-mail connection from an I.P. address in list.dsbl.org, sbl-xbl.spamhaus.org means that the system is owned, and unless you specifically know that the listing is old, it is not a good idea to relay that mail.

By diverting such mail attempts to a local administrator, you will probably be able to alert such users that someone else either has their access credentials or control of their computer.

-John
wb8tyw@qsl.network
Personal Opinion Only

From news at REMOVECAPSalanharper.com Thu Jun 23 17:21:41 2005
From: news at REMOVECAPSalanharper.com (Alan Harper)
Date: Thu Jun 23 19:25:03 2005
Subject: [SC-Help] Re: Understanding dsbl?
References: <210620051619252635%news@REMOVECAPSalanharper.com> <230620051316213493%news@REMOVECAPSalanharper.com>
Message-ID: <230620051621413157%news@REMOVECAPSalanharper.com>

In article , Mike Easter wrote:

> > Right now, whatever was blocking his email is no longer blocking it.
> > This corresponds with my asking njabl to unlist this address, but I
> > suspect that it was coincidence.
>
> The reason is that it is passing because of your having whitelisted
> terrapeninsular.org

Thank you Mike, everything you say makes sense, except this line. What I meant to say was that two days ago my friend could not send mail to other email accounts (which accounts I don't know). As of yesterday--after I got his IP delisted at njabl--he suddenly could send to those. He has always been whitelisted for me.

Something changed yesterday, I don't know what.

Thanks to John as well for a thorough explication of the subject.

A

From MikeE at ster.invalid Thu Jun 23 18:01:31 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Jun 23 20:05:03 2005
Subject: [SC-Help] Re: Understanding dsbl?
References: <210620051619252635%news@REMOVECAPSalanharper.com> <230620051316213493%news@REMOVECAPSalanharper.com> <230620051621413157%news@REMOVECAPSalanharper.com>
Message-ID:

Alan Harper wrote:
> Mike Easter
>> The reason is that it is passing because of your having whitelisted
>> terrapeninsular.org

> Thank you Mike, everything you say makes sense, except this line. What
> I meant to say was that two days ago my friend could not send mail to
> other email accounts (which accounts I don't know). As of
> yesterday--after I got his IP delisted at njabl--he suddenly could
> send to those. He has always been whitelisted for me.
>
> Something changed yesterday, I don't know what.

Oh, I see. Being listed on njabl proxies is important because it lists you on spamhaus's XBL and spamhaus is very popular, as John sed. If you got him off that njabl, he comes off the SBL-XBL.
That is very good and could enable getting thru' some previous spamfilters.

When I first looked up the IP, I saw the njabl, but I didn't see spamhaus, but now that I think on it, maybe spamhaus timed out on that lookup.

--
Mike Easter
kibitzer, not SC admin

From anon at coks.net Thu Jun 23 23:35:26 2005
From: anon at coks.net (J G)
Date: Fri Jun 24 01:35:04 2005
Subject: [SC-Help] Forum follies...
Message-ID:

Tried the forum, but it didn't work - can't reply, all in all a pretty lousy set up - kinda leaves a warm feeling in this "reporters" tummy..and, no, if I have to go through another FAQ with no answers, I'll start smoking again...

question:
and BTW if this question is below most at the forum, maybe you shouldn't offer it as a venue...
*/
While reporting, am getting the "you have unreported spam" message and wants to know if I want to report now - I do so and get whole parse but then at the end it says this has already been reported.
I have no cancel button which I have seen mentioned around various help areas, so I can't cancel it
Now, I can be in a hurry and using 3 different input screens at once and sometimes may dupe a post but not as often as this msg.
So, someone else has reported this spam before me - yes?
And we have no way of knowing this, right?
Isn't this kind of
-stupid?
-waste of bandwidth?
-in need of a fix?

tnx...
*/

response by Wazo;
*/
You have an account, your submitted/reported spam is yours ... Yes, you and I could receive and submit the same spam, but neither one of us would know this.
/brilliant/...
From the sounds of it, you do need to slow down and look at things a bit closer.
*/
WTF does that mean, Wazo?
I'll slow down and see what - that someone else has already reported the same spam? And I observe that how?
I got another response from Steve U.
of a more thoughtful nature, but equally unenlightening:
*/
If you have a window open with the "you have unreported spam" and another open after following the link in the email reply, the situation you describe can occur. Usually you would either follow the email links OR keep following the unreported spam link until they are all gone.
/they don't go gone they list out and state IF I had reported, blahblah, then that site had already been reported, such and such, then give me a new input box, no indication of anything further on previous subject, no cancel choice, nada/
If you submit the same message more than once, you will get a different tracking URL and be able to report multiple times...That would be against the rules, however.
/Well, that's good to know./
*/

I'm beginning to see why the NANAE groups froth...

From anon at coks.net Fri Jun 24 00:39:29 2005
From: anon at coks.net (J G)
Date: Fri Jun 24 02:40:02 2005
Subject: [SC-Help] Re: Forum follies...
In-Reply-To:
References:
Message-ID:

On 6/23/2005 11:24 PM Blammo scribbled:

> On 23 Jun 2005 J G entered spamcop.help and left
> news:d9g60c$nd0$1@news.spamcop.net:
>
>
>>While reporting, am getting the "you have unreported spam" message and
>>wants to know if I want to report now - I do so and get whole parse but
>>then at the end it says this has already been reported.
>>
>
>
> That has been asked before, at least in .spamcop .
> I have, a time or two, seen the parser "get stuck". If you click "Remove
> all unreported spam" that should remove it, if not contact the deputies% (I
> think).
>

Thanks, I
a.)haven't been reading the ng for the past 2 years or so, nor do I have time to search the usenet after parsing and sending twice a day.
b.)can see the "remove" option and can make that decision, but that leaves the open question.
c.)wasn't aware of parser sticking in that fashion, so thanks again..

From nobody at devnull.spamcop.net Fri Jun 24 09:34:05 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Fri Jun 24 09:35:03 2005
Subject: [SC-Help] Re: Forum follies...
References:
Message-ID:

"J G" wrote in message news:d9g60c$nd0$1@news.spamcop.net...
> Tried the forum, but it didn't work - can't reply,

One of the Moderators removed your two failed attempts at a reply, you only leaving two posts containing nothing but the entire quoted contents of your first post.

> all in all a pretty lousy set up - kinda leaves a warm feeling
> in this "reporters" tummy..and, no, if I have to go
> through another FAQ with no answers, I'll start smoking again...

There is the www.spamcop.net FAQ which was the starting point of the FAQ found in the Forum ... The "set-up" issue seems odd, with so many other folks able to reply just fine .. noting again that both of your attempts "worked" .. just not having any content but the repeat of your first post ... Perhaps a couple of entries in the "How to Use .. Forum" might have cleared up some confusion on your part ..????

> question:
> and BTW if this question is below most at the forum, maybe you shouldn't
> offer it as a venue...
> */
> While reporting, am getting the "you have unreported spam" message and
> wants to know if I want to report now - I do so and get whole parse but
> then at the end it says this has already been reported.
> I have no cancel button which I have seen mentioned around various help
> areas, so I can't cancel it
> Now, I can be in a hurry and using 3 different input screens at once and
> sometimes may dupe a post but not as often as this msg.
> So, someone else has reported this spam before me - yes?
> And we have no way of knowing this, right?
> Isn't this kind of
> -stupid?
> -waste of bandwidth?
> -in need of a fix?
>
> tnx...
> */
>
> response by Wazo;
> */
> You have an account, your submitted/reported spam is yours ... Yes, you
> and I could receive and submit the same spam, but neither one of us
> would know this.
> /brilliant/...

Problem is that I was trying to clear up that you report your spam, I report mine. There is no connection as far as the SpamCop parser is concerned. So any "already reported" issue is based solely on "your" reported spam .. nothing to do with my reported spam. Not sure why you'd call this "brilliant" and still miss the point.

> From the sounds of it, you do need to slow down and look at things a
> bit closer.
> */
> WTF does that mean, Wazo?
> I'll slow down and see what - that someone else has already reported the
> same spam? And I observe that how?

As above, there is no connection between spam you report and the spam someone else reports ... the slow-down remark dealt with your "got three screens running and am getting weird errors" ... As backed up with StevenUnderwood's and Blammo's remarks, this "hurried" actioning can lead to possible glitches.

> I got another response from Steve U. of a more thoughtful nature, but
> equally unenlightening:
>
> I'm beginning to see why the NANAE groups froth...

I'm not sure I see the connection between your alleged problem, the SpamCop Forum, these newsgroups, and NANAE ....????

From nobody at devnull.spamcop.net Fri Jun 24 12:10:18 2005
From: nobody at devnull.spamcop.net (Pop)
Date: Fri Jun 24 11:15:05 2005
Subject: [SC-Help] I know you're tired of hearing this, but ... re FAQs
Message-ID:

Hi,

I know this has been agonized over and over and talked about ad-infinitum and any suggestions are probably too late, but I'd like to make ONE more post about spamcop's Help areas. My input was always ignored previously and rationalized away, so the confusion I tried to point out still exists, IMO.

Please, no flames, they just waste ether and are wasted on me; they're just not effective. It's just MO, but, I believe, valid.
I guess since I've posted previously and the FAQs are basically "set" now, this'll be the last time I post about them, but a comment from a poster in a recent spamcop. thread prompted me to write this.

-------------------------------------

I'd like to provide you with a scenario in order to attempt bringing people along to my own view here.

Let's say I'm a newbie (I'm really not much more than that) with a few spam reports under my belt. I don't know much about forums: These are forums for all I know. Anyway, I've heard a lot about spamcop and read the groups for awhile now, and now believe I know what questions I should ask. Or, at least enough to be dangerous.

I jump to the opening page: spamcop.net/ = great page, great layout, looks good, informative, descriptive link names; I like it.

So, I click to go to Help and end up at: http://www.spamcop.net/help.shtml

First screen looks good: TOC looks very useful, a TOC with major entries below it and everything. Good show! Since I'd like to know more about the parsing and reporting aspects, parsing and reporting looks to be right up my alley! Funny format for a TOC, but ... oh well.

So, I go to http://www.spamcop.net/fom-serve/cache/1.html

But, what's that on this page: A more detailed TOC? Of what? Doesn't look like a TOC. The link names are some different, some the same, as back on the previous page. Is THIS the FAQ, or are those links all FAQs? If the links are all FAQs, then where's the rest of the TOC gone to? Is this a TOC of FAQs? If so where are the other links that were on the preceding page? So, on the previous page, TOC is a TOC; for what?

So, jumping back to http://www.spamcop.net/help.shtml, I look closer. Oh! It's a TOC of FAQs! I see! So, if I go to the TOC link, I should get a detailed TOC, showing all the major links listed here, right? Well, when I go there, to http://www.spamcop.net/help.shtml it's not a TOC.
Well, when I click any of those links, Parsing and Reporting Service, it looks more like a how-to set of links than it does a FAQ about spamcop parsing and reporting services. Hmm, yeah, I need to know how to use them, but that's not what I was looking for.

OK, I want to know about spamcop parsing and reporting services. not how to use them. Where do I go?

So, I back up to http://www.spamcop.net/fom-serve/cache/1.html and seeing nothing else related, go on back to http://www.spamcop.net/fom-serve/cache/1.html. Hmm, according to that page I've been to the first link under the TOC link, but ... where's the FAQ on the actual parsing and reporting service vs the how-to-use it?

Now I'm lost, so I try the Search box for ;parsing and reporting;. Oh, cripe, it's a Google search! Look at all those hits! No help there, for a newbie like me who hasn't had much success with google yet and thus no faith in it! Not what I expected.

I'm lost! Help! And the more I look, the more frustrated I get, and the less I comprehend of what's really going on. I'm lost.

--------------------------

From MikeE at ster.invalid Fri Jun 24 09:28:52 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Jun 24 11:30:02 2005
Subject: [SC-Help] Re: I know you're tired of hearing this, but ... re FAQs
References:
Message-ID:

Pop wrote:
> So, I go to

When I'm trying to learn how to navigate any site and they stick a 'site map' link up there I jump on it.

Check it out http://www.spamcop.net/sitemap.shtml Site Map:

--
Mike Easter
kibitzer, not SC admin

From anon at coks.net Fri Jun 24 09:49:31 2005
From: anon at coks.net (J G)
Date: Fri Jun 24 11:50:03 2005
Subject: [SC-Help] Re: Forum follies...
In-Reply-To:
References:
Message-ID:

On 6/24/2005 6:34 AM WazoO scribbled:

> "J G" wrote in message news:d9g60c$nd0$1@news.spamcop.net...
>
>>Tried the forum, but it didn't work - can't reply,

You are, of course, correct on reading the FAQs - I was getting frustrated after running into 2 other forums which, in fact had different problems, but I was having a bad night.....

>
>
>>While reporting, am getting the "you have unreported spam" message and
>>wants to know if I want to report now - I do so and get whole parse but
>>then at the end it says this has already been reported.
>>I have no cancel button which I have seen mentioned around various help
>>areas, so I can't cancel it
>>Now, I can be in a hurry and using 3 different input screens at once and
>>sometimes may dupe a post but not as often as this msg.
>>So, someone else has reported this spam before me - yes?
>
>>response by Wazo;
>>*/
>>You have an account, your submitted/reported spam is yours ... Yes, you
>>and I could receive and submit the same spam, but neither one of us
>>would know this.
>>/brilliant/...
>

Sorry, see below...

>
> Problem is that I was trying to clear up that you report your spam, I
> report mine. There is no connection as far as the SpamCop parser
> is concerned. So any "already reported" issue is based solely on
> "your" reported spam ..

Thanks for making that clearer for me - I misconscrewed your earlier sentence...

>> From the sounds of it, you do need to slow down and look at things a
>>bit closer.

probably so - it gets maddening at times and I don't /believe/ I was duping that many reports...

>
> As above, there is no connection between spam you report and
> the spam someone else reports ... the slow-down remark dealt
> with your "got three screens running and am getting weird errors" ...
> As backed up with StevenUnderwood's and Blammo's remarks,
> this "hurried" actioning can lead to possible glitches.

Probably my problem...

>>I'm beginning to see why the NANAE groups froth...
>
>
> I'm not sure I see the connection between your alleged problem, the
> SpamCop Forum, these newsgroups, and NANAE ....????
When I decided to try and contribute to fighting this problem, I was referred to the NANAE groups - hardly the place for a novice reporter to learn anything - not being a sys admin, it may have well been greek. I thought it entertaining at first but it got dreary pretty fast. I can see how shoveling through this crap all day long could drive one a little nuts. There is so much more for me to learn I was just getting frustrated at it all... From anon at coks.net Fri Jun 24 09:50:20 2005 From: anon at coks.net (J G) Date: Fri Jun 24 11:50:08 2005 Subject: [SC-Help] Re: Forum follies... In-Reply-To: References: Message-ID: On 6/23/2005 11:45 PM Blammo scribbled: > On 23 Jun 2005 J G entered spamcop.help and left > news:d9g9of$pbl$1@news.spamcop.net: > > >>a.)haven't been reading the ng for the past 2 years or so, nor do I have >>time to search the usenet after parsing and sending twice a day. >> > > > No prob., I was just pointing that out considering you got no answer > elsewhere. That might be hard to search for anyway. > Thank you... From anon at coks.net Fri Jun 24 09:55:57 2005 From: anon at coks.net (J G) Date: Fri Jun 24 11:55:04 2005 Subject: [SC-Help] Re: Forum follies... In-Reply-To: References: Message-ID: On 6/23/2005 11:56 PM Blammo scribbled: > On 23 Jun 2005 Blammo entered spamcop.help and left > news:Xns967EEE4BC3028blammo@216.154.195.61: > > > Oh, close all extra windows and click "Report Spam" or the SpamCop logo > before you "Remove all unreported spam". The spam item may not be stuck, > you may be seeing an old page showing an item you have already reported. > This always happens when you have multiple windows open, it's nothing to be > concerned about. I forget that sometimes these things aren't always obvious > to everyone. > You should be able to tell by the link color if you've been there before. > And you don't want to reload the page if it ends in "/sc", just click the > logo. > Thanks again - BTW, got 3 out of 29 this A.M. 
- tried the delete option and SC came back with "0 reports deleted" - I'm sitting here thinking that if I miss a couple of spam, the world will collapse - gotta get a grip... From anon at coks.net Fri Jun 24 10:03:49 2005 From: anon at coks.net (J G) Date: Fri Jun 24 12:05:03 2005 Subject: [SC-Help] Re: Forum follies... In-Reply-To: References: Message-ID: On 6/24/2005 1:14 AM Blammo scribbled: > > If you have two windows or tabs open with the same spam report, you can > only report one, the second report will result in an error. However you can > open all the reporting links in the Spamcop email reply, or even use the > paste spam form in multiple windows and report each, one after the other. > You might even be able to speed things up doing that, or at least maybe you > don't get so bored. I've done this with 4 tabs open at once - probably not a good thing.... > > And finally (I hope), you can get duplicate spam messages. I just thought > of this because I just got two messages with the same subject, but looking > at the headers they are not exactly the same, so they both get reported. > However... > Mozilla has a bug, and probably Thunderbird as well, it will use the > subject for the attachment name, so they both can get combined together > into one message, both attachments will have the same name. This can result > in strange things happening, so I try to avoid it. If you notice two > messages with the same subject together, try to report them separately. > I'm not so sure Mozilla is wrong about this, but it should be avoided > anyway. > I had inquired about this dupe spam couple days ago and was told to report both. I copy and paste, don't forward, so I haven't run into /this/ problem - good to file somewhere, though, Thanks... From nobody at devnull.spamcop.net Fri Jun 24 12:09:46 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Fri Jun 24 12:10:02 2005 Subject: [SC-Help] Re: I know you're tired of hearing this, but ... 
re FAQs References: Message-ID: "Pop" wrote in message news:d9h7om$9nh$1@news.spamcop.net... > > I know this has been agonized over and over and talked > about ad-infinitum and any suggestions are probably too > late, but I'd like to make ONE more post about > spamcop's Help areas. My input was always ignored > previously and rationalized away, so the confusion I > tried to point out still exists, IMO. Please, no > flames, they just waste ether and are wasted on me; > they're just not effective. It's just MO, but, I > believe, valid. Actually, this same discussion is going on "over there" at http://forum.spamcop.net/forums/index.php?showtopic=4387 > I guess since I've posted previously and the FAQs are > basically "set" now, this'll be the last time I post > aout them, but a comment from a poster in a recent > spamcop. thread prompted me to write this. The current situation: I can modify existing files in the Forum, but currently don't have "write" access such that I can "add" new files to the program set. Stuck there until JT changes some bits. As I've said many times before, the FAQ in the Forum was created one Saturday morning, using the www.spamcop.net as the starting point. This was in answer to the years of complaints about the FAQ-O-Matic thing not working, always out of date, incomplete, etc. Stated then and stated now, that work was never intended to be "the final solution" ... bit the story-line you present in your "can't find my way around" is in fact solved by the single-page form found in the Forum. The/My plan at this point .. when JT gets around to either moving some files for me or flipping some permission bits, the Forum will get a "portal" page ... basically a web page with various informational bits, links, data, etc ... the Forum itself will be just another link from the page. Part of this "portal" page will be a (intended) short FAQ to handle the normal "who the hell is SpamCop?" visitor. 
When this gets put into place and worked over, then Julian, Deputies, IronPort, etc. will be taken to task once again to make changes to the already referenced www.spamcop.net page (and Help pages) I have to note that the statement "FAQs are set" does not apply to the list of questions in the Forum version. I update that page on a regular basis, which has also led to the "it's too damn big" issue. Again, still waiting for JT to do something, but the next step was going to be converting the Glossary page to an HTML linked set-up .. once again, it's gotten too big in the format that it's in now .... once that action was accomplished, I was then looking forward to trying to do the same with the Forum FAQ. I will also note that you are one of the very few people that ever made a comment on the request for input on JT's offer to go the extra mile and buy some other software to be used to build a knowledgebase ... not sure I follow that your previous was ignored or rationalized away ... I'll just repeat, the www.spamcop.net FAQ has been a source of complaints since day one, I did the Forum FAQ as an alternative, I did get the Forum links to point at the top of the Forum back when IronPort assigned the additional task to one of their staff to go through the www.spamcop.net FAQ .... thus allowing access/view of the complete Forum structure (that also has expanded much since then) ... point being, there are other resources available, there is still on-going work in some areas, and input is taken .... From MikeE at ster.invalid Sat Jun 25 00:43:30 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat Jun 25 02:45:03 2005 Subject: [SC-Help] Re: Spam reported to dev null References: Message-ID: Posted to .help & .spam, f/ups to .help .spam isn't a normal discussion group, so I'm moving my followups to .help. Greg Grotyohann wrote: > Can anyone tell me why spam that comes from certain addresses like > level3.net goes to dev null? 
The best way to talk about any specific notify is to post its tracker from the top of the parsing page. This is how the tracker looks in its environment

Here is your TRACKING URL - it may be saved for future reference:
http://www.spamcop.net/sc?id=z778526474z9f64fe760eda26e022bb26298593b924z

We can use that url to look at the spam and how spamcop parsed it and how it wants to notify for it. We can't tell much from your description of a notify.

Basically, SC notifies only those providers who /want/ to be notified. SpamCop notification is a courtesy, not a punishment. If an issue is a spamsource, the reported source is counted toward the SC blocklist whether the provider wants to be notified or not. If the issue is a spamvertisement, it doesn't affect the blocklist whether the provider is notified or not.

There are different reasons for different devnulls.

> Also, why does Spamcop "refuse to bother
> spam@apnic.net"? Most of the spam advertised web-sites seem to be
> hosted on apic.net.

apnic is a regional internet registrar RIR, not a website host. The RIRs are arin, ripe, apnic, lacnic, & afrinic. Those registries are where the providers' IP blocks are looked up. Any apnic notify would be a 'mistake'. If you post a tracker for what you are citing we can talk about it.

