From nttp.sc.s at bigsleep.org Fri Jul 1 01:46:30 2005 From: nttp.sc.s at bigsleep.org (Blammo) Date: Thu Jun 30 20:50:20 2005 Subject: [SpamCop-List] Re: Pump and Dump References: <200506300357.1dNTVo6yc3Nl3oW0@strange.mail.mindspring.net> Message-ID: On 30 Jun 2005 Trish Roberts-Miller entered spamcop and left news:mailman.47.1120143425.169.spamcop-list@news.spamcop.net: > Fixed in 1.7.4, so upgrading will fix that. > -- > > You're a scholar and a gentleman. That's exactly the correct > description. Thanks! > > -- > Trish Roberts-Miller redball@mindspring.com > "I will put Chaos into fourteen lines" > You are welcome. Watch those little "sig delimiters" there, it's two dashes and a space, and it often makes everything grey below it, so you can snip that along with the sig. I think you can just remove the space too, which is what I did to the ones above. It's just a tip, because actually I almost didn't see your reply, my sig colors are so light I can hardly see sigs. -- | Ric | From nttp.sc.s at bigsleep.org Fri Jul 1 01:54:57 2005 From: nttp.sc.s at bigsleep.org (Blammo) Date: Thu Jun 30 20:55:03 2005 Subject: [SpamCop-List] Re: Mainsleaze Spam References: <42C300D5.264E956C@SpamCop.net> Message-ID: On 30 Jun 2005 Porpoise entered spamcop and left news:da1b67$2sj$1@news.spamcop.net: > thereby enabling the webserver that served the image to log his IP > address and attach it to his email address Right, I thought I was being vaugely clear that they could insist that you signed up with an IP that they got from a tracking code. They have positive proof, you don't have any negative proof. -- | Ric | From nttp.sc.s at bigsleep.org Fri Jul 1 03:06:55 2005 From: nttp.sc.s at bigsleep.org (Blammo) Date: Thu Jun 30 22:10:03 2005 Subject: [SpamCop-List] Re: HE.net's spammer Yfdirect talks References: Message-ID: On 30 Jun 2005 Mike Easter entered spamcop and left news:da18tg$1kt$1@news.spamcop.net: > You shouldn't be using spamcop as some kind of 'bludgeon' > in expressing a different point of view about being listwashed. I think this group, and/or the forum is a better place for that. I'm still not sure about HE myself. -- | Ric | From nttp.sc.s at bigsleep.org Fri Jul 1 03:13:02 2005 From: nttp.sc.s at bigsleep.org (Blammo) Date: Thu Jun 30 22:15:03 2005 Subject: [SpamCop-List] Re: Pump and Dump References: <200506300357.1dNTVo6yc3Nl3oW0@strange.mail.mindspring.net> Message-ID: On 30 Jun 2005 Blammo entered spamcop and left news:Xns9685B4F46DBF7blammo@216.154.195.61: > Watch those little "sig delimiters" there, it's two dashes and a space Then again, maybe my fault for not adding a blank line there? It does start with a blank line and sometimes I type over that line, rather than adding another. -- | Ric | From bjtexas at hotmale.com Fri Jul 1 09:16:33 2005 From: bjtexas at hotmale.com (BJ) Date: Fri Jul 1 09:20:03 2005 Subject: [SpamCop-List] Re: Mainsleaze Spam References: <42C300D5.264E956C@SpamCop.net> Message-ID: Porpoise wrote: || "BJ" wrote in message || news:da13sm$uat$1@news.spamcop.net... ||| Porpoise wrote: ||||| "Blammo" wrote in message ||||| news:Xns96855C7BED57blammo@216.154.195.61... |||||| On 29 Jun 2005 Miss Betsy entered spamcop and left |||||| news:d9vbl1$unh$1@news.spamcop.net: |||||| ||||||| What he did, apparently, was click on something ||||||| inadvertently, realize that he didn't want to be there, ||||||| and ||||||| did something to 'escape'. What is happening is that he ||||||| is ||||||| getting emails from that 'click' even though he didn't ||||||| complete registration. ||||||| |||||| |||||| He doesn't have to click anything, just loading the |||||| message |||||| so that it shows the image is enough. |||||| ||||| ||||| How would that get his email address? ||| ||| The picture is tagged to a specific message sent to a ||| specific ||| email address. || || || So what you're saying now, is that he didn't inadvertantly || click on something, but that he received an email with an || image in it that he || opened - thereby enabling the webserver that served the image || to log his IP address and attach it to his email address - || thereby verifying that his email address was "live"? || || Either I'm very confused, or that wasn't what you said first || time round - which I understood to be that he had || "inadvertantly clicked a link on a webpage" - which wouldn't || [AFAIK] have any way of possibly attaching that to an email || address (unless he actually sent an email during that || process). If his mail client is set to read in HTML then he wouldn't even have to click on the image. The action is reading the mail message would be enough. BJ -- http://www.clubvb.com/Spam/WhatIsSpam.htm From Kilgallen at SpamCop.net Fri Jul 1 10:43:53 2005 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Fri Jul 1 10:45:03 2005 Subject: [SpamCop-List] Re: The Anti-Spam Litigation Shop (Wired News) References: Message-ID: In article , "Berny" writes: > Worthy Donees could be sue-spammers.org SC, and SPEWS Who is going to risk endorsing a check made out to SPEWS ? From no at spam.invalid Fri Jul 1 08:48:50 2005 From: no at spam.invalid (Michael Wise) Date: Fri Jul 1 10:50:03 2005 Subject: [SpamCop-List] Re: HE.net's spammer Yfdirect talks References: Message-ID: In article , Blammo wrote: > > You shouldn't be using spamcop as some kind of 'bludgeon' > > in expressing a different point of view about being listwashed. > > I think this group, and/or the forum is a better place for that. > I'm still not sure about HE myself. HE is and has been a spam-tolerating hoster for years. Pretty much every mail server I admin _used_ to regularly get spam from their customers, and HE almost never even responds to LARTS...and certainly has never appropriately acted on one of the many I have sent them. Just use he.blackholes.us and be done with those morons. --Mike From no at spam.invalid Fri Jul 1 08:55:57 2005 From: no at spam.invalid (Michael Wise) Date: Fri Jul 1 11:00:02 2005 Subject: [SpamCop-List] Re: Pump and Dump References: <200506281105.1dNhEa1743Nl3pw0@timothy.mail.atl.earthlink.net> Message-ID: In article , Trish Roberts-Miller wrote: > I'll save you folks the long story, as the short version is long and > complicated enough. For the second time, my laptop was stolen out of my > office (if you are associated with a college campus, this does not shock > you, although it probably amazes everyone else). It was my secondary > laptop, and they left the main and most important one (although they > stole all the peripherals necessary to make the laptop function well, > such as a powercord, etc.)... Why isn't your university's IT staff putting phone-home software on staff portables? --Mike From no at spam.invalid Fri Jul 1 09:01:19 2005 From: no at spam.invalid (Michael Wise) Date: Fri Jul 1 11:05:02 2005 Subject: [SpamCop-List] Re: Pump and Dump References: <200506290055.1dNuBp4Z03Nl3pK0@gideon.mail.atl.earthlink.net> Message-ID: In article , Trish Roberts-Miller wrote: >... > I had no network set up; it was the laptop I use for conferences and travel. > That's why it had only my email password. (Luckily.) It shouldn't be left easily used at all. If it's a Mac as well, you're IT dept. is being less than responsible if they do not ensure that all staff PowerBooks/iBooks are a) configured to require non-trivial passwords on boot-up b) have open firmware passwords set (to prevent password resets from an OS X install disk, and c) have phone-home software (such as LapCop) installed. --Mike From redball at mindspring.com Fri Jul 1 11:14:58 2005 From: redball at mindspring.com (Trish Roberts-Miller) Date: Fri Jul 1 11:20:21 2005 Subject: [SpamCop-List] Phone Home Software? (OT--was "pump and dump") In-Reply-To: <200507011100.1dOmZX2yk3Nl3qW0@watson.mail.atl.earthlink.net> References: <200507011100.1dOmZX2yk3Nl3qW0@watson.mail.atl.earthlink.net> Message-ID: <42C55DF2.8050504@mindspring.com> <>Date: Fri, 01 Jul 2005 07:55:57 -0700 From: Michael Wise Subject: [SpamCop-List] Re: Pump and Dump To: spamcop-list@news.spamcop.net Message-ID: In article , Why isn't your university's IT staff putting phone-home software on staff portables? --Mike ------------------------------ I don't know what that is. (Keep in mind--this is the place that still hasn't replaced glass windows on offices, although they've repeatedly had rashes of thefts where people simply broke the glass and cleaned out the offices. Since I'm well into rant-mode I'll mention that the campus police officer who took the report seriously suggested that I call the police every time I see a strange person in my hall--this in a classroom building on a campus of 50k students. The police and IT are fighting over the former's insistence that all computers be attached to tables with permanent cables--IT keeps trying to point out this makes the notion of a portable computer more than a little problematic.) -- Trish Roberts-Miller redball@mindspring.com http://www.cwrl.utexas.edu/~robertsmiller/homepage.html "though we could fool each other, we should consider-- lest the parade of our mutual life get lost in the dark." ("A Ritual to Read to Each Other" Wm. Stafford) From porpoise1954 at yahoo.co.uk Fri Jul 1 17:23:11 2005 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Fri Jul 1 11:25:03 2005 Subject: [SpamCop-List] Re: Phone Home Software? (OT--was "pump and dump") References: <200507011100.1dOmZX2yk3Nl3qW0@watson.mail.atl.earthlink.net> Message-ID: "Trish Roberts-Miller" wrote in message news:mailman.48.1120231221.169.spamcop-list@news.spamcop.net... ><>Date: Fri, 01 Jul 2005 07:55:57 -0700 > > (Keep in mind--this is the place that still hasn't replaced glass windows > on offices, although they've repeatedly had rashes of thefts where people > simply broke the glass and cleaned out the offices. Since I'm well into > rant-mode I'll mention that the campus police officer who took the report > seriously suggested that I call the police every time I see a strange > person in my hall--this in a classroom building on a campus of 50k > students. The police and IT are fighting over the former's insistence that > all computers be attached to tables with permanent cables--IT keeps trying > to point out this makes the notion of a portable computer more than a > little problematic.) Perhaps if they make the users who lost them paqy for them, they won't lose so many!!??!! I bet if they were their own, they wouldn't leave them laying around for people to walk off with........ From Kilgallen at SpamCop.net Fri Jul 1 14:00:35 2005 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Fri Jul 1 14:05:03 2005 Subject: [SpamCop-List] Re: The Anti-Spam Litigation Shop (Wired News) References: Message-ID: In article , David Dean writes: > In article , > Kilgallen@SpamCop.net (Larry Kilgallen) wrote: > >> Who is going to risk endorsing a check made out to SPEWS ? > > You don't have to endorse with a signature, you can simply write "for > deposit only." Thus claiming that the account holder is rightfully SPEWS. From nobody at spamcop.net Fri Jul 1 19:19:52 2005 From: nobody at spamcop.net (StampOutSpam) Date: Fri Jul 1 14:25:02 2005 Subject: [SpamCop-List] Spammer phishing stupidity Message-ID: There was a bank phisher today that sent multiple copies of the same spam with the usual spammy mistakes in the message text. After reporting it, I entered some information, but when I tried to submit the form... JavaScript: "The card number is not valid." The spammer had disallowed the use of "0" in the credit card input field. That will keep a lot of people from being phished. From Kilgallen at SpamCop.net Fri Jul 1 15:16:41 2005 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Fri Jul 1 15:20:03 2005 Subject: [SpamCop-List] Re: The Anti-Spam Litigation Shop (Wired News) References: Message-ID: In article , David Dean writes: > In article , > Kilgallen@SpamCop.net (Larry Kilgallen) wrote: > >> Thus claiming that the account holder is rightfully SPEWS. > > You don't have to specify what the account number is, and the bank is > not under any obligation to reveal it. But their processing systems typically stamp it on the back of the check. From no at spam.invalid Fri Jul 1 15:29:17 2005 From: no at spam.invalid (Michael Wise) Date: Fri Jul 1 17:30:04 2005 Subject: [SpamCop-List] Re: Phone Home Software? (OT--was "pump and dump") References: <200507011100.1dOmZX2yk3Nl3qW0@watson.mail.atl.earthlink.net> Message-ID: In article , Trish Roberts-Miller wrote: > In article , > > > Why isn't your university's IT staff putting phone-home software on > staff portables? > > --Mike > ------------------------------ > > I don't know what that is. Its software that sends out stealth emails to an admin/user-defined address whenever a computer's network environment has changed. These emails will usually contain the serial number, MAC address, and other identifying characteristics of the computer as well as the current IP address the computer is at or NAT'd behind. Armed with this info, it isn't very difficult to track down a stolen computer...should the thief be dumb enough to connect it to the Internet w/o reformatting the hard drive first (most thieves are that dumb when it comes to such things). The software I use for this on my and my clients' Macs, LapCop (http://homepage.mac.com/sweetcocoa/lapcop/), is $25...but educational pricing is only $4. > (Keep in mind--this is the place that still hasn't replaced glass > windows on offices, although they've repeatedly had rashes of thefts > where people simply broke the glass and cleaned out the offices. Since > I'm well into rant-mode I'll mention that the campus police officer who > took the report seriously suggested that I call the police every time I > see a strange person in my hall--this in a classroom building on a > campus of 50k students. The police and IT are fighting over the former's > insistence that all computers be attached to tables with permanent > cables--IT keeps trying to point out this makes the notion of a portable > computer more than a little problematic.) Perhaps your IT department hasn't heard that there are cable locking systems for laptops...and have been pretty much since laptops existed. For example, see: http://www.kensington.com/html/1434.html I've seen a guy, Charles Soto, on the Mac Manager's mail list whose sig says he's the IT director for UT (Austin campus). Perhaps you should look him up and ask him about implementing these solutions for you. --Mike --Mike From anon at coks.net Fri Jul 1 15:50:29 2005 From: anon at coks.net (J G) Date: Fri Jul 1 17:50:02 2005 Subject: [SpamCop-List] misdirection bounces from SC? Message-ID: Guy named Aubrey @ comfluent sent me a msg and I parsed it - http://www.spamcop.net/sc?id=z780980255z289e997965034bd6cadda394f583d16fz As I posted and whined a couple days ago, someone is using (forging) my email addy in the from field, causing misdirection bounces. Since then, I've been reporting them with notes to the effect that they are misdirected. Here, looks like got one from SC itself, which I dutifully reported (ID in Aubrey's msg)- this sound correct? (I don't know who comfluent is...) And if so, is Aubrey having a problem due to my munging my iD as a reporter *AND/OR* in the munging process, doe the sys mung the /false/ From: field (me) as well in the munging process? Hope that can make sense to someone... From MikeE at ster.invalid Fri Jul 1 16:12:24 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri Jul 1 18:15:04 2005 Subject: [SpamCop-List] Re: misdirection bounces from SC? References: Message-ID: J G wrote: > Guy named Aubrey @ comfluent sent me a msg and I parsed it - www.spamcop.net/sc?id=z780980255z289e997965034bd6cadda394f583d16fz The tracker is a good way to show us the response to the SC report, but when you submit something to the parser for demonstration purposes, you should cancel the report. The tracker was 'live' and reportable when I got to it, so I cancelled it. > As I posted and whined a couple days ago, someone is using (forging) > my email addy in the from field, causing misdirection bounces. > Since then, I've been reporting them with notes to the effect that > they are misdirected. You are correct, they are SC reportable. > Here, looks like got one from SC itself, which I dutifully reported > (ID in Aubrey's msg)- this sound correct? (I don't know who comfluent > is...) This was a response to the report 1458265444 -- since that was your report you are able to actually retrieve the report for the misdirected bounce which caused that report. We who aren't you aren't able to derive the original spam from the report. You the reporter can. But, it is pretty clear from the body of the response to the report that Aubrey is confirming or asserting that they routinely misdirect bounce to bogus Froms, altho' not in so many words. > And if so, is Aubrey having a problem due to my munging my iD as a > reporter *AND/OR* in the munging process, doe the sys mung the /false/ > From: field (me) > as well in the munging process? No; Aubrey is claiming that they /should/ be performing misdirected bounces. If you were going to engage in further dialog with Aubrey, you could start by pointing her^1 to the SC faq about misdirected bounces at http://www.spamcop.net/fom-serve/cache/329.html#bounces Problem: Misdirected bounces > Hope that can make sense to someone... ^1 her vs hir -- I started to use the gender neutral pronous 'hir' as I didn't know if Aubrey was male or female - in the US there are about 23000 men named Aubrey and about 9000 women -- but the response was from Aubrey Ellen Shomo, so I'm going with her, not hir. -- Mike Easter kibitzer, not SC admin From none.of at your.biz Fri Jul 1 16:16:36 2005 From: none.of at your.biz (R. Asby Dragon) Date: Fri Jul 1 18:20:03 2005 Subject: [SpamCop-List] Re: Mainsleaze Spam In-Reply-To: References: <42C300D5.264E956C@SpamCop.net> Message-ID: Robert Blair wrote: > On Wed, 29 Jun 2005 23:48:31 UTC, "Miss Betsy" > wrote: > > >>What he did, apparently, was click on something inadvertently, >>realize that he didn't want to be there, and did something to >>'escape'. What is happening is that he is getting emails from that >>'click' even though he didn't complete registration. > > > An inadvertent click is not a subscribe unless you also entered your > email address before you clicked. > > > >>My advice is to unsubscribe. Mainsleaze usually honors >>unsubscribes in 30 days. It's not really ethical, but it really >>isn't completely unsolicited either. > > > If you did not subscribe do not unsubscribe. > > > I have received many of what appears to be mainsleaze spam but have > not looked at them to track down if they are really mainsleaze (none > came from recognized sources so did not qualify to be "can spam" > complaint) or just a normal spammer trying to look legitimate. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ That's my take on much of the spam with "visible" company names. You have to read closely ; but often times there's disclaimer that they are coupons or time limited gift certificates with restrictions. I got a large number with $250 Starbucks stuff; called Starbucks (I'm local to the HQ); and then forwarded same with the WHOIS of the perps. Spam ceased .. including same spammer's offers for other "stuff". Spammer's URL and mailserver died as well. YMMV. From captain.sisko at deep.space.nine Fri Jul 1 19:20:09 2005 From: captain.sisko at deep.space.nine (Dwayne Conyers) Date: Fri Jul 1 18:25:02 2005 Subject: [SpamCop-List] Re: Spammer phishing stupidity In-Reply-To: References: Message-ID: StampOutSpam [mailto:nobody@spamcop.net] stamped out: > There was a bank phisher today that sent multiple > copies of the same spam with the usual spammy > mistakes in the message text. After reporting it, > I entered some information, but when I tried to > submit the form... > > JavaScript: "The card number is not valid." > > The spammer had disallowed the use of "0" in the > credit card input field. That will keep a lot > of people from being phished. I would say 30 days in the electric chair for those idiots... ____ The Runaway Bride... http://www.cafepress.com/dwacon/601709 From nttp.sc.s at bigsleep.org Sat Jul 2 00:47:09 2005 From: nttp.sc.s at bigsleep.org (Blammo) Date: Fri Jul 1 19:50:02 2005 Subject: [SpamCop-List] Re: HE.net's spammer Yfdirect talks References: Message-ID: On 01 Jul 2005 Michael Wise entered spamcop and left news:no- DB5D34.07484901072005@news.cesmail.net: > HE is and has been a spam-tolerating hoster for years. Pretty much every > mail server I admin _used_ to regularly get spam from their customers, > and HE almost never even responds to LARTS...and certainly has never > appropriately acted on one of the many I have sent them. > I have seen other regulars here say that they DO act on LARTS. So here I have conflicting statements, and actually very little spam from HE. In my view they seem insignificant compared to, say, thePlanet. -- | Ric | From nttp.sc.s at bigsleep.org Sat Jul 2 00:53:10 2005 From: nttp.sc.s at bigsleep.org (Blammo) Date: Fri Jul 1 19:55:03 2005 Subject: [SpamCop-List] Re: Spammer phishing stupidity References: Message-ID: On 01 Jul 2005 StampOutSpam entered spamcop and left news:opss8yjebtyhmg4h@powermac.local: > The spammer had disallowed the use of "0" in the credit card input > field. That will keep a lot of people from being phished. > Maybe they're reading this and they'll fix that. -- | Ric | From nobody at devnull.spamcop.net Fri Jul 1 20:19:26 2005 From: nobody at devnull.spamcop.net (Miss Betsy) Date: Fri Jul 1 20:15:02 2005 Subject: [SpamCop-List] Re: Mainsleaze Spam References: <42C300D5.264E956C@SpamCop.net> Message-ID: > I got a large number with $250 Starbucks stuff; called Starbucks (I'm > local to the HQ); and then forwarded same with the WHOIS of the perps. > > Spam ceased .. including same spammer's offers for other "stuff". > Spammer's URL and mailserver died as well. Tried that with Procter & Gamble - still getting the spam for Pampers. Miss Betsy From Vangu at rd.invalid Fri Jul 1 22:58:19 2005 From: Vangu at rd.invalid (Vanguard) Date: Fri Jul 1 23:00:02 2005 Subject: [SpamCop-List] Re: misdirection bounces from SC? References: Message-ID: "Mike Easter" wrote in message news:da4f40$t01$1@news.spamcop.net... > ^1 her vs hir -- I started to use the gender neutral pronous 'hir' as > I > didn't know if Aubrey was male or female - in the US there are about > 23000 men named Aubrey and about 9000 women -- but the response was > from > Aubrey Ellen Shomo, so I'm going with her, not hir. I thought "they" was considered the genderless pronoun. Although at one time it was meant to pluralize a group, it has come to also mean one entity without gender. See: Usage Note at http://dictionary.reference.com/search?q=they http://www.editorscanberra.org/they.htm http://www.randomhouse.com/wotd/index.pperl?date=19980501 I've been slipping in "they" or "them" instead of "he", "she", "him", "her", "his or her", "his/her", and other clumsy strings for about 20 years and don't recall anyone not understanding its use. I remember back in college, and because of the upswell in the feminist movement at the time, that we were perplexed as what to use that was elegant but genderless (see second to last paragraph in the Random House article as to why we got stuck). From no at spam.invalid Fri Jul 1 22:02:09 2005 From: no at spam.invalid (Michael Wise) Date: Sat Jul 2 00:05:02 2005 Subject: [SpamCop-List] Re: HE.net's spammer Yfdirect talks References: Message-ID: In article , Blammo wrote: > > HE is and has been a spam-tolerating hoster for years. Pretty much every > > mail server I admin _used_ to regularly get spam from their customers, > > and HE almost never even responds to LARTS...and certainly has never > > appropriately acted on one of the many I have sent them. > > > > I have seen other regulars here say that they DO act on LARTS. So here I > have conflicting statements, and actually very little spam from HE. In my > view they seem insignificant compared to, say, thePlanet. Compared to theplanet, they may be. However, please take into consideration that the sc newsgroups shouldn't be considered anything more than an augmentation resource when it comes to an understanding of overall spam trends and anti-spam dialog. Likewise, commentary from regulars to sc ng's is great, but still, an augmentation resource should be taken with a grain of salt. Although some, such as Mr. Easter, are frequenters at other resources, most are not. I'm not trying to denigrate or promote any source in particular...just point out that sc ng commentary is maybe 20-30% at best of basis to formulate an opinion on. But back to HE. I wouldn't exactly say they are black hat...but they are far from white hat. At present, I'm managing 12 mail servers with about 8,000 total accounts for clients as well as myself...and HE crops up quite frequently. The last spam run I witnessed from HE net space was two days ago. It was LART'd...and like so many LARTS to HE before it...was not even acknowledged by their abuse people. It has been my experience that HE responds to complaints rarely...and acts on them even more rarely. However, my comments shouldn't be accepted at face value and not as gospel. Please feel free to see for yourself. Also, Matthew Evans didn't create a special dnsbl for HE (he.blackholes.us) for no reason. --Mike From nttp.sc.s at bigsleep.org Sat Jul 2 06:25:26 2005 From: nttp.sc.s at bigsleep.org (Blammo) Date: Sat Jul 2 01:30:04 2005 Subject: [SpamCop-List] Re: HE.net's spammer Yfdirect talks References: Message-ID: On 01 Jul 2005 Michael Wise entered spamcop and left news:no- 430212.21020901072005@news.cesmail.net: > However, please take into > consideration that the sc newsgroups shouldn't be considered anything > more than an augmentation resource when it comes to an understanding of > overall spam trends and anti-spam dialog. Good point. > However, my comments shouldn't be accepted at face value and not as > gospel. Please feel free to see for yourself. Of course, I appreciate your input. I do have several mail servers to collect spam stats from, but of course it nowhere near "global". > Also, Matthew Evans didn't > create a special dnsbl for HE (he.blackholes.us) for no reason. > I don't pay that any credit based on his reasoning for verio.blackholes.us. Besides, I expect that he.blackholes.us will block Outblaze as well, and I have my doubts as to it's accuracy. I think doing my own research will give me a better blacklist. both Spamcop and Senderbase are helpful for network blocking info. -- | Ric | From nobody at spamcop.net Sat Jul 2 18:26:30 2005 From: nobody at spamcop.net (Aaron Lawrence) Date: Sat Jul 2 01:30:07 2005 Subject: [SpamCop-List] submit to blacklist without sending any email Message-ID: In the case where spamcop is going to send reports to the spammer, rather than the lengthy and often ignored case of asking for an override, i would prefer to submit the spam for the blacklist without sending any emails. Is that possible? It seems not, because spamcop accepts it but keeps the spam as unreported. -- aaronl at consultant dot com For every expert, there is an equal and opposite expert. - Arthur C. Clarke From SCNews.5.myspamgobbler at spamgourmet.com Fri Jul 1 23:31:37 2005 From: SCNews.5.myspamgobbler at spamgourmet.com (Brian (SnSR)) Date: Sat Jul 2 01:35:02 2005 Subject: [SpamCop-List] Re: misdirection bounces from SC? In-Reply-To: References: Message-ID: Vanguard wrote: > "Mike Easter" wrote in message > news:da4f40$t01$1@news.spamcop.net... > >> ^1 her vs hir -- I started to use the gender neutral pronous 'hir' as I >> didn't know if Aubrey was male or female - in the US there are about >> 23000 men named Aubrey and about 9000 women -- but the response was from >> Aubrey Ellen Shomo, so I'm going with her, not hir. > > > > I thought "they" was considered the genderless pronoun. Although at one > time it was meant to pluralize a group, it has come to also mean one > entity without gender. See: > > Usage Note at http://dictionary.reference.com/search?q=they > http://www.editorscanberra.org/they.htm > http://www.randomhouse.com/wotd/index.pperl?date=19980501 > > I've been slipping in "they" or "them" instead of "he", "she", "him", > "her", "his or her", "his/her", and other clumsy strings for about 20 > years and don't recall anyone not understanding its use. I remember > back in college, and because of the upswell in the feminist movement at > the time, that we were perplexed as what to use that was elegant but > genderless (see second to last paragraph in the Random House article as > to why we got stuck). I've also used they and them in the same manner very often. Maybe it stems from being involved in the women's liberation movement, though I was actively trying to make it a people's liberation movement. Men need(ed) liberation just as much, if not more so, as women. As for the middle name of Ellen, I have seen a few families that used a feminine middle name for the males. In the main scheme of things, what does it matter what gender someone is? Labels just have a tendency to separate us from each other. From MikeE at ster.invalid Fri Jul 1 23:41:19 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat Jul 2 01:45:03 2005 Subject: [SpamCop-List] Re: misdirection bounces from SC? References: Message-ID: Vanguard wrote: > "Mike Easter" >> ^1 her vs hir -- I started to use the gender neutral pronous 'hir' as >> I didn't know if Aubrey was male or female > I thought "they" was considered the genderless pronoun. Although at > one time it was meant to pluralize a group, it has come to also mean > one entity without gender. The gender neutral plural pronouns they and them are certainly used more frequently than the various 'awkward' choices or neologisms for the missing singular gender neutrals. To me, they and them sound plural, and don't seem to me to serve us well all of the time; consider this very application. When I was talking about Aubrey's system or servers, I actually used 'they' more than once. But when I shifted to discussing a conversation directly with Aubrey as a dialog, there needed to be a singular pronoun. Here's the context: "If you were going to engage in further dialog with Aubrey, you could start by pointing her^1 to the SC faq about misdirected bounces at ..." So, the usage of 'them' the plural in lieu of a singular pronoun would say "If you were going to engage in further dialog with Aubrey, you could start by pointing them to the SC faq about misdirected bounces at..." Seems kinda strange to me; but then 'pointing hir to the SC faq' probably seems strange to others. > because of the upswell in the feminist movement > at the time, I disagree with some of the 'manipulation' some feminist new-worders have tried to make on language to try to 'neutralize' words with 'er' or 'man' on them. Fortunately, modern women who are occupying a job with 'er' on it don't have any trouble being called an officer or an infantryman or a fireman, and actresses can proudly consider themselves screenactors as well. Since you cited some references supporting one point of view, I'll cite one that argues against using the plural pronouns in place of a gender neutral singular one. http://www.aetherlumina.com/gnp/ Gender Neutral Pronoun FAQ - 3.6. Why not just use "one", "they", "he/she", "it", "his or her"? ...and in that par cites such problems as we encountered with my example above "When Dr. Xia comes they will speak on the topic of blah blah" "If you see Aubrey, tell them that I need to get in touch with them." ... but the author of the faq sez that he uses them & they sometimes when appropriate. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sat Jul 2 00:02:24 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat Jul 2 02:05:02 2005 Subject: [SpamCop-List] Re: submit to blacklist without sending any email References: Message-ID: Aaron Lawrence wrote: > In the case where spamcop is going to send reports to the spammer, > rather than the lengthy and often ignored case of asking for an > override, i would prefer to submit the spam for the blacklist without > sending any emails. > > Is that possible? It seems not, because spamcop accepts it but keeps > the spam as unreported. No, I think that if you uncheck the source report, the source goes unreported and uncounted. I would like to see some changes in the spamvertiser URL handling, but I think that expecting the same kind of changes I would like for spamvertisers would be 'going too far' in the case of spamsource. I think SC's concept is that if a provider hasn't specifically requested to not be notified as a source, or if SC's system hasn't 'concluded' that the only notifies should be dev/nulled, that all source providers should be notified, except those hitting SC spamtraps. SC spamtraps get the treatment you want, but SC reporters don't get that option. I think that a reporter should be able to opt to report all spamvertisers to a devnull address without resolving the URL. In that way SC resources for resolving URLs, which are apparently in short supply, wouldn't be wasted just to get the URL to the statistics page -- which is of considerably less consequence than getting listed on the SCbl. -- Mike Easter kibitzer, not SC admin From bar_n0ne at hotmail.com Sat Jul 2 11:29:56 2005 From: bar_n0ne at hotmail.com (Berny) Date: Sat Jul 2 02:30:03 2005 Subject: [SpamCop-List] MCI pimping too now? Message-ID: In it's ever expanding search for new ventures to generate cash, MCI now offers sexual services: http://www.gjb.stellarfornow.com/wmld/fbs/ host www.gjb.stellarfornow.com (checking ip) = 63.105.204.171 host 63.105.204.171 (getting name) no name Tracking link: http://www.gjb.stellarfornow.com/wmld/fbs/ No recent reports, no history available Resolves to 63.105.204.171 Routing details for 63.105.204.171 Report routing for 63.105.204.171: abuse@mci.com http://leaveforwhat.net host leaveforwhat.net (checking ip) = 63.105.204.165 host 63.105.204.165 (getting name) no name http://leaveforwhat.net/index2.php Tracking link: http://leaveforwhat.net [report history] Resolves to 63.105.204.165 Routing details for 63.105.204.165 Report routing for 63.105.204.165: abuse@mci.com From nttp.sc.s at bigsleep.org Sat Jul 2 08:17:05 2005 From: nttp.sc.s at bigsleep.org (Blammo) Date: Sat Jul 2 03:20:02 2005 Subject: [SpamCop-List] Re: submit to blacklist without sending any email References: Message-ID: On 01 Jul 2005 Mike Easter entered spamcop and left news:da5amu$cep$1@news.spamcop.net: > SC spamtraps get the treatment you want, but SC reporters don't get > that option. > You just get a second account for mole reporting, wouldn't that satisfy that option? -- | Ric | From MikeE at ster.invalid Sat Jul 2 01:22:48 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat Jul 2 03:25:03 2005 Subject: [SpamCop-List] Re: submit to blacklist without sending any email References: Message-ID: Blammo wrote: > You just get a second account for mole reporting, wouldn't that > satisfy that option? Aaron wants to be able to 'report' or rather spamsubmit and have his submission count toward the SCbl without notifying the source provider. A nonnotifying SC report. The result would be similar to those for which SC derived notifies have been determined to be nonfunctional and SC has turned them into dev/nulls. Mole reporting won't count toward the SCbl. -- Mike Easter kibitzer, not SC admin From nttp.sc.s at bigsleep.org Sat Jul 2 08:28:14 2005 From: nttp.sc.s at bigsleep.org (Blammo) Date: Sat Jul 2 03:30:03 2005 Subject: [SpamCop-List] Re: MCI pimping too now? References: Message-ID: On 01 Jul 2005 Berny entered spamcop and left news:da5c95$d7j$1@news.spamcop.net: > In it's ever expanding search for new ventures to generate cash, MCI now > offers sexual services: > I don't understand why this UUNet space is using mci for a contact, I'm sure there's a reason (what do I know?)... UUNET Technologies, Inc. 63.64.0.0/10 OrgAbuseHandle: ABUSE3-ARIN OrgAbuseName: abuse OrgAbusePhone: +1-800-900-0241 OrgAbuseEmail: abuse-mail@mci.com Senderbase says: Elimnet Co. LTD. (KR) 63.105.192.0/20 -- | Ric | From nttp.sc.s at bigsleep.org Sat Jul 2 08:37:02 2005 From: nttp.sc.s at bigsleep.org (Blammo) Date: Sat Jul 2 03:40:03 2005 Subject: [SpamCop-List] Re: submit to blacklist without sending any email References: Message-ID: On 02 Jul 2005 Mike Easter entered spamcop and left news:da5fc0$f6i$1@news.spamcop.net: > Mole reporting won't count toward the SCbl. > I think this has been discussed before, but you are saying that "registering reports in SpamCop's database" won't effect the blocking list in any way? That doesn't make any sense to me, what use is the database otherwise? Refering to: http://members.spamcop.net/fom-serve/cache/373.html Is this information perhaps used by Senderbase and other block lists? -- | Ric | From MikeE at ster.invalid Sat Jul 2 02:13:24 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat Jul 2 04:15:03 2005 Subject: [SpamCop-List] Re: submit to blacklist without sending any email References: Message-ID: Blammo wrote: > Mike Easter >> Mole reporting won't count toward the SCbl. >> > > I think this has been discussed before, but you are saying that > "registering reports in SpamCop's database" won't effect the blocking > list in any way? That doesn't make any sense to me, what use is the > database otherwise? There's something Ellen sed down below. > Refering to: http://members.spamcop.net/fom-serve/cache/373.html http://spamcop.net/fom-serve/cache/373.html 373 is not well written in terms of clarifying that mole reports only count in the aggregate and don't contribute to the SCbl. > Is this information perhaps used by Senderbase and other block lists? Here's what WazoO sez that Ellen sez at http://forum.spamcop.net/forums/index.php?showtopic=2030 #3 Yes, mole reporting exists. No, they don't count towards the blocklist. Yes, we look at the mole reports when we are evaluating a specific IP or IP range or working on an issue. No, we never send mole report headers to an ISP/hosting company/etc. We do appreciate the fact that people continue to report as moles. ISPs can sign up for summary reports -- daily or hourly -- and many have signed up. The summary reports are just that -- lists of IPs and counts of spams -- and if looked at or scripted by an ISP/hosting company they do indicate where there are problems or emerging issues. /Ellen -- Mike Easter kibitzer, not SC admin From nttp.sc.s at bigsleep.org Sat Jul 2 09:28:59 2005 From: nttp.sc.s at bigsleep.org (Blammo) Date: Sat Jul 2 04:30:02 2005 Subject: [SpamCop-List] Re: submit to blacklist without sending any email References: Message-ID: On 02 Jul 2005 Mike Easter entered spamcop and left news:da5ias$gsd$1@news.spamcop.net: >> Refering to: http://members.spamcop.net/fom-serve/cache/373.html > > http://spamcop.net/fom-serve/cache/373.html > > oops! Thanks. -- | Ric | From nobody at nowhere.invalid Sat Jul 2 11:45:06 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Sat Jul 2 04:50:30 2005 Subject: [SpamCop-List] Re: MCI pimping too now? References: Message-ID: On Sat, 2 Jul 2005 07:28:14 +0000 (UTC), Blammo coughed into spamcop and left this in : > I don't understand why this UUNet space is using mci for a contact, I'm > sure there's a reason (what do I know?)... It seems to be common practice with MCI/ScrewYouNet/WorldScum. Blocks SWIP'ed to clients still have MCI's abuse contact in the whois information. -- Steve I haven't lost my mind; I know exactly where I left it. From redford_stone at INVERSE_OF_COLDmail.com Sat Jul 2 15:23:29 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Sat Jul 2 10:25:03 2005 Subject: [SpamCop-List] Re: HE.net's spammer Yfdirect talks References: Message-ID: "John Marion" wrote in news:da1961$1pg$1 @news.spamcop.net: > Thank you Mike > > And that is indeed a valuable lesson. :-) Next time just bit-bucket it.. or if you are adventureous, respond. :-) From no at spam.invalid Sat Jul 2 08:43:03 2005 From: no at spam.invalid (Michael Wise) Date: Sat Jul 2 10:45:02 2005 Subject: [SpamCop-List] Re: HE.net's spammer Yfdirect talks References: Message-ID: In article , Blammo wrote: > ... > > Also, Matthew Evans didn't > > create a special dnsbl for HE (he.blackholes.us) for no reason. > > > > I don't pay that any credit based on his reasoning for verio.blackholes.us. Verio has a well established (and well deserved) rep as as a spam sewer who ignores spam complaints. They have only themselves to blame for the existance of such a list. To be fair, after years of such incompetence and utter disregard for being a good netizen, they have cleaned their act up considerably. > Besides, I expect that he.blackholes.us will block Outblaze as well,... I don't get the connection? Do you have reason to believe Outblaze uses HE net space? >...and I have my doubts as to it's accuracy. Matthew does and always has made is zone data available for public viewing, so people are free to verify the accuracy of it. See: http://www.blackholes.us/zones/isp/he.txt > I think doing my own research will give me a better blacklist. both Spamcop > and Senderbase are helpful for network blocking info. Individual research and tailoring one's blacklists and other anti-spam methods to best suit their own situations is always best. SC, Spamhaus, blackholes.us, NANAE, the sc ng hierarchy, Spam-L, et al make great data points to take into consideration though. --Mike From windsorfoxNOSPAM at cox.net Sat Jul 2 14:23:45 2005 From: windsorfoxNOSPAM at cox.net (WindsorFox[SS]) Date: Sat Jul 2 14:25:03 2005 Subject: [SpamCop-List] ALGX and XO Message-ID: I am recieving insessant, constant garbage from ultimate free laptops .com. I Did the unsubscribe for 2 weeks and they still come. Now, Spamcop reports them to abuse@algx.com , but it seems like it should goto abuse@xo.com ?? These people are glib and could not care less if you paid them to. From Kilgallen at SpamCop.net Sat Jul 2 14:37:46 2005 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Sat Jul 2 14:40:02 2005 Subject: [SpamCop-List] Re: ALGX and XO References: Message-ID: In article , "WindsorFox[SS]" writes: > I am recieving insessant, constant garbage from ultimate free > laptops .com. I Did the unsubscribe for 2 weeks and they still come. NEVER unsubscribe from something to which you did not subscribe. There is no reason to believe that someone so unethical as to subscribe you without permission would behave honorably with regard to unsubscription. No major provider suggests its customer should reply to spammers but many advise against it. http://www.spamhaus.org/removelists.html From pxpearson at spamxcop.net Sat Jul 2 15:40:41 2005 From: pxpearson at spamxcop.net (Peter Pearson) Date: Sat Jul 2 17:50:06 2005 Subject: [SpamCop-List] Using IMAP for more flexible filtering Message-ID: I'm thinking of writing a Python program to create an IMAP connection to Spamcop and move the really blatant spam from my held-mail folder into my spam-for-sure folder. If anybody has advice or instructive insults, please tell. Motivation: I scan my held-mail folder for false positives, which while rare are frequent and important enough that I must. The chance I'll overlook a false positive is increased by the large number of obvious-spam messages, so I'd like to move the obvious-spam messages into my spam-for-sure folder, which I think would be easy with processing slightly more sophisticated than that allowed by Spamcop's filters. I could just pull all the messages to my computer and filter there, but then I lose the great convenience of reporting the whole bunch with three mouse clicks (select all, report as spam, OK). Does this sound reasonable? -- Peter Remove the two x's to get a good email address. From noone at nowhere.com Sat Jul 2 19:31:30 2005 From: noone at nowhere.com (Bob Itguy) Date: Sat Jul 2 18:35:03 2005 Subject: [SpamCop-List] SC still can't parse these links, needs updated Message-ID: http://www.spamcop.net/sc?id=z781341014z2b8c43c6aa34cf8458f6b0aa49d1eb52z From MikeE at ster.invalid Sat Jul 2 16:33:12 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat Jul 2 18:35:05 2005 Subject: [SpamCop-List] Re: Using IMAP for more flexible filtering References: Message-ID: Peter Pearson wrote: > Motivation: I scan my held-mail folder for false positives, > which while rare are frequent and important enough that I > must. What is your analysis of what causes those false positives? Say for your last 10 false positives, why were they positive? It would be very very good if you didn't have to dig thru' a big pile of spam to find the occasional false positive. You would be better off with a little bit of leak in the filter for a few missed spam than an occasional false positive -- if you could trade that off somehow. A little bit loose is more efficient than a little too tight. That spam pile is ugly. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sat Jul 2 16:55:06 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat Jul 2 18:55:03 2005 Subject: [SpamCop-List] Re: SC still can't parse these links, needs updated References: Message-ID: Bob Itguy wrote: www.spamcop.net/sc?id=z781341014z2b8c43c6aa34cf8458f6b0aa49d1eb52z The gig there is a graphic that shows a pharm promo and a link which is 'broken' with a space so SC can't deobfuscate. http://fnkwhwg.com. .cjsa96ckds97w2r8n1u.saveonpillz.info/#ycesfzxprn%2Eorg The browser or a GET function will convert that to http://fnkwhwg.com.cjsa96ckds97w2r8n1u.saveonpillz.info/#ycesfzxprn%2Eorg which does a frame thing to get to http://fnkwhwg.com.cjsa96ckds97w2r8n1u.saveonpillz.info/ES001/?affiliate_id=233670&campaign_id=21005 which is where the payload is. SC can parse it if there isn't a dot space dot, and determine the IP as 221.7.209.72 which is .cn - CNC Guangxi which is spamhaused for the ROKSO Leo Kuvayev / BadCow. -- which spamhause refers to as 'bulletproof spamhosting'. http://www.spamhaus.org/SBL/sbl.lasso?query=SBL28376 Maybe you wish SC could do the notify, but you actually aren't missing much or anything by it failing the deobfuscation step. The notify would be falling on deaf ears. The only benefit there would have been to deobfuscating it would be to publish the URL on the stats page for sc-surbl to scrape for its db. If SC had deobfuscated, its notify for that IP is a devnull Using postmaster#cnc-noc.net@devnull.spamcop.net for statistical tracking. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sat Jul 2 17:10:51 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat Jul 2 19:15:03 2005 Subject: [SpamCop-List] Re: SC still can't parse these links, needs updated References: Message-ID: Mike Easter wrote: > The only benefit there would have > been to deobfuscating it would be to publish the URL on the stats > page for sc-surbl to scrape for its db. Which brings up a different but related question. If SC deobfuscates a URL for the statistics page, how does it publish the URL, in the original form? Or in the deobfuscated form? And, if a person is using the sc-surbl or spamcopURI to filter -- how does that work for broken URLs? I'm not clear on this. Does the filter filter on the obfuscated string? It would see that it would have to. I think the SpamPal URL body plugin converts the URL to an IP and runs that IP against the chosen DNSBLs. -- Mike Easter kibitzer, not SC admin From notformail0405 at comcast.net Sat Jul 2 22:18:21 2005 From: notformail0405 at comcast.net (Gunter Herrmann) Date: Sat Jul 2 21:20:02 2005 Subject: [SpamCop-List] Re: The Anti-Spam Litigation Shop (Wired News) In-Reply-To: References: Message-ID: Hi! Larry Kilgallen wrote: > Who is going to risk endorsing a check made out to SPEWS ? Sergei ''Chip'' Didorenko from Irkutsk, the admin-c and tech-c for SPEWS? brgds -- Gunter Herrmann Naples, Florida, USA From devnull at spamcop.net Sun Jul 3 00:58:53 2005 From: devnull at spamcop.net (Frog Prince) Date: Sun Jul 3 00:05:03 2005 Subject: [SpamCop-List] Re: HE.net's spammer Yfdirect talks References: Message-ID: "Blammo" wrote in message news:Xns9686AAE4816C4blammo@216.154.195.61... | On 01 Jul 2005 Michael Wise entered spamcop and left news:no- | DB5D34.07484901072005@news.cesmail.net: | | > HE is and has been a spam-tolerating hoster for years. Pretty much every | > mail server I admin _used_ to regularly get spam from their customers, | > and HE almost never even responds to LARTS...and certainly has never | > appropriately acted on one of the many I have sent them. | > | | I have seen other regulars here say that they DO act on LARTS. So here I | have conflicting statements, and actually very little spam from HE. In my | view they seem insignificant compared to, say, thePlanet. | This is part of a begging response from the spammer in response to a hammer note from admin @ he.net From: abuse@he.net [mailto:abuse@he.net] Sent: Thursday, June 30, 2005 7:24 PM To: netops Subject: [HE_ABUSE#970275] Complaints regarding ce0830 You have received the following complaint regarding ce0830. You MUST respond directly to the complaintants within 48 hours, and respond to this email letting us know that every ones concerns have been addressed. From devnull at spamcop.net Sun Jul 3 01:00:53 2005 From: devnull at spamcop.net (Frog Prince) Date: Sun Jul 3 00:05:09 2005 Subject: [SpamCop-List] Re: The Anti-Spam Litigation Shop (Wired News) References: Message-ID: "David Dean" | > But their processing systems typically stamp it on the back of the check. | | This didn't happen at the bank I worked for, but may be true for some | banks. | These days they don't even send the cancled check to the bank. From agent01413 at my-deja.com Sun Jul 3 07:32:57 2005 From: agent01413 at my-deja.com (Socks the Whitehouse Cat) Date: Sun Jul 3 02:35:04 2005 Subject: [SpamCop-List] Re: The Anti-Spam Litigation Shop (Wired News) References: Message-ID: "Frog Prince" wrote in news:da7nvh$j0t$2 @news.spamcop.net: > > "David Dean" > >| > But their processing systems typically stamp it on the back of the > check. >| >| This didn't happen at the bank I worked for, but may be true for some >| banks. >| > These days they don't even send the cancled check to the bank. > > the info is easily subpoenaed -- Be careful about reading health books. You may die of a misprint. ~Mark Twain From nobody at nowhere.invalid Sun Jul 3 13:20:10 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Sun Jul 3 06:25:14 2005 Subject: [SpamCop-List] Re: The Anti-Spam Litigation Shop (Wired News) References: Message-ID: On Sun, 3 Jul 2005 06:32:57 +0000 (UTC), Socks the Whitehouse Cat coughed into spamcop and left this in : > the info is easily subpoenaed >From Russia? -- Steve Recorded message on an answerphone: "This is not an answering machine, this is a telepathic thought-recording device. After the tone, think about your name, your number, and your reason for calling.... and I'll think about returning your call." From anon at coks.net Sun Jul 3 12:48:32 2005 From: anon at coks.net (J G) Date: Sun Jul 3 14:50:03 2005 Subject: [SpamCop-List] Mail Admin Reply... Message-ID: http://www.spamcop.net/sc?id=z781639333z0cb4ca8a5a8832a64cdc77c79a0458eaz http://www.spamcop.net/sc?id=z781640398z98d59d4eafa4683ac3ac9678662678a0z SC can't parse these, probably due to bad headers if they are anything like the others I've received.. This was an attempt to report the redirection bounce. The 1st one was rejected by my ISP with the msg. This IP is blocked for relay by Administrator The 2nd seems to block my own address (?) I requested clarification from Cox on that, but this is all giving me a headache. What can I infer from this? From nobody at devnull.spamcop.net Sun Jul 3 15:17:53 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Sun Jul 3 15:20:02 2005 Subject: [SpamCop-List] Re: Mail Admin Reply... References: Message-ID: "J G" wrote in message news:da9bra$d0d$1@news.spamcop.net... > http://www.spamcop.net/sc?id=z781639333z0cb4ca8a5a8832a64cdc77c79a0458eaz > http://www.spamcop.net/sc?id=z781640398z98d59d4eafa4683ac3ac9678662678a0z > > SC can't parse these, probably due to bad headers if they are anything > like the others I've received.. I don't see a "valid" header in any of that stuff. Noting your penchant for the "/*" to indicate a quote, the 'easy (could be wrong)' guess is that you are "building" your own submittal by doing a cut/paste, perhaps into some text processor ..?? Then forwarding all this new construct "in-line" ... The lack of header data at the top could be because (you suggest) that this traffic was all internal to Cox, but the SpamCop parser simply sees that the header is incomplete, and the construct of the "included" spam is seen as not much more than "more text" ...???? The one header section that looks like it comes close to complete has white-space / new-line issues ... the stuff at the top has no 'real' "handling" data included (no IP addresses,. no hand-offs, etc ..) From anon at coks.net Sun Jul 3 13:44:19 2005 From: anon at coks.net (J G) Date: Sun Jul 3 15:45:03 2005 Subject: [SpamCop-List] Re: Mail Admin Reply... In-Reply-To: References: Message-ID: On 7/3/2005 12:17 PM WazoO scribbled: > "J G" wrote in message news:da9bra$d0d$1@news.spamcop.net... > >>http://www.spamcop.net/sc?id=z781639333z0cb4ca8a5a8832a64cdc77c79a0458eaz >>http://www.spamcop.net/sc?id=z781640398z98d59d4eafa4683ac3ac9678662678a0z >> >>SC can't parse these, probably due to bad headers if they are anything >>like the others I've received.. > > > I don't see a "valid" header in any of that stuff. Noting your > penchant for the "/*" to indicate a quote, the 'easy (could be > wrong)' guess is that you are "building" your own submittal > by doing a cut/paste, perhaps into some text processor ..?? > Then forwarding all this new construct "in-line" ... The lack > of header data at the top could be because (you suggest) > that this traffic was all internal to Cox, but the SpamCop > parser simply sees that the header is incomplete, and the > construct of the "included" spam is seen as not much more > than "more text" ...???? > > The one header section that looks like it comes close to > complete has white-space / new-line issues ... the stuff > at the top has no 'real' "handling" data included (no IP > addresses,. no hand-offs, etc ..) > > You could have a point about my added note. For the redirectional bounces side of incoming crap, I am using http://www.spamid.net/ since they dig out the offending sites better than SC, which, as I stated, has a problem with the headers. Spamid prepares an email for you and that is where I plug in the note, then paste in the whole misdirect spam. Thunderbird has an extension Quicktext which makes adding that note easier, but I'm probably spinning my wheels there. And some of these misdirects freeze up SpamID, so I then switch to Abuse for the Lart. I simply don't have the free time to do manual parsing and maintain my sanity at the same time, and as soon I I learn 1 thing, spammers come with something else - you know the story... From MikeE at ster.invalid Sun Jul 3 14:14:04 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Jul 3 16:15:04 2005 Subject: [SpamCop-List] Re: Mail Admin Reply... References: Message-ID: J G wrote: www.spamcop.net/sc?id=z781639333z0cb4ca8a5a8832a64cdc77c79a0458eaz > This was an attempt to report the redirection bounce. The 1st one was > rejected by my ISP That is a complicated structure with 6 sets of headers, I'll number them from 1 to 6 from the top down. It would probably be better to start from the bottom, so I'll start from the top :-) At the top #1 is the header put directly in your mailbox by your cox system, no Received line in which cox is telling you it can't mail the item, but the submission to the parser obfuscated the To: Jumping down to the bottom #6 is the header of a spam sourced at/from 219.128.170.142 a multilisted .cn proxytrojan -- no body -- handled by an amadis.com server for recipients. That spam header was emailed as a newmail DSN by the amadis to a cox account, presumably yours. The next thing up the structure we see is you #5 trying to forward that mail to several addresses which the parser has munged out, and cox is trying to tell you that all of those addresses, whatever they are, are no good for various reasons, deactivated mailbox x 2, not a valid mailbox x2. The MTA which is telling that information is 66.28.189.140 rDNS mw140.mail2world.com so apparently those addresses must've called up that MX for some reason that I don't know. Now, jumping back up to the top #2 to find out what cox was telling you it couldn't mail we find you trying to mail something to 5 different obfuscated x/s and calling it a misdirected bounce, but the misdirected bounce you are trying to report is your own provider telling you that it can't mail something, which is header #3. So, now that we're closing in on the middle, I'll list the headers from top to bottom. - internal cox to you - you trying to email - internal cox to you - you trying to email - misdirected bounce - original spam headers In this case, feeding such a thing to the parser makes things more confusing than they would have been if you had posted it in .spam, because the parser munges out all of the important addresses which are causing the problem. The problems are several, not the least of which is you trying to report your own provider for 'misdirected bounces' when it is telling you that it can't complete the mail the way you have addressed it. In all of those headers, there is only one which belongs to a misdirected bounce; that is #5, all the rest of the headers are due to you doing something wrong. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sun Jul 3 14:32:37 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Jul 3 16:35:03 2005 Subject: [SpamCop-List] Re: Mail Admin Reply... References: Message-ID: Mike Easter wrote: > So, now that we're closing in on the middle, I'll list the headers > from top to bottom. > > - internal cox to you > - you trying to email > - internal cox to you > - you trying to email > - misdirected bounce > - original spam headers This is from #4, you trying to email: From: Jeff Goodwin To: x, x, x, x Subject: Fwd [Spam Report]: Delivery Status Notification This is a misdirection bounce... whoever was those x/es, or at least one of those x/es didn't fly, so your mail admin told you that^1 in #3. ^1 Recipient: Reason: This IP is blocked for relay by Administrator When your admin told you that in #3, you tried to forward that cox admin mail with this #2 from you: From: Jeff Goodwin To: x, x, x, x, x Subject: Fwd [Spam Report]: Mail System Error - Returned Mail This is a misdirection bounce... Whoever or at least one of what was in those 5 x/es led to the same problem as before, resulting in the #1 headers with a similar 'content' as ^1 above. -- Mike Easter kibitzer, not SC admin From borgholio at storymind.com Sun Jul 3 14:41:21 2005 From: borgholio at storymind.com (Borgholio) Date: Sun Jul 3 16:45:04 2005 Subject: [SpamCop-List] Need advice with misdirected bounces. Message-ID: Got a reply from an ISP admin after reporting a misdirected bounce. Here's a snippet from the conversation. I'm not an expert in mailservers, so I'm wondering where I should go from here? Hello, On Sat, Jul 02, 2005 at 09:49:36AM -0700, Borgholio wrote: B> A true bounce is when the SMTP server refuses to accept delivery of the B> mail, and it is bounced back to the actual sender. There are a lot of conditions when server can generate bounce only after receiving message to queue. B> What your server does, B> is it actually accepts the email, decides it's invalid, then composes a B> whole new email and "bounces" it back to an invalid return address. This behaviour does not violate the standard. B> Thus, I receive a bounce for an email I never sent. I'm sorry. Server of our customer did this according to standard. The most of servers would do the same in such case. From anon at coks.net Sun Jul 3 14:42:25 2005 From: anon at coks.net (J G) Date: Sun Jul 3 16:45:07 2005 Subject: [SpamCop-List] Re: Mail Admin Reply... In-Reply-To: References: Message-ID: On 7/3/2005 1:32 PM Mike Easter scribbled: > Mike Easter wrote: > >>So, now that we're closing in on the middle, I'll list the headers >>from top to bottom. >> >> - internal cox to you >> - you trying to email >> - internal cox to you >> - you trying to email >> - misdirected bounce >> - original spam headers > > > This is from #4, you trying to email: > > > From: Jeff Goodwin > To: x, x, x, x > Subject: Fwd [Spam Report]: Delivery Status Notification > > This is a misdirection bounce... > > > whoever was those x/es, or at least one of those x/es didn't fly, so > your mail admin told you that^1 in #3. > > ^1 > Recipient: > Reason: This IP is blocked for relay by Administrator > > > When your admin told you that in #3, you tried to forward that cox admin > mail with this #2 from you: > > > From: Jeff Goodwin > To: x, x, x, x, x > Subject: Fwd [Spam Report]: Mail System Error - Returned Mail > > This is a misdirection bounce... > > > Whoever or at least one of what was in those 5 x/es led to the same > problem as before, resulting in the #1 headers with a similar 'content' > as ^1 above. > > good grief.... From anon at coks.net Sun Jul 3 15:11:15 2005 From: anon at coks.net (J G) Date: Sun Jul 3 17:10:02 2005 Subject: [SpamCop-List] Re: Mail Admin Reply... In-Reply-To: References: Message-ID: On 7/3/2005 1:14 PM Mike Easter scribbled: > J G wrote: > www.spamcop.net/sc?id=z781639333z0cb4ca8a5a8832a64cdc77c79a0458eaz > > >>This was an attempt to report the redirection bounce. The 1st one was >>rejected by my ISP > > > That is a complicated structure with 6 sets of headers, I'll number them > from 1 to 6 from the top down. It would probably be better to start > from the bottom, so I'll start from the top :-) > > At the top #1 is the header put directly in your mailbox by your cox > system, no Received line in which cox is telling you it can't mail the > item, but the submission to the parser obfuscated the To: > > Jumping down to the bottom #6 is the header of a spam sourced at/from > 219.128.170.142 a multilisted .cn proxytrojan -- no body -- handled by > an amadis.com server for recipients. That spam header was emailed as a > newmail DSN by the amadis to a cox account, presumably yours. What was sent to me was the misdirect bounce, not the spam, but for what I can tell, that could be what you are saying. > > The next thing up the structure we see is you #5 trying to forward that > mail to several addresses which the parser has munged out, and cox is > trying to tell you that all of those addresses, whatever they are, are > no good for various reasons, deactivated mailbox x 2, not a valid > mailbox x2. As mentioned in another post, I was using SpamID to parse the misdirect because it correctly, I believe, identified the source and automatically supplied abuse addys to Lart to - also as previously stated, I do not have the experience you do and need to rely on those addys as correct, but it seems we are all dealing with moving targets here which makes comprehension difficult at best. Net, net, SC just serves up the sender of the misdirected bounce,, which is about al I can say I can do myself. The only munging being done by this whole process is SC - everything I send with SpamID goes out raw. And the mails to Cox in this case are just my cluing in their spam report desk, not their abuse desk. > > The MTA which is telling that information is 66.28.189.140 rDNS > mw140.mail2world.com so apparently those addresses must've called up > that MX for some reason that I don't know. not do I - sorry to say this is where it becomes greek to me... > > Now, jumping back up to the top #2 to find out what cox was telling you > it couldn't mail we find you trying to mail something to 5 different > obfuscated x/s and calling it a misdirected bounce, but the misdirected > bounce you are trying to report is your own provider telling you that it > can't mail something, which is header #3. that is pretty obtuse, but, again, net net, could be me shooting myself in the foot and hitting my brain... > > So, now that we're closing in on the middle, I'll list the headers from > top to bottom. > > - internal cox to you > - you trying to email > - internal cox to you > - you trying to email > - misdirected bounce > - original spam headers > > In this case, feeding such a thing to the parser makes things more > confusing than they would have been if you had posted it in .spam, > because the parser munges out all of the important addresses which > are causing the problem. > > The problems are several, not the least of which is you trying to report > your own provider for 'misdirected bounces' when it is telling you that > it can't complete the mail the way you have addressed it. > > In all of those headers, there is only one which belongs to a > misdirected bounce; that is #5, all the rest of the headers are due to > you doing something wrong. > I have a headache - I have many more screwups to perform before I rest... Are you in the CIA?? p.s. Thanks for the efforts - you do your Phd thesis on this stuff? From MikeE at ster.invalid Sun Jul 3 15:14:02 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Jul 3 17:15:04 2005 Subject: [SpamCop-List] Re: Need advice with misdirected bounces. References: Message-ID: Borgholio wrote: > Got a reply from an ISP admin after reporting a misdirected bounce. > Here's a snippet from the conversation. I'm not an expert in > mailservers, so I'm wondering where I should go from here? This is a common discussion in nanae. The problem and the 'right and wrong' of it can almost always be configured in a more healthy manner than the 'old fashioned' way of doing business which is now abusive. > On Sat, Jul 02, 2005 at 09:49:36AM -0700, Borgholio wrote: >> A true bounce is when the SMTP server refuses to accept delivery of >> the mail, and it is bounced back to the actual sender. > > There are a lot of conditions when server can generate bounce > only after receiving message to queue. ... but that doesn't justify 'routinely' configuring to send newmails to misdirected Froms. >> What your server does, >> is it actually accepts the email, decides it's invalid, then >> composes a whole new email and "bounces" it back to an invalid >> return address. You are correct about that. > This behaviour does not violate the standard. It may not violate the standard, but it is abusive, and it is reportable, and it will be reported, and those reports will get the server listed, and that is not a good situation for the server or for its clients -- so the server's admin should be reconfiguring according to some less abusive options which other and wiser admins are doing. And, at that point, there is also some information at the SC faq http://www.spamcop.net/fom-serve/cache/329.html#bounces Problem: Misdirected bounces -- [the faq gives information for Qmail and Exchange, and also supports the notion that this problem can be solved by configuring correctly] >> Thus, I receive a bounce for an email I never sent. > > I'm sorry. Server of our customer did this according to standard. > The most of servers would do the same in such case. Less and less and less servers are doing that now that servers are getting themselves blocklisted for doing it. -- Mike Easter kibitzer, not SC admin From anon at coks.net Sun Jul 3 15:23:44 2005 From: anon at coks.net (J G) Date: Sun Jul 3 17:25:02 2005 Subject: [SpamCop-List] Re: Need advice with misdirected bounces. In-Reply-To: References: Message-ID: Thank you Borgholio, I am not feeling so alone... > It may not violate the standard, but it is abusive, and it is > reportable, and it will be reported, and those reports will get the > server listed, and that is not a good situation for the server or for > its clients -- so the server's admin should be reconfiguring according > to some less abusive options which other and wiser admins are doing. > > And, at that point, there is also some information at the SC faq > http://www.spamcop.net/fom-serve/cache/329.html#bounces Problem: > Misdirected bounces -- [the faq gives information for Qmail and > Exchange, and also supports the notion that this problem can be solved > by configuring correctly] > Which is what caused me to open up cans of worms and doing so... > > Less and less and less servers are doing that now that servers are > getting themselves blocklisted for doing it. > oh that the results were faster acoming... From nobody at nowhere.invalid Mon Jul 4 00:28:23 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Sun Jul 3 17:30:02 2005 Subject: [SpamCop-List] Re: Need advice with misdirected bounces. References: Message-ID: On Sun, 03 Jul 2005 13:41:21 -0700, Borgholio coughed into spamcop and left this in : > Got a reply from an ISP admin after reporting a misdirected bounce. Here's > a snippet from the conversation. I'm not an expert in mailservers, so I'm > wondering where I should go from here? > > Hello, > > On Sat, Jul 02, 2005 at 09:49:36AM -0700, Borgholio wrote: > B> A true bounce is when the SMTP server refuses to accept delivery of the > B> mail, and it is bounced back to the actual sender. Actually, in this case it isn't a bounce, it's a rejection. They're 2 totally different things, which you appear to know, but it would be useful to get the terminology right when discussing the matter with a mail admin - even if said mail admin doesn't get it right. > There are a lot of conditions when server can generate bounce > only after receiving message to queue. There are also a lot of conditions in which this unfortunate situation can be avoided entirely. > B> What your server does, > B> is it actually accepts the email, decides it's invalid, then composes a > B> whole new email and "bounces" it back to an invalid return address. > > This behaviour does not violate the standard. The standard, RFC821, was drafted in August 1982. Spam didn't account for 90+% SMTP connections in August 1982. It does now. Times have changed, needs have changed. > B> Thus, I receive a bounce for an email I never sent. > > I'm sorry. Server of our customer did this according to standard. > The most of servers would do the same in such case. Not as sorry as everyone else. Server of your customer will find itself in countless personal blocklists as a result of this irresponsible behaviour. -- Steve A lot of money is tainted. 'Taint yours and 'taint mine. From nospam at dev.null Mon Jul 4 02:21:39 2005 From: nospam at dev.null (Anty Spam) Date: Sun Jul 3 19:25:04 2005 Subject: [SpamCop-List] Re: Need advice with misdirected bounces. References: Message-ID: "Steven Maesslein" wrote in message news:slrndcgm3n.tgs.nobody@127.0.0.1... > On Sun, 03 Jul 2005 13:41:21 -0700, Borgholio coughed into spamcop and > left this in : > > > Got a reply from an ISP admin after reporting a misdirected bounce. Here's > > a snippet from the conversation. I'm not an expert in mailservers, so I'm > > wondering where I should go from here? .... SNIP..... > > This behaviour does not violate the standard. > > The standard, RFC821, was drafted in August 1982. > > Spam didn't account for 90+% SMTP connections in August 1982. It does > now. Times have changed, needs have changed. > Well put. Just as there is no law forcing you to lock your doors before going on holiday. But you do! From hwolfe at spamcop.net Sun Jul 3 19:26:43 2005 From: hwolfe at spamcop.net (Herb Wolfe) Date: Sun Jul 3 19:30:04 2005 Subject: [SpamCop-List] Re: Mainsleaze Spam In-Reply-To: References: <42C300D5.264E956C@SpamCop.net> Message-ID: Porpoise wrote: > "Mike Easter" wrote in message > news:da1kfp$7sd$1@news.spamcop.net... > >>I think this is where I came in. >> >> >>I wonder if Michael could clarify precisely what was clicked. Could it >>have been a subscription confirmatory link? >> >>I don't have a full picture of how insecurely he does whatever he does >>in email or websites or subscribing or accidentally clicking things and >>where he is and what he is doing when he is accidentally clicking them. > > > > I'm struggling with the same picture..... or, rather, lack of - it's not at > all clear what he "actually" did....... > > The impression I get from the original message is that Michael was dragging a scroll bar, the mouse slipped off the scroll bar and caused a click on an ad, which subscribed him to some list. As for how they got his home e-mail, rather than his hotmail address, it's rather simple. If he has that address stored in his browser settings, it can be read. From nobody at xyzzy.claranet.de Mon Jul 4 02:43:44 2005 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Sun Jul 3 19:55:02 2005 Subject: [SpamCop-List] Re: Need advice with misdirected bounces. References: Message-ID: <42C87830.404C@xyzzy.claranet.de> Steven Maesslein wrote: > Actually, in this case it isn't a bounce, it's a rejection. > They're 2 totally different things | Delivery SMTP systems MAY reject ("bounce") such messages | rather than deliver them. RfC 2821 disagrees with you. And I disagree with RfC 2821, so maybe we're on the same side: From my POV "reject" is the opposite of "accept", a "reject" is a 4xx or 5xx SMTP error. As soon as you have two MTAs B and C, B forwarding mails to C (e.g. B = MX and C = MDA, or B = outsourced backup MX), and A sends a mail to B, B does not necessarily know what C will do. Therefore B might decide to "accept" the mail from A. Later C could "reject" it (user over quota or other non-obvious trouble from B's POV). Because B had accepted it, right or wrong, it then must create a "bounce message". One perfectly sane situation is A = user (MUA), B = smart host (MSA), and C = MX. If C rejects the mail, B has to inform its own user, by a "bounce message" to A. > There are also a lot of conditions in which this unfortunate > situation can be avoided entirely. Yes, but not with the massive abuse supported by SpamCop, that will only destroy the reliability SMTP: B desperately needs a fair chance to identify potential "misdirected bounces" before it ever gets in this situation. It could use radical blocking if it is a backup MX. It could have some kind of access on the list of valid users before C says "no such user". It's very tricky for a "user over quota": At the moment there's no protocol to check the latter problem with C before B's decision to "accept" the mail. Afterwards it's too late. B can't simply delete the mail only because a user is over quota, any legit sender A wants to know that the mail didn't make it. The only real chance at the moment is to identify a potential "misdireted bounce" when B decides about "accept" vs. "reject". And for that the "return path" (the MAIL FROM in the mail sent to B) needs an SPF-FAIL sender policy, and B has to check it. Or B uses some way to guess like radical blocking. >> This behaviour does not violate the standard. > The standard, RFC821, was drafted in August 1982. RfC 2821 has exactly the same concept "accept => responsible", and 2821 was published April 2001 - not April the first I hope. > Spam didn't account for 90+% SMTP connections in August 1982. > It does now. Times have changed, needs have changed. Except from implementing SPF on the side of B, and publishing a sender policy allowing to identify and "reject" forgeries B has absolutely no chance in many common situations. And the SPF RfC is less than ten days old, it doesn't have an RfC number yet, that can take months. > Not as sorry as everyone else. Server of your customer will > find itself in countless personal blocklists as a result of > this irresponsible behaviour. What you say and what SpamCop does, that is irresponsible, you are forcing MTAs like B to silently ignore errors. Bye, Frank From smcgarrett at hawaii.com Sun Jul 3 20:04:47 2005 From: smcgarrett at hawaii.com (Steve McGarrett) Date: Sun Jul 3 20:05:03 2005 Subject: [SpamCop-List] Re: Using IMAP for more flexible filtering In-Reply-To: References: Message-ID: Peter Pearson wrote: > I'm thinking of writing a Python program to create an IMAP > connection to Spamcop and move the really blatant spam > from my held-mail folder into my spam-for-sure folder. > If anybody has advice or instructive insults, please tell. I do this already by using Thunderbird's IMAP support to access my held mail folder, then using Thunderbird's filters to move blatant spam to my spam-for-sure folder. I then manually move the remaining spam to my spam-for-sure folder. Finally, I log in to webmail to release and whitelist any false positives and quick report the messages in my spam-for-sure folder. The only problem I've been having lately is the spammers who've been sending out messages with sizes of 10-40k. These can cause the total size of the messages in my spam-for-sure folder to top the 100k limit allowed for a single report. BTW, I also have a search folder set up to search my Inbox for messages with the subject "SpamCop Quick reporting data" and the phrase "sent to: " in the body. This allows me to see if quick reporting is accidentally reporting my ISP's inbound mail server. It hasn't in over two years of checking, but it never hurts to be safe. Details: I never get legitimate email from China, Korea, Brazil, Argentina or Nigeria, so I have these blacklists, along with others, turned on in my SpamCop Tools. I also have my SpamAssassin limit set to 5. I've discovered that any false positives I get never have SpamAssassin scores higher than 7, although a good bit of the spam I get has scores of 5 or 6. The Thunderbird filters move messages in which "X-SpamCop-Disposition" contains "korea.services.net", "cn.rbl.cluecentral.net", etc. to my spam-for-sure folder. They also move messages in which "X-Spam-Level" contains "*******" (meaning SpamAssassin score is 7 or higher) to my spam-for-sure folder. What remains in my Held Mail folder is email trapped by various blocklists (including the SCBL) with a SpamAssassin score of six or lower. There are few enough of these to be handled manually with ease. Hope this helps. Aloha, McGarrett "LART 'em, Danno!" From nttp.sc.s at bigsleep.org Mon Jul 4 08:09:41 2005 From: nttp.sc.s at bigsleep.org (Blammo) Date: Mon Jul 4 03:10:04 2005 Subject: [SpamCop-List] Re: HE.net's spammer Yfdirect talks References: Message-ID: On 02 Jul 2005 Michael Wise entered spamcop and left news:no-588B28.07430302072005@news.cesmail.net: >> Besides, I expect that he.blackholes.us will block Outblaze as well,... > > I don't get the connection? Do you have reason to believe Outblaze uses > HE net space? > According to Senderbase, some Outblaze servers are on HE http://www.senderbase.org/search?searchString=64.62.181.91 and some are on XO http://www.senderbase.org/search?searchString=205.158.62.67 As far as Verio goes, we now have the problem of Verio and NTT sharing IP space (I suppose), though the spam sourced from NTT space seems to be dropping, for me anyway. My major peeve right now is Kornet, and various ROKSO networks (long list, includes XO for one). -- | Ric | From nttp.sc.s at bigsleep.org Mon Jul 4 08:37:35 2005 From: nttp.sc.s at bigsleep.org (Blammo) Date: Mon Jul 4 03:40:03 2005 Subject: [SpamCop-List] Re: Need advice with misdirected bounces. References: Message-ID: On 03 Jul 2005 Borgholio entered spamcop and left news:da9igl$gtj$1@news.spamcop.net: > On Sat, Jul 02, 2005 at 09:49:36AM -0700, Borgholio wrote: > B> A true bounce is when the SMTP server refuses to accept delivery of > the B> mail, and it is bounced back to the actual sender. > > There are a lot of conditions when server can generate bounce > only after receiving message to queue. > Perhaps they are using qmail, which always queues then bounces. There is always a way, such as for qmail there's at least one patch http://www.google.com/search?q=qmail-badrcptto.patch But then I've never had much luck explaining this type of thing to mail admins, who usually think they know everything. -- | Ric | From nttp.sc.s at bigsleep.org Mon Jul 4 08:45:38 2005 From: nttp.sc.s at bigsleep.org (Blammo) Date: Mon Jul 4 03:50:03 2005 Subject: [SpamCop-List] Re: Need advice with misdirected bounces. References: Message-ID: On 04 Jul 2005 Blammo entered spamcop and left news:Xns9689687C90EDblammo@216.154.195.61: > http://www.google.com/search?q=qmail-badrcptto.patch > Would have been better to alter that search to http://www.google.com/search?q=qmail+badrcptto+patch -- | Ric | From pete+usenet at heypete.com Mon Jul 4 02:12:50 2005 From: pete+usenet at heypete.com (Pete Stephenson) Date: Mon Jul 4 04:15:03 2005 Subject: [SpamCop-List] Re: HE.net's spammer Yfdirect talks References: Message-ID: In article , Blammo wrote: > I have seen other regulars here say that they DO act on LARTS. So here I > have conflicting statements, and actually very little spam from HE. In my > view they seem insignificant compared to, say, thePlanet. I host with HE specifically because they act against complaints[1], a fact which I've confirmed through discussion with HE abuse staff personnel and some Spamhaus.org staffers I know from my previous employment. While HE does do direct-sales to customers (such as myself), their facility is mostly geared toward resellers and organizations who buy resources by the rack. Occasionally those resellers have their own resellers, adding another hop for the abuse staff to chase the spammer through. Even if HE and their resellers nuke a particular spammer, the spammer could easily (purposely or inadvertently) move to another HE reseller. One of the disadvantages of being a major hosting provider offering reseller services is that you'll constantly have to be nuking spammers with no easy means of centralized account-denial. That said, HE does remarkably well with nuking spammers in my experience. My only connection to HE is as a customer; I have no financial interest in the company. Your mileage may vary. [1] They also offer the services I want at a reasonable price, of course. -- Pete Stephenson HeyPete.com From nobody at nowhere.invalid Mon Jul 4 13:12:09 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Mon Jul 4 06:15:12 2005 Subject: [SpamCop-List] Re: HE.net's spammer Yfdirect talks References: Message-ID: On Mon, 4 Jul 2005 07:09:41 +0000 (UTC), Blammo coughed into spamcop and left this in : > As far as Verio goes, we now have the problem of Verio and NTT sharing > IP space (I suppose), Hardly surprising given that Verio is owned by NTT... -- Steve Maintainer's Motto: If we can't fix it, it ain't broke. From glnews030922 at highspot.net Mon Jul 4 13:42:37 2005 From: glnews030922 at highspot.net (Graeme Leith) Date: Mon Jul 4 07:40:02 2005 Subject: [SpamCop-List] Re: Need advice with misdirected bounces. In-Reply-To: <42C87830.404C@xyzzy.claranet.de> References: <42C87830.404C@xyzzy.claranet.de> Message-ID: Frank Ellermann wrote: > Steven Maesslein wrote: > > >>Actually, in this case it isn't a bounce, it's a rejection. >>They're 2 totally different things > > > | Delivery SMTP systems MAY reject ("bounce") such messages > | rather than deliver them. > > RfC 2821 disagrees with you. And I disagree with RfC 2821, so > maybe we're on the same side: From my POV "reject" is the > opposite of "accept", a "reject" is a 4xx or 5xx SMTP error. Although RFC2821 widely implemented, it is not an internet standard[1]. RFC821 makes no provision for rejection after the SMTP transaction is complete. So you could argue that rejection after receipt violates the official mail standard. ;-) [1]: http://rfc.net/std1.html -- Evidence shows Cyveillance abuse internet resources. I recommend unchecking their box in SpamCop reports. Cyveillance are part of the problem. They are not part of the solution. From crappy.trappy at ntlworld.com Mon Jul 4 17:22:15 2005 From: crappy.trappy at ntlworld.com (Tim) Date: Mon Jul 4 11:25:03 2005 Subject: [SpamCop-List] [MEDIA] China signs anti-spam pact Message-ID: http://www.theregister.co.uk/2005/07/04/china_spam/ Heh, we will have to wait and see! From porpoise1954 at yahoo.co.uk Mon Jul 4 19:27:47 2005 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Mon Jul 4 13:30:03 2005 Subject: [SpamCop-List] Re: Mainsleaze Spam References: <42C300D5.264E956C@SpamCop.net> Message-ID: "Herb Wolfe" wrote in message news:da9s6n$mja$1@news.spamcop.net... > Porpoise wrote: > >> "Mike Easter" wrote in message >> news:da1kfp$7sd$1@news.spamcop.net... >> >> >> I'm struggling with the same picture..... or, rather, lack of - it's not >> at all clear what he "actually" did....... > > The impression I get from the original message is that Michael was > dragging a scroll bar, the mouse slipped off the scroll bar and caused a > click on an ad, That was my understanding of his original post. > which subscribed him to some list. As for how they got his home e-mail, > rather than his hotmail address, it's rather simple. If he has that > address stored in his browser settings, it can be read. That's the bit I'm struggling with. From borgholio at storymind.com Mon Jul 4 13:35:10 2005 From: borgholio at storymind.com (Borgholio) Date: Mon Jul 4 15:40:04 2005 Subject: [SpamCop-List] Re: Need advice with misdirected bounces. In-Reply-To: References: Message-ID: Mike Easter wrote: > Borgholio wrote: > >>Got a reply from an ISP admin after reporting a misdirected bounce. >>Here's a snippet from the conversation. I'm not an expert in >>mailservers, so I'm wondering where I should go from here? > > > This is a common discussion in nanae. The problem and the 'right and > wrong' of it can almost always be configured in a more healthy manner > than the 'old fashioned' way of doing business which is now abusive. > > >>On Sat, Jul 02, 2005 at 09:49:36AM -0700, Borgholio wrote: >> >>>A true bounce is when the SMTP server refuses to accept delivery of >>>the mail, and it is bounced back to the actual sender. >> >>There are a lot of conditions when server can generate bounce >>only after receiving message to queue. > > > ... but that doesn't justify 'routinely' configuring to send newmails to > misdirected Froms. > > >>>What your server does, >>>is it actually accepts the email, decides it's invalid, then >>>composes a whole new email and "bounces" it back to an invalid >>>return address. > > > You are correct about that. > > >>This behaviour does not violate the standard. > > > It may not violate the standard, but it is abusive, and it is > reportable, and it will be reported, and those reports will get the > server listed, and that is not a good situation for the server or for > its clients -- so the server's admin should be reconfiguring according > to some less abusive options which other and wiser admins are doing. > > And, at that point, there is also some information at the SC faq > http://www.spamcop.net/fom-serve/cache/329.html#bounces Problem: > Misdirected bounces -- [the faq gives information for Qmail and > Exchange, and also supports the notion that this problem can be solved > by configuring correctly] > > >>>Thus, I receive a bounce for an email I never sent. >> >>I'm sorry. Server of our customer did this according to standard. >>The most of servers would do the same in such case. > > > Less and less and less servers are doing that now that servers are > getting themselves blocklisted for doing it. > Thanks for all the info, Mike. As I said, I know the basics, but I feel ill-equipped to argue with a professional mail admin. What should I tell him? Or should I simply ignore him and continue to report these fake bounces, as he's obviously not going to stop? From nobody at devnull.spamcop.net Mon Jul 4 17:59:00 2005 From: nobody at devnull.spamcop.net (Pop) Date: Mon Jul 4 17:00:03 2005 Subject: [SpamCop-List] Re: [MEDIA] China signs anti-spam pact References: Message-ID: "Tim" wrote in message news:dabk60$j14$1@news.spamcop.net... > http://www.theregister.co.uk/2005/07/04/china_spam/ > > Heh, we will have to wait and see! I hope they come up with something better than the (u-)CAN SPAM Act! The US record is pathetic, and what public efforts have happened are just not big enough to seriously impact it. We're still working on avoiding spam, not killing the spammers on the spot, which is what's needed. ISP ethics? What's that!? Pop From nobody at nowhere.invalid Tue Jul 5 00:20:50 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Mon Jul 4 17:25:03 2005 Subject: [SpamCop-List] Re: [MEDIA] China signs anti-spam pact References: Message-ID: On Mon, 04 Jul 2005 16:22:15 +0100, Tim coughed into spamcop and left this in : > http://www.theregister.co.uk/2005/07/04/china_spam/ > > Heh, we will have to wait and see! Spam coming from China is far less of a problem than they make out because most people block China anyway. The real problem is spammers' sites hosted in China. Cut China off from the rest of the Internet. Problem solved. -- Steve There's no place like ~ From anon at coks.net Mon Jul 4 15:28:27 2005 From: anon at coks.net (J G) Date: Mon Jul 4 17:30:03 2005 Subject: [SpamCop-List] Re: Need advice with misdirected bounces. In-Reply-To: References: Message-ID: On 7/4/2005 12:35 PM Borgholio scribbled: > Mike Easter wrote: > >>Borgholio wrote: >> >> >>>Got a reply from an ISP admin after reporting a misdirected bounce. >>>Here's a snippet from the conversation. I'm not an expert in >>>mailservers, so I'm wondering where I should go from here? >> >> >>This is a common discussion in nanae. The problem and the 'right and >>wrong' of it can almost always be configured in a more healthy manner >>than the 'old fashioned' way of doing business which is now abusive. >> >> >> >>>On Sat, Jul 02, 2005 at 09:49:36AM -0700, Borgholio wrote: >>> >>> >>>>A true bounce is when the SMTP server refuses to accept delivery of >>>>the mail, and it is bounced back to the actual sender. >>> >>>There are a lot of conditions when server can generate bounce >>>only after receiving message to queue. >> >> >>... but that doesn't justify 'routinely' configuring to send newmails to >>misdirected Froms. >> >> >> >>>>What your server does, >>>>is it actually accepts the email, decides it's invalid, then >>>>composes a whole new email and "bounces" it back to an invalid >>>>return address. >> >> >>You are correct about that. >> >> >> >>>This behaviour does not violate the standard. >> >> >>It may not violate the standard, but it is abusive, and it is >>reportable, and it will be reported, and those reports will get the >>server listed, and that is not a good situation for the server or for >>its clients -- so the server's admin should be reconfiguring according >>to some less abusive options which other and wiser admins are doing. >> >>And, at that point, there is also some information at the SC faq >>http://www.spamcop.net/fom-serve/cache/329.html#bounces Problem: >>Misdirected bounces -- [the faq gives information for Qmail and >>Exchange, and also supports the notion that this problem can be solved >>by configuring correctly] >> >> >> >>>>Thus, I receive a bounce for an email I never sent. >>> >>>I'm sorry. Server of our customer did this according to standard. >>>The most of servers would do the same in such case. >> >> >>Less and less and less servers are doing that now that servers are >>getting themselves blocklisted for doing it. >> > > > Thanks for all the info, Mike. As I said, I know the basics, but I feel > ill-equipped to argue with a professional mail admin. What should I tell > him? Or should I simply ignore him and continue to report these fake > bounces, as he's obviously not going to stop? FWIW, I continued reporting misdirects I was receiving recently and, for the past 30 hours anyway, they stopped, down from 50 a day for a week.. From nobody at devnull.spamcop.net Mon Jul 4 18:29:31 2005 From: nobody at devnull.spamcop.net (Pop) Date: Mon Jul 4 17:30:07 2005 Subject: [SpamCop-List] Re: [MEDIA] China signs anti-spam pact References: Message-ID: "Steven Maesslein" wrote in message news:slrndcja1i.2ss.nobody@127.0.0.1... > On Mon, 04 Jul 2005 16:22:15 +0100, Tim coughed into > spamcop and left > this in : > >> http://www.theregister.co.uk/2005/07/04/china_spam/ >> >> Heh, we will have to wait and see! > > Spam coming from China is far less of a problem than > they make out > because most people block China anyway. > > The real problem is spammers' sites hosted in China. > > Cut China off from the rest of the Internet. Problem > solved. > > -- > Steve > > There's no place like ~ The US and Canada is a bigger spammer than China is. Cut the US and Canada off from the rest of the world, and problem solved too. Pop From borgholio at storymind.com Mon Jul 4 15:53:01 2005 From: borgholio at storymind.com (Borgholio) Date: Mon Jul 4 17:55:02 2005 Subject: [SpamCop-List] Re: Need advice with misdirected bounces. In-Reply-To: References: Message-ID: J G wrote: > > FWIW, I continued reporting misdirects I was receiving recently and, for > the past 30 hours anyway, they stopped, down from 50 a day for a week.. Oh yeah same here. Over the past month, misdirected bounces have dropped from dozens per day to only a handful. It seems pretty consistent too. From nospam at dev.null Tue Jul 5 01:48:09 2005 From: nospam at dev.null (Anty Spam) Date: Mon Jul 4 18:50:07 2005 Subject: [SpamCop-List] Re: [MEDIA] China signs anti-spam pact References: Message-ID: "Pop" wrote in message news:dac9nh$usa$1@news.spamcop.net... > > "Steven Maesslein" wrote in > message news:slrndcja1i.2ss.nobody@127.0.0.1... ... SNIP.... > > Cut China off from the rest of the Internet. Problem > > solved. ....SNIP.... > Cut the US and Canada off from the rest of the world, > and problem solved too. ....SNIP And there lies the problem. How many days did I not wish I was in control of spamblocks. Our country has a lot of commercial ties with China. Likewise America. Likewise 419'ers :-( Likewise a very efficent 419legal.org. If the economy had to suffer only "ONE" day at a time internationally, the equivalent of a internet Union strike, with all internet connectivity being cut off for a day, that would send a very clear message with little long term effects. This will send the message to the relevant goverments to sit up and do what they are supposed to do: PROTECT THE INTERNET. There lies the rub as well - This is where politics comes into play and parties and goverments try to build power bases. The internet is a world wide resource, not China, USA, Brazil or any other country's property. The golden path is protect and not control. Another thought: What is the ratio of spammers vs population of China, USA, Brazil etc. Nigeria (419's ;-) Cheers E From anon at coks.net Mon Jul 4 17:45:18 2005 From: anon at coks.net (J G) Date: Mon Jul 4 19:50:04 2005 Subject: [SpamCop-List] Re: [MEDIA] China signs anti-spam pact In-Reply-To: References: Message-ID: On 7/4/2005 3:48 PM Anty Spam scribbled: > And there lies the problem. How many days did I not wish I was in control of > spamblocks. Our country has a lot of commercial ties with China. Likewise > America. Then you must be Canuck - born there myself, so no ax to grind. But your slightly more socialist bend appears in the next paragraph... > > If the economy had to suffer only "ONE" day at a time internationally, the > equivalent of a internet Union strike, with all internet connectivity being > cut off for a day, that would send a very clear message with little long > term effects. This will send the message to the relevant goverments to sit > up and do what they are supposed to do: > PROTECT THE INTERNET. Nice thought, but not the job of government - Lord help us, getting the wags involved. > > There lies the rub as well - This is where politics comes into play and > parties and goverments try to build power bases. The internet is a world > wide resource, not China, USA, Brazil or any other country's property. > > The golden path is protect and not control. > but not the govy.. > Another thought: What is the ratio of spammers vs population of China, USA, > Brazil etc. Nigeria (419's ;-) Given population numbers, China probably shows well n this regard. What with all the the technology available, the Net should be able to take care of /itself/. Wishful thinking, maybe, but who brought up SC, open source, free ware, etc.? No doubt economically driven in the final analysis, but a lot of folks just helping out in between, which continues as I speak, and that was the idea at the start. That is what will control the net - you and me (when I learn a few more things)... From no at spam.invalid Mon Jul 4 18:23:51 2005 From: no at spam.invalid (Michael Wise) Date: Mon Jul 4 20:25:02 2005 Subject: [SpamCop-List] Re: [MEDIA] China signs anti-spam pact References: Message-ID: In article , "Pop" wrote: > > Spam coming from China is far less of a problem than > > they make out > > because most people block China anyway. > > > > The real problem is spammers' sites hosted in China. > > > > Cut China off from the rest of the Internet. Problem > > solved. > > > > -- > > Steve > > > > There's no place like ~ > > The US and Canada is a bigger spammer than China is. > Cut the US and Canada off from the rest of the world, > and problem solved too. It's not so much _where_ spam comes from...as most comes from 0wned Windoze PC's on broadband links (since the US leads the world in numbers of broadband connected boxes, it makes sense, that they also lead the work in0wened PC's...and therefor spam sources) as much as _who_ is hosting the spamvertised sites....and China takes the #1 honors for that. --Mike From nospam at dev.null Tue Jul 5 03:55:49 2005 From: nospam at dev.null (Anty Spam) Date: Mon Jul 4 20:55:03 2005 Subject: [SpamCop-List] Re: [MEDIA] China signs anti-spam pact References: Message-ID: "J G" wrote in message news:dachme$3it$1@news.spamcop.net... > On 7/4/2005 3:48 PM Anty Spam scribbled: > > > And there lies the problem. How many days did I not wish I was in control of > > spamblocks. Our country has a lot of commercial ties with China. Likewise > > America. > > Then you must be Canuck - born there myself, so no ax to grind. But > your slightly more socialist bend appears in the next paragraph... Nope: White in Southern Africa :-) Not socialisitic whatsover either. The years and many scars have taught me that everything is a tool. Law, mass action etc - unfortunately normally used for the wrong purpose. Okay, so you'll next ask who will be the judge of that ...;-) > > > > If the economy had to suffer only "ONE" day at a time internationally, the > > equivalent of a internet Union strike, with all internet connectivity being > > cut off for a day, that would send a very clear message with little long > > term effects. This will send the message to the relevant goverments to sit > > up and do what they are supposed to do: > > PROTECT THE INTERNET. > > Nice thought, but not the job of government - Lord help us, getting the > wags involved. How else could you enforce anti abuse measures? Not talking USA style either, heaven forbid! We only have to consider China Tiengtong. As such the small ray of hope reading the article that started this thread. Agreements will not solve the problem of spam. Punishment in terms of money is always the best. Unfortunately to do that effectively, you needs laws. Business tends to be creative and uses money to bypass restrictions. > > > > There lies the rub as well - This is where politics comes into play and > > parties and goverments try to build power bases. The internet is a world > > wide resource, not China, USA, Brazil or any other country's property. > > > > The golden path is protect and not control. > > > but not the govy.. The goverment should do so on the basis of international agreements. It is a sad fact that business will do anything for money. It is also a sad fact that money buys whatever is required to make more money. We only need to look at what is happening with ICANN. Was a good idea at the time? As such the likes of big ISPs/Telecoms companies will not be candidates. OK, what about individuals? How do I enforce spamcop rules via a pop account? I am too low in the chain. That's why there has to be a form of punishment if J Blogg living around the corner decides to sell porn via the internet to some poor 12 yr old kid in Russia or wherever. Look at Nigeria where 419's is not only a big source of revenue, it is also seen as a disgrace if you are caught 419ing. Note - caught. On paper it is illegal, in reality... > > > Another thought: What is the ratio of spammers vs population of China, USA, > > Brazil etc. Nigeria (419's ;-) > > Given population numbers, China probably shows well n this regard. > What with all the the technology available, the Net should be able to > take care of /itself/. Wishful thinking, maybe, but who brought up SC, > open source, free ware, etc. Good point and agreed 101% > No doubt economically driven in the final analysis, but a lot of folks > just helping out in between, which continues as I speak, and that was > the idea at the start. That is what will control the net - you and me > (when I learn a few more things)... Yes. No. www.spamcon.org ? All but a shell due to unwise laws. As such one for you argument. But then again, what would have happend if certian state spam laws were enacted, the ones cut off by CAN SPAM. The opposite I am sure. Nothing motivates certain individuals to sniff out spammers as the lure of $$$. I used to publish a lot of less know spammer info when I dug it up. This was well used :-) Cheers E From MikeE at ster.invalid Mon Jul 4 19:08:01 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon Jul 4 21:10:03 2005 Subject: [SpamCop-List] Re: [MEDIA] China signs anti-spam pact References: Message-ID: Anty Spam wrote: > Punishment in > terms of money is always the best. Unfortunately to do that > effectively, you needs laws. If you were king/emporer of the planet, exactly what antispam law would you make/dictate? That is, exactly what would be against the law, and exactly how would that law be policed and enforced? -- Mike Easter kibitzer, not SC admin From nospam at dev.null Tue Jul 5 04:54:40 2005 From: nospam at dev.null (Anty Spam) Date: Mon Jul 4 21:55:03 2005 Subject: [SpamCop-List] Re: [MEDIA] China signs anti-spam pact References: Message-ID: "Mike Easter" wrote in message news:dacmhi$67u$1@news.spamcop.net... > Anty Spam wrote: > > Punishment in > > terms of money is always the best. Unfortunately to do that > > effectively, you needs laws. > > If you were king/emporer of the planet, exactly what antispam law would > you make/dictate? In a nutshell. Respect for my fellow netizens. As such, if A does not want spam, it is illegal, whatever his reason. If I am a Islamic and do not wish to recieve porno spam, so be it. If I am against pornography in my childrens' mailbox, so be it. If I do no believe in whatever - i do not recieve it. Ah yes, no tricks that I as spammer now change domain name and suddenly repeat the spam. I think you get the idea. It is more than spamming. It is abuse in general of the internet. > That is, exactly what would be against the law, and exactly how would > that law be policed and enforced? > If in Russia, a law that stops my citizens from blasting the USA. If Usa Joe prooves that Igor Ruskie has been spamming him , Igor gets a fine. The money can be used for whatever charitable cause as decided by whatever appropriate body. Repeat offences can escalate to the guilty be imprisoned. Likewise USA Joe would get a fine or ??? in the USA for blasting Chung in China etc ... Enforcement should be done via the local goverment's officials getting the complaints, escalating abroad if required. Interpol style internatioanl coordinating group? The rules will not be one counrty's, but international by common consent. The law will only be applied locally based on the rules. The mechanism could be opt out or opt in. But a common mechanism is required. Not like the current situation I know this is idealistic, but I do not know a country where stealing is condoned. Even Nigeria will not publicly condone it. Spamming should have the same status. If this is not done, new technologies will replace the internet, only to have the circle repeat itself. Mail spam, Fax spam, currently email spam, ... The internet challenges are different to the predecessors in as far as their is not a cost differentiation in spamming Chung vs Joe to the abuser. However, chances of getting into trouble for spamming internationally is less for the individual, though not the bandwidth supplier/ISP. As such the spammer moving to a new net to repeat the excercise. American's using China? "I have a dream ..." :-) Cheers E From windsorfoxNOSPAM at cox.net Tue Jul 5 00:51:51 2005 From: windsorfoxNOSPAM at cox.net (WindsorFox[SS]) Date: Tue Jul 5 00:50:10 2005 Subject: [SpamCop-List] Re: ALGX and XO In-Reply-To: References: Message-ID: Larry Kilgallen wrote: > In article , "WindsorFox[SS]" writes: > >> I am recieving insessant, constant garbage from ultimate free >>laptops .com. I Did the unsubscribe for 2 weeks and they still come. > > > > NEVER unsubscribe from something to which you did not subscribe. > There is no reason to believe that someone so unethical as to > subscribe you without permission would behave honorably with > regard to unsubscription. > > No major provider suggests its customer should reply to spammers > but many advise against it. > > http://www.spamhaus.org/removelists.html Thanks for the news flash. Any idea why Spamcops reporting info is out of date and how to get it fixed?? From nobody at spamcop.net Mon Jul 4 23:10:13 2005 From: nobody at spamcop.net (Dar) Date: Tue Jul 5 01:15:03 2005 Subject: [SpamCop-List] Holidays for spammers... Message-ID: Holidays for spammers just means more time to send spam! I received at least twice the number of spam messages today. Sorry -- just my little venting rant. Dar From nobody at spamcop.net Mon Jul 4 23:10:55 2005 From: nobody at spamcop.net (Dar) Date: Tue Jul 5 01:15:07 2005 Subject: [SpamCop-List] Re: Holidays for spammers... References: Message-ID: > Holidays for spammers just means more time to send spam! > I received at least twice the number of spam messages today. > Sorry -- just my little venting rant. > > Dar I know, I know... it was only a holiday for the U.S. From bar_n0ne at hotmail.com Tue Jul 5 10:27:41 2005 From: bar_n0ne at hotmail.com (Berny) Date: Tue Jul 5 01:30:02 2005 Subject: [SpamCop-List] MCI's business Plan gets even stranger Message-ID: Now into Celebrity sex videos: Tracking message source: 63.13.186.44: Routing details for 63.13.186.44 Report routing for 63.13.186.44: abuse@mci.com Yum, this spam is fresh! and Tracking link: http://i9i9innn.com/2/ [report history] Resolves to 63.105.204.171 Routing details for 63.105.204.171 Report routing for 63.105.204.171: abuse@mci.com From anon at coks.net Mon Jul 4 23:51:58 2005 From: anon at coks.net (J G) Date: Tue Jul 5 01:55:03 2005 Subject: [SpamCop-List] Re: [MEDIA] China signs anti-spam pact In-Reply-To: References: Message-ID: On 7/4/2005 5:55 PM Anty Spam scribbled: > > Nope: White in Southern Africa :-) Not socialisitic whatsover either. The > years and many scars have taught me that everything is a tool. Law, mass > action etc - unfortunately normally used for the wrong purpose. Okay, so > you'll next ask who will be the judge of that ...;-) Sorry, "our country" just sounded closer to home... Unfortunately to do that effectively, you needs laws. Business > tends to be creative and uses money to bypass restrictions. But business, by and large, follows laws, without which we have no business - and we already have laws which are not followed as it is. Why more laws to be not followed? > >>>There lies the rub as well - This is where politics comes into play and >>>parties and goverments try to build power bases. The internet is a world >>>wide resource, not China, USA, Brazil or any other country's property. >>> >>>The golden path is protect and not control. Golden path? Whose map? > The goverment should do so on the basis of international agreements. bullshit It is a sad fact that business will do anything for money. thats business, but so will people do the same and that is what? human nature, the root problem It is also a sad fact that money buys whatever is required to make more money. thats business, again, and human nature, again. Human nature is capitalistic - better learn to deal wit it if you haven't already. How do I enforce spamcop rules via a pop account? ?? That's why there has to be a form of punishment if J Blogg living around the corner decides to sell porn... there are countless laws on the books of hundreds of countries that need only be enforced - we don't need another wheel, we need a people willing to enforce the laws they have all agreed to live under. People with spine... > Yes. No. www.spamcon.org ? All but a shell due to unwise laws. huh? As such one for you argument. But then again, what would have happend if certian state spam laws were enacted, the ones cut off by CAN SPAM. about 2000 more millionaire laywers and a few challenges to the constiutional law as written - and no, the net won't move the supreme court, painful as that may be. The opposite I am sure. Nothing motivates certain individuals to sniff out spammers as the > lure of $$$. Same lure as attracts spammers, and in the end the same result - bulls and bears make money, pigs get slaughtered. Figure out how to control sex and you may be onto something... > > Cheers > > E > BTW, using OE, you might want to look into quotefix... From anon at coks.net Mon Jul 4 23:56:16 2005 From: anon at coks.net (J G) Date: Tue Jul 5 02:00:02 2005 Subject: [SpamCop-List] Re: [MEDIA] China signs anti-spam pact In-Reply-To: References: Message-ID: On 7/4/2005 6:54 PM Anty Spam scribbled: > "I have a dream ..." :-) good grief... > > Cheers > > E > > > From nobody at devnull.spamcop.net Tue Jul 5 17:24:34 2005 From: nobody at devnull.spamcop.net (Patto) Date: Tue Jul 5 03:25:03 2005 Subject: [SpamCop-List] Re: Holidays for spammers... In-Reply-To: References: Message-ID: Dar wrote: >>Holidays for spammers just means more time to send spam! >>I received at least twice the number of spam messages today. >> Sorry -- just my little venting rant. >> >>Dar > > > I know, I know... it was only a holiday for the U.S. Well, that's where most of the spammers reside... From redford_stone at INVERSE_OF_COLDmail.com Tue Jul 5 11:05:45 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Tue Jul 5 06:10:03 2005 Subject: [SpamCop-List] Re: Holidays for spammers... References: Message-ID: "Dar" wrote in news:dad4p7$dfk$1@news.spamcop.net: >> Holidays for spammers just means more time to send spam! >> I received at least twice the number of spam messages today. >> Sorry -- just my little venting rant. >> >> Dar > > I know, I know... it was only a holiday for the U.S. > > Meaning that many abuse desks is closed. You aren't alone. Going to be a rude awakening for someone to open the abuse@ inbox to find a ton of reports. From bar_n0ne at hotmail.com Tue Jul 5 15:19:15 2005 From: bar_n0ne at hotmail.com (Berny) Date: Tue Jul 5 06:20:03 2005 Subject: [SpamCop-List] Wierd one, parsiong through localhosts Message-ID: http://www.spamcop.net/sc?id=z782280845z8e0e6f789f003b1353a324e368e322baz it finds the correct ISP, but parses right past the first received line through 2 "localhosts" to find another (perhaps forged?) received line from bezequint. I think 192.115.104.18 is the correct source, perhaps those local hosts are internal relays, but how can they be trusted? - tres etrange From nobody at xyzzy.claranet.de Tue Jul 5 13:19:18 2005 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Tue Jul 5 06:25:03 2005 Subject: [SpamCop-List] Re: Need advice with misdirected bounces. References: <42C87830.404C@xyzzy.claranet.de> Message-ID: <42CA5EA6.6FF5@xyzzy.claranet.de> Graeme Leith wrote: > Although RFC2821 widely implemented, it is not an internet > standard[1]. It's a "proposed standard", the first first step of the normal standards process. The author intends to start working on a 2821bis this week, and he apparently hopes that this could be a "draft standard", the second step. The old RfC 821 is still a "full standard" (STD 10), but some of it is really obsolete today. Anything with ESMTP (EHLO instead of HELO, SMTP AUTH, etc.) is 2821 and some other RfCs. > RFC821 makes no provision for rejection after the SMTP > transaction is complete. Your last chance is the dot termiatig the "data" (= mail), if you say "250 okay" at this point you have the responsibility - incl. to create a "bounce message" if you can't deliver or forward the mail. But you can say "5xx thanks, but no thanks" even at this last moment, see the second state diagram in chapter 4.4 of RfC 821. There's also an error code "552 too much mail data" - okay, it is not exactly "die, spamer, die", but 5xx at the end of the mail data is allowed. > So you could argue that rejection after receipt violates the > official mail standard. ;-) Only if you said "250 okay", then you have acepted it and must not silently delete it for "frivolous reasons". If you simply rejected it (552 or other 5xx) it's perfectly legal. > [1]: http://rfc.net/std1.html shows the "obsoleted by 2821" - IETF magic, the official standard is obsolete. Bye From bar_n0ne at hotmail.com Tue Jul 5 15:21:09 2005 From: bar_n0ne at hotmail.com (Berny) Date: Tue Jul 5 06:25:09 2005 Subject: [SpamCop-List] Re: Holidays for spammers... References: Message-ID: "Redstone" wrote in message news:Xns968A1F800938Dtinlc@216.154.195.61... > "Dar" wrote in news:dad4p7$dfk$1@news.spamcop.net: > SNIP > > > Meaning that many abuse desks is closed. You aren't alone. > > Going to be a rude awakening for someone to open the abuse@ inbox to > find a ton of reports. > Umm...Why? .... . /dev/null is always zero size isn't it? From MikeE at ster.invalid Tue Jul 5 06:32:44 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jul 5 08:35:03 2005 Subject: [SpamCop-List] Re: Wierd one, parsiong through localhosts References: Message-ID: Berny wrote: www.spamcop.net/sc?id=z782280845z8e0e6f789f003b1353a324e368e322baz If reported today, reports would be sent to: Re: 62.219.236.145 (Administrator of network where email originates) Abbreviated Received lines *comment from (sa4.bezeqint.net [192.115.104.18]) by eurmta01.london.eur.slb.com from localhost by sa4.bezeqint.net *time-2h from sa4.bezeqint.net ([127.0.0.1]) by localhost from smtp.bezeqint.net (unknown [62.219.236.145]) by sa4.bezeqint.net from bound.nayzak.com ([66.179.229.20]) by berwick.spray.se *time+30d, bogusline from www.nayzak.com (202.145.54.77) by bound.nayzak.com *time, bogusline > it finds the correct ISP, but parses right past the first received > line through 2 "localhosts" to find another (perhaps forged?) > received line from bezequint. IMO SC finds the correct IP, the bezeqint user 'behind' the bezeqint server. The user IP 62.219.236.145 rDNS bzq-219-236-145.pop.bezeqint.net is SC blocklisted and is spamming thru' hir provider's smtp servers. Rather than the typical proxy/trojan abuse direct to mx, this is a spamsource inserting 2 boguslines and then spamming out its provider's smtp server. Altho' the rDNS sourcename has 'pop' in it, I don't think that is a popserver, because I can't make a sensible structure out of that. The IP is classified as a dynamic by njabldyna. > I think 192.115.104.18 is the correct source, perhaps those local > hosts are internal relays, but how can they be trusted? SC is trusting 192.115.104.18 rDNS sa4.bezeqint.net to be a server. bezeqint's MX is mailmx.bezeqint.net DNS 192.115.106.58. I think SC has it right. This is a good 'test' of the bezeqint abuse desk to be responsive to spam coming from their service. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Tue Jul 5 06:38:43 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jul 5 08:40:02 2005 Subject: [SpamCop-List] Re: ALGX and XO References: Message-ID: WindsorFox[SS] wrote: > I am recieving insessant, constant garbage from ultimate free > laptops .com. I Did the unsubscribe for 2 weeks and they still come. > Now, Spamcop reports them to abuse@algx.com , but it seems like it > should goto abuse@xo.com ?? These people are glib and could not care > less if you paid them to. If you want to discuss how SC notifies for something you should post a tracker -- working with something like 'laptops.com' is not adequate information, especially in the context in which you placed it. It also sounds like you are having trouble unsubbing to something you subbed. -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Tue Jul 5 09:18:11 2005 From: nobody at spamcop.net (Ellen) Date: Tue Jul 5 09:20:09 2005 Subject: [SpamCop-List] Re: ALGX and XO References: Message-ID: "WindsorFox[SS]" wrote in message news:da6lui$23g$1@news.spamcop.net... > I am recieving insessant, constant garbage from ultimate free > laptops .com. I Did the unsubscribe for 2 weeks and they still come. > Now, Spamcop reports them to abuse@algx.com , but it seems like it > should goto abuse@xo.com ?? These people are glib and could not care > less if you paid them to. It would help to have an IP but TTBMK the algx abuse mailbox is still read even tho they have been bought by XO. Ellen From nobody at spamcop.net Tue Jul 5 09:26:44 2005 From: nobody at spamcop.net (Ellen) Date: Tue Jul 5 09:20:17 2005 Subject: [SpamCop-List] Re: Wierd one, parsiong through localhosts References: Message-ID: "Berny" wrote in message news:dadmr5$mrf$1@news.spamcop.net... > http://www.spamcop.net/sc?id=z782280845z8e0e6f789f003b1353a324e368e322baz > > it finds the correct ISP, but parses right past the first received line > through 2 "localhosts" to find another (perhaps forged?) received line from > bezequint. > > I think 192.115.104.18 is the correct source, perhaps those local hosts are > internal relays, but how can they be trusted? > > - tres etrange > > We know those headers to be bezequint handing the email around thru their server farm. The source is 62.219.236.145. Ellen From nobody at devnull.spamcop.net Tue Jul 5 10:59:20 2005 From: nobody at devnull.spamcop.net (Pop) Date: Tue Jul 5 10:00:02 2005 Subject: [SpamCop-List] Re: [MEDIA] China signs anti-spam pact References: Message-ID: ... > Given population numbers, China probably shows well n > this regard. > What with all the the technology available, the Net > should be able to > take care of /itself/. Wishful thinking, maybe, but > who brought up SC, > open source, free ware, etc.? ... Wishful maybe, probably in fact, but just in case, I still participate in the good fight against them. It can't hurt and allows a certain amount of satisfaction that they're not being "bugged" and allowed totally free reign. Pop From nospam at dev.null Tue Jul 5 21:18:18 2005 From: nospam at dev.null (Anty Spam) Date: Tue Jul 5 14:20:03 2005 Subject: [SpamCop-List] Re: Holidays for spammers... References: Message-ID: "Dar" wrote in message news:dad4nt$dfe$1@news.spamcop.net... > Holidays for spammers just means more time to send spam! > I received at least twice the number of spam messages today. > Sorry -- just my little venting rant. > > Dar > Ditto here, lots of penny stock stuff. All from China :-) From wb8tyw at qsl.network Tue Jul 5 15:41:57 2005 From: wb8tyw at qsl.network (John E. Malmberg) Date: Tue Jul 5 14:45:04 2005 Subject: [SpamCop-List] Re: Holidays for spammers... In-Reply-To: References: Message-ID: Redstone wrote: > "Dar" wrote in news:dad4p7$dfk$1@news.spamcop.net: > > >>>Holidays for spammers just means more time to send spam! >>>I received at least twice the number of spam messages today. >>> Sorry -- just my little venting rant. >>> >>>Dar >> >>I know, I know... it was only a holiday for the U.S. >> > Meaning that many abuse desks is closed. You aren't alone. > > Going to be a rude awakening for someone to open the abuse@ inbox to > find a ton of reports. Actually many may get is a load of complaints from their customers because some $major ISP or DNSBL blocked all their e-mail because they mishandled a critical abuse complaint prior to or during the weekend. Such blocks will usually take 24 to 72 hours to clear based on postings from customers on an internal forum for my broadband supplier. Once such scenario seems to be playing out this last weekend on news.admin.net-abuse.blocklisting for a Spamhaus.org escalation. -John wb8tyw@qsl.network Personal Opinion Only From nobody at devnull.spamcop.net Tue Jul 5 17:54:57 2005 From: nobody at devnull.spamcop.net (Pop) Date: Tue Jul 5 16:55:04 2005 Subject: [SpamCop-List] Re: Holidays for spammers... References: Message-ID: "Anty Spam" wrote in message news:daeira$7qj$1@news.spamcop.net... > "Dar" wrote in message > news:dad4nt$dfe$1@news.spamcop.net... >> Holidays for spammers just means more time to send >> spam! >> I received at least twice the number of spam >> messages today. >> Sorry -- just my little venting rant. >> >> Dar >> Spammers have no country, no caring family and no redeeming qualities, thus a holiday means nothing to them. All they care about is spamming and getting that sucker hooked. From noone at nowhere.com Tue Jul 5 22:23:13 2005 From: noone at nowhere.com (Bob Itguy) Date: Tue Jul 5 21:25:04 2005 Subject: [SpamCop-List] Re: SC still can't parse these links, needs updated References: Message-ID: Thanks, did as you said http://www.spamcop.net/sc?id=z782570148zb4a042312262f8c96e0923aa2566a71az Worked fine "Mike Easter" wrote in message news:da76th$b0f$1@news.spamcop.net... > Mike Easter wrote: >> The only benefit there would have >> been to deobfuscating it would be to publish the URL on the stats >> page for sc-surbl to scrape for its db. > > Which brings up a different but related question. > > If SC deobfuscates a URL for the statistics page, how does it publish > the URL, in the original form? Or in the deobfuscated form? > > And, if a person is using the sc-surbl or spamcopURI to filter -- how > does that work for broken URLs? I'm not clear on this. Does the filter > filter on the obfuscated string? It would see that it would have to. > > I think the SpamPal URL body plugin converts the URL to an IP and runs > that IP against the chosen DNSBLs. > > -- > Mike Easter > kibitzer, not SC admin > > From MikeE at ster.invalid Tue Jul 5 20:26:37 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jul 5 22:30:03 2005 Subject: [SpamCop-List] Re: SC still can't parse these links, needs updated References: Message-ID: Bob Itguy wrote: > Thanks, did as you said www.spamcop.net/sc?id=z782570148zb4a042312262f8c96e0923aa2566a71az Where did you see me tell you to change the content of the body of the spam into a deobfuscated link so SC could resolve it? And then to report the forged spam? Reports regarding this spam have already been sent: Re: http://vuibihjjeylv.com.bmqaxmj7fq5m29xmliw7.audiogramkb.info/#abbiqnjht.org (Administrator of network hosting website referenced in spam) Reportid: 1461488045 To: abuse@chinanet.cn.net Reportid: 1461488046 To: postmaster#cnc-noc.net@devnull.spamcop.net > Worked fine What I said was that if I fed that obfuscated link that SC could not de-obfuscate into a browser or my console's GET function that the browser and the console both converted it into a form that SC could resolve. I did not say 'change the spam to something that SC can parse and report.' The rules say to not be making material changes to spam that cause it to find a link, address, or url that it wouldn't have found. http://www.spamcop.net/fom-serve/cache/283.html Material changes to spam -- Do not make any material changes to spam before submitting or parsing which may cause SpamCop to find a link, address or URL it normally would not, by design, find. When I make changes or 'forgeries' to spams, it is done experimentally and SC's offer to report is cancelled. The purpose of such changes is to help with an understanding of problems encountered. In this case, I never even changed the url in the body of the spam experimentally, I only fed it nakedly to the parser to test for its ability to resolve. Sometimes urls may be resolvable nakedly but not in a spam. Or not in a spam at one time, but resolvable another time. -- Mike Easter kibitzer, not SC admin From noone at nowhere.com Tue Jul 5 23:53:22 2005 From: noone at nowhere.com (Bob Itguy) Date: Tue Jul 5 22:55:03 2005 Subject: [SpamCop-List] Re: SC still can't parse these links, needs updated References: Message-ID: "SC can parse it if there isn't a dot space dot" That's what I went by, not a problem, I won't do it again since it's a no-no...... "Mike Easter" wrote in message news:daffgs$pfl$1@news.spamcop.net... > Bob Itguy wrote: >> Thanks, did as you said > www.spamcop.net/sc?id=z782570148zb4a042312262f8c96e0923aa2566a71az > > Where did you see me tell you to change the content of the body of the > spam into a deobfuscated link so SC could resolve it? And then to > report the forged spam? > > Reports regarding this spam have already been sent: > Re: > http://vuibihjjeylv.com.bmqaxmj7fq5m29xmliw7.audiogramkb.info/#abbiqnjht.org > (Administrator of network hosting website referenced in spam) > Reportid: 1461488045 To: abuse@chinanet.cn.net > Reportid: 1461488046 To: postmaster#cnc-noc.net@devnull.spamcop.net > >> Worked fine > > What I said was that if I fed that obfuscated link that SC could not > de-obfuscate into a browser or my console's GET function that the > browser and the console both converted it into a form that SC could > resolve. > > I did not say 'change the spam to something that SC can parse and > report.' > > The rules say to not be making material changes to spam that cause it to > find a link, address, or url that it wouldn't have found. > > http://www.spamcop.net/fom-serve/cache/283.html Material changes to > spam -- Do not make any material changes to spam before submitting or > parsing which may cause SpamCop to find a link, address or URL it > normally would not, by design, find. > > When I make changes or 'forgeries' to spams, it is done experimentally > and SC's offer to report is cancelled. The purpose of such changes is > to help with an understanding of problems encountered. > > In this case, I never even changed the url in the body of the spam > experimentally, I only fed it nakedly to the parser to test for its > ability to resolve. Sometimes urls may be resolvable nakedly but not in > a spam. Or not in a spam at one time, but resolvable another time. > > > > -- > Mike Easter > kibitzer, not SC admin > > From noone at nowhere.com Tue Jul 5 23:55:45 2005 From: noone at nowhere.com (Bob Itguy) Date: Tue Jul 5 23:00:03 2005 Subject: [SpamCop-List] Re: SC still can't parse these links, needs updated References: Message-ID: And in any event my message was for someone that works at SpamCop in hopes that they would note the error that SC was having with these types of emails and hopefully fix it so that SC can become better at what it does, parse spam... "Bob Itguy" wrote in message news:dafh46$qg8$1@news.spamcop.net... > "SC can parse it if there isn't a dot space dot" > > That's what I went by, not a problem, I won't do it again since it's a > no-no...... > > "Mike Easter" wrote in message > news:daffgs$pfl$1@news.spamcop.net... >> Bob Itguy wrote: >>> Thanks, did as you said >> www.spamcop.net/sc?id=z782570148zb4a042312262f8c96e0923aa2566a71az >> >> Where did you see me tell you to change the content of the body of the >> spam into a deobfuscated link so SC could resolve it? And then to >> report the forged spam? >> >> Reports regarding this spam have already been sent: >> Re: >> http://vuibihjjeylv.com.bmqaxmj7fq5m29xmliw7.audiogramkb.info/#abbiqnjht.org >> (Administrator of network hosting website referenced in spam) >> Reportid: 1461488045 To: abuse@chinanet.cn.net >> Reportid: 1461488046 To: postmaster#cnc-noc.net@devnull.spamcop.net >> >>> Worked fine >> >> What I said was that if I fed that obfuscated link that SC could not >> de-obfuscate into a browser or my console's GET function that the >> browser and the console both converted it into a form that SC could >> resolve. >> >> I did not say 'change the spam to something that SC can parse and >> report.' >> >> The rules say to not be making material changes to spam that cause it to >> find a link, address, or url that it wouldn't have found. >> >> http://www.spamcop.net/fom-serve/cache/283.html Material changes to >> spam -- Do not make any material changes to spam before submitting or >> parsing which may cause SpamCop to find a link, address or URL it >> normally would not, by design, find. >> >> When I make changes or 'forgeries' to spams, it is done experimentally >> and SC's offer to report is cancelled. The purpose of such changes is >> to help with an understanding of problems encountered. >> >> In this case, I never even changed the url in the body of the spam >> experimentally, I only fed it nakedly to the parser to test for its >> ability to resolve. Sometimes urls may be resolvable nakedly but not in >> a spam. Or not in a spam at one time, but resolvable another time. >> >> >> >> -- >> Mike Easter >> kibitzer, not SC admin >> >> > > From MikeE at ster.invalid Tue Jul 5 21:31:15 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jul 5 23:35:02 2005 Subject: [SpamCop-List] Re: SC still can't parse these links, needs updated References: Message-ID: Bob Itguy wrote: > And in any event my message was for someone that works at SpamCop in > hopes that they would note the error that SC was having with these > types of emails and hopefully fix it so that SC can become better at > what it does, parse spam... Well, that's the reason I say and do some of the things I do 'forgery-wise' -- so that if the powers are lurking and they/he feels like tweaking something, some of the discovery of the mechanism for the problem process has already been done or 'fingered'. But, some 'errors' of html or urls which a browser or even a GET console tolerates 'shouldn't' be fixed in the parser. 'We' get me in trouble if I'm trying to be helpful for diagnosing and 'forging' experimentally and talking about the effect of those changes and then someone actually does the material change to the spam and reports with it. As a separate but slightly related issue... Of course, there's also the officially sanctioned derivatives of derivatives of derivatives of a spambody -- in which some kind of html of a spam is converted into a MAPI derivation of that html for storage and to fulfill Outlook's function as a mail client for Office's MAPI driven application suite. Then, an OL user wants to play like OL is a spamreporting tool, so it asks OL to provide the message source. Oops. The source which is no longer available in its original form. So, OL manufactures or recreates an html derivation of the MAPI spambody store for the 2nd derivative or derivative of the derivative. Then the OL reporter feeds that derived derivation into the bottom half of the SC parser which was designed to 'digest' OL and Eudora spambody submissions, and then the parser makes yet another derivation or hack of the doubly derived html. But, those changes of changed changes have been built in and approved - by design. 'Freestyle' user changes to help SC find something it wouldn't find are not approved. Unhappy admins of various hat colors are receiving these spamcop reports, and fostering the perception that SC allows its users to just manufacture their own spam links doesn't go over very well for spamcop's reputation. -- Mike Easter kibitzer, not SC admin From nttp.sc.s at bigsleep.org Wed Jul 6 07:04:46 2005 From: nttp.sc.s at bigsleep.org (Blammo) Date: Wed Jul 6 02:05:02 2005 Subject: [SpamCop-List] Re: Need advice with misdirected bounces. References: <42C87830.404C@xyzzy.claranet.de> <42CA5EA6.6FF5@xyzzy.claranet.de> Message-ID: On 05 Jul 2005 Frank Ellermann entered spamcop and left news:42CA5EA6.6FF5@xyzzy.claranet.de: > There's also an error code "552 too much mail data" - okay, it > is not exactly "die, spamer, die", but 5xx at the end of the > mail data is allowed. > The important difference being that you are replying to the machine sending the message, specificly it's a response to a command: "Open the pod bay doors HAL". But then the spammer's line would be: "Badges? We don't need no stink'n badges!". Really, at that point it's like "Hey mister spammer! You forgot your change...". -- | Ric | From redford_stone at INVERSE_OF_COLDmail.com Wed Jul 6 09:23:31 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Wed Jul 6 04:25:05 2005 Subject: [SpamCop-List] Re: Holidays for spammers... References: Message-ID: "Berny" wrote in news:dadmuo$mv9$1@news.spamcop.net: > > Umm...Why? .... . /dev/null is always zero size isn't it? > > Only for the blackhats.. not for the whitehats. From redford_stone at INVERSE_OF_COLDmail.com Wed Jul 6 09:28:43 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Wed Jul 6 04:30:02 2005 Subject: [SpamCop-List] Re: Holidays for spammers... References: Message-ID: "John E. Malmberg" wrote in news:daek9l$961$1@news.spamcop.net: > > Such blocks will usually take 24 to 72 hours to clear based on > postings from customers on an internal forum for my broadband > supplier. > What sucks is when the mail server ends up on a difficult listing service like SPEWS. > > Once such scenario seems to be playing out this last weekend on > news.admin.net-abuse.blocklisting for a Spamhaus.org escalation. > Need to have a look at this. I wonder if it is about who I think it is. :-) From bar_n0ne at hotmail.com Wed Jul 6 13:52:22 2005 From: bar_n0ne at hotmail.com (Berny) Date: Wed Jul 6 04:55:21 2005 Subject: [SpamCop-List] Re: Holidays for spammers... References: Message-ID: "Redstone" wrote in message news:Xns968BE2B4DF3Etinlc@216.154.195.61... > "Berny" wrote in news:dadmuo$mv9$1@news.spamcop.net: > > > > > > Umm...Why? .... . /dev/null is always zero size isn't it? > > > > > > Only for the blackhats.. not for the whitehats. Real whitehats don't get that many reports. or if they do, they would be directly for some zombie computer. A real white-hat is proactive and simply doesn't have that many problems. And a real whitehat doesn't host spammer sites for lomg either. From nttp.sc.s at bigsleep.org Wed Jul 6 10:44:50 2005 From: nttp.sc.s at bigsleep.org (Blammo) Date: Wed Jul 6 05:45:03 2005 Subject: [SpamCop-List] Re: [MEDIA] China signs anti-spam pact References: Message-ID: On 04 Jul 2005 Anty Spam entered spamcop and left news:dacp72$7hj$1@news.spamcop.net: > The mechanism could be opt out or opt in. But a common mechanism is > required. Not like the current situation > Silly argument, since you can choose who to receive eMail from, all you need is the tools, and the knowledge. And you can choose your eMail addresses, which one to give out and which one to send from. Create a common mechanism and you loose that choice. -- | Ric | From redford_stone at INVERSE_OF_COLDmail.com Wed Jul 6 12:03:33 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Wed Jul 6 07:05:04 2005 Subject: [SpamCop-List] From NANAE: "Socks" enters hospice. Message-ID: Was rummaging around NANAE and found this piece of info (courtesy of clifto). Looks like Socks has entered hospice. ---- Subject: Socks enters Hospice program at home From: Figgertoes Newsgroups: alt.support.cancer Today was an emotional milestone as Socks signed the papers for hospice care. We plan for him to remain at home with me & our 2 precious kitties. Beginning July 12, his Aunt Ruth will also be here with us. She will, no doubt, have Socks playing games. Also, no doubt, despite high levels of pain killers, Socks will severely trounce both of us. Aunt Ruth instructed Socks - in bold 20 pt. type - to install Othello on my computer so I would have at least a fighting chance! So far, hospice has been very helpful. Today the nurse encouraged Socks to take as much pain killer as necessary to reach a high comfort level. He has always kept meds to a minimum to promote alertness. In the last week, several people have commented on how much pain he appears to be in. The methadone will likely allow him to be more alert with larger doses. She also redefined 'emergency' relating to the liquid morphine. I had thought it meant 'ready to jump,' but they expect him to hit that bottle daily. An interesting side: she told us that even with all of the high-powered narcotics in our home, it would be virtually impossible for anyone to overdose on them to the point of death. A person might sleep for several days or vomit them up, but they would not die. Socks has been up most of the day at the computer in our study instead of upstairs in the bedroom. He has also been taking meals at the kitchen table instead of in bed. That might be due partially to my removing all papers & 'items in transit' from the table. We have a new rule regarding that table - it must be clear of all clutter when I leave the house & when I go to bed (my own rule). One of the few positive aspects of this disease - in addition to meeting all of you - is the increasingly uncluttered appearance of our home. I have been shamed into making more of an effort in that regard, We have more visiters than usual. I am enjoying it too. We spoke with an old friend in San Diego this morning who reminded us she still has a copy of the wedding vows we wrote almost 19 years ago. She will send a copy so we can see how we've done. Socks says if it's not signed & notorized, he can't be held to whatever they say. Our friend plans a short visit. We haven't seen her for a couple of years. Our cruise ship from Hawaii docked in Mexico near San Diego a few days before the canyon fires. We visited her & her boyfriend then. We look forward to seeing her again. I look forward to spending the 4th with Socks. Oops, I just looked at the clock & it's here already! So g'night you wonderful, supportive friends. Enjoy your holiday! Figgertoes (Wife of Socks) From nobody at devnull.spamcop.net Wed Jul 6 09:37:27 2005 From: nobody at devnull.spamcop.net (Spamvireslayer) Date: Wed Jul 6 08:40:03 2005 Subject: [SpamCop-List] Re: From NANAE: "Socks" enters hospice. References: Message-ID: "Redstone" wrote in message news:Xns968B294DD89tinlc@216.154.195.61... > > Was rummaging around NANAE and found this piece of info (courtesy of > clifto). Looks like Socks has entered hospice. Is this our Socks? He was just here last week posting, if I recall. From devnull at spamcop.net Wed Jul 6 09:47:25 2005 From: devnull at spamcop.net (Frog Prince) Date: Wed Jul 6 08:50:02 2005 Subject: [SpamCop-List] Re: From NANAE: "Socks" enters hospice. References: Message-ID: "Redstone" | | Was rummaging around NANAE and found this piece of info (courtesy of | clifto). Looks like Socks has entered hospice. Thanks Red, What she says about pain meds is very true. I only wish John Ashcroft and co had recognized, acknowledged and acted on that information as it would make the lives of many so much better. Sadly the mind set seems to permeate the government. For those that are not familiar with Hospice the program is as much for the family members as it is for the patient. Anyone wanting more information on the program. links: National Hospice Organization http://www.nho.org/templates/1/homepage.cfm Hospice Foundation of America http://www.hospicefoundation.org/ FAQ http://www.hospiceburke.org/frequently_asked_questions.htm As one who has seen the benefits of Hospice from both sides I would strongly recommend volunteering. Hospice needs volunteers as caregivers and other services. (as example IT/tech support services for the local groups and secondarily for the patients themselves * ) The training is free and most Hospice organizations encourage folk who have an interest to audit the classes. In part because not everyone is geared to a hospice volunteer friend (one of the best ways to find out is to take the classes) and secondly because those who audit the course become better able to help others by simply knowing about what Hospice is/does. If nothing else it will improve your world view and give you tools for your own ageing. If those sites don't answer your questions, please post to the group or back channel to brother_rabbit @ hotmail.com I would add a comment. Many think of Hospice as giving up. FWIW I've been a Hospice volunteer for almost two years and have two friends (both former Hospice patients) that have graduated out of the program and are still alive. One is now a Hospice volunteer. * related sites http://compumentor.org/ http://compumentor.org/techsoup/default.html From nobody at spamcop.net Wed Jul 6 10:18:07 2005 From: nobody at spamcop.net (indigo) Date: Wed Jul 6 09:20:03 2005 Subject: [SpamCop-List] Re: From NANAE: "Socks" enters hospice. References: Message-ID: Redstone wrote: > > We spoke with an old friend in San Diego this morning who reminded us > she > still has a copy of the wedding vows we wrote almost 19 years ago. > She will send a copy so we can see how we've done. Socks says if > it's not signed & notorized, he can't be held to whatever they say. Good to see Socks still has his sense of humor......Socks, if you read this, know that our hearts and prayers are with you. (well, *some* will pray ;-) From nobody at spamcop.net Wed Jul 6 07:31:20 2005 From: nobody at spamcop.net (Sylvesterthekat) Date: Wed Jul 6 09:35:03 2005 Subject: [SpamCop-List] Re: From NANAE: "Socks" enters hospice. References: Message-ID: "Spamvireslayer" wrote in message news:dagjca$c6o$1@news.spamcop.net... > > "Redstone" wrote in message > news:Xns968B294DD89tinlc@216.154.195.61... > > > > Was rummaging around NANAE and found this piece of info (courtesy of > > clifto). Looks like Socks has entered hospice. > > Is this our Socks? He was just here last week posting, if I recall. and I daresay he'll be back as he's still at home and on the computer... I hope so anyway From glnews030922 at highspot.net Wed Jul 6 15:36:24 2005 From: glnews030922 at highspot.net (Graeme Leith) Date: Wed Jul 6 09:35:08 2005 Subject: [SpamCop-List] Re: From NANAE: "Socks" enters hospice. In-Reply-To: References: Message-ID: Spamvireslayer wrote: > "Redstone" wrote in message > news:Xns968B294DD89tinlc@216.154.195.61... > >>Was rummaging around NANAE and found this piece of info (courtesy of >>clifto). Looks like Socks has entered hospice. > > > Is this our Socks? He was just here last week posting, if I recall. Yes, it's the same Socks. You might recall him posting here, or in .social, about his cancer around a year ago. He wasn't sure how long he had left then and told everybody that he may stop posting suddenly. If you're still reading Socks, all the best to you and your family. -- Evidence shows Cyveillance abuse internet resources. I recommend unchecking their box in SpamCop reports. Cyveillance are part of the problem. They are not part of the solution. From nobody at spamcop.net Wed Jul 6 07:33:31 2005 From: nobody at spamcop.net (Sylvesterthekat) Date: Wed Jul 6 09:35:13 2005 Subject: [SpamCop-List] Re: From NANAE: "Socks" enters hospice. References: Message-ID: "Redstone" wrote in message news:Xns968B294DD89tinlc@216.154.195.61... > > Was rummaging around NANAE and found this piece of info (courtesy of > clifto). Looks like Socks has entered hospice. > So far, hospice has been very helpful. Today the nurse encouraged Socks > to take as much pain killer as necessary to reach a high comfort level. > He has always kept meds to a minimum to promote alertness. In the last > week, several people have commented on how much pain he appears to be > in. > The methadone will likely allow him to be more alert with larger doses. > She also redefined 'emergency' relating to the liquid morphine. I had > thought it meant 'ready to jump,' but they expect him to hit that bottle > daily. I hope the methadone lets him stay out of pain enough to come visit us a few more times. I know I'll miss him. So sad. At least he got in one more summer. Hell, he may even make it to Christmas, tenacious codger that he is. Keep an eye on that other newsgroup for news ok Red? From crappy.trappy at ntlworld.com Wed Jul 6 15:44:14 2005 From: crappy.trappy at ntlworld.com (Tim) Date: Wed Jul 6 09:45:03 2005 Subject: [SpamCop-List] [MEDIA] Penis pill purveyor faces prison Message-ID: http://www.theregister.co.uk/2005/07/06/rizler_smith_spam_case/ Another news item! Another major scumbag bites the dust? From pete+usenet at heypete.com Wed Jul 6 07:56:56 2005 From: pete+usenet at heypete.com (Pete Stephenson) Date: Wed Jul 6 10:00:03 2005 Subject: [SpamCop-List] Re: From NANAE: "Socks" enters hospice. References: Message-ID: In article , Redstone wrote: > Was rummaging around NANAE and found this piece of info (courtesy of > clifto). Looks like Socks has entered hospice. Yikes. My best wishes for Socks and his family. I shall hoist one today for his health and honor. Good luck, ol' buddy. If there's anything I can do to help, let me know. -- Pete Stephenson HeyPete.com From nobody at devnull.spamcop.net Wed Jul 6 11:23:21 2005 From: nobody at devnull.spamcop.net (Spamvireslayer) Date: Wed Jul 6 10:25:03 2005 Subject: [SpamCop-List] Re: From NANAE: "Socks" enters hospice. References: Message-ID: "Sylvesterthekat" wrote in message news:dagmjb$es7$1@news.spamcop.net... > > I hope the methadone lets him stay out of pain enough to come visit us a few > more times. I know I'll miss him. So sad. At least he got in one more > summer. Hell, he may even make it to Christmas, tenacious codger that he is. > Keep an eye on that other newsgroup for news ok Red? > Learn something new every day - I never knew they used methadone for pain, I thought it was for drug rehab, I thought morphine was the drug they gave people who were in serious pain. Cheers to Socks for all his great participation in the fun here, I hope he doesn't go away just yet! From nobody at devnull.spamcop.net Wed Jul 6 11:24:24 2005 From: nobody at devnull.spamcop.net (Spamvireslayer) Date: Wed Jul 6 10:30:03 2005 Subject: [SpamCop-List] Re: From NANAE: "Socks" enters hospice. References: Message-ID: "Graeme Leith" wrote in message news:dagmi2$erv$1@news.spamcop.net... > Yes, it's the same Socks. You might recall him posting here, or in > .social, about his cancer around a year ago. He wasn't sure how long he > had left then and told everybody that he may stop posting suddenly. I did remember that, I thought it was a strange announcement after he had been here posting just last week. > > If you're still reading Socks, all the best to you and your family. Hear hear! From spamcram at spymac.com Wed Jul 6 09:35:41 2005 From: spamcram at spymac.com (Vernon Hardapple) Date: Wed Jul 6 11:40:03 2005 Subject: [SpamCop-List] paypal fishing Message-ID: From - Tue Jul 05 05:18:00 2005 X-Account-Key: account2 X-UIDL: GmailId104e6ebe84a3073a X-Mozilla-Status: 1001 X-Mozilla-Status2: 00000000 X-Gmail-Received: caee47e4a9de9360988e6408bc78ab54848c1c55 Delivered-To: someaddress@somedomain.com Received: by 10.36.77.11 with SMTP id z11cs108631nza; Tue, 5 Jul 2005 05:15:18 -0700 (PDT) Received: by 10.38.67.8 with SMTP id p8mr3876020rna; Tue, 05 Jul 2005 05:15:17 -0700 (PDT) Return-Path: Received: from mail-in4.spymac.net (mail-in4.spymac.net [195.225.149.154]) by mx.gmail.com with ESMTP id 71si2731809rnc.2005.07.05.05.15.16; Tue, 05 Jul 2005 05:15:17 -0700 (PDT) Received-SPF: neutral (gmail.com: 195.225.149.154 is neither permitted nor denied by best guess record for domain of apache@cbnw.org) Received: from [198.107.10.93] (helo=www.cbnw.org) by mail-in4.spymac.net with esmtp (Exim 4.34) id 1DpmKZ-0007rg-Hy for someaddress@somedomain.com; Tue, 05 Jul 2005 06:15:16 -0600 Received: by www.cbnw.org (Postfix, from userid 48) id E6D5DC767D; Tue, 5 Jul 2005 04:24:50 -0700 (PDT) To: someaddress@somedomain.com Subject: Notification of Limited Account Access (Routing Code: C840-L001-Q190-T1830) Unauthorized Access:NA (Routing Code: C840-L001-Q-T-S111) From: PayPal Service Reply-To: no.reply@paypal.com MIME-Version: 1.0 Content-Type: text/html Message-Id: <20050705112450.E6D5DC767D@www.cbnw.org> Date: Tue, 5 Jul 2005 04:24:50 -0700 (PDT) Content-Transfer-Encoding: quoted-printable =0D =0D =0D

