From lujanero at gmail.com Sat Apr 1 21:41:03 2006 From: lujanero at gmail.com (master) Date: Sat Apr 1 19:45:03 2006 Subject: [SC-Help] JAPONESAS Message-ID: http://linkbux.com/go.php?link=513018 From nobody at spamcop.net Fri Apr 7 00:02:44 2006 From: nobody at spamcop.net (Antispam Knight) Date: Fri Apr 7 02:05:14 2006 Subject: [SC-Help] Re: Embedded images in spam not parsing References: Message-ID: "Mike Easter" wrote in message news:dtt2v5$ut$1@news.spamcop.net... > Posted to .spam and .help, f/ups to .help > > nighthawke wrote: >> Been getting spam that has no text in body, just a image. >> Ideas on how to deal with it? > > That is a stock spam which has no links in the body anyway, even in the > graphic -- all that is reported or reportable is the spamsource, which > SC offers to do. I paste the base64 .gif into http://www.opinionatedgeek.com/dotnet/tools/Base64Decode/ & let it display. Of course there's *some* risk, since you have to allow it to come back binary, but it shows the pic so you can get the ticker symbol & user copy enforcement at sec.gov. Been doing this with every one of 'em. AK From chris.a.wright at gmail.com Fri Apr 7 11:56:06 2006 From: chris.a.wright at gmail.com (Chris Wright) Date: Fri Apr 7 06:00:03 2006 Subject: [SC-Help] Re: Embedded images in spam not parsing In-Reply-To: References: Message-ID: Antispam Knight wrote: > "Mike Easter" wrote in message > news:dtt2v5$ut$1@news.spamcop.net... >> Posted to .spam and .help, f/ups to .help >> >> nighthawke wrote: >>> Been getting spam that has no text in body, just a image. >>> Ideas on how to deal with it? >> That is a stock spam which has no links in the body anyway, even in the >> graphic -- all that is reported or reportable is the spamsource, which >> SC offers to do. > > I paste the base64 .gif into > http://www.opinionatedgeek.com/dotnet/tools/Base64Decode/ & let it display. 
> Of course there's *some* risk, since you have to allow it to come back > binary, but it shows the pic so you can get the ticker symbol & user copy > enforcement at sec.gov. Been doing this with every one of 'em. > AK > > > > Excuse my ignorance here, but what is the benefit of doing that? ticker symbol and user copy enforcement? What do you mean by that? And you mention gif, where most spam images I get are jpeg. Not doubting you in anyway, just curious. I have a guess at why you might want to do this, but don't want to embarrass myself. I'll just say I thought so when you reply (and then the cynics can have their chuckle and say "yeah, right, as if he thought that'.) From MikeE at ster.invalid Fri Apr 7 06:21:20 2006 From: MikeE at ster.invalid (Mike Easter) Date: Fri Apr 7 08:25:03 2006 Subject: [SC-Help] Re: Embedded images in spam not parsing References: Message-ID: Chris Wright wrote: > Antispam Knight wrote: >> "Mike Easter" >>> nighthawke wrote: >>>> Been getting spam that has no text in body, just a image. >>>> Ideas on how to deal with it? >>> That is a stock spam which has no links in the body anyway, even in >>> the graphic -- all that is reported or reportable is the >>> spamsource, which SC offers to do. >> >> I paste the base64 .gif into >> http://www.opinionatedgeek.com/dotnet/tools/Base64Decode/ & let it >> display. Of course there's *some* risk, since you have to allow it >> to come back binary, but it shows the pic so you can get the ticker >> symbol & user copy enforcement at sec.gov. Been doing this with >> every one of 'em. >> AK > Excuse my ignorance here, but what is the benefit of doing that? I'm going to stay out of the Chris-AK discussion about that, I'm just poking my nose in here to make some minor clarifications. > ticker symbol and user copy enforcement? What do you mean by that? > And you mention gif, where most spam images I get are jpeg. 
This item had the attachment a b64 vanylon.gif which depicted almost all of the content of this announcement http://www.advfn.com/news_Circle-Group-Holdings-Completes-Private-Placement-Friday-March-31--2006--9-05-a-_14852491.html makeoneline or use http://snipurl.com/otyc I started to paste the .gif into .spam, but then I saw that I could simply make a link which contained all of the language of the graphic. Personally, I don't know why the SEC would be interested in the spam stock promotional graphic any more than they would be interested in the website announcement at the link above. The gist is that the AMEX CXN company, makers of Z-Trim, announced some forward looking stuff about a George Foreman promotion and some .au sales and then also made the standard SEC required disclaimers. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Thu Apr 13 05:53:37 2006 From: MikeE at ster.invalid (Mike Easter) Date: Thu Apr 13 07:55:12 2006 Subject: [SC-Help] Re: spam References: Message-ID: Posting to .spam & .help; f/ups to .help die spammer wrote: > the link points to http://dwjy8_.consiont.net/ but samspade is "Unable > to connect to whois.jsp for consiont.net ... Aborting ..." The whois I used for the domainname registration information was whois.moniker.com whois -h whois.moniker.com consiont.net ... Contact [292406]: Dimitr Cheva chevad03@yahoo.com Velichkov 8 Sofia Sofia 262002 BG Phone: +359.98228022 But the strategy for notifying is based on the IP address and the website. I don't think it is a good idea to have the label for the domainname end in an underscore -- but it does resolve to 82.77.58.68 which is Romania Data Systems whose ripe listed contact is contact-tech@rdsnet.ro and whose abuse.net reg'd contact is abuse@rdsnet.ro & contact-tech@rdsnet.ro > I can go to the web page which seems to be canadian. My GET function doesn't work on the url, the WebSniffer's GET doesn't work on the url, Connect to dwjy8_.consiont.net on port 80 ... 
failed
Error 1: Error while fetching URL

My IDServe tool works on the URL

Initiating server query ...
Looking up IP address for domain: dwjy8_.consiont.net
The IP address for the domain is: 82.77.58.68
Connecting to the server on standard HTTP port: 80
[Connected] Requesting the server's default page.
The server returned the following response headers:

HTTP/1.1 302 Found
Date: Thu, 13 Apr 2006 11:48:07 GMT
Server: Apache/2.0.54 (Fedora) DAV/2 t31b77d63
Location: http://dwjy8_.consiont.net/p/?&pid=1791
Content-Length: 1
Connection: close
Content-Type: text/html; charset=iso-8859-1

Query complete.

My browser doesn't work on the URL.

The information about domainname labels ending in an underscore sez the support is 'inconsistent'.

-- 
Mike Easter
kibitzer, not SC admin

From not at here.invalid Thu Apr 13 10:03:52 2006
From: not at here.invalid (Ellen)
Date: Thu Apr 13 11:45:04 2006
Subject: [SC-Help] Reporting System Maint Window
Message-ID:

Reporting System Maint Window
Thursday, April 13, 2006; 15:00-17:00 -0800; 3PM-5PM PDT

Operations will be performing upgrades during this maintenance window. You may encounter brief system unavailability and/or slow performance during this time. Thanks for your patience.

The email system will not be affected by this maintenance.

Ellen
SpamCop Followups/SpamCop
Please propagate to the forums.

From not at home.today Thu Apr 13 21:17:01 2006
From: not at home.today (Ant)
Date: Thu Apr 13 15:20:02 2006
Subject: [SC-Help] Re: spam
References:
Message-ID:

"Mike Easter" wrote:
> The information about domainname labels ending in an underscore sez
> the support is 'inconsistent'.

According to RFC 952 (DoD Internet host table specification) an underscore is not part of the character set for host names. This would also include the domain part. I don't know if there's an RFC which updates this, but I've seen the problem before in this form:

http://user_name.example.net/

I could reach the site from some ISPs, but not others.
At my place of work, I got a specific error which mentioned the illegal char. From psychonaut at nothingisreal.com Fri Apr 14 04:00:01 2006 From: psychonaut at nothingisreal.com (Tristan Miller) Date: Thu Apr 13 22:00:07 2006 Subject: [SC-Help] SpamCop doesn't parse routing info correctly Message-ID: <1362842.JPBJm9ahh6@ID-187157.News.Individual.NET> I'm running into an odd problem where SpamCop fails to correctly identify the source of an e-mail. Here's the situation: the spammer in question is a crazy guy who has been mass mailing his incoherent rants to everyone in his address book for years. He always uses a Yahoo! Mail account, which he logs into at some public access library terminal at the University of Arizona. (He has admitted as much.) When I forward to SpamCop an offending e-mail that I received at my personal account (psychonaut@nothingisreal.com), SpamCop correctly identifies the source as an IP at the University of Arizona. My employer (spgb@worldsocialism.org) is also on the spammer's mailing list. However, when *they* (or I) send their copy of the very same e-mail to SpamCop, it fails to identify the source as the University of Arizona. This is very strange, since both copies of the e-mail contain the same Received header giving a U of A IP (128.196.165.21 = PUB-E3.AHSL.Arizona.EDU): Received: from [128.196.165.21] by web35715.mail.mud.yahoo.com via HTTP; Wed, 12 Apr 2006 16:07:39 PDT Both our domains, nothingisreal.com and worldsocialism.org, are hosted by DreamHost. The only major difference in our setup is that I use fetchmail to download my mail via POP3 from mail.nothingisreal.com and deliver it to a local mail server, whereas my employer checks mail via IMAP on mail.worldsocialism.org. I reproduce here the headers of the e-mail in question in case anyone wants to check with SpamCop themselves. (SpamCop seems to allow submission of headers without a body for parsing purposes.) Here is the version I received which SpamCop correctly parses. 
Tracking URL:

Return-Path:
X-Original-To: psy@localhost
Delivered-To: psy@localhost.worldsocialism.org
Received: from localhost (localhost [127.0.0.1])
	by polecat.worldsocialism.org (Postfix) with ESMTP id 04EA6903D9
	for ; Thu, 13 Apr 2006 00:15:50 +0100 (BST)
X-Original-To: psychonaut@nothingisreal.com
Delivered-To: frettchen@randymail-mx2.dreamhost.com
Received: from mail.nothingisreal.com [208.97.132.24]
	by localhost with POP3 (fetchmail-6.2.5)
	for psy@localhost (single-drop); Thu, 13 Apr 2006 00:15:50 +0100 (BST)
Received: from web35715.mail.mud.yahoo.com (web35715.mail.mud.yahoo.com [66.163.179.169])
	by randymail-mx2.dreamhost.com (Postfix) with SMTP id B492913B3E0
	for ; Wed, 12 Apr 2006 16:07:40 -0700 (PDT)
Received: (qmail 4652 invoked by uid 60001); 12 Apr 2006 23:07:39 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com;
	h=Message-ID:Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding;
	b=rb80uMH7Kp4m/VGyzMC0i7vOkVAkMZ4UCxjNcwT5NIAsa2OhjLIOQiGfDr5u3GeGDVNiJh5gP4IrizKokJRF8JJ22pQ9LRZonUf2+SImTvUXUDFs1tQ9LHS8Y5VA/E/nM4GsuqMwaKflXpB9gec0jEg2CTyAnB6DWWQPf8/MIZw= ;
Message-ID: <20060412230739.4650.qmail@web35715.mail.mud.yahoo.com>
Received: from [128.196.165.21] by web35715.mail.mud.yahoo.com via HTTP; Wed, 12 Apr 2006 16:07:39 PDT
Date: Wed, 12 Apr 2006 16:07:39 -0700 (PDT)
From: L-ightist Economist
Subject: Fwd: Re: JB: Emails Violated and Erased by Unknown; Cannot Respond Immediately...EXPEL ME

Here is the version my employer received which SpamCop doesn't correctly parse.
Tracking URL:

Return-Path:
X-Original-To: spgb@worldsocialism.org
Delivered-To: spgb@randymail-mx1.dreamhost.com
Received: from enforcer.dreamhost.com (enforcer.dreamhost.com [66.33.220.4])
	by randymail-mx1.dreamhost.com (Postfix) with ESMTP id D18C434339
	for ; Wed, 12 Apr 2006 16:07:47 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
	by enforcer.dreamhost.com (Postfix) with ESMTP id AE0C017D010
	for ; Wed, 12 Apr 2006 16:07:47 -0700 (PDT)
Received: from enforcer.dreamhost.com ([127.0.0.1])
	by localhost (enforcer [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 04356-06
	for ; Wed, 12 Apr 2006 16:07:46 -0700 (PDT)
Received: from hesl01uker.he.local (smtpout.btconnect.com [213.123.26.90])
	by enforcer.dreamhost.com (Postfix) with ESMTP id ED6DF17D025
	for ; Wed, 12 Apr 2006 16:07:45 -0700 (PDT)
Received: from c2bthimr02.btconnect.com ([194.73.73.202])
	by hesl01uker.he.local with Microsoft SMTPSVC(6.0.3790.211);
	Thu, 13 Apr 2006 00:07:42 +0100
Received: from web35715.mail.mud.yahoo.com (web35715.mail.mud.yahoo.com [66.163.179.169])
	by c2bthimr02.btconnect.com (MOS 3.5.9-GR) with SMTP id FRP26850;
	Thu, 13 Apr 2006 00:06:54 +0100 (BST)
Received: (qmail 4652 invoked by uid 60001); 12 Apr 2006 23:07:39 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com;
	h=Message-ID:Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding;
	b=rb80uMH7Kp4m/VGyzMC0i7vOkVAkMZ4UCxjNcwT5NIAsa2OhjLIOQiGfDr5u3GeGDVNiJh5gP4IrizKokJRF8JJ22pQ9LRZonUf2+SImTvUXUDFs1tQ9LHS8Y5VA/E/nM4GsuqMwaKflXpB9gec0jEg2CTyAnB6DWWQPf8/MIZw= ;
Message-ID: <20060412230739.4650.qmail@web35715.mail.mud.yahoo.com>
Received: from [128.196.165.21] by web35715.mail.mud.yahoo.com via HTTP; Wed, 12 Apr 2006 16:07:39 PDT
Date: Wed, 12 Apr 2006 16:07:39 -0700 (PDT)
From: L-ightist Economist
Subject: Fwd: Re: JB: Emails Violated and Erased by Unknown; Cannot Respond Immediately...EXPEL ME

-- _ _V.-o Tristan Miller [en,(fr,de,ia)] >< Space is limited / |`-'
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= <> In a haiku, so it's hard (7_\\ http://www.nothingisreal.com/ >< To finish what you From MikeE at ster.invalid Thu Apr 13 21:26:23 2006 From: MikeE at ster.invalid (Mike Easter) Date: Thu Apr 13 23:30:11 2006 Subject: [SC-Help] Re: SpamCop doesn't parse routing info correctly References: <1362842.JPBJm9ahh6@ID-187157.News.Individual.NET> Message-ID: Using cite marks per par instead of per line to prevent shortlines. Tristan Miller wrote: > I'm running into an odd problem where SpamCop fails to correctly identify the source of an e-mail. Correct. SC breaks the parse chain prematurely on one of your examples because of a noncompliant server. > When I forward to SpamCop an offending e-mail that I received at my personal account (psychonaut@nothingisreal.com), SpamCop correctly identifies the source as an IP at the University of Arizona. Using SC to determine the source of this kind of mail is appropriate, but you shouldn't be SC reporting these as spam -- I'm assuming that you are not. > My employer (spgb@worldsocialism.org) is also on the spammer's mailing list. However, when they (or I) send their copy of the very same e-mail to SpamCop, it fails to identify the source as the University of Arizona. Correct. SC correctly parses yours at nothingisreal; SC incorrectly parses the worldsocialism because there is a noncompliant MTA mailserver in the chain.. > This is very strange, since both copies of the e-mail contain the same Received header giving a U of A IP (128.196.165.21 = PUB-E3.AHSL.Arizona.EDU): Yes, but there is a lot between the sourceline and the last MTA. SC trips on the way for worldsocialism because of a noncompliant server line. See abbreviated headers below. > Both our domains, nothingisreal.com and worldsocialism.org, are hosted by DreamHost. 
> The only major difference in our setup is that I use fetchmail to download my mail via POP3 from mail.nothingisreal.com and deliver it to a local mail server, whereas my employer checks mail via IMAP on mail.worldsocialism.org.

The headers are distinctly different.

> Here is the version I received which SpamCop correctly parses.

Abbreviated Received tracelines  *comment
from localhost (localhost [127.0.0.1]) by polecat.worldsocialism.org  *serves you
from mail.nothingisreal.com [208.97.132.24] by localhost  *serves you
from (web35715.mail.mud.yahoo.com [66.163.179.169]) by randymail-mx2.dreamhost.com  *serves you
from [128.196.165.21] by web35715.mail.mud.yahoo.com  *sourceline

SC correctly parses those lines by chaining from each upper 'from' field IP to each lower 'by' field domainname.

> Here is the version my employer received which SpamCop doesn't correctly parse.

Abbreviated Received tracelines  *comment
from enforcer.dreamhost.com [66.33.220.4]) by randymail-mx1.dreamhost.com  *serves recipient
from localhost (localhost [127.0.0.1]) by enforcer.dreamhost.com  *serves recipient
from enforcer.dreamhost.com ([127.0.0.1]) by localhost  *serves recipient
from hesl01uker.he.local (smtpout.btconnect.com [213.123.26.90]) by enforcer.dreamhost.com  *serves recipient, funky helo
from c2bthimr02.btconnect.com ([194.73.73.202]) by hesl01uker.he.local  *serves recipient, funky line
from (web35715.mail.mud.yahoo.com [66.163.179.169]) by c2bthimr02.btconnect.com  *serves recipient
from [128.196.165.21] by web35715.mail.mud.yahoo.com  *sourceline

SC incorrectly parses those lines because it breaks the chain prematurely because of the funky 213.123.26.90 rDNS smtpout.btconnect.com which is handling its Received traceline non-compliantly. It is calling itself hesl01uker.he.local in its line that it stamps # 5 from the top and SC cannot associate the IP with that name. As a result, SC cannot get past the IP 213.123.26.90 and 'has to' name it as source.
If that recipient were reporting spam with spamcop, they would have to configure themselves with mailhosting, because SC would always name that server as the source of any mail with such headers. In the above headers, the item goes from source 128 > mud.yahoo > btconnect > dreamhost The bad server line belongs to btconnect. In your headers, the item goes from source 128 > dreamhost without the intervening btconnect, so the bad line does not appear in your headers. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Thu Apr 13 21:38:59 2006 From: MikeE at ster.invalid (Mike Easter) Date: Thu Apr 13 23:40:02 2006 Subject: [SC-Help] Re: SpamCop doesn't parse routing info correctly References: <1362842.JPBJm9ahh6@ID-187157.News.Individual.NET> Message-ID: Mike Easter wrote: > In your headers, the item goes from source 128 > dreamhost without the > intervening btconnect, so the bad line does not appear in your > headers. I accidentally left out yahoo. In your headers, the item goes from source 128 > mud.yahoo > dreamhost without the intervening btconnect, so the bad line does not appear in your headers. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Fri Apr 14 06:14:54 2006 From: MikeE at ster.invalid (Mike Easter) Date: Fri Apr 14 08:15:12 2006 Subject: [SC-Help] Re: SpamCop doesn't parse routing info correctly References: <1362842.JPBJm9ahh6@ID-187157.News.Individual.NET> Message-ID: Tristan Miller wrote: > Here is the version my employer received which SpamCop doesn't > correctly parse. > X-Original-To: spgb@worldsocialism.org > Delivered-To: spgb@randymail-mx1.dreamhost.com There's something about those headers I don't understand. worldsocialism.org has MXes fltr-in1.mail.dreamhost.com A (Address) 66.33.206.230 fltr-in2.mail.dreamhost.com A (Address) 66.33.206.231 ... which call themselves enforcer and deathwish So it would seem that the yahoo server should send to mail.dreamhost [enforcer or deathwish] instead of using the btconnect. 
The item goes from source 128 > mud.yahoo > btconnect > dreamhost -- specifically...

Abbreviated partial Received tracelines  *comment changed
from hesl01uker.he.local (smtpout.btconnect.com [213.123.26.90]) by enforcer.dreamhost.com  *serves recipient, funky helo
from c2bthimr02.btconnect.com ([194.73.73.202]) by hesl01uker.he.local  *serves yahoo, funky line
from (web35715.mail.mud.yahoo.com [66.163.179.169]) by c2bthimr02.btconnect.com  *serves yahoo
from [128.196.165.21] by web35715.mail.mud.yahoo.com  *sourceline

... so the btconnect belongs to yahoo, as part of its output route; not the recipient as I had *commented earlier. I don't understand why yahoo is sending to that btconnect or rather 'using' that btconnect to reach the dreamhost.

nothingisreal.com has MXes
mx1.balanced.randy.mail.dreamhost.com. A 208.97.132.30
mx2.balanced.randy.mail.dreamhost.com. A 208.97.132.31

In the mail which went from mud.yahoo to the nothingisreal, the headers are as expected for randymail

Abbreviated partial Received tracelines  *comment
from (web35715.mail.mud.yahoo.com [66.163.179.169]) by randymail-mx2.dreamhost.com  *serves you
from [128.196.165.21] by web35715.mail.mud.yahoo.com  *sourceline

source 128 > mud.yahoo > randymail-mx2.dreamhost.com

So, for worldsocialism.org I'm wondering why didn't mud.yahoo just send to a mail.dreamhost.com [enforcer or deathwish] instead of using the btconnect?

-- 
Mike Easter
kibitzer, not SC admin

From psychonaut at nothingisreal.com Fri Apr 14 14:52:03 2006
From: psychonaut at nothingisreal.com (Tristan Miller)
Date: Fri Apr 14 08:55:02 2006
Subject: [SC-Help] Re: SpamCop doesn't parse routing info correctly
References: <1362842.JPBJm9ahh6@ID-187157.News.Individual.NET>
Message-ID: <12059061.o5WSEuXLln@ID-187157.News.Individual.NET>

Greetings.
In article , Mike Easter wrote: >> When I forward to SpamCop an offending e-mail that I received at my > personal account (psychonaut@nothingisreal.com), SpamCop correctly > identifies the source as an IP at the University of Arizona. > > Using SC to determine the source of this kind of mail is appropriate, > but you shouldn't be SC reporting these as spam -- I'm assuming that you > are not. Why shouldn't I be? As far as I can tell from the FAQ on what is appropriate to report as spam , these messages qualify. They are both unsolicited and bulk. The sender has been sending them (sometimes several a day) to a large and growing mailing list of people for years. He refuses to stop sending mail despite repeated requests. AFAIK nobody has opted in to his list; in fact, people sometimes use "Reply to all" to complain and ask how to get rid of him. He tries to circumvent filters and block lists by using public access terminals in libraries and creating new Yahoo! Mail accounts every few weeks. I think this fits the definition of spam listed in the FAQ. > Correct. SC correctly parses yours at nothingisreal; SC incorrectly > parses the worldsocialism because there is a noncompliant MTA mailserver > in the chain.. OK, perhaps I should report this to BT Connect, then. 
Regards, Tristan -- _ _V.-o Tristan Miller [en,(fr,de,ia)] >< Space is limited / |`-' -=-=-=-=-=-=-=-=-=-=-=-=-=-=-= <> In a haiku, so it's hard (7_\\ http://www.nothingisreal.com/ >< To finish what you From MikeE at ster.invalid Fri Apr 14 07:30:31 2006 From: MikeE at ster.invalid (Mike Easter) Date: Fri Apr 14 09:35:06 2006 Subject: [SC-Help] Re: SpamCop doesn't parse routing info correctly References: <1362842.JPBJm9ahh6@ID-187157.News.Individual.NET> <12059061.o5WSEuXLln@ID-187157.News.Individual.NET> Message-ID: Tristan Miller wrote: > Mike Easter wrote: >> Using SC to determine the source of this kind of mail is appropriate, >> but you shouldn't be SC reporting these as spam -- I'm assuming that >> you are not. > > Why shouldn't I be? My thoughts were not that it wasn't unsolicited and unwanted, but more that the 'butt' of a SC report, the arizona.edu spamsource, might be 'misdirected' [sorta] and if listed could potentially cause 'collateral' damage. But, OTOH, maybe it isn't a library terminal at all. And, on another hand, maybe a spamcop report might cause some interest on arizona.edu's part. In reality, the entity which should be taking action is yahoo against its webmailer account moreevilbaddeals@yahoo.com so if I were manually reporting, I would be 'talking' to yahoo. But, I see below that s/he adds new yahoo accounts, or rather perhaps just changes from one to another without losing any.. It is hard to say what 128.196.165.21 rDNS PUB-E3.AHSL.Arizona.EDU really is, because you can't trust your antagonist to be telling the truth about that, but it seems that 'correspondence' with the arin listed contact abuse@arizona.edu with a manual notify, just like the manual notify to yahoo, would be more 'interesting' than simply performing a SC report. Tristan Miller wrote: > mass mailing his incoherent rants to everyone in his address book for > years. He always uses a Yahoo! 
Mail account, which he logs into at > some public access library terminal at the University of Arizona. (He has > admitted as much.) > He tries to circumvent filters and block lists by using > public access terminals in libraries and creating new Yahoo! Mail > accounts every few weeks. I think this fits the definition of spam > listed in the FAQ. It is unwanted and unsolicited -- it isn't typical spam. It is more like 'social' spam, being on someone's mailing list you don't want to be on. As a result of its difference from typical spam, the typical spamcop report isn't really quite on the money, ie accurately directed. Unless maybe that isn't a library terminal but a dormitory access. >> Correct. SC correctly parses yours at nothingisreal; SC incorrectly >> parses the worldsocialism because there is a noncompliant MTA >> mailserver in the chain.. > > OK, perhaps I should report this to BT Connect, then. I'm still trying to figure out why that btconnect is in there. I'm now thinking it is part of the apparatus for yahoo. Server admins are often 'reluctant' to improve on their configuration -- because it isn't really bothering /them/ - it just doesn't parse right. If your employer recipient were reporting spams which named the btconnect server, they might get SCbl listed and interested. -- Mike Easter kibitzer, not SC admin From psychonaut at nothingisreal.com Fri Apr 14 17:10:45 2006 From: psychonaut at nothingisreal.com (Tristan Miller) Date: Fri Apr 14 11:15:03 2006 Subject: [SC-Help] Re: SpamCop doesn't parse routing info correctly References: <1362842.JPBJm9ahh6@ID-187157.News.Individual.NET> <12059061.o5WSEuXLln@ID-187157.News.Individual.NET> Message-ID: <81793859.tpV3IgNtBu@ID-187157.News.Individual.NET> Greetings. In article , Mike Easter wrote: >>> Using SC to determine the source of this kind of mail is appropriate, >>> but you shouldn't be SC reporting these as spam -- I'm assuming that >>> you are not. >> >> Why shouldn't I be? 
> > My thoughts were not that it wasn't unsolicited and unwanted, but more > that the 'butt' of a SC report, the arizona.edu spamsource, might be > 'misdirected' [sorta] and if listed could potentially cause 'collateral' > damage. But, OTOH, maybe it isn't a library terminal at all. And, on > another hand, maybe a spamcop report might cause some interest on > arizona.edu's part. I sent a manual report to abuse@arizona.edu a few days ago and got a response back from an IT administrator. They've confirmed that the source is a public access library terminal. This is in line with what the spammer himself admits -- he makes no attempt to disguise his identity, freely giving out his name, birthdate, photograph, and often mentions that he's sending his mails from a public library terminal. As I said, we're pretty sure he's mentally ill. His e-mails consist of nothing but incoherent rants that go on for pages and pages about the World Socialist Party of the United States, of which his late father was a member. This apparently explains his choice of spam recipients -- I recognize some of the e-mail addresses as belonging to members and departments of the WSPUS and affiliated parties overseas. > In reality, the entity which should be taking action is yahoo against > its webmailer account moreevilbaddeals@yahoo.com so if I were manually > reporting, I would be 'talking' to yahoo. I've been manually reporting to Yahoo! for months and they never take any action. At worst the reports are ignored, and at best I get an automated response. >>> Correct. SC correctly parses yours at nothingisreal; SC incorrectly >>> parses the worldsocialism because there is a noncompliant MTA >>> mailserver in the chain.. >> >> OK, perhaps I should report this to BT Connect, then. > > I'm still trying to figure out why that btconnect is in there. I'm now > thinking it is part of the apparatus for yahoo. 
Server admins are often > 'reluctant' to improve on their configuration -- because it isn't really > bothering /them/ - it just doesn't parse right. If your employer > recipient were reporting spams which named the btconnect server, they > might get SCbl listed and interested. My employer is receiving the spam at spgb@worldsocialism.org. The spammer is sending to socialistparty@btconnect.com, an obsolete address which forwards to spgb@worldsocialism.org. I've since set up mailhosts for my employer's SpamCop account. The automatic configuration wouldn't work for socialistparty@btconnect.com, but the administrators waived it. SpamCop now correctly identifies the University of Arizona IP for the spam. Regards, Tristan -- _ _V.-o Tristan Miller [en,(fr,de,ia)] >< Space is limited / |`-' -=-=-=-=-=-=-=-=-=-=-=-=-=-=-= <> In a haiku, so it's hard (7_\\ http://www.nothingisreal.com/ >< To finish what you From MikeE at ster.invalid Fri Apr 14 09:52:10 2006 From: MikeE at ster.invalid (Mike Easter) Date: Fri Apr 14 11:55:03 2006 Subject: [SC-Help] Re: SpamCop doesn't parse routing info correctly References: <1362842.JPBJm9ahh6@ID-187157.News.Individual.NET> <12059061.o5WSEuXLln@ID-187157.News.Individual.NET> <81793859.tpV3IgNtBu@ID-187157.News.Individual.NET> Message-ID: Tristan Miller wrote: > This is in line with > what the spammer himself admits -- he makes no attempt to disguise > his identity, freely giving out his name, birthdate, photograph, and > often mentions that he's sending his mails from a public library > terminal. As I said, we're pretty sure he's mentally ill. Oh, I see. I'm beginning to get the picture. > His > e-mails consist of nothing but incoherent rants that go on for pages > and pages about the World Socialist Party of the United States, of > which his late father was a member. 
> This apparently explains his choice of spam recipients -- I recognize some of the e-mail addresses as belonging to members and departments of the WSPUS and affiliated parties overseas.

He is simply proselytizing his point of view to 'you' people --- who don't want to hear it. I'm surprised there isn't some clever way to filter him out, depending upon what kind of filter tools you have at your disposal.

> I've been manually reporting to Yahoo! for months and they never take
> any action. At worst the reports are ignored, and at best I get an
> automated response.

That would be yahoo all right. They simply consider this 'correspondence'.

>> I'm still trying to figure out why that btconnect is in there.

> My employer is receiving the spam at spgb@worldsocialism.org. The
> spammer is sending to socialistparty@btconnect.com, an obsolete
> address which forwards to spgb@worldsocialism.org.

Ah, so! I now understand the btconnect being in there perfectly.

> I've since set up mailhosts for my employer's SpamCop account. The
> automatic configuration wouldn't work for
> socialistparty@btconnect.com, but the administrators waived it.

Waived? I don't understand that yet.

> SpamCop now correctly identifies the University of Arizona IP for the
> spam.

Not according to what I see at your originally posted employer's header example
http://www.spamcop.net/sc?id=z919793041z85093855a4505837202f64fc298ebaa6z

Supposed receiving system not associated with any of your mailhosts

If reported today, reports would be sent to:
Re: 213.123.26.90 (Administrator of network where email originates)
Internal spamcop handling: (bt)

That tracker shows a mailhosted account, but since the btconnect mailhosting wouldn't work for some reason I don't understand, the spamsource isn't correctly identified. That is, SC is still tripping on the same place for the same reason. If you had been successful at mailhosting the btconnect, the parse result would be/ should be/ correct.
-- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Fri Apr 14 11:40:37 2006 From: nobody at devnull.spamcop.net (Guy Macon) Date: Fri Apr 14 13:45:03 2006 Subject: [SC-Help] Re: SpamCop doesn't parse routing info correctly References: <1362842.JPBJm9ahh6@ID-187157.News.Individual.NET> <12059061.o5WSEuXLln@ID-187157.News.Individual.NET> Message-ID: "Mike Easter" wrote in message news:e1o85j$a6r$1@news.spamcop.net... >It is hard to say what 128.196.165.21 rDNS PUB-E3.AHSL.Arizona.EDU >really is, because you can't trust your antagonist to be telling the >truth about that There is a reasonable chance that it is this: [ http://www.ahsl.arizona.edu/computing/ ]. If so, this usage violates [ http://www.ahsl.arizona.edu/policies/usepolicy.cfm ]. I have found that sending snailmail is often more effective than email when dealing with universities, so the OP might wish to drop a stamp on the user if email fails. From MikeE at ster.invalid Fri Apr 14 12:47:53 2006 From: MikeE at ster.invalid (Mike Easter) Date: Fri Apr 14 14:50:03 2006 Subject: [SC-Help] Re: SpamCop doesn't parse routing info correctly References: <1362842.JPBJm9ahh6@ID-187157.News.Individual.NET> <12059061.o5WSEuXLln@ID-187157.News.Individual.NET> Message-ID: Guy Macon wrote: > "Mike Easter" >> It is hard to say what 128.196.165.21 rDNS PUB-E3.AHSL.Arizona.EDU >> really is, > There is a reasonable chance that it is this: [ > http://www.ahsl.arizona.edu/computing/ ]. > If so, this usage violates [ > http://www.ahsl.arizona.edu/policies/usepolicy.cfm ]. Ah so, the Arizona Health Sciences Library branch. I certainly agree with that. 
There are also a supervisor and a computer operator

Staff:

Jose Solorzano
Supervisor
jose@ahsl.arizona.edu
520-626-2738

Tessie O'Talley
Computer Operator
otalley@ahsl.arizona.edu
520-626-6707

> I have found that sending snailmail is often more effective

Arizona Health Sciences Center
3rd Floor Rm 3215
1501 N Campbell Ave
Tucson, AZ 85724

As to blocking things from ahsl.arizona.edu, I'll bet if you tagged everything from 128.196.164.0/23 so that you would get 128.196.164.0 - 128.196.165.255 that all of the ahsl stuff would be in there. This item is from .165.21 and the MX for the ahsl names is in .164.2 . My SpamPal can tag on IPs and IP ranges.

--
Mike Easter
kibitzer, not SC admin

From psychonaut at nothingisreal.com Fri Apr 14 22:51:23 2006
From: psychonaut at nothingisreal.com (Tristan Miller)
Date: Fri Apr 14 16:55:03 2006
Subject: [SC-Help] Re: SpamCop doesn't parse routing info correctly
References: <1362842.JPBJm9ahh6@ID-187157.News.Individual.NET> <12059061.o5WSEuXLln@ID-187157.News.Individual.NET> <81793859.tpV3IgNtBu@ID-187157.News.Individual.NET>
Message-ID: <1620993.W5yZSbzVym@ID-187157.News.Individual.NET>

Greetings.

In article , Mike Easter wrote:
> He is simply proselytizing his point of view to 'you' people --- who don't want to hear it. I'm surprised there isn't some clever way to filter him out, depending upon what kind of filter tools you have at your disposal.

As an experienced user, I have no problem filtering out his messages. However, the same cannot be said for the dozens (hundreds?) of other people he spams. My employer and various other people on his mailing list want to know how to block him. Rather than prepare twenty different responses giving instructions for each person's particular combination of operating system and software, I figure it's best to tell everyone to report the problem to SpamCop and hope that Yahoo! and/or his ISPs permanently suspend him for TOS violations.
>> I've since set up mailhosts for my employer's SpamCop account. The automatic configuration wouldn't work for socialistparty@btconnect.com, but the administrators waived it.
>
> Waived? I don't understand that yet.

When the automated mailhosts configuration failed, the SpamCop web page gave me an option to request manual configuration by a SpamCop administrator. They call this a "waiver".

>> SpamCop now correctly identifies the University of Arizona IP for the spam.
>
> Not according to what I see at your originally posted employer's header example
> http://www.spamcop.net/sc?id=z919793041z85093855a4505837202f64fc298ebaa6z

That was an old submission. Submissions made after mailhosts configuration are processed correctly.

Regards,
Tristan

--
  _
 _V.-o  Tristan Miller [en,(fr,de,ia)]    ><  Space is limited
 / |`-' -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=   <>  In a haiku, so it's hard
(7_\\   http://www.nothingisreal.com/    ><  To finish what you

From psychonaut at nothingisreal.com Fri Apr 14 22:55:59 2006
From: psychonaut at nothingisreal.com (Tristan Miller)
Date: Fri Apr 14 17:15:03 2006
Subject: [SC-Help] Re: SpamCop doesn't parse routing info correctly
References: <1362842.JPBJm9ahh6@ID-187157.News.Individual.NET> <12059061.o5WSEuXLln@ID-187157.News.Individual.NET>
Message-ID: <3226896.o2Mzhp0O0k@ID-187157.News.Individual.NET>

Greetings.

In article , Mike Easter wrote:
> Guy Macon wrote:
>>> It is hard to say what 128.196.165.21 rDNS PUB-E3.AHSL.Arizona.EDU really is,
>
>> There is a reasonable chance that it is this: [ http://www.ahsl.arizona.edu/computing/ ]. If so, this usage violates [ http://www.ahsl.arizona.edu/policies/usepolicy.cfm ].
>
> Ah so, the Arizona Health Sciences Library branch. I certainly agree with that.
>
> There are also a supervisor and a computer operator
>
> Staff:
>
> Jose Solorzano
> Supervisor
> jose@ahsl.arizona.edu
> 520-626-2738
>
> Tessie O'Talley
> Computer Operator
> otalley@ahsl.arizona.edu
> 520-626-6707
>
>> I have found that sending snailmail is often more effective
>
> Arizona Health Sciences Center
> 3rd Floor Rm 3215
> 1501 N Campbell Ave
> Tucson, AZ 85724

Thanks for this information. I'll try writing and/or calling next week.

Regards,
Tristan

--
  _
 _V.-o  Tristan Miller [en,(fr,de,ia)]    ><  Space is limited
 / |`-' -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=   <>  In a haiku, so it's hard
(7_\\   http://www.nothingisreal.com/    ><  To finish what you

From MikeE at ster.invalid Fri Apr 14 15:17:37 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Apr 14 17:20:04 2006
Subject: [SC-Help] Re: SpamCop doesn't parse routing info correctly
References: <1362842.JPBJm9ahh6@ID-187157.News.Individual.NET> <12059061.o5WSEuXLln@ID-187157.News.Individual.NET> <81793859.tpV3IgNtBu@ID-187157.News.Individual.NET> <1620993.W5yZSbzVym@ID-187157.News.Individual.NET>
Message-ID:

Tristan Miller wrote:
> I figure it's best to tell everyone to report the problem to SpamCop and hope that Yahoo! and/or his ISPs permanently suspend him for TOS violations.

Considering some of the elements of this particular issue, ie he is a known and identifiable meatspace identity who sounds pretty whacky such that the recipients of his missives consider him to be mentally ill -- and have for some time -- and that he posts from the Arizona Health Sciences Library IP via yahoo webmailer accounts. I find myself wondering if his composing and mailing these essays might be 'therapeutic' for him.

> When the automated mailhosts configuration failed, the SpamCop web page gave me an option to request manual configuration by a SpamCop administrator. They call this a "waiver".

Hmm. Interesting use of the word.

>>> SpamCop now correctly identifies the University of Arizona IP for the spam.
>>
>> Not according to what I see at your originally posted employer's header example
>> http://www.spamcop.net/sc?id=z919793041z85093855a4505837202f64fc298ebaa6z
>
> That was an old submission. Submissions made after mailhosts configuration are processed correctly.

When I parsed that tracker at the beginning of this conversation, it didn't parse as a mailhost. Since then, you said that the account which corresponds to that tracker has become mailhosted, and in fact, it parses with the appearance of a mailhosted account.

But, even tho' it parses with the appearance of a mailhosted account called 'gountchev' now, as opposed to before when the thread started, the mailhosted account does not have the whacky btconnect server calling itself hesl01uker.he.local in its Received traceline associated with the gountchev account.

SC sez 4: Received: from c2bthimr02.btconnect.com ([194.73.73.202]) by hesl01uker.he.local with Microsoft SMTPSVC(6.0.3790.211); Thu, 13 Apr 2006 00:07:42 +0100
Hostname verified: c2bthimr02.btconnect.com
Possible forgery. Supposed receiving system not associated with any of your mailhosts
Will not trust anything beyond this header

Where 'supposed receiving system' being mentioned is hesl01uker.he.local

Perhaps the deputy manually configured the mailhost for some whacky name or another that s/he saw, such as hesl02uker.he.local [there is such a server as that] or some other -- or perhaps when there is a manual configuration, things don't work the same as expected. I'm just guessing that the mailhost configuring for the btconnect server family is incomplete.

--
Mike Easter
kibitzer, not SC admin

From post.please.this.email.is.not.valid at example.com Sat Apr 15 20:15:51 2006
From: post.please.this.email.is.not.valid at example.com (DougW)
Date: Sat Apr 15 20:20:03 2006
Subject: [SC-Help] polyakov spammer munge
Message-ID:

Your basic spam but this time polyakov is using the following pattern.
www.<><>^|.g28b.net?#meltdown.com
www.<><>^|.n89g.net?#tenor.com
etc.

loverly ain't it. :/

--
DougW

From devnull at spamcop.net Sun Apr 16 10:36:41 2006
From: devnull at spamcop.net (Frog Prince)
Date: Sun Apr 16 09:40:14 2006
Subject: [SC-Help] Re: SpamCop doesn't parse routing info correctly
References: <1362842.JPBJm9ahh6@ID-187157.News.Individual.NET> <12059061.o5WSEuXLln@ID-187157.News.Individual.NET>
Message-ID:

"Guy Macon"
| >It is hard to say what 128.196.165.21 rDNS PUB-E3.AHSL.Arizona.EDU really is, because you can't trust your antagonist to be telling the truth about that
|
| There is a reasonable chance that it is this: [ http://www.ahsl.arizona.edu/computing/ ]. If so, this usage violates [ http://www.ahsl.arizona.edu/policies/usepolicy.cfm ].
|
| I have found that sending snailmail is often more effective than email when dealing with universities, so the OP might wish to drop a stamp on the user if email fails.
|

I've found, in the few cases where the university did not seem to care about a complaint, that a CC with a cover letter to the chair person of the legislative agency controlling the funding of the university about the abuse and lack of response usually gets the attention of someone at the university who will make things happen.

Money talks ... ** walks

From rowan at sylvester-bradley.org Sun Apr 16 09:26:36 2006
From: rowan at sylvester-bradley.org (rowan)
Date: Sun Apr 16 11:30:02 2006
Subject: [SC-Help] Loads of spam showing "Delviery Status Notification", "Failure Notice" etc.
Message-ID: <1145201196.288571.50190@u72g2000cwu.googlegroups.com>

I've recently started receiving loads of spam messages which purport to be delivery failure messages. They are always addressed to a non-existent user at my domain, e.g. ojvnyo@, ejrzx@, rrl@ etc. They can have a variety of failure messages, and purport to tell me that a message that I sent to an address that I have never sent to in my life could not be delivered.
The message sometimes contains a load of Base64 code, presumably some kind of malware, or a scanned page of text. Sometimes there's no obvious payload.

Where are these messages coming from? Why have they suddenly started (or at least, suddenly started finding me)? Why are they getting through my ISP's spam filter (which is normally very good)? What can I do to get rid of them?

Many thanks for your help - Rowan

From post.please.this.email.is.not.valid at example.com Sun Apr 16 12:47:29 2006
From: post.please.this.email.is.not.valid at example.com (DougW)
Date: Sun Apr 16 12:50:04 2006
Subject: [SC-Help] Re: Loads of spam showing "Delviery Status Notification", "Failure Notice" etc.
References: <1145201196.288571.50190@u72g2000cwu.googlegroups.com>
Message-ID:

rowan did pass the time by typing:
> I've recently started receiving loads of spam messages which purport to be delivery failure messages. They are always addressed to a non-existent user at my domain, e.g. ojvnyo@, ejrzx@, rrl@ etc. They can have a variety of failure messages, and purport to tell me that a message that I sent to an address that I have never sent to in my life could not be delivered. The message sometimes contains a load of Base64 code, presumably some kind of malware, or a scanned page of text. Sometimes there's no obvious payload.
>
> Where are these messages coming from? Why have they suddenly started (or at least, suddenly started finding me)? Why are they getting through my ISP's spam filter (which is normally very good)? What can I do to get rid of them?

Well, copy out the bit of base64 stuff and paste it into the form located here:
http://www.toastedspam.com/decode64

That will let you see what is in there. Odds are it's a gif pump&dump

They are getting through because most ISPs have made exceptions for bounce and failure messages. And some spam filters also have these "features" in them.

First thing to do is turn off your catch-all for role accounts.
If they are coming in on postmaster or abuse then filter/flag.

(There are others here more suited to answer that question than I)

--
rbg

From MikeE at ster.invalid Sun Apr 16 11:02:10 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Apr 16 13:05:03 2006
Subject: [SC-Help] Re: Loads of spam showing "Delviery Status Notification", "Failure Notice" etc.
References: <1145201196.288571.50190@u72g2000cwu.googlegroups.com>
Message-ID:

rowan wrote:
> I've recently started receiving loads of spam messages which purport to be delivery failure messages. They are always addressed to a non-existent user at my domain, e.g. ojvnyo@, ejrzx@, rrl@ etc. They can have a variety of failure messages, and purport to tell me that a message that I sent to an address that I have never sent to in my life could not be delivered. The message sometimes contains a load of Base64 code, presumably some kind of malware, or a scanned page of text. Sometimes there's no obvious payload.

Spending a lot of words trying to describe some mail or spam doesn't actually sufficiently describe it. The best way to 'talk about' something spam around here is to show one or more by posting a tracking URL or 'tracker'.

A tracker looks like:

Here is your TRACKING URL - it may be saved for future reference:
http://www.spamcop.net/sc?id=z921452706z5f80c3536f02ccd15f431f0fc87fc372z

You get it by submitting one of those spams you are trying to describe to the webparser, then copying the tracker, then cancelling the report, then pasting the tracker in here.

That way anyone can look at the time and say things like, "That's not actually a delivery status notification - failure, it is a bogus one.' -or- 'Yep that's a DSN failure all right -- a spammer has elected your address to be the bogus From.'

We can also comment on the reportability of servers which belatedly bounce spam - or the non-reportability of spam which isn't mailed to you - or other alternatives.
We can comment on what is the payload which isn't obvious. All that stuff. But not with your description words which can never be adequate for even remarking on the issue.

> Where are these messages coming from? Why have they suddenly started (or at least, suddenly started finding me)? Why are they getting through my ISP's spam filter (which is normally very good)? What can I do to get rid of them?

Comments after you post a tracker or two.

--
Mike Easter
kibitzer, not SC admin

From not at home.today Sun Apr 16 20:06:32 2006
From: not at home.today (Ant)
Date: Sun Apr 16 14:10:03 2006
Subject: [SC-Help] Re: Loads of spam showing "Delviery Status Notification", "Failure Notice" etc.
References: <1145201196.288571.50190@u72g2000cwu.googlegroups.com>
Message-ID:

"rowan" wrote:
> I've recently started receiving loads of spam messages which purport to be delivery failure messages. They are always addressed to a non-existent user at my domain, e.g. ojvnyo@, ejrzx@, rrl@ etc.

I, and a lot of customers at my old ISP, am getting the same because we have unlimited email addresses of the form:
<[anything]@[account name].[ISP name].co.uk>

> They can have a variety of failure messages, and purport to tell me that a message that I sent to an address that I have never sent to in my life could not be delivered.

They are genuine non-delivery messages from mail servers that have accepted the mail, and then decided to bounce it later. The spammer has forged your address in the "From:" line. These NDRs are called backscatter, and this belated bouncing should not be happening nowadays.

> The message sometimes contains a load of Base64 code, presumably some kind of malware, or a scanned page of text. Sometimes there's no obvious payload.

All mine are pump & dump stock spams in the form of gif images, so there is no URL to click on.

> Where are these messages coming from? Why have they suddenly started (or at least, suddenly started finding me)?
> Why are they getting through my ISP's spam filter (which is normally very good)?

Lots of people are asking the same questions. Mine are being tagged as spam when a copy of the actual spam is attached, because the body also contains the usual spammy hash-busting text.

> What can I do to get rid of them?

Don't accept mail for non-existent users.

From not at home.today Mon Apr 17 03:28:07 2006
From: not at home.today (Ant)
Date: Sun Apr 16 21:30:02 2006
Subject: [SC-Help] Re: Loads of spam showing "Delviery Status Notification", "Failure Notice" etc.
References: <1145201196.288571.50190@u72g2000cwu.googlegroups.com>
Message-ID:

"Ant" wrote:
> "rowan" wrote:
>> I've recently started receiving loads of spam messages which purport to be delivery failure messages. They are always addressed to a non-existent user at my domain, e.g. ojvnyo@, ejrzx@, rrl@ etc.
>
> I, and a lot of customers at my old ISP, am getting the same because we have unlimited email addresses of the form:
> <[anything]@[account name].[ISP name].co.uk>

I've noticed your (rowan) IP address (84.64.107.134) belongs to Energis, so would I be correct in assuming you're a customer of Wanadoo UK? Which domain(s) of yours is/are affected (e.g. wanadoo.co.uk, fsnet.co.uk, freeserve... etc.)?

I also have an fsnet account, and there is some discussion in the group wanadoouk.help.misc (not available on google groups, but may be on an nntp server near you, but not the Energis one because WooUK no longer provide newsgroups!) about this. People are wondering if customers with legacy email addresses (freeserve, fsnet, fslife, etc.) at this ISP are being targeted. I doubt we're being singled out, myself, but it's possible the spammer has reached the letter "f" in domains to use for a bogus sender.

The rest of this post has nothing to do with your question, but others may know something.

From your headers:

Path: news.spamcop.net!newsfeed-3001.bay.webtv.net!news.glorb.com!postnews.google.com!u72g2000cwu.googlegroups.com!not-for-mail
Message-ID: <1145201196.288571.50190@u72g2000cwu.googlegroups.com>

Rowan's post came from Google Groups and ended up here via webtv. Does news.spamcop.net have new peering arrangements? I thought GG posts never made it to the nntp server.

From MikeE at ster.invalid Sun Apr 16 20:58:50 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Apr 16 23:00:03 2006
Subject: [SC-Help] Re: Loads of spam showing "Delviery Status Notification", "Failure Notice" etc.
References: <1145201196.288571.50190@u72g2000cwu.googlegroups.com>
Message-ID:

Ant wrote:
> Rowan's post came from Google Groups and ended up here via webtv. Does news.spamcop.net have new peering arrangements?

No. That 'route' is an unreliable 'back channel' accidental non-peering 'funky' way for an item to sometimes be able to be posted from GG and 'magically' propagate into the 'actual' non-peering news.spamcop.net newsserver.

Nothing you post in reply is likely to ever propagate back to the GG place where the OP posted from or is reading.

It is something like an unstable wormhole vis some TV show I forget the name of just now.

> I thought GG posts never made it to the nntp server.

Almost never. Occasionally thru' the webtv unstable wormhole.

--
Mike Easter
kibitzer, not SC admin

From not at home.today Mon Apr 17 14:31:15 2006
From: not at home.today (Ant)
Date: Mon Apr 17 08:45:03 2006
Subject: [SC-Help] Re: Loads of spam showing "Delviery Status Notification", "Failure Notice" etc.
References: <1145201196.288571.50190@u72g2000cwu.googlegroups.com>
Message-ID:

"Mike Easter" wrote:
> Ant wrote:
>> Rowan's post came from Google Groups and ended up here via webtv. Does news.spamcop.net have new peering arrangements?
>
> No.
> That 'route' is an unreliable 'back channel' accidental non-peering 'funky' way for an item to sometimes be able to be posted from GG and 'magically' propagate into the 'actual' non-peering news.spamcop.net newsserver.

What's with this webtv deal anyway? I thought the only way of accessing these groups was by nntp direct to the server, or through the mailing list.

> Nothing you post in reply is likely to ever propagate back to the GG place where the OP posted from or is reading.

That's what I thought, and indeed there are no replies to the OP on Google. Too bad -- I'm not going there.

> It is something like an unstable wormhole vis some TV show I forget the name of just now.

The Outer Limits? Although probably that series was made before the concept of wormholes came about.

From MikeE at ster.invalid Mon Apr 17 08:53:33 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Apr 17 10:55:02 2006
Subject: [SC-Help] Re: Loads of spam showing "Delviery Status Notification", "Failure Notice" etc.
References: <1145201196.288571.50190@u72g2000cwu.googlegroups.com>
Message-ID:

Ant wrote:
> What's with this webtv deal anyway? I thought the only way of accessing these groups was by nntp direct to the server, or through the mailing list.

We would have to hear from a webtv user about how their news works exactly, and perhaps from a news admin about how there's a news.spamcop.net feed with the webtv news gizmo.

I think that it is a little bit like the old AOL news system, in which AOL had their own news 'gizmo' with its own proprietary interface for AOLers and that it would propagate in and out of usenet at large for those newsgroups which AOL chose to provide. But the webtv is not exactly like the AOL system, because I don't think it propagates to the larger usenet [or maybe some does and some doesn't].
There are a 'bunch' of webtv groups, such as those alt.discuss listed here
http://www.wtv-zone.com/bluefox/yellow_pages.html The Official Unofficial Yellow Pages For WebTV News Groups

The webtv spamcop groups are called news.spamcop.* where * = , geeks, social, & spam

So, maybe there's a webtv 'newsserver' accessible to webtv/ers or perhaps with a proprietary interface and it handles some usenet, some private/public newsservers and some webtv only groups.

--
Mike Easter
kibitzer, not SC admin

From chris.a.wright at gmail.com Tue Apr 18 10:24:13 2006
From: chris.a.wright at gmail.com (Chris Wright)
Date: Tue Apr 18 04:25:14 2006
Subject: [SC-Help] Re: Loads of spam showing "Delviery Status Notification", "Failure Notice" etc.
In-Reply-To:
References: <1145201196.288571.50190@u72g2000cwu.googlegroups.com>
Message-ID:

Ant wrote:
> "rowan" wrote:
>
>> I've recently started receiving loads of spam messages which purport to be delivery failure messages. They are always addressed to a non-existent user at my domain, e.g. ojvnyo@, ejrzx@, rrl@ etc.
>
> I, and a lot of customers at my old ISP, am getting the same because we have unlimited email addresses of the form: <[anything]@[account name].[ISP name].co.uk>
>
>> They can have a variety of failure messages, and purport to tell me that a message that I sent to an address that I have never sent to in my life could not be delivered.
>
> They are genuine non-delivery messages from mail servers that have accepted the mail, and then decided to bounce it later. The spammer has forged your address in the "From:" line. These NDRs are called backscatter, and this belated bouncing should not be happening nowadays.
>
>> The message sometimes contains a load of Base64 code, presumably some kind of malware, or a scanned page of text. Sometimes there's no obvious payload.
>
> All mine are pump & dump stock spams in the form of gif images, so there is no URL to click on.
>
>> Where are these messages coming from? Why have they suddenly started (or at least, suddenly started finding me)? Why are they getting through my ISP's spam filter (which is normally very good)?
>
> Lots of people are asking the same questions. Mine are being tagged as spam when a copy of the actual spam is attached, because the body also contains the usual spammy hash-busting text.
>
>> What can I do to get rid of them?
>
> Don't accept mail for non-existent users.
>

How difficult is it for a mail server to determine if the header is forged and not reply with a 'Delivery Failure' message. I've seen a massive increase in this type of abuse in the past 2 weeks. Originally, I had the catchall set up to forward to a 'honeypot', but since the deluge of Non Delivery Messages, I've switched it off. But I am sure it can't be that difficult for the server to determine that the header was faked and therefore ditch the message in the first place.

From not at home.today Wed Apr 19 01:35:13 2006
From: not at home.today (Ant)
Date: Sun Apr 30 18:22:06 2006
Subject: [SC-Help] Re: Loads of spam showing "Delviery Status Notification", "Failure Notice" etc.
References: <1145201196.288571.50190@u72g2000cwu.googlegroups.com>
Message-ID:

"Mike Easter" wrote:
> Ant wrote:
>> What's with this webtv deal anyway? I thought the only way of accessing these groups was by nntp direct to the server, or through the mailing list.
>
> We would have to hear from a webtv user about how their news works exactly,

I reckon there's a high probability they wouldn't know anything beyond the user interface.

> and perhaps from a news admin about how there's a news.spamcop.net feed with the webtv news gizmo.

It's possible that there is no special arrangement. The software might send a post from the local webtv group when it gets one from a webtv-er; then it may scrape the real spamcop group for new articles at regular intervals, much like a human would do with his/her news agent.
> There are a 'bunch' of webtv groups, such as those alt.discuss listed here
> http://www.wtv-zone.com/bluefox/yellow_pages.html The Official Unofficial Yellow Pages For WebTV News Groups
>
> The webtv spamcop groups are called news.spamcop.* where * = , geeks, social, & spam

I couldn't find the spamcop groups by way of that link.

> So, maybe there's a webtv 'newsserver' accessible to webtv/ers or perhaps with a proprietary interface and it handles some usenet, some private/public newsservers and some webtv only groups.

For sure.

From not at home.today Wed Apr 19 01:37:43 2006
From: not at home.today (Ant)
Date: Sun Apr 30 18:22:09 2006
Subject: [SC-Help] Re: Loads of spam showing "Delviery Status Notification", "Failure Notice" etc.
References: <1145201196.288571.50190@u72g2000cwu.googlegroups.com>
Message-ID:

"Chris Wright" wrote:
> How difficult is it for a mail server to determine if the header is forged and not reply with a 'Delivery Failure' message.

I don't know, but they should have spam defences in place and should not late-bounce what they detect as spam. Spamcop has something on misdirected bounces here:
http://www.spamcop.net/fom-serve/cache/329.html

There are ways to detect spam other than examining the headers or body such as using carefully selected DNSBLs (blocklists). Mail servers shouldn't allow known spam sources to connect in the first place.

> I've seen a massive increase in this type of abuse in the past 2 weeks. Originally, I had the catchall set up to forward to a 'honeypot', but since the deluge of Non Delivery Messages, I've switched it off. But I am sure it can't be that difficult for the server to determine that the header was faked and therefore ditch the message in the first place.

Of course real NDRs/DSNs don't have bogus headers.
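Chris Wright's question (how can a server tell that a bounce is for mail it never sent?) and Ant's answer (decide at SMTP time, never accept-then-bounce) both point at the same mechanism: sign the envelope sender of outgoing mail, and treat any null-sender message addressed to an unsigned or expired address as backscatter. The block below is an added example written for this page, not code from the thread, from SpamCop or from any MTA. It implements a simplified prvs tag in the style of the Bounce Address Tag Validation draft plus the RCPT-time policy around it, including the "no catch-all" rule from earlier in the thread. The key, domain, user list, role accounts and dates are all constructed for the demonstration.

```python
import hashlib
import hmac
import re
from datetime import date, timedelta

# Constructed values for this example. A real MTA keeps the key secret and
# takes the user list from its directory; example.com stands in for the
# domain that is receiving the backscatter.
SECRET = b"constructed-demo-key"
LOCAL_DOMAIN = "example.com"
ROLE_ACCOUNTS = {"postmaster", "abuse"}
KNOWN_USERS = {"rowan"} | ROLE_ACCOUNTS
DEMO_TODAY = date(2006, 4, 16)

# Tag layout (simplified prvs, after the BATV draft):
#   prvs=KDDDSSSSSS=user@domain
# K = key version, DDD = expiry day (ordinal day mod 1000),
# SSSSSS = first 6 hex digits of HMAC-SHA1(key, K || DDD || address).
TAG_RE = re.compile(r"^prvs=(\d)(\d{3})([0-9a-f]{6})=(.+)$", re.IGNORECASE)


def _sig(keyver, expiry_day, addr):
    msg = f"{keyver}{expiry_day:03d}{addr.lower()}".encode()
    return hmac.new(SECRET, msg, hashlib.sha1).hexdigest()[:6]


def sign_return_path(addr, today=DEMO_TODAY, lifetime_days=7, keyver=0):
    """Tag the envelope sender (SMTP MAIL FROM) of mail we send out."""
    expiry_day = (today + timedelta(days=lifetime_days)).toordinal() % 1000
    return f"prvs={keyver}{expiry_day:03d}{_sig(keyver, expiry_day, addr)}={addr}"


def verify_return_path(rcpt, today=DEMO_TODAY):
    """Return (status, bare_address); status is valid, expired, bad-signature or untagged."""
    m = TAG_RE.match(rcpt)
    if not m:
        return "untagged", rcpt
    keyver, expiry_day, sig, addr = int(m[1]), int(m[2]), m[3].lower(), m[4]
    if not hmac.compare_digest(sig, _sig(keyver, expiry_day, addr)):
        return "bad-signature", addr
    # Expiry is kept mod 1000; a tag apparently more than a year in the
    # future has wrapped around, i.e. it is already expired.
    days_left = (expiry_day - today.toordinal() % 1000) % 1000
    if days_left > 365:
        return "expired", addr
    return "valid", addr


def rcpt_policy(mail_from, rcpt_to, today=DEMO_TODAY):
    """Decide one RCPT TO at SMTP time, before any message body is accepted.

    A 5xx here leaves any bounce to the sending MTA, so this server never
    accepts-then-bounces and never becomes a backscatter source itself.
    """
    status, bare = verify_return_path(rcpt_to, today)
    local, _, domain = bare.partition("@")
    local = local.lower()
    if domain.lower() != LOCAL_DOMAIN:
        return "550 relay denied"
    if mail_from == "":
        # Null envelope sender: this is a DSN. Accept it only if it is
        # addressed to a return path we signed and that has not expired.
        if status == "valid":
            return "250 ok (bounce for mail we sent)"
        if local in ROLE_ACCOUNTS:
            # postmaster/abuse must stay reachable; flag rather than refuse.
            return "250 ok (role account, flag for filtering)"
        return f"550 backscatter ({status}: no mail was sent from this address)"
    if local not in KNOWN_USERS:
        # No catch-all: an unknown user is refused now, not bounced later.
        return "550 no such user"
    return "250 ok"


if __name__ == "__main__":
    tagged = sign_return_path("rowan@example.com")
    print(tagged)
    for mail_from, rcpt_to in [
        ("", tagged),                                                   # genuine bounce of our own mail
        ("", "ojvnyo@example.com"),                                     # backscatter to a made-up user
        ("", sign_return_path("rowan@example.com", lifetime_days=-1)),  # stale tag
        ("someone@other.example", "rrl@example.com"),                   # ordinary mail to a non-user
    ]:
        print(f"MAIL FROM:<{mail_from}> RCPT TO:<{rcpt_to}> -> {rcpt_policy(mail_from, rcpt_to)}")
```

The signature covers the expiry day, so a harvested tag cannot be reused indefinitely, and the check is cheap enough to run on every RCPT. Real deployments also have to handle mailing lists and forwarders that rewrite the envelope sender, which is the usual reason the tagging is done per-domain rather than globally.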
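DougW's suggestion earlier in the thread is to paste the base64 blob into a web form to see the image. A practitioner would rather decode it locally: that keeps the sample off a third-party server and, more importantly, never hands the bytes to a browser or image viewer at all. The block below is an added example, not code from the thread or from any tool it names. It parses a bounce offline with Python's standard email package, pulls out the From: of the bounced original (the forged address Ant describes), and identifies each attachment by its magic bytes rather than by the Content-Type the spammer declared. The sample message is constructed for the example; its GIF is a 1x1 pixel placeholder standing in for the stock-ticker image.

```python
import email
from email import policy

# Constructed sample (not a real message): a DSN that attaches the bounced
# original, whose From: is the forged local address and whose payload is a
# base64 image/gif part (a 1x1 pixel GIF here instead of a stock ticker).
SAMPLE_DSN = """\
From: MAILER-DAEMON@mx.example.net
To: ojvnyo@example.com
Subject: Delivery Status Notification (Failure)
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

The following message could not be delivered.
--B1
Content-Type: message/rfc822

From: ojvnyo@example.com
To: someone@example.net
Subject: hot pick for monday
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B2"

--B2
Content-Type: text/plain

quartz farewell sandstone lantern (hash-busting filler)
--B2
Content-Type: image/gif; name="ticker.gif"
Content-Transfer-Encoding: base64

R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7
--B2--
--B1--
"""

# Identify the payload by its leading bytes, never by the sender's claim.
MAGIC = [
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"%PDF", "pdf"),
    (b"MZ", "dos/windows executable"),
]


def sniff(data):
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


def is_dsn(msg):
    """True for a standards-shaped delivery status report (multipart/report)."""
    return (msg.get_content_type() == "multipart/report"
            and str(msg.get_param("report-type", "")).lower() == "delivery-status")


def analyze(raw):
    """Parse a bounce offline and decode what it carries without rendering it.

    Returns the DSN flag, the From: of the bounced original (the forged
    address) and one record per non-text attachment anywhere in the tree.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    report = {"is_dsn": is_dsn(msg), "forged_from": None, "attachments": []}
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            inner = part.get_payload(0)      # the bounced original
            report["forged_from"] = str(inner["From"])
            continue                         # walk() also descends into it
        if part.is_multipart() or part.get_content_maintype() in ("text", "message"):
            continue
        data = part.get_payload(decode=True) or b""   # base64 is undone here
        report["attachments"].append({
            "claimed": part.get_content_type(),
            "sniffed": sniff(data),
            "size": len(data),
            "filename": part.get_filename(),
        })
    return report


if __name__ == "__main__":
    r = analyze(SAMPLE_DSN)
    print("DSN:", r["is_dsn"], " forged From:", r["forged_from"])
    for a in r["attachments"]:
        print(f'{a["filename"]}: claims {a["claimed"]}, bytes say {a["sniffed"]}, {a["size"]} bytes')
```

The claimed-versus-sniffed comparison is the point: a part labelled image/gif whose bytes start with MZ is an executable, which is exactly the case where "let the web tool display it" is the wrong move. Once the image really is an image, it can be handed to a viewer in a sandbox, or hashed and compared against other samples, without ever being opened in a mail client.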
From MikeE at ster.invalid Tue Apr 18 21:25:00 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Apr 30 18:23:33 2006
Subject: [SC-Help] Re: Loads of spam showing "Delviery Status Notification", "Failure Notice" etc.
References: <1145201196.288571.50190@u72g2000cwu.googlegroups.com>
Message-ID:

Ant wrote:
> "Mike Easter" wrote:
>> We would have to hear from a webtv user about how their news works exactly,
>
> I reckon there's a high probability they wouldn't know anything beyond the user interface.

Well, you know how that works. Somewhere there is a highly technically competent webtv/er -- who could explain to you or me rationally why they do their connectivity that way and just how everything works.

>> and perhaps from a news admin about how there's a news.spamcop.net feed with the webtv news gizmo.
>
> It's possible that there is no special arrangement. The software might send a post from the local webtv group when it gets one from a webtv-er; then it may scrape the real spamcop group for new articles at regular intervals, much like a human would do with his/her news agent.

Well, there's a little bit of a 'special' or atypical arrangement if a webtv/er gets to feed the news.spamcop.net newsserver thru' the webtv proprietary interface. -- whereas google's newsfeed basically doesn't -- except when it rarely does.

Of course, there's a lot of different ways you could do things, like gmane or Hamster. Let Hamster be your own newsserver and access whatever newsservers it wanted to.

>> http://www.wtv-zone.com/bluefox/yellow_pages.html
>> The webtv spamcop groups are called news.spamcop.* where * = , geeks, social, & spam
>
> I couldn't find the spamcop groups by way of that link.

I didn't get the webtv spamcop names there, I got it from the nntp info page http://www.spamcop.net/help.shtml#nntp -- in the Delivery method - WebTV link properties.
>> So, maybe there's a webtv 'newsserver' accessible to webtv/ers or perhaps with a proprietary interface and it handles some usenet, some private/public newsservers and some webtv only groups.
>
> For sure.

The reason I put that 'newsserver' in quotes was because AOL's wasn't actually a nntp newsserver, but something else -- but I don't know enough to understand exactly what it was.

You can build all kinds of funky things if you know what you are doing. Stephen Gielda of cotse and packetderm and missingamendment fame - the privacy dude - built a handy dandy little nntp posting thing so that you don't have to access the newsserver directly. He called it 'news2remail' -- but it isn't a standard remailer, but just another cotse privacy tool. He's got a lot of neat things at his site, and the service is very economical.

--
Mike Easter
kibitzer, not SC admin

From not at home.today Thu Apr 20 03:37:00 2006
From: not at home.today (Ant)
Date: Sun Apr 30 18:27:17 2006
Subject: [SC-Help] Re: Loads of spam showing "Delviery Status Notification", "Failure Notice" etc.
References: <1145201196.288571.50190@u72g2000cwu.googlegroups.com>
Message-ID:

"Mike Easter" wrote:
> Ant wrote:
>> I reckon there's a high probability they wouldn't know anything beyond the user interface.
>
> Well, you know how that works. Somewhere there is a highly technically competent webtv/er -- who could explain to you or me rationally why they do their connectivity that way and just how everything works.

Yeah. Saw the word "user" in relation to something I see as not requiring computing/network knowledge and just started typing. You know how that works; on Usenet one gets conditioned to seeing it prefixed with "l" in the mind's eye (no offence to webtv-ers implied). I should know better.

> Well, there's a little bit of a 'special' or atypical arrangement if a webtv/er gets to feed the news.spamcop.net newsserver thru' the webtv proprietary interface.
> -- whereas google's newsfeed basically doesn't -- except when it rarely does.

I meant there might be no special peering arrangement in the sense that required cooperation, permission or action from a spamcop news admin. However, obviously spamcop is aware of the need to cater for webtv users, as shown by the FAQ link you just provided.

> Of course, there's a lot of different ways you could do things, like gmane or Hamster. Let Hamster be your own newsserver and access whatever newsservers it wanted to.

I was thinking something like that might be behind the interface for webtv.

>>> The webtv spamcop groups are called news.spamcop.* where * = , geeks, social, & spam
>>
>> I couldn't find the spamcop groups by way of that link.
>
> I didn't get the webtv spamcop names there, I got it from the nntp info page http://www.spamcop.net/help.shtml#nntp -- in the Delivery method - WebTV link properties.

The only difference between the two types of link is that the webtv ones don't specify the server (there's actually a colon after "news", not a period as you indicated above). So if your default server was news.spamcop.net, both sets of links would work for non-webtv users.

> The reason I put that 'newsserver' in quotes was because AOL's wasn't actually a nntp newsserver, but something else -- but I don't know enough to understand exactly what it was.

Clearly there's something at webtv which understands the "news:" scheme identifier, and directs the request to their default thing-a-ma-jig which handles it.

> You can build all kinds of funky things if you know what you are doing. Stephen Gielda of cotse and packetderm and missingamendment fame - the privacy dude - built a handy dandy little nntp posting thing so that you don't have to access the newsserver directly. He called it 'news2remail' -- but it isn't a standard remailer, but just another cotse privacy tool. He's got a lot of neat things at his site, and the service is very economical.
Was that an ad for Cotse? ;) My impression of Steve is a competent guy who provides a valuable service for some. So far, I've not had the need for what he offers. I take it the "amendment" is a US privacy thing? In the UK I believe we're better protected in that regard.

From mm883i at duxmail.com Thu Apr 20 14:29:29 2006
From: mm883i at duxmail.com (Mike Heins)
Date: Sun Apr 30 18:30:11 2006
Subject: [SC-Help] Disgusted about Geocities/Yahoo
Message-ID:

As a long time paying customer of SpamCop, who refers many other people, I am *disgusted* with the continuing issues recognizing and reporting Geocities URLs. This has been going on for close to a year now, and that is ridiculous.

We are at the hairy edge of taking two steps -- 1) letting all of our Spamcop accounts lapse, and 2) assigning a disqualifying SpamAssassin score to the string geocities.

Why are you doing nothing, Ironport and Spamcop?

From spam_hjp at yahoo.com Thu Apr 20 15:26:44 2006
From: spam_hjp at yahoo.com (Jim)
Date: Sun Apr 30 18:30:46 2006
Subject: [SC-Help] Re: Disgusted about Geocities/Yahoo
In-Reply-To:
References:
Message-ID:

Mike Heins wrote:
> As a long time paying customer of SpamCop, who refers many other people,
> I am *disgusted* with the continuing issues recognizing and reporting
> Geocities URLs. This has been going on for close to a year now, and that
> is ridiculous.
>
> We are at the hairy edge of taking two steps -- 1) letting all of our
> Spamcop accounts lapse, and 2) assigning a disqualifying SpamAssassin
> score to the string geocities.
>
> Why are you doing nothing, Ironport and Spamcop?

Disgusted here also. Why can't we get an answer to why Geocities/Yahoo and others do not always create a report? Is anything being done to correct the problem? As a paying customer I believe I should get an answer on what or what not is being done about this problem.
Jim
hjp at spamcop dot net

From no_one at nowhere.com Thu Apr 20 19:30:37 2006
From: no_one at nowhere.com (caballo loco)
Date: Sun Apr 30 18:32:32 2006
Subject: [SC-Help] Re: No longer getting back spam reporting link emails
References:
Message-ID:

Who is Shaw????

BTW I have been having same problem for the last month or so (I mean having been getting spam reporting link).

"Michael Fullerton" wrote in message news:mkim2213r85rb27se2hcfstt1sbf1tk4um@4ax.com...
> "Mike Easter" wrote:
>
> >Michael Fullerton wrote:
> >> Michael Fullerton
> >>> "Mike Easter"
> >>>> Michael Fullerton wrote:
> >
> >>>>> I am no longer getting back spam reporting link emails. I recently
> >>>>> did some changes to my email accounts and there might have been a
> >>>>> few bounces but I can login to SC and there are no alerts. My ISPs
> >>>>> do not block any email.
> >>>>
> >>>> Try putting your own address or alternate address of yours as an
> >>>> additional To or CC to the submit and see if you get that.
> >>>
> >>> I just tried it and I got the CC email. The link also came back so I
> >>> guess complaining here works. (:
> >>
> >> There is still a problem. I sent in two reports early this morning and
> >> nothing has arrived yet. I have had this problem sporadically for the
> >> last month or so. It has gotten really bad this last several days.
> >
> >You may have more than one pattern of trouble. Troubleshooting
> >inconsistent problems requires that the entire troubleshooting operation
> >be performed each time, or during a problem and also not a problem.
>
> I switched to a different SMTP server instead of Shaw and all reports
> are now coming back. Does that mean SC is blocking Shaw?
>
> BTW regarding the backwards smiley, I just do that to be different and
> to annoy those that cannot stand those who are.
> > ___ > VirusCop - Free Windows virus reporting utility > http://www.viruscop.org/ From MikeE at ster.invalid Thu Apr 20 18:27:07 2006 From: MikeE at ster.invalid (Mike Easter) Date: Sun Apr 30 18:33:37 2006 Subject: [SC-Help] Re: No longer getting back spam reporting link emails References: Message-ID: caballo loco wrote: > Who is Shaw???? > > BTW I have been having same problem for the last month or so ( I mean > having beenn getting spam reporting link). Your remarks lack context and therefore meaning. In order to carry on a conversation in which you are referring to something you saw in a prior post, you should put your remark or question into context with the remark which you have only in /you/r mind, not the mind of the reader, that you are thinking about when you start typing. That is, the first thing you do when you hit 'Reply' is to eliminate all of the words and lines from that previous post which you aren't replying to -- that way your reply or question or remark has context and meaning, instead of not having context or meaning. Then, the next thing you do after you have trimmed away everything which you aren't talking about, so that the only thing/s which is/are left are the things you /are/ talking about, is to put your question, such as 'Who is Shaw' right under some currently unknown Shaw remark to which you refer. After leaving an empty line between the previous post and your question which comes after the earlier remark. Then, if you need to leave some other words previously posted about 'same problem' also not in context or meaning - you put your 'same problem' remark right under the part which is talking about whatever problem you are having the same of so that it has some meaning to someone reading here besides you. 
When you stick your remarks up there in the top of nowhere while pushing a bunch of space occupying junk down below your words as if your words were not only the most important, but also everyone here knows exactly what you have in your mind when you start typing -- then your words here are actually not important at all, because they don't mean anything to anyone but you. Here is an article for new news users about trimming, contextualizing, and attributing. None of which you did. http://members.fortunecity.com/nnqweb/nquote.html news.newusers.questions - Quoting Style in Newsgroup Postings -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Thu Apr 20 18:41:43 2006 From: MikeE at ster.invalid (Mike Easter) Date: Sun Apr 30 18:33:41 2006 Subject: [SC-Help] Re: No longer getting back spam reporting link emails References: Message-ID: re: trimming, contextualizing, and attributing, .like this hand-reformatting of your post to lend clarity to the old conversation. caballo loco wrote: > "Michael Fullerton" >>>>>> Michael Fullerton wrote: >>>>>>> I am no longer getting back spam reporting link emails. > BTW I have been having same problem for the last month or so ( I mean > having beenn getting spam reporting link). Try putting your own address or alternate address of yours as an additional To or CC to the submit and see if you get that, as mentioned earlier when we were conversing in this old thread almost a month ago. >> I switched to a different SMTP server instead of Shaw and all reports >> are now coming back. Does that mean SC is blocking Shaw? > Who is Shaw???? Shaw Communications of Calgary Alberta Canada. 68.144.145.20 = a shawcable.net user IP Shaw High-Speed Internet -- Mike Easter kibitzer, not SC admin From . Thu Apr 20 22:26:12 2006 From: . (MaddonaMia) Date: Sun Apr 30 18:33:43 2006 Subject: [SC-Help] spamcop n00b proceed w/caution Message-ID: 1st time poster here. Plz have mercy. i fwd'd my spam to the email spamcop gave me upon my signup. 
out of 5 fwd's i got 3 spamcop autoresponders back with the below message

SpamCop encountered errors while saving spam for processing: SpamCop could not find your spam message in this email.

i tried to find an faq info at spamcop. their faq's/help referred me to the newsgroups. any ideas? TIA

From MikeE at ster.invalid Thu Apr 20 22:38:51 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Apr 30 18:33:55 2006
Subject: [SC-Help] Re: spamcop n00b proceed w/caution
References:
Message-ID:

MaddonaMia wrote:
> i fwd'd my spam to the email spamcop gave me upon my signup. out of 5
> fwd's i got 3 spamcop autoresponders back with the below message
>
> SpamCop encountered errors while saving spam for processing: SpamCop
> could not find your spam message in this email.

One way to troubleshoot spam reporting problems encountered with forwarding as attachment is to paste the complete spam into the webparser instead of using the forward as attachment method.

Some problems encountered with trying to email your spam submit do not occur with the webparser, such as using Forward instead of Forward as attachment.

Your newsagent is OE Outlook Express. Assuming that is also your mailuser agent, you would get the raw spam with complete headers by selecting the spam item and using File/ Properties/ Details tab/ Message source button and select all copy and paste it into the webparser which is seen at http://www.spamcop.net/ when you are logged in.

> i tried to find an faq info at spamcop. their faq's/help referred me
> to the newsgroups. any ideas?
The faq tells how to use your OE mailuser agent to copy the spam with complete headers for pasting into the webparser here http://www.spamcop.net/fom-serve/cache/119.html Outlook Express 4, 5 and 6 -- Mike Easter kibitzer, not SC admin From vxpy7do02 at sneakemail.com Fri Apr 21 12:29:07 2006 From: vxpy7do02 at sneakemail.com (anon) Date: Sun Apr 30 18:37:17 2006 Subject: [SC-Help] Re: spamcop n00b proceed w/caution References: Message-ID: "Mike Easter" wrote in message news:e29nkk$g5a$1@news.spamcop.net... > MaddonaMia wrote: > >> i fwd'd my spam to the email spamcop gave me upon my signup. out of 5 >> fwd's i got 3 spamcop autoresponders back with the below message >> ** Didn't then OP say he FORWARDED the submittal - not forward as attachment? Sounds like that may be the problem. Also OP should look at the link below for the correct way to handle oe mail. -- A SpamCop user and forum reader, Not Admin *** >> SpamCop encountered errors while saving spam for processing: SpamCop >> could not find your spam message in this email. > > One way to troubleshoot spam reporting problems encountered with > forwarding as attachment is to paste the complete spam into the > webparser instead of using the forward as attachment method. > > Some problems encountered with trying to email your spam submit do not > occur with the webparser, such as using Forward instead of Forward as > attachment. > > Your newsagent is OE Outlook Express. Assuming that is also your > mailuser agent, you would get the raw spam with complete headers by > selecting the spam item and using File/ Properties/ Details tab/ Message > source button and select all copy and paste it into the webparser which > is seen at http://www.spamcop.net/ when you are logged in. > >> i tried to find an faq info at spamcop. their faq'sa/help referred me >> to the newsgroups. any ideas? 
> > The faq tells how to use your OE mailuser agent to copy the spam with > complete headers for pasting into the webparser here > http://www.spamcop.net/fom-serve/cache/119.html Outlook Express 4, 5 > and 6 > > > > -- > Mike Easter > kibitzer, not SC admin > From MikeE at ster.invalid Fri Apr 21 16:27:38 2006 From: MikeE at ster.invalid (Mike Easter) Date: Sun Apr 30 18:37:25 2006 Subject: [SC-Help] Re: spamcop n00b proceed w/caution References: Message-ID: anon wrote: > "Mike Easter" >> MaddonaMia wrote: >> >>> i fwd'd my spam to the email spamcop gave me upon my signup. out of >>> 5 fwd's i got 3 spamcop autoresponders back with the below message > Didn't then OP say he FORWARDED the submittal - not forward as > attachment? Yabbut you have to spin/interpret what someone sez vs means. Consider that s/he 'said' s/he email submitted somehow 5 times and of those, 3 times SC encountered errors. What does /that/ mean? We should get busy guessing and interpreting and then re-interpreting. > Sounds like that may be the problem. /Sometimes/ s/he forwards not as attachment? I don't think so -- but I'm guessing of course. -- Mike Easter kibitzer, not SC admin From not at here.invalid Wed Apr 26 10:04:58 2006 From: not at here.invalid (Ellen) Date: Sun Apr 30 19:09:15 2006 Subject: [SC-Help] Maint window today 2pm - 4pm PDT Message-ID: Reporting System Maintenance Window Wed April 26, 2006 The reporting system will be undergoing maintenance 4/26/06 from 2PM PDT (-0700) to 4PM PDT (-0700). The reporting system will be unavailable for part or all of the time. No spam submitted for parsing will be lost but expect delays after the system comes back up as the servers work through the backlog. This maintenance window does *not* affect the email system which will continue to operate as usual. Ellen SpamCop Follow-ups to spamcop. Please propagate to the forums. From leslie.gottlieb at verizon.net Thu Apr 27 11:13:03 2006 From: leslie.gottlieb at verizon.net (Leslie S. 
Gottlieb)
Date: Sun Apr 30 19:22:41 2006
Subject: [SC-Help] ikarma stock spam
Message-ID:

What is weird about this is that I had just e-mailed and browsed the site that my mail is forged from (www.wpi.edu). Do I have a virus? Is anyone stopping this ikarma stock spammer at all?

Return-Path:
Received: from mx26.nyc.untd.com (mx26.nyc.untd.com [10.140.24.86]) by maildeliver25.lax.untd.com with SMTP id AABCFBVGWA544DLA for (sender ); Thu, 27 Apr 2006 06:53:25 -0700 (PDT)
Received: from mail1.wpi.edu (MAIL1.WPI.EDU [130.215.36.91]) by mx26.nyc.untd.com with SMTP id AABCFBVGWANGD5N2 for (sender ); Thu, 27 Apr 2006 06:53:24 -0700 (PDT)
Received: from alum.WPI.EDU (ALUM.WPI.EDU [130.215.36.126]) by mail1.wpi.edu (8.13.6/8.13.6) with ESMTP id k3RDrOwv021245 for ; Thu, 27 Apr 2006 09:53:24 -0400
Received: from mail1.wpi.edu (MAIL1.WPI.EDU [130.215.36.91]) by alum.WPI.EDU (8.13.6/8.13.6) with ESMTP id k3RDrOCT068933 for ; Thu, 27 Apr 2006 09:53:24 -0400 (EDT)
Received: from mcafee.wpi.edu (MCAFEE.WPI.EDU [130.215.36.86]) by mail1.wpi.edu (8.13.6/8.13.6) with SMTP id k3RDrOtQ021238 for ; Thu, 27 Apr 2006 09:53:24 -0400
Received: from (130.215.36.186) by mcafee.wpi.edu via smtp id 558d_76ba9722_d5f4_11da_8821_00304811e63a; Thu, 27 Apr 2006 09:48:09 -0400
Received: from utility5.wpi.edu (UTILITY5.WPI.EDU [130.215.36.226]) by SMTP.WPI.EDU (8.13.6/8.13.6) with ESMTP id k3RDrMv1014928 for ; Thu, 27 Apr 2006 09:53:23 -0400
Received: from CPE-144-136-143-225.qld.bigpond.net.au (CPE-144-136-143-225.qld.bigpond.net.au [144.136.143.225]) by utility5.wpi.edu (8.13.6/8.13.6) with SMTP id k3RDqthl032551 for ; Thu, 27 Apr 2006 09:53:18 -0400
Received: from kceb.dyq ([144.136.112.153]) by CPE-144-136-143-225.qld.bigpond.net.au (8.13.2/8.13.2) with SMTP id k3RDvcFN035065; Thu, 27 Apr 2006 23:57:38 +1000
Message-ID: <000d01c66a01$e06366ea$99708890@kceb.dyq>
From: "Maude Gomez"
To:
Subject: levity hoot
Date: Thu, 27 Apr 2006 23:44:29 +1000
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_000_0009_01C66A55.B20F7662"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1158
X-Perlmx-Spam: Gauge=XXXXXXXXII, Probability=82%, Report='KNOWN_FINANCIAL_CAMPAIGN 8, HTML_90_100 0.1, __CT 0, __CTYPE_HAS_BOUNDARY 0, __CTYPE_MULTIPART 0, __CTYPE_MULTIPART_ALT 0, __EMBEDDED_IMG 0, __EXTRA_MPART_TYPE_1 0, __EXTRA_MPART_TYPE_N1 0, __HAS_MSGID 0, __HAS_MSMAIL_PRI 0, __HAS_X_MAILER 0, __HAS_X_PRIORITY 0, __MIME_HTML 0, __MIME_VERSION 0, __RUS_MIME_NO_TEXT 0, __SANE_MSGID 0, __TAG_EXISTS_HTML 0'
X-ContentStamp: 0:0:2865347872
X-UNTD-Peer-Info: 130.215.36.91|MAIL1.WPI.EDU|mail1.wpi.edu|ndq@garysalter.com
X-UNTD-UBE:-1

This is a multi-part message in MIME format.

--
Leslie Gottlieb

From test at yahoo.com Fri Apr 28 00:52:56 2006
From: test at yahoo.com (Dan French)
Date: Sun Apr 30 19:32:58 2006
Subject: [SC-Help] Daughters email account being attacked: Best action?
Message-ID:

My daughter decided to start reporting spam to spamcop. Well, one spammer sent her 500+ spam e-mails to her account. What is the best course of action to take?

--
email address not valid, please post any response. Thank you, Dan

From MikeE at ster.invalid Fri Apr 28 02:08:03 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Apr 30 19:33:02 2006
Subject: [SC-Help] Re: Daughters email account being attacked: Best action?
References:
Message-ID:

Dan French wrote:
> My daughter decided to start reporting spam to spamcop. Well, one
> spammer sent her 500+ spam e-mails to her account.

It is extremely unlikely that a 'spammer' [for some value of spammer, to be discussed as a separate topic] is 'retaliating' by sending her 500 spams because of her SC reporting for several reasons:

- 500 spams isn't a 'retaliation'.
Altho' it is slightly inconvenient, it wouldn't even temporarily fill a mailbox to result in the effect of a denial of service for mailbox too full - a SC report is sent to the providers for the spamvertiser and for the spamsource and the identity of the reporter is not 'announced'. The identity of the reporter is only provided by the report ID and SC uses a 'standard' munge or obfuscation in an attempt to mask occurrences of the recipient's email address - many people who converse here in these newsgroups and forums have reported tens of thousands of spams for years without any mungeing or SC obfuscation of the reporting address -- emailed 'directly' from the spammed address without any kind of retaliation - there are much more likely explanations of receiving 500 spams, which order of the various likelihoods would require a more precise characterization of exactly what you mean when you say 'a spammer sent her 500+ spam' If she received 500 'identical' spams from identical source IPs, it is far more likely that the 'mechanism' for the spamsending was 'hiccupping' and some normal spam generation process went awry and sent a 'lot' of spams to the same recipient/s. If she suddenly started getting a lot more spam of a wide and diverse nature so that she is now getting 500 spams in a much shorter time than she did prior to becoming a spamcop reporter, it is more likely that she has begun to report spam in an insecure manner, discussed below, and as a consequence of the insecure spam handling she has gotten herself onto many more spam lists. > What is the best course of action to take? The first course of action is for 'us' -- we correspondents here, me, you, and other readers and posters here - to better characterize exactly what you mean when you say 'one spammer sent her 500+ spam'. First, we need to get a little past the word 'spammer' -- because the definition is fuzzy. 
A spam email typically has a source IP address -- that isn't a 'person', but an IP like 24.18.225.174. That spam email has a From email address and handle, but that is typically bogus; also doesn't represent a 'person'. The spam also typically has a 'payload' or spamvertiser. That spamvertiser might be called a 'spammer' by some, but the spamvertiser most often doesn't email a spam from its mail system, except in the case of what I call 'straightup' spam which has honest From which is the same as the source and the spamvertised. There may be a tendency for some people to call the spamvertiser the 'spammer' -- but that isn't strictly true. The spamvertiser is the spamvertiser; the spamsource is the spamsource; the From is bogus -- there is no 'spammer' in the evidence of the spam. These days the most common method of spam sending is by injecting the spam via a proxified or compromised and abused user IP -- so therefore the true 'source' or spammer-injector is not determinable. Lest the reader drop off to sleep because this post is getting too long, I'll save the topic of insecure spam handling by spamcop reporters which causes them to get more spam for another post. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Fri Apr 28 02:21:02 2006 From: MikeE at ster.invalid (Mike Easter) Date: Sun Apr 30 19:33:04 2006 Subject: [SC-Help] Re: Daughters email account being attacked: Best action? References: Message-ID: Mike Easter wrote: > If she suddenly started getting a lot more spam of a wide and diverse > nature so that she is now getting 500 spams in a much shorter time > than she did prior to becoming a spamcop reporter, it is more likely > that she has begun to report spam in an insecure manner, discussed > below, and as a consequence of the insecure spam handling she has > gotten herself onto many more spam lists. 
The topic of spamcop reporters getting more spam after becoming reporters has been discussed before, where the sense of the reporter's increase is that it isn't just due to the progressively increasing nature of a given address which is getting spam to get more and more spam as time goes on. A new spamcop reporter might handle their spam insecurely -- just like a non-reporter might handle their spam insecurely, but some people begin to handle more spam insecurely as a consequence of becoming a reporter. Whereas a non-reporter might handle very little spam insecurely because they delete all or almost all of it unopened, some reporters open all the spam they are receiving and now reporting insecurely and online. This insecure reporting 'telegraphs' the information to spam generators via web bugs that a particular address is both receiving and opening its spam -- and such an address is more valuable. That address may go onto more spam lists than before and consequently get more spam than before. A spam reporter should not be handling spam insecurely in the course of reporting it. -- Mike Easter kibitzer, not SC admin From HerbEppel at gmail.com Fri Apr 28 13:50:04 2006 From: HerbEppel at gmail.com (Herbert Eppel) Date: Sun Apr 30 19:33:55 2006 Subject: [SC-Help] Re: Loads of spam showing "Delviery Status Notification", "Failure Notice" etc. In-Reply-To: References: <1145201196.288571.50190@u72g2000cwu.googlegroups.com> Message-ID: On 16.04.2006 18:02 UK Time, Mike Easter wrote: > rowan wrote: >> I've recently started receiving loads of spam messages which purport >> to be delivery failure messages. They are always addressed to a >> non-existent user at my domain, e.g. ojvnyo@, ejrzx@, rrl@ etc. They >> can have a variety of failure messages, and purport to tell me that a >> message that I sent to an address that I have never sent to in my life >> could not be delivered. 
>> The message sometimes contains a load of
>> Base64 code, presumably some kind of malware, or a scanned page of
>> text. Sometimes there's no obvious payload.
>
> Spending a lot of words trying to describe some mail or spam doesn't
> actually sufficiently describe it.
>
> The best way to 'talk about' something spam around here is to show one
> or more by posting a tracking URL or 'tracker'.
>
> A tracker looks like:
>
> Here is your TRACKING URL - it may be saved for future reference:
> http://www.spamcop.net/sc?id=z921452706z5f80c3536f02ccd15f431f0fc87fc372z
>
> You get it by submitting one of those spams you are trying to describe
> to the webparser, then copying the tracker, then cancelling the report,
> then pasting the tracker in here.
>
> That way anyone can look at the time and say things like, 'That's not
> actually a delivery status notification - failure, it is a bogus
> one.' -or- 'Yep that's a DSN failure all right -- a spammer has elected
> your address to be the bogus From.'
>
> We can also comment on the reportability of servers which belatedly
> bounce spam - or the non-reportability of spam which isn't mailed to
> you - or other alternatives. We can comment on what is the payload
> which isn't obvious. All that stuff. But not with your description
> words which can never be adequate for even remarking on the issue.
>
>> Where are these messages coming from? Why have they suddenly started
>> (or at least, suddenly started finding me)? Why are they getting
>> through my ISP's spam filter (which is normally very good)? What can I
>> do to get rid of them?
>
> Comments after you post a tracker or two.

Hi,

I have the same problem as the one reported by Rowan on 16 April, and I would like to get to the bottom of it, but I'm not quite sure how to create a tracker.

Mike said "You get it by submitting one of those spams you are trying to describe to the webparser", but I'm not sure where I can find this webparser and how exactly I can submit messages.
Can you help? Thank you. Herbert Eppel -- www.HETranslation.co.uk From MikeE at ster.invalid Fri Apr 28 08:06:41 2006 From: MikeE at ster.invalid (Mike Easter) Date: Sun Apr 30 19:35:50 2006 Subject: [SC-Help] Re: Loads of spam showing "Delviery Status Notification", "Failure Notice" etc. References: <1145201196.288571.50190@u72g2000cwu.googlegroups.com> Message-ID: Herbert Eppel wrote: > I have the same problem as the one reported by Rowan on 16 April, and > I would like to get to the bottom of it, but I'm not quite sure how to > create a tracker. Okay. > Mike said "You get it by submitting one of those spams you are trying > to describe to the webparser", but I'm not sure where I can find this > webparser and how exactly I can submit messages. > > Can you help? Sure. First you have to become a [theoretical or real] free or paid SpamCop reporter by registering. http://www.spamcop.net/anonsignup.shtml Getting Started Be sure you read all of the rules about the responsibilities of being a reporter; and the faq about how to obtain complete headers of spam with your mailuser agent. Naturally the responsibilities apply to those SC reports which are going to be actually sent, not just parsed and copy a tracker and then cancelled if that is what is your interest and purpose. You will be emailed an authorization letter which contains the username which is the email address you provided, a password which is 8 alphanumerics case sensitive, and a link to a couple of different ways to log in, with or without cookies. When you are properly logged in, this page will display a webparser http://www.spamcop.net/ Welcome, xxxx You paste your spam into that parser which spam with complete headers was obtained by the guidelines here http://www.spamcop.net/fom-serve/cache/19.html How do I get my email program to reveal the full, unmodified email? 
If your mailuser agent is Tbird, you use this link
http://www.spamcop.net/fom-serve/cache/21.html Netscape, Mozilla and Thunderbird

Then you paste the spam into the webparser which will provide a tracking URL at the top of the page which is in this environment

Here is your TRACKING URL - it may be saved for future reference:
http://www.spamcop.net/sc?id=z921452706z5f80c3536f02ccd15f431f0fc87fc372z

You copy that tracker so that you can paste it into a news message here and then you cancel the report, unless you have chosen to send it according to the responsibilities described in the rules.

> Thank you.

YW.

--
Mike Easter
kibitzer, not SC admin

From HerbEppel at gmail.com Fri Apr 28 16:33:43 2006
From: HerbEppel at gmail.com (Herbert Eppel)
Date: Sun Apr 30 19:35:56 2006
Subject: [SC-Help] Re: Loads of spam showing "Delviery Status Notification", "Failure Notice" etc.
In-Reply-To:
References: <1145201196.288571.50190@u72g2000cwu.googlegroups.com>
Message-ID:

On 28.04.2006 15:06 UK Time, Mike Easter wrote:
>> Can you help?
>
> Sure.

Hi Mike,

thanks for the detailed instructions. I'll report back, although probably not until some time next week.

Regards

Herbert Eppel
--
www.HETranslation.co.uk
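Leslie Gottlieb's header dump earlier in this thread, and Mike Easter's point that the only hard evidence in a spam is the source IP (the From line and anything the sender typed are not), both come down to reading the Received chain the way a parser does: walk newest-first while each hop was recorded by a host you control, and the first hop handed in from outside is the injection point. The following is an added example, not part of the thread and not SpamCop's own code; TRUSTED_HOSTS, the hostnames and the documentation-range IP addresses in SAMPLE_SPAM are all constructed for illustration.

```python
import email
import re

# Assumption (not from the thread): the relays this mailbox's operator controls.
# A Received line written by one of these hosts can be believed; everything
# below the first hop that arrived from outside could have been typed by the
# sender and is never chased further.
TRUSTED_HOSTS = {"store.example.net", "mx.example.net"}

# Constructed sample message: injected from an ISP customer line, with one
# extra Received line underneath that the sender supplied (its IP is in
# documentation space, like all the others here).
SAMPLE_SPAM = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
    by store.example.net with ESMTP id AAA111
    for <victim@example.net>; Thu, 27 Apr 2006 09:53:24 -0400
Received: from cpe-203-0-113-45.isp.example (cpe-203-0-113-45.isp.example [203.0.113.45])
    by mx.example.net (8.13.6/8.13.6) with SMTP id BBB222
    for <victim@example.net>; Thu, 27 Apr 2006 09:53:18 -0400
Received: from kceb.dyq ([198.51.100.7])
    by cpe-203-0-113-45.isp.example (8.13.2/8.13.2) with SMTP id CCC333;
    Thu, 27 Apr 2006 23:57:38 +1000
Message-ID: <constructed-0001@kceb.dyq>
From: "Maude Gomez" <someone@alumni.example.edu>
To: victim@example.net
Subject: levity hoot

This is a multi-part message in MIME format.
"""

# "from <helo> (<rdns> [<ip>]) by <host> ..." is the shape most MTAs write.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<comment>[^)]*)\))?\s*by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
IPV4_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")


def parse_received(value):
    """Split one Received header into the sender's HELO name, the receiver's
    own note of the sender's reverse DNS and IP, and the receiving host.
    Returns None when the header lacks the from ... by ... shape."""
    flat = " ".join(value.split())  # unfold continuation lines
    match = RECEIVED_RE.search(flat)
    if not match:
        return None
    comment = match.group("comment") or ""
    # The receiving MTA writes the comment, so its [ip] is the trustworthy part.
    rdns = next((t.lower() for t in comment.split() if not t.startswith("[")), None)
    ip_match = IPV4_RE.search(comment)
    return {
        "helo": match.group("helo").strip("();").lower(),
        "rdns": rdns,
        "ip": ip_match.group(1) if ip_match else None,
        "by": match.group("by").strip("();").lower(),
    }


def find_spam_source(raw_message, trusted_hosts):
    """Walk the Received chain newest-first. While the recording host is ours
    the hop is believed; the first hop whose sender is not ours is the
    injection point and its IP is what a report should name. Returns None
    when the chain leaves our hosts before that point (nothing provable)."""
    msg = email.message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    trusted = {h.lower() for h in trusted_hosts}
    for index, hop in enumerate(hops):
        if hop is None or hop["by"] not in trusted:
            return None  # recorded by a host we do not control: stop trusting
        if {hop["helo"], hop["rdns"]} & trusted:
            continue  # internal relay to relay hop, keep walking
        return {
            "source_ip": hop["ip"],
            "source_host": hop["rdns"] or hop["helo"],
            "hop_index": index,
            "forgeable_hops_below": len(hops) - index - 1,
            # Carried along only to make the point that it is not evidence.
            "from_header": msg.get("From"),
        }
    return None


if __name__ == "__main__":
    result = find_spam_source(SAMPLE_SPAM, TRUSTED_HOSTS)
    print("spam source IP:", result["source_ip"], "via", result["source_host"])
    print("Received lines below the injection point (not trusted):",
          result["forgeable_hops_below"])
    print("From header (forgeable, not evidence):", result["from_header"])
```

The third Received line in the sample names a different IP altogether, but the walk never reaches it: it sits below the hop our own MX recorded from the outside, so it is counted as forgeable rather than chased, which is exactly why the From address and the lower headers say nothing about who the "spammer" is.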