--
Mike Easter
kibitzer, not SC admin

From h9vzc2i02 at sneakemail.com Sun Jun 26 15:06:31 2005
From: h9vzc2i02 at sneakemail.com (Anon_)
Date: Sun Jun 26 17:05:03 2005
Subject: [SC-Help] Re: Spam reported to dev null
References:
Message-ID:

"Mike Easter" wrote in message news:d9iued$9te$1@news.spamcop.net...
> Posted to .help & .spam, f/ups to .help
>
> .spam isn't a normal discussion group, so I'm moving my followups to
> .help.
>
> Greg Grotyohann wrote:
> > Can anyone tell me why spam that comes from certain addresses like
> > level3.net goes to dev null?
> > ** Dev null usually means that the 'recipient' has either refused to receive SC notifications (their choice) or that the SC notifications have returned a 505 type error (no such address etc.) -- A SpamCop user and forum reader, Not Admin *** From nobody at devnull.spamcop.net Sun Jun 26 18:06:33 2005 From: nobody at devnull.spamcop.net (Pop) Date: Sun Jun 26 17:10:02 2005 Subject: [SC-Help] A little OT Re: I know you're tired of hearing this, but ... re FAQs References: Message-ID: "Blammo" wrote in message news:Xns967FD1D5D5CF1blammo@216.154.195.61... > On 24 Jun 2005 WazoO entered spamcop.help and left > news:d9hb8a$d1j$1@news.spamcop.net: > >> the Forum will get a "portal" page ... basically a >> web page >> with various informational bits, links, data, etc >> ... the Forum >> itself will be just another link from the page. > > I hope you don't mean clicking help will take you to > the forum, or to go to > help/FAQ you have to go to the forum link first. > Some of us are Slightly modified subject response: "mortally afraid of forums.": Is that a tongue in your cheek, or is there some reason for "fearing" them besides their obvious downsides of gooey forums et al. I jump over there just for grins now and then but I don't post anything because I don't want to be "pulled" in that directon. Not that I have much to contribute anyway, but it's pretty tempting sometimes. IMO, and yes, I know you've heard it a million times, forums definitely have their place in the overall scheme of things. Like anything else, there always seems to be one more way to skin a cat. It's really only an issue here because it's a parallel but separate operation "over there" as you guys call it. Actually, I find the conversations about it more entertainment than anything else; personally, I say if they're happy there, fine, if it feels better here, that's fine too. Each to his own and unless I'm prompted, I've not much to say about it/them. 
Cheers, Pop > > -- > | Ric > | From nobody at devnull.spamcop.net Sun Jun 26 18:12:32 2005 From: nobody at devnull.spamcop.net (Pop) Date: Sun Jun 26 17:15:03 2005 Subject: [SC-Help] Re: I know you're tired of hearing this, but ... re FAQs References: Message-ID: "Mike Easter" wrote in message news:d9h8rh$ao3$1@news.spamcop.net... > Pop wrote: >> So, I go to > > When I'm trying to learn how to navigate any site and > they stick a 'site > map' link up there I jump on it. > > Check it out http://www.spamcop.net/sitemap.shtml > Site Map: > ===> Yeah, I agree that's one very useful page. It makes sense and KUDOS to the author. Or whoever ran the toc program . I received another peanut gallery comment on the entry page for spamcop today. My sister was curious, so she took a look at it. She's more than a casual computer user and participates in lots of things online, but ... her comment on the entry page was (paraphrased): "what a lot of meaningless (to her) stuff. I had no idea where to look to see what spamcop was about." She doesn't think she'll get into spam reporting for awhile. FWIW, and sometimes I do use my blind eye instead of the one I can't see out of, I don't recall the Sitemap being visible. I'm not saying it isn't, just that I didn't notice it. It's probably there because I always found it easily enough if I'm looking for it. Or I used to: It's a BookMark now. Regards, Pop > -- > Mike Easter > kibitzer, not SC admin > > From nobody at devnull.spamcop.net Sun Jun 26 18:27:43 2005 From: nobody at devnull.spamcop.net (Pop) Date: Sun Jun 26 17:30:02 2005 Subject: [SC-Help] Re: I know you're tired of hearing this, but ... re FAQs References: Message-ID: "WazoO" wrote in message news:d9hb8a$d1j$1@news.spamcop.net... > "Pop" wrote in message > news:d9h7om$9nh$1@news.spamcop.net... >> ... > > Actually, this same discussion is going on "over > there" at > http://forum.spamcop.net/forums/index.php?showtopic=4387 > ... 
> > The current situation: I can modify existing files in > the > Forum, but currently don't have "write" access such > that > I can "add" new files to the program set. Stuck > there > until JT changes some bits. ===> I apologize if you took that to be a complaint or confrontational. I didn't mean to make you spend your time defending the situation, although I DO very much appreciate the insight you provided. Your post is most informational. > ... > now, that work was never intended to be "the final > solution" ... bit the story-line you present in your > "can't > find my way around" is in fact solved by the > single-page > form found in the Forum. ===> Mmm, to a degree you're right, of course. But I was attempting to look at it from the view of someone who's been fighting spam and playing with CAUCE et al, and deciding to come see what Spamcop's all about, or even some complete newbie to SC, like my sister, who recently got interested enough to go check it out. And natch, I did give her the forum address; she liked it much better "over there". But, she needed someone to tell her about it or she wouldn't have found it. > > The/My plan at this point .. when JT gets around to > either > moving some files for me or flipping some permission > bits, > the Forum will get a "portal" page ... basically a > web page > with various informational bits, links, data, etc ... > the Forum > itself will be just another link from the page. Part > of this > "portal" page will be a (intended) short FAQ to > handle > the normal "who the hell is SpamCop?" visitor. When > this > gets put into place and worked over, then Julian, > Deputies, > IronPort, etc. will be taken to task once again to > make > changes to the already referenced www.spamcop.net > page (and Help pages) ===> It must be "interesting" to try to work on something that's gotten as fluid as the ironport/spamcop/used-to-be/spamcop/forum arena. 
One thing about corporations, you always get the pleasure of the gvt way of doing things! Been there done that is all I'm saying.

> ...
>
> I will also note that you are one of the very few people that ever made a comment on the request for input on JT's offer to go the extra mile and buy some other software to be used to build a knowledgebase

===> Hmm, I find that interesting. Too bad, really. Probably a "nothing to contribute" thing. Most of my working life was management related so I had/have some opinions on things like that. I do appreciate the little ego boost, though. I'd never heard that.

> ... not sure I follow that your previous was ignored or rationalized away ...

===> NBD. I got into a couple of the threads but the various parties were so divided I felt that it wasn't worth getting into long debates and there were a couple of near-arguments too as I recall. I was/am too ignorant of a lot of it to debate for very long or very earnestly, so more often than not I'd just let it go when someone explained how I might be wrong and wasn't leaving openings for easy responses. Laziness on my part, probably. There was only once I recall feeling frustrated when Mike Easter (yes, I'm well aware of who he is and mean nothing negative here) apparently figured I was trying to be argumentative and let me know in his classic style of writing. Anyway, I didn't mean it as a complaint, but rather that the "opinions" flying around at the time were, uhh, rather strongly stated.