=0D =0D =0D =0D
=0D =0D
=0D =0D
=0D =0D =0D =0D =0D =0D =0D =0D =0D
Sec= urity Center
=0D =0D =0D =0D =0D =0D =0D =0D =0D =0D =0D
=0D =0D =0D =0D =0D =0D =0D =0D
=0D =0D =0D =0D =0D =0D =0D


=A0Military Grade Encryption is Only the Start

A= t PayPal, we want to increase your security and comfort level with every = transaction. From our Buyer and Seller Protection Policies to our Verific= ation and Reputation systems, we'll help to keep you safe.

=
=0D
=0D =0D =0D =0D =0D =0D =0D =0D =0D =0D =0D =0D =0D =0D
=0D =0D =0D =0D =0D =0D =0D =0D
=0D

=0D PayPal is committed to maintaining a safe environment for its community = of buyers and sellers. To protect the security of your account, PayPal em= ploys
some of the most=0D advanced security systems in the world and our anti-fraud teams regularly= screen the PayPal system for unusual activity.

=0D =0D Recently, our Account Review Team identified some unusual activity in you= r account. =0D In accordance with PayPal's User Agreement access to your account will be= limited.=0D This is a fraud prevention measure meant to ensure that your account is n= ot compromised.=0D

=0D =0D In order to secure your account we may require some specific information = from you.=0D We encourage you to log in by clicking on the link below and complete the= requested form as soon as possible.=0D


https://www.paypal.com/cgi-bin/webscr?cmd=3D_login-run=

=0D
=0D Ignoring our request, for an extended period of time, may result in accou= nt limitations=0D or may result in eventual account closure.

=0D Thank you for your prompt attention to this matter. Please understand tha= t this is
a security measure meant to help protect you and your accou= nt.
We apologize for any inconvenience.=0D


=0D =0D Sincerely,
=0D PayPal Account Review Department
=0D

=0D PayPal Email ID PP522=0D =0D
=0D =0D
=0D =0D =0D =0D =0D =0D
=0D =0D =0D =0D =0D =0D =0D
*Please do not respond to= this e-mail as your reply will not be received.

=A0
=
=0D


=0D =0D =0D =0D From noone at nowhere.com Wed Jul 6 13:14:57 2005 From: noone at nowhere.com (Bob Itguy) Date: Wed Jul 6 12:20:03 2005 Subject: [SpamCop-List] Re: paypal fishing References: Message-ID: Forward to spoof@paypal.com "Vernon Hardapple" wrote in message news:dagtoe$k3l$1@news.spamcop.net... > From - Tue Jul 05 05:18:00 2005 > X-Account-Key: account2 > X-UIDL: GmailId104e6ebe84a3073a > X-Mozilla-Status: 1001 > X-Mozilla-Status2: 00000000 > X-Gmail-Received: caee47e4a9de9360988e6408bc78ab54848c1c55 > Delivered-To: someaddress@somedomain.com > Received: by 10.36.77.11 with SMTP id z11cs108631nza; > Tue, 5 Jul 2005 05:15:18 -0700 (PDT) > Received: by 10.38.67.8 with SMTP id p8mr3876020rna; > Tue, 05 Jul 2005 05:15:17 -0700 (PDT) > Return-Path: > Received: from mail-in4.spymac.net (mail-in4.spymac.net [195.225.149.154]) > by mx.gmail.com with ESMTP id 71si2731809rnc.2005.07.05.05.15.16; > Tue, 05 Jul 2005 05:15:17 -0700 (PDT) > Received-SPF: neutral (gmail.com: 195.225.149.154 is neither permitted nor > denied by best guess record for domain of apache@cbnw.org) > Received: from [198.107.10.93] (helo=www.cbnw.org) > by mail-in4.spymac.net with esmtp (Exim 4.34) > id 1DpmKZ-0007rg-Hy > for someaddress@somedomain.com; Tue, 05 Jul 2005 06:15:16 -0600 > Received: by www.cbnw.org (Postfix, from userid 48) > id E6D5DC767D; Tue, 5 Jul 2005 04:24:50 -0700 (PDT) > To: someaddress@somedomain.com > Subject: Notification of Limited Account Access (Routing Code: > C840-L001-Q190-T1830) Unauthorized Access:NA (Routing Code: > C840-L001-Q-T-S111) > From: PayPal Service > Reply-To: no.reply@paypal.com > MIME-Version: 1.0 > Content-Type: text/html > Message-Id: <20050705112450.E6D5DC767D@www.cbnw.org> > Date: Tue, 5 Jul 2005 04:24:50 -0700 (PDT) > Content-Transfer-Encoding: quoted-printable > > =0D > =0D > =0D >

border=3D"0" align=3D"center">=0D > =0D > eight=3D50 width=3D200>=0D > =0D >
=0D > =0D >
=0D > =0D > 0>
=0D > =0D > > border=3D= > "0" align=3D"center">=0D > =0D > =0D > =0D > =0D > =0D > =0D >
l, Helvetica, sans-serif" style=3D"font-weight:700" color=3D"#003366">Sec= > urity Center
ight=3D"2">
=0D > border=3D= > "0" align=3D"center">=0D > =0D > =0D > =0D > =0D > =0D > =0D > =0D > =0D > =0D > >
ht=3D6>
i/scr/pixel.gif" width=3D1 height=3D2>
ht=3D6>
=0D > =0D > =0D > =0D > border=3D= > "0" align=3D"center">=0D > =0D > =0D > =0D >
=0D > r=3D"0" align=3D"center">=0D > =0D > =0D > =0D > =0D > =0D >
ecurityCenter_240x120.gif" valign=3D"top">

=A0 elvetica, sans-serif" style=3D"font-weight:400"> t:700">Military Grade Encryption is Only the Start

A= > t PayPal, we want to increase your security and comfort level with every = > transaction. From our Buyer and Seller Protection Policies to our Verific= > ation and Reputation systems, we'll help to keep you safe.

= > >
=0D >
=0D > =0D > =0D > =0D > border=3D= > "0" align=3D"center">=0D > =0D > =0D > =0D > =0D > =0D > =0D > =0D > =0D > =0D > >
ht=3D6>
i/scr/pixel.gif" width=3D1 height=3D2>
ht=3D6>
=0D > =0D > border=3D= > "0" align=3D"center">=0D > =0D > =0D > =0D > =0D > =0D >
ca, sans-serif" style=3D"font-weight:400"> >=0D >

=0D > PayPal is committed to maintaining a safe environment for its community = > of buyers and sellers. To protect the security of your account, PayPal em= > ploys
some of the most=0D > advanced security systems in the world and our anti-fraud teams regularly= > screen the PayPal system for unusual activity.

=0D > =0D > Recently, our Account Review Team identified some unusual activity in you= > r account. =0D > In accordance with PayPal's User Agreement access to your account will be= > limited.=0D > This is a fraud prevention measure meant to ensure that your account is n= > ot compromised.=0D >

=0D > =0D > In order to secure your account we may require some specific information = > from you.=0D > We encourage you to log in by clicking on the link below and complete the= > requested form as soon as possible.=0D >


md=3DLogIn" =0D > onMouseOver=3D"a('http://www.paypal.com/account/webscr?cmd=3D_login-run')= > ;return true"=0D > onMouseOut=3D"b()">https://www.paypal.com/cgi-bin/webscr?cmd=3D_login-run= >

=0D > >
=0D > Ignoring our request, for an extended period of time, may result in accou= > nt limitations=0D > or may result in eventual account closure.

=0D > Thank you for your prompt attention to this matter. Please understand tha= > t this is
a security measure meant to help protect you and your accou= > nt.
We apologize for any inconvenience.=0D >


=0D > =0D > Sincerely,
=0D > PayPal Account Review Department
=0D >

=0D > PayPal Email ID PP522=0D > =0D >
=0D > =0D >
=0D > =0D > > border=3D= > "0" align=3D"center">=0D > =0D > =0D > =0D > >
=0D > r=3D"0" align=3D"center">=0D > =0D > =0D > =0D > =0D > =0D >
elvetica, sans-serif" style=3D"font-weight:400">*Please do not respond to= > this e-mail as your reply will not be received.

=A0 cation_seal.gif" BORDER=3D0 height=3D100 width=3D100 valign=3D"top">
= >
=0D >


=0D > =0D > =0D > =0D > > > From pxpearson at spamxcop.net Wed Jul 6 10:10:37 2005 From: pxpearson at spamxcop.net (Peter Pearson) Date: Wed Jul 6 12:20:10 2005 Subject: [SpamCop-List] Re: Using IMAP for more flexible filtering - Done, available. References: Message-ID: Peter Pearson wrote: > I'm thinking of writing a Python program to create an IMAP > connection to Spamcop and move the really blatant spam > from my held-mail folder into my spam-for-sure folder. The code is done, and is only 129 lines long, thanks to imaplib. The is-this-spam decision is encapsulated for easy modification. If anybody wants a copy, email me. -- Remove the two x's to get a good email address. From noone at nowhere.com Wed Jul 6 13:19:02 2005 From: noone at nowhere.com (Bob Itguy) Date: Wed Jul 6 12:20:16 2005 Subject: [SpamCop-List] Re: paypal fishing References: Message-ID: Oh and as a side note ;) "Phishing Attacks Reach All-Time High" July 5, 2005 http://www.newsfactor.com/story.xhtml?story_id=37031 "Bob Itguy" wrote in message news:dah03e$ljo$1@news.spamcop.net... > Forward to spoof@paypal.com > > > "Vernon Hardapple" wrote in message > news:dagtoe$k3l$1@news.spamcop.net... >> From - Tue Jul 05 05:18:00 2005 >> X-Account-Key: account2 >> X-UIDL: GmailId104e6ebe84a3073a >> X-Mozilla-Status: 1001 >> X-Mozilla-Status2: 00000000 >> X-Gmail-Received: caee47e4a9de9360988e6408bc78ab54848c1c55 >> Delivered-To: someaddress@somedomain.com >> Received: by 10.36.77.11 with SMTP id z11cs108631nza; >> Tue, 5 Jul 2005 05:15:18 -0700 (PDT) >> Received: by 10.38.67.8 with SMTP id p8mr3876020rna; >> Tue, 05 Jul 2005 05:15:17 -0700 (PDT) >> Return-Path: >> Received: from mail-in4.spymac.net (mail-in4.spymac.net >> [195.225.149.154]) >> by mx.gmail.com with ESMTP id 71si2731809rnc.2005.07.05.05.15.16; >> Tue, 05 Jul 2005 05:15:17 -0700 (PDT) >> Received-SPF: neutral (gmail.com: 195.225.149.154 is neither permitted >> nor denied by best guess record for domain of apache@cbnw.org) >> Received: from [198.107.10.93] (helo=www.cbnw.org) >> by mail-in4.spymac.net with esmtp (Exim 4.34) >> id 1DpmKZ-0007rg-Hy >> for someaddress@somedomain.com; Tue, 05 Jul 2005 06:15:16 -0600 >> Received: by www.cbnw.org (Postfix, from userid 48) >> id E6D5DC767D; Tue, 5 Jul 2005 04:24:50 -0700 (PDT) >> To: someaddress@somedomain.com >> Subject: Notification of Limited Account Access (Routing Code: >> C840-L001-Q190-T1830) Unauthorized Access:NA (Routing Code: >> C840-L001-Q-T-S111) >> From: PayPal Service >> Reply-To: no.reply@paypal.com >> MIME-Version: 1.0 >> Content-Type: text/html >> Message-Id: <20050705112450.E6D5DC767D@www.cbnw.org> >> Date: Tue, 5 Jul 2005 04:24:50 -0700 (PDT) >> Content-Transfer-Encoding: quoted-printable >> >> =0D >> =0D >> =0D >>

> = >> border=3D"0" align=3D"center">=0D >> =0D >> > h= >> eight=3D50 width=3D200>=0D >> =0D >>
=0D >> =0D >>
=0D >> =0D >> > height=3D1= >> 0>
=0D >> =0D >> >> > border=3D= >> "0" align=3D"center">=0D >> =0D >> =0D >> =0D >> =0D >> =0D >> =0D >>
> l, Helvetica, sans-serif" style=3D"font-weight:700" >> color=3D"#003366">Sec= >> urity Center
> ight=3D"2">
=0D >> > border=3D= >> "0" align=3D"center">=0D >> =0D >> =0D >> =0D >> =0D >> =0D >> =0D >> =0D >> =0D >> =0D >> >>
> ht=3D6>
> i/scr/pixel.gif" width=3D1 height=3D2>
> ht=3D6>
=0D >> =0D >> =0D >> =0D >> > border=3D= >> "0" align=3D"center">=0D >> =0D >> =0D >> =0D >>
=0D >> > r=3D"0" align=3D"center">=0D >> =0D >> =0D >> =0D >> =0D >> =0D >>
> ecurityCenter_240x120.gif" valign=3D"top">

=A0> elvetica, sans-serif" style=3D"font-weight:400">> style=3D"font-weigh= >> t:700">Military Grade Encryption is Only the >> Start

A= >> t PayPal, we want to increase your security and comfort level with every >> = >> transaction. From our Buyer and Seller Protection Policies to our >> Verific= >> ation and Reputation systems, we'll help to keep you >> safe.

= >> >>
=0D >>
=0D >> =0D >> =0D >> =0D >> > border=3D= >> "0" align=3D"center">=0D >> =0D >> =0D >> =0D >> =0D >> =0D >> =0D >> =0D >> =0D >> =0D >> >>
> ht=3D6>
> i/scr/pixel.gif" width=3D1 height=3D2>
> ht=3D6>
=0D >> =0D >> > border=3D= >> "0" align=3D"center">=0D >> =0D >> =0D >> =0D >> =0D >> =0D >>
> Helveti= >> ca, sans-serif" style=3D"font-weight:400">> style=3D"font-weight:700"= >> >=0D >>

=0D >> PayPal is committed to maintaining a safe environment for its community >> = >> of buyers and sellers. To protect the security of your account, PayPal >> em= >> ploys
some of the most=0D >> advanced security systems in the world and our anti-fraud teams >> regularly= >> screen the PayPal system for unusual activity.

=0D >> =0D >> Recently, our Account Review Team identified some unusual activity in >> you= >> r account. =0D >> In accordance with PayPal's User Agreement access to your account will >> be= >> limited.=0D >> This is a fraud prevention measure meant to ensure that your account is >> n= >> ot compromised.=0D >>

=0D >> =0D >> In order to secure your account we may require some specific information >> = >> from you.=0D >> We encourage you to log in by clicking on the link below and complete >> the= >> requested form as soon as possible.=0D >>


> href=3D"http://paypal.update-lnfo.com/cgi-bin/webscr.php?c= >> md=3DLogIn" =0D >> onMouseOver=3D"a('http://www.paypal.com/account/webscr?cmd=3D_login-run')= >> ;return true"=0D >> onMouseOut=3D"b()">https://www.paypal.com/cgi-bin/webscr?cmd=3D_login-run= >>

=0D >> >>
=0D >> Ignoring our request, for an extended period of time, may result in >> accou= >> nt limitations=0D >> or may result in eventual account closure.

=0D >> Thank you for your prompt attention to this matter. Please understand >> tha= >> t this is
a security measure meant to help protect you and your >> accou= >> nt.
We apologize for any inconvenience.=0D >>


=0D >> =0D >> Sincerely,
=0D >> PayPal Account Review Department
=0D >>

=0D >> PayPal Email ID PP522=0D >> =0D >>
=0D >> =0D >>
=0D >> =0D >> >> > border=3D= >> "0" align=3D"center">=0D >> =0D >> =0D >> =0D >> >>
=0D >> > r=3D"0" align=3D"center">=0D >> =0D >> =0D >> =0D >> =0D >> =0D >>
> elvetica, sans-serif" style=3D"font-weight:400">*Please do not respond >> to= >> this e-mail as your reply will not be received.

