From baloo at ursine.ca Sun May 1 00:14:00 2005
From: baloo at ursine.ca (Paul Johnson)
Date: Sun May 1 03:10:27 2005
Subject: [SpamCop-List] Re: Submission by email
References: <01c54c47$45163740$LocalHost@default> <1p3bk2-jds.ln1@ursine.ca>
Message-ID: <8m8ek2-87v.ln1@ursine.ca>

Steven Maesslein wrote:
> You're preaching to the choir. [...]
> Unless there's a Reply-To: header in there (such as the one inserted by
> gmail users when they use gmail's network to send mail), which fscks up
> the mailing list, and which is why I don't allow gmail addresses on
> lists I run.

Oh, OK. I think I lost proper track of the thread somewhere along the line...

--
Paul Johnson
Email and Instant Messenger (Jabber): baloo@ursine.ca
http://ursine.ca/~baloo/

From baloo at ursine.ca Sun May 1 00:19:28 2005
From: baloo at ursine.ca (Paul Johnson)
Date: Sun May 1 03:10:35 2005
Subject: [SpamCop-List] Re: Submission by email
References: <01c54c47$45163740$LocalHost@default> <4s3bk2-jds.ln1@ursine.ca>
Message-ID:

Kenneth Loafman wrote:
> On Fri, 29 Apr 2005 18:33:24 -0700, Paul Johnson wrote:
>
>>Kenneth Loafman wrote:
>>> As a mailing list sender, you would insert your own Reply-To: to have it
>>> reply back to the mailing list. What the user does with it after that
>>> is none of your concern.
>>
>>NAK! Mailing list shouldn't be setting or touching reply-to. That's the
>>user's field for the user to use. What you describe is the realm of the
>>X-List, X-Mailing-List, X-Loop, or just about any other mailing list
>>header.
>
> Then you must ban a lot of corporate mail as well. A lot of the folks
> that use Outlook in business set their Reply-To: to their own address.
> Don't know why they bother, but they do.

We're talking a mailing list here. It might just be me, but in business environments, I generally see Outlook users use the distribution lists feature in Outlook.
It's messy, but if you're writing only to people in the same environment as yourself, it's the quick and dirty fix that works for that environment. Though you have to go out of the way to set up the reply-to to be the same as from in Outlook...

> BTW, you can override gmail's setting of the Reply-To:, or anyone's for
> that matter. Depends on the mail list owner and how they want the replies
> to default. Some default to the mail list and some to the original
> author. Seems like a moot point.

Right, but it's supposed to be a user-set heading none the less. It starts getting confusing and messy when third parties in between stomp on things like that.

> Must be something else driving your decision to ban so many users from
> your list. Not worth the effort.

Not when a little user education fixes the problem, no.

> Set the Reply-To: when you send the mail back out and go on. Once it's in
> your hands, it's yours, the user has no control over that field. Remember
> "My server, My rules!". Once it's in your control, it's yours. Period.

Right, but when you're offering services that require a certain level of inter-site consistency like email, changing headers inconsistent with documented standards is a Bad Thing(tm).

--
Paul Johnson
Email and Instant Messenger (Jabber): baloo@ursine.ca
http://ursine.ca/~baloo/

From bar_n0ne at hotmail.com Sun May 1 14:04:02 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Sun May 1 05:06:48 2005
Subject: [SpamCop-List] Internic/Gandi registration problems take rediculously long to resolve
Message-ID:

for example: domain still misregistered complaint sent March 15 received below today.

Now I don't think I've seen whatshould.com since, in a spam.

But even a cursory glance at the mailing addresses show illegitimacy that even a Frenchman should recognize.

city= three fingered tap on the keyboard? come on.

Hello munged

This message is in follow-up to the Whois Data Problem Report you submitted on March 15, 2005 regarding whatshould.com.
As indicated to you at the time of submission, a copy of your report was forwarded to the sponsoring registrar for investigation.

We would appreciate it if you could assist us in monitoring registrar compliance with Whois data accuracy obligations by selecting one of the options below:

1. The data inaccuracy was corrected. Please go to the following URL:

References:
Message-ID:

Berny wrote:
> for example: domain still misregistered complaint sent March 15 received
> below today.
>
> Now I don't think I've seen whatshould.com since, in a spam.
>
> But even a cursory glance at the mailing addresses show illegitimacy that
> even a Frenchman should recognize.
>
> city= three fingered tap on the keyboard? come on.

Has Gandi ever nuked a domain because of wrong whois information? My experience: no. French providers (Gandi, Wanadoo...) seem to be totally clueless or intentionally supporting spammers: black hats. You can use the registrar problem report form at:

http://reports.internic.net/cgi/registrars/problem-report.cgi

But if this helps?

- kjz

From bar_n0ne at hotmail.com Sun May 1 17:10:07 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Sun May 1 08:15:03 2005
Subject: [SpamCop-List] Re: Internic/Gandi registration problems take rediculously long to resolve
References:
Message-ID:

"Karl-Josef Ziegler" wrote in message news:d52fme$7v6$1@news.spamcop.net...
> Berny wrote:
> > for example: domain still misregistered complaint sent March 15 received
> > below today.
> >
SNIP
>
> Has Gandi ever nuked a domain because of wrong whois information?
> My experience: no. French providers (Gandi, Wanadoo...) seem to be
> totally clueless or intentionally supporting spammers: black hats.
> You can use the registrar problem report form at:
>
> http://reports.internic.net/cgi/registrars/problem-report.cgi
>
> But if this helps?
>
> - kjz

I personally think that most registrars look at spammers as a major source of revenue, thousands of throwaway names at $10.00 a hit or so, I suspect that there would be a serious drop in income if they actually used due diligence and put off spammer business. So, they are an integral part of the spam game with few exceptions.

From kjz at despammed.com Sun May 1 21:57:39 2005
From: kjz at despammed.com (Karl-Josef Ziegler)
Date: Sun May 1 15:00:03 2005
Subject: [SpamCop-List] Re: Internic/Gandi registration problems take rediculously long to resolve
In-Reply-To:
References:
Message-ID:

Berny wrote:
> I personally think that most registrars look at spammers as a major source
> of revenue, thousands of throwaway names at $10.00 a hit or so, I suspect
> that there would be a serious drop in income if they actually used due
> diligence and put off spammer business. So, they are an integral part of the
> spam game with few exceptions.

Alas, that seems to be true. Domain registration is cheap and easy, but I think at the moment it's TOO cheap, TOO easy and TOO fast. Today I got spam for a spamvertized domain which was already set up in spammy's DNS servers but still not showing any whois info. And with a revenue of US-$ 5000 a day(!) spammy can register a lot of throwaway domains. So most spam runs in these days have a fresh throwaway domain which only has the function to redirect to/protect the 'real' spamvertized website.

ICANN should make an address verification process mandatory in the registration procedure. E.g. a new domain first is set on registrar hold and an air mail letter with a security code is sent to the registrant. This security code must be verified via a web form and only afterwards the domain is set in function. This process can be automated and the price will be only a little bit higher than an air mail stamp. More security at a low price increase.
- kjz

From jefferJones at not-valid-address-.com Sun May 1 16:10:40 2005
From: jefferJones at not-valid-address-.com (Jeffery Jones)
Date: Sun May 1 15:10:03 2005
Subject: [SpamCop-List] Can't find admin of Ebay Phisher
Message-ID:

http://www.spamcop.net/sc?id=z758724962z736972e666372fcfbf40deab549fbdb1z

Unable to locate admin for web site http://online-account-activation.com

"Cannot find master for:http://online-account-activation.com/ebayisapi.dll&verifyregistrationshow"

From nobody at devnull.spamcop.net Sun May 1 15:35:11 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Sun May 1 15:40:03 2005
Subject: [SpamCop-List] Re: Can't find admin of Ebay Phisher
References:
Message-ID:

"Jeffery Jones" wrote in message news:v5aa711tj9ck70ncfi7npc750b2i8rdkef@4ax.com...
>
> http://www.spamcop.net/sc?id=z758724962z736972e666372fcfbf40deab549fbdb1z
>
> Unable to locate admin for web site http://online-account-activation.com
>
> "Cannot find master for:http://online-account-activation.com/ebayisapi.dll&verifyregistrationsho
w"

whois -h whois.enom.com online-account-activation.com ...

Registration Service Provided By: Microsoft
Contact: personal_address@css.one.microsoft.com
Visit: http://support.msn.com/contactus.aspx?pk=PersonalAddress

Domain name: online-account-activation.com

Registrant Contact:
   greg kessler
   greg kessler (admin@online-account-activation.com)
   +1.6364586523
   Fax: none
   1748 Millstream
   chesterfield, MO 63017
   US

Administrative Contact:
   greg kessler
   greg kessler (admin@online-account-activation.com)
   +1.6364586523
   Fax: none
   1748 Millstream
   chesterfield, MO 63017
   US

Technical Contact:
   NOC MSN
   NOC MSN (MSN-PA-TECH@msn.com)
   +1.4258828080
   Fax: none
   One Microsoft Way
   Redmond, WA 98052
   US

Billing Contact:
   NOC MSN
   NOC MSN (MSN-PA-BILL@MSN.COM)
   +1.4258828080
   Fax: none
   One Microsoft Way
   Redmond, WA 98052
   US

Status: Locked

Name Servers:
   pdomns1.msn.com
   pdomns2.msn.com

Creation date: 25 Apr 2005 15:31:06
Expiration date: 25 Apr 2006 15:31:06

From f.yaskin at worldnet.att.net Sun May 1 16:37:34 2005
From: f.yaskin at worldnet.att.net (FY)
Date: Sun May 1 15:40:06 2005
Subject: [SpamCop-List] Error-why?
Message-ID:

Here is the error:

error: couldn't parse head
Message body parser requires full, accurate copy of message
More information on this error..
no links found

Same result from OE Express, and from ATT Webmail, view source selected, and copy/pasted into spamcop.

??

Spam sent as follows: --------------------- Received: from mx1.mail.yahoo.com (p2184-ipad36sasajima.aichi.ocn.ne.jp[60.45.123.184](untrusted sender)) by worldnet.att.net (mtiwmxc11) with SMTP id <2005050114143401100pim6oe>; Sun, 1 May 2005 14:14:45 +0000 X-Originating-IP: [60.45.123.184] Reply-To: "Susan" From: "Susan" To: Subject: Antidote may help boost immune system Date: Sun, 01 May 2005 08:10:57 -0700 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="--09-6[5]-3237-0[3]-080[3]" ----09-6[5]-3237-0[3]-080[3] Content-Type: ;text/plain; Content-Transfer-Encoding: 7Bit The Ancient Secret of Life 'THE ANTIDOTE' http://www.crocinamillion.info/fvd/ Kills ALL known deadly Viruses & Bacteria in the body that keep diseases, = namely: Influenza, SARS, Cancer, HIV etc. etc. active. A disease must be made DORMANT to stop infection. 'The ANTIDOTE' is the answer. http://www.crocinamillion.info/fvd/ WE ARE THE ONLY COMPANY IN THE WORLD WHO HAVE DEVELOPED AND ENHANCED THIS = PRODUCT FOR SALE. LEARN MORE http://www.crocinamillion.info/fvd/ The Antidote is a unique Anti-Microbial Peptide offering the widest range of healing power on the market today. It kills all known deadly VIRUSES and BACTERIA in the body. The initial research was carried out over several years ago by the BBC. The Antidote acts as an additive for your body's immune system. It will fight and protect your body from all virus and bacteria activated infections. The Antidote may be taken safely by children and adults even if on current medication. 
Take me off from emailing list http://www.myfriendlyshop.com/gone/
----09-6[5]-3237-0[3]-080[3]--

From MikeE at ster.invalid Sun May 1 13:42:12 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sun May 1 15:45:03 2005
Subject: [SpamCop-List] Re: Can't find admin of Ebay Phisher
References:
Message-ID:

Jeffery Jones wrote:
www.spamcop.net/sc?id=z758724962z736972e666372fcfbf40deab549fbdb1z
>
> Unable to locate admin for web site
> http://online-account-activation.com
>
> "Cannot find master
> for:http://online-account-activation.com/ebayisapi.dll&verifyregistratio
nshow"

Here's what I'm seeing at the tracker:

Tracking link: http://online-account-activation.com/ebayisapi.dll&verifyregistrationshow
No recent reports, no history available
Resolves to 65.54.132.254
Routing details for 65.54.132.254
Reports routes for 65.54.132.254:
routeid:13943319 65.52.0.0 - 65.55.255.255 to:abuse@hotmail.com
Administrator found from whois records
[refresh/show] Cached whois for 65.54.132.254 : abuse@hotmail.com
Using abuse net on abuse@hotmail.com
abuse net hotmail.com = abuse@hotmail.com
Using best contacts abuse@hotmail.com
Using rdns to route to correct Microsoft department
host 65.54.132.254 = yourpersonaladdress.net (cached)
abuse net yourpersonaladdress.net = postmaster@yourpersonaladdress.net

Message-ID:

FY wrote:
> Here is the error:
> error: couldn't parse head
> Message body parser requires full, accurate copy of message
> More information on this error..
> no links found

Even when the parser doesn't work, the general result is that it will provide you with a tracking url. That tracker is a reflection of what you fed the parser and is useful for troubleshooting this.

You should *NOT* be posting what you did here for several important reasons.

- posting spam anywhere other than the ng spamcop.spam is against some 'rule' or tradition for a variety of reasons
- it doesn't help for you to post the spam item here. I can take it and get the parser to parse it and then what does that prove?
- here's a tracker which has parsed my rendition of what I made out of what you posted here
http://www.spamcop.net/sc?id=z758744423z1fa6a7fc57989ff5a1873ee18c66b835z

Maybe my version of your spam works because I structured it so that it would work. When you post something into a newsmessage, it gets 'bent' and isn't the same as the original. The closest you can come to showing us the original easily is to put it into the parser properly and post the tracker for the result in here.

The next closest you can come would be to save the item as an .eml from OE and then attach that file to a message in spamcop.spam.

Notice that if you examine my tracker's 'View entire message' - you see that the Received traceline is not folded improperly, which it was here, perhaps by your newsreader, perhaps not; and that there is a proper empty line between the Content-Type boundary information and the first boundary marker, which was not present in what you posted here -- perhaps caused by your newsreader, perhaps not.

So, to re-iterate... do *NOT* post spam in here. Only trackers.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Sun May 1 14:35:33 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sun May 1 16:35:03 2005
Subject: [SpamCop-List] Re: Error-why?
References:
Message-ID:

Mike Easter wrote:
www.spamcop.net/sc?id=z758744423z1fa6a7fc57989ff5a1873ee18c66b835z

Report Spam to:
Re: 60.45.123.184 (Administrator of network where email originates)
To: abuse@ocn.ad.jp (Notes)
Re: 60.45.123.184 (Third party interested in email source)
To: Cyveillance spam collection (Notes)
Re: http://www.crocinamillion.info/fvd/ (Administrator of network hosting website referenced in spam)
To: daihy@china-netcom.com (Notes)
To: postmaster@china-netcom.com (Notes)
To: cnc-abuse@abuse.sprint.net (Notes)
Re: http://www.myfriendlyshop.com/gone/ (Administrator
To: postmaster@chinatietong.com
To: crnet_mgr@chinatietong.com
To: crnet_tec@chinatietong.com

--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Sun May 1 19:37:50 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Sun May 1 19:40:02 2005
Subject: [SpamCop-List] Re: Can't find admin of Ebay Phisher
References:
Message-ID:

"Mike Easter" wrote in message news:d53bau$l1g$1@news.spamcop.net...
> Jeffery Jones wrote:
> www.spamcop.net/sc?id=z758724962z736972e666372fcfbf40deab549fbdb1z
> >
> > Unable to locate admin for web site
> > http://online-account-activation.com
> >
> > "Cannot find master
> >
> for:http://online-account-activation.com/ebayisapi.dll&verifyregistratio
> nshow"
>
> Here's what I'm seeing at the tracker:
>
> SC degrade the notify down to a default pm from a registered one; that
> doesn't make any sense.

My flow, could be wrong ....

Name Servers:
   pdomns1.msn.com
   pdomns2.msn.com
Creation date: 25 Apr 2005 15:31:06

'Brand new shiney' web-site/URL created by a silly/new MSN user ... equating "pdoms" to "personal domains" ,,,,

Then noted that this URL is simply redirecting;

05/01/05 18:27:11 Browsing http://online-account-activation.com/
Fetching http://online-account-activation.com/ ...
GET / HTTP/1.1
Host: online-account-activation.com
Connection: close
User-Agent: Sam Spade 1.14

HTTP/1.1 302 Found
Connection: close
Date: Sun, 01 May 2005 23:27:21 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
P3P:CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-AspNet-Version: 1.1.4322
Location: http://www.pearland.co.id/usage/index.htm?eBayISAPI.dll&VerifyRegistrationShow
Cache-Control: private
Expires: Sat, 01 Jan 2000 08:00:00 GMT
Content-Type: text/html

Object moved

Object moved to here.

Personal Domains URL Forwarder

You can probably guess at what's sitting 'there'

My bet is that there's a database that has been fed with "don't use this reporting address" which is also mucking up the works, but the parser isn't outputting this data/error ...????

From nobody at devnull.spamcop.net Sun May 1 19:40:59 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Sun May 1 19:45:03 2005
Subject: [SpamCop-List] Re: Can't find admin of Ebay Phisher
References:
Message-ID:

"Mike Easter" wrote in message news:d53bau$l1g$1@news.spamcop.net...
> Jeffery Jones wrote:
> www.spamcop.net/sc?id=z758724962z736972e666372fcfbf40deab549fbdb1z
> >
> > Unable to locate admin for web site
> > http://online-account-activation.com
> >
> > "Cannot find master
> >
> for:http://online-account-activation.com/ebayisapi.dll&verifyregistratio
> nshow"

Noting also (ignoring some issues with SSfor WIN) but;

05/01/05 18:38:50 whois online-account-activation.com@pdomns1.msn.com
whois -h pdomns1.msn.com online-account-activation.com ...
failed, couldn't connect to host: Unknown error (0)

From / at /.cn Mon May 2 16:47:00 2005
From: / at /.cn (Petzl)
Date: Mon May 2 01:50:05 2005
Subject: [SpamCop-List] Re: ISP censors outbound mail, nixing spam discussions
References:
Message-ID:

"WazoO" wrote in message news:d4pep4$jgq$1@news.spamcop.net...
> "Pop" wrote in message
> news:d4ov5o$b3i$1@news.spamcop.net...
>> >
>> Interesting; can you even report a spam from those accounts? That would
>> suck.
>
> http://forum.spamcop.net/forums/index.php?showtopic=2782
>

A big problem in accepting the compulsory email account with your provider is that they are mainly absolutely useless (I do not accept them)
The worse fact is they then never seem to learn

Right now a legacy email account from UU.net (ozemail) they are offering spam and virus filtering without whitelist.
The only mail I still get is spam with legit mail disappearing

There is still no doubt the only and best email account to have is a SpamCop one

Petzl

From nobody at nowhere.invalid Mon May 2 11:27:14 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Mon May 2 04:30:20 2005
Subject: [SpamCop-List] Re: ISP censors outbound mail, nixing spam discussions
References:
Message-ID:

On Mon, 2 May 2005 15:47:00 +1000, Petzl coughed into spamcop and left this in :

> Right now a legacy email account from UU.net (ozemail) they are offering
> spam and virus filtering without whitelist. The only mail I still get is
> spam with legit mail disappearing

Well, UUNet sees everything pink anyway, so the chances are that the filter is working as designed :)

--
Steve
Don't worry about people stealing your ideas. If your ideas are any good, you'll have to ram them down people's throats. -- Howard Aiken

From / at /.cn Mon May 2 20:12:49 2005
From: / at /.cn (Petzl)
Date: Mon May 2 05:16:31 2005
Subject: [SpamCop-List] Re: ISP censors outbound mail, nixing spam discussions
References:
Message-ID:

"Steven Maesslein" wrote in message news:slrnd7bp32.36p.nobody@127.0.0.1...
> On Mon, 2 May 2005 15:47:00 +1000, Petzl coughed into spamcop and left
> this in :
>
>> Right now a legacy email account from UU.net (ozemail) they are offering
>> spam and virus filtering without whitelist. The only mail I still get is
>> spam with legit mail disappearing
>
> Well, UUNet sees everything pink anyway, so the chances are that the
> filter is working as designed :)
>

As I have SpamCop retrieve the email it only ends up in the VER folder

UUnet have just made the legacy account less than worthless

I only wanted to keep it as I have a couple of pieces of software which sends notification of upgrades these no longer get past UUnet but spam does and it is in the area of 1000 spams a day plus

Before UUnet started filtering my SpamCop email account accurately filtered the UUnet spew to SpamCop's (Very Easy Reporting) VER folder which it still does but legit email disappears before it is even forwarded to SpamCop

Will now see if I can have these UUnet idiots turn off the forwarding

Just another example of what happens in accepting the compulsory email account with your provider is that they are mainly absolutely useless (I do not now ever accept them) The worse fact is they then never seem to learn for the better

The reason we have a problem with spam is because of Internet Providers and their inability to secure the e-mail address they dump you with or force you to have. If spam was effectively blocked spamming would have no point!

Even Hotmail offer a superior service to a vast many and is always good to have for first contact, as well as those "subscriptions" you have to sign up with. Hotmail (Microsoft) actively hunt down suing and jailing Spammers who attack their customers

Petzl

From bar_n0ne at hotmail.com Mon May 2 15:17:09 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Mon May 2 06:20:04 2005
Subject: [SpamCop-List] st0ck spams
Message-ID:

Given the length of time the same st0ck spams for the same crappy little companies, I am becoming doubtful that the companies themselves are not involved. Pump and Dumpers usually move in and out quickly, a few days, or a week or so.
The endless steady stream of crap for this stuff (like VOIP) is beginning to look more like either a massive joe job, (hard to believe) or an active promotion, undertaken on behalf of the principals.

Remember a Pump and dumper is not a long term investor, they're looking to flip their gains or shorts quickly. This crap comes in steadily for months at a time.

From nobody at nowhere.invalid Mon May 2 13:38:01 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Mon May 2 06:40:03 2005
Subject: [SpamCop-List] Re: ISP censors outbound mail, nixing spam discussions
References:
Message-ID:

On Mon, 2 May 2005 19:12:49 +1000, Petzl coughed into spamcop and left this in :

> UUnet have just made the legacy account less than worthless

Heh - your legacy account is not the only e-mail account UUNet has made useless. Far from it.

> Just another example of what happens in accepting the compulsory email
> account with your provider is that they are mainly absolutely useless (I do
> not now ever accept them) The worse fact is they then never seem to learn
> for the better

I agree. I don't even use the default account set up by my ISP since it's going to be essentially useless. I *do* have several domains of my own and my ISP allows me to run a mail server on my static IP address (for all their shortcomings they are rather pro-Linux at this ISP).

> The reason we have a problem with spam is because of Internet Providers and
> their inability to secure the e-mail address they dump you with or force you
> to have. If spam was effectively blocked spamming would have no point!

The fault lies further upstream of the ISP than that. Yes, it's one link in the chain that needs tightening up, but there's plenty to put right in the distribution chain too, such as ISPs allowing Windows machines (you'll notice I stopped using the term "zombified windows machines" a while back because of obvious redundancy) to spew unabated for months on end without pulling the plug on the luser.

Another problem is ISPs like MCI, SBC and most Chinese outfits that seem to have a single clause in their enforced AUP "You can spam as much as you like as long as the cheque clears"

> Even Hotmail offer a superior service to a vast many and is always good to
> have for first contact, as well as those "subscriptions" you have to sign up
> with. Hotmail (Microsoft) actively hunt down suing and jailing Spammers who
> attack their customers

I'd use a hotmail account if it was possible to get one without selling your soul by having to open a "Passport" account - whatever that is.

--
Steve
A group of cats is a "conceit". They'd like it to be called a "pride" but that would fool nobody. -- Morely Dotes in NANAE, 2-FEB-2004

From bar_n0ne at hotmail.com Mon May 2 16:22:36 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Mon May 2 07:25:04 2005
Subject: [SpamCop-List] Re: SBCGlobal) Software Factory solutions may be moving toXO/imedia
References:
Message-ID:

"nospam" wrote in message news:BE95B135.14B73%nobody@spamcop.net...
> latest turd for shopping spree/product testers/market research/free
> satellite TV/free whatever came from XO/Imedia today at 65.182.142.2
>
> spamvertizing still from MCI's stealthed server at 63.82.98.35
>
> Seems SBewGlobal may have gotten too expensive or didn't like the heat
>
> Lets see how many months they give this fscker free reign over there.
>
> It might end for me, XO was a famous listwasher if I remember right.
>

Now at PacBell, and the spamvertized sites have moved also to 69.67.72.10 which isn't nearly as well stealthed as the MCI site was. Also XO is a 3d party interested in the sources and the sites, so hopefully we'll see the end of this crap soon. At least Software Factory Solutions may be on the run.
Well Done CAT

From / at /.cn Mon May 2 22:49:21 2005
From: / at /.cn (Petzl)
Date: Mon May 2 07:50:02 2005
Subject: [SpamCop-List] Re: ISP censors outbound mail, nixing spam discussions
References:
Message-ID:

"Steven Maesslein" wrote in message news:slrnd7c0o9.3ti.nobody@127.0.0.1...
> On Mon, 2 May 2005 19:12:49 +1000, Petzl coughed into spamcop and left
> this in :
>
>> UUnet have just made the legacy account less than worthless
>
> Heh - your legacy account is not the only e-mail account UUNet has made
> useless. Far from it.

ever got a single spam until UUnet took over Ozemail?

>> Just another example of what happens in accepting the compulsory email
>> account with your provider is that they are mainly absolutely useless (I
>> do
>> not now ever accept them) The worse fact is they then never seem to learn
>> for the better
>
> I agree. I don't even use the default account set up by my ISP since
> it's going to be essentially useless. I *do* have several domains of my
> own and my ISP allows me to run a mail server on my static IP address
> (for all their shortcomings they are rather pro-Linux at this ISP).

In this case it is up to you to see that your IP remains clean

>> The reason we have a problem with spam is because of Internet Providers
>> and
>> their inability to secure the e-mail address they dump you with or force
>> you
>> to have. If spam was effectively blocked spamming would have no point!
>
> The fault lies further upstream of the ISP than that. Yes, it's one link
> in the chain that needs tightening up, but there's plenty to put right
> in the distribution chain too, such as ISPs allowing Windows machines
> (you'll notice I stopped using the term "zombified windows machines" a
> while back because of obvious redundancy) to spew unabated for months on
> end without pulling the plug on the luser.
>
> Another problem is ISPs like MCI, SBC and most Chinese outfits that seem
> to have a single clause in their enforced AUP "You can spam as much as
> you like as long as the cheque clears"

But if ISP's gave the option to block China in its entirety allowing only whitelisted email through spamming becomes pointless

The chinese, Korea, South America are all countries SpamCop allows blocking in this manner. It is also easily done

Again the reason there are spammers is because providers are not interested enough to effectively stop it. They only want your cheque to clear and milk you like a cash cow

>> Even Hotmail offer a superior service to a vast many and is always good
>> to
>> have for first contact, as well as those "subscriptions" you have to sign
>> up
>> with. Hotmail (Microsoft) actively hunt down suing and jailing Spammers
>> who
>> attack their customers
>
> I'd use a hotmail account if it was possible to get one without selling
> your soul by having to open a "Passport" account - whatever that is.
>

I think HotMail have discontinued trying this? It was meant to evolve into a PayPal type of thingy but seems to have failed

From nobody at nowhere.invalid Mon May 2 15:49:25 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Mon May 2 08:50:04 2005
Subject: [SpamCop-List] Re: ISP censors outbound mail, nixing spam discussions
References:
Message-ID:

On Mon, 2 May 2005 21:49:21 +1000, Petzl coughed into spamcop and left this in :

> ever got a single spam until UUnet took over Ozemail?

I'd never heard of Ozemail until this thread. I was emphasizing UUNet's role in e-mail abuse, that's all.

>> I agree. I don't even use the default account set up by my ISP since
>> it's going to be essentially useless. I *do* have several domains of my
>> own and my ISP allows me to run a mail server on my static IP address
>> (for all their shortcomings they are rather pro-Linux at this ISP).
>
> In this case it is up to you to see that your IP remains clean

Agreed.
And it will stay clean unless I expose some out-of-date daemon with known vulnerabilities to the 'Net. Who knows, it might happen one day, but it won't happen within 15 seconds of connecting the machine to the 'Net, that's for sure. Touch wood - so far it's been connected since September 2001 with no compromise.

> But if ISP's gave the option to block China in its entirety allowing only
> whitelisted email through spamming becomes pointless The chinese, Korea, South
> America are all countries SpamCop allows blocking in this manner. It is also
> easily done

The ISP's would also be sued left, right and centre by klooless lusers not aware of what they're doing when they check the "block" box.

>> I'd use a hotmail account if it was possible to get one without selling
>> your soul by having to open a "Passport" account - whatever that is.
>
> I think HotMail have discontinued trying this? It was meant to evolve into a
> PayPal type of thingy but seems to have failed

Quoting from the hotmail signup page (which happens to be hosted on the registernet.passport.net domain):

"Complete this form to register for a Hotmail account, which is also a Microsoft .NET Passport. The Hotmail e-mail address and password you create are your .NET Passport credentials. You'll need them to access your Hotmail account and to sign in where you see the .NET Passport sign-in button: [button]"

Blech...

--
Steve
Give a man a fish and he will eat for a day. Teach him how to fish, and he will sit in a boat and drink beer all day.

From f.yaskin at worldnet.att.net Mon May 2 10:05:42 2005
From: f.yaskin at worldnet.att.net (FY)
Date: Mon May 2 09:10:04 2005
Subject: [SpamCop-List] Re: Error-why?
References:
Message-ID:

Thanks a lot for the lecture Mike. You could have saved yourself a lot of time and still made your point, by skipping the re-iteration, and most of the lecture, but I know you are trying to be helpful, and mindful of, uh, tradition.

Having used Spamcop for at least a couple years, and ,000's of spams, and thru several mailreaders successfully, let's assume for a moment that the sender malformed the from line. I am disappointed that Spamcop chokes on what garden variety readers can successfully decode. But thanks, really.

While I have your attention, any suggestions on getting the ones with the line breaks in the body url to decode without manually removing the breaks and spaces?

fy

"Mike Easter" wrote in message news:d53e14$mfd$1@news.spamcop.net...
> FY wrote:
> > Here is the error:
> > error: couldn't parse head
> > Message body parser requires full, accurate copy of message
> > More information on this error..
> > no links found
>
> Even when the parser doesn't work, the general result is that it will
> provide you with a tracking url. That tracker is a reflection of what
> you fed the parser and is useful for troubleshooting this.
>
> You should *NOT* be posting what you did here for several important
> reasons.
>
> - posting spam anywhere other than the ng spamcop.spam is against some
> 'rule' or tradition for a variety of reasons
> - it doesn't help for you to post the spam item here. I can take it
> and get the parser to parse it and then what does that prove?
> - here's a tracker which has parsed my rendition of what I made out of
> what you posted here
> http://www.spamcop.net/sc?id=z758744423z1fa6a7fc57989ff5a1873ee18c66b835z
>
> Maybe my version of your spam works because I structured it so that it
> would work. When you post something into a newsmessage, it gets 'bent'
> and isn't the same as the original. The closest you can come to showing
> us the original easily is to put it into the parser properly and post
> the tracker for the result in here.
>
> The next closest you can come would be to save the item as an .eml from
> OE and then attach that file to a message in spamcop.spam.
> > Notice that if you examine my tracker's 'View entire message' - you see > that the Received traceline is not folded improperly, which it was here, > perhaps by your newsreader, perhaps not; and that there is a proper > empty line between the Content-Type boundary information and the first > boundary marker, which was not present in what you posted here -- > perhaps caused by your newsreader, perhaps not. > > So, to re-iterate... do *NOT* post spam in here. Only trackers. > > -- > Mike Easter > kibitzer, not SC admin > From f.yaskin at worldnet.att.net Mon May 2 10:11:42 2005 From: f.yaskin at worldnet.att.net (FY) Date: Mon May 2 09:15:03 2005 Subject: [SpamCop-List] Re: Error-why?(revised) References: Message-ID: "Mike Easter" wrote in message news:d53e14$mfd$1@news.spamcop.net... > FY wrote: > > Here is the error: > > error: couldn't parse head > > Message body parser requires full, accurate copy of message > > More information on this error.. > > no links found > > Even when the parser doesn't work, the general result is that it will > provide you with a tracking url. That tracker is a reflection of what > you fed the parser and is useful for troubleshooting this. > > You should *NOT* be posting what you did here for several important > reasons. > > - posting spam anywhere other than the ng spamcop.spam is against some > 'rule' or tradition for a variety of reasons > - it doesn't help for you to post the spam item here. I can take it > and get the parser to parse it and then what does that prove? > - here's a tracker which has parsed my rendition of what I made out of > what you posted here > http://www.spamcop.net/sc?id=z758744423z1fa6a7fc57989ff5a1873ee18c66b835z > > Maybe my version of your spam works because I structured it so that it > would work. When you post something into a newsmessage, it gets 'bent' > and isn't the same as the original. 
> The closest you can come to showing
> us the original easily is to put it into the parser properly and post
> the tracker for the result in here.
>
> The next closest you can come would be to save the item as an .eml from
> OE and then attach that file to a message in spamcop.spam.
>
> Notice that if you examine my tracker's 'View entire message' - you see
> that the Received traceline is not folded improperly, which it was here,
> perhaps by your newsreader, perhaps not; and that there is a proper
> empty line between the Content-Type boundary information and the first
> boundary marker, which was not present in what you posted here --
> perhaps caused by your newsreader, perhaps not.
>
> So, to re-iterate... do *NOT* post spam in here. Only trackers.
>
> --
> Mike Easter
> kibitzer, not SC admin
>

Thanks a lot for the lecture Mike. You could have saved yourself a lot of time and still made your point, by skipping the re-iteration, and most of the lecture, but I know you are trying to be helpful, and mindful of, uh, tradition.

Having used Spamcop for at least a couple years, and ,000's of spams, and thru several mailreaders successfully, let's assume for a moment that the sender malformed the from line. I am (mildly)disappointed that Spamcop chokes on what garden variety readers can successfully decode. But thanks, really.

fy

From MikeE at ster.invalid Mon May 2 09:07:44 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Mon May 2 11:10:33 2005
Subject: [SpamCop-List] Re: Error-why?(revised)
References:
Message-ID:

FY wrote:
> "Mike Easter"
>> FY wrote:

>>> error: couldn't parse head

>> - here's a tracker which has parsed my rendition of what I made
>> out of what you posted here
www.spamcop.net/sc?id=z758744423z1fa6a7fc57989ff5a1873ee18c66b835z

>> see that the Received traceline is not folded improperly, which it

>> is a proper empty line between the Content-Type boundary information

> Thanks a lot for the lecture Mike.
Yabbut, you never did properly communicate what was wrong in the first place -- after you had a chance to see what 'my' spam looks like in the tracker and you became familiar with whatever was wrong with yours.

> that the sender malformed the from line. I am (mildly)disappointed
> that Spamcop chokes on what garden variety readers can successfully decode.

The reason you are supposed to not fix what causes the choke is based on this principle

http://www.spamcop.net/fom-serve/cache/283.html -- Material changes to spam --"SpamCop does what it does and doesn't do for a reason. Do not make any material changes to spam before submitting or parsing which may cause SpamCop to find a link, address or URL it normally would not, by design, find. "

When I make/forge changes to a spam in order to accomplish a parse for an item which I subsequently cancel, it is *only* for purposes of demonstration -- to enable discussion of what was wrong that caused the parse to fail.

In this instance, we still haven't gotten to the part about what was wrong because no one here but you has seen the original item which wouldn't parse unbent yet.

--
Mike Easter
kibitzer, not SC admin

From eddie at eddie.web Mon May 2 13:02:39 2005
From: eddie at eddie.web (eddie)
Date: Mon May 2 12:05:07 2005
Subject: [SpamCop-List] Re: st0ck spams
References:
Message-ID:

On Mon, 02 May 2005 14:17:09 +0400, Berny scratched out the following:

> Given the length of time the same st0ck spams for the same crappy little
> companies, I am becoming doubtful that the companies themselves are not
> involved. Pump and Dumpers usually move in and out quickly, a few days, or
> a week or so. The endless steady stream of crap for this stuff (like VOIP)
> is beginning to look more like either a massive joe job, (hard to believe)
> or an active promotion, undertaken on behalf of the principals.
>
> Remember a Pump and dumper is not a long term investor, they're looking to
> flip their gains or shorts quickly.
> This crap comes in steadily for months
> at a time.

I think that sometimes the stock companies are behind it, or at least they know about it and give it their tacit approval. Certainly there are trading companies involved, as well as individuals.

Be sure to copy the SEC on all P&D scam reports, as well as the FTC.

--
Once movie theaters gave out steak knives
Today they confiscate them

From f.yaskin at worldnet.att.net Mon May 2 13:28:35 2005
From: f.yaskin at worldnet.att.net (FY)
Date: Mon May 2 12:30:02 2005
Subject: [SpamCop-List] Re: Error-why?(revised)
References:
Message-ID:

"Mike Easter" wrote in message news:d55fkd$2u9$1@news.spamcop.net...
> FY wrote:
> > "Mike Easter"
> >> FY wrote:
>
> >>> error: couldn't parse head
>
> >> - here's a tracker which has parsed my rendition of what I made
> >> out of what you posted here
>
> www.spamcop.net/sc?id=z758744423z1fa6a7fc57989ff5a1873ee18c66b835z
>
> > Thanks a lot for the lecture Mike.
>
> Yabbut, you never did properly communicate what was wrong in the first
> place -- after you had a chance to see what 'my' spam looks like in the
> tracker and you became familiar with whatever was wrong with yours.
>>
> When I make/forge changes to a spam in order to accomplish a parse for
> an item which I subsequently cancel, it is *only* for purposes of
> demonstration -- to enable discussion of what was wrong that caused the
> parse to fail.
>
> In this instance, we still haven't gotten to the part about what was
> wrong because no one here but you has seen the original item which
> wouldn't parse unbent yet.

OK, now I am confused.[pardon the Yoda].. Is not the spam in my original post, with full headers, which I was (my bad)NOT supposed to post, "the original item which wouldn't parse unbent yet.", other than the copy and paste?

Is not the SC error message posted above it communicating what was wrong?
If you mean what is wrong in my reader(s), as far as I know, nothing..I followed the procedures for copying spam unmolested.

Frank

From MikeE at ster.invalid Mon May 2 13:50:23 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Mon May 2 15:50:02 2005
Subject: [SpamCop-List] Re: Error-why?(revised)
References:
Message-ID:

FY wrote:

> Is not the spam in my original post, with full headers, which I was
> (my bad)NOT supposed to post, "the original item which wouldn't parse
> unbent yet.", other than the copy and paste?

No. When you posted a newsagent bent spam here, you failed to demonstrate properly what kind of spam misconstruction it was that the parser failed to parse because the bent condition of a spam you posted here leaves too much guesswork as to what was the condition of the original, as you received it, and as it was stored by OE in the Message source section.

Since /we/ can't access /your/ OE's message source of that original item, the best thing for you to do would be to properly submit it to the parser and then to paste the parser's tracker in here....

... unless for some strange reason the parser fails to give a tracker, in which case some generally not well accepted system would have to be used, such as attaching the isolated and saved OE .eml file to a message in spamcop.spam.

The reason I say 'not well accepted' is because not all mailuser agents are going to perform in exactly the same way to provide some kind of .eml or .txt file to attach. And, the attaching business so far has only been an experimental technique used to investigate the solving of problems which pasting of spams into the body of newsgroup messages causes.

> Is not the SC error message posted above it communicating what was
> wrong?

Not sufficiently precisely. That SC message is the same message for a variety of conditions of spam which fail to parse.

> If you mean what is wrong in my reader(s), as far as I know,
> nothing..I followed the procedures for copying spam unmolested.
The problem isn't the /copying/ of the spam. The spam copies just fine. The copied spam also gets submitted to the parser just fine unless the submitter makes some kind of mistake.

The problem with what you posted here is what happens to an item after you paste it into the body of your newsmessage. When your OE newsagent sends the news message, it 'messes with it' and bends it and causes various 'unknown' things including the introduction of linewraps to happen to it which were not present in the original -- all of that depending upon how it is configured -- which we don't even want to know because 'we' - namely me - don't want you to show us your spam by pasting it into a news message. Especially not here; but also it would get just as bent even if you had pasted it into spamcop.spam. It is better to not bend it at all to show it to us.

So, 'showing' the spam by pasting it into any newsgroup is no good. The way to show the spam is to paste it into the parser and copy the tracker and paste the tracker in here.

--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Mon May 2 18:14:10 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Mon May 2 18:15:46 2005
Subject: [SpamCop-List] Re: ISP censors outbound mail, nixing spam discussions
References:
Message-ID:

"Steven Maesslein" wrote in message news:slrnd7c8el.4k7.nobody@127.0.0.1...
>
> >> I'd use a hotmail account if it was possible to get one without selling
> >> your soul by having to open a "Passport" account - whatever that is.
> >
> > I think HotMail have discontinued trying this? It was meant to evolve into a
> > PayPal type of thingy but seems to have failed
>
> Quoting from the hotmail signup page (which happens to be hosted on the
> registernet.passport.net domain):
>
> "Complete this form to register for a Hotmail account, which is also a
> Microsoft .NET Passport.
>
> The Hotmail e-mail address and password you create are your .NET
> Passport credentials.
> You'll need them to access your Hotmail account
> and to sign in where you see the .NET Passport sign-in button: [button]"

Technically, signing up and creating a HotMail address automatically puts you into the PassPort 'database' (actually used when trying to login to the HotMail system) ... The intent of this is basically a 'common' account data set, where if you go to another 'location' that is set up to recognize/use the PassPort database, you can log into that site with the existing HotMail account data ... I have no idea what third-party outfits jumped into this, but the PassPort system is used throughout the Microsoft 'empire' ... the various product support groups, development sections, etc ....

You can actually "register" a non-HotMail e-mail address with the PassPort system if you'd actually want to ,,,

From nobody at devnull.spamcop.net Mon May 2 18:18:47 2005
From: nobody at devnull.spamcop.net (Cat)
Date: Mon May 2 18:25:03 2005
Subject: [SpamCop-List] Re: SBCGlobal) Software Factory solutions may be moving toXO/imedia
In-Reply-To:
References:
Message-ID:

Berny wrote:
> "nospam" wrote in message
> news:BE95B135.14B73%nobody@spamcop.net...
>
>>latest turd for shopping spree/product testers/market research/free
>>satellite TV/free whatever came from XO/Imedia today at 65.182.142.2
>>
>>spamvertizing still from MCI's stealthed server at 63.82.98.35
>>
>>Seems SBewGlobal may have gotten too expensive or didn't like the heat
>>
>>Let's see how many months they give this fscker free reign over there.
>>
>>It might end for me, XO was a famous listwasher if I remember right.
>>
>
>
> Now at PacBell, and the spamvertized sites have moved also to 69.67.72.10
> which isn't nearly as well stealthed as the MCI site was. Also XO is a 3d
> party interested in the sources and the sites, so hopefully we'll see the
> end of this crap soon. At least Software Factory Solutions may be on the
> run.
>
> Well Done CAT

Thanks!
=)

I did finally reach a human at SBC, someone named Dawn S. Her reply was something to the effect of "we do investigate and take action against spammers" followed by something along the lines of "your yahoo account has a bulk folder so you can just let your spam go there, and you never have to report any of it."

Apparently, she mistakenly thinks that I'm gullible enough to believe that just letting it hit the bulk folder will actually send reports to the ISP, or she's just trying to brush it off with a "just hit delete" claim in hopes that she won't have to deal with SBC's irate spam victims. Her comment about just letting it go to the bulk folder and leaving it alone sounded very much like she just didn't want to hear about spamming customers, as if she's just trying to sweep it under the rug to forget about them.

I replied back to her letting her know that I wasn't the average computer illiterate person who would actually believe her claims and that I knew that leaving spam alone in the bulk folder wouldn't actually get the spam reported to the ISP.

After three more SBC spams copied to Dawn S, the SBC spew stopped, and I've started getting the same spam through XO now.

From noah.boddie at newsgroup.nospam Mon May 2 19:39:02 2005
From: noah.boddie at newsgroup.nospam (Dwayne Conyers)
Date: Mon May 2 18:40:04 2005
Subject: [SpamCop-List] The Spamityville Horror...
Message-ID:

Recently noticed some of the web-based BBS' that I read are rapidly being filled with spam -- faster than the moderators can keep up with. This is the "Hey, here's how you can make a million dollars with a shoestring, a bottle cap and a spoonful of faeces" type of spam that only a mental derelict would fall for.

Even worse, a private news server that my company hosts for members of the entertainment industry has been hit multiple times by a spammer who posts in Portuguese.

Why Portuguese?
Are these people really making enough money with their scheiss to persist this way, or izzit a sign of desperation?

Is there actually that much profit in idiotic get-rich-quick schemes?

Just blowing off some steam...

--
I Shave With Occams Razor
http://www.dwacon.com

From nospam at dev.null Tue May 3 02:52:45 2005
From: nospam at dev.null (Anty Spam)
Date: Mon May 2 19:50:10 2005
Subject: [SpamCop-List] Re: Internic/Gandi registration problems take rediculously long to resolve
References:
Message-ID:

"Berny" wrote in message news:d52624$41c$1@news.spamcop.net...
> for example: domain still misregistered complaint sent March 15 received
> below today.
> ..SNIP ...
>
> domain: WHATSHOULD.COM
> owner-address: daniel lessi
> owner-address: 133 sjsj ed
> owner-address: 90210
> owner-address: edghsuj
> owner-address: California
> owner-address: United States of America
> owner-phone: +1.8434243587
> owner-e-mail: dl1217@gmail.com
> admin-c: DL1021-GANDI
> tech-c: AR41-GANDI
> bill-c: DL1021-GANDI
> nserver: ns3.mail18.biz
> nserver: ns1.xzdns.biz
> nserver: ns2.best-gifts.biz
> nserver: ns4.mail18.biz
> reg_created: 2005-03-12 04:42:31
> expires: 2006-03-12 04:42:31
> created: 2005-03-12 10:42:32
> changed: 2005-03-14 03:55:15
>

No, not mis-registered. Gandi has been doing sweet blow all about it - not unusual.

The report was sent to them, after a time delay, an automated process kicked in from ICANN that sent you the report to verify IF the correction has been made. You will notice that upon clicking on the link, you can add additional details here. These negative follow ups are registered, however as to what is done is an open question. Maybe next year ICANN, upon reviewing the results, might decide to take the matter up with Gandi in the next conference in ...???? 2007??? and ????try???? to resolve.

Frustrating.

You may try: http://rip.gandi.net/index-en.html , but I can guarantee you it will take at least 15 days.
Despite - sorry to do this to you - http://www.icann.org/announcements/advisory-03apr03.htm :-(

However, "IF" you feel like trying to get into a mail argument with the whois chap at Gandi - support-en@support.gandi.net

However, under similar circumstance I got:

"Please use our interface for one or several domains, and take care to argue about false data (which data are false, why). Then come back to me and tell me the complaints links, I will see if I can speed the 15 days delay manually."

I tried - and waited 15 days....

Cheers
E

From f.yaskin at worldnet.att.net Mon May 2 21:07:19 2005
From: f.yaskin at worldnet.att.net (FY)
Date: Mon May 2 20:10:08 2005
Subject: [SpamCop-List] Re: Error-why? with tracking URL
References:
Message-ID:

OK, Mike, I got another with the same format and error from SC.

Here is the tracking url.

This was submitted from ATT Webmail:
http://www.spamcop.net/sc?id=z759118320z438d92754b29196f81b0f423102d8913z

And this was submitted from OE
http://www.spamcop.net/sc?id=z759119449zce492efb03dbde10301b13e28bb8a9dfz
Skip to Reports

So what's up?

"Mike Easter" wrote in message news:d5606b$bmj$1@news.spamcop.net...
> FY wrote:
> Follow thread above if you are interested

From f.yaskin at worldnet.att.net Mon May 2 21:13:50 2005
From: f.yaskin at worldnet.att.net (FY)
Date: Mon May 2 20:15:04 2005
Subject: [SpamCop-List] Re: Link Resolving Failures
References:
Message-ID:

"A.J." wrote in message news:d4udmn$a4u$1@news.spamcop.net...
> "A.J." wrote in message
> :
> > I've received several spams over the past week or so with hyperlinks like
> > this:
> >
> >
> >
> SRC="cid:weovwgph_coafueav_ooeazvze" border="0" ALT="">
> >
> > (From
> > )
> > The line breaks in the URL (but not the extraneous or
> SRC=> tags) are copied verbatim from the original.
> >
> > SpamCop adds a second "http://" to the beginning of this mess when
> > attempting to straighten it out, resulting in:
> >
> > ===
> > Resolving link obfuscation
> > http://http://foztetdpbqm.com&omifjg4c5k1h6ujift4%2eiliacgnkln%2ecom/
> > Percent unescape:
> > http://http://foztetdpbqm.com&omifjg4c5k1h6ujift4.iliacgnkln.com/
> > host http (getting name) no name
> > http is not a hostname
> > http is not a hostname
> > ===
> >
> > Manually removing the extra line breaks still leaves SpamCop with a problem:
> >
> > ===
> > Resolving link obfuscation
> > http://foztetdpbqm.com&omifjg4c5k1h6ujift4%2eiliacgnkln%2ecom/
> > Percent unescape:
> > http://foztetdpbqm.com&omifjg4c5k1h6ujift4.iliacgnkln.com/
> > host foztetdpbqm.com (checking ip) ip not found ; foztetdpbqm.com
> > discarded as fake.
> > host foztetdpbqm.com (checking ip) ip not found ; foztetdpbqm.com
> > discarded as fake.
> >
> > Tracking link: http://foztetdpbqm.com&omifjg4c5k1h6ujift4.iliacgnkln.com/
> > [report history]
> > Resolves to 82.114.48.67
> > Routing details for 82.114.48.67
> > [refresh/show] Cached whois for 82.114.48.67 : abuse@tautel.ru
> > Using abuse net on abuse@tautel.ru
> > abuse net tautel.ru = abuse@tautel.ru, postmaster@tautel.ru
> > Using best contacts abuse@tautel.ru postmaster@tautel.ru
> > ===
> >
> > SC interprets the TLD as ending at the "&" following the first ".com"
> > (foztetdpbqm.com), rather than at the next "/" as it should (iliacgnkln.com
> > - the real domain), causing it to interpret the URL as fake. The tracker
> > appears to function correctly; however, using other tools I come up with a
> > different IP address: 218.7.112.241
>
> I noticed today that both of the above issues seem to have been fixed.
>
> WTG SC team!

Or apparently not. See below, same obfuscation. Same failure.
http://www.spamcop.net/sc?id=z759120944z15b5d414a9477214bcf929963c922640z

From MikeE at ster.invalid Mon May 2 18:45:59 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Mon May 2 20:45:03 2005
Subject: [SpamCop-List] Re: Error-why? with tracking URL
References:
Message-ID:

FY wrote:
> OK, Mike, I got another with the same format and error from SC.
>
> Here is the tracking url.

Good job ;-)

> This was submitted from ATT Webmail:
www.spamcop.net/sc?id=z759118320z438d92754b29196f81b0f423102d8913z
>
> And this was submitted from OE
www.spamcop.net/sc?id=z759119449zce492efb03dbde10301b13e28bb8a9dfz
> Skip to Reports
>
>
> So what's up?

They both show the same condition of a part of what is supposed to be in the body 'squished up' into the header - I also addressed that in the bent one posted here earlier. The bent one also appeared to show a Received traceline folding problem, but these 'true' renditions of the original don't show that -- so I'll assume that the earlier bent one folding problem was an artifact of the posting -- which is what I was 'harping' about.

A very important 'requirement' of headers is the format in which there is a fieldname which is a single continuous 'word' without any spaces followed by a colon and a space followed by the field's elements or contents. There can be /properly/ folded lines to allow the field's elements to encompass more than one line, but there can't be anything 'organized' like a fieldname which isn't.

So, if you look at the headerlines of your tracker items, as you get to the bottom of the header, you see that the fieldname condition is 'screwed up' by there being an item which isn't a proper fieldname, namely appearance of a boundary delimiter which belongs in the first part of the body 'squished up' into the header.

There needs to be an empty space between the last proper headerline which is properly constructed with a fieldname and the first line of the body, which in this case is a boundary delimiter.
That's a lot of words to say what this tracker will show:

http://www.spamcop.net/sc?id=z759126058zf2428d7891188485a64b3e4fd44854afz

That header shows a proper header in which all of the fieldnames are properly constructed, and then the last fieldname is Content-Type: and then follows a properly folded content for the fieldname, including that it is distributed on 2 lines appropriately, as is the Received: line further up distributed on 3 lines with leading whitespace.

Then follows an empty line. This is the structural element which was missing before. That empty line separates the headers from the elements of the body. The first element of the body is the boundary delimiter which was defined in what was the last part of the header in this case, namely the Content-Type -- which defined the boundary delimiter.

That first boundary delimiter is known as the 'prologue' or prolog. The boundary delimiter is followed by a description of what is contained in that boundaried section, which in this case is plaintext. After all of the plaintext comes the last delimiter, in this case -- in some other cases some other kind of delimited section could follow. Here, the last delimiter which is structured appropriately, ends the message body.

SpamCop uses all of that 'stuff' to find things. It pays attention to boundary delimiters and content type descriptors and all that jazz -- so when the stuff is misconstructed, it causes problems in the interpretation.

--
Mike Easter
kibitzer, not SC admin

From onyx0 at gamebox.net Tue May 3 04:25:44 2005
From: onyx0 at gamebox.net (Onyx)
Date: Mon May 2 21:25:23 2005
Subject: [SpamCop-List] Failed delivery nightmare
Message-ID:

Ok, I just received cca 100 messages notifying me of failed delivery of emails I didn't send and they keep coming, woo hoo. Apparently, spammer vermin used email on my domain as a return address for their spam.

Two questions:
1. What would be the best way to deal with this?
2. Could this possibly get my domain listed on anti-spam lists?

Thank you.

From zypher at spamcop.net Mon May 2 21:36:47 2005
From: zypher at spamcop.net (Ron B.)
Date: Mon May 2 21:40:04 2005
Subject: [SpamCop-List] AOL Filters Block Emergency Weather E-Mails
Message-ID:

AOL Filters Block Emergency Weather E-Mails

POSTED: 3:25 pm CDT May 2, 2005

VERO BEACH, Fla. -- Efforts by one Florida county to put out weather alerts by e-mail have hit a high-tech roadblock: AOL is tagging the messages as spam.

The problem dates back to last year's unusually busy hurricane season when Indian River County was hit by two major storms -- Frances and Jeanne.

Some 4,200 people signed up for the county's e-mail alert service, which offers quick alerts on hurricanes, tornadoes and other weather emergencies.

But a county computer software engineer says because e-mail is sent out in large numbers, "it becomes a pattern for spam senders."

The county is working with AOL to fix the problem.

In the meantime, AOL users are being told to put the county's e-mail account in their computer's address book so their computers know to accept the messages.

Copyright 2005 by The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.

From f.yaskin at worldnet.att.net Mon May 2 22:47:52 2005
From: f.yaskin at worldnet.att.net (FY)
Date: Mon May 2 21:50:14 2005
Subject: [SpamCop-List] Re: Error-why? Last question
References:
Message-ID:

"Mike Easter" wrote in message news:d56hgh$l0j$1@news.spamcop.net...
> FY wrote:
> > OK, Mike, I got another with the same format and error from SC.
> >
> > Here is the tracking url.
>
> Good job ;-)
>
> > This was submitted from ATT Webmail:
> www.spamcop.net/sc?id=z759118320z438d92754b29196f81b0f423102d8913z
> >
> > And this was submitted from OE
> www.spamcop.net/sc?id=z759119449zce492efb03dbde10301b13e28bb8a9dfz
> > Skip to Reports
> >
> >
> > So what's up?
>
> They both show the same condition of a part of what is supposed to be in
> the body 'squished up' into the header - I also addressed that in the
> bent one posted here earlier. The bent one also appeared to show a
> Received traceline folding problem, but these 'true' renditions of the
> original don't show that -- so I'll assume that the earlier bent one
> folding problem was an artifact of the posting -- which is what I was
> 'harping' about.
> SpamCop uses all of that 'stuff' to find things. It pays attention to
> boundary delimiters and content type descriptors and all that jazz -- so
> when the stuff is misconstructed, it causes problems in the
> interpretation.

OK, got that. Thanks. So, from the lack of interest on SC's part, in reconstituting/decoding formatting that mailreaders seem to have no problem with, I draw the conclusion that SC is much more interested in the SOURCE ISPs of the spam, rather than the morons behind the spamvertised web sites? (Hoping I'm wrong , but hey...Truth and Soul!)

Frank

From MikeE at ster.invalid Mon May 2 20:38:30 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Mon May 2 22:40:21 2005
Subject: [SpamCop-List] Re: Error-why? Last question
References:
Message-ID:

FY wrote:

> OK, got that. Thanks.So, from the lack of interest on SC's part, in
> reconstituting/decoding formatting that mailreaders seem to have no
> problem with, I draw the conclusion that SC is much more interested
> in the SOURCE ISPs of the spam, rather than the morons behind the
> spamvertised web sites? (Hoping I'm wrong , but hey...Truth and Soul!)

However important anyone may think that disrupting the relationships between the spamsites and their providers may be, realize that the various spamfighting tools are designed for specific purposes. If you start trying to drive a nail with a screwdriver, you're going to find that it doesn't work as well as a hammer -- likewise some other tool related examples.
In the case of spamcop, its parser is designed to determine spamsources *primarily* [IMO] and secondarily do things like feed possible relays to the relay testers for 'handling' like testing/listing and to notify providers for spamsources and spamvertisers.

But, while it /notifies/ providers for source and spamvertiser, the notification business is totally toothless except for the toothiness of the provider -- that is, the result of a notify of a whitehat vs grayhat vs blackhat vs pinkhat provider has a very wide range of outcomes -- some of which are better for the spammer/spammersupport than the spammee/notifier.

OTOH -- besides a parser/notifier, SC is something else. SC is maintainer of the SCbl, the blocklist of spamsources; which for various reasons has turned out to be a very powerful blocklist. Powerful because it is popular. Popular because it is unique in its mechanism of listing and delisting compared to the many other db/s.

So, the SCbl is nothing to be sneezed at. It is a blocklist to be respected. But, the SCbl is simply a blocklist of spamsources. SC doesn't make any kind of list of spamvertisers of similar import.

The only thing that SC does with its spamvertisers is to put them on a page. It happens that from that page, a different blocklisting service, sc-surbl 'scrapes' the SC scraped spamvertisers and makes its own list from that. The sc-surbl is *not* a powerful list like the SCbl; but it /is/ a list. There are a lot of lists.

So, what all of that comes down to is that the business which SC performs of finding the spamvertisers in the body isn't as important as the business of SC finding the spamsource -- because the spamsource determination feeds the SCbl, whereas the spamvertiser discoveries tends to notify blackhat providers of things about spamcop reporters and doesn't feed anything very potent at all.
If you want to get into taking action against the business of spamsupport, which is what spamvertiser providers are doing, then you will have to appreciate blocklists which put leverage against them, such as spews and to a lesser extent spamhaus.

What spews does is spews business. What SC does is SC's business. The two lists are very very different and SC's doesn't do anything about spamvertisers or spam support.

--
Mike Easter
kibitzer, not SC admin

From wb8tyw at qsl.network Mon May 2 23:46:20 2005
From: wb8tyw at qsl.network (John E. Malmberg)
Date: Mon May 2 22:50:02 2005
Subject: [SpamCop-List] Re: The Spamityville Horror...
In-Reply-To:
References:
Message-ID:

Dwayne Conyers wrote:
> Recently noticed some of the web-based BBS' that I read are rapidly
> being filled with spam -- faster than the moderators can keep up with.

I would recommend not allowing postings from anything that is known to be an open proxy.

Unfortunately the xbl.spamhaus.org can not be used as a gate for it as it now contains the NJABL dynablock zone which should block most legitimate posters.

And if that does not lower the noise level, start blocking postings from netblocks where spam postings have been received from and post a message that such postings are blocked until their ISP stops all the network abuse.

>
> Why Portuguese?

Apparently the spammers that use other languages have not found it yet.

> Are these people really making enough money with their scheiss to
> persist this way, or izzit a sign of desperation?

Only the ones selling the get rich quick schemes. The ones spamming have usually spent their last cash on buying the spamming kit, and never make back anything close to their initial investment.

> Is there actually that much profit in idiotic get-rich-quick schemes?

Apparently there is in selling the spamming kits, and every time some media article profiles the riches of the "spam kings" there is a rise in the number of suckers that sign up.
Posting a note on the web site that BBS posters must read before posting indicating that the people posting spam are victims of scam artists, and that no one other than the people selling the scam to these victims have ever made any money at it may also help; in your Portuguese case, see if you can get that accurately translated. From postings here and elsewhere, it appears that the people selling the scams are blaming the various anti-spam organizations for the reason that none of their suckers are making any money. A good scam artist can get some pretty expensive property on a seller financing with only a minimal down payment, and it can take over a decade to evict them for non-payment. It is possible to create quite an illusion of wealth that way. -John wb8tyw@qsl.network Personal Opinion Only From spamtrap at mrsmith.com Mon May 2 23:50:25 2005 From: spamtrap at mrsmith.com (Mr. Smith) Date: Mon May 2 22:55:02 2005 Subject: [SpamCop-List] Re: stupid spam of the week References: Message-ID: "Danny Goodman" wrote in message news:mailman.146.1114894446.4572.spamcop-list@news.spamcop.net... >>> You could at least omit the link or make it unclickable. > >> why? What bad happens when you click on it? > > Some spammers get paid on click-throughs. Any publicly available link to a > spamvertised site encourages curious folks to click, perhaps putting coin > into the spammer's pocket. > > Just another one of the insidious, indirect ways that keeps the spam > economy > going while one thinks he or she is doing nothing to contribute. Well, I kind of can see that. But in the larger scheme of things, if one spammer is simply giving another spammer money, but neither you nor I are actually buying anything -- that basically defeats the economic model. But this is all a stretch anyway. Let's be real for a second -- posting a spam link in an anti-spam newsgroup ain't going to do anything. It ain't going support no spammer.
And it certainly ain't not isn't going qualify as "free advertising". I think we all know that -- this is just shop talk. And I don't see any reason not to post a simple link. I may be naive, but if I post such a link --- I trust you guys to do the right thing. -Marc From MikeE at ster.invalid Mon May 2 20:58:08 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon May 2 23:00:04 2005 Subject: [SpamCop-List] Re: The Spamityville Horror... References: Message-ID: John E. Malmberg wrote: > Unfortunately the xbl.spamhaus.org can not be used as a gate for it as > it now contains the NJABL dynablock zone which should block most > legitimate posters. No. xbl is composed of cbl, blitzed opm and most recently one subset of njabl, just the open proxy subset, the 127.0.0.9. It does not include the other njabl returns, .2 open relays, .3 dynamics, .4 spamsources, .5 multistage relays, or .8 script sources. That is my understanding based on the words at spamhaus which say "the NJABL open proxy IPs list from www.njabl.org" I do not have any specific confirmation of that opinion of mine from anyone else. I posted it in a discussion in alt.spam and no one rebutted it there. -- Mike Easter kibitzer, not SC admin From wb8tyw at qsl.network Tue May 3 00:13:09 2005 From: wb8tyw at qsl.network (John E. Malmberg) Date: Mon May 2 23:15:03 2005 Subject: [SpamCop-List] Re: Failed delivery nightmare In-Reply-To: References: Message-ID: Onyx wrote: > Ok, I just recieved cca 100 messages notifying me of failed delivery of > emails I didn't send and they keep coming, woo hoo. Apparently, spammer > vermin used email on my domain as a return address for their spam. > > Two questions: > 1. What would be the best way to deal with this? First of all, check your mail server to make sure that it will not relay for a spammer forging a real user on your domain. 
Apparently there is a popular mail server software out there that is designed to do that and there is no way to disable that feature except to enable SMTP-AUTH for all e-mail. This is what I have picked up from the admin(at)dsbl.org list's public archives. Then assuming that your mail server is not the one that is affected by this feature: File abuse reports about the delayed bounces with each mail server that is doing the delayed bounce. Such delayed bounces are not reportable by spamcop.net: See a recent post in spamcop.help by Larry Kilgallen for a sample text: : As I report that spam (the message claiming I sent a message " I did not) I include something like the following text in my : SpamCop report: Believe it or not, spammers lie. Please adjust your software to not send these meaningless warnings blindly to the "From:" address, but instead respond within the SMTP dialog, so your comments get to the actual originator rather than pestering an innocent bystander. While the bounces are allowed by RFC, it is from a time when third party open relays were also allowed. Most mail servers do an SMTP reject, which means that any bounce message will come from the original sending mail server, and the only ones of those that are relaying spam are either the domain that should receive the abuse report of one of their users, or an open relay. Open relays should be blocked on site. When mail servers do not do an SMTP reject, and do an accept and bounce, then they are participating in a DDOS to victims like you. There have also been several recent posts on news.admin.net-abuse.email about the practice of abusive bouncing of spam. There are some mail server operators that claim that it is not practical to convert to SMTP rejects instead of bouncing. 
These mail server operations must be bigger than AOL.COM which had several years ago announced on the SPAM-L mailing list that they recognized that such bounces were abusive to the rest of the internet and were switching over to only using SMTP rejects. It seems that for every example of someone claiming that their network is too large to convert, an example can be found of a larger network that did so. And I suspect that it is a much lower operational cost to use SMTP rejects instead of doing the accept and then bouncing. > 2. Could this possibly get my domain listed on anti-spam lists? Only if the mail server operator is either incompetent, or is so small that it is unlikely that they will ever receive a legitimate e-mail from your domain. According to posts on news.admin.net-abuse.email, even the conservative spamhaus.org will eventually list I.P. addresses that bounce spam to forged addresses. It is far more likely that the I.P. addresses of the mail servers that are bouncing the spam will get put on local and public blocking lists than the I.P. address of your domain. Most medium to large mail servers pay a metered rate for their bandwidth, and accepting fake bounces or spam needlessly increases their operating costs. So if the only e-mail they have ever seen from an I.P. address is spam or fake bounces, many mail server operators that are paying for bandwidth out of their profits or pockets will block that I.P. address. -John wb8tyw@qsl.network Personal Opinion Only From wb8tyw at qsl.network Tue May 3 00:20:16 2005 From: wb8tyw at qsl.network (John E. Malmberg) Date: Mon May 2 23:25:02 2005 Subject: [SpamCop-List] Re: The Spamityville Horror... In-Reply-To: References: Message-ID: Mike Easter wrote: > John E. Malmberg wrote: > > >>Unfortunately the xbl.spamhaus.org can not be used as a gate for it as >>it now contains the NJABL dynablock zone which should block most >>legitimate posters. > > No.
> > xbl is composed of cbl, blitzed opm and most recently one subset of > njabl, just the open proxy subset, the 127.0.0.9. > > It does not include the other njabl returns, .2 open relays, .3 > dynamics, .4 spamsources, .5 multistage relays, or .8 script sources. > > That is my understanding based on the words at spamhaus which say "the > NJABL open proxy IPs list from www.njabl.org" > > I do not have any specific confirmation of that opinion of mine from > anyone else. I posted it in a discussion in alt.spam and no one > rebutted it there. If you can get a clarification please post. I do notice that spamhaus.org representatives post in the news.admin.net-abuse.email occasionally, but there is a lot of noise there. But it does indicate a risk of using an anti-spam blocking list for other purposes. -John wb8tyw@qsl.network Personal Opinion Only From nobody at devnull.spamcop.net Tue May 3 01:40:58 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Tue May 3 01:45:31 2005 Subject: [SpamCop-List] Re: Error-why? Last question References: Message-ID: "Mike Easter" wrote in message news:d56o3h$oia$1@news.spamcop.net... gmail From rg at nospam.please Tue May 3 02:46:05 2005 From: rg at nospam.please (rg) Date: Tue May 3 01:50:05 2005 Subject: [SpamCop-List] ieypzkbc.tatzwz.info doesn't resolve on first try. (Or second, third, etc.) Message-ID: Below is the report for http://www.spamcop.net/sc?id=z759058001zcc15a0f3201f890a3416b31a01900fbaz You will notice the section: Resolving link obfuscation http://ieypzkbc.tatzwz.info/?29f3922cb8d56f5cd48f092a595a8f47 http://ohgbtn.tatzwz.info/?29f3922cb8d56f5cd48f092a595a8f47 I have to submit them separately: http://www.spamcop.net/sc?track=http%3A%2F%2Fohgbtn.tatzwz.info%2F%3F29f3922cb8d56f5cd48f092a595a8f47%0D%0A Then resubmit and cancel the spam report a few times before it finally ends up resolving. SUGGESTION: Increase the DNS timeout and retry numbers! Thanks! 
Report follows as copied from my PC, since you can't tell what will resolve when you use the report link: Help | Site Map | Text size: - + rgerharz Report Spam Mailhosts Statistics Past Reports Preferences SpamCop v 1.439 (C) Ironport Systems Inc., 1998-2005 , All rights reserved. Here is your TRACKING URL - it may be saved for future reference: http://www.spamcop.net/sc?id=z759058001zcc15a0f3201f890a3416b31a01900fbaz Skip to Reports Received: from a213-22-193-212.netcabo.pt ([213.22.193.212]) by rwcrmxc18.comcast.net (rwcrmxc18) with SMTP id <20050502191935r1800ftreoe>; Mon, 2 May 2005 19:19:59 +0000 X-Originating-IP: [213.22.193.212] From: "Viola Bain" Reply-To: "Viola Bain" To: x, x, x, x, x, x, x, x, x, x Subject: Isidro said hi Date: Mon, 02 May 2005 15:19:31 -0800 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="--77996649553783422" View entire message Parsing header: Received: from a213-22-193-212.netcabo.pt ([213.22.193.212]) by rwcrmxc18.comcast.net (rwcrmxc18) with SMTP id <20050502191935r1800ftreoe>; Mon, 2 May 2005 19:19:59 +0000 213.22.193.212 found host 213.22.193.212 (getting name) = a213-22-193-212.netcabo.pt. a213-22-193-212.netcabo.pt is 213.22.193.212 Possible spammer: 213.22.193.212 Received line accepted Tracking message source: 213.22.193.212: Routing details for 213.22.193.212 [refresh/show] Cached whois for 213.22.193.212 : abuse@tvcabo.pt Using abuse net on abuse@tvcabo.pt abuse net tvcabo.pt = abuse@tvcabo.pt, postmaster@tvcabo.pt, abuse@netcabo.pt Using best contacts abuse@tvcabo.pt postmaster@tvcabo.pt abuse@netcabo.pt postmaster@tvcabo.pt redirects to abuse@tvcabo.pt Yum, this spam is fresh! Message is 0 hours old 213.22.193.212 not listed in dnsbl.njabl.org 213.22.193.212 not listed in dnsbl.njabl.org 213.22.193.212 not listed in cbl.abuseat.org 213.22.193.212 listed in dnsbl.sorbs.net ( 127.0.0.10 ) 213.22.193.212 not listed in relays.ordb.org. 
213.22.193.212 not listed in query.bondedsender.org 213.22.193.212 not listed in iadb.isipp.com Finding links in message body Recurse multipart: Parsing HTML part Resolving link obfuscation http://ieypzkbc.tatzwz.info/?29f3922cb8d56f5cd48f092a595a8f47 http://ohgbtn.tatzwz.info/?29f3922cb8d56f5cd48f092a595a8f47 Please make sure this email IS spam: From: "Viola Bain" (Isidro said hi) ----77996649553783422 Content-Type: text/html; View full message Report Spam to: Re: 213.22.193.212 (Administrator of network where email originates) To: abuse@netcabo.pt (Notes) To: abuse@tvcabo.pt (Notes) Re: 213.22.193.212 (Third party interested in email source) To: Cyveillance spam collection (Notes) Additional notes (optional - max 2000 characters): ATTENTION: Report only those e-mail addresses and web sites that you think your spammer has used. Avoid checking any boxes left empty unless you know that your spammer has used the addresses or sites thus identified. Each false report that you submit means wasted time for a network administrator, so take care. The last thing SpamCop wants are network administrators so accustomed to false claims that they no longer take these spam reports seriously. Comments for:abuse@netcabo.pt (213.22.193.212) Return to report Comments for:abuse@tvcabo.pt (213.22.193.212) Return to report Comments for:spamcop@imaphost.com (213.22.193.212) Return to report (C) Ironport Systems Inc., 1998-2005 , All rights reserved. HTML4 / CSS2 Firefox recommended - Policies and Disclaimers From nobody at nowhere.invalid Tue May 3 11:21:50 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Tue May 3 04:25:41 2005 Subject: [SpamCop-List] Re: Failed delivery nightmare References: Message-ID: On Mon, 02 May 2005 23:13:09 -0400, John E. Malmberg coughed into spamcop and left this in : > Such delayed bounces are not reportable by spamcop.net They are now, and have been for a few months. -- Steve I haven't lost my mind; I know exactly where I left it. 
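Added example, not part of any message in this archive: the thread's question about gating forum posts on a DNSBL comes down to which 127.0.0.x return code a zone answers with, so this Python example blocks only on the open-proxy code and lets a dynamic-range listing through. The return-code meanings are the NJABL ones given in Mike Easter's message; the zone name `dnsbl.example`, the sample addresses, the canned answers and all function names are constructed for illustration.

```python
import ipaddress
import socket

# Return-code meanings for the NJABL zone as listed in Mike Easter's message.
NJABL_CODES = {
    "127.0.0.2": "open relay",
    "127.0.0.3": "dynamic",
    "127.0.0.4": "spam source",
    "127.0.0.5": "multistage relay",
    "127.0.0.8": "script source",
    "127.0.0.9": "open proxy",
}

# Policy for a web forum: refuse posts only from known open proxies.
OPEN_PROXY_ONLY = {"127.0.0.9"}


def dnsbl_query_name(ip, zone):
    """Build the DNSBL query name: reversed IPv4 octets prepended to the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name):
    """Return the A records for name, or [] when it does not resolve.

    A resolver failure is treated as "not listed", so the gate fails open.
    """
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.gaierror, socket.herror):
        return []


def listing_codes(ip, zone, resolver=system_resolver):
    """Return the sorted 127.x answers the zone gives for ip ([] if unlisted)."""
    answers = resolver(dnsbl_query_name(ip, zone))
    return sorted(a for a in answers if a.startswith("127."))


def should_block_post(ip, zone, block_codes=OPEN_PROXY_ONLY,
                      resolver=system_resolver):
    """Decide whether to refuse a forum post from ip.

    Returns (blocked, matching_codes). Only codes in block_codes count, so a
    listing made for another reason (for example a dynamic range) does not
    lock out an ordinary poster.
    """
    hits = sorted(set(listing_codes(ip, zone, resolver)) & set(block_codes))
    return bool(hits), hits


def describe(codes):
    """Translate return codes into the labels from NJABL_CODES."""
    return [NJABL_CODES.get(code, "unknown code") for code in codes]


# Constructed sample data: a made-up zone and documentation-range addresses.
ZONE = "dnsbl.example"
FAKE_ANSWERS = {
    "10.2.0.192.dnsbl.example": ["127.0.0.9"],               # open proxy
    "7.100.51.198.dnsbl.example": ["127.0.0.3"],             # dynamic only
    "5.113.0.203.dnsbl.example": ["127.0.0.3", "127.0.0.9"],  # both
}


def fake_resolver(name):
    """Offline stand-in for system_resolver, answering from FAKE_ANSWERS."""
    return FAKE_ANSWERS.get(name, [])


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5", "192.0.2.99"):
        codes = listing_codes(ip, ZONE, fake_resolver)
        blocked, _ = should_block_post(ip, ZONE, resolver=fake_resolver)
        print(ip, describe(codes), "BLOCK" if blocked else "allow")
```

Passing a wider `block_codes` set that includes 127.0.0.3 reproduces the failure John E. Malmberg was worried about: dial-up and broadband posters get refused along with the proxies.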
From m at remove.this.part.rtij.nl Tue May 3 12:27:50 2005 From: m at remove.this.part.rtij.nl (Martijn Lievaart) Date: Tue May 3 05:31:10 2005 Subject: [SpamCop-List] Re: Failed delivery nightmare References: Message-ID: On Tue, 03 May 2005 03:25:44 +0200, Onyx wrote: > Two questions: > 1. What would be the best way to deal with this? - Get rid of any catch all domains - Firewall the worst bouncers, maybe after an email telling them to fix their systems. - Inform your ISP, they may get bogus complaints. - Other than that, not much you can do I'm afraid. > 2. Could this possibly get my domain listed on anti-spam lists? No, not very likely. It happens every day to someone. M4 -- Ah, the beauty of OSS. Hundreds of volunteers worldwide volunteering their time inventing and implementing new, exciting ways for software to suck. -- Toni Lassila in the Monastry From m at remove.this.part.rtij.nl Tue May 3 12:29:58 2005 From: m at remove.this.part.rtij.nl (Martijn Lievaart) Date: Tue May 3 05:35:06 2005 Subject: [SpamCop-List] Re: The Spamityville Horror... References: Message-ID: On Mon, 02 May 2005 23:20:16 -0400, John E. Malmberg wrote: > But it does indicate a risk of using an anti-spam blocking list for > other purposes. I recommended this approach (blocking open proxies based on a dnsbl) to a friend of mine who moderates a forum and he has been very satisfied with the results. M4 -- Ah, the beauty of OSS. Hundreds of volunteers worldwide volunteering their time inventing and implementing new, exciting ways for software to suck. -- Toni Lassila in the Monastry From wb8tyw at qsl.network Tue May 3 07:51:42 2005 From: wb8tyw at qsl.network (John E. Malmberg) Date: Tue May 3 06:55:03 2005 Subject: [SpamCop-List] Re: Failed delivery nightmare In-Reply-To: References: Message-ID: Steven Maesslein wrote: > On Mon, 02 May 2005 23:13:09 -0400, John E. 
Malmberg coughed into > spamcop and left this in : >>Such delayed bounces are not reportable by spamcop.net > > They are now, and have been for a few months. A typo on my part, I meant to type now instead of not. In this case though it may not have been obvious. -John wb8tyw@qsl.network Personal Opinion Only From Ilgaz at spamcop.net Tue May 3 14:54:24 2005 From: Ilgaz at spamcop.net (Ilgaz) Date: Tue May 3 06:55:08 2005 Subject: [SpamCop-List] Re: AOL Filters Block Emergency Weather E-Mails References: Message-ID: On 2005-05-03 04:36:47 +0300, "Ron B." said: > > AOL Filters Block Emergency Weather E-Mails > > POSTED: 3:25 pm CDT May 2, 2005 > > VERO BEACH, Fla. -- Efforts by one Florida county to put out weather > alerts by e-mail have hit a high-tech roadblock: AOL is tagging the > messages as spam. > > The problem dates back to last year's unusually busy hurricane season > when Indian River County was hit by two major storms -- Frances and > Jeanne. > > Some 4,200 people signed up for the county's e-mail alert service, > which offers quick alerts on hurricanes, tornadoes and other weather > emergencies. > > But a county computer software engineer says because e-mail is sent out > in large numbers, "it becomes a pattern for spam senders." > > The county is working with AOL to fix the problem. In the meantime, AOL > users are being told to put the county's e-mail account in their > computer's address book so their computers know to accept the messages. > > Copyright 2005 by The Associated Press. All rights reserved. This > material may not be published, broadcast, rewritten or redistributed. You must know how many morons out there marking stuff as "Spam" from the lists/stuff they SIGNED UP for. Could be a factor too. E.g. I missed a very critical update from a very known, awarded OS X software house, Panic.com because of those yahoo morons clicking "its spam" It ended up in junk folder of Yahoo. :) I think there should be a way/method developed for those clueless. 
They can mark spam whatever they like, others won't be affected after a certain point of false positives by them Ilgaz Ocal From smjg_1998 at yahoo.com Tue May 3 15:18:27 2005 From: smjg_1998 at yahoo.com (Stewart Gordon) Date: Tue May 3 09:20:05 2005 Subject: [SpamCop-List] A novel approach to spamming Message-ID: A spammer's come up with an interesting idea. Rather than just sending the spam content, this one told a joke. And it even had a topical subject line - so at first glance it looks like the kind of email a friend might pass on. That's until you get to the bottom, where the Stupid Person's AdvertiseMent itself is found. Nonetheless, Entourage managed to mark it as spam. Though very probably by the rule I set up rather than by its own heuristics. Has anyone else had anything like this? Just noticed at the very bottom: "Click on this link to keep up my beginning of making spam not so boring thing. Have a nice day." Hmm.... Well, at least it's another novel thing that this person actually admits spamming.... Stewart. PS For those who are interested and not yet sick of the same thing as the character in the joke, I've posted it over on .social. -- My e-mail is valid but not my primary mailbox. Please keep replies on the 'group where everyone may benefit. From m at remove.this.part.rtij.nl Tue May 3 16:43:09 2005 From: m at remove.this.part.rtij.nl (Martijn Lievaart) Date: Tue May 3 09:50:04 2005 Subject: [SpamCop-List] Re: The Spamityville Horror... References: Message-ID: On Tue, 03 May 2005 11:29:58 +0200, Martijn Lievaart wrote: > On Mon, 02 May 2005 23:20:16 -0400, John E. Malmberg wrote: > >> But it does indicate a risk of using an anti-spam blocking list for >> other purposes. > > I recommended this approach (blocking open proxies based on a dnsbl) to > a friend of mine who moderates a forum and he has been very satisfied with > the results. Followup on self, see also nanabl, thread "The MCI problem", specifically msgid M4 -- Ah, the beauty of OSS.
Hundreds of volunteers worldwide volunteering their time inventing and implementing new, exciting ways for software to suck. -- Toni Lassila in the Monastry From not at home.today Tue May 3 16:01:21 2005 From: not at home.today (Ant) Date: Tue May 3 10:05:04 2005 Subject: [SpamCop-List] Re: ieypzkbc.tatzwz.info doesn't resolve on first try. (Or second, third, etc.) References: Message-ID: "rg" wrote: > Below is the report for > http://www.spamcop.net/sc?id=z759058001zcc15a0f3201f890a3416b31a01900fbaz > > You will notice the section: > Resolving link obfuscation [...] Yes, and no information is given about what the parser did with those links before the "Please make sure this email IS spam" message. I first noticed this in the middle of March this year, and reported it here with the subject "Links found, but not parsed". The problem continues to regularly occur, but no Spamcop person has commented on it to my knowledge. > I have to submit them separately: [...] > Then resubmit and cancel the spam report a few times before it finally ends > up resolving. You don't need to cancel. Just refresh the parse page in your browser or go to the "report spam" link if you've visited another page, and you can then follow the "unreported spam, report now" link. I will sometimes resolve the spamvertized URLs separately, or refresh the parse once, but if the links still aren't resolved I submit the report anyway. It's not worth the hassle. > SUGGESTION: Increase the DNS timeout and retry numbers! I'm not sure if this is the problem. My understanding is that when a lookup times out you get a message "unable to resolve..." [report snipped] From ron.shafii at hossequipment.com Tue May 3 10:38:03 2005 From: ron.shafii at hossequipment.com (Ron Shafii) Date: Tue May 3 10:40:04 2005 Subject: [SpamCop-List] spam posed as returned mail Message-ID: The last 2 weeks I've been receiving SPAM to the tune of hundreds posed as RETURNED TO SENDER or Block Email with a virus attached.
The virus name, origination IP and subject are not very consistent, therefore creating rules to bounce the mail is difficult. What is consistent is the means by which our spam server accepts these messages and quarantines them. The message itself is posed as a Return To Sender or Bounced email. If it weren't for blocking all attachments there's a good chance it wouldn't even get caught in our spam server and would get sent to the end user. Currently we are using Imail server from IPswitch. When I submit this SPAM to spamcop it also detects my mail server as a possible source of SPAM. Thanks ahead of time for any constructive responses. below are two examples; Received: from lkhqo.net [216.227.86.141] by mail.dozernet.com (SMTPD-8.20) id A5A2025C; Tue, 03 May 2005 09:07:30 -0500 From: info@cvip.net To: joan@hossequipment.com Date: Tue, 03 May 2005 13:34:33 UTC Subject: FwD: Your email was blocked Importance: Normal X-Priority: 3 (Normal) Message-ID: <5f6e.9ed8efa32e23da7@hossequipment.com> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="======c0cd44.0fabda1e2eb" Content-Transfer-Encoding: 7bit This is a multi-part message in MIME format. X-IMAIL-SPAM-DNSBL: (v6net,85a2009e00002886,65.77.130.111) X-RCPT-TO: Status: U X-IMail-Rule: B~name=.{1,30}\.zip!AND!F!~dummy:dummy-File_Attachments@dozernet.com Data- NAME=ERROR-MAIL_INFO.ZIP X-UIDL: 411163348 X-IMail-ThreadID: 85a2009e00002886 This is an automatically generated E-Mail Delivery Status Notification.
Mail-Header, Mail-Body and Error Description are attached error-mail_info.zip (Binary attachment) the zip file contains W32.Sober.O@mm ------------------------------------------- Here's Another ------------------------------------------- Received: from smtp1.dnb.com [204.254.175.106] by mail.dozernet.com with ESMTP (SMTPD-8.20) id AAF3048C; Mon, 02 May 2005 22:07:31 -0500 Received: from unknown (0.0.0.0) by smtp1.dnb.com with ; 02 May 2005 23:07:53 -0400 Date: 02 May 2005 23:07:53 -0400 To: postmaster@dozernet.com From: Mail Delivery System Subject: Delivery Status Notification (Failure) MIME-Version: 1.0 Content-Type: multipart/report; report-type=delivery-status; boundary="8327904216949392.unknown" Message-Id: <200505022207424.SM03464@smtp1.dnb.com> X-IMAIL-SPAM-DNSBL: (v6net,eaf30149000007e0,65.77.130.111) X-RCPT-TO: Status: U X-IMail-Rule: B~name=.{1,30}\.zip!AND!F!~dummy:dummy-File_Attachments@dozernet.com Data- NAME=ERROR-MAIL_INFO.ZIP X-UIDL: 411163241 X-IMail-ThreadID: eaf30149000007e0 The following message to was undeliverable. The reason for the problem: 5.1.1 - Bad destination email address 'ldap reject' Final-Recipient: rfc822;csc.austral@dnb.com Action: failed Status: 5.0.0 (permanent failure) Diagnostic-Code: smtp; 5.1.1 - Bad destination email address 'ldap reject' (delivery attempts: 0) Reporting-MTA: dns; unknown This is an automatically generated E-Mail Delivery Status Notification. Mail-Header, Mail-Body and Error Description are attached error-mail_info.zip (Binary attachment) From onyx0 at gamebox.net Tue May 3 18:27:14 2005 From: onyx0 at gamebox.net (Onyx) Date: Tue May 3 11:30:04 2005 Subject: [SpamCop-List] Re: Failed delivery nightmare References: Message-ID: John E. Malmberg wrote: > First of all, check your mail server to make sure that it will not > relay for a spammer forging a real user on your domain. 
Apparently > there is a popular mail server software out there that is designed to > do that and there is no way to disable that feature except to enable > SMTP-AUTH for all e-mail. I don't run my own, I use mail server from my hosting provider. The originating IP's of spam messages with my forged domain name are from all over the world.. > Then assuming that your mail server is not the one that is affected by > this feature: > > File abuse reports about the delayed bounces with each mail server > that is doing the delayed bounce. Hello carpal tunnel syndrome... Besides bounces, I also got a fair number of those i'm-away autoresponders, they seem to be popular as well. Thanks to all for good info and help. From MikeE at ster.invalid Tue May 3 09:48:43 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue May 3 11:50:03 2005 Subject: [SpamCop-List] Re: spam posed as returned mail References: Message-ID: Ron Shafii wrote: > The last 2 weeks I've been receiving SPAM to tune of hundreds posed as > RETURNED TO SENDER or Block Email with a virus attached. > below are two examples; First, a housekeeping issue. For various reasons, spam and spamlike and other mailitems are not 'supposed to be' posted into the discussion groups; but instead they are supposed to be submitted to the parser to get a tracking url and the tracker posted here and the report cancelled. As a weak alternative, the newsgroup spamcop.spam has been designated for pasting such items into news messages. Then that message would be referred to and discussed here, not discussed there in .spam. Second, about these items you posted here. Altho' you didn't completely describe their structure sufficiently for me to be sure, I think they are of 2 different types. The first one is simply a virus propagation 'dressed up' in a DSN [delivery status notification] suit. That is, a fake DSN. 
It looks like the 2nd one is actually a DSN of a fake DSN, but I would have to see the complete originals [as a tracker url, not pasted here] to be sure. Third, about this remark > When I submit this SPAM to spamcop it also detects my mail server as a > possible source of SPAM. That doesn't make sense. I'm assuming your mailserver is dozernet and that it is serving your hossequipment domain. I can't see how the parser would name hoss or dozer as the source of either of those headers. This is a tracker for the first one, to demonstrate what a tracking url is/looks like/ and to show you that your server isn't named as source. http://www.spamcop.net/sc?id=z759331281za04d52c564dc5a70d5b2a2174c620adbz > Thanks ahead of time for any constructive reponses. -- Mike Easter kibitzer, not SC admin From dannyg at dannyg.com Tue May 3 10:14:52 2005 From: dannyg at dannyg.com (Danny Goodman) Date: Tue May 3 12:15:08 2005 Subject: [SpamCop-List] Re: stupid spam of the week In-Reply-To: <200505030545.j435jmRu083946@dannyg.com> Message-ID: > But in the larger scheme of things, if one > spammer is simply giving another spammer money, but neither you or I are > actually buying anything -- that basically defeats the economic model I think the spammers who sell spammer kits and services to wannabe spammers would disagree. So would mortgage spammers (who get paid handsomely for filled-out leads apps, not completed mortgages--no coin out of the spammee's pocket). Wherever money changes hands profitably, the recipient has an incentive to continue. The spam economy thrives on far more than sales of creams, medz, inkjet carts, and JackRabbits. Danny http://www.dannyg.com http://www.spamwars.com From borgholio at storymind.com Tue May 3 11:56:12 2005 From: borgholio at storymind.com (Borgholio) Date: Tue May 3 14:00:03 2005 Subject: [SpamCop-List] Quick reporting via email? Message-ID: I forgot...how do I submit spam via email for quick-reporting? 
From MikeE at ster.invalid Tue May 3 12:07:13 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue May 3 14:10:03 2005 Subject: [SpamCop-List] Re: Quick reporting via email? References: Message-ID: Borgholio wrote: > I forgot...how do I submit spam via email for quick-reporting? Quick reporting is disabled due to careless use. ... but you can beseech admin for access at service admin.SC on a casebycase basis -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Tue May 3 15:13:25 2005 From: nobody at devnull.spamcop.net (Glenn Daniels) Date: Tue May 3 14:15:03 2005 Subject: [SpamCop-List] Re: A novel approach to spamming References: Message-ID: "Stewart Gordon" wrote in message > A spammer's come up with an interesting idea. Rather than just sending > the spam content, this one told a joke. And it even had a topical > subject line - so at first glance it looks like the kind of email a > friend might pass on. Received a similar last week. Munged it abusively and posted it in .spam. Some say that having had all the offensive parts so munged it is actually ROTFL funny. Unfortunately something or other got screwed up in the munging and then the parser would not parse it, so I could not post a tracker. Where, oh where, did I go wrong... Glenn From ron.shafii at hossequipment.com Tue May 3 14:18:50 2005 From: ron.shafii at hossequipment.com (Ron Shafii) Date: Tue May 3 14:20:03 2005 Subject: [SpamCop-List] Re: spam posed as returned mail References: Message-ID: Mr. Easter thanks a lot for the tips. Sorry for not following the rules. I was a little hesitant revealing my mailserver info online anyhow. too late. here's a link from SPAMCOP regarding the spam I previously mentioned, which was parsing our ip address as a possible source of spam. http://www.spamcop.net/sc?id=z759369967zf5f08711459561ae426f911b4e192414z http://www.spamcop.net/sc?id=z759371087z622d4f17d0a654ca301570c73e40e43fz I wonder if I am misreading it.
www.hossequipment.com (Administrator of network hosting website referenced in spam) Is this sending a copy of the email back to me or is it parsing me as a spammer? Sorry if I am lame at this, but I'm new to SPAM techniques and prevention. "Mike Easter" wrote in message news:d586d6$pjh$1@news.spamcop.net... > Ron Shafii wrote: > >> The last 2 weeks I've been receiving SPAM to tune of hundreds posed as >> RETURNED TO SENDER or Block Email with a virus attached. > >> below are two examples; > > First, a housekeeping issue. > > For various reasons, spam and spamlike and other mailitems are not > 'supposed to be' posted into the discussion groups; but instead they > are supposed to be submitted to the parser to get a tracking url and the > tracker posted here and the report cancelled. As a weak alternative, > the newsgroup spamcop.spam has been designated for pasting such items > into news messages. Then that message would be referred to and > discussed here, not discussed there in .spam. > > Second, about these items you posted here. > > Altho' you didn't completely describe their structure sufficiently for > me to be sure, I think they are of 2 different types. The first one is > simply a virus propagation 'dressed up' in a DSN [delivery status > notification] suit. That is, a fake DSN. It looks like the 2nd one is > actually a DSN of a fake DSN, but I would have to see the complete > originals [as a tracker url, not pasted here] to be sure. > > Third, about this remark > >> When I submit this SPAM to spamcop it also detects my mail server as a >> possible source of SPAM. > > That doesn't make sense. I'm assuming your mailserver is dozernet and > that it is serving your hossequipment domain. I can't see how the > parser would name hoss or dozer as the source of either of those > headers. > > This is a tracker for the first one, to demonstrate what a tracking url > is/looks like/ and to show you that your server isn't named as source. 
> > http://www.spamcop.net/sc?id=z759331281za04d52c564dc5a70d5b2a2174c620adbz > >> Thanks ahead of time for any constructive responses. > > > -- > Mike Easter > kibitzer, not SC admin > From MikeE at ster.invalid Tue May 3 12:41:37 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue May 3 14:40:22 2005 Subject: [SpamCop-List] Re: spam posed as returned mail References: Message-ID: Ron Shafii wrote: > here's a link from SPAMCOP regarding the spam I previously mentioned, > which was parsing our ip address as a possible source of spam. www.spamcop.net/sc?id=z759369967zf5f08711459561ae426f911b4e192414z What you are seeing about hoss is that the parser parses for source, which is 209.177.232.252 rDNS nsc209.177.232-252.newsouth.net at NewSouth Communications notify abuse@nuvox.net abuse@newsouth.net postmaster@newsouth.net (for newsouth.net) ... and also provides a notify addy for any links it finds in the body, presuming the links are a spamvertiser -- while cautioning you to be sure that the item is spam. The link in the body is a trailer attached by your AV agent which has your hossequipment website's URL. SC sees the URL and is providing an address to notify the provider for hoss. If your AV scanner is normally able to look inside zip attachments, then it needs to be updated for the sober if it isn't recognizing its viral template. www.spamcop.net/sc?id=z759371087z622d4f17d0a654ca301570c73e40e43fz This is the same condition and the same source 209.177.232.252 at newsouth and also shows your hoss website URL in the body in the AV stamped trailer. > www.hossequipment.com (Administrator of network hosting website > referenced in spam) > > Is this sending a copy of the email back to me or is it parsing me as > a spammer? If you feed that item to the parser as a spam and it contains your website in the trailer, SC is going to offer to notify the provider for hoss unless you uncheck it.
It will also put that URL on its statistics page where another blocklister of spamvertised websites will pick it up for inclusion in its listing of spamvertisers. Whenever you see an IB innocent bystander named as a spamvertiser in a parse, including your own, you should uncheck it for notification as spamvertiser, as it is not a spamvertiser. > Sorry if I am lame at this, but I'm new to SPAM techniques and > prevention. SpamCop parses spams to notify for spamsource and spamvertisers. The algorithm can't read, so it doesn't know what the body of the item sez, and it is up to the alert spamcop reporter to oversee what the algorithm is offering to report about. -- Mike Easter kibitzer, not SC admin From borgholio at storymind.com Tue May 3 12:48:44 2005 From: borgholio at storymind.com (Borgholio) Date: Tue May 3 14:50:04 2005 Subject: [SpamCop-List] Re: Quick reporting via email? In-Reply-To: References: Message-ID: Mike Easter wrote: > Borgholio wrote: > >>I forgot...how do I submit spam via email for quick-reporting? > > > Quick reporting is disabled due to careless use. > > ... but you can beseech admin for access at service admin.SC on a > casebycase basis > What's the address? From MikeE at ster.invalid Tue May 3 12:56:25 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue May 3 14:55:05 2005 Subject: [SpamCop-List] Re: Quick reporting via email? References: Message-ID: Borgholio wrote: > Mike Easter wrote: >> ... but you can beseech admin for access at service admin.SC on >> a casebycase basis > > What's the address? Errm.... what I sed: service at admin dot spamcop dot net. -- Mike Easter kibitzer, not SC admin From borgholio at storymind.com Tue May 3 12:59:35 2005 From: borgholio at storymind.com (Borgholio) Date: Tue May 3 15:00:04 2005 Subject: [SpamCop-List] Re: Quick reporting via email? In-Reply-To: References: Message-ID: Mike Easter wrote: > Borgholio wrote: > >>Mike Easter wrote: > > >>>... 
but you can beseech admin for access at service admin.SC on >>>a casebycase basis >> >>What's the address? > > > Errm.... what I sed: service at admin dot spamcop dot net. > Whoops..missed that. Thanks. From nobody at spamcop.net Tue May 3 17:21:45 2005 From: nobody at spamcop.net (Ellen) Date: Tue May 3 17:05:51 2005 Subject: [SpamCop-List] Re: Quick reporting via email? References: Message-ID: "Mike Easter" wrote in message news:d58egs$u52$1@news.spamcop.net... > Borgholio wrote: > > I forgot...how do I submit spam via email for quick-reporting? > > Quick reporting is disabled due to careless use. > > ... but you can beseech admin for access at service admin.SC on a > casebycase basis > Beseech? not for quick submit -- that requires grovel :-) E From nobody at spamcop.net Tue May 3 18:46:50 2005 From: nobody at spamcop.net (Anti-Spam) Date: Tue May 3 17:50:15 2005 Subject: [SpamCop-List] "One in 20 'fall for online fraud'" Message-ID: If 1% lost money through phishing, does that mean 4% are falling for non-phishing fraud? No wonder there is so much non-phishing spam. -- Bring in the death penalty for repeat spammers. Non-functional spambait addr: oura@ylhowyddliy.net (generated by Webpoison) From nospam at dev.null Wed May 4 03:08:26 2005 From: nospam at dev.null (Anty Spam) Date: Tue May 3 20:05:05 2005 Subject: [SpamCop-List] Re: A novel approach to spamming References: Message-ID: "Stewart Gordon" wrote in message news:d57tn4$kgd$1@news.spamcop.net... > A spammer's come up with an interesting idea. Rather than just sending > the spam content, this one told a joke. And it even had a topical > subject line - so at first glance it looks like the kind of email a > friend might pass on. > > That's until you get to the bottom, where the Stupid Person's > AdvertiseMent itself is found. > > Nonetheless, Entourage managed to mark it as spam. Though very probably > by the rule I set up rather than by its own heuristics. > > Has anyone else had anything like this? 
...Snip... Yes a while ago. Was porno related spam to a well known Canadian chain of similar sites. From ticket at web-hosting-support.com Tue May 3 21:25:08 2005 From: ticket at web-hosting-support.com (Support) Date: Tue May 3 22:30:15 2005 Subject: [SpamCop-List] blocklisted need help id'ing abuse Message-ID: Dear Deputies, I need some help, we have a user somewhere on our servers that is sending mail to spam traps. Our servers are setup to identify every piece of mail with a UID/GID in the headers, if you could kindly lookup who is causing the spam trap block I would appreciate it. web11.thehostingnet.com 66.6.223.140 Thanks, Jeremy Technical Support Web-hosting-support.com From MikeE at ster.invalid Tue May 3 20:59:51 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue May 3 23:00:02 2005 Subject: [SpamCop-List] Re: blocklisted need help id'ing abuse References: Message-ID: Support wrote: > I need some help, we have a user somewhere on our servers that is > sending mail to spam traps. Our servers are setup to identify every > piece of mail with a UID/GID in the headers, if you could kindly > lookup who is causing the spam trap block I would appreciate it. > > web11.thehostingnet.com 66.6.223.140 According to the information available from the website lookup, that IP is listed because of reports from reporters, not spamtrap hits: http://www.spamcop.net/w3m?action=checkblock&ip=66.6.223.140 Causes of listing SpamCop users have reported system as a source of spam less than 10 times in the past week and according to the routing information, the spamcop reports are going to pajo and internetwebhosting, the latter of which is presumably you. Reporting addresses: abuse@pajo.com Third parties interested in reports: abuse@internetwebhosting.com Altho' copies of the spam aren't available for spamtrap reports, spamtrap hits don't seem to be the current cause of the listing. Also, it looks like the listing is due to expire in 12 hours.
If that is an output server, I would think that it would only get listed for backscatter problems, not for a user passing spam thru' it. -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Wed May 4 01:03:32 2005 From: nobody at spamcop.net (Ellen) Date: Wed May 4 01:30:31 2005 Subject: [SpamCop-List] Re: blocklisted need help id'ing abuse References: Message-ID: "Support" wrote in message news:d59bq6$df8$1@news.spamcop.net... > Dear Deputies, > > I need some help, we have a user somewhere on our servers that is sending > mail to spam traps. Our servers are setup to identify every piece of > mail with a UID/GID in the headers, if you could kindly lookup who is > causing the spam trap block I would appreciate it. > > web11.thehostingnet.com 66.6.223.140 > > Thanks, > > Jeremy > Technical Support > Web-hosting-support.com > > Answered in email. Ellen From rg at nospam.please Wed May 4 02:46:00 2005 From: rg at nospam.please (rg) Date: Wed May 4 01:50:03 2005 Subject: [SpamCop-List] Re: ieypzkbc.tatzwz.info doesn't resolve on first try. (Or second, third, etc.) References: Message-ID: Yeah, refresh worked. It took about ten attempts, though! Wish they'd fix this... Thanks! "Ant" wrote in message news:d5807s$lv9$1@news.spamcop.net... > "rg" wrote: > >> Below is the report for >> http://www.spamcop.net/sc?id=z759058001zcc15a0f3201f890a3416b31a01900fbaz >> >> You will notice the section: >> Resolving link obfuscation > [...] > > Yes, and no information is given about what the parser did with those > links before the "Please make sure this email IS spam" message. > > I first noticed this in the middle of March this year, and reported it > here with the subject "Links found, but not parsed". The problem > continues to regularly occur, but no Spamcop person has commented on > it to my knowledge. > >> I have to submit them separately: [...] >> Then resubmit and cancel the spam report a few times before it finally >> ends >> up resolving. 
> > You don't need to cancel. Just refresh the parse page in your browser > or go to the "report spam" link if you've visited another page, and > you can then follow the "unreported spam, report now" link. > > I will sometimes resolve the spamvertized URLs separately, or refresh > the parse once, but if the links still aren't resolved I submit > the report anyway. It's not worth the hassle. > >> SUGGESTION: Increase the DNS timeout and retry numbers! > > I'm not sure if this is the problem. My understanding is that when a > lookup times out you get a message "unable to resolve..." > > [report snipped] > > From zitt at _no_spam_bigfoot.com Wed May 4 01:25:16 2005 From: zitt at _no_spam_bigfoot.com (John Zitterkopf) Date: Wed May 4 03:30:34 2005 Subject: [SpamCop-List] Popped hotmail spam w/ reporting confusion Message-ID: http://www.spamcop.net/sc?id=z759554231za1b9b8679752d1eb4227775630378465z I did not sign up for these "offers" which come 3-5/day. When I attempt to report it; it comes across with the following ?useless? reports: Re: 216.21.208.203 (Administrator of network where email originates) To: abuse#virtumundo.com@devnull.spamcop.net (Notes) Re: 216.21.208.203 (Third party interested in email source) To: Internal spamcop handling: (ironport) (Notes) Should this be reported to the internal handler?
------ full headers with email address removed: Return-Path: Delivered-To: spamcop-net-x Received: (qmail 7039 invoked from network); 3 May 2005 05:17:37 -0000 Received: from unknown (HELO c60.cesmail.net) (192.168.1.105) by blade2.cesmail.net with SMTP; 3 May 2005 05:17:37 -0000 Received: from mailgate.cesmail.net (216.154.195.36) by c60.cesmail.net with ESMTP; 03 May 2005 01:17:24 -0400 X-IronPort-AV: i="3.92,147,1112587200"; d="scan'208,217"; a="220171863:sNHT41282976" X-Message-Status: n X-SID-PRA: Visit Orlando X-SID-Result: Pass X-Message-Info: H83ySVbTRY1PVhh5crlmkWM5my1izH8A8a/In5hognU= Received: from popgate.cesmail.net [192.168.1.201] by mailgate.cesmail.net with POP3 (fetchmail-6.2.1) for x (single-drop); Tue, 03 May 2005 01:17:24 -0400 (EDT) Received: from vm208-203.adknowledgemail.com ([216.21.208.203]) by mc9-f26.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Mon, 2 May 2005 22:05:54 -0700 Received: from adknowledgemail.com (10.10.50.51) by vm208-203.adknowledgemail.com with ESMTP; 02 May 2005 23:42:13 -0500 X-ClientHost: 122105116116119097114101064104111116109097105108046099111109 X-MailingID: 4687767 From: Visit Orlando To: 0 Errors-To: errors@adknowledgemail.com Reply-To: return@adknowledgemail.com Subject: Visit Orlando and see the magic for yourself. 
Mime-Version: 1.0 Content-Type: text/html Content-Transfer-Encoding: 8bit Message-ID: X-OriginalArrivalTime: 03 May 2005 05:05:55.0180 (UTC) FILETIME=[C91232C0:01C54F9D] Date: 2 May 2005 22:05:55 -0700 X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on blade2.cesmail.net X-Spam-Level: ************ X-Spam-Status: hits=12.9 tests=DOMAIN_RATIO,HTML_90_100,HTML_MESSAGE, MIME_HTML_ONLY,MSGID_FROM_MTA_HOTMAIL,SARE_HEAD_HDR_XCLIHST, SARE_RD_TO_BAD_TLD,X_MESSAGE_INFO version=3.0.2 X-SpamCop-Checked: 192.168.1.105 216.154.195.36 192.168.1.201 216.21.208.203 10.10.50.51 X-SpamCop-Disposition: Blocked SpamAssassin=12 From nobody at devnull.spamcop.net Wed May 4 03:48:04 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Wed May 4 03:50:03 2005 Subject: [SpamCop-List] Re: Popped hotmail spam w/ reporting confusion References: Message-ID: "John Zitterkopf" wrote in message news:d59tct$m4t$1@news.spamcop.net... > http://www.spamcop.net/sc?id=z759554231za1b9b8679752d1eb4227775630378465z Tracking URL provided, so repeated posting of "header contents" was redundant. > When I attempt to report it; it comes across with the following ?useless? > reports: > > Re: 216.21.208.203 (Administrator of network where email originates) > To: abuse#virtumundo.com@devnull.spamcop.net (Notes) Feeds the SpamCopDNSBL for possible inclusion. > Re: 216.21.208.203 (Third party interested in email source) > To: Internal spamcop handling: (ironport) (Notes) > > Should this be reported to the internal handler? Question seems odd ... Statement indicates that it "was" reported to an "internal address" ... reason explained as "Message source bonded by IronPort, reporting" (Tech/Full details turned on) ..
or see the following data; http://www.senderbase.org/?searchBy=ipaddress&sb=1&searchString=216.21.208.203 From SCNews.5.myspamgobbler at spamgourmet.com Wed May 4 08:51:15 2005 From: SCNews.5.myspamgobbler at spamgourmet.com (Brian (SnSR)) Date: Wed May 4 10:55:03 2005 Subject: [SpamCop-List] Re: Popped hotmail spam w/ reporting confusion In-Reply-To: References: Message-ID: John Zitterkopf wrote: > http://www.spamcop.net/sc?id=z759554231za1b9b8679752d1eb4227775630378465z > > I did not sign up for these "offers" which come 3-5/day. > > When I attempt to report it; it comes across with the following ?useless? > reports: > > Re: 216.21.208.203 (Administrator of network where email originates) > To: abuse#virtumundo.com@devnull.spamcop.net (Notes) > > > Re: 216.21.208.203 (Third party interested in email source) > To: Internal spamcop handling: (ironport) (Notes) > > Should this be reported to the internal handler? > > ------ > Tracking message source: 216.21.208.203: Routing details for 216.21.208.203 [refresh/show] Cached whois for 216.21.208.203 : postmaster@virtumundo.com Using abuse net on postmaster@virtumundo.com abuse net virtumundo.com = abuse@virtumundo.com Using best contacts abuse@virtumundo.com abuse@virtumundo.com refuses SpamCop reports Using abuse#virtumundo.com@devnull.spamcop.net for statistical tracking. Whois reports back with adknowledge.com. abuse.net returns isprelations@adknowledge.com as the abuse address for 216.21.208.203. The reason for the report to Ironport is that 216.21.208.203 is a bonded sender. This will cost them for each spam. So, yes, report away if it is truly spam. The spamvertized domain also belongs to adknowledge, as does the network, so reporting them to themselves is not likely to accomplish much. 
Domain Name: AK2.CC Administrative Contact, Technical Contact: Adknowledge sysrenew@adknowledge.com 4600 Madison Suite 500 Kansas City, MO 64112 US (816) 931-1771 From nospam at fuck-off-and-die.com Thu May 5 05:17:39 2005 From: nospam at fuck-off-and-die.com (Kadaitcha Man) Date: Wed May 4 18:35:06 2005 Subject: [SpamCop-List] Re: Internic/Gandi registration problems take rediculously long to resolve References: Message-ID: <5abca81a7ce44460a39fa3cda2849ed5@alt.sex.wanted.photos.nude> Karl-Josef Ziegler, , the liverish, wooden-headed gnawing mammal, and crockery maker and pig attendant on the farm, gabbed: > ICANN should make an address verification process mandatory in the > registration procedure. E.g. a new domain first is set on registrar > hold and an air mail letter with a security code is sent to the > registrant. This security code must be verified via a web form and > only afterwards the domain is set in function. This process can be > automated BWAHAHAHAHAHAHAHAHAHAAHA! That's right, ignore all the privacy laws in numerous countries, ignore all the globe-shrinking benefits of modern technology, ignore the general public's demand for instant gratification wrought through selfish, "I want it and I want it now and I want it cheaper!" Pavlovian training, and go back to the bad old days of snail-mail and increased cost. BWAHAHAHAHAAHA! > and the price will be only a little bit higher than an air > mail stamp. More security at a low price increase. BWAHAHAHAAHAHAAHA! Buy the printing equipment, create or purchase the relevant software to interface with the registration database and print the mail, buy the mail packaging machinery, hire staff to manage and maintain all the gear and hope to fuck nothing ever gets lost in the mail, eh.
From eddie at eddie.web Wed May 4 21:38:25 2005 From: eddie at eddie.web (eddie) Date: Wed May 4 20:40:03 2005 Subject: [SpamCop-List] Re: "One in 20 'fall for online fraud'" References: Message-ID: On Tue, 03 May 2005 17:46:50 -0400, Anti-Spam scratched out the following: > > > If 1% lost money through phishing, does that mean 4% are falling for > non-phishing fraud? No wonder there is so much non-phishing spam. The most interesting thing is that it's probably the same 4% over and over and over, like Homer Simpson slamming the car door on his finger, over and over and over, yelling Ouch! each time and then doing it again :) -- Once movie theaters gave out steak knives Today they confiscate them From jr70 at blackhole.invalid Wed May 4 22:54:16 2005 From: jr70 at blackhole.invalid (John Richards) Date: Thu May 5 00:55:06 2005 Subject: [SpamCop-List] Re: Internic/Gandi registration problems take rediculously long to resolve References: Message-ID: "Karl-Josef Ziegler" wrote in message news:d538qr$jfa$1@news.spamcop.net... > ICANN should make an address verification process mandatory in the > registration procedure. E.g. a new domain first is set on registrar hold > and an air mail letter with a security code is sent to the registrant. > This security code must be verified via a web form and only > afterwards the domain is set in function. This process can be automated > and the price will be only a little bit higher than an air mail stamp. > More security at a low price increase. There should be an exemption for non-commercial domain owners. I own a vanity domain, but it is for personal use only. I used my registrar's address as the address listed in my domain registration. I don't want stalkers and other malcontents coming to my residence.
-- John Richards From zitt at _no_spam_bigfoot.com Thu May 5 00:43:21 2005 From: zitt at _no_spam_bigfoot.com (John Zitterkopf) Date: Thu May 5 02:45:04 2005 Subject: [SpamCop-List] Re: Popped hotmail spam w/ reporting confusion References: Message-ID: > The reason for the report to Ironport is that 216.21.208.203 is a bonded > sender. This will cost them for each spam. So, yes, report away if it is > truly spam. Ah. I was just "concerned" that Ironport being Spamcop's parent... that something wasn't working right. In the future; I'll be reporting to that address. Thanks. John From 79ytka802 at sneakemail.com Thu May 5 09:48:16 2005 From: 79ytka802 at sneakemail.com (Aviatrix) Date: Thu May 5 03:50:03 2005 Subject: [SpamCop-List] Re: Internic/Gandi registration problems take rediculously long to resolve In-Reply-To: References: Message-ID: John Richards wrote: > There should be an exemption for non-commercial domain owners. > I own a vanity domain, but it is for personal use only. I used my > registrar's address as the address listed in my domain registration. I > don't want stalkers and other malcontents coming to my > residence. > The .uk registry allows private individuals to opt out of having their address listed in the public Whois - but still requires them to *provide* this information, and will delete domains that are registered with false addresses. Also, if they receive reports of an opted-out domain being used for any commercial purposes the address goes straight back into the Whois. From noone at nowhere.com Thu May 5 12:15:15 2005 From: noone at nowhere.com (Robert) Date: Thu May 5 11:15:03 2005 Subject: [SpamCop-List] Re: Popped hotmail spam w/ reporting confusion References: Message-ID: > The reason for the report to Ironport is that 216.21.208.203 is a bonded > sender. This will cost them for each spam. So, yes, report away if it is > truly spam. Just out of curiosity, how is a cost rendered to a bonded sender? 
Robert From SCNews.5.myspamgobbler at spamgourmet.com Thu May 5 10:15:15 2005 From: SCNews.5.myspamgobbler at spamgourmet.com (Brian (SnSR)) Date: Thu May 5 12:20:08 2005 Subject: [SpamCop-List] Re: Popped hotmail spam w/ reporting confusion In-Reply-To: References: Message-ID: Robert wrote: >>The reason for the report to Ironport is that 216.21.208.203 is a bonded >>sender. This will cost them for each spam. So, yes, report away if it is >>truly spam. > > > Just out of curiosity, how is a cost rendered to a bonded sender? > > Robert > > http://www.bondedsender.com/fees.jsp The Debit Rate = the rate at which participating senders will be charged for each complaint received after a sender has exceeded the allowable complaint rate. The current debit rate is $20 per complaint. From MikeE at ster.invalid Thu May 5 10:23:54 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu May 5 12:25:03 2005 Subject: [SpamCop-List] Re: Popped hotmail spam w/ reporting confusion References: Message-ID: Robert wrote: >> The reason for the report to Ironport is that 216.21.208.203 is a >> bonded sender. This will cost them for each spam. So, yes, report >> away if it is truly spam. > > Just out of curiosity, how is a cost rendered to a bonded sender? The concept for bonded senders and similar programs is for there to be a program by which senders of bulk mail 'promise' on penalty of charges or fines or penalties or whatever you want to call it to play by the rules of the program - which are kinda loose from an anti-'s point of view. Then, when anti-s notify about a spam, the program's process examines the issue to determine if the bulk mailer has broken the [loose] rules, and if so, then the bulker has to pay. The theoretical advantage to a bulker of joining such a program is that you get to have your IP on a list which is a wannabe whitelist of bonded senders -- and further that there are different 'degrees' or classes of bonded sender-ness. 
So some bonded senders get to play by looser rules than others. In nanae there is also the argument that by being 'involved with' IronPort's bonded sender programs, you get some special handling by IronPort's antispam hard/soft/ware and IronPort's antispam blocklisting 'insight' - namely the spamcop information and system. The nanae-ites claim that getting a SC ding as a bonded sender doesn't count the same way as getting a ding as a non-bonded sender -- or maybe some bonded senders get SC dinged differently from others. You would have to be on the 'inside' of SC or IronPort to know the truth or fiction of those accusations. -- Mike Easter kibitzer, not SC admin From kjz at despammed.com Thu May 5 19:26:19 2005 From: kjz at despammed.com (Karl-Josef Ziegler) Date: Thu May 5 12:30:03 2005 Subject: [SpamCop-List] Re: Internic/Gandi registration problems take rediculously long to resolve In-Reply-To: References: Message-ID: John Richards wrote: > There should be an exemption for non-commercial domain owners. > I own a vanity domain, but it is for personal use only. I used my > registrar's address as the address listed in my domain registration. > I don't want stalkers and other malcontents coming to my > residence. And there are countries which require by law that on each website (also private ones, not only commercials!) the owner and email contact must be mentioned. There must be shown a person who is legally responsible for the content of each website. Otherwise you will have the risk to pay a penalty. - kjz From MikeE at ster.invalid Thu May 5 10:29:06 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu May 5 12:30:13 2005 Subject: [SpamCop-List] Re: Popped hotmail spam w/ reporting confusion References: Message-ID: Mike Easter wrote: > The nanae-ites claim that getting a SC ding as a bonded sender doesn't > count the same way as getting a ding as a non-bonded sender -- or > maybe some bonded senders get SC dinged differently from others. 
You > would have to be on the 'inside' of SC or IronPort to know the truth > or fiction of those accusations. The other nanae gripe is that vis spam; bulkers, bonded senders, ironport, spamcop, and reporters represent farmer, fox, henhouse, and chickens, not in any particular order. -- Mike Easter kibitzer, not SC admin From OokUseNet at emberts.UpYoursSpammer.com Thu May 5 21:58:57 2005 From: OokUseNet at emberts.UpYoursSpammer.com (Ook) Date: Fri May 6 00:15:03 2005 Subject: [SpamCop-List] Sober virus Message-ID: I'm being inundated with sober virus emails - 1000+ a day at 75K a pop. It overflowed my mail server limit and my email stopped until I could get my ISP to increase the limit. I'm guessing there is nothing that can be done about this - is anyone else being flooded with these? Is there hope that this flood will slow down soon? From nobody at spamcop.net Thu May 5 23:49:47 2005 From: nobody at spamcop.net (N. Miller) Date: Fri May 6 01:50:04 2005 Subject: [SpamCop-List] Re: Sober virus References: Message-ID: On Thu, 5 May 2005 20:58:57 -0600, Ook wrote: > I'm being inundated with sober virus emails - 1000+ a day at 75K a pop. It > overflowed my mail server limit and my email stopped until I could get my > ISP to increase the limit. I'm guessing there is nothing that can be done > about this - is anyone else being flooded with these? Is there hope that > this flood will slow down soon? I saw three in a pacbell.net account. I haven't seen any in any other account. Maybe I am too reclusive. -- Norman ~Win dain a lotica, En vai tu ri, Si lo ta ~Fin dein a loluca, En dragu a sei lain ~Vi fa-ru les shutai am, En riga-lint From nobody at spamcop.net Fri May 6 00:42:50 2005 From: nobody at spamcop.net (RandallW) Date: Fri May 6 02:45:04 2005 Subject: [SpamCop-List] pump and dump & webpresence.com Message-ID: I've been receiving pump and dump mail for months; it WAS being hosted on a server where the Spamcop pinging was not timing out ( for the admin address ).
Then the spam moved to webpresence.com, causing pingouts for the admin ( some supposed Victor Allan ). By a Google search I noticed there was some discussion of this on the Spamcop forum, with speculation that the spam is something done by one of The Big 50 Spammers. Has anyone called the number on the registration of webpresence.com? Is webpresence supposed to be an ISP? Does Victor Allan actually exist? From baloo at ursine.ca Fri May 6 00:18:01 2005 From: baloo at ursine.ca (Paul Johnson) Date: Fri May 6 03:10:19 2005 Subject: [SpamCop-List] Re: Sober virus References: Message-ID: Ook wrote: > I'm being inundated with sober virus emails - 1000+ a day at 75K a pop. > It overflowed my mail server limit and my email stopped until I could get > my ISP to increase the limit. I'm guessing there is nothing that can be > done about this - is anyone else being flooded with these? Not if their mail server filters out viruses at SMTP time like they should be... http://ursine.ca/Rejecting_Viruses_The_Right_Way -- Paul Johnson Email and Instant Messenger (Jabber): baloo@ursine.ca http://ursine.ca/~baloo/ From wb8tyw at qsl.network Fri May 6 04:40:19 2005 From: wb8tyw at qsl.network (John E. Malmberg) Date: Fri May 6 03:45:03 2005 Subject: [SpamCop-List] Re: Sober virus In-Reply-To: References: Message-ID: Ook wrote: > I'm being inundated with sober virus emails - 1000+ a day at 75K a pop. It > overflowed my mail server limit and my email stopped until I could get my > ISP to increase the limit. I'm guessing there is nothing that can be done > about this - is anyone else being flooded with these? Is there hope that > this flood will slow down soon? I have only seen one thing that appears to obviously be a virus being relayed through an Earthlink mail server. I do not know which one it was because I do not have a scanner. What is important is if this is a direct to MX virus.
Such viruses are usually very effectively blocked by the SORBS DUHL or the NJABL dynablock list when used with the cbl.abuseat.org as the viruses that are not coming from DHCP pools tend to get listed very quickly in the cbl.abuseat.org. -John wb8tyw@qsl.network Personal Opinion Only From nobody at nowhere.invalid Fri May 6 11:00:46 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Fri May 6 04:05:03 2005 Subject: [SpamCop-List] Re: Sober virus References: Message-ID: On Thu, 5 May 2005 20:58:57 -0600, Ook coughed into spamcop and left this in : > I'm guessing there is nothing that can be done about this Well, there is. Switch to a competent ISP. One that filters out viruses from your inbound mail, for example. -- Steve Q: Why is Christmas just like a day at the office? A: You do all of the work and the fat guy in the suit gets all the credit. From PossumTrot at dont.spam.me Fri May 6 08:16:39 2005 From: PossumTrot at dont.spam.me (Possum Trot) Date: Fri May 6 10:20:03 2005 Subject: [SpamCop-List] Anyone know the MS address to report suspected piracy? Message-ID: From nobody at spamcop.net Fri May 6 11:32:19 2005 From: nobody at spamcop.net (Anti-Spam) Date: Fri May 6 10:40:03 2005 Subject: [SpamCop-List] Re: Anyone know the MS address to report suspected piracy? References: Message-ID: "Possum Trot" wrote in message news:d5fucu$ojf$1@news.spamcop.net... > "piracy at microsoft dot com" PS. More reporting addresses can be found at . -- Bring in the death penalty for repeat spammers. Non-functional spambait addr: can@njtaxk.com (generated by Webpoison) From nobody at devnull.spamcop.net Fri May 6 11:39:15 2005 From: nobody at devnull.spamcop.net (Pop) Date: Fri May 6 10:40:11 2005 Subject: [SpamCop-List] Email Address Finder at DNS Stuff Message-ID: Has anyone here tried the e-mail address tester on http://www.dnsstuff.com/ ? 
I looked briefly at them on google and they seem fine, and I think I've seen them mentioned here a few times, but never the address tester. NANAE folk seem to mention it a lot too. I put a few addresses into it, and it does seem to be able to say whether an e-mail address exists or not, but ... I was wondering what kind of pitfalls there are to using it. It seems "too good to be true". TIA, Pop From nobody at devnull.spamcop.net Fri May 6 11:42:17 2005 From: nobody at devnull.spamcop.net (Pop) Date: Fri May 6 10:45:03 2005 Subject: [SpamCop-List] Re: Sober virus References: Message-ID: "Ook" wrote in message news:d5eqsv$7a8$1@news.spamcop.net... > I'm being inundated with sober virus emails - 1000+ a day at 75K a pop. > It overflowed my mail server limit and my email stopped until I could get > my ISP to increase the limit. I'm guessing there is nothing that can be > done about this - is anyone else being flooded with these? Is there hope > that this flood will slow down soon? > Talk to your ISP; they can shut that off easily if they're at all competent. Did you TELL them it was a virus? Pop From MikeE at ster.invalid Fri May 6 09:34:27 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri May 6 11:35:22 2005 Subject: [SpamCop-List] Re: Email Address Finder at DNS Stuff References: Message-ID: Pop wrote: > Has anyone here tried the e-mail address tester on > http://www.dnsstuff.com/ ? I just did, to see what you are talking about. > I looked briefly at them on google and they seem fine, and I think > I've seen them mentioned here a few times, but never the address > tester. NANAE folk seem to mention it a lot too. I use the tools there all the time, but not that domain mx tester at the bottom of the middle column in the 'other tests' section called: E-mail Test - Enter E-mail address or domain ? - Are there problems sending mail to a user or domain? and then you push the 'Mail Test' button.
> I put a few addresses into it, and it does seem to be able to say
> whether an e-mail address exists or not, but ... I was wondering what
> kind of pitfalls there are to using it. It seems "too good to be
> true".

That tool simply finds the mxes for a domainname and checks to see if it can connect to all of the mxes. It doesn't test for the username in any way.

The tool in SamSpade for win has a little algorithm by which it connects with the mx and checks a rcpt to for the username to get some kind of result, and then it checks a rcpt to a bogusname to compare.

Sometimes you can find out that a username doesn't exist at the domainname, sometimes you can't.

--
Mike Easter
kibitzer, not SC admin

From eddie at eddie.web Fri May 6 12:45:20 2005
From: eddie at eddie.web (eddie)
Date: Fri May 6 11:50:02 2005
Subject: [SpamCop-List] Re: Anyone know the MS address to report suspected piracy?
References:
Message-ID:

On Fri, 06 May 2005 07:16:39 -0700, Possum Trot scratched out the following:

,zilch.

Here's an excellent website with many reporting addresses, including piracy:
http://banspam.javawoman.com/report3/piracy1.html

--
Once movie theaters gave out steak knives
Today they confiscate them

From phantom523 at no-spam.gmail.com Fri May 6 12:21:20 2005
From: phantom523 at no-spam.gmail.com (Lance)
Date: Fri May 6 12:25:03 2005
Subject: [SpamCop-List] Zero hour is up
Message-ID:

Our mail servers 216.229.64.71, 216.229.64.72, 216.229.64.73 are currently still showing as blocked even though it has reached the zero hour. When exactly does the delisting happen?
Thanks, Lance

From nobody at spamcop.net Fri May 6 13:50:53 2005
From: nobody at spamcop.net (indigo)
Date: Fri May 6 12:55:02 2005
Subject: [SpamCop-List] Re: Email Address Finder at DNS Stuff
References:
Message-ID:

Mike Easter wrote:
> The tool in SamSpade for win has a little algorithm by which it
> connects with the mx and checks a rcpt to for the username to get
> some kind of result, and then it checks a rcpt to a bogusname to
> compare.

Which tool is that? I tried the SMTP tool and that didn't work. Nothing else looks obvious as to the tool you're referring to.....

From Vanguard at domain.invalid Fri May 6 13:24:04 2005
From: Vanguard at domain.invalid (Vanguard)
Date: Fri May 6 13:25:03 2005
Subject: [SpamCop-List] Re: Anyone know the MS address to report suspected piracy?
References:
Message-ID:

"Possum Trot" wrote in message news:d5fucu$ojf$1@news.spamcop.net...
>
>

Um, how about Microsoft?
http://www.microsoft.com/piracy/Reporting.mspx

From averyc at spamcop.net Fri May 6 14:49:06 2005
From: averyc at spamcop.net (Christopher Avery)
Date: Fri May 6 14:50:05 2005
Subject: [SpamCop-List] web4presence.com?
Message-ID:

My wife gets a lot of spam that spamcop says should be reported to abuse@web4presence.com. But of course that email address is being /dev/null'ed by spamcop.

Is there any information about this spammer somewhere? Also, can spamcop find an upstream provider to report to instead? Thanks.

--
-- Chris Avery
averyc@spamcop.net

From nobody at spamcop.net Fri May 6 16:36:45 2005
From: nobody at spamcop.net (Ellen)
Date: Fri May 6 15:55:02 2005
Subject: [SpamCop-List] Re: Zero hour is up
References:
Message-ID:

"Lance" wrote in message news:d5g5if$stb$1@news.spamcop.net...
> Our mail servers 216.229.64.71,
delisted: 5/6/2005 11:05:01 AM -0400
216.229.64.72,
delisted: 5/6/2005 11:05:01 AM -0400
216.229.64.73
delisted: 5/6/2005 11:05:01 AM -0400
> are currently
> still showing as blocked even though it has reached the zero hour.
> When exactly does the delisting happen?
>

Once an IP reaches the "0" hour then it can take up to 2 or 3 hours for the information to propagate thru the various cron jobs to the mirrors. Will be delisted in 0 hours means it has started into the delist process.

Ellen

From MikeE at ster.invalid Fri May 6 14:00:25 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Fri May 6 16:00:02 2005
Subject: [SpamCop-List] Re: Email Address Finder at DNS Stuff
References:
Message-ID:

indigo wrote:
> Mike Easter wrote:
>> The tool in SamSpade for win has a little algorithm by which it
>> connects with the mx and checks a rcpt to for the username to get
>> some kind of result, and then it checks a rcpt to a bogusname to
>> compare.
>
> Which tool is that? I tried the SMTP tool and that didn't work.
> Nothing else looks obvious as to the tool you're referring to.....

You start by putting an email addy into the L window; there needs to be some preliminary configuration in options such as an email address for the mail from command part. Then the Basics menu will have a functional selection called 'SMTP Verify'. That algorithm tries to use expn and vrfy, which 'never' work, and it also does the rcpt to I described.

--
Mike Easter
kibitzer, not SC admin

From nobody at nowhere.invalid Fri May 6 23:52:30 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Fri May 6 16:55:28 2005
Subject: [SpamCop-List] Re: Sober virus
References:
Message-ID:

On Fri, 6 May 2005 10:42:17 -0400, Pop coughed into spamcop and left this in :

> Talk to your ISP; they can shut that off easily if they're at all competent.
> Did you TELL them it was a virus?

If the ISP was competent, it wouldn't need telling. Its antivirus filters would already be up to date and the viral flood would be a non-story by now.

--
Steve
Stupidity is NOT a handicap. Park elsewhere!

From nttp.sc.s at bigsleep.org Sat May 7 00:00:33 2005
From: nttp.sc.s at bigsleep.org (Blammo)
Date: Fri May 6 19:05:06 2005
Subject: [SpamCop-List] Re: "One in 20 'fall for online fraud'"
References:
Message-ID:

On 04 May 2005 eddie entered spamcop and left news:pan.2005.05.05.00.38.25.362000@eddie.web:

> like Homer Simpson slamming the car door on his finger,
> over and over and over, yelling Ouch! each time and then doing it
> again :)
>

More like Lisa's shock experiment on Bart. That'd probably work on Homer too, just hook a shocker up to his donut.

--
| Ric |

From agent01413 at my-deja.com Sat May 7 00:32:00 2005
From: agent01413 at my-deja.com (Socks the Whitehouse Cat)
Date: Fri May 6 19:35:03 2005
Subject: [SpamCop-List] Re: web4presence.com?
References:
Message-ID:

"Christopher Avery" wrote in news:d5ge7f$1ti$1@news.spamcop.net:

> My wife gets a lot of spam that spamcop says should be reported to
> abuse@web4presence.com. But of course that email address is being
> /dev/null'ed by spamcop.
>
> Is there any information about this spammer somewhere? Also, can
> spamcop find an upstream provider to report to instead? Thanks.
>

OPENRBL WHOIS says to use postmaster@jriad.info for that one

--
"...Life is not a journey to the grave with the intention of arriving safely in one pretty and well preserved piece, but to slide across the finish line broadside, thoroughly used up, worn out, leaking oil, and shouting GERONIMO!!!" -- Bill McKenna, date unknown

From nobody at devnull.spamcop.net Fri May 6 21:17:27 2005
From: nobody at devnull.spamcop.net (Pop)
Date: Fri May 6 20:20:10 2005
Subject: [SpamCop-List] Re: Email Address Finder at DNS Stuff
References:
Message-ID:

"Mike Easter" wrote in message news:d5g2md$r1d$1@news.spamcop.net...
> Pop wrote:
>> Has anyone here tried the e-mail address tester on
>> http://www.dnsstuff.com/ ?
> ...
>
> That tool simply finds the mxes for a domainname and checks to see if it
> can connect to all of the mxes.
> It doesn't test for the username in any way.
> ...
> --
> Mike Easter
> kibitzer, not SC admin
>

Thanks, Mike, the dns stuff explanation is about what I expected to hear, but fiddling with it some more tonight, looking for a pattern or whatever, I'm getting 100% correct responses. I did notice it's using a "relay recipient table", whatever that is, and there are both smtp and mx information. There's a lot I don't know, so here's my argument so you can maybe figure out where I'm coming from:

If I use nobody@spamcop.net, I get several lines of:
"Got an unknown RCPT TO response: 550 sorry, no such user here"

Using My personal address, I get:
" [Successful connect: Got a good response [250 Ok]]"

Another of my real addresses, this one at Yahoo:
"Got a good response [250 recipient ok]]"

My own address but munged to uselessness:
"Got an unknown RCPT TO response: 550 : Recipient address rejected: User unknown in relay recipient table"

So, there are at least two different negative responses: user rejected, and no such user.

BTW, how/where/how-important is, a "relay recipient table"?

I've tested it with every address I can think of without looking them up; probably about fifteen of them, and each time it says the recipient is "OK". But, frogging up the addresses gets me the 550.

I guess the key is what 250, 520, and 550 messages are.

Occasionally I'll get:
"Could not connect: Connection closed before I received all my data"
but if I retry it, it'll usually work and other smtp's or mx's will instead have those messages and the previous couldn't connects now work.

Soooo, knowing better than to say you're wrong (I always *lose* when I say that!), I'm still wondering about what the down-side is. I mean other than the obvious problems that can come up such as abandoned accounts, anymail goes to one address type stuff, which I think I understand. I suppose it reverts to whatever the "relay recipient table" is, but ... I don't know what the implication is.

Regards,
Pop

From jr70 at blackhole.invalid Fri May 6 18:29:24 2005
From: jr70 at blackhole.invalid (John Richards)
Date: Fri May 6 20:30:04 2005
Subject: [SpamCop-List] Re: Internic/Gandi registration problems take rediculously long to resolve
References:
Message-ID:

"Karl-Josef Ziegler" wrote in message news:d5dhf4$hge$1@news.spamcop.net...
> John Richards wrote:
>
>> There should be an exemption for non-commercial domain owners.
>> I own a vanity domain, but it is for personal use only. I used my
>> registrar's address as the address listed in my domain registration.
>> I don't want stalkers and other malcontents coming to my
>> residence.
>
> And there are countries which require by law that on each website (also
> private ones, not only commercials!) the owner and email contact must be
> mentioned. There must be shown a person who is legally responsible for
> the content of each website. Otherwise you will have the risk to pay a
> penalty.

Then how can registrars like GoDaddy.com legally offer "private" registration which hides the owner's personal information?
https://www.godaddy.com/gdshop/dbp/landing.asp?se=%2B&ci=717

--
John Richards

From MikeE at ster.invalid Fri May 6 21:06:26 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Fri May 6 23:05:07 2005
Subject: [SpamCop-List] Re: Email Address Finder at DNS Stuff
References:
Message-ID:

Pop wrote:
> "Mike Easter"
>> That tool simply finds the mxes for a domainname and checks to see
>> if it can connect to all of the mxes. It doesn't test for the
>> username in any way.

> If I use nobody@spamcop.net, I get several lines of:
> "Got an unknown RCPT TO response: 550 sorry, no such user here"

You are correct. That tester /does/ test for rcpt to - I misinterpreted what I saw before. But testing the rcpt to is all it does, it doesn't also test with a bogus rcpt to. You would need to do that as a separate operation for the mxes which accept any username for the domain they serve.

> Using My personal address, I get:
> " [Successful connect: Got a good response [250 Ok]]"
>
> Another of my real addresses, this one at Yahoo:
> "Got a good response [250 recipient ok]]"

Many mxes will give you a 250 no matter what username is attached to their domainname.

> My own address but munged to uselessness:
> "Got an unknown RCPT TO response: 550 : Recipient address rejected:
> User unknown in relay recipient table"

"My own address but munged to uselessness" is ambiguous as to how it was munged. If I use uselessness@yahoo.com I get a 250 OK.

> So, there are at least two different negative responses: user
> rejected, and no such user.

The tool is saying/ telling you/ what the mx server sed. The words attached to the 550 or whatever reject code is used.

> BTW, how/where/how-important is, a "relay recipient table"?

That sounds like a term that would be used for the domains that a mx is serving for.

> I've tested it with every address I can think of without looking them
> up; probably about fifteen of them, and each time it says the
> recipient is "OK". But, frogging up the addresses gets me the 550.

"frogging up the addresses" is ambiguous again. I'm assuming that when you frog up an address, you are changing the username only somehow. When you describe your experiment, you should make it clear to who is reading what has been changed.

> I guess the key is what 250, 520, and 550 messages are.

A 250 means the mx is saying OK continue with the transaction. Any kind of 5xx means that transaction is permanently rejected.

> Occasionally I'll get:
> "Could not connect: Connection closed before I received all my data"
> but if I retry it, it'll usually work and other smtp's or mx's will
> instead have those messages and the previous couldn't connects
> now work.
>
> Soooo, knowing better than to say you're wrong (I always *lose* when
> I say that!),

No. I was wrong. The tool is looking at the username in the rcpt to.
But, don't overinterpret what the meaning of accepting a username means. In some cases an mx will say 250 to a bogus username as well as a good username.

> I'm still wondering about what the down-side is.

The downside is only in the misinterpretation of what you are seeing.

> I
> mean other than the obvious problems that can come up such as
> abandoned accounts, anymail goes to one address type stuff, which I
> think I understand. I suppose it reverts to whatever the "relay
> recipient table" is, but ... I don't know what the implication is.

An mx might handle any number of different domainnames. So, if your addressee's domainname is in the list of acceptable domainnames, it can be accepted. Not if it is not.

--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Fri May 6 23:06:11 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Fri May 6 23:10:07 2005
Subject: [SpamCop-List] Spamvertized URL resolving issue - Someone from SpamCop responds
Message-ID:

For those of you that have been asking for input from "Someone from SpamCop" ... here's your response.

The Forum FAQ
http://forum.spamcop.net/forums/index.php?showtopic=2238

Contains an entry titled;
New! SpamCop reporting of spamvertized sites - some philosophy

Which links to an entry that includes commentary from myself, Mike Easter, Don (and by extension, Ellen)
http://forum.spamcop.net/forums/index.php?showtopic=4085

and for those not happy with the HTML version, a LoFi view
http://forum.spamcop.net/forums/lofiversion/index.php/t4085.html

From MikeE at ster.invalid Fri May 6 21:21:34 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Fri May 6 23:20:03 2005
Subject: [SpamCop-List] Re: Spamvertized URL resolving issue - Someone from SpamCop responds
References:
Message-ID:

WazoO wrote:
> New!
> SpamCop reporting of spamvertized sites - some philosophy
>
> Which links to an entry that includes commentary from
> myself, Mike Easter, Don (and by extension, Ellen)
> http://forum.spamcop.net/forums/index.php?showtopic=4085

Altho' in that response there's not any confirmation or denial or commentary about whether or not the parser intentionally bails 'immediately' - without waiting for any resolution under some conditions of resource management or something.

That is, there's the condition of the parser not finding a url, the condition of the parser finding an url but the url resolving poorly/ too slowly/ not/ for the SC resolver, and the /other/ condition of the parser finding an url and not trying to resolve it.

That 'other' condition seems to me to be something new or different which the parser didn't do at some time in the past -- realizing that the parser is a dynamic thing, always changing.

--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Fri May 6 23:53:54 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Fri May 6 23:55:03 2005
Subject: [SpamCop-List] Re: Spamvertized URL resolving issue - Someone from SpamCop responds
References:
Message-ID:

"Mike Easter" wrote in message news:d5hc48$h43$1@news.spamcop.net...
>
> Altho' in that response there's not any confirmation or denial or
> commentary about whether or not the parser intentionally bails
> 'immediately' - without waiting for any resolution under some
> conditions of resource management or something.

Although I surely agree, I did leave a bit of a hint that this wasn't something put together on a whim. There's been quite a bit of dialog just to get this far with getting an "official" response ... just doing the best I can

In Don's / Ellen's defense, some of what you are pointing out is probably covered under the "best not discussed" phrase ..
hard to guess what Julian's exact words might have been

From nobody at devnull.spamcop.net Sat May 7 00:04:08 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Sat May 7 00:05:03 2005
Subject: [SpamCop-List] Re: binary files
References:
Message-ID:

"Karen" wrote in message news:pan.2005.05.06.17.50.30.401412@spamcop.net...
> I've noticed something new in my last several email reports but do not see
> anything similar in my webpage of held mail:

I see no one has responded yet ... perhaps due to this being a SpamCop e-mail account issue which would normally be posted into the spamcop.mail newsgroup .. for perhaps a quicker answer, there are a number of other e-mail account folks over in the web forum, which is where JT has 'pushed' as the primary e-mail account support spot ....
http://forum.spamcop.net/forums/

To hopefully speed things up, I've 'posted' your query 'over there' .. maybe by the time you see this, answers will be in place ..???
http://forum.spamcop.net/forums/index.php?showtopic=4132

From SCNews.5.myspamgobbler at spamgourmet.com Fri May 6 22:22:05 2005
From: SCNews.5.myspamgobbler at spamgourmet.com (Brian (SnSR))
Date: Sat May 7 00:25:04 2005
Subject: [SpamCop-List] Re: Email Address Finder at DNS Stuff
In-Reply-To:
References:
Message-ID:

Mike Easter wrote:
> Pop wrote:
>
>>"Mike Easter"
>>
>>>That tool simply finds the mxes for a domainname and checks to see
>>>if it can connect to all of the mxes. It doesn't test for the
>>>username in any way.
>
>
>>If I use nobody@spamcop.net, I get several lines of:
>>"Got an unknown RCPT TO response: 550 sorry, no such user here"
>
>
> You are correct. That tester /does/ test for rcpt to - I misinterpreted
> what I saw before. But testing the rcpt to is all it does, it doesn't
> also test with a bogus rcpt to. You would need to do that as a separate
> operation for the mxes which accept any username for the domain they
> serve.
>
>
>>Using My personal address, I get:
>>" [Successful connect: Got a good response [250 Ok]]"
>>
>>Another of my real addresses, this one at Yahoo:
>>"Got a good response [250 recipient ok]]"
>

Yahoo responds the same whether a username is good or not. There are two ways that I know of to test yahoo addresses.

One is by going to
http://edit.yahoo.com/config/eval_register?.v=&.intl=&new=1&.done=http%3a//mail.yahoo.com&.src=ym&.partner=&.p=&promo=&.last=
and entering in the username part of the address in Yahoo! ID: and click the "Check Availability of This ID" button.

If it returns "Yahoo! ID uselessness is unavailable.", then the email address is likely valid. If it returns " Congratulations, the ID rti4396 is available!", then you have an invalid address.

The other is to put the username part of the email address into http://profiles.yahoo.com/"username" without the quotes. If it returns a profile, then the account is likely to still be active. If it returns "Sorry, but the profile you are looking for is not currently available," then it is not a valid address.

I use likely because I'm not sure about a lot of things that Yahoo does.

>
> Many mxes will give you a 250 no matter what username is attached to
> their domainname.
>
>
>>My own address but munged to uselessness:
>>"Got an unknown RCPT TO response: 550 : Recipient address rejected:
>>User unknown in relay recipient table"
>
>
> "My own address but munged to uselessness" is ambiguous as to how it was
> munged. If I use uselessness@yahoo.com I get a 250 OK.
>

That's because uselessness@yahoo.com is a valid email address according to my tests. Must be someone with low self esteem.

The tool that I use often is the email dossier at http://centralops.net/co/ . Not that it is necessarily any better than any other, I just find it convenient. The domain dossier I use often as well.
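
The comparison discussed in this thread (a RCPT TO for the real username read against a RCPT TO for a deliberately bogus one, because some MXes answer 250 to anything) can be written as a small offline classifier. This is an added example, not part of any poster's message: the function names and the multi-line sample reply are constructed, and the single-line reply texts are the ones quoted in the thread.

```python
import re
from dataclasses import dataclass

# One SMTP reply line: three-digit code, then '-' (more lines follow) or
# ' ' (final line), then free text. A bare code with no text is also final.
REPLY_LINE = re.compile(r"^(\d{3})(?:([ -])(.*))?$")


@dataclass
class Reply:
    code: int
    text: str


def parse_reply(raw):
    """Parse a possibly multi-line SMTP reply.

    Returns None when the reply is incomplete or malformed, which is what a
    tester sees when the connection closes before all data is received.
    """
    code, parts = None, []
    for line in raw.splitlines():
        m = REPLY_LINE.match(line)
        if not m:
            return None
        if code is not None and int(m.group(1)) != code:
            return None  # the code must not change inside one reply
        code = int(m.group(1))
        parts.append((m.group(3) or "").strip())
        if m.group(2) != "-":  # ' ' or nothing: this was the last line
            return Reply(code, " ".join(p for p in parts if p))
    return None  # ran out of lines without seeing a final line


def classify(real_raw, bogus_raw):
    """Interpret the reply for the real username against the control reply
    for a bogus username at the same domain.

    'rejected'     : the server permanently refused the real username (5xx)
    'accepted'     : 250 for the real name and 5xx for the bogus one, so the
                     250 actually says something about the username
    'inconclusive' : 250 for both, the server accepts any username
    'retry'        : incomplete reply or a temporary (4xx) answer
    """
    real, bogus = parse_reply(real_raw), parse_reply(bogus_raw)
    if real is None or bogus is None:
        return "retry"
    if 500 <= real.code < 600:
        return "rejected"
    if 400 <= real.code < 500 or 400 <= bogus.code < 500:
        return "retry"
    if 200 <= real.code < 300 and 200 <= bogus.code < 300:
        return "inconclusive"
    if 200 <= real.code < 300 and 500 <= bogus.code < 600:
        return "accepted"
    return "unknown"


def run_samples():
    """Classify reply pairs built from the texts quoted in the thread."""
    no_user = "550 sorry, no such user here"
    relay = ("550 : Recipient address rejected: "
             "User unknown in relay recipient table")
    multiline = "550-5.1.1 no such user\r\n550 5.1.1 rejected"  # constructed
    return {
        "distinguishing server": classify("250 Ok", no_user),
        "accepts anything": classify("250 recipient ok", "250 recipient ok"),
        "munged username": classify(relay, relay),
        "multi-line reject": classify(multiline, multiline),
        "connection closed": classify("", "250 Ok"),
    }


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:24s} {verdict}")
```

Even an "accepted" result only says the server took the recipient at that stage of the transaction; it says nothing about whether anyone still reads the mailbox.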

From SCNews.5.myspamgobbler at spamgourmet.com Fri May 6 22:32:08 2005
From: SCNews.5.myspamgobbler at spamgourmet.com (Brian (SnSR))
Date: Sat May 7 00:35:02 2005
Subject: [SpamCop-List] Re: web4presence.com?
In-Reply-To:
References:
Message-ID:

Socks the Whitehouse Cat wrote:
> "Christopher Avery" wrote in
> news:d5ge7f$1ti$1@news.spamcop.net:
>
>
>>My wife gets a lot of spam that spamcop says should be reported to
>>abuse@web4presence.com. But of course that email address is being
>>/dev/null'ed by spamcop.
>>
>>Is there any information about this spammer somewhere? Also, can
>>spamcop find an upstream provider to report to instead? Thanks.
>>
>
>
> OPENRBL WHOIS says to use postmaster@jriad.info for that one
>

Both addresses belong to the spammers. I have been reporting a lot of web4presence spam to the FTC and the SEC for awhile now. I keep hoping that they gather enough evidence and shut them down. Their spew is the only mail I get to a couple of old hotmail accounts and it makes it past the spam filters. I keep reporting it as spam to hotmail, but it doesn't seem to matter. It usually comes as a pair, one pump and dump and one give-a-way that I believe is used as an email harvester. The last one I checked out goes through three redirects before getting to the spam content.

This is Ralsky.
http://www.spamhaus.org/SBL/sbl.lasso?query=SBL25586

From nobody at spamcop.net Fri May 6 23:27:58 2005
From: nobody at spamcop.net (N. Miller)
Date: Sat May 7 01:30:03 2005
Subject: [SpamCop-List] Re: Email Address Finder at DNS Stuff
References:
Message-ID: <1ounpf63l5yqx.dlg@news.spamcop.net>

On Fri, 6 May 2005 20:17:27 -0400, Pop wrote:

> Occasionally I'll get:
> "Could not connect: Connection closed before I received all my data"
> but if I retry it, it'll usually work and other smtp's or mx's will instead
> have those messages and the previous couldn't connects now work.

If you tried that experiment on my domain, the fourth failed RCPT TO would cause that problem for you. I expect that some domains will also log connections where the connecting server bails on the nth successful RCPT TO because that appears to be a "dictionary attack" on that domain.

--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint

From nobody at spamcop.net Sat May 7 01:50:13 2005
From: nobody at spamcop.net (NerdRevenge)
Date: Sat May 7 03:45:06 2005
Subject: [SpamCop-List] Re: Zero hour is up
References:
Message-ID:

"Lance" wrote in message news:d5g5if$stb$1@news.spamcop.net...
> Our mail servers 216.229.64.71, 216.229.64.72, 216.229.64.73 are currently
> still showing as blocked even though it has reached the zero hour. When
> exactly does the delisting happen?
>

Once the spam stops

> Thanks, Lance
>

From bar_n0ne at hotmail.com Sat May 7 14:07:55 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Sat May 7 05:10:24 2005
Subject: [SpamCop-List] Cavtel.net, pretty Cavalier? (sober)
Message-ID:

I've been getting a steady stream (>100 in a day) of sober viruses from the same IP at Cavtel.net:

66.160.72.2

Both manual and SC larts have no effect after more than 36 hours of the spew.

By the way folks, if you do use SC to lart, uncheck the links, they are innocent. This virus also seems to be designed to be a joe job generator.

From nobody at nowhere.invalid Sat May 7 12:44:55 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Sat May 7 05:45:06 2005
Subject: [SpamCop-List] Re: Cavtel.net, pretty Cavalier? (sober)
References:
Message-ID:

On Sat, 7 May 2005 13:07:55 +0400, Berny coughed into spamcop and left this in :

> I've been getting a steady stream (>100 in a day) of sober viruses from the
> same IP at Cavtel.net:

Why has your ISP been letting them get to your mailspool in the first place?

I'm extremely lucky in that hardly any viruses are ever sent to me, but this month so far 2 of those were sent. The antivirus running on my server (ClamAV) detected them and procmail shunted them away from my mailbox:

------- Possible virus: Worm.Sober.P FOUND ---------
>From MAILER-DAEMON Tue May 3 08:30:39 2005
Subject: Delivery Status Notification (Failure)
Folder: /usr/local/junk/viruses200505 80881
------- Possible virus: Worm.Sober.P FOUND ---------
>From xxxx@xxxxxxxxx Sat May 7 08:39:20 2005
Subject: Returned mail: see transcript for details
Folder: /usr/local/junk/viruses200505 77457

--
Steve
Tomorrow is cancelled due to lack of interest.

From bar_n0ne at hotmail.com Sat May 7 15:53:17 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Sat May 7 06:55:03 2005
Subject: [SpamCop-List] Re: Cavtel.net, pretty Cavalier? (sober)
References:
Message-ID:

"Steven Maesslein" wrote in message news:slrnd7p3gn.3hm.nobody@127.0.0.1...
> On Sat, 7 May 2005 13:07:55 +0400, Berny coughed into spamcop and left
> this in :
>
SNIP
> Why has your ISP been letting them get to your mailspool in the first
> place?

Ask Yahoo that. I have no idea if Yahoo fails to catch them, or doesn't check until you try to open them, or what. I only discovered it was a "sober" when I pressed "view original mail"-during a SC parse. It seems there was enough of the mime text available for Norton to notice and recognize that the browser cache was "infected".

From kjz at despammed.com Sat May 7 14:02:13 2005
From: kjz at despammed.com (Karl-Josef Ziegler)
Date: Sat May 7 07:05:02 2005
Subject: [SpamCop-List] Re: Internic/Gandi registration problems take rediculously long to resolve
In-Reply-To:
References:
Message-ID:

John Richards wrote:

> Then how can registrars like GoDaddy.com legally offer "private" registration
> which hides the owner's personal information?
> https://www.godaddy.com/gdshop/dbp/landing.asp?se=%2B&ci=717

Because GoDaddy is located in the USA, which has no such requirements.
Registrars in other countries may have other legal regulations. That's one of the general problems with the net: it's global but law enforcement only is national. So criminals can evade to the country with the 'softest' legislation.

- kjz

From nobody at nowhere.invalid Sat May 7 14:32:00 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Sat May 7 07:35:03 2005
Subject: [SpamCop-List] Re: Cavtel.net, pretty Cavalier? (sober)
References:
Message-ID:

On Sat, 7 May 2005 14:53:17 +0400, Berny coughed into spamcop and left this in :

>> Why has your ISP been letting them get to your mailspool in the first
>> place?
>
> Ask Yahoo that.

Yahpoo! Uhh, OK, say no more. It all makes sense now.

--
Steve
There are only 10 kinds of people in the world: Those who understand binary, and those who don't.

From nobody at devnull.spamcop.net Sat May 7 11:05:12 2005
From: nobody at devnull.spamcop.net (Pop)
Date: Sat May 7 10:10:04 2005
Subject: [SpamCop-List] Re: Email Address Finder at DNS Stuff
References:
Message-ID:

...
>> Another of my real addresses, this one at Yahoo:
>> "Got a good response [250 recipient ok]]"
>
> Many mxes will give you a 250 no matter what username is attached to
> their domainname.

===> Yes, that I understand. I learned that right here at SC, in fact. I think one could determine that though by munging an address or two and see what happens.

>
>> My own address but munged to uselessness:
>> "Got an unknown RCPT TO response: 550 : Recipient address rejected:
>> User unknown in relay recipient table"
>
> "My own address but munged to uselessness" is ambiguous as to how it was
> munged. If I use uselessness@yahoo.com I get a 250 OK.

===> OOPS! I didn't notice that! So much for my "testing" abilities! It brings out your point rather well; always finish the tests!

>
>> So, there are at least two different negative responses: user
>> rejected, and no such user.
>
> The tool is saying/ telling you/ what the mx server sed.
> The words attached to the 550 or whatever reject code is used.
>
>> BTW, how/where/how-important is, a "relay recipient table"?
>
> That sounds like a term that would be used for the domains that a mx is
> serving for.
>
>> I've tested it with every address I can think of without looking them
>> up; probably about fifteen of them, and each time it says the
>> recipient is "OK". But, frogging up the addresses gets me the 550.
>
> "frogging up the addresses" is ambiguous again. I'm assuming that when
> you frog up an address, you are changing the username only somehow.
> When you describe your experiment, you should make it clear to who is
> reading what has been changed.

===> Yeah, you're right. I'd change one character in the username to see what happened. Had they come back with a hit, I'd have tried adding or deleting a character to see what happened, but never had to.

>
>> I guess the key is what 250, 520, and 550 messages are.
>
> A 250 means the mx is saying OK continue with the transaction. Any kind
> of 5xx means that transaction is permanently rejected.
>
>> Occasionally I'll get:
>> "Could not connect: Connection closed before I received all my data"
>> but if I retry it, it'll usually work and other smtp's or mx's will
>> instead have those messages and the previous couldn't connects
>> now work.
...
> No. I was wrong. The tool is looking at the username in the rcpt to.
> But, don't overinterpret what the meaning of accepting a username means.
> In some cases an mx will say 250 to a bogus username as well as a good
> username.

===> Yup. I'll try to keep that in mind.

>
>> I'm still wondering about what the down-side is.
>
> The downside is only in the misinterpretation of what you are seeing.
>
...
> An mx might handle any number of different domainnames. So, if your
> addressee's domainname is in the list of acceptable domainnames, it can
> be accepted. Not if it is not.

===> Ah, I see!
So there could be multiple "John@"s which means you wouldn't know that. But, this would only be an issue in the case of a forged address, true? The user's address would contain the relevant domainname unless he was forging it. Which makes it more widespread than just in the mx serves multiple domainnames case. I'll have to remember that too, in case it makes any difference in the future.

>
> --
> Mike Easter
> kibitzer, not SC admin
>

Just FYI, what I'm doing is probing around trying to verify some addresses of some scum who have invaded a newsgroup and are disrupting it to the point of near uselessness. Mostly just to see if I can do it, but it might come in handy if they don't go away in a reasonable length of time.

Regards,
Pop

From nobody at devnull.spamcop.net Sat May 7 11:14:31 2005
From: nobody at devnull.spamcop.net (Pop)
Date: Sat May 7 10:15:03 2005
Subject: [SpamCop-List] Re: Email Address Finder at DNS Stuff
References:
Message-ID:

...
>
> Yahoo responds the same whether a username is good or not.

===> Yup, as Mike pointed out! I didn't finish the work on that one! I looked for myself just for grins, and you're 100% correct.

> There are two
> ways that I know of to test yahoo addresses.
>
> One is by going to
> http://edit.yahoo.com/config/eval_register?.v=&.intl=&new=1&.done=http%3a//mail.yahoo.com&.src=ym&.partner=&.p=&promo=&.last=
> and entering in the username part of the address in Yahoo! ID: and click
> the "Check Availability of This ID" button.
>
> If it returns "Yahoo! ID uselessness is unavailable.", then the email
> address is likely valid. If it returns " Congratulations, the ID
> rti4396 is available!", then you have an invalid address.

===> Fortunately I'm not too interested in the Yahoo's et al, but that might work. I'll check it out more fully to see how accurate it is. I'm wondering if they actually remove old addresses or not. I've heard they don't. Course, a past ISP I had did that, too.
My old address is still there, and it's been years since I used them. I can't access the account, but I can send mail to it. So, there are gotcha's all over the place. > > The other is to put the username part of the email address into > http://profiles.yahoo.com/"username" without the quotes. If it returns a > profile, then the account is likely to still be active. ===> I don't think profiles are very useful. It's a simply keyclick to keep your profile off the screen as I recall. I've tried to access my own profile at Yahoo and it won't let me. So, to appearances, that way, I'm not there. But, IF it found a profile, you're right, it would be a verification. Just not finding it isn't a verification it's NOT there. Thanks for the input Regards, Pop From SCNews.5.myspamgobbler at spamgourmet.com Sat May 7 08:40:26 2005 From: SCNews.5.myspamgobbler at spamgourmet.com (Brian (SnSR)) Date: Sat May 7 10:45:04 2005 Subject: [SpamCop-List] Re: Email Address Finder at DNS Stuff In-Reply-To: References: Message-ID: Pop wrote: > ... > >>The other is to put the username part of the email address into >>http://profiles.yahoo.com/"username" without the quotes. If it returns a >>profile, then the account is likely to still be active. > > ===> I don't think profiles are very useful. It's a simply keyclick to keep > your profile off the screen as I recall. I've tried to access my own > profile at Yahoo and it won't let me. So, to appearances, that way, I'm not > there. But, IF it found a profile, you're right, it would be a > verification. Just not finding it isn't a verification it's NOT there. > That's not true. There is no way to hide your profile, so it is a good way to determine that it's _not_ there. From Yahoo Help: "It is not possible to delete the profile associated with your main Yahoo! ID on the My Profiles page. Profiles for your main Yahoo! ID or your Yahoo! Mail account can only be deleted by closing your account and removing all of the information they contain. 
If you don't want any information displayed on the profile for your Yahoo! ID or Mail account, simply remove all of the content in the profile." From MikeE at ster.invalid Sat May 7 09:34:55 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat May 7 11:35:07 2005 Subject: [SpamCop-List] Re: Email Address Finder at DNS Stuff References: Message-ID: Pop wrote: > Just FYI, what I'm doing is probing around trying to verify some > addresses of some scum who have invaded a newsgroup and are > disrupting it to the point of near uselessness. Mostly just to see > if I can do it, but it might come in handy if they don't go away in a > reasonable length of time. Disruptive trolls don't normally use a good From; in fact they would be more likely to spoof someone else's identity; so I wouldn't be looking at the From at all. I would be sizing them up from their ability to obscure themselves; are they using a newsserver that provides the nntp or are they not; are they using an anonymizing remailer or are they not; can you recognize their 'handwriting' and other nyms they've posted under. Things like that. The From would be the last thing [namely not at all] I would use to help me figure out a disruptive troll -- Mike Easter kibitzer, not SC admin From not at home.today Sat May 7 17:51:18 2005 From: not at home.today (Ant) Date: Sat May 7 11:55:30 2005 Subject: [SpamCop-List] Re: Spamvertized URL resolving issue - Someone from SpamCop responds References: Message-ID: "WazoO" wrote: > For those of you that have been asking for input from > "Someone from SpamCop" ... here's your response. > > The Forum FAQ > http://forum.spamcop.net/forums/index.php?showtopic=2238 > > Contains an entry titled; > New! 
SpamCop reporting of spamvertized sites - some philosophy > > Which links to an entry that includes commentary from > myself, Mike Easter, Don (and by extension, Ellen) > http://forum.spamcop.net/forums/index.php?showtopic=4085 Thanks for that information, but it does not address the problem of the parser finding a link and giving no message about the tracking of that link. If the parser has problems it will often say "no links found" or "cannot resolve". However, when it says nothing at all after "resolving link obfuscation" and showing a link which it *has* found, we are left wondering if there has been an error, or if this is by design. I can accept the reasons why it sometimes can't find links or cannot resolve them, and that sometimes things are "best not discussed", but I believe completion should be evident for all attempted or abandoned link resolutions. A message simply stating "tracking abandoned" would be better than nothing. That way people do not have to waste time, or Spamcop's resources, in repeatedly refreshing the parse because they think there has been some sort of error. From MikeE at ster.invalid Sat May 7 10:06:13 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat May 7 12:05:03 2005 Subject: [SpamCop-List] Re: Spamvertized URL resolving issue - Someone from SpamCop responds References: Message-ID: Ant wrote: > we are left wondering if there has been an error, or if this is by > design. > I can accept the reasons why it sometimes can't find links or cannot > resolve them, and that sometimes things are "best not discussed", > but I believe completion should be evident for all attempted or > abandoned link resolutions. A message simply stating "tracking > abandoned" would be better than nothing. That way people do not have > to waste time, or Spamcop's resources, in repeatedly refreshing the > parse because they think there has been some sort of error. 
I'm not much of a fan of security by obscurity -- and your point about the resource management or misuse by refreshing is an excellent one. Perhaps there's a cache process or something. I can't figger it out yet. Sometimes the parser wants to spend a really really long time not resolving something; and sometimes it doesn't want to spend any time at all not resolving something. Like "I've already decided that I'm not going to mess with that." vs "I keep thinking I'm going to get this one resolved." -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Sat May 7 10:14:04 2005 From: nobody at spamcop.net (N. Miller) Date: Sat May 7 12:15:03 2005 Subject: [SpamCop-List] Re: Cavtel.net, pretty Cavalier? (sober) References: Message-ID: On Sat, 7 May 2005 14:53:17 +0400, Berny wrote: > "Steven Maesslein" wrote in message > news:slrnd7p3gn.3hm.nobody@127.0.0.1... >> On Sat, 7 May 2005 13:07:55 +0400, Berny coughed into spamcop and left >> this in : >> SNIP >> Why has your ISP been letting them get to your mailspool in the first >> place? > Ask Yahoo that. I have no idea if Yahoo fails to catch them, or doesn;t > check until you try to open them, or what. > > I only discovered it was a "sober" when I pressed "view oringinal > mail"-during a SC parse. It seems there was enough of the mime text > available for Norton to noticeand recognize that the browser cache was > "infected". Are you downloading the contents of your Bulk Mail folder? In my case, Yahoo! has been routing viral infected email to the Bulk Mail folder on a regular basis; the ones that their virus checker is missing. -- Norman ~Win dain a lotica, En vai tu ri, Si lo ta ~Fin dein a loluca, En dragu a sei lain ~Vi fa-ru les shutai am, En riga-lint From dhill at cricalix.net Sat May 7 21:24:08 2005 From: dhill at cricalix.net (Duncan Hill) Date: Sat May 7 15:25:25 2005 Subject: [SpamCop-List] Re: Cavtel.net, pretty Cavalier? 
(sober) References: Message-ID: Berny wrote: > I've been getting a steady stream (>100 in a day) of sober viruses from > the same IP at Cavtel.net: > > 66.160.72.2 66-160-72-114-ntkk.cavtel.net has been hitting one of $dayjob's nodes fairly heavily - ~6400 at last check. The AV engines are doing their job though. Can't remember if I larted abuse or not, but I think at this point that IP address is going into a blackhole. From wb8tyw at qsl.network Sat May 7 18:02:12 2005 From: wb8tyw at qsl.network (John E. Malmberg) Date: Sat May 7 17:05:06 2005 Subject: [SpamCop-List] Re: Cavtel.net, pretty Cavalier? (sober) In-Reply-To: References: Message-ID: Duncan Hill wrote: > Berny wrote: > >>I've been getting a steady stream (>100 in a day) of sober viruses from >>the same IP at Cavtel.net: >> >>66.160.72.2 Dynamic/Residential IP range listed by NJABL dynablock - http://njabl.org/dynablock.html Find out what DHCP list your ISP is using and then ask them why it is missing this range and when the omission is going to be corrected. > 66-160-72-114-ntkk.cavtel.net has been hitting one of $dayjob's nodes fairly > heavily - ~6400 at last check. The AV engines are doing their job though. > Can't remember if I larted abuse or not, but I think at this point that IP > address is going into a blackhole. Dynamic/Residential IP range listed by NJABL dynablock - http://njabl.org/dynablock.html Find out why your $dayjob is still accepting e-mail from DHCP pools, or why the DHCP pool list they are using does not have this range as above. Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=66.160.72.114 And if they are using the sbl-xbl.spamhaus.org the virus should not even be getting to the virus screening software. Accepting spam/viruses from DHCP or sbl-xbl.spamhaus.org listed addresses only increases the cost of operating the mail servers. If an I.P. 
address is listed in as a DHCP address or in the sbl-xbl.spamhaus.org, if there is a real mail server there they are used to most of the world refusing their e-mail already. Currently MAP-DUL and SORBS-DUHL, and the PDL are not listing either I.P. address as dynamic. Of course these virus infections are probably causing network slowdowns and outages for cavtel.net customers on the same subnet so how ever bad your network is being hit, the damage to the real customers of cavtel.net is probably worse. -John wb8tyw@qsl.network Personal Opinion Only From wb8tyw at qsl.network Sat May 7 18:13:55 2005 From: wb8tyw at qsl.network (John E. Malmberg) Date: Sat May 7 17:15:03 2005 Subject: [SpamCop-List] Re: Spamvertized URL resolving issue - Someone from SpamCop responds In-Reply-To: References: Message-ID: As a further date point, some of the pirated software spammers were apparently running both the web sites and the DNS servers on zombied computers. One ISP administrator showed up on this forum where he discovered such services running on a zombie after receiving a spamcop.net report. So when one of those zombies was taken out, there might be a delay before a backup or a replacement zombie was being brought in. Tracing back the registration of the DNS server of a web server that is running on a zombie will sometimes show that the DNS server is only used by the spammer, and in some cases it will show that the domain for the DNS server is actually also a through away domain that is pointed to by a DNS server that is owned by the spammer. Such spammers may have taken measures to make sure that the DNS servers only answer queries from source that they do not think are spam reporting services. -John wb8tyw@qsl.network Personal Opinion Only From bar_n0ne at hotmail.com Sun May 8 10:18:45 2005 From: bar_n0ne at hotmail.com (Berny) Date: Sun May 8 01:20:05 2005 Subject: [SpamCop-List] Re: Cavtel.net, pretty Cavalier? 
(sober)
References:
Message-ID:

"Duncan Hill" wrote in message news:d5j4ja$d9c$1@news.spamcop.net...
> Berny wrote:
>
> > I've been getting a steady stream (>100 in a day) of sober viruses from
> > the same IP at Cavtel.net:
> >
> > 66.160.72.2
>
> 66-160-72-114-ntkk.cavtel.net has been hitting one of $dayjob's nodes fairly
> heavily - ~6400 at last check. The AV engines are doing their job though.
> Can't remember if I larted abuse or not, but I think at this point that IP
> address is going into a blackhole.

Please LART, it's not been listed at all, so either I'm the only SC reporter getting these, or the only one LARTing, according to Ironport, mail volume out of the box is low, so that next reporter ought to get it listed.

From bar_n0ne at hotmail.com Sun May 8 10:36:06 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Sun May 8 01:40:02 2005
Subject: [SpamCop-List] Re: Cavtel.net, pretty Cavalier? (sober)
References:
Message-ID:

"N. Miller" wrote in message news:ytor9m2i3eep$.dlg@news.spamcop.net...
> On Sat, 7 May 2005 14:53:17 +0400, Berny wrote:
>
> Are you downloading the contents of your Bulk Mail folder? In my case,
> Yahoo! has been routing viral infected email to the Bulk Mail folder on a
> regular basis; the ones that their virus checker is missing.

No I am not.. I do report the entire contents though. I have no idea how some user in VA got that addy, It's only exposed in spams, or by a yahoo profiles cruiser.

From cchamb2 at qwest.net Sun May 8 11:19:32 2005
From: cchamb2 at qwest.net (Charles Chambers)
Date: Sun May 8 13:20:03 2005
Subject: [SpamCop-List] E-mail reporting
Message-ID:

Anyone noticed that e-mail reporting now has a lower priority than web-based reporting?

I submit spam through the web interface, and I can confirm it in about 15 seconds. I submit through e-mail, and I may have a 10 minute wait until SpamCop has processed it.
From salvisberg at spamcop.net Sun May 8 21:03:30 2005
From: salvisberg at spamcop.net (Hans Salvisberg)
Date: Sun May 8 13:55:02 2005
Subject: [SpamCop-List] Re: E-mail reporting
In-Reply-To:
References:
Message-ID:

Charles Chambers wrote:
> Anyone noticed that e-mail reporting now has a lower priority than web-based
> reporting?

That's only reasonable. You wouldn't want to wait 10 minutes glued to your web browser, would you?

> I submit spam through the web interface, and I can confirm it in about 15
> seconds. I submit through e-mail, and I may have a 10 minute wait until
> SpamCop has processed it.

Three weeks ago the backlog was more like 10 hours, so I'm pretty happy with 10 minutes. Besides, some of those 10 minutes might also be spent in transit.

Hans

From MikeE at ster.invalid Sun May 8 11:59:14 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sun May 8 14:00:02 2005
Subject: [SpamCop-List] Re: X-SpamCop-Checked Header Problem
References:
Message-ID:

Hans Salvisberg wrote:

www.spamcop.net/sc?id=z761051069z4a4e0561461b900de21e392678382551z
>
> lists
>
> X-SpamCop-Checked: 192.168.1.101 209.239.38.159
> X-SpamCop-Disposition: Blocked bl.spamcop.net

Yep.

> and I was under the impression, that the last IP listed would be the
> one that was blacklisted. But it's not so.

That is also what the faq sez http://www.spamcop.net/fom-serve/cache/312.html Why did this message get held? -- "The LAST IP in the X-SpamCop-Checked list is the one that resulted in the message being held"

> The one that apparently caused the message to be held is
> 194.230.198.46, which may very well be blacklisted (it's a dial-up
> modem of a large not-so-great ISP), even though this particular
> message is not spam.

The parser determines 194.230.198.46 to be the source. Source determination is not necessarily the same thing as why an item was flagged.
Abbreviated Received lines                                               *comment
from unknown (192.168.1.101) by blade6.cesmail.net                       *serves you
from host.idesigns.net (209.239.38.159) by mailgate.cesmail.net          *serves you, spews2 listed
from (mail.gmx.net [213.165.64.20]) by host.idesigns.net                 *serves you?
from pop-zh-12-1-dialup-46.freesurf.ch [194.230.198.46] by mail.gmx.net  *sourceline

> Is the X-SpamCop-Checked header unreliable?

I don't know your mailhost condition and I'm not able to interpret the condition of the parse on/for your mailhost setup, so I don't know if idesigns is 'yours' or not, so I put a ? beside it in the *comment section above

At the present time, 209.239.38.159 rDNS host.idesigns.net is not SCbl listed, but it is possible that it might have been at the time the item was flagged, in which case the SC X-line would be correct -- but since it isn't currently listed, it doesn't confirm.

SC trusts the idesigns and gmx servers to be a server/s, so it parses back thru' both the idesigns server and the gmx server to get to the 194 dynamic .ch IP.

The spews2 situation is a class 2 listing for a /25 netblock which is a 'threat' because the provider isn't getting rid of a spamvertiser

1, 209.239.38.227, host.vh3.jbx.com
2, 209.239.38.128/25, alabanza.com (host.vh3.jbx.com)

Spews wants Alabanza to get rid of host.vh3.jbx.com, and is saying that if alabanza doesn't do that, it is going to block the 128 IPs 209.239.38.128-209.239.38.255 which would include the idesigns server.

--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Sun May 8 14:40:25 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Sun May 8 14:45:03 2005
Subject: [SpamCop-List] Re: E-mail reporting
References:
Message-ID:

"Charles Chambers" wrote in message news:d5lhg8$hsl$1@news.spamcop.net...
> Anyone noticed that e-mail reporting now has a lower priority than web-based
> reporting?

That's per the original concept of adding in the e-mail submittal capability.
Office worker arrives in the morning, fires up e-mail app, handles/submits spam for processing, then actually gets to working at the real job, able to handle the actual parsing results and sending of complaints/reports as time became available during the rest of the day ....and this 'solution' was offered to resolve the complaints from folks that didn't want to hover over their screens, waiting for the web-page submittal process to finish up, especially when the "estimated time to process" was coming up with numbers like 7983 seconds ..... (coding error)

From nospam at dev.null Sun May 8 22:32:26 2005
From: nospam at dev.null (Anty Spam)
Date: Sun May 8 15:30:03 2005
Subject: [SpamCop-List] Report away -mail addresses dead
Message-ID:

Hi All

The following email addresses are now dead. So please do http://wdprs.internic.net/ if you meet them in domains.

whoisofdomain@yahoo.ca
kjhsdfjh23kjh4kjhs@yahoo.ca
jahesh321@yahoo.com
tokubetuyuushi@yahoo.co.jp

Cheers
E

PS: Maybe some overzealous harvester gets this, and bounces itself out of existence. Well... I may dream ;-)

From devnull at spamcop.net Sun May 8 16:54:16 2005
From: devnull at spamcop.net (Frog Prince)
Date: Sun May 8 16:25:03 2005
Subject: [SpamCop-List] Re: E-mail reporting
References:
Message-ID:

"Charles Chambers"
| Anyone noticed that e-mail reporting now has a lower priority than web-based
| reporting?
|
| I submit spam through the web interface, and I can confirm it in about 15
| seconds. I submit through e-mail, and I may have a 10 minute wait until
| SpamCop has processed it.

Works for me. fire up the old coffee pot, slam a few email reports, do a bit (or a lot) of caffeine then tag the bad boys go out of the porch and hold down the hammock until lunch.

From sbb78247 at gmail.com Sun May 8 22:55:14 2005
From: sbb78247 at gmail.com (sbb78247)
Date: Sun May 8 22:55:02 2005
Subject: [SpamCop-List] fucking test
Message-ID:

aaaaaaaaaaaaaaaaaaaahhhhhhhhhhhhhhhh!!!!!
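
The FAQ rule quoted in the X-SpamCop-Checked thread above (the last IP in the checked list is the one that held the message) follows if a filter walks the Received chain from the newest hop and stops at the first blocklisted IP. This is an added example, not SpamCop's code and not part of any post; the function names, the walk itself, the skipping of private addresses and the constructed listing are assumptions, while the Received lines and zone name come from the thread.

```python
import ipaddress
import re
import socket

# Received lines as abbreviated in the thread, newest hop first.
RECEIVED = [
    "from unknown (192.168.1.101) by blade6.cesmail.net",
    "from host.idesigns.net (209.239.38.159) by mailgate.cesmail.net",
    "from (mail.gmx.net [213.165.64.20]) by host.idesigns.net",
    "from pop-zh-12-1-dialup-46.freesurf.ch [194.230.198.46] by mail.gmx.net",
]

# Constructed DNSBL state: it models the guess made in the thread that
# 209.239.38.159 was listed at the moment the filter saw the message.
CONSTRUCTED_ZONE = {"159.38.239.209.bl.spamcop.net": "127.0.0.2"}

IP_IN_BRACKETS = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")
LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")


def relay_ip(received_line):
    """Return the connecting IP recorded in one Received line, or None."""
    for candidate in IP_IN_BRACKETS.findall(received_line):
        try:
            return ipaddress.IPv4Address(candidate)
        except ValueError:  # e.g. 999.1.1.1 matched the pattern
            continue
    return None


def dnsbl_name(ip, zone):
    """Build the DNSBL query name: octets reversed, then the zone."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def live_resolver(name):
    """Look the name up in DNS. None means no A record (not listed).
    A lookup failure also lands here, so a dead zone reads as 'clean'."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def constructed_resolver(name):
    """Offline stand-in for live_resolver, answering from CONSTRUCTED_ZONE."""
    return CONSTRUCTED_ZONE.get(name)


def is_listed(ip, zone, resolve):
    """A DNSBL signals a listing with an A record inside 127.0.0.0/8."""
    answer = resolve(dnsbl_name(ip, zone))
    return answer is not None and ipaddress.IPv4Address(answer) in LISTED_RANGE


def check_chain(received, zone, resolve):
    """Walk the hops newest first and stop at the first listed IP.

    Returns (checked, hit): every IP looked at, in order, and the IP that
    was listed (None if none). When there is a hit it is always the last
    element of checked, which is the FAQ rule quoted above.
    """
    checked = []
    for line in received:
        ip = relay_ip(line)
        if ip is None:
            continue
        checked.append(str(ip))
        if ip.is_private:
            continue  # assumption: RFC 1918 hops are recorded but not queried
        if is_listed(ip, zone, resolve):
            return checked, str(ip)
    return checked, None


def in_block(ip, cidr):
    """True if ip falls inside cidr, e.g. the /25 named in the thread."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


if __name__ == "__main__":
    checked, hit = check_chain(RECEIVED, "bl.spamcop.net", constructed_resolver)
    print("checked:", " ".join(checked))
    print("held on:", hit)
    print("idesigns server inside the /25:",
          in_block("209.239.38.159", "209.239.38.128/25"))
```

With the constructed listing the walk stops at the second hop, which reproduces the two-address header quoted in the thread; swapping in `live_resolver` queries the real zone instead.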
From sbb78247 at gmail.com Sun May 8 23:00:28 2005
From: sbb78247 at gmail.com (sbb78247)
Date: Sun May 8 23:05:07 2005
Subject: [SpamCop-List] and
Message-ID:

you all suck

From nobody at nowhere.invalid Mon May 9 12:09:14 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Mon May 9 05:11:27 2005
Subject: [SpamCop-List] Re: and
References:
Message-ID:

On Sun, 8 May 2005 22:00:28 -0500, sbb78247 coughed into spamcop and left this in :

> you all suck

Spanked spammer?

--
Steve
The only person to get all of his work done by Friday was Robinson Crusoe

From bar_n0ne at hotmail.com Mon May 9 14:18:06 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Mon May 9 05:20:30 2005
Subject: [SpamCop-List] Re: and
References:
Message-ID:

"Steven Maesslein" wrote in message news:slrnd7ua5q.35a.nobody@127.0.0.1...
> On Sun, 8 May 2005 22:00:28 -0500, sbb78247 coughed into spamcop and
> left this in :
>
> > you all suck
>
> Spanked spammer?

tourettes

From Ilgaz at spamcop.net Mon May 9 16:34:03 2005
From: Ilgaz at spamcop.net (Ilgaz)
Date: Mon May 9 08:35:13 2005
Subject: [SpamCop-List] Grow up
References:
Message-ID:

On 2005-05-09 05:55:14 +0300, "sbb78247" said:

> aaaaaaaaaaaaaaaaaaaahhhhhhhhhhhhhhhh!!!!!

Your test (!) works and I think it will mysteriously stop working not allowing further "tests" when some admin wakes up ;)

I'd remove spamcop from my subscribed news servers for future.

E.g. "host unreachable" etc ;)

Ilgaz Ocal

From salvisberg at spamcop.net Mon May 9 15:49:40 2005
From: salvisberg at spamcop.net (Hans Salvisberg)
Date: Mon May 9 08:40:04 2005
Subject: [SpamCop-List] Re: X-SpamCop-Checked Header Problem
In-Reply-To:
References:
Message-ID:

Thank you for your analysis, Mike!

Mike Easter wrote:
>>X-SpamCop-Checked: 192.168.1.101 209.239.38.159
>>X-SpamCop-Disposition: Blocked bl.spamcop.net
>
> The parser determines 194.230.198.46 to be the source. Source
> determination is not necessarily the same thing as why an item was
> flagged.
Yes, but I'd expect IP lookup to proceed along the chain back to what SC determines to be the source, stopping at the first IP that's blacklisted, and that X-SpamCop-Checked would reflect that path. Am I wrong here? > Abbreviated Received lines *comment > from unknown (192.168.1.101) by blade6.cesmail.net *serves you > from host.idesigns.net (209.239.38.159) by mailgate.cesmail.net > *serves you, spews2 listed > from (mail.gmx.net [213.165.64.20]) by host.idesigns.net *serves you? > from pop-zh-12-1-dialup-46.freesurf.ch [194.230.198.46] by > mail.gmx.net *sourceline Starting at the bottom: the sender connected through a dial-up modem to GMX, where he presumably used a WebMail application to send the message. > I don't know your mailhost condition and I'm not able to interpret the > condition of the parse on/for your mailhost setup, so I don't know if > idesigns is 'yours' or not, so I put a ? beside it in the *comment > section above IDesigns.net is indeed part of my mailhosts setup. > At the present time, 209.239.38.159 rDNS host.idesigns.net is not SCbl > listed, but it is possible that it might have been at the time the item > was flagged, it which case the SC X-line would be correct -- but since > it isn't currently listed, it doesn't confirm. Hmm, so there's no history data, is there? Given that 209.239.38.159 is in my mailhosts, would SC still block on it, if it were blacklisted? > SC trusts the idesigns and gmx servers to be a server/s, so it parses > back thru' both the idesigns server and the gmx server to get to the 194 > dynamic .ch IP. That's definitely correct, and freesurf.ch is notorious for not cleaning up. 
> The spews2 situation is a class 2 listing for a /25 netblock which is a > 'threat' because the provider isn't getting rid of a spamvertiser > > 1, 209.239.38.227, host.vh3.jbx.com > 2, 209.239.38.128/25, alabanza.com (host.vh3.jbx.com) > > Spews wants Alabanza to get rid of host.vh3.jbx.com, and is saying that > if alabanza doesn't do that, it is going to block the 128 IPs > 209.239.38.128-209.239.38.255 which would include the idesigns server. Alabanza is IDesigns' upstream provider. I don't know whether IDesigns have any relation with host.vh3.jbx.com, but I have high regards for them. I searched for this information and found http://www.spews.org/html/S1903.html, but it's somewhat cryptic to me. Why would spews block an entire /25 netblock based on a single address? 209.239.38.227 does still point to host.vh3.jbx.com, but the spam listed at the bottom of the page dates from 2002, so how current is this? Should I give IDesigns a heads up about this? Hans From Ilgaz at spamcop.net Mon May 9 16:38:58 2005 From: Ilgaz at spamcop.net (Ilgaz) Date: Mon May 9 08:40:11 2005 Subject: [SpamCop-List] Re: Sober virus References: Message-ID: On 2005-05-06 05:58:57 +0300, "Ook" said: > I'm being innundated with sober virus emails - 1000+ a day at 75K a > pop. It overflowed my mail server limit and my email stopped until I > could get my ISP to increase the limit. I'm guessing there is nothing > that can be done about this - is anyone else being flooded with these? > Is there hope that this flood will slow down soon? One of real rare times that Yahoo mail doesn't put sober stuff to Bulk mail as all other viruses. They directly purge at server level. It shows a clue about the amazing volume they get. They tend to stay away from "purging" normally. 
If you see the posts/flames because some people's ISP purchased Spamcop and marking stuff as spam, you may understand why :)

Ilgaz Ocal

From MikeE at ster.invalid Mon May 9 07:47:51 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Mon May 9 09:50:34 2005
Subject: [SpamCop-List] Re: X-SpamCop-Checked Header Problem
References:
Message-ID:

Hans Salvisberg wrote:
> Thank you for your analysis, Mike!

YW. Bitte schön. De rien. That's probably the extent of my French, except what I need for crossword puzzles ;-)

> Mike Easter wrote:
>>> X-SpamCop-Checked: 192.168.1.101 209.239.38.159
>>> X-SpamCop-Disposition: Blocked bl.spamcop.net
>>
>> The parser determines 194.230.198.46 to be the source. Source
>> determination is not necessarily the same thing as why an item was
>> flagged.
>
> Yes, but I'd expect IP lookup to proceed along the chain back to what
> SC determines to be the source, stopping at the first IP that's
> blacklisted, and that X-SpamCop-Checked would reflect that path. Am I
> wrong here?

Correct. Proceed along the chain until it gets to something blocked; no need to go further. We're assuming it found the 209 to be SCbl listed then, not now.

>> Abbreviated Received lines *comment
>> from unknown (192.168.1.101) by blade6.cesmail.net *serves you
>> from host.idesigns.net (209.239.38.159) by mailgate.cesmail.net
>> *serves you, spews2 listed
>> from (mail.gmx.net [213.165.64.20]) by host.idesigns.net *serves
>> you? from pop-zh-12-1-dialup-46.freesurf.ch [194.230.198.46] by
>> mail.gmx.net *sourceline
>
> Starting at the bottom: the sender connected through a dial-up modem
> to GMX, where he presumably used a WebMail application to send the
> message.

Correct that dialup source relays thru' the gmx. I don't see evidence of a webmailer in the spam, instead I see Outlook mail application. Assuming the item is not spam and does not contain bogosity, the source's email address is gmx.ch and so the source has 'permission' to use the gmx server.
>> I don't know your mailhost condition and I'm not able to interpret >> the condition of the parse on/for your mailhost setup, so I don't >> know if idesigns is 'yours' or not, so I put a ? beside it in the >> *comment section above > > IDesigns.net is indeed part of my mailhosts setup. > >> At the present time, 209.239.38.159 rDNS host.idesigns.net is not >> SCbl listed, but it is possible that it might have been at the time >> the item was flagged, it which case the SC X-line would be correct >> -- but since it isn't currently listed, it doesn't confirm. > > Hmm, so there's no history data, is there? Given that 209.239.38.159 > is in my mailhosts, would SC still block on it, if it were blacklisted? Yes. The filter doesn't know parser mailhosts information. Think about the sequence. When the mail is coming in to the SC mail filter, it is using its filtering strategies of SpamAssassin and how you've configured for filtering including whatever whitelist information you have provided. So, the filtering process takes place on that basis and for that reason if the 209 were listed it would get flagged. The business about your mailhost doesn't arise until you have submitted the flagged item for parsing. It is the parser which knows your mailhost, not the filter. >> SC trusts the idesigns and gmx servers to be a server/s, so it parses >> back thru' both the idesigns server and the gmx server to get to the >> 194 dynamic .ch IP. > > That's definitely correct, and freesurf.ch is notorious for not > cleaning up. > > >> The spews2 situation is a class 2 listing for a /25 netblock which >> is a 'threat' because the provider isn't getting rid of a >> spamvertiser >> >> 1, 209.239.38.227, host.vh3.jbx.com >> 2, 209.239.38.128/25, alabanza.com (host.vh3.jbx.com) >> >> Spews wants Alabanza to get rid of host.vh3.jbx.com, and is saying >> that if alabanza doesn't do that, it is going to block the 128 IPs >> 209.239.38.128-209.239.38.255 which would include the idesigns >> server. 
> > Alabanza is IDesigns' upstream provider. I don't know whether IDesigns > have any relation with host.vh3.jbx.com, but I have high regards for > them. Alabanza 'owns' all of the netspace that idesigns uses for its mx and nameservice and thus controls/assigns the rDNS by which the Alabanza IPs resolve back to idesigns. mail.idesigns.net A (Address) 216.147.38.230 ns.idesigns.net A (Address) 209.239.38.160 ns2.idesigns.net A (Address) 209.239.47.29 NetRange: 216.147.0.0 - 216.147.127.255 CIDR: 216.147.0.0/17 NetName: ALABANZA-BALT-2 NetRange: 209.239.32.0 - 209.239.63.255 CIDR: 209.239.32.0/19 NetName: ALABANZA-BALT-1 > I searched for this information and found > http://www.spews.org/html/S1903.html, but it's somewhat cryptic to me. > Why would spews block an entire /25 netblock based on a single > address? Spews is 'assertive' about its efforts to motivate a provider to stop a spamsupport. That includes blocking innocent bystanders when the spews block starts expanding. An example of the expansion would be that first would be the /32 which is presently blocked as a spews1, the threat is to expand to the /25 by showing the spews2. If that /25 became a spews1, then the next thing might be to threaten the entire Alabanza /19 as a spews2. The spews business of collateral damage is nasty and a lot of people don't like its arbitrariness. You can imagine how unhappy you would be if spews blocking were affecting your mail and you were an innocent bystander as a client of idesigns, who also isn't a spammer. The concept is that if alabanza were too problematic about spam support, then idesigns, who is not a spammer, should be paying their money to someone who isn't helping spammers. That is, if alabanza were a big spam supporter, then idesigns, an alabanza customer, is also indirectly supporting a spam supporter. > 209.239.38.227 does still point to host.vh3.jbx.com, but the spam > listed > at the bottom of the page dates from 2002, so how current is this? 
> Should I give IDesigns a heads up about this? Sure. I think it is the responsibility of idesigns to know about the spews listing and I especially think it would be their responsibility if you got any more information about the SCbl listing which we didn't see. If idesigns has something misconfigured which is causing their server to get itself SCbl listed, that could seriously affect your mail. In the old days the listing history of an IP was available. Now only the deputies can look in there and see that if it isn't currently listed. -- Mike Easter kibitzer, not SC admin From l.rem.mayne at uea.ac.uk Mon May 9 16:05:26 2005 From: l.rem.mayne at uea.ac.uk (Leon Mayne) Date: Mon May 9 10:10:05 2005 Subject: [SpamCop-List] Spam excuse Message-ID: "Spam Clause - You are recieving this e-mail as a part of our promotional activity. If you are not interested, please delete it. - Thankyou. WebSamrat Team" Oh right, so if it's for your promotional activity then I guess that's OK. If only I'd thought of using my delete button eh? From bar_n0ne at hotmail.com Mon May 9 19:28:09 2005 From: bar_n0ne at hotmail.com (Berny) Date: Mon May 9 10:30:04 2005 Subject: [SpamCop-List] Re: Sober virus References: Message-ID: "Ilgaz" wrote in message news:d5nll2$ir6$2@news.spamcop.net... > On 2005-05-06 05:58:57 +0300, "Ook" > said: > > > I'm being innundated with sober virus emails - 1000+ a day at 75K a > > pop. It overflowed my mail server limit and my email stopped until I > > could get my ISP to increase the limit. I'm guessing there is nothing > > that can be done about this - is anyone else being flooded with these? > > Is there hope that this flood will slow down soon? > > One of real rare times that Yahoo mail doesn't put sober stuff to Bulk > mail as all other viruses. > > They directly purge at server level. > > It shows a clue about the amazing volume they get. They tend to stay > away from "purging" normally. 
If you see the posts/flames because some > peoples ISP purchased Spamcop and marking stuff as spam, you may > understand why :) > > Ilgaz Ocal > They put all of my sobers in bulk, and the lame sender took 4 days to get shut down, and I'm not even sure s/he was. I wish they had purged mine so i never see them From nobody at spamcop.net Mon May 9 11:32:30 2005 From: nobody at spamcop.net (indigo) Date: Mon May 9 10:35:03 2005 Subject: [SpamCop-List] Re: Email Address Finder at DNS Stuff References: Message-ID: Mike Easter wrote: > indigo wrote: > > Mike Easter wrote: > >> The tool in SamSpade for win has a little algorithm by which it > >> connects with the mx and checks a rcpt to for the username to get > >> some kind of result, and then it checks a rcpt to a bogusname to > >> compare. > > > > Which tool it that? I tried the SMTP tool and that didn't work. > > Nothing else looks obvious as to the tool you're referring to..... > > You start by putting an email addy into the L window; there needs to > be some preliminary configuration in options such as an email address > for the mail from command part. What kind of "preliminary configs" are you referring to? From SCNews.5.myspamgobbler at spamgourmet.com Mon May 9 10:02:10 2005 From: SCNews.5.myspamgobbler at spamgourmet.com (Brian (SnSR)) Date: Mon May 9 12:05:03 2005 Subject: [SpamCop-List] Re: Sober virus In-Reply-To: References: Message-ID: Berny wrote: > "Ilgaz" wrote in message > news:d5nll2$ir6$2@news.spamcop.net... > >>On 2005-05-06 05:58:57 +0300, "Ook" >> said: >> >> >>>I'm being innundated with sober virus emails - 1000+ a day at 75K a >>>pop. It overflowed my mail server limit and my email stopped until I >>>could get my ISP to increase the limit. I'm guessing there is nothing >>>that can be done about this - is anyone else being flooded with these? >>>Is there hope that this flood will slow down soon? >> >>One of real rare times that Yahoo mail doesn't put sober stuff to Bulk >>mail as all other viruses. 
>> >>They directly purge at server level. >> >>It shows a clue about the amazing volume they get. They tend to stay >>away from "purging" normally. If you see the posts/flames because some >>peoples ISP purchased Spamcop and marking stuff as spam, you may >>understand why :) >> >>Ilgaz Ocal >> > > > They put all of my sobers in bulk, and the lame sender took 4 days to get > shut down, and I'm not even sure s/he was. > > I wish they had purged mine so i never see them > > I'm not certain of this, but it may be something that you can configure with Yahoo. Look in options. From eddie at eddie.web Mon May 9 15:21:44 2005 From: eddie at eddie.web (eddie) Date: Mon May 9 14:25:09 2005 Subject: [SpamCop-List] Re: Grow up References: Message-ID: On Mon, 09 May 2005 15:34:03 +0300, Ilgaz scratched out the following: > On 2005-05-09 05:55:14 +0300, "sbb78247" said: > >> aaaaaaaaaaaaaaaaaaaahhhhhhhhhhhhhhhh!!!!! > > Your test (!) works and I think it will mysteriously stop working not > allowing further "tests" when some admin wakes up ;) > > I'd remove spamcop from my subscribed news servers for future. E.g. "host > unreachable" etc ;) > > Ilgaz Ocal Some server scrambled your post into totally meaningless drivel, or someone is using your name and posting garbage. I would look into the problem if I were you, which, thankfully, I am not -- Once movie theaters gave out steak knives Today they confiscate them From eddie at eddie.web Mon May 9 15:23:32 2005 From: eddie at eddie.web (eddie) Date: Mon May 9 14:25:23 2005 Subject: [SpamCop-List] Re: and References: Message-ID: On Sun, 08 May 2005 22:00:28 -0500, sbb78247 scratched out the following: > you all suck awrrrrm that's so 16-year old and soooo verrrry 20th century Only girly-men use "suck" these days. Real men know the new word. Fried Spam smells so great, especially when one more sucker is dead. 
-- Once movie theaters gave out steak knives Today they confiscate them From rowen at cesmail.net Mon May 9 12:21:13 2005 From: rowen at cesmail.net (Russell E. Owen) Date: Mon May 9 15:19:03 2005 Subject: [SpamCop-List] secure pop? Message-ID: Any hope of supporting SSH authentication for the spamcop POP server (for subscription email users)? I realize that by not support SMTP you take care of the problem of spammers posing as me sending email, but it's still seems a needless security risk to know that others could trivially get my email. -- Russell From nobody at spamcop.net Mon May 9 16:32:11 2005 From: nobody at spamcop.net (indigo) Date: Mon May 9 15:35:03 2005 Subject: [SpamCop-List] Re: Grow up References: Message-ID: eddie wrote: > On Mon, 09 May 2005 15:34:03 +0300, Ilgaz scratched out the following: > > > On 2005-05-09 05:55:14 +0300, "sbb78247" said: > > > >> aaaaaaaaaaaaaaaaaaaahhhhhhhhhhhhhhhh!!!!! > > > > Your test (!) works and I think it will mysteriously stop working > > not allowing further "tests" when some admin wakes up ;) > > > > I'd remove spamcop from my subscribed news servers for future. E.g. > > "host unreachable" etc ;) > > > > Ilgaz Ocal > > Some server scrambled your post into totally meaningless drivel, or > someone is using your name and posting garbage. I would look into the > problem if I were you, which, thankfully, I am not English is not Ilgaz's native language (pretty obvious if you actually read the posting name). Go ridicule the spammer instead of him. From nobody at devnull.spamcop.net Mon May 9 15:41:37 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Mon May 9 15:45:02 2005 Subject: [SpamCop-List] Re: secure pop? References: Message-ID: "Russell E. Owen" wrote in message news:mailman.149.1115666344.4572.spamcop-list@news.spamcop.net... > Any hope of supporting SSH authentication for the spamcop POP server > (for subscription email users)? 
I realize that by not support SMTP you > take care of the problem of spammers posing as me sending email, but > it's still seems a needless security risk to know that others could > trivially get my email. On another foray to drag yet another user to the SpamCop e-mail support areas .... try the spamcop.mail newsgroup (so little traffic it was asked recently if it really existed) or head over to the Forum. Don't know how you are logging in now, but for a bit of an indirect answer, see http://forum.spamcop.net/forums/index.php?showtopic=1579&view=findpost&p=10197 that discussion also includes a link to a Jeff G. entry about setting things up at http://forum.spamcop.net/forums/index.php?showtopic=152 And if you still aren't happy, there is a Forum section I created just for "New Feature requests, Suggestions, etc." in hopes of keeping all these items in one place for those involved to 'find' rather than scattered and buried in all kinds of places. From hans at salvisberg.invalid Mon May 9 23:04:04 2005 From: hans at salvisberg.invalid (Hans Salvisberg) Date: Mon May 9 15:55:03 2005 Subject: [SpamCop-List] Re: X-SpamCop-Checked Header Problem In-Reply-To: References: Message-ID: Mike Easter wrote: > YW. Bitte schön. De rien. That's probably the extent of my French, > except what I need for crossword puzzles ;-) It's a start :-) > Correct that dialup source relays thru' the gmx. I don't see evidence > of a webmailer in the spam, instead I see Outlook mail application. Yes, of course. I let myself be distracted by my (wrong) idea of how gmx.ch operates. > Yes. The filter doesn't know parser mailhosts information. Think about > the sequence. When the mail is coming in to the SC mail filter, it is > using its filtering strategies of SpamAssassin and how you've configured > for filtering including whatever whitelist information you have > provided. So, the filtering process takes place on that basis and for > that reason if the 209 were listed it would get flagged.
That makes sense. So, I could presumably whitelist 209 to get the message to pass, even if 209 was blacklisted (I certainly don't expect that, I'm just wondering), but that would circumvent SpamAssassin for all email going through 209. > The concept is that if alabanza were too problematic about spam support, > then idesigns, who is not a spammer, should be paying their money to > someone who isn't helping spammers. That is, if alabanza were a big > spam supporter, then idesigns, an alabanza customer, is also indirectly > supporting a spam supporter. That's pretty heavy, but I've suffered enough from spam to relate to the concept. More coming up... Thanks again! Hans From hans at salvisberg.invalid Mon May 9 23:04:51 2005 From: hans at salvisberg.invalid (Hans Salvisberg) Date: Mon May 9 15:55:11 2005 Subject: [SpamCop-List] www.soft-top100.com resolves, but SC doesn't know about it... Message-ID: http://www.spamcop.net/sc?id=z761477845zdd8fc3d6291246baee3e336468e343a8z spamvertises http://www.soft-top100.com/, which resolves to 217.107.217.8, but SC can't find anything. However, http://whois.webhosting.info/217.107.217.8 shows ALL-DISKS.COM. ALL-THE-PILLS.COM. ALL-THE-SOFT.COM. ALLSOFT-CDS.COM. ALLSOFT-DISKS.COM. ALLTABLETS.COM. Four of these are anonymous, but two reveal some information: http://whois.webhosting.info/ALL-THE-SOFT.COM. http://whois.webhosting.info/ALLTABLETS.COM. Anything we can do about this? Hans P.S. This spammer harvested my SC address off this newsgroup! 
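The SPEWS escalation Mike Easter describes in this thread (the listed /32, then the threatened /25, then the provider's /19) can be checked against the idesigns addresses he quotes. This is an added example, not code from any poster: it uses only the addresses and CIDR blocks quoted in the thread, computes the /25 as the aligned block containing 209.239.38.227, and its function names are illustrative.

```python
"""Which idesigns hosts become collateral at each SPEWS escalation step."""
import ipaddress

# The single address the thread says is listed (host.vh3.jbx.com).
LISTED = ipaddress.ip_address("209.239.38.227")

# Alabanza allocations as quoted from whois in the thread.
PROVIDER_BLOCKS = {
    "ALABANZA-BALT-1": ipaddress.ip_network("209.239.32.0/19"),
    "ALABANZA-BALT-2": ipaddress.ip_network("216.147.0.0/17"),
}

# idesigns A records as quoted in the thread.
IDESIGNS_HOSTS = {
    "mail.idesigns.net": ipaddress.ip_address("216.147.38.230"),
    "ns.idesigns.net": ipaddress.ip_address("209.239.38.160"),
    "ns2.idesigns.net": ipaddress.ip_address("209.239.47.29"),
}


def escalation_ladder(listed, provider_blocks, intermediate_prefixes=(25,)):
    """Return [(label, network)] ordered from the single address outwards.

    intermediate_prefixes holds the block sizes between the /32 and the
    provider allocation; the thread mentions only a /25.
    """
    ladder = [("listed /32", ipaddress.ip_network(f"{listed}/32"))]
    for prefix in intermediate_prefixes:
        # strict=False masks the host bits, giving the aligned enclosing block.
        net = ipaddress.ip_network(f"{listed}/{prefix}", strict=False)
        ladder.append((f"threatened /{prefix}", net))
    for name, block in provider_blocks.items():
        # Only the allocation that actually contains the listed address is
        # a candidate for the last escalation step.
        if listed in block:
            ladder.append((f"provider {name}", block))
    ladder.sort(key=lambda rung: rung[1].prefixlen, reverse=True)
    return ladder


def first_rung_hit(address, ladder):
    """Return the narrowest (label, network) rung covering address, or None."""
    for label, net in ladder:
        if address in net:
            return label, net
    return None


def collateral_report(hosts, ladder):
    """Map each hostname to the first escalation step that would block it."""
    return {name: first_rung_hit(addr, ladder) for name, addr in hosts.items()}


if __name__ == "__main__":
    ladder = escalation_ladder(LISTED, PROVIDER_BLOCKS)
    for label, net in ladder:
        print(f"{label:28} {net}  ({net.num_addresses} addresses)")
    for host, hit in collateral_report(IDESIGNS_HOSTS, ladder).items():
        where = f"{hit[0]} ({hit[1]})" if hit else "outside every step"
        print(f"{host:20} -> {where}")
```

Run against the quoted records, ns.idesigns.net already sits inside the /25 around the listed address, ns2.idesigns.net is reached only at the /19, and mail.idesigns.net is in the other Alabanza allocation and is not reached by this ladder at all.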
From hans at salvisberg.invalid Mon May 9 23:05:03 2005 From: hans at salvisberg.invalid (Hans Salvisberg) Date: Mon May 9 15:55:17 2005 Subject: [SpamCop-List] Anyone from Würzburg, Germany? Is it legal to peddle prescription drugs over the Internet in Germany? Message-ID: http://www.spamcop.net/sc?id=z761484882zc765cbd002e9d466068ee91600edcc5fz spamvertises elongates.net, which belongs to Helmut Fischer in Würzburg: http://whois.webhosting.info/elongates.net The funniest part is how his email address is obfuscated as a graphic to save him from being spammed... elongates.net resolves to 210.21.119.131, which seems to host 31 other fine domains: http://whois.webhosting.info/210.21.119.131 Hans From MikeE at ster.invalid Mon May 9 14:27:38 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon May 9 16:30:32 2005 Subject: [SpamCop-List] Re: Email Address Finder at DNS Stuff References: Message-ID: indigo wrote: > Mike Easter wrote: >> You start by putting an email addy into the L window; there needs to >> be some preliminary configuration in options such as an email address >> for the mail from command part. > > What kind of "preliminary configs" are you referring to? Just that one I mentioned for the address is all you need to do the smtp test: SSwin/ Edit/ Basics tab - Email address. That way it has something to put when it is saying 'mail from'. Then, paste the target addy into what it calls the 'address box' -- namely the left window. Until you have an email addy in there, the basics menu will have most things grayed out. If you just put a domainname in there, the smtp verify is grayed out. If you put an email address in there, the Basics menu SMTP verify will become operational. The same conditions apply to the little tool icons in the tool bar. My usual configuration is to have everything in the View menu checked except scripts. That way I have 3 windows at the top, the addressbox, the whois box, and the dns box.
-- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Mon May 9 14:37:31 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon May 9 16:40:05 2005 Subject: [SpamCop-List] Re: X-SpamCop-Checked Header Problem References: Message-ID: Hans Salvisberg wrote: > Mike Easter wrote: > That makes sense. So, I could presumably whitelist 209 to get the > message to pass, even if 209 was blacklisted (I certainly don't expect > that, I'm just wondering), but that would circumvent SpamAssassin for > all email going through 209. Except I don't know if SpamCop will/can do that; and I'm not sure it would work the way you want it to if it did. That is, you don't want everything which 'shows' a 209 in the headers to get passed -- because it is always going to be in there. What you would like most is if your 209 server didn't get itself blocklisted in any blocklists which you use, especially the SCbl. My SpamPal has an 'ignore' list for IPs, but I'm not completely sure how that works, or whether it would work in the way you are thinking about. What you are thinking is 'don't flag an item if my provider's server is what trips the SCbl'. Theoretically the mailhosts configuration should save you from reporting your own provider if you accidentally submitted a presumed spamitem which got caught by the filter. That is, in this case, the item we're talking about was caught by the filter, but the IP which caused it to be caught wouldn't be named as the source if you were to 'carelessly' try to report a non-spam. That is, at least your false or bad report wouldn't be naming your own provider. You would be naming your 'friend's' IP. >> The concept is that if alabanza were too problematic about spam >> support, then idesigns, who is not a spammer, should be paying their >> money to someone who isn't helping spammers. That is, if alabanza >> were a big spam supporter, then idesigns, an alabanza customer, is >> also indirectly supporting a spam supporter. 
> > That's pretty heavy, but I've suffered enough from spam to relate to > the concept. More coming up... -- Mike Easter kibitzer, not SC admin From amenex at amenex.com Mon May 9 18:25:50 2005 From: amenex at amenex.com (George Langford, Sc.D.) Date: Mon May 9 17:25:57 2005 Subject: [SpamCop-List] Demise of phish reporting at millersmiles.co.uk ? Message-ID: <200505092125.j49LPo0M023461@voicenet.com> Here's what cesmail.net said about an email I tried to send to phish@millersmiles.co.uk (about a phish, naturally): > Final-Recipient: rfc822;phish@millersmiles.co.uk > Action: failed > Status: 5.0.0 (permanent failure) > Diagnostic-Code: smtp; 5.1.0 - Unknown address error 554-' > : Relay access denied' (delivery attempts: 0) > Reporting-MTA: dns; c60.cesmail.net This has happened to the last two phishes that I reported. Oops: http://www.millersmiles.co.uk/ - looks like it's been swallowed. What's a good second choice for a phish phighting website ? From rowen at cesmail.net Mon May 9 15:40:46 2005 From: rowen at cesmail.net (Russell E. Owen) Date: Mon May 9 17:43:17 2005 Subject: [SpamCop-List] Re: secure pop? References: Message-ID: In article , "WazoO" wrote: > "Russell E. Owen" wrote in message > news:mailman.149.1115666344.4572.spamcop-list@news.spamcop.net... > > Any hope of supporting SSH authentication for the spamcop POP server > > (for subscription email users)? I realize that by not support SMTP you > > take care of the problem of spammers posing as me sending email, but > > it's still seems a needless security risk to know that others could > > trivially get my email. > > On another foray to drag yet another user to the SpamCop e-mail > support areas .... try the spamcop.mail newsgroup (so little traffic > it was asked recently if it really existed) or head over to the Forum. 
> Don't know how you are logging in now, but for a bit of an indirect > answer, see > http://forum.spamcop.net/forums/index.php?showtopic=1579&view=findpost&p=10197 > that discussion also includes a link to a Jeff G. entry about setting > things up at http://forum.spamcop.net/forums/index.php?showtopic=152 That's great! For anyone else who was wondering. the first link says spamcop pop supports SSL. And indeed it does. Once I told Eudora to use the alternate port SSL started working. Regarding the 2nd link (about setting things up), I did not see anything about SSL. It'd be nice if SSL info was added to the standard "how to set things up" page. I have subscribed to the email group and will ask there about such things in the future. Thanks for the tip. -- Russell From nanae at splorfING.net Mon May 9 23:41:14 2005 From: nanae at splorfING.net (David) Date: Mon May 9 17:45:04 2005 Subject: [SpamCop-List] Re: Demise of phish reporting at millersmiles.co.uk ? References: Message-ID: "George Langford, Sc.D." wrote in message news:mailman.150.1115673959.4572.spamcop-list@news.spamcop.net... > Here's what cesmail.net said about an email I tried to send > to phish@millersmiles.co.uk (about a phish, naturally): > >> Final-Recipient: rfc822;phish@millersmiles.co.uk >> Action: failed >> Status: 5.0.0 (permanent failure) >> Diagnostic-Code: smtp; 5.1.0 - Unknown address error 554-' >> : Relay access denied' (delivery attempts: 0) >> Reporting-MTA: dns; c60.cesmail.net > > This has happened to the last two phishes that I reported. > > Oops: http://www.millersmiles.co.uk/ - looks like it's been swallowed. > > What's a good second choice for a phish phighting website ? Site is still good from here ... I understood spoof@millersmiles.co.uk was reporting address ??? 
-- David Remove the ING to reply by email From nobody at devnull.spamcop.net Mon May 9 17:42:01 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Mon May 9 17:45:09 2005 Subject: [SpamCop-List] Re: Demise of phish reporting at millersmiles.co.uk ? References: Message-ID: "George Langford, Sc.D." wrote in message news:mailman.150.1115673959.4572.spamcop-list@news.spamcop.net... > > What's a good second choice for a phish phighting website ? Yet again, the Forum FAQ has a number of address lists available, to include a direct link to the Anti-Phishing Working Group .... Plain text list of that FAQ entry was posted recently into the three main spamcop newsgroups ... see http://forum.spamcop.net/forums/index.php?showtopic=2238 From Ilgaz at spamcop.net Tue May 10 01:47:04 2005 From: Ilgaz at spamcop.net (Ilgaz) Date: Mon May 9 17:50:05 2005 Subject: [SpamCop-List] Re: Grow up References: Message-ID: On 2005-05-09 22:32:11 +0300, "indigo" said: > > > eddie wrote: >> On Mon, 09 May 2005 15:34:03 +0300, Ilgaz scratched out the following: >> >>> On 2005-05-09 05:55:14 +0300, "sbb78247" said: >>> >>>> aaaaaaaaaaaaaaaaaaaahhhhhhhhhhhhhhhh!!!!! >>> >>> Your test (!) works and I think it will mysteriously stop working >>> not allowing further "tests" when some admin wakes up ;) >>> >>> I'd remove spamcop from my subscribed news servers for future. E.g. >>> "host unreachable" etc ;) >>> >>> Ilgaz Ocal >> >> Some server scrambled your post into totally meaningless drivel, or >> someone is using your name and posting garbage. I would look into the >> problem if I were you, which, thankfully, I am not > > English is not Ilgaz's native language (pretty obvious if you actually read > the posting name). Go ridicule the spammer instead of him. I guess it was a parsing error his side. ;) I am downing the level of post. It means, after such crap being posted, some spamcop Admin will see it and be sure they know how to block IPs on such issues. So, his "test" won't work. 
Ilgaz Ocal ps: I am fine with entire thread being deleted of course (when it happens) From nono at nonono.no Tue May 10 00:46:29 2005 From: nono at nonono.no (Carter) Date: Mon May 9 17:55:05 2005 Subject: [SpamCop-List] Re: Grow up References: Message-ID: Ilgaz wrote: > On 2005-05-09 05:55:14 +0300, "sbb78247" said: > >> aaaaaaaaaaaaaaaaaaaahhhhhhhhhhhhhhhh!!!!! > > Your test (!) works and I think it will mysteriously stop working not > allowing further "tests" when some admin wakes up ;) > > I'd remove spamcop from my subscribed news servers for future. E.g. > "host unreachable" etc ;) > > Ilgaz Ocal Fuck off, you turkish named cunt. -- (><) Carter From Ilgaz at spamcop.net Tue May 10 01:52:51 2005 From: Ilgaz at spamcop.net (Ilgaz) Date: Mon May 9 17:55:12 2005 Subject: [SpamCop-List] Re: Anyone from Würzburg, Germany? Is it legal to peddle prescription drugs over the Internet in Germany? References: Message-ID: On 2005-05-09 23:05:03 +0300, Hans Salvisberg said: > http://www.spamcop.net/sc?id=z761484882zc765cbd002e9d466068ee91600edcc5fz > > spamvertises elongates.net, which belongs to Helmut Fischer in Würzburg: > > http://whois.webhosting.info/elongates.net > > The funniest part is how his email address is obfuscated as a graphic to > save him from being spammed... > > elongates.net resolves to 210.21.119.131, which seems to host 31 other > fine domains: > > http://whois.webhosting.info/210.21.119.131 > > Hans From what I know, hear etc. That guy has no chance if some German figures it. :) Speaking about jail, not speaking about some $10 dialup cancelled. I had a friend got arrested for politely hitting the phone cabins glass (with coin) and showing his watch to some phone talking guy. To hurry. Guess what happened? He smiled , hung up, called another number and very politely left. 5 mins later, he came with cops. *g* Yes, guy got arrested as a tourist for that.
I mean, speaking about the system in Germany. Now, imagine selling that stuff when you are based in Germany. Will look the reporting addresses tomorrow ;) Or, will find some germans to look into. Thanks Ilgaz Ocal From Ilgaz at spamcop.net Tue May 10 01:55:15 2005 From: Ilgaz at spamcop.net (Ilgaz) Date: Mon May 9 18:00:06 2005 Subject: [SpamCop-List] Re: www.soft-top100.com resolves, but SC doesn't know about it... References: Message-ID: On 2005-05-09 23:04:51 +0300, Hans Salvisberg said: > http://www.spamcop.net/sc?id=z761477845zdd8fc3d6291246baee3e336468e343a8z > > spamvertises http://www.soft-top100.com/, which resolves to 217.107.217.8, > but SC can't find anything. > > However, > > http://whois.webhosting.info/217.107.217.8 > > shows > > ALL-DISKS.COM. > ALL-THE-PILLS.COM. > ALL-THE-SOFT.COM. > ALLSOFT-CDS.COM. > ALLSOFT-DISKS.COM. > ALLTABLETS.COM. > > Four of these are anonymous, but two reveal some information: > > http://whois.webhosting.info/ALL-THE-SOFT.COM. > http://whois.webhosting.info/ALLTABLETS.COM. > > Anything we can do about this? > > Hans > > P.S. This spammer harvested my SC address off this newsgroup! Well its clear that they found a tactic to make DNS block to Spamcop. There are other similar reports here too, I remember them. I guess Spamcop will find a way out. If it requires some user level help, my OS X is in their serve :) Lets wait for someone actually knows advanced DNS. Ilgaz Ocal From nono at nonono.no Tue May 10 00:57:36 2005 From: nono at nonono.no (Carter) Date: Mon May 9 18:00:13 2005 Subject: [SpamCop-List] Re: fucking test References: Message-ID: sbb78247 wrote: > aaaaaaaaaaaaaaaaaaaahhhhhhhhhhhhhhhh!!!!! That's what my gf was screaming last night. 
-- (><) Carter From Ilgaz at spamcop.net Tue May 10 01:58:20 2005 From: Ilgaz at spamcop.net (Ilgaz) Date: Mon May 9 18:00:18 2005 Subject: [SpamCop-List] Re: Email Address Finder at DNS Stuff References: Message-ID: On 2005-05-06 17:39:15 +0300, "Pop" said: > Has anyone here tried the e-mail address tester on http://www.dnsstuff.com/ ? > I looked briefly at them on google and they seem fine, and I think I've > seen them mentioned here a few times, but never the address tester. > NANAE folk seem to mention it a lot too. > > I put a few addresses into it, and it does seem to be able to say > whether an e-mail address exists or not, but ... I was wondering what > kind of pitfalls there are to using it. It seems "too good to be true". > > TIA, > > Pop Its web based and I don't know the guy. Can be good or bad, you can never be sure. Maybe it uses VRFY command existing in some SMTP servers. As a general rule, check the information etc before using such sites. There is no "elite" stuff there and I'd suggest (of course) Ironport's andr Spamcop's www services instead. Ilgaz Ocal From Ilgaz at spamcop.net Tue May 10 02:02:03 2005 From: Ilgaz at spamcop.net (Ilgaz) Date: Mon May 9 18:05:07 2005 Subject: [SpamCop-List] Re: secure pop? References: Message-ID: On 2005-05-09 21:21:13 +0300, "Russell E. Owen" said: > Any hope of supporting SSH authentication for the spamcop POP server > (for subscription email users)? I realize that by not support SMTP you > take care of the problem of spammers posing as me sending email, but > it's still seems a needless security risk to know that others could > trivially get my email. > > -- Russell Check Wazoo's post. Also, www help of spamcop is pretty complete. I think they do support some SSL and APOP. To try, I must mess with Eudora pro settings which are SSL IMAP, not a good idea :) You have to use pop btw? IMAP with a good client designed for good offline etc is more secure and really practical for spamcop features. 
Held Mail is an IMAP folder for instance. Ilgaz Ocal From Ilgaz at spamcop.net Tue May 10 02:04:53 2005 From: Ilgaz at spamcop.net (Ilgaz) Date: Mon May 9 18:05:18 2005 Subject: [SpamCop-List] Re: Sober virus References: Message-ID: On 2005-05-09 19:02:10 +0300, "Brian (SnSR)" said: > Berny wrote: >> "Ilgaz" wrote in message >> news:d5nll2$ir6$2@news.spamcop.net... >> >>> On 2005-05-06 05:58:57 +0300, "Ook" >>> said: >>> >>> >>>> I'm being innundated with sober virus emails - 1000+ a day at 75K a >>>> pop. It overflowed my mail server limit and my email stopped until I >>>> could get my ISP to increase the limit. I'm guessing there is nothing >>>> that can be done about this - is anyone else being flooded with these? >>>> Is there hope that this flood will slow down soon? >>> >>> One of real rare times that Yahoo mail doesn't put sober stuff to Bulk >>> mail as all other viruses. >>> >>> They directly purge at server level. >>> >>> It shows a clue about the amazing volume they get. They tend to stay >>> away from "purging" normally. If you see the posts/flames because some >>> peoples ISP purchased Spamcop and marking stuff as spam, you may >>> understand why :) >>> >>> Ilgaz Ocal >>> >> >> >> They put all of my sobers in bulk, and the lame sender took 4 days to get >> shut down, and I'm not even sure s/he was. >> >> I wish they had purged mine so i never see them >> >> > > > I'm not certain of this, but it may be something that you can configure > with Yahoo. Look in options. Filters are the weakest part of Yahoo. You have to see it to believe how lame it is. Don't ask why the heck I bought it. It just sounded good idea to me. Well, now using Spamcop mail exclusively and Yahoo for mail list etc junk. Got URL at my iCal application to open browser to cancel my account at Dec. something. 
:) Ilgaz Ocal From MikeE at ster.invalid Mon May 9 16:13:58 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon May 9 18:15:03 2005 Subject: [SpamCop-List] Re: www.soft-top100.com resolves, but SC doesn't know about it... References: Message-ID: Hans Salvisberg wrote: www.spamcop.net/sc?id=z761477845zdd8fc3d6291246baee3e336468e343a8z > > spamvertises http://www.soft-top100.com/, which resolves to > 217.107.217.8, but SC can't find anything. When I accessed the tracker [the 2nd time], SC resolved it: Tracking link: http://www.soft-top100.com [report history] Resolves to 217.107.217.8 Routing details for 217.107.217.8 [refresh/show] Cached whois for 217.107.217.8 : magdesiev@webrider.ru uljashin@webrider.ru De-referencing magdesiev@webrider.ru abuse net webrider.ru = abuse@webrider.ru De-referencing uljashin@webrider.ru abuse net webrider.ru = abuse@webrider.ru Using best contacts abuse@webrider.ru When I accessed it the 1st time, SC 'passed'. Sometimes I try to guess about why something didn't resolve based on -1- did the parser spend a lot of time 'doing something' or did it finish pretty fast -2- if SC failed to resolve the url then I resolve it and I also take it to dnsstuff to 'diagnose' nameservice weaknesses -3- if SC failed to resolve it and didn't spend any time on it and neither my resolver nor dnsstuff's resolver had any trouble or delay or weaknesses of the nameservice, I conclude that the parser didn't feel like resolving links at that time. Under those circumstances I assume that the parser has prioritized its resources to be doing other than resolving /any/ urls. Then, there's also a problem with notifying about that IP at webride. 217.107.217.8 cname webrider.ru is listed in spews and spamhause. Either one would suggest non-responsiveness -- the implication being that the parent or upstream should be notified in addition. That IP is AS8342 or abuse@rtcomm.ru -- Then you have to decide if you are happy enough leaving it there. 
> Anything we can do about this? My notifies would be the non-responsive webrider, the parent and router rtcomm, the piracy business which would be the various general antipiracy groups plus the specifics for the ones being marketed, Adobe, MS, and others. -- Mike Easter kibitzer, not SC admin From SCNews.5.myspamgobbler at spamgourmet.com Mon May 9 16:15:26 2005 From: SCNews.5.myspamgobbler at spamgourmet.com (Brian (SnSR)) Date: Mon May 9 18:20:03 2005 Subject: [SpamCop-List] Re: Demise of phish reporting at millersmiles.co.uk ? In-Reply-To: References: Message-ID: George Langford, Sc.D. wrote: > Here's what cesmail.net said about an email I tried to send > to phish@millersmiles.co.uk (about a phish, naturally): > > >>Final-Recipient: rfc822;phish@millersmiles.co.uk >>Action: failed >>Status: 5.0.0 (permanent failure) >>Diagnostic-Code: smtp; 5.1.0 - Unknown address error 554-' >>: Relay access denied' (delivery attempts: 0) >>Reporting-MTA: dns; c60.cesmail.net > > > This has happened to the last two phishes that I reported. > > Oops: http://www.millersmiles.co.uk/ - looks like it's been swallowed. > > What's a good second choice for a phish phighting website ? Maybe just a temporary thing as it is working now. Phish reporting address is spoof@millersmiles.co.uk . From pantheus at suespammers.org Mon May 9 17:13:40 2005 From: pantheus at suespammers.org (Ken Knull) Date: Mon May 9 19:15:11 2005 Subject: [SpamCop-List] Re: Demise of phish reporting at millersmiles.co.uk ? References: Message-ID: On Mon, 09 May 2005 16:42:01 -0500, WazoO wrote: > "George Langford, Sc.D." wrote in message > news:mailman.150.1115673959.4572.spamcop-list@news.spamcop.net... >> >> What's a good second choice for a phish phighting website ? > > Yet again, the Forum FAQ has a number of address lists available, to > include a direct link to the Anti-Phishing Working Group .... Plain text > list of that FAQ entry was posted recently into the three main spamcop > newsgroups ... 
see > http://forum.spamcop.net/forums/index.php?showtopic=2238 Damn, Wazoo, quit touting the forum ... MANY of us refuse to be involved "over there" when adequate and faster access is here. Is your sole goal, along with the JeffG simply to troll here to "try" to swing those who appreciate nntp over to a slow forum? From nobody at devnull.spamcop.net Mon May 9 19:40:44 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Mon May 9 19:45:03 2005 Subject: [SpamCop-List] Re: Educating non-techies not to spam References: Message-ID: "Stretch" wrote in message news:stretch-964BA3.16131209052005@news.cesmail.net... > > I'm struggling to educate these people, but the money is just to strong > in this situation. I can see them making the business decision to spam > "just this once", burn the bridge with our ISP, and move to another. > > Any recommendations? My Clue-By-Four is getting all splintered > battering on some very dense heads... Frequently Asked Question .. and as such, already handled in a thing called a FAQ ... either drill down to it via the Help button in the www.spamcop.net web page or browse down the Forum FAQ at http://forum.spamcop.net/forums/index.php?showtopic=2238 From nobody at spamcop.net Mon May 9 17:54:46 2005 From: nobody at spamcop.net (N. Miller) Date: Mon May 9 20:00:04 2005 Subject: [SpamCop-List] Re: and References: Message-ID: <3pybby02g3bq.dlg@news.spamcop.net> On Mon, 09 May 2005 14:23:32 -0400, eddie wrote: > On Sun, 08 May 2005 22:00:28 -0500, sbb78247 scratched out the following: > >> you all suck > > awrrrrm that's so 16-year old and soooo verrrry 20th century > Only girly-men use "suck" these days. Real men know the new word. > Fried Spam smells so great, especially when one more sucker is dead. One of the oddities of the U.S. culture is that it is more acceptable to be a manly girl than it is to be a girly man. 
:P -- Norman ~Win dain a lotica, En vai tu ri, Si lo ta ~Fin dein a loluca, En dragu a sei lain ~Vi fa-ru les shutai am, En riga-lint From nobody at devnull.spamcop.net Mon May 9 19:57:53 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Mon May 9 20:00:20 2005 Subject: [SpamCop-List] Re: Demise of phish reporting at millersmiles.co.uk ? References: Message-ID: "Ken Knull" wrote in message news:pan.2005.05.09.23.13.40.383501@suespammers.org... > On Mon, 09 May 2005 16:42:01 -0500, WazoO wrote: > > >> What's a good second choice for a phish phighting website ? > > > > Yet again, the Forum FAQ has a number of address lists available, to > > include a direct link to the Anti-Phishing Working Group .... Plain text > > list of that FAQ entry was posted recently into the three main spamcop > > newsgroups ... see > > http://forum.spamcop.net/forums/index.php?showtopic=2238 > > Damn, Wazoo, quit touting the forum ... MANY of us refuse to be > involved "over there" when adequate and faster access is here. > > Is your sole goal, along with the JeffG simply to troll here to "try" to > swing those who appreciate nntp over to a slow forum? On the other hand, it is absurd to keep seeing the same questions over and over, yet the answers actually exist in a continually updated document ... (and I'm not even going to bring up the typical "Google it!" response) I've passed on JT's offer to even buy some other software to build a knowledgeable/FAQ thing that many could contribute to at least three times 'here' with very little response. Check the archives for the years of bitching about the www.spamcop.net FAQ. The only thing I'm "pushing for" would be more input to offer answers to even more "Frequently Asked Questions" .. flush out the "How to Use ...." section From D.Gray at picture.oscar.wilde Tue May 10 02:18:45 2005 From: D.Gray at picture.oscar.wilde (Dorian Gray) Date: Mon May 9 20:20:03 2005 Subject: [SpamCop-List] Getting beyond an open proxy? 
Message-ID: Recently I got a flood of viral-laden emails with various strangers in the From: fields, all of whom were English-speaking academics from various countries. I have strong reasons to believe that these originated from an infected machine belonging to a certain headhunting agency in New Zealand. It would not be the first time they have flooded their contacts' inboxes with viruses like this - in August something quite similar happened and they admitted they were the source. For the previous infection it was relatively easy to source the emails to them because the earliest Received line had as the source a New Zealand ISP that they use. This time the earliest Received line is forged. The helo is the domain part of my own email address, but the IP number does not match, and cannot be reverse-DNS'ed. All of the emails had the same IP number. I did a search on Google at the time for the IP number and a Russian website showed it as an open proxy in Hong Kong, but it since seems to have disappeared from that Russian list. I reported the problem to the New Zealand company, and claimed that they were infected AGAIN. They deny everything, saying: "We pride ourselves on our strong sense of confidentiality and take measures to ensure that confidentiality is preserved at all times." (yeah right, not in August they didn't) They go on to threaten me with a defamation action if I don't cease spreading false and unsubstantiated information. They claim that their IT support people have confirmed that the virus emails are originating at .edu.au below, that is, my own email server. Rubbish, as any fool knows from the headers. I've told them what I think of their IT experts. I asked them to remove me from their address book - the virus-laden emails stopped the instant they did so. 
I can't send these messages through SC for a tracking ref because they are redirected to a forwarding alias, which picks up the virus, strips it and reports it to me elsewhere with the following auto-message. I've included one below, appropriately munged but not too much.

My question is, can anyone find out anything about 202.174.155.163? Am I right in thinking this is some kind of anonymising open proxy used by the virus email source? Is there any way of saying anything about where the message originated?

Cheers.

--Start of body of auto-message--
The Declude Virus software on .org has reported that you were sent an E-mail from , containing the W32/Netsky.Z@mm virus in the Notice.zip attachment. The subject of the E-mail was "Important". The E-mail containing the virus has been quarantined to prevent further damage.

Headers Follow:

Received: from [202.174.155.163] (helo=.edu.au)
    by ..edu.au with esmtp (Exim 4.34) id 1DPkoe-0006os-09
    for @.edu.au; Mon, 25 Apr 2005 01:22:56 +0800
From:
To: @.edu.au
Subject: Important
Date: Sun, 24 Apr 2005 23:26:28 +0600
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0009_00005C33.00005403"
X-Priority: 1
X-MSMail-Priority: High
X-Broken-Reverse-DNS: no host name found for IP address 202.174.155.163
Message-Id: <@..edu.au>
--End of auto-message--

From usenet2 at DE.LETE.THISljvideo.com Tue May 10 01:26:30 2005
From: usenet2 at DE.LETE.THISljvideo.com (Larry J.)
Date: Mon May 9 20:30:03 2005
Subject: [SpamCop-List] Re: Educating non-techies not to spam
References:
Message-ID:

Waiving the right to remain silent, Stretch wrote:

> The Board of Directors sends out a newsletter and various announcements
> via USsnail and are trying to cut costs by sending out what they can
> electronically. They're eyeing the membership email list with great
> interest despite my admonishments about sending bulk unsolicited email.

Unfortunately the mind-set of too many operators of non-profits.
They somehow think that being a NP gives them the right to do all sorts of less than above-board things. My wife consults for NPs seeking grants, so I do have a certain knowledge of their ways.

--
Larry J. - Remove spamtrap in ALLCAPS to e-mail
"Ninety eight percent of the adults in this country are decent, hardworking, honest Americans. It's the other lousy two percent that get all the publicity. But then, we elected them." -Lily Tomlin

From usenet2 at DE.LETE.THISljvideo.com Tue May 10 01:30:38 2005
From: usenet2 at DE.LETE.THISljvideo.com (Larry J.)
Date: Mon May 9 20:35:05 2005
Subject: [SpamCop-List] Re: and
References:
Message-ID:

Waiving the right to remain silent, "sbb78247" wrote:

> you all suck

I love the smell of fried spammer in the morning..!

--
Larry J. - Remove spamtrap in ALLCAPS to e-mail
"Ninety eight percent of the adults in this country are decent, hardworking, honest Americans. It's the other lousy two percent that get all the publicity. But then, we elected them." -Lily Tomlin

From MikeE at ster.invalid Mon May 9 18:45:18 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Mon May 9 20:45:02 2005
Subject: [SpamCop-List] Re: Getting beyond an open proxy?
References:
Message-ID:

Dorian Gray wrote:

> My question is, can anyone find out anything about 202.174.155.163?
> Am I right in thinking this is some kind of anonymising open proxy
> used by the virus email source?

202.174.155.163 no rDNS of the Bangladesh speedcast
inetnum: 202.174.155.160 - 202.174.155.167
netname: DNS-BD
notify
trouble: send spam reports to support@speedcast.com
trouble: and abuse reports to noc@speedcast.com
is an open port 8080 [currently online and abusable] proxy which is on
numerous blocklists such as cbl and dsbl for hitting spamtraps and
testing proxy positive and other blocklists such spamcop for spamsource

> Is there any way of saying anything
> about where the message originated?

No. The abusable proxy completely conceals what abused it.
-- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Mon May 9 19:18:24 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon May 9 21:20:08 2005 Subject: [SpamCop-List] Re: Getting beyond an open proxy? References: Message-ID: Dorian Gray wrote: > I reported the problem to the New Zealand company, and claimed that > they were infected AGAIN. They deny everything, I have no opinion on the business of how you analyzed the headers. Posting some part of a munged header as if we were going to talk about how to parse it or the accuracy of your parsing doesn't work. I don't understand the concept of how you accused some NZ co. of providing for someone who was abusing a Bangladesh proxy -- if in fact this IP which we are discussing here was the source of the item. The other thing I don't have a supporting opinion on your analysis of is the concept of someone intentionally propagating virms. That almost never happens, altho' it seem that people are always supposing it, for some reason or another. The first thing you should assume about any viral propagation is that it is being propagated in the normal infected machine propagation style -- not that some evil virus writer has chosen email viral propagations to do some intentional dirty work. The ratio of simple infected propagations to intentional 'dropping' must be about a zillion to one. So, mathematically and logically, I would say that there is something wrong with your analysis of this situation. -- Mike Easter kibitzer, not SC admin From D.Gray at picture.oscar.wilde Tue May 10 03:22:59 2005 From: D.Gray at picture.oscar.wilde (Dorian Gray) Date: Mon May 9 21:25:04 2005 Subject: [SpamCop-List] Re: Getting beyond an open proxy? References: Message-ID: In article , "Mike Easter" wrote: > Dorian Gray wrote: > > My question is, can anyone find out anything about 202.174.155.163? > > Am I right in thinking this is some kind of anonymising open proxy > > used by the virus email source? 
> > 202.174.155.163 no rDNS of the Bangladesh speedcast > is an open port 8080 [currently online and abusable] proxy which is on > numerous blocklists such as cbl and dsbl for hitting spamtraps and > testing proxy positive and other blocklists such spamcop for spamsource > > > Is there any way of saying anything > > about where the message originated? > > No. The abusable proxy completely conceals what abused it. Thanks for your objective and informative reply Mike. I couldn't find that info when I tried. But I see it is as I feared. You answered my questions fully, but can I draw you (or others) to give an opinion on my battle with this company, and whether you would have drawn the same conclusions as I have, and whether you think I should stick to my guns? I have already told them that defamation law requires that they have an intact reputation, which they blew in August. Also, can you think of any other facts/tests for determining infection within this company? (Apart from having a competent IT person find the infection. :) I thought of asking them to re-add me to their address book, and see if the virus-laden emails start again. How do we protect the world from internet menaces like this company? Thanks. From SCNews.5.myspamgobbler at spamgourmet.com Mon May 9 19:48:22 2005 From: SCNews.5.myspamgobbler at spamgourmet.com (Brian (SnSR)) Date: Mon May 9 21:50:06 2005 Subject: [SpamCop-List] Re: Educating non-techies not to spam In-Reply-To: References: Message-ID: WazoO wrote: > "Stretch" wrote in message > news:stretch-964BA3.16131209052005@news.cesmail.net... > >>I'm struggling to educate these people, but the money is just to strong >>in this situation. I can see them making the business decision to spam >>"just this once", burn the bridge with our ISP, and move to another. >> >>Any recommendations? My Clue-By-Four is getting all splintered >>battering on some very dense heads... > > > Frequently Asked Question .. 
and as such, already handled in a > thing called a FAQ ... either drill down to it via the Help button > in the www.spamcop.net web page or browse down the Forum > FAQ at http://forum.spamcop.net/forums/index.php?showtopic=2238 > > WazoO, I also am getting very tired of opening one of your messages, hoping to see some intelligent insight of your's (I do believe that is possible) and seeing nothing useful, only you trying to direct someone to a place that they are not. PLEASE STOP If it bothers you so much to see the same questions than stay away. From MikeE at ster.invalid Mon May 9 19:53:57 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon May 9 21:55:03 2005 Subject: [SpamCop-List] Re: Getting beyond an open proxy? References: Message-ID: Dorian Gray wrote: > Recently I got a flood of viral-laden emails with various > strangers in the From: fields, all of whom were > English-speaking academics from various countries. I have strong > reasons to believe that these originated from an infected machine > belonging to a certain headhunting > agency in New Zealand. Why do you think /that/? > This time the earliest Received line is > forged. The helo is the domain part of my own email address, but the > IP number does not match, and cannot be reverse-DNS'ed. All of the > emails had the same IP number. This business of *describing* headers is very very uninteresting and nonproductive. If you can't produce them, simply state that you determined the source to be such and such. Maybe you were right and maybe you were wrong. If you want to produce them in their entirety, put the headers into the webparser, copy the tracking url, and paste it in here. If you want to *gently* munge something like an address before the parse, go ahead. I don't understand any good reason to be mungeing hostnames in the 'from' or 'by' fields. 
-- Mike Easter kibitzer, not SC admin From SCNews.5.myspamgobbler at spamgourmet.com Mon May 9 19:58:31 2005 From: SCNews.5.myspamgobbler at spamgourmet.com (Brian (SnSR)) Date: Mon May 9 22:00:03 2005 Subject: [SpamCop-List] Re: Sober virus In-Reply-To: References: Message-ID: Ilgaz wrote: > On 2005-05-09 19:02:10 +0300, "Brian (SnSR)" > said: > >> Berny wrote: >> >>> "Ilgaz" wrote in message >>> news:d5nll2$ir6$2@news.spamcop.net... >>> >>>> On 2005-05-06 05:58:57 +0300, "Ook" >>>> said: >>>> >>>> >>>>> I'm being innundated with sober virus emails - 1000+ a day at 75K a >>>>> pop. It overflowed my mail server limit and my email stopped until I >>>>> could get my ISP to increase the limit. I'm guessing there is nothing >>>>> that can be done about this - is anyone else being flooded with these? >>>>> Is there hope that this flood will slow down soon? >>>> >>>> >>>> One of real rare times that Yahoo mail doesn't put sober stuff to Bulk >>>> mail as all other viruses. >>>> >>>> They directly purge at server level. >>>> >>>> It shows a clue about the amazing volume they get. They tend to stay >>>> away from "purging" normally. If you see the posts/flames because some >>>> peoples ISP purchased Spamcop and marking stuff as spam, you may >>>> understand why :) >>>> >>>> Ilgaz Ocal >>>> >>> >>> >>> They put all of my sobers in bulk, and the lame sender took 4 days to >>> get >>> shut down, and I'm not even sure s/he was. >>> >>> I wish they had purged mine so i never see them >>> >>> >> >> >> I'm not certain of this, but it may be something that you can >> configure with Yahoo. Look in options. > > > Filters are the weakest part of Yahoo. You have to see it to believe how > lame it is. > > Don't ask why the heck I bought it. It just sounded good idea to me. > Well, now using Spamcop mail exclusively and Yahoo for mail list etc junk. > > Got URL at my iCal application to open browser to cancel my account at > Dec. something. 
:) > > Ilgaz Ocal > Spam Filter SpamGuard is ON [Turn SpamGuard OFF - What's this?] For messages SpamGuard identifies as Spam: Immediately delete these messages upon receipt. (Note: If you choose this option, you will not be able to review the messages before they are deleted.) Save these messages in the Bulk Folder for From D.Gray at picture.oscar.wilde Tue May 10 04:35:28 2005 From: D.Gray at picture.oscar.wilde (Dorian Gray) Date: Mon May 9 22:35:03 2005 Subject: [SpamCop-List] Re: Getting beyond an open proxy? References: Message-ID: In article , "Mike Easter" wrote: > The other thing I don't have a supporting opinion on your analysis of is > the concept of someone intentionally propagating virms. I never said such a thing, didn't imply it, and don't think it. If that's what you thought I think then you might need to do a reformulate your opinions with your view corrected... These people are incompetent, not malicious. Last time, they admitted they were infected and fixed it. This time they're claiming they're too careful ever to be infected. So Mike, after you've reset your presumptions, care to offer a view on what I (really) said? My question about how to protect the world from them was not because they are trying to do nasty things, but because they have built up an extensive address book of academics and then unwittingly cause viral havoc with it. The previous viral infection is not the only case in my dealings with them where the IT incompetence has reared its head. The problem is their default reaction with IT problems is to assume the other party is to blame, even when it is clear to anyone competent that it isn't. BTW, if you look at the munging of the headers that were contained in the body of the auto-report I got, you will see that the helo is recognisably not associated with the IP address shown. You will also see that I've munged various strings and given them labels which you can see repeated. 
In other words, you don't need to know anything more than what I've given to respond sensibly, or at least as sensibly as you could if I didn't munge at all. Cheers. From Kilgallen at SpamCop.net Mon May 9 22:38:39 2005 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Mon May 9 22:40:03 2005 Subject: [SpamCop-List] Re: Educating non-techies not to spam References: Message-ID: In article , "Brian (SnSR)" writes: > WazoO wrote: >> "Stretch" wrote in message >> news:stretch-964BA3.16131209052005@news.cesmail.net... >> >>>I'm struggling to educate these people, but the money is just to strong >>>in this situation. I can see them making the business decision to spam >>>"just this once", burn the bridge with our ISP, and move to another. >>> >>>Any recommendations? My Clue-By-Four is getting all splintered >>>battering on some very dense heads... >> >> >> Frequently Asked Question .. and as such, already handled in a >> thing called a FAQ ... either drill down to it via the Help button >> in the www.spamcop.net web page or browse down the Forum >> FAQ at http://forum.spamcop.net/forums/index.php?showtopic=2238 >> >> > WazoO, > > I also am getting very tired of opening one of your messages, hoping to > see some intelligent insight of your's (I do believe that is possible) > and seeing nothing useful, only you trying to direct someone to a place > that they are not. > > PLEASE STOP Amen. From MikeE at ster.invalid Mon May 9 20:59:19 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon May 9 23:00:02 2005 Subject: [SpamCop-List] Re: Getting beyond an open proxy? References: Message-ID: Dorian Gray wrote: > care to offer a view on > what I (really) said? No. I have no clue about what you are talking about. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Mon May 9 21:23:22 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon May 9 23:25:02 2005 Subject: [SpamCop-List] Re: Getting beyond an open proxy? 
References:
Message-ID:

I'm going to put this part up at the top first, and then in context down below:

> Am I right in thinking this is some kind of anonymising open proxy
> used by the virus email source?

No. Viral propagations don't use open proxies to anonymize themselves.

Dorian Gray wrote:

> Recently I got a flood of viral-laden emails with various
> strangers in the From: fields, all of whom were
> English-speaking academics from various countries.

That simply means that the propagation had access to such addies to put them into the To, From, envelope rcpt to or whatever.

> I have strong
> reasons to believe that these originated from an infected machine
> belonging to a certain headhunting
> agency in New Zealand.

That doesn't make any sense regarding anything you have exposed here. We are getting websites and infected user IPs all mixed up somehow.

> It would not be the first time they have
> flooded their contacts' inboxes with viruses like this - in August
> something quite similar happened and they admitted they were the
> source.

www.academic-search.net = 210.48.1.214
inetnum: 210.48.0.0 - 210.48.127.255
netname: ICONZ-NZ
descr: ICONZ, Internet Service Provider

Mail for academic-search.net is handled by mx-f.maxnet.net.nz & mx-us.maxnet.net.nz

The nameservice and incoming mail is handled by more than one provider. How the outgoing is handled isn't apparent. Saying that 'they' admitted 'they' were the source isn't informative to me. I doubt that you are saying that the website was the source.

> For the previous infection it was relatively easy to source the emails
> to them because the earliest Received line had as the source a New
> Zealand ISP that they use. This time the earliest Received line is
> forged. The helo is the domain part of my own email address, but the
> IP number does not match, and cannot be reverse-DNS'ed. All of the
> emails had the same IP number.
I did a search on Google at the time > for the IP number and a Russian website showed it as an open proxy in > Hong Kong, but it since seems to have disappeared from that Russian > list. > > I reported the problem to the New Zealand company, and claimed that > they were infected AGAIN. They deny everything, saying: When you are tracking a viral propagator, if you parse the headers correctly, you should arrive at the source IP of the infected propagator. Viral propagators are not like spammers who abuse open proxies. Viral propagators propagate. That's what they do. I'm not sure why we are talking about the IP 202.174.155.163. Either you think it is the source of the propagation or you have erred in your analysis of the headers or something. I also don't see what 202.174.155.163 has to do with your NZ co. You didn't answer that yet. > Am I right in thinking this is some kind of anonymising open proxy > used by the virus email source? No. Viral propagations don't use open proxies to anoymize themselves. -- Mike Easter kibitzer, not SC admin From edb2000 at spamcop.net Tue May 10 00:13:08 2005 From: edb2000 at spamcop.net (Don Wannit) Date: Tue May 10 02:15:04 2005 Subject: [SpamCop-List] Re: fucking test In-Reply-To: References: Message-ID: Carter wrote: > sbb78247 wrote: > > >>aaaaaaaaaaaaaaaaaaaahhhhhhhhhhhhhhhh!!!!! > > > That's what my gf was screaming last night. Your Gay Friend? Why would we care in the least if your are gay? It has nothing whatsoever to do with fighting spam and spammer sleaze. 
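For the header analysis argued over in the "Getting beyond an open proxy?" thread above (a HELO naming the recipient's own domain, a source IP with no reverse DNS, and parsing the Received chain down to the source IP), here is an added example, not written by any poster on the list. The sample message, the hostnames, the network ranges and the function names are all constructed for illustration; only the IP, queue id and Exim banner come from the header quoted in the thread.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample modelled on the Exim header quoted in the thread. The
# hostnames are placeholders (the poster's were munged) and the lower Received
# line is an invented one of the kind a sending client can prepend itself.
SAMPLE = """\
Received: from [202.174.155.163] (helo=example.edu.au)
\tby mx.example.edu.au with esmtp (Exim 4.34)
\tid 1DPkoe-0006os-09 for user@example.edu.au;
\tMon, 25 Apr 2005 01:22:56 +0800
Received: from mail.isp.example ([198.51.100.7])
\tby relay.isp.example with SMTP; Sun, 24 Apr 2005 23:26:30 +0600
From: someone@university.example
To: user@example.edu.au
Subject: Important

(body omitted)
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HELO_RE = re.compile(r"helo=([^\s)]+)")


def parse_received(value):
    """Split one Received value into peer IP, HELO name and the 'by' host."""
    flat = " ".join(value.split())            # undo header folding
    from_part, _, rest = flat.partition(" by ")
    ip = IP_RE.search(from_part)
    helo = HELO_RE.search(from_part)          # Exim style: (helo=name)
    if helo:
        name = helo.group(1)
    else:                                     # "from name ([ip])" style
        words = from_part.split()
        name = words[1] if len(words) > 1 and not words[1].startswith("[") else ""
    by = rest.split()[0] if rest else ""
    return {"ip": ip.group(1) if ip else None,
            "helo": name.lower(), "by": by.lower()}


def find_handoff(raw_headers, trusted_by):
    """Return the deepest Received hop written by one of our own servers.

    Received lines are read newest first. Only lines stamped by hosts we run
    are believed; everything below the first untrusted line may be forged.
    """
    handoff = None
    for value in message_from_string(raw_headers).get_all("Received", []):
        hop = parse_received(value)
        if hop["by"] not in trusted_by:
            break
        handoff = hop
    return handoff


def analyse(raw_headers, trusted_by, own_domains, own_networks, rdns_lookup):
    """Report the handoff IP and the two indicators discussed in the thread.

    rdns_lookup is any callable ip -> hostname or None; in live use it could
    wrap socket.gethostbyaddr. It is injected so the example runs offline.
    """
    hop = find_handoff(raw_headers, trusted_by)
    if hop is None or hop["ip"] is None:
        return None
    try:
        addr = ipaddress.ip_address(hop["ip"])
    except ValueError:                        # e.g. [999.1.1.1] in a bad header
        return None
    ours = any(addr in ipaddress.ip_network(net) for net in own_networks)
    claims_us = any(hop["helo"] == d or hop["helo"].endswith("." + d)
                    for d in own_domains)
    flags = []
    if claims_us and not ours:
        flags.append("helo-claims-own-domain")   # peer greeted us with our name
    if rdns_lookup(hop["ip"]) is None:
        flags.append("no-rdns")
    return {"ip": hop["ip"], "helo": hop["helo"], "flags": flags}


if __name__ == "__main__":
    print(analyse(SAMPLE, {"mx.example.edu.au"}, {"example.edu.au"},
                  ["203.0.113.0/24"], lambda ip: None))
```

The handoff IP is the last address a server you control actually saw; the second Received line in the sample is never consulted because nothing you run wrote it.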
From nospam at fuck-off-and-die.com Tue May 10 15:36:38 2005 From: nospam at fuck-off-and-die.com (Kadaitcha Man) Date: Tue May 10 04:56:37 2005 Subject: [SpamCop-List] Re: fucking test References: Message-ID: <6d746235f6a04453bb2d26463987ba88@comp.graphics.slash.and.burn> Don Wannit, , the snakelike, ill-composed jizz receptacle, and lady living in a rural location who embroiders flowers on muslin, revealed: > Carter wrote: > >> sbb78247 wrote: >> >> >>> aaaaaaaaaaaaaaaaaaaahhhhhhhhhhhhhhhh!!!!! >> >> >> That's what my gf was screaming last night. > > > Your Gay Friend? Why would we care in the least if your are gay? You tell me why you care then everyone will know. From nobody at nowhere.invalid Tue May 10 12:18:32 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Tue May 10 05:20:37 2005 Subject: [SpamCop-List] Re: and References: Message-ID: On Tue, 10 May 2005 00:30:38 +0000 (UTC), Larry J. coughed into spamcop and left this in : > Waiving the right to remain silent, "sbb78247" wrote: > >> you all suck > > I love the smell of fried spammer in the morning..! It smells like..... Perhaps I won't complete that sentence on second thoughts. 'Scuse me while I wipe the barf off my keyboard. -- Steve Why is it that people say they slept like a baby when babies wake up every two hours? From nobody at nowhere.invalid Tue May 10 12:20:26 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Tue May 10 05:25:05 2005 Subject: [SpamCop-List] Re: Educating non-techies not to spam References: Message-ID: On Mon, 09 May 2005 16:13:13 -0700, Stretch coughed into spamcop and left this in : > Any recommendations? My Clue-By-Four is getting all splintered > battering on some very dense heads... Send them over to NANAE to tell of their intentions. They won't know what hit them in the replies! -- Steve Everyone has a photographic memory. Some just don't have film. 
From hans at salvisberg.invalid Tue May 10 13:16:20 2005 From: hans at salvisberg.invalid (Hans Salvisberg) Date: Tue May 10 06:05:05 2005 Subject: [SpamCop-List] Re: Educating non-techies not to spam In-Reply-To: References: Message-ID: Stretch wrote: > We have an email list server where members must physically go to our web > site, login, and click a button to sign up to join the list. Then they > have to confirm their joining by replying to an email. Most don't > bother with the second step and to date, we have 12 members of of 800 > who've successfully signed up. Are you sure your system is fool-proof? I run a similar operation and my experience is that a lot of people are challenged with (for us) simple things like replying to an email message. Asking for a click on a (short, i.e. non-breaking!) web link would be easier than an email reply. Do you make it abundantly clear that clicking the button is only the lesser half of the sign-up process? Do they eagerly wait for the email, so they can do the second step? Would they tell you if they never got the email? 12 out of 800 really is awfully low... In my group, we've managed to position the mailing lists as a primary benefit of membership, and people who join are eager to get on the lists. They declare their wish and give their email address when they sign up for membership, and I enter their address into the lists without any further confirmation. There is a certain risk of entering a wrong address, and it happens sometimes, but then the welcome message usually bounces. Maybe you can offer a discount on the membership fee for those who join the email list, or raise the fee for those who don't, which would only be fair... Offering alternatives to the BoD will be easier than just telling them not to do that. 
Hans

From nobody at nowhere.invalid Tue May 10 13:13:22 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Tue May 10 06:15:02 2005
Subject: [SpamCop-List] Re: Educating non-techies not to spam
References:
Message-ID:

On Tue, 10 May 2005 12:16:20 +0200, Hans Salvisberg coughed into spamcop and left this in :

> They declare their wish and give their email address when they sign up
> for membership, and I enter their address into the lists without any
> further confirmation.

What steps do you take to ensure that the e-mail address given by a member actually belongs to that member? What you're describing sounds like it would allow any new member to sign up with you and give someone else's e-mail address, which is liable to get you blocklisted.

--
Steve
Recorded message on an answerphone: "This is not an answering machine, this is a telepathic thought-recording device. After the tone, think about your name, your number, and your reason for calling.... and I'll think about returning your call."

From hans at salvisberg.invalid Tue May 10 13:30:23 2005
From: hans at salvisberg.invalid (Hans Salvisberg)
Date: Tue May 10 06:20:03 2005
Subject: [SpamCop-List] Re: Anyone from Würzburg, Germany? Is it legal to peddle prescription drugs over the Internet in Germany?
In-Reply-To:
References:
Message-ID:

Ilgaz wrote:

> From what I know, hear etc. That guy has no chance if some german
> figures it. :) Speaking about jail, not speaking about some $10 dialup
> cancelled.

Yes, let's hope some German friend picks it up.

> I had a friend got arrested for politely hitting the phone cabins glass
> (with coin) and showing his watch to some phone talking guy. To hurry.
>
> Guess what happened? He smiled , hung up, called another number and very
> politely left. 5 mins later, he came with cops. *g* Yes, guy got
> arrested as a tourist for that.
>
> I mean, speaking about the system in Germany.
Now, imagine selling that
> stuff when you are based in Germany.

I live in Switzerland, which is a neighboring country to Germany, and I'm not aware of such harsh police measures in Germany. You painted this way too black IMO. I also have ties to the U.S., and even though I never had a close encounter with either country's police (nor any personal reason to fear such an encounter) I'd rather be arrested ten times by German police than once by U.S. authorities... In fact just being a foreigner wanting to visit the U.S. is reason enough for the U.S. authorities to treat you as a criminal and take your fingerprints (unless you present a biometric passport which lets them electronically retrieve equivalent identifying information).

But nevertheless, I also think that Helmut Fischer from Würzburg will be in deep trouble if we find someone who knows how to turn him in.

Hans

From nobody at devnull.spamcop.net Tue May 10 07:13:09 2005
From: nobody at devnull.spamcop.net (Miss Betsy)
Date: Tue May 10 07:10:26 2005
Subject: [SpamCop-List] Re: Getting beyond an open proxy?
References:
Message-ID:

"Dorian Gray" wrote in message news:D.Gray-87B3A7.02225910052005@news.cesmail.net...

> How do we protect the world from internet menaces like this company?

Offline when someone acts against the mores of the group, the proper etiquette is to give them the 'cut direct' according to Miss Manners. The internet equivalent of that is to block them with a polite message that you don't want emails from them because of spam or viruses or whatever. Offline, one can force others to do what you want them to. Online, it is not very easy to control what others do. OTOH, they can't force you either. That leaves 'netiquette' to make the internet workable. In the old days, it worked just fine.
Those who were technically ignorant welcomed the advice of those who knew what they were doing so everyone was competent and everyone was 'polite' Now the 'offliners' have invaded and are trying to impose offline values, but it isn't working. the only way to stop obnoxious behavior is to ignore it, to reject it at the server level if possible. If not, to either report (politely) or delete. If this is a company, then when no one gets their emails, perhaps that will solve the problem. Persistence is the key to assertive behavior that gets changes. Assertiveness is always polite also. IOW, 'please stop sending virmen, it is not a good practice for you or me,' repeatedly to as high up in the company as you can reach if you are interested in keeping them in business. Miss Betsy From nobody at devnull.spamcop.net Tue May 10 08:49:34 2005 From: nobody at devnull.spamcop.net (Pop) Date: Tue May 10 07:50:05 2005 Subject: [SpamCop-List] OT: Re: Educating non-techies not to spam References: Message-ID: "Brian (SnSR)" wrote in message news:d5p3te$eru$1@news.spamcop.net... > WazoO wrote: >> "Stretch" wrote in message >> news:stretch-964BA3.16131209052005@news.cesmail.net... >> >>>I'm struggling to educate these people, but the money is just to strong ... >> thing called a FAQ ... either drill down to it via the Help button >> in the www.spamcop.net web page or browse down the Forum >> FAQ at http://forum.spamcop.net/forums/index.php?showtopic=2238 >> >> > WazoO, > > I also am getting very tired of opening one of your messages, hoping to > see some intelligent insight of your's (I do believe that is possible) and > seeing nothing useful, only you trying to direct someone to a place that > they are not. > > PLEASE STOP > > If it bothers you so much to see the same questions than stay away. > Well, that's one line of thought. 
Another is, his advice, AFAIK, always does get you into the ballpark you need where the information you get is pre-meditated and approved for use, as opposed to regurgitated re-speak. It also lets anyone else reading know that the FAQs or whatever exist, which has been a fairly recent problem, and often times others than the OP are helped with the reference. IMO, the best practice is to lurk around long enough to know the players and if you know some aren't posting the way -you- prefer, organized the way -you- prefer, just glance, don't read, OR ignore, OR killfile, and so on. There are many ways to not let that stuff bother you. After all, this is an open area, albeit fairly well operated and monitored, and with a -very- minimal amount of trash-talk compared to almost all others of its kind, technical or not. It may not be perfect, but appreciate it for the knowledge it contains and that which the constant participants provide. The last point is, don't try to PO those who may one day be able to provide help you need where no one else can. Some here are quite specialized. Pop From Nobody at Spamcop.net Tue May 10 07:53:32 2005 From: Nobody at Spamcop.net (Nobody) Date: Tue May 10 07:55:02 2005 Subject: [SpamCop-List] Re: Grow up References: Message-ID: <4280A0BC.E92CD670@Spamcop.net> Ilgaz wrote: > > On 2005-05-09 05:55:14 +0300, "sbb78247" said: > > > aaaaaaaaaaaaaaaaaaaahhhhhhhhhhhhhhhh!!!!! > > Your test (!) works and I think it will mysteriously stop working not > allowing further "tests" when some admin wakes up ;) > > I'd remove spamcop from my subscribed news servers for future. E.g. > "host unreachable" etc ;) Concur. Excellent suggestion for our village idiot. 
Regards, Michael From nobody at devnull.spamcop.net Tue May 10 08:57:16 2005 From: nobody at devnull.spamcop.net (Pop) Date: Tue May 10 08:00:04 2005 Subject: [SpamCop-List] Re: Educating non-techies not to spam References: Message-ID: "Larry Kilgallen" wrote in message news:ZeLtKAKfnr6e@eisner.encompasserve.org... > In article , "Brian (SnSR)" > writes: >> WazoO wrote: >>> "Stretch" wrote in message >>> news:stretch-964BA3.16131209052005@news.cesmail.net... >>> >>>>I'm struggling to educate these people, but the money is just too strong >>>>in this situation. I can see them making the business decision to spam >>>>"just this once", burn the bridge with our ISP, and move to another. >>>> >>>>Any recommendations? My Clue-By-Four is getting all splintered >>>>battering on some very dense heads... >>> >>> >>> Frequently Asked Question .. and as such, already handled in a >>> thing called a FAQ ... either drill down to it via the Help button >>> in the www.spamcop.net web page or browse down the Forum >>> FAQ at http://forum.spamcop.net/forums/index.php?showtopic=2238 >>> >>> >> WazoO, >> >> I also am getting very tired of opening one of your messages, hoping to >> see some intelligent insight of yours (I do believe that is possible) >> and seeing nothing useful, only you trying to direct someone to a place >> that they are not. >> >> PLEASE STOP > > Amen. In no way is this intended to be a flame: Larry, I'd agree with you -if- the references were wrong or misleading, but if they are accurate, then what's so bad about that? Are they often wrong or misled? Many technical newsgroups have naturally occurring "paired" posters where one says where the info is located for a horse's mouth source, and then someone comes along right behind them with a more verbose answer, sometimes simply gleaned from the given references, sometimes from the horse's ass, but at least inconsistencies come to light that way. To my way of thinking, it's the best of both worlds.
It's just too easy to bypass Wazoo if I don't feel like just seeing a reference and not a verbose answer, but ... if it's MY question, I really appreciate both! The more similar responses, the better I feel about the accuracy and if they help me to interpret a reference, well, great; that just adds to my confidence level. Regards, Pop From Nobody at Spamcop.net Tue May 10 07:57:48 2005 From: Nobody at Spamcop.net (Nobody) Date: Tue May 10 08:00:13 2005 Subject: [SpamCop-List] Re: and References: Message-ID: <4280A1BC.FE6FBA52@Spamcop.net> sbb78247 wrote: > > you all suck Moron. Go back to chickenboning for Ralsky. See if he'll pay you. We'll be along to mop you up again in a bit. Regards, Michael From nobody at devnull.spamcop.net Tue May 10 09:02:21 2005 From: nobody at devnull.spamcop.net (Pop) Date: Tue May 10 08:05:03 2005 Subject: [SpamCop-List] Re: Demise of phish reporting at millersmiles.co.uk ? References: Message-ID: "WazoO" wrote in message news:d5olfc$5l7$1@news.spamcop.net... > "George Langford, Sc.D." wrote in message > news:mailman.150.1115673959.4572.spamcop-list@news.spamcop.net... >> >> What's a good second choice for a phish phighting website ? > > Yet again, the Forum FAQ has a number of address lists > available, to include a direct link to the Anti-Phishing Working > Group .... Plain text list of that FAQ entry was posted > recently into the three main spamcop newsgroups ... see > http://forum.spamcop.net/forums/index.php?showtopic=2238 > > Thank you Wazoo; good info. Pop From nobody at devnull.spamcop.net Tue May 10 09:07:02 2005 From: nobody at devnull.spamcop.net (Pop) Date: Tue May 10 08:10:03 2005 Subject: [SpamCop-List] Re: Demise of phish reporting at millersmiles.co.uk ? References: Message-ID: ... > Damn, Wazoo, quit touting the forum ... MANY of us refuse to be > involved "over there" when adequate and faster access is here. 
> > Is your sole goal, along with the JeffG simply to troll here to "try" to > swing those who appreciate nntp over to a slow forum? It is your right to not read ANY post here you wish to ignore. You have identified a poster you cannot appreciate; now you're armed to keep your liver from quivering quite so badly. Or, you could try another ng that is more to your liking. You have many solutions available to you. Perhaps someone could send you a location for the netiquette RFC and FYI; it would appear you have not read them. They specifically address newsgroups in addition to email etc. I will abstain from giving you that URL because I know you prefer not to see references, but, that's really your loss. You'll never know what you are missing. Ignorance can be bliss, I guess. From nobody at devnull.spamcop.net Tue May 10 09:19:38 2005 From: nobody at devnull.spamcop.net (Pop) Date: Tue May 10 08:20:04 2005 Subject: [SpamCop-List] Re: Email Address Finder at DNS Stuff References: Message-ID: ... >> I put a few addresses into it, and it does seem to be able to say whether >> an e-mail address exists or not, but ... I was wondering what kind of >> pitfalls there are to using it. It seems "too good to be true". >> >> TIA, >> >> Pop > > It's web based and I don't know the guy. Can be good or bad, you can never > be sure. > > Maybe it uses VRFY command existing in some SMTP servers. > > As a general rule, check the information etc before using such sites. > > There is no "elite" stuff there and I'd suggest (of course) Ironport's > andr Spamcop's www services instead. > > Ilgaz Ocal > AFAIK, SC cannot verify whether or not an email address exists and is accepting emails. Or did I miss something somewhere? If you're talking about using the spam copy box for processing, all that does is give you the addresses to complain to, not whether or not the user email name is valid. Provide a pointer, please?
From nobody at devnull.spamcop.net Tue May 10 09:22:21 2005 From: nobody at devnull.spamcop.net (Pop) Date: Tue May 10 08:25:03 2005 Subject: [SpamCop-List] Re: Grow up References: Message-ID: bye arsehole From Kilgallen at SpamCop.net Tue May 10 08:48:30 2005 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Tue May 10 08:50:21 2005 Subject: [SpamCop-List] Re: Educating non-techies not to spam References: Message-ID: In article , "Pop" writes: > > "Larry Kilgallen" wrote in message > news:ZeLtKAKfnr6e@eisner.encompasserve.org... >> In article , "Brian (SnSR)" >> writes: >>> WazoO, >>> >>> I also am getting very tired of opening one of your messages, hoping to >>> see some intelligent insight of yours (I do believe that is possible) >>> and seeing nothing useful, only you trying to direct someone to a place >>> that they are not. >>> >>> PLEASE STOP >> >> Amen. > > In no way is this intended to be a flame: > > Larry, I'd agree with you -if- the references were wrong or misleading, but > if they are accurate, then what's so bad about that? Are they often wrong > or misled? How would you feel if I responded to every spamcop.geeks complaint about an operating system with the advice to use my own favorite ? Even if I were right on that subject, repeating something to those who had heard it over and over again would be obnoxious. > Many technical newsgroups have naturally occurring "paired" posters where > one says where the info is located for a horse's mouth source, and then > someone comes along right behind them with a more verbose answer, sometimes > simply gleaned from the given references, sometimes from the horse's ass, > but at least inconsistencies come to light that way. To my way of thinking, > it's the best of both worlds. It's just too easy to bypass Wazoo if I don't > feel like just seeing a reference and not a verbose answer, but ... if it's > MY question, I really appreciate both!
The more similar responses, the > better I feel about the accuracy and if they help me to interpret a > reference, well, great; that just adds to my confidence level. Not all of us have that much reading time available. From Nobody at Spamcop.net Tue May 10 08:53:51 2005 From: Nobody at Spamcop.net (Nobody) Date: Tue May 10 08:55:03 2005 Subject: [SpamCop-List] Re: pump and dump & webpresence.com References: Message-ID: <4280AEDF.587A7F2E@Spamcop.net> RandallW wrote: > > I've been receiving pump and dump mail for months; it WAS being hosted on a > server where the Spamcop pinging was not timing out ( for the admin > address ). Then the spam moved to webpresence.com, causing pingouts for the > admin ( some supposed Victor Allan ). > > By a Google search I noticed there was some discussion of this on the > Spamcop forum, with speculation that the spam is something done by one of > The Big 50 Spammers. > > Has anyone called the number on the registration of webpresence.com? Is > webpresence supposed to be an ISP? > > Does Victor Allan actually exist? I don't know anything about Victor Allan, sorry, but have you been turning this spew to SEC's enforcement address? They have the ball on this pump-and-dump stuff. Best regards, Michael From nobody at spamcop.net Tue May 10 11:38:12 2005 From: nobody at spamcop.net (indigo) Date: Tue May 10 10:40:15 2005 Subject: [SpamCop-List] Re: Email Address Finder at DNS Stuff References: Message-ID: Mike Easter wrote: > indigo wrote: > > Mike Easter wrote: > > >> You start by putting an email addy into the L window; there needs > >> to be some preliminary configuration in options such as an email > >> address for the mail from command part. > > > > What kind of "preliminary configs" are you referring to? > > Just that one I mentioned for the address is all you need to do the > smtp test: > > SSwin/ Edit/ Basics tab - Email address. > > That way it has something to put when it is saying 'mail from'. 
> > Then, paste the target addy into what it calls the 'address box' -- > namely the left window. I tried doing that, but still get the same error message: 05/10/05 10:36:32 SMTP Verify somebody@mycompany.com, at  Host  doesn't exist, trying  instead Still doing something wrong...... From D.Gray at picture.oscar.wilde Tue May 10 17:01:18 2005 From: D.Gray at picture.oscar.wilde (Dorian Gray) Date: Tue May 10 11:00:04 2005 Subject: [SpamCop-List] Re: Getting beyond an open proxy? References: Message-ID: In article , "Mike Easter" wrote: > > > Am I right in thinking this is some kind of anonymising open proxy > > used by the virus email source? > > No. Viral propagations don't use open proxies to anoymize themselves. I think maybe this one does. > Dorian Gray wrote: > > Recently I got a flood of viral-laden emails with various > > strangers in the From: fields, all of whom were > > English-speaking academics from various countries. > > That simply means that the propagation had access to such addies to put > them into the To, From, envelope rcpt to or whatever. The question is who would have such an address book, especially given the concentration of New Zealand and Australian addresses in it. The other point is that NONE of my academic contacts have my address (the one that received the virus emails) in their address book, because it has effectively been obsolete for 3 years, and I informed all of my academic contacts of my new address back then, and I have been in contact with all of them using the new address. BUT I know that THIS company still had my old address in their address books, and I since I used to use yahoo addresses for other companies, I don't think ANY other company has the address that received these emails. This all narrows down things considerably. You also missed the point that I stopped receiving the viral-laden emails at the instant that they removed me from their address book. 
> > It would not be the first time they have > > flooded their contacts' inboxes with viruses like this - in August > > something quite similar happened and they admitted they were the > > source. > > www.academic-search.net = 210.48.1.214 > inetnum: 210.48.0.0 - 210.48.127.255 > netname: ICONZ-NZ > descr: ICONZ, Internet Service Provider > Mail for academic-search.net is handled by mx-f.maxnet.net.nz & > mx-us.maxnet.net.nz > The nameservice and incoming mail is handled by more than one provider. > How the outgoing is handled isn't apparent. > > Saying that 'they' admitted 'they' were the source isn't informative to > me. I doubt that you are saying that the website was the source. Their previous infection was with the W32/Bagle.AI@mm virus. The earliest Received line in those messages started: Received: from port54-17-53.adsl.maxnet.co.nz ([210.54.17.53] helo=server.com) by This is apparently not an open proxy - I guess the W32/Bagle.AI@mm virus is not as sophisticated as the W32/Netsky.Z@mm virus. But the headers did not lead me to decide conclusively that the company with the website http://www.academic-search.net was the source - although it led me to suspect them strongly. I was convinced when I forwarded them a list of the addresses in the From field for each message I received, and they admitted that every address was in their contacts list. They said they were sorry that being infected had caused everyone trouble, and then disinfected their systems. > When you are tracking a viral propagator, if you parse the headers > correctly, you should arrive at the source IP of the infected > propagator. Since the earliest Received line is obviously forged, as you can see in my original post, this is apparently not necessarily the case. From D.Gray at picture.oscar.wilde Tue May 10 17:13:36 2005 From: D.Gray at picture.oscar.wilde (Dorian Gray) Date: Tue May 10 11:15:04 2005 Subject: [SpamCop-List] Re: Getting beyond an open proxy?
References: Message-ID: In article , "Miss Betsy" wrote: > "Dorian Gray" wrote in message > news:D.Gray-87B3A7.02225910052005@news.cesmail.net... > > > How do we protect the world from internet menaces like this > > company? > > Offline when someone acts against the mores of the group, the > proper etiquette is to give them the 'cut direct' according to > Miss Manners. I'm not familiar with the phrase "cut direct", what does it mean? > the only way to stop obnoxious > behavior is to ignore it, to reject it at the server level if > possible. If not, to either report (politely) or delete. If this > is a company, then when no one gets their emails, perhaps that will > solve the problem. Unfortunately, there is little or no penalty for this company in this case, since the emails with the viruses do not appear to come from them. The people who are adversely affected are the recipients, and the innocent bystanders who get listed in the forged From: fields of the emails. There is not much to say that the emails came from an infected system in this company, so no-one blocks them. > Persistence is the key to assertive behavior that gets changes. > Assertiveness is always polite also. IOW, 'please stop sending > virmen, it is not a good practice for you or me,' repeatedly to as > high up in the company as you can reach if you are interested in > keeping them in business. I'm trying that - their response so far this time seems to be: "cease and desist or we could take action for defamation". I think their attitude is that because no-one can tell for sure that they are the source of these emails (and only some will be able to guess as I have), they don't have to care unless I tell the others of my suspicions. I think you understand my motives for contacting them - I was trying to help them out and help protect everyone in their address book at the same time. Since I think I know what was happening, I thought they would appreciate me telling them so they could fix it. 
But as I said above, they see my knowledge as the threat, rather than their infection, since no-one else knows about the latter. > Miss Betsy Thanks for that, and the rest of your post - it was well-considered. From MikeE at ster.invalid Tue May 10 09:18:54 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue May 10 11:20:03 2005 Subject: [SpamCop-List] Re: Email Address Finder at DNS Stuff References: Message-ID: indigo wrote: > I tried doing that, but still get the same error message: > > 05/10/05 10:36:32 SMTP Verify somebody@mycompany.com, at  > Host  doesn't exist, trying  instead > > Still doing something wrong...... Do you mean that nothing is inside that little box representing a non-printing char? "at  Host  doesn't exist, trying  instead" On my system, what goes into the 'box' after the 'at' is the mx for the domain I'm testing. If you aren't 'talking to' the mx, the transaction isn't going to take place. From an 'infrastructure' point of view, SS is taking the domainname of the address and finding out what its mx is and contacting that mx to start the script. So, the dns which SS is using would have to be working so as to get the mx, and you would have to have access out your port 25 to be able to talk to the mx. What happens if you try to telnet it? In the specific example of somebody@mycompany.com, there really is a mycompany.com and its mx is mailgate.kcl.net and if I try to verify the username somebody the mx refuses to verify or expand, but it offers to accept mail to somebody and it also offers to accept mail to a bogus37722. So, to connect to that mx by telnet, you could give the command telnet mailgate.kcl.net 25 [there's no colon between 'net' and '25' - just a space] When I do that, I'm talking to the mx for mycompany.com. If you can't do that, then I suspect your port 25 is blocked. If you can do that, I suspect something is funny with your SSwin situation.
-- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Tue May 10 09:27:44 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue May 10 11:30:02 2005 Subject: [SpamCop-List] Re: Email Address Finder at DNS Stuff References: Message-ID: Mike Easter wrote: > So, to connect to that mx by telnet, you could give the command > > telnet mailgate.kcl.net 25 That's using telnet from your run command. You can also just open up your telnet app and type in the values. If you do it by opening telnet, the run command would just be telnet, then the Connect menu/ Remote system - will give you a dialog to input hostname mailgate.kcl.net and then port 25. I used to do it that way, but the advantage of putting it on the Run commandline is that Run will remember the command, so you can use it again. Telnet will also remember recent functions, so that memory will be available in the Connect menu. There are better more powerful telnetters. I have never been a commandline kinda person. I much prefer scripts. Live commandlines make me crazy. -- Mike Easter kibitzer, not SC admin From D.Gray at picture.oscar.wilde Tue May 10 17:36:33 2005 From: D.Gray at picture.oscar.wilde (Dorian Gray) Date: Tue May 10 11:40:04 2005 Subject: [SpamCop-List] Re: Getting beyond an open proxy? References: Message-ID: In article , "Mike Easter" wrote: > Dorian Gray wrote: > > care to offer a view on > > what I (really) said? > > No. I have no clue about what you are talking about. Thanks for your very first reply, which confirmed that 202.174.155.163 is an open proxy (in Bangladesh) and that beyond this, it is not possible *from the headers*, *without additional information* to determine the source. As you would have seen if you properly examined the headers I posted, 202.174.155.163 is the apparent source of the message, and the earliest Received line is forging so that the forged hostname makes it look like the message came from the domain of the recipient address.
Everything else in the Received lines is legitimate and the regular path that my emails take, and I've munged things appropriately in the headers I provided. I never asked you or intended for you to confirm or discuss my "analysis" of the headers - there was nothing to discuss! From the headers, all I wanted to know was information about the 202.174.155.163, and since things cannot be tracked further, you can forget about the headers. Unfortunately, all of your other posts were full of presumptions and misunderstandings, and really didn't make much sense. My strong belief that this company is unwittingly the source of the virus-laden emails is not based on an analysis of the headers (and I thought that was clear), but rather is based on a history and various other clues, most of which I outlined for you to think about. You chose not to - your prerogative. From hans at salvisberg.invalid Tue May 10 19:38:02 2005 From: hans at salvisberg.invalid (Hans Salvisberg) Date: Tue May 10 12:30:04 2005 Subject: [SpamCop-List] Re: secure pop? In-Reply-To: References: Message-ID: Hi Ilgaz, Ilgaz wrote: > You have to use pop btw? IMAP with a good client designed for good > offline etc is more secure and really practical for spamcop features. > Held Mail is an IMAP folder for instance. Can you quick-report and/or queue for reporting from a Held Email IMAP folder? Hans From hans at salvisberg.invalid Tue May 10 19:38:06 2005 From: hans at salvisberg.invalid (Hans Salvisberg) Date: Tue May 10 12:30:19 2005 Subject: [SpamCop-List] Re: Educating non-techies not to spam In-Reply-To: References: Message-ID: Steven Maesslein wrote: > On Tue, 10 May 2005 12:16:20 +0200, Hans Salvisberg coughed into spamcop > and left this in : > > >>They declare their wish and give their email address when they sign up >>for membership, and I enter their address into the lists without any >>further confirmation. 
> > > What steps do you take to ensure that the e-mail address given by a > member actually belongs to that member? What you're describing sounds > like it would allow any new member to sign up with you and give someone > else's e-mail address, which is liable to get you blocklisted. We have the advantage of being a local group, and we usually know and have talked to the people who sign up. Also, membership is not free, and I have yet to hear of a case where someone PAID for the pleasure of signing up someone else's email address. Stretch didn't specifically say this, but since they send out regular paper mailings, I assume membership is not free. Also, it seems that his members sign up electronically, which would mean giving a credit card number, and who would give their credit card number to sign up someone else's email address? Hans From clewis at nortelnetworks.com Tue May 10 17:29:08 2005 From: clewis at nortelnetworks.com (Chris Lewis) Date: Tue May 10 12:30:25 2005 Subject: [SpamCop-List] Re: Getting beyond an open proxy? References: Message-ID: According to Dorian Gray : > In article , > "Mike Easter" wrote: > > No. Viral propagations don't use open proxies to anoymize themselves. > I think maybe this one does. Exceedingly unlikely. While the IP may have a proxy on it, it's unlikely to be the _source_ of the virus. Given how many things individual machines get infected with, it should be no surprise that a given IP may be doing several different things at once. > > Dorian Gray wrote: > > That simply means that the propagation had access to such addies to put > > them into the To, From, envelope rcpt to or whatever. > The question is who would have such an address book, especially given > the concentration of New Zealand and Australian addresses in it. Anybody (like you) who received the last blast of these _may_ have all of them in their address books - especially those forged in the from lines. Depending on their addressbook collection parameters.
> Their previous infection was with the W32/Bagle.AI@mm virus. The > earliest Received line in those messages started: > Received: from port54-17-53.adsl.maxnet.co.nz ([210.54.17.53] > helo=server.com) > by > This is apparently not an open proxy - I guess the W32/Bagle.AI@mm virus > is not as sophisticated as the W32/Netsky.Z@mm virus. Ectually, it's the other way around. But not all viruses/proxies emit the same thing to the same people. > Since the earliest Received line is obviously forged, as you can see in > my original post, this is apparently not necessarily the case. The "by" IP isn't forged. If the received line was forged, there'd be more of them. -- Chris Lewis, Una confibula non set est It's not just anyone who gets a Starship Cruiser class named after them. From MikeE at ster.invalid Tue May 10 10:59:12 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue May 10 13:00:08 2005 Subject: [SpamCop-List] Re: Getting beyond an open proxy? References: Message-ID: Dorian Gray wrote: > "Mike Easter" >> >>> Am I right in thinking this is some kind of anonymising open proxy >>> used by the virus email source? >> >> No. Viral propagations don't use open proxies to anoymize >> themselves. > > I think maybe this one does. It is that kind of thinking on your part that causes me to think that you think that someone is intentionally email virms. >> Dorian Gray wrote: >>> Recently I got a flood of viral-laden emails with various >>> strangers in the From: fields, all of whom were >>> English-speaking academics from various countries. >> >> That simply means that the propagation had access to such addies to >> put them into the To, From, envelope rcpt to or whatever. > > The question is who would have such an address book, especially given > the concentration of New Zealand and Australian addresses in it. I didn't say anything about an 'address book'. Modern virms don't use address books AB; that is, they don't /just/ use ABs. They scrape from everywhere. 
You should never suspect that when you get a virm that the propagator of your virm had you in the AB > The > other point is that NONE of my academic contacts have my address (the > one that received the virus emails) in their address book, Now I'm perceiving that 'thinking' that 'I can figure out who propagated me this virm by who has this address' -- don't try to do that. > because it > has effectively been obsolete for 3 years, and I informed all of my > academic contacts of my new address back then, and I have been in > contact with all of them using the new address. BUT I know that THIS > company still had my old address in their address books, and I since I > used to use yahoo addresses for other companies, I don't think ANY > other company has the address that received these emails. You are deriving improper conclusions based on your suspicions and some kind of logical applied to the old vs new address business. > This all narrows down things considerably. You also missed the point > that I stopped receiving the viral-laden emails at the instant that > they removed me from their address book. These 'points' are your points. I don't choose to share them. It isn't a matter of 'missing' - it is a matter of rejecting. > Since the earliest Received line is obviously forged, as you can see > in my original post, this is apparently not necessarily the case. I can't see anything from your original post that has to do with my knowing the earliest received line is obviously forged. I can't say anything about the received lines if I haven't seen them. All you provided was part of one munged line and I don't know whether that line was forged or real. -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Tue May 10 14:27:46 2005 From: nobody at spamcop.net (Anti-Spam) Date: Tue May 10 13:30:04 2005 Subject: [SpamCop-List] Re: Getting beyond an open proxy? 
References: Message-ID: "Dorian Gray" wrote in message news:D.Gray-A3F3F9.16011810052005@news.cesmail.net... > In article , > "Mike Easter" wrote: > > > Dorian Gray wrote: > > > Recently I got a flood of viral-laden emails with various > > > strangers in the From: fields, all of whom were > > > English-speaking academics from various countries. > > > > That simply means that the propagation had access to such addies to put > > them into the To, From, envelope rcpt to or whatever. > > The question is who would have such an address book, especially given > the concentration of New Zealand and Australian addresses in it. The > other point is that NONE of my academic contacts have my address (the > one that received the virus emails) in their address book, because it > has effectively been obsolete for 3 years, and I informed all of my > academic contacts of my new address back then, and I have been in > contact with all of them using the new address. BUT I know that THIS > company still had my old address in their address books, and I since I > used to use yahoo addresses for other companies, I don't think ANY other > company has the address that received these emails. One issue you will have to live with (my condolences) is that there are viruses out there that also steal address books on the compromised machine, or search them for e-mail and compile a list of all senders and receivers, and send these to a server controlled by the virus author, which then shares this list with other copies of the virus, etc. Happened to me a few years back, where someone I knew got infected, and it's now been at least a couple of years since a virus has hit my filter from an address or even a domain I recognise. (i.e. I don't know anyone in es, br, mx, pt, or co, but most of the virii that try to get through my filter come from local ISPs in those countries.) -- Bring in the death penalty for repeat spammers. 
Non-functional spambait addr: thel26@clmgmbbjm.com (generated by Webpoison) From MikeE at ster.invalid Tue May 10 12:15:50 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue May 10 14:15:02 2005 Subject: [SpamCop-List] Re: Getting beyond an open proxy? References: Message-ID: Dorian Gray wrote: > Their previous infection was with the W32/Bagle.AI@mm virus. The > earliest Received line in those messages started: The earliest Received line may or may not be the source of an item. You seem to use that term as a method of communicating a 'description' of headers. I am typically suspicious that someone may have made a mistake in parsing headers if the conclusions they derive from their parsing are not logical -- as in the previous posts in this thread in which you are claiming that a NZ co. is somehow propagating thru' a Bangladesh open proxy. > Received: from port54-17-53.adsl.maxnet.co.nz ([210.54.17.53] > helo=server.com) > by That IP's 'relationship' is more consistent with the NZ website you mentioned earlier, because of the website's relationship with maxnet, as I described earlier. In this IP's situation, notifying the provider for the 210.54.17.53 rDNS port54-17-53.adsl.maxnet.co.nz is a little annoying because the provider for the domainnames for maxnet.co.nz and for netgate.net.nz don't give an abuse.net reg'd addy -- so you are left to fish around for the proper notify. I would notify those default postmasters and also Netgate's upstream provider; because a big outfit like netgate needs to have a good abuse address. That is, my gripe to netgate would be about the propagation of their user. My gripe to their upstream would be because they don't have a reg'd abuse address. route: 210.54.0.0/17 descr: NetGate Telecom New Zealand Limited origin: AS4648 notify: noc@netgate.net.nz whois -h whois.abuse.net netgate.net.nz ... 
No abuse address is registered with abuse.net

Upstream Adjacent AS list
AS10026 ANC Asia Netcom Corporation
AS1239 SPRINTLINK - Sprint
AS4637 REACH Reach Network Border AS

I guess I would pick sprint. The whole idea is to get netgate to wish that you weren't 'pestering' sprint about netgate not having a good abuse address.

> This is apparently not an open proxy - I guess the W32/Bagle.AI@mm
> virus is not as sophisticated as the W32/Netsky.Z@mm virus.

Both of those viruses propagate by using their own smtp engine. They don't have some kind of complex strategy of propagating thru' an open proxy.

[However] It is common for some virus infections to open a backdoor which can lead to them becoming a trojan. Bagle opens up a 1080 backdoor.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Tue May 10 12:46:25 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue May 10 14:45:03 2005
Subject: [SpamCop-List] Re: Getting beyond an open proxy?
References:
Message-ID:

Corrections of several typo/s along the way

Mike Easter wrote:

> Viral propagations don't use open proxies to anoymize themselves.

s/anoymize/anonymize/

you think that someone is intentionally email virms.

s/email/emailing/

You are deriving improper conclusions based on your suspicions and some kind of logical applied to the old vs new address business.

s/logical/logic/

I would notify those default postmasters

Nah.
I would notify abuse@global-gateway.net.nz postmaster@global-gateway.net.nz nic@global-gateway.net.nz I missed that in the initial evaluation of how to notify for 210.54.17.53 rDNS port54-17-53.adsl.maxnet.co.nz -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Tue May 10 13:05:49 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue May 10 15:05:05 2005 Subject: [SpamCop-List] Re: Educating non-techies not to spam References: Message-ID: Kenneth Loafman wrote: > It would help if instead of pointing to the FAQ itself, the poster > would point to the answer in the FAQ... Lots less to read. The ng/s could also be used as a place to 'pin' things. There could be a group for announcements which was restricted [or moderated or robomoderated] to just be for faq/ish things or updated faq/s or whatever. Items in there would of course have msgid/s and it would be very easy to refer to an item if there got to be dozens or scores of them. -- Mike Easter kibitzer, not SC admin From D.Gray at picture.oscar.wilde Tue May 10 21:12:34 2005 From: D.Gray at picture.oscar.wilde (Dorian Gray) Date: Tue May 10 15:15:02 2005 Subject: [SpamCop-List] Re: Getting beyond an open proxy? References: Message-ID: In article , Dorian Gray wrote: > Unfortunately, there is little or no penalty for this company in this > case, since the emails with the viruses do not appear to come from them. I should clarify: by "do not *appear* to come from them", I meant "do not obviously (provably from headers) come from them", but as I made clear elsewhere, my strong belief is that the virus-laden email *do* actually come from them. > > Miss Betsy > > Thanks for that, and the rest of your post - it was well-considered. From zypher at spamcop.net Tue May 10 15:42:46 2005 From: zypher at spamcop.net (Ron B.) Date: Tue May 10 15:45:27 2005 Subject: [SpamCop-List] Stopping Spam (From Scientific American) Message-ID: Stopping Spam What can be done to stanch the flood of junk e-mail messages? 
By Joshua Goodman, David Heckerman and Robert Rounthwaite

http://www.sciam.com/article.cfm?chanID=sa006&colID=1&articleID=000F3A4B-BF70-1238-BF7083414B7FFE9F

From nobody at spamcop.net Tue May 10 17:28:44 2005
From: nobody at spamcop.net (indigo)
Date: Tue May 10 16:30:04 2005
Subject: [SpamCop-List] Re: Email Address Finder at DNS Stuff
References:
Message-ID:

Mike Easter wrote:
>
> Do you mean that nothing is inside that little box representing a
> non-printing char?
>

Nope.

> "at  Host  doesn't exist, trying  instead"
>
>
> What happens if you try to telnet it?

I have never been able to get the built in winbloze telnet proggie to work -- it won't let me type any commands in the window!

From MikeE at ster.invalid Tue May 10 14:38:39 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue May 10 16:40:04 2005
Subject: [SpamCop-List] Re: Email Address Finder at DNS Stuff
References:
Message-ID:

indigo wrote:

> I have never been able to get the built in winbloze telnet proggie to
> work -- it won't let me type any commands in the window!

Well, you can't type anything in there [the little console] until 'something is happening'.

Let's just do this with the example I gave earlier.

Click Start/ Run/ [appears an alert with a field available, into that field paste...]

telnet mailgate.kcl.net 25

... if your port 25 isn't blocked, your little telnet console will open up with the mx's answer...

220 mailgate.kcl.net ESMTP Postfix

... then you will be able to type something. If you type 'quit' then y'all disengage.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Tue May 10 14:44:57 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue May 10 16:45:04 2005
Subject: [SpamCop-List] Re: Email Address Finder at DNS Stuff
References:
Message-ID:

Mike Easter wrote:

> indigo wrote:
>> I have never been able to get the built in winbloze telnet proggie to
>> work -- it won't let me type any commands in the window!
>
> Well, you can't type anything in there [the little console] until
> 'something is happening'.

Oh, I forgot about a little bit of configuring. I have mine configured in this way:

Telnet/ Terminal menu/ Preferences - these are checked

Terminal options: local echo, blinking cursor, block cursor
Emulation: VT-100/ANSI

--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Tue May 10 20:10:02 2005
From: nobody at devnull.spamcop.net (Pop)
Date: Tue May 10 19:15:11 2005
Subject: [SpamCop-List] Re: Educating non-techies not to spam
References:
Message-ID:

Well, I guess that's why we're all entitled to our own opinions:

...
>
> How would you feel if I responded to every spamcop.geeks complaint about
> an operating system with the advice to use my own favorite ? Even if
> I were right on that subject, repeating something to those who had heard
> it over and over again would be obnoxious.

===> ?? I was talking about giving only a link as a response, not people posting opinions. ?? If you were to always post just a URL as a response, if I was casually interested, I might skip your post. But, if I were more than casually interested, and no more verbose post was presented, then I'd go back and rethink using the link after all. If there's a reasonable length written response, that's a lot more efficient than jumping over to a web site and perusing for the information if I already have what I need and find it to be a usable response.

...
>> it's the best of both worlds. It's just too easy to bypass Wazoo if I
>> don't
>> feel like just seeing a reference and not a verbose answer, but ... if
>> it's
>> MY question, I really appreciate both! The more similar responses, the
>> better I feel about the accuracy and if they help me to interpret a
>> reference, well, great; that just adds to my confidence level.
>
> Not all of us have that much reading time available.

===> It's time consuming to bypass Wazoo (or anyone else for that matter)? I don't understand.
Please re-read what I've said rather than my reiterating it all here. Either you mis-understood my language, or we're stuck in a syntax loop. Any time it's MY question, I will make the time available if I need the answer badly enough. But I fail to see any way it requires "too much" reading time. What's quicker to read: A direct response which one finds is correct, or perusing a web site someone provided a link to? Both are good, and both have their places, and both are useful in different ways. Guess all I mean is, I fail to see your point, but it's no big deal, really. Like I said at the top ... Pop From nobody at devnull.spamcop.net Tue May 10 20:12:57 2005 From: nobody at devnull.spamcop.net (Pop) Date: Tue May 10 19:15:29 2005 Subject: [SpamCop-List] Re: Educating non-techies not to spam References: Message-ID: ... > It would help if instead of pointing to the FAQ itself, the poster would > point to the answer in the FAQ... Lots less to read. > > ...Ken > That's true, but in reality I think it's asking a lot of the poster to do that. I could easily and happily refer you to, say a netiquette RFC, but trying to tell you just where the newsgroup is mentioned would be more work than I was willing to do for someone else. The questioner really should be willing to do the footwork, don't you think, than to expect the responder to do it? Just my two cents, Pop From nobody at devnull.spamcop.net Tue May 10 20:16:23 2005 From: nobody at devnull.spamcop.net (Pop) Date: Tue May 10 19:20:02 2005 Subject: [SpamCop-List] Re: Educating non-techies not to spam References: Message-ID: "Mike Easter" wrote in message news:d5r0ii$hau$1@news.spamcop.net... > Kenneth Loafman wrote: >> It would help if instead of pointing to the FAQ itself, the poster >> would point to the answer in the FAQ... Lots less to read. > > The ng/s could also be used as a place to 'pin' things. 
There could be > a group for announcements which was restricted [or moderated or > robomoderated] to just be for faq/ish things or updated faq/s or > whatever. > > Items in there would of course have msgid/s and it would be very easy to > refer to an item if there got to be dozens or scores of them. > > -- > Mike Easter > kibitzer, not SC admin > Now, -that- would be great! Yeah, I know, some will complain it smells of a windows forum, but I still think that's a good way to do it. I mentioned same a few/several weeks back and was pretty promptly and roundly put down for it. Since I wasn't about to volunteer to do any of the actual work (not enough experience/resources or I'd be happy to), I quietly went away . But, it was and still is a good idea. Regards, Pop From sbb78247 at stilldon'tfuckincare.invalid Tue May 10 19:49:10 2005 From: sbb78247 at stilldon'tfuckincare.invalid (sbb78247) Date: Tue May 10 19:50:06 2005 Subject: [SpamCop-List] Re: fucking test References: Message-ID: and all of y'all can still go fuck yourself From sbb78247 at stilldon'tfuckincare.invalid Tue May 10 19:50:08 2005 From: sbb78247 at stilldon'tfuckincare.invalid (sbb78247) Date: Tue May 10 19:50:25 2005 Subject: [SpamCop-List] Re: and References: Message-ID: Steven Maesslein wrote: > On Sun, 8 May 2005 22:00:28 -0500, sbb78247 coughed into spamcop and > left this in : > >> you all suck > > Spanked spammer? not even close Nigel and you still suck From sbb78247 at stilldon'tfuckincare.invalid Tue May 10 20:32:13 2005 From: sbb78247 at stilldon'tfuckincare.invalid (sbb78247) Date: Tue May 10 20:35:03 2005 Subject: [SpamCop-List] Re: and References: Message-ID: eddie wrote: > On Sun, 08 May 2005 22:00:28 -0500, sbb78247 scratched out the > following: > >> you all suck > > awrrrrm that's so 16-year old and soooo verrrry 20th century > Only girly-men use "suck" these days. Real men know the new word. > Fried Spam smells so great, especially when one more sucker is dead. 
oh i am sorry that i didn't use the proper metrosexual faggot term. but you still suck or as you would have it, a large vaccuum that is only challenged by the space between your ears. you know being politically correct and all that shit From nobody at devnull.spamcop.net Tue May 10 22:16:16 2005 From: nobody at devnull.spamcop.net (Miss Betsy) Date: Tue May 10 22:15:03 2005 Subject: [SpamCop-List] Re: Stopping Spam (From Scientific American) References: Message-ID: "Ron B." wrote in message news:d5r2rm$ilm$1@news.spamcop.net... > > > > Stopping Spam > > > What can be done to stanch the flood of junk e-mail messages? > By Joshua Goodman, David Heckerman and Robert Rounthwaite > > > http://www.sciam.com/article.cfm?chanID=sa006&colID=1&articleID=000F3A4B-BF70-1238-BF7083414B7FFE9F Just goes to show you that scientists can be as dumb as the rest of the world. Miss Betsy From nobody at devnull.spamcop.net Tue May 10 22:25:32 2005 From: nobody at devnull.spamcop.net (Miss Betsy) Date: Tue May 10 22:25:03 2005 Subject: [SpamCop-List] Re: Getting beyond an open proxy? References: Message-ID: "Dorian Gray" wrote in message news:D.Gray-A22C5B.16133610052005@news.cesmail.net... > In article , > "Miss Betsy" wrote: > > > "Dorian Gray" wrote in message > > news:D.Gray-87B3A7.02225910052005@news.cesmail.net... > > > > > How do we protect the world from internet menaces like this > > > company? > > > > Offline when someone acts against the mores of the group, the > > proper etiquette is to give them the 'cut direct' according to > > Miss Manners. > > I'm not familiar with the phrase "cut direct", what does it mean? That means obviously ignoring the person, as in not acknowledging that they are there. > > the only way to stop obnoxious > > behavior is to ignore it, to reject it at the server level if > > possible. If not, to either report (politely) or delete. If this > > is a company, then when no one gets their emails, perhaps that will > > solve the problem. 
>
> Unfortunately, there is little or no penalty for this company in this
> case, since the emails with the viruses do not appear to come from them.
> The people who are adversely affected are the recipients, and the
> innocent bystanders who get listed in the forged From: fields of the
> emails. There is not much to say that the emails came from an infected
> system in this company, so no-one blocks them.

The only trusted IP address is the address where the email was received from. If you know that, then you can definitely say it comes from them. If it isn't their IP address, then it doesn't come from them. Sometimes trojans do not use the usual port for email and virus activity is discovered by looking at other logs. Since I am not technically fluent, I am not quite sure what it is that you would tell them to look for. Still, the IP address is consistent.

Perhaps you are saying that you think that someone in their organization is 'creating' the virus rather than just inadvertently propagating it. That is something that can be proven, but it takes real experts to track down. If you have evidence of that sort, you should be talking to law enforcement.

Miss Betsy

From nobody at devnull.spamcop.net Tue May 10 22:36:02 2005
From: nobody at devnull.spamcop.net (Miss Betsy)
Date: Tue May 10 22:35:05 2005
Subject: [SpamCop-List] Re: Educating non-techies not to spam
References:
Message-ID:

"Mike Easter" wrote in message news:d5r0ii$hau$1@news.spamcop.net...
> Kenneth Loafman wrote:
> > It would help if instead of pointing to the FAQ itself, the poster
> > would point to the answer in the FAQ... Lots less to read.
>
> The ng/s could also be used as a place to 'pin' things. There could be
> a group for announcements which was restricted [or moderated or
> robomoderated] to just be for faq/ish things or updated faq/s or
> whatever.
>
> Items in there would of course have msgid/s and it would be very easy to
> refer to an item if there got to be dozens or scores of them.
Since I don't have a lot of experience with other ngs, I don't know how they work. In this particular one, however, IMHO, it doesn't hurt to have FAQ answer now and then (or even a regular post). IMHO, the complainant voiced his opinion, but I don't agree with him. I agree with Kenneth that it was a waste of time to be given the 'whole' FAQ instead of the link to the answer, but as a source of information, it certainly isn't a bad answer and regulars can certainly skip over them (I often skipped Larry K's answers when I suspected they were just one of his templates).

Miss Betsy

From nobody at devnull.spamcop.net Tue May 10 22:40:17 2005
From: nobody at devnull.spamcop.net (Miss Betsy)
Date: Tue May 10 22:35:26 2005
Subject: [SpamCop-List] Re: Educating non-techies not to spam
References:
Message-ID:

Another argument is to ask them what they hope to accomplish with this mass mailing when it is obvious that most of the membership are not 'online' types? and don't even answer confirmation emails? They are going to magically read something else?

Miss Betsy

From eddie at eddie.web Tue May 10 23:48:59 2005
From: eddie at eddie.web (eddie)
Date: Tue May 10 22:50:02 2005
Subject: [SpamCop-List] Re: Stopping Spam (From Scientific American)
References:
Message-ID:

On Tue, 10 May 2005 14:42:46 -0500, Ron B. scratched out the following:

>
>
>
> Stopping Spam
>
>
> What can be done to stanch the flood of junk e-mail messages? By Joshua
> Goodman, David Heckerman and Robert Rounthwaite

snip

Scientific American has little or nothing to do with Science.
Perhaps a long time ago it was a legit publication, but no longer.
http://www.dartreview.com/issues/1.21.02/lomborg.html
Like all other soft-science groups, their main goal, as Michael Crichton aptly put it is to create a "State of Fear." Crichton says that the dictum of the medial is to "simplify and exaggerate, just like Walt Disney told his cartoonists to do."
-- Once movie theaters gave out steak knives Today they confiscate them From eddie at eddie.web Tue May 10 23:50:55 2005 From: eddie at eddie.web (eddie) Date: Tue May 10 22:55:04 2005 Subject: [SpamCop-List] Re: and References: Message-ID: On Tue, 10 May 2005 19:32:13 -0500, sbb78247 scratched out the following: > eddie wrote: >> On Sun, 08 May 2005 22:00:28 -0500, sbb78247 scratched out the >> following: >> >>> you all suck >> >> awrrrrm that's so 16-year old and soooo verrrry 20th century Only >> girly-men use "suck" these days. Real men know the new word. Fried Spam >> smells so great, especially when one more sucker is dead. > > oh i am sorry that i didn't use the proper metrosexual faggot term. but > you still suck or as you would have it, a large vaccuum that is only > challenged by the space between your ears. you know being politically > correct and all that shit Gotcha! Why you can't even spell vacuum, you moron. I take it back, your aren't even 16, you are probably closer to 12, studying cucumbers in class. -- Once movie theaters gave out steak knives Today they confiscate them From eddie at eddie.web Tue May 10 23:51:46 2005 From: eddie at eddie.web (eddie) Date: Tue May 10 22:55:17 2005 Subject: [SpamCop-List] Re: and References: Message-ID: On Tue, 10 May 2005 18:50:08 -0500, sbb78247 scratched out the following: > Steven Maesslein wrote: >> On Sun, 8 May 2005 22:00:28 -0500, sbb78247 coughed into spamcop and >> left this in : >> >>> you all suck >> >> Spanked spammer? > > not even close Nigel > > and you still suck Sucking may be cool, but man, you blow. -- Once movie theaters gave out steak knives Today they confiscate them From MikeE at ster.invalid Tue May 10 21:43:36 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue May 10 23:45:05 2005 Subject: [SpamCop-List] Re: Stopping Spam (From Scientific American) References: Message-ID: Ron B. wrote: > Stopping Spam > What can be done to stanch the flood of junk e-mail messages? 
> By Joshua Goodman, David Heckerman and Robert Rounthwaite > > http://www.sciam.com/article.cfm?chanID=sa006&colID=1&articleID=000F3A4B-BF70-1238-BF7083414B7FFE9F I tho't it was a well written article. I had never heard of the authors, here's what SciAm sez about them: JOSHUA GOODMAN, DAVID HECKERMAN and ROBERT ROUNTHWAITE have worked together on ways to stop spam for many years. Heckerman and Rounthwaite, with others, created the first machine-learning spam filter in 1997. Heckerman manages the Machine Learning and Applied Statistics (MLAS) group at Microsoft Research. Goodman and Rounthwaite helped to organize the Microsoft product team that delivers the anti-spam technologies deployed in Exchange, Outlook, MSN and Hotmail. Rounthwaite is currently the group's chief architect. Goodman is a member of the MLAS team and does research on spam and e-mail-related topics. Miss Betsy wrote: > Just goes to show you that scientists can be as dumb as the rest of > the world. How do you mean? The thread isn't about SciAm spam, it is a pointer to the article. Did you mean the article was dumb? eddie wrote: > Scientific American has little or nothing to do with Science. > Perhaps a long time ago it was a legit publication, but no longer. SciAm has always been about writing about science for some subset of the masses -- its science is pretty good. The issues of what is and what is not junk science to further a political agenda is a complicated subject. > http://www.dartreview.com/issues/1.21.02/lomborg.html I haven't read the articles from that 2002 Jan SciAm - but clearly that editorialist had an agenda. You can't discredit SciAm just because you have a point of view about the environment and global warming that differs with some scientific points of view put forward in that edition. The editorialist was a fan of a book he was 'featuring' in the article. The authors and articles in SciAm apparently weren't. 
> Like all other soft-science groups, their main goal, as Michael > Crichton aptly put it is to create a "State of Fear." Crichton says > that the dictum of the medial is to "simplify and exaggerate, just > like Walt Disney told his cartoonists to do." There is both political and real science and junk science promulgated on both sides of the global warming debate. A smart scientist would keep an open mind to both sides of the argument and watch out for junk science, it is very misleading. Incidentally; there's another interesting article in the May issue, His Brain, Her Brain - which fortunately is available in its entirety online, not just a teaser version http://www.sciam.com/article.cfm?chanID=sa006&articleID=000363E3-1806-1264-980683414B7F0000 -- Mike Easter kibitzer, not SC admin From cchamb2 at qwest.net Tue May 10 22:05:28 2005 From: cchamb2 at qwest.net (Charles Chambers) Date: Wed May 11 00:05:11 2005 Subject: [SpamCop-List] Re: E-mail reporting References: Message-ID: "Charles Chambers" wrote in message news:d5lhg8$hsl$1@news.spamcop.net... > Anyone noticed that e-mail reporting now has a lower priority than > web-based reporting? > > I submit spam through the web interface, and I can confirm it in about 15 > seconds. I submit through e-mail, and I may have a 10 minute wait until > SpamCop has processed it. Not a problem. I can be patient. It's just that I *am* glued to my browser when I'm bouncing phishing spam - the e-mail forwarding process is used when I'm checking my Yahoo mail. OE spam goes through the web interface. From zypher at spamcop.net Wed May 11 00:26:16 2005 From: zypher at spamcop.net (Ron B.) Date: Wed May 11 00:30:04 2005 Subject: [SpamCop-List] Re: Stopping Spam (From Scientific American) In-Reply-To: References: Message-ID: eddie wrote: > On Tue, 10 May 2005 14:42:46 -0500, Ron B. scratched out the following: > > >> >> >>Stopping Spam >> >> >>What can be done to stanch the flood of junk e-mail messages? 
By Joshua
>>Goodman, David Heckerman and Robert Rounthwaite
>
> snip
>
> Scientific American has little or nothing to do with Science.
> Perhaps a long time ago it was a legit publication, but no longer.
> http://www.dartreview.com/issues/1.21.02/lomborg.html
> Like all other soft-science groups, their main goal, as Michael Crichton
> aptly put it is to create a "State of Fear." Crichton says that the dictum
> of the medial is to "simplify and exaggerate, just like Walt Disney told
> his cartoonists to do."
>

Did you actually read the article?

From zypher at spamcop.net Wed May 11 00:27:25 2005
From: zypher at spamcop.net (Ron B.)
Date: Wed May 11 00:30:19 2005
Subject: [SpamCop-List] Re: Stopping Spam (From Scientific American)
In-Reply-To:
References:
Message-ID:

Miss Betsy wrote:

> "Ron B." wrote in message
> news:d5r2rm$ilm$1@news.spamcop.net...
>
>>
>>
>>Stopping Spam
>>
>>
>>What can be done to stanch the flood of junk e-mail messages?
>>By Joshua Goodman, David Heckerman and Robert Rounthwaite
>>
>>
>>
>
> http://www.sciam.com/article.cfm?chanID=sa006&colID=1&articleID=000F3A4B-BF70-1238-BF7083414B7FFE9F
>
> Just goes to show you that scientists can be as dumb as the rest of
> the world.
>
> Miss Betsy
>
>

Really? In what ways were the authors "... dumb as the rest of the world."?

From baloo at ursine.ca Tue May 10 22:55:07 2005
From: baloo at ursine.ca (Paul Johnson)
Date: Wed May 11 01:10:03 2005
Subject: [SpamCop-List] Re: Stopping Spam (From Scientific American)
References:
Message-ID:

http://ursine.ca/Top_Posting

Mike Easter wrote:

> I had never heard of the authors, here's what SciAm sez about them:

You do realize that the biographical blurbs are written by the authors of the article and not the editor or publisher, right?

> Heckerman manages the Machine Learning and Applied Statistics (MLAS)
> group at Microsoft Research.
I have a hard time believing such a department exists, and if it does, it helps explain why Microsoft can't be bothered to fix security problems with its operating systems that have existed since 1981.

> Goodman and Rounthwaite helped to organize the Microsoft product team that
> delivers the anti-spam technologies deployed in Exchange, Outlook, MSN and
> Hotmail.

Oh, yeah, blocking mail based on the From: header really works...

--
Paul Johnson
Email and Instant Messenger (Jabber): baloo@ursine.ca
http://ursine.ca/~baloo/

From zypher at spamcop.net Wed May 11 01:20:04 2005
From: zypher at spamcop.net (Ron B.)
Date: Wed May 11 01:25:03 2005
Subject: [SpamCop-List] Re: Stopping Spam (From Scientific American)
In-Reply-To:
References:
Message-ID:

Paul Johnson wrote:

> http://ursine.ca/Top_Posting
>
> Mike Easter wrote:
>
>
>>I had never heard of the authors, here's what SciAm sez about them:
>
>
> You do realize that the biographical blurbs are written by the authors of
> the article and not the editor or publisher, right?
>
>
>>Heckerman manages the Machine Learning and Applied Statistics (MLAS)
>>group at Microsoft Research.
>
>
> I have a hard time believing such a department exists, and if it does, it
> helps explain why Microsoft can't be bothered to fix security problems with
> its operating systems that have existed since 1981.
>
>
>>Goodman and Rounthwaite helped to organize the Microsoft product team that
>>delivers the anti-spam technologies deployed in Exchange, Outlook, MSN and
>>Hotmail.
>
>
> Oh, yeah, blocking mail based on the From: header really works...
>

Um, have _you_ actually read the article?

From nobody at spamcop.net Wed May 11 04:04:57 2005
From: nobody at spamcop.net (Claudio Valderrama C.)
Date: Wed May 11 03:05:05 2005
Subject: [SpamCop-List] Intermitent problem with bora.net
Message-ID:

Hello. I want to know if someone else has been observing this astray behavior.
Take this URL, for example: http://members.spamcop.net/sc?id=z762161327z10fc569dff3bf9d5ac21bbbef74989a6z You'll observe that it detected security at bora.net and from abuse.net, abuse at bora.net, so far so good. However, the following problem seems to happen daily or near 24 hours: when the lart should be sent to that address, SC detects that the IP is from bora.net, but tries to send to something like users123 at bora.net (I don't remember the exact account name) It doesn't attempt to contact abuse.net either. Then I have to refresh the contact information. Then SC discovers security at bora.net and gets abuse at bora.net from abuse.net. It works on all emails I'm reporting. I close the session, etc. The next day, some of the spam again comes from the domain and again SC gives that strange address resembling users123 at bora.net until I ask it to refresh the cached information. It has happened three days already. Is it normal? It seems that the SC parser is doing strange things the last weeks. I see several people having trouble with addresses SC doesn't resolve (even though I insist two times) but that you manually can resolve. C. -- Claudio Valderrama C. www.cvalde.net - www.firebirdSql.org From mrichter at cpl.net Wed May 11 01:41:11 2005 From: mrichter at cpl.net (Mike Richter) Date: Wed May 11 03:45:03 2005 Subject: [SpamCop-List] Re: Stopping Spam (From Scientific American) In-Reply-To: References: Message-ID: Ron B. wrote: > > > Stopping Spam > > > What can be done to stanch the flood of junk e-mail messages? > By Joshua Goodman, David Heckerman and Robert Rounthwaite > > > http://www.sciam.com/article.cfm?chanID=sa006&colID=1&articleID=000F3A4B-BF70-1238-BF7083414B7FFE9F Logical enough, but whether it proves practical and then salable are open questions. 'Selling' Bayesian filters is tough enough and they are easier to feed. 
Of course, it cures only the symptom of spam arriving in the IN box; unless most people sign up to the approach, it will do nothing noticeable about the spew on the Internet. Mike -- mrichter@cpl.net http://www.mrichter.com/ From nobody at devnull.spamcop.net Wed May 11 04:05:27 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Wed May 11 04:10:02 2005 Subject: [SpamCop-List] Re: secure pop? References: Message-ID: "Russell E. Owen" wrote in message news:mailman.151.1115674997.4572.spamcop-list@news.spamcop.net... > In article , > "WazoO" wrote: > > > On another foray to drag yet another user to the SpamCop e-mail > > support areas .... try the spamcop.mail newsgroup (so little traffic > > it was asked recently if it really existed) or head over to the Forum. > > Don't know how you are logging in now, but for a bit of an indirect > > answer, see > > http://forum.spamcop.net/forums/index.php?showtopic=1579&view=findpost&p=10197 > > that discussion also includes a link to a Jeff G. entry about setting > > things up at http://forum.spamcop.net/forums/index.php?showtopic=152 > > That's great! > > For anyone else who was wondering. the first link says spamcop pop > supports SSL. And indeed it does. Once I told Eudora to use the > alternate port SSL started working. > > Regarding the 2nd link (about setting things up), I did not see anything > about SSL. It'd be nice if SSL info was added to the standard "how to > set things up" page. Done. I edited that entry later that day, amazed that in over a year no one had pointed out a typo in the URL for the SSL connection ... Talked to Jeff G. last night, he edited it some more, adding in some data. Think it needs more? From MikeE at ster.invalid Wed May 11 04:20:23 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed May 11 06:20:03 2005 Subject: [SpamCop-List] Re: Intermitent problem with bora.net References: Message-ID: Claudio Valderrama C. 
wrote:

spamcop.net/sc?id=z762161327z10fc569dff3bf9d5ac21bbbef74989a6z

> You'll observe that it detected security at bora.net and from
> abuse.net, abuse at bora.net, so far so good.

The strategy SC employs should be explained/described for this.

This is a spam sourced from 61.35.132.217 no rDNS which is

inetnum: 61.35.132.192 - 61.35.132.255
netname: KOREANA4033336D

If you look at the contact information in apnic you get KJ92-AP = b4033336@users.bora.net

whois -h whois.abuse.net users.bora.net
...
abuse@bora.net

If SC were to use the abuse/tech contact it would be kj92, else abuse.

OTOH - it is SC's routine to go past apnic to krnic or nic.or.kr

The contact info at krnic is

[ ISP Network Abuse Contact Information ]
E-mail : security@bora.net

and admin/tech are ipadm@nic.bora.net

Also the org sez

Org Name : DACOM Corporation
Service Name : BORANET

> However, the following problem seems to happen daily or near 24
> hours: when the lart should be sent to that address, SC detects that
> the IP is from bora.net, but tries to send to something like
> users123 at bora.net (I don't remember the exact account name)
> It doesn't attempt to contact abuse.net either.
This pasting from the verbose information may explain some steps:

Tracking details
Display data: <== link here
"whois 61.35.132.217@whois.arin.net" (Getting contact from whois.arin.net )
Redirect to apnic:
"whois 61.35.132.217@whois.apnic.net" (Getting contact from whois.apnic.net mirror)
Display data: <== link here
whois.apnic.net redirects to krnic
Display data: <== link here
"whois 61.35.132.217@whois.krnic.net" (Getting contact from whois.krnic.net)
(old krnic)
Found ISP IP Admin Contact Information : ipadm@nic.bora.net
Found ISP IP Tech Contact Information : ipadm@nic.bora.net
Found ISP Network Abuse Contact Information : security@bora.net
Assuming /24 network for cache
whois: 61.35.132.0 - 61.35.132.255 : ipadm@nic.bora.net, security@bora.net
Routing details for 61.35.132.217
De-referencing ipadm@nic.bora.net
abuse net bora.net = abuse@bora.net
Using abuse net on security@bora.net
abuse net bora.net = abuse@bora.net
Using best contacts abuse@bora.net

> Then I have to refresh the contact information. Then SC discovers
> security at bora.net and gets abuse at bora.net from abuse.net.
> It works on all emails I'm reporting. I close the session, etc. The
> next day, some of the spam again comes from the domain and again SC
> gives that strange address resembling users123 at bora.net until I
> ask it to refresh the cached information.
> It has happened three days already.
> Is it normal?

There are several different results you could get depending upon the cache and the accessibility of registrars.

> It seems that the SC parser is doing strange things the last weeks. I
> see several people having trouble with addresses SC doesn't resolve
> (even though I insist two times) but that you manually can resolve.

The business about problems resolving body urls is another matter altogether.
-- Mike Easter kibitzer, not SC admin From hans at salvisberg.invalid Wed May 11 13:45:03 2005 From: hans at salvisberg.invalid (Hans Salvisberg) Date: Wed May 11 06:35:05 2005 Subject: [SpamCop-List] Re: Educating non-techies not to spam In-Reply-To: References: Message-ID: Stretch wrote: > I changed the list server to just enroll people without a confirmation. > We still only have 12 people out of the 800. Most of these people are > not technical and I'm constantly holding their hands to login to the > site. Now you'll have another problem (there's always one more, isn't there...): the mailboxes of this type of audience tend to get full or otherwise cease to work. My mailer removes them after four bounces in a row (should be tuned to your traffic). There's only so much we can do at our end. Also, there'll always be one on the list that catches the latest worm, so you have to be careful about what email addresses you send over the list. Hans From bar_n0ne at hotmail.com Wed May 11 15:44:22 2005 From: bar_n0ne at hotmail.com (Berny) Date: Wed May 11 06:45:05 2005 Subject: [SpamCop-List] Re: SBCGlobal) Software Factory solutionsSFSFL and PACBell and Whoa007 @pacbell References: Message-ID: "Cat" wrote in message news:d5693r$gdb$1@news.spamcop.net... SNIP . > After three more SBC spams copied to Dawn S, the SBC spew stopped, and > I've started getting the same spam through XO now. This guy just moves around with impunity, 5 or more turdlets a day, all SOS, product testing , free this and that, rate the shops, free-- whateverrs (now including kitchen and garden appliances) Contact is still contact@hotteststuffaround.com Registrar has been changed to names4ever, but the names have been recycled, using topserver.com, freeserving.com and others, nameservice from ns1/2.lockingpoint.com. Whoa007 has some kind of ROKSO listing. 
spew server and web hoster is 69.67.72.* ( don't know how to express it as a /whatever Can't anyone run him over with a heavy vehicle when he checks his mail in Laval Quebec? From bar_n0ne at hotmail.com Wed May 11 15:48:41 2005 From: bar_n0ne at hotmail.com (Berny) Date: Wed May 11 06:50:04 2005 Subject: [SpamCop-List] Re: SBCGlobal) Software Factory solutionsSFSFL and PACBell and Whoa007 @pacbell References: Message-ID: OOPS "Berny" wrote in message news:d5snme$jg8$1@news.spamcop.net... > > "Cat" wrote in message > news:d5693r$gdb$1@news.spamcop.net... > > SNIP > . > > After three more SBC spams copied to Dawn S, the SBC spew stopped, and > > I've started getting the same spam through XO now. > > This guy just moves around with impunity, 5 or more turdlets a day, all SOS, > product testing , free this and that, rate the shops, free-- whateverrs (now > including kitchen and garden appliances) > OOPs > Contact is still contact@hotteststuffaround.com WRONG Should read:: thehottestthingaround.com > > Registrar has been changed to names4ever, but the names have been recycled, > using topserver.com, freeserving.com and others, nameservice from > ns1/2.lockingpoint.com. > > Whoa007 has some kind of ROKSO listing. > > spew server and web hoster is 69.67.72.* ( don't know how to express it as a > /whatever > > Can't anyone run him over with a heavy vehicle when he checks his mail in > Laval Quebec? > > From sbb78247 at stilldon'tfuckincare.invalid Wed May 11 07:06:12 2005 From: sbb78247 at stilldon'tfuckincare.invalid (sbb78247) Date: Wed May 11 07:10:05 2005 Subject: [SpamCop-List] Re: and References: Message-ID: eddie wrote: > On Tue, 10 May 2005 18:50:08 -0500, sbb78247 scratched out the > following: > >> Steven Maesslein wrote: >>> On Sun, 8 May 2005 22:00:28 -0500, sbb78247 coughed into spamcop and >>> left this in : >>> >>>> you all suck >>> >>> Spanked spammer? >> >> not even close Nigel >> >> and you still suck > > Sucking may be cool, but man, you blow. 
said the expert From sbb78247 at stilldon'tfuckincare.invalid Wed May 11 07:05:27 2005 From: sbb78247 at stilldon'tfuckincare.invalid (sbb78247) Date: Wed May 11 07:10:22 2005 Subject: [SpamCop-List] Re: and References: Message-ID: eddie wrote: > On Tue, 10 May 2005 19:32:13 -0500, sbb78247 scratched out the > following: > >> eddie wrote: >>> On Sun, 08 May 2005 22:00:28 -0500, sbb78247 scratched out the >>> following: >>> >>>> you all suck >>> >>> awrrrrm that's so 16-year old and soooo verrrry 20th century Only >>> girly-men use "suck" these days. Real men know the new word. Fried >>> Spam smells so great, especially when one more sucker is dead. >> >> oh i am sorry that i didn't use the proper metrosexual faggot term. >> but you still suck or as you would have it, a large vaccuum that is >> only challenged by the space between your ears. you know being >> politically correct and all that shit > > Gotcha! > Why you can't even spell vacuum, you moron. I take it back, your > aren't even 16, you are probably closer to 12, studying cucumbers in > class. OH MY a spell lamer! You know, I caught the end of your movie last night on the satelite - Eddie and the Loosers, i mean Cruisers From nobody at nowhere.invalid Wed May 11 15:32:41 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Wed May 11 08:35:03 2005 Subject: [SpamCop-List] Re: and References: Message-ID: On Wed, 11 May 2005 06:05:27 -0500, sbb78247 coughed into spamcop and left this in : > You know, I caught the end of your movie last night on the satelite - Eddie > and the Loosers, i mean Cruisers Speaking of luzers, [spamcop, spamcop.*] Score:: =-9999 %Expires: From: "Heid." Path: \.MISMATCH! Buh bye :) -- Steve Windows is.... A 32-bit extension to a 16-bit graphical interface, sitting on an 8-bit operating system, originally written for a 4-bit processor by a 2-bit company without ONE BIT of common sense. 
From nobody at spamcop.net Wed May 11 10:24:38 2005
From: nobody at spamcop.net (Mike Nuss)
Date: Wed May 11 09:25:05 2005
Subject: [SpamCop-List] Can't read ISP's reply
Message-ID:

I don't speak Portuguese, but the administrator seems to be saying that they are not responsible for the IP address the spam came from. Is this a spamcop routing issue or is it that these people can't manage their netblock? It looks like the person Spamcop sent the report to forwarded it to Mr. Martinez, who is claiming it is not his IP. I can't make out most of this so it's hard to tell what's going on - maybe someone who can read Portuguese could elaborate?

This is the message I received:

-------------------------

As previously reported, we are no longer responsible for the IP in question!

Marcelo Martinez
Network Administration / IT Security
U.O. Information Technology
Tel.: +55 11.3177.4631
Fax.: +55 11.3177.4569
martinez@sebraesp.com.br

-----Original message-----
From: Security-Embratel [mailto:abuse@embratel.net.br]
Sent: Tuesday, May 10, 2005 18:31
To: DnsAdmin
Cc: 1421860354@reports.spamcop.net
Subject: [Spam-c #844913] [SpamCop (200.231.248.135) id:1421860354]

Dear administrator,

We received the message below, complaining about SPAM/UCE originating from your network.

Please analyze the content of the complaint, identifying the user who is making ABUSIVE/UNAUTHORIZED USE of network resources, and/or the use of server(s) as a relay for sending SPAM/UCE;

We ask that the appropriate measures be taken to curb such behavior.

Please keep the EMBRATEL Internet Security Team informed of your actions by sending e-mail to (spamc@embratel.net.br), keeping the original Subject of this message.

It is important that you respond to this incident, because our system will send a copy to the originator of the complaint.
Thank you in advance,

=================================================================
Internet Security Team
Network Operation Center
EMBRATEL - BRAZIL
_____________________________________________

[received by email]

From 1421860354.af22a1c8@bounces.spamcop.net Tue May 10 18:30:32 2005
Received: from wks05.rjo.embratel.net.br (wks05.rjo.embratel.net.br [200.255.253.239])
  by srv05.embratel.net.br (8.11.6/8.11.6/EBT) with ESMTP id j4ALUWK26531
  for ; Tue, 10 May 2005 18:30:32 -0300
Received: by wks05.rjo.embratel.net.br (Postfix)
  id ED71D106D4; Tue, 10 May 2005 18:30:32 -0300 (EST)
Received: from vmx2.spamcop.net (vmx2.spamcop.net [64.74.133.250])
  by wks05.rjo.embratel.net.br (Postfix) with ESMTP id 2E3711066F
  for ; Tue, 10 May 2005 18:30:31 -0300 (EST)
Received: from sc-app5.eq.ironport.com (HELO spamcop.net) (192.168.19.205)
  by vmx2.spamcop.net with SMTP; 10 May 2005 14:30:30 -0700
From: "Michael Nuss" <1421860354@reports.spamcop.net>
To: spamc@embratel.net.br
Subject: [SpamCop (200.231.248.135) id:1421860354]
Precedence: list
Message-ID:
Date: 10 May 2005 17:24:19 -0000
X-SpamCop-sourceip:
X-Mailer: http://www.spamcop.net/ v1.446
X-OSBF-Lua-Version: 1.0b12
X-OSBF-Lua-Score: 1000.00/0.00

>From: "Michael Nuss" <1421860354@reports.spamcop.net>
>To: spamc@embratel.net.br
>Subject: [SpamCop (200.231.248.135) id:1421860354]

[ SpamCop V1.446 ]
This message is brief for your comfort. Please use links below for details.
Email from 200.231.248.135 / 10 May 2005 17:24:19 -0000
http://www.spamcop.net/w3m?i=z1421860354zaf22a1c8f8381368591d786017406561z

200.231.248.135 is open proxy, see:
http://www.spamcop.net/mky-proxies.html

[ Offending message ]
Return-Path:
Delivered-To: x
Received: (qmail 25735 invoked from network); 10 May 2005 17:24:21 -0000
Received: from unknown (192.168.1.101)
  by blade4.cesmail.net with QMQP; 10 May 2005 17:24:21 -0000
Received: from tehun.pair.com (209.68.2.71)
  by mailgate.cesmail.net with SMTP; 10 May 2005 17:24:21 -0000
Received: (qmail 471 invoked by uid 3379); 10 May 2005 17:24:21 -0000
Delivered-To: nmx-fromtheshadows:net-x
Received: (qmail 453 invoked from network); 10 May 2005 17:24:19 -0000
Received: from unknown (HELO 209.68.2.71) (200.231.248.135)
  by tehun.pair.com with SMTP; 10 May 2005 17:24:19 -0000
Received: from castigate.fresh.de ([213.130.63.233])
  by continuant.freeze.com
  (InterMail vK.4.04.00.00 909-602-860 license 142609cy34tb5hdj1wl019a5l52j8n19)
  with ESMTP id <20036429298958.BOZG313.continuant@castigate.fresh.de>
  for ; Tue, 10 May 2005 13:20:40 -0500
Received: from Callie ([202.59.169.10])
  by castigate.fresh.de
  (iPlanet Messaging Server 5.2 HotFix 1.14 (built Mar 18 2003))
  with ESMTPA id <0BXW005ALKZ6[2
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on blade4
X-Spam-Level: ***
X-Spam-Status: hits=3.7 tests=MISSING_DATE,MISSING_SUBJECT,
  RCVD_HELO_IP_MISMATCH,RCVD_NUMERIC_HELO version=3.0.2
X-SpamCop-Checked: 192.168.1.101 209.68.2.71 209.68.2.71 200.231.248.135
X-SpamCop-Disposition: Blocked brazil.blackholes.us

From Kilgallen at SpamCop.net Wed May 11 09:40:28 2005
From: Kilgallen at SpamCop.net (Larry Kilgallen)
Date: Wed May 11 09:45:28 2005
Subject: [SpamCop-List] Re: Educating non-techies not to spam
References:
Message-ID: <3oHCCtYCax5X@eisner.encompasserve.org>

In article , "Pop" writes:
> Well, I guess that's why we're all entitled to our own opinions:
> ...
>>
>> How would you feel if I responded to every spamcop.geeks complaint about
>> an operating system with the advice to use my own favorite ? Even if
>> I were right on that subject, repeating something to those who had heard
>> it over and over again would be obnoxious.
> ===> ?? I was talking about giving only a link as a response, not people
> posting opinions. ??

Some of us took it that you were talking about redirecting people elsewhere as part of an effort to "convert" people to the other tool. The poster has repeatedly done that.

I do hope someone is regularly cluttering up the web forums with exhortations to switch to the NNTP newsgroups. But I am not about to check.

From sam at logan1.loganet.net Wed May 11 09:34:33 2005
From: sam at logan1.loganet.net (Sam)
Date: Wed May 11 09:48:54 2005
Subject: [SpamCop-List] Re: and
In-Reply-To:
Message-ID:

:0
* ^From:.sbb78247
/dev/null

plonk

--
Sam Morris, Owner
Loganet Internet Service
Logan IA, United States of America
712-644-3578

From kjz at despammed.com Wed May 11 16:59:59 2005
From: kjz at despammed.com (Karl-Josef Ziegler)
Date: Wed May 11 10:00:03 2005
Subject: [SpamCop-List] Re: Anyone from Würzburg, Germany? Is it legal to peddle prescription drugs over the Internet in Germany?
In-Reply-To:
References:
Message-ID:

Hans Salvisberg wrote:
> http://www.spamcop.net/sc?id=z761484882zc765cbd002e9d466068ee91600edcc5fz
>
> spamvertises elongates.net, which belongs to Helmut Fischer in Würzburg:

I got the same spam and it has some characteristics which point to Leo Kuvayev in Russia as the real originator.

- kjz

From hans at salvisberg.invalid Wed May 11 17:25:52 2005
From: hans at salvisberg.invalid (Hans Salvisberg)
Date: Wed May 11 10:15:12 2005
Subject: [SpamCop-List] Who to Notify?
In-Reply-To:
References:
Message-ID:

Hi Mike,

Thanks for your heuristics re SC weblink resolution.
Mike Easter wrote:
> My notifies would be the non-responsive webrider, the parent and router
> rtcomm, the piracy business which would be the various general
> antipiracy groups plus the specifics for the ones being marketed, Adobe,
> MS, and others.

If you notify anti-piracy groups (I did), does it make sense to notify the provider at the same time? Ideally, if the latter does their job, the website might be gone when the former get around to take a look.

And if the former do their job, they'll contact the provider, and if their clout doesn't knock the site off the Internet, I can save my breath...

Hans

From jay at Advertisnet.com Wed May 11 10:17:40 2005
From: jay at Advertisnet.com (JHT4)
Date: Wed May 11 10:20:03 2005
Subject: [SpamCop-List] Re: Blocklisted
References:
Message-ID:

I also found our authenticating outbound smtp server 216.176.166.220 blocked for 1 hour last night about 9pm central us, with no info given for us to track down the guilty customer.

Mike, could you lookup our ip the way you did David's?

Or is there an appropriate interface/process for this?

Thanks,
Jay Teutenberg

"Mike Easter" wrote in message news:d4uhio$c4k$1@news.spamcop.net...
> David Rubinstein wrote:
>> I need some help, we have a user somewhere on our servers that is
>> sending mail to spam traps. Our servers are setup to identify every
>> piece of mail with a UID/GID in the headers, if you could kindly
>> lookup who is causing the spam trap block I would appreciate it.
>>
>> web19.thehostingnet.com 66.6.223.34
>
> I'm not a deputy, but until one comes along I'll kibitz.
>
> 66.6.223.34 rDNS web19.thehostingnet.com is not currently SC
> blocklisted according to the web based SCbl lookup^1, in spite of the
> fact that external db lookups such dnsstuff and senderbase show it to be
> SCbl/ed when I looked at 4:49 PM PDT (-0700 UTC)
>
> http://www.spamcop.net/w3m?action=checkblock&ip=66.6.223.34
>
> The parser is designed to not name the server if there is a user IP
> 'behind' the item. Typically servers get named because of backscatter;
> misdirected bouncing to bogus spam Froms, out of office autoresponders
> to bogus Froms, viral propagation notifications to bogus Froms.
>
> If your server makes newmails addressed to Froms under any of those
> circumstances, that will get the server listed. See
> http://www.spamcop.net/fom-serve/cache/14.html Messages which may be
> reported:
>
>
> --
> Mike Easter
> kibitzer, not SC admin
>

From MikeE at ster.invalid Wed May 11 08:37:35 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Wed May 11 10:40:14 2005
Subject: [SpamCop-List] Re: Can't read ISP's reply
References:
Message-ID:

Mike Nuss wrote:
> I don't speak Portuguese, but the administrator seems to be saying
> that they are not responsible for the IP address the spam came from.

I don't either, but that's what it looks like to me.

In the beginning the spam was sourced from 200.231.248.135 no rDNS

whois -h whois.registro.br 200.231.248.135 ...
inetnum: 200.231.248/23
aut-num: AS4230
owner-c/tech-c: AEC134 = dnsadmin@sebraesp.com.br
abuse-c: GSE6 = abuse@embratel.net.br
owner: SERVICO DE APOIO AS MICRO E PEQUENAS EMPRESAS DE
sebraesp.com.br = SERVICO DE APOIO AS MICRO E PEQUENAS EMPRESAS DE

I would notify
the abuse.net reg'd postmaster@sebraesp.com.br
mail-abuse@nic.br
dnsadmin@sebraesp.com.br
abuse@embratel.net.br

It looks to me like your report was sent to embratel who sent it to Marcelo at sebraesp. Marcelo is saying they aren't in charge of the IP, but registro and embratel think/say they are.
It is possible that Marcelo doesn't realize that the target IP is 200.231.248.135 and that earlier or lower Received lines in the original spam are bogus. Some desks have incompetent parsers, so maybe Marcelo is.

Abbreviated Received lines
*comment

from unknown (HELO 209.68.2.71) (200.231.248.135) by tehun.pair.com
*sourceline
from castigate.fresh.de ([213.130.63.233]) by continuant.freeze.com
*bogusline
from Callie ([202.59.169.10]) by castigate.fresh.de
*bogusline

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Wed May 11 08:43:38 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Wed May 11 10:45:06 2005
Subject: [SpamCop-List] Re: Educating non-techies not to spam
References: <3oHCCtYCax5X@eisner.encompasserve.org>
Message-ID:

Larry Kilgallen wrote:
> I do hope someone is regularly cluttering up the web forums with
> exhortations to switch to the NNTP newsgroups.

I have never seen such a thing there, but there is a line at the top of the forums with links.

SPAMCOP HOME ? ORIGINAL FAQ ? FORUM FAQ ? NEWSGROUPS ? WEBMAIL ? SSL WEBMAIL

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Wed May 11 08:59:05 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Wed May 11 11:00:03 2005
Subject: [SpamCop-List] Re: Blocklisted
References:
Message-ID:

JHT4 wrote:
> I also found our authenticating outbound smtp server 216.176.166.220
> blocked for 1 hour last night about 9pm central us, with no info
> given for us to track down the guilty customer.
>
> Mike, could you lookup our ip the way you did Davids?
>
> Or is there an appropriate interface/process for this?

216.176.166.220 rDNS 8of4.advertisnet.com is not currently SCbl listed.

When an IP is currently listed you can see why by putting it in here http://www.spamcop.net/bl.shtml but when it isn't currently listed you can't get any history. Deputies can look back at the IP's listing history.
There's a problem about 216.176.166.220 in that no one is being notified of spamcop reports because the admin/you has decided they don't want to hear about it.

Parsing input: 216.176.166.220
host 216.176.166.220 = 8of4.advertisnet.com (cached)
ISP does not wish to receive report regarding 216.176.166.220

216.176.160.0 - 216.176.175.255:jay@dam.net
NetName: ADVERINTERSER
TechHandle: JT1339-ARIN
TechName: Teutenberg, Jay
TechEmail: jay@dam.net

> Thanks,
> Jay Teutenberg

If you hadn't turned off the reports, you would get spamreports which contain copies of the spam; except when they come from spamtrap hits.

There is also a problem with some other IPs in your netblock

216.176.173.181 rDNS c173-p181.advertisnet.com is proxified and spewing out spam and is SCbl listed.

216.176.173.199 rDNS c173-p199.advertisnet.com is proxified and hitting spamtraps and isn't SCbl listed at present

216.176.163.26 rDNS c163-p26.advertisnet.com is proxified and hitting spamtraps and isn't SCbl listed at present

I don't understand why you would turn off SC notifies.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Wed May 11 09:02:16 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Wed May 11 11:05:02 2005
Subject: [SpamCop-List] Re: Who to Notify?
References:
Message-ID:

Hans Salvisberg wrote:
> Thanks for your heuristics re SC weblink resolution.

YW

> Mike Easter wrote:
>> My notifies would be the non-responsive webrider, the parent and
>> router rtcomm, the piracy business which would be the various general
>> antipiracy groups plus the specifics for the ones being marketed,
>> Adobe, MS, and others.
>
> If you notify anti-piracy groups (I did), does it make sense to notify
> the provider at the same time? Ideally, if the latter does their job,
> the website might be gone when the former get around to take a look.

In the case of the non-responsive .ru providers, their notification by you probably doesn't do anything.
> And if the former do their job, they'll contact the provider, and if
> their clout doesn't knock the site off the Internet, I can save my
> breath...

--
Mike Easter
kibitzer, not SC admin

From kjz at despammed.com Wed May 11 19:23:05 2005
From: kjz at despammed.com (Karl-Josef Ziegler)
Date: Wed May 11 12:25:05 2005
Subject: [SpamCop-List] Re: Anyone from Würzburg, Germany? Is it legal to peddle prescription drugs over the Internet in Germany?
In-Reply-To:
References:
Message-ID:

Hans Salvisberg wrote:
> http://www.spamcop.net/sc?id=z761484882zc765cbd002e9d466068ee91600edcc5fz
>
> spamvertises elongates.net, which belongs to Helmut Fischer in Würzburg:

Street exists, but no house number 7a, no Mr. Fischer, wrong ZIP code, wrong phone no. Domain is now on Registrar Hold. Maybe, Leo used some faked data from his pillz selling form for registration?

also look at: http://whois.webhosting.info/CONNOTING.COM

- kjz

From nobody at devnull.spamcop.net Wed May 11 12:32:51 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Wed May 11 12:35:02 2005
Subject: [SpamCop-List] Re: Educating non-techies not to spam
References: <3oHCCtYCax5X@eisner.encompasserve.org>
Message-ID:

"Larry Kilgallen" wrote in message news:3oHCCtYCax5X@eisner.encompasserve.org...
>
> Some of us took it that you were talking about redirecting people
> elsewhere as part of an effort to "convert" people to the other
> tool. The poster has repeatedly done that.

Convert? Whatever ... pointing to yet another support resource that does in fact hold answers to a query is hardly an attempt to cast spells, break arms, or mis-guide people ... let's point out the obvious, the use of Google for instance in trying to research one's issues would tend to remove a major portion of the "asking for help/explanations" in either venue .. pointing to the existing/expanding Forum FAQ saves much wear and tear on folks having to re-type the same data.
You want a specific link, whereas my view is generally that if the user hadn't done the preliminary research to begin with (query already answered in the www.spamcop.net FAQ for instance) then it's likely that there's a lot more that the user has no clue on ... thus my normal point of reference is "the whole thing" such that those other questions not thought of yet will already be on-screen.

"The poster" - geeze .. having been around since the yellow page days, one would think you'd be a bit more precise/direct ...

> I do hope someone is regularly cluttering up the web forums with
> exhortations to switch to the NNTP newsgroups. But I am not about
> to check.

As Mike Easter points out, per a bit of conversation in spamcop.mail, I added links at the top of the displayed Forum page that includes a link (that for most folks will connect them) to the SpamCop news server with 'all' newsgroups showing ...

Start here for instance, even trying to take into account your
text only access mode .... just a few of the references made
Kind of bull if you want to make the challenge but not look
at the evidence ....
http://forum.spamcop.net/forums/index.php?showtopic=3486&view=findpost&p=23252 http://forum.spamcop.net/forums/lofiversion/index.php/t3486.html or the corresponding newsgroup post seen at http://news.spamcop.net/pipermail/spamcop-list/2005-January/096737.html http://forum.spamcop.net/forums/index.php?showtopic=3948&view=findpost&p=27206 from a user that "saw my references to the newsgroups and checked it out http://forum.spamcop.net/forums/index.php?showtopic=4049&view=findpost&p=27164 http://forum.spamcop.net/forums/lofiversion/index.php/t4049.html user having issues with posting to the newsgroups with OE6 http://forum.spamcop.net/forums/lofiversion/index.php/t4049.html http://forum.spamcop.net/forums/index.php?showtopic=4044&view=findpost&p=27123 http://forum.spamcop.net/forums/index.php?showtopic=3486&view=findpost&p=26964 From nobody at devnull.spamcop.net Wed May 11 13:43:54 2005 From: nobody at devnull.spamcop.net (Pop) Date: Wed May 11 12:45:05 2005 Subject: [SpamCop-List] gone OT: Re: Educating non-techies not to spam References: <3oHCCtYCax5X@eisner.encompasserve.org> Message-ID: "Larry Kilgallen" wrote in message news:3oHCCtYCax5X@eisner.encompasserve.org... > In article , "Pop" > writes: >> Well, I guess that's why we're all entitled to our own opinions: >> ... >>> >>> How would you feel if I responded to every spamcop.geeks complaint about >>> an operating system with the advice to use my own favorite ? Even if >>> I were right on that subject, repeating something to those who had heard >>> it over and over again would be obnoxious. >> ===> ?? I was talking about giving only a link as a response, not people >> posting opinions. ?? > > Some of us took it that you were talking about redirecting people > elsewhere as part of an effort to "convert" people to the other > tool. The poster has repeatedly done that. ===> Nahh, I don't particularly care for the forum and seldom go there, but I will admit the forum/s in the online world do have their places. 
I think for myself, and I expect other to do the same. That's not to say though, that I wouldn't recommend forums to someone that appeared as though they'd be better served with a forum. AFAIR, I have never posted a word here professing the advantages or disadvantages of either means. > > I do hope someone is regularly cluttering up the web forums with > exhortations to switch to the NNTP newsgroups. But I am not about > to check. ===> Why? I wouldn't consider that fair. It would be OK to note now and then that the group/s exists, same as here for the forums, but to exhort anyone to either isn't reasonable. Knowing both exist, is reasonable though. Other than that, let nature cause either to profit or become deceased if it so decrees. They stand on their merits or they fall on their merits. Regards, Pop From DougThegarden at hotmail.com Wed May 11 19:21:14 2005 From: DougThegarden at hotmail.com (Doug Thegarden) Date: Wed May 11 13:25:04 2005 Subject: [SpamCop-List] Latest Google tool Message-ID: http://j-walk.com/other/googlecb/index.htm What is Google Content Blocker? Google's mission is to organize the world's advertising for maximum exposure to Web users. Unfortunately, annoying Web content often overwhelms the page, causing many users to become distracted and overlook the ads. That's where Google Content Blocker comes in. It effectively blocks all Web site content, leaving only the advertisements. How does Google Content Blocker work? After you install Google Content Block, just surf the Web as you normally do. When we find a site that has content, we will block that content so you see only the ads. It all happens automatically, with no effort on your part. What types of ads will I see? Once the content is removed from a Web site, you will see all of the original ads, unencumbered by annoying content. 
Doug ;-) From nobody at devnull.spamcop.net Wed May 11 15:19:18 2005 From: nobody at devnull.spamcop.net (Pop) Date: Wed May 11 14:20:05 2005 Subject: [SpamCop-List] Re: Educating non-techies not to spam References: Message-ID: "Kenneth Loafman" wrote in message news:kth4819ej5mhdih2g3d8ngom4knmm8nbug@4ax.com... > On Tue, 10 May 2005 19:12:57 -0400, "Pop" > wrote: > >>... >>> It would help if instead of pointing to the FAQ itself, the poster would >>> point to the answer in the FAQ... Lots less to read. >>> >>> ...Ken >>> >> >>That's true, but in reality I think it's asking a lot of the poster to do >>that. I could easily and happily refer you to, say a netiquette RFC, but >>trying to tell you just where the newsgroup is mentioned would be more >>work >>than I was willing to do for someone else. The questioner really should >>be >>willing to do the footwork, don't you think, than to expect the responder >>to >>do it? >> >>Just my two cents, >> >>Pop > > As an infrequent FAQ reader, I'd probably make sure the info was in the > FAQ before just sending off an answer. So, by the time I had verified it > to be there, I would be able to link directly. Just being thorough. > > ...Ken > Good point. I'll often bypass the FAQs initially if I have no idea where to look, hoping someone I know is knowledgeable will respond, and leave the FAQs for "relaxing" reading while I have to remain at the computer anyway. When I do read the FAQs, I'll often end up so bored I don't remember what I read, or I'll remember it, but not which FAQ it came from, making them, for me, better as "general reference" links than they are answers for a specific question I can't figure out how what to look for. I'm not talking just about SC: I'm talking about FAQs in general. FAQs are especially useful once you learn you way around one, but initially they take a lot of reading and searching and shotgunning. 
YMMV of course, and I'd ask readers becoming annoyed with my method to remember that this poster has short-term memory retrieval problems. I "remember", but not until a day or so later, if at all, unless I properly motivate myself to recall something. I've learned SC's FAQs to a "fair" degree only, but it's much better than some! Regards, Pop --- Who? Who's Dale Carnegie?! From nobody at devnull.spamcop.net Wed May 11 15:32:17 2005 From: nobody at devnull.spamcop.net (Pop) Date: Wed May 11 14:35:07 2005 Subject: [SpamCop-List] Re: Educating non-techies not to spam References: <3oHCCtYCax5X@eisner.encompasserve.org> Message-ID: ... > Start here for instance, even trying to take into account your > text only access mode .... just a few of the references made > Kind of bull if you want to make the challenge but not look > at the evidence .... > > http://forum.spamcop.net/forums/index.php?showtopic=3486&view=findpost&p=23252 > http://forum.spamcop.net/forums/lofiversion/index.php/t3486.html > or the corresponding newsgroup post seen at > http://news.spamcop.net/pipermail/spamcop-list/2005-January/096737.html > > http://forum.spamcop.net/forums/index.php?showtopic=3948&view=findpost&p=27206 > from a user that "saw my references to the newsgroups and checked it out > > http://forum.spamcop.net/forums/index.php?showtopic=4049&view=findpost&p=27164 > http://forum.spamcop.net/forums/lofiversion/index.php/t4049.html > user having issues with posting to the newsgroups with OE6 > > http://forum.spamcop.net/forums/lofiversion/index.php/t4049.html > > http://forum.spamcop.net/forums/index.php?showtopic=4044&view=findpost&p=27123 > > http://forum.spamcop.net/forums/index.php?showtopic=3486&view=findpost&p=26964 > > That's tellin' 'em! lol I had to think twice about saying I sometimes bypassed your posts, in public, but I thought I made it obvious why your postings are desirable and had no intention to feed anyone who thinks they need specifics handed to them on a platter. 
What it amounts to is, I read first what I think will give me the most usable, quickest answer. Sometimes that's you, usually I check your post anyway, and I'm seldom disappointed. To me it's all relative and I don't mind being pointed to a solution as long as the solution is actually there, and yours are pretty accurate, even if I do say so myself, and I do say so. You might see all this as left-handed compliments, but I have this nasty habit of saying what I mean. Actually, your reference posts ARE often useful in that they have pointed out that they not only exist, but the links TO them also. I just wish someone (I can't; too unreliable or I'd offer to) could take it upon themselves to auto-post pieces of the FAQs on a periodic basis, just to keep them in front of everyone. I seldom think of them myself, because I don't go to the main page of the site all that often. I know I probably should, but I don't. my 2 centses Pop From usenet2 at DE.LETE.THISljvideo.com Wed May 11 19:40:43 2005 From: usenet2 at DE.LETE.THISljvideo.com (Larry J.) Date: Wed May 11 14:45:04 2005 Subject: [SpamCop-List] 419 scam reporting at FBI Message-ID: Where to send 419 scams to the FBI..? I've tried 419@fbi.gov and fraud@fbi.gov. Both bounce. -- Larry J. - Remove spamtrap in ALLCAPS to e-mail "Ninety eight percent of the adults in this country are decent, hardworking, honest Americans. It's the other lousy two percent that get all the publicity. But then, we elected them." -Lily Tomlin From Vanguard at domain.invalid Wed May 11 14:44:28 2005 From: Vanguard at domain.invalid (Vanguard) Date: Wed May 11 14:45:14 2005 Subject: [SpamCop-List] Re: Latest Google tool References: Message-ID: "Doug Thegarden" wrote in message news:d5teu8$mr$1@news.spamcop.net... > http://j-walk.com/other/googlecb/index.htm > > What is Google Content Blocker? > ... > That's where Google Content Blocker comes in. It effectively blocks > all Web site content, leaving only the advertisements. 
Hmm, I thought the advertisements *were* the overwhelming and distracting content. > Once the content is removed from a Web site, you will see all of the > original ads, unencumbered by annoying content. Interesting. I wonder if someone will reverse engineer their program so it can be reversed in its behavior. Instead of only showing the ads, it would instead remove the ads. Nah, there already exists ad-block software. From zypher at spamcop.net Wed May 11 14:45:43 2005 From: zypher at spamcop.net (Ron B.) Date: Wed May 11 14:50:04 2005 Subject: [SpamCop-List] Re: Latest Google tool In-Reply-To: References: Message-ID: Vanguard wrote: > "Doug Thegarden" wrote in message > news:d5teu8$mr$1@news.spamcop.net... > >> http://j-walk.com/other/googlecb/index.htm >> >> What is Google Content Blocker? >> ... >> That's where Google Content Blocker comes in. It effectively blocks >> all Web site content, leaving only the advertisements. > > > Hmm, I thought the advertisements *were* the overwhelming and > distracting content. > >> Once the content is removed from a Web site, you will see all of the >> original ads, unencumbered by annoying content. > > > Interesting. I wonder if someone will reverse engineer their program so > it can be reversed in its behavior. Instead of only showing the ads, it > would instead remove the ads. Nah, there already exists ad-block software. > It's a joke, son. From zypher at spamcop.net Wed May 11 14:51:38 2005 From: zypher at spamcop.net (Ron B.) Date: Wed May 11 14:55:03 2005 Subject: [SpamCop-List] Re: 419 scam reporting at FBI In-Reply-To: References: Message-ID: Larry J. wrote: > Where to send 419 scams to the FBI..? > > I've tried 419@fbi.gov and fraud@fbi.gov. Both bounce. From: United States - Additional Country Specific Instructions - United States 1. The United States Secret Service continues to be tasked as the primary US law enforcement agency in dealing with Advance Fee Fraud (419) matters. 
US Citizens or Residents with No Financial Loss may email 419er documents to the United States Secret Service at 419.fcd@usss.treas.gov where they are archived for future datamining. Only No Loss reports are to be sent to this email address. Due to the sheer volume of materials received, USSS does not respond to submissions to this address. 2. United States Citizens and Residents who HAVE suffered a Financial Loss are instructed to contact the nearest Field Office of the United States Secret Service (USSS) by telephone. 3. You may also file a Financial Loss complaint online with the Internet Fraud Complaint Center (IFCC), which is being renamed the Internet Crime Complaint Center (IC3). This organization is a partnership of the National White Collar Crime Center (NW3C) and the Federal Bureau of Investigation (FBI). From MikeE at ster.invalid Wed May 11 12:56:11 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed May 11 14:55:13 2005 Subject: [SpamCop-List] Re: 419 scam reporting at FBI References: Message-ID: Larry J. wrote: > Where to send 419 scams to the FBI..? It is treasury who is interested in 419s. Advisory http://www.secretservice.gov/alert419.shtml The notify is 419.fcd@usss.treas.gov Supposed to say 'no monetary loss' SEC info for addy http://www.sec.gov/answers/nigeria.htm > I've tried 419@fbi.gov and fraud@fbi.gov. Both bounce. -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Wed May 11 14:51:07 2005 From: nobody at spamcop.net (N. 
Miller)
Date: Wed May 11 16:55:03 2005
Subject: [SpamCop-List] Re: SBCGlobal) Software Factory solutionsSFSFL and PACBell and Whoa007 @pacbell
References:
Message-ID: <2a5l23mdxndq.dlg@news.spamcop.net>

On Wed, 11 May 2005 14:44:22 +0400, Berny wrote:

> spew server and web hoster is 69.67.72.* ( don't know how to express it as a
> /whatever

By a Sam Spade check, that would be a 69.67.72.0/24:

-------------------------------------------------------
05/11/05 13:44:52 IP block 69.67.72.1@whois.arin.net
Trying 69.67.72.1 at ARIN
Trying 69.67.72 at ARIN
Whoa USA Inc WHOA-USA-INC (NET-69-67-64-0-1) 69.67.64.0 - 69.67.79.255
Roger Graves DATAMONITOR-BUSSINESS-INFORMATION (NET-69-67-72-0-1) 69.67.72.0 - 69.67.72.255

# ARIN WHOIS database, last updated 2005-05-10 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
-------------------------------------------------------

69.67.72.0 - 69.67.72.255 is the same as 69.67.72.0/24. But the Spamhaus
listing is larger: 69.67.64.0/20. That covers the entire range of
69.67.64.0 - 69.67.79.255 in that Sam Spade listing.

I like to use this for CIDR calculations:

http://grox.net/utils/whatmask/

--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint

From nobody at devnull.spamcop.net Wed May 11 16:52:13 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Wed May 11 16:55:30 2005
Subject: [SpamCop-List] Re: Blocklisted
References:
Message-ID:

"JHT4" wrote in message news:d5t46n$qdn$1@news.spamcop.net...
> I also found our authenticating outbound smtp server 216.176.166.220
> blocked for 1 hour last night about 9pm central us, with no info given for
> us to track down the guilty customer.
>
> Mike, could you lookup our ip the way you did Davids?

See that Mike has already replied.

> Or is there an appropriate interface/process for this?

But he didn't mention Miss Betsy's compilation in the
"Why am I Blocked?" FAQ entry ..
found at http://forum.spamcop.net/forums/index.php?showtopic=972 seen both as an entry in the Forum FAQ at http://forum.spamcop.net/forums/index.php?showtopic=2238 and as a Pinned entry in the "SpamCop Blocklist Help" section of the support Forum found at http://forum.spamcop.net/forums/ Again, a Frequently Asked Question that has much data available for your perusal. From usenet2 at DE.LETE.THISljvideo.com Wed May 11 22:50:52 2005 From: usenet2 at DE.LETE.THISljvideo.com (Larry J.) Date: Wed May 11 17:55:05 2005 Subject: [SpamCop-List] Re: 419 scam reporting at FBI References: Message-ID: Waiving the right to remain silent, "Mike Easter" wrote: > It is treasury who is interested in 419s. > > Advisory http://www.secretservice.gov/alert419.shtml > The notify is 419.fcd@usss.treas.gov > Supposed to say 'no monetary loss' > SEC info for addy http://www.sec.gov/answers/nigeria.htm Thanks, Mike & Ron. -- Larry J. - Remove spamtrap in ALLCAPS to e-mail "Ninety eight percent of the adults in this country are decent, hardworking, honest Americans. It's the other lousy two percent that get all the publicity. But then, we elected them." -Lily Tomlin From usenet2 at DE.LETE.THISljvideo.com Wed May 11 22:55:13 2005 From: usenet2 at DE.LETE.THISljvideo.com (Larry J.) Date: Wed May 11 18:00:03 2005 Subject: [SpamCop-List] Re: Can't read ISP's reply References: Message-ID: Waiving the right to remain silent, Mike Nuss wrote: > I don't speak Portuguese, but the administrator seems to be saying that > they are not responsible for the IP address the spam came from. Babelfish does a half-assed job of translating it: "Expensive administrator, We receive the message below, complaining of a SPAM/UCE originated in its net. 
Favor to analyze the conteudo of reclamacao, identifying to the usuario that this making AUTHORIZED USE ABUSIVO/NAO of the resources of the net, and/or utilizacao of servidor(es) as relay for SPAM/UCE sending; We request that they are taken you provide them cabiveis, objectifying to inhibit such behavior. Favor to keep the Team of Security InterNet EMBRATEL informed, on its you provide, sending email for (spamc@embratel.net.br), keeping the Subject (' Subject ') original of this message. Important E ' that vc answer to this incident therefore our system anger to send one copies for the originador of reclamacao. We are thankful anticipatedly," -- Larry J. - Remove spamtrap in ALLCAPS to e-mail "Ninety eight percent of the adults in this country are decent, hardworking, honest Americans. It's the other lousy two percent that get all the publicity. But then, we elected them." -Lily Tomlin From jay at advertisnet.com Wed May 11 21:11:48 2005 From: jay at advertisnet.com (Jay Teutenberg) Date: Wed May 11 21:15:03 2005 Subject: [SpamCop-List] Re: Blocklisted References: Message-ID: "Mike Easter" wrote in message news:d5t6fv$rok$1@news.spamcop.net... > JHT4 wrote: >> I also found our authenticating outbound smtp server 216.176.166.220 >> blocked for 1 hour last night about 9pm central us, with no info >> given for us to track down the guilty customer. >> >> Mike, could you lookup our ip the way you did Davids? >> >> Or is there an appropriate interface/process for this? > > 216.176.166.220 rDNS 8of4.advertisnet.com is not currently SCbl > listed. > > When an IP is currently listed you can see why by putting it in here > http://www.spamcop.net/bl.shtml found that, saw my ip would be delisted in a hour > > but when it isn't currently listed you can't get any history. Deputies > can look back at the IP's listing history. ok, will send email. 
> > There's a problem about 216.176.166.220 in that no one is being > notified of spamcop reports because the admin/you has decided they don't > want to hear about it. I dont recall logging into spamcop as a user before, I got my pw mailed to me and got in tho, it was system created... I think I opened up notifications appropriately. > > Parsing input: 216.176.166.220 > host 216.176.166.220 = 8of4.advertisnet.com (cached) > ISP does not wish to receive report regarding 216.176.166.220 > 216.176.160.0 - 216.176.175.255:jay@dam.net > > NetName: ADVERINTERSER > TechHandle: JT1339-ARIN > TechName: Teutenberg, Jay > TechEmail: jay@dam.net > >> Thanks, >> Jay Teutenberg > > If you hadn't turned off the reports, you would get spamreports which > contain copies of the spam; except when they come from spamtrap hits. if they dont want to give us the offending headers of spamtrap hits , how are we supposed to deal with it? email deputies is the process? or perhaps the notifications give the necessary info. > > There is also a problem with some other IPs in your netblock > > 216.176.173.181 rDNS c173-p181.advertisnet.com is proxified and > spewing out spam and is SCbl listed. > 216.176.173.199 rDNS c173-p199.advertisnet.com is proxified and > hitting spamtraps and isn't SCbl listed at present > 216.176.163.26 rDNS c163-p26.advertisnet.com is proxified and > hitting spamtraps and isn't SCbl listed at present Normally we filter port 25 at our border router for our dial ups, but I found the filters had been left off for one of the upstreams, its back on now, that should fix the 173.x ips, the other appears to be a dedicated customers compromised machine, and I have put someone on the case to deal with them (and null routed them until they fix) > I don't understand why you would turn off SC notifies. Im not sure I did. 
thanks for your help, Jay From MikeE at ster.invalid Wed May 11 20:00:00 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed May 11 22:00:03 2005 Subject: [SpamCop-List] Re: Blocklisted References: Message-ID: Jay Teutenberg wrote: > "Mike Easter" > if they dont want to give us the offending headers of spamtrap hits , > how are we supposed to deal with it? email deputies is the process? > or perhaps the notifications give the necessary info. I don't know what the deputies say when they handle something with email, but when they speak publicly sometimes they will 'characterize' an issue at a spamtrap. Normally the parser's algorithm will parse past the output server to name the source IP behind it and the output server doesn't get listed. The kind of thing which will get an output server in trouble is backscatter problems - belated bounces as I described in an earlier post in a similar thread http://www.spamcop.net/fom-serve/cache/14.html Even if you were not getting the spamtrap items, if your notify addy were getting the normal reports that would be very useful. >> I don't understand why you would turn off SC notifies. > > Im not sure I did. I'm sure you can fix it since you are already an authorized ISP with pw http://www.spamcop.net/fom-serve/cache/94.html "use the "Request Reports" menu item to specify which networks you would like to receive reports about. At any time, you may use the "show routes" menu item to view which networks you are configured to receive reports about." I'm also noticing that that page sez you can get recent reports on your own "In addition, your ISP account allows you to spot-check any IP address for recent reports." > thanks for your help, YW. Tnx for stopping the misbehaving IPs from your network. -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Thu May 12 04:13:50 2005 From: nobody at spamcop.net (Claudio Valderrama C.) 
Date: Thu May 12 03:15:20 2005
Subject: [SpamCop-List] Re: Intermitent problem with bora.net
References:
Message-ID:

Mike Easter wrote:
>
> There are several different results you could get depending upon the
> cache and the accessibility of registrars.

That may explain the issue, thanks.

C.

From hans at salvisberg.invalid Thu May 12 12:59:25 2005
From: hans at salvisberg.invalid (Hans Salvisberg)
Date: Thu May 12 05:50:30 2005
Subject: [SpamCop-List] Re: Anyone from =?iso-8859-1?q?W=FCrzburg=2C_Germany=3F_Is_it_legal_to_peddle_pre?= =?iso-8859-1?q?scription_drugs_over_the_Internet_in_Germany=3F?=
In-Reply-To:
References:
Message-ID:

Hi kjz

Karl-Josef Ziegler wrote:
> Hans Salvisberg wrote:
>
>
>>http://www.spamcop.net/sc?id=z761484882zc765cbd002e9d466068ee91600edcc5fz
>>
>>spamvertises elongates.net, which belongs to Helmut Fischer in Würzburg:
>
>
> Street exists, but no house number 7a, no Mr. Fischer, wrong ZIP code,
> wrong phone no.

The phone number looked phony, but the ZIP code /is/ in Würzburg, and
with the (intentional?) obfuscation "Wuezburg" the address looked real
enough that the post office might actually succeed in delivering mail,
even though the address may not be 100% correct.

> Domain is now on Registrar Hold.

Great!

> Maybe, Leo used some
> faked data from his pillz selling form for registration?
>
> also look at:
>
> http://whois.webhosting.info/CONNOTING.COM

Yeah. Helmut Fischer is also listed here:
http://eclecticdjs.com/mike/spam/spam-05-05.html

Thanks!
Hans

From agent01413 at my-deja.com Thu May 12 12:03:53 2005
From: agent01413 at my-deja.com (Socks the Whitehouse Cat)
Date: Thu May 12 07:05:08 2005
Subject: [SpamCop-List] Re: Blocklisted
References:
Message-ID:

"Mike Easter" wrote in news:d5t6fv$rok$1 @news.spamcop.net:

>
> 216.176.166.220 rDNS 8of4.advertisnet.com is not currently SCbl
> listed.
> > When an IP is currently listed you can see why by putting it in here > http://www.spamcop.net/bl.shtml > > but when it isn't currently listed you can't get any history. Deputies > can look back at the IP's listing history. one good resource is to check news.admin.net-abuse.sightings. http://openrbl.org has good links too. After I report a piece of spam to spamcop, I will frequently plug the originating IPA into openrbl to see what other dnsbls have picked up the spam run. the google search link on that page is configured to show sightings after the initial query is done there. I think the amalgamation of information from multiple sources is a far better resource for getting as much as you need than anything else that I have used. -- See NANAE kooks, including Barbara Schwarz: http://www.morningmist.org/nanae/kookfaq.html From MikeE at ster.invalid Thu May 12 06:32:09 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu May 12 08:35:03 2005 Subject: [SpamCop-List] Re: Blocklisted References: Message-ID: Socks the Whitehouse Cat wrote: > "Mike Easter" >> but when it isn't currently listed you can't get any history. >> Deputies can look back at the IP's listing history. That statement turned out to be wrong. The admin for an IP can get its listing history. http://www.spamcop.net/fom-serve/cache/94.html > one good resource is to check news.admin.net-abuse.sightings. > http://openrbl.org has good links too. I used to use openrbl for that, now I use dnsstuff. What is useful about sightings for a server is to see if there's anything weird about how it stamps its lines for its relays for a user IP and to see if there's any recent backscatter there. > After I report a piece of > spam to spamcop, I will frequently plug the originating IPA into > openrbl to see what other dnsbls have picked up the spam run. the > google search link on that page is configured to show sightings after > the initial query is done there. 
I think the amalgamation of
> information from multiple sources is a far better resource for
> getting as much as you need than anything else that I have used.

Yes -- if you are determining your own notifies independently from SC's
there's a lot of useful information. E.g. if an IP is listed in spews or
spamhaus the likelihood is that it is non-responsive and needs some
better strategy for notifying than simply the nonresponsive entity

But, I interpreted the discussion to be about the SCbl listing, since
that was an admin asking about a SCbl listing. The first place I looked
was in dnsstuff and it wasn't listed in SCbl or anywhere else. The next
place I looked was at IronPort; that's how I found those other IPs I
told him about.

--
Mike Easter
kibitzer, not SC admin

From kjz at despammed.com Thu May 12 15:42:27 2005
From: kjz at despammed.com (Karl-Josef Ziegler)
Date: Thu May 12 08:45:03 2005
Subject: [SpamCop-List] Re: Anyone from =?iso-8859-1?q?W=FCrzburg=2C_Germany=3F_Is_it_legal_to_peddle_pre?= =?iso-8859-1?q?scription_drugs_over_the_Internet_in_Germany=3F?=
In-Reply-To:
References:
Message-ID:

Hans Salvisberg wrote:

> The phone number looked phony, but the ZIP code /is/ in Würzburg, and
> with the (intentional?) obfuscation "Wuezburg" the address looked real
> enough that the post office might actually succeed in delivering mail,
> even though the address may not be 100% correct.

Yes, ZIP code (97078) is for Wuerzburg, but this street has another ZIP
code (97080).

- kjz

From nobody at devnull.spamcop.net Thu May 12 09:46:56 2005
From: nobody at devnull.spamcop.net (Miss Betsy)
Date: Thu May 12 09:45:03 2005
Subject: [SpamCop-List] Re: Stopping Spam (From Scientific American)
References:
Message-ID:

> Miss Betsy wrote:
>
> > Just goes to show you that scientists can be as dumb as the rest of
> > the world.
>
> How do you mean? The thread isn't about SciAm spam, it is a pointer to
> the article.
>
> Did you mean the article was dumb?
The article was very unscientific and since it is presumably aimed at 'scientists', the editors were dumb to allow it. AFAICT, it was written by the writers of content filters and had nothing to do with the control of spam, but merely a comparison of different kinds of content filters. It should have been entitled, "How to use filters to stop spam from entering your inbox." Miss Betsy From MikeE at ster.invalid Thu May 12 08:23:32 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu May 12 10:25:12 2005 Subject: [SpamCop-List] Re: Stopping Spam (From Scientific American) References: Message-ID: Miss Betsy wrote: > The article was very unscientific and since it is presumably aimed > at 'scientists', the editors were dumb to allow it. SciAm isn't a scientific 'journal' -- it is a magazine for the general public of a scientific 'bent'. Some examples of filter science that the article talked about were Bayesian training programs using discriminative linear logic to weigh later decisions heavier, speeding up algorithms by 'sequential minimal optimization' and 'sequential generalized iterative scaling' to accomplish the same filtering more than 2 orders of magnitude faster, n-gram enabling, benign vs porno image discimination errors. There was a discussion of proof systems including captcha/hip methods, micropayments, and smtp standards change. > AFAICT, it was > written by the writers of content filters Correct. > and had nothing to do > with the control of spam, but merely a comparison of different > kinds of content filters. The thrust of the article was keeping spam out of the inbox; about 40% of it was content filtering. The reason spam works is because human beings are reading their spam and buying spam promoted products. Antispam efforts are swimming upstream against the tide of human behavior, like prohibition. And then there's the issue of wanted or acceptable 'spam' see below. 
> It should have been entitled, "How to use > filters to stop spam from entering your inbox." Actually the overview 'title' was "Guarding Your In-Box" I found one of the par/s about the definition of spam interesting, in that it applied to a realworld experience of the investigators themselves. .... We recently received an e-mailed proposal, for example, to turn a short story we had published on the Internet into a motion picture. This communication met the requirements of the law: unsolicited, commercial, from an unknown sender, but almost no one would call it spam. An alternative definition might include the fact that spam is typically mass-mailed. But we recently solicited papers for a technical conference to discuss e-mail systems and anti-spam methods by sending requests to 50 people we had never met who had published on this topic. None of them complained. Perhaps the best characterization of spam is that it is poorly targeted and unwanted. Formulating a precise definition of spam is exceedingly difficult, but, like pornography, we certainly know it when we see it flooding our mailboxes. So, it comes down to 'poorly targeted and unwanted'? That's pretty tricky to scientifically target. -- Mike Easter kibitzer, not SC admin From sbb78247 at stilldon'tfuckincare.invalid Thu May 12 23:21:06 2005 From: sbb78247 at stilldon'tfuckincare.invalid (sbb78247) Date: Thu May 12 23:25:19 2005 Subject: [SpamCop-List] like i said Message-ID: fuck off you nazis From sbb78247 at stilldon'tfuckincare.invalid Thu May 12 23:20:08 2005 From: sbb78247 at stilldon'tfuckincare.invalid (sbb78247) Date: Thu May 12 23:25:47 2005 Subject: [SpamCop-List] Re: Grow up References: Message-ID: Pop wrote: > bye arsehole is that what you said to your last boyfriend? From zypher at spamcop.net Thu May 12 23:34:12 2005 From: zypher at spamcop.net (Ron B.) 
Date: Thu May 12 23:35:05 2005 Subject: [SpamCop-List] Re: Grow up In-Reply-To: References: Message-ID: sbb78247 wrote: > Pop wrote: > >>bye arsehole > > > is that what you said to your last boyfriend? > > Please stop feeding this troll. Replying to their posts and taking them seriously only gives them new fuel to add to their fire, and sooner or later, you will find yourself under a barrage of personal attacks and flames. The only way to deal with trolls is just to ignore them and to go about your business having fun talking with other people on Usenet. Forget about the trolls and they will not bother you again. http://www.usenet.com/articles/usenet_trolls.htm From redwolfe_98 at nospam.com Fri May 13 01:01:24 2005 From: redwolfe_98 at nospam.com (redwolfe_98) Date: Fri May 13 00:05:08 2005 Subject: [SpamCop-List] Spamcop Feedback Message-ID: i notice that sometimes spamcop cannot process, trace, url's in spam where the url has an unusual ending, lke http://www.xyz.com/chk.. maybe spamcom could set things up to work the way that "samspade.org" does where it ignores the part of the url that comes at the end, after ".com", and then spamcop would be able to trace the url.. for example, instead of trying to trace http://www.xyz.com/chk it would trace http://www.xyz.com , ignoring the part on the end of the url, and then maybe spamcop would trace those url's that it otherwise, sometimes does not trace, and then we could better report those url's for spamming... From nobody at devnull.spamcop.net Fri May 13 15:46:06 2005 From: nobody at devnull.spamcop.net (Patto) Date: Fri May 13 01:50:03 2005 Subject: [SpamCop-List] Re: like i said In-Reply-To: References: Message-ID: sbb78247 wrote: > fuck off you nazis he, he, he - fried spam again; my favorite! 
From oren.freidenstein at you.bogus-grouchy-freebooter.org Fri May 13 09:49:37 2005
From: oren.freidenstein at you.bogus-grouchy-freebooter.org (Oren Freidenstein)
Date: Fri May 13 02:50:31 2005
Subject: [SpamCop-List] Re: Grow up
References:
Message-ID: <7b4887176a81415b8366f9e5489b9b24@you.tinpot-openmouthed-pudding.org>

Ron B., wrote:

> Please stop feeding this troll.

Ok.

*PLONK*

From nttp.sc.s at bigsleep.org Fri May 13 09:18:27 2005
From: nttp.sc.s at bigsleep.org (Blammo)
Date: Fri May 13 04:20:22 2005
Subject: [SpamCop-List] Re: SBCGlobal) Software Factory solutionsSFSFL and PACBell and Whoa007 @pacbell
References: <2a5l23mdxndq.dlg@news.spamcop.net>
Message-ID:

On 11 May 2005 N. Miller entered spamcop and left
news:2a5l23mdxndq.dlg@news.spamcop.net:

> I like to use this for CIDR calculations:
>

I finally figured out how to do that with the scientific calculator,
here I use the caret ^ for the button [x^y].

e.g. /24
2 ^ (32 - 24) = 256 - 1 = 255

This gives you the number of addresses minus the one you already have.
Converting to dotted quad is a little clumsy, you need to divide by 256
for any number greater than 255 to get each quad, (then subtract 1)
adding the result to the first address.

Converting back probably makes this more clear:

e.g. 69.67.64.0 - 69.67.79.255
each dotted quad = 256, and we have to add one to include the "0" address.
(79 - 64 + 1) * 256 = 4096
32 - (4096 log / 2 log) = 20
69.67.64.0 - 69.67.79.255 = 69.67.64.0/20

Another example:
69.67.0.0 - 69.68.255.255
I know this = 69.67.0.0/15
69.68.255.255 - 69.67.0.0 =
(68 - 67 + 1) * 256 * 256 = 131072
Or I think you could expand that to say
(69 - 69 + 1) * (68 - 67 + 1) * (255 - 0 + 1) * (255 - 0 + 1) = 131072
32 - (131072 log / 2 log) = 15

converting back...
2 ^ (32 - 15) = 131072
131072 / 256 = 512 [0.0.0.255]
512 / 256 = 2 [0.0.255.0]
2 - 1 = 1 [0.1.0.0]
69.67.0.0 + 0.1.255.255 = 69.68.255.255
or hex(131072 - 1) = 1FFFF

CIDR seems complicated, but it's simply the number of fixed bits in the
address range. IPv4 contains 32 bits, so a range of one address would
have 32 fixed bits or /32.

2 ^ (32 - 32) = 1

binary is multiples of 2 (2^y), so
/32 = 1
/31 = 2
/30 = 4
/29 = 8
/28 = 16

--
| Ric |

From nobody at nowhere.invalid Fri May 13 11:29:28 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Fri May 13 04:30:03 2005
Subject: [SpamCop-List] Re: SBCGlobal) Software Factory solutionsSFSFL and PACBell and Whoa007 @pacbell
References: <2a5l23mdxndq.dlg@news.spamcop.net>
Message-ID:

On Fri, 13 May 2005 08:18:27 +0000 (UTC), Blammo coughed into spamcop and
left this in :

> CIDR seems complicated....

You hit the nail square on the head there. It 'seems' complicated when
you're not used to working in binary, but in actual fact it's really easy.
Give it a bit of practice and you won't even need your scientific
calculator any more - you'll be doing it mentally.

--
Steve

genius, n:
A chemist who discovers a laundry additive that rhymes with "bright".

From 0rio85a02 at sneakemail.com Fri May 13 02:40:59 2005
From: 0rio85a02 at sneakemail.com (Fred k)
Date: Fri May 13 05:45:24 2005
Subject: [SpamCop-List] Eternal Optimism
Message-ID:

a.. Massachusetts fires legal broadside at spam gang ...
as failed junk mailers escape FTC fine http://go.theregister.com/news/http://www.theregister.co.uk/2005/05/12/spam_lawsuit/ Fred k From hans at salvisberg.invalid Fri May 13 14:05:41 2005 From: hans at salvisberg.invalid (Hans Salvisberg) Date: Fri May 13 06:55:09 2005 Subject: [SpamCop-List] Re: Anyone from =?iso-8859-1?q?W=FCrzburg=2C_Germany=3F_Is_it_legal_to_peddle_pre?= =?iso-8859-1?q?scription_drugs_over_the_Internet_in_Germany=3F?= In-Reply-To: References: Message-ID: Karl-Josef Ziegler wrote: > I got the same spam and it has some characteristics which point to Leo > Kuvayev in Russia as the real originator. Fred k already posted the reference, but I'll still add it here as it specifically mentions Leo Kuvayev: http://www.theregister.co.uk/2005/05/12/spam_lawsuit/ http://www.ago.state.ma.us/sp.cfm?pageid=986&id=1416 This would also explain why the domains we talked about went on REGISTRAR-HOLD, if they really are connected to Leo Kuvayev as you suspect. Hans From sbb78247 at stilldon'tfuckincare.invalid Fri May 13 07:06:27 2005 From: sbb78247 at stilldon'tfuckincare.invalid (sbb78247) Date: Fri May 13 07:10:04 2005 Subject: [SpamCop-List] Re: like i said References: Message-ID: Patto wrote: > sbb78247 wrote: >> fuck off you nazis > > he, he, he - fried spam again; my favorite! not even close you censorship nazi From MikeE at ster.invalid Fri May 13 06:24:36 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri May 13 08:25:05 2005 Subject: [SpamCop-List] Re: Spamcop Feedback References: Message-ID: redwolfe_98 wrote: > i notice that sometimes spamcop cannot process, trace, url's in spam > where the url has an unusual ending, lke http://www.xyz.com/chk.. > maybe spamcom could set things up to work the way that "samspade.org" > does where it ignores the part of the url that comes at the end, > after ".com", and then spamcop would be able to trace the url.. 
for > example, instead of trying to trace http://www.xyz.com/chk it would > trace http://www.xyz.com , ignoring the part on the end of the url, > and then maybe spamcop would trace those url's that it otherwise, > sometimes does not trace, and then we could better report those url's > for spamming... I don't think that would make any difference, but it is very easy for you to test the result of your theory by feeding the parser the modified item. You can even test the result of feeding the parser an entire spam forged to contain your modified url as long as you cancel any offered reports on spam forgeries. -- Mike Easter kibitzer, not SC admin From bar_n0ne at hotmail.com Fri May 13 18:32:17 2005 From: bar_n0ne at hotmail.com (Berny) Date: Fri May 13 09:35:12 2005 Subject: [SpamCop-List] wierd website resolving to 127.0.0.1! Message-ID: tracker: h ttp://www.spamcop.net/sc?id=z762673943zf424b2a95bd2ccec629d75ff7677c7b1z tracert at home gave the same result for www.xlyrl.locationspots.com I checked with DNS stuff and the nameservice resolves to that, is that a new way to shut down a website? or a "new" way to attack a vulnerable computer? From nospam at fuck-off-and-die.com Fri May 13 20:19:48 2005 From: nospam at fuck-off-and-die.com (Kadaitcha Man) Date: Fri May 13 09:35:39 2005 Subject: [SpamCop-List] Re: wierd website resolving to 127.0.0.1! References: Message-ID: Berny, , the gripping, vegetarian lost soul, and minor, worthless author of usenet posts, noted: > tracker: > > h > ttp://www.spamcop.net/sc?id=z762673943zf424b2a95bd2ccec629d75ff7677c7b1z > > tracert at home gave the same result for www.xlyrl.locationspots.com > > I checked with DNS stuff and the nameservice resolves to that, > > is that a new way to shut down a website? or a "new" way to attack a > vulnerable computer? Check your fucking hosts file, you dumb cunt. 
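
[Added example, not part of any list message.] The range-to-CIDR and CIDR-to-range arithmetic from the 69.67.64.0/20 thread above (N. Miller's Sam Spade lookup and Blammo's calculator method), written in Python with the standard ipaddress module. The function names are this example's own, and it goes one step further than the thread by also handling a range that does not start on a block boundary, which takes more than one CIDR block to cover.

```python
import ipaddress


def prefix_to_range(cidr):
    """Return (first address, last address, address count) for a CIDR block.

    The count is 2 ** (32 - prefix): every bit that is not fixed by the
    prefix doubles the size of the block.
    """
    net = ipaddress.IPv4Network(cidr, strict=True)  # rejects misaligned blocks
    count = 2 ** (32 - net.prefixlen)
    first = int(net.network_address)
    last = first + count - 1
    return (str(ipaddress.IPv4Address(first)),
            str(ipaddress.IPv4Address(last)),
            count)


def range_to_cidrs(first, last):
    """Cover the inclusive range first..last with the fewest CIDR blocks.

    At each step the block size is limited by two things:
      * alignment: a block of 2**n addresses must start on a multiple of
        2**n, so the trailing zero bits of the start address cap n;
      * remaining size: the block must not run past the end of the range.
    """
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError("range start is above range end")
    blocks = []
    while lo <= hi:
        # Trailing zero bits of lo (0.0.0.0 is aligned to everything).
        align_bits = (lo & -lo).bit_length() - 1 if lo else 32
        # Largest power of two that still fits in what is left.
        fit_bits = (hi - lo + 1).bit_length() - 1
        host_bits = min(align_bits, fit_bits)
        blocks.append(f"{ipaddress.IPv4Address(lo)}/{32 - host_bits}")
        lo += 1 << host_bits
    return blocks


def listing_covers(listing, target):
    """True if a blocklist entry (CIDR) covers a target address or block."""
    return ipaddress.IPv4Network(target).subnet_of(
        ipaddress.IPv4Network(listing))


if __name__ == "__main__":
    # Ranges taken from the whois output and the calculator walk-through.
    for a, b in [("69.67.72.0", "69.67.72.255"),
                 ("69.67.64.0", "69.67.79.255"),
                 ("69.67.0.0", "69.68.255.255")]:
        print(f"{a} - {b} -> {range_to_cidrs(a, b)}")
    print(prefix_to_range("69.67.64.0/20"))
    print(listing_covers("69.67.64.0/20", "69.67.72.0/24"))
```
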
From DougThegarden at hotmail.com Fri May 13 15:54:24 2005 From: DougThegarden at hotmail.com (Doug Thegarden) Date: Fri May 13 09:55:04 2005 Subject: [SpamCop-List] Re: wierd website resolving to 127.0.0.1! In-Reply-To: References: Message-ID: Kadaitcha Man wrote: > Kindatetchy Man shurely? Doug From bar_n0ne at hotmail.com Fri May 13 19:49:08 2005 From: bar_n0ne at hotmail.com (Berny) Date: Fri May 13 10:50:03 2005 Subject: [SpamCop-List] Re: wierd website resolving to 127.0.0.1! References: Message-ID: "Doug Thegarden" wrote in message news:d62bid$g1i$1@news.spamcop.net... > Kadaitcha Man wrote: > > > > Kindatetchy Man shurely? > > Doug And I did check my Hosts files bythe way, butit would have been too much coincidence for me and SC to have that entry. From SCNews.5.myspamgobbler at spamgourmet.com Fri May 13 09:04:27 2005 From: SCNews.5.myspamgobbler at spamgourmet.com (Brian (SnSR)) Date: Fri May 13 11:05:04 2005 Subject: [SpamCop-List] Re: wierd website resolving to 127.0.0.1! In-Reply-To: References: Message-ID: Berny wrote: > tracker: > > h > ttp://www.spamcop.net/sc?id=z762673943zf424b2a95bd2ccec629d75ff7677c7b1z > > tracert at home gave the same result for www.xlyrl.locationspots.com > > I checked with DNS stuff and the nameservice resolves to that, > > is that a new way to shut down a website? or a "new" way to attack a > vulnerable computer? > > It's a way to permanently shut down a domain. From MikeE at ster.invalid Fri May 13 09:16:16 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri May 13 11:15:08 2005 Subject: [SpamCop-List] Re: wierd website resolving to 127.0.0.1! References: Message-ID: Berny wrote: www.spamcop.net/sc?id=z762673943zf424b2a95bd2ccec629d75ff7677c7b1z>h > www.xlyrl.locationspots.com = 127.0.0.1 > is that a new way to shut down a website? or a "new" way to attack a > vulnerable computer? If the resolution doesn't result in a website, then the 'site' is dead. 
The registrar for locationspots is SPOT DOMAIN LLC DBA DOMAINSITE.COM - who is also providing the nameservice and is at http://www.domainsite.com They are also 'absorbing' the registration information information -- that is, they are listed as the registrant [as well as the registrar] for the domain's contact information. I think it would be interesting for you to contact them with a manual notify and see if they respond; that is, they are the 'registered' spamvertisers and are providing spam support. SC's design is to notify the webspace provider which is normally a good strategy, and generally the business about how the domain registration is handled is a separate issue which spamfighters do 'on their own' -- sometimes by completing the bad registration form at internic. I'm not sure whether this is a bad policy by domainsite to hide the registrant or if the domainname is really registered to the registrar, but the point is that you got a spam, and it is even an 'illegal' spam by CANSPAM terms, because it has a bogus headerline and other 'illegal' characteristics and the registered owner of the spamming domainname is the registrar domainsite. So, you could legitimately notify internic at both places, the place where you complain about registrars and the place where you complain about bad registration information^1. You can also notify domainsite to see how they respond, if at all. ^1 To submit a complaint about an accredited registrar go to the Registrar Problem Report form. http://reports.internic.net/cgi/registrars/problem-report.cgi To report incomplete or inaccurate Registrar Whois data, please visit the new Whois Data Problem Report System. 
http://wdprs.internic.net/ It is possible that domainsite's 'idea' is that they have killed the spamsupport by waylaying the nameservice resolution and thus the access to some website which was there before - but that doesn't explain their approach to how they are handling the registration information, by putting themselves as the registrant. That looks to me like a 'policy' decision that isn't in keeping with the ICANN rules. All of the registrant and nameservice information is 'fresh' - ie updated yesterday, so it is possible that the registrar is acting responsibly instead of irresponsibly - it is hard to say without the earlier information and knowing if domainsite is white or blackhat. The domainname was registered over a year ago. -- Mike Easter kibitzer, not SC admin From eddie at eddie.web Fri May 13 12:32:46 2005 From: eddie at eddie.web (eddie) Date: Fri May 13 11:35:03 2005 Subject: [SpamCop-List] comcast "selling" illegal cable descramblers Message-ID: Besides being ironic, I wonder if one could use the comcast spew as a defense for using such an illegal device. Showing that the spam promoting the device came from comcast might be considered that comcast is promoting it. You could claim you thought it was a comcast advertisement. It's funny, at least to me. -- Once movie theaters gave out steak knives Today they confiscate them From MikeE at ster.invalid Fri May 13 09:39:26 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri May 13 11:40:06 2005 Subject: [SpamCop-List] Re: wierd website resolving to 127.0.0.1! References: Message-ID: Mike Easter wrote: > If the resolution doesn't result in a website, then the 'site' is > dead. 
The registrar for locationspots is SPOT DOMAIN LLC DBA > DOMAINSITE.COM - who is also providing the nameservice and is at > http://www.domainsite.com > > They are also 'absorbing' the registration information information -- > that is, they are listed as the registrant [as well as the registrar] > for the domain's contact information. They also own their own webspace under internap whois -h whois.arin.net 69.25.212.135 ... Internap Network Services 69.25.0.0 - 69.25.255.255 Name.com 69.25.212.128 - 69.25.212.191 name and domainsite are both dba/s of spot domain. OTOH, those entities get an attaboy from me for suing Verisign and ICANN over the Verisign gig here http://www.whois.sc/news/2004-02/wls-lawsuit.html Domain registrars sue ICANN, VeriSign -- Mike Easter kibitzer, not SC admin From mrichter at cpl.net Fri May 13 11:20:19 2005 From: mrichter at cpl.net (Mike Richter) Date: Fri May 13 13:25:31 2005 Subject: [SpamCop-List] Re: Spamcop Feedback In-Reply-To: References: Message-ID: redwolfe_98 wrote: > i notice that sometimes spamcop cannot process, trace, url's in spam where > the url has an unusual ending, lke http://www.xyz.com/chk.. maybe spamcom > could set things up to work the way that "samspade.org" does where it > ignores the part of the url that comes at the end, after ".com", and then > spamcop would be able to trace the url.. for example, instead of trying to > trace http://www.xyz.com/chk it would trace http://www.xyz.com , ignoring > the part on the end of the url, and then maybe spamcop would trace those > url's that it otherwise, sometimes does not trace, and then we could better > report those url's for spamming... > > In your example, xyz.com is the domain hosting the spamvertized site. SC reports to the abuse desk for that domain. '/chk' is the specific page being referenced in the spam, but there is no way to report to its owner. 
Mike -- mrichter@cpl.net http://www.mrichter.com/ From agent01413 at my-deja.com Fri May 13 18:58:34 2005 From: agent01413 at my-deja.com (Socks the Whitehouse Cat) Date: Fri May 13 14:00:04 2005 Subject: [SpamCop-List] Re: like i said References: Message-ID: "sbb78247" wrote in news:d629qj.3cg.1@133.256.1.103.MISMATCH: > fuck off you nazis > > godwin in one. you lose -- See NANAE kooks, including Barbara Schwarz: http://www.morningmist.org/nanae/kookfaq.html From agent01413 at my-deja.com Fri May 13 18:59:44 2005 From: agent01413 at my-deja.com (Socks the Whitehouse Cat) Date: Fri May 13 14:00:15 2005 Subject: [SpamCop-List] Re: like i said References: Message-ID: "sbb78247" wrote in news:d63533.23c.1@133.256.1.103.MISMATCH: > Patto wrote: >> sbb78247 wrote: >>> fuck off you nazis >> >> he, he, he - fried spam again; my favorite! > > not even close you censorship nazi > i love the smell of fried spammer nads in the morning. i wonder if his mommy knows that he's palying with her computer. someone will get his britches warmed. -- See NANAE kooks, including Barbara Schwarz: http://www.morningmist.org/nanae/kookfaq.html From Vanguard at domain.invalid Fri May 13 14:09:46 2005 From: Vanguard at domain.invalid (Vanguard) Date: Fri May 13 14:20:04 2005 Subject: [SpamCop-List] Why can't Spamcop's parser find URL links in body? Message-ID: See http://www.spamcop.net/sc?id=z763127086z1600142eb6ae87f8924f27973158fac1z for my spam report. Notice it says no links were found in the body of the e-mail. Yet there is a link: Does SpamCop's parser have a problem of knowing to terminate the parsing at the first illegal character used in the domain portion of the URL? Isn't the URL pointing to ntoslal.net (which is what the deobfuscators say it is), or is it bramiadcjlj.com? 
I know that I can specify either http://support.microsoft.com/?id=300698 as a URL to a Microsoft KB article but http://support.microsoft.com?id=300698 also works, so I figure the domain URL parsing stops at the first character that isn't allowed in a domain, and that would be the ampersand ("&") character. Even if the domain is no longer registered, shouldn't the parser note the domain from the URL (so you are reminded that there is a URL to site within the body without having to view the entire message) and also note that there was no lookup on it at that time? -- ____________________________________________________________ ** Post your replies to the newsgroup - Share with others ** For e-mail Reply: remove "DELETE", add "~VN56~" to Subject. ____________________________________________________________ From Vanguard at domain.invalid Fri May 13 14:24:27 2005 From: Vanguard at domain.invalid (Vanguard) Date: Fri May 13 14:25:04 2005 Subject: [SpamCop-List] Re: Why can't Spamcop's parser find URL links in body? References: Message-ID: I would've thought the first part of the domain portion of the URL would've been truncated at the "&" character and the first part used. But according to another SpamCop parse shown at http://www.spamcop.net/sc?id=z763048974zd6c29db5fcdb5b26b51ea2ea24dbe1f9z, it trashes the first part before the "&" and uses the second half. The deobfuscators that I've used return the first part before the ampersand. In fact, a real easy deobfuscator is to simply use the ping.exe program. When I run: ping kwmsbgk.net&trjqauq2hnd6l2ipv2jgc5.bokarknjkjl.com it is trying to ping kwmsbgk.net. It seems SpamCop's parser is using the wrong portion of the obfuscated URL. As a result, SpamCop will be sending its spam reports to wrong recipients, something that I've heard accused of SpamCop.
For this particular spam report, I decided to deselect the Chinese contacts because they were based on the domain extracted from the URL but SpamCop used the wrong portion of that URL. From news at schmide.com Fri May 13 12:36:53 2005 From: news at schmide.com (Schmide) Date: Fri May 13 14:40:05 2005 Subject: [SpamCop-List] Spam Gang (DOH) Message-ID: http://www.theinquirer.net/?article=23212 The wheels of justice turn slooooooow From nobody at spamcop.net Fri May 13 16:36:19 2005 From: nobody at spamcop.net (Ellen) Date: Fri May 13 15:40:07 2005 Subject: [SpamCop-List] Re: Why can't Spamcop's parser find URL links in body? References: Message-ID: "Vanguard" wrote in message news:d62rcr$q59$1@news.spamcop.net... > I would've thought the first part of the domain portion of the URL > would've been truncated at the "&" character and the first part used. > But according to another SpamCop parse shown at > http://www.spamcop.net/sc?id=z763048974zd6c29db5fcdb5b26b51ea2ea24dbe1f9z, > it trashes the first part before the "&" and uses the second half. The > deobfuscators that I've used return the first part before the ampersand. > In fact, a real easy deobfuscator is to simply use the ping.exe program. > When I run: > > ping kwmsbgk.net&trjqauq2hnd6l2ipv2jgc5.bokarknjkjl.com > > it is trying to ping kwmsbgk.net. It seems SpamCop's parser is using > the wrong portion of the obfuscated URL. As a result, SpamCop will be > sending it spam reports to wrong recipients, something that I've heard > accused of SpamCop. For this particular spam report, I decided to > deselect the Chinese contacts because they were based on the domain > extracted from the URL but SpamCop used the wrong portion of that URL. > The & is invalid in a url -- however some versions of firefox, opera and safari will accept that url and bring it up as ntoslal.netsxwgzihurfngdush5utq4x.bramiadcjlj.com/ -- if you remove the ntoslal.net from the front of it you get to the same site. 
And ping seems to handle it the same way as those browsers. The nameservers for bramiadcjlj.com accept wildcards: host sxwgzihurfngdush5utq4x.bramiadcjlj.com sxwgzihurfngdush5utq4x.bramiadcjlj.com has address 82.78.42.131 sxwgzihurfngdush5utq4x.bramiadcjlj.com has address 218.7.112.241 host ntoslal.net.sxwgzihurfngdush5utq4x.bramiadcjlj.com ntoslal.net.sxwgzihurfngdush5utq4x.bramiadcjlj.com has address 82.78.42.131 ntoslal.net.sxwgzihurfngdush5utq4x.bramiadcjlj.com has address 218.7.112.241 host lskdejslkdjf.bramiadcjlj.com lskdejslkdjf.bramiadcjlj.com has address 218.7.112.241 lskdejslkdjf.bramiadcjlj.com has address 82.78.42.131 The parse is finding the correct reporting address(es). Ellen From 79ytka802 at sneakemail.com Sat May 14 00:01:27 2005 From: 79ytka802 at sneakemail.com (Aviatrix) Date: Fri May 13 18:05:05 2005 Subject: [SpamCop-List] Re: like i said In-Reply-To: References: Message-ID: Why are you all feeding the troll? From spam at spam.no.not.spam Sat May 14 01:02:18 2005 From: spam at spam.no.not.spam (sparkle) Date: Fri May 13 18:05:24 2005 Subject: [SpamCop-List] What's this mean? Message-ID: I just sent a spamcop report and the spamcop page reported: To: abuse@above.net (refuses munged reports) (Notes) The option to send a report was unchecked. Out of interest, what is the explanation for that? From nobody at devnull.spamcop.net Fri May 13 18:28:37 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Fri May 13 18:30:05 2005 Subject: [SpamCop-List] Re: What's this mean? References: Message-ID: "sparkle" wrote in message news:d6385h$lg6$0@pita.alt.net... > I just sent a spamcop report and the spamcop page reported: > > To: abuse@above.net (refuses munged reports) (Notes) > > Out of interest, what is the explanation for that? http://www.spamcop.net/fom-serve/cache/75.html specifically, the item "You've munged the header..." 
http://www.spamcop.net/fom-serve/cache/267.html From MikeE at ster.invalid Fri May 13 16:47:35 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri May 13 18:50:03 2005 Subject: [SpamCop-List] Re: What's this mean? References: Message-ID: WazoO wrote: > "sparkle" wrote in message > news:d6385h$lg6$0@pita.alt.net... >> I just sent a spamcop report and the spamcop page reported: >> >> To: abuse@above.net (refuses munged reports) (Notes) >> Out of interest, what is the explanation for that? The standard SC config is to 'SC munge' a standard SC report -- the concept being to hide the email addy of the reporter and to 'stand between' as an anonymizer for the reporter and replace the reporter with a report id #- by which issues can be responded to and resolved. Some providers do not want to receive munged reports. One reason for that is because they look upon the evidence like 'legal' evidence and don't want it tampered with - they want the original in its entirety. So, the provider can register their insistence that they receive unmunged. See below - bottom. If you are default configured to SC munge, the provider won't get your report. It still counts toward the SCbl about a source, the provider just doesn't receive the notify. If you choose to check the unchecked box, SC will ask you if you are sure that you want to unmunge and if you say yes, then that notified will get an unmunged report. Some reporters choose to configure unmunge all of their reports. > http://www.spamcop.net/fom-serve/cache/75.html > specifically, the item "You've munged the header..." > http://www.spamcop.net/fom-serve/cache/267.html And those links are for the admins - the first the general admin faq page, and the 2nd is an explanation to an admin about the standard or default SC mungeing. It shows the admin where to go to have their preferences recorded about receiving munged headers or not. If the OP were an admin that would help them understand why they get a munged report. 
-- Mike Easter kibitzer, not SC admin From wb8tyw at qsl.network Fri May 13 20:00:18 2005 From: wb8tyw at qsl.network (John E. Malmberg) Date: Fri May 13 19:05:02 2005 Subject: [SpamCop-List] Re: What's this mean? In-Reply-To: References: Message-ID: sparkle wrote: > I just sent a spamcop report and the spamcop page reported: > > To: abuse@above.net (refuses munged reports) (Notes) > > The option to send a report was unchecked. > > Out of interest, what is the explanation for that? If you are a paying member you have the option of always sending unmunged reports. Otherwise the default is to send munged reports where spamcop.net attempts to remove information that would identify the specific e-mail address that was spammed. This munging by spamcop is incomplete as spammers will often put codes in their spam to identify what address is complaining. So if you check the box, above.net will get a copy of the spam that reveals the e-mail address that was spammed to them. Some reporters never mung their reports. Now the importance of sending a munged report really depends if the notification is going to the spam source, which is usually an open proxy or to the host of the spamvertised website. In the case of a the spam source, if it is an open proxy, the network owner usually has no idea who the spammer is, so they can not pass it on to a spammer. So if you do not check the box, they will not get a notification that bandwidth is being stolen from them. (Some networks do not care, and just pass those extra costs on to their customers) In the case of a web site, the network owner may just be passing on the complaints directly to the spammer instead of dealing with them. If they pass it on to the spammer instead of removing the spammer, that spammer may remove you from his lists that spamvertise their sites on that network and then sell your now validated e-mail address to other spammers. 
Earthlink wants unmunged reports, but Earthlink publicly admits to suing spammers that spam through their network. You will have to use your own judgment as to if you want to send an unmunged report or not. If you use your favorite search engine for the ISP name and the words listwashing and spam, you may find what others think about that ISP. -John wb8tyw@qsl.network Personal Opinion Only From nobody at devnull.spamcop.net Fri May 13 19:26:36 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Fri May 13 19:30:03 2005 Subject: [SpamCop-List] Re: What's this mean? References: Message-ID: "Mike Easter" wrote in message news:d63amc$55q$1@news.spamcop.net... > WazoO wrote: > > > http://www.spamcop.net/fom-serve/cache/75.html > > specifically, the item "You've munged the header..." > > http://www.spamcop.net/fom-serve/cache/267.html > > And those links are for the admins - the first the general admin faq > page, and the 2nd is an explanation to an admin about the standard or > default SC mungeing. It shows the admin where to go to have their > preferences recorded about receiving munged headers or not. If the OP > were an admin that would help them understand why they get a munged > report. Ok fine ... I was attempting to offer the explanation for the action. If you believe it was just the word "mung" that was behind the query; http://forum.spamcop.net/forums/index.php?showtopic=2530 From MikeE at ster.invalid Fri May 13 17:46:23 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri May 13 19:45:03 2005 Subject: [SpamCop-List] Re: What's this mean? References: Message-ID: WazoO wrote: > Ok fine ... I was attempting to offer the explanation for the action. > If you believe it was just the word "mung" that was behind the query; > http://forum.spamcop.net/forums/index.php?showtopic=2530 That link shows the glossary including for munged Oh, I get it, perhaps you and I read her query differently.
Maybe you interpreted it as her not knowing what munge meant, or maybe what a munged report meant. I interpreted her as meaning that she didn't understand why SC was unchecking the box and not wanting to send a report. That is, she was asking what she should do based on asking what that meant. Reposting her at the bottom. It seemed to me that she would be wondering if she should check the box. That forum link would help her with an understanding of generic munge [my choice of the words] -- but not about what to do when SC presents her with her options to respond for the report. sparkle wrote: Subject: What's this mean? > I just sent a spamcop report and the spamcop page reported: > > To: abuse@above.net (refuses munged reports) (Notes) > > The option to send a report was unchecked. > > Out of interest, what is the explanation for that? -- Mike Easter kibitzer, not SC admin From spam at spam.no.not.spam Sat May 14 02:56:46 2005 From: spam at spam.no.not.spam (sparkle) Date: Fri May 13 20:00:03 2005 Subject: [SpamCop-List] Re: What's this mean? References: Message-ID: Mike Easter MikeE@ster.invalid, wrote in message 63e4j$79j$1@news.spamcop.net: > WazoO wrote: >> Ok fine ... I was attempting to offer the explanation for the action. >> If you believe it was just the word "mung" that was behind the query; >> http://forum.spamcop.net/forums/index.php?showtopic=2530 > > That link shows the glossary including for munged > > Oh, I get it, perhaps you and I read her query differently. Maybe you > interpreted it as her not knowing what munge meant, or maybe what a > munged report meant. > > I interpreted her as meaning that she didn't understand why SC was > unchecking the box and not wanting to send a report. That is, she was > asking what she should do based on asking what that meant. Reposting > her at the bottom. :) xxx >> The option to send a report was unchecked. >> >> Out of interest, what is the explanation for that? 
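Added example (not part of any post in this archive, and not SpamCop's parser): the thread "Why can't Spamcop's parser find URL links in body?" above describes three readings of a host containing "&": cut at the "&", drop the "&" and join the halves, or keep only what follows it. This sketch derives all three for the URL quoted in that thread, so a report can cover every domain a client might reach. The function names and the "last two labels" rule for the registered domain are assumptions of the example.

```python
import re

# Characters that may legally appear in a DNS hostname.
_HOST_CHAR = re.compile(r"[A-Za-z0-9.-]")


def authority_host(url):
    """Raw host text of a URL, with scheme, path/query/fragment,
    userinfo and port removed. Invalid characters are left in place."""
    rest = url.split("://", 1)[-1]
    rest = re.split(r"[/?#]", rest, maxsplit=1)[0]
    rest = rest.rsplit("@", 1)[-1]
    return rest.split(":", 1)[0]


def candidate_hosts(url):
    """Return the host under each reading discussed in the thread.

    truncate: stop at the first character not allowed in a hostname
    strip:    delete the invalid characters and join what is left
    tail:     keep only the text after the last invalid character
    """
    raw = authority_host(url)
    bad = [i for i, ch in enumerate(raw) if not _HOST_CHAR.match(ch)]
    if not bad:
        host = raw.lower()
        return {"truncate": host, "strip": host, "tail": host}
    return {
        "truncate": raw[:bad[0]].lower(),
        "strip": "".join(ch for ch in raw if _HOST_CHAR.match(ch)).lower(),
        "tail": raw[bad[-1] + 1:].lower(),
    }


def registered_domain(host):
    """Assumption: the registered domain is the last two labels.
    A production tool would consult the Public Suffix List instead."""
    labels = [label for label in host.strip(".").split(".") if label]
    return ".".join(labels[-2:]) if len(labels) >= 2 else ""


def report_domains(url):
    """Map each distinct registered domain to the readings that reach it."""
    found = {}
    for reading, host in candidate_hosts(url).items():
        domain = registered_domain(host)
        if domain:
            found.setdefault(domain, []).append(reading)
    return found


if __name__ == "__main__":
    # Host taken from the ping command quoted in the thread.
    url = "http://kwmsbgk.net&trjqauq2hnd6l2ipv2jgc5.bokarknjkjl.com/"
    for domain, readings in report_domains(url).items():
        print(domain, "<-", ", ".join(readings))
```

The "strip" and "tail" readings end at the same registered domain, which matches the observation in the thread that the nameservers for the second domain answer for any prefix placed in front of it.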
From nobody at devnull.spamcop.net Fri May 13 21:13:18 2005 From: nobody at devnull.spamcop.net (Pop) Date: Fri May 13 20:15:04 2005 Subject: [SpamCop-List] Re: Grow up References: Message-ID: ... > > Please stop feeding this troll. ===> You just added food for the troll by virtue of this post. > > Replying to their posts and taking them seriously > only gives them new > fuel to add to their fire, and sooner or later, you > will find yourself > under a barrage of personal attacks and flames. ===> Is that a threat? Do you REALLY think I'll respond to your threats in the way you want me to? The only way to deal > with trolls is just to ignore them and to go about > your business having > fun talking with other people on Usenet. ===> Check the name of this newsgroup. Forget about the trolls and > they will not bother you again. ===> Oh, I didn't know that! U sure are smart. > > http://www.usenet.com/articles/usenet_trolls.htm ===> Bye, to you, too. From nobody at devnull.spamcop.net Fri May 13 20:29:12 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Fri May 13 20:30:21 2005 Subject: [SpamCop-List] Re: What's this mean? References: Message-ID: "Mike Easter" wrote in message news:d63e4j$79j$1@news.spamcop.net... > > I interpreted her as meaning that she didn't understand why SC was > unchecking the box and not wanting to send a report. That is, she was > asking what she should do based on asking what that meant. Reposting > her at the bottom. > > It seemed to me that she would be wondering if she should check the box. I interpreted it the same way, that's why I offered the link to the explanation "behind the (unchecked) box amd message" Bottom line, sparkle appears to be happy at this point. From MikeE at ster.invalid Fri May 13 18:40:14 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri May 13 20:40:04 2005 Subject: [SpamCop-List] Re: What's this mean? 
References: Message-ID: WazoO wrote: > "Mike Easter" >> It seemed to me that she would be wondering if she should check the >> box. > > I interpreted it the same way, that's why I offered the link to > the explanation "behind the (unchecked) box amd message" Yabbut; the faq doesn't really have an item aimed at the reporter about this. Those faq links are aimed at admins. I looked around for something in the faq, but actually the best place would've been the section in Preferences: Spam Munging > Bottom line, sparkle appears to be happy at this point. Yes. She could also go visit her Preferences section. It sez it in a lot fewer words than I did. -- Mike Easter kibitzer, not SC admin From spamtrap at secnap.net Fri May 13 22:10:04 2005 From: spamtrap at secnap.net (Michael Scheidell) Date: Fri May 13 21:10:03 2005 Subject: [SpamCop-List] forged dates fool spamcop? Message-ID: looks like a forged date fools spamcop. I have had about 10 like this (last 10 I tried to report) if spammer puts a date 3 days ago in email, spamcop won't list it. it WAS sent at 20:38:42 EDT, wasn't it? or it took 15 days to travel 25 meters from one host on the same network to another. (does anyone requeue email up for 15 days?) 
Received: from smarthost3.tiscali.dk (smarthost3.tiscali.dk [62.79.79.29]) by 0.mail.spammertrap.net (Postfix) with ESMTP id 2BF3018F3B7 for ; Fri, 13 May 2005 20:38:42 -0400 (EDT) Received: from cpmail.dk.tiscali.com (mail.tiscali.dk [212.54.64.159]) by smarthost3.tiscali.dk (8.13.1/8.13.1) with ESMTP id j3QCO4WA088728; Tue, 26 Apr 2005 14:24:04 +0200 (CEST) >From x Fri May 13 20:38:48 2005 Return-Path: X-Original-To: spamtrap Received: by mail.secnap.net (Postfix, from userid 1001) id 3157E2066; Fri, 13 May 2005 20:38:48 -0400 (EDT) X-Original-To: x Received: from 0.mail.spammertrap.net (feci.hackertrap.net [10.80.0.94]) by mail.secnap.net (Postfix) with ESMTP id F40CB205E for ; Fri, 13 May 2005 20:38:47 -0400 (EDT) Received: from localhost (localhost [127.0.0.1]) by 0.mail.spammertrap.net (Postfix) with ESMTP id B228918F3BE for ; Fri, 13 May 2005 20:38:47 -0400 (EDT) Received: from smarthost3.tiscali.dk (smarthost3.tiscali.dk [62.79.79.29]) by 0.mail.spammertrap.net (Postfix) with ESMTP id 2BF3018F3B7 for ; Fri, 13 May 2005 20:38:42 -0400 (EDT) Received: from cpmail.dk.tiscali.com (mail.tiscali.dk [212.54.64.159]) by smarthost3.tiscali.dk (8.13.1/8.13.1) with ESMTP id j3QCO4WA088728; Tue, 26 Apr 2005 14:24:04 +0200 (CEST) (envelope-from x) Received: from [213.255.201.15] by cpmail.dk.tiscali.com with HTTP; Tue, 26 Apr 2005 06:03:38 +0200 Date: Tue, 26 Apr 2005 05:03:38 +0100 Message-ID: <421E________FE57@cpfe9.be.tisc.dk> From: "walter smith" Subject: respond a.s.a.p if you love yourself and family Reply-To: agent06_larry@excite.com To: x MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit From MikeE at ster.invalid Fri May 13 19:44:51 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri May 13 21:45:03 2005 Subject: [SpamCop-List] Re: forged dates fool spamcop? References: Message-ID: Michael Scheidell wrote: > looks like a forged date fools spamcop. 
> I have had about 10 like this (last 10 I tried to report) Usually the cause of too old disturbances is /not/ forged date fooling SC -- but something else. In this case tiscali => spammertrap The best way to talk about a parsing is to post a tracker which is at the top of the parse and looks like this: http://www.spamcop.net/sc?id=z763240921z1e2e4e0fdf57d5e2399e5b1d749ad2b9z That is the tracker for the parse of the body-less headers you posted here. Much better. It doesn't say the item is too old.and wants to name the source as 213.255.201.15 rDNS mel.cool-talk.us which is SCbl listed and spews and others. Abbreviated Received lines *comment from (feci.hackertrap.net [10.80.0.94]) by mail.secnap.net *serves you from localhost (localhost [127.0.0.1]) by 0.mail.spammertrap.net *serves you from (smarthost3.tiscali.dk [62.79.79.29]) by 0.mail.spammertrap.net 13 May *serves you from (mail.tiscali.dk [212.54.64.159]) by smarthost3.tiscali.dk 26 Apr *serves you, timestamp from [213.255.201.15] by cpmail.dk.tiscali.com *sourceline Those comments are based on the SC interpretation that the relays of spammertrap and tiscali are trusted to be servers. The tiscali servers are listed for hitting spamtraps; but that doesn't keep them from being trusted to be servers. The timestamp discrepancy resides between when tiscali received the item from the .ng source. I have no way of knowing what your mailhost configuration is. That item has headers which appear to have been sent from the .ng source to tiscali to spammertrap to you. Unfortunately some of the clues which might be derived from the body are missing. You are proposing that the item actually originated at the tiscali smarthost IP and that the bottom 2 lines are forged. I think it originated in from the .ng IP and got stuck in the tiscali system. There are items almost identical to that one in sightings which do not have the timestamp discrepancy. 
-- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Fri May 13 19:48:00 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri May 13 21:50:05 2005 Subject: [SpamCop-List] Re: forged dates fool spamcop? References: Message-ID: Mike Easter wrote: > The timestamp discrepancy resides between when tiscali received the > item from the .ng source. Oops. I didn't finish the sentence. The 17 day timestamp discrepancy resides between when tiscali received the item from the .ng source and when it sent it on to spammertrap. -- Mike Easter kibitzer, not SC admin From agent01413 at my-deja.com Sat May 14 03:15:23 2005 From: agent01413 at my-deja.com (Socks the Whitehouse Cat) Date: Fri May 13 22:20:04 2005 Subject: [SpamCop-List] Re: What's this mean? References: Message-ID: sparkle wrote in news:d6385h$lg6$0@pita.alt.net: > I just sent a spamcop report and the spamcop page reported: > > To: abuse@above.net (refuses munged reports) (Notes) > > The option to send a report was unchecked. > > Out of interest, what is the explanation for that? rather than cutting down abuse by terminating spammers, above.net wants to reduce abuse complaints by helping its spammers list wash. if you send munged reports, they can't list wash. The address I use to report spam manually is not the address I use to receive spam, so i just manually report those with addresses elided without spamcop's help. -- See NANAE kooks, including Barbara Schwarz: http://www.morningmist.org/nanae/kookfaq.html From nobody at spamcop.net Fri May 13 20:31:18 2005 From: nobody at spamcop.net (N. Miller) Date: Fri May 13 22:35:03 2005 Subject: [SpamCop-List] Re: comcast "selling" illegal cable descramblers References: Message-ID: <18p5qu5w31fdi$.dlg@news.spamcop.net> On Fri, 13 May 2005 11:32:46 -0400, eddie wrote: > Besides being ironic, I wonder if one could use the comcast spew as a > defense for using such an illegal device. 
Showing that the spam promoting > the device came from comcast might be considered that comcast is promoting > it. You could claim you thought it was a comcast advertisement. > It's funny, at least to me. I doubt it, but you failed to include a tracker for the spam item that you think is a Comcast spew. My guess is that a Comcast customer's computer with a spamming proxy was used to promote a site not hosted by Comcast. -- Norman ~Win dain a lotica, En vai tu ri, Si lo ta ~Fin dein a loluca, En dragu a sei lain ~Vi fa-ru les shutai am, En riga-lint From sbb78247 at stilldon'tfuckincare.invalid Sat May 14 00:44:52 2005 From: sbb78247 at stilldon'tfuckincare.invalid (sbb78247) Date: Sat May 14 00:45:04 2005 Subject: [SpamCop-List] Re: like i said References: Message-ID: Aviatrix wrote: > Why are you all feeding the troll? because they are fucking stupid? i think they have a problem with free speach whether they agree or not. freedom of speach is a given right to every man, woman, mutant or whatever. if you don't like it, you are cordially invited to KISS MY ARSE. From sbb78247 at stilldon'tfuckincare.invalid Sat May 14 00:48:55 2005 From: sbb78247 at stilldon'tfuckincare.invalid (sbb78247) Date: Sat May 14 00:50:02 2005 Subject: [SpamCop-List] Re: Grow up References: Message-ID: Pop wrote: > ... >> >> Please stop feeding this troll. > ===> You just added food for the troll by virtue of > this post. >> >> Replying to their posts and taking them seriously >> only gives them new >> fuel to add to their fire, and sooner or later, you >> will find yourself >> under a barrage of personal attacks and flames. > ===> Is that a threat? Do you REALLY think I'll > respond to your threats in the way you want me to? > > The only way to deal >> with trolls is just to ignore them and to go about >> your business having >> fun talking with other people on Usenet. > ===> Check the name of this newsgroup. > Forget about the trolls and >> they will not bother you again. 
> ===> Oh, I didn't know that! U sure are smart.
>>
>> http://www.usenet.com/articles/usenet_trolls.htm ===> Bye, to you,
>> too.

BAAAAAAHAHAHAHHAHAHAHAHA!! what a maroon

if you hate free speach so much, why don't you live in say cuba?

From sbb78247 at stilldon'tfuckincare.invalid Sat May 14 00:49:58 2005
From: sbb78247 at stilldon'tfuckincare.invalid (sbb78247)
Date: Sat May 14 00:55:03 2005
Subject: [SpamCop-List] Re: forged dates fool spamcop?
References:
Message-ID:

Michael Scheidell wrote:
> looks like a forged date fools spamcop.
> I have had about 10 like this (last 10 I tried to report)
>
>
> if spammer puts a date 3 days ago in email, spamcop won't list it.
> it WAS sent at 20:38:42 EDT, wasn't it?
>
> or it took 15 days to travel 25 meters from one host on the same
> network to another.
> (does anyone requeue email up for 15 days?)
>
>
> Received: from smarthost3.tiscali.dk (smarthost3.tiscali.dk
> [62.79.79.29]) by 0.mail.spammertrap.net (Postfix) with ESMTP id
> 2BF3018F3B7 for ; Fri, 13 May 2005 20:38:42 -0400 (EDT)
> Received: from cpmail.dk.tiscali.com (mail.tiscali.dk [212.54.64.159])
> by smarthost3.tiscali.dk (8.13.1/8.13.1) with ESMTP id j3QCO4WA088728;
> Tue, 26 Apr 2005 14:24:04 +0200 (CEST)
>
>
> From x Fri May 13 20:38:48 2005
> Return-Path:
> X-Original-To: spamtrap
> Received: by mail.secnap.net (Postfix, from userid 1001)
> id 3157E2066; Fri, 13 May 2005 20:38:48 -0400 (EDT)
> X-Original-To: x
> Received: from 0.mail.spammertrap.net (feci.hackertrap.net
> [10.80.0.94]) by mail.secnap.net (Postfix) with ESMTP id F40CB205E
> for ; Fri, 13 May 2005 20:38:47 -0400 (EDT)
> Received: from localhost (localhost [127.0.0.1])
> by 0.mail.spammertrap.net (Postfix) with ESMTP id B228918F3BE
> for ; Fri, 13 May 2005 20:38:47 -0400 (EDT)
> Received: from smarthost3.tiscali.dk (smarthost3.tiscali.dk
> [62.79.79.29]) by 0.mail.spammertrap.net (Postfix) with ESMTP id
> 2BF3018F3B7 for ; Fri, 13 May 2005 20:38:42 -0400 (EDT)
> Received: from cpmail.dk.tiscali.com (mail.tiscali.dk [212.54.64.159])
> by smarthost3.tiscali.dk (8.13.1/8.13.1) with ESMTP id j3QCO4WA088728;
> Tue, 26 Apr 2005 14:24:04 +0200 (CEST)
> (envelope-from x)
> Received: from [213.255.201.15] by cpmail.dk.tiscali.com with HTTP;
> Tue, 26 Apr 2005 06:03:38 +0200
> Date: Tue, 26 Apr 2005 05:03:38 +0100
> Message-ID: <421E________FE57@cpfe9.be.tisc.dk>
> From: "walter smith"
> Subject: respond a.s.a.p if you love yourself and family
> Reply-To: agent06_larry@excite.com
> To: x
> MIME-Version: 1.0
> Content-Type: text/plain; charset="US-ASCII"
> Content-Transfer-Encoding: 7bit

oh fuck me dead, you are an anal retentive fuck aren't you

From sbb78247 at stilldon'tfuckincare.invalid Sat May 14 00:51:31 2005
From: sbb78247 at stilldon'tfuckincare.invalid (sbb78247)
Date: Sat May 14 00:55:16 2005
Subject: [SpamCop-List] Re: Spam Gang (DOH)
References:
Message-ID:

Schmide wrote:
> http://www.theinquirer.net/?article=23212
>
> The wheels of justice turn slooooooow

OH MY, this will never stick

From sbb78247 at stilldon'tfuckincare.invalid Sat May 14 00:52:57 2005
From: sbb78247 at stilldon'tfuckincare.invalid (sbb78247)
Date: Sat May 14 00:55:22 2005
Subject: [SpamCop-List] Re: What's this mean?
References:
Message-ID:

sparkle wrote:
> I just sent a spamcop report and the spamcop page reported:
>
> To: abuse@above.net (refuses munged reports) (Notes)
>
> The option to send a report was unchecked.
>
> Out of interest, what is the explanation for that?

no one give a fuck?

From none.of at your.biz Fri May 13 23:25:01 2005
From: none.of at your.biz (R. Asby Dragon)
Date: Sat May 14 01:30:04 2005
Subject: [SpamCop-List] Re: comcast "selling" illegal cable descramblers
In-Reply-To: <18p5qu5w31fdi$.dlg@news.spamcop.net>
References: <18p5qu5w31fdi$.dlg@news.spamcop.net>
Message-ID:

N.
Miller wrote: > On Fri, 13 May 2005 11:32:46 -0400, eddie wrote: > > >>Besides being ironic, I wonder if one could use the comcast spew as a >>defense for using such an illegal device. Showing that the spam promoting >>the device came from comcast might be considered that comcast is promoting >>it. You could claim you thought it was a comcast advertisement. >>It's funny, at least to me. > > > I doubt it, but you failed to include a tracker for the spam item that you > think is a Comcast spew. My guess is that a Comcast customer's computer > with a spamming proxy was used to promote a site not hosted by Comcast. > Methinks that was what the OP was implying.... From usenet2 at DE.LETE.THISljvideo.com Sat May 14 06:39:17 2005 From: usenet2 at DE.LETE.THISljvideo.com (Larry J.) Date: Sat May 14 01:40:04 2005 Subject: [SpamCop-List] Re: wierd website resolving to 127.0.0.1! References: Message-ID: Waiving the right to remain silent, Kadaitcha Man said: > Berny, , the gripping, vegetarian lost > soul, and minor, worthless author of usenet posts, noted: > >> tracker: >> >> >677c7b1z>h >> ttp://www.spamcop.net/sc?id=z762673943zf424b2a95bd2ccec629d75ff7 >> 677c7b1z >> >> tracert at home gave the same result for >> www.xlyrl.locationspots.com >> >> I checked with DNS stuff and the nameservice resolves to that, >> >> is that a new way to shut down a website? or a "new" way to >> attack a vulnerable computer? > > Check your fucking hosts file, you dumb cunt. What's this asshole doing here..? In case you don't know, "Kadaitcha Man" is an Aussie who swoops in on various forums and usenet news groups with comments like the one here. -- Larry J. - Remove spamtrap in ALLCAPS to e-mail The United States is the greatest country in the world..! Twenty-five million illegal aliens can't be wrong. From usenet2 at DE.LETE.THISljvideo.com Sat May 14 06:40:48 2005 From: usenet2 at DE.LETE.THISljvideo.com (Larry J.) 
Date: Sat May 14 01:45:02 2005 Subject: [SpamCop-List] Re: like i said References: Message-ID: Waiving the right to remain silent, "sbb78247" said: > Aviatrix wrote: >> Why are you all feeding the troll? > > because they are fucking stupid? > > i think they have a problem with free speach whether they agree > or not. freedom of speach is a given right to every man, woman, > mutant or whatever. if you don't like it, you are cordially > invited to KISS MY ARSE. Aw, go clean up your chicken bones, you little loser. -- Larry J. - Remove spamtrap in ALLCAPS to e-mail The United States is the greatest country in the world..! Twenty-five million illegal aliens can't be wrong. From usenet2 at DE.LETE.THISljvideo.com Sat May 14 06:41:25 2005 From: usenet2 at DE.LETE.THISljvideo.com (Larry J.) Date: Sat May 14 01:45:14 2005 Subject: [SpamCop-List] Re: Grow up References: Message-ID: Waiving the right to remain silent, "Ron B." said: > Replying to their posts and taking them seriously only gives > them new fuel to add to their fire, and sooner or later, you > will find yourself under a barrage of personal attacks and > flames. The only way to deal with trolls is just to ignore them > and to go about your business having fun talking with other > people on Usenet. Forget about the trolls and they will not > bother you again. Aw, this one is particularly fun to slap around... -- Larry J. - Remove spamtrap in ALLCAPS to e-mail The United States is the greatest country in the world..! Twenty-five million illegal aliens can't be wrong. From nospam at fuck-off-and-die.com Sat May 14 12:37:54 2005 From: nospam at fuck-off-and-die.com (Kadaitcha Man) Date: Sat May 14 01:55:02 2005 Subject: [SpamCop-List] Re: wierd website resolving to 127.0.0.1! References: Message-ID: Larry J., , the blasted, thrown and twisted measle, and person who wears tents because no regular clothes will fit, incited: > What's this asshole doing here..? Oh, so that's why you remind me of Cyclops. 
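
Added example, not part of any list post and not SpamCop's code: a Python check that measures the delay at each hop of the Received: chain quoted in the "forged dates fool spamcop?" message above, and compares the Date: header with the time stamped by the first host the reporter controls. The trusted-host set (taken to be the reporter's own MTAs) and the one-hour threshold are assumptions.

```python
"""Per-hop delay check for a Received: chain (added example)."""
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import NamedTuple

# The Received: values and Date: header quoted in the post, unfolded to one
# line each, newest hop first. Stripped addresses ("for ;") are left as posted.
RECEIVED = [
    "by mail.secnap.net (Postfix, from userid 1001) id 3157E2066; "
    "Fri, 13 May 2005 20:38:48 -0400 (EDT)",
    "from 0.mail.spammertrap.net (feci.hackertrap.net [10.80.0.94]) "
    "by mail.secnap.net (Postfix) with ESMTP id F40CB205E for ; "
    "Fri, 13 May 2005 20:38:47 -0400 (EDT)",
    "from localhost (localhost [127.0.0.1]) by 0.mail.spammertrap.net "
    "(Postfix) with ESMTP id B228918F3BE for ; "
    "Fri, 13 May 2005 20:38:47 -0400 (EDT)",
    "from smarthost3.tiscali.dk (smarthost3.tiscali.dk [62.79.79.29]) "
    "by 0.mail.spammertrap.net (Postfix) with ESMTP id 2BF3018F3B7 for ; "
    "Fri, 13 May 2005 20:38:42 -0400 (EDT)",
    "from cpmail.dk.tiscali.com (mail.tiscali.dk [212.54.64.159]) "
    "by smarthost3.tiscali.dk (8.13.1/8.13.1) with ESMTP id j3QCO4WA088728; "
    "Tue, 26 Apr 2005 14:24:04 +0200 (CEST) (envelope-from x)",
    "from [213.255.201.15] by cpmail.dk.tiscali.com with HTTP; "
    "Tue, 26 Apr 2005 06:03:38 +0200",
]
DATE_HEADER = "Tue, 26 Apr 2005 05:03:38 +0100"

# Assumption: these two hosts are the reporter's own MTAs, so only their
# timestamps are trusted; everything below them is sender-controlled text.
TRUSTED = {"mail.secnap.net", "0.mail.spammertrap.net"}


class Hop(NamedTuple):
    by: str          # host that added this Received: line
    when: datetime   # its timestamp, normalised to UTC


class Gap(NamedTuple):
    sender: str
    receiver: str
    delay: timedelta


def parse_hop(value: str) -> Hop:
    """Split one Received: value into the stamping host and its timestamp."""
    body, _, stamp = value.rpartition(";")
    match = re.search(r"\bby\s+([^\s;]+)", body)
    stamp = re.sub(r"\([^)]*\)", "", stamp).strip()  # drop "(EDT)" style comments
    if not match or not stamp:
        raise ValueError(f"unparseable Received value: {value!r}")
    when = parsedate_to_datetime(stamp)
    if when.tzinfo is None:
        raise ValueError(f"timestamp without a usable zone: {stamp!r}")
    return Hop(match.group(1).lower(), when.astimezone(timezone.utc))


def hop_gaps(hops, max_delay=timedelta(hours=1), skew=timedelta(minutes=5)):
    """Gaps longer than max_delay, or running backwards by more than skew."""
    chain = list(reversed(hops))  # oldest hop first
    gaps = []
    for older, newer in zip(chain, chain[1:]):
        delay = newer.when - older.when
        if delay > max_delay or delay < -skew:
            gaps.append(Gap(older.by, newer.by, delay))
    return gaps


def trusted_receipt(hops, trusted):
    """Oldest timestamp in the unbroken run of trusted hosts at the top."""
    border = None
    for hop in hops:  # newest first
        if hop.by not in trusted:
            break
        border = hop
    if border is None:
        raise ValueError("newest hop was not stamped by a trusted host")
    return border.when


def analyse(received=RECEIVED, date_header=DATE_HEADER, trusted=TRUSTED):
    hops = [parse_hop(v) for v in received]
    receipt = trusted_receipt(hops, trusted)
    claimed = parsedate_to_datetime(date_header).astimezone(timezone.utc)
    return {"gaps": hop_gaps(hops), "receipt": receipt,
            "claimed": claimed, "date_vs_receipt": receipt - claimed}


if __name__ == "__main__":
    result = analyse()
    for gap in result["gaps"]:
        print(f"{gap.sender} -> {gap.receiver}: {gap.delay}")
    print("Date: header    ", result["claimed"])
    print("trusted receipt ", result["receipt"])
    print("difference      ", result["date_vs_receipt"])
```

Measuring a message's age from `trusted_receipt()` rather than from the Date: header or from upstream stamps keeps the result independent of anything a sender or an unknown relay wrote into the headers.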
From nobody at nowhere.invalid Sat May 14 12:36:08 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Sat May 14 05:40:27 2005 Subject: [SpamCop-List] Re: What's this mean? References: Message-ID: On Fri, 13 May 2005 15:47:35 -0700, Mike Easter coughed into spamcop and left this in : > Some providers do not want to receive munged reports. One reason for > that is because they look upon the evidence like 'legal' evidence and > don't want it tampered with With above.net that's hardly likely to be the case. above.net is a well-known sewer that more than likely wants to pass full details on to their pet spammers so that they can listwash. "Legal evidence" doesn't come into the equation because the last place above.net wants to be is in a court. http://groups-beta.google.com/group/news.admin.net-abuse.sightings/search?q=above.net&scoring=d -- Steve Computers are like air conditioners They stop working properly when you open Windows From nobody at nowhere.invalid Sat May 14 12:40:33 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Sat May 14 05:45:04 2005 Subject: [SpamCop-List] Re: What's this mean? References: Message-ID: On Fri, 13 May 2005 19:00:18 -0400, John E. Malmberg coughed into spamcop and left this in : > In the case of a the spam source, if it is an open proxy, the network > owner usually has no idea who the spammer is, so they can not pass it > on to a spammer. So if you do not check the box, they will not get a > notification that bandwidth is being stolen from them. If the network's main concern is bandwidth being stolen then they couldn't care less about the spammed e-mail address and there's no justification for them wanting unmunged reports. > Earthlink wants unmunged reports, but Earthlink publicly admits to suing > spammers that spam through their network. And that's why Earthlink is the only network to which I send unmunged reports. 
-- 
Steve

Sign spotted in a Laundromat:
AUTOMATIC WASHING MACHINES: PLEASE REMOVE ALL YOUR CLOTHES WHEN THE LIGHT GOES OUT

From nobody at nowhere.invalid Sat May 14 12:44:15 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Sat May 14 05:45:18 2005
Subject: [SpamCop-List] Re: wierd website resolving to 127.0.0.1!
References:
Message-ID:

On Sat, 14 May 2005 05:39:17 +0000 (UTC), Larry J. coughed into spamcop and left this in in response to a missive from Kadaitcha Troll:

> What's this asshole doing here..?

Being invisible until someone pokes a hole in the killfile :)

-- 
Steve

The average nutritional value of promises is roughly zero.

From bar_n0ne at hotmail.com Sat May 14 14:48:04 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Sat May 14 05:50:03 2005
Subject: [SpamCop-List] Re: What's this mean?
References:
Message-ID:

"Steven Maesslein" wrote in message news:slrnd8bhk8.3f5.nobody@127.0.0.1...
> On Fri, 13 May 2005 15:47:35 -0700, Mike Easter coughed into spamcop and
> left this in :
>
> > Some providers do not want to receive munged reports. One reason for
> > that is because they look upon the evidence like 'legal' evidence and
> > don't want it tampered with
>
> With above.net that's hardly likely to be the case. above.net is a
> well-known sewer that more than likely wants to pass full details on to
> their pet spammers so that they can listwash. "Legal evidence" doesn't
> come into the equation because the last place above.net wants to be is
> in a court.
>
> http://groups-beta.google.com/group/news.admin.net-abuse.sightings/search?q=above.net&scoring=d
>
> --
> Steve
>
> Computers are like air conditioners
> They stop working properly when you open Windows

I see no evidence of listwashing, I do see better and better forgeries of received lines and better evasion of spam scoring systems.
From nobody at devnull.spamcop.net Sat May 14 06:50:28 2005
From: nobody at devnull.spamcop.net (Peter)
Date: Sat May 14 05:55:03 2005
Subject: [SpamCop-List] Re: Grow up
References:
Message-ID:

sbb, if you have all this time to waste why don't you learn how to spell at an English class?
The word is S P E E C H .

"sbb78247" wrote in message news:d653b2.2d0.1@133.256.1.103.MISMATCH...
> Pop wrote:
>> ...
>>>
>>> Please stop feeding this troll.
>> ===> You just added food for the troll by virtue of
>> this post.
>>>
>>> Replying to their posts and taking them seriously
>>> only gives them new
>>> fuel to add to their fire, and sooner or later, you
>>> will find yourself
>>> under a barrage of personal attacks and flames.
>> ===> Is that a threat? Do you REALLY think I'll
>> respond to your threats in the way you want me to?
>>
>> The only way to deal
>>> with trolls is just to ignore them and to go about
>>> your business having
>>> fun talking with other people on Usenet.
>> ===> Check the name of this newsgroup.
>> Forget about the trolls and
>>> they will not bother you again.
>> ===> Oh, I didn't know that! U sure are smart.
>>>
>>> http://www.usenet.com/articles/usenet_trolls.htm ===> Bye, to you,
>>> too.
>
>
> BAAAAAAHAHAHAHHAHAHAHAHA!! what a maroon
>
> if you hate free speach so much, why don't you live in say cuba?
>
>

From nobody at nowhere.invalid Sat May 14 13:54:06 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Sat May 14 06:55:04 2005
Subject: [SpamCop-List] Re: Grow up
References:
Message-ID:

On Sat, 14 May 2005 05:50:28 -0400, Peter coughed into spamcop and left this in :

> sbb, if you have all this time to waste why don't you learn how to spell at
> an English class?
> The word is S P E E C H

Guys'n'gals, please just ignore the troll.

[ASCII art, signed "jgs": a troll standing next to a sign reading "PLEASE DO NOT FEED THE TROLLS - Thank you, Management"]

-- 
Steve

Linux: the choice of a GNU generation
-- ksh @ cis . ufl . edu put this on Tshirts in '93

From nospam at fuck-off-and-die.com Sat May 14 18:21:33 2005
From: nospam at fuck-off-and-die.com (Kadaitcha Man)
Date: Sat May 14 07:40:04 2005
Subject: [SpamCop-List] Re: Grow up
References:
Message-ID:

Peter, , the stigmatic, cast-off ratsbane, and ankle biter, yapped:

> sbb, if you have all this time to waste why don't you learn how to
> spell at an English class?
> The word is S P E E C H

Now, see? You too are an anti-free speech nazi. If you truly believed in free speech, you would not have spell lamed, you fucktard cunt.

From MikeE at ster.invalid Sat May 14 07:42:27 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sat May 14 09:45:02 2005
Subject: [SpamCop-List] Re: Grow up
References:
Message-ID:

Steven Maesslein wrote:

> Guys'n'gals, please just ignore the troll.

People who don't ignore trolls cause more trouble than the trolls. When things get bad, I just kf all the people who respond to them.

-- 
Mike Easter
kibitzer, not SC admin

From spamcop-news.5.rafael at spamgourmet.com Sat May 14 17:18:17 2005
From: spamcop-news.5.rafael at spamgourmet.com (rafael)
Date: Sat May 14 10:20:08 2005
Subject: [SpamCop-List] p***.dip.t-dialin.net abuse contact
Message-ID:

Spamcop always comes up with abuse -at- t-ipnet.de (Deutsche Telekom) as abuse contact for dip.t-dialin.net. From my understanding, t-ipnet.de is associated with the upstream provider for the actual German ISP T-Online.de.

t-ipnet.de always replies to reports with the remark that the message has been forwarded to the T-Online abuse desk and that you can see for yourself from the IP that it belongs to T-Online.
Wouldn't it be better to have the reports sent to T-Online directly?

Rafael

Example: http://www.spamcop.net/sc?id=z763418515zeb8295e6bee98b982a0eabb106f323ffz

From MikeE at ster.invalid Sat May 14 09:02:02 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sat May 14 11:00:06 2005
Subject: [SpamCop-List] Re: p***.dip.t-dialin.net abuse contact
References:
Message-ID:

rafael wrote:

> Example: www.spamcop.net/sc?id=z763418515zeb8295e6bee98b982a0eabb106f323ffz

Source: 84.179.243.136
rDNS p54B3F388.dip.t-dialin.net

inetnum: 84.136.0.0 - 84.191.255.255
descr: Deutsche Telekom AG
admin-c: DTIP = ripe.dtip@telekom.de
tech-c: DTST = abuse@t-ipnet.de

> Spamcop always comes up with abuse -at- t-ipnet.de (Deutsche Telekom)
> as abuse contact for dip.t-dialin.net. From my understanding,
> t-ipnet.de is associated with the upstream provider for the actual
> German ISP T-Online.de.

SC is going to derive its notify from the admin/tech or the abuse.net lookup on the admintech domainname.

> t-ipnet.de always replies to reports with the remark that the message
> has been forwarded to the T-Online abuse desk and that you can see
> for yourself from the IP that it belongs to T-Online.

.. and, in fact, if you use abuse.net's reg'd on the rDNS of the IP you get

whois -h whois.abuse.net p54b3f388.dip.t-dialin.net
...
abuse@t-dialin.net (for t-dialin.net)

> Wouldn't it be better to have the reports sent to T-Online directly?

If you mean abuse@t-online.de or even -- you would have to argue that point in routing.

The way routing handles an issue in which the advice is to notify differently because there is 'something wrong with' the formulaic notify mechanism is to take some netblock and notify for it differently.

Exactly which netblock are you suggesting be notified differently? That is, your argument can't be that 'if an IP rDNSes to t-dialin.net then SC should notify abuse@t-online.de' - because that isn't how the algorithm works.

The algorithm takes the IP to the appropriate RIR, in this case ripe, and determines the contacts. If there is going to be a special routing entered into the routing db, it would have to be based on some 'family' of IPs. I don't see the family of IPs you would have in mind about the dialin; but if you come up with some subset of Deutsche Telekom or if you believe that entire /10 above 84.136.0.0 - 84.191.255.255 should be notified as t-online then you would argue it in the routing ng.

I don't know that there is very much wrong with letting abuse desks route certain issues to 'their' preferred desks. If they feel something is a very separate entity, they can always change the way they have it structured in ripe.

-- 
Mike Easter
kibitzer, not SC admin

From sbb78247 at stilldon'tfuckincare.invalid Sat May 14 12:12:26 2005
From: sbb78247 at stilldon'tfuckincare.invalid (sbb78247)
Date: Sat May 14 12:15:06 2005
Subject: [SpamCop-List] Re: Grow up
References:
Message-ID:

Larry J. wrote:
> Waiving the right to remain silent, "Ron B."
> said:
>
>> Replying to their posts and taking them seriously only gives
>> them new fuel to add to their fire, and sooner or later, you
>> will find yourself under a barrage of personal attacks and
>> flames. The only way to deal with trolls is just to ignore them
>> and to go about your business having fun talking with other
>> people on Usenet. Forget about the trolls and they will not
>> bother you again.
>
> Aw, this one is particularly fun to slap around...

is that what you say to your willy while you are wanking?

From kjz at despammed.com Sat May 14 22:19:11 2005
From: kjz at despammed.com (Karl-Josef Ziegler)
Date: Sat May 14 15:20:19 2005
Subject: [SpamCop-List] Re: p***.dip.t-dialin.net abuse contact
In-Reply-To:
References:
Message-ID:

rafael wrote:

> Spamcop always comes up with abuse -at- t-ipnet.de (Deutsche Telekom) as
> abuse contact for dip.t-dialin.net. From my understanding, t-ipnet.de is
> associated with the upstream provider for the actual German ISP T-Online.de.

Yes, this should be better. It's all the German Telekom, but T-Ipnet normally are IPs given from an IP-pool to different resellers; dip... (Dial In Pool) are the IPs used as a pool for T-Online, a daughter company of Telekom. And the latter has the abuse desk at abuse (at) t-online.de. abuse (at) t-ipnet.de is another abuse desk which will forward the mails to abuse (at) t-online.de but this will introduce a delay of a few days.

And yes, the Ripe records of Telekom are not always correct and no, they will not change it because of Spamcop.

- kjz

From nobody at devnull.spamcop.net Sat May 14 22:46:33 2005
From: nobody at devnull.spamcop.net (Fernando)
Date: Sat May 14 17:50:06 2005
Subject: [SpamCop-List] "Cannot resolve http://www.promovendas.org"
Message-ID:

Just faced this issue and that's occurring with other (major) spamvertized sites coming from Brazil.

Resolving link obfuscation
http://www.promovendas.org
host www.promovendas.org (checking ip) ip not found ; www.promovendas.org discarded as fake.
Tracking link: http://www.promovendas.org
[report history]
Cannot resolve http://www.promovendas.org

By the time of this report, the above site is alive and well, doing what it does best, selling crap goods.

www.promovendas.org is 200.223.52.21 and contacts are:

-(1)- abuse@telemar.net.br (sadly)
-(2)- hostmaster@dialserver.com (probably spam friendly host)

Sincerely,
Fernando.
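
Added example, not SpamCop's code and not from any list post: the notify rule described in the "p***.dip.t-dialin.net abuse contact" thread above (contact taken from the RIR record, special routing only for a family of IPs), sketched in Python. The `AbuseRouter` class, the override entries and the `abuse@example.invalid` address are hypothetical; the inetnum, the sample IP and the two Telekom addresses are the ones quoted in the thread.

```python
"""Abuse-contact lookup: RIR contact with netblock overrides (added example)."""
import ipaddress


class AbuseRouter:
    """Registry contacts per inetnum range, with hand-entered overrides on top."""

    def __init__(self):
        self._registry = []   # (network, contact) derived from RIR inetnum objects
        self._overrides = []  # (network, contact) special routing entries

    def add_inetnum(self, first, last, contact):
        """Record an RIR range. A range is not always one CIDR block, so it
        is split into the minimal list of networks that covers it exactly."""
        nets = list(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
        self._registry.extend((net, contact) for net in nets)
        return nets

    def add_override(self, cidr, contact):
        """Special routing is keyed on a netblock, never on an rDNS suffix.
        ip_network() rejects a block with host bits set (ValueError)."""
        self._overrides.append((ipaddress.ip_network(cidr), contact))

    @staticmethod
    def _longest_match(table, addr):
        hits = [(net, contact) for net, contact in table if addr in net]
        return max(hits, key=lambda hit: hit[0].prefixlen, default=None)

    def lookup(self, ip):
        """Return (contact, reason); the most specific override wins,
        otherwise the registry contact for the covering range is used."""
        addr = ipaddress.ip_address(ip)
        hit = self._longest_match(self._overrides, addr)
        if hit:
            return hit[1], f"override {hit[0]}"
        hit = self._longest_match(self._registry, addr)
        if hit:
            return hit[1], f"registry {hit[0]}"
        return None, "no registry data"


def demo():
    router = AbuseRouter()
    # RIPE record from the thread: tech-c contact for the whole inetnum.
    nets = router.add_inetnum("84.136.0.0", "84.191.255.255", "abuse@t-ipnet.de")
    results = {"cidrs": [str(n) for n in nets],
               "default": router.lookup("84.179.243.136")}
    # Hypothetical special routing: the whole range notified as T-Online.
    for net in nets:
        router.add_override(str(net), "abuse@t-online.de")
    results["whole_range"] = router.lookup("84.179.243.136")
    # Hypothetical narrower family of IPs routed somewhere else again.
    router.add_override("84.179.243.0/24", "abuse@example.invalid")
    results["narrow"] = router.lookup("84.179.243.136")
    results["outside"] = router.lookup("84.192.0.1")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:12} {value}")
```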
From MikeE at ster.invalid Sat May 14 16:54:01 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sat May 14 18:55:04 2005
Subject: [SpamCop-List] Re: "Cannot resolve http://www.promovendas.org"
References:
Message-ID:

Fernando wrote:

> Cannot resolve http://www.promovendas.org

I don't know if you have any interest in researching some of these issues, but I think they are educational; and one of the main reasons I started messing around with the hobby or sport of spamfighting was for its educational value.

First, there's the issue of 'watching' SC try to resolve that. If you put the naked url into the parser, you can see SC sit there and work on something for quite a number of seconds. That tells you something about what is going on in the background..

Then, if you want, you can resolve it yourself, and depending upon what kind of tool you are using, you get certain information. For example, my simple tool tells me that it doesn't have a 'straight' A address, but instead it has a CNAME which has an A address.

05/14/05 15:34:14 dns www.promovendas.org
Mail for www.promovendas.org is handled by smtp.promovendas.org mail.promovendas.org
Canonical name: promovendas.org
Aliases: www.promovendas.org
Addresses: 200.223.52.21

But then, things start getting much more informative when you use the better tools at DNS stuff. The two I like for this kinda stuff are the dns timing and the dns report -- because they show me all kinds of pieces and parts to the information.

Here's the dns timing:

http://www.dnsstuff.com/tools/dnstime.ch?name=www.promovendas.org&type=A

I don't want to paste in everything that is available there, and the tables are a little trouble too

Time to look up www.promovendas.org A record

Looking up at ns4.pontonews.net.... [Had to look up A record for ns4.pontonews.net; assume +200ms]...Reports 2 A record(s). 445ms.
Looking up at ns3.pontonews.net.... [Had to look up A record for ns3.pontonews.net; assume +200ms]...Reports 2 A record(s). 6060ms.

Average of all 2 nameservers: 3252ms (plus 297ms overhead).

Score: F

Took off 3 points for ".org" TLD (extra lookups may be required to find the parent servers).
Took off 8 points for having no glue at a parent server [adds 2 extra packets to lookup].
Took off 6 points for having no glue for ns4.pontonews.net [adds 2 extra packets to lookup].
Took off 2 points since ns4.pontonews.net allows recursive lookups (if lots of people are using the server, it can slow down).
Took off 6 points for having no glue for ns3.pontonews.net [adds 2 extra packets to lookup].
Took off 2 points since ns3.pontonews.net allows recursive lookups (if lots of people are using the server, it can slow down).
Took off 3 points for having a CNAME (www.promovendas.org is really promovendas.org., which could potentially cause extra lookups).
Took off 25 points for >700ms average response time.

That timing is a 'reflection' or a different point of view of the kind of information you can get at the dnsreport which is similarly affected by the problems with the nameservice

http://www.dnsreport.com/tools/dnsreport.ch?domain=www.promovendas.org

DNS Report for promovendas.org

Which is especially 'good' [ie interesting/bad] in the nameserver section

FAIL Missing (stealth) nameservers
FAIL: You have one or more missing (stealth) nameservers. The following nameserver(s) are listed (at your nameservers) as nameservers for your domain, but are not listed at the the parent nameservers (therefore, they may or may not get used, depending on whether your DNS servers return them in the authority section for other requests, per RFC2181 5.4.1). You need to make sure that these stealth nameservers are working; if they are not responding, you may have serious problems! The DNS Report will not query these servers, so you need to be very careful that they are working roperly.
-- ns2.dialserver.com.br.
-- ns1.dialserver.com.br.
-- This is listed as an ERROR because there are some cases where nasty problems can occur (if the TTLs vary from the NS records at the root servers and the NS records point to your own domain, for example).

And there's some more about problems with the stealths

FAIL Stealth NS record leakage
Your DNS servers leak stealth information in non-NS requests:
Stealth nameservers are leaked [ns1.dialserver.com.br.]!
Stealth nameservers are leaked [ns2.dialserver.com.br.]!
This can cause some serious problems (especially if there is a TTL discrepancy). If you must have stealth NS records (NS records listed at the authoritative DNS servers, but not the parent DNS servers), you should make sure that your DNS server does not leak the stealth NS records in response to other queries.

So, you can see that the nameservice for that url is a mess. Whether or not it intentionally blocks spamcop or if it is just too overall pokey can't be determined from our observations.

-- 
Mike Easter
kibitzer, not SC admin

From hans at salvisberg.invalid Sun May 15 04:39:30 2005
From: hans at salvisberg.invalid (Hans Salvisberg)
Date: Sat May 14 21:30:11 2005
Subject: [SpamCop-List] Re: secure pop?
In-Reply-To:
References:
Message-ID:

Ilgaz wrote:
> On 2005-05-10 19:38:02 +0300, Hans Salvisberg
> said:
>> Can you quick-report and/or queue for reporting from a Held Email IMAP
>> folder?
>
> There is this page: (sign in)
> http://mailsc.spamcop.net/
>
> You will see "held mail" tab. I guess its fine for you.

Yes, I'm using that for my primary account. In fact, I have it open in a tab in Firefox at all times.

However, I also manage a second SC account (for a non-profit organization). I don't know if I could have two browser tabs open, logged into two different accounts at the same time, but I don't really want to anyway, because the second account only gets one or two pieces of spam per day, so it's not worth it.
Here's where IMAP comes in: that second account is set to forward to a different domain (where a non-tech person takes care of the legitimate messages), so the Inbox is always empty, but I can use IMAP to check the Held Mail folder.

My task is to occasionally check the Held Mail folder and make sure that no false positives are trapped. If I feel the urge, I also report the spam, if it's not too old yet.

Checking the Held Mail is very efficient with IMAP and Thunderbird: just click the folder and TB will log in and show what's there. However, I haven't found a way to do any of the operations that http://mailsc.spamcop.net/ offers, except for Delete.

> ps: A good IMAP client can also move the (spam) messages to held mail
> from your inbox without touching anything in message but I am not sure
> how efficient it is compared to web based marking from your inbox in
> webmail or equal.

Interesting! I tried doing it the other way: I dragged a (false positive) message from Held Mail to the Inbox, but it stays there instead of being forwarded.

For anything but Delete I have to log in manually, which is a pain...

Hans

From none.of at your.biz Sat May 14 20:27:06 2005
From: none.of at your.biz (R. Asby Dragon)
Date: Sat May 14 22:30:04 2005
Subject: [SpamCop-List] Re: "Cannot resolve http://www.promovendas.org"
In-Reply-To:
References:
Message-ID:

Mike Easter wrote:
> Fernando wrote:
>
>>Cannot resolve http://www.promovendas.org
>
> So, you can see that the nameservice for that url is a mess.
> Whether or not it intentionally blocks spamcop or if it is just too
> overall pokey can't be determined from our observations.

I suspect the "slow/broken" DNS is primarily intended to defeat SC and possibly other spamtools; either "reporting" or blocking by lookups on message body URLs.

That doesn't stop anyone with *other* tools (SSW; DNSSTUFF; et al) from finding the real stuff. They are hoping that the "average Joe" SpamCop user will take it as "just shit that happens" and move on.

However: there's a balance point on slow DNS-- most folks won't wait 30 seconds for a page to "look like it's loading" and move on. They will think that the link is dead. How many people *really* watch the lower "status" bar of their browser to see the steps in retrieving a webpage??

A good example: http://www.hitsforyoursite.com/ (the latest "frontend" site for SPACEISP.COM)

That one took over 2 minutes to resolve this AM; on a reasonable DSL hookup.

Overall there's so much of this crap going on that I've been adding a line for spamvertised sites in the message body; a complete duplicate (including appropriate HTML tags if needed). I substitute the IP address for the domain in this line and say so in the notes.

I realize that this isn't what's "supposed to be"; but I figure that it's still a valid report going to the right place. I do check my "substitute line" to see that it goes to the same place.

(I'm also doing the same on blatant redirects like Amateurmatch ..)

From edb2000 at spamcop.net Sat May 14 23:11:45 2005
From: edb2000 at spamcop.net (Don Wannit)
Date: Sun May 15 01:15:04 2005
Subject: [SpamCop-List] Deputies: SC clock might need resetting
Message-ID:

or as they say, "Clock Police!"

Reports I just submitted seconds ago are showing up in the Past Reports history of recent reports with a datetime of roughly 25 minutes earlier than I submitted them.

Seems like SC might have improved on the slow processing time some users have complained about recently. But this is certainly unexpectedly prompt!

-- 
Don Wannit
A paid SpamCop user since 1999

From agent01413 at my-deja.com Sun May 15 06:38:54 2005
From: agent01413 at my-deja.com (Socks the Whitehouse Cat)
Date: Sun May 15 01:40:03 2005
Subject: [SpamCop-List] Re: Grow up
References:
Message-ID:

"sbb78247" wrote in news:d653b2.2d0.1@133.256.1.103.MISMATCH:

>
> BAAAAAAHAHAHAHHAHAHAHAHA!! what a maroon
>
> if you hate free speach so much, why don't you live in say cuba?
PLONK -- See NANAE kooks, including Barbara Schwarz: http://www.morningmist.org/nanae/kookfaq.html From nobody at devnull.spamcop.net Sun May 15 14:40:01 2005 From: nobody at devnull.spamcop.net (Fernando) Date: Sun May 15 09:40:43 2005 Subject: [SpamCop-List] Re: "Cannot resolve http://www.promovendas.org" References: Message-ID: "R. Asby Dragon" wrote: >I suspect the "slow/broken" DNS is primarily intended to defeat SC and >possibly other spamtools; either "reporting" or blocking by lookups on >message body URLs. Me too. www.promovendas.org is a seasoned low-life person as well as www.super.vendas.nom.br which I'm pretty sure is the same criminal coming from a different route. Again, SpamCop failed to find a decent address to report (just reported): www.super.vendas.nom.br, best report contact is abuse@comdominio.com.br not a mere statistical address as "mail-abuse@nic.br". Wake up people, SpamCop is losing ground! We should get more involved in manually (trying) to trace these spam gang connections and offer higher quality reports, quick! Sincerely, Fernando. From nospam at fuck-off-and-die.com Sun May 15 20:36:03 2005 From: nospam at fuck-off-and-die.com (Kadaitcha Man) Date: Sun May 15 09:55:07 2005 Subject: [SpamCop-List] Re: "Cannot resolve http://www.promovendas.org" References: