From g.hyde at bigpond.net.au Sat Oct 1 13:54:52 2005
From: g.hyde at bigpond.net.au (Geoffrey Hyde)
Date: Fri Sep 30 22:55:03 2005
Subject: [SpamCop-List] Re: What the blazes happened here?
References:
Message-ID:

"Mike Easter" wrote in message news:dhjd8h$r7c$1@news.spamcop.net...
> Geoffrey Hyde wrote:
>
> www.spamcop.net/sc?id=z810628202zaf678942fb9d8fe752b4526c0b4f9903z
>
>> This is apparently some *very weird* and not-funny bounce message (I
>> considered it for a bit, and reported it as spam - if their
>> mailserver's broken or compromised, they better goddamn well fix it
>> fast!! - from a news posting I sent to LUGNET news server.
>
> I wouldn't have reported it as spam. It is some kind of problem with a
> mailing list item. The normal SC mungeing interferes a little bit with
> trying to interpret it..

If you want an unmunged email to analyze, please email me, as my address is not intentionally hidden, I handle spams on a case-by-case basis as I get them.

I'm not posting using a mailing list, I'm posting using a NNTP server, which, as far as I know, is supposed to be a direct connection to the lugnet news server in question, therefore unless someone else received it through an unlikely echo off some compromised server, it's what I consider to be spam. The LUGNET mailserver is not supposed to send me anything back except an authorisation message, which I click a link in to take me to the post authorisation screen.

>> The posting attached is mine, yes, but I don't know what the hell it
>> is they're playing with as far as the bounce message goes. And FWIW,
>> it succeeded in being posted so LUGNET received it okay, don't know
>> why this mailserver bounced it back.
>
> You email the LUG and the lug remails your item. Then, when someone on
> the list has a mail problem, ideally the problem would go back to the
> lug. But instead, you got the bounce.

I don't know how a posting I made got onto a mailing list when I was supposed to have connected to a news server. News servers, in my experience, do not normally regurgitate posts to other people's mailservers or news clients, therefore the treatment of this bounce message as spam. I do know that some people use "news-by-mail" however that is not what I use, and if this has caused me to be an unlucky recipient of someone else's email, it's still spam IMHO.

>> If a SC admin (or deputy) has valid reason to believe this is not spam
>> please fill me in on as to why, and perhaps I'll consider having it
>> cancelled. Until then it sounds like a duck, walks like a duck,
>> looks like a duck (IE is spam) and will remain reported until I find
>> reason to believe otherwise.
>
> You can't actually cancel a report. The ntc.net.pk server 202.83.174.53
> was reported as a spamsource. It is not currently listed in the SCbl
> and so it doesn't currently have a SC 'problem' from your report or
> others which might have occurred because of a misdirected bounce..

I'm glad, because time and repeated spam emails it's sending out will tell what happened here. If indeed it's not a spamsource, then great, they fixed the problem with the bounce to me. And that's fine.

> The LUG tried to send your listitem to 664@nu.edu.pk and mail for
> nu.edu.pk is handled by mail3.nu.edu.pk and lhr.nu.edu.pk - The headers
> for the LUG mail minus some addresses due to SC mungeing can be seen at
> your tracker.

What you mean is the LUGNET news server picked this item up, and mailed it out on someone else's mailing list address, and somehow, by doing so, enabled me to get spammed by it. It's never happened to me before, and I don't know why it should suddenly start now, I have no valid reason that this message is sent to me, therefore I still consider what I got as spam.

> If you/I engage the nu.edu.pk server in an smtp transaction it will
> appear to accept mail addressed to 644 and it also appears to accept
> mail addressed to a bogus username. Then after actually accepting that
> mail, if it can't handle it, it is forcing itself to have to point its
> bounce at something in the headers of the LUG mailer.

"It's spam, but not as we know it, Jim"

If it's going to bounce mail anywhere I fail to see why it should bounce it to me, I'm not (a) a LUGNET Admin, (b) an intended recipient, nor am I (c) a person in charge of the server who can fix this sort of problem. Therefore, I repeat, it IS TO ME, a SPAM email. And it will remain so.

> Those headers say that you are the From and that the Sender is the LUG
> and that the Reply-To is yours.
>
> Naturally it would have been better if the DSN went to the LUG and not
> each of the members of the list. Suboptimal handling of mailing list
> items which bounce is very problematic.

So I'd have to email someone at LUGNET who deals with this kind of problem? Sheesh! I wish they would get this "suboptimal" problem fixed up ASAP.

> Your report will result in Amir Hanif in Islamabad getting the SC report
> because he is the admin contact for National Telecom Corporation listed
> in apnic for ntc.net.pk which is the netblock over the mail in and out
> for nu.edu.pk which is National University of Computer & Engineering in
> Lahore.

Well, perhaps he will be able to explain things a bit better. As to the rest of your posts, I can't see what you're talking about very clearly. But it's plain the admins running the mailing list need to get better control over where it bounces messages to. Otherwise they're going to wind up having random people reported for having other people spammed, including myself.

--
Cheers ...
Geoffrey Hyde

From nobody at spamcop.net Sat Oct 1 04:36:08 2005
From: nobody at spamcop.net (Claudio Valderrama C.)
Date: Sat Oct 1 03:35:07 2005
Subject: [SpamCop-List] savvis.net
Message-ID:

Hello, does anyone know if savvis.net is trustable?
I ask this because abuse at savvis.net refuses munged reports but I don't
have knowledge whether they allow spammers to listwash or simply are too
inflexible.
Thanks.

C.
--
Claudio Valderrama C.
SW developer, consultant.
http://www.cvalde.net - http://www.firebirdsql.org

From DougThegarden at invalid.com Sat Oct 1 10:01:40 2005
From: DougThegarden at invalid.com (Doug Thegarden)
Date: Sat Oct 1 04:05:02 2005
Subject: [SpamCop-List] Spammer's self appraisal
Message-ID:

At the bottom of today's mortgage spam was the most honest self-appraisal yet:

"If you prefer to be left out of this superfluous offer go here."

Doug ;-)

From porpoise1954 at yahoo.co.uk Sat Oct 1 10:38:31 2005
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Sat Oct 1 04:41:05 2005
Subject: [SpamCop-List] Re: savvis.net
References:
Message-ID:

"Claudio Valderrama C." wrote in message news:dhle3c$1jd$1@news.spamcop.net...
> Hello, does anyone know if savvis.net is trustable?
> I ask this because abuse at savvis.net refuses munged reports but I don't
> have knowledge whether they allow spammers to listwash or simply are too
> inflexible.
> Thanks.

Look here:
http://news.bbc.co.uk/1/hi/technology/3634572.stm

From nobody at nowhere.invalid Sat Oct 1 12:24:06 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Sat Oct 1 05:25:40 2005
Subject: [SpamCop-List] Re: savvis.net
References:
Message-ID:

On Sat, 1 Oct 2005 03:36:08 -0400, Claudio Valderrama C. coughed into spamcop and left this in :

> Hello, does anyone know if savvis.net is trustable?

Not by a long chalk. This is a mirror of a site put up by a former employee of savvis. The original domain was later "stolen" by savvis via udrp.

http://www.spamblocked.com/mirrors/www.savvis.info/
http://groups.google.com/group/news.admin.net-abuse.email/msg/870b3d7128442015?dmode=source

In a nutshell, leaked memos made it clear that savvis knew full well that their network was a spam sewer, that they were profiting from spammers because they pay high bandwidth costs, and that official policy was to boot just enough of the small-time spammers to drop off the SpamHaus.org top 10 list. Yechhhh!

Also look here: http://tinyurl.com/95p43 (expands to a search on NANAS).

--
Steve
unix soit qui mal y pense

From redford_stone at INVERSE_OF_COLDmail.com Sat Oct 1 11:12:05 2005
From: redford_stone at INVERSE_OF_COLDmail.com (Redstone)
Date: Sat Oct 1 06:15:03 2005
Subject: [SpamCop-List] Re: Pump & Dump--why?
References: <290920050916518028%news@REMOVECAPSalanharper.com> <433C27AD.AE65876@spamcop.net> <433D42A8.9C5FB150@spamcop.net>
Message-ID:

Kenneth Brody wrote in news:433D42A8.9C5FB150@spamcop.net:

>
> Perhaps it's a combination of both things I listed? Choice "A" leaves
> the pumpers stuck with worthless paper, leading to choice (B).
>

According to Indigo, it appears to be more towards option B. Still, it's quite a waste of resources to get people to actually go out and do the actual purchase (and not many would care for it if it can't be bought online.)

From redford_stone at INVERSE_OF_COLDmail.com Sat Oct 1 11:14:55 2005
From: redford_stone at INVERSE_OF_COLDmail.com (Redstone)
Date: Sat Oct 1 06:15:06 2005
Subject: [SpamCop-List] Re: Pump & Dump--why?
References: <290920050916518028%news@REMOVECAPSalanharper.com> <433C27AD.AE65876@spamcop.net>
Message-ID:

"indigo" wrote in news:dhk4pj$a45$1@news.spamcop.net:

>
> I'm not sure how effective P&D's ever were -- they mostly pump penny
> stocks (OTCBB or pink sheet stocks) which are not terribly easy to
> purchase, especially online. Anyone smart enough to know how to do it
> isn't likely to fall for the spam pumps IMO.
> The paid pumpers and
> bashers on the Yahoo Finance message boards are much more effective
> IRL.
>
>

I think that early (several years ago) it was more practical since not that many people were doing stock purchases online. But as you state, if this is indeed as difficult to get online, it won't be terribly effective. (Profits would be quite marginal.)

The attempt through spam is almost sure to just get their trojaned hosts BLed for nothing.

From redford_stone at INVERSE_OF_COLDmail.com Sat Oct 1 12:06:19 2005
From: redford_stone at INVERSE_OF_COLDmail.com (Redstone)
Date: Sat Oct 1 07:10:25 2005
Subject: [SpamCop-List] Re: savvis.net
References:
Message-ID:

"Porpoise" wrote in news:dhlhui$53j$1@news.spamcop.net:

>
> "Claudio Valderrama C." wrote in message
> news:dhle3c$1jd$1@news.spamcop.net...
>> Hello, does anyone know if savvis.net is trustable?
>> I ask this because abuse at savvis.net refuses munged reports but I
>> don't have knowledge whether they allow spammers to listwash or
>> simply are too inflexible.
>> Thanks.
>
> Look here:
> http://news.bbc.co.uk/1/hi/technology/3634572.stm
>
>

"As rumours about Savvis and the spammers grew on the internet, executives discussed different ways of keeping the customers and whether they could hide them by changing their names or their computer IP addresses."

And why they ended up on the SPEWS sh!t list.

"One of the Vice Presidents told me, 'Take no action against any Cable & wireless customer - they are profitable and they are off limits.'"

Meaning the CEOs KNEW what they were doing. They KNEW these spammers were trouble. They KNEW that their "customers" were dubious in nature. But profits came before common sense and had some megalomaniacal misconception that they were just "too big" to be blacklisted.

"Savvis itself says the company is firmly anti-spam, and Rob McCormick, the Chief Executive Officer, told the BBC that Savvis does have an excellent reputation for being anti-spam."

Rule 1.

"He disputed the figure of $2 million a month revenue from the spammers, and said the actual figure is only a tenth of that amount."

$200,000 per month? Hardly "profitable".. considering there was an active campaign to bring spammers on board to their network. Again, looks like Rule 1.

"Mr McCormick said the problem stemmed entirely from the spammers they inherited from C&W. 'The previous owner of that company allowed something to exist for a long period of time, and people are expecting that a few months after the acquisition of a bankrupt company it's suddenly our fault.'"

When a company like Cable & Witless goes bankrupt, you have to ask why.. especially if one is going to purchase their assets. So C&W just happened to leave out their spammer infestation on their disclosure? Rule 1.

"'Savvis does not believe illegal spamming is good....". As opposed to what? Legal spamming? WTF??

Savvis still blackhat, IMO..

From redford_stone at INVERSE_OF_COLDmail.com Sat Oct 1 12:09:59 2005
From: redford_stone at INVERSE_OF_COLDmail.com (Redstone)
Date: Sat Oct 1 07:10:39 2005
Subject: [SpamCop-List] Re: www.Blackholes.US
References:
Message-ID:

"St - Musaic.Net" wrote in news:mailman.88.1128101008.169.spamcop-list@news.spamcop.net:

>
> Message from http://www.blackholes.us:
> "Disk crashed. Wierd things happened. Back online very soon now..."
>
> Ok...
>

Glad to hear they are not out-of-business for good. (Almost what happened to OpenRBL.)

From redford_stone at INVERSE_OF_COLDmail.com Sat Oct 1 12:13:27 2005
From: redford_stone at INVERSE_OF_COLDmail.com (Redstone)
Date: Sat Oct 1 07:15:04 2005
Subject: [SpamCop-List] Re: Pump & Dump--why?
References: <290920050916518028%news@REMOVECAPSalanharper.com>
Message-ID:

"Bill Beyer" wrote in news:dhjosn$34l$1@news.spamcop.net:

>
> The majority of pump & dump I've taken the time to actually read
> lately has a disclaimer that states that the company has been paid x
> amount of dollars, not shares in the pumped stock.
> Now I know spammers
> lie but if they're getting paid in cash instead of shares of stock
> then I don't think they care what the stock does. All it takes is a
> good sales pitch to get someone to believe that the price of the stock
> can be materially changed by a spam campaign and then the spammers go
> to work. Technically I guess this wouldn't be classified as a pump &
> dump but they all get reported regardless.
>
>

Why should spammers pay if they could steal instead? Rule 1.

From bar_n0ne at hotmail.com Sat Oct 1 16:13:54 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Sat Oct 1 07:15:06 2005
Subject: [SpamCop-List] Re: savvis.net
References:
Message-ID:

"Redstone" wrote in message news:Xns96E229C6A69CFtinlc@216.154.195.61...
> "Porpoise" wrote in
> news:dhlhui$53j$1@news.spamcop.net:
>
> >
> > "Claudio Valderrama C." wrote in message
> > news:dhle3c$1jd$1@news.spamcop.net...
> >> Hello, does anyone know if savvis.net is trustable?
> >> I ask this because abuse at savvis.net refuses munged reports but I
> >> don't have knowledge whether they allow spammers to listwash or
> >> simply are too inflexible.
> >> Thanks.

Well, I hate to admit it but I no longer have a problem with being listwashed, I wish more spammers would do it. That being said, it is only a personal wish to reduce my spam. As far as I am concerned a listwashing spammer is a spammer, and needs to be stopped. My recent experience, though, is that spammers don't listwash, even the ones at spammis.

From Kilgallen at SpamCop.net Sat Oct 1 07:18:28 2005
From: Kilgallen at SpamCop.net (Larry Kilgallen)
Date: Sat Oct 1 07:20:03 2005
Subject: [SpamCop-List] Re: savvis.net
References:
Message-ID:

In article , Redstone writes:

> When a company like Cable & Witless goes bankrupt, you have to ask why..
> especially if one is going to purchase their assets.

When all you SpamCop readers purchase the assets of a firm, keep in mind you are also purchasing the liabilities (reputation).

From Kilgallen at SpamCop.net Sat Oct 1 07:20:17 2005
From: Kilgallen at SpamCop.net (Larry Kilgallen)
Date: Sat Oct 1 07:25:04 2005
Subject: [SpamCop-List] Re: www.Blackholes.US
References:
Message-ID:

In article , Redstone writes:

> Glad to hear they are not out-of-business for good. (Almost what happened
> to OpenRBL.)

Can you say exactly what _did_ happen to OpenRBL behind the scenes ?

From redford_stone at INVERSE_OF_COLDmail.com Sat Oct 1 12:22:06 2005
From: redford_stone at INVERSE_OF_COLDmail.com (Redstone)
Date: Sat Oct 1 07:25:06 2005
Subject: [SpamCop-List] Question for everyone about SBC/Pacbell
Message-ID:

Quick question to everyone out there..

Is anyone still receiving trojaned open-proxy spam originating from SBC/Pacbell DSL IP space?

The reason I ask is that a week ago I received an email from SBC (my ISP) stating that "port 25" blocking will be enforced as means of curtailing spam from their network. And it has been a while since I received any spam coming out of SBC/Pacbell DSL space.

From redford_stone at INVERSE_OF_COLDmail.com Sat Oct 1 12:33:04 2005
From: redford_stone at INVERSE_OF_COLDmail.com (Redstone)
Date: Sat Oct 1 07:35:03 2005
Subject: [SpamCop-List] Re: www.Blackholes.US
References:
Message-ID:

Kilgallen@SpamCop.net (Larry Kilgallen) wrote in news:EwNmG3lVCxhY@eisner.encompasserve.org:

> In article , Redstone
> writes:
>
>> Glad to hear they are not out-of-business for good. (Almost what
>> happened to OpenRBL.)
>
> Can you say exactly what _did_ happen to OpenRBL behind the scenes ?
>

I can only state what I heard from what I read here and on NANAE.. Something about it simply crashing and the owner not wanting to go through the effort (difficulty) of bringing it back online again. (Seems like he had it on "automatic" for all this time.. quite a feat.)

From porpoise1954 at yahoo.co.uk Sat Oct 1 14:23:15 2005
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Sat Oct 1 08:25:03 2005
Subject: [SpamCop-List] Re: Pump & Dump--why?
References: <290920050916518028%news@REMOVECAPSalanharper.com> <433C27AD.AE65876@spamcop.net>
Message-ID:

"Redstone" wrote in message news:Xns96E221102E9D6tinlc@216.154.195.61...
>
> The attempt through spam is almost sure to just get their trojaned hosts
> BLed for nothing.
>

Yeah! Make 'em BLeed........... [;-)>

From g.hyde at bigpond.net.au Sun Oct 2 00:12:42 2005
From: g.hyde at bigpond.net.au (Geoffrey Hyde)
Date: Sat Oct 1 09:15:03 2005
Subject: [SpamCop-List] Re: What the blazes happened here?
References:
Message-ID:

"Mike Easter" wrote in message news:dhl2td$rnp$1@news.spamcop.net...
> Geoffrey Hyde wrote:
>
>> I'm not posting using a mailing list, I'm posting using a NNTP server,
>> which, as far as I know, is supposed to be a direct connection to the
>> lugnet news server in question, therefore unless someone else
>> received it through an unlikely echo off some compromised server,
>> it's what I consider to be spam. The LUGNET mailserver is not
>> supposed to send me anything back except an authorisation message,
>> which I click a link in to take me to the post authorisation
>> screen.

A lot of snippage, and I noticed this line in the headers after a look in it:

Received: by ntc.net.pk with Internet Mail Service (5.5.2656.59) id ; Fri, 30 Sep 2005 12:54:12 +0500

How can I tell if this is a genuinely inserted line or a pathetic attempt to make something look legitimate? SpamCop (correctly, afaik) ignored it because there was no From.

As for the munging the only munging I noticed was an where my email address usually is. It still is spam because I'm pretty sure a properly configured mailserver known to be handling list traffic would not have me identified as the sender, it would have itself as the sender or a specially configured reply-to address.

--
Cheers ...
Geoffrey Hyde

From nobody at xyzzy.claranet.de Sat Oct 1 18:49:02 2005
From: nobody at xyzzy.claranet.de (Frank Ellermann)
Date: Sat Oct 1 11:55:04 2005
Subject: [SpamCop-List] Re: The (in)famous "Re[n]" spam
References: <433AD35A.65A@xyzzy.claranet.de> <433C29BA.5FBD@xyzzy.claranet.de>
Message-ID: <433EAFEE.6EB@xyzzy.claranet.de>

[Update]

> http://rfc-ignorant.org/tools/lookup.php?domain=enewstodaylive26mail.com
> http://rfc-ignorant.org/tools/lookup.php?domain=enewstodayli27vemail.com
> http://rfc-ignorant.org/tools/lookup.php?domain=enewsto28daylivemail.com

There was also a "25" in this shawnts@popaccount.com series:

http://rfc-ignorant.org/tools/lookup.php?domain=enewsto25daylivemail.com

The next run is asdfsdfg78@yahoo.com - apparently the domains went just online (manual SC reports sent to a Chinese hoster):

http://rfc-ignorant.org/tools/lookup.php?domain=alargebasket.com
http://rfc-ignorant.org/tools/lookup.php?domain=afinepurchase.com
http://rfc-ignorant.org/tools/lookup.php?domain=afineasset.com
http://rfc-ignorant.org/tools/lookup.php?domain=alotofgoods.com

Now it's whois.enom.com, unfortunately I don't see a whois data problem, and mail-abuse@yahoo-inc didn't answer yet. For the name servers protectitdomaindns.com he stuck to Joker, using protectitdomains@popaccount.com for the *-C addresses. Billing address is still domainz@web2mail.com , Frank

From alain.guimberteau at laposte.net Sat Oct 1 23:29:33 2005
From: alain.guimberteau at laposte.net (Alain Guimberteau)
Date: Sat Oct 1 16:30:17 2005
Subject: [SpamCop-List] Re: Unreported Spam Saved: Report Now - Timing Out
References:
Message-ID:

The same for a few days now:

Gateway Timeout
The proxy server did not receive a timely response from the upstream server.
Reference #1.c4926054.1128196774.1207fa5

"Kenneth Loafman" wrote in message news: um5ri1l60il5lt49f1ro20428u9mse73et@4ax.com...
> On Sun, 18 Sep 2005 08:53:28 +0100, "David" wrote:
>
>>
>>"David" wrote in message
>>news:dgh2uj$8pb$1@news.spamcop.net...
>>> Live reporting works perfectly - but trying to process spams sent in by
>>> email times out :
>>>
>>> Gateway Timeout
>>> The proxy server did not receive a timely response from the upstream
>>> server.
>>> Reference #1.4509fdd5.1126960831.10fae6c
>>>
>>
>>24-hours on - This is still giving the same result - anyone else having
>>this
>>problem ?
>
> I'm getting something similar to that, but it's manifesting itself in the
> inability to get to mailsc.spamcop.net, probably due to the rapid DNS
> swapping they do at Akamai. Since yesterday there have been 7 instances
> where mailsc did not resolve, but later did.
>
> Thinking about setting up my own caching DNS again.
>
> ...Ken

From philip at pch.home.cs.vu.nl Sun Oct 2 00:32:30 2005
From: philip at pch.home.cs.vu.nl (Philip Homburg)
Date: Sat Oct 1 17:50:08 2005
Subject: [SpamCop-List] Re: IBM spamming?
References:
Message-ID:

In article , Mike Easter wrote:
> - I am satisfied to be a /passive/ but pledged antispammer, discarding
>*all* [not just some] spam unread and unopened

Wow, what kind of technology do you use to determine with 100% (yes really 100%, not just 99.9%) accuracy whether an e-mail is spam or not?

I'm not going to take the risk of deleting real mail unopened because it might be spam.

Logical conclusion: some amount of spam has to be read to be classified as spam.

--
That was it. Done. The faulty Monk was turned out into the desert where it could believe what it liked, including the idea that it had been hard done by. It was allowed to keep its horse, since horses were so cheap to make.
-- Douglas Adams in Dirk Gently's Holistic Detective Agency

From nobody at spamcop.net Sat Oct 1 23:45:59 2005
From: nobody at spamcop.net (N. Miller)
Date: Sun Oct 2 01:50:04 2005
Subject: [SpamCop-List] Re: Question for everyone about SBC/Pacbell
References:
Message-ID:

On Sat, 1 Oct 2005 11:22:06 +0000 (UTC), Redstone wrote:

> Quick question to everyone out there..
>
> Is anyone still receiving trojaned open-proxy spam originating from
> SBC/Pacbell DSL IP space?
>
> The reason I ask is that a week ago I received an email from SBC (my ISP)
> stating that "port 25" blocking will be enforced as means of curtailing
> spam from their network. And it has been a while since I received any spam
> coming out of SBC/Pacbell DSL space.

I get about one-tenth as much proxy spam from SBC space (including all nine SBC domains) as I did a year ago. Until last March, SBC was ahead of, then, for a while, equal to Comcast as a proxy spam source. Now they are way behind Comcast.

Indeed, indications are that Comcast is now the number one source of proxy spam among the U.S. HSI providers. I can add up my Bellsouth, SBC, USWest/Qwest, and Verizon proxy spam, and throw in Charter, Cox, Optimum Online, and Road Runner for good measure, and only just come short of equaling the proxy spam which comes from Comcast customers.

I don't know if all of them block port 25 outbound; SBC, of course, and, I think Bellsouth.

--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint

From nobody at spamcop.net Sat Oct 1 23:59:34 2005
From: nobody at spamcop.net (N. Miller)
Date: Sun Oct 2 02:00:03 2005
Subject: [SpamCop-List] Re: What the blazes happened here?
References:
Message-ID: <17dwn5r1hd7p6.dlg@news.spamcop.net>

On Sat, 1 Oct 2005 23:12:42 +1000, Geoffrey Hyde wrote:

> A lot of snippage, and I noticed this line in the headers after a look in
> it:
>
> Received: by ntc.net.pk with Internet Mail Service (5.5.2656.59) id
> ; Fri, 30 Sep 2005 12:54:12 +0500
>
> How can I tell if this is a genuinely inserted line or a pathetic attempt to
> make something look legitimate? SpamCop (correctly, afaik) ignored it
> because there was no From.

I am not familiar with the mail program, but it could be legitimate. Consider the following, out of context:

Received: from Spooler by aosake.net (Mercury/32 v4.01b) ID MO000002; 11 Sep 2005 12:16:23 -0700
Received: from spooler by aosake.net (Mercury/32 v4.01b); 11 Sep 2005 12:15:32 -0700

I know how Mercury/32 works well enough to describe how they came to be. Here is the tracker so you can see them in context:

http://www.spamcop.net/sc?id=z811128972za1f55e6617782f1d8924d1944e756e3dz

SpamCop ignores them because they contain no useful information regarding identifying the source of the message, not because they are certain pathetic forgeries.

--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint

From nobody at spamcop.net Sun Oct 2 00:07:42 2005
From: nobody at spamcop.net (N. Miller)
Date: Sun Oct 2 02:10:04 2005
Subject: [SpamCop-List] Re: IBM spamming?
References:
Message-ID:

On Sat, 1 Oct 2005 23:32:30 +0200, Philip Homburg wrote:

> In article ,
> Mike Easter wrote:
>> - I am satisfied to be a /passive/ but pledged antispammer, discarding
>>*all* [not just some] spam unread and unopened
> Wow, what kind of technology do you use to determine with 100% (yes really
> 100%, not just 99.9%) accuracy whether an e-mail is spam or not?
> I'm not going to take the risk of deleting real mail unopened because it
> might be spam.
> Logical conclusion: some amount of spam has to be read to be classified as
> spam.

Visual inspection rules:

Is it from somebody I know? Yes? It isn't spam. No, do the headers show a reasonable source for the email (i.e., not a proxy SMTP client connecting to my mailhost)? Yes? It isn't spam. No, it is spam.

By visual inspection of subject lines, something that can't be easily described, else it could equally easily be coded as a filter, I can readily see what is spam. On occasion I have missed ham in the first pass. I could easily use the message source (MSOE, Mozilla, Thunderbird), or header preview (Pegasus Mail) to check on the source. Even on the Dark Horse Comics web mail server I need not open the actual spam item; check the box, enter the destination email address, click on the "Redirect" button, and it arrives with original headers intact.

--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint

From philip at pch.home.cs.vu.nl Sun Oct 2 10:04:32 2005
From: philip at pch.home.cs.vu.nl (Philip Homburg)
Date: Sun Oct 2 03:20:33 2005
Subject: [SpamCop-List] Re: IBM spamming?
References:
Message-ID: <7q4enbnog57vgdb055gpo8p3t0@inews_id.stereo.hq.phicoh.net>

In article , N. Miller wrote:
>Is it from somebody I know? Yes? It isn't spam. No, do the headers show a
>reasonable source for the email (i.e., not a proxy SMTP client connecting
>to my mailhost)? Yes? It isn't spam. No, it is spam.

How am I supposed to know what reasonable sources are for e-mail from China?

Some people do run their own mail servers on DSL lines? Do you suggest that I delete real mail from those people unopened in some mistaken belief that opening spam is harmful in any way?

--
That was it. Done. The faulty Monk was turned out into the desert where it could believe what it liked, including the idea that it had been hard done by. It was allowed to keep its horse, since horses were so cheap to make.
-- Douglas Adams in Dirk Gently's Holistic Detective Agency

From AHaumer_gmxnet at nopspam.invalid Sun Oct 2 11:48:46 2005
From: AHaumer_gmxnet at nopspam.invalid (Anton Haumer)
Date: Sun Oct 2 04:51:14 2005
Subject: [SpamCop-List] munging not sufficient
Message-ID: <433F9EEE.E884EFB6@nopspam.invalid>

Sometimes I get spam in which the spammer
fakes my own email-address as from-address.

SC sends reports to the right addresses,
but it leaves the faked from-address unmunged
indicating the source of the report ...
although the other occurrences are munged.

suggestion for improvement for SC ...

Toni

From bar_n0ne at hotmail.com Sun Oct 2 14:16:30 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Sun Oct 2 05:20:35 2005
Subject: [SpamCop-List] Re: munging not sufficient
References: <433F9EEE.E884EFB6@nopspam.invalid>
Message-ID:

"Anton Haumer" wrote in message news:433F9EEE.E884EFB6@nopspam.invalid...
> Sometimes I get spam in which the spammer
> fakes my own email-address as from-address.
>
> SC sends reports to the right addresses,
> but it leaves the faked from-address unmunged
> indicating the source of the report ...
> although the other occurrences are munged.
>
> suggestion for improvement for SC ...
>
> Toni

In my experience, well formed From: and Reply to: addies along with cc:'d etc. have always been munged, have you gone back and looked at the actual report sent? (you can go to the past reports tab).

In any case I really doubt it matters. The only thing I see spammers scraping from SC reports are new addresses and aliases (they already have yours), new MX names, spamfilter scores to tune their spam with, and Received lines they may wish to use in faking mail routing.

From nobody at nowhere.invalid Sun Oct 2 12:30:49 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Sun Oct 2 05:35:03 2005
Subject: [SpamCop-List] Re: IBM spamming?
References: <7q4enbnog57vgdb055gpo8p3t0@inews_id.stereo.hq.phicoh.net>
Message-ID:

On Sun, 2 Oct 2005 09:04:32 +0200, Philip Homburg coughed into spamcop and left this in <7q4enbnog57vgdb055gpo8p3t0@inews_id.stereo.hq.phicoh.net>:

> How am I supposed to know what reasonable sources are for e-mail from
> China?

IME there are none.

> Some people do run their own mail servers on DSL lines? Do you suggest
> that I delete real mail from those people unopened in some mistaken belief
> that opening spam is harmful in any way?

If they run their mail servers on DSL lines with DHCP IP addresses then don't discard the mail, reject it at the SMTP level.

--
Steve
Everyone has a photographic memory. Some just don't have film.

From AHaumer_gmxnet at nopspam.invalid Sun Oct 2 13:20:03 2005
From: AHaumer_gmxnet at nopspam.invalid (Anton Haumer)
Date: Sun Oct 2 06:25:02 2005
Subject: [SpamCop-List] Re: munging not sufficient
References: <433F9EEE.E884EFB6@nopspam.invalid>
Message-ID: <433FB453.7E267817@nopspam.invalid>

Berny wrote:
>
> > Sometimes I get spam in which the spammer
> > fakes my own email-address as from-address.
> >
> > SC sends reports to the right addresses,
> > but it leaves the faked from-address unmunged
> > indicating the source of the report ...
> > although the other occurrences are munged.
> >
> In my experience, well formed From: and Reply to: addies along with cc:'d
> etc. have always been munged, have you gone back and looked at the actual
> report sent? (you can go to the past reports tab).

Yes I did - unmunged.

> In any case I really doubt it matters. The only thing I see spammers
> scraping from SC reports are new addresses and aliases (they already have
> yours), new MX names, spamfilter scores to tune their spam with, and
> Received lines they may wish to use in faking mail routing.

Yes I know
but sometimes they try to verify the addresses ...
Well, I prefer totally munged ;-)

Toni

From bar_n0ne at hotmail.com Sun Oct 2 15:24:55 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Sun Oct 2 06:25:11 2005
Subject: [SpamCop-List] Re: munging not sufficient
References: <433F9EEE.E884EFB6@nopspam.invalid> <433FB453.7E267817@nopspam.invalid>
Message-ID:

"Anton Haumer" wrote in message news:433FB453.7E267817@nopspam.invalid...
> Berny wrote:
> >
> > > Sometimes I get spam in which the spammer
> > > fakes my own email-address as from-address.
> > >
> > > SC sends reports to the right addresses,
> > > but it leaves the faked from-address unmunged
> > > indicating the source of the report ...
> > > although the other occurrences are munged.
> > >
> > In my experience, well formed From: and Reply to: addies along with cc:'d
> > etc. have always been munged, have you gone back and looked at the actual
> > report sent? (you can go to the past reports tab).
>
> Yes I did - unmunged.
>
> > In any case I really doubt it matters. The only thing I see spammers
> > scraping from SC reports are new addresses and aliases (they already have
> > yours), new MX names, spamfilter scores to tune their spam with, and
> > Received lines they may wish to use in faking mail routing.
>
> Yes I know
> but sometimes they try to verify the addresses ...
>
> Well, I prefer totally munged ;-)
>
> Toni

Interesting, I couldn't properly confirm since I am set to unmunged in my preferences, but I have a free account, so I get at least partially munged. There was a discussion about munging the from address a few years back and I'm sure it was munged at the time (after the discussion), but my spam's "reply to" and "from"s are unmunged, It looks like yours (and everybody else's) are also.

From philip at pch.home.cs.vu.nl Sun Oct 2 14:21:14 2005
From: philip at pch.home.cs.vu.nl (Philip Homburg)
Date: Sun Oct 2 07:50:16 2005
Subject: [SpamCop-List] Re: IBM spamming?
References: <7q4enbnog57vgdb055gpo8p3t0@inews_id.stereo.hq.phicoh.net>
Message-ID: <9s7lpeorft3nabni9prsehgbj3@inews_id.stereo.hq.phicoh.net>

In article , Steven Maesslein wrote:
>On Sun, 2 Oct 2005 09:04:32 +0200, Philip Homburg coughed into spamcop
>and left this in
><7q4enbnog57vgdb055gpo8p3t0@inews_id.stereo.hq.phicoh.net>:
>
>> How am I supposed to know what reasonable sources are for e-mail from
>> China?
>
>IME there are none.

In my experience there are. Even in China, there are people foolish enough to use my software :-) (or, at least, ask questions about it).

>> Some people do run their own mail servers on DSL lines? Do you suggest
>> that I delete real mail from those people unopened in some mistaken belief
>> that opening spam is harmful in any way?
>
>If they run their mail servers on DSL lines with DHCP IP addresses then
>don't discard the mail, reject it at the SMTP level.

What's the point rejecting e-mail just because of technicalities (dynamic, no reverse DNS, TTLs too short)?

I refuse mail from IP addresses and netblocks that send (too much) spam. No spam, no block.

(And then there is the small problem that there is no complete list of all netblocks that consist of dynamic addresses).

--
That was it. Done. The faulty Monk was turned out into the desert where it could believe what it liked, including the idea that it had been hard done by. It was allowed to keep its horse, since horses were so cheap to make.
-- Douglas Adams in Dirk Gently's Holistic Detective Agency

From nobody at nowhere.invalid Sun Oct 2 17:05:23 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Sun Oct 2 10:10:03 2005
Subject: [SpamCop-List] Re: IBM spamming?
References: <7q4enbnog57vgdb055gpo8p3t0@inews_id.stereo.hq.phicoh.net> <9s7lpeorft3nabni9prsehgbj3@inews_id.stereo.hq.phicoh.net>
Message-ID:

On Sun, 2 Oct 2005 13:21:14 +0200, Philip Homburg coughed into spamcop and left this in <9s7lpeorft3nabni9prsehgbj3@inews_id.stereo.hq.phicoh.net>:

> In my experience there are. Even in China, there are people foolish enough to
> use my software :-) (or, at least, ask questions about it).

I feel sorry for you. I'm lucky enough to have no reason to accept mail from most of APNIC and all of LACNIC, so most of those areas are in the firewall, and what isn't in the firewall is in the DNSBL.

> What's the point rejecting e-mail just because of technicalities (dynamic,
> no reverse DNS, TTLs too short)?

Because a real mail server shouldn't have any of those characteristics. If a machine which does exhibit them is trying to send you mail, the chances are it's a zombified Windows machine trying to send you a virus or spam.

--
Steve
A group of cats is a "conceit". They'd like it to be called a "pride" but that would fool nobody.
-- Morely Dotes in NANAE, 2-FEB-2004

From nobody at spamcop.net Sun Oct 2 10:20:56 2005
From: nobody at spamcop.net (N. Miller)
Date: Sun Oct 2 12:25:05 2005
Subject: [SpamCop-List] Re: IBM spamming?
References: <7q4enbnog57vgdb055gpo8p3t0@inews_id.stereo.hq.phicoh.net>
Message-ID:

On Sun, 2 Oct 2005 09:04:32 +0200, Philip Homburg wrote:

> How am I supposed to know what reasonable sources are for e-mail from
> China?

Run the connecting SMTP client IP address through a service like OpenRBL.

> Some people do run their own mail servers on DSL lines? Do you suggest
> that I delete real mail from those people unopened in some mistaken belief
> that opening spam is harmful in any way?

You can do whatever floats your boat. No laws. OTOH, I do run an MTA on a dynamic IP address, but you aren't likely to find my dynamic IP address connecting to your server.
The problem is, too many places have my IP address in a DUL, and too many places use DULs to vet their incoming SMTP connections. In order not to face blocks at AOL, and other, I use my ISP SMTP server as a "smarthost". My MTA > my ISP MTA > your MX.

You can try to force people to return to the 1995 way of running email on the Internet, but that is not going to happen. Anybody running an MTA in dynamic IP address space, and trying to run end-to-end connections ("Direct-to-MX") instead of smarthosting is asking for connectivity problems, and unreliable email.

Personally, I do open spam for inspection. But I do it in a "safe" reader (it doesn't do scripts, or remote image calls); and, generally, only to get to the entire message source (I can view headers without opening the item, but I still have to open the item to get to the raw code). However, it is possible to do things Mike Easter's way, if a little inconvenient for what I am trying to do. You have to tailor the way you handle email to meet your particular requirements; what works for Mike, or me, might not work for you.

--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint

From baloo at ursine.ca Mon Oct 3 11:31:58 2005
From: baloo at ursine.ca (baloo@ursine.ca)
Date: Mon Oct 3 14:10:04 2005
Subject: [SpamCop-List] Re: Pump & Dump--why?
References: <290920050916518028%news@REMOVECAPSalanharper.com> <433C27AD.AE65876@spamcop.net>
Message-ID:

Redstone wrote:
> Kenneth Brody wrote in
> news:433C27AD.AE65876@spamcop.net:
>
>>
>> Perhaps not enough people fall for pump-and-dump nowadays to affect
>> the price that much?
>>
>> Perhaps it's a "dump" instead, and they're simply trying to find
>> enough people actually willing to buy their shares?
>>
>
> It is usually the case that not enough people fall for this scam. (Looks
> like the education campaign has worked.)

Well, this is a special case.
Pump and dumps have been around almost as long as the stock market itself. The act itself is not legal and there have been movies (titles don't come to mind ATM) about people getting nailed for doing exactly that.

From baloo at ursine.ca Mon Oct 3 12:20:27 2005
From: baloo at ursine.ca (baloo@ursine.ca)
Date: Mon Oct 3 15:10:05 2005
Subject: [SpamCop-List] Re: IBM spamming?
References: <7q4enbnog57vgdb055gpo8p3t0@inews_id.stereo.hq.phicoh.net>
Message-ID:

Steven Maesslein wrote:
> If they run their mail servers on DSL lines with DHCP IP addresses then
> don't discard the mail, reject it at the SMTP level.

Problem: Large parts of North America have no other choice for internet connectivity or hosting.

From baloo at ursine.ca Mon Oct 3 12:27:14 2005
From: baloo at ursine.ca (baloo@ursine.ca)
Date: Mon Oct 3 15:10:09 2005
Subject: [SpamCop-List] Re: IBM spamming?
References: <7q4enbnog57vgdb055gpo8p3t0@inews_id.stereo.hq.phicoh.net>
Message-ID: <2p9813-v84.ln1@ursine.ca>

N. Miller wrote:
> You can do whatever floats your boat. No laws. OTOH, I do run an MTA on a
> dynamic IP address, but you aren't likely to find my dynamic IP address
> connecting to your server. The problem is, too many places have my IP
> address in a DUL, and too many places use DULs to vet their incoming SMTP
> connections. In order not to face blocks at AOL, and other, I use my ISP
> SMTP server as a "smarthost". My MTA > my ISP MTA > your MX.

I have my MTA set up to only use the smarthost if the destination site has the mistaken belief that dynamic IPs are always spammers. I don't run everything through the smarthost, because the site that operates that smarthost isn't trustworthy and frequently gets blocked by other sites. I'd switch in a heartbeat if there was any competition at all in my area.

> You can try to force people to return to the 1995 way of running email on
> the Internet, but that is not going to happen. Anybody running an MTA in
> dynamic IP address space, and trying to run end-to-end connections
> ("Direct-to-MX") instead of smarthosting is asking for connectivity
> problems, and unreliable email.

Yeah, but only sending to the ~2 dozen sites (looking at my logs) misconfigured badly enough to make it a problem. The rest of the net gets it right in this regard.

From baloo at ursine.ca Mon Oct 3 12:37:57 2005
From: baloo at ursine.ca (baloo@ursine.ca)
Date: Mon Oct 3 15:10:13 2005
Subject: [SpamCop-List] Re: www.Blackholes.US
References:
Message-ID: <5da813-v84.ln1@ursine.ca>

Thomas Mooney wrote:
>> Message from http://www.blackholes.us:
>> "Disk crashed. Wierd things happened. Back online very soon now..."
>
> Hallelujah!
>
> My spam has increased five-fold since blackholes.us went toes up. China and
> Korea, mostly. A smattering of Brazil.

I have the zonefiles from last March if you want to throw them up on your own DNS servers for your use.

From baloo at ursine.ca Mon Oct 3 12:41:34 2005
From: baloo at ursine.ca (baloo@ursine.ca)
Date: Mon Oct 3 15:10:14 2005
Subject: [SpamCop-List] Re: www.Blackholes.US
References:
Message-ID:

Redstone wrote:
> (Seems like he had it on "automatic" for all this time.. quite a
> feat.)

That isn't surprising to me. All kinds of IPs came back as being owned by companies that haven't existed since the dot-com boom on OpenRBL...

From someone at microsoft.com Mon Oct 3 22:09:01 2005
From: someone at microsoft.com (bob)
Date: Mon Oct 3 21:10:03 2005
Subject: [SpamCop-List] added to block list and don't know why
Message-ID:

Our IP has hit SCbl and the IP is 66.12.37.217. I have no idea what is going on and a little upset at our domain server hostexcellence. They couldn't tell me anything and finally I telnet the mail server and find the SC block.

In simple english what do we do to prevent this?
I see the cause of the listing as: System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop).

We don't use any auto-responders and I'm not sure what all the bouncing messages are about. We use basic Outlook for reading mail. Can anyone help us figure out how to get our outgoing mail service back and how to prevent this SC from blocking it in the future?

Any help is greatly appreciated.

From wb8tyw at qsl.network Mon Oct 3 23:25:37 2005
From: wb8tyw at qsl.network (John E. Malmberg)
Date: Mon Oct 3 22:30:10 2005
Subject: [SpamCop-List] Re: added to block list and don't know why
In-Reply-To:
References:
Message-ID:

bob wrote:
> Our IP has hit SCbl and the IP is 66.12.37.217. I have no idea what is
> going on and a little upset at our domain server hostexcellence. They
> couldn't tell me anything and finally I telnet the mail server and find the
> SC block.
>
> In simple english what do we do to prevent this? I see the cause of the
> listing as: System has sent mail to SpamCop spam traps in the past week
> (spam traps are secret, no reports or evidence are provided by SpamCop).

Spam trap data requires a deputy to summarize. I only have access to the same data as anyone on the internet.

In order for a mail server to send to spam traps, it either must have a security breach or it must be misconfigured to bounce undelivered e-mail to innocent victims of spam/virus forgeries.

> We don't use any auto-responders and I'm not sure what all the bouncing
> messages are about. We use basic Outlook for reading mail. Can anyone help
> us figure out how to get our outgoing mail service back and how to prevent
> this SC from blocking it in the future?

It really takes a sample of reported spam from that I.P. to determine what is the issue to be fixed. Sometimes it is caused by a user or administrator of the mail server doing something stupid with an anti-spam or anti-virus product.
> Any help is greatly appreciated.

Plugging your I.P. address into moensted:

http://www.moensted.dk/spam/?addr=66.12.37.217&Submit=Submit

It shows that not only is spamcop.net listing you so is the PSBL.

Looking at your spamcop.net listing shows that hostmaster(at)gte.net is supposed to be handling issues with problems on your mail server. But mail to that address is bouncing.

When mail to a role account on a mail server is bouncing that is an obvious indication that something is wrong with the management of that network.

Having e-mail to the designated abuse contact bouncing will eventually cause more than just spamcop.net users to be blocking that address.

http://psbl.surriel.com/evidence?ip=66.12.37.217&action=Check+evidence

This is showing an illegal drug scam that was sent on September 29 from the I.P. address that you gave. There are no forwarding headers that were added by that mail server. That is very bad.

That indicates that criminals have control of that mail server and do what they want with it. The security breach is either directly on the server, or on a computer connected to it over what should be a secure connection.

Now there is public evidence of two serious problems with that mail server, and you can use it when you call whoever you are paying to maintain that server.

More data:

http://ops.mail-abuse.com/cgi-bin/nph-ops-sview?66.12.37.217

Old evidence that a computer at this I.P. address was controlled by one or more criminals since May 2005.

-John
wb8tyw@qsl.network
Personal Opinion Only

From richard at zuidhofRemove.nl Tue Oct 4 11:37:03 2005
From: richard at zuidhofRemove.nl (Richard Zuidhof)
Date: Tue Oct 4 04:40:05 2005
Subject: [SpamCop-List] What is Cyveillance giving back?
Message-ID:

I notice every Spamcop report I make is copied to Cyveillance (http://www.cyveillance.com/spam.htm). This has been done for quite a long time now but I have not noticed any benefit for the Spamcop users.
I would suspect that a company sitting on so much data about spam now and then would publish statistics or research information. Maybe they can take a look at what a company like Netcraft does in the market for webservers and webhosting. I really like to know more about trends in what spam is reported.

Richard

From bar_n0ne at hotmail.com Tue Oct 4 14:02:48 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Tue Oct 4 05:06:12 2005
Subject: [SpamCop-List] Re: What is Cyveillance giving back?
References:
Message-ID:

"Richard Zuidhof" wrote in message news:dhtevf$8ur$1@news.spamcop.net...
> I notice every Spamcop report I make is copied to Cyveillance

SNIP

OK Folks, get ready to duck the flames, Deploy the NOMEX suits.

From nobody at nowhere.invalid Tue Oct 4 12:06:04 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Tue Oct 4 05:10:17 2005
Subject: [SpamCop-List] Re: What is Cyveillance giving back?
References:
Message-ID:

On Tue, 04 Oct 2005 10:37:03 +0200, Richard Zuidhof coughed into spamcop and left this in :

> I notice every Spamcop report I make is copied to Cyveillance
> (http://www.cyveillance.com/spam.htm). This has been done for quite a
> long time now but I have not noticed any benefit for the Spamcop
> users.

Cyveillance is not there to help SC users. They are employed by big companies to watch out for trademark infringement. Originally, a deal was struck between JH and Cyveillance whereby Cyveillance helped JH with the bandwidth costs in return for copies of spam reports for them to scrutinize. To start with, Cy got more than they bargained for and had to stop the supply of spam because they couldn't keep up with it :)

There is another problem, however. Cy also has a web spider that crawls across the 'Net looking for trademark infringements, but the spider doesn't observe a site's "robots.txt" file designed to deny robots access to certain resources.
As such, my own opinion of Cy is that they are as abusive as spammers in that respect and part of the problem, not part of the solution.

As a user of a SC mail account, I have the possibility of *not* sending Cy copies of spam reports. I take advantage of that possibility, and they are denied access to my own servers by firewall policy.

--
Steve
Health nuts are going to feel stupid someday, lying in hospitals dying of nothing.

From nobody at nowhere.invalid Tue Oct 4 12:09:59 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Tue Oct 4 05:10:20 2005
Subject: [SpamCop-List] Re: What is Cyveillance giving back?
References:
Message-ID:

On Tue, 4 Oct 2005 11:06:04 +0200, Steven Maesslein coughed into spamcop and left this in :

> Cy also has a web spider that crawls across the 'Net looking for
> trademark infringements, but the spider doesn't observe a site's
> "robots.txt" file

Apologies for the self-fup... I forgot to add that Cyveillance's spider also masquerades as a standard desktop browser (I forget whether it's IE or Moz but that's irrelevant) in an attempt to thwart protection that site owners might install based on the User-Agent string.

--
Steve
Are Linux users lemmings collectively jumping off of the cliff of reliable, well-engineered commercial software?
-- Matt Welsh

From bait-423c86b2-42ff9001 at good.julianhaight.com Tue Oct 4 04:46:35 2005
From: bait-423c86b2-42ff9001 at good.julianhaight.com (Chris F. Willoughby)
Date: Tue Oct 4 06:50:24 2005
Subject: [SpamCop-List] Re: Public Spamtraps
References:
Message-ID:

Not entirely sure why.. but the mailsc.spamcop.net page has one hidden on there somewhere as well. I only found it because I was trying to browse the site without using my mouse at the time. :)

Chris

"The 'Lost' Monster Is A Robot" wrote in message news:dhrp01$ao0$1@news.spamcop.net...
>
>
>
> I want to put some email links on my webpage with the title
> "don't send email to these addresses unless you are a spammer."
> I know of three email addresses that have asked for spam:
>
> uce@ftc.gov
> spamrecycle@chooseyourmail.com
> spamtrap@spambouncer.org
>
> Are there any others?
>
>
>

From Nobody at SpamCop.net.dev.null Tue Oct 4 08:44:02 2005
From: Nobody at SpamCop.net.dev.null (Michael Brennan)
Date: Tue Oct 4 08:45:04 2005
Subject: [SpamCop-List] How to Rattle This Guy's Cage?
Message-ID: <43427912.17EDB4B5@SpamCop.net.dev.null>

I've been getting a number of "mortgage application" phish spams associated with Leo Kuvayev/Michael Lindsay type spams. Some number of the spamvertised sites trace back to this registration:

Associated spamcop report:
http://www.spamcop.net/sc?id=z811637287zf16e455984c1806593b4b6ccd4d3f786z

Server Used: [ whois.yesnic.com ]
http://www.t0wn.com = [ ]
-----------------------------------------------
Queried Domain Information as follows
-----------------------------------------------
Domain Name : t0wn.com
: :Registrant: :
Name : James Bright
Email : jamesbright12345@netscape.net
Address : 101 Thomas St.
Zipcode : 98109
Nation : US
Tel : 12062030586
Fax :
: :Administrative Contact: :
Name : James Bright
Email : jamesbright12345@netscape.net
Address : 101 Thomas St.
Zipcode : 98109
Nation : US
Tel : 12062030586
Fax :
: :Technical Contact: :
Name : James Bright
Email : jamesbright12345@netscape.net
Address : 101 Thomas St.
Zipcode : 98109
Nation : US
Tel : 12062030586
Fax :
: :Name Servers: :
: :Dates & Status: :
Created Date 2005-10-01 14: 21: 49 EDT
Updated Date 2005-10-01 14: 21: 49 EDT
Valid Date 2006-10-01 14: 21: 49 EDT
Status REGISTRAR-HOLD
_____________________________________________________

Notice that there is no IP associated with this registration. This cheeseburger has been the registered webhost for spammy's little webform pages for some time, and I've yet to get hold of Netscape to wake them up that these spammers are using AOL and Netscape webmail addresses. This particular webmail account has been in use for about a month.
My repeated attempts to LART manually get slapped down by Netscape.net -- I don't have an account there, so talk to the hand.

Can they register a site like this? And can they keep it current, now that they're providing even less information than they did originally? Notice that registrant gives only a ZIP code in southern California (probably phony).

More to the point, why are guys like this still around? Why are their pages even accessible?

Michael

From amenex at amenex.com Tue Oct 4 11:27:25 2005
From: amenex at amenex.com (George Langford, Sc.D.)
Date: Tue Oct 4 10:27:28 2005
Subject: [SpamCop-List] Quick Reporting returns empty data
Message-ID: <20051004102725.l2as4soo08soo0wo@webmail.spamcop.net>

Better look at the Quick Reporting system this AM.

Here's a typical notification:

> SpamCop.net
> Here are the results of your submission:
>
> Processing spam: From:
> Subject:
>
>
> Processing spam: From:
> Subject:
>
>
> Processing spam: From:
> Subject:
>
>
> Processing spam: From:
> Subject:

Amenex

From nobody at devnull.spamcop.net Tue Oct 4 10:56:39 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Tue Oct 4 11:00:04 2005
Subject: [SpamCop-List] Re: Quick Reporting returns empty data
References:
Message-ID:

"George Langford, Sc.D." wrote in message news:mailman.91.1128436049.169.spamcop-list@news.spamcop.net...
> Better look at the Quick Reporting system this AM.
>
> Here's a typical notification:
>
> > SpamCop.net
> > Here are the results of your submission:

With your example and the discussion on-going at
http://forum.spamcop.net/forums/index.php?showtopic=5055
it does appear that the issue may be at JT's end ..
There have been notifications sent out ....

From nobody at spamcop.net Tue Oct 4 11:13:09 2005
From: nobody at spamcop.net (Ellen)
Date: Tue Oct 4 11:25:04 2005
Subject: [SpamCop-List] Re: added to block list and don't know why
References:
Message-ID:

"bob" wrote in message news:dhskmu$r77$1@news.spamcop.net...
> Our IP has hit SCbl and the IP is 66.12.37.217. I have no idea what is
> going on and a little upset at our domain server hostexcellence. They
> couldn't tell me anything and finally I telnet the mail server and find the
> SC block.
>
> In simple english what do we do to prevent this? I see the cause of the
> listing as: System has sent mail to SpamCop spam traps in the past week
> (spam traps are secret, no reports or evidence are provided by SpamCop).
>
> We don't use any auto-responders and I'm not sure what all the bouncing
> messages are about. We use basic Outlook for reading mail. Can anyone help
> us figure out how to get our outgoing mail service back and how to prevent
> this SC from blocking it in the future?
>
> Any help is greatly appreciated.
>
>

You apparently have an infected pc on your lan sending spam. You can write to me at deputies admin.spamcop.net for more details. Make sure to include the IP.

Ellen
SpamCop

From MikeE at ster.invalid Tue Oct 4 09:33:32 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Oct 4 11:35:02 2005
Subject: [SpamCop-List] Re: Quick Reporting returns empty data
References:
Message-ID:

WazoO wrote:
> "George Langford, Sc.D."
>> Better look at the Quick Reporting system this AM.
>>
>> Here's a typical notification:
>>
>>> SpamCop.net
>>> Here are the results of your submission:
>
> With your example and the discussion on-going at
> http://forum.spamcop.net/forums/index.php?showtopic=5055
> it does appear that the issue may be at JT's end ..
> There have been notifications sent out ....

The forum discussion seems to be about problems with quick and webmail Oct 4, and/but I don't know how to interpret the timestamps on the posts, ie what offset they belong to

I submitted a 'package' of 5 spams by email to quick at 7:23 AM PDT [UTC -0700] and they were all satisfactorily parsed and processed 7:28 AM same offset..
--
Mike Easter
kibitzer, not SC admin

From kenbrody at spamcop.net Tue Oct 4 12:39:12 2005
From: kenbrody at spamcop.net (Kenneth Brody)
Date: Tue Oct 4 11:45:03 2005
Subject: [SpamCop-List] Strange "quick report" problem
Message-ID: <4342A220.5C92A294@spamcop.net>

I submitted several spams in my Inbox for quick reporting, and I got the following e-mail in reply:

==========
SpamCop.net
Here are the results of your submission:

Processing spam: From:
Subject:

Processing spam: From:
Subject:

Processing spam: From:
Subject:

Processing spam: From:
Subject:

Processing spam: From:
Subject:

Processing spam: From:
Subject:

Processing spam: From:
Subject:
==========

--
+-------------------------+--------------------+-----------------------------+
| Kenneth J. Brody        | www.hvcomputer.com |                             |
| kenbrody/at\spamcop.net | www.fptech.com     | #include                    |
+-------------------------+--------------------+-----------------------------+
Don't e-mail me at:

From me at privacy.net Tue Oct 4 18:09:33 2005
From: me at privacy.net (Will Wilkinson)
Date: Tue Oct 4 12:10:02 2005
Subject: [SpamCop-List] Re: Quick Reporting returns empty data
References:
Message-ID: <2l6$rwx9kqQDFwTt@steely-glint.lancre.net>

In message , Mike Easter writes
>WazoO wrote:
>> "George Langford, Sc.D."
>
>>> Better look at the Quick Reporting system this AM.
>>>
>>> Here's a typical notification:
>>>
>>>> SpamCop.net
>>>> Here are the results of your submission:
>>
>> With your example and the discussion on-going at
>> http://forum.spamcop.net/forums/index.php?showtopic=5055
>> it does appear that the issue may be at JT's end ..
>> There have been notifications sent out ....
>
>The forum discussion seems to be about problems with quick and webmail
>Oct 4, and/but I don't know how to interpret the timestamps on the
>posts, ie what offset they belong to
>
>I submitted a 'package' of 5 spams by email to quick at 7:23 AM PDT
>[UTC -0700] and they were all satisfactorily parsed and processed 7:28
>AM same offset..
>

My quick reporting submissions via the webmail interface have all shown:

error:No IP found
Processing spam: From:
Subject:

Since 09:00 BST [UTC +0100] today.

Also posted on the forum.

Will
--
lancre dot net - The personal domain of Will and Cath Wilkinson.
Send e-mail to news dot will at lancre dot net
PGP Fingerprint E089 1736 A023 9E5C AFA3 0B40 E5DC D80A 9E1F D521
Public key can be obtained from ldap://certserver.pgp.com

From MikeE at ster.invalid Tue Oct 4 10:17:40 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Oct 4 12:20:03 2005
Subject: [SpamCop-List] Re: How to Rattle This Guy's Cage?
References: <43427912.17EDB4B5@SpamCop.net.dev.null>
Message-ID:

Michael Brennan wrote:
> I've been getting a number of "mortgage application" phish spams
> associated with Leo Kuvayev/Michael Lindsay type spams. Some number
> of the spamvertised sites trace back to this registration:
>
> Associated spamcop report:

www.spamcop.net/sc?id=z811637287zf16e455984c1806593b4b6ccd4d3f786z
spamvertising http://ykllmd2.t0wn.com/savings.asp

Does not resolve; t0wn.com does not have nameservice

> Domain Name : t0wn.com
> : :Registrant: :
> Name : James Bright
> Email : jamesbright12345@netscape.net
> Address : 101 Thomas St.
> Zipcode : 98109
> Nation : US
> Tel : 12062030586

It is /possible/ to snail by street address and zip5, but not in this case. That address is undeliverable.

usps.com: Find a ZIP + 4? Code By Address Results
This is a non-deliverable address. Mail sent to this address will be returned.
This address is NON-DELIVERABLE
101 THOMAS ST
SEATTLE WA 98109 - 4813

> : :Name Servers: :
> : :Dates & Status: :
> Created Date 2005-10-01 14: 21: 49 EDT
> Updated Date 2005-10-01 14: 21: 49 EDT
> Valid Date 2006-10-01 14: 21: 49 EDT
> Status REGISTRAR-HOLD

> Notice that there is no IP associated with this registration.

There is no IP because there is no nameservice currently.

> these spammers are using AOL and Netscape webmail
> addresses.
I don't think you can make much out of that.

> Can they register a site like this?

You have a legitimate beef to internic/icann via yesnic if the registration info is bogus

http://wdprs.internic.net/
This form allows Internet users to submit reports to ICANN-Accredited Registrars concerning incomplete or inaccurate Whois data.

> Notice that registrant gives only a ZIP code in southern California
> (probably phony).

The zip is Seattle WA.

What will happen probably is that the registrant will say there was a typo, either wrong street name/number or wrong zip. Registrant 'forgot' to provide city and state.

IMO, internic/icann should 'enforce' against registrars who 'blatantly' fail to obtain a complete address, such as city and state.

There is also a place to turn in a beef about the registrar yesnic

http://reports.internic.net/cgi/registrars/problem-report.cgi
If you have a problem with one of the registrars, you should first try to resolve it with that registrar.

But, that 'presumes' the problem is financial or something between you and the registrar. In this case, your beef would be that the registrar is failing to comply with ICANN's requirements of being an accredited registrar

"If you would like to submit a complaint about a registrar for ICANN's records, please use the form below. As a courtesy, the form will forward your complaint to the registrar for review and further handling. (Please note that there is no guarantee that the registrar will reply.)"

> More to the point, why are guys like this still around? Why are their
> pages even accessible?

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Tue Oct 4 10:43:03 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Oct 4 12:45:02 2005
Subject: [SpamCop-List] Re: IBM spamming?
References:
Message-ID:

Belatedly answering this; I was out of town and not visiting newsgroups a few days.
Philip Homburg wrote:
> Mike Easter
>> - I am satisfied to be a /passive/ but pledged antispammer,
>> discarding *all* [not just some] spam unread and unopened
>
> Wow, what kind of technology do you use to determine with 100% (yes
> really 100%, not just 99.9%) accuracy whether an e-mail is spam or
> not?
>
> I'm not going to take the risk of deleting real mail unopened because it
> might be spam.
>
> Logical conclusion: some amount of spam has to be read to be
> classified as spam.

One can achieve the highest percentage of 'knowing' their spam from nonspam by having a very good user configured spamfilter which writes its analysis in the headers.

I would 'train' that pledged passive antispammer to examine any mail considered 'uncertain' - where uncertain is based on the question of whether the 'reader' should consider the analysis by the spamfilter [such as SpamPal or SpamAssassin or such] in 'question' ie the spamfilter said it was spam and the reader is doubting it, or the spamfilter said it was ham and the reader is doubting that.

Such 'questioning' could cause the would-be 'reader' of some uncertain item to analyze the item by its headers first.

I do not think that 'simply' opening unknown or unfiltered or questionable items or items which have a From or a Subject which 'sounds' like real mail is the correct approach.

If one is playing a 'game' with spammers and keeping score and giving the spammer points if you open a mail to read it to determine if it is spam or not, and not giving the spammer points if you never 'open' [which implies making a 'mistake' and opening a spam you thought was a 'real' mail], the trained pledged passive antispammer should be able to bat nearly 1000.

The fact that one might have to occasionally inspect headers or even inspect the interior or body of some kind of suspicious unknown is not the same thing as mistakenly opening and rendering a spam.
--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Tue Oct 4 10:54:14 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Oct 4 12:55:03 2005
Subject: [SpamCop-List] Re: munging not sufficient
References: <433F9EEE.E884EFB6@nopspam.invalid>
Message-ID:

Anton Haumer wrote:
> Sometimes I get spam in which the spammer
> fakes my own email-address as from-address.

Yes.

> SC sends reports to the right addresses,
> but it leaves the faked from-address unmunged

Yes.

> indicating the source of the report ...
> although the other occurrences are munged.
>
> suggestion for improvement for SC ...

SC leaves the From unmunged by design.

IMO, I would interpret the rules about material changes to permit you to munge or delete the From, even tho' the rules do not say that 'precisely'. The rules say that you can munge your address in the body. The rules also state that if you do such mungeing, you have to 'declare it' and that you can't do such mungeing in the case of providers who don't accept mungeing.

No deputy is going to make a declaration here which 'defies' anything which is stated in the faq -- that is, the faq is 'law' about material changes and if it isn't stated in the faq then it isn't officially approved even if it could be logically derived from what the faq permits.

So, you are 'on your own' by mungeing your address in the From -- it isn't officially approved. I would also go by the rule that you can't even do that mungeing if the recipient doesn't accept mungeing and that you should declare it.

Also, if a person is 'uncomfortable' about inadequate mungeing, they should also consider the fact that it is impossible for you to know with certainty that your 'persona' or address identity hasn't been concealed in a stealthy fashion somewhere in the header or body of the mail item. The only way you can be sure that you aren't providing your address to the report entity is to not send them a copy of the spam, like a mole reporter.

Under that circumstance, what you would /like/ would be to be as 'important' as a spamtrap, whose reports do count but are not provided to the report addy -- not to be as 'unimportant' as a mole, whose reports /don't/ count and also aren't provided.

--
Mike Easter
kibitzer, not SC admin

From AHaumer_gmxnet at nopspam.invalid Tue Oct 4 20:00:02 2005
From: AHaumer_gmxnet at nopspam.invalid (Anton Haumer)
Date: Tue Oct 4 13:00:03 2005
Subject: [SpamCop-List] Re: munging not sufficient
References: <433F9EEE.E884EFB6@nopspam.invalid>
Message-ID: <4342B512.C614C2D1@nopspam.invalid>

Mike Easter wrote:
> Also, if a person is 'uncomfortable' about inadequate mungeing, they
> should also consider the fact that it is impossible for you to know with
> certainty that your 'persona' or address identity hasn't been concealed
> in a stealthy fashion somewhere in the header or body of the mail item.
> The only way you can be sure that you aren't providing your address to
> the report entity is to not send them a copy of the spam, like a mole
> reporter.
>
> Under that circumstance, what you would /like/ would be to be as
> 'important' as a spamtrap, whose reports do count but are not provided
> to the report addy -- not to be as 'unimportant' as a mole, whose
> reports /don't/ count and also aren't provided.
>
> --
> Mike Easter
> kibitzer, not SC admin

Thanks for your explanations.
Well I'm unsure about mungeing ...
I could also consider:
"If a spammer sees enough reports sent by me (unmunged!)
he will avoid troubles and delete my address ..."

Wrong?

Toni

From nobody at devnull.spamcop.net Tue Oct 4 13:01:30 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Tue Oct 4 13:05:06 2005
Subject: [SpamCop-List] Re: Quick Reporting returns empty data
References:
Message-ID:

"Mike Easter" wrote in message news:dhu7c8$lsh$1@news.spamcop.net...
> WazoO wrote:
> >
> > With your example and the discussion on-going at
> > http://forum.spamcop.net/forums/index.php?showtopic=5055
> > it does appear that the issue may be at JT's end ..
> > There have been notifications sent out ....
>
> The forum discussion seems to be about problems with quick and webmail
> Oct 4, and/but I don't know how to interpret the timestamps on the
> posts, ie what offset they belong to

I 'think' that as a Guest, the time displayed is 'probably' based on the server's time, i.e., Georgia .... GMT -5 ...

> I submitted a 'package' of 5 spams by email to quick at 7:23 AM PDT
> [UTC -0700] and they were all satisfactorily parsed and processed 7:28
> AM same offset..

Yeah, that's what I posted there sometime this morning, e-mail submittal worked fine, just something going on for the e-mail account users submitting from the web-mail accounts.

From nobody at devnull.spamcop.net Tue Oct 4 13:04:00 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Tue Oct 4 13:05:10 2005
Subject: [SpamCop-List] Re: Quick Reporting returns empty data
References:
Message-ID:

Replying to cross-post this into the other newsgroups ...
Don also posted this into the Forum discussion at
http://forum.spamcop.net/forums/index.php?showtopic=5055

"SpamCop Admin" wrote in message news:nea5k1d2pmedts97o3aev1q24d9h0evehj@4ax.com...
> Reporting from webmail is inserting a blank line between the header
> lines and causing the parse to fail.
>
> I paged JeffT and sent him email about the problem.
>
> Unfortunately, that's all I can do. He is not up on IM, so he may be
> away from his office.
>
> - Don D'Minion - SpamCop Admin -

From MikeE at ster.invalid Tue Oct 4 12:07:05 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Oct 4 14:10:04 2005
Subject: [SpamCop-List] Re: munging not sufficient
References: <433F9EEE.E884EFB6@nopspam.invalid> <4342B512.C614C2D1@nopspam.invalid>
Message-ID:

Anton Haumer wrote:
> Well I'm unsure about mungeing ...
> I could also consider:
> "If a spammer sees enough reports sent by me (unmunged!)
> he will avoid troubles and delete my address ..."
>
> Wrong?

There are spammers and there are spammers and then there are spammers.

Some spammers would like to believe that they have a legitimate mailing list which they bought and which they would like to improve by performing 'listwashing' - in which they /actually/ remove addresses which do not want that mail.

Some other spammers would like for you to confuse those listwashing spammers with the other forms of list management, which is to move names around from one list to another. This class of spammer would consider list construction to be influenced by those who open their spam and read their spam and believe their spam and click on links in spam, including those links which are remove links.

The vast majority of spammers are very simple in their list management -- they only add addies, they never remove them or manage them in any way. They don't care if addies bounce, they don't care if addies try to remove, they don't care about anything except spewing spam to as many addresses as possible. They aren't paying postage. There is no need to remove dead or unwilling or any other kind of address.

There are very very few spammers who go to the trouble of removing 'anti-s', but it occasionally does happen. Some antispammers cause spammers enough 'trouble' one way or another that the spammer would rather that those anti-s be removed from the list so they won't cause as much problem. There are even fewer spammers who would be inclined to try to retaliate against an anti- by some kind of revenge attack, which is another matter.

So, we have spammers and spammers and spammers -- then we have mungers and mungers and mungers. There is no mungeing. There is 'simple' spamcop mungeing.
Then there is uber-mungeing - in which there is additional mungeing beyond what SC performs - then uber-uber-mungeing which is beyond what SC permits -- then uber-alles-mungeing in which the mungeing is beyond all reason, rendering the 'evidence' relatively worthless to many abuse desks, some of whom won't even accept SC standard mungeing.

--
Mike Easter
kibitzer, not SC admin

From gezgin at spamcop.net Tue Oct 4 23:34:04 2005
From: gezgin at spamcop.net (Gezgin)
Date: Tue Oct 4 15:35:03 2005
Subject: [SpamCop-List] Re: What is Cyveillance giving back?
References:
Message-ID:

"Richard Zuidhof" wrote
> I really like to know more about trends in what spam is
> reported.

Having contributed to Cyveillance since the outset, so would I.

What good is it?

--
Bob

Kanyak's Doghouse
http://www.kanyak.com

From nobody at devnull.spamcop.net Tue Oct 4 15:36:21 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Tue Oct 4 15:40:03 2005
Subject: [SpamCop-List] Re: munging not sufficient
References: <433F9EEE.E884EFB6@nopspam.invalid> <4342B512.C614C2D1@nopspam.invalid>
Message-ID:

"Mike Easter" wrote in message news:dhugc4$sdq$1@news.spamcop.net...
> Anton Haumer wrote:
>
> > Well I'm unsure about mungeing ...
> > I could also consider:
> > "If a spammer sees enough reports sent by me (unmunged!)
> > he will avoid troubles and delete my address ..."
> >
> > Wrong?
>
> There are spammers and there are spammers and then there are spammers.

Added "over there" under the Parsing & Reporting Service block.
Forum version of the SpamCop FAQ
http://forum.spamcop.net/forums/index.php?showtopic=2238
This entry at "NEW! Insufficient Munging? Spammer 'Remove Lists'"
http://forum.spamcop.net/forums/index.php?showtopic=5062

From blacklist-me at davjam.org Tue Oct 4 21:55:32 2005
From: blacklist-me at davjam.org (David Bolt)
Date: Tue Oct 4 16:35:04 2005
Subject: [SpamCop-List] Re: What is Cyveillance giving back?
References:
Message-ID:

On Tue, 4 Oct 2005, Steven Maesslein wrote:-

>On Tue, 4 Oct 2005 11:06:04 +0200, Steven Maesslein coughed into spamcop
>and left this in :
>
>> Cy also has a web spider that crawls across the 'Net looking for
>> trademark infringements, but the spider doesn't observe a site's
>> "robots.txt" file
>
>Apologies for the self-fup...
>
>I forgot to add that Cyveillance's spider also masquerades as a standard
>desktop browser (I forget whether it's IE or Moz but that's irrelevant)
>in an attempt to thwart protection that site owners might install based
>on the User-Agent string.

Doesn't everyone have something similar to the following in their .htaccess files?

# CYVEILLANCE Grabbing on 2003-05-19
#
Deny from 63.100.163.0/24
Deny from 63.148.99.0/24
Deny from 65.118.41.0/24
#

Regards,
David Bolt

--
Member of Team Acorn checking nodes at 50 Mnodes/s: http://www.distributed.net/
AMD 1800 1Gb WinXP/SuSE 9.3 | AMD 2400 160Mb SuSE 8.1 | AMD 2400 256Mb SuSE 9.0
AMD 1300 512Mb SuSE 9.0 | Falcon 14Mb TOS 4.02 | STE 4Mb TOS 1.62
RPC600 129Mb RISCOS 3.6 | A3010 4Mb RISCOS 3.11 | A4000 4Mb RISCOS 3.11

From nobody at devnull.spamcop.net Tue Oct 4 18:03:17 2005
From: nobody at devnull.spamcop.net (Pop)
Date: Tue Oct 4 17:05:03 2005
Subject: [SpamCop-List] Re: What is Cyveillance giving back?
References:
Message-ID:

Do a search of the old threads; lots of discussion on it at one time.

"Gezgin" wrote in message news:dhulfc$g9$1@news.spamcop.net...
: "Richard Zuidhof" wrote
:
: > I really like to know more about trends in what spam is
: > reported.
:
: Having contributed to Cyveillance since the outset, so would
: I.
:
: What good is it?
:
: --
: Bob
:
: Kanyak's Doghouse
: http://www.kanyak.com
:

From philip at pch.home.cs.vu.nl Wed Oct 5 00:58:38 2005
From: philip at pch.home.cs.vu.nl (Philip Homburg)
Date: Tue Oct 4 18:20:13 2005
Subject: [SpamCop-List] Re: IBM spamming?
References:
Message-ID:

In article , Mike Easter wrote:
>I would 'train' that pledged passive antispammer to examine any mail
>considered 'uncertain' - where uncertain is based on the question of
>whether the 'reader' should consider the analysis by the spamfilter
>[such as SpamPal or SpamAssassin or such] in 'question' ie the
>spamfilter said it was spam and the reader is doubting it, or the
>spamfilter said it was ham and the reader is doubting that. Such
>'questioning' could cause the would-be 'reader' of some uncertain item
>to analyze the item by its headers first.

My ISP maintains a SpamAssassin configuration.

From what I read in the newsgroups, one of the big problems is false positives. Some organizations (like Yahoo) try to trigger as many SA rules as possible). On the other hand, I regularly get spam that triggers almost no SA rules.

I don't use the e-mail account at my ISP for real mail (other than announcements from my ISP), so I don't how big the false positive problem really is. My guess is that I'm not going to blindly trust any SA analysis.

So, what you are proposing is for me a complete waste of time. I can safely open an e-mail and classify it as spam in a few seconds. Studying the SA analysis takes much longer and provides me with no benefits other than that it satisfies my curiosity with respect to the accuracy of SA.

--
That was it. Done. The faulty Monk was turned out into the desert where it could believe what it liked, including the idea that it had been hard done by. It was allowed to keep its horse, since horses were so cheap to make.
-- Douglas Adams in Dirk Gently's Holistic Detective Agency

From nobody at spamcop.net Tue Oct 4 16:47:51 2005
From: nobody at spamcop.net (N. Miller)
Date: Tue Oct 4 18:50:08 2005
Subject: [SpamCop-List] Re: How to Rattle This Guy's Cage?
References: <43427912.17EDB4B5@SpamCop.net.dev.null> Message-ID: <462oa8nyzhdz.dlg@news.spamcop.net> On Tue, 04 Oct 2005 07:44:02 -0500, Michael Brennan wrote: > Notice that registrant gives only a ZIP code in southern California > (probably phony). I know that the San Andreas fault is a strike/slip fault, and the western side is moving northward. But it really isn't moving fast enough to locate San Diego, CA in the vicinity of Seattle, WA any time within the lifetimes of my children's children's children's children. -- Norman ~Win dain a lotica, En vai tu ri, Si lo ta ~Fin dein a loluca, En dragu a sei lain ~Vi fa-ru les shutai am, En riga-lint From MikeE at ster.invalid Tue Oct 4 17:50:06 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue Oct 4 19:50:13 2005 Subject: [SpamCop-List] Re: IBM spamming? References: Message-ID: Philip Homburg wrote: > Mike Easter >> I would 'train' that pledged passive antispammer to examine any mail >> considered 'uncertain' - > My ISP maintains a SpamAssassin configuration. You and I are not having an 'agreeable' or compatible discussion because we've lost track of the original premises. You are arguing against /one/ of the items on a list of options I provided - and the list of options was a set of choices for some person to make. You chose the passive antispammer whose goal was to not open [or even to report, since that would be a more active antispammer] any spam and who would be configured with a user configured SA or SP type filter. Instead, what you are saying is that you would make a different choice than being that passive antispammer with a user configured filter - and further that you would choose to open some spam. I also have this same argument or discussion with advanced antispammers who would choose to open some spam. 
I have no way to tell silly spamreaders from other spam openers without observing them in action; so I can't call you a silly spamreader -- all I know is that you 'want to' open spam for some reason or another. > From what I read in the newsgroups, one of the big problems is false > positives. Some organizations (like Yahoo) try to trigger as many SA > rules as possible). On the other hand, I regularly get spam that > triggers almost no SA rules. That is one of the disadvantages to using a provider controlled spamfilter which you cannot configure yourself. My personal choice is to not even use my provider provided spamfilter. I turn it off. > I don't use the e-mail account at my ISP for real mail (other than > announcements from my ISP), so I don't how big the false positive > problem really is. My guess is that I'm not going to blindly trust > any SA analysis. I wouldn't blindly trust any spamfilter which I did not personally configure. And I don't 'blindly' trust even my own personally configured spamfilter. > So, what you are proposing is for me a complete waste of time. I can > safely open an e-mail and classify it as spam in a few seconds. I have no idea whether you can 'safely' open an email or not. I also have no idea what you do or think or how you behave mentally while you are reading the spam you are opening. > Studying the SA analysis takes much longer and provides me with no > benefits other than that it satisfies my curiosity with respect to > the accuracy of SA. It is of much less use to 'study' some SA analysis which you do not control. The purpose of studying a spamfilter's analysis is for purposes of reconfiguring the filter. If you can't reconfigure the filter, the studying doesn't provide much 'function' -- except to whine to the provider about how the spam filter is or is not configured. 

--
Mike Easter
kibitzer, not SC admin

From edb2000 at spamcop.net Tue Oct 4 21:16:38 2005
From: edb2000 at spamcop.net (Don Wannit)
Date: Tue Oct 4 23:20:03 2005
Subject: [SpamCop-List] Yeah, right...
Message-ID:

Sent to my SC address; as if claiming to be sending spam on behalf of charities makes it OK. Of all the addresses to send it to, wouldn't you think a @ spamcop.net address would be least likely of all to fall for it?

http://www.spamcop.net/sc?id=z812079714z71e85c2f86e62db36513c19129c622e3z

--
Don Wannit
A paid SpamCop user since 1999

From bar_n0ne at hotmail.com Wed Oct 5 10:04:04 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Wed Oct 5 01:05:21 2005
Subject: [SpamCop-List] Re: munging not sufficient
References: <433F9EEE.E884EFB6@nopspam.invalid> <4342B512.C614C2D1@nopspam.invalid>
Message-ID:

"WazoO" wrote in message news:dhuljm$pt$1@news.spamcop.net...
> "Mike Easter" wrote in message
> news:dhugc4$sdq$1@news.spamcop.net...
> > Anton Haumer wrote:
> >
> > > Well I'm unsure about mungeing ...
> > > I could also consider:
> > > "If a spammer sees enough reports sent by me (unmunged!)
> > > he will avoid troubles and delete my address ..."
> > >
> > > Wrong?

I have a suspicion that some of the big time US networked spammers (Lindsay for example) will remove some anti's from the lists they deliver to using "almost mainsleaze" services from companies like XO, and Spammis, er, Savvis, when SC reports become sufficiently annoying to these ISP's. But that is a small minority of overall spam, and the listwashing usually takes months to happen, and for all I know those ISP's simply block the sending of any mail from their networks to aggressive complainers, doing the work for the spammer.

Otherwise I would say Mike is right, most spammers' list management consists of adding addresses whenever and wherever they find them. They don't even seem interested in removing duplicates.
From edb2000 at spamcop.net Wed Oct 5 00:21:06 2005 From: edb2000 at spamcop.net (Don Wannit) Date: Wed Oct 5 02:25:05 2005 Subject: [SpamCop-List] Re: Public Spamtraps In-Reply-To: References: Message-ID: Dave Lerner wrote: > See Project Honeypot does look interesting. At my first reading of the various information on their web site, it looks like their goal is to collect information with potential use in prosecuting spammers (such as under CANSPAM, which explicitly makes harvesting email addresses illegal). I didn't see anything about feeding the caught spam injection IPs into a DNSbl. The closest I found is this passage in their discussion Message Board: > As soon as our volume of spam picks up we're also going to begin > sharing our data with other anti-spam services. For example, we've > already agreed to give any spamvertised URLs to the SURBL service. > We'd like to share our corpus of data with other open source > anti-spam projects in order to help the technical spam community as > well. Key to making the resource as valuable as possible is getting > as many honey pots installed as we can. We're off to a great start, > but probably need at least double the number of installed honey pots > before we're reliably capturing a sizable chunk of harvesters and > spammers on a virtually real-time basis. Sharing spamvertised URLs gleaned from spam sent to honeypot addresses is not at all the same as a DNSbl listing the IP addresses of the sources of those spam emails. Even though Project Honeypot is still a Public Beta, it sure would interest me, as a SpamCop email filtering service user, to have a DNSbl based on Project Honeypot to choose for deflecting/holding spam. Is there any official or semi-official notice by SpamCop of Project Honeypot? 

--
Don Wannit
A paid SpamCop user since 1999

From edb2000 at spamcop.net Wed Oct 5 00:39:58 2005
From: edb2000 at spamcop.net (Don Wannit)
Date: Wed Oct 5 02:40:03 2005
Subject: [SpamCop-List] Re: What is Cyveillance giving back?
In-Reply-To:
References:
Message-ID:

David Bolt wrote:
> On Tue, 4 Oct 2005, Steven Maesslein wrote:-
>
>
>>On Tue, 4 Oct 2005 11:06:04 +0200, Steven Maesslein coughed into spamcop
>>and left this in :
>>
>>
>>>Cy also has a web spider that crawls across the 'Net looking for
>>>trademark infringements, but the spider doesn't observe a site's
>>>"robots.txt" file
>>
>>Apologies for the self-fup...
>>
>>I forgot to add that Cyveillance's spider also masquerades as a standard
>>desktop browser (I forget whether it's IE or Moz but that's irrelevant)
>>in an attempt to thwart protection that site owners might install based
>>on the User-Agent string.
>
>
> Doesn't everyone have something similar to the following in their
> .htaccess files?
>
>
> # CYVEILLANCE Grabbing on 2003-05-19
> #
> Deny from 63.100.163.0/24
> Deny from 63.148.99.0/24
> Deny from 65.118.41.0/24
> #
>

I had them also at address 216.32.64.10 which was hosted/colo by layeredtech.com at some point in the past. Any idea whether that's old data, or maybe an attempt by Cyveillance to do some scanning from other than their well-known subnets?

--
Don Wannit
A paid SpamCop user since 1999

From bar_n0ne at hotmail.com Wed Oct 5 13:33:27 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Wed Oct 5 04:35:12 2005
Subject: [SpamCop-List] kornets bit bucket, finally overflowed
Message-ID:

Larts going to Dave Null now, the pretense of handling abuse seems to have ended.

From nobody at nowhere.invalid Wed Oct 5 11:57:45 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Wed Oct 5 05:00:33 2005
Subject: [SpamCop-List] Re: Yeah, right...
References: Message-ID: On Tue, 04 Oct 2005 20:16:38 -0700, Don Wannit coughed into spamcop and left this in : > http://www.spamcop.net/sc?id=z812079714z71e85c2f86e62db36513c19129c622e3z That's Bobby Soloway again. Still spamming and therefore in contempt of a court order. -- Steve "Thank you for calling the Incontinence hotline. Please hold." From hcd5rma02 at sneakemail.com Wed Oct 5 12:11:38 2005 From: hcd5rma02 at sneakemail.com (Arne Bolen) Date: Wed Oct 5 05:16:18 2005 Subject: [SpamCop-List] Re: IBM spamming? References: <7q4enbnog57vgdb055gpo8p3t0@inews_id.stereo.hq.phicoh.net> <2p9813-v84.ln1@ursine.ca> Message-ID: wrote in: > I have my MTA set up to only use the smarthost if the destination site > has the mistaken belief that dynamic IPs are always spammers. I don't > run everything through the smarthost, because the site that operates > that smarthost isn't trustworthy and frequently gets blocked by other > sites. I'd switch in a heartbeat if there was any competition at all > in my area. You could look outside your own area. There are plenty of mail providers you could use as a smarthost. From baloo at ursine.ca Wed Oct 5 11:02:16 2005 From: baloo at ursine.ca (baloo@ursine.ca) Date: Wed Oct 5 13:10:04 2005 Subject: [SpamCop-List] Re: IBM spamming? References: <7q4enbnog57vgdb055gpo8p3t0@inews_id.stereo.hq.phicoh.net> <2p9813-v84.ln1@ursine.ca> Message-ID: Arne Bolen wrote: > You could look outside your own area. There are plenty of mail providers you > could use as a smarthost. The point is, I shouldn't have to pay someone else to do what I can do myself. From baloo at ursine.ca Wed Oct 5 12:48:24 2005 From: baloo at ursine.ca (baloo@ursine.ca) Date: Wed Oct 5 15:10:02 2005 Subject: [SpamCop-List] Re: How to Rattle This Guy's Cage? References: <43427912.17EDB4B5@SpamCop.net.dev.null> <462oa8nyzhdz.dlg@news.spamcop.net> Message-ID: N. 
Miller wrote: > On Tue, 04 Oct 2005 07:44:02 -0500, Michael Brennan wrote: > >> Notice that registrant gives only a ZIP code in southern California >> (probably phony). > > I know that the San Andreas fault is a strike/slip fault, and the western > side is moving northward. But it really isn't moving fast enough to locate > San Diego, CA in the vicinity of Seattle, WA any time within the lifetimes > of my children's children's children's children. Never mind that roughly two thirds of Oregon and Washington residents are idiots from California dragging us down, no? From redford_stone at INVERSE_OF_COLDmail.com Wed Oct 5 20:39:34 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Wed Oct 5 15:40:04 2005 Subject: [SpamCop-List] Re: Pump & Dump--why? References: <290920050916518028%news@REMOVECAPSalanharper.com> <433C27AD.AE65876@spamcop.net> Message-ID: "Porpoise" wrote in news:dhlv42$c91$1 @news.spamcop.net: > > > Yeah! Make 'em BLeed........... [;-)> > > Now that is a clever play on words. :-) From redford_stone at INVERSE_OF_COLDmail.com Wed Oct 5 20:42:43 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Wed Oct 5 15:45:03 2005 Subject: [SpamCop-List] Re: Question for everyone about SBC/Pacbell References: Message-ID: "N. Miller" wrote in news:oxw86majwfj2$.dlg@news.spamcop.net: > > I get about one-tenth as much proxy spam from SBC space (including all > nine SBC domains) as I did a year ago. Until last March, SBC was ahead > of, then, for a while, equal to Comcast as a proxy spam source. Now > they are way behind Comcast. Indeed, indications are that Comcast is > now the number one source of proxy spam among the U.S. HSI providers. > I can add up my Bellsouth, SBC, USWest/Qwest, and Verizon proxy spam, > and throw in Charter, Cox, Optimum Online, and Road Runner for good > measure, and only just come short of equaling the proxy spam which > comes from Comcast customers. 
I don't know if all of them block port 25
> outbound; SBC, of course, and, I think Bellsouth.
>

I think that the static IPs (those that have an SBC business account) still have port 25 access. (So BLing them would be an IP that sticks on the same trojaned host.) But either case, this is good news. Other than trying to crack for identity-theft, it seems that spammers will have little to no use for SBC DSL connection.

From redford_stone at INVERSE_OF_COLDmail.com Wed Oct 5 20:48:58 2005
From: redford_stone at INVERSE_OF_COLDmail.com (Redstone)
Date: Wed Oct 5 15:50:03 2005
Subject: [SpamCop-List] Re: kornets bit bucket, finally overflowed
References:
Message-ID:

"Berny" wrote in news:di034p$pqn$1@news.spamcop.net:

> Larts going to Dave Null now, the pretense of handling abuse seems to
> have ended.
>
>
>

That is until the clueless on their network complain that they can't send email.

From nobody at nowhere.invalid Wed Oct 5 22:51:37 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Wed Oct 5 15:55:02 2005
Subject: [SpamCop-List] Re: kornets bit bucket, finally overflowed
References:
Message-ID:

On Wed, 5 Oct 2005 19:48:58 +0000 (UTC), Redstone coughed into spamcop and left this in :

> That is until the clueless on their network complain that they can't send
> email.

Isn't that the normal state of affairs anyway? :)

--
Steve

I don't approve of political jokes... I've seen too many of them get elected.

From spamcop at 1bigthink.com Wed Oct 5 16:58:43 2005
From: spamcop at 1bigthink.com (spamcop)
Date: Wed Oct 5 15:58:43 2005
Subject: [SpamCop-List] Re: How to Rattle This Guy's Cage?
In-Reply-To:
References: <43427912.17EDB4B5@SpamCop.net.dev.null> <462oa8nyzhdz.dlg@news.spamcop.net>
Message-ID: <6.2.3.4.0.20051005155811.06d8bfc0@mxt.1bigthink.com>

At 02:48 PM 10/5/2005, you wrote:
>N. Miller wrote:
> > On Tue, 04 Oct 2005 07:44:02 -0500, Michael Brennan wrote:
> >
> >> Notice that registrant gives only a ZIP code in southern California
> >> (probably phony).
> >
> > I know that the San Andreas fault is a strike/slip fault, and the western
> > side is moving northward. But it really isn't moving fast enough to locate
> > San Diego, CA in the vicinity of Seattle, WA any time within the lifetimes
> > of my children's children's children's children.
>
>Never mind that roughly two thirds of Oregon and Washington residents
>are idiots from California dragging us down, no?

They want you to Cali-fornicate!

From blacklist-me at davjam.org Thu Oct 6 00:57:56 2005
From: blacklist-me at davjam.org (David Bolt)
Date: Wed Oct 5 19:05:03 2005
Subject: [SpamCop-List] Re: What is Cyveillance giving back?
References:
Message-ID:

On Tue, 4 Oct 2005, Don Wannit wrote:-

>David Bolt wrote:
>> # CYVEILLANCE Grabbing on 2003-05-19
>> #
>> Deny from 63.100.163.0/24
>> Deny from 63.148.99.0/24
>> Deny from 65.118.41.0/24

Looks like time for a minor update is required. Now their entries are:

Deny from 63.148.99.224/227
Deny from 65.118.41.192/27
Deny from 65.213.208.128/27
Deny from 65.222.176.96/27

>> #
>>
>
>
>I had them also at address 216.32.64.10 which was hosted/colo
>by layeredtech.com at some point in the past. Any idea whether
>that's old data, or maybe an attempt by Cyveillance to do some
>scanning from other than their well-known subnets?

No idea, although they could be. Then again, it may be someone completely different.

Regards,
David Bolt

--
Member of Team Acorn checking nodes at 50 Mnodes/s: http://www.distributed.net/
AMD 1800 1Gb WinXP/SuSE 9.3 | AMD 2400 160Mb SuSE 8.1 | AMD 2400 256Mb SuSE 9.0
AMD 1300 512Mb SuSE 9.0 | Falcon 14Mb TOS 4.02 | STE 4Mb TOS 1.62
RPC600 129Mb RISCOS 3.6 | A3010 4Mb RISCOS 3.11 | A4000 4Mb RISCOS 3.11

From blacklist-me at davjam.org Thu Oct 6 01:37:43 2005
From: blacklist-me at davjam.org (David Bolt)
Date: Wed Oct 5 19:40:02 2005
Subject: [SpamCop-List] Re: What is Cyveillance giving back?
References:
Message-ID:

On Wed, 5 Oct 2005, David Bolt wrote:-

>Deny from 63.148.99.224/227

Should be:

Deny from 63.148.99.224/27

Regards,
David Bolt

--
Member of Team Acorn checking nodes at 50 Mnodes/s: http://www.distributed.net/
AMD 1800 1Gb WinXP/SuSE 9.3 | AMD 2400 160Mb SuSE 8.1 | AMD 2400 256Mb SuSE 9.0
AMD 1300 512Mb SuSE 9.0 | Falcon 14Mb TOS 4.02 | STE 4Mb TOS 1.62
RPC600 129Mb RISCOS 3.6 | A3010 4Mb RISCOS 3.11 | A4000 4Mb RISCOS 3.11

From nobody at spamcop.net Wed Oct 5 22:40:06 2005
From: nobody at spamcop.net (Claudio Valderrama C.)
Date: Wed Oct 5 21:40:34 2005
Subject: [SpamCop-List] To abuse.net or not to abuse.net
Message-ID:

Hello, where can I find information (if one) of the criterion used by SC to decide whether to query abuse.net or not?

I today filed a spam report
http://members.spamcop.net/sc?id=z812408191zbf76c957c7b6a6ea5617a5ba6001fe6dz
where the source domain is controlled by gtdinternet.com. The ISP is gray hat for me, but that's not the issue: SC gets the contact address from the whois (jolea at gtdinternet.com) an account that doesn't pay attention to emails. I don't understand under which rule SC doesn't query abuse.net, so I went to abuse.net and extracted manually the correct abuse addresses (even if the ISP pays lip service to spam fighting). Thus why doesn't SC go to abuse.net in this case?

C.
--
Claudio Valderrama C.
SW developer, consultant.
http://www.cvalde.net - http://www.firebirdsql.org

From nobody at devnull.spamcop.net Thu Oct 6 11:38:37 2005
From: nobody at devnull.spamcop.net (Patto)
Date: Wed Oct 5 21:40:52 2005
Subject: [SpamCop-List] Quick reporting: The e-mail address could not be found
Message-ID:

When trying to send spam to my quick report address, I get the following

"The e-mail address could not be found. Perhaps the recipient moved to a different e-mail organization, or there was a mistake in the address. Check the address and try again."

Anyone else experiencing problems with quick reporting?
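
Added example, not part of any post in this thread: the .htaccess deny list discussed above was posted with the entry 63.148.99.224/227 and corrected to /27 in a follow-up, so the Python sketch below lints `Deny from` lines for invalid prefixes, host bits set, and blocks already covered by a wider entry. The names `parse_target`, `lint_deny_rules` and `POSTED_RULES` are made up for this example, the sample text is constructed by joining the two lists quoted in the thread, and only full addresses, CIDR blocks and netmask forms are checked.

```python
import ipaddress
import re

# Matches an old-style Apache access-control line: "Deny from <targets...>".
DENY_RE = re.compile(r"^\s*Deny\s+from\s+(.*)$", re.IGNORECASE)

# Constructed sample: the 2003 list followed by the update as first posted.
POSTED_RULES = """\
# CYVEILLANCE Grabbing on 2003-05-19
#
Deny from 63.100.163.0/24
Deny from 63.148.99.0/24
Deny from 65.118.41.0/24
Deny from 63.148.99.224/227
Deny from 65.118.41.192/27
Deny from 65.213.208.128/27
Deny from 65.222.176.96/27
"""


def parse_target(token):
    """Parse one 'Deny from' argument into (network, error).

    Both values are None for arguments this check does not cover
    (hostnames, 'all', partial addresses such as '63.148').
    """
    if "/" not in token:
        try:
            # A full address is treated as a single-host network.
            return ipaddress.ip_network(token), None
        except ValueError:
            return None, None
    try:
        return ipaddress.ip_network(token, strict=True), None
    except ValueError:
        pass
    try:
        # Parses only if the prefix is valid and just the host bits are off.
        loose = ipaddress.ip_network(token, strict=False)
    except ValueError:
        return None, "invalid address or prefix length"
    return None, f"host bits set, network is {loose}"


def lint_deny_rules(text):
    """Return a sorted list of (line_number, message) findings."""
    findings = []
    accepted = []  # (line_number, network) for every entry that parsed
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = DENY_RE.match(line)
        if not match:
            continue  # comments, blank lines, other directives
        for token in match.group(1).split():
            network, error = parse_target(token)
            if error:
                findings.append((lineno, f"{token}: {error}"))
            elif network is not None:
                accepted.append((lineno, network))

    # Compare every accepted entry with every other one.
    for i, (lineno, net) in enumerate(accepted):
        for j, (other_line, other) in enumerate(accepted):
            if i == j or net.version != other.version:
                continue
            if net == other:
                if j < i:  # report only the later copy
                    findings.append(
                        (lineno, f"{net}: duplicate of line {other_line}"))
            elif net.subnet_of(other):
                findings.append(
                    (lineno,
                     f"{net}: already covered by {other} on line {other_line}"))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, message in lint_deny_rules(POSTED_RULES):
        print(f"line {lineno}: {message}")
```

The covered-by findings matter only if the old /24 entries stay in the file; if the /27 blocks replace them, the denied range shrinks instead.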

From nobody at spamcop.net Wed Oct 5 22:45:24 2005
From: nobody at spamcop.net (Claudio Valderrama C.)
Date: Wed Oct 5 21:45:02 2005
Subject: [SpamCop-List] Re: kornets bit bucket, finally overflowed
References:
Message-ID:

"Redstone" wrote in message news:Xns96E68261786E5tinlc@216.154.195.61...
> "Berny" wrote in
> news:di034p$pqn$1@news.spamcop.net:
>
> > Larts going to Dave Null now, the pretense of handling abuse seems to
> > have ended.
>
> That is until the clueless on their network complain that they can't send
> email.

This rejection state would be already normal for any target relying on http://korea.services.net/ :-)
It's a pity that a supposed developed country like South Korea doesn't want to put pressure on its ISPs to be more decent.

C.

From dwvbo91q4001 at sneakemail.com Thu Oct 6 05:26:54 2005
From: dwvbo91q4001 at sneakemail.com (Tim P.)
Date: Thu Oct 6 00:30:04 2005
Subject: [SpamCop-List] Amusing notes added by spammer???
Message-ID:

I found this written under added notes section when checking for report responses to user defined recip's:

/quote/

Monday, October 03, 2005 09:59:19 -0500 [Note added by 24.162.23.52 (cpe-24-162-23-52.houston.res.rr.com)]
No action required. Nothing we can do on this end.

Tuesday, October 04, 2005 09:05:35 -0500 [Note added by 24.162.23.52 (cpe-24-162-23-52.houston.res.rr.com)]
This message did not come from us.

Tuesday, October 04, 2005 09:06:10 -0500 [Note added by 24.162.23.52 (cpe-24-162-23-52.houston.res.rr.com)]
This message did not come from us.

Tuesday, October 04, 2005 09:12:40 -0500 [Note added by 24.162.23.52 (cpe-24-162-23-52.houston.res.rr.com)]
This message did not come from us.

Tuesday, October 04, 2005 09:12:59 -0500 [Note added by 24.162.23.52 (cpe-24-162-23-52.houston.res.rr.com)]
This message did not come from us.

Tuesday, October 04, 2005 09:13:20 -0500 [Note added by 24.162.23.52 (cpe-24-162-23-52.houston.res.rr.com)]
This message did not come from us.

Tuesday, October 04, 2005 09:14:18 -0500 [Note added by 24.162.23.52 (cpe-24-162-23-52.houston.res.rr.com)]
PFJI_____________________________________oned@bellsouth.net

Tuesday, October 04, 2005 09:29:18 -0500 [Note added by 24.162.23.52 (cpe-24-162-23-52.houston.res.rr.com)]
All i hear is wan wan wan i got emailed. Bah! My grandma gets more spam than you. This spam didn't come from our network girlymen with nothing more to do that watch other people's mail. Get a real job! Let's see i get 2 - 5 spam emails a day and 40 spamcop reports to deal with? Who's worse?

Tuesday, October 04, 2005 09:31:52 -0500 [Note added by 24.162.23.52 (cpe-24-162-23-52.houston.res.rr.com)]
All i hear is wan wan wan i got emailed. Bah! My grandma gets more spam than you. This spam didn't come from our network girlymen with nothing more to do that watch other people's mail. Get a real job! Let's see i get 2 - 5 spam emails a day and 40 spamcop reports to deal with? Who's worse?

Tuesday, October 04, 2005 09:42:26 -0500 [Note added by 24.162.23.52 (cpe-24-162-23-52.houston.res.rr.com)]
spammers cost me money and waste my time. Spamcop costs me money and wastes my time because it doesn't do anything in the long run. It's short term bandaids don't do anything really. In fact spamcop makes it so that spammers can charge higher prices because to send spam it's "harder" now.

/endquote/

Funny how they never respond directly.

What a dufus.

--
Tim P
Very content SpamCop Subscriber since 4/2002

From nobody at devnull.spamcop.net Thu Oct 6 14:30:23 2005
From: nobody at devnull.spamcop.net (Patto)
Date: Thu Oct 6 00:35:02 2005
Subject: [SpamCop-List] Re: Quick reporting: The e-mail address could not be found
In-Reply-To:
References:
Message-ID:

Patto wrote:
> When trying to send spam to my quick report address, I get the following
> "The e-mail address could not be found. Perhaps the recipient moved to
> a different e-mail organization, or there was a mistake in the address.
> Check the address and try again."
>
> Anyone else experiencing problems with quick reporting?

Resubmitting a few minutes later succeeded.

From MikeE at ster.invalid Thu Oct 6 00:18:05 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Oct 6 02:20:08 2005
Subject: [SpamCop-List] Re: To abuse.net or not to abuse.net
References:
Message-ID:

Claudio Valderrama C. wrote:
> Hello, where can I find information (if one) of the criterion used by
> SC to decide whether to query abuse.net or not?

I can't answer the 'why' - but for source, SC does the whois on the RIR and notifies the admin/tech role address unless the RIR shows an abuse contact. For spamvertiser, SC does the whois on the RIR and notifies the abuse.net reg'd contacts for the domainname of the admin/tech. That is the case even if there isn't a reg'd abuse.net contact, in which case SC would use the default postmaster address instead of the listed admin/tech addy.

> I today filled a spam report

spamcop.net/sc?id=z812408191zbf76c957c7b6a6ea5617a5ba6001fe6dz

That report shows that pattern. lacnic admin/tech contact, not abuse.net for spamsource which means that SC uses jolea instead of administrador.red soporte abuse postmaster all at gtdinternet.com whereas for spamvertiser, SC uses the default pm which is /not/ listed at abuse.net [nor even recommended by abuse.net, which recommends abuse@ instead of pm@ for the default notify address] instead of the lacnic listed netadmin@TELEX.CL

Personally, when I do manual notifies, I don't notify in the 'style' of spamcop. My approach is to derive an estimation of the hat color of the IP based on whether or not it is listed in 'responsiveness index' such as spews or spamhaus. Separate from the responsiveness index, I include a 'language index' -- for example these IPs are Chilean. I would like to have about 4 'logical' addresses for a lacnic such as .cl.

The two IPs in this case are 201.238.224.50 no rDNS spamsource and 200.29.162.253 no rDNS spamvertiser.
SC's choices are the lacnic listed contact jolea@gtdinternet.com for source and the 'unlisted' default postmaster@telex.cl for spamvertiser.

Those IPs are not spews or spamhaus listed, so I would try to use multiple addresses for the providers, namely the lacnic listed contact/s plus any abuse.net listeds. In this case that would be

source:
jolea@gtdinternet.com [lacnic contact]
plus the abuse.net listings
administrador.red@gtdinternet.com
soporte@gtdinternet.com
abuse@gtdinternet.com
postmaster@gtdinternet.com (for gtdinternet.com)

and

spamvertiser:
netadmin@TELEX.CL
+ since the spamvertiser domainname doesn't have an abuse.net listing, I would also notify the ASN parent or upstream adjacency on the basis of no abuse.net listing
200.29.162.253 = ASN6535 = Chilesat Servicios Empresariales
netadmin@CHILESAT.NET
+ abuse.net has no reg'd contacts listed

Since the 'routing' parent of telex.cl also has no abuse.net listings, you could justify notifying their upstream
AS6429 Core Internet AT&T Chile
netadmin@IP.TELMEXCHILE.CL
and that's about as far as you can go.

But all that gives you 3 rational notifies for the spamvertiser and 5 rational notifies for the spamsource.

> The ISP is gray hat for me, but that's not the issue: SC gets the
> contact address from the whois (jolea at gtdinternet.com) an account
> that doesn't pay attention to emails. I don't understand under which
> rule SC doesn't query abuse.net, so I went to abuse.net and extracted
> manually the correct abuse addresses (even if the ISP pays lip
> service to spam fighting).

That's good to notify the way you did. You could also add additionals for the spamvertiser.

> Thus why doesn't SC go to abuse.net in this case?

From the beginning; I don't know 'why' -- I just know that the algorithm's notify strategy is different for spamsource vs spamvertisers.

--
Mike Easter
kibitzer, not SC admin

From pete+usenet at heypete.com Thu Oct 6 01:55:16 2005
From: pete+usenet at heypete.com (Pete Stephenson)
Date: Thu Oct 6 04:00:02 2005
Subject: [SpamCop-List] Not receiving email at SpamCop?
Message-ID:

Greetings all,

Is there any way to still have SpamCop forward me mail in response to spam reports that I file, but send me any other messages?

In other words, send mail addressed to [reportID]@reports.spamcop.net back to my private address, but things sent directly to heypete@spamcop.net should be bit-bucketed.

Now that I've been working on getting better filters on my end, nearly 90% of the spam that I receive comes to my SpamCop address, which my server-level DNSbl filters aren't effective against...as SpamCop is clearly not blocked.

I don't want to bother setting up filters on my actual SpamCop account, because I simply don't use the account and wouldn't want mail to pile up and waste disk space. Just binning/bouncing all mail except those in response to individual reports would be nice.

Can this be done? Is there any way of maintaining the benefits of my account (i.e. quick reporting) without having to have the SpamCop email account? Maybe switch it over a reporting-only account, if such a thing exists (it's been a while since I've looked at the account options)?

Cheers!

--
Pete Stephenson
HeyPete.com

From nobody at nowhere.invalid Thu Oct 6 11:54:44 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Thu Oct 6 04:56:05 2005
Subject: [SpamCop-List] Re: What is Cyveillance giving back?
References:
Message-ID:

On Wed, 5 Oct 2005 23:57:56 +0100, David Bolt coughed into spamcop and left this in :

> Looks like time for a minor update is required. Now their entries are:
>
> Deny from 63.148.99.224/227
> Deny from 65.118.41.192/27
> Deny from 65.213.208.128/27
> Deny from 65.222.176.96/27

Thanks for the update!
I didn't have the last 2 ranges but have just duly added them to the firewall :)

--
Steve
"Thank you for calling the Incontinence hotline. Please hold."

From Nobody at SpamCop.net.dev.null Thu Oct 6 06:41:35 2005
From: Nobody at SpamCop.net.dev.null (Michael Brennan)
Date: Thu Oct 6 06:45:32 2005
Subject: [SpamCop-List] Re: How to Rattle This Guy's Cage?
References: <43427912.17EDB4B5@SpamCop.net.dev.null> <462oa8nyzhdz.dlg@news.spamcop.net>
Message-ID: <4344FF5F.79311033@SpamCop.net.dev.null>

"N. Miller" wrote:
>
> On Tue, 04 Oct 2005 07:44:02 -0500, Michael Brennan wrote:
>
> > Notice that registrant gives only a ZIP code in southern California
> > (probably phony).
>
> I know that the San Andreas fault is a strike/slip fault, and the western
> side is moving northward. But it really isn't moving fast enough to locate
> San Diego, CA in the vicinity of Seattle, WA any time within the lifetimes
> of my children's children's children's children.
>

Thanks, guys, for the correction -- saw the "9" and thought it was another Newport Beach ZIP scribbled in by Michael Lindsay on the back of whatever postcards he uses to register his servers.

Thanks for the suggestions about contacting yesnic and ICANN.

Michael

From Nobody at SpamCop.net.dev.null Thu Oct 6 06:47:50 2005
From: Nobody at SpamCop.net.dev.null (Michael Brennan)
Date: Thu Oct 6 06:50:04 2005
Subject: [SpamCop-List] Whitehats That Refuse Munged Reports?
Message-ID: <434500D6.87C4F68C@SpamCop.net.dev.null>

I notice that Earthlink refuses munged reports and I was wondering whether to LART them manually, using my webmail account, or just check the box. Is there a group of ISP's that it's generally OK to report unmunged to?

Someone mentioned sjrb.ca upthread as a white hat, Spammis as a black hat. We've already discussed the abominable Brazilians at cert.br -- I've started unchecking the box next to cert.br, it seems pointless LARTing them.

But it seems there are other diligent ISP's with real antispam policies who just don't accept munged SpamCop reports. Who are they, for future reference?

TIA,

Michael

From nobody at spamcop.net Thu Oct 6 10:28:01 2005
From: nobody at spamcop.net (Anti-Spam)
Date: Thu Oct 6 09:40:22 2005
Subject: [SpamCop-List] Re: What is Cyveillance giving back?
References:
Message-ID:

"Steven Maesslein" wrote in message news:slrndk4hfs.3uh.nobody@127.0.0.1...
> On Tue, 04 Oct 2005 10:37:03 +0200, Richard Zuidhof coughed into spamcop
> and left this in :
>
> > I notice every Spamcop report I make is copied to Cyveillance
> > (http://www.cyveillance.com/spam.htm). This has been done for quite a
> > long time now but I have not noticed any benefit for the Spamcop
> > users.
[...]
> To start with, Cy got more than they bargained for and had to stop the
> supply of spam because they couldn't keep up with it :)

If they had to stop it, how come they're still included as a third party interested? Seems like a waste of CPU cycles, when the poor parser seems to have too much work as it is.

Anyone have any theories?

--
Bring in the death penalty for repeat spammers.
Non-functional spambait addr: can43@ajhtxxi.net
(generated by Webpoison)

From MikeE at ster.invalid Thu Oct 6 08:13:17 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Oct 6 10:15:03 2005
Subject: [SpamCop-List] Re: What is Cyveillance giving back?
References:
Message-ID:

Anti-Spam wrote:

> If they had to stop it, how come they're still
> included as a third party interested?

I think JH believes that they are or might be the enemy of his/our enemies. I think Cy pays for the information and are now configured to soak it up without gagging.

> Seems
> like a waste of CPU cycles, when the poor
> parser seems to have too much work as it
> is.

I think adding the additional notified doesn't waste any processing cycles, altho' giving the individual reporter the option to not or notify Cy is a tiny insignificant sub-cycle.

> Anyone have any theories?

--
Mike Easter
kibitzer, not SC admin

From nobody at nowhere.not Thu Oct 6 15:52:57 2005
From: nobody at nowhere.not (Robert Blair)
Date: Thu Oct 6 10:55:02 2005
Subject: [SpamCop-List] Re: How to Rattle This Guy's Cage?
References: <43427912.17EDB4B5@SpamCop.net.dev.null> <462oa8nyzhdz.dlg@news.spamcop.net>
Message-ID:

On Wed, 5 Oct 2005 18:48:24 UTC, baloo@ursine.ca wrote:

> > I know that the San Andreas fault is a strike/slip fault, and the western
> > side is moving northward. But it really isn't moving fast enough to locate
> > San Diego, CA in the vicinity of Seattle, WA any time within the lifetimes
> > of my children's children's children's children.
>
> Never mind that roughly two thirds of Oregon and Washington residents
> are idiots from California dragging us down, no?

The loudest complainers are the newcomers to an area. I currently live in CA and visit WA because some of my and my wife's family still lives there.

How long has your family been in WA and/or OR?

--
Robert Blair

From nobody at nowhere.not Thu Oct 6 15:58:04 2005
From: nobody at nowhere.not (Robert Blair)
Date: Thu Oct 6 11:00:02 2005
Subject: [SpamCop-List] Re: Whitehats That Refuse Munged Reports?
References: <434500D6.87C4F68C@SpamCop.net.dev.null>
Message-ID:

On Thu, 6 Oct 2005 10:47:50 UTC, Michael Brennan wrote:

> I notice that Earthlink refuses munged reports and I was wondering
> whether to LART them manually, using my webmail account, or just check
> the box.

I do not send spamcop unmunged reports. Sometimes, if I have time, I manually LART using sneakemail and munging.

--
Robert Blair

From JG at coks.net Thu Oct 6 09:16:50 2005
From: JG at coks.net (JG)
Date: Thu Oct 6 11:15:04 2005
Subject: [SpamCop-List] Voronin meds...
Message-ID:

Sample, 1 of 10 or so with same notify, all from the far east, most "no mastered" by SC..

http://www.spamcop.net/sc?id=z812628222z05c5ac6f6447494f3ad9310fba3650d9z

This spammer seemed to be a little extra busy this past evening - I doubt he's targeting me alone. This just a normal "spam run"?

From JG at coks.net Thu Oct 6 09:21:48 2005
From: JG at coks.net (JG)
Date: Thu Oct 6 11:20:03 2005
Subject: [SpamCop-List] Re: Amusing notes added by spammer???
In-Reply-To:
References:
Message-ID:

On 10/5/2005 9:26 PM Tim P. scribbled:
>
>
> Funny how they never respond directly.
>
> What a dufus.

Curious - how does spammer get those reports and how does obvious spammer get to deny it?

From blacklist-me at davjam.org Thu Oct 6 17:20:29 2005
From: blacklist-me at davjam.org (David Bolt)
Date: Thu Oct 6 11:50:02 2005
Subject: [SpamCop-List] Re: What is Cyveillance giving back?
References:
Message-ID:

On Thu, 6 Oct 2005, Anti-Spam wrote:-

>"Steven Maesslein" wrote in message news:slrnd
>k4hfs.3uh.nobody@127.0.0.1...
>> On Tue, 04 Oct 2005 10:37:03 +0200, Richard Zuidhof coughed into spamcop
>> and left this in :
>>
>> > I notice every Spamcop report I make is copied to Cyveillance
>> > (http://www.cyveillance.com/spam.htm). This has been done for quite a
>> > long time now but I have not noticed any benefit for the Spamcop
>> > users.
>[...]
>> To start with, Cy got more than they bargained for and had to stop the
>> supply of spam because they couldn't keep up with it :)
>
>If they had to stop it, how come they're still
>included as a third party interested?

When they first started accepting the reports, they couldn't cope with the volume, so they stopped accepting them. After adding the required hardware/bandwidth to cope with the volume, they started accepting them again.

>Seems
>like a waste of CPU cycles, when the poor
>parser seems to have too much work as it
>is.

Whether they are included, or not, wouldn't make much of a noticeable difference to how many CPU cycles the parser consumed.
The parser still has to parse the spam to create the reports for all the other parties. If they weren't included, there would be a difference in the outgoing bandwidth, since there would be one less report sent per spam, but IIRC they are paying a little more than the bandwidth costs, dropping them would probably be a net loss to SpamCop.

Regards,
David Bolt

--
Member of Team Acorn checking nodes at 50 Mnodes/s: http://www.distributed.net/
AMD 1800 1Gb WinXP/SuSE 9.3 | AMD 2400 160Mb SuSE 8.1 | AMD 2400 256Mb SuSE 9.0
AMD 1300 512Mb SuSE 9.0 | Falcon 14Mb TOS 4.02 | STE 4Mb TOS 1.62
RPC600 129Mb RISCOS 3.6 | A3010 4Mb RISCOS 3.11 | A4000 4Mb RISCOS 3.11

From pete+usenet at heypete.com Thu Oct 6 09:52:25 2005
From: pete+usenet at heypete.com (Pete Stephenson)
Date: Thu Oct 6 11:55:03 2005
Subject: [SpamCop-List] Re: Not receiving email at SpamCop?
References:
Message-ID:

In article , SpamCop Admin wrote:

> Pete Stephenson wrote:
> >-Is there any way to still have SpamCop forward me mail in response to
> >-spam reports that I file, but send me any other messages?
> >-
> >-In other words, send mail addressed to [reportID]@reports.spamcop.net
> >-back to my private address, but things sent directly to
> >-heypete@spamcop.net should be bit-bucketed.
>
> Your SpamCop Email Filtering account is separated into two distinct
> parts; the email service, and the reporting service.
>
> You can log into your reporting account at http://mailsc.spamcop.net/
> and change the contact address to anything you want so that our
> *system* mail will go to that address instead of your @spamcop.net
> email address. Mail from SpamCop, such as replies to your reports,
> and our "SpamCop Quick reporting data" responses, will go to the
> address you set. Mail from the staff, such as warnings about
> reporting errors, will NOT usually go to that address unless we happen
> to notice the setting and use that address instead of your
> @spamcop.net address.

Excellent.
That address is correctly configured with my personal address, which is as I would prefer. *check*

> Your Email account can also be set to forward your mail to anywhere
> you want, such as our bit bucket at nobody@devnull.spamcop.net so that
> any mail that gets past the filters on your @spamcop.net address will
> go to the trash.

Ah, excellent. Done. *check*

> Before abandoning the email service part of your account and using it
> as just a reporting account, you might want to consider the
> ramifications. For example, if you continue to use the SpamCop
> filters, large amounts of mail will be diverted to your Held Mail
> folder for reporting, which will accumulate if you don't report/delete
> it, and will eventually overwhelm the system.

Nope, no filters have been used with the account for about two or more years now, so no mail has been accumulating. I double-checked that all filters were disabled, so there should be no mail accumulating on the system.

> If you're not going to report the spam, you shouldn't use the filters.
> It would be best to log into the account and disable all the blocking
> lists and SpamAssassin filtering so that nothing will be diverted to
> your Held Mail folder for reporting. That way, all mail to your
> @spamcop.net address will be sent to the trash.

Excellent, thank you for your informative response Don. Hopefully all of this will result in me having less spam, as well as reporting only the egregious offenders that slip through the variety of DNSbls I use (those already on the DNSbls are known to be spammers, and the ball's already in their provider's court).

--
Pete Stephenson
HeyPete.com

From anthony.edwards at uk.easynet.net Thu Oct 6 20:07:51 2005
From: anthony.edwards at uk.easynet.net (Anthony Edwards)
Date: Thu Oct 6 15:10:03 2005
Subject: [SpamCop-List] Re: Whitehats That Refuse Munged Reports?
References: <434500D6.87C4F68C@SpamCop.net.dev.null>
Message-ID:

On Thu, 06 Oct 2005 05:47:50 -0500, Michael Brennan wrote:

> But it seems there are other diligent ISP's with real antispam policies
> who just don't accept munged SpamCop reports.

In an ideal world, I would ignore munged reports from all sources, not just SpamCop. They are by their very nature less reliable, and there is an element of risk for an abuse team in taking action on munged reports, albeit the level of risk is not too great providing the abuse team use common sense and are reasonably experienced.

However, munging of complaints has become almost a de facto standard, with the result that we accept them.

--
Anthony Edwards * anthony.edwards@uk.easynet.net
Abuse Team Manager * Tel: 0800 053 0588
Easynet Ltd * DDI: 0161 227 0707
http://www.uk.easynet.net * Fax: 0845 333 4503

From anthony.edwards at uk.easynet.net Thu Oct 6 20:12:47 2005
From: anthony.edwards at uk.easynet.net (Anthony Edwards)
Date: Thu Oct 6 15:15:03 2005
Subject: [SpamCop-List] Re: Whitehats That Refuse Munged Reports?
References: <434500D6.87C4F68C@SpamCop.net.dev.null>
Message-ID:

On Thu, 6 Oct 2005 14:58:04 +0000 (UTC), Robert Blair wrote:

> I do not send spamcop unmunged reports.

I am curious as to why. Putting my non-work end user hat on, I have never sent a munged report (via SpamCop, or manually) and never will.

I make complaints, and am happy to provide Unsolicited Bulk Email examples in full, complete and unedited, and to stand by them.

What does one gain by sending munged reports, given that it is almost universally accepted that munged reports are of less use to abuse desks tasked with enforcing their network's Acceptable Use Policy?

--
Anthony Edwards * anthony.edwards@uk.easynet.net
Abuse Team Manager * Tel: 0800 053 0588
Easynet Ltd * DDI: 0161 227 0707
http://www.uk.easynet.net * Fax: 0845 333 4503

From MikeE at ster.invalid Thu Oct 6 13:42:01 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Oct 6 15:45:03 2005
Subject: [SpamCop-List] Re: Whitehats That Refuse Munged Reports?
References: <434500D6.87C4F68C@SpamCop.net.dev.null>
Message-ID:

Anthony Edwards wrote:
> Michael Brennan

>> But it seems there are other diligent ISP's with real antispam
>> policies who just don't accept munged SpamCop reports.
>
> In an ideal world, I would ignore munged reports from all sources,
> not just SpamCop. They are by their very nature less reliable,

Yes. The purpose of submitting a copy of a spam to an abuse desk is to provide 'evidence' of the act -- and 'legalistically' evidence should be 'preserved' and not contaminated and/or 'modified' ie changed [ie 'munged'] by the 'crimescene' evidence handler.

> and
> there is an element of risk for an abuse team in taking action on
> munged reports,

Yes. When someone is sending evidence to the abuse desk, they are establishing a channel of communication in which there should be a mutual trust of some kind. The reporter is saying "I trust you to work with me in acting on this piece of good evidence." And the abuse desk is saying, "I trust that you are submitting to me a genuine piece of evidence in good faith that hasn't been changed or altered from the original for some reason or another."

> albeit the level of risk is not too great providing
> the abuse team use common sense and are reasonably experienced.

Where said experience is having to guess at how many ways a piece of munged evidence has or has not been altered in its handling. No mungeing vs standard SC mungeing vs some other kind of uber-mungeing vs uber-uber and Mungeland-uber-alles mungeing.

> However, munging of complaints has become almost a de facto standard,
> with the result that we accept them.

Unfortunately, some reporters lose track of what reporting to an abuse desk really means. They think that making a report is a form of punishment or bitching or tonguelashing -- so if they can do their tonguelashing anonymously they prefer that to 'signing' the gripe.

But, the real problem is in the absence of trust. The reporter can't trust the 'chosen' notified to be white, gray, or blackhatted. So the common channel of trust in the communication described above doesn't exist. Further, the reporter doesn't believe that the abuse desk needs the To-like addressees of the spamitem in order to investigate the item which is either sourced from the notified's netspace or spamvertising in the notified's netspace.

--
Mike Easter
kibitzer, not SC admin

From baloo at ursine.ca Thu Oct 6 13:34:50 2005
From: baloo at ursine.ca (baloo@ursine.ca)
Date: Thu Oct 6 16:10:02 2005
Subject: [SpamCop-List] Re: How to Rattle This Guy's Cage?
References: <43427912.17EDB4B5@SpamCop.net.dev.null> <462oa8nyzhdz.dlg@news.spamcop.net>
Message-ID:

Robert Blair wrote:
> On Wed, 5 Oct 2005 18:48:24 UTC, baloo@ursine.ca wrote:
>
>> > I know that the San Andreas fault is a strike/slip fault, and the western
>> > side is moving northward. But it really isn't moving fast enough to locate
>> > San Diego, CA in the vicinity of Seattle, WA any time within the lifetimes
>> > of my children's children's children's children.
>>
>> Never mind that roughly two thirds of Oregon and Washington residents
>> are idiots from California dragging us down, no?
>
> The loudest complainers are the newcomers to an area. I currently
> live in CA and visit WA because some of my and my wife's family still
> lives there.

Yeah, they complain that the locals aren't just like them, and complain louder when we won't change to suit them.

> How long has your family been in WA and/or OR?

Three generations.
Tom McCall said it best.

From nobody at devnull.spamcop.net Thu Oct 6 16:44:10 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Thu Oct 6 16:45:04 2005
Subject: [SpamCop-List] Re: Not receiving email at SpamCop?
References:
Message-ID:

"SpamCop Admin" wrote in message news:e8hak19cie4n42dchd1qb3lunhd2qmqaff@4ax.com...
> Pete Stephenson wrote:
> >-Is there any way to still have SpamCop forward me mail in response to
> >-spam reports that I file, but send me any other messages?
>
> Your SpamCop Email Filtering account is separated into two distinct
> parts; the email service, and the reporting service.

Added to the Forum version of the SpamCop FAQ ..
http://forum.spamcop.net/forums/index.php?showtopic=2238
Listed under the SpamCop E-Mail Account section, entry at;
http://forum.spamcop.net/forums/index.php?showtopic=5075

Thanks for the question and well-composed answer!

From dwvbo91q4001 at sneakemail.com Fri Oct 7 05:01:34 2005
From: dwvbo91q4001 at sneakemail.com (Tim P.)
Date: Fri Oct 7 00:05:03 2005
Subject: [SpamCop-List] Re: Amusing notes added by spammer???
References:
Message-ID:

JG wrote in news:di3fas$mg2$1@news.spamcop.net:

> On 10/5/2005 9:26 PM Tim P. scribbled:
>
>>
>>
>> Funny how they never respond directly.
>>
>> What a dufus.
>
> Curious - how does spammer get those reports and how does obvious
> spammer get to deny it?

I will occasionally give one suspected spammer an opportunity to reply via those fill in the blank recipients. I direct a copy back from that, and the link is what leads to a whole barrage of comments from "other" previous recipts who also clicked the target link to respond. Obviously, most are not what I had sent, but rather a conglomeration of what other reporters have also done and it ends up under the "This is a report regarding ." ...where there is nothing [nullspace] after the "regarding". A generic, if you will.

A lot of comments are about resolutions like "terminated" "suspended" "dropped" etc.
and some are comic relief such as that shown.

--
Tim P
Very content SpamCop Subscriber since 4/2002

From JG at coks.net Thu Oct 6 22:50:58 2005
From: JG at coks.net (JG)
Date: Fri Oct 7 00:50:03 2005
Subject: [SpamCop-List] Re: Amusing notes added by spammer???
In-Reply-To:
References:
Message-ID:

On 10/6/2005 9:01 PM Tim P. scribbled:
> I will occasionally give one suspected spammer an opportunity to reply
> via those fill in the blank recipients. I direct a copy back from that,
> and the link is what leads to a whole barrage of comments from "other"
> previous recipts who also clicked the target link to respond. Obviously,
> most are not what I had sent, but rather a conglomeration of what other
> reporters have also done and it ends up under the "This is a report
> regarding ." ...where there is nothing [nullspace] after the
> "regarding". A generic, if you will.
>
> A lot of comments are about resolutions like "terminated" "suspended"
> "dropped" etc. and some are comic relief such as that shown.

criminy, the more you learn, the dumber you feel. Thanks, Tim...

From JG at coks.net Thu Oct 6 22:52:23 2005
From: JG at coks.net (JG)
Date: Fri Oct 7 00:55:03 2005
Subject: [SpamCop-List] OT Re: How to Rattle This Guy's Cage?
In-Reply-To:
References: <43427912.17EDB4B5@SpamCop.net.dev.null> <462oa8nyzhdz.dlg@news.spamcop.net>
Message-ID:

On 10/6/2005 12:34 PM baloo@ursine.ca scribbled:
> Three generations. Tom McCall said it best.

Tom McCall, the bus test driver??

From nobody at nowhere.not Fri Oct 7 10:22:29 2005
From: nobody at nowhere.not (Robert Blair)
Date: Fri Oct 7 05:25:08 2005
Subject: [SpamCop-List] Re: Whitehats That Refuse Munged Reports?
References: <434500D6.87C4F68C@SpamCop.net.dev.null>
Message-ID:

On Thu, 6 Oct 2005 19:12:47 UTC, Anthony Edwards wrote:

> > I do not send spamcop unmunged reports.
>
> I am curious as to why. Putting my non-work end user hat on, I have
> never sent a munged report (via SpamCop, or manually) and never will.

In the past I have been harassed by a spammer or two.

> I make complaints, and am happy to provide Unsolicited Bulk Email
> examples in full, complete and unedited, and to stand by them.
>
> What does one gain by sending munged reports, given that it is almost
> universally accepted that munged reports are of less use to abuse
> desks tasked with enforcing their network's Acceptable Use Policy?

My munging does not not affect the receive headers except where my email address has been added so there should not be a problem tracking the source. Even if they don't like munged reports it is additional evidence for unmunged reports.

The manual LARTs (munged) I send sometimes receive a kill response. Now I don't know that it was my LART that caused the response but the desired results was received.

--
Robert Blair

From scotto at spamcop.net Fri Oct 7 06:45:01 2005
From: scotto at spamcop.net (Scott Starkey)
Date: Fri Oct 7 06:50:18 2005
Subject: [SpamCop-List] Oh, man...
Message-ID:

I accidently zigged when I should have zagged, and accidentally marked a legitimate email as spam. Is there any way I can cancel a spam-report?

I'll go hit my head against the wall now. :-p

Thanks for any advice.
-- Scott S.

From nobody at spamcop.net Fri Oct 7 08:24:32 2005
From: nobody at spamcop.net (Ellen)
Date: Fri Oct 7 08:00:06 2005
Subject: [SpamCop-List] Re: Oh, man...
References:
Message-ID:

"Scott Starkey" wrote in message news:di5jjo$ugt$1@news.spamcop.net...
> I accidently zigged when I should have zagged, and accidentally marked a
> legitimate email as spam. Is there any way I can cancel a spam-report?
>
> I'll go hit my head against the wall now. :-p
>
> Thanks for any advice.
> -- Scott S.
>
>

Write apologies to anyone that received a report. Send a report number and your registered SC email address and a brief explanation to deputies admin.spamcop.net.
Ellen SpamCop From Nobody at SpamCop.net.dev.null Fri Oct 7 09:46:20 2005 From: Nobody at SpamCop.net.dev.null (Michael Brennan) Date: Fri Oct 7 09:50:04 2005 Subject: [SpamCop-List] Did I Do Something Wrong? Message-ID: <43467C2C.F250CB26@SpamCop.net.dev.null> With reference to this SpamCop report: http://www.spamcop.net/sc?id=z812966391zfb9ca9f19a793f248e2d60480280a1b7z I got a failure message when I tried to open the file. SpamCop said, "Failed to load spam header: 812966391 / fb9ca9f19a793f248e2d60480280a1b7 " "Cannot open database connection in putRow" Is this a SpamCop problem, or do I need to do something? Regards, Michael From nobody at spamcop.net Fri Oct 7 11:12:05 2005 From: nobody at spamcop.net (Anti-Spam) Date: Fri Oct 7 10:30:03 2005 Subject: [SpamCop-List] Re: Did I Do Something Wrong? References: <43467C2C.F250CB26@SpamCop.net.dev.null> Message-ID: "Michael Brennan" wrote in message news:43467C2C.F250CB26@SpamCop.net.dev.null... > With reference to this SpamCop report: > > http://www.spamcop.net/sc?id=z812966391zfb9ca9f19a793f248e2d60480280a1b7z > > I got a failure message when I tried to open the file. SpamCop said, > > "Failed to load spam header: 812966391 / > fb9ca9f19a793f248e2d60480280a1b7 " > "Cannot open database connection in putRow" > > Is this a SpamCop problem, or do I need to do something? It's not you. It's a server error, and it usually resolves itself after a while (2-60 minutes). However, reloading the same page doesn't always work. Sometimes, I've had to re-enter the parsing page for a particular spam from the home page (or whatever your normal bookmark is) or the SC notification e-mail for the item. Haven't fathomed that part, yet. -- Bring in the death penalty for repeat spammers. 
Non-functional spambait addr: address@oxdzfj.com (generated by Webpoison) From edb2000 at spamcop.net Fri Oct 7 08:55:48 2005 From: edb2000 at spamcop.net (Don Wannit) Date: Fri Oct 7 11:00:02 2005 Subject: [SpamCop-List] Re: Whitehats That Refuse Munged Reports? In-Reply-To: References: <434500D6.87C4F68C@SpamCop.net.dev.null> Message-ID: Mike Easter wrote: > ... Mungeland-uber-alles mungeing. Wow! -- Don Wannit A paid SpamCop user since 1999 From porpoise1954 at yahoo.co.uk Fri Oct 7 17:12:49 2005 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Fri Oct 7 11:15:03 2005 Subject: [SpamCop-List] Re: Whitehats That Refuse Munged Reports? References: <434500D6.87C4F68C@SpamCop.net.dev.null> Message-ID: "Don Wannit" wrote in message news:di629l$7dq$1@news.spamcop.net... > Mike Easter wrote: >> ... Mungeland-uber-alles mungeing. > > Wow! ????????????? Wow! ?????????????????????????????? ?????????????????????? From DougThegarden at invalid.com Fri Oct 7 17:50:20 2005 From: DougThegarden at invalid.com (Doug Thegarden) Date: Fri Oct 7 11:55:04 2005 Subject: [SpamCop-List] Ig Nobel Spam Message-ID: Our friends and colleagues in Nigeria have just been honoured at Harvard with the award of an Ig Nobel Prize for Literature. Their citation reads: "LITERATURE: The Internet entrepreneurs of Nigeria, for creating and then using e-mail to distribute a bold series of short stories, thus introducing millions of readers to a cast of rich characters -- General Sani Abacha, Mrs. Mariam Sanni Abacha, Barrister Jon A Mbeki Esq., and others -- each of whom requires just a small amount of expense money so as to obtain access to the great wealth to which they are entitled and which they would like to share with the kind person who assists them." http://www.improb.com/ig/ig-pastwinners.html Doug From nobody at spamcop.net Fri Oct 7 11:10:16 2005 From: nobody at spamcop.net (Ellen) Date: Fri Oct 7 12:00:04 2005 Subject: [SpamCop-List] Re: Did I Do Something Wrong? 
References: <43467C2C.F250CB26@SpamCop.net.dev.null> Message-ID: "Michael Brennan" wrote in message news:43467C2C.F250CB26@SpamCop.net.dev.null... > With reference to this SpamCop report: > > http://www.spamcop.net/sc?id=z812966391zfb9ca9f19a793f248e2d60480280a1b7z > > I got a failure message when I tried to open the file. SpamCop said, > > "Failed to load spam header: 812966391 / > fb9ca9f19a793f248e2d60480280a1b7 " > "Cannot open database connection in putRow" > > Is this a SpamCop problem, or do I need to do something? > Seems to have been a transient error -- it looks OK now. Let me know if you continue having the problem. Ellen SpamCop From baloo at ursine.ca Fri Oct 7 09:58:28 2005 From: baloo at ursine.ca (baloo@ursine.ca) Date: Fri Oct 7 12:10:03 2005 Subject: [SpamCop-List] Re: OT Re: How to Rattle This Guy's Cage? References: <43427912.17EDB4B5@SpamCop.net.dev.null> <462oa8nyzhdz.dlg@news.spamcop.net> Message-ID: <4iii13-m4u.ln1@ursine.ca> JG wrote: > On 10/6/2005 12:34 PM baloo@ursine.ca scribbled: > > > Three generations. Tom McCall said it best. > > Tom McCall, the bus test driver?? The Oregon governor. From amenex at amenex.com Fri Oct 7 19:17:58 2005 From: amenex at amenex.com (George Langford, Sc.D.) Date: Fri Oct 7 18:18:01 2005 Subject: [SpamCop-List] Irate site admin Message-ID: <20051007181758.f0gw40wg4040wsgk@webmail.spamcop.net> http://www.spamcop.net/sc?id=z813102572zd827126980eac5887370c11a28dce826z Received an email addressed to 1524173573@reports.spamcop.net Site admin sent an irate email saying, "this is not a spam," that "Those email belong to people who subscribe to a list on our servers." Not mine. I never subscribed. What's going on ? I looked at the spamvertised website. It's in French, which I can't read without a dictionary. About stuff in which I have no interest. If I get another one, I'll report that one, too. One clue: "66.129.147.135 is an open proxy" 66.129.147.135 sent the email. 
66.129.147.132 is the IP of the spamvertised website. George Langford, Sc.D. Principal Consultant Amenex Associates, Inc. amenex@amenex.com http://www.amenex.com/ From MikeE at ster.invalid Fri Oct 7 17:12:47 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri Oct 7 19:15:33 2005 Subject: [SpamCop-List] Re: Irate site admin References: Message-ID: George Langford, Sc.D. wrote: www.spamcop.net/sc?id=z813102572zd827126980eac5887370c11a28dce826z That spam is a bit atypical in that it is straightup - no bogosity. The From = the source = the spamvertised site. That straightup condition is often or sometimes seen in items in which the sender doesn't think they need to be obscuring or obfuscating or bogusing anything. > Received an email addressed to 1524173573@reports.spamcop.net > > Site admin sent an irate email saying, "this is not a spam," > that "Those email belong to people who subscribe to a list > on our servers." It is possible that the admin 'thinks' that you subscribed. It is possible that there is some kind of bad list management going on, such as no opt-in confirmation of an online subscribing system. Or maybe he made some kind of bad deal in which he believes he is mailing wanted mail. Or thinks that people who don't want his mail will unsub. Or bought into some kind of wrong/bad promotion idea. He may be being screwed by a spammer promoter list purchase/seller. > Not mine. I never subscribed. What's going on ? > I looked at the spamvertised website. It's in French, which > I can't read without a dictionary. About stuff in which I have > no interest. If I get another one, I'll report that one, too. The admin has a problem if it is a bogus subscription, because he isn't equipped to deal with bogus subscribes and so everyone like yours could generate a report which will contribute to the listing of the IP. > One clue: "66.129.147.135 is an open proxy" > 66.129.147.135 sent the email. > 66.129.147.132 is the IP of the spamvertised website.
The volume statistics for the source IP look like a more typical abused proxy

Volume Statistics for this IP
           Magnitude   Vol Change vs. Average
Last day   4.1         47054%
Last 30d   2.2         577%
Average    1.4

The site appears to be a business doing video productions for business, promotions, etc. Even the spam is straightup about content, including the name and snail address and telno of the same individual who is the registrant for the spamvertised domainname. I believe/think that [probably] the registrant of the domainname and the sender of the spam and the owner of the website and the business are all one and the same and somehow might not have a clue they are spamming. I also think they should continue to be reported -- hopefully Michel Savoy's IP will become SC blocklisted and he will start having trouble emailing and eventually enough will happen to clue enable him. The IP for the site is also the IP for 40 other websites but the site doesn't appear in sightings, nor the source IP. -- Mike Easter kibitzer, not SC admin From JG at coks.net Fri Oct 7 17:58:44 2005 From: JG at coks.net (JG) Date: Fri Oct 7 20:00:02 2005 Subject: [SpamCop-List] Re: OT Re: How to Rattle This Guy's Cage? In-Reply-To: <4iii13-m4u.ln1@ursine.ca> References: <43427912.17EDB4B5@SpamCop.net.dev.null> <462oa8nyzhdz.dlg@news.spamcop.net> <4iii13-m4u.ln1@ursine.ca> Message-ID: On 10/7/2005 8:58 AM baloo@ursine.ca scribbled: > JG wrote: > >>On 10/6/2005 12:34 PM baloo@ursine.ca scribbled: >> >> >>>Three generations. Tom McCall said it best. >> >>Tom McCall, the bus test driver?? > > > The Oregon governor. Oh, I'd have to think the other McCall is probably unknown to anyone under 55 anyway... From spamcop at bcs-israel.com Sat Oct 8 04:08:09 2005 From: spamcop at bcs-israel.com (Dick Cardy) Date: Fri Oct 7 20:15:03 2005 Subject: [SpamCop-List] Error in credit card payment form Message-ID: I need to add fuel to my account so I tried to use the credit card payment method.
I filled out the form and I get the error message 'Invalid State. Please use 30 characters or less.' The problem is caused by the fact that the state field is mandatory and here we do not have a state. Once you realise that the you can get away with entering the character - in the state field you get authorised with a page that says 'Thanks for your support! This page serves as your invoice.' A slight moan my local tax authority will not accept this as an invoice. Dick From JG at coks.net Fri Oct 7 18:56:50 2005 From: JG at coks.net (JG) Date: Fri Oct 7 20:55:03 2005 Subject: [SpamCop-List] Re: Error in credit card payment form In-Reply-To: References: Message-ID: On 10/7/2005 6:08 PM Dick Cardy scribbled: ... This page serves as your invoice.' A slight moan my local tax > authority will not accept this as an invoice. > > Dick > > SC is tax deductible?? From spamcop at bcs-israel.com Sat Oct 8 11:47:21 2005 From: spamcop at bcs-israel.com (Dick Cardy) Date: Sat Oct 8 03:50:02 2005 Subject: [SpamCop-List] Re: Error in credit card payment form References: Message-ID: "JG" wrote in message news:di75d0$t9j$1@news.spamcop.net... > On 10/7/2005 6:08 PM Dick Cardy scribbled: > > ... This page serves as your invoice.' A slight moan my local tax > > authority will not accept this as an invoice. > > > > Dick > > > > > SC is tax deductible?? I can claim it as a business expense Dick From redford_stone at INVERSE_OF_COLDmail.com Sat Oct 8 11:17:05 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Sat Oct 8 06:20:21 2005 Subject: [SpamCop-List] Re: kornets bit bucket, finally overflowed References: Message-ID: Steven Maesslein wrote in news:slrndk8bm9.cec.nobody@127.0.0.1: > > Isn't that the normal state of affairs anyway? :) > Unfortunately, that is the case considering how Kornet/Hanaro keeps lying to Spamhaus.org about cleaning up their act. (The continuously have to relist IPs recently removed.) 
From nobody at nowhere.not Sat Oct 8 11:17:50 2005 From: nobody at nowhere.not (Robert Blair) Date: Sat Oct 8 06:20:37 2005 Subject: [SpamCop-List] Re: How to Rattle This Guy's Cage? References: <43427912.17EDB4B5@SpamCop.net.dev.null> <462oa8nyzhdz.dlg@news.spamcop.net> Message-ID: On Thu, 6 Oct 2005 19:34:50 UTC, baloo@ursine.ca wrote: > Three generations. My family has been in WA for five generations. > Tom McCall said it best. So what did Tom have to say. -- Robert Blair From redford_stone at INVERSE_OF_COLDmail.com Sat Oct 8 11:21:22 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Sat Oct 8 06:25:03 2005 Subject: [SpamCop-List] Re: kornets bit bucket, finally overflowed References: Message-ID: "Claudio Valderrama C." wrote in news:di1vdn$sc7$1@news.spamcop.net: > > This rejection state would be already normal for any target relying on > http://korea.services.net/ >:-) > And blackholes.us (http://www.blackholes.us) is going to be up and running again soon enough to lend a hand. :-) > > It's a pity that a supposed developed country like South Korea doesn't > want to put pressure on its ISPs to be more decent. > > C. > > Too many people who don't want to use firewalls of any kind.. too many people who LOVE to click on ALL attachments they get in their email.. incoming email probably never filters for their customers. It is either complete laziness or the spammers are paying Kornet and Hanaro big money. From g.hyde at bigpond.net.au Sat Oct 8 21:47:39 2005 From: g.hyde at bigpond.net.au (Geoffrey Hyde) Date: Sat Oct 8 06:50:03 2005 Subject: [SpamCop-List] Re: kornets bit bucket, finally overflowed References: Message-ID: "Redstone" wrote in message news:Xns96E922282A080tinlc@216.154.195.61... > Too many people who don't want to use firewalls of any kind.. too many > people who LOVE to click on ALL attachments they get in their email.. > incoming email probably never filters for their customers. 
It sounds to me like most of the people at kornet are way too eager to just let any virus or trojan program poke it's nose uninvited onto their computer hard drive, and infect it with a program which was not wanted and which would more than likely help hackers and spammers alike. > It is either complete laziness or the spammers are paying Kornet and > Hanaro big money. I wonder how big their pockets are when it comes to buying up-to-date antivirus technology to keep the aforementioned trojan/virus from infecting their computer? I guess we'll find out all too soon. -- Cheers ... Geoffrey Hyde From bar_n0ne at hotmail.com Sat Oct 8 17:31:49 2005 From: bar_n0ne at hotmail.com (Berny) Date: Sat Oct 8 08:35:06 2005 Subject: [SpamCop-List] Re: kornets bit bucket, finally overflowed References: Message-ID: "Redstone" wrote in message SNIPPED> > It is either complete laziness or the spammers are paying Kornet and > Hanaro big money. No, they're probably stupid enough to host spammers for small money. From nobody at devnull.spamcop.net Sat Oct 8 10:34:09 2005 From: nobody at devnull.spamcop.net (Pop) Date: Sat Oct 8 09:35:03 2005 Subject: [SpamCop-List] Deputies Message-ID: Thought you probably should see this: --------------------- Content-type: text/html; charset=iso-8859-1 Help | Site Map | Text size: - + Report Spam Filtered Email Blocking List Statistics Login SpamCop v 1.493 Copyright (C) 1998-2005, IronPort Systems, Inc. All rights reserved. Failed to load spam header: 813369102 / 68f33dcdaea283231426f84708c297cb Cannot open database connection in putRow [uuencoded attachment: 05logo.png]
From nobody at devnull.spamcop.net Sat Oct 8 10:37:50 2005 From: nobody at devnull.spamcop.net (Pop) Date: Sat Oct 8 09:40:03 2005 Subject: [SpamCop-List] Re: Did I Do Something Wrong? References: <43467C2C.F250CB26@SpamCop.net.dev.null> Message-ID: Ellen, just got the same message a few minutes ago, 10-08-05 09:33 EST. "Ellen" wrote in message news:di65vk$a7t$1@news.spamcop.net... : : "Michael Brennan" wrote in message : news:43467C2C.F250CB26@SpamCop.net.dev.null... : > With reference to this SpamCop report: : > : > http://www.spamcop.net/sc?id=z812966391zfb9ca9f19a793f248e2d60480280a1b7z : > : > I got a failure message when I tried to open the file. SpamCop said, : > : > "Failed to load spam header: 812966391 / : > fb9ca9f19a793f248e2d60480280a1b7 " : > "Cannot open database connection in putRow" : > : > Is this a SpamCop problem, or do I need to do something? : > : : Seems to have been a transient error -- it looks OK now. Let me know if you : continue having the problem. : : Ellen : SpamCop : : From nobody at devnull.spamcop.net Sat Oct 8 10:39:27 2005 From: nobody at devnull.spamcop.net (Pop) Date: Sat Oct 8 09:40:10 2005 Subject: [SpamCop-List] Re: Did I Do Something Wrong? References: <43467C2C.F250CB26@SpamCop.net.dev.null> Message-ID: But it's gone now; 09:38. All is fine. "Pop" wrote in message news:di8i3b$k36$1@news.spamcop.net...
: Ellen, just got the same message a few minutes ago, 10-08-05 : 09:33 EST. : : "Ellen" wrote in message : news:di65vk$a7t$1@news.spamcop.net... :: :: "Michael Brennan" wrote in : message :: news:43467C2C.F250CB26@SpamCop.net.dev.null... :: > With reference to this SpamCop report: :: > :: > : http://www.spamcop.net/sc?id=z812966391zfb9ca9f19a793f248e2d60480280a1b7z :: > :: > I got a failure message when I tried to open the file. : SpamCop said, :: > :: > "Failed to load spam header: 812966391 / :: > fb9ca9f19a793f248e2d60480280a1b7 " :: > "Cannot open database connection in putRow" :: > :: > Is this a SpamCop problem, or do I need to do something? :: > :: :: Seems to have been a transient error -- it looks OK now. Let me : know if you :: continue having the problem. :: :: Ellen :: SpamCop :: :: : : From nobody at devnull.spamcop.net Sat Oct 8 10:40:03 2005 From: nobody at devnull.spamcop.net (Pop) Date: Sat Oct 8 09:40:15 2005 Subject: [SpamCop-List] Re: Deputies References: Message-ID: Problem gone - now all OK. "Pop" wrote in message news:di8hsf$ju5$1@news.spamcop.net... : Thought you probably should see this: : --------------------- : : Content-type: text/html; charset=iso-8859-1 : : Help | Site Map : | Text size: - + : : Report Spam Filtered Email Blocking List Statistics Login : SpamCop v 1.493 Copyright (C) 1998-2005, IronPort Systems, Inc. : All rights reserved. : : Failed to load spam header: 813369102 / : 68f33dcdaea283231426f84708c297cb : Cannot open database connection in putRow : : : From MikeE at ster.invalid Sat Oct 8 07:58:24 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat Oct 8 10:00:04 2005 Subject: [SpamCop-List] Re: Deputies References: Message-ID: Pop wrote: > Thought you probably should see this: But presumably you didn't mean to send this... > begin 666 05logo.png > MB5!.1PT*& There's a flaw in the way XP copies/paste things that are supposed to be pasted into plaintext news and mail messages. 
I get 'stupid' little meaningless graphics attachments from a friend whois XP when he's trying to send me just the plaintext of a snip from an online article. That is, I blame it on XP, because when my friend was W98 pasting from the same kind of source I didn't see it. I'm not XP, so I don't know how to configure it out. But if someone can figure out how to avoid it 'sneaking in' there, I'd like to hear about it. My presumption is that Pop didn't want to send it -- and he shouldn't 'have to' send something he doesn't intend to and apparently can't see being pasted into the newsmessage. -- Mike Easter kibitzer, not SC admin From nobody at xyzzy.claranet.de Sun Oct 9 01:01:03 2005 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Sat Oct 8 18:05:16 2005 Subject: [SpamCop-List] Re: Deputies References: Message-ID: <4348419F.3BB2@xyzzy.claranet.de> Mike Easter wrote: > There's a flaw in the way XP copies/paste things that are > supposed to be pasted into plaintext news and mail messages. Actually it's cute as far as the clipboard is concerned, if it preserves the inline pictures of a HTML page. But then OE also tries to be smart converting it to a UUE, and that's one piece of smart software too many... ;-) > But if someone can figure out how to avoid it 'sneaking in' > there, I'd like to hear about it. Can you tell OE to be really stupid and disable UUE ? Nobody needs UUE today, obsoleted by MIME for at least a decade. Bye From MikeE at ster.invalid Sat Oct 8 17:03:50 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat Oct 8 19:05:03 2005 Subject: [SpamCop-List] Re: Deputies References: <4348419F.3BB2@xyzzy.claranet.de> Message-ID: Frank Ellermann wrote: > Mike Easter wrote: > >> There's a flaw in the way XP copies/paste things that are >> supposed to be pasted into plaintext news and mail messages. > > Actually it's cute as far as the clipboard is concerned, if it > preserves the inline pictures of a HTML page. 
But then OE also > tries to be smart converting it to a UUE, and that's one piece > of smart software too many... ;-) > >> But if someone can figure out how to avoid it 'sneaking in' >> there, I'd like to hear about it. > > Can you tell OE to be really stupid and disable UUE ? Nobody > needs UUE today, obsoleted by MIME for at least a decade. Bye You could paste it into something like Notepad which won't take the graphic, and then recopy it from notepad into OE, but that seems like a stupid step trying to defeat something which shouldn't be working like that in the first place.. If MS in its infinite wisdom decided to let the clipboard work like that, they should've made it the clipboard configurable for dropping or keeping the graphic/s. And OE shouldn't be 'accepting' a graphic pasted into a plaintext body 'secretly'. Plaintext does not include uue encoded graphics. In the plaintext mode, OE should be dropping the graphic just like notepad does. -- Mike Easter kibitzer, not SC admin From tfm3 at nospam.teleproc.com Sat Oct 8 20:27:19 2005 From: tfm3 at nospam.teleproc.com (Thomas Mooney) Date: Sat Oct 8 20:30:24 2005 Subject: [SpamCop-List] Hats off to uk.easynet.net Message-ID: I received a piece of spam at 17:43 (-0500), reported it to spamcop at 17:57, and received the following message at 18:21. > Hi > > Thank you for your report concerning this Unsolicited Bulk Email > incident. > > The account concerned has been identified and suspended under the terms > of our Acceptable Use Policy, which may be viewed at: > > http://www.uk.easynet.net/legal/acceptable.asp > > Please accept our apologies for any inconvenience that this incident may > have caused. > > Kind regards Colour me impressed. If only more ISPs were this responsive. I can't even get my own ISP (Time Warner / RoadRunner) to take action against obvious hacking attempts by someone who, judging by the similarity of his IPA to my IPA, is probably in my neighborhood! Grrr. Well done uk.easynet.net! 
-- TFM3 Note: Spam-resistant e-mail address From porpoise1954 at yahoo.co.uk Sun Oct 9 02:31:04 2005 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Sat Oct 8 20:35:03 2005 Subject: [SpamCop-List] Re: Deputies References: <4348419F.3BB2@xyzzy.claranet.de> Message-ID: "Mike Easter" wrote in message news:di9j8f$6al$1@news.spamcop.net... > Frank Ellermann wrote: > > You could paste it into something like Notepad which won't take the > graphic, and then recopy it from notepad into OE, but that seems like a > stupid step trying to defeat something which shouldn't be working like > that in the first place.. > > If MS in its infinite wisdom decided to let the clipboard work like > that, they should've made it the clipboard configurable for dropping or > keeping the graphic/s. And OE shouldn't be 'accepting' a graphic pasted > into a plaintext body 'secretly'. Plaintext does not include uue > encoded graphics. In the plaintext mode, OE should be dropping the > graphic just like notepad does. I'm not quite sure what the apparent problem is here (that everyone is beefing about). I find, if I don't select an inline graphic when I do the copy, it then then doesn't paste into the new mail. Alternatively, if it's done as a forward, you drop the attachment portion. I haven't had any problems with C&Ping stuff that I didn't want to (XP+OE6) From MikeE at ster.invalid Sat Oct 8 19:52:56 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat Oct 8 21:55:08 2005 Subject: [SpamCop-List] Re: Deputies References: <4348419F.3BB2@xyzzy.claranet.de> Message-ID: Porpoise wrote: > "Mike Easter" >> You could paste it into something like Notepad which won't take the >> graphic, and then recopy it from notepad into OE, but that seems >> like a stupid step trying to defeat something which shouldn't be >> working like that in the first place.. 
>> >> If MS in its infinite wisdom decided to let the clipboard work like >> that, they should've made it the clipboard configurable for dropping >> or keeping the graphic/s. And OE shouldn't be 'accepting' a graphic >> pasted into a plaintext body 'secretly'. Plaintext does not include >> uue encoded graphics. In the plaintext mode, OE should be dropping >> the graphic just like notepad does. > > I'm not quite sure what the apparent problem is here (that everyone is > beefing about). I find, if I don't select an inline graphic when I do > the copy, it then then doesn't paste into the new mail. > Alternatively, if it's done as a forward, you drop the attachment > portion. > > I haven't had any problems with C&Ping stuff that I didn't want to > (XP+OE6) I'm at the disadvantage of not being XP, so I don't understand what its clipboard to OE problem is. What I see on the receiving end is that people, Pop in this case and an email friend of mine in another case, attempt to copy a 'piece' of plaintext from a webpage to paste into an OE plaintext email or news message. My sense of it is that in the process of copying the plaintext into the clipboard, if any graphic 'element' is caught up in the scan or highlight of the intended text, then that graphic is silently or 'invisibly' pasted into the body of the OE plaintext message be it news or be it a mail. Presumably the copy/paster cannot 'see' any such graphic pasting into the OE message body. That is an abnormal functionality of XP's relationship between its clipboard copy/paste function and the plaintext body function of OE -- as I see the apparent 'picture' of the issue. It is my contention in this case that Pop did not intend nor know that he was pasting a graphic into his plaintext news message. If I am wrong about that, then he should step forward and clear the air. 
-- Mike Easter kibitzer, not SC admin From nobody at nowhere.invalid Sun Oct 9 11:33:57 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Sun Oct 9 04:35:22 2005 Subject: [SpamCop-List] Re: Hats off to uk.easynet.net References: Message-ID: On Sat, 8 Oct 2005 19:27:19 -0500, Thomas Mooney coughed into spamcop and left this in : > Colour me impressed. If only more ISPs were this responsive. Colour me cynical but you'd be surprised how many ISPs *say* "We've nuked the spammer" but in actual fact *do* nothing at all. -- Steve There are only 10 kinds of people in the world: Those who understand binary, and those who don't. From PossumTrot at dont.spam.me Sun Oct 9 09:03:36 2005 From: PossumTrot at dont.spam.me (Possum Trot) Date: Sun Oct 9 11:05:10 2005 Subject: [SpamCop-List] Re: kornets bit bucket, finally overflowed References: Message-ID: "Redstone" wrote in message news:Xns96E922282A080tinlc@216.154.195.61... > > Too many people who don't want to use firewalls of any kind.. too many > people who LOVE to click on ALL attachments they get in their email.. > incoming email probably never filters for their customers. > > It is either complete laziness or the spammers are paying Kornet and > Hanaro big money. My bet is on the latter. Does anyone have an email address for someone in the Korean Embassy in D.C. who we can politely cc: on any Kornet Spam report? A few thousand will show them depth or their problem. From nobody at devnull.spamcop.net Sun Oct 9 12:25:15 2005 From: nobody at devnull.spamcop.net (Sofa King Tyred of Lar Ting) Date: Sun Oct 9 11:25:03 2005 Subject: [SpamCop-List] Re: Hats off to uk.easynet.net In-Reply-To: References: Message-ID: Thomas Mooney wrote: > I received a piece of spam at 17:43 (-0500), reported it to spamcop at > 17:57, and received the following message at 18:21. > > >>Hi >> >>Thank you for your report concerning this Unsolicited Bulk Email >>incident. 
>> >>The account concerned has been identified and suspended under the terms >>of our Acceptable Use Policy, which may be viewed at: >> >>http://www.uk.easynet.net/legal/acceptable.asp >> >>Please accept our apologies for any inconvenience that this incident may >>have caused. >> >>Kind regards > > > Colour me impressed. If only more ISPs were this responsive. I can't even > get my own ISP (Time Warner / RoadRunner) to take action against obvious > hacking attempts by someone who, judging by the similarity of his IPA to my > IPA, is probably in my neighborhood! Grrr. Well done uk.easynet.net! Ok, not related to uk.easynet.net, except for the uk part... I got some phish emails last week, and the "phish" web site was up and running for at least three days on an IP under "onetel.net.uk" - try to find an "abuse" address either via spamcop or through their web site. Nada. Google only finds news articles talking about cocaine abuse or sex abuse. -- Help fight spam by "educating" the lax, zombie-hosting ISPs: http://pages.infinit.net/filmore/educateYourISP.htm From anthony.edwards at uk.easynet.net Sun Oct 9 16:58:51 2005 From: anthony.edwards at uk.easynet.net (Anthony Edwards) Date: Sun Oct 9 12:00:03 2005 Subject: [SpamCop-List] Re: Hats off to uk.easynet.net References: Message-ID: On Sun, 09 Oct 2005 11:25:15 -0400, Sofa King Tyred of Lar Ting wrote: > I got some phish emails last week, and the "phish" web site was up and > running for at least three days on an IP under "onetel.net.uk" - try to > find an "abuse" address either via spamcop or through their web site.

abuse@abuse:~$ whois -h whois.abuse.net onetel.net.uk
abuse@onetel.net.uk (for onetel.net.uk)
postmaster@onetel.net.uk (for onetel.net.uk)

Also, taking an IP address at random (MX for the onetel.net.uk domain):

abuse@abuse:~$ whois 212.67.121.123
% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Note: the default output of the RIPE Whois server
% is changed. Your tools may need to be adjusted. See
% http://www.ripe.net/db/news/abuse-proposal-20050331.html
% for more details.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '212.67.120.0 - 212.67.127.255'

inetnum: 212.67.120.0 - 212.67.127.255
netname: UK-ONETEL
descr: OneTel.UK ISP Services
country: GB
admin-c: DB12327-RIPE
tech-c: DB12327-RIPE
tech-c: OI94-RIPE
status: ASSIGNED PA
mnt-by: ONETEL-MTNER
source: RIPE # Filtered

person: Doreen Barton
address: 114a Cromwell Rd
address: London
address: SW7 4TP
address: United Kingdom
phone: +44 (0)207 331 9777
fax-no: +44(0)207 331 9877
e-mail: Doreenb@onetel.net.uk
nic-hdl: DB12327-RIPE
source: RIPE # Filtered

person: OneTel_UK ISP_Object
address: 114a Cromwell Rd
address: London
address: SW7 4TP
address: United Kingdom
phone: +44 (0)207 331 9777
fax-no: +44(0)207 331 9877
e-mail: isp@onetel.net.uk
nic-hdl: OI94-RIPE
source: RIPE # Filtered

% Information related to '212.67.120.0/23AS12708'

route: 212.67.120.0/23
descr: ONETEL.NET - UK
descr: Please mail to abuse@onetel.net.uk
origin: AS12708
mnt-by: ONETEL-MTNER
source: RIPE # Filtered

-- Anthony Edwards * anthony.edwards@uk.easynet.net Abuse Team Manager * Tel: 0800 053 0588 Easynet Ltd * DDI: 0161 227 0707 http://www.uk.easynet.net * Fax: 0845 333 4503 From dfm2a3l0t2 at spymac.com Sun Oct 9 13:37:37 2005 From: dfm2a3l0t2 at spymac.com (D.F. Manno) Date: Sun Oct 9 12:40:03 2005 Subject: [SpamCop-List] Re: kornets bit bucket, finally overflowed References: Message-ID: In article , "Possum Trot" wrote: > Does anyone have an email address for someone in > the Korean Embassy in D.C. who we can politely cc: on any Kornet Spam > report? A few thousand will show them depth or their problem. The U.S. has no diplomatic relations with North Korea, thus there is no North Korean embassy in the U.S.

The South Korean embassy's Web site lists the following email addresses:

# Political Section:
political_usa@mofat.go.kr
# Economic Section:
economic_usa@mofat.go.kr
# Congressional Section:
congress_usa@mofat.go.kr
# Consular Section:
consular_usa@mofat.go.kr
# Education Section:
education_usa@mofat.go.kr
# Cultural Section:
information_usa@mofat.go.kr
# Military Affair section:
milattache@hotmail.com

(Why is the South Korean military attache using a Hotmail account?)

--
D.F. Manno | dfm2a3l0t2@spymac.com
The worst government is the most moral. One composed of cynics is often
very tolerant and humane. But when fanatics are on top there is no limit
to oppression.--H.L. Mencken, "Minority Report" (1956)

From MikeE at ster.invalid Sun Oct 9 12:11:16 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Oct 9 14:15:03 2005
Subject: [SpamCop-List] Re: Public Spamtraps
References:
Message-ID:

The 'Lost' Monster Is A Robot wrote:

> Here is a site that claims to be another kind of honeypot:
>
> Some of the ideas on that page are silly, others are 'meaningful'.
> Is there anything like these that feeds the SpamCop BL?

Spamcop uses spamtraps. It is not appropriate to publicize SC spamtraps.
Email to SC spamtraps generate spamcop reports and SCbl listings. It is
possible for the SC parser to be fooled by well constructed forgeries.
Publicizing the traps opens the door to 'mailicious' stunts or spoofs
which could cause bad listings.

> Also, what do you think of this?
>
> Bringing Spammers to Their Knees
> Blue Security hopes you'll join thousands of others
> in an army capable of crippling spammers' Web sites.
>
>
>
>

There are a variety of vigilante attacks, many of which are very flawed
in their concept, frequently abusive, and which have a serious potential
for misdirecting the vigilante abuse. A number are wrapped around the
idea of spamvampire and its offspring.

There is a huge difference between spamcop and other listing service's
'legitimate' spamtraps and Blue Security's variety of vigilante-ism.

The other problem with some vigilante approaches is that if you don't
know what you are doing and expose yourself unwisely, you make yourself
the target of an enemy which is much stronger and more tech savvy than
you are.

--
Mike Easter
kibitzer, not SC admin

From SC.10.myspamgobbler at spamcowboy.net Sun Oct 9 13:34:48 2005
From: SC.10.myspamgobbler at spamcowboy.net (Brian)
Date: Sun Oct 9 15:40:17 2005
Subject: [SpamCop-List] Re: kornets bit bucket, finally overflowed
In-Reply-To:
References:
Message-ID:

D.F. Manno wrote:
> In article ,
> "Possum Trot" wrote:
>
>> Does anyone have an email address for someone in
>> the Korean Embassy in D.C. who we can politely cc: on any Kornet Spam
>> report? A few thousand will show them depth or their problem.
>
> The U.S. has no diplomatic relations with North Korea, thus there is no North
> Korean embassy in the U.S.
>
> The South Korean embassy's Web site lists the following email addresses:
>
> # Political Section:
> political_usa@mofat.go.kr
> # Economic Section:
> economic_usa@mofat.go.kr
> # Congressional Section:
> congress_usa@mofat.go.kr
> # Consular Section:
> consular_usa@mofat.go.kr
> # Education Section:
> education_usa@mofat.go.kr
> # Cultural Section:
> information_usa@mofat.go.kr
> # Military Affair section:
> milattache@hotmail.com
>
> (Why is the South Korean military attache using a Hotmail account?)

Most likely for the hotmail spam filter to block spam from KR space ;)

--
Brian
SC.10.myspamgobbler@spamcowboy.net

From spambait at whodat.net Sun Oct 9 17:00:56 2005
From: spambait at whodat.net (Darrel Toepfer)
Date: Sun Oct 9 17:05:16 2005
Subject: [SpamCop-List] Spamcop Replies To Process
Message-ID:

I haven't gotten any replies to my submissions to SpamCop for the past 2
days (they have the URL inclosed), could someone post the reply
emailservers IP address?
I remember it as spamcop.ironport or something another but
don't have an old reply to check against my filters...

Thanks...

From nobody at xyzzy.claranet.de Sun Oct 9 21:14:01 2005
From: nobody at xyzzy.claranet.de (Frank Ellermann)
Date: Sun Oct 9 17:35:03 2005
Subject: [SpamCop-List] Re: 66.218.64.0 - 66.218.95.255:network-abuse@cc.yahoo-inc.com
References: <43456728.12D5@xyzzy.claranet.de>
Message-ID: <43495DE9.60F4@xyzzy.claranet.de>

Ellen wrote in spamcop.routing:

> Thanks -v please.

The problem is still the same:

| Cached whois for 66.218.77.68 : network-abuse@cc.yahoo-inc.com
| Using abuse net on network-abuse@cc.yahoo-inc.com
| abuse net cc.yahoo-inc.com = postmaster@cc.yahoo-inc.com
| Using best contacts postmaster@cc.yahoo-inc.com
| postmaster@cc.yahoo-inc.com bounces (7 sent : 7 bounces)
| Using postmaster#cc.yahoo-inc.com@devnull.spamcop.net for statistical tracking.

I went through the usual "five reloads to get a geocities IP"
procedure, used "refresh/show" to get rid of any old cached
routing info, another round of five reloads to use whatever is
now in the cache, but it was still the same old Dave Null.

Bye, Frank

P.S.: X-Post + fup2 spamcop, because spamcop.routing is
apparently not exported to a list with a Web archive (?)

From nobody at xyzzy.claranet.de Mon Oct 10 00:37:20 2005
From: nobody at xyzzy.claranet.de (Frank Ellermann)
Date: Sun Oct 9 17:40:03 2005
Subject: [SpamCop-List] Re: Spamcop Replies To Process
References:
Message-ID: <43498D90.91E@xyzzy.claranet.de>

Darrel Toepfer wrote:

> could someone post the reply emailservers IP address? I
> remember it as spamcop.ironport or something another but
> don't have an old reply to check against my filters...

Received: from vmx1.spamcop.net ([204.15.82.27]) by
 quack.de.clara.net with esmtp [...]
Received: from sc-app2.ironport.com (HELO spamcop.net)
 (204.15.82.21) by vmx1.spamcop.net with SMTP; 09 Oct 2005

Without digging deeper I'd say don't block 204.15.82.0/24, bye

From spambait at whodat.net Sun Oct 9 18:09:58 2005
From: spambait at whodat.net (Darrel Toepfer)
Date: Sun Oct 9 18:10:03 2005
Subject: [SpamCop-List] Re: Spamcop Replies To Process
In-Reply-To: <43498D90.91E@xyzzy.claranet.de>
References: <43498D90.91E@xyzzy.claranet.de>
Message-ID:

Frank Ellermann wrote:
> Darrel Toepfer wrote:
>
>>could someone post the reply emailservers IP address? I
>>remember it as spamcop.ironport or something another but
>>don't have an old reply to check against my filters...
>
> Received: from vmx1.spamcop.net ([204.15.82.27]) by
> quack.de.clara.net with esmtp [...]
> Received: from sc-app2.ironport.com (HELO spamcop.net)
> (204.15.82.21) by vmx1.spamcop.net with SMTP; 09 Oct 2005
>
> Without digging deeper I'd say don't block 204.15.82.0/24, bye

Thanks the old ranges I had were:
64.74.133.224 - 64.74.133.255
216.154.195.50

Looked in my mail server logs (doh!) and last message received was at
6:42am central time... Who do I need to write to, with my subscribed
email address to verify or clear the problem?

From nobody at xyzzy.claranet.de Mon Oct 10 01:07:40 2005
From: nobody at xyzzy.claranet.de (Frank Ellermann)
Date: Sun Oct 9 18:15:03 2005
Subject: [SpamCop-List] Re: Deputies
References: <4348419F.3BB2@xyzzy.claranet.de>
Message-ID: <434994AC.507D@xyzzy.claranet.de>

Mike Easter wrote:

> You could paste it into something like Notepad which won't
> take the graphic, and then recopy it from notepad into OE,
> but that seems like a stupid step trying to defeat something
> which shouldn't be working like that in the first place..

IMHO you can't say that it should not work like that, the
clipboard is just a buffer for anything, and in the case of
a HTML page keeping the pictures (and maybe other inline
objects) is nice.

AFAIK it's the job of the source object to put as much info
as possible into this buffer (the copy part), and it's the
job of the target object to grab what it can handle (the
paste part), e.g. only text.

The clipboard offers essential conversions like OEM to UniCode
or v.v. between source and target, but it is no "do what I
mean" process. And the target (here OE) can handle MIME
multipart/mixed mail with text/html plus image/png parts.

So the interface between clipboard and OE works fine, and
apparently better than before if as you said it didn't work
that way before XP.

> If MS in its infinite wisdom decided to let the clipboard
> work like that, they should've made it the clipboard
> configurable for dropping or keeping the graphic/s.

Actually it's the job of OE to get it right if the user wants
no text/html within multipart/mixed, and only text/plain with
no nonsense like an embedded UUE.

It's tricky, sometimes (especially ten years ago) the OE user
might really want an embedded UUE, e.g. to send a picture or
other binary to somebody without MIME UA. Or to bypass stupid
multipart/* filters at the receiver.

So how should OE "know" what the user really wants ? It's not
exactly obvious. And the new clipboard also can't "know" this.
It's a typical "feature or bug" issue, maybe you can disable
UUE somehow globally, and use it only when necessary (?)

Bye

From spambait at whodat.net Sun Oct 9 18:21:14 2005
From: spambait at whodat.net (Darrel Toepfer)
Date: Sun Oct 9 18:25:03 2005
Subject: [SpamCop-List] Re: Spamcop Replies To Process
In-Reply-To:
References: <43498D90.91E@xyzzy.claranet.de>
Message-ID:

Darrel Toepfer wrote:
> Looked in my mail server logs (doh!) and last message received was at
> 6:42am central time... Who do I need to write to, with my subscribed
> email address to verify or clear the problem?

The subscribed account exists and the domain is accepting mail as tested
from 3 external domains.
The email to process stopped as of the time listed above on
Saturday... I'm stumped as the IP ranges for SMTP from SpamCop aren't
blocked and I need to see if they are being bounced or if this is a
product of the Level3/Cogent backbone connectivity war...

I've never been able to access my account via the web since the site
switchover quite awayz back...

From nobody at xyzzy.claranet.de Mon Oct 10 01:23:45 2005
From: nobody at xyzzy.claranet.de (Frank Ellermann)
Date: Sun Oct 9 18:30:04 2005
Subject: [SpamCop-List] Re: Spamcop Replies To Process
References: <43498D90.91E@xyzzy.claranet.de>
Message-ID: <43499871.44B@xyzzy.claranet.de>

Darrel Toepfer wrote

> Who do I need to write to, with my subscribed email address
> to verify or clear the problem?

How did you block, was it 4xx ? Then the other side (SC) is
supposed to try it for about 100 hours. If it was 5xx I'm
not sure what SC does.

The one time when SC came to the conclusion that my ISP blocks
or bounces (?) SC reports I found a note on my SC welcome page,
http://www.spamcop.net/ (+ cookie). It didn't explain what the
problem was and I never found out, but it offered a "problem
solved" button or similar, that worked. Some submitted spams
lost IIRC, but there's always enough fresh spam... ;-) Bye

From nobody at xyzzy.claranet.de Mon Oct 10 01:30:35 2005
From: nobody at xyzzy.claranet.de (Frank Ellermann)
Date: Sun Oct 9 18:35:03 2005
Subject: [SpamCop-List] Re: Spamcop Replies To Process
References: <43498D90.91E@xyzzy.claranet.de>
Message-ID: <43499A0B.A70@xyzzy.claranet.de>

Darrel Toepfer wrote:

> I've never been able to access my account via the web since
> the site switchover quite awayz back...

That was weird depending on the browser , did you test this:
?
Bye

From spambait at whodat.net Sun Oct 9 20:19:10 2005
From: spambait at whodat.net (Darrel Toepfer)
Date: Sun Oct 9 20:20:06 2005
Subject: [SpamCop-List] Re: Spamcop Replies To Process
In-Reply-To: <43499A0B.A70@xyzzy.claranet.de>
References: <43498D90.91E@xyzzy.claranet.de> <43499A0B.A70@xyzzy.claranet.de>
Message-ID:

Frank Ellermann wrote:
> Darrel Toepfer wrote:
>
>>I've never been able to access my account via the web since
>>the site switchover quite awayz back...
>
> That was weird depending on the browser , did you test this:
> ? Bye

"No user found for input:" when I plug in my subscribed email address. I
dunno what the username and password is anymore...

From spambait at whodat.net Sun Oct 9 21:18:24 2005
From: spambait at whodat.net (Darrel Toepfer)
Date: Sun Oct 9 21:20:02 2005
Subject: [SpamCop-List] Re: Spamcop Replies To Process
In-Reply-To: <43499871.44B@xyzzy.claranet.de>
References: <43498D90.91E@xyzzy.claranet.de> <43499871.44B@xyzzy.claranet.de>
Message-ID:

Frank Ellermann wrote:
> The one time when SC came to the conclusion that my ISP blocks
> or bounces (?) SC reports I found a note on my SC welcome page,
> http://www.spamcop.net/ (+ cookie). It didn't explain what the
> problem was and I never found out, but it offered a "problem
> solved" button or similar, that worked. Some submitted spams
> lost IIRC, but there's always enough fresh spam... ;-) Bye

Problem resolved create a new account. The old one was being forwarded
to a domain I no longer have, that collected in a catch all account of
ones I do... argh....

Thanks for the help...

From mark.c at somewhere.invalid Mon Oct 10 04:02:22 2005
From: mark.c at somewhere.invalid (Mark C)
Date: Sun Oct 9 23:05:03 2005
Subject: [SpamCop-List] "x.x.x.x does not report source IP correctly" - Either ISP DNS problem or spamcop flagging?
Message-ID:

http://www.spamcop.net/sc?id=z813916710zec3c27a5152f65183685f3265ce86afez

I reported some spam, and got a message like so:

203.96.152.177 does not report source IP correctly
No source IP address found, cannot proceed.

(see report link above.)

>From searching the forums, I think that either:

1) My ISP has their mailserver DNS stuffed up and it needs to be
repaired. (Because linda-4.paradise.net.nz does not resolve to
203.96.152.177 and 203.96.152.177 does not have a rDNS, and
likewise with smtp-1.paradise.net.nz.)

OR

2) A deputy needs to unflag 203.96.152.177 as "does not report
source IP correctly"
http://forum.spamcop.net/forums/index.php?showtopic=4188&hl=does++report++source++correctly#

OR

3) Something else...

If (1), what exactly do I tell my ISP to do, or can someone from
spamcop sort them out?

Thanks,
Mark

From MikeE at ster.invalid Sun Oct 9 23:08:25 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Oct 10 01:10:03 2005
Subject: [SpamCop-List] Re: "x.x.x.x does not report source IP correctly" - Either ISP DNS problem or spamcop flagging?
References:
Message-ID:

Mark C wrote:
>www.spamcop.net/sc?id=z813916710zec3c27a5152f65183685f3265ce86afez

That is a mailhosted parse about:

Abbreviated Received lines *comment
from (203.96.152.177) by internal-pop3-3.paradise.net.nz *serves you
from ([203.96.152.177]) by linda-4.paradise.net.nz *serves you
from ([201.12.173.60]) by smtp-1.paradise.net.nz *sourceline
from unknown (HELO overdose) (192.168.61.199) by 201.12.173.60
*bogusline

... in which SC breaks the chain prematurely because of a mailhost line
problem.

> I reported some spam, and got a message like so:
>
> 203.96.152.177 does not report source IP correctly
> No source IP address found, cannot proceed.

If your mailhost configuration doesn't match what SC is parsing for it
there's a big problem.

An 'experimental' non-mailhosted parse of exactly the same spam works
just fine on those headers:
http://www.spamcop.net/sc?id=z813947345z77762f795eccda72932f5250198374abz

Report Spam to:
Re: 201.12.173.60 (Administrator of network where email originates)
To: mail-abuse@cert.br (Notes)
To: mail-abuse@nic.br (Notes)
To: Internal spamcop handling: (spambr) (Notes)
To: postmaster@cert.br (Notes)
Re: http://194.135.81.30/subs/unsub.php?email=x (Administrator of network hosting website referenced in spam)
To: postmaster@in-telecom.ru (Notes)

That is a correct parse of the headers and the body. Your parse of the
headers doesn't work because mailhosted header parsing is supposed to
match what you have configured for your mailhost.

> From searching the forums, I think that either:
>
> 1) My ISP has their mailserver DNS stuffed up and it needs to be
> repaired. (Because linda-4.paradise.net.nz does not resolve to
> 203.96.152.177 and 203.96.152.177 does not have a rDNS, and
> likewise with smtp-1.paradise.net.nz.)

A very important reason that you mailhost is to 'fix' or prevent
problems with how your mailhost is configured.

> OR
>
> 2) A deputy needs to unflag 203.96.152.177 as "does not report
> source IP correctly"
> http://forum.spamcop.net/forums/index.php?showtopic=4188&hl=does++report++source++correctly#

I didn't go read that forum link. Sorry. I may get around to it later.

> OR
>
> 3) Something else...

'Something else' is when your mailhost configuration is b0rken you are
supposed to fix it.

> If (1), what exactly do I tell my ISP to do, or can someone from
> spamcop sort them out?

If you can fix your mailhost all by yourself, you should do that. If
you can't do that mailhost fixing, then you should get a deputy to fix
it for you and quit reporting in the meantime until the mailhost is
fixed.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Sun Oct 9 23:20:48 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Oct 10 01:25:03 2005
Subject: [SpamCop-List] Re: "x.x.x.x does not report source IP correctly" - Either ISP DNS problem or spamcop flagging?
References:
Message-ID:

Mike Easter wrote:
> Mark C wrote:
>> www.spamcop.net/sc?id=z813916710zec3c27a5152f65183685f3265ce86afez
>
> That is a mailhosted parse about:
>
> Abbreviated Received lines *comment
> from (203.96.152.177) by internal-pop3-3.paradise.net.nz *serves you
> from ([203.96.152.177]) by linda-4.paradise.net.nz *serves you
> from ([201.12.173.60]) by smtp-1.paradise.net.nz *sourceline
> from unknown (HELO overdose) (192.168.61.199) by 201.12.173.60
> *bogusline
>
> ... in which SC breaks the chain prematurely because of a mailhost
> line problem.

To say this another way, in case the preceding was confusing, the
concept of configuring your mailhosts with SC is so that SC is expecting
to see the top 2 and a half lines of what I abbreviated above because
you have provided lines stamped by your provider in the configuration
phase.

If you have configured for a different appearance of the behavior of
your mailhost than what appears in this item, then the headers above
don't match with what you have told SC that your provider does with its
headers.

> If you can fix your mailhost all by yourself, you should do that.

That means - this parse result indicates a discrepancy between how your
mailhosting is configured and what you are submitting. Sometimes
someone can fix that all by themselves by 'adding' a mailhost.
Sometimes people have a hard time with mailhost problems and have to let
a deputy intervene.

> If
> you can't do that mailhost fixing, then you should get a deputy to fix
> it for you and quit reporting in the meantime until the mailhost is
> fixed.

--
Mike Easter
kibitzer, not SC admin

From bait-423c86b2-42ff9001 at good.julianhaight.com Mon Oct 10 02:41:33 2005
From: bait-423c86b2-42ff9001 at good.julianhaight.com (Chris F. Willoughby)
Date: Mon Oct 10 04:46:13 2005
Subject: [SpamCop-List] Re: "x.x.x.x does not report source IP correctly" - Either ISP DNS problem or spamcop flagging?
References:
Message-ID:

If it makes you feel any better I have similar issues with my ISPs e-mail
server.. I've never been able to convince them it's their problem or to do
anything about it. So.. a good portion of the spam I try to report comes
back with that same error. :(

Chris

"Mark C" wrote in message news:dicljt$ngk$1@news.spamcop.net...
> http://www.spamcop.net/sc?id=z813916710zec3c27a5152f65183685f3265ce86afez
>
> I reported some spam, and got a message like so:
>
> 203.96.152.177 does not report source IP correctly
> No source IP address found, cannot proceed.
>
> (see report link above.)
>
> From searching the forums, I think that either:
>
> 1) My ISP has their mailserver DNS stuffed up and it needs to be
> repaired. (Because linda-4.paradise.net.nz does not resolve to
> 203.96.152.177 and 203.96.152.177 does not have a rDNS, and
> likewise with smtp-1.paradise.net.nz.)
>
> OR
>
> 2) A deputy needs to unflag 203.96.152.177 as "does not report
> source IP correctly"
> http://forum.spamcop.net/forums/index.php?showtopic=4188&hl=does++report++source++correctly#
>
> OR
>
> 3) Something else...
>
> If (1), what exactly do I tell my ISP to do, or can someone from
> spamcop sort them out?
>
> Thanks,
> Mark

From mwnospam at comcast.net Mon Oct 10 06:51:17 2005
From: mwnospam at comcast.net (spamacyde)
Date: Mon Oct 10 05:55:24 2005
Subject: [SpamCop-List] Spam Whose Message Body Consists Only of Text Information but Appears as Binary in the Message Source
Message-ID:

I am referring to Spam Cop Report 1526310086. This is spam
advertising a stock. The message is all text. However the source
looks like binary.
Is the spammer trying to confuse things? Would
it be more valuable (though less convenient to me) to forward the
email rather than paste the source in the Spamcop reporting form?

Thanks

From nobody at spamcop.net Mon Oct 10 10:35:41 2005
From: nobody at spamcop.net (Ellen)
Date: Mon Oct 10 10:00:03 2005
Subject: [SpamCop-List] Re: "x.x.x.x does not report source IP correctly" - Either ISP DNS problem or spamcop flagging?
References:
Message-ID:

"Mark C" wrote in message news:dicljt$ngk$1@news.spamcop.net...
> http://www.spamcop.net/sc?id=z813916710zec3c27a5152f65183685f3265ce86afez
>
> I reported some spam, and got a message like so:
>
> 203.96.152.177 does not report source IP correctly
> No source IP address found, cannot proceed.
>

Slight snafu -- the system was issuing that alert but still parsing. Fixed.

Ellen
SpamCop

From MikeE at ster.invalid Mon Oct 10 08:39:36 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Oct 10 10:40:03 2005
Subject: [SpamCop-List] Re: Spam Whose Message Body Consists Only of Text Information but Appears as Binary in the Message Source
References:
Message-ID:

spamacyde wrote:
> I am referring to Spam Cop Report 1526310086. This is spam
> advertising a stock. The message is all text. However the source
> looks like binary. Is the spammer trying to confuse things? Would
> it be more valuable (though less convenient to me) to forward the
> email rather than paste the source in the Spamcop reporting form?

'Spam Cop Report 1526310086' is not how you 'talk about' something,
because we can't see the spam from your reportid. You talk about
something with a tracker.

A tracker looks like
http://www.spamcop.net/sc?id=z814078117z1adebaf7aba767058b789cbffe8781d4z
and, in fact, that particular tracker is a stock spam and the body is
b64 encoded, so if you would like, we can talk about the item in my
tracker rather than your reportid, because it demonstrates what you are
talking about.

The way you convert a reportid into a tracker is to put your reportid
into the gizmo here http://www.spamcop.net/mcgi?action=histmenu

The result is a reportid# which has been converted into a link, which
link is the tracker like I posted above.

Here is a graphic
http://forum.spamcop.net/forums/index.php?showtopic=4498 FAQ Entry:
Getting a Tracking URL from a Report ID

--
Mike Easter
kibitzer, not SC admin

From gezgin at spamcop.net Mon Oct 10 19:23:14 2005
From: gezgin at spamcop.net (Gezgin)
Date: Mon Oct 10 11:25:02 2005
Subject: [SpamCop-List] Cannot open database connection in putRow
Message-ID:

http://mailsc.spamcop.net/ seems to be having some
problems...

(16:22 UTC)

--
Bob

Kanyak's Doghouse
http://www.kanyak.com

From gezgin at spamcop.net Mon Oct 10 19:29:13 2005
From: gezgin at spamcop.net (Gezgin)
Date: Mon Oct 10 11:30:03 2005
Subject: [SpamCop-List] Re: Cannot open database connection in putRow
References:
Message-ID:

Musta been a hiccup. Working fine now.

Bob

"Gezgin" wrote in message
news:die113$en7$1@news.spamcop.net...
> http://mailsc.spamcop.net/ seems to be having some
> problems...
>
> (16:22 UTC)
>
> --
> Bob
>
> Kanyak's Doghouse
> http://www.kanyak.com
>

From dwvbo91q4001 at sneakemail.com Mon Oct 10 16:39:52 2005
From: dwvbo91q4001 at sneakemail.com (Tim P.)
Date: Mon Oct 10 11:40:02 2005
Subject: [SpamCop-List] Re: Cannot open database connection in putRow
References:
Message-ID:

"Gezgin" wrote in news:die1ca$eu9$1
@news.spamcop.net:

> Musta been a hiccup. Working fine now.
>
> Bob
>
> "Gezgin" wrote in message
> news:die113$en7$1@news.spamcop.net...
>> http://mailsc.spamcop.net/ seems to be having some
>> problems...
>>
>> (16:22 UTC)
>>
>> --
>> Bob
>>
>> Kanyak's Doghouse
>> http://www.kanyak.com
>>
>
>

Intermittent for me too. Must be a faulty server again.

--
Tim P
Very content SpamCop Subscriber since 4/2002

From dwvbo91q4001 at sneakemail.com Mon Oct 10 17:35:11 2005
From: dwvbo91q4001 at sneakemail.com (Tim P.)
Date: Mon Oct 10 12:40:26 2005
Subject: [SpamCop-List] Cannot Log in - server problems?
Message-ID:

The server must be experiencing problems this morning.

I was able to report a batch of spams this morning but then at about 9am on
the service was spotty. It would take its time to process, then it came
back with a text page of what was supposed to be html. I would be prompted
to log in repeatedly and now it appears my user id is not even in the
database.

Confirmation?

--
Tim P
Very content SpamCop Subscriber since 4/2002

From hcd5rma02 at sneakemail.com Mon Oct 10 20:11:35 2005
From: hcd5rma02 at sneakemail.com (Arne Bolen)
Date: Mon Oct 10 13:15:02 2005
Subject: [SpamCop-List] Realtime stats of how efficient spam is
Message-ID:

Yesterday a spammer started to send out a mail which looks like a
confirmation of a subscription to a mailinglist.

The mail has the following content:

Hello!

It has been requested that the following address:
xxx@xxx.xxx
should be added to the communism community mailing list.
You have been successfully subscribed to our mail list.
Thank you.

To unsubscribe from our mail list, just follow this link:
http://194.135.81.30/subs/unsub.php?email=xxx@xxx.xxx
Click this link, or copy and paste the address into your browser.

The email address is the address the mail is sent to.

When clicking on the unsubscribe link you come to a simple page which
informs you that " Your e-mail address was successfully deleted from our
mailing list. "

As an extra service the spammer has a webcounter on the confirmation
page. This counter is actually very interesting, it shows the huge amount
of people being fooled by this mail. The spammer must be very happy, in
less than 2 days he has collected more than 61825 real mail addresses.

The stats can be viewed at:
http://www.webstats4u.com/s?tab=1&link=1&id=3744516

The stats show most visitors are from UK, Australia and New Zealand.

I am amazed that so many people are clicking on an unsubscribe link
without thinking.
Maybe people dislike being subscribed to a "communism
community mailing list" so much they stop using the brain.

From nobody at spamcop.net Mon Oct 10 12:48:37 2005
From: nobody at spamcop.net (Ellen)
Date: Mon Oct 10 13:25:02 2005
Subject: [SpamCop-List] Re: Cannot open database connection in putRow
References:
Message-ID:

"Tim P." wrote in message
news:Xns96EB6C82C9A20dwvbo91q4001sneakema@216.154.195.61...
> "Gezgin" wrote in news:die1ca$eu9$1
> @news.spamcop.net:
>
> > Musta been a hiccup. Working fine now.
> >
> > Bob
> >
> > "Gezgin" wrote in message
> > news:die113$en7$1@news.spamcop.net...
> >> http://mailsc.spamcop.net/ seems to be having some
> >> problems...
> >>
> >> (16:22 UTC)
> >>
> >> --
> >> Bob
> >>
> >> Kanyak's Doghouse
> >> http://www.kanyak.com
> >>
> >
> >
>
> Intermittent for me too. Must be a faulty server again.
>

Operations is working on a couple of problems -- I think, altho I am not
sure, that the exact error you see may vary. In any case, when they fix the
problems that they have found, we can which errors are still being see, if
any. Thanks

Ellen
SpamCop

From dogs32 at hotmail.com Mon Oct 10 13:41:17 2005
From: dogs32 at hotmail.com (Jeff)
Date: Mon Oct 10 13:45:03 2005
Subject: [SpamCop-List] Error in Spamcop!
Message-ID:

SpamCop v 1.493 Copyright (C) 1998-2005, IronPort Systems, Inc. All rights reserved.

Failed to load spam header: 814048022 / 969619ff065f61da11112cd313aa4da8
Cannot open database connection in putRow

This needs to be fixed ASAP! I can't report Spam now, thanks to your
technical glitches all the time. This isn't the first time it's happened
either. Where is the maintenance on your server and network? Obviously
non-existent as far as I'm concerned.

Please fix it soon, have lots of spam to report.

From baloo at ursine.ca Mon Oct 10 11:45:00 2005
From: baloo at ursine.ca (baloo@ursine.ca)
Date: Mon Oct 10 14:10:04 2005
Subject: [SpamCop-List] Re: OT Re: How to Rattle This Guy's Cage?
References: <43427912.17EDB4B5@SpamCop.net.dev.null> <462oa8nyzhdz.dlg@news.spamcop.net> <4iii13-m4u.ln1@ursine.ca>
Message-ID:

JG wrote:
> On 10/7/2005 8:58 AM baloo@ursine.ca scribbled:
>
>> JG wrote:
>>
>>>On 10/6/2005 12:34 PM baloo@ursine.ca scribbled:
>>>
>>>
>>>>Three generations. Tom McCall said it best.
>>>
>>>Tom McCall, the bus test driver??
>>
>>
>> The Oregon governor.
> Oh, I'd have to think the other McCall is probably unknown to anyone
> under 55 anyway...

It's rather hard to ignore his legacy, if for no other reason than
history class at almost every grade level and everything being named
after him. You would literally have to live under a rock or be from
California to live on the pacific coast and not know who he is.

From nobody at spamcop.net Mon Oct 10 14:34:17 2005
From: nobody at spamcop.net (Ellen)
Date: Mon Oct 10 14:25:06 2005
Subject: [SpamCop-List] Transient Problems was Re: Cannot Log in - server problems?
References:
Message-ID:

"Tim P." wrote in message
news:Xns96EB75E4033CEdwvbo91q4001sneakema@216.154.195.61...
> The server must be experiencing problems this morning.
>
> I was able to report a batch of spams this morning but then at about 9am on
> the service was spotty. It would take its time to process, then it came
> back with a text page of what was supposed to be html. I would be prompted
> to log in repeatedly and now it appears my user id is not even in the
> database.
>
> Confirmation?
>
> --

We are experiencing some transient system problems. System operations and
engineering is aware of these problems and they are working on them. I don't
have an ETA at this point. Thanks.

Ellen
SpamCop

From jeffg at spamcop.net Mon Oct 10 15:28:38 2005
From: jeffg at spamcop.net (Jeff G.)
Date: Mon Oct 10 14:30:02 2005
Subject: [SpamCop-List] Re: Error in Spamcop!
References:
Message-ID:

"Jeff" wrote in message news:die93u$jf0$1@news.spamcop.net...
> Failed to load spam header: 814048022 / 969619ff065f61da11112cd313aa4da8
> Cannot open database connection in putRow
>
> This needs to be fixed ASAP! I can't report Spam now, thanks to your
> technical glitches all the time. This isn't the first time it's happened
> either. Where is the maintenance on your server and network? Obviously
> non-existent as far as I'm concerned.
>
> Please fix it soon, have lots of spam to report.

Please see the following message.

Thanks and Best Regards, Jeff G.

I have been a SpamCop User/Member/Customer since 1999 and am a Moderator
of the new web-based forums (now the primary method for getting help,
http://forum.spamcop.net). Please contact me via Forum only, as PMs and
Emails may be posted, reported, and/or ridiculed.

----- Original Message -----
From: "Ellen"
Message-ID:
Newsgroups: spamcop
Sent: Monday 2005/10/10 11:48
Subject: Re: Cannot open database connection in putRow
On the web at:
http://news.spamcop.net/pipermail/spamcop-list/2005-October/105278.html

> Operations is working on a couple of problems -- I think, altho I am not
> sure, that the exact error you see may vary. In any case, when they fix the
> problems that they have found, we can which errors are still being see, if
> any. Thanks
>
> Ellen
> SpamCop

From jeffg at spamcop.net Mon Oct 10 15:33:26 2005
From: jeffg at spamcop.net (Jeff G.)
Date: Mon Oct 10 14:35:02 2005
Subject: [SpamCop-List] Re: Cannot Log in - server problems?
References:
Message-ID:

"Tim P." wrote in message
news:Xns96EB75E4033CEdwvbo91q4001sneakema@216.154.195.61...
> The server must be experiencing problems this morning.
>
> I was able to report a batch of spams this morning but then at about 9am on
> the service was spotty. It would take its time to process, then it came
> back with a text page of what was supposed to be html. I would be prompted
> to log in repeatedly and now it appears my user id is not even in the
> database.
>
> Confirmation?

Please see the following message.
Thanks and Best Regards,
Jeff G.
I have been a SpamCop User/Member/Customer since 1999 and am a Moderator of the new web-based forums (now the primary method for getting help, http://forum.spamcop.net). Please contact me via Forum only, as PMs and Emails may be posted, reported, and/or ridiculed.

----- Original Message -----
From: "Ellen"
Message-ID:
Newsgroups: spamcop
Sent: Monday 2005/10/10 11:48
Subject: Re: Cannot open database connection in putRow
On the web at: http://news.spamcop.net/pipermail/spamcop-list/2005-October/105278.html

> Operations is working on a couple of problems -- I think, altho I am not
> sure, that the exact error you see may vary. In any case, when they fix the
> problems that they have found, we can see which errors are still being seen, if
> any. Thanks
>
> Ellen
> SpamCop

From nobody at devnull.spamcop.net Mon Oct 10 19:53:24 2005
From: nobody at devnull.spamcop.net (Sofa King Tyred of Lar Ting)
Date: Mon Oct 10 18:55:29 2005
Subject: [SpamCop-List] Re: Hats off to uk.easynet.net
In-Reply-To:
References:
Message-ID:

Anthony Edwards wrote:
> On Sun, 09 Oct 2005 11:25:15 -0400, Sofa King Tyred of Lar Ting
> wrote:
>
>
>>I got some phish emails last week, and the "phish" web site was up and
>>running for at least three days on an IP under "onetel.net.uk" - try to
>>find an "abuse" address either via spamcop or through their web site.
>
>
> abuse@abuse:~$ whois -h whois.abuse.net onetel.net.uk

[useful, but highly unfriendly to non technical users, stuff deleted]

Thanks for using your linux system to give me info that I can not easily get with windows.

My point was, if an ISP doesn't have an easily findable "abuse" email on their main web page, I don't consider them to be too responsible (or professional) these days. If it takes more than two clicks from the main page to find the abuse email, that's obfuscation and shirking, albeit unintentional (or ignorant).
Phishers exploit that to the hilt - ever wonder why phish emails arrive most often on Sundays of long weekends? It's not because phishers have time on their hands, but likely because the competent technical staff aren't around to shut down the rogue sites... and that people tend to be at their home computers...

From nobody at xyzzy.claranet.de Tue Oct 11 01:59:39 2005
From: nobody at xyzzy.claranet.de (Frank Ellermann)
Date: Mon Oct 10 19:05:03 2005
Subject: [SpamCop-List] Re: 66.218.64.0 - 66.218.95.255:network-abuse@cc.yahoo-inc.com
References: <43456728.12D5@xyzzy.claranet.de> <43495DE9.60F4@xyzzy.claranet.de>
Message-ID: <434AF25B.7125@xyzzy.claranet.de>

Frank Ellermann wrote:

> The problem is still the same:

Not yet fixed, reports still go Dave Null:

http://www.spamcop.net/sc?id=z814197540z03142d85f721bedf8ddb2500807369a3z
http://www.spamcop.net/sc?id=z813846482z8efbb672cff90d883343c34f82c378e7z

The spamvertized URLs are apparently also not shown on

It's not a problem of the Dave Null address, other URLs with reports to postmaster#cc.yahoo-inc.com@devnull.spamcop.net are shown as spamvertized URL, only geocities URLs never make it (?) on the "inprogress" page used as input for SURBL.

Not that they could do much there, geocities is of course white listed, because it has legit users, but it's a matter of principle, when I need about five reloads until SC finds the IP I want some effect, either a valid report or a "vote" for SURBL or ideally both.

Bye, Frank

From jeffg at spamcop.net Mon Oct 10 20:38:28 2005
From: jeffg at spamcop.net (Jeff G.)
Date: Mon Oct 10 19:40:11 2005
Subject: [SpamCop-List] Re: Strange "quick report" problem
References: <4342A220.5C92A294@spamcop.net>
Message-ID:

"Kenneth Brody" wrote in message news:4342A220.5C92A294@spamcop.net...
> I submitted several spams in my Inbox for quick reporting, and I got the
> following e-mail in reply:
>
> ==========
> SpamCop.net
> Here are the results of your submission:
>
> Processing spam: From:
> Subject:
>
>
> Processing spam: From:
> Subject:
>
>
> Processing spam: From:
> Subject:
>
>
> Processing spam: From:
> Subject:
>
>
> Processing spam: From:
> Subject:
>
>
> Processing spam: From:
> Subject:
>
>
> Processing spam: From:
> Subject:

The described symptom (failure of the "Report as Spam" type of Quick Reporting from Webmail due to blank lines in the headers of the messages) is no longer a problem as of Oct 6 2005 at 12:15 PM EDT -0400 (16:15 UTC -0000) per Steven Underwood's post http://forum.spamcop.net/forums/index.php?showtopic=5055&view=findpost&p=33793 and personal experience.

However, forwarding from Webmail is still subject to blank lines in the headers of the forwarded messages, and JT is still working on that.

I suggest that SpamCop Email System Customers who want to do full reporting should either copy from the Webmail "Message Source" page and paste into the Parser or use Very Easy Reporting (VER) to submit for Reporting until this problem is fixed, and then they can go back to using Webmail's message list to forward to their Submit Addresses.

--
Best Regards,
Jeff G.
I have been a SpamCop User/Member/Customer since 1999 and am a Moderator of the new web-based forums (now the primary method for getting help, http://forum.spamcop.net). Please contact me via Forum only, as PMs and Emails may be posted, reported, and/or ridiculed.
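
The failure mode discussed in the message above (a blank line inside a message's header block, which ends header parsing early and is consistent with the empty "From:" and "Subject:" in the quoted result), as an added example that is not part of the original post and not SpamCop's code. The sample messages, the repair heuristic and all function names are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# RFC 5322 field name (printable ASCII except ':') followed by ':' and
# whitespace or end of line; the trailing check keeps "http://..." out.
FIELD = re.compile(r"^([!-9;-~]+):(?:[ \t]|$)")

# Constructed sample: a stray blank line splits the header block in two.
# Addresses use reserved example domains and a documentation IP.
BROKEN = (
    "Return-Path: <bounce@mailer.example>\n"
    "Received: from mailer.example (mailer.example [192.0.2.25])\n"
    "\tby mx.example.net with SMTP; Thu, 6 Oct 2005 09:12:44 -0400\n"
    "\n"
    "From: Cheap Meds <sales@mailer.example>\n"
    "Subject: Re[4]: your order\n"
    "Date: Thu, 6 Oct 2005 09:12:40 -0400\n"
    "\n"
    "Buy now at http://shop.example/\n"
)

# Constructed control: intact headers, body that quotes header-like lines.
CLEAN = (
    "From: Reporter <reporter@example.org>\n"
    "Subject: Fwd: look at this\n"
    "\n"
    "From: someone@mailer.example\n"
    "Subject: Re[4]: your order\n"
    "\n"
    "forwarded text\n"
)


def field_names(block):
    """Lower-cased field names if every line is header-shaped, else None."""
    names = []
    for line in block:
        if names and line.startswith((" ", "\t")):
            continue  # folded continuation of the previous field
        match = FIELD.match(line)
        if match is None:
            return None
        names.append(match.group(1).lower())
    return names


def report_fields(raw):
    """What a standards-following parser sees: headers stop at the first blank line."""
    msg = message_from_string(raw)
    return msg["From"], msg["Subject"]


def repair_header_break(raw):
    """Rejoin a header block split by stray blank lines.

    Heuristic (an assumption of this example): From is mandatory, so if the
    top block lacks it and the following paragraphs are purely header-shaped,
    merge them until From appears. Anything else is returned untouched.
    """
    lines = raw.replace("\r\n", "\n").split("\n")
    changed = False
    while True:
        end = lines.index("") if "" in lines else len(lines)
        top = field_names(lines[:end])
        if top is None:
            return raw  # top block is not a header block at all
        if "from" in top:
            return "\n".join(lines) if changed else raw
        nxt_start = end
        while nxt_start < len(lines) and lines[nxt_start] == "":
            nxt_start += 1
        nxt_end = nxt_start
        while nxt_end < len(lines) and lines[nxt_end] != "":
            nxt_end += 1
        if not field_names(lines[nxt_start:nxt_end]):
            return raw  # next paragraph is body text: do not guess
        del lines[end:nxt_start]  # drop the stray blank line(s)
        changed = True


if __name__ == "__main__":
    print("as received:", report_fields(BROKEN))
    print("after repair:", report_fields(repair_header_break(BROKEN)))
```

The control message shows why the repair only fires when the top block has no From field: a forwarded message whose body starts with quoted headers must not be merged into the real ones.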
From nobody at xyzzy.claranet.de Tue Oct 11 03:47:32 2005
From: nobody at xyzzy.claranet.de (Frank Ellermann)
Date: Mon Oct 10 20:50:09 2005
Subject: [SpamCop-List] 12 domains4sale (was: The (in)famous "Re[n]" spam)
References: <433AD35A.65A@xyzzy.claranet.de> <433C29BA.5FBD@xyzzy.claranet.de> <433EAFEE.6EB@xyzzy.claranet.de>
Message-ID: <434B0BA4.2477@xyzzy.claranet.de>

Hijacking the old "Leo" thread: I just got 12 fresh Re:[n] spams, and reported them manually. Each had its very own spamvertized domain:

skittery.com nihilisms.net hulaing.com sauntered.net
nettling.net refashion.net zardosht.net pressers.net
satirised.com ionising.net loudening.com vocally.net

But all of them are already shut down / parked / for sale. Thank you, Godaddy. And sorry for two useless reports until I got the idea that this problem is already solved.

Spammers, stay away from this registrar, Godaddy is faster than you.

Bye

From bar_n0ne at hotmail.com Tue Oct 11 09:24:45 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Tue Oct 11 00:25:19 2005
Subject: [SpamCop-List] Re: 66.218.64.0 - 66.218.95.255:network-abuse@cc.yahoo-inc.com
References: <43456728.12D5@xyzzy.claranet.de> <43495DE9.60F4@xyzzy.claranet.de> <434AF25B.7125@xyzzy.claranet.de>
Message-ID:

"Frank Ellermann" wrote in message news:434AF25B.7125@xyzzy.claranet.de...
> Frank Ellermann wrote:
>
> > The problem is still the same:
>
> Not yet fixed, reports still go Dave Null:
>
> http://www.spamcop.net/sc?id=z814197540z03142d85f721bedf8ddb2500807369a3z
> http://www.spamcop.net/sc?id=z813846482z8efbb672cff90d883343c34f82c378e7z
>
> The spamvertized URLs are apparently also not shown on
>
>
> It's not a problem of the Dave Null address, other URLs with
> reports to postmaster#cc.yahoo-inc.com@devnull.spamcop.net
> are shown as spamvertized URL, only geocities URLs never make
> it (?) on the "inprogress" page used as input for SURBL.
>
> Not that they could do much there, geocities is of course
> white listed, because it has legit users, but it's a matter
> of principle, when I need about five reloads until SC finds
> the IP I want some effect, either a valid report or a "vote"
> for SURBL or ideally both.
> Bye, Frank
>
>
>

It might be timing, reported links only make it to that page if the spam was received by the earliest trusted MX within the last 20 some odd minutes. (20-30 minutes)

From bar_n0ne at hotmail.com Tue Oct 11 09:28:51 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Tue Oct 11 00:30:02 2005
Subject: [SpamCop-List] Re: Realtime stats of how efficient spam is
References:
Message-ID:

"Arne Bolen" wrote in message news:die7c8$i9k$1@news.spamcop.net...
> Yesterday a spammer started to send out a mail which looks like a
> confirmation of a subscription to a mailinglist. The mail has the following
> content:
>
> Hello!
> It has been requested that the following address:
> xxx@xxx.xxx
> should be added to the communism community mailing list.
> You have been successfully subscribed to our mail list.
> Thank you.
> To unsubscribe from our mail list, just follow this link:
> http://194.135.81.30/subs/unsub.php?email=xxx@xxx.xxx
> Click this link, or copy and paste the address into your browser.
>
> The email address is the address the mail is sent to. When clicking on the
> unsubscribe link you come to a simple page which informs you that " Your
> e-mail address was successfully deleted from our mailing list. "
>
> As an extra service the spammer has a webcounter on the confirmation page.
> This counter is actually very interesting, it shows the huge amount of
> people being fooled by this mail. The spammer must be very happy, in less
> than 2 days he has collected more than 61825 real mail addresses. The stats
> can be viewed at:
>
> http://www.webstats4u.com/s?tab=1&link=1&id=3744516
>
> The stats show most visitors are from UK, Australia and New Zealand.
>
> I am amazed that so many people are clicking on an unsubscribe link without
> thinking. Maybe people dislike being subscribed to a "communism community
> mailing list" so much they stop using the brain.

Ummmmm..... and exactly how was your behaviour different, or an improvement over those peoples?

>

From bar_n0ne at hotmail.com Tue Oct 11 09:36:10 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Tue Oct 11 00:40:03 2005
Subject: [SpamCop-List] Re: OT Re: How to Rattle This Guy's Cage?
References: <43427912.17EDB4B5@SpamCop.net.dev.null> <462oa8nyzhdz.dlg@news.spamcop.net> <4iii13-m4u.ln1@ursine.ca>
Message-ID:

wrote in message news:stlq13-a5l.ln1@ursine.ca...
> JG wrote:
> > On 10/7/2005 8:58 AM baloo@ursine.ca scribbled:
> >
> >> JG wrote:
> >>
> >>>On 10/6/2005 12:34 PM baloo@ursine.ca scribbled:
> >>>
> >>>
> >>>>Three generations. Tom McCall said it best.
> >>>
> >>>Tom McCall, the bus test driver??
> >>
> >>
> >> The Oregon governor.
> > Oh, I'd have to think the other McCall is probably unknown to anyone
> > under 55 anyway...
>
> It's rather hard to ignore his legacy, if for no other reason than
> history class at almost every grade level and everything being named
> after him. You would literally have to live under a rock or be from
> California to live on the Pacific coast and not know who he is.

Ummm... I'm from Vancouver, (on the West Coast and NOT in California) and while I can't say I never heard of him, I can say that I don't hear much of anything, and certainly nothing named after him.

OTOH, I pretty much ignore Oregon and any doings by people there. In fact since their wonderful Tourism promotions of the '70s that pretty much said 'come and spend your money and then please fsck off', I've more or less avoided the place except to pass through or buy fuel in times of shortages. (No I don't go out of my way, but it was my small revenge to exacerbate shortages there instead of elsewhere.)
From nobody at xyzzy.claranet.de Tue Oct 11 07:53:58 2005
From: nobody at xyzzy.claranet.de (Frank Ellermann)
Date: Tue Oct 11 01:00:03 2005
Subject: [SpamCop-List] Re: 66.218.64.0 - 66.218.95.255:network-abuse@cc.yahoo-inc.com
References: <43456728.12D5@xyzzy.claranet.de> <43495DE9.60F4@xyzzy.claranet.de> <434AF25B.7125@xyzzy.claranet.de>
Message-ID: <434B4566.49E9@xyzzy.claranet.de>

Berny wrote:

[ ]
> It might be timing, reported links only make it to that page
> if the spam was received by the earliest trusted MX within
> the last 20 some odd minutes. (20-30 minutes)

Are you talking about the "age" column on this page ? It says:

"Lists IP or address and quantity for reported spam within the last 30 minutes."

On the parent page , so that's apparently "reported", not your theory "received".

It's not impossible but very unlikely that I could report spam "manually" (= via mailto:submit, not mailto:quick) within 30 minutes after it hit an MX of one of my ISPs.

There's a delay until I note that new spam arrived (= POP poll every 10 min.), another delay until I actually POP it, some time to check and submit it (direct to vmx1), but then I normally wait for SC's feedback mail with the reporting links => another full POP poll cycle (my 10 minutes are already on the border to abusive), and last but not least "manual" SpamCop reports take their time, especially the reload - reload - reload - ... (up to 11 times) until SpamCop admits that geocities URLs have IPs.

Bye, Frank

From bar_n0ne at hotmail.com Tue Oct 11 10:29:51 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Tue Oct 11 01:30:03 2005
Subject: [SpamCop-List] Re: 66.218.64.0 - 66.218.95.255:network-abuse@cc.yahoo-inc.com
References: <43456728.12D5@xyzzy.claranet.de> <43495DE9.60F4@xyzzy.claranet.de> <434AF25B.7125@xyzzy.claranet.de> <434B4566.49E9@xyzzy.claranet.de>
Message-ID:

"Frank Ellermann" wrote in message news:434B4566.49E9@xyzzy.claranet.de...
> Berny wrote:
>
> [ ]
> > It might be timing, reported links only make it to that page
> > if the spam was received by the earliest trusted MX within
> > the last 20 some odd minutes. (20-30 minutes)
>
> Are you talking about the "age" column on this page ? It says:

Yes

>
> "Lists IP or address and quantity for reported spam within the
> last 30 minutes."

Yes

>
> On the parent page ,
> so that's apparently "reported", not your theory "received".

SNIP

I know what it says, but that's what's been my experience watching that page after a submission. If the spam is old, it just doesn't make it on the list.

Further, if one looks at the number of web pages listed there, the amount of duplication, and, considers the report volume (from daily stats) there is no way (IMHO) that that list can represent more than a tiny fraction of the spamvertized sites resolved and LARTED, even if we allow for most reports to be "Quick" and for few sites being parsed.

From jeffg at spamcop.net Tue Oct 11 03:29:09 2005
From: jeffg at spamcop.net (Jeff G.)
Date: Tue Oct 11 02:30:06 2005
Subject: [SpamCop-List] Re: What the blazes happened here?
References:
Message-ID:

"Geoffrey Hyde" wrote in message news:dhisaf$hb9$1@news.spamcop.net...
> http://www.spamcop.net/sc?id=z810628202zaf678942fb9d8fe752b4526c0b4f9903z
>
> This is apparently some *very weird* and not-funny bounce message

You should reply to System Administrator if "X-Return-Path: x" refers to "news-gateway@lugnet.com" or some other address that's not yours (because the bounce was sent to the wrong address (yours, from the From or Reply-To header)), and you should reply to "news@lugnet.com" and "postmaster@lugnet.com" if "X-Return-Path: x" refers to one of your addresses (because the wrong address was used as the Return-Path (SMTP Envelope Sender, MAIL FROM)). Of course, either reply should use less munging than was present in your SpamCop Reports

--
Best Regards,
Jeff G.
I have been a SpamCop User/Member/Customer since 1999 and am a Moderator of the new web-based forums (now the primary method for getting help, http://forum.spamcop.net). Please contact me via Forum only, as PMs and Emails may be posted, reported, and/or ridiculed.

From bar_n0ne at hotmail.com Tue Oct 11 12:21:46 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Tue Oct 11 03:25:09 2005
Subject: [SpamCop-List] Occasional wierdness in DNSstuff
Message-ID:

Occasionally I notice that the "DNS lookup" (Row 1 Column 3) in DNSStuff yields a different IP for a site than does the "Domain Info" (Row 5 Col 1), Any Ideas what that means?

From Nobody at SpamCop.net.dev.null Tue Oct 11 03:50:24 2005
From: Nobody at SpamCop.net.dev.null (Michael Brennan)
Date: Tue Oct 11 03:55:05 2005
Subject: [SpamCop-List] "Registrar-Lock"?
Message-ID: <434B6EC0.E5EE88F6@SpamCop.net.dev.null>

Chasing down a spamvertised webpage, I came across this return for a whois lookup:

Spampage: http://yotdgd2b.brave-123.net/savings.asp
_____________________________________________
whoisWhois: @whois.
Server Used: [ whois.crsnic.net ]
http://yotdgd2b.brave-123.net/savings.asp = [ ]
!!! whois.enom.com failed to respond
*** displaying Referrer's Records (whois.crsnic.net):

Whois Server Version 1.3

Domain names in the .com and .net domains can now be registered with many different competing registrars. Go to http://www.internic.net for detailed information.

Domain Name: BRAVE-123.NET
Registrar: ENOM INC.
Whois Server: whois.enom.com
Referral URL: http://www.enom.com
Name Server: NS1.HELLO-123.NET
Name Server: NS2.HELLO-123.NET
Status: REGISTRAR-LOCK
Updated Date: 10-oct-2005
Creation Date: 06-oct-2005
Expiration Date: 06-oct-2006

>>> Last update of whois database: Mon 10 Oct 2005 14: 13: 15 EDT <<<

What does the term "REGISTRAR-LOCK" mean, and what does this record indicate?
Ref: Tracking URL of the spam report involved
http://www.spamcop.net/sc?id=z814033557z796cf92c6e38f0cfdfcaeadc09a3763bz

Cordial TIA,
Michael

From bar_n0ne at hotmail.com Tue Oct 11 13:14:46 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Tue Oct 11 04:15:05 2005
Subject: [SpamCop-List] Re: 66.218.64.0 - 66.218.95.255:network-abuse@cc.yahoo-inc.com
References: <43456728.12D5@xyzzy.claranet.de> <43495DE9.60F4@xyzzy.claranet.de> <434AF25B.7125@xyzzy.claranet.de> <434B4566.49E9@xyzzy.claranet.de>
Message-ID:

"Berny" wrote in message news:difikk$9vt$1@news.spamcop.net...
>
> "Frank Ellermann" wrote in message
> news:434B4566.49E9@xyzzy.claranet.de...
> > Berny wrote:
>
> SNIP
>
> Further, if one looks at the number of web pages listed there, the amount of
> duplication, and, considers the report volume (from daily stats) there is no
> way (IMHO) that that list can represent more than a tiny fraction of the
> spamvertized sites resolved and LARTED, even if we allow for most reports to
> be "Quick" and for few sites being parsed.

Here's my back of the envelope calculation:

5 spam/s per http://www.spamcop.net/spamgraph.shtml?spamstats
5*60*30 = 9000 spams reported per 1/2 hour
suppose 1 in 5 have at least 1 parsed link, then we have
9000/5 = 1800 links reported

on a typical day I see about 50 issues on the referenced page;
http://www.spamcop.net/w3m?action=inprogress;type=www

Supposing that each one is from a unique spam turdlet, then, at least 1800 - 50 = 1750 of the 1800 reports sent must have been "quick" reports.

That ratio seems too high to me, maybe someone else can comment on the ratio of "quick" versus "full" reports.

Now, I'm actually being generous I think, because usually there are 2 or more issues listed per turdlet, (for the same host in most cases) the link and the "unsub". Also my link parsing ratio is better than 1 in 5, others may be different of course.
(this ratio includes spam without links as well as spam where the link didn't parse)

From Nobody at SpamCop.net.dev.null Tue Oct 11 04:24:22 2005
From: Nobody at SpamCop.net.dev.null (Michael Brennan)
Date: Tue Oct 11 04:25:03 2005
Subject: [SpamCop-List] Re: "Registrar-Lock"?
References: <434B6EC0.E5EE88F6@SpamCop.net.dev.null>
Message-ID: <434B76B6.2FA32F4B@SpamCop.net.dev.null>

Michael Brennan wrote:
>
> Chasing down a spamvertised webpage, I came across this return for a
> whois lookup:
>
> Spampage: http://yotdgd2b.brave-123.net/savings.asp
>
> What does the term "REGISTRAR-LOCK" mean, and what does this record
> indicate?
>
> Ref: Tracking URL of the spam report involved
> http://www.spamcop.net/sc?id=z814033557z796cf92c6e38f0cfdfcaeadc09a3763bz
>
> Cordial TIA,
> Michael

Further to my last, parsing another mortgage-application phish with a spamvertised page on the same domain, I did a DNS lookup on SamSpade.org and got this result:

Server Used: [ whois.crsnic.net ]

klqx2.brave-123.net -- Domain not found.

Does that mean that someone took down brave-123.net?

Michael

From nobody at nowhere.invalid Tue Oct 11 11:27:53 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Tue Oct 11 04:30:03 2005
Subject: [SpamCop-List] Re: Hats off to uk.easynet.net
References:
Message-ID:

On Mon, 10 Oct 2005 18:53:24 -0400, Sofa King Tyred of Lar Ting coughed into spamcop and left this in :

>> abuse@abuse:~$ whois -h whois.abuse.net onetel.net.uk
>
> [useful, but highly unfriendly to non technical users, stuff deleted]
>
> Thanks for using your linux system to give me info that I can not easily
> get with windows.

What's difficult about going to http://www.abuse.net/lookup.phtml and entering the domain you want to know about? You'll get the same info.

Although, in all honesty, their DB is down momentarily.

There are ways to find out information of this kind regardless of the O/S you use.
If you didn't know where to look for it, that's one thing, but you can't blame your inability to find it on a Linux/Windows incompatibility.

--
Steve

A group of cats is a "conceit". They'd like it to be called a "pride" but that would fool nobody.
-- Morely Dotes in NANAE, 2-FEB-2004

From redford_stone at INVERSE_OF_COLDmail.com Tue Oct 11 10:43:58 2005
From: redford_stone at INVERSE_OF_COLDmail.com (Redstone)
Date: Tue Oct 11 05:45:23 2005
Subject: [SpamCop-List] Re: Pump & Dump--why?
References: <290920050916518028%news@REMOVECAPSalanharper.com> <433C27AD.AE65876@spamcop.net>
Message-ID:

baloo@ursine.ca wrote in news:eh6813-7q3.ln1@ursine.ca:

>
> Well, this is a special case. Pump and dumps have been around almost
> as long as the stock market itself. The act itself is not legal and
> there have been movies (titles don't come to mind ATM) about people
> getting nailed for doing exactly that.
>

I wish the SEC was a bit more forthcoming about what do they do with these scams I forward them.

From redford_stone at INVERSE_OF_COLDmail.com Tue Oct 11 10:45:27 2005
From: redford_stone at INVERSE_OF_COLDmail.com (Redstone)
Date: Tue Oct 11 05:50:02 2005
Subject: [SpamCop-List] Re: kornets bit bucket, finally overflowed
References:
Message-ID:

"Geoffrey Hyde" wrote in news:di885u$esp$1@news.spamcop.net:

>
> I wonder how big their pockets are when it comes to buying up-to-date
> antivirus technology to keep the aforementioned trojan/virus from
> infecting their computer? I guess we'll find out all too soon.
>
>

You are assuming they actually buy it. :-)

From redford_stone at INVERSE_OF_COLDmail.com Tue Oct 11 10:47:14 2005
From: redford_stone at INVERSE_OF_COLDmail.com (Redstone)
Date: Tue Oct 11 05:50:14 2005
Subject: [SpamCop-List] Re: kornets bit bucket, finally overflowed
References:
Message-ID:

"Berny" wrote in news:di8e7o$hun$1@news.spamcop.net:

>
> No, they're probably stupid enough to host spammers for small money.
>
>

Now that would be funny.
:-)

I remember an article where Ralsky mentioned that the cost for hosting in China is quite high. (Basically buying "protection" to have them "look the other way.")

From redford_stone at INVERSE_OF_COLDmail.com Tue Oct 11 10:48:50 2005
From: redford_stone at INVERSE_OF_COLDmail.com (Redstone)
Date: Tue Oct 11 05:50:20 2005
Subject: [SpamCop-List] Re: kornets bit bucket, finally overflowed
References:
Message-ID:

"D.F. Manno" wrote in news:dfm2a3l0t2-88B05D.12373709102005@news.cesmail.net:

>
> The U.S. has no diplomatic relations with North Korea, thus there is
> no North Korean embassy in the U.S.
>

I don't think North Korea has any internet access. (Unless they access through some dedicated link through South Korea.)

From redford_stone at INVERSE_OF_COLDmail.com Tue Oct 11 10:51:28 2005
From: redford_stone at INVERSE_OF_COLDmail.com (Redstone)
Date: Tue Oct 11 05:55:04 2005
Subject: [SpamCop-List] Re: "Registrar-Lock"?
References: <434B6EC0.E5EE88F6@SpamCop.net.dev.null> <434B76B6.2FA32F4B@SpamCop.net.dev.null>
Message-ID:

Michael Brennan wrote in news:434B76B6.2FA32F4B@SpamCop.net.dev.null:

>
> Further to my last, parsing another mortgage-application phish with a
> spamvertised page on the same domain, I did a DNS lookup on
> SamSpade.org and got this result:
>
> Server Used: [ whois.crsnic.net ]
>
> klqx2.brave-123.net -- Domain not found.
>
>
> Does that mean that someone took down brave-123.net?
>
>
> Michael
>

Got the same spam today.

It could be either that they didn't pay off their "protection" money to the blackhat ISP. (Have a feeling that they are located in China.) or they shut down their DNS servers for some reason or another.

From redford_stone at INVERSE_OF_COLDmail.com Tue Oct 11 11:48:08 2005
From: redford_stone at INVERSE_OF_COLDmail.com (Redstone)
Date: Tue Oct 11 06:50:28 2005
Subject: [SpamCop-List] [MEDIA] Botnet taken down.
Message-ID:

"A huge network of 100,000 PCs was used to conduct a denial-of-service attack against an unidentified U.S.
company in an extortion attempt, and for many other nefarious deeds, according to Dutch police."

http://informationweek.com/story/showArticle.jhtml?articleID=171204550
(http://tinyurl.com/bp3k3)

http://news.zdnet.co.uk/0,39020330,39228020,00.htm
(http://tinyurl.com/c6nyk)

----

With all the spam reports we send ISPs, why does it take a major police effort to get them to actually do something about these zombies?

From redford_stone at INVERSE_OF_COLDmail.com Tue Oct 11 11:49:19 2005
From: redford_stone at INVERSE_OF_COLDmail.com (Redstone)
Date: Tue Oct 11 06:50:50 2005
Subject: [SpamCop-List] Re: www.Blackholes.US
References:
Message-ID:

baloo@ursine.ca wrote in news:uja813-v84.ln1@ursine.ca:

>
> That isn't surprising to me. All kinds of IPs came back as being
> owned by companies that haven't existed since the dot-com boom on
> OpenRBL...

You mean like Aegis? :-)

From nospam at dev.null Tue Oct 11 14:46:09 2005
From: nospam at dev.null (No Spam)
Date: Tue Oct 11 07:50:04 2005
Subject: [SpamCop-List] Re: Hats off to uk.easynet.net
In-Reply-To:
References:
Message-ID:

Sofa King Tyred of Lar Ting wrote:

..SNIP...
>
> My point was, if an ISP doesn't have an easily findable "abuse" email on
> their main web page, I don't consider them to be too responsible (or
> professional) these days. If it takes more than two clicks from the main
> page to find the abuse email, that's obfuscation and shirking, albeit
> unintentional (or ignorant).
>

Yahoo and Hotmail? And most free mail providers ?

> Phishers exploit that to the hilt - ever wonder why phish emails arrive
> most often on Sundays of long weekends? It's not because phishers have
> time on their hands, but likely because the competent technical staff
> aren't around to shut down the rogue sites... and that people tend to be
> at their home computers...

I have noticed this too.
From MikeE at ster.invalid Tue Oct 11 06:02:02 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Oct 11 08:05:03 2005
Subject: [SpamCop-List] Re: Occasional wierdness in DNSstuff
References:
Message-ID:

Berny wrote:
> occasionally I notice that the "DNS lookup" (Row 1 Column 3) in
> DNSStuff yields a different IP for a site than does the "Domain Info"
> (Row 5 Col 1), Any Ideas what that means?

I don't know what you are seeing re IP in the col1 row5 'domain info' section because I hadn't checked it out until your question, but that isn't a 'proper' tool to be using to get the dns IP resolution of a domainname.

That col1 row5 'domain info' tool is designed to feed the query into a section of http://www.whois.sc/ - which has better domainname registrar whois lookup facilities [plus extras] than does the one at dnsstuff col1 row3 'whois lookup'

The col3 row1 'dns lookup' tool in its default configuration is a proper tool for determining an A record for a domainname. It can also do alternatives to the A record.

When I tinkered with a couple of examples at www.whois.sc - namely dnjzrbgliy.aimcup.info from a recent spam and www.dnsstuff.com - the whois.sc tool didn't give me the IP for the .info site, but it did give me much better information than dnsstuff's whois lookup tool.

The whois.sc tool gave a surprising amount of information about the dnsstuff domainname and website and also gave its IP. That's an interesting tool/site, I may use it some more now that I know about it.

--
Mike Easter
kibitzer, not SC admin

From nospam at dev.null Tue Oct 11 15:13:14 2005
From: nospam at dev.null (No Spam)
Date: Tue Oct 11 08:15:04 2005
Subject: [SpamCop-List] Re: Hats off to uk.easynet.net
In-Reply-To:
References:
Message-ID:

Steven Maesslein wrote:
>
> What's difficult about going to http://www.abuse.net/lookup.phtml and
> entering the domain you want to know about? You'll get the same info.
>

Nope:

$ whois -h whois.abuse.net yahoo.com
abuse@yahoo.com (for yahoo.com)

> Although, in all honesty, their DB is down momentarily.

Back up and also says abuse@yahoo.com

>
> There are ways to find out information of this kind regardless of the
> O/S you use. If you didn't know where to look for it, that's one thing,
> but you can't blame your inability to find it on a Linux/Windows
> incompatibility.
>

Fact is the abuse@yahoo.com will retry, keep on hitting their "abuse" filters, recognising 419 complaints etc till it times out after something like 5 days.

Now digging about on their site with a lot of effort, you dig up: Yahoo Mail abuse

Also listed at RFCI
http://www.rfc-ignorant.com/tools/detail.php?domain=yahoo.com&submitted=1123294881&table=abuse

It is extremely frustrating to write mails to get them bounced, then back to the sending service provider's web, dig dig and waste a lot of time trying to protect others and also protect your own.

In this day and age and known issues surrounding mail abuse, any responsible service provider, especially free ones, will have an easily accessible abuse link and address.

The web abuse forms are also not practical in as far as mail and http use different protocols and may be subject to different firewall rules, especially in a corporate environment. Mail will work with no internet access.

Also of note is that "special" secret abuse addresses get given to certain parties. While this in itself is not all bad, it does reflect on the abuse address provider and raises questions. There is in fact a discussion that is just about finished on SURBL re spamcops special address for geocities. Figure...

There is absolutely no doubt in my mind that certain service providers deliberately make reporting as difficult as possible. Maybe that is their idea on reducing abuse reports.
E

From bar_n0ne at hotmail.com Tue Oct 11 17:14:15 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Tue Oct 11 08:15:15 2005
Subject: [SpamCop-List] Re: Occasional wierdness in DNSstuff
References:
Message-ID:

"Mike Easter" wrote in message news:dig9jq$m89$1@news.spamcop.net...
> Berny wrote:
> > occasionally I notice that the "DNS lookup" (Row 1 Column 3) in
> > DNSStuff yields a different IP for a site than does the "Domain Info"
> > (Row 5 Col 1), Any Ideas what that means?
>
> I don't know what you are seeing re IP in the col1 row5 'domain info'
> section because I hadn't checked it out until your question, but that
> isn't a 'proper' tool to be using to get the dns IP resolution of a
> domainname.
>
> That col1 row5 'domain info' tool is designed to feed the query into a
> section of http://www.whois.sc/ - which has better domainname registrar
> whois lookup facilities [plus extras] than does the one at dnsstuff col1
> row3 'whois lookup'
>
> The col3 row1 'dns lookup' tool in its default configuration is a proper
> tool for determining an A record for a domainname. It can also do
> alternatives to the A record.
>
> When I tinkered with a couple of examples at www.whois.sc - namely
> dnjzrbgliy.aimcup.info from a recent spam and www.dnsstuff.com - the
> whois.sc tool didn't give me the IP for the .info site, but it did give
> me much better information than dnsstuff's whois lookup tool.
>
> The whois.sc tool gave a surprising amount of information about the
> dnsstuff domainname and website and also gave its IP. That's an
> interesting tool/site, I may use it some more now that I know about it.
>
>
>
> --
> Mike Easter
> kibitzer, not SC admin

This link is an example of what I'm talking about
http://zsd.loppylinks.com/extra/angelsweet3

I fed DNSStuff loppylinks.com in both places , that Whois tool resolves to an IP in Internap space, is it maybe blowing through a redirect from hanaro?

From MikeE at ster.invalid Tue Oct 11 06:27:26 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Oct 11 08:30:02 2005
Subject: [SpamCop-List] Re: "Registrar-Lock"?
References: <434B6EC0.E5EE88F6@SpamCop.net.dev.null>
Message-ID:

Michael Brennan wrote:
> Chasing down a spamvertised webpage, I came across this return for a
> whois lookup:
>
> Spampage: http://yotdgd2b.brave-123.net/savings.asp

Your information for brave-123.net is different from mine.

> Domain Name: BRAVE-123.NET
> Registrar: ENOM INC.
> Whois Server: whois.enom.com
> Referral URL: http://www.enom.com
> Name Server: NS1.HELLO-123.NET
> Name Server: NS2.HELLO-123.NET
> Status: REGISTRAR-LOCK
> Updated Date: 10-oct-2005
> Creation Date: 06-oct-2005
> Expiration Date: 06-oct-2006
>>> Last update of whois database:
> Mon 10 Oct 2005 14:13:15 EDT <<<

I'm not getting that.

enom, crsnic, and internic give me nothing

dnsstuff gives me different information than you have and sez it is at namecheap.com which gives me nothing except to say that the name is available.

Registration Service Provided By: NameCheap.com
Contact: *******@NameCheap.com
Visit: http://www.namecheap.com/

Domain name: brave-123.net

Registrant Contact:
NB
nicholas brown **************@netscape.net)
+1.2062020838
Fax: +1.5555555555
1201 N NORTHLAKE WAY
Seattle, WA 98103
US

Administrative Contact:
NB
nicholas brown **************@netscape.net)
+1.2062020838
Fax: +1.5555555555
1201 N NORTHLAKE WAY
Seattle, WA 98103
US

Technical Contact:
NB
nicholas brown **************@netscape.net)
+1.2062020838
Fax: +1.5555555555
1201 N NORTHLAKE WAY
Seattle, WA 98103
US

Billing Contact:
NB
nicholas brown **************@netscape.net)
+1.2062020838
Fax: +1.5555555555
1201 N NORTHLAKE WAY
Seattle, WA 98103
US

Status: Locked

Name Servers:
ns1.hulk-123.com
ns2.hulk-123.com

Creation date: 06 Oct 2005 09:49:32
Expiration date: 06 Oct 2006 09:49:32

but the information at dnsstuff also said this "Using 1 day old cached answer (or, you can get fresh results)." and then the link for the fresh results gave me nothing

Very puzzling about the discrepancy at namecheap. My guess is that the one day old information is the most accurate, but maybe not.

> What does the term "REGISTRAR-LOCK" mean, and what does this record
> indicate?

It just means that the information can't be changed or the domainname moved without the registrant getting the registrar to 'unlock' the registration. Which is basically the way it is supposed to be.

--
Mike Easter
kibitzer, not SC admin

From nospam at dev.null Tue Oct 11 15:31:33 2005
From: nospam at dev.null (No Spam)
Date: Tue Oct 11 08:35:03 2005
Subject: [SpamCop-List] Re: Whitehats That Refuse Munged Reports?
In-Reply-To:
References: <434500D6.87C4F68C@SpamCop.net.dev.null>
Message-ID:

Anthony Edwards wrote:
> I am curious as to why. Putting my non-work end user hat on, I have
> never sent a munged report (via SpamCop, or manually) and never will.
>

Dangerous ....

> I make complaints, and am happy to provide Unsolicited Bulk Email
> examples in full, complete and unedited, and to stand by them.
>
> What does one gain by sending munged reports, given that it is almost
> universally accepted that munged reports are of less use to abuse
> desks tasked with enforcing their network's Acceptable Use Policy?
>

The answer is simple: Practical experience.

I have tried this in the early days. After a certain report to Brazil I got bounces to mail I never sent. My ISP queried me and I had to send him some evidence of the original mail that were attached in the bounces. Luckily they had a clue. The bounces were from worms, spam etc etc using my mail address. I closed the account.

Since then, unless I know the originating net to be above board, munged reports only, thank you.

So take a tip: Been there - seen it - done it - got the (prickly) badge.

Best of luck

Regards
E

From gordon at usenet2.hostroute.co.uk Tue Oct 11 14:37:36 2005
From: gordon at usenet2.hostroute.co.uk (Gordon Hudson)
Date: Tue Oct 11 08:40:03 2005
Subject: [SpamCop-List] Gmail seems to be regularly in bl.spamcop.net
Message-ID:

http://www.spamcop.net/bl.shtml?72.14.204.193

Look at the list of adjacent IP's also blacklisted.

This is interesting given that gmail is pretty much a manual sending system (one email at a time).
Does anyone know what sort of spam incidents they are having?
Maybe it is a hotmail type vulnerability?

Gordon

From MikeE at ster.invalid Tue Oct 11 06:46:21 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Oct 11 08:50:04 2005
Subject: [SpamCop-List] Re: "Registrar-Lock"?
References: <434B6EC0.E5EE88F6@SpamCop.net.dev.null> <434B76B6.2FA32F4B@SpamCop.net.dev.null>
Message-ID:

Michael Brennan wrote:
> Does that mean that someone took down brave-123.net?

Altho' the information about the domainname registration is 'erratic' the site http://yotdgd2b.brave-123.net/savings.asp resolves to 211.147.228.105 and a GET shows a payload there for The American Refinance Mortgage Specialist

211.147.228.105 is the .cn etrust which is spews and spamhaus listed about ROKSO Leo Kuvayev

spamhaus does a /31 for the 2 IPs 104 and 105, whereas spews shows all this:

1, 211.147.224.95, myvirtualusa.com
1, 211.147.224.0 - 211.147.255.255, myvirtualusa.com (World Crossing Telecom(GuangZhou) Ltd.)
1, 211.147.214.0 - 211.147.255.255, cnnic.net.cn (myvirtualusa.com (World Crossing Telecom(GuangZhou) Ltd.))

showing a progression which started with a single IP and marched up to become 42 class Cs or almost 11000 IPs

Apparently spews view of that GuangZhou business is somewhat different from the way I'm seeing the netblocks in the apnic registration. I think spews and spamhaus are considering everything which has a gzidc.com notify to be 'gzidc.com' [for spamhaus] or GuangZhou [for spews].

--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Tue Oct 11 09:49:13 2005
From: nobody at devnull.spamcop.net (Pop)
Date: Tue Oct 11 08:50:12 2005
Subject: [SpamCop-List] Re: Realtime stats of how efficient spam is
References:
Message-ID:

"Arne Bolen" wrote in message news:die7c8$i9k$1@news.spamcop.net...
: Yesterday a spammer started to send out a mail which looks like a
: confirmation of a subscription to a mailinglist. The mail has the following
: content:
:
: Hello!
: It has been requested that the following address:
: xxx@xxx.xxx
: should be added to the communism community mailing list.
: You have been successfully subscribed to our mail list.
: Thank you.
: To unsubscribe from our mail list, just follow this link:
: http://194.135.81.30/subs/unsub.php?email=xxx@xxx.xxx
: Click this link, or copy and paste the address into your browser.
:
: The email address is the address the mail is sent to. When clicking on the
: unsubscribe link you come to a simple page which informs you that " Your
: e-mail address was successfully deleted from our mailing list. "
:
: As an extra service the spammer has a webcounter on the confirmation page.
: This counter is actually very interesting, it shows the huge amount of
: people being fooled by this mail. The spammer must be very happy, on less
: than 2 days he has collected more than 61825 real mail addresses. The stats
: can be viewed at:
:
: http://www.webstats4u.com/s?tab=1&link=1&id=3744516
:
: The stats shows most visitors are from UK, Australia and New Zealand.
:
: I am amazed that so many people are clicking on an unsubscribe link without
: thinking. Maybe people dislike being subscribed to a "communism community
: mailing list" so much they stop using the brain.
:

Counters can be set to "start" counting at any number the implementer wishes; perhaps it started at 61824, you have no way of knowing.

From MikeE at ster.invalid Tue Oct 11 07:03:32 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Oct 11 09:05:04 2005
Subject: [SpamCop-List] Re: Occasional wierdness in DNSstuff
References:
Message-ID:

Berny wrote:
> "Mike Easter"
>> Berny wrote:
>>> occasionally I notice that the "DNS lookup" (Row 1 Column 3) in
>>> DNSStuff yields a different IP for a site than does the "Domain
>>> Info" (Row 5 Col 1), Any Ideas what that means?
>>
>> I don't know what you are seeing re IP in the col1 row5 'domain info'
>> section because I hadn't checked it out until your question, but that
>> isn't a 'proper' tool to be using to get the dns IP resolution of a
>> domainname.

> This link is an example of what I'm talking about
> http://zsd.loppylinks.com/extra/angelsweet3
>
> I fed DNSStuff loppylinks.com in both places , that Whois tool
> resolves to an IP in Internap space, is it maybe blowing through a
> redirect from hanaro?

Don't use the C1R5 domain info tool to get the IP.
The tool at whois.sc is very interesting, but it isn't the way to get an IP from a domainname.

That name is 222.233.52.48 -- I don't know where the whois.sc got 64.74.96.243

http://zsd.loppylinks.com/extra/angelsweet3 redirects to http://www.loppylinks.com/extra/angelsweet3/ which is still 222.233.52.48

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Tue Oct 11 07:10:39 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Oct 11 09:15:03 2005
Subject: [SpamCop-List] Re: Gmail seems to be regularly in bl.spamcop.net
References:
Message-ID:

Gordon Hudson wrote:
> http://www.spamcop.net/bl.shtml?72.14.204.193
>
> Look at the list of adjacent IP's also blacklisted.
>
> This is interesting given that gmail is pretty much a manual sending
> system (one email at a time).

Gmail is both a webmailer and a pop/smtp functioning server.

> Does anyone know what sort of spam incidents they are having?

I only know that in webmail function, the item will only parse back as far as the server because the webmailer doesn't show the sender's IP

In smtp mode, the sending IP is seen 'behind' the gmail server

> Maybe it is a hotmail type vulnerability?

Ellen has commented that SC is working with gmail about how their servers are configured and how they are getting themselves blocklisted.

--
Mike Easter
kibitzer, not SC admin

From nobody at spamcop.net Tue Oct 11 09:02:41 2005
From: nobody at spamcop.net (N. Miller)
Date: Tue Oct 11 11:05:13 2005
Subject: [SpamCop-List] Re: Gmail seems to be regularly in bl.spamcop.net
References:
Message-ID:

On Tue, 11 Oct 2005 13:37:36 +0100, Gordon Hudson wrote:

> http://www.spamcop.net/bl.shtml?72.14.204.193
>
> Look at the list of adjacent IP's also blacklisted.
>
> This is interesting given that gmail is pretty much a manual sending system
> (one email at a time).
> Does anyone know what sort of spam incidents they are having?
> Maybe it is a hotmail type vulnerability?

Not quite.
Apparently, it has something to do with being unable to trace email past the GMail injection point when email was sent using the web mail interface. Since the SpamCop parser can't trace the source past the GMail output server, it will list the GMail output server as the source.

--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint

From kenbrody at spamcop.net Tue Oct 11 12:10:26 2005
From: kenbrody at spamcop.net (Kenneth Brody)
Date: Tue Oct 11 11:40:28 2005
Subject: [SpamCop-List] Re: "Registrar-Lock"?
References: <434B6EC0.E5EE88F6@SpamCop.net.dev.null>
Message-ID: <434BD5E2.E211E808@spamcop.net>

Michael Brennan wrote:
>
> Chasing down a spamvertised webpage, I came across this return for a
> whois lookup:
>
> Spampage: http://yotdgd2b.brave-123.net/savings.asp
> _____________________________________________
>
> whoisWhois:
[...]
> Status: REGISTRAR-LOCK
[...]
> What does the term "REGISTRAR-LOCK" mean, and what does this record
> indicate?
[...]

See for a good description.

--
+-------------------------+--------------------+-----------------------------+
| Kenneth J. Brody        | www.hvcomputer.com |                             |
| kenbrody/at\spamcop.net | www.fptech.com     | #include                    |
+-------------------------+--------------------+-----------------------------+
Don't e-mail me at:

From kenbrody at spamcop.net Tue Oct 11 12:12:27 2005
From: kenbrody at spamcop.net (Kenneth Brody)
Date: Tue Oct 11 11:40:48 2005
Subject: [SpamCop-List] Re: Gmail seems to be regularly in bl.spamcop.net
References:
Message-ID: <434BD65B.D343B693@spamcop.net>

"N. Miller" wrote:
>
> On Tue, 11 Oct 2005 13:37:36 +0100, Gordon Hudson wrote:
>
> > http://www.spamcop.net/bl.shtml?72.14.204.193
> >
> > Look at the list of adjacent IP's also blacklisted.
> >
> > This is interesting given that gmail is pretty much a manual sending system
> > (one email at a time).
> > Does anyone know what sort of spam incidents they are having?
> > Maybe it is a hotmail type vulnerability?
>
> Not quite. Apparently, it has something to do with being unable to trace
> email past the GMail injection point when email was sent using the web mail
> interface. Since the SpamCop parser can't trace the source past the GMail
> output server, it will list the GMail output server as the source.

As I recall, the problem isn't that SpamCop's parser can't trace the source, it's that GMail's servers don't include the source.

--
+-------------------------+--------------------+-----------------------------+
| Kenneth J. Brody        | www.hvcomputer.com |                             |
| kenbrody/at\spamcop.net | www.fptech.com     | #include                    |
+-------------------------+--------------------+-----------------------------+
Don't e-mail me at:

From 96q7vwa02 at sneakemail.com Tue Oct 11 08:53:25 2005
From: 96q7vwa02 at sneakemail.com (Fred K.)
Date: Tue Oct 11 12:00:02 2005
Subject: [SpamCop-List] Re: [MEDIA] Botnet taken down.
References:
Message-ID:

"Redstone" wrote in message news:Xns96EC26B4881D8tinlc@216.154.195.61...
>
> "A huge network of 100,000 PCs was used to conduct a denial-of-service
> attack against an unidentified U.S. company in an extortion attempt, and
> for many other nefarious deeds, according to Dutch police."

> With all the spam reports we send ISPs, why does it take a major police
> effort to get them to actually do something about these zombies?

The answer is simple: In the economics of the ISP business, it cost too much to use this data to mount clean-up operations.

On the other hand some ISPs make lots of $$$$$s allowing spam traffic intentionally.

Fred K.

From nobody at devnull.spamcop.net Tue Oct 11 12:43:16 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Tue Oct 11 12:45:04 2005
Subject: [SpamCop-List] Re: Gmail seems to be regularly in bl.spamcop.net
References:
Message-ID:

"Gordon Hudson" wrote in message news:digbmi$ntf$1@news.spamcop.net...
> http://www.spamcop.net/bl.shtml?72.14.204.193
>
> Look at the list of adjacent IP's also blacklisted.
>
> This is interesting given that gmail is pretty much a manual sending system
> (one email at a time).
> Does anyone know what sort of spam incidents they are having?
> Maybe it is a hotmail type vulnerability?

http://forum.spamcop.net/forums/index.php?showtopic=3973
includes some dialog with Google GMail support ... though nothing about actually fixing anything ...

From baloo at ursine.ca Tue Oct 11 10:42:13 2005
From: baloo at ursine.ca (baloo@ursine.ca)
Date: Tue Oct 11 13:10:05 2005
Subject: [SpamCop-List] Re: OT Re: How to Rattle This Guy's Cage?
References: <43427912.17EDB4B5@SpamCop.net.dev.null> <462oa8nyzhdz.dlg@news.spamcop.net> <4iii13-m4u.ln1@ursine.ca>
Message-ID: <5k6t13-jml.ln1@ursine.ca>

Berny wrote:
> Ummm... I'm from Vancouver, (on the West Coast and NOT in California) and
> while I can't say I never heard of him, I can say that I don't hear much of
> anything, and certainly nothing named after him.

Wow, you don't get out. Tom McCall fought for the US's first bottle bill, the cleanup of the Willamette River, fought to continue the prohibition of private ownership of ocean beach, and more or less made "Go fuck yourself" the state's official position towards California and Californians. And if you're truly in Vancouver, I'm shocked you could somehow miss Tom McCall Waterfront Park, which only runs for about a mile between Willamette Greenway and Bill Naito Parkway along the river in Portland.

> OTOH, I pretty much ignore Oregon and any doings by people there. In
> fact since their wonderful Tourism promotions of the '70s that
> pretty much said 'come and spend your money and then please fsck
> off', I've more or less avoided the place except to pass through or
> buy fuel in times of shortages. (No I don't go out of my way, but it
> was my small revenge to exacerbate shortages there instead of
> elsewhere.)

Not to mention cheaper since you don't pay the massive insurance overhead self-serve stations pay down here.

From baloo at ursine.ca Tue Oct 11 11:01:05 2005
From: baloo at ursine.ca (baloo@ursine.ca)
Date: Tue Oct 11 13:10:17 2005
Subject: [SpamCop-List] Re: "Registrar-Lock"?
References: <434B6EC0.E5EE88F6@SpamCop.net.dev.null>
Message-ID:

Michael Brennan wrote:
> What does the term "REGISTRAR-LOCK" mean, and what does this record
> indicate?

REGISTRAR-LOCK is the verisign-equivalent to every other registry's "CLIENT TRANSFER PROHIBITED". Typically, most registrars set the initial status to CLIENT TRANSFER PROHIBITED or REGISTRAR-LOCK, and the domain owner can unlock it from their account at their registrar when they want to register name servers or transfer the domain.

From kenbrody at spamcop.net Tue Oct 11 15:22:32 2005
From: kenbrody at spamcop.net (Kenneth Brody)
Date: Tue Oct 11 14:25:03 2005
Subject: [SpamCop-List] Disclaimer of the week?
Message-ID: <434C02E8.F42BD4FF@spamcop.net>

I just received spam with the following disclaimer at the top.

> (I take SPAM very seriously because I hate it as much as you
> do. If for some reason you wish to lose your competitive advantage
> in the real estate investment marketplace by no longer receiving
> these valuable messages packed with incredibly valuable tips,
> tricks and articles... Please! Go to the bottom of this email
> and opt out.)
>
> Sorry about the disclaimer, but it's a necessary evil in todays
> world.

Hey, just because the e-mail address this was addressed to was one I used in a real estate investment forum doesn't mean I want to receive _your_ e-mail about it.

--
+-------------------------+--------------------+-----------------------------+
| Kenneth J. Brody        | www.hvcomputer.com |                             |
| kenbrody/at\spamcop.net | www.fptech.com     | #include                    |
+-------------------------+--------------------+-----------------------------+
Don't e-mail me at:

From Kilgallen at SpamCop.net Tue Oct 11 15:18:29 2005
From: Kilgallen at SpamCop.net (Larry Kilgallen)
Date: Tue Oct 11 15:20:02 2005
Subject: [SpamCop-List] Re: "Registrar-Lock"?
References: <434B6EC0.E5EE88F6@SpamCop.net.dev.null>
Message-ID:

In article , baloo@ursine.ca writes:
> Michael Brennan wrote:
>> What does the term "REGISTRAR-LOCK" mean, and what does this record
>> indicate?
>
> REGISTRAR-LOCK is the verisign-equivalent to every other registry's
> "CLIENT TRANSFER PROHIBITED".

The interface that DomainDiscover gives me calls it "locking".

From gordon at usenet2.hostroute.co.uk Tue Oct 11 22:13:44 2005
From: gordon at usenet2.hostroute.co.uk (Gordon Hudson)
Date: Tue Oct 11 16:15:02 2005
Subject: [SpamCop-List] Re: Gmail seems to be regularly in bl.spamcop.net
References:
Message-ID:

"N. Miller" wrote in message news:cb7l2x2jcvbv.dlg@news.spamcop.net...
> On Tue, 11 Oct 2005 13:37:36 +0100, Gordon Hudson wrote:
>
> Not quite. Apparently, it has something to do with being unable to trace
> email past the GMail injection point when email was sent using the web
> mail
> interface. Since the SpamCop parser can't trace the source past the GMail
> output server, it will list the GMail output server as the source.

Surely gmail is the source though?

They should be stopping their users from spamming rather than passing the buck back onto the companies who provided their internet connection and who did not provide the mail service.
Or am I misunderstanding?

From gordon at usenet2.hostroute.co.uk Tue Oct 11 22:25:53 2005
From: gordon at usenet2.hostroute.co.uk (Gordon Hudson)
Date: Tue Oct 11 16:30:04 2005
Subject: [SpamCop-List] Re: Gmail seems to be regularly in bl.spamcop.net
References:
Message-ID:

"Gordon Hudson" wrote in message news:dih6dr$7ql$1@news.spamcop.net...
>
> "N. Miller" wrote in message
> news:cb7l2x2jcvbv.dlg@news.spamcop.net...
>> On Tue, 11 Oct 2005 13:37:36 +0100, Gordon Hudson wrote:
>>
>
>> Not quite. Apparently, it has something to do with being unable to trace
>> email past the GMail injection point when email was sent using the web
>> mail
>> interface. Since the SpamCop parser can't trace the source past the GMail
>> output server, it will list the GMail output server as the source.
>
> Surely gmail is the source though?
>
>

Actually reading through that forum discussion shows that they ARE the source.
If my customers used SMTP AUTH to send out spam WE would get the spamcop reports.
We would then stop the person who did it from using our service.
If the spamcop report went to the abuse address for the IP address of the persons internet connection I expect it would be ignored as they would see that the mail had come from our server.

Gmail should be stopping spammers using their servers, not expecting the buck to be passed to the company who provided their internet connection that allowed them to use gmail.

Maybe spamcop has changed the way it attributes blame, but for reports to the internet connection ISP it would need changes to the way abuse issues are handled by ISP's because the emphasis is currently on the originating mail server.

I did notice that we have had a few rogue reports caused by customers using our mail forwarding service, where the forwarding server IP got the report rather than the originating mail server.
The next time I see one I will forward it to the deputies to check out.
The problem with doing that is that the customer is ending up getting their own receiving account terminated as they have reported it as a spammer (if you see what I mean).

From nospam at dev.null Tue Oct 11 23:53:29 2005
From: nospam at dev.null (No Spam)
Date: Tue Oct 11 16:55:03 2005
Subject: [SpamCop-List] Re: Gmail seems to be regularly in bl.spamcop.net
In-Reply-To:
References:
Message-ID:

Gordon Hudson wrote:
> "N. Miller" wrote in message
> news:cb7l2x2jcvbv.dlg@news.spamcop.net...
>
>>On Tue, 11 Oct 2005 13:37:36 +0100, Gordon Hudson wrote:
>>
>
>
>>Not quite. Apparently, it has something to do with being unable to trace
>>email past the GMail injection point when email was sent using the web
>>mail
>>interface. Since the SpamCop parser can't trace the source past the GMail
>>output server, it will list the GMail output server as the source.
>
>
> Surely gmail is the source though?
>
> They should be stopping their users from spamming rather than passing the
> buck back onto the companies who provided their internet connection and who
> did not provide the mail service.
> Or am I misunderstanding?
>
>

I could not agree more!

This is also the situation with Hotmail etc. Hotmail gets no blame, but the poor internet shop / publicly available net access provider get the rap.

419'ers have also twigged to this. This is becoming common practice for them.

Here is an example:
http://www.spamcop.net/sc?id=z814631559z14b31fa2eabe38b3b0f6ecc2a00bf393z

Now try and get a gmail/hotmail account closed for this.

"Mail did not originate from us ....blah-de-blah"

Well, in that case, the mail did not originate at the internet connectivity provider either, it originated with a spammer ?????

The point is, the mail service provider should bear the can for this. This is where the definition of mail starts.

My five cents worth.

Cheers
E

From nospam at dev.null Wed Oct 12 00:41:21 2005
From: nospam at dev.null (No Spam)
Date: Tue Oct 11 17:45:03 2005
Subject: [SpamCop-List] namesdatabase.com
Message-ID:

Hi All

http://www.spamcop.net/sc?id=z814641177z033c5abfc29e1c082b38a96dd37d762bz

namesdatabase.com: What's this about - In reality that is? Harvesting?

The fact that it was sent to a "special treatment" e-mail address made me suspicious immediately (I have NO friends at the email address where this mail was received, plenty of Alan's, Leo's etc though)

Sorry for the severe munging - volatile mail address :-)

However, it would be brain dead to respond to something like this.

Cheers
E

From MikeE at ster.invalid Tue Oct 11 15:53:47 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Oct 11 17:55:02 2005
Subject: [SpamCop-List] Re: Gmail seems to be regularly in bl.spamcop.net
References:
Message-ID:

No Spam wrote:
> Gordon Hudson wrote:

>> Surely gmail is the source though?

Gmail should enforce against their users who spam.

>> They should be stopping their users from spamming rather than
>> passing the buck back onto the companies who provided their internet
>> connection and who did not provide the mail service.

Correct.

>> Or am I misunderstanding?

No misunderstanding. See the hotmail situation below.

> I could not agree more!
>
> This is also the situation with Hotmail etc. Hotmail gets no blame,
> but the poor internet shop / publicly available net access provider
> get the rap.

It is the configuration by design of SC to parse past the intermediate or relay servers to name as source the 'originating' IP. It is not the design or wish of SC to be naming output servers as the source IP.

> 419'ers have also twigged to this. This is becoming common practice
> for them.
>
> Here is an example:

www.spamcop.net/sc?id=z814631559z14b31fa2eabe38b3b0f6ecc2a00bf393z

Abbreviated Received lines *comment
from [64.4.31.28] (HELO hotmail.com) by cgp3.sentechsa.net
from mail pickup service by hotmail.com
from 216.139.164.163 by by13fd.bay13.hotmail.msn.com *sourceline

SC calls the panamsat in .za the source, not hotmail.

However, if you notify hotmail and microsoft and msn about that item, it is extremely likely that they will terminate the account which sent that, namely winner2005-08@hotmail.com

The reason you have to name all 3 is because each of those entities typically does not enforce for the other; msn won't terminate a hotmail account for an infraction, hotmail won't terminate a msn account, microsoft won't terminate a hotmail or msn account, etc. It isn't always 'apparent' which abuse desk should be notified, so one policy is to simply notify all 3.

64.4.31.28 rDNS bay13-f28.bay13.hotmail.com
The arin sez
OrgName: MS Hotmail
OrgAbuseEmail: abuse@microsoft.com
but abuse.net on the domainname sez
abuse@hotmail.com
but abuse.net on the domainname of the receiving server
by13fd.bay13.hotmail.msn.com sez

whois.abuse.net hotmail.msn.com ...
abuse@msn.com (for msn.com)

> Now try and get a gmail/hotmail account closed for this.
>
> "Mail did not originate from us ....blah-de-blah"

That's what you get from notifying hotmail instead of msn or vice versa if you notify 'wrong' according to the desk. When you notify the correct one, you typically get an 'account was terminated'. With gmail you don't get much of anything.

> Well, in that case, the mail did not originate at the internet
> connectivity provider either, it originated with a spammer ?????
>
> The point is, the mail service provider should bear the can for this.
> This is where the definition of mail starts.

Hotmail and msn will 'do it' - but they are picky about how they are notified. If you notify all 3, 2 of them will/may say it didn't come from them and one will/may say the account got terminated.

--
Mike Easter
kibitzer, not SC admin

From nospam at dev.null Wed Oct 12 01:17:38 2005
From: nospam at dev.null (No Spam)
Date: Tue Oct 11 18:20:03 2005
Subject: [SpamCop-List] Re: Gmail seems to be regularly in bl.spamcop.net
In-Reply-To:
References:
Message-ID:

Mike Easter wrote:
> No Spam wrote:
>

... snip ...

>
>>419'ers have also twigged to this. This is becoming common practice
>>for them.
>>
>>Here is an example:
>
> www.spamcop.net/sc?id=z814631559z14b31fa2eabe38b3b0f6ecc2a00bf393z
>
> Abbreviated Received lines *comment
> from [64.4.31.28] (HELO hotmail.com) by cgp3.sentechsa.net
> from mail pickup service by hotmail.com
> from 216.139.164.163 by by13fd.bay13.hotmail.msn.com *sourceline
>
> SC calls the panamsat in .za the source, not hotmail.

???

Sender relay: 216.139.164.163
Routing details for 216.139.164.163
[refresh/show] Cached whois for 216.139.164.163 : postmaster@panamsat.com
Using abuse net on postmaster@panamsat.com

Registrant:
PanAmSat Corporation
20 WESTPORT RD
WILTON, CT 06897-4522
US

Domain Name: PANAMSAT.COM

Administrative Contact, Technical Contact:
Mazzeo, Robert RMazzeo {AT} PanAmSat.com
PanAmSat
20 WESTPORT RD
WILTON, CT 06897
US
203-210-8372 fax: 203-210-8694

IP is not ZA?

sentechsa.net is ZA = the recipient mailbox = mine
(some of the good guys here too - 419legal etc, bad guys way north in .NG :-)

> However, if you notify hotmail and microsoft and msn about that item, it
> is extremely likely that they will terminate the account which sent
> that, namely winner2005-08@hotmail.com
>

Mail has gone out to abuse@hotmail .com re winner2005-08@hotmail.com , will see ...

> The reason you have to name all 3 is because each of those entities
> typically does not enforce for the other; msn won't terminate a hotmail
> account for an infraction, hotmail won't terminate a msn account,
> microsoft won't terminate a hotmail or msn account, etc. It isn't
> always 'apparent' which abuse desk should be notified, so one policy is
> to simply notify all 3.

Point taken - good tip. Thx. Never thought of that...

>
> 64.4.31.28 rDNS bay13-f28.bay13.hotmail.com
> The arin sez
> OrgName: MS Hotmail
> OrgAbuseEmail: abuse@microsoft.com
> but abuse.net on the domainname sez
> abuse@hotmail.com
> but abuse.net on the domainname of the receiving server
> by13fd.bay13.hotmail.msn.com sez
>
> whois.abuse.net hotmail.msn.com ...
> abuse@msn.com (for msn.com)
>
>
>>Now try and get a gmail/hotmail account closed for this.
>>
>>"Mail did not originate from us ....blah-de-blah"
>
>
> That's what you get from notifying hotmail instead of msn or vice versa
> if you notify 'wrong' according to the desk. When you notify the
> correct one, you typically get an 'account was terminated'. With gmail
> you don't get much of anything.
>

As regards gmail: I have noticed same. Now unless 1 + 1 != 2 ..
The subject thread started off as "Gmail seems to be regularly in bl.spamcop.net" ???? What's hatched in the nest ??

>
>>Well, in that case, the mail did not originate at the internet
>>connectivity provider either, it originated with a spammer ?????
>>
>>The point is, the mail service provider should bear the can for this.
>>This is where the definition of mail starts.
>
>
> Hotmail and msn will 'do it' - but they are picky about how they are
> notified. If you notify all 3, 2 of them will/may say it didn't come
> from them and one will/may say the account got terminated.
>
>

Seen that, "lads" with personalized msn domain , mail via hotmail etc etc. Took a weeks worth of mails :-(

Thx

Cheers
E

From MikeE at ster.invalid Tue Oct 11 16:23:47 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Oct 11 18:25:03 2005
Subject: [SpamCop-List] Re: namesdatabase.com
References:
Message-ID:

No Spam wrote:

www.spamcop.net/sc?id=z814641177z033c5abfc29e1c082b38a96dd37d762bz
>
> namesdatabase.com: What's this about - In reality that is? Harvesting?

My primary position is that people mostly shouldn't be reading their spam and that they mostly shouldn't be believing their spam and that they mostly shouldn't be clicking on spam links.

That being sed, if you want to learn what namesdatabase is all about without clicking on any links you found in a spam, you can go read it here http://namesdatabase.com/explanation.htm?c= "This page contains an extended explanation of the services provided by The Names Database at NamesDatabase.com. "

> The fact that it was sent to a "special treatment" e-mail address made
> me suspicious immediately (I have NO friends at the email address
> where this mail was received, plenty of Alan's, Leo's etc though)
>
> Sorry for the severe munging - volatile mail address :-)
>
> However, it would be brain dead to respond to something like this.

It isn't possible for me to comment on the meaning of this part of the spambody in your tracker:

XXXXX@yahoo.com (XXXXXXX) initiated this to XXXXXXX at 10-04-2005 10:14 on namesdatabase.com from the IP address A.B.C.D.

When I get a greeting card or a joke initiated by one of my 'friends' who might also be inclined to include me in their social spam and to spread my address around with scores of other addresses plastered into a social spam To or CC instead of the BCC, the greeting card typically gives me the kind of information above, or at least an email address and a name.

But only /you/ can tell if your addy was fed into the system by a friend or not because I don't know what was in that X mungeing.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Tue Oct 11 16:41:24 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Oct 11 18:45:04 2005
Subject: [SpamCop-List] Re: Gmail seems to be regularly in bl.spamcop.net
References:
Message-ID:

No Spam wrote:
> Mike Easter wrote:

>> from 216.139.164.163 by by13fd.bay13.hotmail.msn.com *sourceline
>>
>> SC calls the panamsat in .za the source, not hotmail.
>
>
> ???
> Sender relay: 216.139.164.163

I misspoke a little bit, but not very much. I should have said

SC calls the 216.139.164.163 no rDNS in .za the source, not hotmail.

Here's the structure:

whois -h whois.arin.net 216.139.164.163 ...
Pan Am Sat 216.139.160.0 - 216.139.191.255
TechEmail: bsg@panamsat.com
Qkon QKON30 216.139.164.160 - 216.139.164.175
TechEmail: wbotha@qkon.com

panamsat's arin geographical addy is in GA, US

OrgName: Pan Am Sat
OrgID: PNAM
Address: 2857 Fork Creek Church Road
City: Ellenwood
StateProv: GA

whereas qkon's arin geographic addy is in Pretoria, ZA

OrgName: Qkon
OrgID: QKON
Address: No 8 Pieter Street Highveld Technopark
City: Pretoria
Country: ZA

When I have a parent/child relationship like qkon/panamsat, I prefer to
notify the child about spamsource, unless something about the
responsiveness or the accessibility of abuse addresses causes me to
notify both the parent and the child.

In this case, the /24 is listed in spamhaus, so that is a good reason to
notify the parent, or even the parent's upstream, since panamsat has 14
different listings in spamhaus, ranging from single IPs to a /23 as well
as /24s.

> IP is not ZA?

Yes, the IP is Qkon which is in .za. If you like domainname
registrations, not only is the arin geography in .za, but so is the
netsol registration.

> sentechsa.net is ZA = the recipient mailbox = mine
> (some of the good guys here too - 419legal etc, bad guys way north in
> .NG :-)

I didn't even look at sentechsa.

>> However, if you notify hotmail and microsoft and msn about that
>> item, it is extremely likely that they will terminate the account
>> which sent that, namely winner2005-08@hotmail.com
>>
>
> Mail has gone out to abuse@hotmail .com re winner2005-08@hotmail.com
> , will see ...

I'm not sure that hotmail is the right one. Maybe.

> As regards gmail: I have noticed same. Now unless 1 + 1 != 2 ..
> The subject thread started off as "Gmail seems to be regularly in
> bl.spamcop.net" ???? What's hatched in the nest ??
Gmail is regularly in SC whereas hotmail is less likely because of the
gmail header stamp decisions by gmail.

--
Mike Easter
kibitzer, not SC admin

From nospam at dev.null Wed Oct 12 02:18:18 2005
From: nospam at dev.null (No Spam)
Date: Tue Oct 11 19:20:37 2005
Subject: [SpamCop-List] Re: namesdatabase.com
In-Reply-To:
References:
Message-ID:

Mike Easter wrote:
> No Spam wrote:
> www.spamcop.net/sc?id=z814641177z033c5abfc29e1c082b38a96dd37d762bz
>
>>namesdatabase.com: What's this about - In reality that is? Harvesting?
>
>
> My primary position is that people mostly shouldn't be reading their
> spam and that they mostly shouldn't be believing their spam and that
> they mostly shouldn't be clicking on spam links.
>

No wayz I gonna click anywhere near it with the embedded links in M$ :-)
My Solaris box is nearly rebuilt. Then a bit of fancy footwork and ...

> That being sed, if you want to learn what namesdatabase is all about
> without clicking on any links you found in a spam, you can go read it
> here http://namesdatabase.com/explanation.htm?c= "This page contains an
> extended explanation of the services provided by The Names Database at
> NamesDatabase.com. "
>

Sure, the "official" story. But what scams?
Sorry, did not explain that very well. There is something more than
meets the eye here...

>
>>The fact that it was sent to a "special treatment" e-mail address made
>>me suspicious immediately (I have NO friends at the email address
>>where this mail was received, plenty of Alan's, Leo's etc though)
>>
>>Sorry for the severe munging - volatile mail address :-)
>>
>>However, it would be brain dead to respond to something like this.
>
>
> It isn't possible for me to comment on the meaning of this part of the
> spambody in your tracker:
>
> XXXXX@yahoo.com (XXXXXXX) initiated this to XXXXXXX at 10-04-2005 10:14
> on namesdatabase.com from the IP address A.B.C.D.
>
>
> When I get a greeting card or a joke initiated by one of my 'friends'
> who might also be inclined to include me in their social spam and to
> spread my address around with scores of other addresses plastered into a
> social spam To or CC instead of the BCC, the greeting card typically
> gives me the kind of information above, or at least an email address and
> a name.
>
> But only /you/ can tell if your addy was fed into the system by a friend
> or not because I don't know what was in that X mungeing.
>

Like I said, I have no "friends" at this mail address. Plenty of parties
with axes to grind though due to lost sites, mail addresses being pulled
etc - the "fighting" address for reporting abuse. (As such the "Uber"
thing ;-)

And no, I definitely do not know the party it came from. Somebody in the
UK. As such, my suspicion that something is "lurking" here, a scam of
sorts.

I found a thread re this "facility" on surbl.org about a year ago,
potential abuses etc. Decision was to whitelist based on legit uses.
Spamhaus yields zip. Ditto BL's.

Plenty of "noise" on Google re this site
Most interesting is http://castlecops.com/postp601462.html
Plenty of reports of parties purported to send that didn't.

I hoped somebody knew the game plan. Appears to be a site for collecting
addresses for ?spamming?

As Monty Python the wise said: "This is my theory and my theory alone ".
Or is it...?

Cheers
E

From g.hyde at bigpond.net.au Wed Oct 12 10:19:21 2005
From: g.hyde at bigpond.net.au (Geoffrey Hyde)
Date: Tue Oct 11 19:30:03 2005
Subject: [SpamCop-List] Re: [MEDIA] Botnet taken down.
References:
Message-ID:

"Redstone" wrote in message
news:Xns96EC26B4881D8tinlc@216.154.195.61...

[snip]

> With all the spam reports we send ISPs, why does it take a major police
> effort to get them to actually do something about these zombies?
With all the stuff clogging the US authorities at least, how on earth do you expect them to make a case for going after these trojaned PC's and shutting the flow off where the problem is? After seeing how badly the intelligence agencies responded to obvious information regarding the 9/11 hijackings, I fail to see how they're ever going to get rid of zombified computers and the people installing trojans/hacks/adware/spyware on them. It would take a major internet collapse for the governments of the countries concerned to force the action to be taken, and you can rest assured those taking the action would be acting slowly and like someone trying to find a black cat in a pitch-black room in the middle of the night on a moonless night without a torch. -- Cheers ... Geoffrey Hyde From g.hyde at bigpond.net.au Wed Oct 12 10:25:28 2005 From: g.hyde at bigpond.net.au (Geoffrey Hyde) Date: Tue Oct 11 19:30:15 2005 Subject: [SpamCop-List] Something fishy about this report, but I don't quite know what ... Message-ID: http://www.spamcop.net/sc?id=z814661517z3a48d51c5355a1846ef363591ae773a4z I can't seem to place my finger on the problem with this report, optusnet apparently is letting spam through somehow, but I don't see why spamcop reported who it did. Did the SC parser fail or am I seeing faked header information? Or am I totally off-base here? Ever since seeing the email I'm not sure if the report addresses are correct. Can someone see if this really should have been reported to where SC had me send the reports to? Also, why did SC give this message: ISP does not wish to receive reports regarding http://www.cnn.com/2000/us/02/01/alaska.airlines.list/ - no date available about the link it found in the body of the text? Is this spammer trying something fishy? -- Cheers ... 
Geoffrey Hyde From nobody at xyzzy.claranet.de Wed Oct 12 02:24:39 2005 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Tue Oct 11 19:30:20 2005 Subject: [SpamCop-List] Re: 66.218.64.0 - 66.218.95.255:network-abuse@cc.yahoo-inc.com References: <43456728.12D5@xyzzy.claranet.de> <43495DE9.60F4@xyzzy.claranet.de> <434AF25B.7125@xyzzy.claranet.de> <434B4566.49E9@xyzzy.claranet.de> Message-ID: <434C49B7.7EA8@xyzzy.claranet.de> Berny wrote: > 5*60*30 = 9000 spams reported per 1/2 hour > suppose 1 in 5 have at least 1 parsed link, then we have > 9000/5 = 1800 links reported Yes, there are obviously less URLs on the stats page. > at least 1800 - 50 = 1750 of the 1800 reports sent must have > been "quick" reports. That ratio seems too high to me, maybe > someone else can comment on the ratio of "quick" versus > "full" reports. The ratio could be plausible for my "normal" procedure (= not yet in this geocities + Re:[n] campaign), but I guess that most users stay away from quick reporting, because it's dangerous and less effective. I've just tested it with some more "old" Re:[n] spams, the "Leo meets Godaddy"-series: skittery.com nihilisms.net hulaing.com sauntered.net nettling.net refashion.net zardosht.net pressers.net satirised.com ionising.net loudening.com vocally.net mincingly.com obeisances.net jacquiot.com hosannaing.com neutralise.net seacycles.net nullifying.net supineness.net slaveries.net That didn't show up on the "spamvertized" URLs page. I've disabled the abuse@godaddy (because the 21 domains are already down) in most cases, so maybe that would be never shown, but I kept it intentionally in one case, and that URL also didn't make it on the stats page. So for "old" spam your theory is apparently correct. I'll test it again for "fresh" spam (less than three hours old). 
If the limit is 30 minutes many users would have no chance to "vote" for any spamvertized URL wrt SC.SURBL.org Or in other words I could stop all "manual" SC reports because they have absolutely no effect (except from wasting my time). Bye, Frank From nospam at dev.null Wed Oct 12 02:27:05 2005 From: nospam at dev.null (No Spam) Date: Tue Oct 11 19:30:25 2005 Subject: [SpamCop-List] Re: Gmail seems to be regularly in bl.spamcop.net In-Reply-To: References: Message-ID: Mike Easter wrote: > No Spam wrote: > >>Mike Easter wrote: > > >>> from 216.139.164.163 by by13fd.bay13.hotmail.msn.com *sourceline >>> >>>SC calls the panamsat in .za the source, not hotmail. >> >> >>??? >>Sender relay: 216.139.164.163 > > > I misspoke a little bit, but not very much. I should have said > > SC calls the 216.139.164.163 no rDNS in .za the source, not hotmail. > > Here's the structure: > > whois -h whois.arin.net 216.139.164.163 ... > Pan Am Sat 216.139.160.0 - 216.139.191.255 > TechEmail: bsg@panamsat.com > Qkon QKON30 216.139.164.160 - 216.139.164.175 > TechEmail: wbotha@qkon.com > > panamsat's arin geographical addy is in GA, US > > OrgName: Pan Am Sat > OrgID: PNAM > Address: 2857 Fork Creek Church Road > City: Ellenwood > StateProv: GA > > whereas qkon's arin geographic addy is in Pretoria, ZA > > OrgName: Qkon > OrgID: QKON > Address: No 8 Pieter Street Highveld Technopark > City: Pretoria > Country: ZA > Yep, scheck, as per usual I was overhasty and you were right. In my backyard. Have some "actions" to take here ...THX!! > When I have a parent/child relationship like qkon/panamsat, I prefer to > notify the child about spamsource, unless something about the > responsiveness or the accessibility of abuse addresses causes me to > notify both the parent and the child. 
> > In this case, the /24 is listed in spamhaus, so that is a good reason to > notify the parent, or even the parent's upstream, since panamsat has 14 > different listings in spamhaus, ranging from single IPs to a /23 as well > as /24s. > > >>IP is not ZA? > > > Yes, the IP is Qkon which is in .za. If you like domainname > registrations, not only is the arin geography in .za, but so is the > netsol registration. > Agree - thx for the correction. > >>sentechsa.net is ZA = the recipient mailbox = mine >>(some of the good guys here too - 419legal etc, bad guys way north in >>.NG :-) > > > I didn't even look at sentechsa. > > >>>However, if you notify hotmail and microsoft and msn about that >>>item, it is extremely likely that they will terminate the account >>>which sent that, namely winner2005-08@hotmail.com >>> >> >>Mail has gone out to abuse@hotmail .com re winner2005-08@hotmail.com >>, will see ... > > > I'm not sure that hotmail is the right one. Maybe. > Russian Roulette? Nearly by the sounds of it. > >>As regards gmail: I have noticed same. Now unless 1 + 1 != 2 .. >>The subject thread started off as "Gmail seems to be regularly in >>bl.spamcop.net" ???? What's hatched in the nest ?? > > > Gmail is regularly in SC whereas hotmail is less likely because of the > gmail header stamp decisions by gmail. 
> > Thx Keep well, 01H26 SAST Good ZZZZ's E From MikeE at ster.invalid Tue Oct 11 17:31:29 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue Oct 11 19:35:02 2005 Subject: [SpamCop-List] Re: namesdatabase.com References: Message-ID: Mike Easter wrote: > you can go read it > here http://namesdatabase.com/explanation.htm?c= Or, if you want to learn even more about namesdatabase, you can see how often spams from or about them are submitted to sightings, or you can read about them a little bit in nanae, or the most comprehensive description appears in a genealogy ng http://snipurl.com/iek1 snurled googlegroups to Newsgroups: soc.genealogy.computing Subject: Re: The Names Database Date: 8 Jun 2004 12:03:43 -0700 Message-ID: <2b379589.0406081103.7c29a65e@posting.google.com> .. which message describes the gig which is worked by Gabriel Weinberg, where he is trading the pay services of his namesdatabase gig for email addresses of people. The site itself describes how it sends repetitive unsolicited emails, which explains why there are so many sightings. You would think the source would be listed somewhere besides spamcannibal > But only /you/ can tell if your addy was fed into the system by a > friend or not because I don't know what was in that X mungeing. -- Mike Easter kibitzer, not SC admin From six.million at dollar.man Tue Oct 11 20:46:56 2005 From: six.million at dollar.man (dwåcôn) Date: Tue Oct 11 19:50:03 2005 Subject: [SpamCop-List] Blue Frog Message-ID: From: http://www.wired.com/wired/archive/13.10/posts.html?pg=4 "This is a message that spells out, 'I am a spammer,'" says Eran Reshef, his voice echoing in the receiver from half a world away. Reshef is the CEO of Blue Security, a startup he founded in Herzliya Pituach, Israel, and we're examining an email typical of a dozen I receive daily. The subject line contains an offer for bargain-basement "generic Viagra." I've long since burned through my animosity for spammers. 
I use the best filter I can find and delete the garbage that makes it through. I've learned the hard way that trying to opt out from junk email only attracts more of it. Reshef wants me to tap into my dormant rage and fight back. Don't worry, he tells me, you'll have a posse. He's organizing thousands of weary victims like me and leading us in a kind of distributed denial- of-service attack. It's a weapon normally employed by malicious hackers who use hijacked PCs to flood unsuspecting companies, but Reshef is out to cripple offensive bulk emailers. "That," he says, "is the only way to get their attention." Reshef doesn't use the incendiary DDoS moniker for his brand of spammer attack. He tells me he prefers "active deterrence" and walks me through a typical counterattack. I download his Blue Frog software - named after a cute-but-deadly poisonous frog found in South American rain forests - which creates an email account in my name and seeds it around the Web to attract unsolicited offers. The company's analysts sift through the messages and find, say, a Viagra spammer who's violating key provisions of the Can-Spam Act of 2003. They'll email the Viagra spammer in an attempt to opt out on behalf of Blue users and check the domain against block lists from antispam outfits like Spamhaus.org. "It's important that we play the game," Reshef says, "and give them a chance to say, 'No, this is a mistake, let's fix it.'" If rebuffed, Blue Security will send an automated script to my PC, or what it calls my frog, and hundreds of others. The script orders the frogs to visit the Viagra site, root around for the purchasing form, and use it to file a complaint. Users can submit offending emails to Blue Security, but otherwise the process is automatic. The net effect is an onslaught of data traffic that gums up the servers at this "pharmacy," bringing them to a standstill and forcing the operator to remove our email addresses from their list. 
Since the firm's launch in late July, Reshef has endured a firestorm of criticism for his brand of vigilantism. Some antispam groups condemn his tactic as unethical and possibly illegal. "It looks simultaneously naive and counterproductive," says John Levine, a board member at the Coalition Against Unsolicited Commercial E-mail. "Sooner or later, they are going to DDoS something that doesn't deserve it." Blue Security isn't the first to generate controversy by attacking spammers head-on. Last year, Lycos Europe launched a Make Love Not Spam campaign, which bombarded offending sites with screensavers. But in the face of criticism, and after some targets directed traffic back to Lycos, the company ended its campaign. The group Artists Against 419 uses online flash mobs to drain the bandwidth of Nigerian email scam sites. Reshef calls the criticism unfounded. He says Blue Security complains once for each spam received, something every US citizen has a right to do so under Can-Spam. And the company often stops short of that; it doesn't take several thousand complaints for a spammer to take notice. The 25,000-plus Blue users who've donated their processing power to harass generic-Viagra salespeople seem unconcerned with the ethics of it all. The system's biggest hurdle is less moral than practical anyway. Resourceful spammers may simply find ways to circumvent the frogs: They've already tried altering the purchase forms. Ultimately, Reshef must prove he can protect people like me before he can offer his wares to corporations. Two weeks after signing up for the service, my inbox continues to fill up with "Walium CiAllis V'iagra" and "Zap the fat with a bodywrap" emails. Which has me wondering, will my posse ever be big enough? 
--
Jennifer Lopez Lingerie *plus* Gourmet Goodies
www.cafepress.com/dwacon

From nobody at spamcop.net Tue Oct 11 17:51:44 2005
From: nobody at spamcop.net (RandallW)
Date: Tue Oct 11 19:55:02 2005
Subject: [SpamCop-List] I guess his spam works
Message-ID:

Apparently some spammer wasn't sure his spam is being sent out, so he
sent a test to his victims today!

*snipped headers*
From: "Spamtest"
To:
Subject: =?koi8-r?B?+sHLwdo=?=

From baloo at ursine.ca Tue Oct 11 17:20:38 2005
From: baloo at ursine.ca (baloo@ursine.ca)
Date: Tue Oct 11 20:10:03 2005
Subject: [SpamCop-List] Re: "Registrar-Lock"?
References: <434B6EC0.E5EE88F6@SpamCop.net.dev.null>
Message-ID: <6vtt13-468.ln1@ursine.ca>

Larry Kilgallen wrote:
> In article , baloo@ursine.ca writes:
>> Michael Brennan wrote:
>>> What does the term "REGISTRAR-LOCK" mean, and what does this record
>>> indicate?
>>
>> REGISTRAR-LOCK is the verisign-equivalent to every other registry's
>> "CLIENT TRANSFER PROHIBITED".
>
> The interface that DomainDiscover gives me calls it "locking".

Right, because DomainDiscover is a registRAR, not a registRY. The
registrars call it whatever they think has the greatest added value.

From baloo at ursine.ca Tue Oct 11 17:22:59 2005
From: baloo at ursine.ca (baloo@ursine.ca)
Date: Tue Oct 11 20:10:12 2005
Subject: [SpamCop-List] Re: Gmail seems to be regularly in bl.spamcop.net
References:
Message-ID:

Gordon Hudson wrote:
> Surely gmail is the source though?

Nope, just relay.

> They should be stopping their users from spamming rather than passing the
> buck back onto the companies who provided their internet connection and who
> did not provide the mail service.
> Or am I misunderstanding?

They should be stopping their own users as well as revealing where it
came from to keep working the chain. Spam is theft, no matter how you
cut it, their ISP probably wants to know too.
From nobody at devnull.spamcop.net Tue Oct 11 20:15:01 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Tue Oct 11 20:15:03 2005 Subject: [SpamCop-List] yet another FAQ attempt Message-ID: Took me way too long in working through the installation of this thing, but .. it's there and I'm in the process of populating it. Not that I relish the idea of going through the process of removing if it's still of no value, but .... offering up yet another opportunity for some Wazoo bashing ... just a bit of a repeat, but this is all done on my own time, obviously on my own initiative, and am well aware of the anti-forum sentiment ... but, input, yay/nay, something beyond the usual complaining that it's not NNTP would be appreciated. http://forum.spamcop.net/forums/index.php?act=faq From nobody at xyzzy.claranet.de Wed Oct 12 03:23:33 2005 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Tue Oct 11 20:30:03 2005 Subject: [SpamCop-List] Re: Something fishy about this report, but I don't quite know what ... References: Message-ID: <434C5785.2859@xyzzy.claranet.de> Geoffrey Hyde wrote: > I can't seem to place my finger on the problem with this > report, optusnet apparently is letting spam through somehow, > but I don't see why spamcop reported who it did. Apparently that's some WebMail interface at optusnet abused by 213.255.248.13. You can go to http://webmail04.syd.optusnet.com.au to see what it might be. I'm lost why SC reported to the dialin provider of 213.255.248.13 instead of the Webmail provider optusnet IMHO that's wrong, optusnet has a registered Webmail user who sends 419 spams, they should want to know this. OTOH the ISP for 213.255.248.13 might not be interested what their user does with the services of a 3rd party (= optusnet) > Also, why did SC give this message: > ISP does not wish to receive reports regarding > http://www.cnn.com/2000/us/02/01/alaska.airlines.list/ The spam is a typical 419-story with a link to some CNN report. 
It makes no sense to bother CNN with it.

Bye, Frank

From nobody at xyzzy.claranet.de Wed Oct 12 03:50:58 2005
From: nobody at xyzzy.claranet.de (Frank Ellermann)
Date: Tue Oct 11 21:05:03 2005
Subject: [SpamCop-List] Re: yet another FAQ attempt
References:
Message-ID: <434C5DF2.4482@xyzzy.claranet.de>

WazoO wrote:

> I'm in the process of populating it.

No idea why you want two FAQs, will this new forum FAQ replace
the old forum FAQ ?

> input, yay/nay, something beyond the usual complaining that
> it's not NNTP would be appreciated.

I read the password entry, and that info is AFAIK obsolete:

| Free reporting accounts don't require login,

All accounts require "login" and an existing password. The
"login" info is stored in a cookie, the cookie can be deleted
by an explicit "logout" or any other way to destroy cookies.

As long as the "login" cookie exists the machine (or rather the
browser using the same cookie file or directory) is automatically
logged in - nothing unusual, but not what you'd want after
leaving an internet cafe, or if several users surf with the same
Windows "admin" account. Therefore an explicit logout can be a
good idea.

IIRC there's also an interface working without "login" cookie,
but I've never tested it. The three differences between free
and paid reporting accounts are:

1 - paid accounts can send reports to 3rd parties
2 - paid accounts can "appeal" (but maybe that is obsolete)
3 - of course no nagging for paid accounts

Otherwise free and paid SC _reporting_ accounts are identical,
especially no differences wrt to passwords or "login" cookies.

Bye, Frank

From nobody at spamcop.net Tue Oct 11 21:35:18 2005
From: nobody at spamcop.net (Ellen)
Date: Tue Oct 11 21:15:03 2005
Subject: [SpamCop-List] Re: Something fishy about this report, but I don't quite know what ...
References:
Message-ID:

"Geoffrey Hyde" wrote in message
news:dihhmi$eds$2@news.spamcop.net...
> http://www.spamcop.net/sc?id=z814661517z3a48d51c5355a1846ef363591ae773a4z > > I can't seem to place my finger on the problem with this report, optusnet > apparently is letting spam through somehow, but I don't see why spamcop > reported who it did. Did the SC parser fail or am I seeing faked header > information? Webmail system run by optusnet - we usually report the injecting IP. I will also force relaying reports to optusnet. > > Or am I totally off-base here? Ever since seeing the email I'm not sure if > the report addresses are correct. Can someone see if this really should > have been reported to where SC had me send the reports to? Looks fine to me. I also added abuse@sky-vision.net for reports for the injecting IP. I suspect it is probably a compromised machine or some employee doing a little creative spamming in their spare time. > > Also, why did SC give this message: > > ISP does not wish to receive reports regarding > http://www.cnn.com/2000/us/02/01/alaska.airlines.list/ - no date available > > about the link it found in the body of the text? Is this spammer trying > something fishy? yeah the spammer is trying to look legit and so points to some news article on cnn in an attempt to make his 419 scam more "real" Ellen SpamCop From MikeE at ster.invalid Tue Oct 11 19:19:42 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue Oct 11 21:20:03 2005 Subject: [SpamCop-List] Re: yet another FAQ attempt References: Message-ID: WazoO wrote: > Took me way too long in working through the installation > of this thing, but .. it's there and I'm in the process of > populating it. Not that I relish the idea of going through > the process of removing if it's still of no value, but .... > offering up yet another opportunity for some Wazoo > bashing ... just a bit of a repeat, but this is all done on > my own time, obviously on my own initiative, and am > well aware of the anti-forum sentiment ... 
but, input,
> yay/nay, something beyond the usual complaining that
> it's not NNTP would be appreciated.
>
> http://forum.spamcop.net/forums/index.php?act=faq

That looks like a good idea. Lots of navigational tools. Hierarchies
make for ease of drilling down into an area and jumping back out in case
you need to drill into another different hierarchy.

When there's too much on a page or too many pages to have to 'read' or
scan thru' to find something and not enough 'structure' to navigate
with, it becomes tedious and the tedium creates a 'bailout' reaction. It
may be hard for the organizer to sense what causes the seeker's tedium,
because he the organizer already knows where things are, so he is able
to scoot around more quickly or adeptly than someone who is looking for
an answer who hasn't already read all of the material..

A hierarchy structure 'forces' some kind of organization -- even when the
organization might be somewhat imperfect; like some outline formats
which are harder to build or 'force' into the outline structure than it
was to originally write the essay or theme.

--
Mike Easter
kibitzer, not SC admin

From g.hyde at bigpond.net.au Wed Oct 12 12:26:51 2005
From: g.hyde at bigpond.net.au (Geoffrey Hyde)
Date: Tue Oct 11 21:30:03 2005
Subject: [SpamCop-List] Re: Something fishy about this report, but I don't quite know what ...
References: <434C5785.2859@xyzzy.claranet.de>
Message-ID:

"Frank Ellermann" wrote in message
news:434C5785.2859@xyzzy.claranet.de...
> Geoffrey Hyde wrote:
>
>> I can't seem to place my finger on the problem with this
>> report, optusnet apparently is letting spam through somehow,
>> but I don't see why spamcop reported who it did.
>
> Apparently that's some WebMail interface at optusnet abused by
> 213.255.248.13.

I went to the OptusNet website, and even went so far as to call their
enquiries line, and apparently they haven't heard of the webmail address
used in the scam email, and think it's a bogus address that someone's
spoofed.
I don't know if there's a further line of pursuit available through OptusNet, or if it's even worth the bother to track them down, but perhaps someone has already gone to the trouble of finding their email abuse department. If so please pass this information on to me. > You can go to http://webmail04.syd.optusnet.com.au to see what > it might be. I'm lost why SC reported to the dialin provider > of 213.255.248.13 instead of the Webmail provider optusnet Apparently OptusNet doesn't specify that it's a webmail system and SpamCop doesn't trust that the use of "webmail" in an address line means it's looking at an actual webmail system. Perhaps that is good because I'm not sure what OptusNet would actually do with a SpamCop report if they actually received it. > IMHO that's wrong, optusnet has a registered Webmail user who > sends 419 spams, they should want to know this. OTOH the ISP > for 213.255.248.13 might not be interested what their user does > with the services of a 3rd party (= optusnet) Could be. Either that or OptusNet are clueless as to who's abusing their service. I really don't know, in these cases, I trust SpamCop to pick the proper reporting addresses. I would like to know if SpamCop isn't sure though. >> Also, why did SC give this message: >> ISP does not wish to receive reports regarding >> http://www.cnn.com/2000/us/02/01/alaska.airlines.list/ > > The spam is a typical 419-story with a link to some CNN report. > It makes no sense to bother CNN with it. Ahh I see. Many thanks. -- Cheers ... Geoffrey Hyde From MikeE at ster.invalid Tue Oct 11 19:40:37 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue Oct 11 21:45:03 2005 Subject: [SpamCop-List] Re: Something fishy about this report, but I don't quite know what ... 
References:
Message-ID:

Geoffrey Hyde wrote:

www.spamcop.net/sc?id=z814661517z3a48d51c5355a1846ef363591ae773a4z

Abbreviated Received lines *comment

from mail14.syd.optusnet.com.au ([211.29.132.195]) by imta06ps.mx.bigpond.com
from (webmail04.syd.optusnet.com.au [211.29.132.238]) by mail14.syd.optusnet.com.au
from ([213.255.248.138]) by webmail04.syd.optusnet.com.au *sourceline

> I can't seem to place my finger on the problem with this report,
> optusnet apparently is letting spam through somehow, but I don't see
> why spamcop reported who it did. Did the SC parser fail or am I
> seeing faked header information?

An optus client, liuw1@optusnet.com.au, used optus webmailer accessing
from 213.255.248.138 no rDNS of Mega Hertz in Lagos .ng to send the 419.

> Or am I totally off-base here? Ever since seeing the email I'm not
> sure if the report addresses are correct. Can someone see if this
> really should have been reported to where SC had me send the reports
> to?

The ripe listed abuse contact for Mega Hertz is mojeed99@yahoo.com -
which yahoo address is probably bothering you. There is additional
structure for Mega Hertz, which is the routing

route: 213.255.240.0/20
descr: SkyVision Network Services

and a deputy has included SkyVision at their request, which can be seen
in routing details.

Another notified is optus, which wants to hear about who is using its
services to spam; which is a smart configuration by optus.

> Also, why did SC give this message:
>
> ISP does not wish to receive reports regarding
> http://www.cnn.com/2000/us/02/01/alaska.airlines.list/ - no date
> available
>
> about the link it found in the body of the text? Is this spammer
> trying something fishy?

The cnn link is an innocent bystander. The 419er is using the cnn
article about the 88 people killed in the crash of Alaska Airlines 261
as part of the scam. cnn doesn't want to be notified as if they were a
spamvertiser about their news article being included as a link in a
spam.
-- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Tue Oct 11 21:43:38 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Tue Oct 11 21:45:11 2005 Subject: [SpamCop-List] Re: yet another FAQ attempt References: <434C5DF2.4482@xyzzy.claranet.de> Message-ID: "Frank Ellermann" wrote in message news:434C5DF2.4482@xyzzy.claranet.de... > WazoO wrote: > > > I'm in the process of populating it. > > No idea why you want two FAQs, will this new forum FAQ replace > the old forum FAQ ? http://forum.spamcop.net/forums/index.php?showtopic=5108 Actually, this will make three .... will it replace anything? Not up to me .... although a couple of Deputies weighed in on the attempted Portal page and gave me a 'looks good' .. that was the end of that discussion .... > > input, yay/nay, something beyond the usual complaining that > > it's not NNTP would be appreciated. > > I read the password entry, and that info is AFAIK obsolete: > > | Free reporting accounts don't require login, Point taken, but ....geeze ... whacking code all day, screwing with converting HTML, BBCode and web-page formatting to get the thing working and legible .... data noted, changes needed, but once again, this was taken directly from the www.spamcop.net version of the SpamCop FAQ ..... I can work on the data in the Forum, but the original source is not under my control .... Sending a note upstream to point out the lack of update on this data/page to reflect the current realities. From nobody at devnull.spamcop.net Tue Oct 11 22:33:39 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Tue Oct 11 22:35:03 2005 Subject: [SpamCop-List] Re: yet another FAQ attempt References: <434C5DF2.4482@xyzzy.claranet.de> Message-ID: "WazoO" wrote in message news:dihpoa$jmk$1@news.spamcop.net... > "Frank Ellermann" wrote in message > news:434C5DF2.4482@xyzzy.claranet.de... 
> >
> > I read the password entry, and that info is AFAIK obsolete:
> >
> > | Free reporting accounts don't require login,
>
> Point taken, but ....geeze ... whacking code all day, screwing with
> converting HTML, BBCode and web-page formatting to get
> the thing working and legible .... data noted, changes needed, but
> once again, this was taken directly from the www.spamcop.net
> version of the SpamCop FAQ ..... I can work on the data in the
> Forum, but the original source is not under my control ....
>
> Sending a note upstream to point out the lack of update
> on this data/page to reflect the current realities.

OK, started my e-mail on the FAQ entry, went to gather data, and note that yes, I lied .... that particular entry was written up by Don, one of the original staff members hired by Julian way back when.

Looks like you skipped your chance to offer your comments directly into this FAQ thing .....

From bar_n0ne at hotmail.com Wed Oct 12 11:30:21 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Wed Oct 12 02:35:24 2005
Subject: [SpamCop-List] SC Sadistics
Message-ID:

(Lies, Damned Lies, and Statistics)

I'm just wondering but the top report targets in http://www.spamcop.net/w3m?action=hoshame must be reports regarding the source (sender) of the spam. Is that true?

Now that kornet and the hana-nets have aggressively pursued spammer hosting business over the last few months, virtually every spam excluding pump and Dump that I get wants to report spamvertised sites there, or, in China railways or the famous chinese Knick-Knockers and several other chinese ISP's (_Internet _Spam _Providers).

But they are hardly a blip in the top 200 report targets.. And they _send_ out between 30 and 50% of the spam I receive also.
(English, not Korean or Chinese spams)

From f_dekruijf at hotmail.com Wed Oct 12 11:01:35 2005
From: f_dekruijf at hotmail.com (Freek)
Date: Wed Oct 12 04:05:27 2005
Subject: [SpamCop-List] I wonder why spamcop can't find the abuse address
Message-ID:

In my spamreport
http://www.spamcop.net/sc?id=z814778533z48d0acf79a7665af2f953d229f1a371fz

the following showed up:
Re: 220.117.221.58 (Administrator of network where email originates)
on source nomaster@devnull.spamcop.net 220.117.221.58
To: nomaster@devnull.spamcop.net (Notes)

Using jwhois I found:
inetnum: 220.116.0.0 - 220.127.255.255
netname: KORNET
descr: KOREA TELECOM
descr: Network Management Center
country: KR
admin-c: DL248-AP
tech-c: GK40-AP
remarks: ***********************************************
remarks: KRNIC of NIDA is the National Internet Registry
remarks: in Korea under APNIC. If you would like to
remarks: find assignment information in detail
remarks: please refer to the NIDA Whois DB
remarks: http://whois.nida.or.kr/english/index.html
remarks: ***********************************************
status: ALLOCATED PORTABLE
notify: security@hanaro.com
..............

I wonder why spamcop is not able to find that same information.

--
Freek

From bar_n0ne at hotmail.com Wed Oct 12 13:15:02 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Wed Oct 12 04:20:02 2005
Subject: [SpamCop-List] Re: I wonder why spamcop can't find the abuse address
References:
Message-ID:

"Freek" wrote in message news:diift0$5ol$1@news.spamcop.net...
> In my spamreport
> http://www.spamcop.net/sc?id=z814778533z48d0acf79a7665af2f953d229f1a371fz
>
> the following showed up:
> Re: 220.117.221.58 (Administrator of network where email originates)
> on source nomaster@devnull.spamcop.net 220.117.221.58
> To: nomaster@devnull.spamcop.net (Notes)
>
> Using jwhois I found:
> inetnum: 220.116.0.0 - 220.127.255.255
> netname: KORNET
SNIP
>
> I wonder why spamcop is not able to find that same information.

And what would be the point?, the IP gets blocked just the same, a report would be bit binned just the same.

From Nobody at SpamCop.net.dev.null Wed Oct 12 04:50:04 2005
From: Nobody at SpamCop.net.dev.null (Michael Brennan)
Date: Wed Oct 12 04:56:07 2005
Subject: [SpamCop-List] Re: "Registrar-Lock"?
References: <434B6EC0.E5EE88F6@SpamCop.net.dev.null>
Message-ID: <434CCE3C.AC3F1AD1@SpamCop.net.dev.null>

Mike Easter wrote:
>
> Michael Brennan wrote:
> > Chasing down a spamvertised webpage, I came across this return for a
> > whois lookup:
> >
> > Spampage: http://yotdgd2b.brave-123.net/savings.asp
>
> Your information for brave-123.net is different from mine.
>
> > Domain Name: BRAVE-123.NET
> > Registrar: ENOM INC.
> > Whois Server: whois.enom.com
> > Referral URL: http://www.enom.com
> > Name Server: NS1.HELLO-123.NET
> > Name Server: NS2.HELLO-123.NET
> > Status: REGISTRAR-LOCK
> > Updated Date: 10-oct-2005
> > Creation Date: 06-oct-2005
> > Expiration Date: 06-oct-2006 >>> Last update of whois database:
> > Mon 10 Oct 2005 14: 13: 15 EDT <<<
>
> I'm not getting that. enom, crsnic, and internic give me nothing
>
> dnsstuff gives me different information than you have and sez it is at
> namecheap.com which gives me nothing except to say that the name is
> available.

I ran it through SamSpade's online lookup.

>
> Registration Service Provided By: NameCheap.com
> Contact: *******@NameCheap.com
> Visit: http://www.namecheap.com/
>
> Domain name: brave-123.net
>
> Registrant Contact:
> NB
> nicholas brown **************@netscape.net)
> +1.2062020838
> Fax: +1.5555555555
> 1201 N NORTHLAKE WAY
> Seattle, WA 98103
> US
>
> Administrative Contact:
> NB
> nicholas brown **************@netscape.net)
> +1.2062020838
> Fax: +1.5555555555
> 1201 N NORTHLAKE WAY
> Seattle, WA 98103
> US
>
> Technical Contact:
> NB
> nicholas brown **************@netscape.net)
> +1.2062020838
> Fax: +1.5555555555
> 1201 N NORTHLAKE WAY
> Seattle, WA 98103
> US
>
> Billing Contact:
> NB
> nicholas brown **************@netscape.net)
> +1.2062020838
> Fax: +1.5555555555
> 1201 N NORTHLAKE WAY
> Seattle, WA 98103
> US
>
> Status: Locked
>
> Name Servers:
> ns1.hulk-123.com
> ns2.hulk-123.com
>
> Creation date: 06 Oct 2005 09:49:32
> Expiration date: 06 Oct 2006 09:49:32
>
>
> but the information at dnsstuff also said this "Using 1 day old cached
> answer (or, you can get fresh results)." and then the link for the fresh
> results gave me nothing
>
> Very puzzling about the discrepancy at namecheap. My guess is that the
> one day old information is the most accurate, but maybe not.

I got the same information for "Nicholas Brown" registering another spampage in another "mortgage-application" phishing spam [I've got a fresh one in my inbox as I type] which I LARTed on on October 9 (Sunday), tracking URL here:

http://www.spamcop.net/sc?id=z813885989zfcadb152a67bc0b743b342e35527be76z

I looked up his spampage on SamSpade again and got this:

Server Used: [ whois.yesnic.com ]

http://pr0per.net/fine.asp = [ 211.147.228.105 ]

-----------------------------------------------
Queried Domain Information as follows
-----------------------------------------------
Domain Name : pr0per.net
:
:Registrant:
:
Name : Nicholas Brown
Email : nich0lasbrown@netscape.net
Address : 1201 N NORTHLAKE WAY
Zipcode : 98103
Nation : US
Tel : 2062020838
Fax :
:
:Administrative Contact:
:
Name : Nicholas Brown
Email : nich0lasbrown@netscape.net
Address : 1201 N NORTHLAKE WAY
Zipcode : 98103
Nation : US
Tel : 2062020838
Fax :
:
:Technical Contact:
:
Name : Nicholas Brown
Email : nich0lasbrown@netscape.net
Address : 1201 N NORTHLAKE WAY
Zipcode : 98103
Nation : US
Tel : 2062020838
Fax :
:
:Name Servers:
:
ns1.pr0per.com
ns2.pr0per.com
:
:Dates & Status:
:
Created Date 2005-10-05 18: 22: 43 EDT
Updated Date 2005-10-05 18: 22: 43 EDT
Valid Date 2006-10-05 18: 22: 43 EDT
Status ACTIVE

Reverse DNS on the IP gives Etrust, with an e-mail address in there for liucheng@gzidc.com and an admin e-mail address at netadmin@ehomenet.com.

I checked the address on "Northlake Way" using MapQuest and USPS.com. Address is bogus for Zip Code 98103 and is not found in Seattle or suburbs Phinney, Wallingford, Meridian, Fremont, or Green Lake either (all nearby that Zip) with or without Zip Code attached.

Ergo, the registration is bogus in 3D space.

Reverse phone lookup on registered contact number (206)202-0838 yielded no listings.

I put all that in the comments section of the LART, mentioning LK's name in passing as having been a source for very similar spams in the past, and sent it off.
Maybe Cyveillance did something with it. I also filed a complaint (actually, two -- two different spams/registrations) to Internic about Yesnic on the bad registration address data, as we'd previously discussed about another of these bogus Seattle-area registrations.

I didn't try to e-mail the Netscape contact address or call up the phone number (unlisted CLEC number, again, in Seattle) to verify that they were bogus as well. I've tried to LART Netscape on these support mailboxes before and got 554 rejection notices (I think it was 554's, I didn't keep them -- LOL). Yahoo! on the other hand has looked into them and replied in a reasonably short time.

> > What does the term "REGISTRAR-LOCK" mean, and what does this record
> > indicate?
>
> It just means that the information can't be changed or the domainname
> moved without the registrant getting the registrar to 'unlock' the
> registration. Which is basically the way it is supposed to be.
>

Since then, I sent another complaint last night on a similarly registered (with radiant bogosity) spampage in another mortgage phish UBE to Joker.com, using my throwaway account, and if I don't hear anything back from them pdq, I'll forward that info to Internic as well, and let them explain to Internic how they registered one spamvertised webpage for William Troy, and another for Troy Williams, at the same street number and street, in different Zip codes hundreds of miles apart, on the same AOL mail account, a few days apart. As of six hours ago or so, Joker hadn't replied yet -- and they've had a full business day to look into it.

Beyond mailing a note to Internic, that's about all I can do. Who knows, maybe that's too much. Well, it's more than I want to do with one or two spams.

Is anyone chasing these spampage registrations down on a regular basis, to see whether these registrars are playing by the rules? I'd rather someone else did it, if only for reasons of efficiency and relative advantage.
I wouldn't want to put my elbow in the gravyboat, trying to correct something that is obviously wrong and bad, if someone else can do it better.

Regards,
Michael

From Nobody at SpamCop.net.dev.null Wed Oct 12 04:59:55 2005
From: Nobody at SpamCop.net.dev.null (Michael Brennan)
Date: Wed Oct 12 05:00:12 2005
Subject: [SpamCop-List] Slightly Off-Topic......What Are These?
Message-ID: <434CD08B.133013CE@SpamCop.net.dev.null>

Had run into a number of webpages while searching online that throw lots of keywords up in a jumble.....are these drive-by sites, Trojanizing spammers, or what?

Typical search return example (redacted for decency):

BANCANET - hu.zgora.pl - bancanet ... cheap air fairs civil war flag writing a paper accord headlight ... old women pics sport saller nylon foot smelling femlae modles ... squad com creampie [redacted Saxon] kor hmm21 stregis com nude pictures ...

What's up with this? Leo lurking behind rocks, waiting to pounce with a payload?

Regards,
Michael

From nobody at nowhere.not Wed Oct 12 10:32:27 2005
From: nobody at nowhere.not (Robert Blair)
Date: Wed Oct 12 05:35:32 2005
Subject: [SpamCop-List] Re: OT Re: How to Rattle This Guy's Cage?
References: <43427912.17EDB4B5@SpamCop.net.dev.null> <462oa8nyzhdz.dlg@news.spamcop.net> <4iii13-m4u.ln1@ursine.ca> <5k6t13-jml.ln1@ursine.ca>
Message-ID:

On Tue, 11 Oct 2005 16:42:13 UTC, baloo@ursine.ca wrote:

> Tom McCall fought for the US's first bottle
> bill, the cleanup of the Willamette River, fought to continue the
> prohibition of private ownership of ocean beach,

Private ownership of the coast and rivers has not been allowed in California for a long time.

> and more or less made
> "Go fuck yourself" the state's official position towards California
> and Californians.

Sounds like he was a newcomer to the state with the attitude that now that I am here keep out everyone else, in other words a jerk.

> Not to mention cheaper since you don't pay the massive insurance
> overhead self-serve stations pay down here.

Insurance has very little to do with it, it is mostly taxes which in California are higher than most other states. I am on vacation in Europe where gas costs about $7.00 a gallon, mostly taxes.

--
Robert Blair

From nobody at nowhere.not Wed Oct 12 10:49:39 2005
From: nobody at nowhere.not (Robert Blair)
Date: Wed Oct 12 05:50:26 2005
Subject: [SpamCop-List] Re: Gmail seems to be regularly in bl.spamcop.net
References:
Message-ID:

On Tue, 11 Oct 2005 21:53:47 UTC, "Mike Easter" wrote:

> The reason you have to name all 3 is because each of those entities
> typically does not enforce for the other; msn won't terminate a hotmail
> account for an infraction, hotmail won't terminate a msn account,
> microsoft won't terminate a hotmail or msn account, etc. It isn't
> always 'apparent' which abuse desk should be notified, so one policy is
> to simply notify all 3.

If that is true why doesn't spamcop report all three. Whenever I get the message "not from here" spamcop has always reported to hotmail. I will start adding the other two abuse addresses but it would be much nicer if spamcop did it.

--
Robert Blair

From bar_n0ne at hotmail.com Wed Oct 12 15:30:02 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Wed Oct 12 06:35:04 2005
Subject: [SpamCop-List] Re: "Registrar-Lock"?
References: <434B6EC0.E5EE88F6@SpamCop.net.dev.null> <434CCE3C.AC3F1AD1@SpamCop.net.dev.null>
Message-ID:

"Michael Brennan" wrote in message news:434CCE3C.AC3F1AD1@SpamCop.net.dev.null...
SNIP
>
> Is anyone chasing these spampage registrations down on a regular basis,
> to see whether these registrars are playing by the rules? I'd rather
> someone else did it, if only for reasons of efficiency and relative
> advantage. I wouldn't want to put my elbow in the gravyboat, trying to
> correct something that is obviously wrong and bad, if someone else can
> do it better.
>
> Regards,
> Michael

Wow, You are dedicated, yeah there are a few, like you, I find Internic and registrars take weeks to respond, Most of these spam sites only have a short half life anyway, by the time you get them shut down they are abandoned already for the most part.

Most (if not all) registrars consider spammers free money, spammy registers a bunch (many) of site names and DNS for a couple of hundred bucks, uses them on a spam run, and moves on. A gravy train for registrars, unless they have to exercise due diligence.

My experience on following up on bogus registrations was:
Send complaint to the registrar and internic (web forms and all of that)
4 weeks later Internic contacts me and asks if things are fixed, I check, they are not, respond appropriately (webforms again)
never heard more, checked again weeks later, bogosity still in place, never bothered again.

I think the best is if one can get their DNS servers shut down, they are not quite as throw-away as their site names. Best of course is if the server rooms would be hit by a TOW missile, or a tomahawk, or a serious tsunami.

From MikeE at ster.invalid Wed Oct 12 05:36:17 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Oct 12 07:40:26 2005
Subject: [SpamCop-List] Re: SC Sadistics
References:
Message-ID:

Berny wrote:
> (Lies, Damned Lies, and Statistics)
>
> I'm just wondering but the top report targets in
> http://www.spamcop.net/w3m?action=hoshame must be reports regarding
> the source (sender) of the spam. Is that true?

Yes.

> Now that kornet and the hana-nets have aggressively pursued spammer
> hosting business over the last few months, virtually every spam
> excluding pump and Dump that I get wants to report spamvertised sites
> there, or, in China railways or the famous chinese Knick-Knockers and
> several other chinese ISP's (_Internet _Spam _Providers).
>
> But they are hardly a blip in the top 200 report targets.. And they
> _send_ out between 30 and 50% of the spam I receive also.
> (English, not Korean or Chinese spams)

Of the top 200 IPs which are listed in the top section, a third of them do not rDNS. The far and away #1 'domainname' in the bottom section is 'lacking dns'; over 4x as much as 2nd place..

If you grab some of those individual non resolving IPs which appear in the top section and run them thru' whois apnic, you will see your friends the .cn and .kr providers.

So, that page is missing .cn and .kr 'effect' or appearance because they don't rDNS.

If you could get all of the 'good guys' to rDNS, you would have a powerful filtering tool.

--
Mike Easter
kibitzer, not SC admin

From bar_n0ne at hotmail.com Wed Oct 12 17:01:17 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Wed Oct 12 08:15:04 2005
Subject: [SpamCop-List] Re: SC Sadistics
References:
Message-ID:

"Mike Easter" wrote in message news:diisfg$cgn$1@news.spamcop.net.. .
SNIP
> So, that page is missing .cn and .kr 'effect' or appearance because they
> don't rDNS.

Ahhh!, thanks Mike, that explains a lot!! D%$# the good guys that don't rDNS. I've seen that a lot in intranets, where most net things seem to work, except for a few bugaboos, which always track to a bad, or no, rDNS. Of course, the spammy wouldn't care about that, (s)he doesn't use any transactional services, where (s)he hosts his/her spamsite.

D%$# I hate having to worry about "sexist" language.

From bar_n0ne at hotmail.com Wed Oct 12 17:11:19 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Wed Oct 12 08:15:17 2005
Subject: [SpamCop-List] Re: SC Sadistics
References:
Message-ID:

"Mike Easter" wrote in message news:diisfg$cgn$1@news.spamcop.net.. .
SNIP
> So, that page is missing .cn and .kr 'effect' or appearance because they
> don't rDNS.

Ahhh!, thanks Mike, that explains a lot!! D%$# the good guys that don't rDNS. I've seen that a lot in intranets, where most net things seem to work, except for a few bugaboos, which always track to a bad, or no, rDNS.
Of course, the spammy wouldn't care about that, (s)he doesn't use any transactional services, where (s)he hosts his/her spamsite.

D%$# I hate having to worry about "sexist" language.

From MikeE at ster.invalid Wed Oct 12 06:21:42 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Oct 12 08:25:03 2005
Subject: [SpamCop-List] Re: "Registrar-Lock"?
References: <434B6EC0.E5EE88F6@SpamCop.net.dev.null> <434CCE3C.AC3F1AD1@SpamCop.net.dev.null>
Message-ID:

Michael Brennan wrote:
> Mike Easter wrote:
>>
>> Michael Brennan wrote:
>>> Chasing down a spamvertised webpage, I came across this return for a
>>> whois lookup:
>>>
>>> Spampage: http://yotdgd2b.brave-123.net/savings.asp
>>
>> Your information for brave-123.net is different from mine.
>> I'm not getting that. enom, crsnic, and internic give me nothing
>>
>> dnsstuff gives me different information than you have and sez it is
>> at namecheap.com which gives me nothing except to say that the name
>> is available.
>
>

Our looking was Oct 11 and at that time the name resolved and there was a website. On Oct 12 I'm finding brave-123.net to not resolve and both the fresh and cached results at dnsstuff and samspade [using crsnic] are empty. There is general agreement that the name is available, including at namecheap.com which is the last place which the cache said it was registered -- "brave-123.net seems to be available".

> I ran it through SamSpade's online lookup.

Empty now.

When brave-123.net doesn't resolve it is 'functionally' dead. When the name is available for registration, it would seem to be really really permanently dead. You can register it yourself and do what you want with it.

>>
>> Registration Service Provided By: NameCheap.com
>> Domain name: brave-123.net
>> nicholas brown **************@netscape.net)
>> but the information at dnsstuff also said this "Using 1 day old
>> cached answer (or, you can get fresh results)."
>> and then the link
>> for the fresh results gave me nothing
>>
>> Very puzzling about the discrepancy at namecheap. My guess is that
>> the one day old information is the most accurate, but maybe not.
>
>
>
> I got the same information for "Nicholas Brown" registering another
> spampage in another "mortgage-application" phishing spam [I've got a
> fresh one in my inbox as I type] which I LARTed on on October 9
> (Sunday), tracking URL here:
>
> http://www.spamcop.net/sc?id=z813885989zfcadb152a67bc0b743b342e35527be76z
>
> I looked up his spampage on SamSpade again and got this:
> Server Used: [ whois.yesnic.com ]
>
> http://pr0per.net/fine.asp = [ 211.147.228.105 ]

pr0per.net does not resolve for me at this time with my resolvers nor with the resolver/s at dnsstuff -- that makes it 'functionally' dead as of say noon UTC.

The name is registered with yesnic which sez that it doesn't have nameservice
Name Server: No nameserver
Status: REGISTRAR-HOLD
Updated Date: 11-oct-2005
Creation Date: 05-oct-2005

> Reverse DNS on the IP gives Etrust,

You mean to say something else. The IP which you got for the DNS 211.147.228.105 doesn't rDNS. The apnic whois gives etrust.

> with an e-mail address in there
> for liucheng@gzidc.com and an admin e-mail address at
> netadmin@ehomenet.com.

Be careful about what you look at in the RIRs like apnic. There is a difference between 'changed' information lines and the admin/tech lines. The admin/tech for etrust is nic-hdl JL2165-AP which is netadmin@ehomenet.com -- whereas the gzidc addy only appears in 'changed' information lines. Normally SC notifies are directed at admin/tech or abuse contact information lines, not changed information contacts.

However, in this case of etrust which is spamhaused and spewed, the 'fine points' of the contact information is pretty much a waste of time. I'm only elaborating here for those situations in which your lookup information is relevant.
It isn't relevant as I type this because the name doesn't DNS to the IP in question, and it isn't very relevant if the IP were still the same because etrust is nonresponsive.

> I checked the address on "Northlake Way" using MapQuest and USPS.com.
> Address is bogus for Zip Code 98103 and is not found in Seattle or
> suburbs Phinney, Wallingford, Meridian, Fremont, or Green Lake either
> (all nearby that Zip) with or without Zip Code attached.
>
> Ergo, the registration is bogus in 3D space.

Correct. I would consider 98103 to be Seattle.

> Reverse phone lookup on registered contact number (206)202-0838
> yielded no listings.

Yabbut that lookup 'doesn't count' if the registrant can be reached there.

> I put all that in the comments section of the LART, mentioning LK's
> name in passing as having been a source for very similar spams in the
> past, and sent it off. Maybe Cyveillance did something with it. I
> also filed a complaint (actually, two -- two different
> spams/registrations) to Internic about Yesnic on the bad registration
> address data, as we'd previously discussed about another of these
> bogus Seattle-area registrations.

Okey dokey.

> I didn't try to e-mail the Netscape contact address or call up the
> phone number (unlisted CLEC number, again, in Seattle) to verify that
> they were bogus as well. I've tried to LART Netscape on these support
> mailboxes before and got 554 rejection notices (I think it was 554's,
> I didn't keep them -- LOL). Yahoo! on the other hand has looked into
> them and replied in a reasonably short time.

The 'old idea' that there was some value in attacking the registrant email address provider doesn't often work. The concept was that there was an AUP against using some free account for commercial and similar purposes, and that the domainname registration information was a misuse of the free account.
What is and isn't free can't be assumed, nor can it be assumed that netscape has a policy against using the account nich0lasbrown with a zero for the yesnic registration purposes.

> Since then, I sent another complaint last night on a similarly
> registered (with radiant bogosity) spampage in another mortgage phish
> UBE to Joker.com, using my throwaway account, and if I don't hear
> anything back from them pdq, I'll forward that info to Internic as
> well, and let them explain to Internic how they registered one
> spamvertised webpage for William Troy, and another for Troy Williams,
> at the same street number and street, in different Zip codes hundreds
> of miles apart, on the same AOL mail account, a few days apart. As
> of six hours ago or so, Joker hadn't replied yet -- and they've had a
> full business day to look into it.

I think the beefs to a registrar about bogus information should be submitted thru' the internic form page at
http://wdprs.internic.net/ Whois Data Problem Report System
because some registrars only pay attention to what is submitted to them via the internic process, which is supposed to oversee whether or not they are taking care of business.

One other advantage of submitting thru' that system is that it 'sets up' griping about the registrar itself on a different page

To submit a complaint about an accredited registrar go to the Registrar Problem Report form.
http://reports.internic.net/cgi/registrars/problem-report.cgi

> Beyond mailing a note to Internic, that's about all I can do. Who
> knows, maybe that's too much. Well, it's more than I want to do with
> one or two spams.

Attacking the domainname bogus information registration process is tedious, but it is of some value if a registrar is motivated. Altho' the brave-123.net and the pr0per.net do not currently resolve and are functionally dead and the brave-123 is really dead, the pr0per is able to be resuscitated.

Some domainname situations are that the spamvertiser has hundreds of name registrations to cycle thru'. However, if the registrar is 'motivated', theoretically it might be possible for you to kill hundreds of registrations at the same time, because the registrar might choose to do something about everything that your 'Nicholas Brown' has registered.

Or, the registrar might choose to do as little as possible.

> Is anyone chasing these spampage registrations down on a regular
> basis, to see whether these registrars are playing by the rules?

There are many varieties of spamfighting. Attacking domainname registrations is a popular angle.

> I'd
> rather someone else did it, if only for reasons of efficiency and
> relative advantage. I wouldn't want to put my elbow in the
> gravyboat, trying to correct something that is obviously wrong and
> bad, if someone else can do it better.

The whole idea about spamfighting is doing what trips your trigger -- and figgering out the best way to do it.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Wed Oct 12 07:01:06 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Oct 12 09:05:06 2005
Subject: [SpamCop-List] Re: SC Sadistics
References:
Message-ID:

Berny wrote:
> spammy wouldn't care about that, (s)he doesn't use any transactional
> services, where (s)he hosts his/her spamsite.
>
> D%$# I hate having to worry about "sexist" language.

Part of the problem is a 'deficiency' of our language - which lacks singular gender-neutral pronouns, but has plurals they and them.

There isn't an easy or generally accepted way of dealing with the problem, altho' the issue has been thoroughly studied and debated -- ranging from how proper it is or isn't to use the plural for the singular or to 'create' neologisms for the singulars.

Personally I prefer to create my neologistic preferences s/he and hir, which is only 2, as opposed to some other choices which are discussed on this site
http://www.aetherlumina.com/gnp/ Gender-Neutral Pronoun Frequently Asked Questions (GNP FAQ)

The wikipedia now has an interesting article about the situation in English, the neologistic proposals, and the pronoun availability in a number of other languages
http://en.wikipedia.org/wiki/Gender-neutral_pronoun

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Wed Oct 12 07:13:15 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Oct 12 09:15:02 2005
Subject: [SpamCop-List] Re: Gmail seems to be regularly in bl.spamcop.net
References:
Message-ID:

Robert Blair wrote:
> "Mike Easter"
>> The reason you have to name all 3 is because each of those entities
>> typically does not enforce for the other; msn won't terminate a
>> hotmail account for an infraction, hotmail won't terminate a msn
>> account, microsoft won't terminate a hotmail or msn account, etc.
>> It isn't always 'apparent' which abuse desk should be notified, so
>> one policy is to simply notify all 3.
>
> If that is true why doesn't spamcop report all three. Whenever I get
> the message "not from here" spamcop has always reported to hotmail. I
> will start adding the other two abuse addresses but it would be much
> nicer if spamcop did it.

For years I have 'considered' the different factors which go into how SC derives its notifies; and how its 'responsibility' as a massive notifier of many millions [2.6 million spam last week, multiple notifies per spam] of addresses affect the decisions about whether to notify less addresses rather than more.

My own philosophy is quite different from SC's, in which I can consider that quite a number of different addresses can be logically considered for a notify for various reasons which SC doesn't consider.

I might want to notify more addresses than SC because there is likely to be a language barrier.
Or because a provider is known to be unresponsive as indicated by listings in spews and/or spamhaus. Or because a provider doesn't have a reg'd abuse.net contact. Or because the notified is an upstream of an unresponsive or unlisted contact.

SC uses its algorithms to derive the notified, and then subtracts addresses based on experience of bounces and such -- so SC is configured to notify considerably differently than I do -- but I like to take SC's experience into account.

So, I consider my notifying 'superior' to SC's because I am using more tools to derive the contacts, and also because I am at more 'liberty' to make more notifications because I'm not notifying as many millions per week as SC is. 'Excessive' notifications from SC could make some desks crazy.

--
Mike Easter
kibitzer, not SC admin

From ori at unknown.com Wed Oct 12 17:50:14 2005
From: ori at unknown.com (Ori)
Date: Wed Oct 12 10:50:07 2005
Subject: [SpamCop-List] found my email along with thousands in japanese server
Message-ID:

Hi,

I found my email along with thousands of emails on several files in this server:
http://i-map.cc/upload/

Any idea where do we go from here?

Thanks,
Ori

From skiwi at spamcop.net Wed Oct 12 09:11:03 2005
From: skiwi at spamcop.net (Skiwi)
Date: Wed Oct 12 11:15:03 2005
Subject: [SpamCop-List] Who the hell are FreshAddress.com? It looks fishy but legit at the same time...
Message-ID:

http://www.spamcop.net/sc?id=z814890815zc1b2913d20f49f05692e47b3b1db2a54z
(cancelled)

Spam in entirety pasted in spamcop.spam (with some munging)

TIA!
Greg...

From MikeE at ster.invalid Wed Oct 12 09:14:52 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Oct 12 11:15:16 2005
Subject: [SpamCop-List] Re: found my email along with thousands in japanese server
References:
Message-ID:

Ori wrote:

> I found my email along with thousands of emails on several files in
> this server:
> http://i-map.cc/upload/

Dontcha' just hate it when that happens?

> Any idea where do we go from here?

Change your email addy?

But, seriously, there is nothing you can do to remove your addy from the mailing lists or millions CDs of spammers.

From the outset, you can protect an addy by making it very randomized, which also makes it ugly and awkward -- but prevents the process by which spammers gather lots of usernames from various places and then attach them to lots of different domainnames from various places -- which I wouldn't call a 'dictionary', but I guess some people do.

Then, further protect an address by not exposing it mostly on websites as a naked mailto, and also not in the From of newsgroup messages.

Then, further, have a 'system' or method for using for giving out your email when it is required or needed for something, so that you can easily jettison that email if it turns out to be misused by the company you gave it to.

That strategy could also be applied to your friends, who cannot be relied upon to not misuse your address -- by plastering it into the To containing scores of addresses of a social spam, or by giving it to greeting card or other scams, or by having it harvested by their system becoming virm infected.

So -- you can defend an address from 'unnecessary' exposure. Once it is out there, you can't 're-hide' it. It is a piece of 'public' or semipublic information to be abused by those who do that.

--
Mike Easter
kibitzer, not SC admin

From ori at unknown.com Wed Oct 12 18:21:49 2005
From: ori at unknown.com (Ori)
Date: Wed Oct 12 11:20:05 2005
Subject: [SpamCop-List] Re: found my email along with thousands in japanese server
References:
Message-ID:

Understood, just thought about limiting the exposure if that is at all possible...

"Mike Easter" wrote in message news:dij99b$jcu$1@news.spamcop.net...
> Ori wrote:
>
>> I found my email along with thousands of emails on several files in
>> this server:
>> http://i-map.cc/upload/
>
> Dontcha' just hate it when that happens?
>
>> Any idea where do we go from here?
>
> Change your email addy?
>
> But, seriously, there is nothing you can do to remove your addy from the
> mailing lists or millions CDs of spammers.
>
> From the outset, you can protect an addy by making it very randomized,
> which also makes it ugly and awkward -- but prevents the process by
> which spammers gather lots of usernames from various places and then
> attach them to lots of different domainnames from various places --
> which I wouldn't call a 'dictionary', but I guess some people do.
>
> Then, further protect an address by not exposing it mostly on websites
> as a naked mailto, and also not in the From of newsgroup messages.
>
> Then, further, have a 'system' or method for using for giving out your
> email when it is required or needed for something, so that you can
> easily jettison that email if it turns out to be misused by the company
> you gave it to.
>
> That strategy could also be applied to your friends, who cannot be
> relied upon to not misuse your address -- by plastering it into the To
> containing scores of addresses of a social spam, or by giving it to
> greeting card or other scams, or by having it harvested by their system
> becoming virm infected.
>
> So -- you can defend an address from 'unnecessary' exposure. Once it is
> out there, you can't 're-hide' it. It is a piece of 'public' or
> semipublic information to be abused by those who do that.
>
> --
> Mike Easter
> kibitzer, not SC admin
>

From MikeE at ster.invalid Wed Oct 12 10:06:43 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Oct 12 12:10:28 2005
Subject: [SpamCop-List] Re: Who the hell are FreshAddress.com? It looks fishy but legit at the same time...
References:
Message-ID:

Skiwi wrote:

www.spamcop.net/sc?id=z814890815zc1b2913d20f49f05692e47b3b1db2a54z
> (cancelled)
>
> Spam in entirety pasted in spamcop.spam (with some munging)

Such outfits as HP & Sony 'do things' with such outfits as freshaddress - so the result is a straightup item for which reporting would be rather useless.
Here's an April thread in nanae
http://snipurl.com/if5r

From: "McWebber"
Newsgroups: news.admin.net-abuse.email
Subject: [Mainsleeze] Sony / freshaddress.com / epending
Date: Fri, 22 Apr 2005 17:10:25 -0400
Message-ID:

--
Mike Easter
kibitzer, not SC admin

From firewoman at default.domain.not.available Wed Oct 12 13:13:24 2005
From: firewoman at default.domain.not.available (Firewoman)
Date: Wed Oct 12 12:15:04 2005
Subject: [SpamCop-List] Re: Blue Frog
References:
Message-ID:

"dwåcôn" wrote in message news:dihitf$fcl$1@news.spamcop.net...
> From: http://www.wired.com/wired/archive/13.10/posts.html?pg=4
>
> "This is a message that spells out, 'I am a spammer,'" says Eran Reshef,
> his voice echoing in the receiver from half a world away. Reshef is the
> CEO of Blue Security, a startup he founded in Herzliya Pituach, Israel,
> and we're examining an email typical of a dozen I receive daily. The
> subject line contains an offer for bargain-basement "generic Viagra." I've
> long since burned through my animosity for spammers. I use the best filter
> I can find and delete the garbage that makes it through. I've learned the
> hard way that trying to opt out from junk email only attracts more of it.
>
> Reshef wants me to tap into my dormant rage and fight back. Don't worry,
> he tells me, you'll have a posse. He's organizing thousands of weary
> victims like me and leading us in a kind of distributed denial-of-service
> attack. It's a weapon normally employed by malicious hackers who use
> hijacked PCs to flood unsuspecting companies, but Reshef is out to cripple
> offensive bulk emailers. "That," he says, "is the only way to get their
> attention."
>

Attacking a spamvertised site isn't the right way to 'get back at' a spammer.
Here's a link to the USENET thread on the subject of Blue Frog's initiative:
http://groups.google.com/group/news.admin.net-abuse.email/browse_frm/thread/da392c7ad6d4dedc

Here's a link to the SC Forums discussion:
http://forum.spamcop.net/forums/index.php?showtopic=5004

From baloo at ursine.ca Wed Oct 12 11:44:34 2005
From: baloo at ursine.ca (baloo@ursine.ca)
Date: Wed Oct 12 14:10:04 2005
Subject: [SpamCop-List] Re: OT Re: How to Rattle This Guy's Cage?
References: <43427912.17EDB4B5@SpamCop.net.dev.null> <462oa8nyzhdz.dlg@news.spamcop.net> <4iii13-m4u.ln1@ursine.ca> <5k6t13-jml.ln1@ursine.ca>
Message-ID: <2luv13-ilh.ln1@ursine.ca>

Robert Blair wrote:
> On Tue, 11 Oct 2005 16:42:13 UTC, baloo@ursine.ca wrote:
>
>> Tom McCall fought for the US's first bottle
>> bill, the cleanup of the Willamette River, fought to continue the
>> prohibition of private ownership of ocean beach,
>
> Private ownership of the coast and rivers has not been allowed in
> California for a long time.
>
>
>> and more or less made
>> "Go fuck yourself" the state's official position towards California
>> and Californians.
>
> Sounds like he was a newcomer to the state with the attitude that now
> that I am here keep out everyone else, in other words a jerk.

Nope. He's a native to a little desert town called Prineville, Oregon.

>> Not to mention cheaper since you don't pay the massive insurance
>> overhead self-serve stations pay down here.
>
> Insurance has very little to do with it, it is mostly taxes which in
> California are higher than most other states. I am on vacation in
> Europe where gas costs about $7.00 a gallon, mostly taxes.

Ask a station manager sometime, and compare gas prices in Portland ($2.60/gal) to Vancouver ($2.78/gal). If you can get gas in Vancouver for Portland prices, I guarantee you've pulled up to a MINI island at a station that prohibits self-service.
I can pay Vancouver prices in Portland, but I have to drive around and find a station with a FULL service island instead of the usual MINI service islands...

From baloo at ursine.ca Wed Oct 12 11:52:28 2005
From: baloo at ursine.ca (baloo@ursine.ca)
Date: Wed Oct 12 14:10:27 2005
Subject: [SpamCop-List] Re: SC Sadistics
References:
Message-ID:

Mike Easter wrote:
> Berny wrote:
>
>> spammy wouldn't care about that, (s)he doesn't use any transactional
>> services, where (s)he hosts his/her spamsite.
>>
>> D%$# I hate having to worry about "sexist" language.
>
> Part of the problem is a 'deficiency' of our language - which lacks
> singular gender-neutral pronouns, but has plurals they and them.

English and Spanish (and probably others) both have gender-neutral pronouns, they just happen to be the same as the masculine pronouns. It's not sexist, it's how the language developed. ("But it's not politically correct!" Yeah, well, too bad.)

From usenet2 at DE.LETE.THISljvideo.com Wed Oct 12 20:32:07 2005
From: usenet2 at DE.LETE.THISljvideo.com (Larry J.)
Date: Wed Oct 12 15:35:38 2005
Subject: [SpamCop-List] Re: found my email along with thousands in japanese server
References:
Message-ID:

Waiving the right to remain silent, "Ori" said:

> Hi,
> I found my email along with thousands of emails on several files
> in this server:
> http://i-map.cc/upload/
> Any idea where do we go from here?

Geeze... You searched through all that for your address..?

--
Larry J. - Remove spamtrap in ALLCAPS to e-mail

The United States is the greatest country in the world..!
Eleven million illegal aliens can't be wrong.

From nobody at spamcop.net Wed Oct 12 14:48:52 2005
From: nobody at spamcop.net (N. Miller)
Date: Wed Oct 12 16:50:35 2005
Subject: [SpamCop-List] Re: Gmail seems to be regularly in bl.spamcop.net
References:
Message-ID:

On Tue, 11 Oct 2005 21:13:44 +0100, Gordon Hudson wrote:

> "N. Miller" wrote in message
> news:cb7l2x2jcvbv.dlg@news.spamcop.net...
>> On Tue, 11 Oct 2005 13:37:36 +0100, Gordon Hudson wrote:

>> Not quite. Apparently, it has something to do with being unable to trace
>> email past the GMail injection point when email was sent using the web
>> mail interface. Since the SpamCop parser can't trace the source past the
>> GMail output server, it will list the GMail output server as the source.

> Surely gmail is the source though?
>
> They should be stopping their users from spamming rather than passing the
> buck back onto the companies who provided their internet connection and who
> did not provide the mail service.
> Or am I misunderstanding?

Maybe. If I lose my GMail account, getting another is no trouble, no fee. I have to pay for my Internet connection, though, and I only have four possible choices; burn all four bridges and I am back on dial-up.

The point of trying to find the Internet connection provider is that they do, mostly, have AUP/TOS provisions against spamming. If the objective is to get the spammer's account closed, why just stop at the mail account? Why not "go for the jugular", and get his connectivity shut down, as well?

--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint

From ori at unknown.com Thu Oct 13 00:17:35 2005
From: ori at unknown.com (Ori)
Date: Wed Oct 12 17:15:03 2005
Subject: [SpamCop-List] Re: found my email along with thousands in japanese server
References:
Message-ID:

Not really just searched google for my address and it came up in a few places

"Larry J." wrote in message news:Xns96ED7F8BDDCC8thefrogprince@216.154.195.61...
> Waiving the right to remain silent, "Ori" said:
>
>> Hi,
>> I found my email along with thousands of emails on several files
>> in this server:
>> http://i-map.cc/upload/
>> Any idea where do we go from here?
>
> Geeze... You searched through all that for your address..?
>
> --
> Larry J. - Remove spamtrap in ALLCAPS to e-mail
>
> The United States is the greatest country in the world..!
> Eleven million illegal aliens can't be wrong.

From nobody at xyzzy.claranet.de Thu Oct 13 00:14:51 2005
From: nobody at xyzzy.claranet.de (Frank Ellermann)
Date: Wed Oct 12 17:20:03 2005
Subject: [SpamCop-List] Re: Who the hell are FreshAddress.com? It looks fishy but legit at the same time...
References:
Message-ID: <434D7CCB.4EE4@xyzzy.claranet.de>

Legit as far as I can judge it, it's a service to map old addresses to fresh addresses.

With maximal privacy you should never get mail from them (that's what I use, works for years now).

With less privacy you get something like your "spam" if somebody wants to get your fresh address for a known old address (in your case "somebody" was HP).

But above all that should only happen for your address, with your account. Did you maybe forget that you have an account at freshaddress.com ?

It works like a confirmed opt-in, only the owner of the fresh address (= you) can select his privacy preferences.

If it's no PEBKAC on your side ask freshaddress.com what the hell is going on.

Bye, Frank

From nospam at dev.null Thu Oct 13 01:25:53 2005
From: nospam at dev.null (No Spam)
Date: Wed Oct 12 18:30:04 2005
Subject: [SpamCop-List] Re: Gmail seems to be regularly in bl.spamcop.net
In-Reply-To:
References:
Message-ID:

Mike Easter wrote:
> No Spam wrote:

...snip....

> However, if you notify hotmail and microsoft and msn about that item, it
> is extremely likely that they will terminate the account which sent
> that, namely winner2005-08@hotmail.com
>
> The reason you have to name all 3 is because each of those entities
> typically does not enforce for the other; msn won't terminate a hotmail
> account for an infraction, hotmail won't terminate a msn account,
> microsoft won't terminate a hotmail or msn account, etc. It isn't
> always 'apparent' which abuse desk should be notified, so one policy is
> to simply notify all 3.
>
> 64.4.31.28 rDNS bay13-f28.bay13.hotmail.com
> The arin sez
> OrgName: MS Hotmail
> OrgAbuseEmail: abuse@microsoft.com
> but abuse.net on the domainname sez
> abuse@hotmail.com
> but abuse.net on the domainname of the receiving server
> by13fd.bay13.hotmail.msn.com sez
>
> whois.abuse.net hotmail.msn.com ...
> abuse@msn.com (for msn.com)
>

Okay, make that 2 possibilities for complaints: Abuse@hotmail.com bounces due to evidence being attached? Guess they are trying to reduce their complaints.

From - Wed Oct 12 21:32:01 2005
X-Account-Key: account3
X-UIDL: 3863
X-Mozilla-Status: 0001
X-Mozilla-Status2: 10000000
Return-Path: <>
X-SpamCatcher-Score: 80 [XXXXXXXXX]
Received: from bay0-pcs2.bay0.hotmail.com ([65.54.241.240] verified)
    by cgp3.sentechsa.net (CommuniGate Pro SMTP 4.3.5)
    with ESMTP id 76450673 for X; Wed, 12 Oct 2005 02:31:26 +0200
Received: from localhost (localhost)
    by bay0-pcs2.bay0.hotmail.com (8.12.10/8.12.10) id j9C0V2AR002072;
    Tue, 11 Oct 2005 17:31:02 -0700 (PDT)
Date: Tue, 11 Oct 2005 17:31:02 -0700 (PDT)
From: Mail Delivery Subsystem
Message-Id: <200510120031.j9C0V2AR002072@bay0-pcs2.bay0.hotmail.com>
To: X
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
    boundary="j9C0V2AR002072.1129077062/bay0-pcs2.bay0.hotmail.com"
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)
X-Antivirus: AVG for E-mail 7.0.344 [267.11.14]

This is a MIME-encapsulated message

--j9C0V2AR002072.1129077062/bay0-pcs2.bay0.hotmail.com

The original message was received at Tue, 11 Oct 2005 17:30:51 -0700 (PDT)
from root@localhost

----- The following addresses had permanent fatal errors -----
abuse@css.one.microsoft.com
(reason: 550 5.7.1 )

----- Transcript of session follows -----
... while talking to mailc.microsoft.com.:
>>> DATA
<<< 550 5.7.1
554 5.0.0 Service unavailable

--j9C0V2AR002072.1129077062/bay0-pcs2.bay0.hotmail.com
Content-Type: message/delivery-status

Reporting-MTA: dns; bay0-pcs2.bay0.hotmail.com
Arrival-Date: Tue, 11 Oct 2005 17:30:51 -0700 (PDT)

Final-Recipient: RFC822; abuse@css.one.microsoft.com
Action: failed
Status: 5.7.1
Remote-MTA: DNS; mailc.microsoft.com
Diagnostic-Code: SMTP; 550 5.7.1
Last-Attempt-Date: Tue, 11 Oct 2005 17:31:02 -0700 (PDT)

....

I see they are on http://www.rfc-ignorant.com. If they weren't, I guess they would be after today ;-0

Cheers
E

From MikeE at ster.invalid Wed Oct 12 17:00:48 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Oct 12 19:05:05 2005
Subject: [SpamCop-List] Re: Gmail seems to be regularly in bl.spamcop.net
References:
Message-ID:

No Spam wrote:
> Mike Easter wrote:

>> 64.4.31.28 rDNS bay13-f28.bay13.hotmail.com
>> The arin sez
>> OrgName: MS Hotmail
>> OrgAbuseEmail: abuse@microsoft.com
>> but abuse.net on the domainname sez
>> abuse@hotmail.com
>> but abuse.net on the domainname of the receiving server
>> by13fd.bay13.hotmail.msn.com sez
>>
>> whois.abuse.net hotmail.msn.com ...
>> abuse@msn.com (for msn.com)

> Okay, make that 2 possibilities for complaints: Abuse@hotmail.com
> bounces due to evidence being attached?

Well, actually the bounce you are showing isn't a bounce for the abuse@hotmail -- but instead is a bounce for abuse@css.one.microsoft.com [which might just be an 'additional' spinoff from the hotmail item].

When you email some addy and some other addy bounces it for some reason, such as content in this case, that doesn't necessarily mean that the original addy didn't [already] get it [before/while it was being additionally forwarded to another additional addy].

One would /assume/ that the process which you are observing is there being an additional notified evolving from the mail to abuse@hotmail -- but the additional notified bounced it instead of receiving it.
One would not /necessarily/ assume that the css.one addy was supposed to be getting the item /instead/ of the abuse@hotmail.

> Content-Type: multipart/report; report-type=delivery-status;
> Subject: Returned mail: see transcript for details
> Auto-Submitted: auto-generated (failure)
> X-Antivirus: AVG for E-mail 7.0.344 [267.11.14]
>
> This is a MIME-encapsulated message
>
> --j9C0V2AR002072.1129077062/bay0-pcs2.bay0.hotmail.com
>
> The original message was received at Tue, 11 Oct 2005 17:30:51 -0700
> (PDT) from root@localhost
>
> ----- The following addresses had permanent fatal errors -----
> abuse@css.one.microsoft.com
> (reason: 550 5.7.1 content filter on gateway (207.46.121.52).Reason...uage, graphics, or
> spam-like characteristics. Removing these may let the e-mail through
> the filter.>)
>
> ----- Transcript of session follows -----
> ... while talking to mailc.microsoft.com.:
> >>> DATA
> <<< 550 5.7.1 on gateway (207.46.121.52)

207.46.121.52 = mail6.microsoft.com

Your abuse@hotmail would have tried to go to one of the hotmail MXes, not the MS MX -- so one would assume that the process that tried to mail to the MS MX was initiated by the hotmail system creating another different mail addressed to the css.one addy, because that address uses such a MS MX

Mail for css.one.microsoft.com is handled by
mailc.microsoft.com
mailb.microsoft.com
maila.microsoft.com

> I see they are on http://www.rfc-ignorant.com. If they weren't, I guess
> they would be after today ;-0

The evidence at rfc-i sez this:
http://rfc-ignorant.org/tools/detail.php?domain=hotmail.com&submitted=1123837931&table=abuse
from a 2005 Aug listing and cites the same message you are seeing, including the gateway IP, so it could have been snipped from a similar 'other address' bouncing.

I'm not convinced that abuse@hotmail hasn't received the item which abuse@css.one.microsoft.com gateway bounced. It is possible, but my first guess is that they have it.
--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Wed Oct 12 17:19:05 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Oct 12 19:20:03 2005
Subject: [SpamCop-List] Re: Gmail seems to be regularly in bl.spamcop.net
References:
Message-ID:

No Spam wrote:

> I see they are on http://www.rfc-ignorant.com.

This is a useful 31 msg thread to read in nanae - snurled GG
http://snipurl.com/ig42

starts at
From: Charles Hawtrey
Newsgroups: news.admin.net-abuse.email
Subject: Any source of clue at Hotmail?
Message-ID:
Date: Wed, 24 Aug 2005 02:31:37 GMT

It is all about this problem and all of the addresses we've discussed.

--
Mike Easter
kibitzer, not SC admin

From g.hyde at bigpond.net.au Thu Oct 13 10:21:42 2005
From: g.hyde at bigpond.net.au (Geoffrey Hyde)
Date: Wed Oct 12 19:25:02 2005
Subject: [SpamCop-List] More "blank" phishing emails with HTML attached.
Message-ID:

http://www.spamcop.net/sc?id=z815006161ze5a0e363616842a42b543792e33aa97cz

The spammers are getting worse at it - I checked this one's headers out and sent out the spam reports as per SC reporting recommendations.

I was wondering if anyone is collecting these phishing emails? They seem to be getting this habit of dropping into my email inbox, I'm quite happy to report them for the spammer they are though.

--
Cheers ... Geoffrey Hyde

From nospam at dev.null Thu Oct 13 02:56:59 2005
From: nospam at dev.null (No Spam)
Date: Wed Oct 12 20:00:04 2005
Subject: [SpamCop-List] Re: Gmail seems to be regularly in bl.spamcop.net
In-Reply-To:
References:
Message-ID:

Mike Easter wrote:
> No Spam wrote:
>
>
>>I see they are on http://www.rfc-ignorant.com.
>
>
>
> This is a useful 31 msg thread to read in nanae - snurled GG
> http://snipurl.com/ig42
>
> starts at
> From: Charles Hawtrey
> Newsgroups: news.admin.net-abuse.email
> Subject: Any source of clue at Hotmail?
> Message-ID:
> Date: Wed, 24 Aug 2005 02:31:37 GMT
>
>
> It is all about this problem and all of the addresses we've discussed.
>
>

Hmmm Quite a lot going on there again. Picked up this one:
http://tqmcube.com/hotmail.htm (Deposited my egg)

Also larted away at all addresses relating to Hotmail I could find making them aware of threads - though it appears they might not care?

Anyway, as regards your theory that they "might" be getting these but that the complaint is being redirected elsewhere as well: I immediately got a response to the last lart - autoresponder and not a bounce? It also had this gem in it:

"To report e-mail abuse originating from a Hotmail account, please contact: abuse@hotmail.com."

Urggggggg!!!! Anybody know where can I find the email equiv. of an alarm clock and sledge hammer ?? :-)

Cheers
E

From nospam at dev.null Thu Oct 13 03:10:05 2005
From: nospam at dev.null (No Spam)
Date: Wed Oct 12 20:15:03 2005
Subject: [SpamCop-List] Re: Gmail seems to be regularly in bl.spamcop.net
In-Reply-To:
References:
Message-ID:

baloo@ursine.ca wrote:
> Gordon Hudson wrote:
>
>>Surely gmail is the source though?
>
>
> Nope, just relay.
>
>
>>They should be stopping their users from spamming rather than passing the
>>buck back onto the companies who provided their internet connection and who
>>did not provide the mail service.
>>Or am I misunderstanding?
>
>
> They should be stopping their own users as well as revealing where it
> came from to keep working the chain. Spam is theft, no matter how you
> cut it, their ISP probably wants to know too.

I think we need to look things said in this thread. The Hotmail discussion spinoff is a very real example of why the source may be useless.

The ISP in these web based mailboxes are most likely internet cafes etc. As such the owner may receive a complaint etc from his hosting ISP a day or two later if notified. The real spammer is longggg gone. The cafe owner did not provide any mail service.

TO effectively break the chain, we need to stop the mail source - mail. As such both parties should be notified.
Eg:
ISP:- In the local context and example here, the owner of the originating IP will be wary if he get a warning from the ISP. As such if party X appears again, he may be asked to leave. However, he will simply go elsewhere and at no additional cost use another access point.

Breaking the gmail/hotmail link as well makes it a bit more difficult. In the case of Lads (419'ers), this also destroys valuable leads in the new mails he has not read (also protecting naive respondents)

However, In the case of SC, I wish both parties could be notified.

Cheers
E

From nospam at dev.null Thu Oct 13 03:22:57 2005
From: nospam at dev.null (No Spam)
Date: Wed Oct 12 20:25:03 2005
Subject: [SpamCop-List] Re: Gmail seems to be regularly in bl.spamcop.net
In-Reply-To:
References:
Message-ID:

N. Miller wrote:
> On Tue, 11 Oct 2005 21:13:44 +0100, Gordon Hudson wrote:
>
>
>>"N. Miller" wrote in message
>>news:cb7l2x2jcvbv.dlg@news.spamcop.net...
>
>
>>>On Tue, 11 Oct 2005 13:37:36 +0100, Gordon Hudson wrote:
>
>
>>>Not quite. Apparently, it has something to do with being unable to trace
>>>email past the GMail injection point when email was sent using the web
>>>mail interface. Since the SpamCop parser can't trace the source past the
>>>GMail output server, it will list the GMail output server as the source.
>
>
>>Surely gmail is the source though?
>>
>>They should be stopping their users from spamming rather than passing the
>>buck back onto the companies who provided their internet connection and who
>>did not provide the mail service.
>>Or am I misunderstanding?
>
>
> Maybe. If I lose my GMail account, getting another is no trouble, no fee. I
> have to pay for my Internet connection, though, and I only have four
> possible choices; burn all four bridges and I am back on dial-up.
>

In reality, a lot of these parties use internet cafes and like. As such he pays for 30mins on the air and is gone. He may or may not try again at the same place. Depends on brain matter density.
> The point of trying to find the Internet connection provider is that they
> do, mostly, have AUP/TOS provisions against spamming. If the objective is
> to get the spammer's account closed, why just stop at the mail account? Why
> not "go for the jugular", and get his connectivity shut down, as well?
>

Based on the above, this does not protect this type of abuse taking place. In my travels as consultant, I have visited many hotels where connectivity is free. Tomorrow I may be gone. If I was doing a dirty, what would I be doing tonight?

There was actually a good article on the other side of this issue on 419legal.org a few months back: Shop owner noticed a large group of people around on system. As a single female she could do nothing. However, later on the complaints rolled in...

INTERESTING: As I was writing this, another Lad's 419 came in. He is very busy in Israel. Same Lad, different parts of Israel via different ISP's all reporting to Gilat. Uses hotmail for sending, drop box has now changed to a yahoo acct

I am still doing the hotmail hoops, but the drop box at walla.com was closed in 2 hrs after I reported.

Grrrrrrrr........

From nospam at dev.null Thu Oct 13 03:36:56 2005
From: nospam at dev.null (No Spam)
Date: Wed Oct 12 20:40:04 2005
Subject: [SpamCop-List] Re: namesdatabase.com
In-Reply-To:
References:
Message-ID:

Mike Easter wrote:
> Mike Easter wrote:
>
>
>>you can go read it
>>here http://namesdatabase.com/explanation.htm?c=
>
>
> Or, if you want to learn even more about namesdatabase, you can see how
> often spams from or about them are submitted to sightings, or you can
> read about them a little bit in nanae, or the most comprehensive
> description appears in a genealogy ng
>
> http://snipurl.com/iek1 snurled googlegroups to
>
> Newsgroups: soc.genealogy.computing
> Subject: Re: The Names Database
> Date: 8 Jun 2004 12:03:43 -0700
> Message-ID: <2b379589.0406081103.7c29a65e@posting.google.com>
>
> .. which message describes the gig which is worked by Gabriel Weinberg,
> where he is trading the pay services of his namesdatabase gig for email
> addresses of people.
>
> The site itself describes how it sends repetitive unsolicited emails,
> which explains why there are so many sightings. You would think the
> source would be listed somewhere besides spamcannibal
>
>
>
>>But only /you/ can tell if your addy was fed into the system by a
>>friend or not because I don't know what was in that X mungeing.
>
>

Thx - what I was looking for. Owner appear to be "interesting" character.

From nobody at xyzzy.claranet.de Thu Oct 13 06:49:38 2005
From: nobody at xyzzy.claranet.de (Frank Ellermann)
Date: Thu Oct 13 00:00:26 2005
Subject: [SpamCop-List] Geocities (was: 66.218.64.0 - 66.218.95.255:network-abuse@cc.yahoo-inc.com)
References: <43456728.12D5@xyzzy.claranet.de> <43495DE9.60F4@xyzzy.claranet.de> <434AF25B.7125@xyzzy.claranet.de> <434B4566.49E9@xyzzy.claranet.de> <434C49B7.7EA8@xyzzy.claranet.de>
Message-ID: <434DD952.3015@xyzzy.claranet.de>

Update: The reporting address for geocities.com now apparently works.

OTOH SpamCop now needs up to 70 (!) "reloads" until it finds an IP for a spamvertized geocities.com URLs. That's a weird bug, maybe the various geocities IPs should be hardwired in whatever passes as /etc/hosts on the side of SpamCop ?

Bye

http://www.spamcop.net/sc?id=z815049295z4703b91cef4a432532c8e8eee456f8edz
http://www.spamcop.net/sc?id=z815049296z10c7568c41c0505be45a5bdc9fccf08bz
http://www.spamcop.net/sc?track=http://uk.geocities.com

From nobody at devnull.spamcop.net Thu Oct 13 09:37:26 2005
From: nobody at devnull.spamcop.net (Pop)
Date: Thu Oct 13 08:40:08 2005
Subject: [SpamCop-List] Re: Who the hell are FreshAddress.com? It looks fishy but legit at the same time...
References:
Message-ID:

"Mike Easter" wrote in message news:dijcah$l3d$1@news.spamcop.net...
: Skiwi wrote:
: www.spamcop.net/sc?id=z814890815zc1b2913d20f49f05692e47b3b1db2a54z
: > (cancelled)
: >
: > Spam in entirety pasted in spamcop.spam (with some munging)
:
Emphasis added:
: --Such outfits as HP & Sony 'do things'-- with such outfits as
: freshaddress - so the result is a --straightup-- item for which reporting
: would be rather useless.

I can't understand why you say that?:

It would seem to be "good business" to simply remove old addresses. Those guys have no business using an old address, finding/looking for the new one, etc., regardless of where I am right now. I subscribe by email address, and that's the ONLY email address I'd better get email to, and I'd better have asked for it from the address they mailed to. Anything else is promptly LARTed.

Also, what do you mean by "--straightup-- item"?

Regards,
Pop

From nobody at devnull.spamcop.net Thu Oct 13 09:57:52 2005
From: nobody at devnull.spamcop.net (Pop)
Date: Thu Oct 13 09:00:03 2005
Subject: [SpamCop-List] Re: yet another FAQ attempt
References:
Message-ID:

"WazoO" wrote in message news:dihki5$gm4$1@news.spamcop.net...
: Took me way too long in working through the installation
: of this thing, but .. it's there and I'm in the process of
: populating it. Not that I relish the idea of going through
: the process of removing if it's still of no value, but ....
: offering up yet another opportunity for some Wazoo
: bashing ... just a bit of a repeat, but this is all done on
: my own time, obviously on my own initiative, and am
: well aware of the anti-forum sentiment ... but, input,
: yay/nay, something beyond the usual complaining that
: it's not NNTP would be appreciated.
:
: http://forum.spamcop.net/forums/index.php?act=faq

Boy, you sure can persevere, Wazoo! You take a thankless job, suffer incredible abuse, and then must get low on abuse and come back to ask for more!!

Seriously, I think that format's --great--.
It's not only broken down into manageable segments/sizes for future management, but ... it's organized so that if I'm not where I need to be, I can just go "oh, I must want..." instead of "OH GOD, where do I look now!?!?!?

Of course, it's only as good as the content will be, but I know from experience that you have the wherewithal to get the content accurate where you have control. And, you'll feel plenty of taps on the shoulder about the ones you miss !

I'm actually finding myself sort of -renewed- about spamcop, too. It's a powerful tool and becomes more powerful thanks to your contributions. NOW I'm looking forward to reading it to learn from. IT's only been, what, 5 years? again.

There'll be lots of complaints regardless of what you do, but this should help everyone involved.

Best Regards,
Pop

From nobody at spamcop.net Thu Oct 13 10:19:15 2005
From: nobody at spamcop.net (indigo)
Date: Thu Oct 13 09:20:02 2005
Subject: [SpamCop-List] Flood of pump'n'dumps
Message-ID:

Coming from Brazil, purporting to be from news@reuters.com. Anyone else seeing these? I *am* registered with Reuters for their stock screening website, but sure as hell not by using my work email address!

From MikeE at ster.invalid Thu Oct 13 08:48:19 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Oct 13 10:50:03 2005
Subject: [SpamCop-List] Re: Who the hell are FreshAddress.com? It looks fishy but legit at the same time...
References:
Message-ID:

Pop wrote:
> "Mike Easter"

> Emphasis added:
>> --Such outfits as HP & Sony 'do things'-- with such outfits as
>> freshaddress - so the result is a --straightup-- item for which
>> reporting would be rather useless.
>
> I can't understand why you say that?:

I knew I was going to have to explain myself on that, so I carefully included the 'rather' for the useless part.

But, starting from the top. Sony & HP 'do things' which is to 'share' their mailing lists with their 'associates'. How bad that is is pretty bad from a consent point of view.
Those of us who believe that we should not have to ask to be removed from a list we didn't ask to be put on means that it is just as bad for mainsleaze to be passing around their lists as it is for spammers to be selling their millions CDs.

What I meant by 'rather useless' is that my concept of a 'report' is that a report is reporting a spam to a provider whose job is supposed to be 'against' their client spamming or spamvertising. The job of a provider is *not* to serve as a listwasher for their spamming or spamvertising client.

So, if you report a mainsleaze, you can either report munged or you can report unmunged. If you report unmunged, you are just trying to listwash yourself. If you believe that you are dealing with a listwashing process you might as well unsub. Except that unsubbing is not a good idea for real spammers. Unsubbing is only a good idea for lists which you have signed up with.

Is this a list you signed up with? Don't believe what you read in the spam. If you go read the thread I provided in nanae, you find that HP and Sony spam. This is about spam, not about unsubbing to a list someone put themselves on intentionally.

> It would seem to be "good business" to simply remove old
> addresses. Those guys have no business using an old address,
> finding/looking for the new one, etc., regardless of where I am
> right now. I subscribe by email address, and that's the ONLY
> email address I'd better get email to, and I'd better have asked
> for it from the address they mailed to. Anything else is
> promptly LARTed.
>
> Also, what do you mean by "--straightup-- item"?

What I call a 'straightup' spam, in its purest sense, is when the spam's header/body is 'honest' from the point of view that there isn't bogosity. That is, even the From is 'real'. The From = the source = the spamvertiser. The 'entity' which sent you the mail claimed to send you the mail and the mail is about 'them' or their site. That is typical for mainsleaze and legitimate newsletters.
I think it is important to 'consider' the straightup-ness of an item when you are evaluating something. The exact opposite of straightup is 'normal' spam, which has a bogus From, which has bogosity and forgery in the headers or proxy/trojan abuse, and is spamvertising something which isn't even the source of the item.

There are some gray zones in the straightup situation - in this case we have freshaddress being straightup, but it allegedly was generated from a HP mailing list.

--
Mike Easter
kibitzer, not SC admin

From borgholio at storymind.com Thu Oct 13 17:57:12 2005
From: borgholio at storymind.com (Borgholio)
Date: Thu Oct 13 20:00:05 2005
Subject: [SpamCop-List] Is reporting to 3rd parties worth it?
Message-ID:

Since I don't get any real feedback when I send spam to places such as uce@ftc.gov and webcomplaints@ora.fda.gov, I'm left wondering how much of an impact it really has? Does anybody ever take a look at these emails, or are they simply collected for the sake of statistics?

From nobody at devnull.spamcop.net Fri Oct 14 00:25:30 2005
From: nobody at devnull.spamcop.net (Glenn Daniels)
Date: Thu Oct 13 23:25:03 2005
Subject: [SpamCop-List] Re: Is reporting to 3rd parties worth it?
References:
Message-ID:

"Borgholio" wrote in message
> Since I don't get any real feedback when I send spam to places such as
> uce@ftc.gov and webcomplaints@ora.fda.gov, I'm left wondering how much of an
> impact it really has? Does anybody ever take a look at these emails, or are
> they simply collected for the sake of statistics?

I see two distinctly different ways of sending spam to the addies you mention.

One way is to simply send the spamitem as an attachment. For legal purposes it may be useful for statistics, but not usable for purposes of prosecution as you register no complaint and cannot be referenced as a complainant in legal proceedings. I send many spamitems in this mode.

I also render a formal complaint in many cases.
I choose my cases as I think the complaining may serve some purpose as I find the complaining quite loathsome, even as possibly necessary. It may be a matter of sheer coincidence, but I have been repeatedly pleased to find that spamvertised sites I have "nailed" are often "nuked" in a matter of hours.

As I so despise complaining, I make it an exercise in seeing how little I can complain while building a compelling argument for further investigation and possible prosecution by law enforcement agents. Spamsending is for the most part civil tort: try moving your focus away from your personal grievance over the simple trespass for which law enforcement has no jurisdiction. Shift your focus to the details of the criminality involved as best you are able.

It may be possible to complain of criminal spamsending as manifest by forged headers and abuse of open proxies (relay rape). It may be possible to complain that a spamitem is not "CAN SPAM" compliant. It may be possible to allege possible criminal wrongdoing by the spamvertised site, such as fraud or theft by deception. Take care not to make false claims or simply manufacture allegation without supporting evidence, lest those who read submissions learn to write you off as a "kook".

When you contribute, bear in mind that the FTC's prosecutions often reference tens of thousands of /complaints/. A "naked" spamitem is not a complaint. It is a statistic. A complaint, with or without spamitem, but with provisional documentation in support of the complaint, may or may not lead to a successful prosecution. But it is a without which not for law enforcement. A bank is robbed: a statistic. No complaint, no complainant, where is the crime?

So, yes, I think they see every complaint. Don't ask how that is possible, as I have no idea. Yes, they absorb a lot of spam in the process and use it to keep stats.
They might not actually see or read any spamitems, but I have a fair degree of certainty that they take legitimate complaints quite seriously and take action accordingly. Fortunately or not, I sense few complaints are actually registered along with the many spamitems they receive.

Actually, I have been very satisfied with the results of the complaints I have made. And it pleases me that they do not acknowledge my complaints, as I would really rather not to be complaining anyway and need no reminder of having complained. Complaining is a pain, but a necessary part of creating change.

So it sort of comes down to the individual: do you intend to send generic "ammunition" for all-purpose use against spamsending, or are you intending to send a "shaped charge" which has a fair chance of seriously impacting a specific problem? I do both, one for what good it might do, the other for what good I expect it will do. What is the strategy of the moment.

Your questions are widely shared. The answers are privately held for those as may care to respond. My answers are not widely shared and may be considered as contrarian. But they work for me. They work very well for me.

Hope this helps, cheers,

Glenn

From hans at salvisberg.invalid Fri Oct 14 10:24:59 2005
From: hans at salvisberg.invalid (Hans Salvisberg)
Date: Fri Oct 14 03:25:03 2005
Subject: [SpamCop-List] How to get the attention of abuse@walla.net.il ?
Message-ID:

Every once in a while I get a piece of spam like this:

http://www.spamcop.net/sc?id=z815474930zdc9c9dc0e2fecb302f1da7a7d451239ez

and I keep complaining to walla.com / walla.net.il, but the spammer keeps using those addresses and I've never had a reply from walla.
Hans

From hans at salvisberg.invalid Fri Oct 14 10:39:55 2005
From: hans at salvisberg.invalid (Hans Salvisberg)
Date: Fri Oct 14 03:40:02 2005
Subject: [SpamCop-List] Stupid but aggressive spammer
Message-ID:

In the last two weeks or so I keep receiving spam like this:

http://www.spamcop.net/sc?id=z815480911zc348696d114d13ffaa53eafe7461b9e0z

Somehow, SC seems unable to learn that this is spam and keeps delivering it. Now, to add insult to injury, the spammer starts spamming my SC address:

http://www.spamcop.net/sc?id=z815481600ze19ffdb0f47cf8e7fd91eb1c6b3b42fdz

Apparently, the SC reports go directly to the spammer...

Hans

From MikeE at ster.invalid Fri Oct 14 02:14:58 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Oct 14 04:15:04 2005
Subject: [SpamCop-List] Re: How to get the attention of abuse@walla.net.il ?
References:
Message-ID:

Hans Salvisberg wrote:
> Every once in a while I get a piece of spam like this:
> www.spamcop.net/sc?id=z815474930zdc9c9dc0e2fecb302f1da7a7d451239ez

This is a semi-straightup spam [from = spamvertised payload (mail address)] source = mozcom in the .ph whereas the from and spamvertised addies walla are .il

> and I keep complaining to walla.com / walla.net.il, but the spammer
> keeps using those addresses and I've never had a reply from walla.

SC notifies the mozcom source and you add the .il spamvertised and From domainname.

Some considerations for that type of item would be to notify about it with a manual notify unmunged and from the spammed address with copies to the source provider and others, ie walla.

The source provider is listed in dnsbl for hitting spamtraps and it is ASN6163 which has 3 upstream providers you could consider notifying for non-responsiveness of mozcom. But I'm not sure I would take the upstream route for 'just' being a source before trying the other, ie unmungeing. If you have already been notifying unmunged, then I would add the upstreams, especially the .ph LD co.
postmaster@pldt.com.ph & riresurreccion@pldt.com.ph (for pldt.com.ph)

Upstream Adjacent AS list
AS4775 GLOBE-TELECOM-AS
AS701 ALTERNET-AS - UUNET
AS9299 IPG-AS-AP Philippine Long Distance Telephone Company

Then, you can look at the domain registration information for walla.com, which is just teletel, nothing to help there. The addies I would use for walla are abuse@walla.net.il & assi@walla.net.il

I don't know about the 'wisdom' of going upstream for an unresponsive provider for the spamvertised email addresses - I would still put the unmungeing ahead of that. But if you wanted to notify teletel's upstream it is up from as13074 which is AS8551 BEZEQ-INTERNATIONAL-AS abuse@bezeqint.net

The idea of unmungeing is to accomplish or facilitate being listwashed. Sometimes when you are contacting someone's upstreams about their unresponsiveness it provides motivation for them to take you off the list, so you want everyone to see whoall you are notifying and who you are and what you are notifying about, ie the unresponsiveness of those you've been notifying. Until you are unmunged, it isn't so easy to remove you from a list because of standard SC mungeing.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Fri Oct 14 02:35:56 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Oct 14 04:40:03 2005
Subject: [SpamCop-List] Re: Stupid but aggressive spammer
References:
Message-ID:

Hans Salvisberg wrote:
> In the last two weeks or so I keep receiving spam like this:
>
>www.spamcop.net/sc?id=z815480911zc348696d114d13ffaa53eafe7461b9e0z

That item is sourced from a .my IP listed in dnsbl for hitting spamtraps and spamvertising http://ionizehkc.otenowan.com & SC notifies the .my source provider but not the nomaster .kr spamvertiser.

> Somehow, SC seems unable to learn that this is spam and keeps
> delivering it.
> Now, to add insult to injury, the spammer starts
> spamming my SC address:
> www.spamcop.net/sc?id=z815481600ze19ffdb0f47cf8e7fd91eb1c6b3b42fdz

That item is sourced from a .pe IP listed in dnsbl & SC for spamtraps and for SC reporters and spamvertises http://bloomyuqm.otenowan.com & SC notifies the .pe source provider but not the nomaster .kr spamvertiser

> Apparently, the SC reports go directly to the spammer...

Why do you say that? The spamvertiser is spews listed as the /23 http://spews.org/html/S2687.html but the notifies to the source providers in .pe and .my don't have much in common.

Generally the spamvertiser is the one who calls the shots, and the spamvertiser isn't being notified because both of these are nomastered. That is, SC couldn't figure out how to notify the .kr provider 'effectively' because of the kornet bounces experience.

--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Fri Oct 14 06:45:20 2005
From: nobody at devnull.spamcop.net (Glenn Daniels)
Date: Fri Oct 14 05:50:22 2005
Subject: [SpamCop-List] Re: Stupid but aggressive spammer
References:
Message-ID:

"Hans Salvisberg" wrote
> In the last two weeks or so I keep receiving spam like this:
>
> http://www.spamcop.net/sc?id=z815480911zc348696d114d13ffaa53eafe7461b9e0z
>
> Somehow, SC seems unable to learn that this is spam and keeps delivering
> it. Now, to add insult to injury, the spammer starts spamming my SC address:
>
> http://www.spamcop.net/sc?id=z815481600ze19ffdb0f47cf8e7fd91eb1c6b3b42fdz
>
> Apparently, the SC reports go directly to the spammer...
>

Doubtful. There is recently a run of "new" domain names hosted at 220.80.107.187, and with each new registration I am receiving a "new" spamitem altho for the same boilerplate website using the same boilerplate spambody changed only for the payload URL. All have forged headers and each item I have seen comes from a different IPA.
No two from the same source, so it is rather doubtful that the spamsender is at all concerned for what resource is being abused that gets reported. It is not likely that the spamsourcing IPAs have a clue as to the source of the abuse of their resources. Some may or may not care, but chances of reports going to the spamsender are remote. And none of these items is being reported to the spamvertiser as might share a reporting address back to a spamsending "affiliate" because abuse/at/kornet.net is offline.

OTOH, I have no clue how your spamcop addy has gotten to a spamsender and marvel at the sheer insanity of sending spam to addresses where it is certain to be unwelcome. There one may sense that spamsenders are not the brightest pins in the cushion. Thank your deity that you did not get the mind of a spamsender.

Maybe you contact deputies/at/spamcop.net and explore your options for changing your email address, or make a wilful decision to be oblivious to the abuse, understanding that the spamsender lacks the mentation to act wilfully or personally. Consider the severity of the spamsender's psychosocial dwarfism, and be mindful of the sentiment "There but for the grace of God, go I".

If you are wilfully able to be not offended by a turd in a toilet, you are also wilfully able to not take offense at the turdlet in your Inbox. It is simply there, it is not there for you to personally take offense. The more you care about the turdlet, the more you will be diminished by it.

"Whitelists" are your friend. On one spamabused account I have, only "whitelisted" mail appears in my Inbox. Yes, a rare good email ends up in the spam folder, but it is far easier to extend the whitelist to the newfound exception than it is to endlessly blocklist all the possible variations of what is unwanted. My rule is simple, if it is not specifically "wanted" in, then it is necessarily "unwanted". Saves me no end of grief.
As best you are able, make the problem of spam the least of your concerns in this life. I am certain you can direct your energies in more pleasant and rewarding directions.

Have a Most Excellent Day!

Glenn

From nospam at dev.null Fri Oct 14 13:48:27 2005
From: nospam at dev.null (No Spam)
Date: Fri Oct 14 06:50:28 2005
Subject: [SpamCop-List] Re: Stupid but aggressive spammer
In-Reply-To:
References:
Message-ID:

Glenn Daniels wrote:
> "Hans Salvisberg" wrote
>
>>In the last two weeks or so I keep receiving spam like this:
>>
>>http://www.spamcop.net/sc?id=z815480911zc348696d114d13ffaa53eafe7461b9e0z
>>
>>Somehow, SC seems unable to learn that this is spam and keeps delivering
>>it. Now, to add insult to injury, the spammer starts spamming my SC
>
> address:
>
>>http://www.spamcop.net/sc?id=z815481600ze19ffdb0f47cf8e7fd91eb1c6b3b42fdz
>>
>>Apparently, the SC reports go directly to the spammer...
>>
>
>
> Doubtful. There is recently a run of "new" domain
> names hosted at 220.80.107.187, and with each new
> registration I am receiving a "new" spamitem altho
> for the same boilerplate website using the same
> boilerplate spambody changed only for the payload
> URL. All have forged headers and each item I have
> seen comes from a different IPA. No two from the
> same source, so it is rather doubtful that the
> spamsender is at all concerned for what resource
> is being abused that gets reported. It is not likely
> that the spamsourcing IPAs have a clue as to the
> source of the abuse of their resources. Some may
> or may not care, but chances of reports going to
> the spamsender are remote. And none of these
> items is being reported to the spamvertiser as
> might share a reporting address back to a
> spamsending "affiliate" because abuse/at/kornet.net
> is offline.

...snip...

Party is Leo Kuvayev:

--- 10/14/05 10:08:05 GMT ---
resolving host "otenowan.com", please wait...
otenowan.com [220.80.107.187]

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL31256
Names Leo Kuvayev, renowned for these "games"

As regards boilerplate you see, I am seeing same. Actually a few different ones, drugs & software. Sometimes a few of each per day. Payload URL keeps changing, about 1 per day.

Not that I advise reading spam or visiting, but I did an interesting exercise from a Unix box. (Guess I need not explain :-) His drug sites (one of?), pretends to be from "My Canadian Pharmacy", uses their address etc etc. Only one problem, the real "My Canadian Pharmacy" has closed. The Better Business Bureau has also issued an alert:

http://www.bbb.org/alerts/article.asp?ID=597

As such, referring to this, I have also started doing some damage to his infrastructure. (He is currently nr#1 in my sights)

The amazing thing is how persistent he is. He also has a problem with mail formatting, as such my mail reader does some funny things, allowing me to ID him immediately in the list portion of the mail reader - and keep tabs on him :-)

I am currently busy with a page dedicated to him and his (non)fans. Will notify group when done.

Also:
http://www.ago.state.ma.us/sp.cfm?pageid=986&id=1416
http://www.ago.state.ma.us/sp.cfm?pageid=986&id=1426

Cheers
E

From MikeE at ster.invalid Fri Oct 14 08:13:51 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Oct 14 10:15:04 2005
Subject: [SpamCop-List] Re: Stupid but aggressive spammer
References:
Message-ID:

No Spam wrote:
> http://www.spamhaus.org/sbl/sbl.lasso?query=SBL31256
> Names Leo Kuvayev, renowned for these "games"

Brand spanking new spamhaus listing 14-Oct-2005 07:39 GMT | SR08

That wasn't there a few hours ago.

Kuvayev also picked up a little default judgment of 37mil USD
http://www.informationweek.com/story/showArticle.jhtml?articleID=172301006
Massachusetts Hits "Internet Spam Gang" With $37 Million Fine Oct.
13, 2005

MS/hotmail honeypot sting: "The state's investigation was assisted by information provided by Microsoft, officials said. Microsoft's Internet Safety Enforcement team had set up phony Hotmail accounts, "trapping" more than 45,000 messages believed to have been sent by the Internet Spam Gang."

--
Mike Easter
kibitzer, not SC admin

From mwnospam at comcast.net Sat Oct 15 08:18:04 2005
From: mwnospam at comcast.net (spamacyde)
Date: Sat Oct 15 07:20:15 2005
Subject: [SpamCop-List] Shaw Cable Refuses Munged Reports
Message-ID:

Since Shaw Cable refuses munged reports, do I want to have Spamcop report spam to them? Why should this be my decision? Doesn't Spamcop know whether they are trustworthy or not?

Thanks in advance.

From bar_n0ne at hotmail.com Sat Oct 15 17:00:29 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Sat Oct 15 08:05:36 2005
Subject: [SpamCop-List] Re: Shaw Cable Refuses Munged Reports
References:
Message-ID:

"spamacyde" wrote in message news:diqoht$rnu$1@news.spamcop.net...
> Since Shaw Cable refuses munged reports, do I want to have Spamcop report
> spam to them? Why should this be my decision? Doesn't Spamcop know whether
> they are trustworthy or not?
>
> Thanks in advance.
>
>

I think they are trustworthy, they are a major ISP. Others may have a different opinion.

I've never seen spamvertizing from their network, and most senders seem to be zombied PC's or otherwise compromised systems.

I don't know how SC could be expected to keep up with all the possible abuse addresses and their "trustworthiness"

If you're not sure don't tick them.

This is as good a place as any to find out. You can also vet comments from others by googling for the ISP here (this "group"), and in NANAE.
From mwnospam at comcast.net Sat Oct 15 09:21:37 2005
From: mwnospam at comcast.net (spamacyde)
Date: Sat Oct 15 08:25:03 2005
Subject: [SpamCop-List] Re: Shaw Cable Refuses Munged Reports
References:
Message-ID:

"Berny" wrote in message news:diqr11$stj$1@news.spamcop.net...
>
> "spamacyde" wrote in message
> news:diqoht$rnu$1@news.spamcop.net...
> > Since Shaw Cable refuses munged reports, do I want to have Spamcop report
> > spam to them? Why should this be my decision? Doesn't Spamcop know
> whether
> > they are trustworthy or not?
> >
> > Thanks in advance.
> >
> >
>
> I think they are trustworthy, they are a major ISP. Others may have a
> different opinion.
>
> I've never seen spamvertizing from their network, and most senders seem to
> be zombied PC's or otherwise compromised systems.
>
> I don't know how SC could be expected to keep up with all the possible abuse
> addresses and their "trustworthiness"
>
> If you're not sure don't tick them.
>
> This is as good a place as any to find out. You can also vet comments from
> others by googling for the ISP here (this "group"), and in NANAE.
>
>

Ok, What are legitimate reasons for refusing munged reports?

From bar_n0ne at hotmail.com Sat Oct 15 17:25:28 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Sat Oct 15 08:30:02 2005
Subject: [SpamCop-List] Re: Shaw Cable Refuses Munged Reports
References:
Message-ID:

"spamacyde" wrote in message news:diqs92$tj3$1@news.spamcop.net...
> SNIP
>
> What are legitimate reasons for refusing munged reports?
>

It's real evidence. Maybe they want to be sure they have a legit complaint.

From nobody at devnull.spamcop.net Sat Oct 15 14:07:58 2005
From: nobody at devnull.spamcop.net (Sofa King Tyred of Lar Ting)
Date: Sat Oct 15 13:10:23 2005
Subject: [SpamCop-List] Re: Hats off to uk.easynet.net
In-Reply-To:
References:
Message-ID:

No Spam wrote:
> Sofa King Tyred of Lar Ting wrote:
> ..SNIP...
>
>>
>> My point was, if an ISP doesn't have an easily findable "abuse" email
>> on their main web page, I don't consider them to be too responsible
>> (or professional) these days. If it takes more than two clicks from
>> the main page to find the abuse email, that's obfuscation and
>> shirking, albeit unintentional (or ignorant).
>>
>
> Yahoo and Hotmail? And most free mail providers ?

For Yahoo, I entered "yahoo email abuse" on their search page... the first item that comes up is this (2 clicks):

http://help.yahoo.com/help/us/mail/spam

Hotmail is probably the same, but I didn't try.

From nobody at spamcop.net Sat Oct 15 11:19:56 2005
From: nobody at spamcop.net (N. Miller)
Date: Sat Oct 15 13:20:03 2005
Subject: [SpamCop-List] Re: Shaw Cable Refuses Munged Reports
References:
Message-ID:

On Sat, 15 Oct 2005 08:21:37 -0400, spamacyde wrote:

> What are legitimate reasons for refusing munged reports?

Possibly the same legitimate reason for the desire to confront one's accuser in person in a court of law...

--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint

From nospam at dev.null Sat Oct 15 20:20:11 2005
From: nospam at dev.null (No Spam)
Date: Sat Oct 15 13:25:03 2005
Subject: [SpamCop-List] Re: Stupid but aggressive spammer
In-Reply-To:
References:
Message-ID:

Mike Easter wrote:
> No Spam wrote:
>
>
>>http://www.spamhaus.org/sbl/sbl.lasso?query=SBL31256
>>Names Leo Kuvayev, renowned for these "games"
>
>
> Brand spanking new spamhaus listing 14-Oct-2005 07:39 GMT | SR08
>
> That wasn't there a few hours ago.
>

Yep, Leo has also been busy

> Kuvayev also picked up a little default judgment of 37mil USD
> http://www.informationweek.com/story/showArticle.jhtml?articleID=172301006
> Massachusetts Hits "Internet Spam Gang" With $37 Million Fine Oct. 13,
> 2005
>
> MS/hotmail honeypot sting: "The state's investigation was assisted by
> information provided by Microsoft, officials said.
> Microsoft's Internet
> Safety Enforcement team had set up phony Hotmail accounts, "trapping"
> more than 45,000 messages believed to have been sent by the Internet
> Spam Gang."
>

Thx for the article. The article makes it look like these actions resolved the issue:

"The Kuvayev-led operation involved a complicated web of online sites and domain names that offered illegal products ranging from counterfeit drugs and pirated software to pornography, phony designer watches and mortgage loans.

In a statement, Reilly said: “This judgment should serve as a deterrent to those who use the Internet for illicit purposes.”

Fact is Leo and clan are still doing the same. Their base has just changed. Also a pity that Hotmail still allows Leo and clan to use Hotmail for email addresses to register new domains.

Cheers
E

From nospam at dev.null Sat Oct 15 20:43:28 2005
From: nospam at dev.null (No Spam)
Date: Sat Oct 15 13:45:03 2005
Subject: [SpamCop-List] Re: Hats off to uk.easynet.net
In-Reply-To:
References:
Message-ID:

Sofa King Tyred of Lar Ting wrote:
> No Spam wrote:
>
>> Sofa King Tyred of Lar Ting wrote:
>> ..SNIP...
>>
>>>
>>> My point was, if an ISP doesn't have an easily findable "abuse" email
>>> on their main web page, I don't consider them to be too responsible
>>> (or professional) these days. If it takes more than two clicks from
>>> the main page to find the abuse email, that's obfuscation and
>>> shirking, albeit unintentional (or ignorant).
>>>
>>
>> Yahoo and Hotmail? And most free mail providers ?
>
>
> For Yahoo, I entered "yahoo email abuse" on their search page... the
> first item that comes up is this (2 clicks):
>
> http://help.yahoo.com/help/us/mail/spam
>
> Hotmail is probably the same, but I didn't try.

Go to the next step. "How do I report unsolicited mail?"

This says:
"If the spam or abusive email is being sent from a Yahoo! Mail account (i.e.,user@yahoo.com), the "This Is Spam" report will receive special attention.
"

Okay, they are referring to their Yahoo mail service. I am not a mailbox holder at Yahoo!, now what? Congrats: You have just jumped the first hoop.

Now let's try the "please send a report to the Yahoo! Customer Care team .." which is actually for international Yahoo! abuse. Suddenly you have to login on to Yahoo!. Hoop nr 2.

What's wrong with this picture? Why am I jumping the hoops?

You are welcome to try Hotmail. You will get:
http://oe.bay5.msnmail.hotmail.com/cgi-bin/dasp/ua_info.asp?pg=contact_hotmail&back=svcs&from=svcs&_lang=EN

This says: report_spam@msn.com and abuse@msn.com

The result of using this is:
"
report_spam@msn.com
SMTP error from remote mailer after RCPT TO:: host mx4.hotmail.com [65.54.190.230]: 550 Requested action not taken: mailbox unavailable:

Whereas abuse@msn.com has a spam filter on. Ditto abuse@hotmails.com (whois -h whois.abse.net hotmail.com). Anything dodgy is bounced.
"
----- The following addresses had permanent fatal errors -----
abuse@css.one.microsoft.com
(reason: 550 5.7.1 )

----- Transcript of session follows -----
... while talking to maila.microsoft.com.:
>>>>>> DATA
<<< 550 5.7.1
554 5.0.0 Service unavailable"

(Mike and I were theorising about this in another thread. So I played a bit)

Stripping everything out related to spam and rather asking where to report spam get an ack and case number. Answer yet outstanding. That is another hoop.

Well, I am now a professional hoop jumper....

Also see http://tqmcube.com/hotmail.htm

Cheers
E

From MikeE at ster.invalid Sat Oct 15 12:20:02 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sat Oct 15 14:20:12 2005
Subject: [SpamCop-List] Re: Shaw Cable Refuses Munged Reports
References:
Message-ID:

spamacyde wrote:

> What are legitimate reasons for refusing munged reports?

Imagine if law enforcement detectives were gathering up evidence at the crime scene. The chief investigator instructs them, "It is OK if you want to doctor the evidence a little bit, just don't doctor it too much."

"OK boss. You got it."

It is similar to a SC report going to an abuse desk. SC sez, "Trust me. There have been no other mungeings to the evidence other than what is programmed into the algorithm which algorithmic programming you can't see. You can trust that the SC reporter wouldn't dare make any changes to the evidence because we have these rules which you can read if you like -- but you can't read the mind of the reporter and you can't read the algorithm. But surely you can trust me, I'm SC."

"No thanks. I have more than enough evidence to look at when something happens. I would just as soon not look at any munged to some unknown extent evidence. But, keep up the good work; just don't send any of it to me."

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Sat Oct 15 12:28:34 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sat Oct 15 14:30:03 2005
Subject: [SpamCop-List] Re: Shaw Cable Refuses Munged Reports
References:
Message-ID:

Mike Easter wrote:

> "No thanks. I have more than enough evidence to look at when
> something happens. I would just as soon not look at any munged to
> some unknown extent evidence. But, keep up the good work; just
> don't send any of it to me."

However, that being sed....

... the provider who ignores SC reports does so at their peril, as it regards source reporting. Whether the provider chooses to see the munged evidence or not, it counts toward the SC blocklist, just like the 'invisible' unreported but counted spamtrap hits.

Ignoring SC reports of spamvertising is 'harmless' - since SC spamvertising reporting is almost completely toothless except for the minor effect of the statistics page and the sc-surbl, which isn't really very much I don't think.
--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Sat Oct 15 15:16:40 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Sat Oct 15 15:20:03 2005
Subject: [SpamCop-List] KnowledgeBase thing - Was - Re: yet another FAQ attempt
References:
Message-ID:

"Mike Easter" wrote in message news:dihobb$ipa$1@news.spamcop.net...
> WazoO wrote:
> >
> > http://forum.spamcop.net/forums/index.php?act=faq
>
> That looks like a good idea. Lots of navigational tools. Hierarchies
> make for ease of drilling down into an area and jumping back out in case
> you need to drill into another different hierarchy.

Well, I've added enough that there's something to at least "walk through" at this point. Yet, once again, not a lot of "help" showing up to this point. Now "help" is a bit conditional, as the way the thing works right now, only I can actually make the entries ... and that's a pain, to say the least ... pulling content from the www.spamcop.net FAQ pages requires changing of code bits, formatting, and (being bitten hard already for "content") looking at that part of the entry also (have been adding to the stuffing of the Deputy InBox with queries, suggested changes, even asked the "legal" question a bit ago on the impact of the "IronPort copyright" line as compared to my converting (an example) of several www.spamcop.net FAQ pages to a single screen in the KnowledgeBase View .....

So I'm stuck with trying to handle format, content, changing links, even had to edit a graphic and place a copy of the 'new' pic on the Forum server ... just to handle an "appearance" issue ....

As an aside ... I just buried the only 'girl' in my life for the last 10+ years last night ... a wonderful white German Shepherd ... so, though not really in the mood to trudge through all this stuff, there's yet more empty time involved at present ...
> When there's too much on a page or too many pages to have to 'read' or
> scan thru' to find something and not enough 'structure' to navigate
> with, it becomes tedious and the tedium creates a 'bailout' reaction.
> It may be hard for the organizer to sense what causes the seeker's
> tedium, because he the organizer already knows where things are, so he
> is able to scoot around more quickly or adeptly than someone who is
> looking for an answer who hasn't already read all of the material..

And this is yet another place I'm looking for "help" on .... some of the decisions on just "where" an entry should be placed are really iffy at times ... current structure looks like (still in flux, so just a snapshot);

Overview of SpamCop Services
Those pesky & geeky details (Some Definitions, some Explanations, some Scenarios)
SpamCop Parsing & Reporting Service
Member and account management questions
MailHost Configuration of a Reporting Account
Parsing Issues
Reporting Issues
Reporting by E-mail issues
Browser Issues
SpamCop Email System & Accounts
Sign-up, connect to, management
SpamCop Blocking List Service
Admin, ISP, Host
Just the average Internet E-mail user
General Information about SpamCop
Help for abuse-desks & administrators
Help with SpamCop reports and spam in general
Interacting with SpamCop and its users
Assistance stopping spam
SpamCop Forum
General Information about Spam
Other Data, Tools & Lists

You'll note that neither version of the existing FAQ quite matches up with this structure .... and, as you suggest, it's difficult to guess where someone might "look" to find a specific answer ....

> A hierarchy structure 'forces' some kind of organization -- even when the
> organization might be somewhat imperfect; like some outline formats
> which are harder to build or 'force' into the outline structure than it
> was to originally write the essay or theme.

Once again, all I can say is that I'm trying ...
just wondering where all the folks that take the time to bitch and complain are at when an opportunity to "fix" things is offered ...even did some digging up of some history ..
http://forum.spamcop.net/forums/index.php?showtopic=5108&view=findpost&p=34087
(Yeah, pretty much Forum oriented, but the newsgroup traffic/archives have been pointed out before / included in some of those Forums ...)

From nobody at devnull.spamcop.net Sat Oct 15 16:34:21 2005
From: nobody at devnull.spamcop.net (Pop)
Date: Sat Oct 15 15:35:03 2005
Subject: [SpamCop-List] Re: KnowledgeBase thing - Was - Re: yet another FAQ attempt
References:
Message-ID:

"WazoO" wrote in message news:dirkio$ajg$1@news.spamcop.net...
: "Mike Easter" wrote in message
: news:dihobb$ipa$1@news.spamcop.net...
: > WazoO wrote:
: > >
: > > http://forum.spamcop.net/forums/index.php?act=faq
: >
: > That looks like a good idea. Lots of navigational tools. Hierarchies
: > make for ease of drilling down into an area and jumping back out in case
: > you need to drill into another different hierarchy.
:
: Well, I've added enough that there's something to at least "walk through"
: at this point. Yet, once again, not a lot of "help" showing up to this
: point. Now "help" is a bit conditional, as the way the thing works
: right now, only I can actually make the entries ... and that's a pain, to
: say the least ... pulling content from the www.spamcop.net FAQ pages
: requires changing of code bits, formatting, and (being bitten hard already
: for "content") looking at that part of the entry also (have been adding to
: the stuffing of the Deputy InBox with queries, suggested changes, even
: asked the "legal" question a bit ago on the impact of the "IronPort
: copyright" line as compared to my converting (an example) of several
: www.spamcop.net FAQ pages to a single screen in the KnowledgeBase
: View .....

Personally, I wasn't aware that you expected detailed critiques yet.
I felt like it was still IP and this wasn't the time yet. I'm aware you explained things, probably rather well, in the part I snipped, but ... I'll make you this offer:

-- In a past life I was (now am "Ex-") a technical writer for telecom. Lots of similarity. If you'd like to post (here would be best, IMO) a couple of specific things you'd like to see in a critique, I'll give you a FWIW as best I can. I'm a free reporter, so there are areas I'm not real familiar with, which might be an advantage in doing a critique.

I don't want to just go off making comments on anything and everything because it's (IMO) basically a waste of time to do it that way; too much forest view to pick out the trees. Meantime, I'll look over the structure and see if I have much to say on what takes me where when and why. I suspect that's your first interest.

Regards,
Pop

From MikeE at ster.invalid Sat Oct 15 14:24:28 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sat Oct 15 16:25:03 2005
Subject: [SpamCop-List] Re: KnowledgeBase thing - Was - Re: yet another FAQ attempt
References:
Message-ID:

WazoO wrote:
> Well, I've added enough that there's something to at least "walk
> through" at this point.

I'm not quite clear, from an organizational structure point of view, if I were creating an Outline format, like in highschool, of hierarchies such as I. A. 1. a) (1) (a) (i) etc how to deal with the 'framework' or substructuring of Articles in a Category as contrasted with Sub-Categories under a Category

What is your thinking there? If I have a category as a Roman I., and I have both Sub-categories and Articles to deal with, should I make the articles 1,2,3 directly under the Roman I and the Sub-categories into A, B, C? Or some other way?
The point is not to force you or my outline into some 'undesirable' or 'illegal' structure, but to clarify the similarities and differences of articles vs sub-categories -- how is an article part of the 'substructure' and how is a sub-category part of the substructure of a category? Articles are articles, but sub-categories are what?

I don't know if I'm explaining my organizational dilemma adequately other than I'm having trouble making a typical outline of the structure.

> As an aside ... I just buried the only 'girl' in my life for the last
> 10+ years last night ... a wonderful white German Shepherd ...

I'm sorry for the loss of your beloved. Her 'ghost' will be around in your perceptions for quite a while. Very eerie.

--
Mike Easter
kibitzer, not SC admin

From nobody at xyzzy.claranet.de Sat Oct 15 23:30:23 2005
From: nobody at xyzzy.claranet.de (Frank Ellermann)
Date: Sat Oct 15 16:35:03 2005
Subject: [SpamCop-List] Re: KnowledgeBase thing
References:
Message-ID: <435166DF.4025@xyzzy.claranet.de>

Pop wrote:
> If you'd like to post (here would be best, IMO) a couple of
> specific things you'd like to see in a critique, I'll give
> you a FWIW as best I can. I'm a free reporter, so there are
> areas I'm not real familiar with

+1 (excl. "1 year of heavy use" which lasted for about 6 weeks)

For a few selected topics like "how to interpret and update abuse.net entries" or "how do the abuse and whois zones of RFCI work" (perfectly irrelevant for SC, but maybe interesting for some users) or "WTF is SURBL" or "how can I use ICANN's WDPRS" I could offer some informed guesses, and if it's about routing, AS numbers, etc. I could at least ask "did you check that with Mike and / or Ellen"...
;-)

Bye, Frank

From nobody at devnull.spamcop.net Sat Oct 15 16:43:14 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Sat Oct 15 16:45:04 2005
Subject: [SpamCop-List] Re: KnowledgeBase thing - Was - Re: yet another FAQ attempt
References:
Message-ID:

"Pop" wrote in message news:dirljn$b5d$1@news.spamcop.net...
>
> Personally, I wasn't aware that you expected detailed critiques
> yet. I felt like it was still IP and this wasn't the time yet.

It's the age old question yet again, should I continue to spend the time and energy on it, continue the search for yet another tool, or do the obvious and say to hell with it ...???

> I'm aware you explained things, probably rather well, in the part
> I snipped, but ... I'll make you this offer:
> If you'd like to post (here would be best, IMO)

Yeah, the NNTP/Forum thing again ... let me just point out again the 'problems' in converting form/format between the things ... the same issues arising in the posting of 'spam samples' (to either venue) carries that extra load .. but ... I'm trying to include both sides in the effort ...

> a couple of
> specific things you'd like to see in a critique, I'll give you a
> FWIW as best I can.

Here's one I just walked into ....
http://www.spamcop.net/fom-serve/cache/4.html
The title covers way too much ground. The existing "answer" will no doubt further fuel the NNTP/Forum debate. However, my 'solution' (?) is almost reaching the "this one isn't worth including anywhere as is at all" ... rather the questions need to be split out, along with the more specific/generalized answers .... for instance there really isn't a newsgroup for "suggest a feature" ... On the other hand, I did create a Forum section to address this concept (that the only items actioned thus far seem to be Forum suggestions ... what can I say?)
http://forum.spamcop.net/forums/index.php?showforum=10

"How can I report a bug?" ...???? There are bugs and there are bugs ...
but the daily run of issues aren't usually SpamCop bugs, more usually issues with other tools involved during user interaction with the SpamCop toolset .... but the "answer" would/should include all venues ... as I did at
http://forum.spamcop.net/forums/index.php?act=faq&article=20

"How can I get help?" answer made me laugh ... "Obviously, your first resource is this FAQ." ... going back to "this FAQ" was the reason for the Forum version way back when .... and as above, though included in the list of possible resources, the years of complaints about it sure doesn't totally concur with the "Obviously" description. (On the other hand, yet another suggested change to that FAQ was implemented this morning by RW, once again pointing out that "this FAQ" is far from dead .... )

The point here is that there is an existing entry, but I don't see it as functional in this "other" venue ... total re-write, ignoring it altogether, splitting it apart, generating a complete new page of data to insert below the existing text ... (and again, where would one place that result?) ...

> I'm a free reporter, so there are areas I'm
> not real familiar with, which might be an advantage in doing a
> critique.

I also am only a free-report account holder, so I also have to "trust" a lot of folks answering my queries

> I don't want to just go off making comments on anything and
> everything because it's (IMO) basically a waste of time to do it
> that way; too much forest view to pick out the trees.
> Meantime, I'll look over the structure and see if I have much
> to say on what takes me where when and why. I suspect that's
> your first interest.

Yep .... the last go-round on the Portal page entrance to the FAQ seemed to get more involved in the (display) code ... a bit further down the road than the "what should the content include" question I originally was asking for ....the issues were valid (and addressed) .. but weren't answering the original request for input ...
As it was, one of the first items placed got me jumped on for content both here and in the Forum .... each entry now contains the Source: line to "reflect" that criticism back to the source material, as compared to "me screwing up yet again .." That first entered item was originally posted Apr 11 2004, 03:14 AM, but the "obsolete" complaints only arrived with the inclusion into this KnowledgeBase thing .... (again, content added after the fact, but .... )

Gotta quit, this is turning into yet another monster ...

From nobody at devnull.spamcop.net Sat Oct 15 18:28:07 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Sat Oct 15 18:30:05 2005
Subject: [SpamCop-List] Re: KnowledgeBase thing - Was - Re: yet another FAQ attempt
References:
Message-ID:

"Mike Easter" wrote in message news:diroho$cnm$1@news.spamcop.net...
>
> I'm not quite clear, from an organizational structure point of view, if
> I were creating an Outline format, like in highschool, of hierarchies
> such as I. A. 1. a) (1) (a) (i) etc how to deal with the 'framework' or
> substructuring of Articles in a Category as contrasted with
> Sub-Categories under a Category What is your thinking there?

Not part of this tool ... I create a 'root' category ... I can place articles to / under that category ... I can make a sub-category under that 'root' and add articles under that sub-category. (as I attempted to explain in the Forum discussion on this thing
http://forum.spamcop.net/forums/index.php?showtopic=5108&view=findpost&p=34049
there are various modes of 'sorting' those entries (be it categories or articles) ... but ... nothing like the typical numbering scheme (OK, maybe by using part of the limited Title space, but ... ) .. one of the more 'interesting' sort modes looks like the "number of views" .. in theory driving the most common items to the top of the list, but ... as noted, there's an opening for confusion there, as in the titles (currently) with Chapter/Section numbers included ...
> The point is not to force you or my outline into some 'undesirable' or
> 'illegal' structure, but to clarify the similarities and differences of
> articles vs sub-categories -- how is an article part of the
> 'substructure' and how is a sub-category part of the substructure of a
> category? Articles are articles, but sub-categories are what?

?? listed at the bottom of the 'window' of the higher order category ... if that's actually the question ..???
http://forum.spamcop.net/forums/index.php?act=faq&cat=1
has "articles" inserted under that "root category" .. however also listed under those articles is the "Sub-Category" of "Those pesky & geeky details" that contains 3 "articles" at present ....

> I don't know if I'm explaining my organizational dilemma adequately
> other than I'm having trouble making a typical outline of the structure.

Why I offered up the "layout" of categories in another post ... this "view" is not offered to the user (though eventually do plan on adding that "tree" to a post somewhere) ... but that offered list was to demonstrate just what you've said here .. albeit vastly different words ... just where do I 'stick' things such that the 'flow' and content will be (easily) found by the person just arriving ....

> I'm sorry for the loss of your beloved. Her 'ghost' will be around in
> your perceptions for quite a while. Very eerie.

Yeah, the lack of those big black eyes, under the pink ears, peeking around to see if I'll pay her some attention keeps me going to the front door, thinking that she's been outside entirely too long ...
that 0230 neighborhood walk this morning was just too strange without her doing the "investigating" for me

From nobody at devnull.spamcop.net Sat Oct 15 18:47:05 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Sat Oct 15 18:50:02 2005
Subject: [SpamCop-List] Re: KnowledgeBase thing
References: <435166DF.4025@xyzzy.claranet.de>
Message-ID:

"Frank Ellermann" wrote in message news:435166DF.4025@xyzzy.claranet.de...
>
> For a few selected topics like "how to interpret and update
> abuse.net entries" or "how do the abuse and whois zones of RFCI
> work" (perfectly irrelevant for SC, but maybe interesting for
> some users) or "WTF is SURBL" or "how can I use ICANN's WDPRS"
> I could offer some informed guesses, and if it's about routing,
> AS numbers, etc. I could at least ask "did you check that with
> Mike and / or Ellen"... ;-)

I've 'stolen' a number of Mike's posts for the Forum version of the FAQ .... invitation/request was made long ago for some "generic" walk-throughs on some of those geeky type research rambles .. though Mike Easter has provided many, many of these, I just haven't found the one that seemed to totally stand on its own ... either focusing in on a specific line item or focused enough that a bit of munging would make it entirely useless (again, because the results were based on a specific item) ...

That said, I've 'stolen' stuff from wherever it showed up ... (though attribution is included) .... and at least one of your specific items just came up in the Forum, Jeff G. wrote up a (proposed) FAQ entry on it .... SURBL in this case, but would also point out that another proposed entry was recently offered up to explain "Innocent Bystander" (actually headed for the Forum / SpamCop Glossary) ...

Bottom line, look at the lack of data in the "How to Use ... Research Tools" Forum section at
http://forum.spamcop.net/forums/index.php?showforum=16

As far as your "other non-SpamCop" stuff ..
have you looked at the "Other information, help and links" section of the Forum version of the SpamCop FAQ? Again, the www.spamcop.net page
http://www.spamcop.net/fom-serve/cache/7.html
was the starting point, but you'll note the size difference in the content when looking at the Forum version
http://forum.spamcop.net/forums/index.php?showtopic=2238

And yet, this also feeds back into the organizational question of the KnowledgeBase version I'm trying to glue together ... most of that long list needs to get "grouped"

From nobody at devnull.spamcop.net Sat Oct 15 19:34:49 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Sat Oct 15 19:35:10 2005
Subject: [SpamCop-List] Re: KnowledgeBase thing
References: <435166DF.4025@xyzzy.claranet.de>
Message-ID:

"Frank Ellermann" wrote in message news:435166DF.4025@xyzzy.claranet.de...
>
> For a few selected topics like "how to interpret and update
> abuse.net entries" or "how do the abuse and whois zones of RFCI
> work" (perfectly irrelevant for SC, but maybe interesting for
> some users) or "WTF is SURBL" or "how can I use ICANN's WDPRS"
> I could offer some informed guesses, and if it's about routing,
> AS numbers, etc. I could at least ask "did you check that with
> Mike and / or Ellen"... ;-)

Under SpamCop Parsing & Reporting Service ... a new category entered ... "SpamCop interaction with other Resources"

Could be a better title, but trying to stay within the 50 character limit .... anyway, awaiting input to flush it out .... again, my druthers would be the Forum so as to minimize the re-formatting necessary, but .....

From MikeE at ster.invalid Sat Oct 15 17:54:26 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sat Oct 15 19:55:03 2005
Subject: [SpamCop-List] Re: KnowledgeBase thing - Was - Re: yet another FAQ attempt
References:
Message-ID:

WazoO wrote:
> "Mike Easter"
>> I'm not quite clear, from an organizational structure point of view,

OK - even if we forget about my 'outline' hierarchy -- but there's another point to bringing up that type of structure.

>> if I were creating an Outline format, like in highschool,
> Not part of this tool ... I create a 'root' category ... I can place
> articles to /
> under that category ... I can make a sub-category under that 'root'
> and add articles under that sub-category.

Yeah, I understand and can see that structure; but I have a little problem with it.

My idea of the old fashioned hs outline or any other hierarchal structure which has a similar purpose, is that it should be pretty clear where you are going if you decide to look at a category -- but it is possible you might have made a mistake and might need to try a different category.

So, it seems to me that 'everything' in a category should be in sub-categories - not articles. Articles are to be contained only in subcategories, not categories, because of some reasons I'm trying to express below.

That is, it looks to me like your articles are in one sense 'the end of the line' from the structure's point of view. Once a person is 'into' an article, there shouldn't be any further ambiguity about whether or not someplace else would be a better place to be. A person might follow some trails found in an article for more information as branches from an article, but from 'the great scheme of things', your hierarchy organization is over when at the article level.

Or, besides a hs outline, I'll use another example; the Encyclopedia Britannica deadtree version. Its organization is to have 3 parts.
There is a Propedia or Outline of Knowledge, which contains 'everything' in one book or volume of organization; there is a Macropedia or Ready Reference and Index in 10 volumes; and there is a Micropedia or Knowledge in Detail in 20 volumes.

I'm not saying that is an ideal structure for this situation; but your front page is sort of like a propedia. And the 'mass' of the web faq and the forum posts are like the micropedia, kinda disorderly in an ordered sort of way. In the case of the EB and any faq in the forum, the micropedia isn't actually a good place to start looking for something unless you already know where to find it, because its organization is 'editorially' derived, even tho' there is some concept of alphabetical in the EB's micro.

It is hard to describe; but if you were to start EB researching something, you would typically start with either the Propedia or the Macropedia to find out where to find the 'good stuff' in detail which would be in some article in the micro that might not be 'alphabetized' like your original idea, but as a part of a larger discussion of something or other. However, after you had read quite a bit in the micro because you are such a good encyclopedia 'student' ;-) , you might know how to go find something by going to the micro 'directly' because you know where it was organized into.

Back to your faq, if someone is looking for something, deciding to look into one of the categories should lead to a pretty high probability that they are heading in the right direction. When they are looking into the category, I would think that everything which is in that category could/should be characterized into sub-categories [let's don't be doing articles at this stage, because there are likely to become too many articles for one easy view].
Or put another way, we should be able to look at a branch of the original tree and realize that we've taken the wrong branch or the right branch by the character or names or 'definitions' of the subcategories. Or, we might even make a list of 'things' to describe a subcategory which aren't exactly articles, but more like keywords.

Then, the very carefully named and selected and created sub-categories with their keywords [maybe] are where all the articles live.

So, the heart of the organization is in the creation and naming and characterizing of the categories and subcategories. Ideally there would be no ambiguity or debate about where some article was living; altho' it is certainly conceivable that an article's link might be found in more than one category and subcategory.

There're some few things wrong with spamcop's site map at http://www.spamcop.net/sitemap.shtml but it is a classical hierarchy.

>> The point is not to force you or my outline into some 'undesirable'
>> or 'illegal' structure, but to clarify the similarities and
>> differences of articles vs sub-categories -- how is an article part
>> of the 'substructure' and how is a sub-category part of the
>> substructure of a category? Articles are articles, but
>> sub-categories are what?
>
> ?? listed at the bottom of the 'window' of the higher order category
> ... if that's actually the question ..???

Yeah yeah -- but I think that organizationally all of the articles should be found in subcategories.

> http://forum.spamcop.net/forums/index.php?act=faq&cat=1
> has "articles" inserted under that "root category" .. however also
> listed under those articles is the "Sub-Category" of "Those pesky
> & geeky details" that contains 3 "articles" at present ....

Yes, that shows me that you are using subcategories to organize the articles. I think that should be consistent.
--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Sun Oct 16 03:01:32 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Oct 16 05:06:12 2005
Subject: [SpamCop-List] Re: KnowledgeBase thing - Was - Re: yet another FAQ attempt
References:
Message-ID:

Mike Easter wrote:
> WazoO wrote:
>> Not part of this tool ... I create a 'root' category ... I can place
>> articles to /
>> under that category ... I can make a sub-category under that 'root'
>> and add articles under that sub-category.
>
> Yeah, I understand and can see that structure; but I have a little
> problem with it.
> Yes, that shows me that you are using subcategories to organize the
> articles. I think that should be consistent.

Here's my 'picture' or snapshot of the work in progress from 3 different 'focal depths'

Format
Category

Overview of SpamCop Services
SpamCop Parsing & Reporting Service
SpamCop Email System & Accounts
SpamCop Blocking List Service
General Information about SpamCop
Help for abuse-desks & administrators
SpamCop Forum
General Information about Spam
Other Data, Tools & Lists
Test

Format
Category
    Sub-category

Overview of SpamCop Services
    Those pesky & geeky details
SpamCop Parsing & Reporting Service
    Member and account management questions
    MailHost Configuration of a Reporting Account
    Parsing Issues
    Reporting Issues
    Reporting by E-mail issues
    Browser Issues
    SpamCop interaction with other Resources
SpamCop Email System & Accounts
    Sign-up, connect to, management
SpamCop Blocking List Service
    Admin, ISP, Host
    Just the average Internet E-mail user
General Information about SpamCop
Help for abuse-desks & administrators
    Help with SpamCop reports and spam in general
    Interacting with SpamCop and it's users
    Assistance stopping spam
SpamCop Forum
General Information about Spam
Other Data, Tools & Lists
Test

Format
Category
    Article
    Sub-category
        Article
Category

Overview of SpamCop Services
    How does SpamCop reporting work?
    Password Problems
    How do I sign up?
    What is SpamCop?
    Types of SpamCop Reports
    Rules - Must Read!!!
    Those pesky & geeky details
        What is an IP Address?
        What is a Domain Name (Server)?
        What is rDNS?
SpamCop Parsing & Reporting Service
    How do I get started reporting spam?
    How do I submit spam via email?
    What is "mole" reporting?
    What is Quick Reporting?
    How can I unsend a report?
    Member and account management questions
        Why do I have to authorize my membership?
    MailHost Configuration of a Reporting Account
        How do I configure Mailhosts for SpamCop?
        Walk-through of a MailHost Configuration
    Parsing Issues
    Reporting Issues
    Reporting by E-mail issues
    Browser Issues
        Firefox Cookie Exception for Reporting
        IE Cookie Exception for Reporting
    SpamCop interaction with other Resources
SpamCop Email System & Accounts
    What is this SpamCop Mail Service? How do I sign up? What is the cost?
    Sign-up, connect to, management
SpamCop Blocking List Service
    What is the SpamCop Blocking List (SCBL)?
    How can I be de-listed? (Dispute Resolution)
    Admin, ISP, Host
    Just the average Internet E-mail user
General Information about SpamCop
    What is SpamCop's history?
Help for abuse-desks & administrators
    Introduction - What is this thing? How does it work?
    Help with SpamCop reports and spam in general
    Interacting with SpamCop and it's users
    Assistance stopping spam
SpamCop Forum
    SECTION 1 - Pre-Registration
    SECTION 2 - Registration
    SECTION 3 - Maintaining & Updating Your Account
    SECTION 4 - My Controls & Forum Settings
    SECTION 5 - Login & Navigation
    SECTION 6 - Troubleshooting & Quick Links
    SECTION 7 - Change of Username
    Section 8 - SpamCop's System & Active Staff
General Information about Spam
Other Data, Tools & Lists
Test

--
Mike Easter
kibitzer, not SC admin

From bar_n0ne at hotmail.com Sun Oct 16 14:13:49 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Sun Oct 16 05:16:20 2005
Subject: [SpamCop-List] hi-5 another E-mail address collector, similar to sms.ac
Message-ID:

I've been ignoring hi-5 invitations, finally decided to see what it was after receiving another invite (from a known contact), Similar to what I've read about the SMS.ac scam, it wants you to sign in to your yahoo, hotmail etc. accounts through their interface to add contacts from your address books. To add contacts of your own is pretty tricky if you just know the person's contact information, so the whole enterprise seems to be geared to opening your address books up.

( No I didn't add anyone (except the invitor), didn't supply any passwords, other than a new password to register. No it cannot be used to divine my usual passwords).

Also when you register as you poke around the interface it implies that it is preparing to send dozens of invitations to lots of people (no idea where they come from, who they are, but they are not from any of my address books, perhaps they are contacts of the invitor) I spent a few minutes canceling requests. I only hope the system doesn't use my registered name to spam these "innocents".

From bar_n0ne at hotmail.com Sun Oct 16 14:20:31 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Sun Oct 16 05:26:22 2005
Subject: [SpamCop-List] SPUR-M brought to you by Yahoo/Geocities now
Message-ID:

in this case http:// www.
geocities.com/pgwh3wm36dogi/
spaces inserted so it's not clickable

From bar_n0ne at hotmail.com Sun Oct 16 14:25:36 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Sun Oct 16 05:30:07 2005
Subject: [SpamCop-List] Re: SPUR-M brought to you by Yahoo/Geocities now
References:
Message-ID:

"Berny" wrote in message news:dit611$kur$1@news.spamcop.net...
> SNIPPED

and SC almost steadfastly refuses to parse the geocities link, even though it's the freshest of spam. took > 10 tries, in fact geocities links are almost the only ones that SC doesn't seem to want to bother with

Of course the SURBL may not want to bother either

From nobody at devnull.spamcop.net Sun Oct 16 11:01:06 2005
From: nobody at devnull.spamcop.net (Pop)
Date: Sun Oct 16 10:05:02 2005
Subject: [SpamCop-List] Re: KnowledgeBase thing - Was - Re: yet another FAQ attempt
References:
Message-ID:

"WazoO" wrote in message news:dirpl2$ded$1@news.spamcop.net...
: "Pop" wrote in message
: news:dirljn$b5d$1@news.spamcop.net...

Well, I might have to respond to this in pieces because of all the input from you and Mike, but I've decided to try, as long as my meds hold up . I see huge potential here this time from an "everyuser" standpoint.

I think it was Chris Heng said something like; the "average" user of computers really means the "neophyte": Someone who may have used it for a decade or so, but -only- uses small parts of the overall package. The average user has no idea how it works nor does he care. When something goes wrong, he just wants to be told how to fix it; the details be damned! Since the average user is 80%+ of the users, he -has- to be given the info he needs, and he doesn't care about the other 20%-. And vice-versa. It's a tough audience!

: >
: > Personally, I wasn't aware that you expected detailed critiques
: > yet. I felt like it was still IP and this wasn't the time yet.
:
: It's the age old question yet again, should I continue to spend the
: time and energy on it, continue the search for yet another tool,
: or do the obvious and say to hell with it ...???

Well, how about this: It's one small step for Wazoo, but one giant leap for spamcop-kind?

Say to hell with it? Yes, IFF it's turned to drudgery, you have trouble restarting on it every time you address it, it's boring, and/or you feel you've done all you're capable of. If you aren't finding some sort of reward, tangible or not, you won't do a good job. No one would under those conditions. It's a thankless task not being done for ego, obviously, unless ... you strongly believe in delayed gratification and know that comes from results, not KUDOS.

Find another tool? IMO, only you can answer that reasonably. In my heart I don't feel another tool will help that much but ... that's me. All I gotta do is sit here and criticize, hopefully positive criticism. YMMV, and you're the one has to live with its results. I personally don't think there is yet (although it's close) a good head-around what's needed for presentation and sequence of the presentation, but you're very close. But if there's a tool that frees a bunch of brain cells to let you concentrate on the more important things, then yeah, another tool maybe. It's almost always the monkey work that gets in the way of a project; that sort of tool would be great. But, what the heck is it??

:
: > I'm aware you explained things, probably rather well, in the part
: > I snipped, but ... I'll make you this offer:
: > If you'd like to post (here would be best, IMO)
:
: Yeah, the NNTP/Forum thing again ... let me just point out again
: the 'problems' in converting form/format between the things ... the
: same issues arising in the posting of 'spam samples' (to either
: venue) carries that extra load .. but ... I'm trying to include both
: sides in the effort ...

OOPS!
I meant here, but ONLY because that's where my chair was and where I read your post! I don't -really- care where. I was on the ng, and thus that thread seemed a likely place to respond. 20-20 hindsight but ... . I think you're able to post both places simultaneiously? : : > a couple of : > specific things you'd like to see in a critique, I'll give you a : > FWIW as best I can. : : Here's one I just walked into .... : http://www.spamcop.net/fom-serve/cache/4.html : The title covers way too much ground. The existing "answer" will : no doubt further fuel the NNTP/Forum debate. However, my : 'solution' (?) is almost reaching the "this one isn't worth including : anywhere as is at all" ... rather the qyestions need to be split out, : along with the more specific/generalized answers .... for instancel : there really isn't a newsgroup for "suggest a feature" ... On the other : hand, I did vreate a Forum section to address this concept (that the : only items actioned thus far seem to be Forum suggestions ... what : can I say?) http://forum.spamcop.net/forums/index.php?showforum=10 : : "How can I report a bug?" ...???? There are bugs and there are bugs ... : but the daily run of issues aren't usually SpamCop bugs, more usually : issues with other tools involved during user interaction with the SpamCop : toolset .... but the "answer" would/should include all venues ... as I did : at : http://forum.spamcop.net/forums/index.php?act=faq&article=20 : : "How can I get help?" answer made me laugh ... "Obviously, your first : resource is this FAQ." ... going back to "this FAQ" was the reason for : the Forum version way back when .... and as above, though included : in the list of possible resources, the years of complaints about it sure : doesn't totally concur with the "Obviously" description. (On the other : hand, yet another suggested change to that FAQ was implemeted this : morning by RW, once again pointing out that "this FAQ" is far from : dead .... 
)
:
: The point here is that there is an existing entry, but I don't see it as
: functional in this "other" venue ... total re-write, ignoring it altogether,
: splitting it apart, generating a complete new page of data to insert
: below the existing text ... (and again, where would one place that
: result?) ...

Yeah, I see the quandary. You may already do this, but have you heard of the a-b-c method of grouping tasks? It means three "piles" or lists of tasks. The A pile has to be reacted to ASAP and is highest priority. The B pile, well, it has to be gotten to, but not to the exclusion of anything in A. Do B while there are lulls in A (writer's block, etc.). The C pile is less important than A or B but not UNimportant. However, if the C pile becomes stagnant or nearly so, then IT needs to be sorted into a-b-c and that C pile discarded. Deleted. Round filed. Bit binned. What's left goes into A or B until C is empty and the process proceeds again with a new a-b-c list set. Changes in any of the piles may easily mean changes in what lives in A or B or C, so there needs to be repetitive attention paid to the piles; as in at the closure of ANY IP process. IP = in process, not ...

:
: > I'm a free reporter, so there are areas I'm
: > not real familiar with, which might be an advantage in doing a
: > critique.
:
: I also am only a free-report account holder, so I also have to
: "trust" a lot of folks answering my queries

OUCH! You really enjoy abuse, don't you?

:
: > I don't want to just go off making comments on anything and
: > everything because it's (IMO) basically a waste of time to do it
: > that way; too much forest view to pick out the trees.
: > Meantime, I'll look over the structure and see if I have much
: > to say on what takes me where when and why. I suspect that's
: > your first interest.
:
: Yep .... the last go-round on the Portal page entrance to the FAQ
: seemed to get more involved in the (display) code ...
a bit further : down the road than the "what should the content include" question : I originally was asking for ....the issues were valid (and addressed) .. : but weren't answering the original request for input ... Yeah, that's one of the reasons I never got involved in those dialogs; well, plus I don't know what I'm talking about lots of times ;-} I seem to recall at one time you were working with someone else on this but it seems you're -it- now. I respectfully submit that you could seriously use a Project Manager like person. Not a boss, but someone to manage the overall project details. To manage the -project-, not you. That's not me because I'm incredibly unreliable due to my health, but, as tyrannical a manager as I think he might be ;=], I feel like a Mike Easter would make a plausible candidate. He can take it if you have to tell him to go away, long's he gets the last word that is, has a wild eye for detail, and usually gets to the bottom of a problem he tackles. It would depend, of course, on his (whoever) being behind the concept you presently have or it might cause a complete shutdown of your efforts for a re-evaluation. Again. I do not think re-evaluation, again, is necessary at this point. But, that's only MO. : : As it was, one of the first items placed got me jumped on for : content both here and in the Forum .... each entry now contains : the Source: line to "reflect" that criticism back to the source : material, as compared to "me screwing up yet again .." That : first entered item was originally posted Apr 11 2004, 03:14 AM, : but the "obsolete" complaints only arrived with the inclusion into : this KnowledgeBase thing .... (again, content added after the fact, : but .... ) You're an experienced tech writer, that's all that means! You'll always screw up; again. It comes with the territory; as long as you have the support of the majors, you'll be able to judge your success by the results. I haven't heard anyone tell you not to do this. 
I also haven't heard anyone say someone else would be better. And in particular I haven't seen anyone say "Give it to me, I'll do it right!". Have you? The pro-active stage, for now, is past and the remainder of the job is reactive - it's the nature of this beast. As in software, there's always time to fix it "later" when the originators spaghetti'd it, right? It's the job of us peons to revolt against taxes, you know. : : Gotta quit, this is turning into yet another monster ... : Me too! Gonna go read some more. : From sstuckey at digital-voice.com Sun Oct 16 13:28:11 2005 From: sstuckey at digital-voice.com (Scott Stuckey) Date: Sun Oct 16 12:30:23 2005 Subject: [SpamCop-List] Does spamcop or abuse do anything? Message-ID: Hmm. I have reported about 60 emails to Spamcop and to the offending abuse reporting. Nothing has been done, and in fact the spam is INCREASING. We do nothing with these emails and only submit them to spamcop. Is there any REAL way to stop the offenders? From MikeE at ster.invalid Sun Oct 16 12:29:38 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Oct 16 14:30:02 2005 Subject: [SpamCop-List] Re: Does spamcop or abuse do anything? References: Message-ID: Scott Stuckey wrote: > Hmm. I have reported about 60 emails to Spamcop and to the offending > abuse reporting. > > Nothing has been done, and in fact the spam is INCREASING. The most common situation about typical spam is that nothing about spamcop reporting directly causes a reduction in your spam. One can spend significantly more words describing why that is so. Another but much less common situation is that some particular configurations of spamcop reporters can cause a spamcop reporter to get /more/ spam than before because of the reporting process causing a worsening of insecure or 'bad' spamhanding. One can spend quite a few more words describing why that is so. > We do nothing with these emails and only submit them to spamcop. > > Is there any REAL way to stop the offenders? 
There are many ways to be a spamfighter; more importantly, there are many ways to handle your Inbox's mail. I think the first priority is to handle your inbox in a manner which is comfortable and non-frustrating and secure and in which your wanted mail is 'right there' and your spam is nearly invisible except when you want to see it for handling or reporting purposes - which should be 'enjoyable' or 'sporting' and most definitely not insecure. Your spam and your goodmail should not be mixed up together in the inbox. The inbox was not designed to be a place for handling spam by looking at its subjects and froms. All or nearly all of your spam should be in the Junk folder. None of your goodmail should be in the Junk. -- Mike Easter kibitzer, not SC admin From none at none.none Sun Oct 16 15:00:53 2005 From: none at none.none (Pete) Date: Sun Oct 16 15:05:03 2005 Subject: [SpamCop-List] Re: SPUR-M brought to you by Yahoo/Geocities now References: Message-ID: Spamcop has great difficulty with most links nowadays, which is why I will not renew my subscription when it comes up again. I know the SCBL is most important to them, but I do see success in shutting down some sites and I'd like to continue to do so. I'll go my own way when my account expires, and I suggest the same for everyone else. "Berny" wrote in message news:dit6ai$lju$1@news.spamcop.net... > > "Berny" wrote in message > news:dit611$kur$1@news.spamcop.net... >> SNIPPED > > and SC almost steadfastly refuses to parse the geocities link, even though > it's the freshest of spam. > > took > 10 tries, in fact geocities links are almost the only ones that SC > doesn't seem to want to bother with > > > Of course the SURBL may not want to bother either > > From skiwi at spamcop.net Sun Oct 16 13:24:56 2005 From: skiwi at spamcop.net (Skiwi) Date: Sun Oct 16 15:25:03 2005 Subject: [SpamCop-List] Re: Who the hell are FreshAddress.com? It looks fishy but legit at the same time... 
In-Reply-To: <434D7CCB.4EE4@xyzzy.claranet.de> References: <434D7CCB.4EE4@xyzzy.claranet.de> Message-ID: Frank Ellermann wrote: > Legit as far as I can judge it, it's a service to map old > addresses to fresh addresses. With maximal privacy you > should never get mail from them (that's what I use, works > for years now). With less privacy you get something like > your "spam" if somebody wants to get your fresh address > for a known old address (in your case "somebody" was HP). > > But above all that should only happen for your address, > with your account. Did you maybe forget that you have an > account at freshaddress.com ? It works like a confirmed > opt-in, only the owner of the fresh address (= you) can > select his privacy preferences. If it's no PEBKAC on > your side ask freshaddress.com what the hell is going on. > > Bye, Frank > Frank, Thanks... I gave my old address only to HP using an online one I have for such purposes... GREG... From MikeE at ster.invalid Sun Oct 16 13:47:37 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Oct 16 15:50:02 2005 Subject: [SpamCop-List] Re: SPUR-M brought to you by Yahoo/Geocities now References: Message-ID: Pete wrote: > I do see success in shutting down > some sites and I'd like to continue to do so. Everyone should do their spamfighting and mail management in the way that suits them best. > I'll go my own way > when my account expires, and I suggest the same for everyone else. I don't understand why you would suggest that everyone here go some 'other way' than submitting spam to spamcop - or whatever it is you are suggesting. If it is a troll post looking for an argument, you should be more specific about what you are arguing about. If you are arguing whether or not you would rather pay for a spamcop reporting account or do something else, there's no argument there. 
If there's an argument that you don't think people should submit spam to spamcop, then you are going to have to provide some more 'ammunition' for your premise than simply alluding to some problem or condition of SC 'having trouble' with spamvertised links. > Spamcop has great difficulty with most links nowadays, which is why I > will not renew my subscription when it comes up again. Personally, I don't find that for my spam that SC's standard reporting to the providers of the spamvertised links was sufficiently useful that I wanted to do that. What to do about spamvertised links can be a completely separate subject from a discussion about whether or not people 'should be' feeding their spam to spamcop. So, I disagree with your 'advice' in which you 'suggest the same for everyone else' [here]. You are saying in effect, "You people here shouldn't be spamcop reporters." -- Mike Easter kibitzer, not SC admin From Nobody at SpamCop.net.dev.null Sun Oct 16 17:15:14 2005 From: Nobody at SpamCop.net.dev.null (Michael Brennan) Date: Sun Oct 16 17:20:15 2005 Subject: [SpamCop-List] Re: munging not sufficient References: <433F9EEE.E884EFB6@nopspam.invalid> <4342B512.C614C2D1@nopspam.invalid> Message-ID: <4352C2E2.6D0871E9@SpamCop.net.dev.null> WazoO wrote: > > > There are spammers and there are spammers and then there are spammers. > > Added "over there" under the Parsing & Reporting Service block. > Forum version of the SpamCop FAQ > http://forum.spamcop.net/forums/index.php?showtopic=2238 > This entry at "NEW! Insufficient Munging? Spammer 'Remove Lists'" > http://forum.spamcop.net/forums/index.php?showtopic=5062 Thanks for providing a "low-fi" version: my Netscape 4.75 can post that version properly, whereas the various "full" widescreen(?) versions won't post up properly in NS on my five-year-old, 800x600 12" screen, although they do post up readably and in my screen-width format in IE 5.5. 
Appreciate it, Michael From jbfrommi at sbcglobal.net Sun Oct 16 19:31:02 2005 From: jbfrommi at sbcglobal.net (Joyce Bogoian) Date: Sun Oct 16 18:35:03 2005 Subject: [SpamCop-List] Ralsky busted Message-ID: Just heard on the local news that Ralsky of West Bloomfield has been busted and faces 20 years in jail. Can't find anything on the internet about it though. From nobody at spamcop.net Sun Oct 16 19:36:16 2005 From: nobody at spamcop.net (Joyce) Date: Sun Oct 16 18:40:04 2005 Subject: [SpamCop-List] Ralsky busted Message-ID: Just heard on the local news that Alan Ralsky of West Bloomfield has been busted and faces 20 years in prison. I looked on the internet but can't find anything about it. From johnl at in.newsgroup.only Sun Oct 16 23:36:52 2005 From: johnl at in.newsgroup.only (JohnL) Date: Sun Oct 16 18:40:17 2005 Subject: [SpamCop-List] Re: Ralsky busted References: Message-ID: Joyce Bogoian wrote in news:diukb2$eem$1 @news.spamcop.net: > Just heard on the local news that Ralsky of West Bloomfield has been > busted and faces 20 years in jail. Can't find anything on the internet > about it though. > >From the N.A.N.A.E. NG... http://www.detnews.com/2005/technology/0510/16/B01-349738.htm From nobody at spamcop.net Sun Oct 16 19:42:38 2005 From: nobody at spamcop.net (Joyce) Date: Sun Oct 16 18:45:04 2005 Subject: [SpamCop-List] Re: Ralsky busted In-Reply-To: References: Message-ID: JohnL wrote: > > >>Just heard on the local news that Ralsky of West Bloomfield has been >>busted and faces 20 years in jail. Can't find anything on the internet >>about it though. >> >> >> > >From the N.A.N.A.E. NG... >http://www.detnews.com/2005/technology/0510/16/B01-349738.htm > > Thanks, could you do me a favor and delete your post. I posted without realizing that my real email addy was showing then cancelled it and reposted. 
From johnl at in.newsgroup.only Sun Oct 16 23:48:29 2005 From: johnl at in.newsgroup.only (JohnL) Date: Sun Oct 16 18:50:04 2005 Subject: [SpamCop-List] Re: Ralsky busted References: Message-ID: Joyce wrote in news:diul0q$f46$1@news.spamcop.net: > Thanks, could you do me a favor and delete your post. I posted without > realizing that my real email addy was showing then cancelled it and > reposted. I'll try, but I don't think SC allows deleting of posts any longer. Also, you posted in HTML, that's a no no. :) From nobody at spamcop.net Sun Oct 16 19:49:59 2005 From: nobody at spamcop.net (Joyce) Date: Sun Oct 16 18:50:13 2005 Subject: [SpamCop-List] Re: Ralsky busted In-Reply-To: References: Message-ID: JohnL wrote: >Joyce wrote in news:diul0q$f46$1@news.spamcop.net: > > > >>Thanks, could you do me a favor and delete your post. I posted without >>realizing that my real email addy was showing then cancelled it and >>reposted. >> >> > >I'll try, but I don't think SC allows deleting of posts any longer. > >Also, you posted in HTML, that's a no no. :) > > Oh, my, I didn't try to post in HTML. ==:-o It let me cancel my post, so I hope it's gone, it had my full name and real email address on it. From johnl at in.newsgroup.only Sun Oct 16 23:53:19 2005 From: johnl at in.newsgroup.only (JohnL) Date: Sun Oct 16 18:55:03 2005 Subject: [SpamCop-List] Re: Ralsky busted References: Message-ID: Joyce wrote in news:diulek$fa6$1@news.spamcop.net: > Oh, my, I didn't try to post in HTML. ==:-o Hey, S### happens at times. ;-) > > It let me cancel my post, so I hope it's gone, it had my full name and > real email address on it. I cancelled mine also, but I think it "shows" it's working, but the post doesn't go away. 
:( From nobody at spamcop.net Sun Oct 16 19:57:19 2005 From: nobody at spamcop.net (Joyce) Date: Sun Oct 16 19:00:03 2005 Subject: [SpamCop-List] Re: Ralsky busted In-Reply-To: References: Message-ID: JohnL wrote: >Joyce wrote in news:diulek$fa6$1@news.spamcop.net: > > > >>Oh, my, I didn't try to post in HTML. ==:-o >> >> > >Hey, S### happens at times. ;-) > > >>It let me cancel my post, so I hope it's gone, it had my full name and >>real email address on it. >> >> > >I cancelled mine also, but I think it "shows" it's working, but the post >doesn't go away. :( > > You're right. It doesn't go away, I went and check in IE and it was still there. I wonder if there's somebody that I can write to that would cancel them for me? *heavy sigh* From crappy.trappy at ntlworld.com Mon Oct 17 01:25:43 2005 From: crappy.trappy at ntlworld.com (Tim) Date: Sun Oct 16 19:30:02 2005 Subject: [SpamCop-List] Re: Ralsky busted In-Reply-To: References: Message-ID: > > From the N.A.N.A.E. NG... > http://www.detnews.com/2005/technology/0510/16/B01-349738.htm "I'm not a spammer," Ralsky said. "I'm a commercial e-mailer." They are the same thing! What a deluded twat Ralsky is. I can't believe he thinks he is doing nothing wrong! Just hope this is the end of his spamming for good!!! From usenet2 at DE.LETE.THISljvideo.com Mon Oct 17 00:50:23 2005 From: usenet2 at DE.LETE.THISljvideo.com (Larry J.) Date: Sun Oct 16 19:55:09 2005 Subject: [SpamCop-List] Re: Ralsky busted References: Message-ID: Waiving the right to remain silent, JohnL said: > Joyce Bogoian wrote in > news:diukb2$eem$1 @news.spamcop.net: > >> Just heard on the local news that Ralsky of West Bloomfield has >> been busted and faces 20 years in jail. Can't find anything on >> the internet about it though. >> > > From the N.A.N.A.E. NG... > http://www.detnews.com/2005/technology/0510/16/B01-349738.htm Yay..! 
"Warrants unsealed last week revealed that agents in September seized computers, laptops, financial records and disks from the 8,000- square-foot home of Alan M. Ralsky. The $750,000 West Bloomfield mini-mansion was built off profits..." Where I live, you would have to add another zero to the price of an 8,000 sq.ft. home. -- Larry J. - Remove spamtrap in ALLCAPS to e-mail "I've come here to enjoy nature. Don't talk to me about the environment!" - 'Denny Crane' From nobody at xyzzy.claranet.de Mon Oct 17 03:03:58 2005 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Sun Oct 16 20:10:03 2005 Subject: [SpamCop-List] Re: Ralsky busted References: Message-ID: <4352EA6E.38FB@xyzzy.claranet.de> Joyce wrote: > It doesn't go away Same here, that's a new feature. For some time there was a problem with a troll, probably that's why SC disabled it. > I wonder if there's somebody that I can write to that > would cancel them for me? *heavy sigh* Sure, deputies AT can do everything. Don't panic, spammers harvesting fresh addresses here are excessively stupid (and yes, my address is valid). Supersedes also doesn't work anymore (JFTR). Bye, Frank From johnl at in.newsgroup.only Mon Oct 17 01:10:43 2005 From: johnl at in.newsgroup.only (JohnL) Date: Sun Oct 16 20:15:03 2005 Subject: [SpamCop-List] Re: Ralsky busted References: <4352EA6E.38FB@xyzzy.claranet.de> Message-ID: Frank Ellermann wrote in news:4352EA6E.38FB@xyzzy.claranet.de: > Supersedes also doesn't work anymore (JFTR). Yeah, I tried that myself. ;-) From nobody at spamcop.net Sun Oct 16 21:27:02 2005 From: nobody at spamcop.net (Joyce) Date: Sun Oct 16 20:30:18 2005 Subject: [SpamCop-List] Re: Ralsky busted In-Reply-To: <4352EA6E.38FB@xyzzy.claranet.de> References: <4352EA6E.38FB@xyzzy.claranet.de> Message-ID: Frank Ellermann wrote: >Joyce wrote: > > > >>It doesn't go away >> >> > >Same here, that's a new feature. For some time there was >a problem with a troll, probably that's why SC disabled it. 
> > > >>I wonder if there's somebody that I can write to that >>would cancel them for me? *heavy sigh* >> >> > >Sure, deputies AT can do everything. Don't panic, spammers >harvesting fresh addresses here are excessively stupid (and >yes, my address is valid). > >Supersedes also doesn't work anymore (JFTR). Bye, Frank > > Thanks eversomuch, Frank! What is supersedes? I wrote to deputies, so hopefully they will cancel the posts for me. I am in a panic. My last email address was getting spammed about 200 per day and I couldn't take it if this one went the same way. From MikeE at ster.invalid Sun Oct 16 18:33:26 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Oct 16 20:35:03 2005 Subject: [SpamCop-List] Re: Ralsky busted References: <4352EA6E.38FB@xyzzy.claranet.de> Message-ID: Frank Ellermann wrote: > Same here, that's a new feature. For some time there was > a problem with a troll, probably that's why SC disabled it. Most or nearly all of the various configurations that were designed to be anti-troll were absolutely worthless against the 'particular' and main trollperson, and mostly never did anything but cause various problems, with one exception. Some of the moves were not well thought-out strategies at all. My personal opinion about those tactics or countermeasures was that the only thing that the spamcop news manager /should/ have done about countering the troll problem was to put the nntp posting host into the overview and to have done nothing else. A regular normal poster got blocked and the cancel business was lost. > Supersedes also doesn't work anymore (JFTR). Bye, Frank -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sun Oct 16 18:37:24 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Oct 16 20:40:02 2005 Subject: [SpamCop-List] Re: Ralsky busted References: <4352EA6E.38FB@xyzzy.claranet.de> Message-ID: Joyce wrote: > I am in a panic. 
> My last email address was getting spammed about 200 per day and I couldn't
> take it if this one went the same way.

Don't panic. I don't think standard From XOVER harvesting bots are what work this newsserver. I think there are some spammers who lurk in here, but not for purposes of harvesting Froms.

IMO your 'little' From exposure here isn't very important; and your addy cite by Frank is even less important.

Easy for me to say, since it isn't mine ;-)

--
Mike Easter
kibitzer, not SC admin

From nobody at xyzzy.claranet.de Mon Oct 17 03:36:32 2005
From: nobody at xyzzy.claranet.de (Frank Ellermann)
Date: Sun Oct 16 20:40:12 2005
Subject: [SpamCop-List] Re: SPUR-M brought to you by Yahoo/Geocities now
References:
Message-ID: <4352F210.3F3@xyzzy.claranet.de>

Berny wrote:

> took > 10 tries, in fact geocities links are almost the
> only ones that SC doesn't seem to want to bother with

On the "solid" base of N = 1 cases I guess that this issue also depends on the FQDN: sg.geocities worked immediately.

But nslookup -q=ns uk.geocities vs. sg.geocities offers no clue why that might be relevant, both say that the canonical name is geocities, period. And there are six name servers ns(1|4|5).yahoo.com plus (use1|eur1|ns1-92).akam.net

Exactly the same six IPs in the same order in the additional info. Therefore my conclusion is that SpamCop deliberately throttles some but not all geocities complaints.

Which is strange, after all it's perfectly okay if Yahoo! wants to be an organization like say Kornet, they could disable all SC reports or trash them as they see fit - without playing games with SC users ?!?

Bye, Frank

From nobody at xyzzy.claranet.de Mon Oct 17 04:07:04 2005
From: nobody at xyzzy.claranet.de (Frank Ellermann)
Date: Sun Oct 16 21:15:12 2005
Subject: [SpamCop-List] Re: Ralsky busted
References: <4352EA6E.38FB@xyzzy.claranet.de>
Message-ID: <4352F938.33F7@xyzzy.claranet.de>

Joyce wrote:

> What is supersedes?
A new article simultaneously cancelling an old article - most news servers support this. So instead of two articles...

 1st with header field Control: cancel
 2nd ordinary article with the new text

...you'd do both in one article with new text adding a header field Supersedes: . Plus the usual caveats like same From and same Newsgroups as in the old superseded article.

> I wrote to deputies, so hopefully they will cancel the
> posts for me.

Yes, but it's still Sunday for Ellen, so better hold your breath until tomorrow. Bye, Frank

From nobody at xyzzy.claranet.de Mon Oct 17 04:18:50 2005
From: nobody at xyzzy.claranet.de (Frank Ellermann)
Date: Sun Oct 16 21:20:03 2005
Subject: [SpamCop-List] Re: Ralsky busted
References: <4352EA6E.38FB@xyzzy.claranet.de>
Message-ID: <4352FBFA.2084@xyzzy.claranet.de>

JohnL wrote:

>> Supersedes also doesn't work anymore (JFTR).
> Yeah, I tried that myself. ;-)

Yes, I saw your two tests at the same time as my second test (that was a Supersedes). With news admins you never know... Our cancel attempts were technically fine (checked in control.cancel), they only had no effect.

Bye, Frank

From johnl at in.newsgroup.only Mon Oct 17 02:29:53 2005
From: johnl at in.newsgroup.only (JohnL)
Date: Sun Oct 16 21:30:03 2005
Subject: [SpamCop-List] Re: Ralsky busted
References: <4352EA6E.38FB@xyzzy.claranet.de> <4352FBFA.2084@xyzzy.claranet.de>
Message-ID:

Frank Ellermann wrote in news:4352FBFA.2084 @xyzzy.claranet.de:

> Our cancel attempts
> were technically fine (checked in control.cancel),
> they only had no effect.
> Bye, Frank

Cancels were fine, server was not. ;-)

From sorcerer2 at hotmail.com Sun Oct 16 22:55:58 2005
From: sorcerer2 at hotmail.com (Sir Sorcerer)
Date: Sun Oct 16 22:00:02 2005
Subject: [SpamCop-List] Decoding problems
Message-ID:

RE:
http://www.spamcop.net/sc?id=z816460354z92a8d31f32a0c5286d7d37ba0af55dbcz
and numerous others...
It appears that links such as

http://edu37-s.213-81-187.telecom.sk/%20/https:/www.paypal.com/cgi-bin/login
_submit/update.html

Are not properly detected because of the %20 causing a ascii space to the decoder.

From borgholio at storymind.com Sun Oct 16 20:01:04 2005
From: borgholio at storymind.com (Borgholio)
Date: Sun Oct 16 22:05:04 2005
Subject: [SpamCop-List] Re: Ralsky busted
In-Reply-To:
References: <4352EA6E.38FB@xyzzy.claranet.de>
Message-ID:

Mike Easter wrote:
> Frank Ellermann wrote:
>
>
>>Same here, that's a new feature. For some time there was
>>a problem with a troll, probably that's why SC disabled it.
>
>
> Most or nearly all of the various configurations that were designed to
> be anti-troll were absolutely worthless against the 'particular' and
> main trollperson, and mostly never did anything but cause various
> problems, with one exception.
>
> Some of the moves were not well thought-out strategies at all.
>
> My personal opinion about those tactics or countermeasures was that the
> only thing that the spamcop news manager /should/ have done about
> countering the troll problem was to put the nntp posting host into the
> overview and to have done nothing else. A regular normal poster got
> blocked and the cancel business was lost.
>
>
>>Supersedes also doesn't work anymore (JFTR). Bye, Frank
>
>

Yeah I was that normal poster. Was without my daily dose of .social for a month. Not fun. :)

From nobody at devnull.spamcop.net Sun Oct 16 22:02:27 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Sun Oct 16 22:05:15 2005
Subject: [SpamCop-List] Re: Ralsky busted
References: <4352EA6E.38FB@xyzzy.claranet.de>
Message-ID:

"Joyce" wrote in message news:diur4h$iq8$1@news.spamcop.net...
> Frank Ellermann wrote:
> >Joyce wrote:
> >
> >Same here, that's a new feature. For some time there was
> >a problem with a troll, probably that's why SC disabled it.
> >
> >>I wonder if there's somebody that I can write to that
> >>would cancel them for me?
*heavy sigh* > > > >Sure, deputies AT can do everything. Don't panic, spammers > >harvesting fresh addresses here are excessively stupid (and > >yes, my address is valid). > > > >Supersedes also doesn't work anymore (JFTR). Bye, Frank > > Thanks eversomuch, Frank! What is supersedes? I wrote to deputies, so > hopefully they will cancel the posts for me. I am in a panic. My last > email address was getting spammed about 200 per day and I couldn't take > it if this one went the same way. Not sure why this has gone on so long with the bad advice still standing. The Deputies have no control/access to the spamcop.net newsgroup server. This resource is running on JT's hardware on the opposite coast, as is the Forum. The only Admin person with access to the newsserver is JT. From johnl at in.newsgroup.only Mon Oct 17 03:07:35 2005 From: johnl at in.newsgroup.only (JohnL) Date: Sun Oct 16 22:10:02 2005 Subject: [SpamCop-List] Re: Ralsky busted References: <4352EA6E.38FB@xyzzy.claranet.de> Message-ID: Borgholio wrote in news:div0km$lsl$1@news.spamcop.net: > Yeah I was that normal poster. Was without my daily dose of .social > for a month. Not fun. :) Normal? YOU???? From nobody at devnull.spamcop.net Sun Oct 16 23:17:34 2005 From: nobody at devnull.spamcop.net (Sofa King Tyred of Lar Ting) Date: Sun Oct 16 22:20:03 2005 Subject: [SpamCop-List] Re: Hats off to uk.easynet.net In-Reply-To: References: Message-ID: No Spam wrote: [hoop details deleted] > Well, I am now a professional hoop jumper.... > > Also see http://tqmcube.com/hotmail.htm > > Cheers Ok - I see your point - seems it's easier to report it through SpamCop since their connection seems to be a "Vulcan mind meld" compared to what you just showed. Anyway, your point is subtly different than my intended point, but I see that the terms I used ("obfuscation" and "shirking") do appear to hold up in your hoops. 
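The cancel and Supersedes mechanics Frank Ellermann describes earlier in this thread, as an added example (not code from the list or from any news server): it reads a follow-up article and checks the caveats he names, same From and same Newsgroups as the article being replaced. The addresses, group name and Message-IDs are constructed, and the function names are hypothetical.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample articles (not taken from the list archive).
ORIGINAL = """\
From: Poster <poster@example.invalid>
Newsgroups: example.test
Subject: first try
Message-ID: <orig.1@example.invalid>

text posted with the wrong address showing
"""

# Variant 1: a separate control article that only cancels.
CANCEL = """\
From: Poster <poster@example.invalid>
Newsgroups: example.test
Subject: cmsg cancel <orig.1@example.invalid>
Control: cancel <orig.1@example.invalid>
Message-ID: <cancel.1@example.invalid>

cancelled by author
"""

# Variant 2: one article that carries the new text and replaces the old one.
SUPERSEDE = """\
From: Poster <poster@example.invalid>
Newsgroups: example.test
Subject: second try
Supersedes: <orig.1@example.invalid>
Message-ID: <new.1@example.invalid>

corrected text
"""

# Same request, but sent under a different From address.
FORGED = SUPERSEDE.replace("poster@example.invalid", "someone.else@example.invalid")


def target_of(article):
    """Return (kind, message-id) the article asks to remove, or (None, None)."""
    control = article.get("Control", "").split()
    if len(control) == 2 and control[0].lower() == "cancel":
        return "cancel", control[1]
    supersedes = article.get("Supersedes", "").strip()
    if supersedes:
        return "supersedes", supersedes
    return None, None


def sender(article):
    """Bare, lower-cased address from the From header."""
    return parseaddr(article.get("From", ""))[1].lower()


def groups(article):
    """Set of newsgroups the article was posted to."""
    raw = article.get("Newsgroups", "")
    return {g.strip().lower() for g in raw.split(",") if g.strip()}


def check_removal(original_text, followup_text):
    """Check the caveats from the thread: right target, same From, same Newsgroups.

    From is trivially forgeable, so this is a consistency check and not
    authentication; a server is free to ignore cancels altogether.
    """
    original = message_from_string(original_text)
    followup = message_from_string(followup_text)
    kind, target = target_of(followup)
    if kind is None:
        return None, ["no Control: cancel or Supersedes header"]
    problems = []
    if target != original.get("Message-ID", "").strip():
        problems.append("target Message-ID does not match")
    if sender(followup) != sender(original):
        problems.append("From differs")
    if groups(followup) != groups(original):
        problems.append("Newsgroups differ")
    return kind, problems


if __name__ == "__main__":
    for name, text in (("cancel", CANCEL), ("supersede", SUPERSEDE), ("forged", FORGED)):
        print(name, check_removal(ORIGINAL, text))
```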
From borgholio at storymind.com Sun Oct 16 20:42:52 2005
From: borgholio at storymind.com (Borgholio)
Date: Sun Oct 16 22:45:05 2005
Subject: [SpamCop-List] Re: Ralsky busted
In-Reply-To:
References: <4352EA6E.38FB@xyzzy.claranet.de>
Message-ID:

JohnL wrote:
> Borgholio wrote in
> news:div0km$lsl$1@news.spamcop.net:
>
>
>>Yeah I was that normal poster. Was without my daily dose of .social
>>for a month. Not fun. :)
>
>
> Normal? YOU????

Compared to the other .socialites, yes. :)

From MikeE at ster.invalid Sun Oct 16 21:06:21 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Oct 16 23:10:03 2005
Subject: [SpamCop-List] Re: Decoding problems
References:
Message-ID:

Sir Sorcerer wrote:

www.spamcop.net/sc?id=z816460354z92a8d31f32a0c5286d7d37ba0af55dbcz

> and numerous others...

X-Content-Type: text/html
X-SpamCop-note: Converted to text/plain by SpamCop (outlook/eudora hack)

That doesn't represent a proper 'portrayal' of the original spam. It is a hack of a hack of a hack.

Once upon a time 'something' or another was an original spam.

Then that original item was hacked by something like Outlook or Eudora turning it into a MAPI conversion of the original html body.

Then that was hacked yet *again* by turning it /back/ from a MAPI conversion into a pretense or resemblance of the original html.

Then it was hacked *AGAIN* by spamcop's OL/Eudora hackhackhack hack.

So, now we are supposedly going to talk about some kind of minor problem with whatever became of what used to be in the body of some original spam that is long gone. Destroyed.

The tracker displays a 'fake' spam remanufactured from the ghost of the vestiges of something else that we don't know what it used to be.

The only thing left with any integrity is the original headers, almost all of which survive the processes because OL preserves the headers during that slicing and dicing..
> It appears that links such as
>
> http://edu37-s.213-81-187.telecom.sk/%20/https:/www.paypal.com/cgi-bin/login
> _submit/update.html
>
> Are not properly detected because of the %20 causing a ascii space to
> the decoder.

If there were such a condition in the original, it wouldn't be a legitimate link.

If you can find a copy of the original spam somewhere without it ever having been a part of OL's stored messages, and if you can also find a way to 'present' that original, we can take a look at that original spambody and see what the original link used to look like. Maybe it was no good and maybe it was 'real'.

--
Mike Easter
kibitzer, not SC admin

From johnl at in.newsgroup.only Mon Oct 17 04:20:31 2005
From: johnl at in.newsgroup.only (JohnL)
Date: Sun Oct 16 23:25:02 2005
Subject: [SpamCop-List] Re: Ralsky busted
References: <4352EA6E.38FB@xyzzy.claranet.de>
Message-ID:

Borgholio wrote in news:div332$lsl$2 @news.spamcop.net:

> Compared to the other .socialites, yes. :)

Now _that's_ debatable. ;-)

From borgholio at storymind.com Sun Oct 16 21:29:16 2005
From: borgholio at storymind.com (Borgholio)
Date: Sun Oct 16 23:30:02 2005
Subject: [SpamCop-List] Re: Ralsky busted
In-Reply-To:
References: <4352EA6E.38FB@xyzzy.claranet.de>
Message-ID:

JohnL wrote:
> Borgholio wrote in news:div332$lsl$2
> @news.spamcop.net:
>
>
>>Compared to the other .socialites, yes. :)
>
>
> Now _that's_ debatable. ;-)

Of course it is. :)

From nobody at xyzzy.claranet.de Mon Oct 17 06:58:07 2005
From: nobody at xyzzy.claranet.de (Frank Ellermann)
Date: Mon Oct 17 00:00:06 2005
Subject: [SpamCop-List] Re: Ralsky busted
References: <4352EA6E.38FB@xyzzy.claranet.de>
Message-ID: <4353214F.6E9E@xyzzy.claranet.de>

WazoO wrote:

> Not sure why this has gone on so long with the bad advice
> still standing. The Deputies have no control/access to the
> spamcop.net newsgroup server. This resource is running on
> JT's hardware on the opposite coast, as is the Forum.
The > only Admin person with access to the newsserver is JT. Never heard about this, and the warning I got for a complaint with SC about something here was from Don, not JT. If you know a better address than deputies AT just post it. From johnl at in.newsgroup.only Mon Oct 17 05:03:19 2005 From: johnl at in.newsgroup.only (JohnL) Date: Mon Oct 17 00:05:04 2005 Subject: [SpamCop-List] Re: Ralsky busted References: <4352EA6E.38FB@xyzzy.claranet.de> <4353214F.6E9E@xyzzy.claranet.de> Message-ID: Frank Ellermann wrote in news:4353214F.6E9E@xyzzy.claranet.de: > WazoO wrote: > >> Not sure why this has gone on so long with the bad advice >> still standing. The Deputies have no control/access to the >> spamcop.net newsgroup server. This resource is running on >> JT's hardware on the opposite coast, as is the Forum. The >> only Admin person with access to the newsserver is JT. > > Never heard about this, and the warning I got for a complaint > with SC about something here was from Don, not JT. If you > know a better address than deputies AT just post it. > > While it _is_ JT's servers that support the NG's, which he seems to forget about quite a bit, Ellen does have a way to get to him faster than the average person. ;-) I've always received faster results going thru Ellen than ever from JT. (Sorry Ellen, but your dedication to service makes you the way to go ) From nobody at xyzzy.claranet.de Mon Oct 17 07:23:45 2005 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Mon Oct 17 00:30:04 2005 Subject: [SpamCop-List] Re: Decoding problems References: Message-ID: <43532751.575B@xyzzy.claranet.de> Mike Easter wrote: > Once upon a time 'something' or another was an original spam. LOL. > Then it was hacked *AGAIN* by spamcop's OL/Eudora > hackhackhack hack. It appears to be rather fine, only replacing the alleged text/html by text/plain might be a bit overzealous... > it wouldn't be a legitimate link. ...nothing wrong with the link, TTBOMK %20 should be okay. 
Spamcop's plain text parser is of course seriously confused - not its job to parse HTML - but OTOH a report to spoof@ebay for this crap is not too bad. Bye, Frank From devnull at spamcop.net Mon Oct 17 01:13:54 2005 From: devnull at spamcop.net (Frog Prince) Date: Mon Oct 17 00:30:16 2005 Subject: [SpamCop-List] Re: Ralsky busted References: <4352EA6E.38FB@xyzzy.claranet.de> Message-ID: "Borgholio" | >>Yeah I was that normal poster. Was without my daily dose of .social | >>for a month. Not fun. :) | > | > | > Normal? YOU???? | | Compared to the other .socialites, yes. :) I'd bet you are more the standard deviant than the norm From nobody at devnull.spamcop.net Mon Oct 17 14:30:44 2005 From: nobody at devnull.spamcop.net (Patto) Date: Mon Oct 17 00:35:03 2005 Subject: [SpamCop-List] ReportPhish.org ? Message-ID: I have been reporting all phishes to the address specified at http://www.reportphish.org/ for a few weeks now. But I have started wondering if this is really worth the effort. They do not say anything on their website _what_ they are actually doing with these reports. Does anybody here know something more about ReportPhish.org than the little information that can be found on their website? From johnl at in.newsgroup.only Mon Oct 17 05:32:11 2005 From: johnl at in.newsgroup.only (JohnL) Date: Mon Oct 17 00:35:13 2005 Subject: [SpamCop-List] Re: Ralsky busted References: <4352EA6E.38FB@xyzzy.claranet.de> Message-ID: "Frog Prince" wrote in news:div98t$r7b$1 @news.spamcop.net: > I'd bet you are more the standard deviant than the norm Nah, he's more the exceptional deviant. 
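Added example, not part of any poster's message and not SpamCop's code: the failure described in the "Decoding problems" thread above, reproduced under the assumption that a message body is percent-decoded before links are tokenised, next to an extractor that tokenises the raw text first. The sample body is constructed around the link quoted in the thread (rejoined across the quote wrap), and all function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample body; only the link comes from the thread (rejoined
# across the quote wrap). Everything else here is illustrative.
SAMPLE_BODY = (
    "Please confirm your account details at\n"
    "http://edu37-s.213-81-187.telecom.sk/%20/https:/www.paypal.com/"
    "cgi-bin/login_submit/update.html today.\n"
)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# A scheme plus hostname appearing inside a path, with one or two slashes.
EMBEDDED_RE = re.compile(r"https?:/{1,2}([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)
TRAILING = ".,;:!?)]}'\""


def naive_extract(body):
    """Assumed failure mode: decode percent-escapes first, then tokenise.

    %20 becomes a real space, so the link is cut off after the hostname.
    """
    return [m.group(0) for m in URL_RE.finditer(unquote(body))]


def extract_links(body):
    """Tokenise the raw text, then decode each URL component separately."""
    links = []
    for m in URL_RE.finditer(body):
        raw = m.group(0).rstrip(TRAILING)
        parts = urlsplit(raw)
        path = unquote(parts.path)
        embedded = [h.lower() for h in EMBEDDED_RE.findall(path)]
        links.append({
            "raw": raw,
            "host": parts.hostname,          # where the request really goes
            "decoded_path": path,
            "embedded_hosts": embedded,      # names shown only as a lure
            "host_mismatch": any(h != parts.hostname for h in embedded),
        })
    return links


if __name__ == "__main__":
    print(naive_extract(SAMPLE_BODY))
    for link in extract_links(SAMPLE_BODY):
        print(link)
```

For reporting, the `host` field is the one that identifies the server actually hosting the page; the embedded name is only what the recipient is meant to notice.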
From borgholio at storymind.com Sun Oct 16 22:49:23 2005 From: borgholio at storymind.com (Borgholio) Date: Mon Oct 17 00:50:03 2005 Subject: [SpamCop-List] Re: Ralsky busted In-Reply-To: References: <4352EA6E.38FB@xyzzy.claranet.de> Message-ID: JohnL wrote: > "Frog Prince" wrote in news:div98t$r7b$1 > @news.spamcop.net: > > >>I'd bet you are more the standard deviant than the norm > > > Nah, he's more the exceptional deviant.