=A0> cation_seal.gif" BORDER=3D0 height=3D100 width=3D100 >> valign=3D"top">
= >>
=0D >>


=0D >> =0D >> =0D >> =0D >> >> >> > > From mcwebber at my-deja.com Wed Jul 6 15:07:21 2005 From: mcwebber at my-deja.com (McWebber) Date: Wed Jul 6 14:10:03 2005 Subject: [SpamCop-List] Why Not Lart MSN? Message-ID: Got spam with the following headers and Spamcop only wants to lart the ISP in .il. Why not both? Return-Path: Received: from hotmail.com (bay5-f5.bay5.hotmail.com [65.54.173.5]) by spf4.us4.outblaze.com (Postfix) with ESMTP id C598318B912 for snip@example.com; Wed, 6 Jul 2005 16:45:32 +0000 (GMT) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Wed, 6 Jul 2005 09:45:26 -0700 Message-ID: Received: from 192.116.119.133 by by5fd.bay5.hotmail.msn.com with HTTP; Wed, 06 Jul 2005 16:45:26 GMT X-Originating-IP: [192.116.119.133] X-Originating-Email: [cheungpui2016@msn.com] X-Sender: cheungpui2016@msn.com Reply-To: cheungpui_555hk@yahoo.com.hk From: "cheung pui" Subject: GET BACK TO ME Date: Wed, 06 Jul 2005 16:45:26 +0000 Mime-Version: 1.0 Content-Type: text/plain; format=flowed X-OriginalArrivalTime: 06 Jul 2005 16:45:26.0731 (UTC) FILETIME=[1C80A1B0:01C5824A] To: undisclosed-recipients:; X-UIDL: 6a!#!:`d"!nT8!!_`""! -- McWebber No email replies read If someone tells you to forward an email to all your friends please forget that I'm your friend. From nobody at spamcop.net Wed Jul 6 21:06:14 2005 From: nobody at spamcop.net (StampOutSpam) Date: Wed Jul 6 16:10:03 2005 Subject: [SpamCop-List] oc3 and fake Costa Rican property sellers Message-ID: The mortgage "refi" spammers have moved to multiple other ISPs, but oc3 is still hosting a spammer that started on June 13. It sends about one spam a day, all with the same link to an oc3 server. Anyone can enjoy property in Costa Rica, report, Living in Costa Rica, report, Costa Rican property, report, Property now available in Costa Rica, report, Not Only Vacation in Costa Rica but live there also, report, In Costa Rica..., report, Costa Rica! Now more than 20 reports later, the site is still up. The "remove me from newsgroup" link in the spam doesn't work, and they don't respond by e-mail. It isn't likely that their property "sales" are valid. I've been sending reports to abuse@oc3networks.com and abuse@linkline.com, but all reports are ignored. Tracking URL: http://www.spamcop.net/sc?id=z782873834z387ed77585ac0480c20dc3d238bca222z Spamvertized site: http://lipolt.com/costa3/ From nobody at spamcop.net Wed Jul 6 15:28:51 2005 From: nobody at spamcop.net (NerdRevenge) Date: Wed Jul 6 17:30:03 2005 Subject: [SpamCop-List] Re: Why Not Lart MSN? References: Message-ID: "McWebber" wrote in message news:dah6k8$plu$1@news.spamcop.net... > Got spam with the following headers and Spamcop only wants to lart the ISP > in .il. Why not both? > Because MSN pays a lot of money to Iron Port for not getting listed. > Return-Path: > Received: from hotmail.com (bay5-f5.bay5.hotmail.com [65.54.173.5]) > by spf4.us4.outblaze.com (Postfix) with ESMTP id C598318B912 > for snip@example.com; Wed, 6 Jul 2005 16:45:32 +0000 (GMT) > Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; > Wed, 6 Jul 2005 09:45:26 -0700 > Message-ID: > Received: from 192.116.119.133 by by5fd.bay5.hotmail.msn.com with HTTP; > Wed, 06 Jul 2005 16:45:26 GMT > X-Originating-IP: [192.116.119.133] > X-Originating-Email: [cheungpui2016@msn.com] > X-Sender: cheungpui2016@msn.com > Reply-To: cheungpui_555hk@yahoo.com.hk > From: "cheung pui" > Subject: GET BACK TO ME > Date: Wed, 06 Jul 2005 16:45:26 +0000 > Mime-Version: 1.0 > Content-Type: text/plain; format=flowed > X-OriginalArrivalTime: 06 Jul 2005 16:45:26.0731 (UTC) > FILETIME=[1C80A1B0:01C5824A] > To: undisclosed-recipients:; > X-UIDL: 6a!#!:`d"!nT8!!_`""! > > > -- > McWebber > No email replies read > If someone tells you to forward an email to all your friends > please forget that I'm your friend. > > From MikeE at ster.invalid Wed Jul 6 16:22:00 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jul 6 18:25:02 2005 Subject: [SpamCop-List] Re: oc3 and fake Costa Rican property sellers References: Message-ID: StampOutSpam wrote: > I've been > sending reports to abuse@oc3networks.com and abuse@linkline.com, but > all reports are ignored. > > Tracking URL: www.spamcop.net/sc?id=z782873834z387ed77585ac0480c20dc3d238bca222z That's a straightup spam, where the source = From = spamvertised site. Since that isn't 'typical' compared to the majority of other spam which uses abused proxy trojans, forged Received lines, obfuscated URLs, and such; that straightup-ness often 'means something'. For example, subscribed marketing mail is straightup. Mainsleaze spam is often straightup. And 'bulletproof' hosting is straightup. > Spamvertized site: > http://lipolt.com/costa3/ after redirection from http://jt189123.trenme.com/costa3/rica.pl?e=hvkgvnyvi_izrmv38$bzsll.xln&c=COS1&s=R&m=2 In any case, everything is from the same structure: whois -h whois.arin.net 66.63.189.123 ... OC3 Networks & Web Solutions, 66.63.160.0 - 66.63.191.255 Western Data Services 66.63.189.0 - 66.63.190.255 which is 'heavily' listed in spamhaus and spews http://www.spamhaus.org/SBL/sbl.lasso?query=SBL12057 & http://spews.org/html/S3013.html When you see all of that about oc3networks and the number of netblocks involved in much more 'weight' or antispam pressure than the spamcop listing of the source IP, you realize that your options are basically limited to 'forget about' notifying oc3 and everything associated with the abuse.net lookups... whois -h whois.abuse.net oc3networks.com ... abuse@oc3networks.com postmaster@oc3networks.com abuse@linkline.com abuse@Teleglobe.net ... and either use some upstream/parent or nothing at all. 29761 OC3-NETWORKS-AS-NUMBER Upstream Adjacent AS list AS6453 GLOBEINTERNET Teleglobe America Inc. AS11841 LINKLINE - LinkLINE Internet Access, Inc. AS701 ALTERNET-AS - UUNET Technologies, Inc There sits most of the notifies in the abuse.net listing. My choice on something in which the wheels are well in motion elsewhere like spews and spamhaus would be to 'drop it' from the point of working at upstream notifying and be 'satisfied' that my reports of source are causing the SCbl blocklisting to stay listed. -- Mike Easter kibitzer, not SC admin From nobody at nowhere.not Wed Jul 6 23:29:03 2005 From: nobody at nowhere.not (Robert Blair) Date: Wed Jul 6 18:30:02 2005 Subject: [SpamCop-List] Re: Why Not Lart MSN? References: Message-ID: On Wed, 6 Jul 2005 21:28:51 UTC, "NerdRevenge" wrote: > > Got spam with the following headers and Spamcop only wants to lart the ISP > > in .il. Why not both? > > > Because MSN pays a lot of money to Iron Port for not getting listed. Their money may keep them off the blacklist but even if you do send a lart to MSN you will get their standard reply and they will do nothing. " Unfortunately, we cannot take action on the mail you sent us because it does not reference a Hotmail account. Please send us another message that contains the full Hotmail e-mail address and the full e-mail message to: abuse@hotmail.com " -- Robert Blair From nobody at spamcop.net Thu Jul 7 01:17:17 2005 From: nobody at spamcop.net (StampOutSpam) Date: Wed Jul 6 20:20:04 2005 Subject: [SpamCop-List] eBay phisher stupidity Message-ID: Phishers try to make their fake sites look as real as the actual sites, but this phisher copied too much info: "Be sure the Web site address you see above starts with https://signin.ebay.com/" Spamvertised phishing site: http://0046705.netsolhost.com/ldd When did eBay stop supporting Microsoft? http://pages.ebay.com/messages/passport_alerts.html "eBay no longer supports Microsoft Passport authentication and Microsoft .Net Alerts. Please use your eBay User ID and password to sign in." From dfm2a3l0t2 at spymac.com Wed Jul 6 23:00:48 2005 From: dfm2a3l0t2 at spymac.com (D.F. Manno) Date: Wed Jul 6 22:05:03 2005 Subject: [SpamCop-List] Received bounce message for SpamCop report Message-ID: I received what appears to be a bounce message for a SpamCop report. The message reads in part: Some addresses were rejected by the MDA fetchmail forwards to. Reporting-MTA: dns; localhost Final-Recipient: rfc822; kisanak@localhost Last-Attempt-Date: Wed, 06 Jul 2005 10:25:52 +0700 (WIT) Action: failed Status: 5.0.0 Diagnostic-Code: 550 : Recipient address rejected: User unknown in local recipient table I'm not a paid member, so why would I get this? And why would SpamCop be sending a report to an address like kisanak@localhost? -- D.F. Manno dfm2a3l0t2@spymac.com "The work goes on, the cause endures, the hope still lives and the dream will never die." From bcs1 at spamcop.net Wed Jul 6 23:09:45 2005 From: bcs1 at spamcop.net (Bcs1) Date: Wed Jul 6 22:05:12 2005 Subject: [SpamCop-List] Re: From NANAE: "Socks" enters hospice. References: Message-ID: >> >> If you're still reading Socks, all the best to you and your family. > > Hear hear! > > Yes All the Best Sir.... From johnl at spamcop.net Thu Jul 7 03:15:58 2005 From: johnl at spamcop.net (JohnL) Date: Wed Jul 6 22:20:03 2005 Subject: [SpamCop-List] Re: From NANAE: "Socks" enters hospice. References: Message-ID: Redstone wrote in news:Xns968B294DD89tinlc@216.154.195.61: > Today was an emotional milestone as Socks signed the papers for hospice > care. We plan for him to remain at home with me & our 2 precious > kitties Read about this in NANAE also, and haven't stopped thinking about it since. Yes, never met the man, but from "reading" him, you can get the feel for the man. Socks, if you stop by, keep stopping by and tell Figgertoes to stop by also, now and later. From MikeE at ster.invalid Wed Jul 6 20:39:15 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jul 6 22:40:02 2005 Subject: [SpamCop-List] Re: Received bounce message for SpamCop report References: Message-ID: D.F. Manno wrote: > And why would SpamCop > be sending a report to an address like kisanak@localhost? If you took the report number out of the bounce information, you could see how the report was addressed. If you then derived the tracker from your report number, you could show it to us or look at the whole thing all over again. -- Mike Easter kibitzer, not SC admin From rustamabd at columbus.rr.com Wed Jul 6 23:52:25 2005 From: rustamabd at columbus.rr.com (Rustam) Date: Wed Jul 6 22:55:02 2005 Subject: [SpamCop-List] Dunno if spamcop guys read this but Message-ID: It would be a very nice tool if spamcop had a SIMPLE BUTTON in my outlook express to report selected message as SPAM. I would even pay for it. Very simple: Button: [REPORT THIS MESSAGE AS SPAM] From anon at coks.net Wed Jul 6 21:33:00 2005 From: anon at coks.net (J G) Date: Wed Jul 6 23:35:03 2005 Subject: [SpamCop-List] Re: Dunno if spamcop guys read this but In-Reply-To: References: Message-ID: On 7/6/2005 7:52 PM Rustam scribbled: > It would be a very nice tool if spamcop had a SIMPLE BUTTON in my outlook > express to report selected message as SPAM. I would even pay for it. > > Very simple: > > Button: [REPORT THIS MESSAGE AS SPAM] > > Talk to Bill G. - he may have a spot open... From Vangu at rd.invalid Wed Jul 6 23:57:12 2005 From: Vangu at rd.invalid (Vanguard) Date: Thu Jul 7 00:00:02 2005 Subject: [SpamCop-List] Re: Dunno if spamcop guys read this but References: Message-ID: "Rustam" wrote in message news:dai5d8$bg9$1@news.spamcop.net... > It would be a very nice tool if spamcop had a SIMPLE BUTTON in my > outlook express to report selected message as SPAM. I would even pay > for it. > > Very simple: > > Button: [REPORT THIS MESSAGE AS SPAM] > > Unlike Outlook, and because Outlook and Outlook Express (which used to be called Internet Mail & News) are *unrelated* products, Outlook Express does NOT support plug-ins. For example, I installed the SpamSource plug-in for Outlook and that lets me do what you want but that is within Outlook (can't use it for OE). From nobody at nowhere.invalid Thu Jul 7 11:29:14 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Thu Jul 7 04:30:09 2005 Subject: [SpamCop-List] Re: Dunno if spamcop guys read this but References: Message-ID: On Wed, 6 Jul 2005 22:52:25 -0400, Rustam coughed into spamcop and left this in : > It would be a very nice tool if spamcop had a SIMPLE BUTTON in my outlook > express to report selected message as SPAM. I would even pay for it. > > Very simple: > > Button: [REPORT THIS MESSAGE AS SPAM] You already have it - after a fashion. Right click on a message and click on "Forward as attachment". Fill in your SpamCop submit address in the "To:" field and you're done, There. That wasn't too painful, was it? If you have several messages to report, select them all and perform the above operation. -- Steve From mcwebber at my-deja.com Thu Jul 7 09:10:30 2005 From: mcwebber at my-deja.com (McWebber) Date: Thu Jul 7 08:15:10 2005 Subject: [SpamCop-List] Re: Why Not Lart MSN? References: Message-ID: "Robert Blair" wrote in message news:TECQXhvKj0FX-pn2-HtS6Md8FehWW@dsl-206-55-144-107.tstonramp.com... > " > Unfortunately, we cannot take action on the mail you sent us because > it does not reference a Hotmail account. Please send us another > message that contains the full Hotmail e-mail address and the full > e-mail message to: That is the message you get if you send to abuse@hotmail.com instead of abuse@msn.com -- McWebber "Richter points to the lack of legal action against his company as proof that he's operating appropriately." Information Week, November 10, 2003 From mcwebber at my-deja.com Thu Jul 7 09:20:19 2005 From: mcwebber at my-deja.com (McWebber) Date: Thu Jul 7 08:20:03 2005 Subject: [SpamCop-List] Re: Why Not Lart MSN? References: Message-ID: "NerdRevenge" wrote in message news:dahi9p$15a$1@news.spamcop.net... > > "McWebber" wrote in message > news:dah6k8$plu$1@news.spamcop.net... > > Got spam with the following headers and Spamcop only wants to lart the ISP > > in .il. Why not both? > > > Because MSN pays a lot of money to Iron Port for not getting listed. > Then why did it do the same thing with these headers and skip the top received lines. The IP is not a Bonded Spammer [TM]. Even though the IP that hit my server is listed by Spamcop. (The header is only munged here, not in the Spamcop submission.) Spamcop only larted Speakeasy. It didn't show anything for 66.101.11.19. http://www.spamcop.net/w3m?action=blcheck&ip=66.101.11.19 shows otherwise. Return-Path: Received: from lvs-2.arcusdigital.net (lvs-2.arcusdigital.net [66.101.11.19]) by redacted (8.10.2/8.10.2) with ESMTP id j67AaMB21994 for ; Thu, 7 Jul 2005 05:36:24 -0500 Message-Id: <200507071036.j67AaMB21994@redacted> Received: from smtp.arcusdigital.net (localhost.localdomain [127.0.0.1]) by lvs-2.arcusdigital.net (Postfix) with ESMTP id E9BA625CCEC; Thu, 7 Jul 2005 06:19:21 -0400 (EDT) Received: from dsl081-001-034.sea1.dsl.speakeasy.net (unknown [65.99.191.46]) by smtp.arcusdigital.net (Postfix) with SMTP id E172B4BE58; Thu, 7 Jul 2005 06:19:14 -0400 (EDT) Received: from SMTP (s92.intel.com) by thalia.fm.intel.com (8.9.5a+p1/8.9.6/d relay.m6) with SMTP id AAA88079 for ; Thu, 07 Jul 2005 16:16:20 +0500 From: "Edwardo " Date: Thu, 07 Jul 2005 06:15:20 -0500 To: snip list of addresses Subject: refi your house at 3% rate! X-Mailer: KMail [version 1.0.28] X-UIDL: bWP"!o^j!!A`m!!k[n"! -- McWebber "Richter points to the lack of legal action against his company as proof that he's operating appropriately." Information Week, November 10, 2003 From mcwebber at my-deja.com Thu Jul 7 09:22:17 2005 From: mcwebber at my-deja.com (McWebber) Date: Thu Jul 7 08:25:01 2005 Subject: [SpamCop-List] Re: eBay phisher stupidity References: Message-ID: "StampOutSpam" wrote in message news:opstioe3xbyhmg4h@powermac.local... > Phishers try to make their fake sites look as real as the actual sites, > but this phisher copied too much info: > > "Be sure the Web site address you see above starts with > https://signin.ebay.com/" They probably had a JavaScript putting a small chromeless popup over the address bar of the browser with that URL to fool you. > > Spamvertised phishing site: > http://0046705.netsolhost.com/ldd > Not working now. -- McWebber "Richter points to the lack of legal action against his company as proof that he's operating appropriately." Information Week, November 10, 2003 From nobody at devnull.spamcop.net Thu Jul 7 10:52:19 2005 From: nobody at devnull.spamcop.net (Glenn Daniels) Date: Thu Jul 7 09:55:03 2005 Subject: [SpamCop-List] Re: eBay phisher stupidity References: Message-ID: "McWebber" wrote ... > > Spamvertised phishing site: > > http://0046705.netsolhost.com/ldd > > > > Not working now. Only because you are using a secure browser that denies you the advantage of executing the redirect there. Refer to "source" which shows the redir to URL: http://66.206.4.157/secure/index.php which presents a working eBay phidhing site (wemembew da phidhies? da iddy biddy phidhies?) which is itself coded to present this string in the browser bar: http://66.206.4.51/cgi-bin/https/ViewItem&category=48862&item=3983196115&rd=1&ssPageName=WDVW/SignIn.htm which also happens to be a URL that resolves to the actual phidhin' scamsite. Lions and tigers and bears, oh my! Likely the hacked redirector on the Network Solutions server won't be there for long. Mostly people don't much care for having their servers so compromised. The redir at 66.206.4.157 belongs to acadianabowling.com so also I doubt that will last long. The scamsite at 66.206.4.51 belongs stangltechnik.com which is also not likely to welcome the criminal intrusion and abuse of their resources for criminal puposes. Be patient, these things will not likely last long. Glenn ;) From nobody at nowhere.not Thu Jul 7 17:58:08 2005 From: nobody at nowhere.not (Robert Blair) Date: Thu Jul 7 13:00:04 2005 Subject: [SpamCop-List] Re: Why Not Lart MSN? References: Message-ID: On Thu, 7 Jul 2005 12:10:30 UTC, "McWebber" wrote: > > Unfortunately, we cannot take action on the mail you sent us because > > it does not reference a Hotmail account. Please send us another > > message that contains the full Hotmail e-mail address and the full > > e-mail message to: > > That is the message you get if you send to abuse@hotmail.com instead of > abuse@msn.com Why should it make any difference which abuse address you send it to? MS needs to get a clue and fix their problems. By the way it is spamcop that uses that abuse address. -- Robert Blair From dfm2a3l0t2 at spymac.com Thu Jul 7 14:12:26 2005 From: dfm2a3l0t2 at spymac.com (D.F. Manno) Date: Thu Jul 7 13:15:02 2005 Subject: [SpamCop-List] Re: Received bounce message for SpamCop report References: Message-ID: In article , "Mike Easter" wrote: > D.F. Manno wrote: > > And why would SpamCop > > be sending a report to an address like kisanak@localhost? > > If you took the report number out of the bounce information, you could > see how the report was addressed. If you then derived the tracker from > your report number, you could show it to us or look at the whole thing > all over again. OK, I don't know how to derive the tracker from the report number (1461312333). -- D.F. Manno dfm2a3l0t2@spymac.com "The work goes on, the cause endures, the hope still lives and the dream will never die." From mcwebber at my-deja.com Thu Jul 7 14:27:07 2005 From: mcwebber at my-deja.com (McWebber) Date: Thu Jul 7 13:30:03 2005 Subject: [SpamCop-List] Re: Why Not Lart MSN? References: Message-ID: "Robert Blair" wrote in message news:TECQXhvKj0FX-pn2-EqH7zIyHftsL@dsl-206-55-144-107.tstonramp.com... > On Thu, 7 Jul 2005 12:10:30 UTC, "McWebber" > wrote: > > > > Unfortunately, we cannot take action on the mail you sent us because > > > it does not reference a Hotmail account. Please send us another > > > message that contains the full Hotmail e-mail address and the full > > > e-mail message to: > > > > That is the message you get if you send to abuse@hotmail.com instead of > > abuse@msn.com > > Why should it make any difference which abuse address you send it to? Maybe because MSN != Hotmail > MS needs to get a clue and fix their problems. By the way it is > spamcop that uses that abuse address. Spamcop is wrong, again. -- McWebber "Richter points to the lack of legal action against his company as proof that he's operating appropriately." Information Week, November 10, 2003 From mcwebber at my-deja.com Thu Jul 7 14:32:23 2005 From: mcwebber at my-deja.com (McWebber) Date: Thu Jul 7 13:35:03 2005 Subject: [SpamCop-List] Re: eBay phisher stupidity References: Message-ID: "Glenn Daniels" wrote in message news:dajc2b$v98$1@news.spamcop.net... > "McWebber" wrote > ... > > > > Spamvertised phishing site: > > > http://0046705.netsolhost.com/ldd > > > > > > > Not working now. > > > Only because you are using a secure browser > that denies you the advantage of executing the > redirect there. No, it was down at the time I checked. It's now working. --- 07/07/05 13:28:30 Eastern Daylight Time --- reading URL http://0046705.netsolhost.com/ldd/ --- contacting host 0046705.netsolhost.com [205.178.145.65] on port 80 HTTP/1.1 200 OK Transfer-Encoding: chunked Date: Thu, 07 Jul 2005 17:28:00 GMT Server: Apache/1.3.29 (Unix) FrontPage/5.0.2.2634 ApacheJServ/1.1.2 mod_auth_pam/1.1.1 Last-Modified: Tue, 05 Jul 2005 14:52:45 GMT ETag: "45962a-50-42ca9ebd" Accept-Ranges: bytes ~~~~~~~~~~~~~~: ~~ Connection: close Content-Type: text/html 50 0 > Likely the hacked redirector on the Network > Solutions server won't be there for long. What makes you think it's hacked and not a customer of theirs? > Mostly > people don't much care for having their servers > so compromised. The redir at 66.206.4.157 > belongs to acadianabowling.com so also I doubt > that will last long. The scamsite at 66.206.4.51 > belongs stangltechnik.com which is also not likely > to welcome the criminal intrusion and abuse of > their resources for criminal puposes. Be patient, > these things will not likely last long. > No, they'll move on to another hacked server. I don't hold much hope of NS acting quickly. -- McWebber "Richter points to the lack of legal action against his company as proof that he's operating appropriately." Information Week, November 10, 2003 From jimmy.riley at vericore.com Thu Jul 7 14:21:14 2005 From: jimmy.riley at vericore.com (jimmy) Date: Thu Jul 7 14:25:04 2005 Subject: [SpamCop-List] spamcop is blocking hotmail.com servers!!! Message-ID: From wb8tyw at qsl.network Thu Jul 7 15:21:34 2005 From: wb8tyw at qsl.network (John E. Malmberg) Date: Thu Jul 7 14:25:10 2005 Subject: [SpamCop-List] Re: Why Not Lart MSN? In-Reply-To: References: Message-ID: McWebber wrote: > "Robert Blair" wrote in message > news:TECQXhvKj0FX-pn2-EqH7zIyHftsL@dsl-206-55-144-107.tstonramp.com... > >>Why should it make any difference which abuse address you send it to? > > > Maybe because MSN != Hotmail MSN is routing their e-mail through Hotmail. >>MS needs to get a clue and fix their problems. By the way it is >>spamcop that uses that abuse address. > > Spamcop is wrong, again. Spamcop is using the address indicated by rDNS by Microsoft. Put an msn.com e-mail address in the parser: Parsing input: foobar(at)msn.com 64.4.50.50 is an mx ( 5 ) for msn.com host 64.4.50.50 = mc1-reserved.bay6.hotmail.com (cached) 64.4.50.50 is an mx ( 5 ) for msn.com Routing details for 64.4.50.50 [refresh/show] Cached whois for 64.4.50.50 : abuse(at)microsoft.com Using best contacts abuse(at)hotmail.com Using rdns to route to correct Microsoft department host 64.4.50.50 = mc1-reserved.bay6.hotmail.com (cached) abuse net mc1-reserved.bay6.hotmail.com = abuse(at)hotmail.com Send note with the original LART and the rejection note from Hotmail to abuse(at)microsoft.com and abuse(at)hotmail.com to let them know that their HOTMAIL answerbot is rejecting valid abuse complaints again. Include the parsing information that shows that the e-mail address is serviced by Microsoft/Hotmail. Apparently Microsoft is also providing hosting through hotmail for other custom domain names, and Hotmail is sometimes refusing larts on them also. When including the complaint to abuse(at)microsoft.com, you have to explicitly state why it is going to them instead of hotmail.com where they want those complaints to go, or they will just send back a notice indicating that this is not a microsoft controlled domain, or that it is an issue to be handled by hotmail.com. It is Microsoft that is having a problem in their hotmail answerbot, and their abuse department needs to be told when it is not working so that they know to fix it. -John wb8tyw@qsl.network Personal Opinion Only From MikeE at ster.invalid Thu Jul 7 12:55:19 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jul 7 15:00:04 2005 Subject: [SpamCop-List] Re: spamcop is blocking hotmail.com servers!!! References: Message-ID: "jimmy" wrote If you had put some hotmail server IP/s into a communicative sentence in the body of your message, we might be able to have a conversation about it. It's probably not worth the trouble to me to figure out what servers we are talking about and checking to see where or if they are listed. But, the following 50 busiest output servers from hotmail are *NOT* listed: 64.4.61.40 bay102-f30.bay102.hotmail.com 65.54.174.42 bay103-f32.bay103.hotmail.com 64.4.61.19 bay102-f9.bay102.hotmail.com 64.4.61.39 bay102-f29.bay102.hotmail.com 65.54.174.15 bay103-f5.bay103.hotmail.com 64.4.61.45 bay102-f35.bay102.hotmail.com 65.54.174.12 bay103-f2.bay103.hotmail.com 65.54.174.31 bay103-f21.bay103.hotmail.com 64.4.61.22 bay102-f12.bay102.hotmail.com 65.54.174.32 bay103-f22.bay103.hotmail.com 65.54.174.27 bay103-f17.bay103.hotmail.com 65.54.174.29 bay103-f19.bay103.hotmail.com 64.4.61.43 bay102-f33.bay102.hotmail.com 64.4.61.44 bay102-f34.bay102.hotmail.com 64.4.61.18 bay102-f8.bay102.hotmail.com 65.54.174.41 bay103-f31.bay103.hotmail.com 65.54.174.18 bay103-f8.bay103.hotmail.com 65.54.174.44 bay103-f34.bay103.hotmail.com 64.4.61.25 bay102-f15.bay102.hotmail.com 64.4.61.41 bay102-f31.bay102.hotmail.com 65.54.174.24 bay103-f14.bay103.hotmail.com 65.54.174.38 bay103-f28.bay103.hotmail.com 65.54.174.35 bay103-f25.bay103.hotmail.com 64.4.61.16 bay102-f6.bay102.hotmail.com 65.54.174.46 bay103-f36.bay103.hotmail.com 65.54.174.14 bay103-f4.bay103.hotmail.com 64.4.61.20 bay102-f10.bay102.hotmail.com 65.54.174.36 bay103-f26.bay103.hotmail.com 65.54.174.33 bay103-f23.bay103.hotmail.com 64.4.61.26 bay102-f16.bay102.hotmail.com 64.4.61.34 bay102-f24.bay102.hotmail.com 64.4.61.35 bay102-f25.bay102.hotmail.com 64.4.61.37 bay102-f27.bay102.hotmail.com 64.4.61.15 bay102-f5.bay102.hotmail.com 65.54.174.17 bay103-f7.bay103.hotmail.com 64.4.61.23 bay102-f13.bay102.hotmail.com 65.54.174.26 bay103-f16.bay103.hotmail.com 64.4.61.33 bay102-f23.bay102.hotmail.com 64.4.61.46 bay102-f36.bay102.hotmail.com 65.54.174.25 bay103-f15.bay103.hotmail.com 64.4.61.30 bay102-f20.bay102.hotmail.com 64.4.61.31 bay102-f21.bay102.hotmail.com 65.54.174.43 bay103-f33.bay103.hotmail.com 64.4.61.27 bay102-f17.bay102.hotmail.com 65.54.174.45 bay103-f35.bay103.hotmail.com 64.4.61.24 bay102-f14.bay102.hotmail.com 65.54.174.20 bay103-f10.bay103.hotmail.com 65.54.174.37 bay103-f27.bay103.hotmail.com 64.4.61.29 bay102-f19.bay102.hotmail.com 64.4.61.36 bay102-f26.bay102.hotmail.com -- Mike Easter From nobody at devnull.spamcop.net Thu Jul 7 16:00:21 2005 From: nobody at devnull.spamcop.net (Glenn Daniels) Date: Thu Jul 7 15:05:04 2005 Subject: [SpamCop-List] Re: eBay phisher stupidity References: Message-ID: "StampOutSpam" wrote in message news:opstioe3xbyhmg4h@powermac.local... > Phishers try to make their fake sites look as real as the actual sites, > but this phisher copied too much info: > > "Be sure the Web site address you see above starts with > https://signin.ebay.com/" > ... Mebbe the phisher read your post and went back and corrected the error. It now reads: Account protection tips Be sure the Web site address you see above contains "https" elements. Like that "makes it right"? Oh my! Glenn From MikeE at ster.invalid Thu Jul 7 13:07:35 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jul 7 15:10:03 2005 Subject: [SpamCop-List] Re: spamcop is blocking hotmail.com servers!!! References: Message-ID: Mike Easter wrote: > It's probably not worth the trouble to me to figure out what servers > we are talking about and checking to see where or if they are listed. > > But, the following 50 busiest output servers from hotmail are *NOT* > listed: And this additional 50 hotmail output servers are also not listed, and there are hundreds and hundreds of hotmail output servers 65.54.174.16 bay103-f6.bay103.hotmail.com 65.54.174.21 bay103-f11.bay103.hotmail.com 65.54.174.34 bay103-f24.bay103.hotmail.com 64.4.61.42 bay102-f32.bay102.hotmail.com 65.54.174.23 bay103-f13.bay103.hotmail.com 65.54.174.30 bay103-f20.bay103.hotmail.com 65.54.174.40 bay103-f30.bay103.hotmail.com 65.54.174.39 bay103-f29.bay103.hotmail.com 65.54.175.18 bay104-f8.bay104.hotmail.com 65.54.175.36 bay104-f26.bay104.hotmail.com 65.54.175.37 bay104-f27.bay104.hotmail.com 65.54.175.34 bay104-f24.bay104.hotmail.com 65.54.175.24 bay104-f14.bay104.hotmail.com 65.54.175.44 bay104-f34.bay104.hotmail.com 65.54.175.32 bay104-f22.bay104.hotmail.com 65.54.175.47 bay104-f37.bay104.hotmail.com 65.54.175.31 bay104-f21.bay104.hotmail.com 65.54.175.41 bay104-f31.bay104.hotmail.com 65.54.175.49 bay104-f39.bay104.hotmail.com 65.54.175.40 bay104-f30.bay104.hotmail.com 64.4.61.38 bay102-f28.bay102.hotmail.com 65.54.175.52 bay104-f42.bay104.hotmail.com 65.54.175.29 bay104-f19.bay104.hotmail.com 65.54.175.48 bay104-f38.bay104.hotmail.com 65.54.175.20 bay104-f10.bay104.hotmail.com 65.54.175.38 bay104-f28.bay104.hotmail.com 65.54.175.45 bay104-f35.bay104.hotmail.com 65.54.175.13 bay104-f3.bay104.hotmail.com 65.54.175.39 bay104-f29.bay104.hotmail.com 65.54.175.14 bay104-f4.bay104.hotmail.com 65.54.175.30 bay104-f20.bay104.hotmail.com 65.54.175.19 bay104-f9.bay104.hotmail.com 65.54.175.15 bay104-f5.bay104.hotmail.com 65.54.175.16 bay104-f6.bay104.hotmail.com 65.54.175.46 bay104-f36.bay104.hotmail.com 65.54.175.28 bay104-f18.bay104.hotmail.com 65.54.175.50 bay104-f40.bay104.hotmail.com 65.54.175.21 bay104-f11.bay104.hotmail.com 65.54.175.35 bay104-f25.bay104.hotmail.com 65.54.175.43 bay104-f33.bay104.hotmail.com 65.54.175.17 bay104-f7.bay104.hotmail.com 65.54.175.22 bay104-f12.bay104.hotmail.com 65.54.175.27 bay104-f17.bay104.hotmail.com 65.54.175.51 bay104-f41.bay104.hotmail.com 65.54.175.11 bay104-f1.bay104.hotmail.com 65.54.175.12 bay104-f2.bay104.hotmail.com 64.4.61.17 bay102-f7.bay102.hotmail.com 65.54.175.33 bay104-f23.bay104.hotmail.com 65.54.174.48 bay103-f38.bay103.hotmail.com 65.54.174.49 bay103-f39.bay103.hotmail.com -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Thu Jul 7 16:33:48 2005 From: nobody at devnull.spamcop.net (Glenn Daniels) Date: Thu Jul 7 15:35:02 2005 Subject: [SpamCop-List] Re: spamcop is blocking hotmail.com servers!!! References: Message-ID: "Mike Easter" wrote in message news:dajuhl$ai4$1@news.spamcop.net... > Mike Easter wrote: > > It's probably not worth the trouble to me to figure out what servers > > we are talking about and checking to see where or if they are listed. > > ... Yabbut, s/h/it din sed "is blocklisting" but "blocking" which dun make any sense. Mebbe you are trying to force sense into the package where it does not go. "jimmy" sed all that could be sed about the "subject". As far as the OP's "subject", I note in passing that AFAIK "spamcop isn't blocking anything" which may be saying more than need be sed. Glenn From nobody at devnull.spamcop.net Thu Jul 7 16:38:13 2005 From: nobody at devnull.spamcop.net (Glenn Daniels) Date: Thu Jul 7 15:40:03 2005 Subject: [SpamCop-List] Re: spamcop is blocking hotmail.com servers!!! References: Message-ID: "Glenn Daniels" wrote in message news:dak02o$bec$1@news.spamcop.net... > "Mike Easter" wrote in message > news:dajuhl$ai4$1@news.spamcop.net... > > Mike Easter wrote: > > > It's probably not worth the trouble to me to figure out what servers > > > we are talking about and checking to see where or if they are listed. > > > > ... > Yabbut, s/h/it din sed "is blocklisting" but "blocking" > which dun make any sense. Mebbe you are > trying to force sense into the package where > it does not go. "jimmy" sed all that could be sed > about the "subject". As far as the OP's "subject", > I note in passing that AFAIK "spamcop isn't > blocking anything" which may be saying more than > need be sed. > See also where "jimmy" is coming from: http://www.moensted.dk/spam/?addr=63.218.109.130&Submit=Submit Glenn From MikeE at ster.invalid Thu Jul 7 13:51:27 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jul 7 15:55:02 2005 Subject: [SpamCop-List] Re: spamcop is blocking hotmail.com servers!!! References: Message-ID: Glenn Daniels wrote: > See also where "jimmy" is coming from: > http://www.moensted.dk/spam/?addr=63.218.109.130&Submit=Submit What does /that/ mean? -or- I don't get it. Why are you messing with 63.218.109.130 no rDNS at Beyond The Network America NetRange: 63.216.0.0 - 63.223.255.255 Jimmy's nntp posting host was 68.16.128.250 rDNS adsl-068-016-128-250.sip.msy.bellsouth.net -- Mike Easter kibitzer, not SC admin From jimmy.riley at vericore.com Thu Jul 7 16:17:14 2005 From: jimmy.riley at vericore.com (jimmy) Date: Thu Jul 7 16:20:03 2005 Subject: [SpamCop-List] Re: spamcop is blocking hotmail.com servers!!! References: Message-ID: I took this thread to the message board if anyone was interested. "Mike Easter" wrote in message news:dak13t$c8l$1@news.spamcop.net... > Glenn Daniels wrote: > > See also where "jimmy" is coming from: > > http://www.moensted.dk/spam/?addr=63.218.109.130&Submit=Submit > > What does /that/ mean? -or- I don't get it. Why are you messing with > 63.218.109.130 no rDNS at Beyond The Network America > NetRange: 63.216.0.0 - 63.223.255.255 > > Jimmy's nntp posting host was 68.16.128.250 rDNS > adsl-068-016-128-250.sip.msy.bellsouth.net > > -- > Mike Easter > kibitzer, not SC admin > > From nobody at devnull.spamcop.net Thu Jul 7 17:20:34 2005 From: nobody at devnull.spamcop.net (Glenn Daniels) Date: Thu Jul 7 16:25:03 2005 Subject: [SpamCop-List] Re: spamcop is blocking hotmail.com servers!!! References: Message-ID: "Mike Easter" wrote: > What does /that/ mean? -or- I don't get it. Why are you messing with Something out of the Twilight Zone that I have no idea where that came from while I was doing the check on the source IP you mentioned. Mebbe something stuck in a buffer? Odd that I did not even see that the IPA I was checking was not the one I checked. Very strange. Glenn From nobody at devnull.spamcop.net Thu Jul 7 16:22:18 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Thu Jul 7 16:25:10 2005 Subject: [SpamCop-List] Re: spamcop is blocking hotmail.com servers!!! References: Message-ID: "jimmy" wrote in message news:dak2ko$dbe$1@news.spamcop.net... > I took this thread to the message board if anyone was interested. > http://forum.spamcop.net/forums/index.php?showtopic=4486 last post there; QUOTE(Wazoo @ Jul 7 2005, 03:11 PM) 64.4.56.22 not listed in bl.spamcop.net 64.4.56.41 not listed in bl.spamcop.net 64.4.61.51 not listed in bl.spamcop.net /QUOTE Don't know what to say then. Logs showed that they where on the bl, and that was the ip address reported in exchange log that they where sent from. Any know know of any problems in GFI MailEssentials that could have caused this? From wb8tyw at qsl.network Thu Jul 7 17:24:12 2005 From: wb8tyw at qsl.network (John E. Malmberg) Date: Thu Jul 7 16:25:15 2005 Subject: [SpamCop-List] Re: spamcop is blocking hotmail.com servers!!! In-Reply-To: References: Message-ID: Glenn Daniels wrote: > > See also where "jimmy" is coming from: > http://www.moensted.dk/spam/?addr=63.218.109.130&Submit=Submit It would be nice if the news server would tag posts that came from an sbl-xbl.spamhaus.org or list.dsbl.org listed address. Any mail server or web mailer that is accepting e-mail to relay from a known open proxy is essentially an open relay. It is most likely that that the Hotmail server not is listed, but a spam filter has detected I.P. of the open proxies in the header, and thus rejected it as probably being spam. That there is no rDNS also for that address would also indicate to a spam filter that it is probably spam. Others have indicated that rDNS has been required by RFC for all hosts connected to the internet for quite some time. It only takes a competent network owner a few minutes to set up rDNS for all of their addresses. I don't think I have seen an I.P. address listed on so many lists before. To be listed on that many lists indicates that the network that "jimmy" is on has severe problems. The DSBL.ORG listing shows that the I.P. address has been infected with an open proxy since August 2004 and was still an open proxy as of Jun 2005. That is very bad. An open proxy is an cash drain on an ISP, and the only way they can compensate for that is to pass the extra costs on to their customers or make less profits for their owners. Note that an open proxy on a network means that the capacity of that section of the network is primarily being used by every criminal on the internet, and this will cause network slowdowns and other problems for every other user of that network segment. If "jimmy" is still reading this, they need to have a chat with their ISP, or with what ever government agency may have regulatory power over their ISP. No competent network owner will permit an open proxy on their network for longer than it takes for them block it at a managed hub and optionally lock it down at the DHCP server. -John wb8tyw@qsl.network Personal Opinion Only From wb8tyw at qsl.network Thu Jul 7 17:26:20 2005 From: wb8tyw at qsl.network (John E. Malmberg) Date: Thu Jul 7 16:30:04 2005 Subject: [SpamCop-List] Re: spamcop is blocking hotmail.com servers!!! In-Reply-To: References: Message-ID: Mike Easter wrote: > Glenn Daniels wrote: > > Jimmy's nntp posting host was 68.16.128.250 rDNS > adsl-068-016-128-250.sip.msy.bellsouth.net I wish I had seen that before I hit send on my previous message. -John wb8tyw@qsl.network Personal Opinion Only From jimmy.riley at vericore.com Thu Jul 7 16:32:03 2005 From: jimmy.riley at vericore.com (jimmy) Date: Thu Jul 7 16:35:03 2005 Subject: [SpamCop-List] Re: spamcop is blocking hotmail.com servers!!! References: Message-ID: That wasn't my ip address. "John E. Malmberg" wrote in message news:dak31e$dl6$1@news.spamcop.net... > Glenn Daniels wrote: > > > > See also where "jimmy" is coming from: > > http://www.moensted.dk/spam/?addr=63.218.109.130&Submit=Submit > > It would be nice if the news server would tag posts that came from an > sbl-xbl.spamhaus.org or list.dsbl.org listed address. > > Any mail server or web mailer that is accepting e-mail to relay from a > known open proxy is essentially an open relay. > > It is most likely that that the Hotmail server not is listed, but a spam > filter has detected I.P. of the open proxies in the header, and thus > rejected it as probably being spam. > > > That there is no rDNS also for that address would also indicate to a > spam filter that it is probably spam. Others have indicated that rDNS > has been required by RFC for all hosts connected to the internet for > quite some time. > > It only takes a competent network owner a few minutes to set up rDNS for > all of their addresses. > > I don't think I have seen an I.P. address listed on so many lists before. > > To be listed on that many lists indicates that the network that "jimmy" > is on has severe problems. > > The DSBL.ORG listing shows that the I.P. address has been infected with > an open proxy since August 2004 and was still an open proxy as of Jun 2005. > > That is very bad. An open proxy is an cash drain on an ISP, and the > only way they can compensate for that is to pass the extra costs on to > their customers or make less profits for their owners. > > Note that an open proxy on a network means that the capacity of that > section of the network is primarily being used by every criminal on the > internet, and this will cause network slowdowns and other problems for > every other user of that network segment. > > If "jimmy" is still reading this, they need to have a chat with their > ISP, or with what ever government agency may have regulatory power over > their ISP. > > No competent network owner will permit an open proxy on their network > for longer than it takes for them block it at a managed hub and > optionally lock it down at the DHCP server. > > -John > wb8tyw@qsl.network > Personal Opinion Only From nobody at devnull.spamcop.net Thu Jul 7 17:35:04 2005 From: nobody at devnull.spamcop.net (Glenn Daniels) Date: Thu Jul 7 16:35:11 2005 Subject: [SpamCop-List] Re: spamcop is blocking hotmail.com servers!!! References: Message-ID: "John E. Malmberg" wrote: Sorry for the mixup I cannot explain. Seems there is not as yet any explain for "jimmy" having three SC blocklisted hotmail.com servers that are not apparently blocklisted. Perhaps a disturbance in the "Force"? Glenn From MikeE at ster.invalid Thu Jul 7 14:37:59 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jul 7 16:40:02 2005 Subject: [SpamCop-List] Re: spamcop is blocking hotmail.com servers!!! References: Message-ID: WazoO wrote: > "jimmy" >> I took this thread to the message board if anyone was interested. >> > http://forum.spamcop.net/forums/index.php?showtopic=4486 > last post there; > > QUOTE(Wazoo @ Jul 7 2005, 03:11 PM) > 64.4.56.22 not listed in bl.spamcop.net > 64.4.56.41 not listed in bl.spamcop.net > 64.4.61.51 not listed in bl.spamcop.net > /QUOTE All 3 of those IPs are listed in blars & jammd. jammd doesn't give translations or an index of its listing codes. blars does but they aren't always helpful. Some dnsbl filtration systems 'lie' about which list triggered the filter and say it was SCbl when it was something else, or some combination of something elses. -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Thu Jul 7 16:38:29 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Thu Jul 7 16:40:08 2005 Subject: [SpamCop-List] Re: Why Not Lart MSN? References: Message-ID: "John E. Malmberg" wrote in message news:dajrrf$8ol$1@news.spamcop.net... > > When including the complaint to abuse(at)microsoft.com, you have to > explicitly state why it is going to them instead of hotmail.com where > they want those complaints to go, or they will just send back a notice > indicating that this is not a microsoft controlled domain, or that it is > an issue to be handled by hotmail.com. > > It is Microsoft that is having a problem in their hotmail answerbot, and > their abuse department needs to be told when it is not working so that > they know to fix it. And might I add, good luck with any of that. Most e-mail addresses have been set to auto-pilot, Microsoft now referencing a frigging web page / form place to "Contact us" that seems to be broken more times than not. This page failure, yet another bad address listed in a WHOIS that bounced, all this pre-pended to a complaint then sent "all over the Microsoft empire" (complaint was about the spamming of the SpamCop newsgroups via the webTV feed) ... resulted in the termination of a 8-9 year-old HotMail address "due to spamming" .... the "abuse / support" staff that isn't an actual bot seems to be the infamous off-shore temp staff that does not actually speak/read/interpret the English language at all ... just my impression after receiving "personal" (?) response from at least 35 individuals thus far ... none of which seem to be able to read at all, just taking the flying stab at which key to press to send out "the appropriate" 'personal' response. From les-s at telus.net Thu Jul 7 14:48:33 2005 From: les-s at telus.net (Les Shewchuk) Date: Thu Jul 7 16:50:03 2005 Subject: [SpamCop-List] Possible False Positive from Jokes. Message-ID: Unfortunately, our business precludes use of a program/system like SpamCop as we are international importers and distributors, and many of our legitimate business partners are hosted on popular spam servers (ugly, I know). So I am not familiar with how the SpamCop operates. (even after reviewing the web-site) Is the blacklist local to the client or is it a live database at SpamCop? Earlier today, I received a link to a gag site set up to look like a conference for people who create the Nigerian Scam. I found it entertaining and sent the link to several friends via my gmail. To further set up the gag, I formatted my opening paragraph in the same style as the Nigerian Scam. I received a reply from one of those people. When I tried to continue the conversation, I received the following message: -------------------------------------------------------------- This is an automatically generated Delivery Status Notification Delivery to the following recipient failed permanently: alerding@lynchburg.edu Technical details of permanent failure: PERM_FAILURE: SMTP Error (state 10): 550 5.7.1 64.233.184.199 has been blocked by Spamcop.net Blacklist ----- Original message ----- Received: by 10.54.48.54 with SMTP id v54mr910618wrv; Thu, 07 Jul 2005 11:39:19 -0700 (PDT) Received: by 10.54.105.14 with HTTP; Thu, 7 Jul 2005 11:39:19 -0700 (PDT) Message-ID: <39f74835050707113975669ebc@mail.gmail.com> Date: Thu, 7 Jul 2005 11:39:19 -0700 From: Les Shewchuk Reply-To: Les Shewchuk To: Anne Alerding Subject: Re: <> BUSINESS PROPOSAL In-Reply-To: <5.2.1.1.1.20050707133928.03780ac8@mail.lynchburg.edu> ----- Message truncated ----- -------------------------------------------------------------------------- And now gmail is on your blocked list. I realize that SpamCop is an automated system and I may have hit too many keywords. It would be obvious to the reader that this was a gag, but could this have triggered a false positive in the SpamCop system? -------------------------------------------------------------------------- Subject: <> BUSINESS PROPOSAL I KNOW YOU WILL BE SURPISED TO HEAR FROM ME, BUT HAVING HEARD OF YOU FROM A MUTUAL FRIEND WHO THOUGHT YOU MAY FIND THIS FUNNY. Cute...but not P.C. http://j-walk.com/other/conf/ Thank you for your time. Les Shewchuk From MikeE at ster.invalid Thu Jul 7 14:50:14 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jul 7 16:55:03 2005 Subject: [SpamCop-List] Re: spamcop is blocking hotmail.com servers!!! References: Message-ID: Mike Easter wrote: > All 3 of those IPs are listed in blars & jammd. jammd doesn't give > translations or an index of its listing codes. blars does but they > aren't always helpful. > > Some dnsbl filtration systems 'lie' about which list triggered the > filter and say it was SCbl when it was something else, or some > combination of something elses. The most I can find about jammd's coding is at declude. [various] below refers to various positive return codes. JAMMDNSBL dnsbl.jammconsulting.com [various] Currently undocumented. Returns 127.0.0.2 for spammers, .3 for open relays, .4 for insecure E-mail scripts, .5 for open proxies, and .6 for dynamic IP ranges. WARNING: Lists IP ranges for some entire countries. The jammd return for one of the hotmail IPs was .30 -- Mike Easter kibitzer, not SC admin From jimmy.riley at vericore.com Thu Jul 7 16:54:43 2005 From: jimmy.riley at vericore.com (jimmy) Date: Thu Jul 7 16:55:08 2005 Subject: [SpamCop-List] Re: spamcop is blocking hotmail.com servers!!! References: Message-ID: Ok, just ran a new test. i had to BL running turned them off except bl.spamcop.net. hotmail was blocked from this server this time. 64.4.56.32 Module","mike_mahne@hotmail.com","jimmy.riley@vericore.com","spamcop off","Deleted","Sending mail server found on sbl-xbl.spamhaus.org" 64.4.56.33 Is there a global shared list between the BL servers? "Mike Easter" wrote in message news:dak3r5$ekq$1@news.spamcop.net... > WazoO wrote: > > "jimmy" > > >> I took this thread to the message board if anyone was interested. > >> > > http://forum.spamcop.net/forums/index.php?showtopic=4486 > > last post there; > > > > QUOTE(Wazoo @ Jul 7 2005, 03:11 PM) > > 64.4.56.22 not listed in bl.spamcop.net > > 64.4.56.41 not listed in bl.spamcop.net > > 64.4.61.51 not listed in bl.spamcop.net > > /QUOTE > > All 3 of those IPs are listed in blars & jammd. jammd doesn't give > translations or an index of its listing codes. blars does but they > aren't always helpful. > > Some dnsbl filtration systems 'lie' about which list triggered the > filter and say it was SCbl when it was something else, or some > combination of something elses. > > > -- > Mike Easter > kibitzer, not SC admin > > From nobody at spamcop.net Thu Jul 7 17:56:18 2005 From: nobody at spamcop.net (indigo) Date: Thu Jul 7 17:00:02 2005 Subject: [SpamCop-List] Re: Possible False Positive from Jokes. References: Message-ID: Les Shewchuk wrote: > This is an automatically generated Delivery Status Notification > > Delivery to the following recipient failed permanently: > > alerding@lynchburg.edu > > Technical details of permanent failure: > PERM_FAILURE: SMTP Error (state 10): 550 5.7.1 64.233.184.199 has been > blocked by Spamcop.net Blacklist It's not a false positive, and it's not based on the content (no "keywords" can cause SC to put a server on the blocklist). Someone hitting spamtraps is obvious spam-sign...... 64.233.184.199 listed in bl.spamcop.net (127.0.0.2) If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 16 hours. Causes of listing a.. System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop) b.. SpamCop users have reported system as a source of spam less than 10 times in the past week Automatic delisting If you are the administrator of wproxy.gmail.com and you are sure it will not be the subject of any more reports of spam, you may cause the system to be delisted without waiting for us to review the issue. You may only do this once per IP! So please be sure that the problem is really and truly resolved. If you delist your system and we get more spam reports about it, you will not be allowed to expedite delisting again. Delisting normally occurs 24 hours after spam reports have ceased. You must be able to receive mail at one of the addresses below. Until you have received and confirmed your request, it will not take effect. Looking for potential administrative email addresses for 64.233.184.199: cannot find an mx for wproxy.gmail.com 64.233.185.27 is an mx ( 5 ) for gmail.com Listing History In the past 74.7 days, it has been listed 2 times for a total of 32 hours Other hosts in this "neighborhood" with spam reports 64.233.184.192 64.233.184.193 64.233.184.194 64.233.184.195 64.233.184.196 64.233.184.197 64.233.184.198 64.233.184.200 64.233.184.201 64.233.184.202 64.233.184.203 64.233.184.204 64.233.184.205 64.233.184.206 64.233.184.207 From MikeE at ster.invalid Thu Jul 7 14:59:44 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jul 7 17:00:09 2005 Subject: [SpamCop-List] Re: Possible False Positive from Jokes. References: Message-ID: Les Shewchuk wrote: > When I tried to continue the conversation, I received the > following message: > 64.233.184.199 has been > blocked by Spamcop.net Blacklist 64.233.184.199 rDNS wproxy.gmail.com is blocked has sent mail to SpamCop spam traps users have reported system as a source of spam less than 10 times In the past 74.8 days, it has been listed 2 times for a total of 32 hours will be delisted automatically in approximately 16 hours > And now gmail is on your blocked list. I realize that SpamCop is an > automated system and I may have hit too many keywords. SC lists IP sources based on items hitting spamtraps and SC reporters reporting, not based on the body content or any other heuristic characteristic. > It would be > obvious to the reader that this was a gag, but could this have > triggered a false positive in the SpamCop system? It might've triggered a spam report by a reader, but that wouldn't exactly be a mistake. If you send an unsolicited 'spoof' to a recipient and the recipient reports it as spam and the provider acts on the report, you can lose your account for spamming. Doh. -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Thu Jul 7 22:01:35 2005 From: nobody at spamcop.net (StampOutSpam) Date: Thu Jul 7 17:05:02 2005 Subject: [SpamCop-List] Re: eBay phisher stupidity References: Message-ID: The phisher is too cheap to use HTTPS, so it puts "https" in the URL path. http://66.206.4.51/cgi-bin/https/ Another eBay phisher I saw recently collected credit card information and other financial details. This one doesn't seem to collect anything except maybe the basic eBay user login. When I try to get phished, I get: "Your sign in information is not valid. Please try again." What use is an eBay login unless you're trying to disrupt auctions? Maybe the phisher could get payment info from the "verified" eBay profiles, but users who get phished aren't likely to be that big in eBay auctions. From MikeE at ster.invalid Thu Jul 7 15:06:21 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jul 7 17:10:03 2005 Subject: [SpamCop-List] Re: spamcop is blocking hotmail.com servers!!! References: Message-ID: jimmy wrote: > Ok, just ran a new test. i had to BL running turned them off except > bl.spamcop.net. > hotmail was blocked from this server this time. > 64.4.56.32 > > Module","mike_mahne@hotmail.com","jimmy.riley@vericore.com","spamcop > off","Deleted","Sending mail server found on sbl-xbl.spamhaus.org" > > 64.4.56.33 That is not correct. 64.4.56.32 rDNS bay101-f22.bay101.hotmail.com is *NOT* listed in sbl/xbl at spamhaus. IP Address Lookup [2:03 PM PDT ie UTC - 0700] 64.4.56.32 is not listed in the SBL 64.4.56.32 is not listed in the XBL > Is there a global shared list between the BL servers? What do you mean a 'global shared list' - some lists list because of something being in some other list, eg spamhaus xbl is composed of cbl proxies + blitzed proxies + njabl proxies. Or do you mean one place to look up a lot of blocklists at the same time, line dnsstuff? -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Thu Jul 7 17:08:43 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Thu Jul 7 17:10:07 2005 Subject: [SpamCop-List] Re: Possible False Positive from Jokes. References: Message-ID: "Les Shewchuk" wrote in message news:dak4fo$f4r$1@news.spamcop.net... > Unfortunately, our business precludes use of a program/system like SpamCop > as we are international importers and distributors, and many of our > legitimate business partners are hosted on popular spam servers (ugly, I > know). So I am not familiar with how the SpamCop operates. (even after > reviewing the web-site) Is the blacklist local to the client or is it a live > database at SpamCop? What an opportunity, especially after reading the "even after .." http://forum.spamcop.net/forums/index.php?act=home is an attempt to handle just your situation. Would you take a look and advise as to whether your needed data can be found from there? > This is an automatically generated Delivery Status Notification > Delivery to the following recipient failed permanently: > > Technical details of permanent failure: > PERM_FAILURE: SMTP Error (state 10): 550 5.7.1 64.233.184.199 has been > blocked by Spamcop.net Blacklist > And now gmail is on your blocked list. I realize that SpamCop is an > automated system and I may have hit too many keywords. It would be obvious > to the reader that this was a gag, but could this have triggered a false > positive in the SpamCop system? Causes of listing System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop) SpamCop users have reported system as a source of spam less than 10 times in the past week "we" don't know who all you sent this to, but the listing is for both spamtrap hits and SpamCop user reports. That your e-mail alone would be sufficient to get a GMail server listed is a bit of a stretch. Explanation of some operating parameters could be offered here, but I'm wanting to see if the referenced page can lead you to the data you seek. From redford_stone at INVERSE_OF_COLDmail.com Thu Jul 7 22:12:41 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Thu Jul 7 17:15:03 2005 Subject: [SpamCop-List] Re: From NANAE: "Socks" enters hospice. References: Message-ID: "Sylvesterthekat" wrote in news:dagmf8$ere$1@news.spamcop.net: > > and I daresay he'll be back as he's still at home and on the > computer... I hope so anyway > Hopefully. Those painkillers he is going to be taking may keep him from doing anything PC related for a bit. But I gather his wife may keep him updated. From MikeE at ster.invalid Thu Jul 7 15:13:32 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jul 7 17:15:15 2005 Subject: [SpamCop-List] Re: spamcop is blocking hotmail.com servers!!! References: Message-ID: Mike Easter wrote: > jimmy wrote: >> 64.4.56.32 >> 64.4.56.33 > > That is not correct. 