>
> I'll just repeat, the www.spamcop.net FAQ has been a source of complaints since day one, I did the Forum FAQ as an alternative, I did get the Forum links to point at the top of the Forum back when IronPort assigned the additional task to one of their staff to go through the www.spamcop.net FAQ .... thus allowing access/view of the complete Forum structure (that also has expanded much since then) ...
> point being, there are other resources available, there is still on-going work in some areas, and input is taken ....
>

===> Keep up the good work; and thanks for the insight. It's a thankless job, "but someone has to do it." I know you've worked hard at it.

Best Regards,

Pop
>

From wb8tyw at qsl.network Mon Jun 27 12:47:08 2005
From: wb8tyw at qsl.network (John E. Malmberg)
Date: Mon Jun 27 12:50:04 2005
Subject: [SC-Help] [webforum]Who would spam a sneakemail?
Message-ID:

On the web forum thingy, there is a discussion on how a spammer could have come up with a sneakmail address.

I can not post there during the day, mainly because I can not remember my password and lynx is a bit cumbersome with using that forum.

The original poster, a Jank1887 is stating that they are using a web mailer.

Depending on what browser that Jank1887 is using, they may be giving quite a bit of control of their local system over to whoever sends them e-mail or spam.

The Web mail site may be listed as "Trusted", which generally means that the content that it displays may be permitted to run scripts and even binaries linked to or contained in the e-mail. Some web mail providers require this lowered security level just to log into their service because they use a browser run script for the login process.

In addition, with the web mail services that I have seen, there is no way to disable the automatic opening of external links, which gives the spam sender a great deal of information about the sender and their network.

And with some browsers, there is a known exploit where a website can use the internal FTP facility of the browser to locally run network scripts against other servers. DSBL.ORG has a web page that if you visit it with a vulnerable browser it will cause it to be listed on the DSBL.ORG, and it is trivial to craft an HTML e-mail that will automatically visit that web page.
As the browser does not realize that it is running a script, disabling scripting on the browser is not a work-around. The Mozilla family of browsers is reported not to be vulnerable to this exploit. Some others have patches available.

On the other hand, there is a claim that the systems both on the sending side and the receiving side could not have had a virus or other malware harvest the e-mail address because they were up to date on the virus scanners.

That is not a defense. Any system that needs or user that depends on a virus scanner to keep it clean can never be assumed to be clean of infections, spyware or other malware.

Virus scanners only target discovered viruses, and spyware scanners only target mass distributed spyware, and both are going to be at least 4 to 8 hours behind a new variant coming out. Neither type of scanner is going to be effective against malware that has not yet been detected in mass distribution. Some firewalls may block or detect some of the activity.

And if the system containing the harvested addresses can automatically access files from other systems through the LANMAN protocol that are vulnerable to viruses, then the virus or malware does not have to infect the system containing the harvested addresses for it to be able to read the hard drive and harvest the contents.

Just having the LANMAN protocol in common can be enough if a system makes any connection through the LANMAN protocol to a host running malware. That exploit is past its 10th birthday now, and the only defense is still to have a firewall blocking the LANMAN protocol between the two machines.

The only defense against a malware infection is to have the system locked down so that scripts and binaries can not be installed without the knowledge of the user, and that system must not be able to automatically initiate LANMAN connections to possibly infected systems.
-John
wb8tyw@qsl.network
Personal Opinion Only

From nobody at devnull.spamcop.net Mon Jun 27 16:00:22 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Mon Jun 27 16:05:03 2005
Subject: [SC-Help] Re: [webforum]Who would spam a sneakemail?
References:
Message-ID:

"John E. Malmberg" wrote in message news:M2mP8YRsncex@eisner.encompasserve.org...
> On the web forum thingy, there is a discussion on how a spammer could have
> come up with a sneakmail address.
>
> I can not post there during the day, mainly because I can not remember my
> password and lynx is a bit cumbersome with using that forum.

not sure I want to even try to imagine lynx access. There is the lo-fi display, but there isn't any way to log-in to that set-up. There has been talk here and there of some folks working on a low-density skin, shooting for phone browsers and such, but I can't imagine trying to tackle using that kind of tool at all either ...

The password ... best I could do is reset it something and send that out to you, but technically, there is a "Forgot Password" link if you can see that on failed attempt at logging .. it does work, just not sure if it's "reachable" via text ..???

That said, I did cart your remarks over into that discussion. Thanks for writing it up.

From nobody at devnull.spamcop.net Mon Jun 27 20:57:07 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Mon Jun 27 21:00:03 2005
Subject: [SC-Help] Re: [webforum]Who would spam a sneakemail?
References:
Message-ID:

"Blammo" wrote in message news:Xns9682AA423A5D0blammo@216.154.195.61...
> On 27 Jun 2005 WazoO entered spamcop.help and left
> news:d9plsm$p75$1@news.spamcop.net:
>
> > not sure I want to even try to imagine lynx access. There is the
> > lo-fi display, but there isn't any way to log-in to that set-up.
>
> Huh? Why would there be no way to log in?

?? This like the second, third, fourth (?) post you've made that has the appearance that you only read half of what I typed ...
In this case, you query "no way to log in" .... yet what I said was an issue with "logging into a lo-fi display" .... quite a difference.

Why? I didn't write the application. But based on the traffic in the IBP support forums, the folks wanting to stick in rotating advertising banners, flash files in the header, JavaScript to jazz stuff up, requests for help on bypassing some screen controls so folks can add in animated graphics in their sig ..... those few of us that talk about limiting the crud to just plain text don't seem to carry much weight

As stated in another thread, I'm still waiting for JT to get around to resetting some permissions so I can add/replace some files for that app.

From nttp.sc.sh at bigsleep.org Tue Jun 28 04:46:14 2005
From: nttp.sc.sh at bigsleep.org (Blammo)
Date: Mon Jun 27 23:50:06 2005
Subject: [SC-Help] Re: [webforum]Who would spam a sneakemail?
References:
Message-ID:

On 27 Jun 2005 WazoO entered spamcop.help and left news:d9q793$2ui$1@news.spamcop.net:

>> > not sure I want to even try to imagine lynx access. There is the
>> > lo-fi display, but there isn't any way to log-in to that set-up.
>>
>> Huh? Why would there be no way to log in?
>
> ?? This like the second, third, fourth (?) post you've made
> that has the appearance that you only read half of what I typed ...

OK, well just let me know if I do that, I really try to understand what someone is saying, I don't jump off the keyboard and reply because I got a hot finger (at least I try not to).

> In this case, you query "no way to log in" .... yet what I said
> was an issue with "logging into a lo-fi display" .... quite a
> difference.
>

In English you wrote "but there isn't any way to log-in to that set-up", which would be part two of that sentence, like saying "lo-fi, no cookies, no http auth, no milk" which has four parts. So I don't understand what you are saying there.
Now I read it all again, it looks like you are replying to two statements, but it comes out as one statement. I think you are referring to logging into the forum setup, but the connection is about as clear as mud (I had to read it 4 times to get that far).

> Why? I didn't write the application. But based on the traffic
> in the IBP support forums, the folks wanting to stick in rotating
> advertising banners, flash files in the header, JavaScript to jazz
> stuff up, requests for help on bypassing some screen controls so
> folks can add in animated graphics in their sig ..... those few of
> us that talk about limiting the crud to just plain text don't seem
> to carry much weight
>

Well, none of that has even a little to do with Lynx, since it don't display any of that. Lynx may show graphics links, but they can be suppressed, I think completely suppressed (but don't remember exactly).

Besides, placing crud at the top of your pages severely hurts your search engine rankings since it lowers relevance. It depends on your needs, but I generally put text content first, navigation second, then flash last. I know you have limits, and I'm not real concerned anyway.

