From ob1db at spamcop.net Sun May 1 17:06:38 2005
From: ob1db at spamcop.net (David Butler)
Date: Sun May 1 16:10:03 2005
Subject: [SC-Help] Links not found error
Message-ID:

http://www.spamcop.net/sc?id=z758698182ze3c4ceb0098a7a3edf35f19e8b157121z

finds no links, but I can manually parse it:

Parsing input: www.fasterdaz.com
No recent reports, no history available
Routing details for 202.99.172.149
[refresh/show] Cached whois for 202.99.172.149 : ipanm@heinfo.net abuse@cnc-noc.net
Using abuse net on abuse@cnc-noc.net
abuse net cnc-noc.net = antispam@public.zz.ha.cn, abuse@cnc-noc.net, postmaster@cnc-noc.net
Using best contacts antispam@public.zz.ha.cn abuse@cnc-noc.net postmaster@cnc-noc.net
antispam@public.zz.ha.cn redirects to abuse@chinanet.cn.net

repeat parsing had no effect.

Any ideas ?

From nobody at devnull.spamcop.net Sun May 1 19:16:49 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Sun May 1 19:20:05 2005
Subject: [SC-Help] Re: Links not found error
References:
Message-ID:

"David Butler" wrote in message news:d53cts$ltl$1@news.spamcop.net...
> http://www.spamcop.net/sc?id=z758698182ze3c4ceb0098a7a3edf35f19e8b157121z
>
> finds no links, but I can manually parse it:
>
> repeat parsing had no effect.
>
> Any ideas ?

You mean beyond the hundreds of posts already existing here, the discussions ongoing over in the web-Forum???? The only actual / hard data not existing yet is Julian's words ... ideas, concepts, specifics, generalities .. many of these already offered right here in the same newsgroups, some of them even have recognizable Subject: Lines.

Did you look at the data found at
http://www.dnsreport.com/tools/dnsreport.ch?domain=fasterdaz.com
At present, it's amazing that you actually could reach it, but once again, your browser will allow / ignore some of this so as not to ruin the user experience. The SpamCop parser doesn't take those same liberties.

From bar_n0ne at hotmail.com Mon May 2 10:12:43 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Mon May 2 01:15:10 2005
Subject: [SC-Help] Re: Links not found error
References:
Message-ID:

"WazoO" wrote in message news:d53o18$r91$1@news.spamcop.net...
> "David Butler" wrote in message
> news:d53cts$ltl$1@news.spamcop.net...
> > http://www.spamcop.net/sc?id=z758698182ze3c4ceb0098a7a3edf35f19e8b157121z
> >
> > finds no links, but I can manually parse it:
> >
> > repeat parsing had no effect.
> >
> > Any ideas ?
>
> You mean beyond the hundreds of posts already
> existing here, the discussions ongoing over in the
> web-Forum???? The only actual / hard data not
> existing yet is Julian's words ... ideas, concepts,
> specifics, generalities .. many of these already
> offered right here in the same newsgroups, some
> of them even have recognizable Subject: Lines.
>
> Did you look at the data found at
> http://www.dnsreport.com/tools/dnsreport.ch?domain=fasterdaz.com
> At present, it's amazing that you actually could
> reach it, but once again, your browser will allow
> / ignore some of this so as not to ruin the user
> experience. The SpamCop parser doesn't take
> those same liberties.

He was talking about the SC parser, If I read correctly he says entering the link into the parser window yields the reporting addresses he showed.

There really is something weird going on, I've got some spam-sites that SC will patiently sit and try for over a minute to parse, but it tries every time, and others it mostly doesn't bother with, maybe after many tries it will, some it parses one out of 3 or 4 times (I get a lot of repeat spams for the same site, so 1st report will parse, next one doesn't. (same site). If SC caches some of the name resolutions, I think there is some kind of problem with that part of the software.

Anyway, in my mind the only reason I want a parse is to get the name up on the stats page, the hosters largely are unresponsive and don't give a damn anyway (MCI, CNC-NOC, Tietong, hjtele kornet, hana etc.), but I'd like the URBL's to get access to the names so spamassassin can help reject/kill more of these spams for sites that use it. I'd be really happy if SC simply offered up a way to make these domain names available (as in the stats page) somehow. Also in some countries, particularly the middle east, that gets the domains and IP ranges automatically blocked at their gateways. I know there is collateral damage, but it seems the only way to get ISP's to shape up is for them to have unhappy paying customers.

Otherwise it's mostly a game to annoy the spammer, and a successful parse of a misbehaving site is a little like thumbing your nose at a quarry in hide and seek.

From bar_n0ne at hotmail.com Mon May 2 16:32:30 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Mon May 2 07:35:03 2005
Subject: [SC-Help] Re: THEHOTTESTTHINGAROUND.COM
References: <7651876dfc234ded9084d7da137209b5@soc.med.fizzing.at.the.bunghole> <11323-42707CAC-123@storefull-3272.bay.webtv.net>
Message-ID:

"Berny" wrote in message news:d4qajt$2p9$1@news.spamcop.net...
> "DJ Mike" wrote in message
> news:11323-42707CAC-123@storefull-3272.bay.webtv.net...
> > He is back to sending from 65.182.142.2
> > (abuse@xo.com)
> >
> > By amazing coincidence
> > NS1.THEHOTTESTTHINGAROUND.COM
> > IP: 65.182.140.151 (xo.com)
> > I got that a few weeks ago so they might have moved it by now.
> >
> > Anyone know how to nominate MCI for a SPEWS listing? Or are they already
> > listed?
> >
>
> I don't know the answer to your question but s/he also seem to have switched
> from SBewGlobal to XO/Imedia for sending the crap.
>
> Who owns XO nowadays? I haven't seen a spam from them in ages, Of course I
> seem to remember them having some fame as listwashers, so perhaps my LARTS
> will at least stop the spew for me.

See the SBCGlobal thread on spamcop. Now moved to pacbell, spamvertized site also left MCI for 69.67.72.10, not well stealthed from SC as the old site was, and is under special attention from abuse at xo as an interested 3d party

latest sending ip was 69.67.72.16

From ob1db at spamcop.net Mon May 2 13:01:17 2005
From: ob1db at spamcop.net (David Butler)
Date: Mon May 2 12:05:03 2005
Subject: [SC-Help] Re: Links not found error
References:
Message-ID:

"Berny" wrote in message news:d54cse$ahe$1@news.spamcop.net...
>
> "WazoO" wrote in message
> news:d53o18$r91$1@news.spamcop.net...
> > "David Butler" wrote in message
> > news:d53cts$ltl$1@news.spamcop.net...
>
> > > http://www.spamcop.net/sc?id=z758698182ze3c4ceb0098a7a3edf35f19e8b157121z
> > >
> > > finds no links, but I can manually parse it:
> > >
> > > repeat parsing had no effect.
> > >
> > > Any ideas ?
> >
> > You mean beyond the hundreds of posts already
> > existing here, the discussions ongoing over in the
> > web-Forum???? The only actual / hard data not
> > existing yet is Julian's words ... ideas, concepts,
> > specifics, generalities .. many of these already
> > offered right here in the same newsgroups, some
> > of them even have recognizable Subject: Lines.
> >
Snip
> >
> He was talking about the SC parser, If I read correctly he says entering the
> link into the parser window yields the reporting addresses he showed.
>
> There really is something weird going on, I've got some spam-sites that SC
> will patiently sit and try for over a minute to parse, but it tries every
> time, and others it mostly doesn't bother with, maybe after many tries it
> will, some it parses one out of 3 or 4 times (I get a lot of repeat spams
> for the same site, so 1st report will parse, next one doesn't. (same site).
> If SC caches some of the name resolutions, I think there is some kind of
> problem with that part of the software.

Yes, this is what I was talking about.
Since SC parsed the site individually, I don't see why it failed in context.

Certainly the question did not merit the prior response's testiness...

Thanks
David

From nobody at devnull.spamcop.net Mon May 2 15:20:28 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Mon May 2 15:25:03 2005
Subject: [SC-Help] Re: Links not found error
References:
Message-ID:

"Berny" wrote in message news:d54cse$ahe$1@news.spamcop.net...
>
> He was talking about the SC parser, If I read correctly he says entering the
> link into the parser window yields the reporting addresses he showed.

The spam parsing engine and the single-line look-up are separate codebase structures. (From this side of the screen) the only thing "in common" is that Julian removed the single-line look-up entry 'form' and merged that into a decision check in the remaining form-window ... a single line of text heads down the single-line look-up code branch, more than one line kicks over to the spam parser. And that (my guess) takes one back to the time-out scenario.

The "testiness" issue yet again ... damn, you (DB) pose a query on a subject that's been hammered for a couple of months in several newsgroups and the web-Forum, then choose to simply ask "any ideas?" No testiness involved, simply asking / suggesting about all the existing commentary and whether any time had (or would be) spent on looking at "all" the "ideas" presented thus far.

From jodi at musesmuse.com Mon May 2 16:45:33 2005
From: jodi at musesmuse.com (Jodi Krangle)
Date: Mon May 2 15:45:37 2005
Subject: [SC-Help] Help? Fraudulent email in the "from" of sp*m!
Message-ID: <6.1.1.1.2.20050502153835.01ade638@mail.spamcop.net>

I'm really hoping someone here has some advice for me...

My business email address - jodi@internet-marketing-mm.com - is getting TONS of "mail undeliverable" messages (and I mean thousands a day) from some slimy sp*mmers who have put that email address in the "from" field of their mailouts.
:(

This has been going on for about five days now (maybe more) and it shows no sign of stopping. It's EXTREMELY annoying.

I'm aware that when people report sp*m, it's reported by IP address and not necessarily by the actual email address listed in the mail... although I'm sure my email address IS being banned by some people who really think I'd be stupid enough to send out that crap, since the email address actually makes reference to "internet-marketing".

Is there ANYTHING I can do about this? Does anyone have any advice for me here? I'm getting more than a little desperate.

Thanks in advance for any help you can offer!

All the best,

--Jodi

----------------------------------------------------------------------
Jodi Krangle - Proprietress of The Muse's Muse
Songwriting Resource @ www.musesmuse.com

To find out more about the free monthly e-zine:
http://www.musesmuse.com/musenews.html

Do you have a website no one can find?
http://www.internet-marketing-mm.com/ for details.
----------------------------------------------------------------------

From MikeE at ster.invalid Mon May 2 14:19:40 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Mon May 2 16:20:06 2005
Subject: [SC-Help] Re: Help? Fraudulent email in the "from" of sp*m!
References:
Message-ID:

Jodi Krangle wrote:
> I'm really hoping someone here has some advice for me...

There's not really any good news here.

> My business email address - jodi@internet-marketing-mm.com - is
> getting TONS of "mail undeliverable" messages (and I mean thousands a
> day) from some slimy sp*mmers who have put that email address in the
> "from" field of their mailouts. :(

That can sometimes cause absolutely huge amounts of trouble, depending upon the volume of 'belated bounces' you receive, it can fill up your Inbox and actually cause you some service denial because of 'mailbox full'.

> This has been going on for about five days now (maybe more) and it
> shows no sign of stopping. It's EXTREMELY annoying.

Yes.

> I'm aware that when people report sp*m, it's reported by IP address
> and not necessarily by the actual email address listed in the mail...
> although I'm sure my email address IS being banned by some people who
> really think I'd be stupid enough to send out that crap, since the
> email address actually makes reference to "internet-marketing".

It is true that some foolish spam recipients click on 'block sender' as a reaction to spam. If there is some concordance between that particular inane behavior and someone who you want to email, then you could 'accidentally' be blocked by a foolish spammee who blocked your addy as a sender on the basis of the spam they received with your addy as the bogus From.

> Is there ANYTHING I can do about this?

No. You can't even spamcop report the original spam items. You /can/ report the belated bounces caused by those servers which are accepting the spams and then creating newmails addressed to the bogus From. That behavior creates what is called 'backscatter' and it is abusive and can be reported.

There's nothing you can do about stopping the originator of the spam, any more than usual. You can manually report the spam source of the original item -- but it is probably just an abused proxy.

> Does anyone have any advice
> for me here? I'm getting more than a little desperate.

Try to handle your Inbox in a manner that is non-frustrating. If you can automate it, do so.

--
Mike Easter
kibitzer, not SC admin

From Kilgallen at SpamCop.net Mon May 2 16:41:44 2005
From: Kilgallen at SpamCop.net (Larry Kilgallen)
Date: Mon May 2 16:45:15 2005
Subject: [SC-Help] Re: Help? Fraudulent email in the "from" of sp*m!
References:
Message-ID:

In article , Jodi Krangle writes:
> I'm really hoping someone here has some advice for me...
>
> My business email address - jodi@internet-marketing-mm.com - is getting
> TONS of "mail undeliverable" messages (and I mean thousands a day) from
> some slimy sp*mmers who have put that email address in the "from" field of
> their mailouts. :(

As I report that spam (the message claiming I sent a message I did not) I include something like the following text in my SpamCop report:

Believe it or not, spammers lie. Please adjust your software to not send these meaningless warnings blindly to the "From:" address, but instead respond within the SMTP dialog, so your comments get to the actual originator rather than pestering an innocent bystander.

From SCNews.5.myspamgobbler at spamgourmet.com Mon May 2 15:16:32 2005
From: SCNews.5.myspamgobbler at spamgourmet.com (Brian (SnSR))
Date: Mon May 2 17:20:44 2005
Subject: [SC-Help] Re: Help? Fraudulent email in the "from" of sp*m!
In-Reply-To:
References:
Message-ID:

Jodi Krangle wrote:
> I'm really hoping someone here has some advice for me...
>
> My business email address - jodi@internet-marketing-mm.com - is getting
> TONS of "mail undeliverable" messages (and I mean thousands a day) from
> some slimy sp*mmers who have put that email address in the "from" field
> of their mailouts. :(

What would be very helpful is to be able to 'see' the bounces. The best way to do this is to put them through the SpamCop parser and paste a tracker to this newsgroup. Ideally, one that contains the full spam item, but we may be able to track down the original messages. This will tell us (TINU) more useful information.

>
> This has been going on for about five days now (maybe more) and it shows
> no sign of stopping. It's EXTREMELY annoying.
>
> I'm aware that when people report sp*m, it's reported by IP address and
> not necessarily by the actual email address listed in the mail...
> although I'm sure my email address IS being banned by some people who
> really think I'd be stupid enough to send out that crap, since the email
> address actually makes reference to "internet-marketing".
>

Performing a quick search, 205.207.28.103 is not listed in any blocklist. You may want to have a chat with Samurai Consulting just to let them know this is happening. Hopefully, they are aware enough that they would look at the real source of the emails, but this looks like it may be a small hosting company, and someone working there may not know how to read headers well.

I just spent a couple of days working on removing all support for an anonymous bulk emailer and a couple of large hosting companies took the software sites down without contacting the owners because I included their hosting company in the reports, even though they are just listing the software.

This was an overreaction, but don't let this happen to you.

> Is there ANYTHING I can do about this? Does anyone have any advice for
> me here? I'm getting more than a little desperate.
>

I can imagine how bothersome this could be. I haven't personally had the pleasure of dealing with this. (knocking on wood) It is possible that this is being done by a competitor, but most likely, it is just your turn. This happens to many people, and it will usually stop after a period of time.

I'm curious about the headers to your message. It shows a FORGED_RCVD_HELO, so I would appreciate an email from you just to make sure that this message was coming from you and not from a newsgroup troll or some such. spamnscamsreporter at gmail dot com.

I am also curious about your aversion to spelling out spam/mer. :)

> Thanks in advance for any help you can offer!
>
> All the best,
>
> --Jodi
>
> ----------------------------------------------------------------------
> Jodi Krangle - Proprietress of The Muse's Muse
> Songwriting Resource @ www.musesmuse.com
>
> To find out more about the free monthly e-zine:
> http://www.musesmuse.com/musenews.html
>
> Do you have a website no one can find?
> http://www.internet-marketing-mm.com/ for details.
> ----------------------------------------------------------------------
>

From nospam at fuck-off-and-die.com Tue May 3 15:24:13 2005
From: nospam at fuck-off-and-die.com (Kadaitcha Man)
Date: Tue May 3 04:40:07 2005
Subject: [SC-Help] Re: Help? Fraudulent email in the "from" of sp*m!
References:
Message-ID: <05559798f0794bcbbeb31797e97def82@biz.forsale.celebrities.nude>

Brian (SnSR), , the subaqueous, screeching horse, and faker and painter of wood to make it look like great and exotic wood, moralised:

> I just spent a couple of days working on removing all support for an
> anonymous bulk emailer and a couple of large hosting companies took
> the software sites down without contacting the owners because I
> included their hosting company in the reports, even though they are
> just listing the software.
>
> This was an overreaction, but don't let this happen to you.

No. That was just fucking irrelevant bullshit, you fucking cunt.

From bar_n0ne at hotmail.com Tue May 3 14:03:27 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Tue May 3 05:07:10 2005
Subject: [SC-Help] Re: Help? Fraudulent email in the "from" of sp*m!
References: <05559798f0794bcbbeb31797e97def82@biz.forsale.celebrities.nude>
Message-ID:

"Kadaitcha Man" wrote in message
>
> No. That was just fucking irrelevant bullsh*t, you f*cking cunt.
>

Got spanked eh? :)

From nospam at fuck-off-and-die.com Wed May 4 19:26:41 2005
From: nospam at fuck-off-and-die.com (Kadaitcha Man)
Date: Wed May 4 08:45:26 2005
Subject: [SC-Help] Re: Help? Fraudulent email in the "from" of sp*m!
References: <05559798f0794bcbbeb31797e97def82@biz.forsale.celebrities.nude>
Message-ID: <276387b69aa14639a31f567f99332f80@alt.binaries.erotica.multimedia.foul.tasting.vaginal.secretions>

Berny, , the wrinkly, streaming pimp, and puppeteer/marionetteer, derogated:

> "Kadaitcha Man" wrote in message
>
>> No. That was just fucking irrelevant bullsh*t, you f*cking cunt.
>>
>
> Got spanked eh? :)

Not that I recall. Besides, there are no asterisks in the words bullshit and fucking.

From bar_n0ne at hotmail.com Wed May 4 18:29:20 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Wed May 4 09:30:03 2005
Subject: [SC-Help] Re: Help? Fraudulent email in the "from" of sp*m!
References: <05559798f0794bcbbeb31797e97def82@biz.forsale.celebrities.nude> <276387b69aa14639a31f567f99332f80@alt.binaries.erotica.multimedia.foul.tasting.vaginal.secretions>
Message-ID:

"Kadaitcha Man" wrote in message news:276387b69aa14639a31f567f99332f80@alt.binaries.erotica.multimedia.foul.tasting.vaginal.secretions...
> Berny, , the wrinkly, streaming pimp, and
> puppeteer/marionetteer, derogated:
>
> > "Kadaitcha Man" wrote in message
>
> >> No. That was just fucking irrelevant bullsh*t, you f*cking cunt.
> >>
> >
> > Got spanked eh? :)
>
> Not that I recall. Besides, there are no asterisks in the words bullshit and
> fucking.
>

Oh, Tourettes Syndrome then,

From buzzard554 at fastmail.co.uk Wed May 4 19:20:08 2005
From: buzzard554 at fastmail.co.uk (Martin Edwards)
Date: Wed May 4 13:20:07 2005
Subject: [SC-Help] Re: Help? Fraudulent email in the "from" of sp*m!
In-Reply-To:
References: <05559798f0794bcbbeb31797e97def82@biz.forsale.celebrities.nude> <276387b69aa14639a31f567f99332f80@alt.binaries.erotica.multimedia.foul.tasting.vaginal.secretions>
Message-ID:

Berny wrote:
> "Kadaitcha Man" wrote in message
> news:276387b69aa14639a31f567f99332f80@alt.binaries.erotica.multimedia.foul.tasting.vaginal.secretions...
>
>>Berny, , the wrinkly, streaming pimp, and
>>puppeteer/marionetteer, derogated:
>>
>>
>>>"Kadaitcha Man" wrote in message
>
>>>
>>>>No. That was just fucking irrelevant bullsh*t, you f*cking cunt.
>>>>
>>>
>>>Got spanked eh? :)
>>
>>Not that I recall. Besides, there are no asterisks in the words bullshit
>
> and
>
>>fucking.
>>
>
>
> Oh, Tourettes Syndrome then,
>
>

At this point Berny was struck by lightning and a voice came out of the sky: "Missed the f*ck*ng b*st*rd!"

From I_Report_Spam at webtv.net Wed May 4 13:12:33 2005
From: I_Report_Spam at webtv.net (DJ Mike)
Date: Wed May 4 15:30:15 2005
Subject: [SC-Help] Re: THEHOTTESTTHINGAROUND.COM
References:
Message-ID: <469-42791EA1-21@storefull-3276.bay.webtv.net>

He moved on the 1st. At first, whoa007@pacbell.net as an interested 3rd party. He isn't any more but I add his email anyway. If any one is near San Jose, maybe they can drop him a line.

69.67.72.10, 69.67.72.20
Reporting addresses: abuse@xo.com

CustName: Roger Graves
Address: 301 W. Capital Exp.
City: San Jose
StateProv: CA
PostalCode: 95136
Country: US
NetRange: 69.67.72.0 - 69.67.72.255
NetName: DATAMONITOR-BUSSINESS-INFORMATION
OrgTechHandle: NOC1264-ARIN
OrgTechName: Network Operations Center
OrgTechPhone: +1-408-268-4526
OrgTechEmail: whoa007@pacbell.net

From P.scadden at ^no-spam^remove.gns.cri.nz Thu May 5 10:12:27 2005
From: P.scadden at ^no-spam^remove.gns.cri.nz (Phil Scadden)
Date: Wed May 4 17:15:03 2005
Subject: [SC-Help] analysis failed on this spam
Message-ID:

This spam
http://www.spamcop.net/sc?id=z759777881z82490c88d1145b8f3a52d0517158ce77z
resulted in spamcop deciding our isp was the source. It also appears to have failed to resolve the links.

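An added illustration for the report above (not part of any post in this thread, and not SpamCop's code): a simplified model of how a report parser walks Received lines from the top and names as source the last address recorded by a host it trusts. Host names, addresses and the trusted-host lists are constructed; the chain has the same shape as the one discussed in this thread.

```python
import re

# "from <helo> [anything] by <host>": the middle part may carry the peer
# address as "[ip]", "([ip])" or "(rdns [ip])", or nothing at all.
HOP_RE = re.compile(r"^from\s+(\S+)(.*?)\s+by\s+(\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hop(value):
    """Return (helo, peer_ip_or_None, by_host), or None if the line is unreadable."""
    m = HOP_RE.match(" ".join(value.split()))  # unfold continuation whitespace
    if not m:
        return None
    helo, middle, by_host = m.groups()
    found = IP_RE.search(helo + middle)
    ip = found.group(1) if found else None
    if ip and any(int(octet) > 255 for octet in ip.split(".")):
        ip = None  # bracketed text that is not a valid IPv4 address
    return helo.lower(), ip, by_host.lower().rstrip(";")


def find_source(received, trusted_hosts):
    """Walk Received values top-down; return (source_ip, why_the_walk_stopped).

    A line counts only if the host that stamped it ("by") is one of the
    reporter's own mail hosts. Anything below the first untrusted or
    unreadable line could have been written by the sender and is ignored.
    """
    trusted = {h.lower() for h in trusted_hosts}
    source = None
    for number, value in enumerate(received, start=1):
        hop = parse_hop(value)
        if hop is None:
            return source, f"line {number} unreadable, chain ends early"
        _helo, ip, by_host = hop
        if by_host not in trusted:
            return source, f"line {number} stamped by untrusted host {by_host}"
        if ip:
            source = ip
    return source, "every line was stamped by a trusted host"


# Constructed sample, newest line first: two internal relays, the real
# hand-off from a DSL address, then a line forged by the sender.
LONG_FORM = ("from dsl-92.access.example (dsl-92.access.example [198.51.100.92]) "
             "by mx.isp.example (8.10.2) with SMTP id CONSTRUCTED1; "
             "Thu, 5 May 2005 07:14:47 +1200")
SHORT_FORM = ("from dsl-92.access.example [198.51.100.92] "
              "by mx.isp.example (8.10.2) with SMTP id CONSTRUCTED1; "
              "Thu, 5 May 2005 07:14:47 +1200")
SAMPLE = [
    "from relay2.isp.example ([192.0.2.60]) by mbox.isp.example with ESMTP; "
    "Thu, 5 May 2005 07:14:50 +1200",
    "from mx.isp.example by relay2.isp.example with ESMTP; "
    "Thu, 5 May 2005 07:14:48 +1200",
    LONG_FORM,
    "from zz.forged.example ([203.0.113.167]) by yy.forged.example; "
    "Thu, 5 May 2005 04:00:00 +0900",
]
ALL_MAILHOSTS = ["mbox.isp.example", "relay2.isp.example", "mx.isp.example"]

if __name__ == "__main__":
    # Every relay of the reporter's provider is known: the DSL address is named.
    print(find_source(SAMPLE, ALL_MAILHOSTS))
    # Only the final mailbox host is known: the provider's own relay is blamed.
    print(find_source(SAMPLE, ["mbox.isp.example"]))
    # Line 3 cannot be read: the walk stops and the top line's address is blamed.
    damaged = SAMPLE[:2] + ["garbled text without the expected keywords"] + SAMPLE[3:]
    print(find_source(damaged, ALL_MAILHOSTS))
```

In this model an incomplete trusted-host list and an unreadable line fail the same way: the walk stops inside the reporter's own provider, and the last address seen there is reported as the source.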
From MikeE at ster.invalid Wed May 4 16:33:23 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Wed May 4 18:35:03 2005
Subject: [SC-Help] Re: analysis failed on this spam
References:
Message-ID:

Phil Scadden wrote:

www.spamcop.net/sc?id=z759777881z82490c88d1145b8f3a52d0517158ce77z
> resulted in spamcop deciding our isp was the source. It also appears
> to have failed to resolve the links.

SC breaks the chain prematurely naming the topline's IP.

Abbreviated Received lines *comment
from grfn6.gns.cri.nz ([131.203.5.60]) by dndm1.gns.cri.nz *serves you
from omega.gns.cri.nz by grfn6.gns.cri.nz *serves you
from bl4-179-92.dsl.telepac.pt [81.193.179.92] by omega.gns.cri.nz *sourceline
from zhrulf.blessed-sacrament.com ([61.205.106.167]) by ucott.blessed-sacrament.com *bogusline

... because/but it broke off parsing after it had already accepted the 'by' field of the 3rd line. Sometimes it chokes on the information in the 'from' field and quits the parse prematurely without helpful explanation.

When it does that, I tinker with the parser by forging lines in ways that I know the parser likes. For example, it helps the parser to get rid of some excess information in the 3rd line like this 'minor' forgery's parse.

http://www.spamcop.net/sc?id=z759796999zb7d38d117bd4e7f5014c4b72c261c23bz

In this example, SC correctly parses the header and recognizes the source as the .pt 81.193.179.92

It also finds the link in the body, but fails to offer to notify for it.

My tinkering with the 3rd line was to change this:

Received: from bl4-179-92.dsl.telepac.pt (bl4-179-92.dsl.telepac.pt [81.193.179.92])
    by omega.gns.cri.nz (8.10.2-20030919/8.10.2) with SMTP id j44JEk621142;
    Thu, 5 May 2005 07:14:47 +1200 (NZST)

to this

Received: from bl4-179-92.dsl.telepac.pt [81.193.179.92]
    by omega.gns.cri.nz (8.10.2-20030919/8.10.2) with SMTP id j44JEk621142;
    Thu, 5 May 2005 07:14:47 +1200 (NZST)

Why that should fix the problem, I don't know.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Wed May 4 16:41:04 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Wed May 4 18:40:02 2005
Subject: [SC-Help] Re: analysis failed on this spam
References:
Message-ID:

Phil Scadden wrote:
> This spam
www.spamcop.net/sc?id=z759777881z82490c88d1145b8f3a52d0517158ce77z
> resulted in spamcop deciding our isp was the source.

You can reduce the chances of that happening by correctly configuring for mailhosts.

http://www.spamcop.net/fom-serve/cache/397.html How do I configure Mailhosts for SpamCop?

--
Mike Easter
kibitzer, not SC admin

From P.scadden at ^no-spam^remove.gns.cri.nz Thu May 5 11:41:40 2005
From: P.scadden at ^no-spam^remove.gns.cri.nz (Phil Scadden)
Date: Wed May 4 18:45:02 2005
Subject: [SC-Help] Re: analysis failed on this spam
References:
Message-ID:

> When it does that, I tinker with the parser by forging lines in ways
> that I know the parser likes. For example, it helps the parser to get
> rid of some excess information in the 3rd line like this 'minor'
> forgery's parse.

Okay, so extract file. Edit it, send file as attachment. Will do.

From MikeE at ster.invalid Wed May 4 17:02:16 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Wed May 4 19:05:03 2005
Subject: [SC-Help] Re: analysis failed on this spam
References:
Message-ID:

Phil Scadden wrote:
>> When it does that, I tinker with the parser by forging lines in ways
>> that I know the parser likes. For example, it helps the parser to
>> get rid of some excess information in the 3rd line like this 'minor'
>> forgery's parse.
>
> Okay, so extract file. Edit it, send file as attachment. Will do.

Huh? I don't understand. You can't forge/materially change/ a spam to enable a parse, if that's what you mean.

I do it for experimental and demonstration purposes on the spams which I cancel the report for to demonstrate or illustrate an 'issue' so as to possibly help with any parser adjustments.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Wed May 4 18:12:04 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Wed May 4 20:15:06 2005
Subject: [SC-Help] Re: analysis failed on this spam
References:
Message-ID:

Mike Easter wrote:

> You can't forge/materially change/ a spam
> to enable a parse, if that's what you mean.

Before a deputy has my scalp, let me post this link

http://www.spamcop.net/fom-serve/cache/283.html
Do not make any material changes to spam before submitting or parsing which may cause SpamCop to find a link, address or URL it normally would not, by design, find.

> I do it for experimental and demonstration purposes

--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Thu May 5 00:16:17 2005
From: nobody at devnull.spamcop.net (Glenn Daniels)
Date: Wed May 4 23:20:09 2005
Subject: [SC-Help] Re: Help? Fraudulent email in the "from" of sp*m!
References:
Message-ID:

"Jodi Krangle" wrote in message
> I'm really hoping someone here has some advice for me...
>
> My business email address - jodi@internet-marketing-mm.com - is getting
> TONS of "mail undeliverable" messages (and I mean thousands a day) from
> some slimy sp*mmers who have put that email address in the "from" field of
> their mailouts. :(
>
> This has been going on for about five days now (maybe more) and it shows no
> sign of stopping. It's EXTREMELY annoying.
>
> I'm aware that when people report sp*m, it's reported by IP address and not
> necessarily by the actual email address listed in the mail... although I'm
> sure my email address IS being banned by some people who really think I'd
> be stupid enough to send out that crap, since the email address actually
> makes reference to "internet-marketing".
>
> Is there ANYTHING I can do about this? Does anyone have any advice for me
> here? I'm getting more than a little desperate.
>
> Thanks in advance for any help you can offer!

Sorry, Jodi, but I don't do the "advice" thingy as that is an extremely slippery slope.

But I am given to asking stupid questions, like do you have an email client that supports some sort of filter rules? If not, why not? If so, why not simply filter for your addy in the "Sender:" header and direct the spew you allegedly sent yourself into the trash, letting your mail sort unhindered into your mailbox? Or am I missing something here?

Have you the LARTed the abusing "bouncers"? Once I were one of them until Mike Easter 'splained me this:

The worms forge the spamitems, 'tis not the work of human malice or ill will. Nothing in or about the viral slough we call spam merits also a qualifier as email. It is nothing more nor less than the illegitimate spawn of a virus which in itself an abortion of creative intellect put to criminal ends. When your name falls into the "From" field in the virus' macro template, it may stick for a time, but it is a programming defect that reveals the nature of the thing. It is more like an unthinking automaton than a human being.

I dredged through what came to me until I found the one that said that I had sent it to myself and confronted the abuse desk for my ISP with the obvious, asking that they not believe such nonsense and asking their help in LARTing the abusing ISPs that were bouncing the spam to me "as if" I had anything to do with it.

Worms lie. Everything in a spamitem is forged by the worm except the host's IPA.

I am a recovering "bouncer" and my name is Bill. Sorry for the lunatic rambling, gotta get back on my meds I see...

Last time this happened here was about a year ago and for that I am thankful.

Best wishes,
Glenn

From jr70 at blackhole.invalid Wed May 4 22:37:57 2005
From: jr70 at blackhole.invalid (John Richards)
Date: Thu May 5 00:40:03 2005
Subject: [SC-Help] Re: analysis failed on this spam
References:
Message-ID:

"Mike Easter" wrote in message news:d5biua$h56$1@news.spamcop.net...
>
> You can reduce the chances of that happening by correctly configuring
> for mailhosts.
>
> http://www.spamcop.net/fom-serve/cache/397.html How do I configure
> Mailhosts for SpamCop?

I don't really understand those instructions. The section "For users with multiple accounts..." is unclear. Do they mean multiple email addresses? The diagram shows multiple 'accounts' forwarding to "Account C." I have multiple email addresses and none of them forward anywhere. That scenario isn't covered. Am I supposed to have as many SpamCop accounts as I have pop accounts? That will make reporting spam very inconvenient!

--
John Richards

From bounce at bounce.com Wed May 4 22:52:56 2005
From: bounce at bounce.com (Don J. Reid)
Date: Thu May 5 00:55:02 2005
Subject: [SC-Help] Did I receive this bounce because...
Message-ID:

See message in .spam

Did I receive this bounce because some one forged my addy, or is it a retaliation for not perfectly munged reports.

I have received MAILER-DAEMON response before but not seen this type before

Thanks
Don J.

From nobody at devnull.spamcop.net Thu May 5 01:25:49 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Thu May 5 01:30:04 2005
Subject: [SC-Help] Re: analysis failed on this spam
References:
Message-ID:

"John Richards" wrote in message news:d5c7v6$rhq$1@news.spamcop.net...
>
> I don't really understand those instructions. The section "For users with
> multiple accounts..." is unclear. Do they mean multiple email addresses?
> The diagram shows multiple 'accounts' forwarding to "Account C."
> I have multiple email addresses and none of them forward anywhere.
> That scenario isn't covered. Am I supposed to have as many SpamCop
> accounts as I have pop accounts? That will make reporting spam very
> inconvenient!

You could take advantage of the experience gained by those who have gone before ..???
http://forum.spamcop.net/forums/
in particular, the MailHost Configuration Forum section ..???

Bottom line, it's the "host" that counts, not the specific 'account' .... The remainder gets to how and what you report ...

From MikeE at ster.invalid Wed May 4 23:41:41 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Thu May 5 01:40:02 2005
Subject: [SC-Help] Re: Did I receive this bounce because...
References:
Message-ID:

Don J. Reid wrote:
> Did I receive this bounce because some one forged my addy, or is it a
> retaliation for not perfectly munged reports.
>
> I have received MAILER-DAEMON response before but not seen this type
> before

It looks to me like; in the beginning, 216.191.158.153 no rDNS an allstream user emailed a buncha ilap addresses and must've put your addy as a bogus From. The ilap server accepted the mail for delivery and then bounced the mail it had accepted by creating a newmail addressed to your addy the From and with the headers of the original item attached. It also 'declared' the source IP of the original item in the body of its DSN "The original message was received at Wed, 4 May 2005 13:45:50 -0400 (EDT) from [216.191.158.153]" That's cute.

But, cute or not, that is abusive behavior on the ilap server's part and is spamcop reportable. I'm guessing at the scenario because there's mungeing pretty much everywhere.

--
Mike Easter
kibitzer, not SC admin

From Ilgaz at spamcop.net Thu May 5 13:22:39 2005
From: Ilgaz at spamcop.net (Ilgaz)
Date: Thu May 5 05:25:31 2005
Subject: [SC-Help] Any Symbian geeks around?
Message-ID:

Hi,

It may be impossible but I better ask. Also asked on forums a while ago.

I got Nokia 7650 which is a Symbian 60 series phone. As Spamcop offers SSL capability, I enable it.

Problem is, Equifax is not in phones certificate database. I tried a funny thing as sending the certificate as a message via bluetooth, of course it didn't work :)

It bugs me each time I get mail or connect as "untrusted".

From what I understand, it needs to be in .sis format and actually installed as a program.
I know it since Nokia Symbian signing certificates installed that way.

Should I bother asking to Equifax? They ignored my last mail, weeks ago.

Ilgaz Ocal

From nobody at devnull.spamcop.net Thu May 5 06:50:08 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Thu May 5 06:55:04 2005
Subject: [SC-Help] Re: Any Symbian geeks around?
References:
Message-ID:

"Ilgaz" wrote in message news:d5cokv$4ge$1@news.spamcop.net...
>
> It may be impossible but I better ask. Also asked on forums a while ago.
>
> I got Nokia 7650 which is a Symbian 60 series phone. As Spamcop offers
> SSL capability, I enable it.

I responded 'over there' .. bottom line, the 7650 isn't a U.S. model, got tired of reading all the "wonders of SSL on a cell-phone' with no hard data ... read through the FAQ listings on a few other phone models with no details found ... Would suggest you hit www.nokia.com yourself, pick the right 'area' .. see if you have any better luck at finding that model .. or send them the query ...

Other Forum discussions on SSL connections and certificate manipulations were provided in the response "over there"

From nobody at devnull.spamcop.net Thu May 5 06:58:19 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Thu May 5 07:00:02 2005
Subject: [SC-Help] Re: Any Symbian geeks around?
References:
Message-ID:

"Ilgaz" wrote in message news:d5cokv$4ge$1@news.spamcop.net...
>
> It may be impossible but I better ask. Also asked on forums a while ago.
>
> I got Nokia 7650 which is a Symbian 60 series phone. As Spamcop offers
> SSL capability, I enable it.

OK, gave it a shot ... but my language skills stopped. Have you been to the Nokia support site at http://www.nokia.com.tr/id1781.html ..??

From jr70 at blackhole.invalid Thu May 5 10:15:35 2005
From: jr70 at blackhole.invalid (John Richards)
Date: Thu May 5 12:20:04 2005
Subject: [SC-Help] Re: analysis failed on this spam
References:
Message-ID:

"WazoO" wrote in message news:d5cap5$t10$1@news.spamcop.net...
> "John Richards" wrote in message
> news:d5c7v6$rhq$1@news.spamcop.net...
>>
>> I don't really understand those instructions. The section "For users with
>> multiple accounts..." is unclear. Do they mean multiple email addresses?
>> The diagram shows multiple 'accounts' forwarding to "Account C."
>> I have multiple email addresses and none of them forward anywhere.
>> That scenario isn't covered. Am I supposed to have as many SpamCop
>> accounts as I have pop accounts? That will make reporting spam very
>> inconvenient!
>
> You could take advantage of the experience gained by
> those who have gone before ..???
> http://forum.spamcop.net/forums/ in particular, the
> MailHost Configuration Forum section ..???

Hmmm, I read this forum via my NNTP newsreader, and I don't see that forum as an available newsgroup.

> Bottom line, it's the "host" that counts, not the
> specific 'account' .... The remainder gets to
> how and what you report ...

That makes sense. The instructions should be clarified to point that out. Still, I have five different mail receiving hosts, so it looks like spam reporting will get too complex for me to bother with.

--
John Richards

From nobody at devnull.spamcop.net Thu May 5 13:03:46 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Thu May 5 13:05:03 2005
Subject: [SC-Help] Re: analysis failed on this spam
References:
Message-ID:

"John Richards" wrote in message news:d5dgr7$glv$1@news.spamcop.net...
> "WazoO" wrote in message news:d5cap5$t10$1@news.spamcop.net...
> >
> > You could take advantage of the experience gained by
> > those who have gone before ..???
> > http://forum.spamcop.net/forums/ in particular, the
> > MailHost Configuration Forum section ..???
>
> Hmmm, I read this forum via my NNTP newsreader, and I don't see
> that forum as an available newsgroup.

NNTP = Newsgroups
HTTP = web stuff

> > Bottom line, it's the "host" that counts, not the
> > specific 'account' .... The remainder gets to
> > how and what you report ...
>
> That makes sense. The instructions should be clarified to point that out.
> Still, I have five different mail receiving hosts, so it looks like spam
> reporting will get too complex for me to bother with.

The MailHost Configuration forum section suggested has data posted by other users, some sample data, and in the Forum FAQ, there's a sample or two of a walk-through of the process. The data is out there, but you need to take those few steps ....

From bounce at bounce.com Thu May 5 14:22:59 2005
From: bounce at bounce.com (Don J. Reid)
Date: Thu May 5 16:25:03 2005
Subject: [SC-Help] Re: Did I receive this bounce because...
References:
Message-ID:

"Mike Easter" wrote in message news:d5cbit$thm$1@news.spamcop.net...
> Don J. Reid wrote:
>> Did I receive this bounce because some one forged my addy, or is it a
>> retaliation for not perfectly munged reports.
>>
>> I have received MAILER-DAEMON response before but not seen this type
>> before
>
> It looks to me like; in the beginning, 216.191.158.153 no rDNS an
> allstream user emailed a buncha ilap addresses and must've put your addy
> as a bogus From. The ilap server accepted the mail for delivery and
> then bounced the mail it had accepted by creating a newmail addressed to
> your addy the From and with the headers of the original item attached.
> It also 'declared' the source IP of the original item in the body of its
> DSN "The original message was received at Wed, 4 May 2005 13:45:50 -0400
> (EDT) from [216.191.158.153]" That's cute.
>
> But, cute or not, that is abusive behavior on the ilap server's part and
> is spamcop reportable. I'm guessing at the scenario because there's
> mungeing pretty much everywhere.
>
> --
> Mike Easter
> kibitzer, not SC admin
>

Thanks Mike

From Ilgaz at spamcop.net Fri May 6 04:11:33 2005
From: Ilgaz at spamcop.net (Ilgaz)
Date: Thu May 5 20:15:05 2005
Subject: [SC-Help] Re: Any Symbian geeks around?
References:
Message-ID:

On 2005-05-05 13:50:08 +0300, "WazoO" said:

> "Ilgaz" wrote in message
> news:d5cokv$4ge$1@news.spamcop.net...
>>
>> It may be impossible but I better ask. Also asked on forums a while ago.
>>
>> I got Nokia 7650 which is a Symbian 60 series phone. As Spamcop offers
>> SSL capability, I enable it.
>
> I responded 'over there' .. bottom line, the 7650 isn't a
> U.S. model, got tired of reading all the "wonders of SSL
> on a cell-phone' with no hard data ... read through the
> FAQ listings on a few other phone models with no details
> found ... Would suggest you hit www.nokia.com yourself,
> pick the right 'area' .. see if you have any better luck at
> finding that model .. or send them the query ...
>
> Other Forum discussions on SSL connections and
> certificate manipulations were provided in the response
> "over there"

One of reasons I purchased spamcop service was the SSL capability. Spamcop is my main mail now and all secure communication is there. I also use advanced mail clients, forgetting some of "nifty" HTML rendering etc for more security. Like Eudora Pro for instance.

Using non SSL on cell phone imap/pop3 while your mail host provides that capability is not a good idea. Especially on GPRS. It's exactly the 3rd option on mailbox setup of that tiny PDA so be sure it's not some "fantasy" option.

I don't tell the wonders of SSL etc, I have the capability, I want to use it, the reasons can be too complicated. Let's say, I am close to some cell phone admin level people etc and know how amazingly insecure gprs (2.5 G) can be.

Let me say, seeing Yahoo doesn't even offer SSL (forget about IMAP etc) was a plain shock for me.

About the nokia.com.tr, oh they are good translators, nothing else ;)

Thanks anyway but already know to ask them. Also no wonder why Equifax having such root not included problems on many platforms/programs since they didn't even care to answer my single mail.
Now, that was a polite and highly technical mail explaining all details, firmware etc.

Ilgaz Ocal

From nobody at devnull.spamcop.net Fri May 6 01:29:17 2005
From: nobody at devnull.spamcop.net (Glenn Daniels)
Date: Fri May 6 00:30:03 2005
Subject: [SC-Help] Re: Did I receive this bounce because...
References:
Message-ID:

"Don J. Reid" wrote in message
> "Mike Easter" wrote in message ...
> > Don J. Reid wrote:
> >> Did I receive this bounce because some one forged my addy, or is it a
> >> retaliation for not perfectly munged reports.
> >>
> >> I have received MAILER-DAEMON response before but not seen this type
> >> before
> >
> > It looks to me like; in the beginning, 216.191.158.153 no rDNS an
> > allstream user emailed a buncha ilap addresses and must've put your addy
> > as a bogus From. The ilap server accepted the mail for delivery and
> > then bounced the mail it had accepted by creating a newmail addressed to
> > your addy the From and with the headers of the original item attached.
> > It also 'declared' the source IP of the original item in the body of its
> > DSN "The original message was received at Wed, 4 May 2005 13:45:50 -0400
> > (EDT) from [216.191.158.153]" That's cute.
> >
> > But, cute or not, that is abusive behavior on the ilap server's part and
> > is spamcop reportable. I'm guessing at the scenario because there's
> > mungeing pretty much everywhere.
> >
> > --
> > Mike Easter
> > kibitzer, not SC admin
> >
>
> Thanks Mike
>
>

Looks like W32.Sober.O to me... Received similar item this morning and did not report as misguided bounce, but alerted sender to apparent viral propagation of the new virm variant first detected 05/02/2005.

Glenn
>

From wb8tyw at qsl.network Fri May 6 11:43:44 2005
From: wb8tyw at qsl.network (John E. Malmberg)
Date: Fri May 6 11:45:02 2005
Subject: [SC-Help] Re: Did I receive this bounce because...
References:
Message-ID: <34jM4elkQmYF@eisner.encompasserve.org>

In article , "Glenn Daniels" writes:
>
> Looks like W32.Sober.O to me... Received similar
> item this morning and did not report as misguided
> bounce, but alerted sender to apparent viral propagation
> of the new virm variant first detected 05/02/2005.

I recommend reporting all mis-guided bouncers so that they understand how much of a DDOS attack they are doing by not using SMTP rejects.

If they do not get complaints to their abuse/postmaster addresses, they will not know how much problems they are causing.

Most of these worms are direct to MX, so a mail server that is bouncing them probably is not using effective DNSbls to reject spam, so is probably abusively bouncing spam also.

-John
wb8tyw@qsl.network
Personal Opinion Only

From nobody at devnull.spamcop.net Fri May 6 17:17:40 2005
From: nobody at devnull.spamcop.net (Glenn Daniels)
Date: Fri May 6 16:20:04 2005
Subject: [SC-Help] Re: Did I receive this bounce because...
References: <34jM4elkQmYF@eisner.encompasserve.org>
Message-ID:

"John E. Malmberg" wrote in message
> "Glenn Daniels" writes:
> >
> > Looks like W32.Sober.O to me... Received similar
> > item this morning and did not report as misguided
> > bounce, but alerted sender to apparent viral propagation
> > of the new virm variant first detected 05/02/2005.
>
> I recommend reporting all mis-guided bouncers so that they understand how much
> of a DDOS attack they are doing by not using SMTP rejects.
>
> If they do not get complaints to their abuse/postmaster addresses, they will
> not know how much problems they are causing.
> ...

Yabbut, this bugger dresses itself up to look like a misguided bounce while carrying a payload of addy's lifted from the infected server in its front end, payload virm packed in the tail end. You have never seen a bounce from 40 different Inboxes have you?
This thing comes saying that it tried 40 times to be delivered and failing delivery gets returned to you as the allegedly forged Sender which elsewhere does not appear in the hoaxed bounce.

See parse of specimen with virm code grossly truncated from the heart of the matter:
http://www.spamcop.net/sc?id=z760494073z7037a6f183b13dd22b92e4025fa942fcz

Glenn

From nobody at devnull.spamcop.net Fri May 6 23:06:11 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Fri May 6 23:10:03 2005
Subject: [SC-Help] Spamvertized URL resolving issue - Someone from SpamCop responds
Message-ID:

For those of you that have been asking for input from "Someone from SpamCop" ... here's your response.

The Forum FAQ
http://forum.spamcop.net/forums/index.php?showtopic=2238
Contains an entry titled;
New! SpamCop reporting of spamvertized sites - some philosophy
Which links to an entry that includes commentary from myself, Mike Easter, Don (and by extension, Ellen)
http://forum.spamcop.net/forums/index.php?showtopic=4085
and for those not happy with the HTML version, a LoFi view
http://forum.spamcop.net/forums/lofiversion/index.php/t4085.html

From dhill at cricalix.net Sat May 7 07:44:18 2005
From: dhill at cricalix.net (Duncan Hill)
Date: Sat May 7 01:45:02 2005
Subject: [SC-Help] Parser missed URLs in spam..
Message-ID:

http://www.spamcop.net/sc?id=z760605444zbd6d8a5bfd704c6bbd6a3ac143b3a035z

The parser misses the URL that's about 30 lines down in the body.

http://www.spamcop.net/sc?id=z760605443z7ec08a7b1611eae20442b7d8b1aa9b3fz

Parser misses the URL that's in the plain text body, and alive and kicking (and just happens to be a redirector), and also in the HTML part.

http://www.spamcop.net/sc?id=z760594773z37451b0b3b5559c426a6365e5f3c02e1z

has the same URL tld as the first missed report.

Mails are forwarded as attachment from KMail, and the parser has picked up other URLs before with no problem.
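
What a link extractor has to do with a message like the ones in the post above, as an added example (not part of the thread and not SpamCop's parser): walk a spam forwarded as an attachment, collect URLs from both the plain-text and HTML parts, and normalize host names before any lookup. The sample message, the `.example` host names and the two-label `base_domain` grouping are assumptions made for illustration.

```python
"""Collect and normalise URLs from a spam forwarded as an attachment.

Constructed illustration; all host names use the reserved .example TLD.
"""
from collections import defaultdict
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser
import re
from urllib.parse import urlsplit

# Plain-text URL matcher: stops at whitespace, quotes and angle brackets.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Gather http(s) targets from href= and src= attributes."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value and URL_RE.match(value):
                self.urls.append(value)


def extract_urls(raw_bytes):
    """Return [(part_kind, url)] for every text/plain and text/html part.

    Message.walk() descends into multipart/* containers and into
    message/rfc822 attachments, so a forwarded-as-attachment spam is covered.
    """
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    found = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            found += [("text", u) for u in URL_RE.findall(part.get_content())]
        elif ctype == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_content())
            found += [("html", u) for u in collector.urls]
    return found


def normalize_host(url):
    """Lower-case the host and drop the trailing root dot of an absolute name."""
    try:
        host = urlsplit(url).hostname
    except ValueError:  # e.g. a malformed bracketed IPv6 literal
        return None
    return host.rstrip(".") if host else None


def base_domain(host):
    """ASSUMPTION: the last two labels identify the registrant.

    Production code should consult the Public Suffix List (co.uk, com.au, ...).
    """
    return ".".join(host.split(".")[-2:])


def hosts_by_domain(raw_bytes):
    """Group the distinct normalised hosts found in a message by base domain."""
    groups = defaultdict(set)
    for _kind, url in extract_urls(raw_bytes):
        host = normalize_host(url)
        if host:
            groups[base_domain(host)].add(host)
    return {domain: sorted(hosts) for domain, hosts in groups.items()}


def build_sample():
    """Constructed spam: text + HTML alternative, wrapped as an attachment."""
    spam = EmailMessage()
    spam["From"] = "offers@sender.example"
    spam["Subject"] = "constructed sample"
    spam.set_content("Order now: http://one.spamshop.example/tx\n"
                     "Unsubscribe: http://ONE.spamshop.example./nothanks\n")
    spam.add_alternative(
        '<a href="HTTP://Two.SpamShop.Example./index.html">order</a>'
        '<img src="http://img.cdn.example/p.gif">', subtype="html")
    wrapper = EmailMessage()
    wrapper["Subject"] = "Fwd: constructed sample"
    wrapper.set_content("Spam forwarded as attachment.\n")
    wrapper.add_attachment(spam)  # becomes a message/rfc822 part
    return wrapper.as_bytes()


SAMPLE = build_sample()

if __name__ == "__main__":
    for domain, hosts in hosts_by_domain(SAMPLE).items():
        print(domain, hosts)
```

Grouping by base domain makes it visible when several reports carry different throwaway subdomains of one spamvertised domain, which is the situation the third report in the post describes.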
From MikeE at ster.invalid Sat May 7 00:15:24 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sat May 7 02:15:03 2005
Subject: [SC-Help] Re: Parser missed URLs in spam..
References:
Message-ID:

Duncan Hill wrote:
>www.spamcop.net/sc?id=z760605444zbd6d8a5bfd704c6bbd6a3ac143b3a035z
>
> The parser misses the URL that's about 30 lines down in the body.

Finds 2 urls but can't resolve them [and spends a very long time trying to do so].

Cannot resolve http://middleweight.klipsandbracks.com/tx
Cannot resolve http://makeup.klipsandbracks.com/index.html

It resolved promptly for me and didn't appear to have gross nameservice problems at dnsstuff, so maybe its nameservice is blocking SC's resolver.

> www.spamcop.net/sc?id=z760605443z7ec08a7b1611eae20442b7d8b1aa9b3fz
>
> Parser misses the URL that's in the plain text body, and alive and
> kicking (and just happens to be a redirector), and also in the HTML
> part.

Looks at both parts:

Finding links in message body
Recurse multipart:
Parsing text part
Parsing HTML part
Resolving link obfuscation
http://midland.myabsinth.com/nothanks.php
http://all.myabsinth.com/575r.html
http://contrariety.myabsinth.com/nothanks.php
http://bide.myabsinth.com/575r.html

Those are from both html and plaintext sections, I forget which is which.

Sometimes it will resolve them, sometimes it won't. And when it doesn't, it doesn't spend any time at all messing with trying to resolve them. It just 'passes' on the resolving part without delay. IMO the parser is 'rigged' to sometimes 'bypass' body url resolving. "I don't feel like doing that right now; I'm doing some other stuff."

If I feed one of those into the parser naked, it resolves it OK

Parsing input: http://midland.myabsinth.com/nothanks.php
Routing details for 202.99.172.149
Using postmaster#cnc-noc.net@devnull.spamcop.net for statistical tracking.

www.spamcop.net/sc?id=z760594773z37451b0b3b5559c426a6365e5f3c02e1z
>
> has the same URL tld as the first missed report.
Like the first, SC spends a great deal of time not resolving any of the links it finds:

Resolving link obfuscation
http://cliffhang.klipsandbracks.com/index.html
host cliffhang.klipsandbracks.com (checking ip) ip not found ; cliffhang.klipsandbracks.com discarded as fake.
http://continent.klipsandbracks.com/index.html
host continent.klipsandbracks.com (checking ip) ip not found ; continent.klipsandbracks.com discarded as fake.
http://shudder.klipsandbracks.com/index.html
host shudder.klipsandbracks.com (checking ip) ip not found ; shudder.klipsandbracks.com discarded as fake.
http://indeed.klipsandbracks.com/tx
host indeed.klipsandbracks.com (checking ip) ip not found ; indeed.klipsandbracks.com discarded as fake.
http://dugout.klipsandbracks.com/tx
host dugout.klipsandbracks.com (checking ip) ip not found ; dugout.klipsandbracks.com discarded as fake.

> Mails are forwarded as attachment from KMail, and the parser has
> picked up other URLs before with no problem.

It isn't related to kmail; those are common behaviors and situations with spamvertiser nonresolving problems.

--
Mike Easter
kibitzer, not SC admin

From dhill at cricalix.net Sat May 7 11:04:36 2005
From: dhill at cricalix.net (Duncan Hill)
Date: Sat May 7 05:06:20 2005
Subject: [SC-Help] Re: Parser missed URLs in spam..
References:
Message-ID:

Mike Easter wrote:

> Cannot resolve http://middleweight.klipsandbracks.com/tx
> Cannot resolve http://makeup.klipsandbracks.com/index.html
>
> It resolved promptly for me and didn't appear to have gross nameservice
> problems at dnsstuff, so maybe its nameservice is blocking SC's

This might be the core then. I can follow the links quite easily from my home connection. Does SC still push those TLDs into the lists that make their way to SURBL if it can't resolve them?

From MikeE at ster.invalid Sat May 7 05:58:24 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sat May 7 08:00:07 2005
Subject: [SC-Help] Re: Parser missed URLs in spam..
References:
Message-ID:

Duncan Hill wrote:
> This might be the core then. I can follow the links quite easily
> from my home connection. Does SC still push those TLDs into the
> lists that make their way to SURBL if it can't resolve them?

I think that the current status is that urls that make it to the statistics lists where sc-surbl finds them are the ones which are /reported/. If they don't get resolved, they don't get presented for the option of reporting, so they don't go to the list.

I've expressed here before that I think the parsing reporting options should be expanded so as to 'relieve' the problem of spamvertisers going 'un-statistic/ed'.

I think that the reporter should be presented with the option to say whether an url was a spamvertiser, as opposed to an innocent bystander, whether there is any reporting to the provider or not. I for one don't like to notify the majority of providers for spamvertisers for my spam.

I think SC's 'level of responsibility' to the spamsource provider to notify them of a report calling them a source is very different from the responsibility of SC's reporter to notify the spamvertiser provider. I think the notification of a spamvertiser provider should be optional. The 'duty' of the SC reporter is to recognize if something is a spamvertiser or an IB -- and the reporting to the provider should be an option, not a requirement.

Clearly there is some kind of condition in which the parser doesn't want to or can't provide an avenue for reporting a spamvertiser. That shouldn't be a reason or prevention for the statistics process.

An analogy is the situation where there is a spamsource which doesn't have a 'master' to be notified as a provider for a spamsource, but SC's algorithm allows a devnull process for notifying so that the source will count toward the SC blocklist.
--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Sat May 7 06:17:50 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sat May 7 08:20:03 2005
Subject: [SC-Help] Re: Parser missed URLs in spam..
References:
Message-ID:

Mike Easter wrote:
> I think that the reporter should be presented with the option to say
> whether an url was a spamvertiser, as opposed to an innocent
> bystander, whether there is any reporting to the provider or not. I
> for one don't like to notify the majority of providers for
> spamvertisers for my spam.

For me or my purposes or my opinion about how to handle spamvertisers, every found url, resolved or not, should include an opportunity to notify a devnull address. If it is an IB the devnull should be left unchecked by the responsible reporter; if an unresolved spamvertiser, the reporter would be able to check the devnull so that it would become a statistic. If it is a resolved spamvertiser with 'real' notify addresses, the reporter should be able to check the devnull and uncheck the real ones so as to not have to notify an undesirable provider.

Some/many providers for spamvertisers are blackhats and the spam report which the current notifying process performs is simply a vehicle for the spammer to see the report containing the spamitem. That spamitem can contain all kinds of things to identify the recipient, which can lead to listwashing or even hostile activity. Modern spammers command armies of trojanized computers for sale to the highest bidder, which can be used for all kinds of mischief ranging from extortion to 'simple' unpleasant retaliation.

The simplistic mungeing which SC performs by default or minor additional mungeing which a reporter is permitted to perform prior to submission don't provide enough latitude for the relationship between the reporter and a spamvertiser provider.
A reporter should be able to submit a report unmunged, default munged, slightly ubermunged, or the equivalent of the mole report -- no report at all for the spamvertiser.

Previously mole reporting counted for something, but that counting condition was eliminated from contributing to the SCbl. Now the condition of quick reporting reports sources but not spamvertisers. There needs to be a method of 'counting' spamvertisers without notifying them, if that is the choice of the reporter.

--
Mike Easter
kibitzer, not SC admin

From jimwasson at spamcop.net Sun May 8 13:59:36 2005
From: jimwasson at spamcop.net (Jim Wasson)
Date: Sun May 8 16:00:03 2005
Subject: [SC-Help] Can't resolve link for spammer's website
Message-ID:

I seem to be getting a lot of this lately. The spams are parsed and reports are generated for the senders but not for the websites involved. I checked this report today:

http://www.spamcop.net/sc?id=z761129865zf78eab133dd819f61c9e9ded5b9d7176z

It says that the site at "http://adi.fakerolexsite.com./" can't be resolved and is discarded as a fake. Note the extra period at the end of the link. As a result SpamCop can't seem to find this address. I used SamSpade and the site (without the period) certainly is alive and well and hawking fake Rolexes.

I reported this problem in this forum on 1 April (and got no response) in my post "Simple trick defeats lookup".

From MikeE at ster.invalid Sun May 8 14:21:07 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sun May 8 16:20:03 2005
Subject: [SC-Help] Re: Can't resolve link for spammer's website
References:
Message-ID:

Jim Wasson wrote:
> I seem to be getting a lot of this lately. The spams are parsed and
> reports are generated for the senders but not for the websites
> involved. I checked this report today:

www.spamcop.net/sc?id=z761129865zf78eab133dd819f61c9e9ded5b9d7176z

The business of SC not resolving an url is a topic of frequent conversation here.

SC fails to resolve url/s it finds for many reasons.
The url's nameservice blocks SC's resolver; the url's nameservice is too pokey or otherwise flawed; SC doesn't feel like resolving it for some reason that must have to do with resource management. It is not possible to tell which of the various possibilities is operative at any given time; and those of us out here on the outside don't have many tools to try to guess. I don't have access to SC's resolver. I can see if an url resolves for me, and I can use the tools at dnsstuff to find 'weaknesses' and inadequacies in the nameservice for an item.

The case of an 'odd' or flawed url is another matter. My resolvers don't seem to care if there's an extra dot there, and there's some kind of 'principle' or system by which a dot at the end of the tld is appropriate, but I can't remember what that principle is.

However, if there were a genuinely 'bad' or misconfigured url in which the browser's error tolerance caused a browser to be able to access the url, it would be my guess that Julian would have no interest in building in better error tolerance into the parser. Internet Explorer's error tolerance for html errors is huge compared to some other browsers, and the whole subject of whether or not browsers should be error tolerant or not is a big mess. IMO, the world would be better off with much *less* error tolerance in that sphere, rather than more.

> It says that the site at "http://adi.fakerolexsite.com./" can't be
> resolved and is discarded as a fake. Note the extra period at the end
> of the link. As a result SpamCop can't seem to find this address. I
> used SamSpade and the site (without the period) certainly is alive
> and well and hawking fake Rolexes.

SC is not able to resolve that link with or without the extra dot; so in that sense it is just another url that SC doesn't resolve for one reason or another as described above. To say nothing of the disinterest in error tolerance.
> I reported this problem in this forum on 1 April (and got no response)
> in my post "Simple trick defeats lookup".

--
Mike Easter
kibitzer, not SC admin

From jimwasson at spamcop.net Sun May 8 20:57:44 2005
From: jimwasson at spamcop.net (Jim Wasson)
Date: Sun May 8 23:00:03 2005
Subject: [SC-Help] Re: Can't resolve link for spammer's website
In-Reply-To:
References:
Message-ID:

Mike Easter wrote:
> Jim Wasson wrote:
>
>>I seem to be getting a lot of this lately. The spams are parsed and
>>reports are generated for the senders but not for the websites
>>involved. I checked this report today:
>
>
> www.spamcop.net/sc?id=z761129865zf78eab133dd819f61c9e9ded5b9d7176z
>
> The business of SC not resolving an url is a topic of frequent
> conversation here.
>
> SC fails to resolve url/s it finds for many reasons. The url's
> nameservice blocks SC's resolver; the url's nameservice is too pokey or
> otherwise flawed; SC doesn't feel like resolving it for some reason
> that must have to do with resource management. It is not possible to
> tell which of the various possibilities is operative at any given time;
> and those of us out here on the outside don't have many tools to try to
> guess. I don't have access to SC's resolver. I can see if an url
> resolves for me, and I can use the tools at dnsstuff to find
> 'weaknesses' and inadequacies in the nameservice for an item.
>
> The case of an 'odd' or flawed url is another matter. My resolvers
> don't seem to care if there's an extra dot there, and there's some kind
> of 'principle' or system by which a dot at the end of the tld is
> appropriate, but I can't remember what that principle is.
>
> However, if there were a genuinely 'bad' or misconfigured url in which
> the browser's error tolerance caused a browser to be able to access the
> url, it would be my guess that Julian would have no interest in building
> in better error tolerance into the parser. Internet Explorer's error
> tolerance for html errors is huge compared to some other browsers, and
> the whole subject of whether or not browsers should be error tolerant or
> not is a big mess. IMO, the world would be better off with much *less*
> error tolerance in that sphere, rather than more.
>
>
>>It says that the site at "http://adi.fakerolexsite.com./" can't be
>>resolved and is discarded as a fake. Note the extra period at the end
>>of the link. As a result SpamCop can't seem to find this address. I
>>used SamSpade and the site (without the period) certainly is alive
>>and well and hawking fake Rolexes.
>
>
> SC is not able to resolve that link with or without the extra dot; so
> in that sense it is just another url that SC doesn't resolve for one
> reason or another as described above. To say nothing of the disinterest
> in error tolerance.
>
>
>>I reported this problem in this forum on 1 April (and got no response)
>>in my post "Simple trick defeats lookup".
>
>

With regard to:

> SC is not able to resolve that link with or without the extra dot; so
> in that sense it is just another url that SC doesn't resolve for one
> reason or another as described above. To say nothing of the disinterest
> in error tolerance.

If that is really the case then and since I don't think I can't think of a more trivial obfuscation than adding a single period to the end of the link then what is "Resolving link obfuscation" supposed to mean?

From MikeE at ster.invalid Sun May 8 21:04:55 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sun May 8 23:05:02 2005
Subject: [SC-Help] Re: Can't resolve link for spammer's website
References:
Message-ID:

Jim Wasson wrote:
> a more trivial obfuscation than adding a single period to the end of
> the link then what is "Resolving link obfuscation" supposed to mean?
SC /always/ sez 'resolving link obfuscation' -- it's like saying 'how do you do' or 'have a nice day' or 'now I'm getting ready to look at this link'

It sez that even if the link is perfectly well non-obfuscated.

Interpreting SC's language or verbose output should be done very carefully. It often doesn't mean what it 'looks like' and its location is not always where it looks like it should be thinking about.

--
Mike Easter
kibitzer, not SC admin

From w7el at eznec.com Mon May 9 19:18:19 2005
From: w7el at eznec.com (Roy Lewallen)
Date: Mon May 9 21:20:03 2005
Subject: [SC-Help] Personal blacklist problem
Message-ID:

I'm having trouble getting my spam filter to reject email from a particular spammer. Spam with the following header get through even though my personal blacklist contains *@fedmarket.com and, added more recently, *fedmarket*. Can anyone tell me what I need to add to my personal blacklist in order to get the filter to reject email from this spammer?

Thanks,
Roy Lewallen

From - Mon May 09 18:11:14 2005
Return-Path:
Received: from mx.easystreet.com (smtpfilter03 [10.32.1.3]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by smtpdelivery.easystreet.com (Postfix) with ESMTP id 78002845F7A for ; Mon, 9 May 2005 17:38:11 -0700 (PDT)
Received: from c60.cesmail.net (c60.cesmail.net [216.154.195.49]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by mx.easystreet.com (Postfix) with ESMTP id D4C292F006C for ; Mon, 9 May 2005 17:38:10 -0700 (PDT)
Received: from unknown (HELO blade1.cesmail.net) (192.168.1.211) by c60.cesmail.net with SMTP; 09 May 2005 20:38:09 -0400
Received: (qmail 27187 invoked by uid 1010); 10 May 2005 00:38:09 -0000
Received: (qmail 26998 invoked from network); 10 May 2005 00:37:59 -0000
Received: from unknown (192.168.1.103) by blade1.cesmail.net with QMQP; 10 May 2005 00:37:59 -0000
Received: from products.venturesonline.com (HELO digdug.vosn.net) (209.151.86.4)
by mailgate2.cesmail.net with SMTP; 10 May 2005 00:37:59 -0000
Received: from [207.14.178.212] (port=47941 helo=wrtlnx06.wrtech.com) by digdug.vosn.net with esmtp (Exim 4.44) id 1DVIl0-00038t-5u for x; Mon, 09 May 2005 18:37:56 -0600
Received: from wrtech.com (unknown [207.14.178.212]) by wrtlnx06.wrtech.com (Postfix) with ESMTP id 925B346E623 for ; Mon, 9 May 2005 18:32:33 -0600 (MDT)
Date: Mon, 09 May 2005 18:32:33 -0600
From: "Fedmarket"
Subject: Federal Credit Card Holders Spend Easily
To:
Sender: "Fedmarket"
Reply-To: "Fedmarket"
Precedence: list
Content-type: text/plain
Message-Id: <20050510003233.925B346E623@wrtlnx06.wrtech.com>

From Unknown.User at Invalid.Domain Mon May 9 22:26:54 2005
From: Unknown.User at Invalid.Domain (Jan M. Nelken)
Date: Mon May 9 21:30:03 2005
Subject: [SC-Help] Re: Personal blacklist problem
In-Reply-To:
References:
Message-ID:

Roy Lewallen wrote:
> I'm having trouble getting my spam filter to reject email from a
> particular spammer. Spam with the following header get through even
> though my personal blacklist contains *@fedmarket.com and, added more
> recently, *fedmarket*. Can anyone tell me what I need to add to my
> personal blacklist in order to get the filter to reject email from this
> spammer?

Is your blacklist processor case sensitive? You added *fedmarket* - but Sender and/or From contains actually Fedmarket:

From: "Fedmarket"

Message-ID:

"Roy Lewallen" wrote in message news:d5p24v$dkn$1@news.spamcop.net...
> I'm having trouble getting my spam filter to reject email from a
> particular spammer. Spam with the following header get through even
> though my personal blacklist contains *@fedmarket.com and, added more
> recently, *fedmarket*. Can anyone tell me what I need to add to my
> personal blacklist in order to get the filter to reject email from this
> spammer?

Numerous Forum FAQ items that talk to various uses and implementation of various filtering options available on a SpamCop e-mail account exist.
Both of your examples seem to miss the mark a bit, but then, those FAQ entries were developed by folks that do have and use their SpamCop e-mail accounts ...
http://forum.spamcop.net/forums/index.php?showtopic=2238
or again, try posting into the spamcop.mail newsgroup

From MikeE at ster.invalid Mon May 9 19:44:50 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Mon May 9 21:45:09 2005
Subject: [SC-Help] Re: Personal blacklist problem
References:
Message-ID:

Roy Lewallen wrote:
> I'm having trouble getting my spam filter

What is your spam filter?

--
Mike Easter
kibitzer, not SC admin

From edb2000 at spamcop.net Tue May 10 00:06:57 2005
From: edb2000 at spamcop.net (Don Wannit)
Date: Tue May 10 02:10:03 2005
Subject: [SC-Help] Re: Personal blacklist problem
In-Reply-To:
References:
Message-ID:

Roy Lewallen wrote:
> I'm having trouble getting my spam filter to reject email from a
> particular spammer. Spam with the following header get through even
> though my personal blacklist contains *@fedmarket.com and, added more
> recently, *fedmarket*. Can anyone tell me what I need to add to my
> personal blacklist in order to get the filter to reject email from this
> spammer?
>
> Thanks,
> Roy Lewallen

Well, assuming that you're using SpamCop Filtered Email (otherwise, why would you be posting here?), you're posting in the wrong place, although a nearby one. There is a newsgroup specifically for SC email/webmail questions -- spamcop.mail -- although there seems to be some "herding" of us cats over to the web-based forum for SC email support questions. You can find that forum at http://forum.spamcop.net/forums/index.php?showforum=4

However, to answer your question here, I think you need to put simply fedmarket.com in your personal blacklist. No '@'-sign, no stars, just the domain name.

Log into SpamCop, go to Webmail, click on Options, then click on Manage your personal blacklist. You'll see all the entries you have so far.
Now click on the "Click here" to add to your blacklist. Enter just the domain name you want to ban (assuming you want to ban everything from anyone in that domain, or any subdomain). Then click on the Submit button, then again on View your blacklist just to make sure you got everything right. Then click on Return to SpamCop Tools, and then on the Save Options button. Then click on the Return to Options button. Whew!

I am not the first to say that the SC webmail interface is not particularly easy to use. However, I am an enthusiastic customer of the email filtering service, and have recommended it to others, and adopted it for my company's "info" email address.

Now, if you are not talking about the SpamCop Email Filtering (paid) service, then you're REALLY posting in the wrong place!

--
Don Wannit
A paid SpamCop user since 1999

From w7el at eznec.com Tue May 10 11:53:55 2005
From: w7el at eznec.com (Roy Lewallen)
Date: Tue May 10 13:55:06 2005
Subject: [SC-Help] Re: Personal blacklist problem
In-Reply-To:
References:
Message-ID:

WazoO wrote:
>
> Numerous Forum FAQ items that talk to various uses and
> implementation of various filtering options available on a
> SpamCop e-mail account exist. Both of your examples
> seem to miss the mark a bit, but then, those FAQ entries
> were developed by folks that do have and use their
> SpamCop e-mail accounts ...
> http://forum.spamcop.net/forums/index.php?showtopic=2238
> or again, try posting into the spamcop.mail newsgroup

Thanks, I think the FAQ answered my question. Reading the information at http://www.spamcop.net/fom-serve/cache/304.html, there's no mention of wild cards for matching, and I'd assumed they could be used. No telling how the asterisks in my blacklist entries were interpreted. I'll have to go back and modify all my personal blacklist filters accordingly. This'll be something of a job since some of the most annoying spammers I filter have quite a few variations of email address.
Surprisingly, just about all of them seemed to have been working with the asterisks present, but I see it's nothing I can count on.

Thanks again.

Roy Lewallen

From w7el at eznec.com Tue May 10 14:32:39 2005
From: w7el at eznec.com (Roy Lewallen)
Date: Tue May 10 16:35:03 2005
Subject: [SC-Help] Re: Personal blacklist problem
In-Reply-To:
References:
Message-ID:

Don Wannit wrote:
>
> Well, assuming that you're using SpamCop Filtered Email (otherwise,
> why would you be posting here?), you're posting in the wrong place,
> although a nearby one. There is a newsgroup specifically for SC
> email/webmail questions -- spamcop.mail -- although there seems
> to be some "herding" of us cats over to the web-based forum for
> SC email support questions. You can find that forum at
> http://forum.spamcop.net/forums/index.php?showforum=4
>
> . . .
> I am not the first to say that the SC webmail interface is not
> particularly easy to use. However, I am an enthusiastic customer
> of the email filtering service, and have recommended it to others,
> and adopted it for my company's "info" email address.
>
> Now, if you are not talking about the SpamCop Email Filtering
> (paid) service, then you're REALLY posting in the wrong place!

Thanks very much for all, and apologies for posting this in the wrong group. It is, at least, the SpamCop service. Having now intercepted and reported over 94,000 spam messages with it, I'm also an enthusiastic customer. With my current settings, only about one in a thousand it catches is a legitimate email, and only about 3% of the spams get through. Some of those are repeat senders which can be filtered with the personal blacklist, so that's what I've been working on.

Having learned of the FAQ, I discovered there that wild cards aren't recognized in the personal blacklist entries, which goes along with your recommendation. I'll be modifying my blacklist as you and the FAQ suggest.
I've had considerable trouble using the web-based forums which don't like my firewall and browser settings. It's a nuisance to have to loosen the protections just for the occasional posting, and even then I sometimes have to try several times before a login is accepted. What's their attraction, anyway?

Roy Lewallen

From MikeE at ster.invalid Tue May 10 14:58:27 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue May 10 17:00:04 2005
Subject: [SC-Help] Re: Personal blacklist problem
References:
Message-ID:

Roy Lewallen wrote:
> I've had considerable trouble using the web-based forums which don't
> like my firewall and browser settings. It's a nuisance to have to
> loosen the protections just for the occasional posting, and even then
> I sometimes have to try several times before a login is accepted.
> What's their attraction, anyway?

Well, I'm not attracted to them; but if I wanted to go there and I was having a browser security conflict, I would give the site a higher security clearance.

I use all 4 of my browser's site classifications; restricted, internet, intranet, and trusted -- and all of them are custom configured. Restricted is extremely tight. Internet is very tight and interferes with a number of functions which a fair number of sites would like to use. Those sites which I would like to have more leeway I put into intranet. I don't usually use trusted, except for such as microsoft's update site. So, intranet is my most common upgraded security clearance.

I've never posted in the forum; and when links are posted to something in there typically it takes me a lot of 'messing around' to try to find something. I don't like to go to the forum to read something which has been referred here. It takes too long. I would just as soon hunt it down from scratch with google or something.
When I post a link to something on a webpage, I typically accompany my link with a little bit of clipping from the page or article to 'nail' what it is we are talking about or the essence of the article.

--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Wed May 11 04:53:34 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Wed May 11 04:56:42 2005
Subject: [SC-Help] Re: Personal blacklist problem
References:
Message-ID:

"Roy Lewallen" wrote in message news:d5r5pb$ka5$1@news.spamcop.net...
>
> Having learned of the FAQ, I discovered there that wild cards aren't
> recognized in the personal blacklist entries, which goes along with your
> recommendation. I'll be modifying my blacklist as you and the FAQ suggest.

I'd hit Jeff G. on the wildcard issue, he pointed me back to one of his old posts, found at
http://forum.spamcop.net/forums/index.php?showtopic=3812&view=findpost&p=26132
Still looking for some older data that may exist somewhere else, but this is at least something ..???

> I've had considerable trouble using the web-based forums which don't
> like my firewall and browser settings. It's a nuisance to have to loosen
> the protections just for the occasional posting, and even then I
> sometimes have to try several times before a login is accepted. What's
> their attraction, anyway?

I've only recently been given access to the actual code, so still bringing myself up to speed. It's primarily based on .php script files, nothing unusual there ... plain old Port 80 traffic ... cookies, both session and real are used, the real one can be dropped, though you lose Tracking of Read/Unread items, and such (details found via the Help button on the Forum) ... and yes, there is some JavaScript, but most of that is long after you login .. when you try some certain actions (such as the "My Assistant" thing .. it generates a pop-up menu) ...
I've got an iBook running wireless into an old silver flying disk router that gets its access via a Linksys wired router .. no problem ... a Win-98SE machine wired through a D-Link router that is then wired through the same Linksys router, also running the ancient @Guard firewall... no problem (after setting permissions in the software firewall)

Give me something to work with to at least guess at why you'd be having problems ....

Attraction? I couldn't answer that .... The only thing I'll point to is that for years, folks have been complaining about the lack of a FAQ that actually had any data. One fine day a long time ago, I took it upon myself to take the existing www.spamcop.net FAQ and build a different interface to it. Then started adding to it. Other folks helped directly, some helped because their posts were then available to point to. Bottom line, I did something about that which others bitched about. Sure there are better ways, better presentations, but again ... the Forum FAQ exists ... why not use it ... or better yet, contribute to it????

There was a huge cry for regular posting of a FAQ within the newsgroups .. over and over and over .... Miss Betsy tried this with her collaborative effort on the "Why am I Blocked?" FAQ. Document was over a year old, many folks had been involved with its development ... more corrections/additions made after the first, second, and third newsgroup postings from all the offered criticisms ... you'll note that it's been a while since she's tried it again .... I'm probably wrong, but I actually don't remember anyone patting her on the back for her efforts ... just more corrections ...

The Forum FAQ is a monster, again, never intended to be anything but a quick hack at the time, but it has grown to include something on the majority of the queries brought up in the newsgroups. Certainly, there is data there that doesn't exist anywhere else without a lot of digging deep ...
When I go looking for help/data, I'll use any resource available. I use 7 other support forums (ISPs choice for support of their hosting services, the support forum for the SpamCop Forum software application,) participate in / monitor over 30 newsgroups for software I use, the Microsoft peer-to-peer support newsgroups, and I'm not even going to try to guess at the others that I hit when I need to look something up ... I'm just bedazzled by some of the recent traffic over my doing something stupid suggesting that you hit the web-forum for an answer to your query ...

Glad you found something of value ... thanks for the feedback.

From TomJB.1p2r5g at mail.webservertalk.com Sun May 15 00:00:26 2005
From: TomJB.1p2r5g at mail.webservertalk.com (TomJB)
Date: Sun May 15 09:40:26 2005
Subject: [SC-Help] Re: THEHOTTESTTHINGAROUND.COM
References: <469-42791EA1-21@storefull-3276.bay.webtv.net>
Message-ID:

DJ Mike wrote:
> *He moved on the 1st. At first, whoa007@pacbell.net as an interested
> 3rd
> party. He isn't any more but I add his email anyway. If any one is
> near
> San Jose, maybe they can drop him a line.
>
> 69.67.72.10, 69.67.72.20
> Reporting addresses: abuse@xo.com
> CustName: Roger Graves
> Address: 301 W. Capital Exp.
> City: San Jose
> StateProv: CA
> PostalCode: 95136
> Country: US
> NetRange: 69.67.72.0 - 69.67.72.255
> NetName: DATAMONITOR-BUSSINESS-INFORMATION
> OrgTechHandle: NOC1264-ARIN
> OrgTechName: Network Operations Center
> OrgTechPhone: +1-408-268-4526
> OrgTechEmail: whoa007@pacbell.net *

Hello - I've noticed this change to XO, or what I thought was XO IP's but after calling them they are denying they have any info. Can you tell me how you found these to belong to XO? I also was getting the spam when it was coming from SBC - I called SBC and screamed at them for 1/2 hr & finally was able to talk to management, the next day the spam changed to XO.
--
TomJB
------------------------------------------------------------------------
Posted via http://www.webservertalk.com
------------------------------------------------------------------------
View this thread: http://www.webservertalk.com/message1033117.html

From bar_n0ne at hotmail.com Sun May 15 19:06:20 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Sun May 15 10:10:04 2005
Subject: [SC-Help] Re: THEHOTTESTTHINGAROUND.COM
References: <469-42791EA1-21@storefull-3276.bay.webtv.net>
Message-ID:

"TomJB" wrote in message news:TomJB.1p2r5g@mail.webservertalk.com...
>
> DJ Mike wrote:
> > *He moved on the 1st. At first, whoa007@pacbell.net as an interested
> > 3rd
> > party. He isn't any more but I add his email anyway. If any one is
> > near
> > San Jose, maybe they can drop him a line.
> >
> > 69.67.72.10, 69.67.72.20
> > Reporting addresses: abuse@xo.com
> > CustName: Roger Graves
> > Address: 301 W. Capital Exp.
> > City: San Jose
> > StateProv: CA
> > PostalCode: 95136
> > Country: US
> > NetRange: 69.67.72.0 - 69.67.72.255
> > NetName: DATAMONITOR-BUSSINESS-INFORMATION
> > OrgTechHandle: NOC1264-ARIN
> > OrgTechName: Network Operations Center
> > OrgTechPhone: +1-408-268-4526
> > OrgTechEmail: whoa007@pacbell.net *
>
> Hello - I've noticed this change to XO, or what I thought was XO IP's
> but after calling them they are denying they have any info. Can you
> tell me how you found these to belong to XO? I also was getting the
> spam when it was coming from SBC - I called SBC and screamed at them
> for 1/2 hr & finally was able to talk to management, the next day the
> spam changed to XO.
>
>
>
> --
> TomJB
> ------------------------------------------------------------------------
> Posted via http://www.webservertalk.com
> ------------------------------------------------------------------------
> View this thread: http://www.webservertalk.com/message1033117.html
>

Well SC, at least, thinks the IP's belong to XO, I think DNSStuff also does.
Do I know anything better? not really.

From bar_n0ne at hotmail.com Sun May 15 20:37:53 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Sun May 15 11:55:05 2005
Subject: [SC-Help] Re: THEHOTTESTTHINGAROUND.COM
References: <469-42791EA1-21@storefull-3276.bay.webtv.net>
Message-ID:

SNIP
>
> Well SC, at least, thinks the IP's belong to XO, I think DNSStuff also does.
> Do I know anything better? not really.
>
>

seems to be the whole Whoa.com, in ROKSO

From DNSSTUFF:

Location: United States [City: San Jose, California]
NOTE: More information appears to be available at NET-69-67-72-0-1.
Whoa USA Inc WHOA-USA-INC (NET-69-67-64-0-1) 69.67.64.0 - 69.67.79.255
Roger Graves DATAMONITOR-BUSSINESS-INFORMATION (NET-69-67-72-0-1) 69.67.72.0 - 69.67.72.255
# ARIN WHOIS database, last updated 2005-05-14 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database

Note the huge IP range for WHOA, and the sub range for Datamonitor which is the part the Software Factory Solutions is using.

Location: Unknown
Looking up !NET-69-67-64-0-1 at whois.arin.net.
NOTE: More information appears to be available at NOC1264-ARIN.
Using 20 day old cached answer (or, you can get fresh results).
Hiding E-mail address (you can get results with the E-mail address).
OrgName: Whoa USA Inc
OrgID: WHOAU
Address: P.O Box 20482
Address: NOC
City: San Jose
StateProv: CA
PostalCode: 95160
Country: US
NetRange: 69.67.64.0 - 69.67.79.255
CIDR: 69.67.64.0/20
NetName: WHOA-USA-INC
NetHandle: NET-69-67-64-0-1
Parent: NET-69-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.OASISVN.COM
NameServer: NS2.OASISVN.COM
Comment:
RegDate: 2003-08-07
Updated: 2003-08-07
OrgTechHandle: NOC1264-ARIN
OrgTechName: Network Operations Center
OrgTechPhone: +1-408-268-4526
OrgTechEmail: *******@pacbell.net
# ARIN WHOIS database, last updated 2005-04-24 19:10

and

Location: Unknown
Looking up !NET-69-67-72-0-1 at whois.arin.net.
NOTE: More information appears to be available at NOC1264-ARIN.
Using 6 day old cached answer (or, you can get fresh results).
Hiding E-mail address (you can get results with the E-mail address).
CustName: Roger Graves
Address: 301 W. Capital Exp.
City: San Jose
StateProv: CA
PostalCode: 95136
Country: US
RegDate: 2003-08-13
Updated: 2003-08-13
NetRange: 69.67.72.0 - 69.67.72.255
CIDR: 69.67.72.0/24
NetName: DATAMONITOR-BUSSINESS-INFORMATION
NetHandle: NET-69-67-72-0-1
Parent: NET-69-67-64-0-1
NetType: Reassigned <-------------------What does that mean?
Comment:
RegDate: 2003-08-13
Updated: 2003-08-13
OrgTechHandle: NOC1264-ARIN
OrgTechName: Network Operations Center
OrgTechPhone: +1-408-268-4526
OrgTechEmail: *******@pacbell.net
# ARIN WHOIS database, last updated 2005-05-07 19:10

and from SpamHaus ROKSO whoa.com: (sorry if this is styled)

ID 4 Results for "whoa.com"
ROK2429 Philip Adelberg / Interweb Hosting - Lying to clients about their spamming
ROK2565 Quang Dangtran - Whoa Medical - Main Info
ROK2400 Ruslan Ibragimov / send-safe.com - Main Info
ROK2072 Webfinity/Dynamic Pipe - Misc Info / Partners in spam

and for just whoa:

ID 13 Results for "whoa"
ROK2453 Elmed / Nikola Anastasov - Dmitry Sklyarov
ROK2799 Michael Lindsay / iMedia Networks - Main info
ROK4989 Michael Lindsay / iMedia Networks - mini-voip.com
ROK3964 Phil Doroff / Five Elements, Inc - PARTNER IN SPAM: Bryce Edward Case Jr. / aka YTCracker
ROK2429 Philip Adelberg / Interweb Hosting - Lying to clients about their spamming
ROK2565 Quang Dangtran - Whoa Medical - Main Info
ROK2581 Quang Dangtran - Whoa Medical - Domain information
ROK3299 Quang Dangtran - Whoa Medical - whoausainc.com / big-penis-forever.com
ROK4934 Quang Dangtran - Whoa Medical - Hijacking trojaned PCs/Proxies
ROK2400 Ruslan Ibragimov / send-safe.com - Main Info
ROK4743 Ryan Pitylak / Steve Goudreault / Mart Trotter - Domains [Jan 2005] (almost 3000!)
ROK4778 Ryan Pitylak / Steve Goudreault / Mart Trotter - Domains [2004 - 2005]
ROK2072 Webfinity/Dynamic Pipe - Misc Info / Partners in spam

From nobody at spamcop.net Sun May 15 11:54:04 2005
From: nobody at spamcop.net (Ellen)
Date: Sun May 15 14:40:04 2005
Subject: [SC-Help] Re: THEHOTTESTTHINGAROUND.COM
References: <469-42791EA1-21@storefull-3276.bay.webtv.net>
Message-ID:

"TomJB" wrote in message news:TomJB.1p2r5g@mail.webservertalk.com...
>
> DJ Mike wrote:
> > *He moved on the 1st. At first, whoa007@pacbell.net as an interested
> > 3rd
> > party. He isn't any more but I add his email anyway. If any one is
> > near
> > San Jose, maybe they can drop him a line.
> >
> > 69.67.72.10, 69.67.72.20
> > Reporting addresses: abuse@xo.com
> > CustName: Roger Graves
> > Address: 301 W. Capital Exp.
> > City: San Jose
> > StateProv: CA
> > PostalCode: 95136
> > Country: US
> > NetRange: 69.67.72.0 - 69.67.72.255
> > NetName: DATAMONITOR-BUSSINESS-INFORMATION
> > OrgTechHandle: NOC1264-ARIN
> > OrgTechName: Network Operations Center
> > OrgTechPhone: +1-408-268-4526
> > OrgTechEmail: whoa007@pacbell.net *
>
> Hello - I've noticed this change to XO, or what I thought was XO IP's
> but after calling them they are denying they have any info. Can you
> tell me how you found these to belong to XO? I also was getting the
> spam when it was coming from SBC - I called SBC and screamed at them
> for 1/2 hr & finally was able to talk to management, the next day the
> spam changed to XO.
>
>

Announced by XO:

BGP routing table entry for 69.67.72.0/21, version 37736930
Paths: (49 available, best #27, table Default-IP-Routing-Table)
Not advertised to any peer
3549 2828

AS2828:
Search results for: AS2828
OrgName: XO Communications
OrgID: XOXO
Address: Corporate Headquarters
Address: 11111 Sunset Hills Road
City: Reston
StateProv: VA
PostalCode: 20190-5339
Country: US

See also: http://www.spamhaus.org/sbl/sbl.lasso?query=SBL12587

Ellen

From steevian at yahoo.com Tue May 17 02:06:17 2005
From: steevian at yahoo.com (Steve Johnson)
Date: Tue May 17 04:06:24 2005
Subject: [SC-Help] Re: THEHOTTESTTHINGAROUND.COM - "Consumer Research Corp" SPAM
Message-ID: <20050517080617.83039.qmail@web51303.mail.yahoo.com>

Hello Ellen,

Can you please tell me where you were able to find this info and if you know who to talk to at "XO.com" I would appreciate that info also, I haven't had much luck with them, they gave me a big laugh and 'click' on the phone last time.

The listing at SPAMHAUS http://www.spamhaus.org/sbl/sbl.lasso?query=SBL12587 refers to a different range, are you suggesting "Quang Dangtran - Whoa Medical" is responsible for this?

Any idea on who "Roger Graves DATAMONITOR-BUSSINESS-INFORMATION" is??

Thanks much.

--------

Announced by XO:

BGP routing table entry for 69.67.72.0/21, version 37736930
Paths: (49 available, best #27, table Default-IP-Routing-Table)
Not advertised to any peer
3549 2828

AS2828:
Search results for: AS2828
OrgName: XO Communications
OrgID: XOXO
Address: Corporate Headquarters
Address: 11111 Sunset Hills Road
City: Reston
StateProv: VA
PostalCode: 20190-5339
Country: US

See also: http://www.spamhaus.org/sbl/sbl.lasso?query=SBL12587

Ellen

__________________________________
Yahoo! Mail Mobile
Take Yahoo! Mail with you! Check email on your mobile phone.
http://mobile.yahoo.com/learn/mail

From steevian at yahoo.com Tue May 17 03:01:05 2005
From: steevian at yahoo.com (Steve Johnson)
Date: Tue May 17 05:01:20 2005
Subject: [SC-Help] "Consumer Research Corp" SPAMMING - XO IP Block 69.67.72.0/21
Message-ID: <20050517090105.35134.qmail@web51306.mail.yahoo.com>

According to this, the block where SPAM is coming from "69.67.72.0/21" belongs to XO:

http://www.cidr-report.org/cgi-bin/as-report?as=AS2828

I have called XO about 4 times and all I get is them totally denying this block is not theirs & one person in their Ops even laughed at the suggestion.

Anyone who is interested, please help me in pressuring "XO" to try a little harder to be a responsible ISP, thanks!

Here's a small sample of the intense SPAMMING from this "XO CUSTOMER:"

--- Money to shop wrote:
> X-Apparently-To: steevian@yahoo.com via 206.190.37.237; Tue, 17
> May 2005 00:37:17 -0700
> X-YahooFilteredBulk: 69.67.72.70
> Authentication-Results: mta273.mail.scd.yahoo.com
> from=jxpzfbc.tradepointone.com; domainkeys=neutral (no sig)
> X-Originating-IP: [69.67.72.70]
> Return-Path:
> Received: from 69.67.72.70 (EHLO eicmssgnq.tradepointone.com)
> (69.67.72.70)
> by mta273.mail.scd.yahoo.com with SMTP; Tue, 17 May 2005 00:34:59
> -0700
> From: "Money to shop"
> To:
> Subject: Start secret shopping today
> Date: Tue, 17 May 2005 00:37:42 -0800
> MIME-Version: 1.0
> Content-Type: text/html;
> Content-Length: 1478
>

--- Money to shop wrote:
> X-Apparently-To: steevian@yahoo.com via 206.190.37.30; Tue, 17
> May 2005 00:56:26 -0700
> X-YahooFilteredBulk: 69.67.72.67
> Authentication-Results: mta217.mail.scd.yahoo.com
> from=dkjxsxzwkod.tradepointone.com; domainkeys=neutral (no sig)
> X-Originating-IP: [69.67.72.67]
> Return-Path:
> Received: from 69.67.72.67 (EHLO hibibivv.tradepointone.com)
> (69.67.72.67)
> by mta217.mail.scd.yahoo.com with SMTP; Tue, 17 May 2005 00:56:18
> -0700
> From: "Money to shop"
> To:
> Subject: Get a one thousand dollar gift card to shop
with
> Date: Tue, 17 May 2005 00:59:01 -0800
> MIME-Version: 1.0
> Content-Type: text/html;
> Content-Length: 1509
>

--- Mowers wrote:
> X-Apparently-To: steevian@yahoo.com via 206.190.37.25; Mon, 16
> May 2005 22:16:07 -0700
> X-YahooFilteredBulk: 69.67.72.59
> Authentication-Results: mta110.mail.scd.yahoo.com
> from=jhyrujgwvmu.freeserving.com; domainkeys=neutral (no sig)
> X-Originating-IP: [69.67.72.59]
> Return-Path:
> Received: from 69.67.72.59 (EHLO dwxprco.freeserving.com)
> (69.67.72.59)
> by mta110.mail.scd.yahoo.com with SMTP; Mon, 16 May 2005 22:15:28
> -0700
> From: "Mowers"
> To:
> Subject: Get a top name lawn tractor FREE*!
> Date: Mon, 16 May 2005 22:18:09 -0800
> MIME-Version: 1.0
> Content-Type: text/html;
> Content-Length: 1506
>

--- Consumer Feedback wrote:
> X-Apparently-To: steevian@yahoo.com via 206.190.37.22; Mon, 16
> May 2005 19:36:44 -0700
> X-YahooFilteredBulk: 69.67.72.61
> Authentication-Results: mta317.mail.scd.yahoo.com
> from=nxjjjgidssf.tradepointone.com; domainkeys=neutral (no sig)
> X-Originating-IP: [69.67.72.61]
> Return-Path:
> Received: from 69.67.72.61 (EHLO nxjjjgidssf.tradepointone.com)
> (69.67.72.61)
> by mta317.mail.scd.yahoo.com with SMTP; Mon, 16 May 2005 19:36:06
> -0700
> From: "Consumer Feedback"
>
> To:
> Subject: This amazing new Cell phone could be yours Free!
> Date: Mon, 16 May 2005 19:38:46 -0800
> MIME-Version: 1.0
> Content-Type: text/html;
> Content-Length: 1492
>

--- Satellite offer wrote:
> X-Apparently-To: steevian@yahoo.com via 206.190.37.30; Mon, 16
> May 2005 15:09:33 -0700
> X-YahooFilteredBulk: 69.67.72.21
> Authentication-Results: mta183.mail.dcn.yahoo.com
> from=udyuqzm.servingones.com; domainkeys=neutral (no sig)
> X-Originating-IP: [69.67.72.21]
> Return-Path:
> Received: from 69.67.72.21 (EHLO vsgwsqbrgli.servingones.com)
> (69.67.72.21)
> by mta183.mail.dcn.yahoo.com with SMTP; Mon, 16 May 2005 15:09:07
> -0700
> From: "Satellite offer"
> To:
> Subject: All you need and a lifetime subscription to Sirius
> Satellite!
> Date: Mon, 16 May 2005 15:11:43 -0800
> MIME-Version: 1.0
> Content-Type: text/html;
> Content-Length: 1520
>

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

From bar_n0ne at hotmail.com Tue May 17 14:29:37 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Tue May 17 05:30:03 2005
Subject: [SC-Help] Re: "Consumer Research Corp" SPAMMING - XO IP Block 69.67.72.0/21
References:
Message-ID:

"Steve Johnson" wrote in message news:mailman.1.1116320474.169.spamcop-help@news.spamcop.net...
> According to this, the block where SPAM is coming from "69.67.72.0/21" belongs to
> XO:
>
> http://www.cidr-report.org/cgi-bin/as-report?as=AS2828
>
>
> I have called XO about 4 times and all I get is them totally denying this block
> is not theirs & one person in their Ops even laughed at the suggestion.
>
> Anyone who is interested, please help me in pressuring "XO" to try a little harder
> to be a responsible ISP, thanks!
>
> Here's a small sample of the intense SPAMMING from this "XO CUSTOMER:"
> > SNIP
> > Received: from 69.67.72.70 (EHLO eicmssgnq.tradepointone.com)
> > SNIP
> > Received: from 69.67.72.67 (EHLO hibibivv.tradepointone.com)
> > (69.67.72.67)
> > SNIP
> > Received: from 69.67.72.59 (EHLO dwxprco.freeserving.com)
> > (69.67.72.59)
> > SNIP
> > Received: from 69.67.72.61 (EHLO nxjjjgidssf.tradepointone.com)
> > (69.67.72.61)
> > SNIP
> > Received: from 69.67.72.21 (EHLO vsgwsqbrgli.servingones.com)
> > (69.67.72.21)

SNIPPED

Yep same trash I've been getting since he started spamming me from CalPOP/ATMLinkinc using a site at MCI some 6 or more months back.

There used to be a site that listed email addies of lawyers for, and senior management of ISP's so you could gripe, but it got shut down a few years back, it was called the bitch-list or something like that.

Basically you have a few tactics, you can try to discover email addresses for investor relations, Senior VP's and up, and start bitching (politely and professionally) about their spam in the Yahoo group for their stock. You can possibly complain upstream if they are a subsidiary of a larger comms company. That was a tactic that either worked or was coincident with the Verio cleanup. (have seen only 2 spams and 3 spamvertizers from Verio in some 2 years and I get a lot (300+/day) of spam.) Complaints were being sent to NTT at the time. I have no idea who owns XO.

I've found remarks in certain newsgroups like : "is so and so near bankruptcy?" --- "they are going after spam gang business" for example. That sort of tactic (with others) has managed to annoy MCI enough to kick some spammers/spam support services eventually (although in that case they already were in Ch.11).
From steevian at yahoo.com Tue May 17 04:15:02 2005
From: steevian at yahoo.com (Steve Johnson)
Date: Tue May 17 06:15:08 2005
Subject: [SC-Help] RE:SPAM from your block: 69.67.72.021 [#2446202] -- XO.COM re "CONSUMER RESEARCH CORP" SPAMMING
In-Reply-To:
Message-ID: <20050517101503.17842.qmail@web51303.mail.yahoo.com>

Hi Kevin,

Thanks for the info & sorry to bother you, I too work in support & know how that goes... but if you read my email you would know I have tried emailing and calling abuse & your net ops, etc., several times and have had no response at best - so I thought I'd try a few other email addresses.

Yes I do have a 'further question,' can you open a ticket on this issue since your abuse will not take action or even acknowledge that this is your block - what does that tell me?! Maybe someone in support could investigate why you continue to allow huge amounts of SPAMMING activity from your IP block: 69.67.72.0/21 ???

Thanks.

--- support@xo.com wrote:
>
> Hello Steve,
>
> Thank you for your email.
>
> You will need to direct this situation to our Network Investigations department
> for any possible resolution or addressing of this situation. They can be reached
> through http://support.xo.com/abuse or abuse@xo.com.
>
> Let us know if you have any further questions.
>
> Customer Care is available 24 hours a day, 7 days a week to assist you. For the
> most efficient handling of your inquiries, submit a trouble ticket from the XO
> Gateway (go to http://admin.xo.com, select 'Care' and then 'Contact Customer
> Support'). You may also contact Customer Care over the phone by calling
> 888-575-6398.
>
> Best regards,
> Kevin C.
> Web Site Hosting Support Team
> XO Communications
>
> --Original Message--
> From: steevian@yahoo.com
> Date: 05/17/05
> To: support@xo.com
> Subject: SPAM from your block: 69.67.72.021[#2446202]
>
> This e-mail message is a reply to a Web page using the
> form2mail script. The reply was generated by a web page
> at xo.com.
> > > Subject: SPAM from your block: 69.67.72.021 > > > > ADMIN KEY:s65jfk35 > First Name: Steve > Last Name: Johnson > Company Name: na > Address 1: na > Address 2: > City: na > State: WI > Zip: 53706 > Phone: (111)222-3333 ext: > Fax: -- > Email: steevian@yahoo.com > > > > Comments: > TO SPAMCOP, cc XO: > > According to this, the block where SPAM is coming from "69.67.72.0/21" belongs to > XO: > > http://www.cidr-report.org/cgi-bin/as-report?as=AS2828 > > I have called XO about 4 times and all I get is them totally denying this block > is not theirs & one person in their Ops even laughed at the suggestion. > > Anyone who is interested, please help me in pressuring "XO" to try a little harder > to be a responsible ISP, thanks! > > Here's a small sample of the intense SPAMMING from this "XO CUSTOMER:" > > > --- Money to shop wrote: > > X-Apparently-To: steevian@yahoo.com via 206.190.37.237; Tue, 17 > > May 2005 00:37:17 -0700 > > X-YahooFilteredBulk: 69.67.72.70 > > Authentication-Results: mta273.mail.scd.yahoo.com > > from=jxpzfbc.tradepointone.com; domainkeys=neutral (no sig) > > X-Originating-IP: [69.67.72.70] > > Return-Path: > > Received: from 69.67.72.70 (EHLO eicmssgnq.tradepointone.com) > > (69.67.72.70) > > by mta273.mail.scd.yahoo.com with SMTP; Tue, 17 May 2005 00:34:59 > > -0700 > > From: "Money to shop" > > To: > > Subject: Start secret shopping today > > Date: Tue, 17 May 2005 00:37:42 -0800 > > MIME-Version: 1.0 > > Content-Type: text/html; > > Content-Length: 1478 > > > > > --- Money to shop wrote: > > X-Apparently-To: steevian@yahoo.com via 206.190.37.30; Tue, 17 > > May 2005 00:56:26 -0700 > > X-YahooFilteredBulk: 69.67.72.67 > > Authentication-Results: mta217.mail.scd.yahoo.com > > from=dkjxsxzwkod.tradepointone.com; domainkeys=neutral (no sig) > > X-Originating-IP: [69.67.72.67] > > Return-Path: > > Received: from 69.67.72.67 (EHLO hibibivv.tradepointone.com) > > (69.67.72.67) > > by mta217.mail.scd.yahoo.com with SMTP; Tue, 17 May 2005 00:56:18
> > -0700 > > From: "Money to shop" > > To: > > Subject: Get a one thousand dollar gift card to shop with > > Date: Tue, 17 May 2005 00:59:01 -0800 > > MIME-Version: 1.0 > > Content-Type: text/html; > > Content-Length: 1509 > > > > > --- Mowers wrote: > > X-Apparently-To: steevian@yahoo.com via 206.190.37.25; Mon, 16 > > May 2005 22:16:07 -0700 > > X-YahooFilteredBulk: 69.67.72.59 > > Authentication-Results: mta110.mail.scd.yahoo.com > > from=jhyrujgwvmu.freeserving.com; domainkeys=neutral (no sig) > > X-Originating-IP: [69.67.72.59] > > Return-Path: > > Received: from 69.67.72.59 (EHLO dwxprco.freeserving.com) > > (69.67.72.59) > > by mta110.mail.scd.yahoo.com with SMTP; Mon, 16 May 2005 22:15:28 > > -0700 > > From: "Mowers" > > To: > > Subject: Get a top name lawn tractor FREE*! > > Date: Mon, 16 May 2005 22:18:09 -0800 > > MIME-Version: 1.0 > > Content-Type: text/html; > > Content-Length: 1506 > > > > > --- Consumer Feedback wrote: > > X-Apparently-To: steevian@yahoo.com via 206.190.37.22; Mon, 16 > > May 2005 19:36:44 -0700 > > X-YahooFilteredBulk: 69.67.72.61 > > Authentication-Results: mta317.mail.scd.yahoo.com > > from=nxjjjgidssf.tradepointone.com; domainkeys=neutral (no sig) > > X-Originating-IP: [69.67.72.61] > > Return-Path: > > Received: from 69.67.72.61 (EHLO nxjjjgidssf.tradepointone.com) > > (69.67.72.61) > > by mta317.mail.scd.yahoo.com with SMTP; Mon, 16 May 2005 19:36:06 > > -0700 > > From: "Consumer Feedback" > > > > To: > > Subject: This amazing new Cell phone could be yours Free! 
> > Date: Mon, 16 May 2005 19:38:46 -0800 > > MIME-Version: 1.0 > > Content-Type: text/html; > > Content-Length: 1492 > > > > > --- Satellite offer wrote: > > X-Apparently-To: steevian@yahoo.com via 206.190.37.30; Mon, 16 > > May 2005 15:09:33 -0700 > > X-YahooFilteredBulk: 69.67.72.21 > > Authentication-Results: mta183.mail.dcn.yahoo.com > > from=udyuqzm.servingones.com; domainkeys=neutral (no sig) > > X-Originating-IP: [69.67.72.21] > > Return-Path: > > Received: from 69.67.72.21 (EHLO vsgwsqbrgli.servingones.com) > > (69.67.72.21) > > by mta183.mail.dcn.yahoo.com with SMTP; Mon, 16 May 2005 15:09:07 > > -0700 > > From: "Satellite offer" > > To: > > Subject: All you need and a lifetime subscription to Sirius > > Satellite! > > Date: Mon, 16 May 2005 15:11:43 -0800 > > MIME-Version: 1.0 > > Content-Type: text/html; > > Content-Length: 1520 > > > > > __________________________________ Yahoo! Mail Mobile Take Yahoo! Mail with you! Check email on your mobile phone. http://mobile.yahoo.com/learn/mail From bar_n0ne at hotmail.com Tue May 17 15:35:20 2005 From: bar_n0ne at hotmail.com (Berny) Date: Tue May 17 06:40:02 2005 Subject: [SC-Help] Re: RE:SPAM from your block: 69.67.72.021 [#2446202] -- XO.COM re"CONSUMER RESEARCH CORP" SPAMMING References: Message-ID: Hi Steve, "Steve Johnson" wrote in message news:mailman.2.1116324909.169.spamcop-help@news.spamcop.net... > > Hi Kevin, > SNIPPED I copied that post to spamcop, I think it will get more eyes there than in .help, which seems to be withering. (news.spamcop.net/spamcop), people seem to have drifted over to the forums for SC help. Also this group is intended more for difficulties with using SpamCop, rather than dealing with spam per se, which is more the domain of the spamcop group. 
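Added example, not part of any poster's message and not SpamCop's own code: the Received headers quoted above, parsed in Python to show that the five sources sit in one small block inside 69.67.72.0/21 and which announced prefix covers each. The function names are hypothetical, the ROUTES table only restates prefix/AS pairs given by posters in this thread, and the 192.0.2.10 header is constructed.

```python
import ipaddress
import re
from collections import Counter

# Received headers as quoted in the thread (Yahoo MTA format, re-wrapped), plus
# one constructed header from the 192.0.2.0/24 documentation range.
SAMPLE_HEADERS = """\
Received: from 69.67.72.70 (EHLO eicmssgnq.tradepointone.com) (69.67.72.70)
  by mta273.mail.scd.yahoo.com with SMTP; Tue, 17 May 2005 00:34:59 -0700
Received: from 69.67.72.67 (EHLO hibibivv.tradepointone.com) (69.67.72.67)
  by mta217.mail.scd.yahoo.com with SMTP; Tue, 17 May 2005 00:56:18 -0700
Received: from 69.67.72.59 (EHLO dwxprco.freeserving.com) (69.67.72.59)
  by mta110.mail.scd.yahoo.com with SMTP; Mon, 16 May 2005 22:15:28 -0700
Received: from 69.67.72.61 (EHLO nxjjjgidssf.tradepointone.com) (69.67.72.61)
  by mta317.mail.scd.yahoo.com with SMTP; Mon, 16 May 2005 19:36:06 -0700
Received: from 69.67.72.21 (EHLO vsgwsqbrgli.servingones.com) (69.67.72.21)
  by mta183.mail.dcn.yahoo.com with SMTP; Mon, 16 May 2005 15:09:07 -0700
Received: from 192.0.2.10 (EHLO mail.example.net) (192.0.2.10)
  by mta000.example.org with SMTP; Mon, 16 May 2005 12:00:00 -0700
"""

# Prefix -> origin AS as stated by posters in this thread; not a live BGP feed.
ROUTES = {
    ipaddress.ip_network("69.67.72.0/21"): 2828,
    ipaddress.ip_network("69.67.64.0/21"): 701,
}
LISTED_RANGE = ipaddress.ip_network("69.67.64.0/20")  # range named in the thread

# The trailing parenthesised address is the peer IP the receiving MTA logged;
# the EHLO name is only what the sender claimed.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+\S+\s+\(EHLO\s+(?P<ehlo>[^)\s]+)\)\s+"
    r"\((?P<peer>\d{1,3}(?:\.\d{1,3}){3})\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

def unfold(raw):
    """Join folded continuation lines onto the header line they belong to."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        elif line.strip():
            lines.append(line.rstrip())
    return lines

def parse_received(raw):
    """Return (peer_ip, ehlo_name, receiving_host) for each parsable hop."""
    hops = []
    for header in unfold(raw):
        m = RECEIVED_RE.match(header)
        if not m:
            continue
        try:
            peer = ipaddress.ip_address(m["peer"])
        except ValueError:
            continue  # malformed address, e.g. an octet above 255
        hops.append((peer, m["ehlo"].lower(), m["by"].lower()))
    return hops

def covering_prefix(addresses):
    """Smallest single CIDR block that contains every address given."""
    addresses = list(addresses)
    if not addresses:
        raise ValueError("no addresses")
    net = ipaddress.ip_network(str(addresses[0]))  # host route to start from
    while not all(a in net for a in addresses):
        if net.prefixlen == 0:
            raise ValueError("addresses mix IPv4 and IPv6")
        net = net.supernet()
    return net

def origin_for(address, routes):
    """Longest-prefix match: most specific (prefix, asn) covering address."""
    matches = [(net, asn) for net, asn in routes.items() if address in net]
    return max(matches, key=lambda item: item[0].prefixlen, default=None)

def tally_by_origin(raw, routes):
    """Count relay IPs per origin AS; the None key collects uncovered sources."""
    tally = Counter()
    for peer, _ehlo, _by in parse_received(raw):
        hit = origin_for(peer, routes)
        tally[hit[1] if hit else None] += 1
    return tally

def ehlo_domains(raw):
    """Count EHLO names by their last two labels (naive, no public-suffix list)."""
    return Counter(".".join(e.split(".")[-2:]) for _p, e, _b in parse_received(raw))

if __name__ == "__main__":
    hops = parse_received(SAMPLE_HEADERS)
    block = ipaddress.ip_network("69.67.72.0/21")
    inside = [peer for peer, _, _ in hops if peer in block]
    print(f"{len(inside)} of {len(hops)} relays are inside {block}")
    print(f"smallest covering prefix: {covering_prefix(inside)}")
    print(f"{block} within {LISTED_RANGE}: {block.subnet_of(LISTED_RANGE)}")
    print("per origin AS:", dict(tally_by_origin(SAMPLE_HEADERS, ROUTES)))
    print("EHLO domains:", dict(ehlo_domains(SAMPLE_HEADERS)))
```

A covering prefix much narrower than the announced block, together with randomised host labels under a handful of EHLO domains, is the kind of summary that makes an abuse report easier to act on than a pile of raw headers.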
From TomJB.1p6f4z at mail.webservertalk.com Tue May 17 04:44:05 2005 From: TomJB.1p6f4z at mail.webservertalk.com (TomJB) Date: Tue May 17 09:10:03 2005 Subject: [SC-Help] Re: THEHOTTESTTHINGAROUND.COM References: <469-42791EA1-21@storefull-3276.bay.webtv.net> Message-ID: Ellen wrote: > *"TomJB" wrote in message > news:TomJB.1p2r5g@mail.webservertalk.com... > > > > DJ Mike wrote: > > > > Hello - I've noticed this change to XO, or what I thought was XO > IP's > > but after calling them they are denying they have any info. Can > you > > tell me how you found these to belong to XO? I also was getting > the > > spam when it was coming from SBC - I called SBC and screamed at > them > > for 1/2 hr & finally was able to talk to management, the next day > the > > spam changed to XO. > > > > > > Announced by XO: > > BGP routing table entry for 69.67.72.0/21, version 37736930 > Paths: (49 available, best #27, table Default-IP-Routing-Table) > Not advertised to any peer > 3549 2828 > > AS2828: > Search results for: AS2828 > > > > OrgName: XO Communications > OrgID: XOXO > Address: Corporate Headquarters > Address: 11111 Sunset Hills Road > City: Reston > StateProv: VA > PostalCode: 20190-5339 > Country: US > > See also: http://www.spamhaus.org/sbl/sbl.lasso?query=SBL12587 > > > > Ellen * Thanks, I had not ever checked out CIDR but according to them, the block where the SPAM is coming from "69.67.72.0/21" belongs to XO: http://www.cidr-report.org/cgi-bin/as-report?as=AS2828 I have called XO about 4 times and all I get is them totally denying this block is not theirs & one person in their Ops even laughed at the suggestion.
Anyone who is interested, please help me in pressuring "XO" to try a little harder to be a responsible ISP, thanks! -- TomJB ------------------------------------------------------------------------ Posted via http://www.webservertalk.com ------------------------------------------------------------------------ View this thread: http://www.webservertalk.com/message1033117.html From nobody at spamcop.net Tue May 17 10:50:00 2005 From: nobody at spamcop.net (Ellen) Date: Tue May 17 09:55:02 2005 Subject: [SC-Help] Re: THEHOTTESTTHINGAROUND.COM - "Consumer Research Corp"SPAM References: Message-ID: "Steve Johnson" wrote in message news:mailman.0.1116317184.169.spamcop-help@news.spamcop.net... > > Hello Ellen, > > Can you please tell me where you were able to find this info and if you know who to > talk to at "XO.com" I would appreciate that info also, I haven't had much luck with > them, they gave me a big laugh and 'click' on the phone last time. The information came from checking route-views using telnet: http://www.routeviews.org/ You can try http://www.fixedorbit.com/search.htm altho I have found them to be inaccurate from time to time as they don't seem to update as often as they should. Once you get the AS number from fixedorbit, you can use this url to pull up the details from the cidr-report -- just change the number after the AS in the url to the one you are interested in: http://www.cidr-report.org/cgi-bin/as-report?as=AS2828&view=4637 halfway down the page is a list of the ranges announced by the ASN. So you would want to use that to check to see if the block was really announced by the ASN or if fixedorbit was out of date. There is probably a less painful way to do this but as I just telnet into route-views I don't know what that is.
You can also try one or more of the looking glass sites -- just remember that the results you are getting are for that looking glass only; here is a link to a bunch of them: http://www.traceroute.org/#Looking Glass So for example you could try the qwest USA one and put in the IP and select BGP for the query type. You might want to try a few of them geographically scattered to make sure that you got complete information. You can then look up the ASNs at fixedorbit to see who they belong to or use ARIN/RIPE/etc to look up that information. In any case you need to sanity check the information that you have gathered. > > The listing at SPAMHAUS http://www.spamhaus.org/sbl/sbl.lasso?query=SBL12587 refers > to a different range, are you suggesting "Quang Dangtran - Whoa Medical" is > responsible for this? yes The Rokso listing is for the /20: Address Range 69.67.64.0 - 69.67.79.255 What I rerouted was 69.67.72.0/21 69.67.72.0 - 69.67.79.255 Which is a subset of the /20. I see 69.67.64.0/21 as being announced by AS701 which is mci.com. XO should be well aware of what is happening -- there are over 3000 reports for the last week for 69.67.72.0/24. > > Any idea on who "Roger Graves DATAMONITOR-BUSSINESS-INFORMATION" is?? nope, no idea -- I tend to not be able to keep track of the names and aliases of all those spammers as I am, in general, very bad at retaining names. A select few however I have no problem with :-) Ellen From bar_n0ne at hotmail.com Tue May 17 19:05:15 2005 From: bar_n0ne at hotmail.com (Berny) Date: Tue May 17 10:10:03 2005 Subject: [SC-Help] Re: THEHOTTESTTHINGAROUND.COM - "Consumer Research Corp"SPAM References: Message-ID: following this up to .spamcop where it probably belongs sorry for the repeat in .help I got lazy "Ellen" wrote in message news:d6ct26$lj3$2@news.spamcop.net... > > > "Steve Johnson" wrote in message > news:mailman.0.1116317184.169.spamcop-help@news.spamcop.net...
> > > > Hello Ellen, > > > > Can you please tell me where you were able to find this info and if you > know who to > > talk to at "XO.com" I would appreciate that info also, I haven't had much > luck with > > them, they gave me a big laugh and 'click' on the phone last time. > > The information came from checking route-views using telnet: > > http://www.routeviews.org/ > > You can try http://www.fixedorbit.com/search.htm altho I have found them to > be inaccurate from time to time as they don't seem to update as often as > they should. Once you get the AS number from fixedorbit, you can use this > url to pull up the details from the cidr-report -- just change the number > after the AS in the url to the one you are interested in: > > http://www.cidr-report.org/cgi-bin/as-report?as=AS2828&view=4637 > > halfway down the page is a list of the ranges announced by the ASN. So you > would want to use that to check to see if the block was really announced by > the ASN or if fixedorbit was out of date. There is probably a less painful > way to do this but as I just telnet into route-views I don't know what that > is. You can also try one or more of the looking glass sites -- just remember > that the results you are getting are for that looking glass only; here is a > link to a bunch of them: > > http://www.traceroute.org/#Looking Glass > > So for example you could try the qwest USA one and put in the IP and select > BGP for the query type. You might want to try a few of them geographically > scattered to make sure that you got complete information. You can then look > up the ASNs at fixedorbit to see who they belong to or use ARIN/RIPE/etc to > look up that information. In any case you need to sanity check the > information that you have gathered. > > > > > > The listing at SPAMHAUS > http://www.spamhaus.org/sbl/sbl.lasso?query=SBL12587 refers > > to a different range, are you suggesting "Quang Dangtran - Whoa Medical" > is > > responsible for this?
> > yes > > The Rokso listing is for the /20: > Address Range 69.67.64.0 - 69.67.79.255 What I rerouted was > 69.67.72.0/21 69.67.72.0 - 69.67.79.255 Which is a subset of the /20. I see > 69.67.64.0/21 as being announced by AS701 which is mci.com. XO should be > well aware of what is happening -- there are over 3000 reports for the last > week for 69.67.72.0/24. > > > > > Any idea on who "Roger Graves DATAMONITOR-BUSSINESS-INFORMATION" is?? > > nope, no idea -- I tend to not be able to keep track of the names and > aliases of all those spammers as I am, in general, very bad at retaining > names. A select few however I have no problem with :-) > > > Ellen > > From ob1db at spamcop.net Wed May 18 00:29:14 2005 From: ob1db at spamcop.net (David Butler) Date: Tue May 17 23:35:03 2005 Subject: [SC-Help] SC Logic goofup ? Message-ID: Why does SC goof up this logic ??? Parsing input: sobiex.bj host sobiex.bj (checking ip) = 81.91.233.2 host 81.91.233.2 (getting name) no name No recent reports, no history available Routing details for 81.91.233.2 [refresh/show] Cached whois for 81.91.233.2 : agbaholou@opt.bj jakinocho@sobiex.bj agbaholou@intnet.bj gbedissin@intnet.bj Using abuse net on jakinocho@sobiex.bj No abuse net record for sobiex.bj Using default postmaster contacts postmaster@sobiex.bj postmaster@sobiex.bj bounces when there are 4 good notifies ?? Using AFRINIC: inetnum: 81.91.233.0 - 81.91.233.63 netname: SOBIEX-NET descr: Sobiex Informatique (SOBIEX) descr: SOBIEX country: BJ admin-c: JA551-AFRINIC admin-c: LA212-AFRINIC tech-c: AG2749-AFRINIC status: ASSIGNED PA notify: ril@intnet.bj notify: agbaholou@intnet.bj notify: jakinocho@sobiex.bj mnt-by: OPT-NTIC-MNT mnt-lower: OPT-NTIC-MNT changed: agbaholou@intnet.bj 20030711 changed: hostmaster@afrinic.net 20050205 remarks: data has been transferred from RIPE Whois Database 20050221 source: AFRINIC person: Jacob AKINOCHO address: SOBIEX Informatique address: 01 B.P. 3885 address: Cotonou (Rep.
du Benin) phone: +229 31 43 19 fax-no: +229 31 27 72 e-mail: jakinocho@sobiex.bj nic-hdl: JA551-AFRINIC notify: agbaholou@intnet.bj notify: ril@intnet.bj mnt-by: OPT-NTIC-MNT changed: agbaholou@intnet.bj 20030708 changed: hostmaster@afrinic.net 20050205 remarks: data has been transferred from RIPE Whois Database 20050221 source: AFRINIC person: Louis Agbaholou address: Office des Postes et Telecommications (OPT) address: Reseau Internet address: B.P. 5959 address: Cotonou (Rep. du Benin) phone: +229 31 4990 fax-no: +229 31 3843 e-mail: agbaholou@intnet.bj e-mail: agbaholou@opt.bj mnt-by: OPT-NTIC-MNT nic-hdl: LA212-AFRINIC notify: agbaholou@opt.bj notify: ril@intnet.bj changed: agbaholou@intnet.bj 20020727 changed: hostmaster@afrinic.net 20050205 remarks: data has been transferred from RIPE Whois Database 20050221 source: AFRINIC person: Adolphe Gbedissin address: Office des Postes et Telecommications (OPT) address: Reseau Internet address: B.P. 5959 address: Cotonou (Rep. du Benin) phone: +229 31 8888 fax-no: +229 31 3843 e-mail: gbedissin@intnet.bj nic-hdl: AG2749-AFRINIC notify: gbedissin@intnet.bj changed: gbedissin@intnet.bj 20010802 changed: hostmaster@afrinic.net 20050205 remarks: data has been transferred from RIPE Whois Database 20050221 source: AFRINIC Same four that SC ignored! I see this on other SC parses as well. Good notify exists, SC queries Abuse.net nonetheless, Abuse.net info is default which does not work! From cashbox at bellsouth.net Wed May 18 11:13:43 2005 From: cashbox at bellsouth.net (JOE AHEARN) Date: Wed May 18 10:13:52 2005 Subject: [SC-Help] RE:SPAM from your block: 69.67.72.021 [#2446202] -- XO.COM re"CONSUMER RESEARCH CORP" SPAMMING References: <20050517101503.17842.qmail@web51303.mail.yahoo.com> Message-ID: <004e01c55bb3$cc9c5c00$6101a8c0@JOSEPH> Joe Ahearn -- Are you talking about the Viagra spam emails? I am getting 15 or 20 every day. Blocking them doesn't stop them. My daughter in Texas is getting them too.
Joe ----- Original Message ----- From: "Steve Johnson" To: "Joe Ahearn" Cc: ; Sent: Tuesday, May 17, 2005 6:15 AM Subject: [SC-Help] RE:SPAM from your block: 69.67.72.021 [#2446202] -- XO.COM re"CONSUMER RESEARCH CORP" SPAMMING > > Hi Kevin, > > Thanks for the info & sorry to bother you, I too work in support & know > how that > goes... but if you read my email you would know I have tried emailing and > calling > abuse & your net ops, etc., several times and have had no response at > best - so I > thought I'd try a few other email addresses. > > Yes I do have a 'further question,' can you open a ticket on this issue > since your > abuse will not take action or even acknowledge that this is your block - > what does > that tell me?! Maybe someone in support could investigate why you continue > to allow > huge amounts of SPAMMING activity from your IP block: 69.67.72.0/21 ??? > > Thanks. > > > --- support@xo.com wrote: >> >> Hello Steve, >> >> Thank you for your email. >> >> You will need to direct this situation to our Network Investigations >> department >> for any possible resolution or addressing of this situation. They can be >> reached >> through http://support.xo.com/abuse or abuse@xo.com. >> >> Let us know if you have any further questions. >> >> Customer Care is available 24 hours a day, 7 days a week to assist you. >> For the >> most efficient handling of your inquiries, submit a trouble ticket from >> the XO >> Gateway (go to http://admin.xo.com, select 'Care' and then 'Contact >> Customer >> Support'). You may also contact Customer Care over the phone by calling >> 888-575-6398. >> >> Best regards, >> Kevin C. >> Web Site Hosting Support Team >> XO Communications >> >> --Original Message-- >> From: steevian@yahoo.com >> Date: 05/17/05 >> To: support@xo.com >> Subject: SPAM from your block: 69.67.72.021[#2446202] >> >> This e-mail message is a reply to a Web page using the >> form2mail script. The reply was generated by a web page >> at xo.com. 
>> >> >> Subject: SPAM from your block: 69.67.72.021 >> >> >> >> ADMIN KEY:s65jfk35 >> First Name: Steve >> Last Name: Johnson >> Company Name: na >> Address 1: na >> Address 2: >> City: na >> State: WI >> Zip: 53706 >> Phone: (111)222-3333 ext: >> Fax: -- >> Email: steevian@yahoo.com >> >> >> >> Comments: >> TO SPAMCOP, cc XO: >> >> According to this, the block where SPAM is coming from "69.67.72.0/21" >> belongs to >> XO: >> >> http://www.cidr-report.org/cgi-bin/as-report?as=AS2828 >> >> I have called XO about 4 times and all I get is them totally denying this >> block >> is not theirs & one person in their Ops even laughed at the suggestion. >> >> Anyone who is interested, please help me in pressuring "XO" to try a >> little harder >> to be a responsible ISP, thanks! >> >> Here's a small sample of the intense SPAMMING from this "XO CUSTOMER:" >> >> >> --- Money to shop wrote: >> > X-Apparently-To: steevian@yahoo.com via 206.190.37.237; Tue, 17 >> > May 2005 00:37:17 -0700 >> > X-YahooFilteredBulk: 69.67.72.70 >> > Authentication-Results: mta273.mail.scd.yahoo.com >> > from=jxpzfbc.tradepointone.com; domainkeys=neutral (no sig) >> > X-Originating-IP: [69.67.72.70] >> > Return-Path: >> > Received: from 69.67.72.70 (EHLO eicmssgnq.tradepointone.com) >> > (69.67.72.70) >> > by mta273.mail.scd.yahoo.com with SMTP; Tue, 17 May 2005 00:34:59 >> > -0700 >> > From: "Money to shop" >> > To: >> > Subject: Start secret shopping today >> > Date: Tue, 17 May 2005 00:37:42 -0800 >> > MIME-Version: 1.0 >> > Content-Type: text/html; >> > Content-Length: 1478 >> > >> >> >> --- Money to shop wrote: >> > X-Apparently-To: steevian@yahoo.com via 206.190.37.30; Tue, 17 >> > May 2005 00:56:26 -0700 >> > X-YahooFilteredBulk: 69.67.72.67 >> > Authentication-Results: mta217.mail.scd.yahoo.com >> > from=dkjxsxzwkod.tradepointone.com; domainkeys=neutral (no sig) >> > X-Originating-IP: [69.67.72.67] >> > Return-Path: >> > Received: from 69.67.72.67 (EHLO hibibivv.tradepointone.com) >> >
(69.67.72.67) >> > by mta217.mail.scd.yahoo.com with SMTP; Tue, 17 May 2005 00:56:18 >> > -0700 >> > From: "Money to shop" >> > To: >> > Subject: Get a one thousand dollar gift card to shop with >> > Date: Tue, 17 May 2005 00:59:01 -0800 >> > MIME-Version: 1.0 >> > Content-Type: text/html; >> > Content-Length: 1509 >> > >> >> >> --- Mowers wrote: >> > X-Apparently-To: steevian@yahoo.com via 206.190.37.25; Mon, 16 >> > May 2005 22:16:07 -0700 >> > X-YahooFilteredBulk: 69.67.72.59 >> > Authentication-Results: mta110.mail.scd.yahoo.com >> > from=jhyrujgwvmu.freeserving.com; domainkeys=neutral (no sig) >> > X-Originating-IP: [69.67.72.59] >> > Return-Path: >> > Received: from 69.67.72.59 (EHLO dwxprco.freeserving.com) >> > (69.67.72.59) >> > by mta110.mail.scd.yahoo.com with SMTP; Mon, 16 May 2005 22:15:28 >> > -0700 >> > From: "Mowers" >> > To: >> > Subject: Get a top name lawn tractor FREE*! >> > Date: Mon, 16 May 2005 22:18:09 -0800 >> > MIME-Version: 1.0 >> > Content-Type: text/html; >> > Content-Length: 1506 >> > >> >> >> --- Consumer Feedback wrote: >> > X-Apparently-To: steevian@yahoo.com via 206.190.37.22; Mon, 16 >> > May 2005 19:36:44 -0700 >> > X-YahooFilteredBulk: 69.67.72.61 >> > Authentication-Results: mta317.mail.scd.yahoo.com >> > from=nxjjjgidssf.tradepointone.com; domainkeys=neutral (no sig) >> > X-Originating-IP: [69.67.72.61] >> > Return-Path: >> > Received: from 69.67.72.61 (EHLO nxjjjgidssf.tradepointone.com) >> > (69.67.72.61) >> > by mta317.mail.scd.yahoo.com with SMTP; Mon, 16 May 2005 19:36:06 >> > -0700 >> > From: "Consumer Feedback" >> > >> > To: >> > Subject: This amazing new Cell phone could be yours Free! 
>> > Date: Mon, 16 May 2005 19:38:46 -0800 >> > MIME-Version: 1.0 >> > Content-Type: text/html; >> > Content-Length: 1492 >> > >> >> >> --- Satellite offer wrote: >> > X-Apparently-To: steevian@yahoo.com via 206.190.37.30; Mon, 16 >> > May 2005 15:09:33 -0700 >> > X-YahooFilteredBulk: 69.67.72.21 >> > Authentication-Results: mta183.mail.dcn.yahoo.com >> > from=udyuqzm.servingones.com; domainkeys=neutral (no sig) >> > X-Originating-IP: [69.67.72.21] >> > Return-Path: >> > Received: from 69.67.72.21 (EHLO vsgwsqbrgli.servingones.com) >> > (69.67.72.21) >> > by mta183.mail.dcn.yahoo.com with SMTP; Mon, 16 May 2005 15:09:07 >> > -0700 >> > From: "Satellite offer" >> > To: >> > Subject: All you need and a lifetime subscription to Sirius >> > Satellite! >> > Date: Mon, 16 May 2005 15:11:43 -0800 >> > MIME-Version: 1.0 >> > Content-Type: text/html; >> > Content-Length: 1520 >> > >> >> >> > > > > > __________________________________ > Yahoo! Mail Mobile > Take Yahoo! Mail with you! Check email on your mobile phone. > http://mobile.yahoo.com/learn/mail > _______________________________________________ > SpamCop-Help mailing list > SpamCop-Help@news.spamcop.net > http://news.spamcop.net/mailman/listinfo/spamcop-help > From notanks at coks.net Sun May 22 10:00:38 2005 From: notanks at coks.net (Jeff G.) Date: Sun May 22 12:00:03 2005 Subject: [SC-Help] Re: Help with login In-Reply-To: References: Message-ID: On 4/9/2005 12:43 AM Larry J. scribbled: > With MSIE browser, I can get logged in to my free account. With > Firefox, I can't. I'm not sure when/why this started with Firefox, > but it worked before. > > Also, attempting to change my email address on Spamcop's preferences > page - the confirmation email never gets sent to the address I enter. > > Thanks..! > Yes, another Jeff G. lurking about... With the FF, have you recently upgraded to 1.04? If so, check your firewall s/w... if no s/w, try clearing cache, cookies, history. Running any extensions? 
From BNRAGMAOKKXT at spammotel.com Sun May 22 20:57:22 2005 From: BNRAGMAOKKXT at spammotel.com (Canopus) Date: Sun May 22 16:00:02 2005 Subject: [SC-Help] Re: No Submission Returns from SpamCop References: Message-ID: Canopus on 22/05/2005 wrote: > ...and a very strange message when I log into the reporting page, > quote: > > "Your email address, .com has returned a bounce: > Subject: Delivery Status Notification (Failure) > Reason: 5.4.7 - Delivery expired (message too old) > 421-'aamta05-winn.mailhost.ntl.com connection refused from > [64.74.133.248]' > > Well the address SpamCop is trying to send to is correct and working, > I have no problems sending to it from other of my accounts. Every > time I log on recently I've seen this message and clicked on the > "Problem Solved" button as as far as I know there should be no > problem my end. The only other thing I can think of is that my IP > NTLWorld is blocking mail from SpamCop. The "message too old" reason > seems a bit ridiculous, none of the spam submission replies should be > more than two days old even if there had been a hiccup at SpamCop. > > Anyone else having this problem? The problem seems to be continuing. I get two or three returns then none so I log in to SpamCop Reporting and see the above message again. My mail box for that account is empty, I have no problem sending myself a mail from another account to that one and it arrives almost immediately so why are SpamCop returns being bounced I ask myself...and anyone else who may have a clue? Confused and frustrated, Rob From BNRAGMAOKKXT at spammotel.com Tue May 24 13:49:42 2005 From: BNRAGMAOKKXT at spammotel.com (Canopus) Date: Tue May 24 08:50:02 2005 Subject: [SC-Help] Re: No Submission Returns from SpamCop References: Message-ID: SpamCop Admin on 23/05/2005 wrote: > aamta03-winn.mailhost.ntl.com is rejecting all mail from > 64.74.133.248. I'm getting the same bounces from ntlworld.com users > trying to reset their passwords.
> > I'm trying to contact them but I'm not hopeful. All I can suggest is > that users hammer them until they fix it. > > - Don - Trying to contact them through their web forms, the only way besides costly phone calls, is a nightmare and the only replies I get are, quote in part: "Due to the security procedures we have in place at ntl:, in compliance with the Data Protection Act, we cannot accept any change of information regarding customer's personal or account details via e-mail. "In order to maintain security we ask our customers to call us on 0800 052 2000 or 0044 1256 751 045 if calling from outside the UK and we can then proceed with the relevant changes. "Our customer service team will be more than happy to explain or resolve any billing queries or make changes to your account or package and provide details once the relevant checks have been passed...." Which as you can see is totally irrelevant to the topic. Either no one is bothering to read the feedback or they are using these rote replies to avoid answering the question. NTL users who are having this problem may like to try the forum at http://www.chetnet.co.uk/portal/ where I have heard some very helpful people with contacts inside NTL hang out. Rob From BNRAGMAOKKXT at spammotel.com Tue May 24 19:44:10 2005 From: BNRAGMAOKKXT at spammotel.com (Canopus) Date: Tue May 24 14:45:03 2005 Subject: [SC-Help] Re: No Submission Returns from SpamCop References: Message-ID: Canopus on 24/05/2005 wrote: > NTL users who are having this problem may like to try the forum at > http://www.chetnet.co.uk/portal/ > where I have heard some very helpful people with contacts inside NTL > hang out. > > Rob Well after signing up with that forum and posting a polite and factual message there I was informed that my post had been pulled due to the forum being for technical support only. 
However, the administrator who pulled my message and informed me about it did then go on to make a few inquiries, I quote his message to me under this paragraph, but, please note what he says, this is neither an official nor unofficial NTL answer, it is just one individual also trying to figure out what is going on. So, quote: "Rightly or wrongly I cannot judge, and this is categorically not an official or unofficial ntl: answer in any way. "It appears that the IP 64.74.133.248 is listed in several different "offender's lists" as being an originator of the German spam (Sober.Q) apparently ntl: are not alone as an ISP in listing that IP. "This may explain the situation." I cannot see in any way that spamcop.net is the originator of Sober.Q, it looks as if a major Joe Job has been pulled on spamcop.net. Rob From MikeE at ster.invalid Tue May 24 13:25:47 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue May 24 15:30:03 2005 Subject: [SC-Help] Re: No Submission Returns from SpamCop References: Message-ID: Canopus wrote: > "It appears that the IP 64.74.133.248 is listed in several different > "offender's lists" as being an originator of the German spam > (Sober.Q) apparently ntl: are not alone as an ISP in listing that IP. That is a meaningless statement without naming any such 'offender list'. A thorough lookup of all of the lists in which 64.74.133.248 appears shows only blars, fiveten, an internap blackholes.us, and a country list for .us I saw a Dutch reference to a list I'd never heard of, but the page/site was dead, so I don't know what that was about. Newsgroups: nl.internet.misbruik From: Bas Janssen Subject: Re: [ANN] dns blocklist voor spammende sober.p hosts Message-ID: Date: 17 May 2005 11:08:53 GMT -- Mike Easter kibitzer, not SC admin From notanks at coks.net Tue May 24 21:32:13 2005 From: notanks at coks.net (Jeff G.)
Date: Tue May 24 23:35:03 2005 Subject: [SC-Help] RE:SPAM from your block: 69.67.72.021 [#2446202] -- XO.COM re"CONSUMER RESEARCH CORP" SPAMMING In-Reply-To: References: <20050517101503.17842.qmail@web51303.mail.yahoo.com> Message-ID: On 5/18/2005 7:13 AM JOE AHEARN scribbled: > Joe Ahearn -- > Are you talking about the Viagra spam emails? I am getting 15 or 20 every > day. Blocking them doesn't stop them. My daughter in Texas is getting them > too. Joe > ----- Original Message ----- > From: "Steve Johnson" > To: "Joe Ahearn" > Cc: ; > Sent: Tuesday, May 17, 2005 6:15 AM > Subject: [SC-Help] RE:SPAM from your block: 69.67.72.021 [#2446202] -- > XO.COM re"CONSUMER RESEARCH CORP" SPAMMING > > > >>Hi Kevin, >> >>Thanks for the info & sorry to bother you, I too work in support & know >>how that >>goes... but if you read my email you would know I have tried emailing and >>calling >>abuse & your net ops, etc., several times and have had no response at >>best - so I >>thought I'd try a few other email addresses. >> >>Yes I do have a 'further question,' can you open a ticket on this issue >>since your >>abuse will not take action or even acknowledge that this is your block - >>what does >>that tell me?! Maybe someone in support could investigate why you continue >>to allow >>huge amounts of SPAMMING activity from your IP block: 69.67.72.0/21 ??? >> >>Thanks. >> >> >>--- support@xo.com wrote: >> >>>Hello Steve, >>> >>>Thank you for your email. >>> >>>You will need to direct this situation to our Network Investigations >>>department >>>for any possible resolution or addressing of this situation. They can be >>>reached >>>through http://support.xo.com/abuse or abuse@xo.com. >>> >>>Let us know if you have any further questions. >>> >>>Customer Care is available 24 hours a day, 7 days a week to assist you. 
>>>For the >>>most efficient handling of your inquiries, submit a trouble ticket from >>>the XO >>>Gateway (go to http://admin.xo.com, select 'Care' and then 'Contact >>>Customer >>>Support'). You may also contact Customer Care over the phone by calling >>>888-575-6398. >>> >>>Best regards, >>>Kevin C. >>>Web Site Hosting Support Team >>>XO Communications >>> >>>--Original Message-- >>>From: steevian@yahoo.com >>>Date: 05/17/05 >>>To: support@xo.com >>>Subject: SPAM from your block: 69.67.72.021[#2446202] >>> >>>This e-mail message is a reply to a Web page using the >>>form2mail script. The reply was generated by a web page >>>at xo.com. >>> >>> >>>Subject: SPAM from your block: 69.67.72.021 >>> >>> >>> >>>ADMIN KEY:s65jfk35 >>>First Name: Steve >>>Last Name: Johnson >>>Company Name: na >>>Address 1: na >>>Address 2: >>>City: na >>>State: WI >>>Zip: 53706 >>>Phone: (111)222-3333 ext: >>>Fax: -- >>>Email: steevian@yahoo.com >>> >>> >>> >>>Comments: >>>TO SPAMCOP, cc XO: >>> >>>According to this, the block where SPAM is coming from "69.67.72.0/21" >>>belongs to >>>XO: >>> >>>http://www.cidr-report.org/cgi-bin/as-report?as=AS2828 >>> >>>I have called XO about 4 times and all I get is them totally denying this >>>block >>>is not theirs & one person in their Ops even laughed at the suggestion. >>> >>>Anyone who is interested, please help me in pressuring "XO" to try a >>>little harder >>>to be a responsible ISP, thanks!
>>> >>>Here's a small sample of the intense SPAMMING from this "XO CUSTOMER:" >>> >>> >>>--- Money to shop wrote: >>> >>>>X-Apparently-To: steevian@yahoo.com via 206.190.37.237; Tue, 17 >>>>May 2005 00:37:17 -0700 >>>>X-YahooFilteredBulk: 69.67.72.70 >>>>Authentication-Results: mta273.mail.scd.yahoo.com >>>> from=jxpzfbc.tradepointone.com; domainkeys=neutral (no sig) >>>>X-Originating-IP: [69.67.72.70] >>>>Return-Path: >>>>Received: from 69.67.72.70 (EHLO eicmssgnq.tradepointone.com) >>>>(69.67.72.70) >>>> by mta273.mail.scd.yahoo.com with SMTP; Tue, 17 May 2005 00:34:59 >>>>-0700 >>>>From: "Money to shop" >>>>To: >>>>Subject: Start secret shopping today >>>>Date: Tue, 17 May 2005 00:37:42 -0800 >>>>MIME-Version: 1.0 >>>>Content-Type: text/html; >>>>Content-Length: 1478 >>>> >>> >>> >>>--- Money to shop wrote: >>> >>>>X-Apparently-To: steevian@yahoo.com via 206.190.37.30; Tue, 17 >>>>May 2005 00:56:26 -0700 >>>>X-YahooFilteredBulk: 69.67.72.67 >>>>Authentication-Results: mta217.mail.scd.yahoo.com >>>> from=dkjxsxzwkod.tradepointone.com; domainkeys=neutral (no sig) >>>>X-Originating-IP: [69.67.72.67] >>>>Return-Path: >>>>Received: from 69.67.72.67 (EHLO hibibivv.tradepointone.com) >>>>(69.67.72.67) >>>> by mta217.mail.scd.yahoo.com with SMTP; Tue, 17 May 2005 00:56:18 >>>>-0700 >>>>From: "Money to shop" >>>>To: >>>>Subject: Get a one thousand dollar gift card to shop with >>>>Date: Tue, 17 May 2005 00:59:01 -0800 >>>>MIME-Version: 1.0 >>>>Content-Type: text/html; >>>>Content-Length: 1509 >>>> >>> >>> >>>--- Mowers wrote: >>> >>>>X-Apparently-To: steevian@yahoo.com via 206.190.37.25; Mon, 16 >>>>May 2005 22:16:07 -0700 >>>>X-YahooFilteredBulk: 69.67.72.59 >>>>Authentication-Results: mta110.mail.scd.yahoo.com >>>> from=jhyrujgwvmu.freeserving.com; domainkeys=neutral (no sig) >>>>X-Originating-IP: [69.67.72.59] >>>>Return-Path: >>>>Received: from 69.67.72.59 (EHLO dwxprco.freeserving.com) >>>>(69.67.72.59) >>>> by mta110.mail.scd.yahoo.com with SMTP; Mon, 16 May 2005 
22:15:28 >>>>-0700 >>>>From: "Mowers" >>>>To: >>>>Subject: Get a top name lawn tractor FREE*! >>>>Date: Mon, 16 May 2005 22:18:09 -0800 >>>>MIME-Version: 1.0 >>>>Content-Type: text/html; >>>>Content-Length: 1506 >>>> >>> >>> >>>--- Consumer Feedback wrote: >>> >>>>X-Apparently-To: steevian@yahoo.com via 206.190.37.22; Mon, 16 >>>>May 2005 19:36:44 -0700 >>>>X-YahooFilteredBulk: 69.67.72.61 >>>>Authentication-Results: mta317.mail.scd.yahoo.com >>>> from=nxjjjgidssf.tradepointone.com; domainkeys=neutral (no sig) >>>>X-Originating-IP: [69.67.72.61] >>>>Return-Path: >>>>Received: from 69.67.72.61 (EHLO nxjjjgidssf.tradepointone.com) >>>>(69.67.72.61) >>>> by mta317.mail.scd.yahoo.com with SMTP; Mon, 16 May 2005 19:36:06 >>>>-0700 >>>>From: "Consumer Feedback" >>>> >>>>To: >>>>Subject: This amazing new Cell phone could be yours Free! >>>>Date: Mon, 16 May 2005 19:38:46 -0800 >>>>MIME-Version: 1.0 >>>>Content-Type: text/html; >>>>Content-Length: 1492 >>>> >>> >>> >>>--- Satellite offer wrote: >>> >>>>X-Apparently-To: steevian@yahoo.com via 206.190.37.30; Mon, 16 >>>>May 2005 15:09:33 -0700 >>>>X-YahooFilteredBulk: 69.67.72.21 >>>>Authentication-Results: mta183.mail.dcn.yahoo.com >>>> from=udyuqzm.servingones.com; domainkeys=neutral (no sig) >>>>X-Originating-IP: [69.67.72.21] >>>>Return-Path: >>>>Received: from 69.67.72.21 (EHLO vsgwsqbrgli.servingones.com) >>>>(69.67.72.21) >>>> by mta183.mail.dcn.yahoo.com with SMTP; Mon, 16 May 2005 15:09:07 >>>>-0700 >>>>From: "Satellite offer" >>>>To: >>>>Subject: All you need and a lifetime subscription to Sirius >>>>Satellite! >>>>Date: Mon, 16 May 2005 15:11:43 -0800 >>>>MIME-Version: 1.0 >>>>Content-Type: text/html; >>>>Content-Length: 1520 >>>> >>> >>> >>> >> >> >> >>__________________________________ >>Yahoo! Mail Mobile >>Take Yahoo! Mail with you! Check email on your mobile phone. 
>>http://mobile.yahoo.com/learn/mail >>_______________________________________________ >>SpamCop-Help mailing list >>SpamCop-Help@news.spamcop.net >>http://news.spamcop.net/mailman/listinfo/spamcop-help >> > > > I'm sorry, new here and all, but can't help but notice that XO.com does not come up on either of 3 programs I use, so what is the problem with XO here - 69.67.72.70 is popping up as Pacbell, after 4 or 5 XO relays - true? I'll put my helmet on and duck here... From nobody at devnull.spamcop.net Wed May 25 00:32:18 2005 From: nobody at devnull.spamcop.net (Cat) Date: Wed May 25 00:35:04 2005 Subject: [SC-Help] RE:SPAM from your block: 69.67.72.021 [#2446202] -- XO.COM re"CONSUMER RESEARCH CORP" SPAMMING In-Reply-To: References: <20050517101503.17842.qmail@web51303.mail.yahoo.com> Message-ID: Jeff G. wrote: > I'm sorry, new here and all, but can't help but notice that XO.com does > not come up on either of 3 programs I use, so what is the problem with > XO here - > 69.67.72.70 is popping up as Pacbell, after 4 or 5 XO relays - true? > I'll put my helmet on and duck here... How are you coming upwith Pacbell? I can't find any possible way that Pacbell is linked to it except that the spammer's address through whois is whoa007@pacbell.net. Everything else that I've tried with traceroute comes up with XO IP 206.173.204.234 (an XO IP) as the next hop up in the chain above all of the 69.67.72.xx IPs. From notanks at coks.net Tue May 24 23:29:24 2005 From: notanks at coks.net (Jeff G.) Date: Wed May 25 01:30:02 2005 Subject: OT Re: [SC-Help] RE:SPAM from your block: 69.67.72.021 [#2446202] -- XO.COM re"CONSUMER RESEARCH CORP" SPAMMING In-Reply-To: References: <20050517101503.17842.qmail@web51303.mail.yahoo.com> Message-ID: On 5/24/2005 9:32 PM Cat scribbled: > Jeff G. 
wrote: > > > >>I'm sorry, new here and all, but can't help but notice that XO.com does >>not come up on either of 3 programs I use, so what is the problem with >>XO here - >> 69.67.72.70 is popping up as Pacbell, after 4 or 5 XO relays - true? >>I'll put my helmet on and duck here... > > > How are you coming upwith Pacbell? I can't find any possible way that > Pacbell is linked to it except that the spammer's address through whois > is whoa007@pacbell.net. Everything else that I've tried with traceroute > comes up with XO IP 206.173.204.234 (an XO IP) as the next hop up in the > chain above all of the 69.67.72.xx IPs. Hop IP Address Host Name Sent Recv RTT Av RTT Min RTT Max RTT % Loss 1 10.81.48.1 [Unknown] 1 1 34 ms 34 ms 34 ms 34 ms 0.000% 2 68.4.8.225 [Unknown] 1 1 34 ms 34 ms 34 ms 34 ms 0.000% 3 68.4.15.225 [Unknown] 1 1 35 ms 35 ms 35 ms 35 ms 0.000% 4 68.4.14.222 ip68-4-14-222.oc.oc.cox.net 1 1 35 ms 35 ms 35 ms 35 ms 0.000% 5 68.4.14.253 rsmtdsrj01-ge704.rd.oc.cox.net 1 1 35 ms 35 ms 35 ms 35 ms 0.000% 6 65.59.168.1 so-4-0.hsa2.Tustin1.Level3.net 1 1 39 ms 39 ms 39 ms 39 ms 0.000% 7 4.68.114.21 [Unknown] 1 1 44 ms 44 ms 44 ms 44 ms 0.000% 8 209.247.8.113 as-0-0.bbr2.LosAngeles1.Level3.net 1 1 51 ms 51 ms 51 ms 51 ms 0.000% 9 4.68.96.82 so-0-0-0.gar2.LosAngeles1.Level3.net 1 1 56 ms 56 ms 56 ms 56 ms 0.000% 10 209.0.227.34 xo-level3-oc12.LosAngeles1.Level3.net 1 1 57 ms 57 ms 57 ms 57 ms 0.000% 11 65.106.5.45 p4-0-0.RAR1.LA-CA.us.xo.net 1 1 57 ms 57 ms 57 ms 57 ms 0.000% 12 65.106.0.18 p6-0-0.RAR2.SanJose-CA.us.xo.net 1 1 67 ms 67 ms 67 ms 67 ms 0.000% 13 65.106.5.162 65.106.5.162.ptr.us.xo.net 1 1 65 ms 65 ms 65 ms 65 ms 0.000% 14 207.88.80.30 ge13-0.CLR2.Fremont-CA.us.xo.net 1 1 65 ms 65 ms 65 ms 65 ms 0.000% 15 206.173.204.234 206.173.204.234.ptr.us.xo.net 1 1 72 ms 72 ms 72 ms 72 ms 0.000% 16 69.67.72.70 [Unknown] 1 1 73 ms 73 ms 73 ms 73 ms 0.000% what does this say about XO? I'll owe you a solid... 
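
The check Cat describes, reading the hop just before 69.67.72.70, written out as an added Python example (not code from any poster or from SpamCop). It uses the hop list and the source IPs quoted in this thread; the function names and the two-label domain rule are assumptions of the example.

```python
import ipaddress
import re

# Hop number, IP and reverse-DNS name copied from the traceroute posted in
# this thread (the Sent/Recv/RTT columns are dropped).
TRACEROUTE = """\
 1 10.81.48.1 [Unknown]
 2 68.4.8.225 [Unknown]
 3 68.4.15.225 [Unknown]
 4 68.4.14.222 ip68-4-14-222.oc.oc.cox.net
 5 68.4.14.253 rsmtdsrj01-ge704.rd.oc.cox.net
 6 65.59.168.1 so-4-0.hsa2.Tustin1.Level3.net
 7 4.68.114.21 [Unknown]
 8 209.247.8.113 as-0-0.bbr2.LosAngeles1.Level3.net
 9 4.68.96.82 so-0-0-0.gar2.LosAngeles1.Level3.net
10 209.0.227.34 xo-level3-oc12.LosAngeles1.Level3.net
11 65.106.5.45 p4-0-0.RAR1.LA-CA.us.xo.net
12 65.106.0.18 p6-0-0.RAR2.SanJose-CA.us.xo.net
13 65.106.5.162 65.106.5.162.ptr.us.xo.net
14 207.88.80.30 ge13-0.CLR2.Fremont-CA.us.xo.net
15 206.173.204.234 206.173.204.234.ptr.us.xo.net
16 69.67.72.70 [Unknown]
"""

# Block named in the complaint and the X-Originating-IP values quoted with it.
REPORTED_BLOCK = "69.67.72.0/21"
SPAM_SOURCES = ["69.67.72.70", "69.67.72.67", "69.67.72.59",
                "69.67.72.61", "69.67.72.21"]

ROW = re.compile(r"^\s*(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s*$")


def parse_hops(text):
    """Return [(hop_number, ip_address, hostname_or_None), ...]."""
    hops = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        host = None if m.group(3) == "[Unknown]" else m.group(3).lower()
        hops.append((int(m.group(1)), ipaddress.ip_address(m.group(2)), host))
    return hops


def org_domain(host):
    """Last two DNS labels. Assumption of this example: good enough for the
    names above, wrong for multi-label suffixes such as co.uk."""
    return ".".join(host.split(".")[-2:])


def providers_on_path(hops):
    """Distinct provider domains in the order the path crosses them."""
    path = []
    for _, _, host in hops:
        if host and (not path or path[-1] != org_domain(host)):
            path.append(org_domain(host))
    return path


def upstream_of(hops, target):
    """Nearest named, publicly routed hop before the target on this path.
    A traceroute shows one forward path from one vantage point only."""
    target = ipaddress.ip_address(target)
    idx = next((i for i, h in enumerate(hops) if h[1] == target), None)
    if idx is None:
        raise ValueError("target is not on the traced path")
    for _, ip, host in reversed(hops[:idx]):
        if host and not ip.is_private:
            return str(ip), org_domain(host)
    return None


def outside_block(sources, cidr):
    """Source IPs that do NOT fall inside the reported CIDR block."""
    net = ipaddress.ip_network(cidr)
    return [s for s in sources if ipaddress.ip_address(s) not in net]


if __name__ == "__main__":
    hops = parse_hops(TRACEROUTE)
    print("path:", " -> ".join(providers_on_path(hops)))
    print("upstream of 69.67.72.70:", upstream_of(hops, "69.67.72.70"))
    print("sources outside", REPORTED_BLOCK, ":",
          outside_block(SPAM_SOURCES, REPORTED_BLOCK))
```

The missing reverse DNS on the target itself is why the upstream has to be read from the preceding hop rather than from the target's own name.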

From jeffg at spamcop.net Wed May 25 10:14:44 2005
From: jeffg at spamcop.net (Jeff G.)
Date: Wed May 25 09:20:03 2005
Subject: OT Re: [SC-Help] RE:SPAM from your block: 69.67.72.021 [#2446202] -- XO.COM re"CONSUMER RESEARCH CORP" SPAMMING
References: <20050517101503.17842.qmail@web51303.mail.yahoo.com>
Message-ID:

Jeff G. at coks.net wrote:

> On 5/24/2005 9:32 PM Cat scribbled:
>
>> Jeff G. [at coks.net] wrote:
>>
>>> I'm sorry, new here and all, but can't help but notice that XO.com
>>> does not come up on either of 3 programs I use, so what is the
>>> problem with XO here -
>>> 69.67.72.70 is popping up as Pacbell, after 4 or 5 XO relays - true?
>>> I'll put my helmet on and duck here...
>>
>> How are you coming up with Pacbell? I can't find any possible way that
>> Pacbell is linked to it except that the spammer's address through
>> whois is whoa007@pacbell.net. Everything else that I've tried with
>> traceroute comes up with XO IP 206.173.204.234 (an XO IP) as the
>> next hop up in the chain above all of the 69.67.72.xx IPs.
>
> Hop  IP Address       Host Name                              Sent  Recv  RTT    Av RTT  Min RTT  Max RTT  % Loss
> 1    10.81.48.1       [Unknown]                              1     1     34 ms  34 ms   34 ms    34 ms    0.000%
> 2    68.4.8.225       [Unknown]                              1     1     34 ms  34 ms   34 ms    34 ms    0.000%
> 3    68.4.15.225      [Unknown]                              1     1     35 ms  35 ms   35 ms    35 ms    0.000%
> 4    68.4.14.222      ip68-4-14-222.oc.oc.cox.net            1     1     35 ms  35 ms   35 ms    35 ms    0.000%
> 5    68.4.14.253      rsmtdsrj01-ge704.rd.oc.cox.net         1     1     35 ms  35 ms   35 ms    35 ms    0.000%
> 6    65.59.168.1      so-4-0.hsa2.Tustin1.Level3.net         1     1     39 ms  39 ms   39 ms    39 ms    0.000%
> 7    4.68.114.21      [Unknown]                              1     1     44 ms  44 ms   44 ms    44 ms    0.000%
> 8    209.247.8.113    as-0-0.bbr2.LosAngeles1.Level3.net     1     1     51 ms  51 ms   51 ms    51 ms    0.000%
> 9    4.68.96.82       so-0-0-0.gar2.LosAngeles1.Level3.net   1     1     56 ms  56 ms   56 ms    56 ms    0.000%
> 10   209.0.227.34     xo-level3-oc12.LosAngeles1.Level3.net  1     1     57 ms  57 ms   57 ms    57 ms    0.000%
> 11   65.106.5.45      p4-0-0.RAR1.LA-CA.us.xo.net            1     1     57 ms  57 ms   57 ms    57 ms    0.000%
> 12   65.106.0.18      p6-0-0.RAR2.SanJose-CA.us.xo.net       1     1     67 ms  67 ms   67 ms    67 ms    0.000%
> 13   65.106.5.162     65.106.5.162.ptr.us.xo.net             1     1     65 ms  65 ms   65 ms    65 ms    0.000%
> 14   207.88.80.30     ge13-0.CLR2.Fremont-CA.us.xo.net       1     1     65 ms  65 ms   65 ms    65 ms    0.000%
> 15   206.173.204.234  206.173.204.234.ptr.us.xo.net          1     1     72 ms  72 ms   72 ms    72 ms    0.000%
> 16   69.67.72.70      [Unknown]                              1     1     73 ms  73 ms   73 ms    73 ms    0.000%
>
> what does this say about XO?
> I'll owe you a solid...

I certainly hope that the OP has been contacting abuse@pacbell.net,
postmaster@oasisvn.com, and abuse@oasisvn.com about the abuse (including
spam and lack of RDNS) from 69.67.64.0/20 per the following.

05/25/05 08:44:22 IP block 69.67.72.70@whois.ripe.net
Trying 69.67.72.70 at ARIN
Trying 69.67.72 at ARIN
Whoa USA Inc WHOA-USA-INC (NET-69-67-64-0-1) 69.67.64.0 - 69.67.79.255
Roger Graves DATAMONITOR-BUSSINESS-INFORMATION (NET-69-67-72-0-1) 69.67.72.0 - 69.67.72.255

# ARIN WHOIS database, last updated 2005-05-24 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

05/25/05 08:44:33 whois !NET-69-67-72-0-1@whois.arin.net
whois -h whois.arin.net !net-69-67-72-0-1 ...
CustName:   Roger Graves
Address:    301 W. Capital Exp.
City:       San Jose
StateProv:  CA
PostalCode: 95136
Country:    US
RegDate:    2003-08-13
Updated:    2003-08-13

NetRange:   69.67.72.0 - 69.67.72.255
CIDR:       69.67.72.0/24
NetName:    DATAMONITOR-BUSSINESS-INFORMATION
NetHandle:  NET-69-67-72-0-1
Parent:     NET-69-67-64-0-1
NetType:    Reassigned
Comment:
RegDate:    2003-08-13
Updated:    2003-08-13

OrgTechHandle: NOC1264-ARIN
OrgTechName:   Network Operations Center
OrgTechPhone:  +1-408-268-4526
OrgTechEmail:  whoa007@pacbell.net

# ARIN WHOIS database, last updated 2005-05-24 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

05/25/05 08:44:46 whois !NET-69-67-64-0-1@whois.arin.net
whois -h whois.arin.net !net-69-67-64-0-1 ...
OrgName:    Whoa USA Inc
OrgID:      WHOAU
Address:    P.O Box 20482
Address:    NOC
City:       San Jose
StateProv:  CA
PostalCode: 95160
Country:    US

NetRange:   69.67.64.0 - 69.67.79.255
CIDR:       69.67.64.0/20
NetName:    WHOA-USA-INC
NetHandle:  NET-69-67-64-0-1
Parent:     NET-69-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.OASISVN.COM
NameServer: NS2.OASISVN.COM
Comment:
RegDate:    2003-08-07
Updated:    2003-08-07

OrgTechHandle: NOC1264-ARIN
OrgTechName:   Network Operations Center
OrgTechPhone:  +1-408-268-4526
OrgTechEmail:  whoa007@pacbell.net

# ARIN WHOIS database, last updated 2005-05-24 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

05/25/05 09:02:26 Abuse address lookup for pacbell.net
whois -h whois.abuse.net pacbell.net ...
abuse@pacbell.net (for pacbell.net)

05/25/05 09:02:11 Abuse address lookup for NS1.OASISVN.COM
whois -h whois.abuse.net ns1.oasisvn.com ...
postmaster@ns1.oasisvn.com (default, no info)
postmaster@oasisvn.com (default, no info)

No abuse address is registered with abuse.net
Complaints should go to abuse@(the domain) with copies to
postmaster@(the domain)
(Including a suggestion that they register with abuse.net,
by emailing update@abuse.net might be a good idea too)

--
Best Regards,
[the original] Jeff G.
I have been a SpamCop User/Member/Customer since 1999 and am a
Moderator of the new web-based forums (now the primary method for
getting help, http://forum.spamcop.net).
Please reply via Forum, Group, or List only.

From nobody at devnull.spamcop.net Wed May 25 18:29:33 2005
From: nobody at devnull.spamcop.net (Cat)
Date: Wed May 25 18:30:02 2005
Subject: OT Re: [SC-Help] RE:SPAM from your block: 69.67.72.021 [#2446202] -- XO.COM re"CONSUMER RESEARCH CORP" SPAMMING
In-Reply-To:
References: <20050517101503.17842.qmail@web51303.mail.yahoo.com>
Message-ID:

Jeff G. wrote:

> 14   207.88.80.30     ge13-0.CLR2.Fremont-CA.us.xo.net       1     1     65 ms  65 ms   65 ms    65 ms    0.000%
> 15   206.173.204.234  206.173.204.234.ptr.us.xo.net          1     1     72 ms  72 ms   72 ms    72 ms    0.000%
> 16   69.67.72.70      [Unknown]                              1     1     73 ms  73 ms   73 ms    73 ms    0.000%
>
> what does this say about XO?
> I'll owe you a solid...

Are you saying that you don't see that XO is the next hop up from the
spammer's netblock? It's plainly obvious in the traceroute that you
posted that XO is the upstream. I'm also getting the same results with
XO as upstream.

From NoSpam at NoSpam.com Wed May 25 20:39:15 2005
From: NoSpam at NoSpam.com (Tom Ruehle)
Date: Wed May 25 21:40:03 2005
Subject: [SC-Help] oc3@devnull.spamcop.net
Message-ID:

I have been getting what I think is spam. Spam cop directs the reports
to 'oc3@devnull.spamcop.net'. Is this because oc3 is a known spammer or
because oc3 is legit?

From MikeE at ster.invalid Wed May 25 19:53:50 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Wed May 25 21:55:04 2005
Subject: [SC-Help] Re: oc3@devnull.spamcop.net
References:
Message-ID:

Tom Ruehle wrote:
> I have been getting what I think is spam. Spam cop directs the
> reports to 'oc3@devnull.spamcop.net'. Is this because oc3 is a known
> spammer or because oc3 is legit?

Known unresponsive provider, spewed and spamhaused.

Lotta stuff in the thread over in spamcop.

Newsgroups: spamcop
Subject: Where's oc3@devnull?
Date: Sun, 22 May 2005 04:24:34 -0000

--
Mike Easter
kibitzer, not SC admin

From nobody at spamcop.net Thu May 26 00:36:15 2005
From: nobody at spamcop.net (Mike Nuss)
Date: Wed May 25 23:40:02 2005
Subject: [SC-Help] got sigalarm, taking too long to process, aborted.
Message-ID:

When I try to parse this spam, it dies saying "got sigalarm, taking too
long to process, aborted. Perhaps you can wait a few minutes and
reload?" I've tried reloading a few times and it happens every time.

http://www.spamcop.net/sc?id=z767382389z893a7c2da918417b72328b2c45d05f2bz

From MikeE at ster.invalid Thu May 26 03:38:21 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Thu May 26 05:40:03 2005
Subject: [SC-Help] Re: got sigalarm, taking too long to process, aborted.
References:
Message-ID:

Mike Nuss wrote:
> When I try to parse this spam, it dies saying "got sigalarm, taking
> too long to process, aborted. Perhaps you can wait a few minutes and
> reload?" I've tried reloading a few times and it happens every time.

> www.spamcop.net/sc?id=z767382389z893a7c2da918417b72328b2c45d05f2bz

Maybe we should make 3 different threads out of this because the tracker
is making 3 completely different kinds of mistakes.

This is a mailhosts parse, it is also too old, 37 hours.

Abbreviated Received lines *comment

from clifford.webservepro.com ([66.205.65.100]) by mail2.ammasso.com
*serves you?
from c-24-21-53-70.hsd1.or.comcast.net (c-24-21-53-70.hsd1.or.comcast.net [24.21.53.70]) by clifford.webservepro.com
*sourceline
from 248.160.90.32 by 24.21.53.70
*bogusline

SC misparses the headers and wants to name webservepro before it bails
on the sigalarm, so it names nothing.

When parsing the same spam for me not mailhosted, it correctly sources
the proxified comcast, but bails on the body and names nothing.

It seems to me that the parser is handling the body problem badly. Where
'the body problem' is what causes the sigalarm. In addition, it parses
the headers wrong before it gets down to the body and bails. At least
the 'bailing' keeps it from wanting to make a bad report on the source
on your tracker.

The problem is that the spambody consists of 6 similar URLs, all of
which SC finds and then spends an inordinate amount of time trying to
resolve each one, fails on all of them, and then aborts with the
sigalarm on the last one..

http://customersupport.thewatchconnection4u.com/
http://helpdesk.thewatchconnection4u.com/
http://support.thewatchconnection4u.com/
http://shipping.thewatchconnection4u.com/
http://customerservice.thewatchconnection4u.com/
http://processing.thewatchconnection4u.com/

Those all resolve properly for me to 219.254.32.69 no rDNS.
abuse@hanaro.com which is spamhaused with a ton of websites, so nothing
much would be lost by just 'showing' them and not trying to resolve
them..

If I manufacture a spam with only one of those, SC offers to report
properly, even tho' it is 37 hours old

http://www.spamcop.net/sc?id=z767863052z9d2cacecf09672891660f642b5505938z

Tracking link: http://shipping.thewatchconnection4u.com/
No recent reports, no history available
Cannot resolve http://shipping.thewatchconnection4u.com/
Report Spam to:
Re: 24.21.53.70 (Administrator of network where email originates)
To: abuse@comcast.net (Notes)

So, now we're up to 3 different SC problems for one spam. In your
mailhosted one, it parses the item's headers wrong, unless webservepro
doesn't serve you, in which case it parses mine wrong for trusting
webservepro to be a server. It offers to report a 37 hour old spam for
my manufactured one. And in some ways the worst part because of the
waste of resources is the gagging and bailing on the flakey nameserved
body urls. It should 'quit' working on the body issues before it spends
too much time there and has to bail.

This is another example of how I think the parser should be changed
about how it handles body parses. This could all be done very smoothly
by simply finding all of the url/s and providing a devnull address for
them.

I have a feeling that this parser sigalarm is being caused by the
parser trying too hard to resolve too many urls for which it is blocked
or the domainname has flakey nameservice, which it does:

Looking up at ns1.magellan25.com.... Reports 1 A record(s). 719ms.
Looking up at ns1.samantha10.com.... Timed out.
Looking up at ns2.magellan25.com.... Reports 1 A record(s). 706ms.
Looking up at ns2.samantha10.com.... Timed out.
Average of all 4 nameservers: 956ms (plus 2159ms overhead).
Score: F

It has 4 nameservers, 2 of them timeout and the other 2 are pokey.

--
Mike Easter
kibitzer, not SC admin

From nobody at spamcop.net Thu May 26 10:06:46 2005
From: nobody at spamcop.net (Ellen)
Date: Thu May 26 12:00:03 2005
Subject: [SC-Help] Re: got sigalarm, taking too long to process, aborted.
References:
Message-ID:

"Mike Nuss" wrote in message news:d73g7f$413$1@news.spamcop.net...
> When I try to parse this spam, it dies saying "got sigalarm, taking too
> long to process, aborted. Perhaps you can wait a few minutes and
> reload?" I've tried reloading a few times and it happens every time.
>
> http://www.spamcop.net/sc?id=z767382389z893a7c2da918417b72328b2c45d05f2bz

The first question to ask is whether you have all your mailhosts defined
or not as you are the only person reporting the IP:
clifford.webservepro.com ([66.205.65.100])

Ellen

From MikeE at ster.invalid Thu May 26 10:15:09 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Thu May 26 12:20:02 2005
Subject: [SC-Help] Re: got sigalarm, taking too long to process, aborted.
References:
Message-ID:

Ellen wrote:
> The first question to ask is whether you have all your mailhosts
> defined or not as you are the only person reporting the IP:
> clifford.webservepro.com ([66.205.65.100])

Of course I don't know anything about Mike's mailhost situation, but I
'assumed' a relationship between his/the ammasso mailbox and the
webservepro mtx from this:

ammasso.com
Primary NS: ns1.webservepro.com
MXes mx6.webservepro.com mail.ammasso.com

> from clifford.webservepro.com ([66.205.65.100]) by mail2.ammasso.com

--
Mike Easter
kibitzer, not SC admin

From nobody at spamcop.net Thu May 26 14:19:24 2005
From: nobody at spamcop.net (Mike Nuss)
Date: Thu May 26 13:20:04 2005
Subject: [SC-Help] Re: got sigalarm, taking too long to process, aborted.
In-Reply-To:
References:
Message-ID:

Mike Easter wrote:
> Ellen wrote:
>
>>The first question to ask is whether you have all your mailhosts
>>defined or not as you are the only person reporting the IP:
>>clifford.webservepro.com ([66.205.65.100])
>
> Of course I don't know anything about Mike's mailhost situation, but I
> 'assumed' a relationship between his/the ammasso mailbox and the
> webservepro mtx from this:
>
> ammasso.com
> Primary NS: ns1.webservepro.com
> MXes mx6.webservepro.com mail.ammasso.com
>
>>from clifford.webservepro.com ([66.205.65.100]) by mail2.ammasso.com

Yes, webservepro is our secondary mx. I didn't realize it hadn't gotten
added. I have added it to my mailhosts now.

Mike

From nothing at valid.com Mon May 30 11:51:22 2005
From: nothing at valid.com (Frede Hansen)
Date: Mon May 30 06:55:03 2005
Subject: [SC-Help] HTML spam, Spamcop says: No links found
Message-ID:

I am getting a lot of HTML based spam, where Spamcop fails,
since there is no way to attach the HTML in the report.
Then of course I try simply to paste the links that the HTML is hiding,
but then: No links found, I am just told.
And now when I look through the reports I have made, Spamcop has filed no
reports about these damn porn HTML based mails I get a lot of each week.

How come that this report system can't see the links I add manually?

--
Frede Hansen
Sic gorgiamus allos subjectatos nunc

From scamper at trisk.com Mon May 30 06:06:53 2005
From: scamper at trisk.com (Garen Erdoisa)
Date: Mon May 30 07:10:03 2005
Subject: [SC-Help] Re: HTML spam, Spamcop says: No links found
In-Reply-To:
References:
Message-ID:

Frede Hansen wrote:
> I am getting a lot of HTML based spam, where Spamcop fails,
> since there is no way to attach the HTML in the report.
> Then of course I try simply to paste the links that the HTML is hiding,
> but then: No links found, I am just told.
> And now when I look through the reports I have made, Spamcop has filed no
> reports about these damn porn HTML based mails I get a lot of each week.
>
> How come that this report system can't see the links I add manually?

See spamcop's faq on how to get various email clients to reveal the
hidden links.

http://www.spamcop.net/fom-serve/cache/19.html

Basically, spamcop needs the email in its "raw" form. If you paste in a
decoded email, quite often you will miss those hidden hypertext links.

Garen

From nothing at valid.com Mon May 30 16:23:42 2005
From: nothing at valid.com (Frede Hansen)
Date: Mon May 30 11:25:03 2005
Subject: [SC-Help] Re: HTML spam, Spamcop says: No links found
References:
Message-ID:

Garen Erdoisa wrote in news:d7es57$dao$1
@news.spamcop.net:

> Frede Hansen wrote:
>> I am getting a lot of HTML based spam, where Spamcop fails,
>> since there is no way to attach the HTML in the report.
>> Then of course I try simply to paste the links that the HTML is hiding,
>> but then: No links found, I am just told.
>> And now when I look through the reports I have made, Spamcop has filed no
>> reports about these damn porn HTML based mails I get a lot of each week.
>>
>> How come that this report system can't see the links I add manually?
>
> See spamcop's faq on how to get various email clients to reveal the
> hidden links.
>
> http://www.spamcop.net/fom-serve/cache/19.html
>
> Basically, spamcop needs the email in its "raw" form. If you paste in a
> decoded email, quite often you will miss those hidden hypertext links.
>
> Garen
>

Apparently you did not understand what I was writing.
I HAVE decoded the link.
This is the link hiding in the HTML in each mail:
http://lewallenbn.com/eaf82f274095b6f896cd4892d/AhECYl9RUFRfIhg6HkkEGwQHHDA
HEx5MAgk=.htm

But still, the report form can't see it.
The error must be in the report form.

--
Frede Hansen
Sic gorgiamus allos subjectatos nunc

From MikeE at ster.invalid Mon May 30 10:09:19 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Mon May 30 12:10:03 2005
Subject: [SC-Help] Re: HTML spam, Spamcop says: No links found
References:
Message-ID:

Frede Hansen wrote:
> How come that this report system can't see the links I add manually?

Any time you want to talk about a result of a parse, the best way to do
it is to post the tracking url from the top of the page. This is true
even if you have already submitted your report. You can resubmit the
same spam item, copy the tracking url, then cancel the report for that
parse, and paste the tracker in here.

By doing that, we can see the entire spam, and we can also see how SC
handles the item at the time we access the tracker.

This is a tracker and its environment on the parser's page:

Here is your TRACKING URL - it may be saved for future reference:
http://www.spamcop.net/sc?id=z769399110z9f6130b022795acb4dbbbea97f490debz

--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Mon May 30 14:42:53 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Mon May 30 14:45:02 2005
Subject: [SC-Help] Re: HTML spam, Spamcop says: No links found
References:
Message-ID:

"Frede Hansen" wrote in message
news:Xns966682BCA8AE5cornerred@216.154.195.61...
> I am getting a lot of HTML based spam, where Spamcop fails,
> since there is no way to attach the HTML in the report.

As the reference to the www.spamcop.net FAQ didn't seem to help,
perhaps some data found over in the Forum may help.
http://forum.spamcop.net/forums/
For example, the entry in the "How to Use ... Reporting" Forum section
titled; " OE6 Secure handling of e-mail - Why Forward won't work"
Whether you use OE or not, there are some concepts there that may help
to explain what you are doing wrong.

> Then of course I try simply to paste the links that the HTML is hiding,
> but then: No links found, I am just told.

And this is going to get you into trouble as this is in violation of
rules and guidelines to the use of your SpamCop Reporting account. That
you are having issues would seem to increase your chances of getting
nailed on this. The act of "pasting stuff into your e-mail/spam
submittal" is wrong, but that you are having problems is probably based
on what you are attempting to manipulate and the way you are doing it.
See the above URL for some background on e-mail construction, HTML
rendering, etc.

Not only do you not identify the OS and applications involved in your
e-mail handling, but you also don't actually state just how you are
handling your submittal.

From nothing at valid.com Mon May 30 19:50:47 2005
From: nothing at valid.com (Frede Hansen)
Date: Mon May 30 14:55:03 2005
Subject: [SC-Help] Re: HTML spam, Spamcop says: No links found
References:
Message-ID:

"Mike Easter" wrote in news:d7fdre$lp6$1
@news.spamcop.net:

> Frede Hansen wrote:
>> How come that this report system can't see the links I add manually?
>
> Any time you want to talk about a result of a parse, the best way to do
> it is to post the tracking url from the top of the page. This is true
> even if you have already submitted your report. You can resubmit the
> same spam item, copy the tracking url, then cancel the report for that
> parse, and paste the tracker in here.
>
> By doing that, we can see the entire spam, and we can also see how SC
> handles the item at the time we access the tracker.
>
> This is a tracker and its environment on the parser's page:
>
> Here is your TRACKING URL - it may be saved for future reference:
> http://www.spamcop.net/sc?
id=z769399110z9f6130b022795acb4dbbbea97f490debz
>
>

Thanks, I will remember it the next time.

--
Frede Hansen
Sic gorgiamus allos subjectatos nunc
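
Garen's point that the raw message is needed, shown as an added Python example (not SpamCop's parser and not code from any poster): in an HTML spam the link exists only inside the encoded text/html part, so the text a mail client displays contains no URL at all. The sample message, its example.invalid hosts and the function names are constructed for this example.

```python
import base64
import email
from email import policy
from html.parser import HTMLParser

# Constructed HTML body: the only URLs are in attributes, never in the text.
HTML_BODY = (
    '<html><body>'
    '<a href="http://spamvertised.example.invalid/offer.htm">Click here</a>'
    '<img src="http://tracker.example.invalid/p.gif" width="1" height="1">'
    '</body></html>'
)

# Constructed raw message, as "view source" would show it: the HTML part is
# base64-encoded, so the URL is not readable without decoding it first.
RAW_SAMPLE = (
    "From: sender@example.invalid\r\n"
    "Subject: constructed sample\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/alternative; boundary="b1"\r\n'
    "\r\n"
    "--b1\r\n"
    "Content-Type: text/plain; charset=us-ascii\r\n"
    "\r\n"
    "Click here\r\n"
    "--b1\r\n"
    "Content-Type: text/html; charset=us-ascii\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    + base64.b64encode(HTML_BODY.encode("ascii")).decode("ascii") + "\r\n"
    "--b1--\r\n"
)


class LinkCollector(HTMLParser):
    """Collects URL-bearing attributes and the text a reader would see."""

    URL_ATTRS = {("a", "href"), ("area", "href"),
                 ("img", "src"), ("form", "action")}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links = []
        self.visible = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in self.URL_ATTRS and value:
                self.links.append(value.strip())

    def handle_data(self, data):
        if data.strip():
            self.visible.append(data.strip())


def links_and_visible_text(raw):
    """Return (links found in HTML attributes, text shown to the reader)."""
    msg = email.message_from_string(raw, policy=policy.default)
    links, visible = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype == "text/html":
            collector = LinkCollector()
            # get_content() undoes base64 / quoted-printable and the charset.
            collector.feed(part.get_content())
            collector.close()
            links.extend(collector.links)
            visible.extend(collector.visible)
        elif ctype == "text/plain":
            visible.append(part.get_content().strip())
    return links, " ".join(visible)


if __name__ == "__main__":
    found, shown = links_and_visible_text(RAW_SAMPLE)
    print("text the reader sees:", repr(shown))
    for url in found:
        print("link in raw HTML part:", url)
```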