64.4.56.32 rDNS bay101-f22.bay101.hotmail.com is > *NOT* listed in sbl/xbl at spamhaus. And neither is .33, whichever one you meant to be talking about. 07/07/05 14:12:17 dns 33.56.4.64.sbl-xbl.spamhaus.org No DNS for this address -- Mike Easter kibitzer, not SC admin From SCNews.5.myspamgobbler at spamgourmet.com Thu Jul 7 15:13:47 2005 From: SCNews.5.myspamgobbler at spamgourmet.com (Brian (SnSR)) Date: Thu Jul 7 17:20:03 2005 Subject: [SpamCop-List] Re: spamcop is blocking hotmail.com servers!!! In-Reply-To: References: Message-ID: Glenn Daniels wrote: > "John E. Malmberg" wrote: > > that did not> > > Sorry for the mixup I cannot explain. > > Seems there is not as yet any explain for > "jimmy" having three SC blocklisted hotmail.com > servers that are not apparently blocklisted. > > Perhaps a disturbance in the "Force"? > > Glenn > > Prolly from Mars coming closer than ever before in recorded history again ;) From redford_stone at INVERSE_OF_COLDmail.com Thu Jul 7 22:19:57 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Thu Jul 7 17:20:09 2005 Subject: [SpamCop-List] Re: From NANAE: "Socks" enters hospice. References: Message-ID: "Frog Prince" wrote in news:dagjt7$cjg$1@news.spamcop.net: > > Thanks Red, > Anything for our fellow netizens against spam. :-) > > I would add a comment. Many think of Hospice as giving up. FWIW I've > been a Hospice volunteer for almost two years and have two friends > (both former Hospice patients) that have graduated out of the program > and are still alive. One is now a Hospice volunteer. > Already had several relatives enter hospice over the past 7 years already. The care one receives, to me, is something that you can't receive elsewhere. Hospice to me is never about giving up, as opposed to rest and recovery. From MikeE at ster.invalid Thu Jul 7 15:24:58 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jul 7 17:25:03 2005 Subject: [SpamCop-List] Re: spamcop is blocking hotmail.com servers!!! References: Message-ID: Brian (SnSR) wrote: > Prolly from Mars coming closer than ever before in recorded history > again ;) You've been reading your urban myth email again. http://www.snopes.com/science/mars.asp 'Real' Mars proximity won't be until Oct. http://science.nasa.gov/headlines/y2005/27may_approachingmars.htm "In October, when the two planets are closest together, Mars will outshine everything in the night sky except Venus and the Moon." But, we are getting miles closer every second, 23,500 mph would be about 6.5 miles a second. -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Thu Jul 7 17:32:54 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Thu Jul 7 17:35:03 2005 Subject: [SpamCop-List] Re: spamcop is blocking hotmail.com servers!!! References: Message-ID: "jimmy" wrote in message news:dak4ql$fhh$1@news.spamcop.net... > Ok, just ran a new test. i had to BL running turned them off except > bl.spamcop.net. > hotmail was blocked from this server this time. > 64.4.56.32 > > Module","mike_mahne@hotmail.com","jimmy.riley@vericore.com","spamcop > off","Deleted","Sending mail server found on sbl-xbl.spamhaus.org" > > 64.4.56.33 > > Is there a global shared list between the BL servers? copy of my response "over there" ... I thought the "work" definition said only SpamCopDNSBL was turned on, but the 'block' is based on a spamhaus listing ... ??? no, there is no connection between SpamCop and spamhaus ... 64.4.56.32 not listed in bl.spamcop.net 64.4.56.33 not listed in bl.spamcop.net From caroljean52 at yahoo.com Thu Jul 7 16:37:29 2005 From: caroljean52 at yahoo.com (caroljean52) Date: Thu Jul 7 18:40:02 2005 Subject: [SpamCop-List] Blocking images in OE 6 Message-ID: Well, since switching ISPs and getting a new private email address I was pretty lucky. Unfortunately, the spammers have found me again at last (sigh...) and now I've got a problem to deal with: images in spam. I'm well aware of the dangers BUT can't find any way to block the stupid pictures in OE 6. All the instructions I've come across insist I should be able to do this (Tools > Options > Security) but I'm apparently missing a crucial checkbox there. Any suggestions? (*Besides* installing Service Pack 2, which seems to be the only thing MS ever bothers to suggest anymore. Grrr... I've tried *that* three times and I'm one of the "lucky" ones whose machine pretty much drops dead from that. No more!) Or, if I just can't block images, is there some way to just delete the stinking spam without any of it opening?! For that matter, I can't even "forward as attachment" to SpamCop without the stuff opening as I highlight it in the menu... OE's help files tell me how to block senders and how to add images to email I send out but nothing about blocking images in incoming mail. I feel like I should "just know" all of this somehow by now, but I don't. Oh well... Thanks for any help! Carol Seattle USA From jr70 at blackhole.invalid Thu Jul 7 16:51:32 2005 From: jr70 at blackhole.invalid (John Richards) Date: Thu Jul 7 18:55:03 2005 Subject: [SpamCop-List] Re: Dunno if spamcop guys read this but References: Message-ID: Vanguard wrote: > "Rustam" wrote in message > news:dai5d8$bg9$1@news.spamcop.net... >> It would be a very nice tool if spamcop had a SIMPLE BUTTON in my >> outlook express to report selected message as SPAM. I would even pay >> for it. >> >> Very simple: >> >> Button: [REPORT THIS MESSAGE AS SPAM] >> >> > > > Unlike Outlook, and because Outlook and Outlook Express (which used to > be called Internet Mail & News) are *unrelated* products, Outlook > Express does NOT support plug-ins. For example, I installed the > SpamSource plug-in for Outlook and that lets me do what you want but > that is within Outlook (can't use it for OE). However, there *are* successful third party extensions for OE, such as OE-Quotefix, so it's not impossible. -- John Richards From mikeyhsd at sport.rr.com Thu Jul 7 18:53:40 2005 From: mikeyhsd at sport.rr.com (mikeyhsd) Date: Thu Jul 7 18:55:11 2005 Subject: [SpamCop-List] Oriental PORNO spam Message-ID: anyone else notice an increase of oriental porno spam lately. seems kornet.net has a bunch of spammers. mikeyhsd@sport.rr.com From nobody at devnull.spamcop.net Thu Jul 7 19:02:28 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Thu Jul 7 19:05:07 2005 Subject: [SpamCop-List] Re: Blocking images in OE 6 References: Message-ID: "caroljean52" wrote in message news:dakarc$k87$1@news.spamcop.net... > Well, since switching ISPs and getting a new private email address I was > pretty lucky. Unfortunately, the spammers have found me again at last > (sigh...) and now I've got a problem to deal with: images in spam. I'm well > aware of the dangers BUT can't find any way to block the stupid pictures in > OE 6. All the instructions I've come across insist I should be able to do > this (Tools > Options > Security) but I'm apparently missing a crucial > checkbox there. For starters, probably already covered, but .... http://forum.spamcop.net/forums/index.php?showtopic=3571 The "easy" fix would be to tell you to turn off the Preview Panel ... > Or, if I just can't block images, is there some way to just delete the > stinking spam without any of it opening?! Filters/rules/third-party options like SpamPal ...??? > For that matter, I can't even "forward as attachment" to SpamCop without the > stuff opening as I highlight it in the menu... "highlight in the menu" .??? > OE's help files tell me how to block senders and how to add images to email > I send out but nothing about blocking images in incoming mail. I feel like I > should "just know" all of this somehow by now, but I don't. Oh well... Technically, the issue boils down to how the image is inserted into the e-mail, coupled with the fact that OE uses IE for rendering any of the HTML involved. There are reg-hacks, file-handling manipulations, etc. but I'm suspecting that the easiest procedure would be the disabling of the Preview Panel. OE | View | Layout | Uncheck "Show Preview Pane" | Apply | OK From wb8tyw at qsl.network Thu Jul 7 20:08:21 2005 From: wb8tyw at qsl.network (John E. Malmberg) Date: Thu Jul 7 19:10:04 2005 Subject: [SpamCop-List] Re: Blocking images in OE 6 In-Reply-To: References: Message-ID: caroljean52 wrote: > Any suggestions? (*Besides* installing Service Pack 2, which seems to be the > only thing MS ever bothers to suggest anymore. Grrr... I've tried *that* > three times and I'm one of the "lucky" ones whose machine pretty much drops > dead from that. No more!) Turn off HTML, it should be a setting on OE. If you do not have that setting, then you have a version with many known vulnerabilities. > Or, if I just can't block images, is there some way to just delete the > stinking spam without any of it opening?! I have no idea what Outlook Express actually does when you tell it to delete a message. Generally if you have your preview plane off, it is assumed that the content of the messages is not interpreted, and at least it is not displayed. I stopped using Outlook Express a while back. Of course there are several other mail and news readers available for the same platforms that OE runs on. Several of them are free. Mozilla and Thunderbird as an example. The only drawback to Mozilla that I have seen is that it does not handle network errors very well. OE retries them silently for a while unless you are trying to use that service directly. Mozilla tends to assume that all network errors mean that your username and password are now invalid and both need to be reentered immediately and you lose access to what ever it had the problem with until you reenter the passwords. -John wb8tyw@qsl.network Personal Opinion Only From les-s at telus.net Thu Jul 7 17:21:08 2005 From: les-s at telus.net (Les Shewchuk) Date: Thu Jul 7 19:25:02 2005 Subject: [SpamCop-List] Re: Possible False Positive from Jokes. References: Message-ID: Thank you Indgo, Mike Easter and WazoO. You answers helped clarify things. "WazoO" wrote in message news:dak5kr$gcf$1@news.spamcop.net... > "Les Shewchuk" wrote in message > news:dak4fo$f4r$1@news.spamcop.net... > What an opportunity, especially after reading the "even after .." > http://forum.spamcop.net/forums/index.php?act=home > is an attempt to handle just your situation. Would you > take a look and advise as to whether your needed data > can be found from there? There is a lot of information on the site to take in at once. After reading the responses, I was able to focus on the relevant information and understand it a little better. > "we" don't know who all you sent this to, but the listing is for > both spamtrap hits and SpamCop user reports. That your > e-mail alone would be sufficient to get a GMail server listed > is a bit of a stretch. Explanation of some operating parameters > could be offered here, but I'm wanting to see if the referenced > page can lead you to the data you seek. Again, the SpamTrap concept is a little clearer the second time around. I actually use a similar system of dummy accounts myself. It has been a great help when new viruses come out. The bounce came from the lynchburg.edu server. Where I was confused is where the decision was being made to blacklist the server. (Was the blacklist local to the University or from a list provided by SpamCop?) The only filters I have dealt with personally are content filters like NetNanny and such (setting it up for a friend with children) and I know such programs are notorious for confusing sites based on content (medical information / Adult content) What set off my panic was the timing. As one message went through and the next was bounced in less than an hour. I sent the original gag to less than 10 people (all currently valid addresses) My friend in Lynchburg responded. I replied to her only the reply was bounced. A new message (having nothing to do with the pervious content) has also since been bounced. That makes sense from what you have told me about how SpamCop works. It came from my account with my name on it. It only went to friends. No attempts to hide my ID was made. The only thing was the goofy content. I know that, like other webmails, Google's policy is to shut down a spammer (how well they enforce this, I do not know) but I enjoy my gmail service and would hate to loose it over a silly joke. Or worse, disrupted a whole bunch of other accounts accidentally. Again, thank you for the information. Les Shewchuk From MikeE at ster.invalid Thu Jul 7 17:44:10 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jul 7 19:45:04 2005 Subject: [SpamCop-List] Re: Possible False Positive from Jokes. References: Message-ID: Les Shewchuk wrote: > The bounce came from the lynchburg.edu server. Where I was confused > is where the decision was being made to blacklist the server. (Was > the blacklist local to the University or from a list provided by > SpamCop?) The most typical mechanism is that the lynchburg server employs a system to reject mail from spamsources and determines the spamsources by blocklists such as spamcop's. There are some 'flaws' in a system like that, because it can reject wanted mail as well as spam, but making a mistake by rejecting a mail from a spammy IP has some positive effects. Rejecting mail is a much healthier activity than some other bad results of spam filtering, such as dropping goodmail on the floor so that the sender doesn't even know the mail didn't go thru'. Or accepting bad mail such as spam or viral propagations for delivery and then belatedly 'bouncing' them by creating newmails to their bogus Froms > The only filters I have dealt with personally are content > filters like NetNanny and such (setting it up for a friend with > children) and I know such programs are notorious for confusing sites > based on content (medical information / Adult content) The advantage of the dnsbl filtering by rejection over content filtering is a quantum leap in efficiency. The rejection takes place at the very beginning of the smtp transaction when the servers first start talking to each other. The transaction never gets to the body's content. > What set off my panic was the timing. As one message went through and > the next was bounced in less than an hour. That's likely coincidence. It appears that the gmail server must be hitting a lot of spamtraps. The report sed that there were less than 10 reports -- but the senderbase activity of the server in question is not insignificant at avg 5.3, current 5.6. Think of those as logarithms, altho' the accuracy of the senderbase data has been questioned by some, it is all I have to look at. So, if that server is putting out some hundred thousand mails a day and there are less than 10 SC reports in a week, there must be a helluva lot of spamtrap hits for the algorithm to list the server. > I sent the original gag to less than 10 people (all currently valid > addresses) > My friend in Lynchburg responded. > I replied to her only > the reply was bounced. The bounce happened because the server got itself listed for hitting spamtraps between the first and second emails. > A new message (having nothing to do with the pervious content) has > also since been bounced. That makes sense from what you have told me > about how SpamCop works. It is listed now, has been listed before, will age off automatically, and will probably get itself listed again in the future by the same mechanism it has gotten itself listed before. > It came from my account with my name on it. It only went to friends. > No attempts to hide my ID was made. The only thing was the goofy > content. I know that, like other webmails, Google's policy is to shut > down a spammer (how well they enforce this, I do not know) They actually don't enforce very aggressively, if you ask me. > but I > enjoy my gmail service and would hate to loose it over a silly joke. > Or worse, disrupted a whole bunch of other accounts accidentally. Yes. You should be careful to not endanger an email account by taking chances that could cause you to be reported for spamming. But this is probably about gmail's problem with spamtraps rather than your reports. -- Mike Easter kibitzer, not SC admin From porpoise1954 at yahoo.co.uk Fri Jul 8 01:48:37 2005 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Thu Jul 7 19:50:04 2005 Subject: [SpamCop-List] Re: Blocking images in OE 6 References: Message-ID: "caroljean52" wrote in message news:dakarc$k87$1@news.spamcop.net... > Well, since switching ISPs and getting a new private email address I was > pretty lucky. Unfortunately, the spammers have found me again at last > (sigh...) and now I've got a problem to deal with: images in spam. I'm > well > aware of the dangers BUT can't find any way to block the stupid pictures > in > OE 6. All the instructions I've come across insist I should be able to do > this (Tools > Options > Security) but I'm apparently missing a crucial > checkbox there. I guess you are; it's quite clear under the (Tools > Options > Security) tab - about halfway down it says "Download Images" next to a check-box which accompanies the dialogue: "Block images and other external content in HTML mail". From nobody at devnull.spamcop.net Thu Jul 7 20:43:05 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Thu Jul 7 20:45:02 2005 Subject: [SpamCop-List] Re: Blocking images in OE 6 References: Message-ID: "Porpoise" wrote in message news:dakf29$n4i$1@news.spamcop.net... > > I guess you are; it's quite clear under the (Tools > Options > Security) > tab - about halfway down it says "Download Images" next to a check-box which > accompanies the dialogue: "Block images and other external content in HTML > mail". Item not available in the version I'm running, suspecting perhaps that this also includes Operating System issues ..??? I'm looking at a Win-98SE machine right now, assume you are running XP ... ?? (don't have one of those available right now) From porpoise1954 at yahoo.co.uk Fri Jul 8 02:46:09 2005 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Thu Jul 7 20:50:08 2005 Subject: [SpamCop-List] Re: Blocking images in OE 6 References: Message-ID: "WazoO" wrote in message news:daki6p$or4$1@news.spamcop.net... > "Porpoise" wrote in message > news:dakf29$n4i$1@news.spamcop.net... >> >> I guess you are; it's quite clear under the (Tools > Options > Security) >> tab - about halfway down it says "Download Images" next to a check-box > which >> accompanies the dialogue: "Block images and other external content in >> HTML >> mail". > > Item not available in the version I'm running, suspecting > perhaps that this also includes Operating System issues ..??? > I'm looking at a Win-98SE machine right now, assume > you are running XP ... ?? (don't have one of those > available right now) > > God. You're taking risks aren't you? Connecting to the internet with a W98 machine.....!! I guess there could be some difference according to which OS it's running on....... From nobody at spamcop.net Thu Jul 7 18:57:50 2005 From: nobody at spamcop.net (NerdRevenge) Date: Thu Jul 7 20:55:10 2005 Subject: [SpamCop-List] Re: Oriental PORNO spam References: Message-ID: "mikeyhsd" wrote in message news:dakbpk$ks2$1@news.spamcop.net... > anyone else notice an increase of oriental porno spam lately. > seems kornet.net has a bunch of spammers. > > mikeyhsd@sport.rr.com Iraq? > From nobody at devnull.spamcop.net Thu Jul 7 21:02:13 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Thu Jul 7 21:05:03 2005 Subject: [SpamCop-List] Re: Blocking images in OE 6 References: Message-ID: "Porpoise" wrote in message news:dakie6$p05$1@news.spamcop.net... > > God. You're taking risks aren't you? Connecting to the internet > with a W98 machine.....!! ??? I'm the guy that fixes everyone else's stuff ... I don't understand your amazement. > I guess there could be some difference according to which OS > it's running on....... I was more wondering if this was yet another case of someone confusing Outlook with Outllok Express .... all I had to go on was the different OE version numbers in the posts, noting that caroljean52 is using an even older version than I am, even though she pointed to XP being in use. From MikeE at ster.invalid Thu Jul 7 20:59:14 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jul 7 23:00:03 2005 Subject: [SpamCop-List] Re: Blocking images in OE 6 References: Message-ID: caroljean52 wrote: X-Newsreader: Microsoft Outlook Express 6.00.2600.0000 I'm currently using Win98se + OE 6.00.2600.1123 > BUT can't find any way to block > the stupid pictures in OE 6. Pictures display if you render html which can happen if you preview or if you open your spam, neither of which are necessary for submitting it for parsing. > All the instructions I've come across > insist I should be able to do this (Tools > Options > Security) but > I'm apparently missing a crucial checkbox there. Tools/ Options/ Security/ is where you can have OE use IE in restricted mode, and it is also where you can configure to not open attachments which is another issue. If you configure for IE in restricted mode, that is tighter, because you can custom configure restricted so that it doesn't do much of anything. > Or, if I just can't block images, is there some way to just delete the > stinking spam without any of it opening?! You can delete it or you can report it -- either without opening or previewing it. > For that matter, I can't even "forward as attachment" to SpamCop > without the stuff opening as I highlight it in the menu... That sounds like you are previewing. Don't do that. That is in the OE/ View/ Layout/ uncheck show Preview Pane. If you don't preview, nothing gets 'rendered' just because an item is selected. You need to be able to select so that you can delete it, or show the message source, or forward it as an attachment. -- Mike Easter kibitzer, not SC admin From devnull at spamcop.net Fri Jul 8 01:05:31 2005 From: devnull at spamcop.net (Frog Prince) Date: Fri Jul 8 00:15:02 2005 Subject: [SpamCop-List] Re: From NANAE: "Socks" enters hospice. References: Message-ID: "Redstone" | > I would add a comment. Many think of Hospice as giving up. FWIW I've | > been a Hospice volunteer for almost two years and have two friends | > (both former Hospice patients) that have graduated out of the program | > and are still alive. One is now a Hospice volunteer. | | Already had several relatives enter hospice over the past 7 years | already. The care one receives, to me, is something that you can't | receive elsewhere. | | Hospice to me is never about giving up, as opposed to rest and recovery. Hospice often takes away the block to open discussion between loved ones. A chance to say things that you never had the courage to say. Like when my dad was dying. We all knew it but pretended it was not going to happen. The result was that I did not take the opportunity to say what I wanted to say. Almost missed the opportunity with my kids when I had the heart attack. Now make a point to call/wright them often now even if it is only a passing though. Another is the chance to enjoy that time that one has left without undue pain and suffering. Interesting thing about being a hospice volunteer, the volunteer is a trusted next door neighbor that lives a bit further away. As such the volunteers are privilege to share a lot of the patients thoughts and feelings. I get dumped on several times over the course of our visits. One patent thanked me for being the one safe person he could 'land on hard' was the phase he used. From johnl at spamcop.net Fri Jul 8 05:21:19 2005 From: johnl at spamcop.net (JohnL) Date: Fri Jul 8 00:25:02 2005 Subject: [SpamCop-List] Re: From NANAE: "Socks" enters hospice. References: Message-ID: "Frog Prince" wrote in news:dakue8$viu$2@news.spamcop.net: > One patent thanked me for being the one safe person he could 'land on > hard' was the phase he used. > And that's what would make it too hard for me to do. I wouldn't mind the "landing on hard", it's just taking that and putting it away later that would be so hard. People like you, FP, should have everyone's respect for helping someone thru the hard times. From jr70 at blackhole.invalid Thu Jul 7 22:51:02 2005 From: jr70 at blackhole.invalid (John Richards) Date: Fri Jul 8 00:55:04 2005 Subject: [SpamCop-List] Re: Blocking images in OE 6 References: Message-ID: Porpoise wrote: > "caroljean52" wrote in message > news:dakarc$k87$1@news.spamcop.net... >> Well, since switching ISPs and getting a new private email address I was >> pretty lucky. Unfortunately, the spammers have found me again at last >> (sigh...) and now I've got a problem to deal with: images in spam. I'm >> well >> aware of the dangers BUT can't find any way to block the stupid pictures >> in >> OE 6. All the instructions I've come across insist I should be able to do >> this (Tools > Options > Security) but I'm apparently missing a crucial >> checkbox there. > > I guess you are; it's quite clear under the (Tools > Options > Security) > tab - about halfway down it says "Download Images" next to a check-box which > accompanies the dialogue: "Block images and other external content in HTML > mail". I believe these options were added in the latest version, OE for XP SP2. -- John Richards From caroljean52 at yahoo.com Fri Jul 8 00:10:26 2005 From: caroljean52 at yahoo.com (caroljean52) Date: Fri Jul 8 02:15:07 2005 Subject: [SpamCop-List] Re: Blocking images in OE 6 References: Message-ID: Thanks to all for helping me with this. Turning off preview does the trick. I knew it would be something simple once I knew where to look. (View > Layout does make sense now that I know what it is, but would I have ever thought to look there in the first place? Obviously not!) Thanks again! Carol Seattle USA From caroljean52 at yahoo.com Fri Jul 8 00:35:06 2005 From: caroljean52 at yahoo.com (caroljean52) Date: Fri Jul 8 02:40:02 2005 Subject: [SpamCop-List] Re: Blocking images in OE 6 References: Message-ID: "WazoO" wrote: > noting > that caroljean52 is using an even older version than I am, > even though she pointed to XP being in use. Yeah, can't update OE without SP2, but unfortunately, SP2 and my machine have Big Issues--one of that "tiny minority" with major problems with SP2. After three rounds of trying to get it to work, I just plain gave up! The only reason I'm using OE at all in the first place is that newsgroups I read regularly from one particular server just don't seem to work on anything but OE. (At one point they worked on Netscape--which I used just for newsgroups, not mail--but Netscape "improved" their stuff so much that the newer versions won't run on this machine at all.) Don't know if it's something at their end or something at my end, but at this point in time, I'm just going with what works! Carol (non-geek) Seattle USA From nobody at nowhere.invalid Fri Jul 8 09:54:32 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Fri Jul 8 02:55:03 2005 Subject: [SpamCop-List] Re: Blocking images in OE 6 References: Message-ID: On Thu, 7 Jul 2005 15:37:29 -0700, caroljean52 coughed into spamcop and left this in : > For that matter, I can't even "forward as attachment" to SpamCop without the > stuff opening as I highlight it in the menu... Deactivate the preview pane. You'll be able to select messages to your heart's content without ever opening them. In order to open a message you'll have to double click on it, and it'll open in its own window. Alternatively, simply don't use OE. Thunderbird is a good alternative, and it'll import your adress book, mail store and settings from OE. -- Steve And 1.1.81 is officially BugFree(tm), so if you receive any bug-reports on it, you know they are just evil lies. -- Linus Torvalds From nobody at nowhere.invalid Fri Jul 8 09:56:12 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Fri Jul 8 03:00:03 2005 Subject: [SpamCop-List] Re: Blocking images in OE 6 References: Message-ID: On Fri, 8 Jul 2005 01:46:09 +0100, Porpoise coughed into spamcop and left this in : > God. You're taking risks aren't you? Connecting to the internet with a W98 > machine.....!! s/98// -- Steve QOTD - "It was so cold last Winter that I even saw a lawyer with his hands in his own pockets" From porpoise1954 at yahoo.co.uk Fri Jul 8 09:18:51 2005 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Fri Jul 8 03:20:03 2005 Subject: [SpamCop-List] Re: Blocking images in OE 6 References: Message-ID: "WazoO" wrote in message news:dakjal$q1m$1@news.spamcop.net... > "Porpoise" wrote in message > news:dakie6$p05$1@news.spamcop.net... >> >> God. You're taking risks aren't you? Connecting to the internet >> with a W98 machine.....!! > > ??? I'm the guy that fixes everyone else's stuff ... I don't understand > your amazement. Well, given that M$ withdrew suppport for that OS a while ago, there won't have been any security hotfixes for a while.... > >> I guess there could be some difference according to which OS >> it's running on....... > > I was more wondering if this was yet another case of someone > confusing Outlook with Outllok Express .... all I had to go on > was the different OE version numbers in the posts, noting > that caroljean52 is using an even older version than I am, > even though she pointed to XP being in use. Huh? version 6.0 is an older version than you're running?? From nobody at devnull.spamcop.net Fri Jul 8 17:22:32 2005 From: nobody at devnull.spamcop.net (Patto) Date: Fri Jul 8 03:25:04 2005 Subject: [SpamCop-List] Re: Blocking images in OE 6 In-Reply-To: References: Message-ID: caroljean52 wrote: > ... > Any suggestions? (*Besides* installing Service Pack 2, which seems to be the > only thing MS ever bothers to suggest anymore. Grrr... I've tried *that* > three times and I'm one of the "lucky" ones whose machine pretty much drops > dead from that. No more!) > ... Regarding XP SP2; I have only seen problems when anyone tried to install SP2 on a system that was infected with some kind of malware. If your system is 100% clean, you shouldn't have any problems. From redford_stone at INVERSE_OF_COLDmail.com Fri Jul 8 09:45:55 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Fri Jul 8 04:50:51 2005 Subject: [SpamCop-List] Re: Oriental PORNO spam References: Message-ID: "mikeyhsd" wrote in news:dakbpk$ks2$1 @news.spamcop.net: > anyone else notice an increase of oriental porno spam lately. > seems kornet.net has a bunch of spammers. > Had a porn spammer bombarding me more than 24 times daily. (Approx 1 spam every 45 to 60 minutes. Same spam too.) Stopped abruptly since Wednesday. ISP (ee.net) must of finally pulled the plug. From nobody at devnull.spamcop.net Fri Jul 8 07:50:27 2005 From: nobody at devnull.spamcop.net (Miss Betsy) Date: Fri Jul 8 07:45:06 2005 Subject: [SpamCop-List] Re: Blocking images in OE 6 References: Message-ID: "caroljean52" wrote in message news:dal5cl$3in$1@news.spamcop.net... > Thanks to all for helping me with this. Turning off preview does the trick. > I knew it would be something simple once I knew where to look. (View > > Layout does make sense now that I know what it is, but would I have ever > thought to look there in the first place? Obviously not!) I always forget where it is so don't feel bad. 'Security' seems to me the logical place to look. Miss Betsy (also non-geek) From devnull at spamcop.net Fri Jul 8 10:48:30 2005 From: devnull at spamcop.net (Frog Prince) Date: Fri Jul 8 09:50:03 2005 Subject: [SpamCop-List] Re: From NANAE: "Socks" enters hospice. References: Message-ID: "JohnL" | | > One patent thanked me for being the one safe person he could 'land on | > hard' was the phase he used. | > | | And that's what would make it too hard for me to do. | I wouldn't mind the "landing on hard", it's just taking that and putting | it away later that would be so hard. I expect that you do it quite often for you S.O. and don't notice either landing or the aftermath. You hurt for her but don't harbor any resentment. If there is a sadness, it is in watching her fight the pain. There is a bit of joy as well as by accepting the 'landing' without retaliation you give her a release. Like I said I've been on both sides and accepting the 'abuse' is a gift you have given her that you will never fully understand and she will likely never be able to articulate much less explain. It is a gift of understanding and love. | People like you, FP, should have everyone's respect for helping someone | thru the hard times. I was not always that way. One of the things taught in the Hospice volunteer program is how to deal with that eventually. Works in Hospice but also works in the real world. Rephrased 'Be careful what you take offense as the less you are offended the less you have to forgive.' ergo less stress. The other thing that Hospice does is teach the volunteers how to deal with loss. (all loss not only the loss of a loved one) I only wish I had that training at a very much younger age. I don't mean to harp on the option but all should consider auditing the Hospice training. You may only confirm that Hospice is not your calling but you will come away with a much better understanding that will help others and no less help yourself. From mcwebber at my-deja.com Fri Jul 8 11:02:25 2005 From: mcwebber at my-deja.com (McWebber) Date: Fri Jul 8 10:05:03 2005 Subject: [SpamCop-List] Re: eBay phisher stupidity References: Message-ID: "StampOutSpam" wrote in message news:opstj90x16yhmg4h@powermac.local... > The phisher is too cheap to use HTTPS, so it puts "https" in the URL path. > > http://66.206.4.51/cgi-bin/https/ > > Another eBay phisher I saw recently collected credit card information and > other financial details. This one doesn't seem to collect anything except > maybe the basic eBay user login. When I try to get phished, I get: > "Your sign in information is not valid. Please try again." The phishers have scripts that do a GET on your login info and return an error if it's wrong. They don't want to be bothered with lots of fake user/pw as I'm sure they used to get lots of. > > What use is an eBay login unless you're trying to disrupt auctions? To put up a fake auction on an inactive eBay user's name. Especially if you get hold of one with lots of good feedback posted. Suddenly you get an auction for a laptop that doesn't exist from a trusted seller. -- McWebber "Richter points to the lack of legal action against his company as proof that he's operating appropriately." Information Week, November 10, 2003 From mcwebber at my-deja.com Fri Jul 8 11:20:39 2005 From: mcwebber at my-deja.com (McWebber) Date: Fri Jul 8 10:20:02 2005 Subject: [SpamCop-List] Re: Why Not Lart MSN? References: Message-ID: "John E. Malmberg" wrote in message news:dajrrf$8ol$1@news.spamcop.net... > McWebber wrote: > > "Robert Blair" wrote in message > > news:TECQXhvKj0FX-pn2-EqH7zIyHftsL@dsl-206-55-144-107.tstonramp.com... > > > >>Why should it make any difference which abuse address you send it to? > > > > > > Maybe because MSN != Hotmail > > MSN is routing their e-mail through Hotmail. The email addresses say @msn.com not @hotmail.com so that's a clue. It wouldn't say @msn.com if they were Hotmail users. You can lart both, but the @msn.com is the account that needs to be killed off. > > >>MS needs to get a clue and fix their problems. By the way it is > >>spamcop that uses that abuse address. > > > > Spamcop is wrong, again. > > Spamcop is using the address indicated by rDNS by Microsoft. That's all well and good, but it doesn't accomplish much if the goal is to get the spammer's account knocked off. You can stand there with your fingers in your ears ignoring the bounces or you can take action that may have a positive outcome. > Apparently Microsoft is also providing hosting through hotmail for other > custom domain names, and Hotmail is sometimes refusing larts on them also. No, the domains are not hosted by Hotmail, if you do a DNS lookup on them. The mail may be routed through Hotmail SMTP but the DNS shows either microsoft.com or msn.com. ebay-billing-updatingworld.com Found authoritative nameserver: pdomns1.msn.com -- McWebber "Richter points to the lack of legal action against his company as proof that he's operating appropriately." Information Week, November 10, 2003 From mcwebber at my-deja.com Fri Jul 8 11:58:21 2005 From: mcwebber at my-deja.com (McWebber) Date: Fri Jul 8 11:00:02 2005 Subject: [SpamCop-List] Re: Blocking images in OE 6 References: Message-ID: "caroljean52" wrote in message news:dal5cl$3in$1@news.spamcop.net... > Thanks to all for helping me with this. Turning off preview does the trick. > I knew it would be something simple once I knew where to look. (View > > Layout does make sense now that I know what it is, but would I have ever > thought to look there in the first place? Obviously not!) > I have a plugin for IE ToggleImages.exe that I have as a shortcut in my Links menu. It turns off image loading in IE. I don't use OE for email but IIRC it uses the IE engine so turning off image loading in IE may turn it off in OE as well. In IE there is also under Tools -- Options -- Advanced. A checkbox under Multimedia "Show Pictures" which turns off image loading. Good for dialup users often. You can then right click on any picture and "Show Picture" They're supposed to be for IE5 but I've always been using them in IE6 as well. Some handy items. http://www.microsoft.com/windows/ie/previous/webaccess/default.mspx -- McWebber "Richter points to the lack of legal action against his company as proof that he's operating appropriately." Information Week, November 10, 2003 From nobody at executespammers.org Fri Jul 8 12:23:14 2005 From: nobody at executespammers.org (Paul) Date: Fri Jul 8 11:25:03 2005 Subject: [SpamCop-List] sudden collosal jump in spam Message-ID: Spam traffic jumped to enormous proportions for us last week - like several thousand every minute. One of our IS guys thought it was a DoS attack, but a log analysis showed that were comming from lots of differnt IP addresses, a large chunk in China and Korea. Our aging server couldn't handle the flood at all and we had to throttle the maximum number of connections to 10 and the maximum number of message deliveries per connection to 2. This has helped, though the pounding continues (yes I know we need a better solution but it's out of my hands). Anyone else notice a sudden jump? Paul From nobody at devnull.spamcop.net Fri Jul 8 12:58:55 2005 From: nobody at devnull.spamcop.net (Pop) Date: Fri Jul 8 12:00:08 2005 Subject: [SpamCop-List] Re: Blocking images in OE 6 References: Message-ID: ... > Any suggestions? (*Besides* installing Service Pack > 2, which seems to be the > only thing MS ever bothers to suggest anymore. > Grrr... I've tried *that* > three times and I'm one of the "lucky" ones whose > machine pretty much drops > dead from that. No more!) ... It's about 95% likely that whatever is fouling up the SP2 install is the root of this problem too since you seem to indicate things aren't where they should be. Anything else, IMO, is looking for bandaids to stop a hemorrhage - and the SP2 issue must be addressed first. You'll be having other problems, too. You must be one of the ones who needs to follow the MS instructions to the letter for SP2. Did you? Pop From nobody at spamcop.net Fri Jul 8 13:56:35 2005 From: nobody at spamcop.net (indigo) Date: Fri Jul 8 13:00:02 2005 Subject: [SpamCop-List] Re: Blocking images in OE 6 References: Message-ID: Mike Easter wrote: > > That sounds like you are previewing. Don't do that. That is in the > OE/ View/ Layout/ uncheck show Preview Pane. > To make it easier on myself, I put the preview pane icon on to OE toolbar at home. If I see any spam that sneaked past SpamPal, I click on the button to turn off the preview pane, mark and delete the spam (or forward it to SC if I'm in a reporting mood), then click again to turn back on previewing. It's a lot faster and easier than using the menu commands. From glnews030922 at highspot.net Fri Jul 8 19:24:34 2005 From: glnews030922 at highspot.net (Graeme Leith) Date: Fri Jul 8 13:25:02 2005 Subject: [SpamCop-List] Re: Blocking images in OE 6 In-Reply-To: References: Message-ID: caroljean52 wrote: > Yeah, can't update OE without SP2, but unfortunately, SP2 and my machine > have Big Issues--one of that "tiny minority" with major problems with SP2. > After three rounds of trying to get it to work, I just plain gave up! SP2 fixes major vulnerabilities with both IE and OE. If you can't get it installed, I would highly recommend that you use other software for your email and web browsing. If you don't, you *will* get infected with malware, no matter how careful you think your security practices are. -- Evidence shows Cyveillance abuse internet resources. I recommend unchecking their box in SpamCop reports. Cyveillance are part of the problem. They are not part of the solution. From glnews030922 at highspot.net Fri Jul 8 19:27:25 2005 From: glnews030922 at highspot.net (Graeme Leith) Date: Fri Jul 8 13:25:10 2005 Subject: [SpamCop-List] Re: sudden collosal jump in spam In-Reply-To: References: Message-ID: Paul wrote: > Spam traffic jumped to enormous proportions for us last week - like several > thousand every minute. One of our IS guys thought it was a DoS attack, but a > log analysis showed that were comming from lots of differnt IP addresses, a > large chunk in China and Korea. Our aging server couldn't handle the flood > at all and we had to throttle the maximum number of connections to 10 and > the maximum number of message deliveries per connection to 2. This has > helped, though the pounding continues (yes I know we need a better solution > but it's out of my hands). > > Anyone else notice a sudden jump? Is it a dictionary attack landing in a catch all mailbox, or is it targeted? Personally, I've seen an increase in dictionary attacks over the last couple of weeks, but it's still about an order of magnitude below the level it was six months ago. -- Evidence shows Cyveillance abuse internet resources. I recommend unchecking their box in SpamCop reports. Cyveillance are part of the problem. They are not part of the solution. From nobody at executespammers.org Fri Jul 8 15:25:13 2005 From: nobody at executespammers.org (Paul) Date: Fri Jul 8 14:25:02 2005 Subject: [SpamCop-List] Re: sudden collosal jump in spam References: Message-ID: "Graeme Leith" wrote in message news:damcq8$q79$3@news.spamcop.net... > Is it a dictionary attack landing in a catch all mailbox, or is it targeted? > > Personally, I've seen an increase in dictionary attacks over the last > couple of weeks, but it's still about an order of magnitude below the > level it was six months ago. Dictionary, only more random than I ever remember. A lot of the names now have numbers and random crap in them, like the spammers are now trying to go through every alphanumeric permuation. That greatly distubes me because of the bandwidth implications. Paul From nobody at devnull.spamcop.net Fri Jul 8 15:05:55 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Fri Jul 8 15:10:03 2005 Subject: [SpamCop-List] Re: Blocking images in OE 6 References: Message-ID: "Porpoise" wrote in message news:dal9ej$5vr$1@news.spamcop.net... > > "WazoO" wrote in message > news:dakjal$q1m$1@news.spamcop.net... > > > > ??? I'm the guy that fixes everyone else's stuff ... I don't understand > > your amazement. > > Well, given that M$ withdrew suppport for that OS a while ago, there won't > have been any security hotfixes for a while.... Not true / accurate, actually. > Huh? version 6.0 is an older version than you're running?? caroljean52 - :Microsoft Outlook Express 6.00.2600.0000 me: - Microsoft Outlook Express 6.00.2800.1437 you - Microsoft Outlook Express 6.00.2900.2180 From pete+usenet at heypete.com Fri Jul 8 13:47:13 2005 From: pete+usenet at heypete.com (Pete Stephenson) Date: Fri Jul 8 15:50:02 2005 Subject: [SpamCop-List] Re: sudden collosal jump in spam References: Message-ID: In article , "Paul" wrote: > Dictionary, only more random than I ever remember. A lot of the names now > have numbers and random crap in them, like the spammers are now trying to go > through every alphanumeric permuation. That greatly distubes me because of > the bandwidth implications. *nods* One of my previous mail hosts asked me to take my business (and MX records) elsewhere due to the vast amount of connections and bandwidth use my domain required because of all the spam. It's now presently on my webhost's system, which can easily handle the load, but offers minimal spam protection (no DNSbls, and about 90%-99% of all incoming spam is listed on one DNSbl or another[1]). I'm getting hit with several hundred spams a day, just to my personal address, most of them from Asia. Whoever says spam isn't expensive has never been on the receiving end of so much of it... [1] If anyone here knows of any web/mail host that offers good prices and services (i.e. if it can provide the same services as listed in the $9.95/month plan at http://he.net/hosting_prices.html), plus DNSbl querying and rejection, let me know. Some of the more exotic features aren't necessary, but good amounts of bandwidth, speed, reliability, and CGI are important. -- Pete Stephenson HeyPete.com From pef1 at sbcglobal.net Fri Jul 8 16:31:16 2005 From: pef1 at sbcglobal.net (PEF) Date: Fri Jul 8 16:35:03 2005 Subject: [SpamCop-List] New tactics blocking too much. Message-ID: <42CEE294.1D8CE5CB@sbcglobal.net> As a 20's and 30's group leader, I have always used Bcc to the group of 35 people to protect their privacy. Email goes out once a week. Just this week SPAMCOP has interfered with the delivery to 3 people from the group. How does one teach a filter company the difference between good and bad filtering? This interruption is harmful to the maintenance of the group and a violation of the free speech act. All of the recipients of the weekly email have signed up for it. It is NOT SPAM. Frustrated. From nobody at nowhere.invalid Fri Jul 8 23:46:34 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Fri Jul 8 16:50:03 2005 Subject: [SpamCop-List] Re: New tactics blocking too much. References: <42CEE294.1D8CE5CB@sbcglobal.net> Message-ID: On Fri, 08 Jul 2005 15:31:16 -0500, PEF coughed into spamcop and left this in <42CEE294.1D8CE5CB@sbcglobal.net>: > Content-Type: text/html; charset=us-ascii > Content-Transfer-Encoding: 7bit > > > ??? -- Steve From pete+usenet at heypete.com Fri Jul 8 15:24:35 2005 From: pete+usenet at heypete.com (Pete Stephenson) Date: Fri Jul 8 17:25:03 2005 Subject: [SpamCop-List] Re: New tactics blocking too much. References: <42CEE294.1D8CE5CB@sbcglobal.net> Message-ID: In article <42CEE294.1D8CE5CB@sbcglobal.net>, PEF wrote: > As a 20's and 30's group leader, I have always used Bcc to the group > of 35 people to protect their privacy. Email goes out once a week. > Just this week SPAMCOP has interfered with the delivery to 3 people > from the group. How does one teach a filter company the difference > between good and bad filtering? This interruption is harmful to the > maintenance of the group and a violation of the free speech act. All > of the recipients of the weekly email have signed up for it. It is > NOT SPAM. PEF, Could you provide any error messages received? SpamCop doesn't really care if the recipient's address is in the "To", "CC", or "BCC" fields, but rather is concerned with the IP address of the sending mail system. Any error messages you have would be most helpful in determining what caused your messages to be blocked. Cheers! -- Pete Stephenson HeyPete.com From nobody at devnull.spamcop.net Fri Jul 8 18:09:30 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Fri Jul 8 18:10:03 2005 Subject: [SpamCop-List] Re: New tactics blocking too much. References: <42CEE294.1D8CE5CB@sbcglobal.net> Message-ID: "PEF" wrote in message news:42CEE294.1D8CE5CB@sbcglobal.net... > As a 20's and 30's group leader, I have always > used Bcc to the group of 35 people to protect > their privacy. Email goes out once a week. Just > this week SPAMCOP has interfered with the > delivery to 3 people from the group. How does > one teach a filter company the difference > between good and bad filtering? This interruption > is harmful to the maintenance of the group and > a violation of the free speech act. All of the > recipients of the weekly email have signed up > for it. It is NOT SPAM. > > Frustrated. Why am I Blocked? FAQ http://forum.spamcop.net/forums/index.php?showtopic=972 SpamCop blocks nothing. Any "blocking" action takes place at the recipient's end. Providing the IP address of the e-mail server involved may have allowed someone to point to some data to explain the situation. From porpoise1954 at yahoo.co.uk Sat Jul 9 00:03:48 2005 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Fri Jul 8 18:15:03 2005 Subject: [SpamCop-List] Re: Blocking images in OE 6 References: Message-ID: "WazoO" wrote in message news:damiqj$ueb$1@news.spamcop.net... > "Porpoise" wrote in message > news:dal9ej$5vr$1@news.spamcop.net... >> >> >> Well, given that M$ withdrew suppport for that OS a while ago, there >> won't >> have been any security hotfixes for a while.... > > Not true / accurate, actually. You are correct (I missed the stay of execution until June 30, 2006). > >> Huh? version 6.0 is an older version than you're running?? > > caroljean52 - :Microsoft Outlook Express 6.00.2600.0000 > me: - Microsoft Outlook Express 6.00.2800.1437 > you - Microsoft Outlook Express 6.00.2900.2180 Surely only minor updates.......... From porpoise1954 at yahoo.co.uk Sat Jul 9 00:11:18 2005 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Fri Jul 8 18:15:10 2005 Subject: [SpamCop-List] Re: New tactics blocking too much. References: <42CEE294.1D8CE5CB@sbcglobal.net> Message-ID: > "PEF" wrote in message > news:42CEE294.1D8CE5CB@sbcglobal.net... > As a 20's and 30's group leader, I have always > used Bcc to the group of 35 people to protect > their privacy. Email goes out once a week. Just > this week SPAMCOP has interfered with the > delivery to 3 people from the group. How does > one teach a filter company the difference > between good and bad filtering? Spamcop isn't a filter company. Therefore it does not have good or bad filtering. It does, however, maintain a list of IP addresses which members may have reported as having sent spam, or have been caught sending emails to spamtraps. This list of IP addresses is then available to third parties to "flag" messages coming from any of the IP addresses on that list. > This interruption is harmful to the maintenance of the group and > a violation of the free speech act. All of the > recipients of the weekly email have signed up > for it. It is NOT SPAM. > Frustrated. Someone either reported it as spam, or it hit a spamtrap, or someone else has been sending spam through the same server - causing your mail to also get blocked by the recipient's mailserver - this is called "collateral damage". From pef1 at sbcglobal.net Fri Jul 8 18:29:40 2005 From: pef1 at sbcglobal.net (PEF) Date: Fri Jul 8 18:35:02 2005 Subject: [SpamCop-List] Re: New tactics blocking too much. References: <42CEE294.1D8CE5CB@sbcglobal.net> Message-ID: <42CEFE54.C204A45E@sbcglobal.net> Here is what I got that caused me to post in the first place. (copied from reply to group mail) : Connected to 69.89.239.177 but sender was rejected. Remote host said: 501 5.7.1 ... Sender refused by the DNSBL bl.spamcop.net : 209.87.135.202 does not like recipient. Remote host said: 550 BLOCKED [bl.spamcop.net][68.142.229.97] Giving up on 209.87.135.202. : 65.109.149.32 does not like recipient. Remote host said: 553 5.3.0 ... Mail from 68.142.229.97 blocked using SPAMCOP. See Giving up on 65.109.149.32. PEF wrote: > As a 20's and 30's group leader, I have always > used Bcc to the group of 35 people to protect > their privacy. Email goes out once a week. Just > this week SPAMCOP has interfered with the > delivery to 3 people from the group. How does > one teach a filter company the difference > between good and bad filtering? This interruption > is harmful to the maintenance of the group and > a violation of the free speech act. All of the > recipients of the weekly email have signed up > for it. It is NOT SPAM. > > Frustrated. > From nobody at devnull.spamcop.net Fri Jul 8 19:39:23 2005 From: nobody at devnull.spamcop.net (Pop) Date: Fri Jul 8 18:40:02 2005 Subject: [SpamCop-List] Re: New tactics blocking too much. References: <42CEE294.1D8CE5CB@sbcglobal.net> Message-ID: "PEF" wrote in message news:42CEE294.1D8CE5CB@sbcglobal.net... As a 20's and 30's group leader, I have always used Bcc to the group of 35 people to protect their privacy. Email goes out once a week. Just this week SPAMCOP has interfered with the delivery to 3 people from the group. How does one teach a filter company the difference between good and bad filtering? This interruption is harmful to the maintenance of the group and a violation of the free speech act. All of the recipients of the weekly email have signed up for it. It is NOT SPAM. Frustrated. ===> Well, someone you sent it to thought it was spam because they apparently reported it as spam. Spamcop isn't a "filtering company". OTHER companies use spamcop's lists to block mail with, spamcop does not except for its paying members. So it's not spamcop that did the blocking; someone using spamcop's list, among many, MANY others in the world, Do you use a confirmed optin or can anyone sign just anyone up? Any chance they mistook your mail for spam? Did you change the look somehow? Something in the subject line? No ID? Food for thought. On newsgroups, you should use Plain Text; HTML can't/isn't read by many people on groups. From "pef1" at sbcglobal.net Fri Jul 8 19:22:52 2005 From: "pef1" at sbcglobal.net (PEF) Date: Fri Jul 8 19:25:03 2005 Subject: [SpamCop-List] Re: New tactics blocking too much. References: <42CEE294.1D8CE5CB@sbcglobal.net> Message-ID: It would be very unlikely that these 3 would simultaneously choose to block this mail. The sign up is done by request in person. No "opting" or automation. Thanks for the information on the functions of spamcop though. It might kill the usefulness of email all together. To bad but I guess good things don't last. Back to web page announcements. PF Pop wrote: > > "PEF" wrote in message > news:42CEE294.1D8CE5CB@sbcglobal.net... > As a 20's and 30's group leader, I have always > used Bcc to the group of 35 people to protect > their privacy. Email goes out once a week. Just > this week SPAMCOP has interfered with the > delivery to 3 people from the group. How does > one teach a filter company the difference > between good and bad filtering? This interruption > is harmful to the maintenance of the group and > a violation of the free speech act. All of the > recipients of the weekly email have signed up > for it. It is NOT SPAM. > Frustrated. > > ===> Well, someone you sent it to thought it was spam > because they apparently reported it as spam. Spamcop > isn't a "filtering company". > OTHER companies use spamcop's lists to block mail with, > spamcop does not except for its paying members. So > it's not spamcop that did the blocking; someone using > spamcop's list, among many, MANY others in the world, > Do you use a confirmed optin or can anyone sign just > anyone up? > Any chance they mistook your mail for spam? Did you > change the look somehow? Something in the subject > line? No ID? > Food for thought. > > On newsgroups, you should use Plain Text; HTML > can't/isn't read by many people on groups. From nobody at devnull.spamcop.net Fri Jul 8 19:36:54 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Fri Jul 8 19:40:02 2005 Subject: [SpamCop-List] Re: New tactics blocking too much. References: <42CEE294.1D8CE5CB@sbcglobal.net> <42CEFE54.C204A45E@sbcglobal.net> Message-ID: "PEF" wrote in message news:42CEFE54.C204A45E@sbcglobal.net... > Here is what I got that caused me to > post in the first place. > (copied from reply to group mail) > > : > Connected to 69.89.239.177 but sender was rejected. > Remote host said: 501 5.7.1 ... Sender refused by > the DNSBL > bl.spamcop.net > > : > 209.87.135.202 does not like recipient. > Remote host said: 550 BLOCKED [bl.spamcop.net][68.142.229.97] > Giving up on 209.87.135.202. > > : > 65.109.149.32 does not like recipient. > Remote host said: 553 5.3.0 ... Mail from > 68.142.229.97 > blocked using SPAMCOP. See > > Giving up on 65.109.149.32. Current datum; http://www.spamcop.net/w3m?action=checkblock&ip=68.142.229.97 68.142.229.97 not listed in bl.spamcop.net appears to have been recently delisted ... http://www.senderbase.org/?searchBy=ipaddress&sb=1&searchString=68.142.229.97 Volume Statistics for this IP Magnitude Vol Change vs. Average Last day ......... 