--
| Ric
|

From h9vzc2i02 at sneakemail.com Tue Jun 28 09:42:57 2005
From: h9vzc2i02 at sneakemail.com (Anon_)
Date: Tue Jun 28 11:40:02 2005
Subject: [SC-Help] Re: [webforum]Who would spam a sneakemail?
References:
Message-ID:

"John E. Malmberg" wrote in message news:M2mP8YRsncex@eisner.encompasserve.org...
> On the web forum thingy, there is a discussion on how a spammer could have
> come up with a sneakmail address.
>

** I could not find THAT posting (about sneakemail) on the forum, but a spammer gets a sneakemail address the same way he gets any other address (scraping) and I HAVE gotten spam on my sneakemail addresses. I just kill that sneakemail address and recreate it if necessary.
--
A SpamCop user and forum reader, Not Admin ***

From P.scadden at ^no-spam^remove.gns.cri.nz Wed Jun 29 10:19:44 2005
From: P.scadden at ^no-spam^remove.gns.cri.nz (Phil Scadden)
Date: Tue Jun 28 17:20:03 2005
Subject: [SC-Help] Spammer tricks successfully beat spamcop
Message-ID:

This tracker
http://www.spamcop.net/sc?id=z779810189z8d50879f2990ca2d1564a632296301bbz

Link isn't parsed and doesn't find the spam source

From MikeE at ster.invalid Tue Jun 28 16:32:31 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Jun 28 18:35:06 2005
Subject: [SC-Help] Re: Spammer tricks successfully beat spamcop
References:
Message-ID:

Phil Scadden wrote:
> This tracker www.spamcop.net/sc?id=z779810189z8d50879f2990ca2d1564a632296301bbz

That is a live tracker. For tracker display purposes, you should finish the report process by sending it or cancelling it. Theoretically someone could do a little mischief by being able to send a report under your reporting persona. I've cancelled it.

By following the redirector and the frame set you get to http://arfxgfzcv.org.xjdbburfnyvuahnub8mx.primulinedb.info/ES001/?affiliate_id=233670&campaign_id=21005 which has the payload.

> Link isn't parsed and doesn't find the spam source

You are correct. The URL is misformed and SC fails to deobfuscate it correctly -- then it can't resolve what it has deobfuscated.

SC determines the source

Report Spam to:
Re: 131.203.5.60 (Administrator of network where email originates)
To: p.whimp@comnet.co.nz

which appears to be your mailhost, because it breaks the chain prematurely.

Abbreviated Receive lines *comment
from grfn6.gns.cri.nz ([131.203.5.60]) by dndm1.gns.cri.nz *serves you
from omega.gns.cri.nz (unverified) by grfn6.gns.cri.nz *serves you
from (host86-130-77-159.range86-130.btcentralplus.com [86.130.77.159]) by omega.gns.cri.nz *sourceline

SC fails to make the chain from the 2nd line to the third, leaving it stuck with the 1st.
The source is the SCbl listed 86.130.77.159 -- notify abuse@btbroadband.com

You can remedy this kind of problem by configuring for mailhosts. It is possible that at some future date SC may recognize the service between omega and grfn6 of gns.cri.nz -- but at present it does not.

We have this little situation:

dns gns.cri.nz
Mail for gns.cri.nz is handled by mx1.gns.cri.nz
Canonical name: gns.cri.nz
Addresses:
131.203.97.4
202.53.176.4

mx1.gns.cri.nz = 161.65.52.34

SC tries very diligently to work out this chaining problem:

131.203.5.60 not listed in dnsbl.njabl.org
131.203.5.60 not listed in cbl.abuseat.org
131.203.5.60 not listed in dnsbl.sorbs.net
131.203.5.60 is not an MX for dndm1.gns.cri.nz
131.203.5.60 is not an MX for grfn6.gns.cri.nz
131.203.5.60 is not an MX for omega.gns.cri.nz
131.203.5.60 is not an MX for dndm1.gns.cri.nz
131.203.5.60 not listed in dnsbl.njabl.org
host omega.gns.cri.nz (checking ip) = 161.65.52.34
161.65.52.34 not listed in dnsbl.njabl.org
161.65.52.34 not listed in cbl.abuseat.org
161.65.52.34 not listed in dnsbl.sorbs.net
Chain test:omega.gns.cri.nz =? grfn6.gns.cri.nz
host grfn6.gns.cri.nz (checking ip) = 131.203.5.60
131.203.5.60 is not an MX for omega.gns.cri.nz
host omega.gns.cri.nz (checking ip) = 161.65.52.34
131.203.5.60 is not an MX for omega.gns.cri.nz
omega.gns.cri.nz and grfn6.gns.cri.nz have same domain - chain verified

...but in the end it fails and has to quit at the top line.

As a human, I'm able to figure it out and properly name the source below your servers.
--
Mike Easter
kibitzer, not SC admin

From anon at coks.net Tue Jun 28 16:48:46 2005
From: anon at coks.net (J G)
Date: Tue Jun 28 18:50:02 2005
Subject: [SC-Help] Re: Spammer tricks successfully beat spamcop
In-Reply-To:
References:
Message-ID:

On 6/28/2005 2:19 PM Phil Scadden scribbled:
> This tracker
> http://www.spamcop.net/sc?id=z779810189z8d50879f2990ca2d1564a632296301bbz
>
> Link isn't parsed and doesn't find the spam source
>
>

Looks like comnet.co.nz to 1 other parser (I'm not one to argue with them), claiming the BT address is forged, and another says it is BTbroadband.

Which are you thinking it is?

From MikeE at ster.invalid Tue Jun 28 16:51:36 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Jun 28 18:55:02 2005
Subject: [SC-Help] Re: Spammer tricks successfully beat spamcop
References:
Message-ID:

Mike Easter wrote:
> Phil Scadden wrote:
>> Link isn't parsed and doesn't find the spam source
> Report Spam to:
> Re: 131.203.5.60
> which appears to be your mailhost, because it breaks the chain
> prematurely.
>
> Abbreviated Receive lines *comment
> from grfn6.gns.cri.nz ([131.203.5.60]) by dndm1.gns.cri.nz *serves
> you from omega.gns.cri.nz (unverified) by grfn6.gns.cri.nz *serves
> you from (host86-130-77-159.range86-130.btcentralplus.com
> [86.130.77.159]) by omega.gns.cri.nz *sourceline
>
> SC fails to make the chain from the 2nd line to the third, leaving it
> stuck with the 1st.

One of the main reasons that SC can't chain thru' those lines is the great discrepancy between the IPs of the mx which gets the spam and the server which puts it in your mailbox. If the grfn6 server had stamped its line in the 'from' field with the IP of the server it got it from, you would have had a more satisfactory outcome.
For demonstration purposes only, I have forged a spam in which I have corrected the deficiency of grfn6's line stamping
http://www.spamcop.net/sc?id=z779834567z8407ed771ddb9549ad3eda29942f0397z

That tracker shows SC correctly naming the source:

Report Spam to:
Re: 161.65.52.34 (Automated open-relay testing system(s))
To: Internal spamcop handling: (relays) (Notes)
Re: 86.130.77.159 (Administrator of network where email originates)
To: abuse@bt.com (Notes)
To: Internal spamcop handling: (bt)

... and it suspects the MX of being an 'open relay' because it is unfamiliar with it.