4.7 .. 1185% Last 30 days .. 4.7 ... 1315% Average ......... 3.5 Possibly on a downward trend, perhaps the spammer got removed? That said, you are pointing to a "shared" server, so the immediate cause probably isn't necessarily "your" e-mail. Any e-mail leaving that server headed to an ISP that used the SpamCopDNSBL for blocking would have generated such a response (if the ISP didn't simply delete the incoming e-mail) ... and note that the 'recommended' usage of the SpamCopDNSBL is to "tag / handle" the impacted e-mail. That an ISP chose to use this list for "blocking" e-mail is that ISP's decision. From "pef1" at sbcglobal.net Fri Jul 8 20:01:35 2005 From: "pef1" at sbcglobal.net (PEF) Date: Fri Jul 8 20:05:03 2005 Subject: [SpamCop-List] Re: New tactics blocking too much. References: <42CEE294.1D8CE5CB@sbcglobal.net> <42CEFE54.C204A45E@sbcglobal.net> Message-ID: Thanks. I will try to not be paranoid about it. I still think hosting a web page might be more effective for this group anyway. We'll see how it goes. PF WazoO wrote: > > "PEF" wrote in message > news:42CEFE54.C204A45E@sbcglobal.net... > > Here is what I got that caused me to > > post in the first place. > > (copied from reply to group mail) > > > > : > > Connected to 69.89.239.177 but sender was rejected. > > Remote host said: 501 5.7.1 ... Sender refused by > > the DNSBL > > bl.spamcop.net > > > > : > > 209.87.135.202 does not like recipient. > > Remote host said: 550 BLOCKED [bl.spamcop.net][68.142.229.97] > > Giving up on 209.87.135.202. > > > > : > > 65.109.149.32 does not like recipient. > > Remote host said: 553 5.3.0 ... Mail from > > 68.142.229.97 > > blocked using SPAMCOP. See > > > > Giving up on 65.109.149.32. > > Current datum; > http://www.spamcop.net/w3m?action=checkblock&ip=68.142.229.97 > 68.142.229.97 not listed in bl.spamcop.net > appears to have been recently delisted ... > > http://www.senderbase.org/?searchBy=ipaddress&sb=1&searchString=68.142.229.97 > Volume Statistics for this IP > Magnitude Vol Change vs. Average > Last day ......... 4.7 .. 1185% > Last 30 days .. 4.7 ... 1315% > Average ......... 3.5 > > Possibly on a downward trend, perhaps the spammer got removed? > > That said, you are pointing to a "shared" server, so the > immediate cause probably isn't necessarily "your" e-mail. > Any e-mail leaving that server headed to an ISP that used > the SpamCopDNSBL for blocking would have generated > such a response (if the ISP didn't simply delete the incoming > e-mail) ... and note that the 'recommended' usage of the > SpamCopDNSBL is to "tag / handle" the impacted e-mail. > That an ISP chose to use this list for "blocking" e-mail is > that ISP's decision. From nobody at spamcop.net Fri Jul 8 18:06:03 2005 From: nobody at spamcop.net (N. Miller) Date: Fri Jul 8 20:10:02 2005 Subject: [SpamCop-List] Re: New tactics blocking too much. References: <42CEE294.1D8CE5CB@sbcglobal.net> Message-ID: On Fri, 08 Jul 2005 15:31:16 -0500, PEF wrote: > As a 20's and 30's group leader, I have always > used Bcc to the group of 35 people to protect > their privacy. Email goes out once a week. Just > this week SPAMCOP has interfered with the > delivery to 3 people from the group. SpamCop can't interfere with email delivery, except to SC's own email users. SpamCop can't block email coming to my server; unless I decide to block incoming email based on the SpamCop list. But that is the mail server administrator's decision, not SpamCop's decision. > How does one teach a filter company the difference > between good and bad filtering? One would contact them and explain to them the difference. Which filter company is causing the problem? Brightmail? SpamAssassin? > This interruption is harmful to the maintenance of > the group... Which is not SpamCop's, or anybody else's problem. > ...and a violation of the free speech act. Which free speech act would that be? AFAIK, the U.S. Constitution prohibits government from interfering with freedom of speech, but does not regulate how SpamCop handles email directed to their users, or how I handle email directed to my users. > All of the recipients of the weekly email have signed > up for it. It is NOT SPAM. Perhaps those recipients losing email need to contact the administrators of their service to effect some kind of program which lessens the adverse impact on their service. That is between the recipients, and their providers; SpamCop has no role in that at all. > Frustrated. So am I; too much spam. I stopped using my ISP's email, account, for the most part. I rely on email to my own domain, now; I have much tighter control over rejecting unwanted messages. -- Norman ~Win dain a lotica, En vai tu ri, Si lo ta ~Fin dein a loluca, En dragu a sei lain ~Vi fa-ru les shutai am, En riga-lint From nobody at spamcop.net Fri Jul 8 18:08:05 2005 From: nobody at spamcop.net (N. Miller) Date: Fri Jul 8 20:10:12 2005 Subject: [SpamCop-List] Re: New tactics blocking too much. References: <42CEE294.1D8CE5CB@sbcglobal.net> Message-ID: On Fri, 08 Jul 2005 18:22:52 -0500, PEFNo bulk mail wrote: > Thanks for the information > on the functions of spamcop though. > It might kill the usefulness of > email all together. To bad but > I guess good things don't last. I doubt it. Spam is the bigger problem. In fact, I don't have the SCBL blocking email on my mail server. But I have other DNSBLs in place which to block connection attempts to my mail server. However, it is my decision which DNSBLs, if any, to use for blocking connections to my server. -- Norman ~Win dain a lotica, En vai tu ri, Si lo ta ~Fin dein a loluca, En dragu a sei lain ~Vi fa-ru les shutai am, En riga-lint From jason.mangiafico at verizon.net Fri Jul 8 22:35:17 2005 From: jason.mangiafico at verizon.net (JM) Date: Fri Jul 8 21:40:03 2005 Subject: [SpamCop-List] Re: New tactics blocking too much. References: <42CEE294.1D8CE5CB@sbcglobal.net> Message-ID: quoting: > As a 20's and 30's group leader, I have always > used Bcc to the group of 35 people to protect > their privacy. Email goes out once a week. Just > this week SPAMCOP has interfered with the > delivery to 3 people from the group. How does > one teach a filter company the difference > between good and bad filtering? This interruption > is harmful to the maintenance of the group and > a violation of the free speech act. All of the > recipients of the weekly email have signed up > for it. It is NOT SPAM. > > Frustrated. The receiving system's administrators have all the power to whitelist you. If they won't whitelist you, then they are they problem, not Spamcop. html version dumped. From nobody at devnull.spamcop.net Fri Jul 8 21:44:26 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Fri Jul 8 21:45:03 2005 Subject: [SpamCop-List] Re: New tactics blocking too much. References: <42CEE294.1D8CE5CB@sbcglobal.net> <42CEFE54.C204A45E@sbcglobal.net> Message-ID: "PEF No bulk mail accepted.>" <"pef1"@sbcglobal.net> wrote in message news:dan46i$9gl$1@news.spamcop.net... > Thanks. I will try to not > be paranoid about it. I > still think hosting a web > page might be more effective > for this group anyway. > We'll see how it goes. My head hurts I'm not sure what you mean by "hosting a web page" .. but ... one of my last attempts at creating a web page for 'new visitors' is found at http://forum.spamcop.net/forums/index.php?act=home still a work in progress, still accepting input ... Take a look at some traffic in the spamcop.help newsgroups for the background ...24 June looks like a good entry spot ... The Forums exist at http://forum.spamcop.net/forums/ From MikeE at ster.invalid Fri Jul 8 19:52:32 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri Jul 8 21:55:03 2005 Subject: [SpamCop-List] Re: Bad report... References: Message-ID: Posted to spamcop & .spam; f/ups to spamcop Discussions in spamcop.help or spamcop, not .spam; let's do spamcop this time J G wrote: www.spamcop.net/sc?id=z783630929ze9dc1d917534e4443f8a425208f7abb4z > > Copied myself in and got msg back with same subject and sender as > original - what form of animal is thie? > Have reported to bad reports already... What I'm seeing in that tracker is two headers smushed together at the top and the rest 'shuffled' together with a spamreport body, then another piece of the header detached and displaced from the smushing, and then the original spambody. I can probably use my imagination and dissect out the 2 parts from the smushed together header at the top and the 'sandwich' below -- but my question is "Why are we doing this and what happened to what you have parsed?" The smushed headers are those from a spamcop report merged with those from a spam -- for best reconstruction you will be aided by viewing the original spam displayed 'properly' in the tracker display at http://www.spamcop.net/sc?id=z783628419z080fd52b60a336fdd33375f6343d994ez;action=display So, once you 'understand' the exact structure of those headers and spambody, you re-examine the parts of the display of your tracker you posted http://www.spamcop.net/sc?id=z783630929ze9dc1d917534e4443f8a425208f7abb4z;action=display Then, we have to 'de-construct' the original spam from the 'Brundlefly' [Jeff Goldblum's chimera with/in The Fly] disaster it has become. So, we take the section from the top of the headers down to the 2nd Return-Path line and separate there; those belong to the spamcop report. Then we take the section from the Return-Path: AntoneMccauley down to the X-Arrival time line -- all of which belong to the original spam headers. Then comes the body which belongs to the spamcop report. Put that back up with the top part above. Then, replace the partial headers which follow with an amalgam of the headers I've described above which start with Return-Path: AntoneMccauley Except, I think we have to remove some parts of the spam headers which we create from the amalgamation, because some of those parts are from yet another set of headers which don't belong to either the original spam or to the spamcop report headers. You have a triple chimera, just like the story in The Fly when there was an attempt to fix the problem, remember? The Brundle-telepod-fly. -- Mike Easter kibitzer, not SC admin From anon at coks.net Fri Jul 8 20:03:57 2005 From: anon at coks.net (J G) Date: Fri Jul 8 22:05:03 2005 Subject: [SpamCop-List] Re: Bad report... In-Reply-To: References: Message-ID: On 7/8/2005 6:52 PM Mike Easter scribbled: > Posted to spamcop & .spam; f/ups to spamcop > > Discussions in spamcop.help or spamcop, not .spam; let's do spamcop > this time > > J G wrote: > www.spamcop.net/sc?id=z783630929ze9dc1d917534e4443f8a425208f7abb4z > >>Copied myself in and got msg back with same subject and sender as >>original - what form of animal is thie? >>Have reported to bad reports already... > > > What I'm seeing in that tracker is two headers smushed together at the > top and the rest 'shuffled' together with a spamreport body, then > another piece of the header detached and displaced from the smushing, > and then the original spambody. > > I can probably use my imagination and dissect out the 2 parts from the > smushed together header at the top and the 'sandwich' below -- but my > question is "Why are we doing this and what happened to what you have > parsed?" > > The smushed headers are those from a spamcop report merged with those > from a spam -- for best reconstruction you will be aided by viewing the > original spam displayed 'properly' in the tracker display at > http://www.spamcop.net/sc?id=z783628419z080fd52b60a336fdd33375f6343d994ez;action=display > > So, once you 'understand' the exact structure of those headers and > spambody, you re-examine the parts of the display of your tracker you > posted > http://www.spamcop.net/sc?id=z783630929ze9dc1d917534e4443f8a425208f7abb4z;action=display > > Then, we have to 'de-construct' the original spam from the 'Brundlefly' > [Jeff Goldblum's chimera with/in The Fly] disaster it has become. > > So, we take the section from the top of the headers down to the 2nd > Return-Path line and separate there; those belong to the spamcop > report. Then we take the section from the Return-Path: AntoneMccauley > down to the X-Arrival time line -- all of which belong to the original > spam headers. Then comes the body which belongs to the spamcop report. > Put that back up with the top part above. Then, replace the partial > headers which follow with an amalgam of the headers I've described above > which start with Return-Path: AntoneMccauley > > Except, I think we have to remove some parts of the spam headers which > we create from the amalgamation, because some of those parts are from > yet another set of headers which don't belong to either the original > spam or to the spamcop report headers. > > You have a triple chimera, just like the story in The Fly when there was > an attempt to fix the problem, remember? The Brundle-telepod-fly. > never saw the movie... I routnely submitted this to sC and SC did all the smushing. I had no knowledge of what was transpiring. I now randomly cc myself to see if cox is becoming a pita by deleting reports. Instead of the usual SC report to myself, I got back what appeared to be the orig spam, 2nd time. I posted here thinking this may be some new spammer trick after seeing the bad report notation in the source. I received communication from one Don @ SC asking me to be more careful. I told him what happened and he took a 2nd look. Came back with some gobblety gook about headers running into each other and causing the report to pick up the original spam headers. Said he'd never seen this before. I told him I had posted here and he said you'd have something to chew on - guess so... From MikeE at ster.invalid Fri Jul 8 20:18:42 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri Jul 8 22:20:03 2005 Subject: [SpamCop-List] Re: Bad report... References: Message-ID: J G wrote: > I routnely submitted this to sC and SC did all the smushing. Okay... altho'/and SC provides you with a copy of what it started with, which is not exactly 'normal'. But then, it is possible that the original spam had 2 sets of Return-Path, and besides the 'quaint' headers done by your own provider, there's a whole additional set or 'group' of headers which don't 'belong'. Under more ordinary circumstances, I would just assume that it is typical spammer insanity of junk bogosity -- but when we are trying to figure out some combination of your system and spamcop's system screwing something up, I can't really be sure we are talking about spammer insanity. Maybe we are talking about server or mailuser agent or spamcop database corruption. > I had no > knowledge of what was transpiring. I now randomly cc myself to see if > cox is becoming a pita by deleting reports. Well, that creates an interesting 'wrinkle'. Normally 'we' don't get to see what SC is sending out as reports -- we only see them when we are previewing the report. When you send yourself a copy, you get to doublecheck what SC is doing. > Instead of the usual SC > report to myself, I got back what appeared to be the orig spam, 2nd > time. I posted here thinking this may be some new spammer trick > after seeing the bad report notation in the source. I received > communication from one Don @ SC asking me to be more careful. I told > him what happened and he took a 2nd look. Came back with some > gobblety gook about headers running into each other and causing the > report to pick up the original spam headers. Said he'd never seen > this before. I told him I had posted here and he said you'd have > something to chew on - guess so... The business about what we haven't seen before is also influenced by the fact that we don't usually ask for copies of SC reports to be sent to us. So saying we don't [ever] see it is deprecated by the fact that we don't normally /get/ it. -- Mike Easter kibitzer, not SC admin From nttp.sc.s at bigsleep.org Sat Jul 9 05:06:28 2005 From: nttp.sc.s at bigsleep.org (Blammo) Date: Sat Jul 9 00:10:03 2005 Subject: [SpamCop-List] Re: sudden collosal jump in spam References: Message-ID: On 08 Jul 2005 Paul entered spamcop and left news:damgbl$sqp$1@news.spamcop.net: > A lot of the names now > have numbers and random crap in them, like the spammers are now trying > to go through every alphanumeric permuation. I havn't checked lately, but I have seen what look like message Ids from news. I thought these were random at first, then realized they were just scraped. -- | Ric | From "pef1" at sbcglobal.net Sat Jul 9 00:49:55 2005 From: "pef1" at sbcglobal.net (PEF) Date: Sat Jul 9 00:55:04 2005 Subject: [SpamCop-List] Re: New tactics blocking too much. References: <42CEE294.1D8CE5CB@sbcglobal.net> <42CEFE54.C204A45E@sbcglobal.net> Message-ID: By hosting a web page, I mean that I have my own web server and currently have more success posting to it than fighting to keep up with changes in how email does or does not work. The example is here: http://ss5.sytes.net/20sN30s.html Thanks for all the info though. PF WazoO wrote: > > "PEF No bulk mail accepted.>" <"pef1"@sbcglobal.net> wrote in message > news:dan46i$9gl$1@news.spamcop.net... > > Thanks. I will try to not > > be paranoid about it. I > > still think hosting a web > > page might be more effective > > for this group anyway. > > We'll see how it goes. > > My head hurts I'm not sure what you mean > by "hosting a web page" .. but ... one of my last > attempts at creating a web page for 'new visitors' > is found at http://forum.spamcop.net/forums/index.php?act=home > still a work in progress, still accepting input ... > Take a look at some traffic in the spamcop.help > newsgroups for the background ...24 June looks > like a good entry spot ... > > The Forums exist at http://forum.spamcop.net/forums/ From spamcram at spymac.com Sat Jul 9 01:54:05 2005 From: spamcram at spymac.com (Vernon Hardapple) Date: Sat Jul 9 03:55:03 2005 Subject: [SpamCop-List] SpamCop's bl.spamcop.net too aggressive? Message-ID: Has anyone had any problems rejecting all domains listed in bl.spamcop.net? From spamcram at spymac.com Sat Jul 9 01:54:37 2005 From: spamcram at spymac.com (Vernon Hardapple) Date: Sat Jul 9 03:55:15 2005 Subject: [SpamCop-List] SpamCop's bl.spamcop.net too aggressive? Message-ID: Has anyone had any problems rejecting domains found in bl.spamcop.net? Vernon From nttp.sc.s at bigsleep.org Sat Jul 9 09:05:44 2005 From: nttp.sc.s at bigsleep.org (Blammo) Date: Sat Jul 9 04:10:03 2005 Subject: [SpamCop-List] Re: SpamCop's bl.spamcop.net too aggressive? References: Message-ID: On 09 Jul 2005 Vernon Hardapple entered spamcop and left news:danvs0$nhs$2@news.spamcop.net: > Has anyone had any problems rejecting domains found in bl.spamcop.net? > Generally not a good idea. Would probably be better to use a scoring system, checking several block lists and using bl.spamcop as the "kicker". Also a whitelist helps. If you are using Sendmail, take a look at http://www.nspasm.org/ -- | Ric | From bar_n0ne at hotmail.com Sat Jul 9 13:08:13 2005 From: bar_n0ne at hotmail.com (Berny) Date: Sat Jul 9 04:10:10 2005 Subject: [SpamCop-List] Re: SpamCop's bl.spamcop.net too aggressive? References: Message-ID: "Vernon Hardapple" wrote in message news:danvr0$nhs$1@news.spamcop.net... > Has anyone had any problems rejecting all domains listed in bl.spamcop.net? No, Some people get annoyed to find they are using spammy mailservers, but at least they know their mail wasn't delivered, and use alternate means to get in touch, either hotmail or yahoo, or non-email methods. It works great From nobody at devnull.spamcop.net Sat Jul 9 08:22:43 2005 From: nobody at devnull.spamcop.net (Miss Betsy) Date: Sat Jul 9 08:20:02 2005 Subject: [SpamCop-List] Re: New tactics blocking too much. References: <42CEE294.1D8CE5CB@sbcglobal.net> Message-ID: "PEF No bulk mail accepted.>" <"pef1"@sbcglobal.net> wrote in message news:dan1tv$84j$1@news.spamcop.net... Thanks for the information > on the functions of spamcop though. > It might kill the usefulness of > email all together. To bad but > I guess good things don't last. > > Back to web page announcements. I missed most of the discussion on this subject, but you are a very pessimistic person. There are all kinds of reasons why email gets blocked (and by all kinds of lists). At least spamcop lets you know that the email was blocked. I have emails of mine blocked by spamassassin, but that's a long story. How many emails have never made it to the recipient because they choose not to see their 'junk' mail? And suppose someone's service is interrupted by backhoe or thunderstorm or virus? Don't you think it would be better to snail mail everything with Proof of Delivery or return receipt? Miss Betsy From Kilgallen at SpamCop.net Sat Jul 9 10:43:10 2005 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Sat Jul 9 10:45:12 2005 Subject: [SpamCop-List] Re: SpamCop's bl.spamcop.net too aggressive? References: Message-ID: In article , Vernon Hardapple writes: > Has anyone had any problems rejecting all domains listed in bl.spamcop.net? It is guaranteed that nobody has that problem. bl.spamcop.net lists IP addresses, not domains. From edhager at spamcop.net Sat Jul 9 11:35:14 2005 From: edhager at spamcop.net (Ed Hager) Date: Sat Jul 9 13:40:03 2005 Subject: [SpamCop-List] Blocked my forwards Message-ID: My hosting company's server showed up in bl.spamcop.net. The admin fixed the problem and the listing has expired. That's cool. My problem was that Spam Cop started blocking all of my e-mail because I am forwarding e-mail from my host to Spam Cop. I have that mail server configured under the mailhost configuration page. It would be nice if I had an option to accept all e-mail that comes from my own mail server. I know that I could end up getting some spam but loosing valid e-mails can be way worse. Ed From SCNews.5.myspamgobbler at spamgourmet.com Sat Jul 9 11:55:13 2005 From: SCNews.5.myspamgobbler at spamgourmet.com (Brian (SnSR)) Date: Sat Jul 9 14:00:02 2005 Subject: [SpamCop-List] Re: Blocked my forwards In-Reply-To: References: Message-ID: Ed Hager wrote: > My hosting company's server showed up in bl.spamcop.net. The admin fixed > the problem and the listing has expired. That's cool. > > My problem was that Spam Cop started blocking all of my e-mail because I am > forwarding e-mail from my host to Spam Cop. I have that mail server > configured under the mailhost configuration page. It would be nice if I had > an option to accept all e-mail that comes from my own mail server. I know > that I could end up getting some spam but loosing valid e-mails can be way > worse. > > Ed > > Your spamcop mail account has a whitelist which can be found in options/spamcop tools/manage your personal whitelist. From nobody at devnull.spamcop.net Sat Jul 9 14:47:48 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Sat Jul 9 14:50:02 2005 Subject: [SpamCop-List] Re: Blocked my forwards References: Message-ID: "Ed Hager" wrote in message news:dap1sg$89m$1@news.spamcop.net... > My hosting company's server showed up in bl.spamcop.net. The admin fixed > the problem and the listing has expired. That's cool. > > My problem was that Spam Cop started blocking all of my e-mail because I am > forwarding e-mail from my host to Spam Cop. I have that mail server > configured under the mailhost configuration page. It would be nice if I had > an option to accept all e-mail that comes from my own mail server. I know > that I could end up getting some spam but loosing valid e-mails can be way > worse. Terminology issue seems to be at issue here. 1. The MailHost Configuration only has ties to your Reporting account / parsing. 2. I'm not aware of the SpamCop Filtered e-mail system "blocking" anything. The incoming e-mail that gets identified s "not worthy" gets moved to one's Held Mail folder. 3. There is a "whitelist" function. The Forum FAQ has a number of entries dealing with filtering options you may want to look through. It sounds like there may be more data there for you to discover also .. http://forum.spamcop.net/forums/ From edhager at spamcop.net Sat Jul 9 15:27:52 2005 From: edhager at spamcop.net (Ed Hager) Date: Sat Jul 9 17:30:03 2005 Subject: [SpamCop-List] Re: Blocked my forwards References: Message-ID: I use the term "blocked" becase the MIME header reads: X-SpamCop-Disposition: Blocked bl.spamcop.net Yes, all of my e-mail was moved to the "held" folder which I don't POP. I use IMAP to clean it out and check for "lost" e-mails but I don't really pay attention to 99% of the e-mails that end up there. So, from my point of view, it was "blocked" from being delivered to my in-box. So let's review. Another customer of the company that hosts my domain sent out spam. Spam Cop added that server to bl.spamcop.net. I have my e-mail account on that server forwarding all e-mail to Spam Cop (which is suggested in the Spam Cop documentation). Since the server doing the forwarding is now in bl.spamcop.net, every single e-mail that is forwarded gets blocked. The whitelist is not reasonable in this case because I would have to white list every single sender address. If I was going to do that, I wouldn't bother *paying* for a Spam Cop account and I would just have my e-mail client separate e-mail based on whether the sender was in my address book or not. I use Spam Cop because it has the smarts to figure out what is spam and what is not without a lot of configuration on my part. My original point was that Spam Cop has a way for me to identify my mail server. Yes, I already knew how that was used, I am just making a suggestion. If messages come in and are marked as spam because may mail host is in the bl.spamcop.net list, Spam Cop should have an option to ignore the "blocking" based on that server and analyze the others server addresses. The white list function is based on the e-mail address of the sender not which mail server the message went through so if I put my mail host in there, would it even work? Plus, I don't want that to work because then it would white list every single e-mail that gets forwarded because every single e-mail goes through my mail server. I basically need an option that says "if Spam Cop is blocking a message only because it is coming from my mail server, allow that message to be delivered to my in-box". Yes, I could probably configure my e-mail client to filter messages based on the contents of the MIME headers inserted by Spam Cop. Once again, I am not looking for a way to fix this myself, I am making a suggestion that would improve Spam Cop's service. Ed "WazoO" wrote in message news:dap64k$ae3$1@news.spamcop.net... > "Ed Hager" wrote in message > news:dap1sg$89m$1@news.spamcop.net... >> My hosting company's server showed up in bl.spamcop.net. The admin fixed >> the problem and the listing has expired. That's cool. >> >> My problem was that Spam Cop started blocking all of my e-mail because I > am >> forwarding e-mail from my host to Spam Cop. I have that mail server >> configured under the mailhost configuration page. It would be nice if I > had >> an option to accept all e-mail that comes from my own mail server. I >> know >> that I could end up getting some spam but loosing valid e-mails can be >> way >> worse. > > Terminology issue seems to be at issue here. > > 1. The MailHost Configuration only has ties to your > Reporting account / parsing. > 2. I'm not aware of the SpamCop Filtered e-mail > system "blocking" anything. The incoming e-mail > that gets identified s "not worthy" gets moved to > one's Held Mail folder. > 3. There is a "whitelist" function. > > The Forum FAQ has a number of entries dealing > with filtering options you may want to look through. > It sounds like there may be more data there for you > to discover also .. > http://forum.spamcop.net/forums/ > > From tfm3 at nospam.teleproc.com Sat Jul 9 19:00:44 2005 From: tfm3 at nospam.teleproc.com (Thomas Mooney) Date: Sat Jul 9 19:05:17 2005 Subject: [SpamCop-List] Re: New tactics blocking too much. References: <42CEE294.1D8CE5CB@sbcglobal.net> Message-ID: "Steven Maesslein" wrote in message news:slrndctpha.47o.nobody@127.0.0.1... > > Content-Type: text/html; charset=us-ascii > > Content-Transfer-Encoding: 7bit > > > > > > > > ??? I believe you snipped a bit of relevant content. I'm not a fan of html in newsgroups either, but plain text was readily available. <...snip fore> Mime-Version: 1.0 Content-Type: multipart/alternative; boundary="------------17551755782324F69597807E" X-Trace: news.spamcop.net 1120854727 1949 68.75.165.146 (8 Jul 2005 20:32:07 GMT) X-Complaints-To: news@news.spamcop.net NNTP-Posting-Date: Fri, 8 Jul 2005 20:32:07 +0000 (UTC) X-Mailer: Mozilla 4.79 [en] (Win98; U) X-Accept-Language: en Xref: news.spamcop.net spamcop:148520 --------------17551755782324F69597807E Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit As a 20's and 30's group leader, I have always used Bcc to the group of 35 people to protect their privacy. Email goes out once a week. Just this week SPAMCOP has interfered with the delivery to 3 people from the group. How does one teach a filter company the difference between good and bad filtering? This interruption is harmful to the maintenance of the group and a violation of the free speech act. All of the recipients of the weekly email have signed up for it. It is NOT SPAM. Frustrated. --------------17551755782324F69597807E Content-Type: text/html; charset=us-ascii Content-Transfer-Encoding: 7bit From nttp.sc.s at bigsleep.org Sun Jul 10 00:14:21 2005 From: nttp.sc.s at bigsleep.org (Blammo) Date: Sat Jul 9 19:15:03 2005 Subject: [SpamCop-List] Re: New tactics blocking too much. References: <42CEE294.1D8CE5CB@sbcglobal.net> Message-ID: On 09 Jul 2005 Thomas Mooney entered spamcop and left news:dapkur$i9m$1@news.spamcop.net: > "Steven Maesslein" wrote in message > news:slrndctpha.47o.nobody@127.0.0.1... >> > Content-Type: text/html; charset=us-ascii >> > Content-Transfer-Encoding: 7bit >> > >> > >> > >> >> ??? > > I believe you snipped a bit of relevant content. I'm not a fan of > html in newsgroups either, but plain text was readily available. > Yes, I have no complaint, Communicator writes perfectly legible HTML, though I didn't even have to look at it. It is rather pointless, but nothing to really bitch about. -- | Ric | From nttp.sc.s at bigsleep.org Sun Jul 10 00:24:42 2005 From: nttp.sc.s at bigsleep.org (Blammo) Date: Sat Jul 9 19:25:03 2005 Subject: [SpamCop-List] Re: New tactics blocking too much. References: <42CEE294.1D8CE5CB@sbcglobal.net> Message-ID: On 09 Jul 2005 Miss Betsy entered spamcop and left news:daof6r$ur6$1@news.spamcop.net: > There are all kinds of reasons why email gets blocked (and by all > kinds of lists). At least spamcop lets you know that the email was > blocked. > I agree with your post, however this message, possibly the bl.spamcop.net txt record, or the message entered for that rule, isn't much help to anyone being blocked. It is much more useful to generate an error message that points to a help page on the server that's blocking them. -- | Ric | From MikeE at ster.invalid Sat Jul 9 17:41:31 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat Jul 9 19:45:02 2005 Subject: [SpamCop-List] Re: Blocked my forwards References: Message-ID: Ed Hager wrote: > My hosting company's server showed up in bl.spamcop.net. The admin > fixed the problem and the listing has expired. That's cool. But while you are 'talking about' that -- we have no idea /what/ you are talking about. Some IP or another got blocklistedd and you are 'thinking about' that IP while you are talking here, but you are not communicating what you are talking about. >From this/my end, this whole discussion is not really very interesting. We need to be talking about /something/ specific. > My problem was that Whatever your problem was, if you want to talk about it here, you have to define what it is you are talking about. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sat Jul 9 17:44:31 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat Jul 9 19:45:09 2005 Subject: [SpamCop-List] Re: Blocked my forwards References: Message-ID: Ed Hager wrote: > I basically need an option that says "if Spam Cop is blocking a > message only because it is coming from my mail server, allow that > message to be delivered to my in-box". I don't understand what you are talking about there. Could you explain that in more [useful] words? -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Sat Jul 9 19:45:39 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Sat Jul 9 19:50:03 2005 Subject: [SpamCop-List] Re: Blocked my forwards References: Message-ID: "Ed Hager" wrote in message news:dapfgs$f37$1@news.spamcop.net... > > Yes, I could probably configure my e-mail client to filter messages based on > the contents of the MIME headers inserted by Spam Cop. Once again, I am not > looking for a way to fix this myself, I am making a suggestion that would > improve Spam Cop's service. This paragraph suggests an entry into the "New Feature / Suggestion" Forum section ... however ... as this is a SpamCop Filtered E-Mail Account issue, this should be posted in the spamcop.mail newsgroup or in the SpamCop E-Mail Account section of the Forum ... I have taken a copy of this and posted it in the Forum, hoping that one of the E-Mail account users can come up with something to answer / explain ... Item can be found at http://forum.spamcop.net/forums/index.php?showtopic=4500 From nobody at devnull.spamcop.net Sat Jul 9 19:49:42 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Sat Jul 9 19:50:10 2005 Subject: [SpamCop-List] Re: Received bounce message for SpamCop report References: Message-ID: "D.F. Manno" wrote in message news:dfm2a3l0t2-2A4AA7.13122607072005@news.cesmail.net... > In article , > "Mike Easter" wrote: > > > If you took the report number out of the bounce information, you could > > see how the report was addressed. If you then derived the tracker from > > your report number, you could show it to us or look at the whole thing > > all over again. > > OK, I don't know how to derive the tracker from the report number > (1461312333). New Forum FAQ entry at http://forum.spamcop.net/forums/index.php?showtopic=4498 Seems as if Jeff G and I were of the same thought, he posted his first, so you've presently got two walk-throughs to try From nobody at devnull.spamcop.net Sat Jul 9 20:50:09 2005 From: nobody at devnull.spamcop.net (Miss Betsy) Date: Sat Jul 9 20:45:03 2005 Subject: [SpamCop-List] Re: New tactics blocking too much. References: <42CEE294.1D8CE5CB@sbcglobal.net> Message-ID: "Blammo" wrote in message news:Xns968EA71F4A843blammo@216.154.195.61... > I agree with your post, however this message, possibly the bl.spamcop.net > txt record, or the message entered for that rule, isn't much help to anyone > being blocked. It is much more useful to generate an error message that > points to a help page on the server that's blocking them. > You are absolutely correct! But that would take a responsible ISP... Miss Betsy From SCNews.5.myspamgobbler at spamgourmet.com Sat Jul 9 18:48:01 2005 From: SCNews.5.myspamgobbler at spamgourmet.com (Brian (SnSR)) Date: Sat Jul 9 20:55:03 2005 Subject: [SpamCop-List] Re: Blocked my forwards In-Reply-To: References: Message-ID: Ed Hager wrote: > I use the term "blocked" becase the MIME header reads: > > X-SpamCop-Disposition: Blocked bl.spamcop.net > > Yes, all of my e-mail was moved to the "held" folder which I don't POP. I > use IMAP to clean it out and check for "lost" e-mails but I don't really pay > attention to 99% of the e-mails that end up there. So, from my point of > view, it was "blocked" from being delivered to my in-box. > > So let's review. Another customer of the company that hosts my domain sent > out spam. Spam Cop added that server to bl.spamcop.net. I have my e-mail > account on that server forwarding all e-mail to Spam Cop (which is suggested > in the Spam Cop documentation). Since the server doing the forwarding is now > in bl.spamcop.net, every single e-mail that is forwarded gets blocked. > > > My original point was that Spam Cop has a way for me to identify my mail > server. Yes, I already knew how that was used, I am just making a > suggestion. If messages come in and are marked as spam because may mail host > is in the bl.spamcop.net list, Spam Cop should have an option to ignore the > "blocking" based on that server and analyze the others server addresses. > Whitelisting the server would deal with this. But see full answer below. > The white list function is based on the e-mail address of the sender not > which mail server the message went through so if I put my mail host in > there, would it even work? Plus, I don't want that to work because then it > would white list every single e-mail that gets forwarded because every > single e-mail goes through my mail server. > > I basically need an option that says "if Spam Cop is blocking a message only > because it is coming from my mail server, allow that message to be delivered > to my in-box". > > Yes, I could probably configure my e-mail client to filter messages based on > the contents of the MIME headers inserted by Spam Cop. Once again, I am not > looking for a way to fix this myself, I am making a suggestion that would > improve Spam Cop's service. > > Ed > Another option would be to POP the email into your SpamCop account instead of forwarding. This would eliminate this situation from occurring and SpamCop could still function as a spam filter without classifying all of your mail as spam when/if your hosting company's server gets listed in the future. From nttp.sc.s at bigsleep.org Sun Jul 10 02:39:21 2005 From: nttp.sc.s at bigsleep.org (Blammo) Date: Sat Jul 9 21:40:09 2005 Subject: [SpamCop-List] Re: Blocked my forwards References: Message-ID: On 09 Jul 2005 Mike Easter entered spamcop and left news:dapngs$jqp$1@news.spamcop.net: > Ed Hager wrote: >> I basically need an option that says "if Spam Cop is blocking a >> message only because it is coming from my mail server, allow that >> message to be delivered to my in-box". > > I don't understand what you are talking about there. Could you explain > that in more [useful] words? > > I think he wants to grey-list his mailserver IP. Sounds like a reasonable request. -- | Ric | From nobody at nowhere.not Sun Jul 10 04:20:42 2005 From: nobody at nowhere.not (Robert Blair) Date: Sat Jul 9 23:25:03 2005 Subject: [SpamCop-List] Re: Blocked my forwards References: Message-ID: On Sat, 9 Jul 2005 21:27:52 UTC, "Ed Hager" wrote: > So let's review. Another customer of the company that hosts my domain sent > out spam. Spam Cop added that server to bl.spamcop.net. I have my e-mail > account on that server forwarding all e-mail to Spam Cop (which is suggested > in the Spam Cop documentation). Since the server doing the forwarding is now > in bl.spamcop.net, every single e-mail that is forwarded gets blocked. Why are you still using an ISP that has spammers on its system? I would have been long gone. I do not support ISPs that have spammers. -- Robert Blair From MikeE at ster.invalid Sat Jul 9 21:41:39 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat Jul 9 23:45:03 2005 Subject: [SpamCop-List] Re: Received bounce message for SpamCop report References: Message-ID: WazoO wrote: > "D.F. Manno" >> "Mike Easter" >>> If you took the report number out of the bounce information, you >>> could see how the report was addressed. If you then derived the >>> tracker from your report number, you could show it to us or look at >>> the whole thing all over again. >> >> OK, I don't know how to derive the tracker from the report number >> (1461312333). > > New Forum FAQ entry at > http://forum.spamcop.net/forums/index.php?showtopic=4498 > Seems as if Jeff G and I were of the same thought, he posted > his first, so you've presently got two walk-throughs to try That's cool. I think seeing two different people ezplain it 'at the same time' each in their own way is better than just one or the other. I suppose I could try it myself as yet a third iteration, but I won't. -- Mike Easter kibitzer, not SC admin From bar_n0ne at hotmail.com Sun Jul 10 19:17:23 2005 From: bar_n0ne at hotmail.com (Berny) Date: Sun Jul 10 10:20:09 2005 Subject: [SpamCop-List] Dumb Send-safe spammer fsck'd up Message-ID: Boatload of spams today and yesteday, with spammy subject lines, but no payload. The usual mix of Enhancers, mortgages and Medz (going by the subject line) Sent from Zombies all over. Happy that the spammer spent his bux and got fsck'd, sad that the sendsafe guys got their moneys. From nobody at executespammers.org Sun Jul 10 12:54:40 2005 From: nobody at executespammers.org (Paul) Date: Sun Jul 10 11:55:04 2005 Subject: [SpamCop-List] Re: New tactics blocking too much. References: <42CEE294.1D8CE5CB@sbcglobal.net> Message-ID: "PEF" wrote in message news:42CEE294.1D8CE5CB@sbcglobal.net... <...> between good and bad filtering? This interruption is harmful to the maintenance of the group and a violation of the free speech act. All of the <...> I believe you are referring to the First Amendment - not commonly referred to as an act. I may not be so enamored with the our country at the moment, but finding a reason to post this still gives me a tingle of pride: (from http://www.firstamendmentcenter.org/about.aspx?item=about_firstamd) The First Amendment "Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances." The first amendment only bars the US government from silencing you - other than this, generally, you have zero rights guaranteed by law to send anything to anybody, though I do agree with your sentiment in principle; communication is like water as should be allowed to flow freely for everybody. Unfortunately reality introduces several practical limitations; spam is a classic example of a tragedy of the commons. http://en.wikipedia.org/wiki/Tragedy_of_the_commons This effect, combined with the law of increasing returns, is why pure capitalism fails, and why regulation is required for most social processes involving the exchange, generation, and consumption of resources - including information. You are seeing the detrimental effects of not enough regulation in a system that requires it... give it another 10-20 years. Paul From dfm2a3l0t2 at spymac.com Sun Jul 10 13:29:23 2005 From: dfm2a3l0t2 at spymac.com (D.F. Manno) Date: Sun Jul 10 12:30:03 2005 Subject: [SpamCop-List] Re: Received bounce message for SpamCop report References: Message-ID: In article , "WazoO" wrote: > "D.F. Manno" wrote in message > > > OK, I don't know how to derive the tracker from the report number > > (1461312333). > > New Forum FAQ entry at > http://forum.spamcop.net/forums/index.php?showtopic=4498 > Seems as if Jeff G and I were of the same thought, he posted > his first, so you've presently got two walk-throughs to try For some reason Jeff's post isn't showing up here, but this worked. Thanks for pointing it out. Here's the tracker in question: http://www.spamcop.net/sc?id=z782481019zbc1d5dcb51a0082daa051c6c8c953354z And here's the original question: I received what appears to be a bounce message for a SpamCop report. The message reads in part: Some addresses were rejected by the MDA fetchmail forwards to. Reporting-MTA: dns; localhost Final-Recipient: rfc822; kisanak@localhost Last-Attempt-Date: Wed, 06 Jul 2005 10:25:52 +0700 (WIT) Action: failed Status: 5.0.0 Diagnostic-Code: 550 : Recipient address rejected: User unknown in local recipient table I'm not a paid member, so why would I get this? And why would SpamCop be sending a report to an address like kisanak@localhost? -- D.F. Manno dfm2a3l0t2@spymac.com "The work goes on, the cause endures, the hope still lives and the dream will never die." From mcwebber at my-deja.com Sun Jul 10 13:44:16 2005 From: mcwebber at my-deja.com (McWebber) Date: Sun Jul 10 12:45:02 2005 Subject: [SpamCop-List] Re: Received bounce message for SpamCop report References: Message-ID: "D.F. Manno" wrote in message news:dfm2a3l0t2-DAB4AD.12292310072005@news.cesmail.net... > > Here's the tracker in question: > > http://www.spamcop.net/sc?id=z782481019zbc1d5dcb51a0082daa051c6c8c953354z > > And here's the original question: > > I received what appears to be a bounce message for a SpamCop report. The > message reads in part: > > > Some addresses were rejected by the MDA fetchmail forwards to. > > Reporting-MTA: dns; localhost > > Final-Recipient: rfc822; kisanak@localhost > Last-Attempt-Date: Wed, 06 Jul 2005 10:25:52 +0700 (WIT) > Action: failed > Status: 5.0.0 > Diagnostic-Code: 550 : Recipient address rejected: > User unknown in local recipient table > > > I'm not a paid member, so why would I get this? And why would SpamCop be > sending a report to an address like kisanak@localhost? Where did the bounce come from? The report shows it sent to three places. My guess would be internally one of them forwarded that way and it was rejected and bounced to you. -- McWebber "Richter points to the lack of legal action against his company as proof that he's operating appropriately." Information Week, November 10, 2003 From david.payer-no-spam-Thanks! at ia-omni.com Sun Jul 10 17:32:08 2005 From: david.payer-no-spam-Thanks! at ia-omni.com (David Payer) Date: Sun Jul 10 17:35:03 2005 Subject: [SpamCop-List] Re: SpamCop's bl.spamcop.net too aggressive? References: Message-ID: Yes. I have recommended people not use SpamCop as a standard RBL because it is too agressive and blacklists based on bounces as well as actual content. It is unsuitable for use by ISPs in my opinion. (as an ISP owner). David P.. "Vernon Hardapple" wrote in message news:danvr0$nhs$1@news.spamcop.net... > Has anyone had any problems rejecting all domains listed in bl.spamcop.net? From dfm2a3l0t2 at spymac.com Sun Jul 10 21:01:47 2005 From: dfm2a3l0t2 at spymac.com (D.F. Manno) Date: Sun Jul 10 20:05:07 2005 Subject: [SpamCop-List] Re: Received bounce message for SpamCop report References: Message-ID: In article , "McWebber" wrote: > Where did the bounce come from? > The report shows it sent to three places. My guess would be internally one > of them forwarded that way and it was rejected and bounced to you. Here's the headers of the bounce message (with my address munged): Received: from cavtel.net (unverified [64.83.1.224]) by cavtel.net (Cavalier email server mail05) with ESMTP id 69902317 for ; Tue, 05 Jul 2005 23:25:59 -0400 Return-Path: Received: from permemail05.alumniconnections.com (unverified [198.212.10.108]) by cavtel.net (Cavalier email server mail04) with ESMTP id 13563311 for ; Tue, 05 Jul 2005 23:25:59 -0400 Return-Path: Received: (from smmsp@localhost) by permemail05.alumniconnections.com (8.12.11/8.12.11) id j663PwtN006689 for ; Tue, 5 Jul 2005 23:25:58 -0400 (EDT) Received: from vmx1.spamcop.net(64.74.133.248) by permemail05 via smap (V2.1) id xma_6600_1120620343; Tue, 5 Jul 05 23:25:43 -0400 Received: from sc-app3.eq.ironport.com (HELO spamcop.net) (192.168.19.203) by vmx1.spamcop.net with SMTP; 05 Jul 2005 20:25:42 -0700 X-SpamCop-Reply-Ids: 1461312333 X-Spamcop-Return-Path: Received: from sc-smtp1.eq.ironport.com (sc-smtp1.eq.ironport.com [192.168.18.81]) by sc-app3.eq.ironport.com (Postfix) with ESMTP id 7623814347 for <1461312333@reports.spamcop.net>; Tue, 5 Jul 2005 20:24:25 -0700 (PDT) Received: from ip50-84.cbn.net.id (HELO kisanak.local) (202.158.50.84) by sc-smtp1.eq.ironport.com with ESMTP; 05 Jul 2005 20:24:24 -0700 Received: from localhost (localhost [127.0.0.1]) by kisanak.local (Postfix) with SMTP id C175DE4124 for <1461312333@reports.spamcop.net>; Wed, 6 Jul 2005 10:25:52 +0700 (WIT) From: FETCHMAIL-DAEMON@kisanak.local To: 1461312333@reports.spamcop.net MIME-Version: 1.0 Content-Type: multipart/report; report-type=delivery-status; boundary="foo-mani-padme-hum-6738-6399-1120620352" Message-Id: <20050706032552.C175DE4124@kisanak.local> Date: Wed, 6 Jul 2005 10:25:52 +0700 (WIT) Subject: (No subject header) X-SpamDetect: : 0.339000 From: does not include a real name=0.3 X-IP-stats: Incoming Last 0, First 137, in=700, out=0, spam=0 X-External-IP: 198.212.10.108 X-Rcpt-To: X-IP-stats: Incoming Outgoing Last 0, First 137, in=8827179, out=2, spam=0 Known=true X-External-IP: 64.83.1.224 Status: U X-UIDL: 1120620359.7981_3519759.rcmdxmail05 -- D.F. Manno dfm2a3l0t2@spymac.com "The work goes on, the cause endures, the hope still lives and the dream will never die." From Kilgallen at SpamCop.net Sun Jul 10 23:06:37 2005 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Sun Jul 10 23:10:02 2005 Subject: [SpamCop-List] Re: SpamCop's bl.spamcop.net too aggressive? References: Message-ID: In article , "David Payer" writes: > Yes. I have recommended people not use SpamCop as a standard RBL because it > is too agressive and blacklists based on bounces as well as actual content. To me false bounces are just as much of an interruption as sales pitches. Spam is about conSent, not conTent. From wb8tyw at qsl.network Mon Jul 11 01:34:16 2005 From: wb8tyw at qsl.network (John E. Malmberg) Date: Mon Jul 11 00:35:02 2005 Subject: [SpamCop-List] Re: SpamCop's bl.spamcop.net too aggressive? In-Reply-To: References: Message-ID: Larry Kilgallen wrote: > In article , "David Payer" writes: > >>Yes. I have recommended people not use SpamCop as a standard RBL because it >>is too agressive and blacklists based on bounces as well as actual content. > > To me false bounces are just as much of an interruption as sales > pitches. Spam is about conSent, not conTent. The false bounces can be worse than spam. Mail servers that are accepting and then bouncing can be easily made to participate in a denial of service attack against other domains or e-mail addresses. During a recent worm outbreak, I received about 2000 bounces from the worm forging one of my e-mail addresses. Less than 5 viruses made it through to me. This was in a 24 hour period. I only have an effective quota of 5 MB for mail on that account, and this was the only time I came close to hitting it in over 5 years of use being very lazy at deleting read mail. Two mail servers of one U.S. residential ISP were generating bounces for unknown recipients at a rate of 20 per second each in bursts. I suspect that the spamcop.net listing of them saved me from getting more bounces. Also sbl.spamhaus.org is now listing i.p. addresses of mail servers that abusively bounce spam/viruses back to known forged addresses. Unfortunately they do not take nominations, and it seems to get a lot to get spamhaus.org to take this action. IIRC: I saw a discussion about that on N.A.N-A.E before finding out that spamcop.net had changed their policy. While I will agree that spamcop.net is too aggressive for most ISP use, listing the few mail servers that are still configured to accept and bounce instead of using SMTP rejects is not one of the reasons. And for every person that has one that complains about how expensive it would be for them to change over to use SMTP rejects instead of bouncing, I usually immediately hear from a larger network that only uses SMTP rejects because it less abusive and that it saves them money for not having to process the undeliverable mail on their internal servers. It may not be possible to immediately get rid of all accept and bounce situations, such as an over quota condition, but any outfit that is large enough to deploy multiple levels of mail servers should have the money or in house skill to make sure that they never accept and bounce mail addressed to a non-existent user, or destined for a mail server that is temporarily out of service. Several years ago (IIRC) Larry posted on one of the spamcop.net newsgroups that he had read a posting from AOL on the SPAM-L database that AOL was converting to only use SMTP rejects because AOL recognized how harmful it was to bounce to a possibly forged address, and AOL was asking for some tolerance because it was going to take them some time to do the conversion completely. I would think that what ever convinced AOL to change their system was probably a good enough argument for everyone else who is still accepting and then bouncing mail that it is possible to determine would never get delivered before it was accepted in the first place. -John wb8tyw@qsl.network Personal Opinion Only From nobody at spamcop.net Mon Jul 11 01:20:54 2005 From: nobody at spamcop.net (N. Miller) Date: Mon Jul 11 03:25:04 2005 Subject: [SpamCop-List] Re: SpamCop's bl.spamcop.net too aggressive? References: Message-ID: On Sat, 09 Jul 2005 00:54:37 -0700, Vernon Hardapple wrote: > Has anyone had any problems rejecting domains found in bl.spamcop.net? > > Vernon I am having trouble finding domains listed in the SCBL; it seems that they don't list domains. -- Norman ~Win dain a lotica, En vai tu ri, Si lo ta ~Fin dein a loluca, En dragu a sei lain ~Vi fa-ru les shutai am, En riga-lint From mcwebber at my-deja.com Mon Jul 11 08:59:02 2005 From: mcwebber at my-deja.com (McWebber) Date: Mon Jul 11 08:00:06 2005 Subject: [SpamCop-List] Re: Received bounce message for SpamCop report References: Message-ID: "D.F. Manno" wrote in message news:dfm2a3l0t2-FE91E4.20014710072005@news.cesmail.net... > > Here's the headers of the bounce message (with my address munged): > > Here's the culprit that bounced it back to Spamcop. > Received: from ip50-84.cbn.net.id (HELO kisanak.local) (202.158.50.84) > by sc-smtp1.eq.ironport.com with ESMTP; 05 Jul 2005 20:24:24 -0700 > Received: from localhost (localhost [127.0.0.1]) > by kisanak.local (Postfix) with SMTP id C175DE4124 > for <1461312333@reports.spamcop.net>; Wed, 6 Jul 2005 10:25:52 +0700 > (WIT) It was thier internal forwarding. postmaster@cbn.net.id abuse@cbn.net.id Spamcop sent it as From: 1461312333@reports.spamcop.net My guess would be cbn.net.id has a user named kisanak and the forward to kisanak@localhost was rejected by one of their own servers. -- McWebber "Richter points to the lack of legal action against his company as proof that he's operating appropriately." Information Week, November 10, 2003 From Kilgallen at SpamCop.net Mon Jul 11 08:47:22 2005 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Mon Jul 11 08:50:03 2005 Subject: [SpamCop-List] Re: SpamCop's bl.spamcop.net too aggressive? References: Message-ID: In article , "John E. Malmberg" writes: > It may not be possible to immediately get rid of all accept and bounce > situations, such as an over quota condition, but any outfit that is > large enough to deploy multiple levels of mail servers should have the > money or in house skill to make sure that they never accept and bounce > mail addressed to a non-existent user, or destined for a mail server > that is temporarily out of service. > > Several years ago (IIRC) Larry posted on one of the spamcop.net > newsgroups that he had read a posting from AOL on the SPAM-L database > that AOL was converting to only use SMTP rejects because AOL recognized > how harmful it was to bounce to a possibly forged address, and AOL was > asking for some tolerance because it was going to take them some time to > do the conversion completely. Note that AOL is still working on the conversion project. They have a _very_ complication email system. From Hostmaster at argolink.net Mon Jul 11 09:50:13 2005 From: Hostmaster at argolink.net (Hostmaster (ARGO)) Date: Mon Jul 11 09:55:04 2005 Subject: [SpamCop-List] Some more info. Message-ID: Hello- We are a webhosting company and we are running thur some problem with the bl.spamcop.net .. our mail server 64.8.120.8 is been blacklisted but ,, But i dont' find any info about why ? I sign up as an ISP?ASP and I get the reports since Firday .. but no info of what is been sent, or the email or the link so i can turn off that account.. Can any one point me where to go ? From SCNews.5.myspamgobbler at spamgourmet.com Mon Jul 11 08:17:34 2005 From: SCNews.5.myspamgobbler at spamgourmet.com (Brian (SnSR)) Date: Mon Jul 11 10:25:02 2005 Subject: [SpamCop-List] Re: Some more info. In-Reply-To: References: Message-ID: Hostmaster (ARGO) wrote: > Hello- > > We are a webhosting company and we are running thur some problem with the > bl.spamcop.net .. our mail server 64.8.120.8 is been blacklisted but ,, > But i dont' find any info about why ? I sign up as an ISP?ASP and I get the > reports since Firday .. but no info of what is been sent, or the email or > the link so i can turn off that account.. > > Can any one point me where to go ? > > At this point, 64.8.120.8 is not listed. Senderbase shows a significant amount of email coming from that space though http://www.senderbase.org/?searchBy=ipaddress&sb=1&searchString=64.8.120.8 Just being a spamcop user, I don't have information that the deputies have that will show why your server was listed. You could ask them at deputies admin.spamcop.net. From Hostmaster at argolink.net Mon Jul 11 11:39:01 2005 From: Hostmaster at argolink.net (Hostmaster (ARGO)) Date: Mon Jul 11 11:40:09 2005 Subject: [SpamCop-List] Re: Some more info. References: Message-ID: Thanks.. in that case I will email them and let see what we can find out... "Brian (SnSR)" wrote in message news:datv6i$tif$1@news.spamcop.net... > Hostmaster (ARGO) wrote: >> Hello- >> >> We are a webhosting company and we are running thur some problem with the >> bl.spamcop.net .. our mail server 64.8.120.8 is been blacklisted but ,, >> But i dont' find any info about why ? I sign up as an ISP?ASP and I get >> the reports since Firday .. but no info of what is been sent, or the >> email or the link so i can turn off that account.. >> >> Can any one point me where to go ? > > At this point, 64.8.120.8 is not listed. Senderbase shows a significant > amount of email coming from that space though > http://www.senderbase.org/?searchBy=ipaddress&sb=1&searchString=64.8.120.8 > > Just being a spamcop user, I don't have information that the deputies have > that will show why your server was listed. You could ask them at deputies > admin.spamcop.net. From nobody at spamcop.net Mon Jul 11 12:05:05 2005 From: nobody at spamcop.net (Ellen) Date: Mon Jul 11 12:00:03 2005 Subject: [SpamCop-List] Re: Some more info. References: Message-ID: "Hostmaster (ARGO)" wrote in message news:dattel$sn0$1@news.spamcop.net... > Hello- > > We are a webhosting company and we are running thur some problem with the > bl.spamcop.net .. our mail server 64.8.120.8 is been blacklisted but ,, > But i dont' find any info about why ? I sign up as an ISP?ASP and I get the > reports since Firday .. but no info of what is been sent, or the email or > the link so i can turn off that account.. > > Can any one point me where to go ? > > Reports on spam from this IP are being sent to abuse@argolink.net. There were 2 reports sent on 7/10 and one on 7/9. There were also reports sent on 7/8, 7/5, 7/3, 7/1 etc. I see no indication in our database that there are any bounces sending to the above email address. You can write to me a deputies admin.spamcop.net for further information. Ellen SpamCop From agent01413 at my-deja.com Mon Jul 11 17:35:09 2005 From: agent01413 at my-deja.com (Socks) Date: Mon Jul 11 12:40:03 2005 Subject: [SpamCop-List] Re: From NANAE: "Socks" enters hospice. References: Message-ID: Redstone wrote in news:Xns968B294DD89tinlc@216.154.195.61: > > Was rummaging around NANAE and found this piece of info (courtesy of > clifto). Looks like Socks has entered hospice. > just for the record - I am under hospice care. I have been given something like 2 months to live. hospice care these days is handled at home, so I am in my own bed, following the Tour de France online, reading books, ands staying as comfortable as possible. I've been fighting lung cancer for 4 years now. Well wishes are appreciated. From agent01413 at my-deja.com Mon Jul 11 17:36:19 2005 From: agent01413 at my-deja.com (Socks) Date: Mon Jul 11 12:40:18 2005 Subject: [SpamCop-List] Re: From NANAE: "Socks" enters hospice. References: Message-ID: Graeme Leith wrote in news:dagmi2$erv$1 @news.spamcop.net: > If you're still reading Socks, all the best to you and your family. i'll hang as long as able From nobody at spamcop.net Mon Jul 11 11:06:25 2005 From: nobody at spamcop.net (GregR) Date: Mon Jul 11 13:10:03 2005 Subject: [SpamCop-List] Re: From NANAE: "Socks" enters hospice. In-Reply-To: References: Message-ID: Socks wrote: > just for the record - > > I am under hospice care. I have been given something like 2 months to > live. hospice care these days is handled at home, so I am in my own bed, > following the Tour de France online, reading books, ands staying as > comfortable as possible. > > I've been fighting lung cancer for 4 years now. Well wishes are > appreciated. Well, then consider yourself well-wished. :-) I'd also like to thank you for your contributions to the anti-spam effort over the years, and to the SC groups in particular - you've always been a voice of reason and good humor, and I've enjoyed reading what you've posted. And I'm sure it goes without saying, but this group is always here whenever you'd care to chat. -- GregR - Another Beemer Biker ...o&o> From ivan at gmail.com Mon Jul 11 20:07:11 2005 From: ivan at gmail.com (Ivan Leo Puoti) Date: Mon Jul 11 13:10:13 2005 Subject: [SpamCop-List] stupid phiser Message-ID: http://www.unicreditsbanca.com/ The idea of using images from the original site wasn't that good, the real bank has got a huge warning on the front page that more or less translates to "warning about false email don't insert any access information and delete the email". Apart from the fact that the grammar in the email is wrong so nobody with any sense will trust it. Ivan. From johnl at spamcop.net Mon Jul 11 18:10:39 2005 From: johnl at spamcop.net (JohnL) Date: Mon Jul 11 13:15:03 2005 Subject: [SpamCop-List] Re: From NANAE: "Socks" enters hospice. References: Message-ID: GregR wrote in news:dau8uf$3mj$1@news.spamcop.net: > Well, then consider yourself well-wished. :-) And MANY more! From nobody at devnull.spamcop.net Mon Jul 11 14:38:07 2005 From: nobody at devnull.spamcop.net (Glenn Daniels) Date: Mon Jul 11 13:40:03 2005 Subject: [SpamCop-List] Re: stupid phiser References: Message-ID: "Ivan Leo Puoti" wrote ... > http://www.unicreditsbanca.com/ > The idea of using images from the original site wasn't that good, the real bank has got a huge... ... Dunno whut you saw when you went there, but the site is now defaced. I had heard of vigilantes defacing phishing sites, but had not seen one, so thanks for the URL. Glenn From nobody at spamcop.net Mon Jul 11 14:42:41 2005 From: nobody at spamcop.net (indigo) Date: Mon Jul 11 13:45:02 2005 Subject: [SpamCop-List] Re: From NANAE: "Socks" enters hospice. References: Message-ID: Socks wrote: > > just for the record - > > I am under hospice care. I have been given something like 2 months to > live. hospice care these days is handled at home, so I am in my own > bed, following the Tour de France online, reading books, ands staying > as comfortable as possible. Weren't you told "six months to go" over a year ago? > > I've been fighting lung cancer for 4 years now. Well wishes are > appreciated. Keep fighting it, Socks, you know we're all with you. From agent01413 at my-deja.com Mon Jul 11 18:46:45 2005 From: agent01413 at my-deja.com (Socks) Date: Mon Jul 11 13:50:02 2005 Subject: [SpamCop-List] Re: From NANAE: "Socks" enters hospice. References: Message-ID: "Spamvireslayer" wrote in news:dagpit$h4l$1@news.spamcop.net: >> > Learn something new every day - I never knew they used methadone for > pain, I thought it was for drug rehab, I thought morphine was the drug > they gave people who were in serious pain. > that is something new for everyone. i can vouch that it works. generally, pain wakes me up acouple times at night. then i sleep all morning. almost noon now, and i just was out for 3 hours striaght. now i can catch up on posts From agent01413 at my-deja.com Mon Jul 11 18:47:24 2005 From: agent01413 at my-deja.com (Socks) Date: Mon Jul 11 13:50:15 2005 Subject: [SpamCop-List] Re: From NANAE: "Socks" enters hospice. References: Message-ID: Pete Stephenson wrote in news:pete+usenet- AA29FA.06565606072005@news.cesmail.net: > In article , > Redstone wrote: > >> Was rummaging around NANAE and found this piece of info (courtesy of >> clifto). Looks like Socks has entered hospice. > > Yikes. > > My best wishes for Socks and his family. I shall hoist one today for his > health and honor. > > Good luck, ol' buddy. If there's anything I can do to help, let me know. > only one? I never do thing by half. empty a keg for me From agent01413 at my-deja.com Mon Jul 11 18:50:16 2005 From: agent01413 at my-deja.com (Socks) Date: Mon Jul 11 13:55:05 2005 Subject: [SpamCop-List] Re: From NANAE: "Socks" enters hospice. References: Message-ID: "indigo" wrote in news:daub2i$59k$1@news.spamcop.net: > > > Socks wrote: >> >> just for the record - >> >> I am under hospice care. I have been given something like 2 months to >> live. hospice care these days is handled at home, so I am in my own >> bed, following the Tour de France online, reading books, ands staying >> as comfortable as possible. > > Weren't you told "six months to go" over a year ago? > I was told six months in May, 2001. From nobody at devnull.spamcop.net Mon Jul 11 15:04:57 2005 From: nobody at devnull.spamcop.net (Spamvireslayer) Date: Mon Jul 11 14:10:02 2005 Subject: [SpamCop-List] Re: From NANAE: "Socks" enters hospice. References: Message-ID: "Socks" wrote in message news:Xns969078669B9AAagent01413mydejacom@216.154.195.61... > > I was told six months in May, 2001. Proof that you should never listen to those arbitrary numbers for any other reason than to get your affairs in order - then you can get on with proving them wrong. Good on ya, Socks, you're an inspiration. From nobody at spamcop.net Mon Jul 11 15:22:13 2005 From: nobody at spamcop.net (indigo) Date: Mon Jul 11 14:25:03 2005 Subject: [SpamCop-List] Re: From NANAE: "Socks" enters hospice. References: Message-ID: Spamvireslayer wrote: > "Socks" wrote in message > news:Xns969078669B9AAagent01413mydejacom@216.154.195.61... > > > > I was told six months in May, 2001. > > Proof that you should never listen to those arbitrary numbers for any > other reason than to get your affairs in order - then you can get on > with proving them wrong. Good on ya, Socks, you're an inspiration. My dear Mom fought off the big C for 12 years -- average lifespan back then (survival rate) was 5 years or less. You can do it, Socks, keep a goal in your head, some date you want to be around for, make it to that one, pick another, and so on......your brain can accomplish remarkable things if you stay positive (and it looks like you are, so keep hanging in there). From pete+usenet at heypete.com Mon Jul 11 12:43:09 2005 From: pete+usenet at heypete.com (Pete Stephenson) Date: Mon Jul 11 14:45:01 2005 Subject: [SpamCop-List] Re: From NANAE: "Socks" enters hospice. References: Message-ID: In article , Socks wrote: > only one? I never do thing by half. empty a keg for me If they make soda in kegs, then I certainly would drink such a thing! (I drink alcohol rarely.) Glad to see you still posting. Hang in there... -- Pete Stephenson HeyPete.com From mrcics2000-spamcop-nomail at nomail.yahoo.com Mon Jul 11 16:21:35 2005 From: mrcics2000-spamcop-nomail at nomail.yahoo.com (Mike B) Date: Mon Jul 11 16:25:04 2005 Subject: [SpamCop-List] Re: New tactics blocking too much. References: <42CEE294.1D8CE5CB@sbcglobal.net> <42CEFE54.C204A45E@sbcglobal.net> Message-ID: "PEF" wrote in message news:42CEFE54.C204A45E@sbcglobal.net > Here is what I got that caused me to > post in the first place. > (copied from reply to group mail) > As a subscriber to your email list, I won't be very happy knowing you posted my email address in clear in a public forum where it can be harvested by spammers. You go to all the consideration of sending the email as bcc, but then post the email en clair to this group? Are you for real? -- Mike B From MikeE at ster.invalid Mon Jul 11 15:06:16 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon Jul 11 17:10:04 2005 Subject: [SpamCop-List] Re: New tactics blocking too much. References: <42CEE294.1D8CE5CB@sbcglobal.net> <42CEFE54.C204A45E@sbcglobal.net> Message-ID: Mike B wrote: > > > As a subscriber to your email list, I won't be very happy knowing you > posted my email address in clear in a public forum where it can be > harvested by spammers. Argument about the significance of newsmessage body exposing an email address. That's a complicated bit of netiquette which is going to elicit different opinions. The OP is sufficiently unconcerned about posting hir own address in the From of a newsgroup posting. A much more likely place for harvesting than the From of a newsgroup message would be a 'naked' mailto on a website, such as the one demonstrated at the OP referred website http://ss5.sytes.net/20s&30s.html see Suzanne's address at the bottom. So, you could say that the OP isn't 'sensitive' to the issue of exposing addresses in spots which are statistically associated either with a very high [the naked mailto on a website] frequency or with a not nearly as high frequency [the newsgroup From and this isn't even usenet but spamcop]. >From past 'old' studies see below on the frequency of addresses appearing unmunged in the /body/ being harvested by spambots, those studies indicate that that risk is absent. That is, spambots don't harvest from newsbodies, they harvest from the xover, ie the From. I think I'm having a little trouble explaining the reach from the netiquette to the mathematics of the netiquette -- but what I'm trying to say is that you Mike B feel that it is rude or reckless to expose someone else's email address in the body of a newsgroup posting -- but that mathematically speaking that belief is not supported by any statistics showing that the harvesting of those addresses is likely to happen at all. This old study http://www.cdt.org/speech/spam/030319spamreport.shtml exposed hundreds 250 of virgin email addresses in various ways on the web and in newsgroups and counted the resultant about 10000 spams so that they could say which kind of exposures generated spams the 'worst'. The naked mailto/s and similar web exposures were the worst and accounted for 97% of the spam. The unmunged newsgroup Froms caused less than 3% and there were no spams to unmunged body exposures of email addies. There's a lot more to the study than that, and there probably needs to be a new study because of the changes in consequences of such as viral mechanics, but if you are going to argue that the OP shouldn't have posted those addresses, you will have to back up your claim of it being a breach of netiquette with some kind of evidence that the addresses were 'endangered' by the exposure. -- Mike Easter kibitzer, not SC admin From mrcics2000-spamcop-nomail at nomail.yahoo.com Mon Jul 11 17:38:27 2005 From: mrcics2000-spamcop-nomail at nomail.yahoo.com (Mike B) Date: Mon Jul 11 17:40:03 2005 Subject: [SpamCop-List] Re: New tactics blocking too much. References: <42CEE294.1D8CE5CB@sbcglobal.net> <42CEFE54.C204A45E@sbcglobal.net> Message-ID: "Mike Easter" wrote in message news:daun03$cvp$1@news.spamcop.net First, let me thank you for pointing me to that excellent study. It was very informative. > Argument about the significance of newsmessage body exposing an email > address. > > That's a complicated bit of netiquette which is going to elicit > different opinions. The OP is sufficiently unconcerned about posting > hir own address in the From of a newsgroup posting. A much more > likely place for harvesting than the From of a newsgroup message > would be a 'naked' mailto on a website, such as the one demonstrated > at the OP referred website http://ss5.sytes.net/20s&30s.html see > Suzanne's address at the bottom. > > So, you could say that the OP isn't 'sensitive' to the issue of > exposing addresses in spots which are statistically associated either > with a very high [the naked mailto on a website] frequency or with a > not nearly as high frequency [the newsgroup From and this isn't even > usenet but spamcop]. > > From past 'old' studies see below on the frequency of addresses > appearing unmunged in the /body/ being harvested by spambots, those > studies indicate that that risk is absent. That is, spambots don't > harvest from newsbodies, they harvest from the xover, ie the From. >From the study you referred to, Section 2, paragraph 3. "In a very few cases (<1% of all USENET-related spam we received), messages were sent to addresses referenced in the message text." > > I think I'm having a little trouble explaining the reach from the > netiquette to the mathematics of the netiquette -- but what I'm trying > to say is that you Mike B feel that it is rude or reckless to expose > someone else's email address in the body of a newsgroup posting -- but > that mathematically speaking that belief is not supported by any > statistics showing that the harvesting of those addresses is likely to > happen at all. I must admit I did not base my response on a study of any kind, more on empirical results from having accidentally exposed a prior email address of mine in usenet postings. Sometime last year, I upgraded the dialer from my ISP. Unbeknownst to me, the installation of the dialer also reset some settings on Outlook Express and I posted with my email address unmunged. Ever since that time I have been receiving steadily increasing amounts of spam - now about as high as 60 - 100/day. Admittedly this is from the headers, not from the message body, but based on the results you quote, and assuming the spamcop forums are harvested (which is a big assumption, I admit) those people whose addresses were posted above can now expect a small trickle of spam. And that email address was *never* published on a web page. I have several times done a Google search for it and have never come up with a hit. If you want to verify, I will supply the email address to you via email. > > This old study http://www.cdt.org/speech/spam/030319spamreport.shtml > exposed hundreds 250 of virgin email addresses in various ways on the > web and in newsgroups and counted the resultant about 10000 spams so > that they could say which kind of exposures generated spams the > 'worst'. > > The naked mailto/s and similar web exposures were the worst and > accounted for 97% of the spam. The unmunged newsgroup Froms caused > less than 3% and there were no spams to unmunged body exposures of > email addies. There's a lot more to the study than that, and there > probably needs to be a new study because of the changes in > consequences of such as viral mechanics, but if you are going to > argue that the OP shouldn't have posted those addresses, you will > have to back up your claim of it being a breach of netiquette with > some kind of evidence that the addresses were 'endangered' by the > exposure. I may have used kinder words to mention to the OP the netiquette involved in publishing 3rd parties' email addresses on the net, and for not having done that, I will apologize. I thought it was shortsighted of the OP to send an email to subscribers of his list using BCC addresses and then to simply publish those addresses in a public place for all to see/use. -- Mike B From devnull at spamcop.net Mon Jul 11 18:49:31 2005 From: devnull at spamcop.net (Frog Prince) Date: Mon Jul 11 17:55:03 2005 Subject: [SpamCop-List] Re: From NANAE: "Socks" enters hospice. References: Message-ID: "Socks" | > Was rummaging around NANAE and found this piece of info (courtesy of | > clifto). Looks like Socks has entered hospice. | > | | | just for the record - | | I am under hospice care. I have been given something like 2 months to | live. hospice care these days is handled at home, so I am in my own bed, | following the Tour de France online, reading books, ands staying as | comfortable as possible. | | I've been fighting lung cancer for 4 years now. Well wishes are | appreciated. You have that and our continuing prayers as well. From nobody at devnull.spamcop.net Mon Jul 11 18:35:13 2005 From: nobody at devnull.spamcop.net (Miss Betsy) Date: Mon Jul 11 18:30:03 2005 Subject: [SpamCop-List] Re: From NANAE: "Socks" enters hospice. References: Message-ID: "Socks" wrote in message news:Xns96906BAB68834agent01413mydejacom@216.154.195.61... > I've been fighting lung cancer for 4 years now. Well wishes are > appreciated. Here are some 'well wishes' - I am terrible about attributions, but this signature certainly epitomizes your attitude (sorry if it was yours) Life is not a journey to the grave with the intention of arriving safely in one pretty and well preserved piece, but to slide across the finish line broadside, thoroughly used up, worn out, leaking oil, and shouting GERONIMO!!! Bill McKenna, date unknown Hope I have the interest in life you have so that I post when I am in hospice! Miss Betsy From nobody at devnull.spamcop.net Mon Jul 11 18:43:07 2005 From: nobody at devnull.spamcop.net (Miss Betsy) Date: Mon Jul 11 18:40:02 2005 Subject: [SpamCop-List] Re: New tactics blocking too much. References: <42CEE294.1D8CE5CB@sbcglobal.net> <42CEFE54.C204A45E@sbcglobal.net> Message-ID: "Mike B" wrote in message news:dauosl$ebl$1@news.spamcop.net... > I may have used kinder words to mention to the OP the netiquette involved in > publishing 3rd parties' email addresses on the net, and for not having done > that, I will apologize. I thought it was shortsighted of the OP to send an > email to subscribers of his list using BCC addresses and then to simply > publish those addresses in a public place for all to see/use. I agree with you completely. The OP doesn't seem to be at all interested in learning how to use the Internet effectively. Whether or not, the risk is very great of being harvested, being careful of others' email addresses is the very first responsibility of someone who has been entrusted with them for a purpose. IMHO, you were not unkind or rude in your first statement. Miss Betsy From nobody at spamcop.net Mon Jul 11 16:54:12 2005 From: nobody at spamcop.net (N. Miller) Date: Mon Jul 11 19:15:03 2005 Subject: [SpamCop-List] Re: New tactics blocking too much. References: <42CEE294.1D8CE5CB@sbcglobal.net> <42CEFE54.C204A45E@sbcglobal.net> Message-ID: <1mdhjujg6gwcl.dlg@news.spamcop.net> On Mon, 11 Jul 2005 16:38:27 -0500, Mike B wrote: > I may have used kinder words to mention to the OP the netiquette involved in > publishing 3rd parties' email addresses on the net, and for not having done > that, I will apologize. I thought it was shortsighted of the OP to send an > email to subscribers of his list using BCC addresses and then to simply > publish those addresses in a public place for all to see/use. I don't know. After years of just letting my news clients use a default configuration for the "so-and-so wrote:" commentary, I decided it would be a kinder and gentler thing to configure the client to not include the poster's email address in the commentary. I will agree with Miss Betsy on this one, though I do understand that harvesting email addresses from news article bodies is, by empirical evidence, rare. -- Norman ~Win dain a lotica, En vai tu ri, Si lo ta ~Fin dein a loluca, En dragu a sei lain ~Vi fa-ru les shutai am, En riga-lint From captain.sisko at deep.space.nine Mon Jul 11 21:32:24 2005 From: captain.sisko at deep.space.nine (Dwayne Conyers) Date: Mon Jul 11 20:35:03 2005 Subject: [SpamCop-List] Fresh Spam... Stale on Delivery Message-ID: I got a deluge of over 60 spams and they were summarily dumped into the junk folder by Outlook... and given I sort by date, they all came in dated two days old or older. Is this a new tactic to prevent Spamcop reporting? --- Now featuring J Lo Lingerie by Jennifer Lopez http://www.cafepress.com/dwacon From nobody at spamcop.net Mon Jul 11 23:07:29 2005 From: nobody at spamcop.net (Dave Lerner) Date: Mon Jul 11 22:10:07 2005 Subject: [SpamCop-List] Re: Fresh Spam... Stale on Delivery In-Reply-To: References: Message-ID: Dwayne Conyers wrote on 07/11/2005 08:32 PM: > I got a deluge of over 60 spams and they were summarily dumped into the > junk folder by Outlook... and given I sort by date, they all came in > dated two days old or older. > > Is this a new tactic to prevent Spamcop reporting? Can you post the tracking URL for one of them? From captain.sisko at deep.space.nine Mon Jul 11 23:37:22 2005 From: captain.sisko at deep.space.nine (Dwayne Conyers) Date: Mon Jul 11 22:40:02 2005 Subject: [SpamCop-List] Re: Fresh Spam... Stale on Delivery In-Reply-To: References: Message-ID: Dave Lerner [mailto:nobody@spamcop.net] ink wired: > Can you post the tracking URL for one of them? I will next time they come in -- I just nuk'd them since no use reporting to SC. --- In your pants (Black Vulcan) www.dwacon.com From eric5b at invalid.tld Mon Jul 11 21:32:20 2005 From: eric5b at invalid.tld (eric5b) Date: Mon Jul 11 23:35:03 2005 Subject: [SpamCop-List] Links not parsed Message-ID: In the message news://news.spamcop.net/davdgm$pdj$1@news.spamcop.net posted in spamcop.spam the following links http://www.softdemand.biz http://www.softdemand.biz/uns.htm are not parsed. Eric From notspam at alias.hotpop.com Mon Jul 11 22:32:14 2005 From: notspam at alias.hotpop.com (JV) Date: Tue Jul 12 00:35:03 2005 Subject: [SpamCop-List] Russian Spam Group Message-ID: I have not been here for several months, more important issues at hand. Any news of the work against the RSG? From nobody at nowhere.invalid Tue Jul 12 09:26:24 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Tue Jul 12 02:30:04 2005 Subject: [SpamCop-List] Re: Fresh Spam... Stale on Delivery References: Message-ID: On Mon, 11 Jul 2005 20:32:24 -0400, Dwayne Conyers coughed into spamcop and left this in : > Is this a new tactic to prevent Spamcop reporting? Old as the hills - however, if your mailserver if configured correctly, it doesn't work. SpamCop relies on the datestamps in the "Received:" headers, in particular the datestamp provided by the last trusted relay in the chain (the MX for your domain in theory), not on the "Date:" header which, as you've seen, is as easy to forge as any other header. -- Steve Shin, n. : a device for finding furniture in the dark. From redford_stone at INVERSE_OF_COLDmail.com Tue Jul 12 12:10:12 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Tue Jul 12 07:15:04 2005 Subject: [SpamCop-List] Re: From NANAE: "Socks" enters hospice. References: Message-ID: Socks wrote in news:Xns96906BDE07660agent01413mydejacom@216.154.195.61: > > > i'll hang as long as able Geez, you've got some tough balls. :-) From redford_stone at INVERSE_OF_COLDmail.com Tue Jul 12 12:11:11 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Tue Jul 12 07:15:23 2005 Subject: [SpamCop-List] Re: From NANAE: "Socks" enters hospice. References: Message-ID: JohnL wrote in news:Xns969071B381FF7johnlspamcopnet@ 216.154.195.61: > GregR wrote in news:dau8uf$3mj$1@news.spamcop.net: > >> Well, then consider yourself well-wished. :-) > > And MANY more! I'll third that. :-) From redford_stone at INVERSE_OF_COLDmail.com Tue Jul 12 12:15:10 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Tue Jul 12 07:20:02 2005 Subject: [SpamCop-List] Re: stupid phiser References: Message-ID: "Glenn Daniels" wrote in news:dauapa$544$1@news.spamcop.net: > ... > Dunno whut you saw when you went there, but > the site is now defaced. I had heard of vigilantes > defacing phishing sites, but had not seen one, > so thanks for the URL. > > Glenn > > Most of these scamsites are hosted on infected broadband boxes. Obviously they are easy to crack since the machine was already cracked. Either case, the site is down. From redford_stone at INVERSE_OF_COLDmail.com Tue Jul 12 12:17:07 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Tue Jul 12 07:20:10 2005 Subject: [SpamCop-List] Re: Dumb Send-safe spammer fsck'd up References: Message-ID: "Berny" wrote in news:daralk$k19$1@news.spamcop.net: > > Happy that the spammer spent his bux and got fsck'd, sad that the > sendsafe guys got their moneys. > > No honor among thieves. From nttp.sc.s at bigsleep.org Tue Jul 12 12:40:50 2005 From: nttp.sc.s at bigsleep.org (Blammo) Date: Tue Jul 12 07:45:02 2005 Subject: [SpamCop-List] Re: New tactics blocking too much. References: <42CEE294.1D8CE5CB@sbcglobal.net> <42CEFE54.C204A45E@sbcglobal.net> Message-ID: On 11 Jul 2005 Mike B entered spamcop and left news:dauosl$ebl$1@news.spamcop.net: > Sometime last year, I upgraded the dialer from my > ISP. Unbeknownst to me, the installation of the dialer also reset some > settings on Outlook Express and I posted with my email address > unmunged. Ever since that time I have been receiving steadily > increasing amounts of spam - now about as high as 60 - 100/day. > Admittedly this is from the headers, not from the message body, but > based on the results you quote, and assuming the spamcop forums are > harvested (which is a big assumption, I admit) those people whose > addresses were posted above can now expect a small trickle of spam. I inadvertantly cross-posted ONE message, from a private to public news group, with an eMail address I've never before or since used again. that message has been indexed by Google, and has been getting a steady stream of spam ever since. The cause of this must be either news or Google, or both, with maybe some from a dictionary attack. Another address on the same server of the same age (about 5 years) gets maybe 1 a week at the most, definately dictionary because it is never "to me". BTW that first eMail also appears on Google groups unmunged in a reply to my message. That message is now 4 years old. However Google never used to munge addresses, and it's hard to say for sure how (or how many ways) the address got spam-listed. There are other possibilities such as viruses. It is interesting to compare the spam received at that address and another address that is 9 years old, they are nearly equal, however the older one at least gets some dnsbl blocking and at one time was getting over 100/day. I feel like I'm back-paddling up Niagra Falls (maybe I can grab that rock over there). -- | Ric From nobody at devnull.spamcop.net Tue Jul 12 08:01:32 2005 From: nobody at devnull.spamcop.net (Miss Betsy) Date: Tue Jul 12 08:00:04 2005 Subject: [SpamCop-List] Re: New tactics blocking too much. References: <42CEE294.1D8CE5CB@sbcglobal.net> <42CEFE54.C204A45E@sbcglobal.net> Message-ID: "Blammo" wrote in message news:Xns96912FC87C791blammo@216.154.195.61... > On 11 Jul 2005 Mike B entered spamcop and left > news:dauosl$ebl$1@news.spamcop.net: > BTW that first eMail also appears on Google groups unmunged in a reply to > my message. That message is now 4 years old. However Google never used to > munge addresses, and it's hard to say for sure how (or how many ways) the > address got spam-listed. There are other possibilities such as viruses. I have an address that was published online in a document (I forget now what kind, but it required something special to scrape it). It took me 6 months to convince the people who put it there to take it down. At first all I received were Nigerian spam. Shortly after the email address was changed, I received a deluge of sobig. Now I am getting various kinds of spam starting with the [#], but now on all topics (and all thru trojanned machines it appears). I don't know whether it was the original posting or the virus. The address is not dictionary prone. Another address that I had that was posted online on a web page received all kinds of spam. Then that address was changed. The original one still gets some, but not nearly as much as the second one. IIRC, the FTC did an experiment about that and once an address can no longer be scraped, spam does fall off. Miss Betsy From bar_n0ne at hotmail.com Tue Jul 12 17:06:50 2005 From: bar_n0ne at hotmail.com (Berny) Date: Tue Jul 12 08:10:03 2005 Subject: [SpamCop-List] Re: New tactics blocking too much. References: <42CEE294.1D8CE5CB@sbcglobal.net> <42CEFE54.C204A45E@sbcglobal.net> Message-ID: "Blammo" wrote in message news:Xns96912FC87C791blammo@216.154.195.61... > On 11 Jul 2005 Mike B entered spamcop and left > news:dauosl$ebl$1@news.spamcop.net: > >SNIPPED Well, at least 1/2 of the time my hotmail address is the reply to in usenet (style) postings, it gets maybe one spam a day since December 2003. I haven't tried to track down which OE configuration is at fault but at this rate I don't care. And I can massively LART those few, it's a sport., By the way, before then It was getting 20-30 a day., if i extrapolate what the spam growth would have been by comparing to another account that went unfiltered until this past spring, it would be getting about 100 a day. ( The other account went from 1 or 2 a week back in '94 to 250 - 300 per day until filtering was started this spring. (Yeah, I got the immigration spam too, from those lawyers) Now it's back down to 10/20 per day.), assuming the filter effectiveness has not changed I suspect another 3-400 spams are being dropped on the floor. From nttp.sc.s at bigsleep.org Tue Jul 12 13:08:51 2005 From: nttp.sc.s at bigsleep.org (Blammo) Date: Tue Jul 12 08:10:12 2005 Subject: [SpamCop-List] Re: Fresh Spam... Stale on Delivery References: Message-ID: On 11 Jul 2005 Dwayne Conyers entered spamcop and left news:dav32q$jal$1@news.spamcop.net: > I got a deluge of over 60 spams and they were summarily dumped into the > junk folder by Outlook... and given I sort by date, they all came in > dated two days old or older. > I never sort junk mail by date, but by order received. A large number of messages could indicate that your mail server had problems and is catching up with the queue, or maybe you're just "lucky". -- | Ric From nttp.sc.s at bigsleep.org Tue Jul 12 13:42:50 2005 From: nttp.sc.s at bigsleep.org (Blammo) Date: Tue Jul 12 08:45:03 2005 Subject: [SpamCop-List] Re: New tactics blocking too much. References: <42CEE294.1D8CE5CB@sbcglobal.net> <42CEFE54.C204A45E@sbcglobal.net> Message-ID: On 12 Jul 2005 Berny entered spamcop and left news:db0bot$95d$1@news.spamcop.net: > Now it's back down to 10/20 per day.), assuming the filter > effectiveness has not changed I suspect another 3-400 spams are being > dropped on the floor. > Since ISPs don't give us any stats on blocked/filtered messages, it's hard to know how effective thier efforts are. However that is changing, there are programs that provide users with their own logs. But I don't believe spammers (or even legit companies for that matter) remove addresses for any particular reason, they just get new lists. -- | Ric From agent01413 at my-deja.com Tue Jul 12 13:59:19 2005 From: agent01413 at my-deja.com (Socks) Date: Tue Jul 12 09:00:03 2005 Subject: [SpamCop-List] Re: From NANAE: "Socks" enters hospice. References: Message-ID: "Miss Betsy" wrote in news:daurr7$g35$1 @news.spamcop.net: > "Socks" wrote in message > news:Xns96906BAB68834agent01413mydejacom@216.154.195.61... > >> I've been fighting lung cancer for 4 years now. Well wishes are >> appreciated. > > Here are some 'well wishes' - I am terrible about attributions, but > this signature certainly epitomizes your attitude (sorry if it was > yours) > > Life is not a journey to the grave with the intention of arriving > safely in one pretty and well preserved piece, but to slide across > the finish line broadside, thoroughly used up, worn out, leaking > oil, and shouting GERONIMO!!! Bill McKenna, date unknown > > Hope I have the interest in life you have so that I post when I am > in hospice! > > Miss Betsy > I stole that sig well before you did :-) I forget where I first saw it, but the attribution of Bill McKenna matches the attribution that I gave to it when I started posting it. I honestly dont remember where I first saw it. I used it on mail before using it on usenet by several months. From mcwebber at my-deja.com Tue Jul 12 11:27:58 2005 From: mcwebber at my-deja.com (McWebber) Date: Tue Jul 12 10:30:03 2005 Subject: [SpamCop-List] Re: Fresh Spam... Stale on Delivery References: Message-ID: "Dwayne Conyers" wrote in message news:dav32q$jal$1@news.spamcop.net... > > I got a deluge of over 60 spams and they were summarily dumped into the > junk folder by Outlook... and given I sort by date, they all came in > dated two days old or older. > > Is this a new tactic to prevent Spamcop reporting? > That date header may be fake, but Spamcop will ignore it since it's looking at the date you received it. -- McWebber "Richter points to the lack of legal action against his company as proof that he's operating appropriately." Information Week, November 10, 2003 From bar_n0ne at hotmail.com Tue Jul 12 20:12:18 2005 From: bar_n0ne at hotmail.com (Berny) Date: Tue Jul 12 11:15:02 2005 Subject: [SpamCop-List] Internap flogging morgage leads nowadays Message-ID: quote-source.net and s-t-o-p.info From PossumTrot at dont.spam.me Tue Jul 12 11:34:21 2005 From: PossumTrot at dont.spam.me (Possum Trot) Date: Tue Jul 12 13:40:02 2005 Subject: [SpamCop-List] Re: From NANAE: "Socks" enters hospice. References: Message-ID: "Socks" wrote in message news:Xns969078669B9AAagent01413mydejacom@216.154.195.61... > "indigo" wrote in news:daub2i$59k$1@news.spamcop.net: >> >> Weren't you told "six months to go" over a year ago? >> > > I was told six months in May, 2001. Isn't that just another example of doctors' "practicing medicine"? Best wishes. We'll miss your action and counsel. From nobody at spamcop.net Tue Jul 12 11:52:19 2005 From: nobody at spamcop.net (GregR) Date: Tue Jul 12 13:55:02 2005 Subject: [SpamCop-List] Re: From NANAE: "Socks" enters hospice. In-Reply-To: References: Message-ID: Redstone wrote: > I'll third that. :-) Two more and we've got a fifth. :-) -- GregR - Another Beemer Biker ...o&o> From mcwebber at my-deja.com Tue Jul 12 16:14:15 2005 From: mcwebber at my-deja.com (McWebber) Date: Tue Jul 12 15:20:09 2005 Subject: [SpamCop-List] Re: From NANAE: "Socks" enters hospice. References: Message-ID: "GregR" wrote in message news:db100h$l24$1@news.spamcop.net... > Redstone wrote: > > > I'll third that. :-) > > Two more and we've got a fifth. :-) > How many more for a liter? From johnl at spamcop.net Tue Jul 12 20:21:23 2005 From: johnl at spamcop.net (JohnL) Date: Tue Jul 12 15:25:02 2005 Subject: [SpamCop-List] Re: From NANAE: "Socks" enters hospice. References: Message-ID: "McWebber" wrote in news:db14tl$o8f$1 @news.spamcop.net: > "GregR" wrote in message > news:db100h$l24$1@news.spamcop.net... >> Two more and we've got a fifth. :-) >> > > How many more for a liter? > > > Liter? How 'bout a barrel? ;-) From nobody at devnull.spamcop.net Tue Jul 12 16:33:50 2005 From: nobody at devnull.spamcop.net (Spamvireslayer) Date: Tue Jul 12 15:40:02 2005 Subject: [SpamCop-List] Re: From NANAE: "Socks" enters hospice. References: Message-ID: "JohnL" wrote in message news:Xns969187DEE6489johnlspamcopnet@216.154.195.61... > > Liter? > How 'bout a barrel? ;-) I think it was dear Socks who mentioned a keg.....he gets the IV, we get the tap..... From devnull at spamcop.net Tue Jul 12 18:54:39 2005 From: devnull at spamcop.net (Frog Prince) Date: Tue Jul 12 18:00:02 2005 Subject: [SpamCop-List] Re: From NANAE: "Socks" enters hospice. References: Message-ID: "McWebber" | > | > > I'll third that. :-) | > | > Two more and we've got a fifth. :-) | > | | How many more for a liter? A fifth or a liter drink that much whisky and you're invisible regardless. | | From porpoise1954 at yahoo.co.uk Wed Jul 13 00:05:57 2005 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Tue Jul 12 18:10:02 2005 Subject: [SpamCop-List] Re: From NANAE: "Socks" enters hospice. References: Message-ID: "McWebber" wrote in message news:db14tl$o8f$1@news.spamcop.net... > > How many more for a liter? > > You mean a litre? ;-) From nobody at devnull.spamcop.net Tue Jul 12 20:20:10 2005 From: nobody at devnull.spamcop.net (Miss Betsy) Date: Tue Jul 12 20:15:09 2005 Subject: [SpamCop-List] Re: From NANAE: "Socks" enters hospice. References: Message-ID: "Socks" wrote in message news:Xns9691470DFF63Eagent01413mydejacom@216.154.195.61... > > Life is not a journey to the grave with the intention of arriving > > safely in one pretty and well preserved piece, but to slide across > > the finish line broadside, thoroughly used up, worn out, leaking > > oil, and shouting GERONIMO!!! Bill McKenna, date unknown > > > > Hope I have the interest in life you have so that I post when I am > > in hospice! > I stole that sig well before you did :-) I forget where I first saw it, > but the attribution of Bill McKenna matches the attribution that I gave to > it when I started posting it. I honestly dont remember where I first saw > it. > > I used it on mail before using it on usenet by several months. So it was yours! I wish you a safe landing! It won't be long before I follow you (considering the age of the universe). Keep an ear out for another GERONIMO!! Miss Betsy From user at domain.invalid Tue Jul 12 21:50:11 2005 From: user at domain.invalid (user@domain.invalid) Date: Tue Jul 12 22:55:03 2005 Subject: [SpamCop-List] hey Message-ID: hey guys I was wondering if anyone of you knew sarf@spamcop.net he is a old friend and trying to get in contact with him.. if anyone knows could you let me know or send me a e-maila airsoftguy@comcast.net From nobody at nowhere.not Wed Jul 13 07:35:15 2005 From: nobody at nowhere.not (Robert Blair) Date: Wed Jul 13 02:40:16 2005 Subject: [SpamCop-List] Wrong reporting address for 220.66.66.57 ? Message-ID: I received the following reply to a LART. " Thank you for reporting 220.66.66.57 spam incident to KREONET. By the way, the host 220.66.66.57 is not serviced by KREONET, but KREN. The host 220.66.66.57 is assigned Yong-In University. Therefore I am forwarding your message to the Yong-In University admin contact. " The whois seems to confirm it. Whois 220.66.66.57 Çѱ¹ÀÎÅͳÝÁ¤º¸¼¾ÅÍ(www.nic.or.kr)¿¡¼­ Á¦°øÇÏ´Â Whois ¼­ºñ½º ÀÔ´Ï´Ù. query: 220.66.66.57 # ENGLISH KRNIC is not a ISP but a National Internet Registry similar to APNIC. The followings are information of the organization that is using the IPv4 address. IPv4 Address : 220.66.64.0-220.66.67.255 Network Name : KREN-LLINE-YONGIN Connect ISP Name : KREN Connect Date : 20021222 Registration Date : 20040421 [ Organization Information ] Organization ID : ORG281112 Org Name : Yong-In Unoversity State : KYONGGI Address : 470, Samga-Dong, Yongin-Si Zip Code : 449-714 -- Robert Blair From asterix at no_where.net Wed Jul 13 11:09:58 2005 From: asterix at no_where.net (Asterix) Date: Wed Jul 13 04:10:03 2005 Subject: [SpamCop-List] Is http://geuc.awesomereplicaz.com blocking Spamcop ? Message-ID: <1gzmurv.1iqueda1kvqxc8N%asterix@no_where.net> Today I got a mail promoting http://geuc.awesomereplicaz.com. Spamcop discarded the address as fake ("could not resolve"), but the site is alive and kicking. Are they blocking Spamcop from DNS ? -- I recommend Macs to my friends, and Windows machines to those whom I don't mind billing by the hour From nobody at nowhere.invalid Wed Jul 13 11:12:42 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Wed Jul 13 04:15:03 2005 Subject: [SpamCop-List] Re: From NANAE: "Socks" enters hospice. References: Message-ID: On Tue, 12 Jul 2005 23:05:57 +0100, Porpoise coughed into spamcop and left this in : >> How many more for a liter? > > You mean a litre? ;-) Or a litter (of kittens...) -- Steve In most countries selling harmful things like drugs is punishable. Then how come people can sell Microsoft software and go unpunished? -- Hasse Skrifvars From bar_n0ne at hotmail.com Wed Jul 13 14:50:47 2005 From: bar_n0ne at hotmail.com (Berny) Date: Wed Jul 13 05:55:17 2005 Subject: [SpamCop-List] Re: Is http://geuc.awesomereplicaz.com blocking Spamcop ? References: <1gzmurv.1iqueda1kvqxc8N%asterix@no_where.net> Message-ID: "Asterix" wrote in message news:1gzmurv.1iqueda1kvqxc8N%asterix@no_where.net... > Today I got a mail promoting http://geuc.awesomereplicaz.com. > Spamcop discarded the address as fake ("could not resolve"), but the > site is alive and kicking. Are they blocking Spamcop from DNS ? > > -- > I recommend Macs to my friends, and Windows machines > to those whom I don't mind billing by the hour Dozens of Spammer Nameservices do, or have just sufficiently Pokey DNS that SC gives up. If you google this newsgroup for "resolv" you will find endless discussion on this topic. There is also a "Pinned" item in the forum. (See Help on the SC main page) From redford_stone at INVERSE_OF_COLDmail.com Wed Jul 13 11:16:15 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Wed Jul 13 06:20:12 2005 Subject: [SpamCop-List] Re: From NANAE: "Socks" enters hospice. References: Message-ID: "Spamvireslayer" wrote in news:db161c$p7d$1@news.spamcop.net: > > "JohnL" wrote in message > news:Xns969187DEE6489johnlspamcopnet@216.154.195.61... >> >> Liter? >> How 'bout a barrel? ;-) > > I think it was dear Socks who mentioned a keg.....he gets the IV, we > get the tap..... > > How about a bushel? :-) From redford_stone at INVERSE_OF_COLDmail.com Wed Jul 13 11:17:35 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Wed Jul 13 06:20:28 2005 Subject: [SpamCop-List] Re: From NANAE: "Socks" enters hospice. References: Message-ID: "Frog Prince" wrote in news:db1e98$u0a$2@news.spamcop.net: > > "McWebber" >| > >| > > I'll third that. :-) >| > >| > Two more and we've got a fifth. :-) >| > >| >| How many more for a liter? > > A fifth or a liter drink that much whisky and you're invisible > regardless. All depends on the whiskey.. are we talking about "made in the south" whiskey or yankee whiskey? :-) From nstrom at ananzi.co.za Wed Jul 13 08:15:26 2005 From: nstrom at ananzi.co.za (Nathan Strom) Date: Wed Jul 13 07:20:03 2005 Subject: [SpamCop-List] Missing redirector - redir.internet.com Message-ID: Spamcop doesn't seem to recognize the redirector used for this spamvertised URL: http://redir.internet.com/rss/click/ltnrbmxs.edgravewas.com/ (which redirects to http://ltnrbmxs.edgravewas.com/) From nobody at spamcop.net Wed Jul 13 07:27:05 2005 From: nobody at spamcop.net (Ellen) Date: Wed Jul 13 07:40:10 2005 Subject: [SpamCop-List] Re: Wrong reporting address for 220.66.66.57 ? References: Message-ID: "Robert Blair" wrote in message news:TECQXhvKj0FX-pn2-pKqdp3jCdnlL@localhost... > I received the following reply to a LART. > > " > Thank you for reporting 220.66.66.57 spam incident to KREONET. > > By the way, the host 220.66.66.57 is not serviced by KREONET, > > but KREN. > > The host 220.66.66.57 is assigned Yong-In University. > > Therefore I am forwarding your message to the Yong-In University admin > contact. > " > > > > The whois seems to confirm it. > > Whois 220.66.66.57 > > Çѱ¹ÀÎÅͳÝÁ¤º¸¼¾ÅÍ(www.nic.or.kr)¿¡¼­ Á¦°øÇÏ´Â Whois ¼­ºñ½º ÀÔ´Ï´Ù. > > query: 220.66.66.57 > > # ENGLISH > > KRNIC is not a ISP but a National Internet Registry similar to APNIC. > The followings are information of the organization that is using the > IPv4 address. > > IPv4 Address : 220.66.64.0-220.66.67.255 > Network Name : KREN-LLINE-YONGIN > Connect ISP Name : KREN > Connect Date : 20021222 > Registration Date : 20040421 > > [ Organization Information ] > Organization ID : ORG281112 > Org Name : Yong-In Unoversity > State : KYONGGI > Address : 470, Samga-Dong, Yongin-Si > Zip Code : 449-714 > > I see we have reporting addresses of jycha@yongin.ac.kr jyyoo@yongin.ac.kr kren@snu.ac.kr Any clue as to which one might be wrong? Do you have a report number? Ellen From bar_n0ne at hotmail.com Wed Jul 13 17:16:03 2005 From: bar_n0ne at hotmail.com (Berny) Date: Wed Jul 13 08:20:03 2005 Subject: [SpamCop-List] Re: Missing redirector - redir.internet.com References: Message-ID: "Nathan Strom" wrote in message news:db2t5j$mfa$1@news.spamcop.net... > Spamcop doesn't seem to recognize the redirector used for this spamvertised > URL: > > http://redir.internet.com/rss/click/ltnrbmxs.edgravewas.com/ > > (which redirects to http://ltnrbmxs.edgravewas.com/) Maybe they're part of the spam support service? what is that anyway? a clicktracker? From devnull at spamcop.net Wed Jul 13 09:29:17 2005 From: devnull at spamcop.net (Frog Prince) Date: Wed Jul 13 08:30:04 2005 Subject: [SpamCop-List] Re: From NANAE: "Socks" enters hospice. References: Message-ID: "Redstone" | All depends on the whiskey.. are we talking about "made in the south" | whiskey or yankee whiskey? :-) free booze and you get picky about the source? From porpoise1954 at yahoo.co.uk Wed Jul 13 15:09:17 2005 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Wed Jul 13 09:10:04 2005 Subject: [SpamCop-List] Re: From NANAE: "Socks" enters hospice. References: Message-ID: "Steven Maesslein" wrote in message news:slrndd9j7q.2u4.nobody@127.0.0.1... > On Tue, 12 Jul 2005 23:05:57 +0100, Porpoise coughed into spamcop and > left this in : > >>> How many more for a liter? >> >> You mean a litre? ;-) > > Or a litter (of kittens...) > Or a lighter (of the cigar variety....) (or the opposite of heavy....) From kenbrody at spamcop.net Wed Jul 13 14:01:07 2005 From: kenbrody at spamcop.net (Kenneth Brody) Date: Wed Jul 13 13:05:03 2005 Subject: [SpamCop-List] Possible SC bug -- blank line in headers Message-ID: <42D548D3.1629C9CE@spamcop.net> I received an e-mail today with a blank line within the headers which are added by SpamCop. Note that I have not yet POPped this to my system, and I'm using the webmail interface at the moment, so it can't be that this line was added by something other than SpamCop. The final lines in the header are: ========== X-Virus-Scanned: munge at munge X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on blade4 X-Spam-Level: X-Spam-Status: hits=0.7 tests=AWL,FORGED_RCVD_HELO,J_CHICKENPOX_54 version=3.0.2 X-SpamCop-Checked: 192.168.1.103 209.94.103.11 64.18.1.107 192.136.111.52 64.18.5.10 127.0.0.1 127.0.0.1 127.0.0.1 127.0.0.1 127.0.0.1 127.0.0.1 127.0.0.1 192.136.111.59 192.168.253.44 3.2.0.111127.0.0.1 127.0.0.1 127.0.0.1 X-SpamCop-Whitelisted: munge@munge.munge ========== Note the rather lenghty "X-SpamCop-Checked" line. (It is all on one line. If it shows as more than one, something has wrapped it.) Is it possible that SC was about to wrap the line for the next IP, but there was none, leaving the newline without anything following? While in this case the effect was minimal (the "X-SpamCop-Whitelisted" line, plus the blank following it, appeared as part of the body), I can see cases where the first line is critical to properly reading the e-mail when it's not plain text, or perhaps BASE64 encoded. -- +-------------------------+--------------------+-----------------------------+ | Kenneth J. Brody | www.hvcomputer.com | | | kenbrody/at\spamcop.net | www.fptech.com | #include | +-------------------------+--------------------+-----------------------------+ Don't e-mail me at: From nobody at nowhere.not Wed Jul 13 18:32:46 2005 From: nobody at nowhere.not (Robert Blair) Date: Wed Jul 13 13:35:02 2005 Subject: [SpamCop-List] Re: Wrong reporting address for 220.66.66.57 ? References: Message-ID: On Wed, 13 Jul 2005 10:27:05 UTC, "Ellen" wrote: > I see we have reporting addresses of > > jycha@yongin.ac.kr > jyyoo@yongin.ac.kr > kren@snu.ac.kr > > Any clue as to which one might be wrong? Do you have a report number? Report number is 1465943060. Last night I put in the IP 220.66.66.57 into spamcop and got KREONET abuse@kreonet.re.kr (plus others I do not remember) as the reporting address but this morning it seems to come up with the correct abuse address. Cached whois for 220.66.66.57 : jycha@yongin.ac.kr jyyoo@yongin.ac.kr kren@snu.ac.kr Using last resort contacts jycha@yongin.ac.kr jyyoo@yongin.ac.kr kren@snu.ac.kr The gremlins are at it again. Here is part of the reply that contained the spam -----Original Message----- From: Bob [mailto:1465943060@reports.spamcop.net] Sent: Tuesday, July 12, 2005 11:15 AM To: abuse@kreonet.re.kr Subject: [SpamCop (220.66.66.57) id:1465943060]Semen production increases 500% Complete no-quibb.. [ SpamCop V1.466 ] This message is brief for your comfort. Please use links below for details. Email from 220.66.66.57 / Mon, 11 Jul 2005 19:14:36 -0700 http://www.spamcop.net/w3m?i=z1465943060zd9b95b52e824f9c09f6935b034689 89az [ Offending message ] Return-Path: X-Original-To: x Delivered-To: x Received: from worldnet.att.net (unknown [220.66.66.57]) by mx1.pacifier.net (Postfix) with ESMTP id 323207BF8 for ; Mon, 11 Jul 2005 19:14:36 -0700 (PDT) To: x Date: Tue, 12 Jul 2005 02:12:30 +0000 Message-ID: MIME-Version: 1.0 Subject: Semen production increases 500% Complete no-quibble guarantee From: "Georgina Colton" Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 8bit X-DateReceived: Mon, 11 Jul 2005 19:18:38 -0700 -- Robert Blair From skiwi at spamcop.net Wed Jul 13 12:02:32 2005 From: skiwi at spamcop.net (Skiwi) Date: Wed Jul 13 14:05:02 2005 Subject: [SpamCop-List] Webmail - can Romania be added to the 'country blacklist' selection? Message-ID: Thought / Suggestion - for Spamcop webmail / forwarding, can Romania be added to the 'country blacklist' selection? (i.e., along with Brazil et. al.) From Vangu at rd.invalid Wed Jul 13 14:36:16 2005 From: Vangu at rd.invalid (Vanguard) Date: Wed Jul 13 14:40:03 2005 Subject: [SpamCop-List] Re: Possible SC bug -- blank line in headers References: <42D548D3.1629C9CE@spamcop.net> Message-ID: "Kenneth Brody" wrote in message news:42D548D3.1629C9CE@spamcop.net... >I received an e-mail today with a blank line within the headers which > are added by SpamCop. Note that I have not yet POPped this to my > system, and I'm using the webmail interface at the moment, so it can't > be that this line was added by something other than SpamCop. > > The final lines in the header are: > > ========== > X-Virus-Scanned: munge at munge > X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on blade4 > X-Spam-Level: > X-Spam-Status: hits=0.7 tests=AWL,FORGED_RCVD_HELO,J_CHICKENPOX_54 > version=3.0.2 > X-SpamCop-Checked: 192.168.1.103 209.94.103.11 64.18.1.107 > 192.136.111.52 64.18.5.10 127.0.0.1 127.0.0.1 127.0.0.1 127.0.0.1 > 127.0.0.1 127.0.0.1 127.0.0.1 192.136.111.59 192.168.253.44 > 3.2.0.111127.0.0.1 127.0.0.1 127.0.0.1 > > X-SpamCop-Whitelisted: munge@munge.munge > ========== > > Note the rather lenghty "X-SpamCop-Checked" line. (It is all on one > line. > If it shows as more than one, something has wrapped it.) Is it > possible > that SC was about to wrap the line for the next IP, but there was > none, > leaving the newline without anything following? > > While in this case the effect was minimal (the "X-SpamCop-Whitelisted" > line, plus the blank following it, appeared as part of the body), I > can > see cases where the first line is critical to properly reading the > e-mail > when it's not plain text, or perhaps BASE64 encoded. You sure the blank line that you see is actually a blank line in the message? It could be that there are many tab characters appended onto the X-SpamCop-Checked: header so line-wrap makes it look like there is a blank line when, in fact, it is a wrapped line of tabs at the end of it. I am not familiar with the webmail interface provided by SpamCop but most webmail interfaces do not show you what is really in the message, and even getting the raw data of the message into something like Notepad will show the pseudo-blank line if word wrapping is enabled. From nobody at spamcop.net Wed Jul 13 13:37:12 2005 From: nobody at spamcop.net (Sylvesterthekat) Date: Wed Jul 13 15:40:04 2005 Subject: [SpamCop-List] Re: From NANAE: "Socks" enters hospice. References: Message-ID: "Socks" wrote in message news:Xns969077CE1FCA5agent01413mydejacom@216.154.195.61... > that is something new for everyone. i can vouch that it works. generally, > pain wakes me up acouple times at night. then i sleep all morning. almost > noon now, and i just was out for 3 hours striaght. now i can catch up on > posts you sleep better than i do! enjoy the time you have left, we'll be sorry to see you gone From jzeitlin at spamcop.net Wed Jul 13 16:40:32 2005 From: jzeitlin at spamcop.net (=?ISO-8859-1?Q?E=F6nw=EB?