The configuration which I changed/forged the original to looks like this:

Abbreviated Receive lines *comment
from grfn6.gns.cri.nz ([131.203.5.60]) by dndm1.gns.cri.nz *serves you
from omega.gns.cri.nz (161.65.52.34) by grfn6.gns.cri.nz *serves you
from (host86-130-77-159.range86-130.btcentralplus.com [86.130.77.159]) by omega.gns.cri.nz *sourceline

The difference from the original is that the 'from' field of the 2nd line is correctly configured to show the IP of the source [its own server] from which it got the item.

Proper compliance requires that the Received tracelines be properly configured, and grfn6 isn't stamping its line, the 2nd one, properly. In this case, that makes a lot of difference to spamcop, because there's a lot of difference in the IPs between omega and grfn6.

--
Mike Easter
kibitzer, not SC admin

From anon at coks.net Tue Jun 28 18:27:33 2005
From: anon at coks.net (J G)
Date: Tue Jun 28 20:30:05 2005
Subject: [SC-Help] Question on recipients...
Message-ID:

In the preference settings for SC reporting, there is a box which states you can add addresses you want all your spam reports sent to on top of the defined addresses. So I'd like to include my ISP's abuse desk and the UCE@ftc address for s&g. I assume you can input 2 addresses in that box separated by commas and I think that is in the Help section.
So now I've decided to stop being a mole and am getting the following input option on my report page -

Re: Forwarded Spam (User defined recipient)
To: spam (Notes)
To: (Notes)
To: (Notes)

I am assuming these are for anywhere else I may want to send certain reports /over and above/ those inputted in the preferences section - is this a correct assumption?

And could someone define "untargetted reports" (sounds like an oxymoron)? I don't understand the phrase as used by the system...

tnx guys, and you too, Ellen...

From P.scadden at ^no-spam^remove.gns.cri.nz Wed Jun 29 15:36:41 2005
From: P.scadden at ^no-spam^remove.gns.cri.nz (Phil Scadden)
Date: Tue Jun 28 22:40:03 2005
Subject: [SC-Help] Re: Spammer tricks successfully beat spamcop
References:
Message-ID:

> You can remedy this kind of problem by configuring for mailhosts. It is
> possible that at some future date SC may recognize the service between
> omega and grfn6 of gns.cri.nz -- but at present it does not.

What do you mean by "configuring for mailhosts"? I am not the sysadmin here but if it is a relatively change to the sendmail config, then I might be able to convince them to do it.

From MikeE at ster.invalid Tue Jun 28 21:52:43 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Jun 28 23:55:03 2005
Subject: [SC-Help] Re: Spammer tricks successfully beat spamcop
References:
Message-ID:

Phil Scadden wrote:
>> You can remedy this kind of problem by configuring for mailhosts.
>> It is possible that at some future date SC may recognize the service
>> between omega and grfn6 of gns.cri.nz -- but at present it does not.
>
> What do you mean by "configuring for mailhosts"? I am not the
> sysadmin here but if it is a relatively change to the sendmail
> config, then I might be able to convince them to do it.

No -- I meant you configure SpamCop and yourself, your account into the mailhost configuration for you. If you are logged in at the webparser page at http://www.spamcop.net/ there's a 'mailhosts' tab.
The description of the function [which looks/sounds confusing] is here
http://www.spamcop.net/fom-serve/cache/397.html
How do I configure Mailhosts for SpamCop?

The idea is that by so configuring, SpamCop recognizes the top part of your headers as yours, however screwed up they may be. That description is an oversimplification, because there are some other algorithmic differences, but the point is that it helps SC considerably to know whose headers those are which are being processed.

--
Mike Easter
kibitzer, not SC admin

From anon at coks.net Tue Jun 28 23:35:18 2005
From: anon at coks.net (J G)
Date: Wed Jun 29 01:35:02 2005
Subject: [SC-Help] Re: Spammer tricks successfully beat spamcop
In-Reply-To:
References:
Message-ID:

On 6/28/2005 7:36 PM Phil Scadden scribbled:

>>You can remedy this kind of problem by configuring for mailhosts. It is
>>possible that at some future date SC may recognize the service between
>>omega and grfn6 of gns.cri.nz -- but at present it does not.
>
>
> What do you mean by "configuring for mailhosts"? I am not the sysadmin here
> but if it is a relatively change to the sendmail config, then I might be
> able to convince them to do it.
>
>

are we stuck in a do loop here??

From Ilgaz at spamcop.net Wed Jun 29 15:30:59 2005
From: Ilgaz at spamcop.net (Ilgaz Ocal)
Date: Wed Jun 29 07:35:03 2005
Subject: [SC-Help] Anet TW doesn't care about reports, wondering...
Message-ID:

Hi people,

As any Taiwan company, I figured anet does not care about spam reports at all.

Besides sending insultmonger good wishes ;) to them (nope, I don't abuse spamcop for it), what can an end user do about it?

I mean, I want to notify spamcop that their reports are ignored.

Ilgaz

From MikeE at ster.invalid Wed Jun 29 06:18:55 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Jun 29 08:20:02 2005
Subject: [SC-Help] Re: Anet TW doesn't care about reports, wondering...
References:
Message-ID:

Ilgaz Ocal wrote:
> As any Taiwan company, I figured anet does not care about spam
> reports at all.
>
> Besides sending insultmonger good wishes ;) to them (nope, I don't
> abuse spamcop for it), what can an end user do about it?
>
> I mean, I want to notify spamcop that their reports are ignored.

From a SC point of view, ignoring reports and being unresponsive is almost immaterial, IMO. That is, being notified is considered [by me] to be a courtesy SC extends to the provider. If the provider wanted to, s/he could turn off all SC notifications and not even be bothered with devnulling them or ignoring them.

If the issue is a source, the IP is listed whether or not the provider ignores notifies. If the issue is a spamvertiser, the IP is 'only' put on the stats page whether or not the provider ignores notifies.

A SC notify is like a 'courtesy ticket' in traffic parlance, not like a 'fix it ticket' which requires that you make repairs and report back or a 'real ticket' which requires that you pay a fine or go to court.

If some issue has an upstream or parent which is of value to notify, that is an option to the reporter -- manually for free reporters or SC additional for paid reporters -- and that is about the end of the 'power' of notification. You might try to build a case for a /better/ notify if there /were/ one in routing, but if there isn't a better notify then there isn't a better notify.

SC's role is notifying those who want to be notified, listing those which it lists, and statistic/ing reported spamvertisers. Other systems, such as spews and spamhaus, have a different listing impact and system than spamcop's.

--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Thu Jun 30 16:38:10 2005
From: nobody at devnull.spamcop.net (Miss Betsy)
Date: Thu Jun 30 16:35:02 2005
Subject: [SC-Help] Re: [webforum]Who would spam a sneakemail?
References:
Message-ID:

"Anon_" wrote in message news:d9rr09$tuu$1@news.spamcop.net...
> I could not find THAT posting (about sneakemail) on the forum, but a spammer
> gets a sneakemail address the same way he gets any other address (scraping)
> and I HAVE gotten spam on my sneakemail addresses.
>
> I just kill that sneakemail address and recreate it if necessary.

The OP directed a complaint to the sneakemail addressee company and got a lot of flak back. My personal opinion is that the company had an employee who got a sobig virus infection for long enough that it got the sneakemail address.