=) Date: Wed Jul 13 15:45:04 2005 Subject: [SpamCop-List] Re: From NANAE: "Socks" enters hospice. References: Message-ID: On Mon, 11 Jul 2005 14:22:13 -0400, "indigo" wrote: >Spamvireslayer wrote: >> "Socks" wrote in message >> news:Xns969078669B9AAagent01413mydejacom@216.154.195.61... >> > I was told six months in May, 2001. >> Proof that you should never listen to those arbitrary numbers for any >> other reason than to get your affairs in order - then you can get on >> with proving them wrong. Good on ya, Socks, you're an inspiration. >My dear Mom fought off the big C for 12 years -- average lifespan back then >(survival rate) was 5 years or less. You can do it, Socks, keep a goal in >your head, some date you want to be around for, make it to that one, pick >another, and so on......your brain can accomplish remarkable things if you >stay positive (and it looks like you are, so keep hanging in there). I have a friend on a mailing list elsenet, who was given a small number of months. At least twelve years ago. Every year, on his 'rebirthday' (the day they unbelievingly told him he appears to be in remission), he posts a toast to the list: "FUCK CANCER!". He thinks (and so do his spice) that that attitude was part of the reason that he's still around to make the toast... -- E?nw? (SpamCop subscriber, not staff/admin) From nobody at devnull.spamcop.net Wed Jul 13 15:43:59 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Wed Jul 13 15:45:18 2005 Subject: [SpamCop-List] Re: Webmail - can Romania be added to the 'country blacklist' selection? References: Message-ID: "Skiwi" wrote in message news:db3kvp$3rs$1@news.spamcop.net... > Thought / Suggestion - for Spamcop webmail / forwarding, can Romania be > added to the 'country blacklist' selection? (i.e., along with Brazil et. > al.) The last time I pointed out that JT doesn't spend time here, I was slapped hard by seeing JT make a post within 15 minutes, so won't go there again. The SpamCop filtered e-mail account stuff is normally handled in the spamcop.mail newsgroup (basically dead) or over in the Forum (in this case the "New Feature/Suggestion" section. Is there a BL for that already? If so, point to it. From nobody at spamcop.net Wed Jul 13 13:45:58 2005 From: nobody at spamcop.net (Sylvesterthekat) Date: Wed Jul 13 15:50:03 2005 Subject: [SpamCop-List] Re: From NANAE: "Socks" enters hospice. References: Message-ID: "Socks" wrote in message news:Xns969078669B9AAagent01413mydejacom@216.154.195.61... > I was told six months in May, 2001. And just look at all the wonderful things you've witnessed in that time that you might otherwise have missed! Um.. well.. yeah. I'm sure there must have been some wonderful things. From click1510 at earthlink.net Wed Jul 13 14:50:34 2005 From: click1510 at earthlink.net (CO-DBA-SC-EL) Date: Wed Jul 13 16:55:02 2005 Subject: [SpamCop-List] Re: SpamCop's bl.spamcop.net too aggressive? References: Message-ID: There is a problem. We are not a spammer. Last week I started getting some bounces to some of our legitimate emails which we finally tracked to the recipient using bl.spamcop.net. Other email never bounced but was presumably blackholed by other users of that list. Upon further investigation, we found that: * Our IP address is *not* listed in bl.spamcop.net. Of course it may have been listed for a while, as a result of worm/virus return address spoofing, and reports to spamcop by idiots who still believe that spam comes from the listed return address. But even in that case spamcop should have been able to parse and detect that the spam did not really come from our server. * A bl.spamcop.net check yesterday showed us not listed. Yet we got several bounces today. A bl.spamcop.net within 30 minutes of those bounces did not show us listed. * Our hosting service has apparently introduced recently (don't know when) a DNS zone entry for a 3rd name server that is flagged by dnsreports.com as a "stealth name server" that could cause problems. Efforts are under way to get the host to fix this up, but in the meantime... * When checking our domain name for blacklists at dnsstuff.com, it cannot resolve the domain name and needs an IP address. This may or may not be related to the stealth name server issue above. However a quick Google showed that it is a fairly common problem. * So, it is still possible that the spamcop parser got confused when it found the domain name in the fake return address and and may have flagged us. Or does bl.spamcop.net also pick up blacklist entries from other blacklists that are more vulnerable to spoofing? Of course, this is of extremely grave concern, because we are dependent on email for business transactions with our clients. I wonder whether someone else has run into similar problems? Obviously, the warnings on spamcop.net are not being heeded by postmasters, and we do not want to badmouth spamcop. BTW, we have had two paying customer accounts for several years and all our incoming mail is filtered by spamcop, so we're not too naive about how this stuff works. C. From nobody at spamcop.net Wed Jul 13 18:24:22 2005 From: nobody at spamcop.net (Ellen) Date: Wed Jul 13 17:40:08 2005 Subject: [SpamCop-List] Re: Wrong reporting address for 220.66.66.57 ? References: Message-ID: "Robert Blair" wrote in message news:TECQXhvKj0FX-pn2-wx1Ik76ddr4O@localhost... > On Wed, 13 Jul 2005 10:27:05 UTC, "Ellen" wrote: > > > I see we have reporting addresses of > > > > jycha@yongin.ac.kr > > jyyoo@yongin.ac.kr > > kren@snu.ac.kr > > > > Any clue as to which one might be wrong? Do you have a report number? > > Report number is 1465943060. > > Last night I put in the IP 220.66.66.57 into spamcop and got KREONET > abuse@kreonet.re.kr (plus others I do not remember) as the reporting > address but this morning it seems to come up with the correct abuse > address. Yeah -- I would like to explain this but I can't ... I suppose I could make something up. I am befuddled. Ellen From nobody at spamcop.net Wed Jul 13 18:33:09 2005 From: nobody at spamcop.net (Ellen) Date: Wed Jul 13 17:40:18 2005 Subject: [SpamCop-List] Re: SpamCop's bl.spamcop.net too aggressive? References: Message-ID: "CO-DBA-SC-EL" wrote in message news:db3ur0$boa$1@news.spamcop.net... > There is a problem. > > We are not a spammer. Last week I started getting some bounces to some of > our legitimate emails which we finally tracked to the recipient using > bl.spamcop.net. Other email never bounced but was presumably blackholed by > other users of that list. > Upon further investigation, we found that: > * Our IP address is *not* listed in bl.spamcop.net. What is the IP address, I can look and see if it has been listed. >Of course it may have > been listed for a while, as a result of worm/virus return address spoofing, > and reports to spamcop by idiots who still believe that spam comes from the > listed return address. Before you call people idiots you might want to know the following: 1) SC completely ignores from addresses 2) IPs are listed if they are found to be the injecting IP when the Received headers are parsed. Random domain names and email addresses in headers; x-headers; the body of the spam do not lead to listings. >But even in that case spamcop should have been able > to parse and detect that the spam did not really come from our server. Unless it did come from your server. > * A bl.spamcop.net check yesterday showed us not listed. Yet we got several > bounces today. A bl.spamcop.net within 30 minutes of those bounces did not > show us listed. We have no control over receiving servers that 1) cache results for periods of time well beyong the TTL and/or 2) randomly return the wrong text message when they reject. > * Our hosting service has apparently introduced recently (don't know when) a > DNS zone entry for a 3rd name server that is flagged by dnsreports.com as a > "stealth name server" that could cause problems. Efforts are under way to > get the host to fix this up, but in the meantime... I have no idea what that would mean in a parse of a set of headers but without the IP I can't look at the database. > * When checking our domain name for blacklists at dnsstuff.com, it cannot > resolve the domain name and needs an IP address. This may or may not be > related to the stealth name server issue above. However a quick Google > showed that it is a fairly common problem. > * So, it is still possible that the spamcop parser got confused when it > found the domain name in the fake return address and and may have flagged > us. Again, I reiterate we look at the IPs in the headers. Now it is possible to have such deficient headers that an intermediary server gets tagged as the injection because the parser can't chain the headers together. > > Or does bl.spamcop.net also pick up blacklist entries from other blacklists > that are more vulnerable to spoofing? We do check IPs against a couple of other lists such as cbl, njabl but no one has ever said those are anything other than well run lists and they are smart enough to not be conned by spoofing. If you do not wish to discuss your IP in public write to me at deputies admin.spamcop.net and we'll see what is going on. Ellen SpamCop From nstrom at ananzi.co.za Wed Jul 13 20:10:18 2005 From: nstrom at ananzi.co.za (Nathan Strom) Date: Wed Jul 13 19:10:03 2005 Subject: [SpamCop-List] Re: Missing redirector - redir.internet.com References: Message-ID: On Wed, 13 Jul 2005 16:16:03 +0400, "Berny" wrote in : > >"Nathan Strom" wrote in message >news:db2t5j$mfa$1@news.spamcop.net... >> Spamcop doesn't seem to recognize the redirector used for this >spamvertised >> URL: >> >> http://redir.internet.com/rss/click/ltnrbmxs.edgravewas.com/ >> >> (which redirects to http://ltnrbmxs.edgravewas.com/) > > >Maybe they're part of the spam support service? what is that anyway? a >clicktracker? > Yeah, it's some sort of clicktracker used by internet.com, which is a legit site. It's just spammer abuse of a public redirector. http://redir.internet.com/rss/click/www.google.com goes to www.google.com, for example. The right thing for internet.com to do would be to only allow their redirector to redirect to sites they have approved. From nttp.sc.s at bigsleep.org Thu Jul 14 00:14:10 2005 From: nttp.sc.s at bigsleep.org (Blammo) Date: Wed Jul 13 19:15:03 2005 Subject: [SpamCop-List] Re: Possible SC bug -- blank line in headers References: <42D548D3.1629C9CE@spamcop.net> Message-ID: On 13 Jul 2005 Vanguard entered spamcop and left news:db3mv0$5a3$1@news.spamcop.net: > It could be that there are many tab characters appended onto > the X-SpamCop-Checked: header so line-wrap makes it look like there is a > blank line when, in fact, it is a wrapped line of tabs at the end of it. I seriously doubt Spamcop put any tabs in that header. Normal preformatted HTML will not wrap at spaces or tabs. I'm sure that must be preformatted, otherwise there would be a line wrap much sooner at one of the spaces. There is a space after the last IP, then two new lines. Also a tab just before version=3.0.2, so I'm quite sure that this post is an accurate copy of the headers, as far as they are displayed in web mail. I don't have a mail account either, and I have no way of knowing if this is a header problem or a web mail problem. The best way to check that is to get the message via IMAP with something that won't alter the message. But Netscape / Mozilla / Thunderbird shouldn't alter the source for that header anyway, using either POP or IMAP. It's entirely possible that the admin was trying to figure out a way to get that header to wrap like the Spam-Status header, or that there is some header length limit. But here I'm driving while blind. -- | Ric | From mcwebber at my-deja.com Wed Jul 13 20:14:02 2005 From: mcwebber at my-deja.com (McWebber) Date: Wed Jul 13 19:20:03 2005 Subject: [SpamCop-List] Re: Missing redirector - redir.internet.com References: Message-ID: "Nathan Strom" wrote in message news:db4707$h14$1@news.spamcop.net... > > Yeah, it's some sort of clicktracker used by internet.com, which is a legit > site. It's just spammer abuse of a public redirector. > > http://redir.internet.com/rss/click/www.google.com > > goes to www.google.com, for example. > > The right thing for internet.com to do would be to only allow their redirector > to redirect to sites they have approved. Ha, ha, ha. With millions of sites being redirected, that would probably be impossible, as is the case with virtually every redirector for larger sites. When the Internet reverts to being powered by coal and steam and every link examined by lawyers and accountants wearing green eyeshades that may happen. -- McWebber "Richter points to the lack of legal action against his company as proof that he's operating appropriately." Information Week, November 10, 2003 From skiwi at spamcop.net Wed Jul 13 18:42:10 2005 From: skiwi at spamcop.net (Skiwi) Date: Wed Jul 13 20:45:02 2005 Subject: [SpamCop-List] Re: Webmail - can Romania be added to the 'country blacklist' selection? In-Reply-To: References: Message-ID: WazoO wrote: > "Skiwi" wrote in message > news:db3kvp$3rs$1@news.spamcop.net... > >>Thought / Suggestion - for Spamcop webmail / forwarding, can Romania be >>added to the 'country blacklist' selection? (i.e., along with Brazil et. >>al.) > > > The last time I pointed out that JT doesn't spend time here, > I was slapped hard by seeing JT make a post within 15 > minutes, so won't go there again. The SpamCop filtered > e-mail account stuff is normally handled in the > spamcop.mail newsgroup (basically dead) or over in the > Forum (in this case the "New Feature/Suggestion" section. > Is there a BL for that already? If so, point to it. Cheers! It was more of a plaintative bleat, but a good suggetsion - now, what is the forum again? :-) From anon at coks.net Wed Jul 13 19:12:08 2005 From: anon at coks.net (J G) Date: Wed Jul 13 21:15:12 2005 Subject: [SpamCop-List] Re: Webmail - can Romania be added to the 'country blacklist' selection? In-Reply-To: References: Message-ID: On 7/13/2005 5:42 PM Skiwi scribbled: > Cheers! It was more of a plaintative bleat, but a good suggetsion - now, > what is the forum again? :-) http://forum.spamcop.net/forums/index.php? From gts-newsdotspamcopdotnetatmypantsdotcomREMOVEALLCAPSANDEXAMPLEDOTCOM at EXAMPLE.COM Wed Jul 13 20:59:29 2005 From: gts-newsdotspamcopdotnetatmypantsdotcomREMOVEALLCAPSANDEXAMPLEDOTCOM at EXAMPLE.COM (Greg Samson) Date: Wed Jul 13 23:00:03 2005 Subject: [SpamCop-List] What to do when spamcop takes a URL and gives back nothing...? Message-ID: Relevant reference: http://www.spamcop.net/sc?id=z785646979zaed42804f0813ed628ef213fbbf080f8z The spamcop parser said this about the redirected URL: Resolving link obfuscation http://rds.yahoo.com/s=7876477/k=computer/v=1/sid=p/l=ws1/r=1/ss=93106246/ipc=us/she=0/h=0/sig=95sttb283/exp=698093953/*-http://google.com.pr33n.net/del.asp Yahoo redirection = http://google.com.pr33n.net/del.asp http://rds.yahoo.com/s=0801551/k=computer/v=9/sid=z/l=ws1/r=1/ss=49156110/ipc=us/she=0/h=0/sig=92mius2460/exp=190411827/*-http://google.com.pr33n.net/home.asp Yahoo redirection = http://google.com.pr33n.net/home.asp ...and then reported no addresses to send to, or anything else about those URLs beyond that point. Sam Spade/Personal lookups demonstrate that pr33n.net is registered through Yesnic with bogus WHOIS information - no big surprise there - and its netblock is part of CNC-NOC/CNCGroup, also not a surprise. Why doesn't the spamcop parser find any reporting addresses? -- demunge FROM: to contact me directly From MikeE at ster.invalid Wed Jul 13 21:35:25 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jul 13 23:40:09 2005 Subject: [SpamCop-List] Re: What to do when spamcop takes a URL and gives back nothing...? References: Message-ID: Greg Samson wrote: > Relevant reference: > > http://www.spamcop.net/sc?id=z785646979zaed42804f0813ed628ef213fbbf080f8z > > The spamcop parser said this about the redirected URL: > Yahoo redirection = http://google.com.pr33n.net/home.asp > > ...and then reported no addresses to send to, or anything else about > those URLs beyond that point. Sometimes SC chooses to not resolve after the de-obfuscation step. Sometimes SC tries to resolve and can't. Sometimes SC tries to resolve and can sometimes and can't other times. Sometimes SC can never resolve; sometimes SC can sometimes resolve. Sometimes SC can't ever resolve as a part of the parsing reporting operation, but /can/ resolve as an 'isolated' or 'naked' resolve, such as this: Parsing input: http://google.com.pr33n.net/home.asp Routing details for 221.10.201.178 [refresh/show] Cached whois for 221.10.201.178 : abuse@cnc-noc.net Using abuse net on abuse@cnc-noc.net abuse net cnc-noc.net = antispam@public.zz.ha.cn, postmaster@cnc-noc.net Using best contacts antispam@public.zz.ha.cn postmaster@cnc-noc.net antispam@public.zz.ha.cn redirects to abuse@chinanet.cn.net postmaster@cnc-noc.net bounces (6 sent : 6 bounces) Using postmaster#cnc-noc.net@devnull.spamcop.net for statistical tracking. 221.10.201.178 is spamhaused as the 221.10.201.0/24 in SBL25746 which is also about the ROKSO MailTrain. 221.10.201.0/24 is listed on the Register Of Known Spam Operations (ROKSO) database as being assigned to, under the control of, or providing service to a known professional spam operation run by MailTrain. There are 19 other major spamhaus listings for the cnc group including another ROKSO besides mailtrain. The point of that whole story is that not notifying the cnc .cn group is no loss -- they are blackhat and unresponsive. Because they are .cn, it is a big waste of time to even think about researching the upstream possibilities, altho' we can mess with that if you like. An alternate attack route might be the domainname registration. > Sam Spade/Personal lookups demonstrate that pr33n.net is registered > through Yesnic with bogus WHOIS information - no big surprise there - > and its netblock is part of CNC-NOC/CNCGroup, also not a surprise. If you want to attack the bogosity of the registration info, you can do that here http://wdprs.internic.net/ Whois Data Problem Report System > Why doesn't the spamcop parser find any reporting addresses? The 'why' has been asked many time in many places and there are alternate theories. This is an example of one of the URLs which can be resolved by naked parsing, but even after you get there, you have significant problem about anything useful to notify. -- Mike Easter kibitzer, not SC admin From anon at coks.net Wed Jul 13 23:21:41 2005 From: anon at coks.net (J G) Date: Thu Jul 14 01:25:04 2005 Subject: [SpamCop-List] La Salle Bank phish Message-ID: http://www.spamcop.net/sc?id=z785678540ze192380a9fad80ab01598f81a12b6813z Why doesn't SC pick up emailhoax@abnamro.com on this phish? From anon at coks.net Wed Jul 13 23:35:12 2005 From: anon at coks.net (J G) Date: Thu Jul 14 01:35:03 2005 Subject: [SpamCop-List] Re: What to do when spamcop takes a URL and gives back nothing...? In-Reply-To: References: Message-ID: On 7/13/2005 8:35 PM Mike Easter scribbled: > Greg Samson wrote: > >>Relevant reference: >> >> > > http://www.spamcop.net/sc?id=z785646979zaed42804f0813ed628ef213fbbf080f8z > >>The spamcop parser said this about the redirected URL: > > >> Yahoo redirection = http://google.com.pr33n.net/home.asp >> >>...and then reported no addresses to send to, or anything else about >>those URLs beyond that point. > > > Sometimes SC chooses to not resolve after the de-obfuscation step. > Sometimes SC tries to resolve and can't. Sometimes SC tries to resolve > and can sometimes and can't other times. Sometimes SC can never > resolve; sometimes SC can sometimes resolve. Sometimes SC can't ever > resolve as a part of the parsing reporting operation, but /can/ resolve > as an 'isolated' or 'naked' resolve, such as this: > > Parsing input: http://google.com.pr33n.net/home.asp > Routing details for 221.10.201.178 > [refresh/show] Cached whois for 221.10.201.178 : abuse@cnc-noc.net > Using abuse net on abuse@cnc-noc.net > abuse net cnc-noc.net = antispam@public.zz.ha.cn, postmaster@cnc-noc.net > Using best contacts antispam@public.zz.ha.cn postmaster@cnc-noc.net > antispam@public.zz.ha.cn redirects to abuse@chinanet.cn.net > postmaster@cnc-noc.net bounces (6 sent : 6 bounces) > Using postmaster#cnc-noc.net@devnull.spamcop.net for statistical > tracking. > > > 221.10.201.178 is spamhaused as the 221.10.201.0/24 in SBL25746 which > is also about the ROKSO MailTrain. > > 221.10.201.0/24 is listed on the Register Of Known Spam Operations > (ROKSO) database as being assigned to, under the control of, or > providing service to a known professional spam operation run by > MailTrain. > > There are 19 other major spamhaus listings for the cnc group including > another ROKSO besides mailtrain. > > The point of that whole story is that not notifying the cnc .cn group is > no loss -- they are blackhat and unresponsive. Because they are .cn, it > is a big waste of time to even think about researching the upstream > possibilities, altho' we can mess with that if you like. > > An alternate attack route might be the domainname registration. > > >>Sam Spade/Personal lookups demonstrate that pr33n.net is registered >>through Yesnic with bogus WHOIS information - no big surprise there - >>and its netblock is part of CNC-NOC/CNCGroup, also not a surprise. > > > If you want to attack the bogosity of the registration info, you can do > that here http://wdprs.internic.net/ Whois Data Problem Report System > > >>Why doesn't the spamcop parser find any reporting addresses? > > > The 'why' has been asked many time in many places and there are > alternate theories. This is an example of one of the URLs which can be > resolved by naked parsing, but even after you get there, you have > significant problem about anything useful to notify. > > > > Make the 1st half of that post your sig, Mike - forget the 2nd half... From SCNews~5~myspamgobbler at spamcowboy.net Thu Jul 14 00:02:48 2005 From: SCNews~5~myspamgobbler at spamcowboy.net (Brian) Date: Thu Jul 14 02:10:11 2005 Subject: [SpamCop-List] Re: Webmail - can Romania be added to the 'country blacklist' selection? In-Reply-To: References: Message-ID: WazoO wrote: > "Skiwi" wrote in message > news:db3kvp$3rs$1@news.spamcop.net... > >>Thought / Suggestion - for Spamcop webmail / forwarding, can Romania be >>added to the 'country blacklist' selection? (i.e., along with Brazil et. >>al.) > > > The last time I pointed out that JT doesn't spend time here, > I was slapped hard by seeing JT make a post within 15 > minutes, so won't go there again. The SpamCop filtered > e-mail account stuff is normally handled in the > spamcop.mail newsgroup (basically dead) or over in the > Forum (in this case the "New Feature/Suggestion" section. > Is there a BL for that already? If so, point to it. > > Wazo0, I know that you put a lot of time and energy into the forum, and I commend your effort, but, I'm confused as to why you continuously call the spamcop.mail newsgroup 'basically dead'. Although there is not a lot of conversation taking place there, compared to this newgroup, since 1 Jun, there have been 30 posts. You make it sound like a person will never get a response to anything posted there when that is not the case. From redford_stone at INVERSE_OF_COLDmail.com Thu Jul 14 08:59:27 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Thu Jul 14 04:00:03 2005 Subject: [SpamCop-List] Re: From NANAE: "Socks" enters hospice. References: Message-ID: "Frog Prince" wrote in news:db31fm$ou9$1 @news.spamcop.net: > > free booze and you get picky about the source? > Since it is the summer, "confederate moonshine" is the booze of the season. (Winter time is ideal for "union rum".) :-) From redford_stone at INVERSE_OF_COLDmail.com Thu Jul 14 09:04:41 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Thu Jul 14 04:05:03 2005 Subject: [SpamCop-List] Re: La Salle Bank phish References: Message-ID: J G wrote in news:db4sma$sv6$1@news.spamcop.net: > http://www.spamcop.net/sc?id=z785678540ze192380a9fad80ab01598f81a12b6813z > > Why doesn't SC pick up emailhoax@abnamro.com on this phish? > Abnamro.com is the parent company for La Salle Bank. I think they are just gathering statistics on this phish, and to me, it isn't as important if they are unable to stop this scammer. The important link is the phisher's scamsite which is usually located someplace in Korea. (Kornet.net or Thrunet.net) From nobody at devnull.spamcop.net Thu Jul 14 08:29:01 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Thu Jul 14 08:30:04 2005 Subject: [SpamCop-List] Re: Webmail - can Romania be added to the 'country blacklist' selection? References: Message-ID: "Brian" wrote in message news:db4vb2$ufb$1@news.spamcop.net... > > Wazo0, I know that you put a lot of time and energy into the forum, and > I commend your effort, but, I'm confused as to why you continuously call > the spamcop.mail newsgroup 'basically dead'. > > Although there is not a lot of conversation taking place there, compared > to this newgroup, since 1 Jun, there have been 30 posts. You make it > sound like a person will never get a response to anything posted there > when that is not the case. As you say, as compared to the other newsgroups, even spamcop.help ... there is very little traffic. The e-mail sections of the Forum have been (much too) active of late. My observations, my thoughts, my opinions, but I'm not sure why there'd be a difference of opinion. The only reason I added it to my 'subscribed' was because the traffic is so low. I've not been anything but a free-report account holder all these yeas due to the lack of funds, so any and all effort has been voluntary with the goal of making a better resource. The (Forum) FAQ was updated again yesterday, will probably have some more stuff added today ... the Glossary has been recently updated with anchor tags, re-sorted, more words to be added, and although I started that work, another Forum user did the major re-work of the current version. All I can say is that these resources didn't exist before, and I can't figure out why it's such an issue that they exist now. I'm really getting bored with all this, you know. I get taken to task at pointing to the Forum too much, I get taken to task because I include the pointer to a specific newsgroup. I ask for help in the attempt to build a whole different bridge, and see that even though folks are quoting stuff (which one would normally presume would get around the various kill-files I'm in) I don't see the same complainers coming forward with anything to help. From nobody at devnull.spamcop.net Thu Jul 14 15:12:12 2005 From: nobody at devnull.spamcop.net (Pop) Date: Thu Jul 14 14:15:03 2005 Subject: [SpamCop-List] Question abour "refuses munged..." Message-ID: Sorry; I closed the window and lost the tracker but this comes from the Past Reports tab: http://www.spamcop.net/sc?id=z785858404ze8634c8f48f87054914958d4e228e07bz When a spamcop parse shows a box for: Empty check box, note that Savvis doesn't accept munged reports, and then another Checked box, to report to Savvis, and both addresses are the same, both are named as the email originator, WHICH ONE takes precedence? Hmm, on the Past Reports Parse, it shows addresses for one as the savvis network and the other as email origin. That's slightly different than the originally parsed page details, and of course says it's already been sent. So, I still wonder what to do in such a situation? This one's a spam from GM; NO Idea how I got on their lists! It comes every week I think. And I report it each week, after three warnings "way back when". TIA, Pop From kenbrody at spamcop.net Thu Jul 14 14:59:07 2005 From: kenbrody at spamcop.net (Kenneth Brody) Date: Thu Jul 14 15:05:03 2005 Subject: [SpamCop-List] Re: Possible SC bug -- blank line in headers References: <42D548D3.1629C9CE@spamcop.net> Message-ID: <42D6A7EB.EE97BEE5@spamcop.net> Vanguard wrote: [...] > > X-SpamCop-Checked: 192.168.1.103 209.94.103.11 64.18.1.107 192.136.111.52 64.18.5.10 127.0.0.1 127.0.0.1 127.0.0.1 127.0.0.1 127.0.0.1 127.0.0.1 127.0.0.1 192.136.111.59 192.168.253.44 3.2.0.111127.0.0.1 127.0.0.1 127.0.0.1 > > > > X-SpamCop-Whitelisted: munge@munge.munge > > ========== > > > > Note the rather lenghty "X-SpamCop-Checked" line. (It is all on one > > line. If it shows as more than one, something has wrapped it.) Is it > > possible that SC was about to wrap the line for the next IP, but there > > was none, leaving the newline without anything following? > > > > While in this case the effect was minimal (the "X-SpamCop-Whitelisted" ^^^^^^^^^^^^^^^^^^^^^^^^^^^ > > line, plus the blank following it, appeared as part of the body), I ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > > can see cases where the first line is critical to properly reading the > > e-mail > when it's not plain text, or perhaps BASE64 encoded. > > You sure the blank line that you see is actually a blank line in the > message? It could be that there are many tab characters appended onto > the X-SpamCop-Checked: header so line-wrap makes it look like there is a > blank line when, in fact, it is a wrapped line of tabs at the end of it. > I am not familiar with the webmail interface provided by SpamCop but > most webmail interfaces do not show you what is really in the message, > and even getting the raw data of the message into something like Notepad > will show the pseudo-blank line if word wrapping is enabled. No, it was really an empty line. Aside from showing it as such in the "message source" window, you have the fact that SC's webmail interface shows the "X-SpamCop-Whitelisted" line as part of the message body, meaning that the truly-blank line ended the header. -- +-------------------------+--------------------+-----------------------------+ | Kenneth J. Brody | www.hvcomputer.com | | | kenbrody/at\spamcop.net | www.fptech.com | #include | +-------------------------+--------------------+-----------------------------+ Don't e-mail me at: From spamcram at spymac.com Thu Jul 14 15:44:25 2005 From: spamcram at spymac.com (Vernon Hardapple) Date: Thu Jul 14 17:45:04 2005 Subject: [SpamCop-List] blank spam Message-ID: I get lots of spam that is blank. Spamcop, of course, doesn't do anything with these. Are spammers just fishing for good addresses or something? Vernon From anon at coks.net Thu Jul 14 16:00:17 2005 From: anon at coks.net (J G) Date: Thu Jul 14 18:00:02 2005 Subject: [SpamCop-List] Re: blank spam In-Reply-To: References: Message-ID: On 7/14/2005 2:44 PM Vernon Hardapple scribbled: > I get lots of spam that is blank. Spamcop, of course, doesn't do > anything with these. > > Are spammers just fishing for good addresses or something? > > Vernon don't know what they are doing it for. SC expects to find a body, so in the box you paste into, at the end, leave a blank line and insert [no body]. SC will accept the crap... From ivan at gmail.com Fri Jul 15 01:51:24 2005 From: ivan at gmail.com (Ivan Leo Puoti) Date: Thu Jul 14 18:55:03 2005 Subject: [SpamCop-List] If you want a laugh Message-ID: Read the X-legal header of this spam http://www.spamcop.net/sc?id=z785975285zf84a08c328b525dab68f76e2719af842z;action=display Ivan. From captain.sisko at deep.space.nine Thu Jul 14 20:29:24 2005 From: captain.sisko at deep.space.nine (Dwayne Conyers) Date: Thu Jul 14 19:30:03 2005 Subject: [SpamCop-List] Re: If you want a laugh In-Reply-To: References: Message-ID: I think Moe Howard said it best. That is the most intelligent imbecile I've ever seen... --- Now featuring J Lo Lingerie by Jennifer Lopez http://www.cafepress.com/dwacon From spamcop-list-at-news.spamcop.net at musaic.net Fri Jul 15 04:33:39 2005 From: spamcop-list-at-news.spamcop.net at musaic.net (St - Musaic.Net) Date: Thu Jul 14 21:33:55 2005 Subject: [SpamCop-List] ...OpenRBL... Message-ID: <48958798.20050715033339@musaic.net> http://openrbl.org - things are happening... -- St From nobody at devnull.spamcop.net Thu Jul 14 22:08:53 2005 From: nobody at devnull.spamcop.net (Cat) Date: Thu Jul 14 22:10:03 2005 Subject: [SpamCop-List] Re: From NANAE: "Socks" enters hospice. In-Reply-To: References: Message-ID: Socks wrote: > I've been fighting lung cancer for 4 years now. Well wishes are > appreciated. Sending many well wishes and good thoughts in your direction. From dfm2a3l0t2 at spymac.com Fri Jul 15 00:01:41 2005 From: dfm2a3l0t2 at spymac.com (D.F. Manno) Date: Thu Jul 14 23:05:13 2005 Subject: [SpamCop-List] Re: If you want a laugh References: Message-ID: In article , Ivan Leo Puoti wrote: > Read the X-legal header of this spam > http://www.spamcop.net/sc?id=z785975285zf84a08c328b525dab68f76e2719af842z;acti > on=display I almost hope I get one of those so I can report the hell out of it. -- D.F. Manno dfm2a3l0t2@spymac.com "The work goes on, the cause endures, the hope still lives and the dream will never die." From nobody at spamcop.net Thu Jul 14 22:00:37 2005 From: nobody at spamcop.net (N. Miller) Date: Fri Jul 15 00:05:07 2005 Subject: [SpamCop-List] Re: Question abour "refuses munged..." References: Message-ID: <78z7q5c1k09z$.dlg@news.spamcop.net> On Thu, 14 Jul 2005 14:12:12 -0400, Pop wrote: > Sorry; I closed the window and lost the tracker but > this comes from the Past Reports tab: > http://www.spamcop.net/sc?id=z785858404ze8634c8f48f87054914958d4e228e07bz > > When a spamcop parse shows a box for: > > Empty check box, note that Savvis doesn't accept munged > reports, > > and then another > > Checked box, to report to Savvis, and > > both addresses are the same, both are named as the > email originator, > > WHICH ONE takes precedence? As I recall, when there is a "refused munged reports", SpamCop leaves the box unchecked for sending a report to the ISP, but has a checked box for internal purposes. IOW, SC will not send the report to the ISP, but will include the report for statistical and BL purposes. Or something like that... -- Norman ~Win dain a lotica, En vai tu ri, Si lo ta ~Fin dein a loluca, En dragu a sei lain ~Vi fa-ru les shutai am, En riga-lint From nobody at devnull.spamcop.net Fri Jul 15 16:10:12 2005 From: nobody at devnull.spamcop.net (Patto) Date: Fri Jul 15 02:15:15 2005 Subject: [SpamCop-List] Re: blank spam In-Reply-To: References: Message-ID: Vernon Hardapple wrote: > I get lots of spam that is blank. Spamcop, of course, doesn't do > anything with these. > > Are spammers just fishing for good addresses or something? > > Vernon Since nobody is reading the crap, spammers don't bother to include any contents anymore. Makes it faster to deliver, and they can probably double their productivity :) From glnews030922 at highspot.net Fri Jul 15 12:38:25 2005 From: glnews030922 at highspot.net (Graeme Leith) Date: Fri Jul 15 06:40:02 2005 Subject: [SpamCop-List] Re: If you want a laugh In-Reply-To: References: Message-ID: Ivan Leo Puoti wrote: > Read the X-legal header of this spam > http://www.spamcop.net/sc?id=z785975285zf84a08c328b525dab68f76e2719af842z;action=display *Splorf* His disclaimer seems to be wrong on at least two counts: The message wasn't (U-)CAN-SPAM compliant as it didn't include a postal address for the sender. So claiming to be in compliance with all international laws is clearly false. The web site referenced has been nuked by the ISP. Perhaps he wasn't as compliant with his web hosts AUP as he thought. ;-) -- Evidence shows Cyveillance abuse internet resources. I recommend unchecking their box in SpamCop reports. Cyveillance are part of the problem. They are not part of the solution. From nttp.sc.s at bigsleep.org Fri Jul 15 14:09:01 2005 From: nttp.sc.s at bigsleep.org (Blammo) Date: Fri Jul 15 09:10:04 2005 Subject: [SpamCop-List] Re: SpamCop's bl.spamcop.net too aggressive? References: Message-ID: On 13 Jul 2005 CO-DBA-SC-EL entered spamcop and left news:db3ur0$boa$1@news.spamcop.net: > * When checking our domain name for blacklists at dnsstuff.com, it > cannot resolve the domain name and needs an IP address. This may or > may not be related to the stealth name server issue above. However a > quick Google showed that it is a fairly common problem. > Domain names are not used for outgoing eMail, so I really don't see what that has to do with getting listed, or why you would attempt to look it up. -- | Ric | From kenbrody at spamcop.net Fri Jul 15 15:41:42 2005 From: kenbrody at spamcop.net (Kenneth Brody) Date: Fri Jul 15 18:00:03 2005 Subject: [SpamCop-List] Re: blank spam References: Message-ID: <42D80366.E7CDFE13@spamcop.net> Patto wrote: > > Vernon Hardapple wrote: > > I get lots of spam that is blank. Spamcop, of course, doesn't do > > anything with these. > > > > Are spammers just fishing for good addresses or something? > > > > Vernon > > Since nobody is reading the crap, spammers don't bother to include any > contents anymore. Makes it faster to deliver, and they can probably > double their productivity :) The ones I have looked at all try to generate return receipts. (I forget the header line that does this.) I guess they're looking for valid addresses, as reading the spam on an unprotected system will send them an e-mail. This could also be a form a DOS attack, if all of these receipts go to a third party. -- +-------------------------+--------------------+-----------------------------+ | Kenneth J. Brody | www.hvcomputer.com | | | kenbrody/at\spamcop.net | www.fptech.com | #include | +-------------------------+--------------------+-----------------------------+ Don't e-mail me at: From none at none.none Fri Jul 15 20:02:54 2005 From: none at none.none (Pete) Date: Fri Jul 15 20:05:04 2005 Subject: [SpamCop-List] Auna.es Message-ID: Why does spamcop still try to mail abuse@auna.es? When you check the DNS information for auna.NET, the registrant email address that pops up is dominios.administracion@auna.es . It seems as though auna.es is actually auna.net, or am I missing a link here? From redford_stone at INVERSE_OF_COLDmail.com Sat Jul 16 08:40:18 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Sat Jul 16 03:45:14 2005 Subject: [SpamCop-List] Re: Auna.es References: Message-ID: "Pete" wrote in news:db9irf$m42$1@news.spamcop.net: > Why does spamcop still try to mail abuse@auna.es? When you check the > DNS information for auna.NET, the registrant email address that pops > up is dominios.administracion@auna.es . It seems as though auna.es is > actually auna.net, or am I missing a link here? > > > It is because the proper abuse for Auna is abuse-at-auna.es. (Plug the IP address into RIPE's whois and you will see.) The abuse address is the registered abuse for forwarding abuse reports. Only problem is the Auna does not want to accept reports from SpamCop. From redford_stone at INVERSE_OF_COLDmail.com Sat Jul 16 08:45:07 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Sat Jul 16 03:50:02 2005 Subject: [SpamCop-List] Re: ...OpenRBL... References: Message-ID: "St - Musaic.Net" wrote in news:mailman.50.1121391238.169.spamcop-list@news.spamcop.net: > http://openrbl.org Ahh... looks like someone has decided to host Openrbl and re-open its services. Excellent. :-) (Odd.. the format of the completewhois.org site looks strangely familiar. Hmmm.) From redford_stone at INVERSE_OF_COLDmail.com Sat Jul 16 08:55:44 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Sat Jul 16 04:00:02 2005 Subject: [SpamCop-List] Re: If you want a laugh References: Message-ID: Ivan Leo Puoti wrote in news:db6q9c$56p$1@news.spamcop.net: > Read the X-legal header of this spam > http://www.spamcop.net/sc? id=z785975285zf84a08c328b525dab68f76e2719af84 > 2z;action=display > > Ivan. LOL! Reminds me of the same garbage Empire Towers tried to pull. (Threats of "SEVERE legal punishment".) Hope they do start sending more spam with that crapola. It'll give the mail admins something to filter. Site isn't on any blacklists yet.. but that may change in the near future. From click1510 at earthlink.net Sat Jul 16 13:00:40 2005 From: click1510 at earthlink.net (CO-DBA-SC-EL) Date: Sat Jul 16 15:05:03 2005 Subject: [SpamCop-List] Re: SpamCop's bl.spamcop.net too aggressive? References: Message-ID: Ric, Ellen, Thanks for responding. I understand that the parser looks at the IP addresses and ignores the obviously bogus return addresses, etc. Ellen, the address is 198.66.59.37 but the ISP's mail service apparently sometimes uses 198.66.59.34 -- I know, I know this is an ISP with a checkered history regarding spam but we never had problems in the many years we've been with them. Also, the moving options have been restricted by some problems with the registrar (NS), which took years to solve but finally got resolved yesterday (yeah! free for the first time since Internic registration!). The reason why I mentioned the DNS issue is that there was an extra name server record in our zone file at the ISP that was out of sync with the registrar's record. When doing the spammer lookup test at dnsstuff.com it can no longer resolve the domain name to an IP address, whereas it could before the ISP added that extra record some time in the last few weeks; I know that this is not an authoritative test, but it led to the testing using dnsreport.com which indicated the DNS problem (now solved, at least until the ISP decides to "improve" the zone file again). Whatever confuses the dnsstuf.com lookup might in turn lead someone to decide that the domain name is spoofed. I agree with Ellen that the recipient may have been returning a random error message when their spam detector flagged something else than an actual spamcop listing. For all we know, it may just have been a SA false positive. However, since many people (including us) simply blackhole incontrovertly obvious spam, and we therefore don't know how many other emails from us were lost or why we got other bounces with no explanation whatsoever, we had to follow that tenuous lead, especially since it may have been the result of yet another spammer dirty trick to try to induce spamcop into misinterpreting some headers. Unfortunately the bounce was so mangled that I doubt anything useful could be learned from it in terms of the header pattern that may have caused it So, basically, we're SOL on this one I guess. C_O From click1510 at earthlink.net Sat Jul 16 13:07:08 2005 From: click1510 at earthlink.net (CO-DBA-SC-EL) Date: Sat Jul 16 15:10:03 2005 Subject: [SpamCop-List] Re: SpamCop's bl.spamcop.net too aggressive? References: Message-ID: Oops. The MX record points to 198.66.41.34. 198.66.41.34 is the zone record address. C_O From nobody at spamcop.net Sat Jul 16 16:52:06 2005 From: nobody at spamcop.net (Ellen) Date: Sat Jul 16 16:00:02 2005 Subject: [SpamCop-List] Re: SpamCop's bl.spamcop.net too aggressive? References: Message-ID: "CO-DBA-SC-EL" wrote in message news:dbblgs$kqn$1@news.spamcop.net... > Ric, Ellen, > > Thanks for responding. > > I understand that the parser looks at the IP addresses and ignores the > obviously bogus return addresses, etc. > Ellen, the address is 198.66.59.37 but the ISP's mail service apparently > sometimes uses 198.66.59.34 -- Please leave some part of the previous emails quoted in your response -- I no longer have the slightest idea of what we were talking about. In any case, I looked at all 3 IPs you mentioned. The one in the next post has had no activity at all. IP 198.66.59.37 shows one report from 7/6 which appears to be a message to a bcc list with text consisting of one word: test. IP 198.66.59.34 also shows no activity. None of the 3 IPs show any listings at all. Ellen From ratpic2 at gmail.com Sat Jul 16 16:30:36 2005 From: ratpic2 at gmail.com (ratpic2) Date: Sat Jul 16 18:35:03 2005 Subject: [SpamCop-List] NEW WEBSITE Message-ID: New Adult Links Site and Webmaster Resources 100% free no popups or hidden adds. We are dedicated to a clean site for all to enjoy... visit us at http://www.xxx-eutopia.com/ From MikeE at ster.invalid Sat Jul 16 17:05:49 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat Jul 16 19:10:06 2005 Subject: [SpamCop-List] Re: NEW WEBSITE References: Message-ID: 67.160.170.238 rDNS c-67-160-170-238.hsd1.or.comcast.net GeoPinpoint = Salem, OR USA 94% certainty xxx-eutopia.com [also csayers.com and ayersmedia.com] registered to Chad Ayers, Salem OR. Wife Sue, dog Missy, emails Chad@CSAyers.com chad@chadayers.us Snurled googlemaps of 2000 Robins Lane SE http://snipurl.com/gay7 near Battle Creek Golf Course. -- Mike Easter kibitzer, not SC admin From bud at telus.net Sat Jul 16 17:43:21 2005 From: bud at telus.net (Bud) Date: Sat Jul 16 19:45:03 2005 Subject: [SpamCop-List] Re: NEW WEBSITE References: Message-ID: "Mike Easter" wrote in message news:dbc3sc$s9h$1@news.spamcop.net... > 67.160.170.238 rDNS c-67-160-170-238.hsd1.or.comcast.net > GeoPinpoint = Salem, OR USA 94% certainty > > xxx-eutopia.com [also csayers.com and ayersmedia.com] registered to Chad > Ayers, Salem OR. Wife Sue, dog Missy, emails Chad@CSAyers.com > chad@chadayers.us > > Snurled googlemaps of 2000 Robins Lane SE http://snipurl.com/gay7 near > Battle Creek Golf Course. > > > -- > Mike Easter > kibitzer, not SC admin Good one Mike, email is on the way. -- Bud From ivan at gmail.com Sun Jul 17 03:05:37 2005 From: ivan at gmail.com (Ivan Leo Puoti) Date: Sat Jul 16 20:10:03 2005 Subject: [SpamCop-List] Jail for Nigerian bank fraudster Message-ID: Yes for once it's true http://news.bbc.co.uk/1/hi/world/africa/4690031.stm Ivan. From MikeE at ster.invalid Sat Jul 16 18:35:04 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat Jul 16 20:40:02 2005 Subject: [SpamCop-List] Re: NEW WEBSITE References: Message-ID: Mike Easter wrote: > 67.160.170.238 rDNS c-67-160-170-238.hsd1.or.comcast.net Confirmation Chad Ayers = 67.170.163.207 similar to above Jun 5 67.170.163.207 rDNS c-67-170-163-207.hsd1.or.comcast.net snurled googleup of Chad Ayers persona posting from that IP June 5 http://snipurl.com/gayu More Chad Ayers domains: 01000011.ORG ALLSCRIPT.INFO AYERSFAMILY.INFO CAMBOY.INFO CAPPETTI.INFO CHADAYERS.INFO CONDON-OREGON.INFO CONDONOREGON.INFO FOSSIL-OREGON.INFO FOSSILOREGON.INFO MYPRIZEWISE.INFO PIGGERS.INFO SFFE.ORG SUEAYERS.INFO CHADAYERS.US FOSSILOR.INFO -- Mike Easter kibitzer, not SC admin From nobody at nowhere.invalid Sun Jul 17 14:20:41 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Sun Jul 17 07:25:03 2005 Subject: [SpamCop-List] Re: NEW WEBSITE References: Message-ID: On Sat, 16 Jul 2005 16:43:21 -0700, Bud coughed into spamcop and left this in : > Good one Mike, email is on the way. Don't you mean "anvil" rather than "e-mail"? :o) -- Steve Microsoft Palladium: "Where the hell do you think YOU'RE going today?" From nobody at spamcop.net Sun Jul 17 17:21:01 2005 From: nobody at spamcop.net (me-no-no) Date: Sun Jul 17 11:25:04 2005 Subject: [SpamCop-List] Pill Mill - Abel Rodriguez - Action - At last ! [News] Message-ID: Albeit a "drop in the ocean" - I guess every droplet helps! ******************************************* "Florida authorities arrest 10 in massive Internet drug sweep" (an Associated Press report 07/15/05 ) MIAMI - Law enforcement agents arrested 10 people Friday for illegally selling prescription painkillers and other controlled drugs worth more than $10 million on the Internet, in a sweep authorities called the largest state crackdown of its kind. Florida Attorney General Charlie Crist said those arrested were using licensed pharmacies to get pills, then reselling the drugs on the Internet without prescriptions. Calling it a "horrific drug operation," Crist said. "Internet pill pushers operate without regard for the law or medical necessity, and certainly without regard to safety. Their primary focus is on making a quick buck." Crist said the arrests represent "Florida's largest state prosecution of an organization filling orders for Internet drugs." The accused head of the "pill mill" was Abel Rodriguez, who authorities said filled more than $10 million worth of orders since late 2003, including hydrocodone, a painkiller also known as "synthetic heroin" that can kill if misused.......more...... http://www.wfts.com/stories/2005/07/050715drugnet.shtml ******************************************* Ciao Meno From nobody at devnull.spamcop.net Sun Jul 17 12:26:22 2005 From: nobody at devnull.spamcop.net (Pop) Date: Sun Jul 17 11:30:03 2005 Subject: [SpamCop-List] How To Fix it; throw it out Message-ID: IT's a NY Times article and you have to sign up to actually read it, but it's harmless signup. http://www.nytimes.com/2005/07/17/technology/17spy.html?th&emc=th&oref=login In essence, it's about a lot of stupid, "comfortable" executive twits tossing out their old computers rather than get them fixed or protected, and buying new ones. It's pathetic and abhorrant, but these are the people who don't know any better, don't bother to find out or can't, for whatever reason, and either pay to have it fixed or outright buy another computer. It doesn't even really mention the poorer masses of those wishing to find the internet; only the riche ones, but it's definitely indicative a an attitude of the masses, IMO. Sickening. Yaaaayyyyyy spamcop! This is part of the good fight spamcop is fighting. Now if there was only some way to educate the masses Pop From nobody at spamcop.net Sun Jul 17 13:54:17 2005 From: nobody at spamcop.net (N. Miller) Date: Sun Jul 17 15:55:03 2005 Subject: [SpamCop-List] Parser failed to de-obuscate properly Message-ID: http://www.spamcop.net/sc?id=z786982627z255bdaec9772539c70215c7210e3f186z The parser found "Tracking link: http://fmqqbfikrqhs.org." when working this spam. Yes, a "dot" ('.') after the "org" is wrong. But "http://fmqqbfikrqhs.org" isn't the correct site, either. Sam Spade says: ------------------------------------------------------------------------- |07/17/05 12:34:59 dns http://fmqqbfikrqhs.org.%20.ndsgoxot8e4xub9gmtsplw%2Esimplemedico.info |URL http://fmqqbfikrqhs.org.%20.ndsgoxot8e4xub9gmtsplw%2Esimplemedico.info is http://fmqqbfikrqhs.org. .ndsgoxot8e4xub9gmtsplw.simplemedico.info |Canonical name: fmqqbfikrqhs.org. .ndsgoxot8e4xub9gmtsplw.simplemedico.info |Addresses: | 210.22.50.89 ------------------------------------------------------------------------- I couldn't see a legal way to report this to the webhost through SpamCop, so I followed through on the Sam Spade workup and sent the notify manually. I did submit the raw IP address to SpamCop to verify where the notifies should go. -- Norman ~Win dain a lotica, En vai tu ri, Si lo ta ~Fin dein a loluca, En dragu a sei lain ~Vi fa-ru les shutai am, En riga-lint From nobody at nowhere.invalid Sun Jul 17 23:35:57 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Sun Jul 17 16:40:02 2005 Subject: [SpamCop-List] Re: Parser failed to de-obuscate properly References: Message-ID: On Sun, 17 Jul 2005 12:54:17 -0700, N. Miller coughed into spamcop and left this in : > Yes, a "dot" ('.') after the "org" is wrong. Actually, no it isn't :) $ dig news.spamcop.net. <----- Note the final '.' ; <<>> DiG 9.3.0 <<>> news.spamcop.net. ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14850 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 8, ADDITIONAL: 8 ;; QUESTION SECTION: ;news.spamcop.net. IN A ;; ANSWER SECTION: news.spamcop.net. 3457 IN A 216.154.195.61 ;; AUTHORITY SECTION: spamcop.net. 153727 IN NS asia3.akam.net. spamcop.net. 153727 IN NS ns1-11.akam.net. spamcop.net. 153727 IN NS ns1-73.akam.net. spamcop.net. 153727 IN NS ns1-90.akam.net. spamcop.net. 153727 IN NS ns1-93.akam.net. spamcop.net. 153727 IN NS ns1-109.akam.net. spamcop.net. 153727 IN NS ns1-117.akam.net. spamcop.net. 153727 IN NS use1.akam.net. ;; ADDITIONAL SECTION: use1.akam.net. 74166 IN A 63.209.170.136 asia3.akam.net. 18993 IN A 61.200.81.105 ns1-11.akam.net. 18993 IN A 193.108.91.11 ns1-73.akam.net. 18993 IN A 193.108.91.73 ns1-90.akam.net. 18993 IN A 193.108.91.90 ns1-93.akam.net. 18993 IN A 193.108.91.93 ns1-109.akam.net. 18993 IN A 193.108.91.109 ns1-117.akam.net. 18993 IN A 193.108.91.117 ;; Query time: 10 msec ;; SERVER: 192.168.1.1#53(192.168.1.1) ;; WHEN: Sun Jul 17 22:35:09 2005 ;; MSG SIZE rcvd: 350 -- Steve Good judgment comes from bad experience, and a lot of that comes from bad judgment. From mjh at spamcop.net Sun Jul 17 17:18:39 2005 From: mjh at spamcop.net (Mike) Date: Sun Jul 17 17:20:03 2005 Subject: [SpamCop-List] HTML embed tag in Date or From headers; not masked on Held Email page! Message-ID: Recently I've received several spam emails with an HTML tag in the Date or From header fields. The tag is used to point to a flash animation on some spam server. The problem is that on the SpamCop "Held Email" page the From and Date headers are shown without any "de-HTML-ing" of the text. So the actual Held Email page includes these HTML tags, causing my browser to download the flash when rendering the page! Not good. So far all of the spam web servers have been offline because I don't actually get any flash displayed on the page. However, today one of servers was up and serving the flash file. It redirected the browser to open a spam web site. I managed to reload the Held Email page and hit the Stop button before it could redirect. I queued these emails for reporting. Here are the tracking URLs. All of these have a bad Date header. I have seen other ones (which I don't have tracking URLs for) that have a similar HTML tag in the From header. Hopefully the SpamCop code that creates the "Held Email" web page can be updated to check the headers for angle brackets and "escape" them when creating the page, so the browser won't try to parse this as HTML. http://www.spamcop.net/sc?id=z787003883zbe2837a4348279f0d6609cf239bf9137z http://www.spamcop.net/sc?id=z787003887z53881c73aecb117c62a201a3a962a294z http://www.spamcop.net/sc?id=z787003891z73ead58b0b2b54886da20ca2b819a3c8z http://www.spamcop.net/sc?id=z787003895z74417089ff85a323f20ecef077082077z Mike Hall mjh@spamcop.net From nobody at devnull.spamcop.net Sun Jul 17 18:16:38 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Sun Jul 17 18:20:03 2005 Subject: [SpamCop-List] Re: HTML embed tag in Date or From headers; not masked on Held Email page! References: Message-ID: "Mike" wrote in message news:dbehvf$813$1@news.spamcop.net... > Recently I've received several spam emails with an HTML tag in > the Date or From header fields. The tag is used to point to a flash > animation on some spam server. Forwarded to JT, but not sure the problem is on him. You failed to mention the browser in use, noting that you posted with Thunderbird. Do 'we' assume FireFox? It may not matter, but .... From nobody at devnull.spamcop.net Sun Jul 17 23:55:22 2005 From: nobody at devnull.spamcop.net (PopTart) Date: Sun Jul 17 19:00:04 2005 Subject: [SpamCop-List] Re: How To Fix it; throw it out References: Message-ID: Pop wrote: > IT's a NY Times article and you have to sign up to > actually read it, but it's harmless signup. > > http://www.nytimes.com/2005/07/17/technology/17spy.html?th&emc=th&oref=login > > In essence, it's about a lot of stupid, "comfortable" > executive twits tossing out their old computers rather > than get them fixed or protected, and buying new ones. > > It's pathetic and abhorrant, but these are the people > who don't know any better, don't bother to find out or > can't, for whatever reason, and either pay to have it > fixed or outright buy another computer. It doesn't > even really mention the poorer masses of those wishing > to find the internet; only the riche ones, but it's > definitely indicative a an attitude of the masses, IMO. > > Sickening. Yaaaayyyyyy spamcop! This is part of the > good fight spamcop is fighting. Now if there was only > some way to educate the masses > > Pop > > What the fuck does this have to do with spam, you stupid moron? -- From anon at coks.net Sun Jul 17 17:07:13 2005 From: anon at coks.net (J G) Date: Sun Jul 17 19:10:02 2005 Subject: [SpamCop-List] Re: How To Fix it; throw it out In-Reply-To: References: Message-ID: On 7/17/2005 3:55 PM PopTart scribbled: > Pop wrote: > > >>IT's a NY Times article and you have to sign up to >>actually read it, but it's harmless signup. >> >>http://www.nytimes.com/2005/07/17/technology/17spy.html?th&emc=th&oref=login >> >>In essence, it's about a lot of stupid, "comfortable" >>executive twits tossing out their old computers rather >>than get them fixed or protected, and buying new ones. >> >>It's pathetic and abhorrant, but these are the people >>who don't know any better, don't bother to find out or >>can't, for whatever reason, and either pay to have it >>fixed or outright buy another computer. It doesn't >>even really mention the poorer masses of those wishing >>to find the internet; only the riche ones, but it's >>definitely indicative a an attitude of the masses, IMO. >> >>Sickening. Yaaaayyyyyy spamcop! This is part of the >>good fight spamcop is fighting. Now if there was only >>some way to educate the masses >> >>Pop >> >> > > > What the fuck does this have to do with spam, you stupid moron? > > -- nice mouth - you're obviously one of the masses that needs education - start in charm school... From nobody at devnull.spamcop.net Sun Jul 17 20:51:15 2005 From: nobody at devnull.spamcop.net (Pop) Date: Sun Jul 17 20:05:02 2005 Subject: [SpamCop-List] OT Re: How To Fix it; throw it out References: Message-ID: "J G" wrote in message news:dbeo85$bm8$1@news.spamcop.net... > On 7/17/2005 3:55 PM PopTart scribbled: > >> Pop wrote: >> >> >>>IT's a NY Times artic