Miss Betsy

From nobody at devnull.spamcop.net Thu Jun 30 18:23:38 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Thu Jun 30 18:25:03 2005
Subject: [SC-Help] Re: I know you're tired of hearing this, but ... re FAQs
References:
Message-ID:

"Blammo" wrote in message news:Xns967FD1D5D5CF1blammo@216.154.195.61...
> On 24 Jun 2005 WazoO entered spamcop.help and left
> news:d9hb8a$d1j$1@news.spamcop.net:
>
> > the Forum will get a "portal" page ... basically a web page
> > with various informational bits, links, data, etc ... the Forum
> > itself will be just another link from the page.
>
> I hope you don't mean clicking help will take you to the forum,
> or to go to help/FAQ you have to go to the forum link first.
> Some of us are mortally afraid of forums.

No, I said what I meant. However, issues abound. The Forum application was developed and meant to be run "from the house" .. by the system owner ... JT isn't going to toss me the keys, and I'm running into all kinds of permissions problems. He gave me some su powers a day or two ago, that let me move stuff around, went to install a modification, then found that I didn't have the rights to add / extend the SQL database.

All that to state that I found a weak way to simulate where I'm headed. The page is not ready for prime time, still wrangling code on how this page gets 'developed' ... it isn't even close to what I actually had envisioned ... but .. here's 'your' chance ...
take a look at the box currently labeled "Site Navigation" ... that box (or one of the others that will get knocked out) is what I'm suggesting as the spot to list the pointers to the "critical" items for those "first-time visitors, looking for that one answer" ....

What (few) questions need to show up there? FAQ, Forum, newsgroups already linked to at the top of the page ....

http://forum.spamcop.net/forums/index.php?act=home

From MikeE at ster.invalid Thu Jun 30 16:41:35 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Jun 30 18:45:03 2005
Subject: [SC-Help] Re: I know you're tired of hearing this, but ... re FAQs
References:
Message-ID:

WazoO wrote:
> What (few) questions need to show up there?
> FAQ, Forum, newsgroups already linked to at
> the top of the page ....
>
> http://forum.spamcop.net/forums/index.php?act=home

I'm not clear on integrating that page with the others at the forum.

I can't seem to get to that page from any other forum page, including the normal forum front door at http://forum.spamcop.net/forums/ or its testing branch, so I presume this 'home' section is a 'fork' ;-)

I see that site navigation gizmo on the left, but I can't figure out where the R side's content is coming from, as pertains to the 'normal' forum or the 'left' fork. Or the right fork? -- if you are going to be a fork, we should decide if you are right or left or red or blue or green or yellow or something.

There definitely needs to be a site navigation and you definitely need to be able to get from anywhere you are to anywhere you want to go, not necessarily in one step, but there needs to be 'congruity'.

--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Thu Jun 30 20:38:06 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Thu Jun 30 20:40:02 2005
Subject: [SC-Help] Re: I know you're tired of hearing this, but ... re FAQs
References:
Message-ID:

"Mike Easter" wrote in message news:da1seo$cnh$1@news.spamcop.net...
> WazoO wrote:
> > What (few) questions need to show up there?
> > FAQ, Forum, newsgroups already linked to at
> > the top of the page ....
> >
> > http://forum.spamcop.net/forums/index.php?act=home
>
> I'm not clear on integrating that page with the others at the forum.

Maybe take another look at my 6-24 post in this thread. The 'portal' page being an entrance point .... as I stated, the Forum is but one link off of this page.

> I can't seem to get to that page from any other forum page, including
> the normal forum front door at http://forum.spamcop.net/forums/ or its
> testing branch, so I presume this 'home' section is a 'fork' ;-)

Technically, the ?act=home invokes another .php file that pulls in a raft of other script files to "build" that web page. Trying to follow all the script bits, macros, links, variable sets is driving me a bit blind at present. As stated, this is but a weak example to try to show what was meant by a "portal page" ... There is a much more flushed out / complete portal page script offered up as a 'starter' file, and the actual coding of that I'm much more familiar with. The problem is that to 'play' with that file, I'd have to make it live ... and I'm not willing at present to make everyone suffer while I figure it out. (Thus the request for input while I'm screwing with code in the background.)

> I see that site navigation gizmo on the left, but I can't figure out
> where the R side's content is coming from, as pertains to the 'normal'
> forum or the 'left' fork. Or the right fork? -- if you are going to be
> a fork, we should decide if you are right or left or red or blue or
> green or yellow or something.

As stated above, this page is built upon various snippets of code. The lower left-hand stuff and right-hand stuff is built from Forum contents. I'm still trying to sort the code bits on how the decision is made on what to display, Control Panel allows for which Forum sections to pull content from, how many items to display ...
one would think that time/date-ordered values would factor in, but it doesn't seem to reflect that. Again, this wasn't the actual page intended, still trying to figure out the code this script is using .. just trying to offer an example of where I was headed.

> There definitely needs to be a site navigation and you definitely need
> to be able to get from anywhere you are to anywhere you want to go, not
> necessarily in one step, but there needs to be 'congruity'.

Per Pop's remarks, Blammo's follow-ups, the years of continuing bitches about the www.spamcop.net FAQ-o-matic thing ... trying to picture this page as having those 'initial' answers for those first-time (ticked off) visitors, and links to the rest of the support venues if further dialog is needed/desired. Again, the 6-24 post in this thread.

From nobody at devnull.spamcop.net Thu Jun 30 21:59:35 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Thu Jun 30 22:00:03 2005
Subject: [SC-Help] Re: I know you're tired of hearing this, but ... re FAQs
References:
Message-ID:

"Blammo" wrote in message news:Xns9685BB667D317blammo@216.154.195.61...
> On 30 Jun 2005 WazoO entered spamcop.help and left
> news:da239e$gck$1@news.spamcop.net:
>
> > Blammo's follow-ups, the years of continuing bitches
> > about the www.spamcop.net FAQ-o-matic thing ... trying to picture
> > this page as having those 'initial' answers for those first-time (ticked
> > off) visitors
>
> I don't have much trouble with the FAQ-O-Matic, but I think the priority's
> a little messed up; some info is buried, or out-dated, or nonexistent.

Yes, that's been a number of the complaints over the years. Again, one of the reasons that got me to do up the single-page access version.

> I mean, first, you need to know what Spamcop does, then how to get the
> original spam source, how to sign up, how to report and reporting rules,
> then what to do when things go wrong. Seems like "how to read headers"
> would be important as well.
Signing up could be a higher priority, but
> signing up only to find out you can't report is pretty annoying. Perhaps
> "What you need before signing up" would take care of that.

Are you attempting to answer my actual query for input on attempting to do this "portal" page, doing more complaining about the existing www.spamcop.net FAQ, or suggesting that you or someone else is going to try to write up something that takes all the existing data on how to work-around various issues into an "all you need to do is ..."???? Recall that this is one of the biggest headaches, everyone wants to use their favorite tools, then bitch that the SpamCop parser isn't compliant, vice the "all you need" requirement of simply needing an RFC compliant agent (and server) ...????

> Of course Spamcop Mail would be a separate section, but similar, and the
> "What to do if you're blocked" would be a separate section.
> It is basically that way now, but needs improvement

Based on your "never been there" and that Miss Betsy hasn't tried to meet the cyclic "someone ought to post a FAQ every day/week/ month" thing in quite a while ... have you ever looked at the (Forum) FAQ or Miss Betsy's effort on the "Why am I Blocked?" FAQ entry (developed in the Forum) ??? Did you note that this was in fact the first 'extra' link I placed into the "site navigation" box?