From redford_stone at INVERSE_OF_COLDmail.com Thu Sep 1 08:29:39 2005
From: redford_stone at INVERSE_OF_COLDmail.com (Redstone)
Date: Thu Sep 1 03:30:02 2005
Subject: [SpamCop-List] Re: Dumbest of the dumb
References:
Message-ID:

"Pop" wrote in news:detin5$h84$1@news.spamcop.net:

>:
> And a few egotistical bass turds who think everyone has to be an
> expert before they can touch a keyboard, from the sound of it.
> They forget they were newbies once too. Education, not whining
> and moaning is what's needed, not castrating dummies like wrote
> the above. Get real; your "cute" is rather "ugly".
>
>

Hey, ding-dong.. re-read what I said.. I meant TERMINALLY DUMB. Meaning those who are NOT willing to LEARN anything about using PCs properly.

I know I was a newbie once. I educated myself on PC usage, and I educated others.. I still do to this day. However, I still encounter people who refuse to do things like update their software or install a simple firewall/filter like ZoneAlarm. (And then come back to me complaining that their machine was compromised.)

My words of what I originally wrote above are carefully chosen. The only "castrating dummy" seems to be yourself since you decided to not read what I wrote and drew a stupid conclusion. You could have inquired about what I meant and I would have gladly explained.

Your "ugly" is still "ugly". It was not appreciated.

From redford_stone at INVERSE_OF_COLDmail.com Thu Sep 1 08:33:07 2005
From: redford_stone at INVERSE_OF_COLDmail.com (Redstone)
Date: Thu Sep 1 03:35:02 2005
Subject: [SpamCop-List] Re: Dumbest of the dumb
References: <4314CEF9.B5C3816E@spamcop.net>
Message-ID:

Kenneth Brody wrote in news:4314CEF9.B5C3816E@spamcop.net:

>
> I see nothing in the quoted material suggesting the banning of newbies.
>
> There's a world of difference between "terminally dumb" and "newbie".
> Education will not help the terminally dumb.
>

Thank you, Kenneth.. you interpreted my words correctly.
Hey Pop, you can learn something from Kenneth here. ("Egotistical" indeed.)

From redford_stone at INVERSE_OF_COLDmail.com Thu Sep 1 08:46:05 2005
From: redford_stone at INVERSE_OF_COLDmail.com (Redstone)
Date: Thu Sep 1 03:50:02 2005
Subject: [SpamCop-List] Re: Cleaning up and preventing malware (was mypctuneup.com)
References:
Message-ID:

Brian wrote in news:df3e94$tuh$1@news.spamcop.net:

>
>
> ZoneAlarm is also good. I've used both and have a preference for
> Sygate, but like I said, that will likely change soon once Symantec
> gets their hands on it. Who knows what will evolve, but it most likely
> will not be good.
>

Anyone remember good ol' ATguard? :-)

From redford_stone at INVERSE_OF_COLDmail.com Thu Sep 1 08:52:48 2005
From: redford_stone at INVERSE_OF_COLDmail.com (Redstone)
Date: Thu Sep 1 03:55:03 2005
Subject: [SpamCop-List] Re: And what's with frontline.net Spammer or just black hat?
References:
Message-ID:

"Berny" wrote in news:deog5p$2ds$1@news.spamcop.net:

> "Mainsleaze" from banddly.com,,, (Sounds like a Ralsky name)
>
> Pills, mortgages and eye surgery so far
>
>
>

Received several of these a few days ago.. LARTed and haven't received anything new so far. I believe they do have a Spamhaus listing.

From redford_stone at INVERSE_OF_COLDmail.com Thu Sep 1 08:54:27 2005
From: redford_stone at INVERSE_OF_COLDmail.com (Redstone)
Date: Thu Sep 1 03:55:04 2005
Subject: [SpamCop-List] Re: New bulletproof hosting, uk.geocities
References:
Message-ID:

"Berny" wrote in news:deofnj$273$1@news.spamcop.net:

> Between whatever security weakness that allows mass creation of
> spamvertizing sites and SC's steadfast refusal to parse
> http://uk.geocities.com/*whatever*, means that the half life of these
> spamsites is increased, because many of us would rather not go through
> more hoops to LART these.
>
>

Have you gone to Geocities webform to report it? Did it before and it worked.. though sometimes it took a bit longer than usual.

From redford_stone at INVERSE_OF_COLDmail.com Thu Sep 1 09:08:16 2005
From: redford_stone at INVERSE_OF_COLDmail.com (Redstone)
Date: Thu Sep 1 04:10:03 2005
Subject: [SpamCop-List] Spammer URL generator trashed.
Message-ID:

Trying to find a link in a spam for LARTing, I came across this: that one is just an 'ordinary' thread. The weirdness starts here

http://snipurl.com/hd66
From: "Mike Easter"
Date: Wed, 17 Aug 2005 13:30:05 -0700
Message-ID: <43039e41$0$66678$892e7fe2@authen.white.readfreenews.net>

where I start trying to figure out what is going on with the regurgitation. I was all screwed up in the beginning because the OP was a comcast poster and the JLA condition comes from RR.

But, the point is about the problems of webforums which feed into nntp newsgroups.

What that has to do with 'this place' [trying to come back on topic] is that a good ie properly integrated webforum to newsgroup condition would be desirable for something like spamcop - but that many discussions about trying to do it, such as the recent one in news.software.readers seem to show up more problems than solutions -- even tho' many people would like to make it work properly.

--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Thu Sep 1 10:01:44 2005
From: nobody at devnull.spamcop.net (Pop)
Date: Thu Sep 1 09:05:03 2005
Subject: [SpamCop-List] Re: OT: Re: Cleaning up and preventing malware (was mypctuneup.com)
References:
Message-ID:

"Pete Stephenson" wrote in message
news:pete+usenet-7557BA.15315831082005@news.cesmail.net...
: In article ,
: "Pop" wrote:
:
: > Boy I'm glad you'll never get to work on my system. You have a
: > half assed idea of reality but apparently no true knowledge of
: > what you're doing. Symantec and McAfee have nothing to do with
: > malware being on a system to start with, and much more.
:
: I've found that Symantec and McAfee to be quite bloated and overpriced
: for what they do.
: There are far better programs out there available
: cheaper (or free) than those offered by Symantec/McAfee that do a better
: job.

===> Yeah, I can agree with that if we're talking antivirus and maybe firewall stuff. I use one of the Symantec suites (SystemWorks) quite successfully and happily because it's more "turnkey" than the separate pieces and as long as a system is well maintained I don't find any problems with Symantec in particular; haven't used McAfee in a long time. I got the first suite as a gift and liked it so have kept the upgrades going so far. Not sure it's a permanent situation though.

:
: I've found Grisoft AVG to be a bit "lighter" in terms of resources than
: Norton Antivirus, as well as being faster and detecting just as much
: stuff.

===> Yup; that's what I usually advise others to use. It works well and is easy to use once they get used to it. I think it's more forgiving of os difficulties, too.

:
: SpyBot and Adaware are much better than many "commercial" spyware
: removal programs I've tried.

===> Staples, for sure. I use them, plus Spyware Guard I think it is, and WinPatrol.

:
: Given a choice, I'd much prefer other software over Symantec and McAfee
: products. If the user didn't pay for their software (i.e. with the
: Norton Antivirus 30-day trial that comes with many new PCs), I advise
: them to uninstall it and install AVG Free. If they have paid for it, I
: recommend they run both, then uninstall Norton when the paid time period
: expires.

===> Umm, I usually play that part by ear: It depends on the owner and what kind of attitudes they have. One of my problems with the original post was the implication that Norton for example was a must to remove and working on a system almost required its removal. Bad attitude and incorrect. I can agree with the cost issue but not the difficulty of running the software on a well maintained machine.
Personally I've used the Norton products since their days of free software and don't mind giving them back a buck or two for their many years of free support. I even still use one of their old programs (chmod.com), believe it or not. I almost couldn't believe it was capable of running so well on XP et al, but it does and to date no other program does that stuff as easily or as quickly. And no, that's Peter Norton's chmod, not the Unix chmod. It does an operation to all folders with built in redundancy check so it won't try to copy to the destination or itself. Small and fast.

:
: Just my $0.02. I've fixed and maintained several PCs without using any
: commercial software at all, and they tend to run a bit better than those
: with big-name security/anti-virus software. Maybe I've trained the users
: a bit better. :)

===> I wouldn't doubt that! Training is everything these days. Sometimes I can agree 100% with the whole para, sometimes I can't; depends on a lot of things such as speed, maintenance, etc., and what suite or parts thereof are being used for what.

Regards,

Pop

:
: --
: Pete Stephenson
: HeyPete.com

From nobody at devnull.spamcop.net Thu Sep 1 10:15:34 2005
From: nobody at devnull.spamcop.net (Pop)
Date: Thu Sep 1 09:20:02 2005
Subject: [SpamCop-List] Re: OT: Re: Cleaning up and preventing malware (was mypctuneup.com)
References:
Message-ID:

"Brian" wrote in message
news:df5iku$bmq$1@news.spamcop.net...
: Pete Stephenson wrote:
: > In article ,
: > "Pop" wrote:
: >
: >
: >>Boy I'm glad you'll never get to work on my system. You have a
: >>half assed idea of reality but apparently no true knowledge of
: >>what you're doing. Symantec and McAfee have nothing to do with
: >>malware being on a system to start with, and much more.
: >
: >
: > I've found that Symantec and McAfee to be quite bloated and overpriced
: > for what they do.
: > There are far better programs out there available
: > cheaper (or free) than those offered by Symantec/McAfee that do a better
: > job.
: >
:
: This is the feeling of many people that deal with security.

===> It's also not the feeling of many people that deal with security.

:
: > I've found Grisoft AVG to be a bit "lighter" in terms of resources than
: > Norton Antivirus, as well as being faster and detecting just as much
: > stuff.
: >
: > SpyBot and Adaware are much better than many "commercial" spyware
: > removal programs I've tried.
: >
:
: Some people feel that because it's from BIG COMPANY that it's better.
: Time and time again the opposite has proven to be true.

===> And some people don't feel that way.

:
: > Given a choice, I'd much prefer other software over Symantec and McAfee
: > products. If the user didn't pay for their software (i.e. with the
: > Norton Antivirus 30-day trial that comes with many new PCs), I advise
: > them to uninstall it and install AVG Free. If they have paid for it, I
: > recommend they run both, then uninstall Norton when the paid time period
: > expires.
: >
:
: I recommend they uninstall it even if they have just purchased it. It's
: not a good idea to have two anti-virus or firewalls (other than Windows)
: installed at the same time. This usually causes conflicts and you end up
: with less protection.

===> I don't believe anyone has recommended running parallel anything here. Moot point, IMO.

:
: > Just my $0.02. I've fixed and maintained several PCs without using any
: > commercial software at all, and they tend to run a bit better than those
: > with big-name security/anti-virus software. Maybe I've trained the users
: > a bit better. :)
: >
:
: I totally agree. I've worked on many computers over the years and have
: had excellent results with the arsenal that I've mentioned. The scans
: come up clean. The paid versions offer a little more functionality and
: ease of operation, but they are not necessary.

===> Older ones will, that's definitely true. Not true of anything approaching the GHz rates though. Today's new apps are written for today's machines. You forget too that sometimes "necessary" is in the eye of the beholder. And how do you think the "big names" got their big names? It wasn't just marketing and never was. Talking a user into something they don't feel comfortable with, because you think you can show how smart you are, often leaves that user with an uncomfortable confidence in you.

: The computers run faster,
: though my process also 'tunes' them.

===> Uhh, I respectfully submit that computers do not require "tuning". Tuning hasn't been required since the days of Brainiac.

:
: The training is also a key part. I usually work on people's computers
: with them there. As I'm going through their computer I'm also showing
: them how to "Practice Safe Hex."

===> And that's a great thing to do.

:
: No matter how much protection you provide - short of disabling Internet
: access - the user always has control and can click the button that will
: install some nasties.

===> True. But you can certainly make it more difficult to do. Even asking for a virus shouldn't result in a virus being placed on the machine without a notification. But then, like you said ...

Regards,

Pop

:
:
: --
: Brian
: SC.10.myspamgobbler@spamcowboy.net

From nobody at nowhere.net Thu Sep 1 10:25:33 2005
From: nobody at nowhere.net (PJ6)
Date: Thu Sep 1 09:30:03 2005
Subject: [SpamCop-List] FTC
Message-ID:

If I were to file a complaint with the FTC to take advantage of the CAN SPAM act, does it stand a chance of doing anything, or is this just a throwaway report that goes nowhere?

https://rn.ftc.gov/pls/dod/wsolcq$.startup?Z_ORG_CODE=PU01

Paul

From nobody at spamcop.net Thu Sep 1 10:54:28 2005
From: nobody at spamcop.net (indigo)
Date: Thu Sep 1 09:55:03 2005
Subject: [SpamCop-List] Re: Cleaning up and preventing malware (was mypctuneup.com)
References:
Message-ID:

Redstone wrote:
> Brian wrote in
> news:df3e94$tuh$1@news.spamcop.net:
>
> >
> >
> > ZoneAlarm is also good. I've used both and have a preference for
> > Sygate, but like I said, that will likely change soon once Symantec
> > gets their hands on it. Who knows what will evolve, but it most
> > likely will not be good.
> >
>
> Anyone remember good ol' ATguard? :-)

Still use it at home. Love it.

From MikeE at ster.invalid Thu Sep 1 08:16:12 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Sep 1 10:20:03 2005
Subject: [SpamCop-List] Re: FTC
References:
Message-ID:

PJ6 wrote:
> If I were to file a complaint with the FTC to take advantage of the
> CAN SPAM act, does it stand a chance of doing anything, or is this
> just a throwaway report that goes nowhere?

I don't think that 'you can spam' is a very worthwhile act. If you ask me the dichotomy or choice between 'a chance of doing anything' vs a 'report that goes nowhere' -- I would vote for a 'qualified' nowhere over /doing/ anything.

However, that being sed, I do think that the FTC amasses a big pile of digital information, and that some 'ones' may use that pile to look thru' when they are working on some 'project' or case or research or something. I don't think that the information /goes/ nowhere -- it goes into a pile which /is/ worth more than nothing..

> https://rn.ftc.gov/pls/dod/wsolcq$.startup?Z_ORG_CODE=PU01

I certainly wouldn't be filling out that form.
If anything, I would be including a copy of my spams to spam@uce.gov -

The information at the link you posted for which a/the preceding link is here http://www.ftc.gov/bcp/conline/edcams/spam/index.html -- has a lot more 'positive' or favorable 'attitude' about canspam than most other more critical information you might choose to read.

Start with the links here http://spamlinks.net/legal.htm#us-nat-active

CAN-SPAM, or S.877 / HR 2214 is now active in the US. It fails to address the main issues with spam, that spam is sent unsolicited, and in bulk.

.. and then follow those links to the various sites which discuss the problems with canspam. The one at spamhaus is pretty good.

--
Mike Easter
kibitzer, not SC admin

From nobody at spamcop.net Thu Sep 1 09:49:12 2005
From: nobody at spamcop.net (Ellen)
Date: Thu Sep 1 10:20:05 2005
Subject: [SpamCop-List] Re: Cleaning up and preventing malware (was mypctuneup.com)
References:
Message-ID:

--
"Mike Easter" wrote in message news:df4u8r$tev$1@news.spamcop.net...
>
> Some other places which welcome HJT logs are Tom Coyote's webforum
> http://forums.tomcoyote.org/index.php?showforum=27 HijackThis Logs and
> Spyware/Malware Removal
>
> There's a HJT tutorial place
> http://hometown.aol.co.uk/jrmc137/hjttutorial/tutorial.htm HijackThis
> Tutorial - How to Analyse a HijackThis log
>
> The tutorial place was liked by many folks posting to spyware info
> http://forums.spywareinfo.com/index.php? which also accepts HJT logs.
>
> Iamnotageek also has a HJT gizmo, but that forum gets on some people's
> nerves [including mine] because of its integration [usurpation/theft]
> with NNTP causing some trouble in the usenet groups.
>

Thanks

Ellen

From nobody at spamcop.net Thu Sep 1 09:59:27 2005
From: nobody at spamcop.net (Ellen)
Date: Thu Sep 1 10:20:07 2005
Subject: [SpamCop-List] Re: Cleaning up and preventing malware (was mypctuneup.com)
References:
Message-ID:

"Redstone" wrote in message news:Xns96C47D412F45tinlc@216.154.195.61...
> >
>
> Anyone remember good ol' ATguard? :-)
>

Oh my yes, I really loved the old atguard and used it for years :-)

Ellen

From kjz at despammed.com Thu Sep 1 19:10:49 2005
From: kjz at despammed.com (Karl-Josef Ziegler)
Date: Thu Sep 1 12:15:03 2005
Subject: [SpamCop-List] Re: FTC
In-Reply-To:
References:
Message-ID:

PJ6 wrote:

> If I were to file a complaint with the FTC to take advantage of the CAN SPAM
> act, does it stand a chance of doing anything, or is this just a throwaway
> report that goes nowhere?

For me it seems that all these reports are going in a large 'spam database'. Maybe that this database is analyzed from time to time by some government organizations.

- kjz

From click1510 at earthlink.net Thu Sep 1 14:03:49 2005
From: click1510 at earthlink.net (CO-DBA-SC-EL)
Date: Thu Sep 1 16:05:04 2005
Subject: [SpamCop-List] Re: Track TCP/IP transmissions made by background processes
References:
Message-ID:

I suggest you try the Security forum at www.broadbandreports.com. Read the forum FAQ before posting. There are active helpers there.

--
C_O

"Jeff" wrote in message news:detdr1$ecs$1@news.spamcop.net...
> Thanks! I'll give it a try!
>
> "Doug Thegarden" wrote in message
> news:detdno$e8t$2@news.spamcop.net...
>> Jeff wrote:
>> > I have some background processes that are running that I can't stop.
>> > When I try to stop them, they simply spawn a new process and rename
>> > themselves as a .exe file with a random 7 character filename. Neither
>> > ad-aware nor Microsoft's spyware software detects them, nor does
>> > Norton Antivirus. I'm assuming these programs are either sending or
>> > receiving transmissions over the internet without me knowing. Is
>> > there a way to find out if they're transmitting or receiving data
>> > over the internet?
>> >
>>
>> TCPView will list all the processes and tell you where they are going.
>> http://www.sysinternals.com/Utilities/TcpView.html
>>
>> Doug
>
>

From MikeE at ster.invalid Thu Sep 1 18:09:54 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Sep 1 20:10:02 2005
Subject: [SpamCop-List] Re: outblaze bulk mailer?
References: <3kvhu2-brv.ln1@news.invalid.99computer>
Message-ID:

Mike wrote:

www.spamcop.net/sc?id=z801715901z949efe8305a957cccb51521a30011140z

Your email provider alleges:

"You have received this message in accordance with the published terms and conditions for your being provided with this email account. If you do not wish to receive promotions from this advertiser again please click here, your request will be honored within 10 days."

Where click here = newsletter-mail-unsubscribe@dm1.outblaze.com

www.spamcop.net/sc?id=z802035950zbf0b123e9e6828e463210a0934005b06z

Similarly:

"You have received this message in accordance with the published terms and conditions for your being provided with this email account. If you do not wish to receive promotions from this advertiser again please click here, your request will be honored within 10 days."

with the same click here outblaze bulk mail unsub.

It appears that in outblaze's opinion, your mail.com account allows some unlimited number of partners to require you to unsub from each of their spams.

It will be interesting to see what happens when spamcop fires off report missives to them, in a sense 'threatening' them with blocklisting because a spamcop reporter is reporting these items as spam -- whereas apparently they - outblaze/mail.com - consider themselves entitled to allow their partners to require you to unsub under their bulk mail agreements with the spamvertisers and you the client.

Presumably that is why mail.com sends you the informational bulk mail permissions link; somehow that is supposed to convince you that you have given the partners of outblaze/mail.com permission to require this opting out practice.

Evidence that outblaze thinks it is OK because it is outblaze's bulk mailer which is sending you the spams, not that of the spamvertiser.

Tres interesant.

--
Mike Easter
kibitzer, not SC admin

From zypher at spamcop.net Thu Sep 1 20:38:40 2005
From: zypher at spamcop.net (Ron B.)
Date: Thu Sep 1 20:40:04 2005
Subject: [SpamCop-List] Burn Survivor Mailing List
Message-ID:

http://www.spamcop.net/sc?id=z802056257zc273fc326aff613279fdc2bb7d65b378z

points to a canceled Spamcop report.
I am not a member of the list nor ever even heard of it.

Is this an attempt to confirm my e-mail addy?
If so, it was sent to my Spamcop account.

From MikeE at ster.invalid Thu Sep 1 18:44:45 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Sep 1 20:45:03 2005
Subject: [SpamCop-List] Re: outblaze bulk mailer?
References: <3kvhu2-brv.ln1@news.invalid.99computer>
Message-ID:

Mike Easter wrote:

> Your email provider alleges:
>
> "You have received this message in accordance with the published terms

> Evidence that outblaze thinks it is OK because it is outblaze's bulk
> mailer which is sending you the spams, not that of the spamvertiser.
>
> Tres interesant.

http://snipurl.com/hdpo Snurled googlegroups of 8 message thread starting here
Newsgroups: news.admin.net-abuse.email
Subject: Outblaze.com Spams Outblaze Customers for Known Spammer
Message-ID:
Date: Wed, 31 Aug 2005 04:47:14 GMT

'hot off the press' - perhaps the thread is still ongoing.

The thread shows several paid, not free, mail.com clients who are supposed to be getting the ad-free service who are getting spammed at the behest of outblaze for the known spammer www.DatingSecretsOnline.com [evidence in sightings] as well as your realage, which has a lot more in sightings than the other one.

It seems the nanaeites are confused by their allegiance to Suresh and outblaze as alleged 'good guys' and this obvious abuse of the paid mail.com accounts.

I'm not sure that my reading of the privacy and bulk mail policies convince me that they have the right to optout spam you even if you are a free account.

I think I would contact truste to see what they think about these 'anti-privacy' and opt-out policies.

I notice that Suresh isn't jumping up and clearing the air about the whole mess. Maybe someone will claim it was some kind of mistake. Or that Suresh's company has gone over to the dark side.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Thu Sep 1 19:17:15 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Sep 1 21:20:04 2005
Subject: [SpamCop-List] Re: outblaze bulk mailer?
References: <3kvhu2-brv.ln1@news.invalid.99computer>
Message-ID:

Mike Easter wrote:

> I think I would contact truste to see what they think about these
> 'anti-privacy' and opt-out policies.

Disregard any suggestions about truste. This problem with outblaze has nothing to do with truste stickers on websites and what truste can police about that.

This issue is purely about whether or not your agreement with mailcom/outblaze allows them to optout spam you for their various bulkmailing list agreements they are calling newsletters -- which could be unlimited in scope or rather 'range' or numbers.

As a general rule, an email provider such as an ISP feels that they have the right to send you 'newsletters' of various sorts, some of which you can opt out of and some of which you can't.

For example, EL has a rather complex policy. EL sez I can opt out [in advance] of being contacted by email, telephone, and postal mail for various EL 'marketing and informational' communications. Each of those is individually configured. I can similarly separately opt out of having EL purchase information about me from third parties [!]. I am currently opted out of all of that.

I cannot opt out of receiving 'administrative' communications about my EL account.
Those 'administrative' communications from EL and similarly from RR often contained some very non-administrative information, and each such administrative 'spam' item identifies itself as an administrative item.

EL also has a huge privacy policy page, some of which isn't altogether 'private'.

I am presently opted in to the Elink newsletter, which is a different subscription method from the above discussion.

--
Mike Easter
kibitzer, not SC admin

From Kilgallen at SpamCop.net Thu Sep 1 21:56:19 2005
From: Kilgallen at SpamCop.net (Larry Kilgallen)
Date: Thu Sep 1 22:00:03 2005
Subject: [SpamCop-List] Re: Burn Survivor Mailing List
References:
Message-ID:

In article , "Ron B." writes:
> http://www.spamcop.net/sc?id=z802056257zc273fc326aff613279fdc2bb7d65b378z
>
> points to a canceled Spamcop report.
> I am not a member of the list nor ever even heard of it.

I got one too.

> Is this an attempt to confirm my e-mail addy?
> If so, it was sent to my Spamcop account.

From JG at coks.net Thu Sep 1 20:19:31 2005
From: JG at coks.net (JG)
Date: Thu Sep 1 22:20:02 2005
Subject: [SpamCop-List] Spam arrives marked read, showing as being forwarded
Message-ID:

Per the subject line, what's this nitwit driving at?:

http://www.spamcop.net/sc?id=z802051630ze1d0d3cbd820e46e23d966ee1bf1130fz

So the x-Mozilla headers are forged to indicate already read, don't know which line controls the forwarded indication but it's there somewhere.

I know in all likelihood there's no good answer to this, but gotta ask WTF anyway. Is it just looking to fool filters?

From tfm3 at nospam.teleproc.com Thu Sep 1 22:58:49 2005
From: tfm3 at nospam.teleproc.com (Thomas Mooney)
Date: Thu Sep 1 23:00:03 2005
Subject: [SpamCop-List] blackholes.us
Message-ID:

I'm having trouble accessing the blackholes.us site. That includes the web-site and the blocklists. Does anyone have any information about what's going on there?

Thanks,

--
TFM3
Note: Spam-resistant e-mail address

From spamcop2.5.kuch at recursor.net Fri Sep 2 03:34:12 2005
From: spamcop2.5.kuch at recursor.net (Robert)
Date: Fri Sep 2 02:35:11 2005
Subject: [SpamCop-List] No source IP address found, cannot proceed.
Message-ID:

http://members.spamcop.net/sc?id=z802124442z380c48a0502d63be54dba57c5528b9e3z

Getting a lot of these reports back. Looks like either a glitch with the parser or another obfuscating technique from spammy.

I don't know a lot about SMTP headers, so I can't spot the error.

Any suggestions?

From nobody at nowhere.invalid Fri Sep 2 10:24:23 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Fri Sep 2 03:25:29 2005
Subject: [SpamCop-List] Re: No source IP address found, cannot proceed.
References:
Message-ID:

On Fri, 02 Sep 2005 02:34:12 -0400, Robert coughed into spamcop and left this in :

> http://members.spamcop.net/sc?id=z802124442z380c48a0502d63be54dba57c5528b9e3z

You might want to post the URL that starts with "www" rather than "members" in the future - only *you* can view that page.

> Getting a lot of these reports back. Looks like either a glitch with
> the parser or another obfuscating technique from spammy.
>
> I don't know a lot about SMTP headers, so I can't spot the error.

Yahpoo's Received: header looks malformed. The parser can't parse it, and since the next one down was inserted by the spammer there's every chance it's a forgery, and it refers to an RFC1918 IP address anyway.

Therefore, SC can't trace the origin of the mail.

--
Steve

Doctors can be frustrating. You wait six weeks for an appointment and he says, "I wish you'd come to me sooner."

From mwnospam at comcast.net Fri Sep 2 04:30:30 2005
From: mwnospam at comcast.net (spamacyde)
Date: Fri Sep 2 03:35:04 2005
Subject: [SpamCop-List] Re: No source IP address found, cannot proceed.
References:
Message-ID:

How easy is it to forge headers? What percentage of headers are forged?
Are we going to look forward to seeing more and more forged headers?

"Steven Maesslein" wrote in message news:slrndhfvh7.3e0.nobody@127.0.0.1...
> On Fri, 02 Sep 2005 02:34:12 -0400, Robert coughed into spamcop and left
> this in :
>
> > http://members.spamcop.net/sc?id=z802124442z380c48a0502d63be54dba57c5528b9e3z
>
> You might want to post the URL that starts with "www" rather than
> "members" in the future - only *you* can view that page.
>
> > Getting a lot of these reports back. Looks like either a glitch with
> > the parser or another obfuscating technique from spammy.
> >
> > I don't know a lot about SMTP headers, so I can't spot the error.
>
> Yahpoo's Received: header looks malformed. The parser can't parse it,
> and since the next one down was inserted by the spammer there's every
> chance it's a forgery, and it refers to an RFC1918 IP address anyway.
>
> Therefore, SC can't trace the origin of the mail.
>
> --
> Steve
>
> Doctors can be frustrating. You wait six weeks for an
> appointment and he says, "I wish you'd come to me sooner."

From spamcop2.5.kuch at recursor.net Fri Sep 2 04:35:54 2005
From: spamcop2.5.kuch at recursor.net (Robert)
Date: Fri Sep 2 03:40:04 2005
Subject: [SpamCop-List] Re: No source IP address found, cannot proceed.
In-Reply-To:
References:
Message-ID:

Steven Maesslein wrote:
> On Fri, 02 Sep 2005 02:34:12 -0400, Robert coughed into spamcop and left
> this in :
>
>
>>http://members.spamcop.net/sc?id=z802124442z380c48a0502d63be54dba57c5528b9e3z
>
>
> You might want to post the URL that starts with "www" rather than
> "members" in the future - only *you* can view that page.
>
>
>>Getting a lot of these reports back. Looks like either a glitch with
>>the parser or another obfuscating technique from spammy.
>>
>>I don't know a lot about SMTP headers, so I can't spot the error.
>
>
> Yahpoo's Received: header looks malformed.
> The parser can't parse it,
> and since the next one down was inserted by the spammer there's every
> chance it's a forgery, and it refers to an RFC1918 IP address anyway.
>
> Therefore, SC can't trace the origin of the mail.
>

Sorry - http://www.spamcop.net/sc?id=z802124442z380c48a0502d63be54dba57c5528b9e3z

From MikeE at ster.invalid Fri Sep 2 03:05:16 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Sep 2 05:06:02 2005
Subject: [SpamCop-List] Re: No source IP address found, cannot proceed.
References:
Message-ID:

Robert wrote:

www.spamcop.net/sc?id=z802124442z380c48a0502d63be54dba57c5528b9e3z

The original item has a line^1 at the top which is not a valid headerline so I removed that and parsed it with a non-mailhosted account which parses successfully.

http://www.spamcop.net/sc?id=z802156923z8c1489c0bfc7930132bc639e0b69a8b6z

Report Spam to:
Re: 202.57.91.35 (Administrator of network where email originates)
To: cmmarimla@pldt.com.ph (Notes)
Re: http://www.cwxd.downtowarea.com (Administrator of network hosting website referenced in spam)
To: abuse@kornet.net (Notes)

^1 The bad line is
>From - Fri Sep 02 02:26:07 2005

A valid headerline must have a name or title with no spaces and ending with colon space followed by the value or content of the field.

But that error or spurious headerline isn't what is causing this problem with the original parse:

Parsing header:
0: Received: from 202.57.91.35 (HELO mahan2000.com) (202.57.91.35) by mta105.rog.mail.scd.yahoo.com with SMTP; Thu, 01 Sep 2005 23:25:11 -0700
No unique hostname found for source: 202.57.91.35
Possible forgery. Supposed receiving system not associated with any of your mailhosts

That part of SC's verbose, which you can't always interpret at face value, seems to be saying that it isn't happy with the 'by' field of what is supposed to be a mailhosted account.

That is /not/ the same way SC performs on the same line for my non-mailhosted parse.
Parsing header: Received: from 202.57.91.35 (HELO mahan2000.com) (202.57.91.35) by mta105.rog.mail.scd.yahoo.com with SMTP; Thu, 01 Sep 2005 23:25:11 -0700 202.57.91.35 found host 202.57.91.35 = adsl-57.91.35.info.com.ph (cached) Possible spammer: 202.57.91.35 Received line accepted SC then proceeds to id the IP as a cbl listed proxy and stops chaining. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Fri Sep 2 03:22:14 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri Sep 2 05:25:23 2005 Subject: [SpamCop-List] Re: No source IP address found, cannot proceed. References: Message-ID: Mike Easter wrote: > The original item has a line^1 at the top which is not a valid > headerline so I removed that and parsed it with a non-mailhosted > account which parses successfully. Apparently SC has encountered such a line sufficiently frequently that the algorithm accepts it and parses equally well for a non-mailhosted account with the line present or absent. This parse has the 'bad' line present and is successful with exactly the same results as the previous posting. www.spamcop.net/sc?id=z802163457z336eea141e4d83e4071b7484bb8e4a2ez So, this issue is entirely about SC not liking the top Received line for the mailhosted account while accepting it for the non-mailhosted one. Perhaps yahoo has changed its configuration from that when the mailhost configuration was performed. -- Mike Easter kibitzer, not SC admin From redford_stone at INVERSE_OF_COLDmail.com Fri Sep 2 12:32:59 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Fri Sep 2 07:35:21 2005 Subject: [SpamCop-List] Re: blackholes.us References: Message-ID: "Thomas Mooney" wrote in news:df8f54$1l2$1@news.spamcop.net: > I'm having trouble accessing the blackholes.us site. That includes > the web-site and the blocklists. Does anyone have any information > about what's going on there? > > Thanks, > Can't raise it either from my end. Not sure what is up. 
Could be either maintenance or DDOS. Most likely the former. I'd give it about 24 hours to see if it comes back up. From spamcop-list-at-news.spamcop.net at musaic.net Fri Sep 2 14:50:34 2005 From: spamcop-list-at-news.spamcop.net at musaic.net (St - Musaic.Net) Date: Fri Sep 2 07:51:06 2005 Subject: [SpamCop-List] blackholes.us In-Reply-To: References: Message-ID: <358600087.20050902135034@musaic.net> > Can't raise it either from my end. Not sure what is up. Could be either > maintenance or DDOS. Most likely the former. I'd give it about 24 hours to > see if it comes back up. Well...don't hold your breath...my anti-spam system utilized blackholes.us I see from my logs that last update was 10th of august 2005. After that date my system has not been having any conversation with blackholes.us. Blackholes is gone, I am afraid... If you want a list of ip address allocations by country, go here: http://www.completewhois.com/statistics/country_statistics.htm NOTE: This is NOT a blocklist! -- St From bar_n0ne at hotmail.com Fri Sep 2 18:30:42 2005 From: bar_n0ne at hotmail.com (Berny) Date: Fri Sep 2 09:35:03 2005 Subject: [SpamCop-List] Re: New bulletproof hosting, uk.geocities References: Message-ID: "Redstone" wrote in message news:Xns96C493F9A378tinlc@216.154.195.61... > "Berny" wrote in > SNIPPED > > Have you gone to Geocities webform to report it? Did it before and it > worked.. though sometimes it took a bit longer than usual. > Hoops!!, now for several weeks the jerks at uk.geocities have had their thumbs up their bums while they play whack a mole with a 2 day reaction time. From no at spam.invalid Fri Sep 2 09:40:52 2005 From: no at spam.invalid (Michael Wise) Date: Fri Sep 2 11:45:03 2005 Subject: [SpamCop-List] blackholes.us References: Message-ID: In article , "St - Musaic.Net" wrote: > > Can't raise it either from my end. Not sure what is up. Could be either > > maintenance or DDOS. Most likely the former. 
I'd give it about 24 hours to > > see if it comes back up. > > Well...don't hold your breath...my anti-spam system utilized blackholes.us > I see from my logs that last update was 10th of august 2005. After that > date my system has not been having any conversation with blackholes.us. > > Blackholes is gone, I am afraid... > > If you want a list of ip address allocations by country, go here: > http://www.completewhois.com/statistics/country_statistics.htm > NOTE: This is NOT a blocklist! If you're looking for China/Korea info, you can get it from my site, which is kept more current that the blackholes.us data anyway. http://www.okean.com/asianspamblocks.html --Mike From nobody at spamcop.net Fri Sep 2 09:44:22 2005 From: nobody at spamcop.net (Ellen) Date: Fri Sep 2 12:40:02 2005 Subject: [SpamCop-List] Re: No source IP address found, cannot proceed. References: Message-ID: "Robert" wrote in message news:df8ros$8j4$1@news.spamcop.net... > http://members.spamcop.net/sc?id=z802124442z380c48a0502d63be54dba57c5528b9e3z > > Getting a lot of these reports back. Looks like either a glitch with > the parser or another obfuscating technique from spammy. > > I don't know a lot about SMTP headers, so I can't spot the error. > > Any suggestions? Appears that yahoo/Rogers changed the naming scheme for the mailservers. They used to be of the format matnnn.rog.mail.re2.yahoo.com and are now of the format matnnn.rog.mail.scd.yahoo.com I updated the mailhost. Let me know if you see any other failures to parse the top header. Ellen SpamCop From big_mart_98 at yahoo.com Fri Sep 2 19:10:44 2005 From: big_mart_98 at yahoo.com (Martin Edwards) Date: Fri Sep 2 13:10:04 2005 Subject: [SpamCop-List] Re: Burn Survivor Mailing List In-Reply-To: References: Message-ID: Larry Kilgallen wrote: > In article , "Ron B." writes: > >>http://www.spamcop.net/sc?id=z802056257zc273fc326aff613279fdc2bb7d65b378z >> >>points to a canceled Spamcop report. 
>>I am not a member of the list nor ever even heard of it. > > > I got one too. > > >>Is this an attempt to confirm my e-mail addy? >>If so, it was sent to my Spamcop account. My guess is that it was phishing, clever though. From MikeE at ster.invalid Fri Sep 2 17:43:37 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri Sep 2 19:45:03 2005 Subject: [SpamCop-List] Re: Email with no body - claims to be from blade4.cesmail.net References: Message-ID: G u y M a c o n wrote: > Here is an interesting email I got. Pasting a spam [header and/or body] into a discussion group is not the way to communicate about such an item. The proper way is to submit the item to the parser, copy the tracking url, submit or cancel the report as appropriate, and then paste that tracker into the discussion group. That particular item without a body would provide this tracker copied from the top of the parse which doesn't offer to submit a report Here is your TRACKING URL - it may be saved for future reference: http://www.spamcop.net/sc?id=z802377132ze06f9ff18c803abbebd7cafc2b9df015z That's what you should have posted here instead of what you did. > It had no body at all, so SpamCop > refused to take the report until I added a body with my own text. And that, an empty body spam, is what you found so 'interesting'? OK. The interesting part of that to me is that it is 'controversial' about whether or not we should add some text to the body to facilitate the parser's response to offer to report the item. In the forums, an admin makes such a recommendation. However, the forums are not an official faq. The official faq describes what material changes to a spam are permissible and which are not -- and it does /not/ name adding text to the body as permissible. And, the cardinal element of the material changes faq page is all about not doing anything to cause SC to find [which implies to report] an IP which it wouldn't otherwise find/report. 
Adding body text is a material change causing SC to find/report an IP which it wouldn't otherwise. If whoever is in control of the faq doesn't change the faq, I don't think that Jeff's blessing for making a material change which appears in the forum is good enough to permit such a change. Faq changes are sometimes made 'instantaneously' -- some other faq changes are never made regardless of how many times they are discussed. This issue is a faq change which has been discussed, emphasized, criticized, documented, etc and no such faq change has ever come into being. http://www.spamcop.net/fom-serve/cache/283.html Do not make any material changes to spam before submitting or parsing which may cause SpamCop to find a link, address or URL it normally would not, by design, find. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Fri Sep 2 17:54:59 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri Sep 2 19:55:03 2005 Subject: [SpamCop-List] Re: Email with no body - claims to be from blade4.cesmail.net References: Message-ID: G u y M a c o n wrote: > Did Spamcop add the Message-ID and From, or was that something the > spammer did? Many servers which receive an item with no mid will add their own, and when I see an mid with the characteristics of a receiving server, such as here, I assume that the mid was added by the recipient server [as I assume here] unless I have some evidence to the contrary. However, spammers can forge such lines and can make an mid of their choosing. Servers don't normally add Froms even if absent. This item went from the proxy 220.76.123.170 thru' the spamcop system which added the xlines [and presumably mid] and then to your oco mailbox. 
-- Mike Easter kibitzer, not SC admin From mwnospam at comcast.net Fri Sep 2 21:33:21 2005 From: mwnospam at comcast.net (spamacyde) Date: Fri Sep 2 20:35:17 2005 Subject: [SpamCop-List] blackholes.us References: Message-ID: Is it easy to configure Outlook Express to reject mail from the IP addresses listed on your site? "Michael Wise" wrote in message news:no-79C57E.08405102092005@news.cesmail.net... > In article , > "St - Musaic.Net" wrote: > > > > Can't raise it either from my end. Not sure what is up. Could be either > > > maintenance or DDOS. Most likely the former. I'd give it about 24 hours to > > > see if it comes back up. > > > > Well...don't hold your breath...my anti-spam system utilized blackholes.us > > I see from my logs that last update was 10th of august 2005. After that > > date my system has not been having any conversation with blackholes.us. > > > > Blackholes is gone, I am afraid... > > > > If you want a list of ip address allocations by country, go here: > > http://www.completewhois.com/statistics/country_statistics.htm > > NOTE: This is NOT a blocklist! > > > If you're looking for China/Korea info, you can get it from my site, > which is kept more current that the blackholes.us data anyway. > > > http://www.okean.com/asianspamblocks.html > > > --Mike From MikeE at ster.invalid Fri Sep 2 18:51:42 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri Sep 2 20:55:04 2005 Subject: [SpamCop-List] blackholes.us References: Message-ID: spamacyde wrote: > Is it easy to configure Outlook Express to reject mail from the IP > addresses listed on your site? When you stick a remark 'up in the air' up there which isn't in context to anything, it lacks 'meaning'. That forces the reader of a contextless remark to pay particular attention to every single element of the /content/ of your contextless remark. Then your remark sez 'configure OE to reject mail' -- which is worse than contextless. It is senseless. OE doesn't 'reject' mail. 
Reject is a term applied to a recipient server which can reject an smtp transaction with a sending IP. The other elements of your question is about 'IP addresses listed on your site' -- but since there is no context, it isn't even apparent what or who you are talking to about whatever. That forces someone to have to imaginatively reconstruct what you didn't handle properly in the first place. I suppose we should fix it all up to look something like this. spamacyde wrote: > "Michael Wise" >> If you're looking for China/Korea info, you can get it from my site, >> which is kept more current that the blackholes.us data anyway. >> http://www.okean.com/asianspamblocks.html > Is it easy to configure Outlook Express to reject mail from the IP > addresses listed on your site? If I had seen something like that, maybe I wouldn't have gotten so 'aggravated' and 'attacked' your OE 'reject mail' remark, and tried to be a little more gentle and interpret it as a filtering question. OE is extremely weak in its message rules for handling spam. If you were using a proxy like SpamPal, you could exclude quite a variety of countries. If you were running a server, you could use something like Michael provides, as did Matthew Evans of blackholes. The trimmed contextualization which I created above but which you didn't do when you topposted conveys the meaning of your question much much better than what you did. -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Fri Sep 2 19:39:15 2005 From: nobody at spamcop.net (N. Miller) Date: Fri Sep 2 21:40:05 2005 Subject: [SpamCop-List] Re: No source IP address found, cannot proceed. References: Message-ID: <1vx653n4jd5xb$.dlg@news.spamcop.net> On Fri, 2 Sep 2005 09:24:23 +0200, Steven Maesslein wrote: > Yahpoo's Received: header looks malformed. The parser can't parse it, > andf since the next one down was inserted by the spammer there's every > chance it's a forgery, and it refers to an RFC1918 IP address anyway. 
> > Therefore, SC can't trace the origin of the mail. The Yahoo! Received: header line looks just like the ones that SC parses just fine when I submit them. The next Received: header line looks exactly like any internal hand off which appears in legitimate email which leaves my server for my ISP's SMTP AUTH server for relay. http://www.spamcop.net/sc?id=z802403040z5c30c4ab5694aaedbffb79e4b26a6d4bz -- Norman ~Win dain a lotica, En vai tu ri, Si lo ta ~Fin dein a loluca, En dragu a sei lain ~Vi fa-ru les shutai am, En riga-lint From nobody at spamcop.net Fri Sep 2 19:45:21 2005 From: nobody at spamcop.net (N. Miller) Date: Fri Sep 2 21:50:05 2005 Subject: [SpamCop-List] blackholes.us References: Message-ID: On Fri, 2 Sep 2005 20:33:21 -0400, spamacyde wrote: > Is it easy to configure Outlook Express to reject mail from the IP addresses > listed on your site? It is impossible for Outlook Express, or any other MUA to "reject" email; if the term "reject" is in the normal SMTP context. OE can only download email from a POP3 server, or, delete it from the server under specific, limited conditions. Most importanly, OE can't examine the "Received" header line of email, so it can't even find IP addresses in email headers. Even with a client which can find IP addresses in email headers, most clients can't distinguish between the MTA <> MX transaction, and earlier transactions. This means that it can be possible to dump email for a blacklisted IP address when that should not happen; as when a residential customer email is sent from a listed source IP address, but goes through a legitimate ISP mail server. -- Norman ~Win dain a lotica, En vai tu ri, Si lo ta ~Fin dein a loluca, En dragu a sei lain ~Vi fa-ru les shutai am, En riga-lint From nobody at spamcop.net Fri Sep 2 19:57:07 2005 From: nobody at spamcop.net (N. 
Miller) Date: Fri Sep 2 22:00:03 2005 Subject: [SpamCop-List] Re: Email with no body - claims to be from blade4.cesmail.net References: Message-ID: <1rte6us7m10ca$.dlg@news.spamcop.net> On Fri, 2 Sep 2005 16:43:37 -0700, Mike Easter wrote: > And, the cardinal element of the material changes faq page is all about > not doing anything to cause SC to find [which implies to report] an IP > which it wouldn't otherwise find/report. Adding body text is a material > change causing SC to find/report an IP which it wouldn't otherwise. I can only guess that SC doesn't offer to report blank body spam because it is similar in nature to DFNs, AV bounces, and C/R challenges; all of which were, at one time, not reportable. At the current time, all of the above, collectively called, "backscatter", are now reportable; except for blank body email. Given that blank body email seems to be a result of broken spamware, maybe it is time to rethink the issue. Or not...if a blank body is the result of broken spamware, it should be reportable; but it is possible that blank body email is the result of some misadventure by a non-spamming sender, and that should not be reported. I guess I just don't know how to answer the issue. It would be a bad thing to mis-report innocent email senders; but surely the recipient would recognize by the headers if the sender is an innocent party. But I can't say that all SC reporters are careful, as well. I guess I will just not recommend doing it... -- Norman ~Win dain a lotica, En vai tu ri, Si lo ta ~Fin dein a loluca, En dragu a sei lain ~Vi fa-ru les shutai am, En riga-lint From MikeE at ster.invalid Fri Sep 2 20:43:13 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri Sep 2 22:45:03 2005 Subject: [SpamCop-List] Re: Email with no body - claims to be from blade4.cesmail.net References: <1rte6us7m10ca$.dlg@news.spamcop.net> Message-ID: N. 
Miller wrote: > Mike Easter wrote: > I can only guess that SC doesn't offer to report blank body spam > because it is similar in nature to DFNs, AV bounces, and C/R > challenges; all of which were, at one time, not reportable. No. I think that the parser is configured to assume that if the body is blank that the item has been improperly submitted. I don't /think/ I have a problem with the current configuration of the parser not wanting to report a spam -- altho' my judgment would be that if I were the one choosing the default configuration, that I would have the parser 'warn' the reporter that the spam showed no body and that that might represent an error in submission, but I would have the parser offer to make the report on the source. Unless I were the 'boss' and I didn't think that empty spams should be reported; in which case I would address that issue in the faq. If I were the boss and I tho't that it was OK if empty spams were reported for the various reasons which are that most empty spams look 'exactly' like regular spams except for the missing body. That is, I consider an empty spam to be a payloaded spam 'wannabe'. A spam error for which the sooner the IP source is blocklisted the better will be our spamfiltering agents. > At the current time, all of the above, collectively called, > "backscatter", are now reportable; except for blank body email. I don't think backscatter issues are the same as empty spam at all. > I guess I will just not recommend doing it... My little 'diatribe' about reporting empty spam by materially changing the body to 'force' a report seems against the faq isn't because I'm against reporting empty spam. I'm in favor of reporting empty spam. What I'm against is having an inconsistent 'attitude' about what the faq sez about material changes. If the powers that be actually want 'us' tinu to be making material changes to spam to report empty spam, then something should change. 
The faq should condone materially changing the missing spambody; or the parser should 'choose' to handle the empty spam differently by offering to report it with a warning that something might be wrong. The business of the parser handling the item so that the reporter is forced to make a material change which isn't condoned by the faq is a bad configuration for both the faq and the parser, and the boss is supposed to be in charge of both the faq and the parser. So, my gripe about this empty spam issue is that the boss isn't doing a good job about handling it. And 'you' can tell him I sed so, whoever you is. -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Fri Sep 2 23:37:23 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Fri Sep 2 23:40:04 2005 Subject: [SpamCop-List] Re: Email with no body - claims to be from blade4.cesmail.net References: Message-ID: "Mike Easter" wrote in message news:dfao2f$gmg$1@news.spamcop.net... > > The interesting part of that to me is that it is 'controversial' about > whether or not we should add some text to the body to facilitate the > parser's response to offer to report the item. > > In the forums, an admin makes such a recommendation. However, the > forums are not an official faq. The official faq describes what > material changes to a spam are permissible and which are not -- and it > does /not/ name adding text to the body as permissible. In all fairness (and to back up Mike Easter's thoughts) ... http://forum.spamcop.net/forums/index.php?showtopic=4821&view=findpost&p=32362 > If whoever is in control of the faq doesn't change the faq, I don't > think that Jeff's blessing for making a material change which appears in > the forum is good enough to permit such a change. Faq changes are > sometimes made 'instantaneously' -- some other faq changes are never > made regardless of how many times they are discussed. 
This issue is a > faq change which has been discussed, emphasized, criticized, documented, > etc and no such faq change has ever come into being. There's been many more of "us" offering the same suggestion ... I picked it up from newsgroup traffic years ago ...Some FAQ changes I can state that I was involved with, submitting data, justification, usually suggested changes .. and (most of) those changes happened. Other FAQ changes have been made out of the blue, only noted when someone pointed them out or I 'discovered' the change while researching something else. Some changes just aren't going to happen This one in particular, as I conjecture in the referenced Forum post and you suggest above, is at least partially based on the inexperience of some in the handling of their spam. That some talk about their "blank spam" and then produce a 20 pound load of HTML infested e-mail body is just one episodic scenario. Those users that come in talking about how they submit their "spam headers" and wondering why they always see errors in the parse results .... on and on ... From edb2000 at spamcop.net Fri Sep 2 23:05:24 2005 From: edb2000 at spamcop.net (Don Wannit) Date: Sat Sep 3 01:10:03 2005 Subject: [SpamCop-List] Wow! Message-ID: This recent hardware infusion is making a big difference! I just got this result in a spam parse: >Yum, this spam is fresh! >Message is -1 hours old Now that's fast spam processing! :-) http://www.spamcop.net/sc?id=z802443402z309a80dacdeda529d6204e4da05ea83bz -- Don Wannit A paid SpamCop user since 1999 From bjoeg at *spammer*bjoeg.dk Sat Sep 3 06:55:04 2005 From: bjoeg at *spammer*bjoeg.dk (Bjarke Andersen) Date: Sat Sep 3 02:00:04 2005 Subject: [SpamCop-List] LOL @ Inkline Global Message-ID: InkLineGlobal, for many a trusted Ink provider, for me a spammer that suddenly emerged in my mailbox. 
Since many trusted this company I was kinda thinking, that maybe someone just typed my email address by accident, but today I found some funny small proof in the cleartext message. Look at the path name of the gif file, apparently they don't want to hide that they are in fact spamming, rather than "newsletting". -- Bjarke Andersen - Freelance SpamKiller http://www.cdt.org/speech/spam/030319spamreport.shtml (How to prevent) Wanna reply by email? Remove the spammer in address From nobody at nowhere.invalid Sat Sep 3 11:38:01 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Sat Sep 3 04:40:09 2005 Subject: [SpamCop-List] blackholes.us References: Message-ID: On Fri, 2 Sep 2005 20:33:21 -0400, spamacyde coughed into spamcop and left this in : > Is it easy to configure Outlook Express to reject mail from the IP > addresses listed on your site? On whose site? There's no context above your comments to know what you're on about. However, the answer is no. Mail rejection takes place server-side, not client-side, so by the time any mailer sees the mail it's too late, the mail can't be rejected. It can only be bounced, which is a Bad Thing(tm) anyway. -- Steve Linux: the choice of a GNU generation -- ksh @ cis . ufl . edu put this on Tshirts in '93 From no at spam.invalid Sat Sep 3 09:27:21 2005 From: no at spam.invalid (Michael Wise) Date: Sat Sep 3 11:30:07 2005 Subject: [SpamCop-List] blackholes.us References: Message-ID: In article , "spamacyde" wrote: ... > > > Blackholes is gone, I am afraid... > > > > > > If you want a list of ip address allocations by country, go here: > > > http://www.completewhois.com/statistics/country_statistics.htm > > > NOTE: This is NOT a blocklist! > > > > > > If you're looking for China/Korea info, you can get it from my site, > > which is kept more current that the blackholes.us data anyway. 
> > > > > > http://www.okean.com/asianspamblocks.html > Is it easy to configure Outlook Express to reject mail from the IP addresses > listed on your site? Probably not. The info I have up is designed for server-level blocking. --Mike From JG at coks.net Sat Sep 3 09:59:54 2005 From: JG at coks.net (JG) Date: Sat Sep 3 12:00:02 2005 Subject: [SpamCop-List] spam within spam? Message-ID: http://www.spamcop.net/sc?id=z802580531z2b2ca020ac2a78d746472e2c055f36d6z Opening the message shows a simple spamvert for dialup. Looking at the source it shows some ebay tripe built in - is this just part of a nonsensical body filler or is this something else? From MikeE at ster.invalid Sat Sep 3 11:09:59 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat Sep 3 13:10:03 2005 Subject: [SpamCop-List] Re: spam within spam? References: Message-ID: JG wrote: www.spamcop.net/sc?id=z802580531z2b2ca020ac2a78d746472e2c055f36d6z > Opening the message shows a simple spamvert for dialup. Looking at > the source it shows some ebay tripe built in - is this just part of a > nonsensical body filler or is this something else? If you routinely open your spam and read it, you must have some purpose in mind. What exactly is your intention when you open a spam? What sort of investigation do you do before you open it? How are you configured to assure that opening spam does not benefit the spamvertiser more than it does /not/ benefit the spamvertiser. Do you have an 'algorithm' or a decision tree to represent any particular strategies to be employed depending upon what you find when you investigate the interior of a spam? How do 'we' know that your purposes in opening spams are 'honorable' from a spamfighting point of view. Or... are you a 'spamreader' who is curious about what spam says and because of such curiosity and interest you also go to visit spamvertised sites and occasionally purchase something from a spamvertiser? 
Any spamreader, whether they are a spam reporter or not, is 'suspect' about their intentions and purposes [in my book] especially if they have not proven themselves to be pledged and able to never aid a spammer by their actions. The item in question has a different plaintext content than its html content which are in multiparts. 'Studying' the content of the portion of the spam judged to be not associated with the payload is 'kinda crazy' -- but I suppose a person could make a pastime of it. In this case the ebay material falls into the category of 'junk' not associated with the payload, except that the junk also contains an enigmatic link to the payload site. The payload is the html part which also contains 'curiosities' which you can study if you are so motivated. The payload links appear slightly different in what you see than the link which isn't seen; for example you see http://ltpx.shop4depot.com but you connect to http://brhq.shop4depot.com/ - Approximately how much time do you think you should be spending on that curiosity? In addition, you see http://trlsqpy.shop4depot.com/r/ but you connect to http://zdwd.shop4depot.com/r/ -- we should probably spend a lot of time here talking about all that . SC identifies the enigmatic link in the plaintext part as well as the links above which are the 'connecting' links. The links themselves redirect to shop4emporium.info -- which if you are going to spend any time 'dissecting' the content of the spam should be considered to be the true payload target -- which is at the same IP as all of the above 202.65.111.128 -- namely a spamhaus listed .hk /32 Somehow there needs to be a 'balance' in the business of studying spambody content. The paypal 'misdirecting' red herring of the plaintext portion of the body is 'echoed' in the bogus lines in the header, which have also have paypal bogosity. 
You could spend a great deal of wasted time discussing why the spammer constructed the bogus header lines the way s/he did and why construct the spambody the way s/he did. Surely you don't think that is a good way for us to spend our time in this discussion group. I would rather accuse you of being a spamreader who might be reading spam insecurely and visiting spammer websites curiously. Then we can argue about that instead of how the spam was put together and why it was put together that way. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sat Sep 3 11:42:38 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat Sep 3 13:45:04 2005 Subject: [SpamCop-List] Re: spam within spam? References: Message-ID: Mike Easter wrote: > The paypal 'misdirecting' red herring of the > plaintext portion of the body is 'echoed' in the bogus lines in the > header, which have also have paypal bogosity. Should say -- the ebay misdirecting red herring of the plaintext body is echoed in the bogus line in the header, which has paypal bogosity. -- Mike Easter kibitzer, not SC admin From RobertTaylor at SpamCop.net Sat Sep 3 14:46:14 2005 From: RobertTaylor at SpamCop.net (Robert Taylor) Date: Sat Sep 3 13:50:03 2005 Subject: [SpamCop-List] Att'n. Mike Easter: Scammers Cashing in on Katrina Message-ID: Hello Mike, I assume you're aware of the efforts on the part of spammers to divert relief funds for the Katrina tragedy to their own pockets. A friend connected to the Red Cross asked me if I knew of anyone who might help, or recommend someone who might help, to counter this despicable business, either directly, or simply in the form of advice. Given your knowledge and skill in interpreting and tracing eMail headers, the thought occurred to me that you might be willing to contact Red Cross and offer whatever ideas, suggestions or help your schedule and commitments might allow. 
According to a pair of exchanges over in another news group, it seems that, despite their best intentions, R. C. may not be handling the matter too well. Please forgive what might appear to be a personal liberty in this request; no such liberty intended, just looking for the best person who might help in what is clearly a good--and desperate--cause. Regards, Robert (eMail addy is valid) -- eMail: RobertTaylor@SpamCop.net Web-Address: http://users.rcn.com/robertt.nh.ultranet/Web-SitePg1.htm From verdy_p at wanadoo.fr Sat Sep 3 02:31:27 2005 From: verdy_p at wanadoo.fr (Philippe Verdy (n.o-s.p.a.m+abuse)) Date: Sat Sep 3 14:35:06 2005 Subject: [SpamCop-List] Re: Anyone read Norwegian here? References: Message-ID: > From: "Anti-Spam" > X-Trace: news.spamcop.net 1125330871 16196 216.95.192.200 (29 Aug 2005 > 15:54:31 GMT) > > (...message snipped...) > Bring in the death penalty for repeat spammers. Your signature brings nothing to this newsgroup, is unproductive, and its political implications are completely out of topic, and does not give more information to people reading them, notably because they may be opposed to your argument. Although many may have very radical opinions about how spammers should be prosecuted, I doubt anyone would approve your offending "suggestion" (especially those in countries where death penalty is banned, or even not applicable to misbehavior which is not within the application field of criminal laws). So please, either change your "suggestion" which is shocking for death penalty opponents into something more neutral and realist, or just don't suggest anything against spammers: let judges and juries decide on the nature of the offence and on the penalty to apply. The problem is definitely not in the penalty to apply, but in the lack of judiciary actions against spammers. 
We are here in this group to help identifying spammers, and provide proofs of offence to help authorities taking the necessary measures to locate and prosecute them if needed. Not all spams are of criminal nature, most of them are just unfair or illegal commercial practices. They are spams, what they "sell" may be illegal, but we are not there to judge their authors (notably, MOST effective spam sources are innocent people that don't even know that their PC is infected by viral spamware, and that just complain to their ISP when they feel their Internet connection is too slow, or that don't know exactly what to do to cleanup their PC: they seek the assistance of their ISP, and we are here to report them to their ISP, so that the ISP can identify the infected sources and minimize the damage to the network.) So it will be more productive to say something else, such as "Let's prosecute spammers and bring them out of the net: I don't support what they do, I collect proofs of actions against them, and will report all of them." For now, your signature, when it is read repeatedly in your messages posted to public groups, has an impact which is SIMILAR to what YOU can feel when receiving unsolicited porn content through spam. It is also irrespective to your readers, and does not help improving your own image. The rest of your message may not be taken seriously if you don't respect your readers, and it does not help improving the image of this whole newsgroup. So be serious, remove this sentence from your public postings (keep it for your private postings if you want, but then assume privately all its implications about yourself). Thanks. -- Philippe. From MikeE at ster.invalid Sat Sep 3 13:16:32 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat Sep 3 15:20:02 2005 Subject: [SpamCop-List] Re: Att'n.
Mike Easter: Scammers Cashing in on Katrina References: Message-ID: Robert Taylor wrote: > According to a pair of > exchanges over in another news group, it seems that, despite their > best intentions, R. C. may not be handling the matter too well. I would be interested in seeing that discussion. Where is it? A working email for me is mike.easter@gmail.com -- Mike Easter kibitzer, not SC admin From spamcop-list-at-news.spamcop.net at musaic.net Sat Sep 3 23:27:00 2005 From: spamcop-list-at-news.spamcop.net at musaic.net (St - Musaic.Net) Date: Sat Sep 3 16:27:54 2005 Subject: [SpamCop-List] Anyone read Norwegian here? In-Reply-To: References: Message-ID: <858578764.20050903222700@musaic.net> > Kan dere følge opp denne på vanlig vis, med kopi til abuse@basefarm.com? > Klagen på spam ble sendt inn av xxx@reports.spamcop.net "Please handle this complaint in accordance with AUP and report back to abuse@basefarm.com The incident was reported by xxx@reports.spamcop.net" -- St From spamcop2.5.kuch at recursor.net Sat Sep 3 18:38:43 2005 From: spamcop2.5.kuch at recursor.net (Robert) Date: Sat Sep 3 17:40:08 2005 Subject: [SpamCop-List] Re: No source IP address found, cannot proceed. In-Reply-To: References: Message-ID: Ellen wrote: > "Robert" wrote in message > news:df8ros$8j4$1@news.spamcop.net... > > http://members.spamcop.net/sc?id=z802124442z380c48a0502d63be54dba57c5528b9e3z > >>Getting a lot of these reports back. Looks like either a glitch with >>the parser or another obfuscating technique from spammy. >> >>I don't know a lot about SMTP headers, so I can't spot the error. >> >>Any suggestions? > > > > Appears that yahoo/Rogers changed the naming scheme for the mailservers. > They used to be of the format > matnnn.rog.mail.re2.yahoo.com and are now of the format > matnnn.rog.mail.scd.yahoo.com I updated the mailhost. Let me know if you > see any other failures to parse the top header. > > > > Ellen > > SpamCop > > no problems since your update. Thanks.
From JG at coks.net Sat Sep 3 17:21:19 2005 From: JG at coks.net (JG) Date: Sat Sep 3 19:20:04 2005 Subject: [SpamCop-List] Re: spam within spam? In-Reply-To: References: Message-ID: On 9/3/2005 10:09 AM Mike Easter scribbled: > JG wrote: > www.spamcop.net/sc?id=z802580531z2b2ca020ac2a78d746472e2c055f36d6z > > >>Opening the message shows a simple spamvert for dialup. Looking at >>the source it shows some ebay tripe built in - is this just part of a >>nonsensical body filler or is this something else? > > > If you routinely open your spam and read it, you must have some purpose > in mind. What exactly is your intention when you open a spam? What > sort of investigation do you do before you open it? How are you > configured to assure that opening spam does not benefit the spamvertiser > more than it does /not/ benefit the spamvertiser. Never /said/ I routinely open spam /but/ if the obfuscation is such that one can't tell what the subject is from viewing the souce(I send meds to FDA, pump and dump to SEC) opening the spam usually tells me what is really going on. > > Do you have an 'algorithm' or a decision tree to represent any > particular strategies to be employed depending upon what you find when > you investigate the interior of a spam? How do 'we' know that your > purposes in opening spams are 'honorable' from a spamfighting point of > view. I don't know - what does that mean? Honorable spamfighting as opposed to /what/ ? WTF could I be doing dishonorably? > > Or... are you a 'spamreader' who is curious about what spam says and > because of such curiosity and interest you also go to visit spamvertised > sites and occasionally purchase something from a spamvertiser? Hardly, Mike, tho I suppose there exist such dimwits - you are free to check out my reporting record should you desire/have the ability. What on earth gave you the idea I open spam to read them? I went to college - I can read a book if I want... 
> > Any spamreader, whether they are a spam reporter or not, is 'suspect' > about their intentions and purposes [in my book] especially if they have > not proven themselves to be pledged and able to never aid a spammer by > their actions. Huh? > > > The item in question has a different plaintext content than its html > content which are in multiparts. 'Studying' the content of the portion > of the spam judged to be not associated with the payload is 'kinda > crazy' -- but I suppose a person could make a pastime of it. In this > case the ebay material falls into the category of 'junk' not associated > with the payload, except that the junk also contains an enigmatic link > to the payload site. Yes, enigmatic - the purpose of my post, which I canceled a few minutes later - but you saw it and flipped out over me looking. I use Thunderbird and it is set to not allow any execution of anything in the message, so I feel fairly secure in opening the message. How do you tell the spam is offering a list of meds if you can't see it in the source?? > > The payload is the html part which also contains 'curiosities' which you > can study if you are so motivated. The payload links appear slightly > different in what you see than the link which isn't seen; for example > you see http://ltpx.shop4depot.com but you connect to > http://brhq.shop4depot.com/ - Approximately how much time do you think > you should be spending on that curiosity? In addition, you see > http://trlsqpy.shop4depot.com/r/ but you connect to > http://zdwd.shop4depot.com/r/ -- we should probably spend a lot of time > here talking about all that . Glad the sarcasm is ended - see above... > > SC identifies the enigmatic link in the plaintext part as well as the > links above which are the 'connecting' links. 
The links themselves > redirect to shop4emporium.info -- which if you are going to spend any > time 'dissecting' the content of the spam should be considered to be the > true payload target -- which is at the same IP as all of the above > 202.65.111.128 -- namely a spamhaus listed .hk /32 > > Somehow there needs to be a 'balance' in the business of studying > spambody content. The paypal 'misdirecting' red herring of the > plaintext portion of the body is 'echoed' in the bogus lines in the > header, which have also have paypal bogosity. You could spend a great > deal of wasted time discussing why the spammer constructed the bogus > header lines the way s/he did and why construct the spambody the way > s/he did. > > Surely you don't think that is a good way for us to spend our time in > this discussion group. I would rather accuse you of being a spamreader > who might be reading spam insecurely and visiting spammer websites > curiously. Then we can argue about that instead of how the spam was put > together and why it was put together that way. Cripe, did that piss you off that much? I was curious of what the intent was. I report too much of this shit to spend that much time analyzing it to death... > > From JG at coks.net Sat Sep 3 17:22:55 2005 From: JG at coks.net (JG) Date: Sat Sep 3 19:25:02 2005 Subject: [SpamCop-List] Re: spam within spam? In-Reply-To: References: Message-ID: On 9/3/2005 10:42 AM Mike Easter scribbled: > Mike Easter wrote: > >>The paypal 'misdirecting' red herring of the >>plaintext portion of the body is 'echoed' in the bogus lines in the >>header, which have also have paypal bogosity. > > > Should say -- the ebay misdirecting red herring of the plaintext body > is echoed in the bogus line in the header, which has paypal bogosity. > > I didn't even see the paypal - I don't spend all that time looking since I'm not in law enforcement. 
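The static inspection this thread argues about (read the message source before rendering anything: compare the text/plain and text/html alternatives, compare each link's visible text with its real href, and list remote images that would act as web bugs), as an added Python example that is not from any poster. The sample message and its example.invalid hosts are constructed, and `inspect_message` and `LinkAudit` are hypothetical names.

```python
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: unrelated plaintext "filler", an HTML payload whose
# visible link differs from its href, and a 1x1 remote image.
SAMPLE = """\
From: "Example" <sender@example.invalid>
Subject: Your dreams come true today
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="ALT"

--ALT
Content-Type: text/plain; charset="iso-8859-1"

Auction notice: your item has a new bid. http://shop.example.invalid/
--ALT
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<html><body>
<p>Refinance at a lower rate today</p>
<a href=3D"http://bbbb.shop.example.invalid/">http://aaaa.shop.example.invalid</a>
<a href=3D"http://shop.example.invalid/r/">No, thanks</a>
<img src=3D"http://track.example.invalid/o.gif?id=3D12345" width=3D1 height=3D1>
<img src=3D"cid:part1@example.invalid">
</body></html>
--ALT--
"""


class LinkAudit(HTMLParser):
    """Collects links, remote images and visible text without rendering."""

    def __init__(self):
        super().__init__()
        self.links = []          # (href, visible text) pairs
        self.remote_images = []  # images a renderer would fetch over the network
        self.text = []           # all visible text
        self._href = None
        self._label = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._href, self._label = attrs["href"], []
        elif tag == "img":
            src = attrs.get("src") or ""
            if urlsplit(src).scheme in ("http", "https"):  # cid: parts stay local
                self.remote_images.append(src)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._label).strip()))
            self._href = None

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._label.append(data)


def _host(url):
    return (urlsplit(url.strip()).hostname or "").lower()


def _words(text):
    # Drop URLs so shared host names do not count as shared wording.
    return set(re.findall(r"[a-z0-9]{3,}", re.sub(r"https?://\S+", " ", text.lower())))


def _text_of(part):
    try:
        return part.get_content()  # undoes quoted-printable/base64 and the charset
    except (LookupError, UnicodeError):  # bogus charset label, common in spam
        return part.get_payload(decode=True).decode("latin-1", "replace")


def inspect_message(raw):
    """Return a report on a raw message; nothing is rendered or fetched."""
    msg = message_from_string(raw, policy=default)
    plain, audit, parts = "", LinkAudit(), []
    for part in msg.walk():
        ctype = part.get_content_type()
        parts.append(ctype)
        if part.is_multipart():
            continue
        if ctype == "text/plain":
            plain += _text_of(part)
        elif ctype == "text/html":
            audit.feed(_text_of(part))
    # A link is suspicious when its label looks like a URL for another host.
    mismatched = [(label, href) for href, label in audit.links
                  if label.lower().startswith(("http://", "https://"))
                  and _host(label) != _host(href)]
    a, b = _words(plain), _words(" ".join(audit.text))
    overlap = len(a & b) / len(a | b) if (a | b) else None  # Jaccard similarity
    return {"parts": parts, "mismatched_links": mismatched,
            "remote_images": audit.remote_images, "plain_html_overlap": overlap}


if __name__ == "__main__":
    for key, value in inspect_message(SAMPLE).items():
        print(f"{key}: {value}")
```

A low `plain_html_overlap` means the two alternatives say different things, which is the "different plain-text and html part" indicator mentioned in the thread.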
From JG at coks.net Sat Sep 3 17:26:49 2005 From: JG at coks.net (JG) Date: Sat Sep 3 19:30:03 2005 Subject: [SpamCop-List] Re: spam within spam? In-Reply-To: References: Message-ID: On 9/3/2005 10:42 AM Mike Easter scribbled: > Mike Easter wrote: > >>The paypal 'misdirecting' red herring of the >>plaintext portion of the body is 'echoed' in the bogus lines in the >>header, which have also have paypal bogosity. > > > Should say -- the ebay misdirecting red herring of the plaintext body > is echoed in the bogus line in the header, which has paypal bogosity. > > Maybe I'll just spend my time cutting and pasting neutral discussions on the various virtues of s/w packages rather than discuss the subject of the group - if I were a spammer, I could Google M$ IE and flood the group with misinformation until I was shut off. Then I'd go over to alt.spam and read about Brad... From JG at coks.net Sat Sep 3 17:29:27 2005 From: JG at coks.net (JG) Date: Sat Sep 3 19:30:07 2005 Subject: [SpamCop-List] Re: spam within spam? In-Reply-To: References: Message-ID: On 9/3/2005 4:21 PM JG scribbled: > On 9/3/2005 10:09 AM Mike Easter scribbled: > >>If you routinely open your spam and read it, you must have some purpose >>in mind. What exactly is your intention when you open a spam? What >>sort of investigation do you do before you open it? How are you >>configured to assure that opening spam does not benefit the spamvertiser >>more than it does /not/ benefit the spamvertiser. > > > Never /said/ I routinely open spam /but/ if the obfuscation is such that > one can't tell what the subject is from viewing the souce(I send meds to > FDA, pump and dump to SEC) opening the spam usually tells me what is > really going on. > > If you know a better way to spot a meds list I'm all ears... From RobertTaylor at SpamCop.net Sat Sep 3 21:00:06 2005 From: RobertTaylor at SpamCop.net (Robert Taylor) Date: Sat Sep 3 20:00:02 2005 Subject: [SpamCop-List] Re: Att'n. 
Mike Easter: Scammers Cashing in on Katrina References: Message-ID: In news:dfcsqh$nvp$1@news.spamcop.net, Mike Easter sent: > Robert Taylor wrote: >> According to a pair of >> exchanges over in another news group, it seems that, despite their >> best intentions, R. C. may not be handling the matter too well. > > I would be interested in seeing that discussion. Where is it? > > A working email for me is mike.easter@gmail.com news.grc.com group: grc.security thread: scammers hit web in Katrina's wake A little under the weather at the moment (surgery). I'll be in touch. Regards, Robert -- eMail: RobertTaylor@SpamCop.net From 9ucs5y001 at sneakemail.com Sat Sep 3 19:00:06 2005 From: 9ucs5y001 at sneakemail.com (DS) Date: Sat Sep 3 21:05:03 2005 Subject: [SpamCop-List] Re: Track TCP/IP transmissions made by background processes References: Message-ID: "Jeff" wrote in message news:detbe5$ci8$1@news.spamcop.net... >I have some background processes that are running that I can't stop. When >I try to stop them, they > simply spawn a new process and rename themselves as a .exe file with a > random 7 character filename. > Neither ad-aware nor Microsoft's spyware software detects them, nor does > Norton Antivirus. I'm > assuming these programs are either sending or receiving transmissions over > the internet without me > knowing. Is there a way to find out if they're transmitting or receiving > data over the internet? I finished cleaning up my sister-in-law's computer that was behaving like this. It turns out that it was infected with both VX2 and SAH. To clear it out, I had to resort to the Windows boot/install/recovery console and delete the root culprit executable. It was loading at winlogon time via the WinLogon/Notify method. I was lucky--if that didn't work, it was re-imaging time for her HD. DS From MikeE at ster.invalid Sat Sep 3 19:19:24 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat Sep 3 21:20:02 2005 Subject: [SpamCop-List] Re: spam within spam? 
References: Message-ID: JG wrote: >> Mike Easter >>> If you routinely open your spam and read it, you must have some >>> purpose in mind. What exactly is your intention when you open a >>> spam? What sort of investigation do you do before you open it? >>> How are you configured to assure that opening spam does not benefit >>> the spamvertiser more than it does /not/ benefit the spamvertiser. >> >> >> Never /said/ I routinely open spam /but/ if the obfuscation is such >> that one can't tell what the subject is from viewing the souce(I >> send meds to FDA, pump and dump to SEC) opening the spam usually >> tells me what is really going on. >> >> > > If you know a better way to spot a meds list I'm all ears... If you are going to open your spams, I would inspect the message source before I did that, so that you will know how it is constructed before you open it. You will also have to decide if you are going to open the items offline, since you are presumably going to be rendering any html which is inside. Alternatively, if you are sufficiently skilled at reading or interpreting raw unrendered html, you could do your inspections on the unrendered condition. In addition to opening spams and reading them, you will also have to determine the content of the ultimate website after any redirectors -- because sometimes the apparent content of the spam isn't what the website is all about. This issue about the presumed Or perhaps the better and quicker strategy would be to simply use the parser to 'extract' the links and then use a tool, either online or console based to GET the website's content and make your judgment as to pharm spams. The stock spams typically don't have a payload website associated. 
I'm not altogether sure that the profit which is provided to the spammer by tickling the website is balanced by the debatable 'value' of providing the information to the FDA or SEC -- but since I can't prove that one way or the other it becomes a personal choice of the particular spamfighter. That is, your actions are profiting the spammer. Depending upon how you do it, you may also be 'inviting' more spam with webbugs. Ostensibly you are gaining some unknown something or other in the spamfighting effort by giving stock spams to the SEC and pharm spams to the FDA -- but I actually rather doubt that you are succeeding in doing anything of consequence there. So, then what we have left, in the example of the pharm spam, since it involves a website hit, is positive benefit to the spammer as a combination of whatever webbugs you tickle if you open the spam insecurely - plus whatever advertiser profits you give to the spammer by either visiting the website or tickling it with a GET function - to be somehow counterbalanced by some effect against the spammer by giving the spam to the FDA and SEC. I'm concerned that that counterbalance is zero -- so the spammer has a net gain as a result of your spamfighting efforts which involve opening the spam and/or visiting the website to determine what is going on there. Perhaps you would be better off to just send everything blindly to the FDA and SEC and not investigate anything. I realize that sounds zany, but I think the spammer is winning the investigation battle. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sat Sep 3 19:27:10 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat Sep 3 21:30:03 2005 Subject: [SpamCop-List] Re: spam within spam? References: Message-ID: Dave Lerner wrote: > Mike Easter >> Any spamreader, whether they are a spam reporter or not, is 'suspect' > But isn't this getting > rather paranoid? > > "spamreaders"? Are you serious? :D Spamreading is 'generally' bad.
The vast majority of spam recipients need to have their spam 'automagically' put into a junk folder for them so that they aren't confronted with spamsubjects and spamfroms in their inbox, and they need to be deleting it all unopened, not determining what is and isn't spam by reading subjects, froms, and sometimes interiors of spams mixed in with their goodmail. The inbox is no place for spam to be landing. The world is full of spamwhiners and spamhaters who are also spamreaders and spam profitters. Spam reporters are also spamwhiners and spamhaters and spamreaders. I can't sit and look over the shoulder of every single spamreader or spamreporter to determine for myself whether or how they should be handling their spam, except that in general spamreading works to the advantage of the spammer. > Do you really think the people who buy Viagra or low-rate mortgages > advertised in spam are going to come here and ask technical questions > about the spam? I think there is a tremendous overlap between spamwhiners, spamhaters, spamreaders, spamreporters, and spamprofitters. It is very hard to sort them out, except that I know that those who delete all of their spam unopened because it has been put into a junk folder by an effective filter are not profitting spammers. Any variety of spamreader, reporter or not, is at least partially suspect because I can't police how they go about reading their spam. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sat Sep 3 19:47:57 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat Sep 3 21:50:03 2005 Subject: [SpamCop-List] Re: Att'n. Mike Easter: Scammers Cashing in on Katrina References: Message-ID: Robert Taylor wrote: > Mike Easter >> Robert Taylor wrote: >>> According to a pair of >>> exchanges over in another news group, it seems that, despite their >>> best intentions, R. C. may not be handling the matter too well. >> >> I would be interested in seeing that discussion. Where is it? 
> news.grc.com > group: grc.security > thread: scammers hit web in Katrina's wake That method of discussing the issue by describing emails isn't going to work. The whole enchilada needs to be posted, and that's not the right place to do it. There's no point in even discussing the items [at least to me] if it isn't posted in its entirety somewhere -- for example there's a nana [news.admin.net-abuse.*] newsgroup for sightings which is appropriate for posting spams for discussion. So, I'm going to pass on even getting involved in the discussion, unless I were to go over there and tell them that if they are going to discuss spams they should be posting them. But it seems the discussants are people who like to try to describe spams, so I'm staying out. -- Mike Easter kibitzer, not SC admin From not at home.today Sun Sep 4 03:45:49 2005 From: not at home.today (Ant) Date: Sat Sep 3 21:55:03 2005 Subject: [SpamCop-List] Re: spam within spam? References: Message-ID: "JG" wrote: > Cripe, did that piss you off that much? I was curious of what the > intent was. I report too much of this shit to spend that much time > analyzing it to death... Don't mind Mike; he froths at the mouth, although not usually this sarcastically, when someone "reads" a spam by allowing their mail agent to "open" it. He has a point in that some mail agents (e.g. OE) tend to be insecure when rendering html content. Apart from script or other (usually Microsoft) vulnerabilities which can be exploited when rendering an email, spams can contain web beacons which signal to the spammer that you opened the mail if you are online at the time. Also if you are "curious" about what's at the other end of a link, you may be tempted to click it, thus generating a hit for the spammer and possibly infecting your PC with malware if insecurely configured. I hardly think that anyone here is going to be seduced into buying spamvertized crap. 
To answer your original question; spammers obfuscate to get around filters, and try to mislead as to the true source of the mail. Of course we (ObTinw) say spammers are stupid, and this item, having a different plain-text and html part, is an obvious indicator of spam. From g.hyde at bigpond.net.au Sun Sep 4 14:33:04 2005 From: g.hyde at bigpond.net.au (Geoffrey Hyde) Date: Sat Sep 3 23:35:04 2005 Subject: [SpamCop-List] Re: www.mypctuneup.com References: Message-ID: I'm not sure if this is relevant, but one really good (and AFAICT, fairly safe) improvement newer PC's have over older ones is that they factory-install a BIOS chip which has Trend ChipAaway or some similar BIOS-based antivirus protection which prevents most exploits like this from running in the first place. I'm not saying it's the only protection one needs, as I most certainly do have Symantec's Norton Internet Security (which includes a Norton Antivirus program tailored for NIS) installed as well, but I sure wouldn't like to be without the chip protection which stops a lot of simpler virus infection methods dead in their tracks. It may be a bit overzealous, though a lot of the time I don't know if something I am prompted to install is something I want to trust or not, and I'm quite glad modern computer software and BIOSes are being updated to help block more common virus infection methods. -- Cheers ... Geoffrey Hyde "Jeff" wrote in message news:detet2$f32$1@news.spamcop.net... > That's SO NICE of these people to install software spy software on my > computer without my permission > and then offer a website with a free uninstall. I just noticed this crap > in my Add/Remove Programs > listing, and when I clicked on it, it wouldn't uninstall without a > connection to the internet. 
Then > it made me answer some questions and tried to pressure me to NOT uninstall > the software and when I > finally insisted on unintalling, it takes you to http://www.mypctuneup.com > where you have to > download more software to do the uninstall. I can't believe this is not > illegal. The FAQ on this > website claims that I gave them permission to install their spy software > which I most certainly did > not. > > Jeff > > From RobertTaylor at SpamCop.net Sun Sep 4 01:20:59 2005 From: RobertTaylor at SpamCop.net (Robert Taylor) Date: Sun Sep 4 00:25:03 2005 Subject: [SpamCop-List] Re: Att'n. Mike Easter: Scammers Cashing in on Katrina References: Message-ID: In news:dfdjoc$55m$1@news.spamcop.net, Mike Easter sent: > Robert Taylor wrote: >> Mike Easter > >>> Robert Taylor wrote: >>>> According to a pair of >>>> exchanges over in another news group, it seems that, despite their >>>> best intentions, R. C. may not be handling the matter too well. >>> >>> I would be interested in seeing that discussion. Where is it? > >> news.grc.com >> group: grc.security >> thread: scammers hit web in Katrina's wake > That method of discussing the issue by describing emails isn't going to > work. The whole enchilada needs to be posted, and that's not the right > place to do it. There's no point in even discussing the items [at least > to me] if it isn't posted in its entirety somewhere -- for example > there's a nana [news.admin.net-abuse.*] newsgroup for sightings which is > appropriate for posting spams for discussion. > > So, I'm going to pass on even getting involved in the discussion, unless > I were to go over there and tell them that if they are going to discuss > spams they should be posting them. But it seems the discussants are > people who like to try to describe spams, so I'm staying out. I understand. Of course, that decision is perforce entirely up to you, and I respect it. 
In citing the above thread, it was not my intention to suggest that you join it; I thought perhaps you might choose to do some independent investigation, e.g., with information supplied by Red Cross, but I see your point regarding the absence of some concrete material in an appropriate forum. Regards, Robert -- eMail: RobertTaylor@SpamCop.net Web-Address: http://users.rcn.com/robertt.nh.ultranet/Web-SitePg1.htm From JG at coks.net Sun Sep 4 00:32:47 2005 From: JG at coks.net (JG) Date: Sun Sep 4 02:35:04 2005 Subject: [SpamCop-List] Re: spam within spam? In-Reply-To: References: Message-ID: On 9/3/2005 6:19 PM Mike Easter scribbled: In hindsight: Mike Easter barked: > > >>>>If you routinely open your spam and read it, you must have some >>>>purpose in mind. What exactly is your intention when you open a >>>>spam? Not out of curiosity, I assure you. I ctrl/u for source and see: Subject: Your dreams come true today Mime-Version: 1.0 Content-Type: multipart/related; type="multipart/alternative"; boundary="=====================_88522554==.REL" --=====================_88522554==.REL Content-Type: multipart/alternative; boundary="=====================_75176944==.ALT" --=====================_75176944==.ALT Content-Type: text/plain; charset="iso-8859-1"; format=flowed Content-Transfer-Encoding: quoted-printable ! boo it's cellular or gogo in resumption and tomorrow not hereford and dexter not crimea try proverb or louver , upon the declaim or resistible but indefatigable see bolo see kraft a carlyle not added it's nairobi. --=====================_75176944==.ALT Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable 3D""

a ascription the struck or permissible some century or captain , hat and antiperspirant not plop it's projectile , epidemiology not snippy but cheap but auk it's bandit or canton and finland the straw , bennington a falcon. No, thanks; > For Deletion
--=====================_75176944==.ALT-- --=====================_88522554==.REL Content-Type: image/gif; name="hollywood.7.gif"; x-mac-type="1A903702"; x-mac-creator="8A491966" Content-ID: <9.0.0.86.0.35941329679831.28431184@conciliate.flashmail.com.6> Content-Transfer-Encoding: base64 Content-Disposition: inline; filename="hollywood.7.gif" --=====================_88522554==.REL-- Now, doesn't that tell us all a lot about the spam? You'd never know that it was a mortgage spam from that mess, least I wouldn't. And SC parser doesn't enlighten anyone as to the content - could be a drug ring, maybe terrorists (eek), who knows.
And you think it better that the unwashed masses just dump it and go on. Well, in a way you are probably correct. But some of us aren't content to just report the source through SC because, frankly, we're just pissing up a rope, regardless of what you say. 10 kornets a day and go away. Since you have started this biz, /way/ before I did, it has only gotten worse. And you continue to pound the table for ??? Yes, dimwits continue to look and buy. Remember Holden Caulfield? Nothing to be done about that - that is why spam lives.

What sort of investigation do you do before you open it?

I see a subject asking me if my penis is large enough and have to think about it a minute...

>>>>How are you configured to assure that opening spam does not benefit
>>>>the spamvertiser more than it does /not/ benefit the spamvertiser.

I don't understand that question. I open a spam on my machine - I have my client set to not allow script execution nor to open any attachments. Furthermore, all spam has already been filtered to a separate folder.

>>If you know a better way to spot a meds list I'm all ears...
>
> If you are going to open your spams, I would inspect the message source
> before I did that, so that you will know how it is constructed before
> you open it.

I thought I had been through that.

You will also have to decide if you are going to open the
> items offline, since you are presumably going to be rendering any html
> which is inside. Alternatively, if you are sufficiently skilled at
> reading or interpreting raw unrendered html, you could do your
> inspections on the unrendered condition.

I don't understand your concern here - I haven't encountered that problem. My client sanitizes html automatically.

>
> In addition to opening spams and reading them, you will also have to
> determine the content of the ultimate website after any redirectors --
> because sometimes the apparent content of the spam isn't what the
> website is all about. This issue about the presumed

Don't know why your sentence got cut off here, but I understand your question and that is why I posted in the 1st place - the apparent content didn't look like the source. Beyond that, terms like redirectors lose me...

>
> Or perhaps the better and quicker strategy would be to simply use the
> parser to 'extract' the links and then use a tool, either online or
> console based to GET the website's content and make your judgment as to
> pharm spams.

I think it has been pretty well documented in this group that the "extractor" does a pretty piss poor job (on purpose, of course, since it is only interested in the source - The Holy Grail) with the spamverts. I haven't risen to the level of 'Getting' site contents yet.

And, no, I /DO NOT/ visit any links offered (where did you get the idea I was visiting sites??).

Interestingly enough, over in a Netscape group, there is an individual spouting off that he goes to /every/ link in spam so he can find the source and report it and is claiming almost total success. Claims that he gets feedback from kornet and cnc-noc (sp?)

The stock spams typically don't have a payload website
> associated.

True, but the intent is often buried in alphabet soup, less than others...

>
> I'm not altogether sure that the profit which is provided to the spammer
> by tickling the website is balanced by the debatable 'value' of
> providing the information to the FDA or SEC -- but since I can't prove
> that one way or the other it becomes a personal choice of the particular
> spamfighter.

How am I tickling anyone??

>
> That is, your actions are profiting the spammer. Depending upon how
> you do it, you may also be 'inviting' more spam with webbugs.

Please explain...

> Ostensibly you are gaining some unknown something or other in the
> spamfighting effort by giving stock spams to the SEC and pharm spams to
> the FDA -- but I actually rather doubt that you are succeeding in doing
> anything of consequence there.

Seems like another pile to throw something on, like SC lists, same effect...

>
> So, then what we have left, in the example of the pharm spam, since it
> involves a website hit, is positive benefit to the spammer as a
> combination of whatever webbugs you tickle if you open the spam
> insecurely - plus whatever advertiser profits you give to the spammer by
> either visiting the website or tickling it with a GET function - to be
> somehow counterbalanced by some effect against the spammer by giving the
> spam to the FDA and SEC. I'm concerned that that counterbalance is
> zero -- so the spammer has a net gain as a result of your spamfighting
> efforts which involve opening the spam and/or visiting the website to
> determine what is going on there.

I think you have made a lot of assumptions here and are a little off base. I never mentioned visiting any site, nor using GET (I am aware of the function, but don't know how to use it) so don't know where this is coming from.

>
> Perhaps you would be better off to just send everything blindly to the
> FDA and SEC and not investigate anything. I realize that sounds zany,
> but I think the spammer is winning the investigation battle.
>

Well, yeah, you are spending your time ranting at me about zilch when your knowledge, experience, and wit could be put to better use in the battle against spam. And seeing the effect that SC has had/is having on spam, I would, if I were you, get off the high horse you are kibbutzing.

From JG at coks.net Sun Sep 4 00:46:17 2005
From: JG at coks.net (JG)
Date: Sun Sep 4 02:45:02 2005
Subject: [SpamCop-List] Re: spam within spam?
In-Reply-To:
References:
Message-ID:

On 9/3/2005 6:27 PM Mike Easter scribbled:

>
> Spamreading is 'generally' bad. The vast majority of spam recipients
> need to have their spam 'automagically' put into a junk folder for them
> so that they aren't confronted with spamsubjects and spamfroms in their
> inbox, and they need to be deleting it all unopened, not determining
> what is and isn't spam by reading subjects, froms, and sometimes
> interiors of spams mixed in with their goodmail. The inbox is no place
> for spam to be landing.

Sounds like '1984' or 'Animal Farm', but you have a point...

>
> The world is full of spamwhiners and spamhaters who are also spamreaders
> and spam profitters. Spam reporters are also spamwhiners and spamhaters
> and spamreaders.

Here you have no point...

>
> I can't sit and look over the shoulder of every single spamreader or
> spamreporter to determine for myself whether or how they should be
> handling their spam, except that in general spamreading works to the
> advantage of the spammer.
>

Rash generalization probably unsupported, an educated guess at best, probably true but not admissible,,,

Dave opined, and I wholeheartedly concur :

>>Do you really think the people who buy Viagra or low-rate mortgages
>>advertised in spam are going to come here and ask technical questions
>>about the spam?

Mike demurred

>
> I think there is a tremendous overlap between spamwhiners, spamhaters,
> spamreaders, spamreporters, and spamprofitters. It is very hard to sort
> them out, except that I know that those who delete all of their spam
> unopened because it has been put into a junk folder by an effective
> filter are not profiting spammers. Any variety of spamreader, reporter
> or not, is at least partially suspect because I can't police how they go
> about reading their spam.

There's a sound bite...

From JG at coks.net Sun Sep 4 00:56:02 2005
From: JG at coks.net (JG)
Date: Sun Sep 4 02:55:03 2005
Subject: [SpamCop-List] Re: spam within spam?
In-Reply-To:
References:
Message-ID:

On 9/3/2005 6:45 PM Ant scribbled:

> "JG" wrote:
>
>
>>Cripe, did that piss you off that much? I was curious of what the
>>intent was. I report too much of this shit to spend that much time
>>analyzing it to death...
>
>
> Don't mind Mike; he froths at the mouth, although not usually this
> sarcastically,

I know he can go off, but this one threw me...

when someone "reads" a spam by allowing their mail
> agent to "open" it. He has a point in that some mail agents (e.g. OE)
> tend to be insecure when rendering html content. Apart from script or
> other (usually Microsoft) vulnerabilities which can be exploited when
> rendering an email, spams can contain web beacons which signal to the
> spammer that you opened the mail if you are online at the time.

I could google it, but might you supply a link to an explanation of this?

Also
> if you are "curious" about what's at the other end of a link, you may
> be tempted to click it, thus generating a hit for the spammer and
> possibly infecting your PC with malware if insecurely configured

Tnx, know that.. I hardly think that anyone here is going to be seduced into buying spamvertized crap. Good to know...

>
> To answer your original question; spammers obfuscate to get around
> filters, and try to mislead as to the true source of the mail.

Yes, I know that - the use of ebay /embedded/ was, to me, unique. Of course we (ObTinw) say spammers are stupid, and this item, having a different plain-text and html part, is an obvious indicator of spam. Thanks, we knew that from the beginning. What's obtinw? And thanks, your time is appreciated.

jg (can't say Jeff G.
cuz name taken)

From redford_stone at INVERSE_OF_COLDmail.com Sun Sep 4 09:47:38 2005
From: redford_stone at INVERSE_OF_COLDmail.com (Redstone)
Date: Sun Sep 4 04:50:52 2005
Subject: [SpamCop-List] Re: New bulletproof hosting, uk.geocities
References:
Message-ID:

"Berny" wrote in news:df9k64$mbi$1@news.spamcop.net:

>
> Hoops!!, now for several weeks the jerks at uk.geocities have had their
> thumbs up their bums while they play whack a mole with a 2 day reaction
> time.
>
>

That's about average. However, the particular Geocities spammer stopped spamming since I was being tenacious enough to report EACH and every link.

From MikeE at ster.invalid Sun Sep 4 03:17:02 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Sep 4 05:20:45 2005
Subject: [SpamCop-List] Re: spam within spam?
References:
Message-ID:

JG wrote:

> Subject: Your dreams come true today

I don't see why you felt that you had to paste in a spambody here to show that b64 encoded gif/s [or b64 encoded anything else] need to be b64 decoded and displayed before they can be read. But, even tho' you took up a lot of room posting that here, that posting wasn't as informative about the item as it would have been to post the tracker. In fact, if you had posted the tracker it would have been easier to see what the item was.

> http://www.psarefi.net/?id=3Dp11

Payload site for the gif which sez

Dear Sir/Madam, You're pre-approved for a $400,000 mortgage with a low fixed rate. Your credit is not a factor! We want you in our business! Please, complete the 45 sec. approval form clicking below. CLICK HERE TO ACTIVATE YOUR MORTGAGE

The alleged optout link is here http://www.psarefi.net/book.php

> Now, doesn't that tell us all a lot about the spam? You'd never know
> that it was a mortgage spam from that mess, least I wouldn't.

The business of safely and securely opening a spam which contains a gif is a quick way of seeing what the gif sez and what the links are; but I don't recommend insecurely opening and rendering unknown html mails when you don't know what is inside or whether or not you are securely configured. How can I know what some spamreader knows and doesn't know about inspecting spam prior to opening and rendering? Opening a spam or other unknown html mail can do all kinds of bad things to you if you are insecure and exploited.

> And SC parser doesn't enlighten anyone as to the content - could be a
> drug ring, maybe terrorists (eek), who knows.

That is correct, the parser doesn't render a gif for you.

> And you think it better that the unwashed masses just dump it and go
> on.

Yes I believe that the majority of spam recipients need to have their spam separated from their goodmail by a good filter so that it isn't in their inbox and they don't need to open any spam to find out if it is spam or not. At that point they can decide if they want to be a 'passive' antispammer by deleting all of the spam unopened and unread. If they want to take an additional step toward spamfighting and they don't know enough about handling spam securely, then they can feed their spams to the SC parser for reporting. The majority of them should not be opening spams allegedly for determining additional notifies, because their spam opening might be causing more harm than good if they don't know what they are doing. Sometimes you act like you don't know what you are doing.

> Well, in a way you are probably correct. But some of us aren't
> content
> to just report the source through SC because, frankly, we're just
> pissing up a rope, regardless of what you say.

I'm not against people graduating from passively deleting all spams unopened to some variety of advanced spamfighting, but I don't believe that advanced spamfighting starts with opening and rendering spams insecurely or unsafely.

> What sort of investigation do you do before you open it?
>
> I see a subject asking me if my penis is large enough and have to
> think about it a minute...

Ha! But that's not good enough.

>>>>> How are you configured to assure that opening spam does not
>>>>> benefit the spamvertiser more than it does /not/ benefit the
>>>>> spamvertiser.

> I don't understand that question. I open a spam on my machine - I
> have
> my client set to not allow script execution nor to open any
> attachments. Furthermore, all spam has already been filtered to a
> separate folder.

The good news about having the spam prefiltered is that you already know it is spam before you start handling it. The security of not allowing script execution is a plus, but not opening the attachment can interfere with your being able to see the content of a gif, for example.

>>> If you know a better way to spot a meds list I'm all ears...
>>
>> If you are going to open your spams, I would inspect the message
>> source before I did that, so that you will know how it is
>> constructed before you open it.
>
> I thought I had been through that.

And then, if you can safely determine that the item can be opened, sometimes opening it and rendering it is quicker than taking it apart and decoding it 'piecemeal' like I had to do with what you posted here which you should have put a tracker for instead.

> You will also have to decide if you are going to open the
>> items offline, since you are presumably going to be rendering any
>> html which is inside. Alternatively, if you are sufficiently
>> skilled at reading or interpreting raw unrendered html, you could do
>> your inspections on the unrendered condition.
>
> I don't understand your concern here - I haven't encountered that
> problem. My client sanitizes html automatically.

I think you should be very careful about assuming what 'sanitizes html' really means.
I don't understand exactly what you mean compared to what I find out when I examine a message source of unrendered html.

>> In addition to opening spams and reading them, you will also have to
>> determine the content of the ultimate website after any redirectors
>> -- because sometimes the apparent content of the spam isn't what the
>> website is all about. This issue about the presumed

Oops. I was going to say something about the presumed site not being what it seemed to be from the spam content, but the site was actually about what the html content said.

> Don't know why your sentence got cut off here, but I understand your
> question and that is why I posted in the 1st place - the apparent
> content didn't look like the source. Beyond that, terms like
> redirectors lose me...

A redirector is when the spambody contains a link, and spamcop determines the provider for the link, but the provider for that link isn't the provider for the link where the payload is. In this case for which you provided the tracker, there was a redirector, and the payload was at a different url than the body content, but the provider for the redirector and the payload site were the same, as it was all the same IP.

>> Or perhaps the better and quicker strategy would be to simply use the
>> parser to 'extract' the links and then use a tool, either online or
>> console based to GET the website's content and make your judgment as
>> to pharm spams.
>
> I think it has been pretty well documented in this group that the
> "extractor" does a pretty piss poor job (on purpose, of course, since
> it
> is only interested in the source - The Holy Grail) with the spamverts.
> I haven't risen to the level of 'Getting' site contents yet.

OK. I'm not 'griping' about not evaluating whether or not the spamvertised site is really the payload site.
But, some advanced spamfighters feel a need to check out what is at the site, and not very many like to click on the link and let the spam exercise their browser to take them there.

> And, no, I /DO NOT/ visit any links offered (where did you get the
> idea
> I was visiting sites??).

Because part of the same process which motivates one to open spams for investigation can lead the investigation to the redirectors and then the spamsite's payload. We are discussing the details of advancing the spamfight, which you have chosen to do.

> Interestingly enough, over in a Netscape group, there is an individual
> spouting off that he goes to /every/ link in spam so he can find the
> source and report it and is claiming almost total success. Claims
> that
> he gets feedback from kornet and cnc-noc (sp?)

Different spamfighters have different styles. And tales.

> The stock spams typically don't have a payload website
>> associated.
>
> True, but the intent is often buried in alphabet soup, less than
> others...
>
>>
>> I'm not altogether sure that the profit which is provided to the
>> spammer by tickling the website is balanced by the debatable 'value'
>> of providing the information to the FDA or SEC -- but since I can't
>> prove that one way or the other it becomes a personal choice of the
>> particular spamfighter.
>
> How am I tickling anyone??

If you aren't visiting the spamvertised site or using a GET function, then you aren't. I didn't know how far you were going with your investigation after you opened the spam.

>> That is, your actions are profiting the spammer. Depending upon how
>> you do it, you may also be 'inviting' more spam with webbugs.
>
> Please explain...

If you don't GET or visit, you aren't tripping the counter at the site in that way.
But if you open a spam online with a webbug, such as calling up a graphic from the website, you can 'telegraph' back to the spamsite that a particular graphic got called which can tell the spamsite that a particular mail got opened.

>> Ostensibly you are gaining some unknown something or other in the
>> spamfighting effort by giving stock spams to the SEC and pharm spams
>> to the FDA -- but I actually rather doubt that you are succeeding in
>> doing anything of consequence there.
>
> Seems like another pile to throw something on, like SC lists, same
> effect...

I'm just trying to balance out the costs, in terms of time and effort, and any possible benefits to the spammer, against the gains, in terms of antispam effect, of opening spams so that you can pass the item to the FDA and SEC. Part of the cost evaluation depends on how you do it and how much you know about what you are doing.

> I think you have made a lot of assumptions here and are a little off
> base.

Yes; I made some assumptions. Part of the reasons I asked a lot of questions in the beginning of the diatribe was to clarify the answers to those assumptions. By ranting about the effects of some of the assumptions, I emphasize the reasons why opening spam shouldn't be done willy-nilly because of its hazards, while at the same time 'goading' good answers to the same questions.

> I never mentioned visiting any site, nor using GET (I am aware
> of the function, but don't know how to use it) so don't know where
> this is coming from.

Depending on the issue, I might use GET to determine a redirector, as I did in the case of the item with the tracker, and with the url you pasted in here with the body you shouldn't have. So, I didn't know if you used an online GET gizmo or not.

>> Perhaps you would be better off to just send everything blindly to
>> the FDA and SEC and not investigate anything. I realize that sounds
>> zany, but I think the spammer is winning the investigation battle.
>>
> Well, yeah, you are spending your time ranting at me about zilch when
> your knowledge, experience, and wit could be put to better use in the
> battle against spam.
> And seeing the effect that SC has had/is having on spam, I would, if I
> were you, get off the high horse you are kibbutzing.

--
Mike Easter
kibitzer, not SC admin

From porpoise1954 at yahoo.co.uk Sun Sep 4 11:52:48 2005
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Sun Sep 4 05:55:20 2005
Subject: [SpamCop-List] Re: spam within spam?
References:
Message-ID:

"Dave Lerner" wrote in message news:dfee3t$k4l$1@news.spamcop.net...

>
> In Thunderbird, even if you allow HTML to be rendered, you can block
> remote image links, which prevents the above from happening.
>
> I don't recall if OE provides similar protection, without disabling HTML
> rendering completely.

Yes it does. So does IE.

From MikeE at ster.invalid Sun Sep 4 04:00:18 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Sep 4 06:05:03 2005
Subject: [SpamCop-List] Re: spam within spam?
References:
Message-ID:

JG wrote:

> Dave opined, and I wholeheartedly concur
>>
>>> Do you really think the people who buy Viagra or low-rate mortgages
>>> advertised in spam are going to come here and ask technical
>>> questions about the spam?
>
> Mike demurred

I demurred and then you concurred with a 'stalking horse' or strawman argument. The issue isn't about whether or not other spamreaders and spam believers and spam clickers and spam profitters are going to come in here, nor was that a topic of discussion. The issue is about whether or not spamcop spamreporters ever do 'bad things' with their spamreading and spamhandling. And the answer is "Yes, they most certainly do." Neophyte spamcop reporters have been known to handle their spam badly in the reporting process and cause themselves to get more spam. I get into arguments here or alt.spam or wherever I go about whether or not the various 'anti-s' are somehow immune to spam or not.
I believe that anti-s - where anti is some kind of concept of 'antispammer' are first of all regular people. They are against spam, but some people are only against the spam they aren't interested in, while being interested in other spam. I believe that there are spamreporters who don't like some spam and report it, while reading and using some other spam. I can't prove that, and no anti or reporter likes to admit to ever using spam for shopping or other interests.

I also believe that the passive deleter of all spam unopened who is pledged to never aid a spammer is a valuable contribution to the antispam effort. The spamreporter who is also a sometime spamuser could be considered to be helping spam more than hurting it.

--
Mike Easter
kibitzer, not SC admin

From porpoise1954 at yahoo.co.uk Sun Sep 4 12:30:16 2005
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Sun Sep 4 06:35:03 2005
Subject: [SpamCop-List] Re: spam within spam?
References:
Message-ID:

"Mike Easter" wrote in message news:dfegjj$le1$1@news.spamcop.net...

>
>
> I also believe that the passive deleter of all spam unopened who is
> pledged to never aid a spammer is a valuable contribution to the
> antispam effort. The spamreporter who is also a sometime spamuser could
> be considered to be helping spam more than hurting it.

And therein lies the difficulty Mike - one person's spam is another person's requested product/market update....... Other than the obvious spammers where the originator/spamvertiser are trying to remain anonymous, only the recipient can determine whether or not what they have in their inbox is, in fact, spam. So it goes back to permission - not content (sometimes, not even permission, but whether or not it's related enough to your business to be able to be taken as a genuine marketing/sales/purchasing request/enquiry). One has to (safely) look at the content in order to make that determination.

In other words, if I get a mail containing Pharm spam, then it gets treated as such automagically. On the other hand, if I receive a mail which has anything to do with scuba, freediving, spearfishing, watersports, etc., then I have to treat it as a legitimate business enquiry - whether it was requested or not - until I can determine from the content whether it *IS* a legitimate enquiry, or a scam of some description.

From porpoise1954 at yahoo.co.uk Sun Sep 4 12:38:02 2005
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Sun Sep 4 06:40:03 2005
Subject: [SpamCop-List] Re: spam within spam?
References:
Message-ID:

"Porpoise" wrote in message news:dfeich$mde$1@news.spamcop.net...

>
>
> In other words, if I get a mail containing Pharm spam, then it gets
> treated as such automagically. On the other hand, if I receive a mail
> which has anything to do with scuba, freediving, spearfishing,
> watersports, etc., then I have to treat it as a legitimate business
> enquiry - whether it was requested or not - until I can determine from the
> content whether it *IS* a legitimate enquiry, or a scam of some
> description.

By way of example: If all spam-like emails were automagically dealt with in the manner Mike E would like, I wouldn't have pulled an email from the "spam" folder which was an unsolicited marketing email and we wouldn't now be the British Distributor for their product (diving fins).

From MikeE at ster.invalid Sun Sep 4 04:40:47 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Sep 4 06:45:02 2005
Subject: [SpamCop-List] Re: spam within spam?
References:
Message-ID:

Porpoise wrote:

> "Dave Lerner"
>> In Thunderbird, even if you allow HTML to be rendered, you can block
>> remote image links, which prevents the above from happening.
>>
>> I don't recall if OE provides similar protection, without disabling
>> HTML rendering completely.
>
> Yes it does. So does IE.

I think we should be very careful about what we are saying and not saying about IE/OE in this regard.

OE can be configured to use a particular IE security zone, such as restricted. The IE restricted security zone can be configured to be very restricted with its customization which is where the script running is prevented. IE can be configured 'globally' not specifically for the various security zones for a number of Advanced Internet Options in its Options/ Advanced settings, which includes 'show pictures'.

OE6 can be configured to read all messages in plaintext, thus deterring html rendering altogether, and in the security section can be configured to not open attachments.

What Dave is describing in Tbird about blocking remote image links is not 'independently' configurable without blocking rendering altogether. You could turn off IE's 'show pictures' altogether, but then all your general IE browsing pictures would be gone too.

The remote image link call can be averted by going offline, which is easy to toggle, especially if you put an offline toggle in the toolbar.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Sun Sep 4 04:52:29 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Sep 4 06:55:02 2005
Subject: [SpamCop-List] Re: spam within spam?
References:
Message-ID:

Porpoise wrote:

> "Mike Easter"
>> I also believe that the passive deleter of all spam unopened who is
>> pledged to never aid a spammer is a valuable contribution to the
>> antispam effort. The spamreporter who is also a sometime spamuser
>> could be considered to be helping spam more than hurting it.
>
> And therein lies the difficulty Mike - one person's spam is another
> person's requested product/market update.......

Then we need to have a discussion about what is spam and what isn't. I'm recommending that the deleter delete all /spam/ unopened and unread, not that all 'unknown' mail be deleted unopened and unread.

Some people could whitelist all of their friends and call everything else spam. Some other people have to have much more sophisticated filters to help them with their spamfiltering, because they receive a considerable amount of unknown but wanted mail for business and other reasons.

> Other than the
> obvious spammers where the originator/spamvertiser are trying to
> remain anonymous, only the recipient can determine whether or not
> what they have in their inbox is, in fact, spam.

However, depending upon the design of the spamfilter and its creation of Xlines in the headers of the unknown mail, a lot of very valuable information about an unknown item can be found in the headers. How a person who has a 'busy' mailbox, including spam as well as unknown mail, handles their mail gets complex. I don't think the answer of opening all of the spam to see what it is is the right answer.

> So it goes back to
> permission - not content (sometimes, not even permission, but whether
> or not it's related enough to your business to be able to be taken as
> a genuine marketing/sales/purchasing request/enquiry). One has to
> (safely) look at the content in order to make that determination.

I believe that somewhere in the very high 90s percent of the mail can be well evaluated by passing the mail thru' a good proxy spamfilter like SpamPal which will tag the spam for diversion into a Junk folder. That tagging also includes the creation of the Xlines. I believe that if one is suspicious that a goodmail has been so tagged as spam that the headers can be inspected to see why it was so tagged; while inspecting the headers, if there are still questions, the message source can be examined. If it is determined that the item was a false positive from that investigation, then it can be moved out of the Junk folder and opened. Opening spam to find goodmail isn't often necessary if there is a proper filter in place doing the inspecting and the tagging.
The spam filter can do a much more thorough job of inspection than your eyeballs reading subjects and froms.

> In other words, if I get a mail containing Pharm spam, then it gets
> treated as such automagically. On the other hand, if I receive a mail
> which has anything to do with scuba, freediving, spearfishing,
> watersports, etc., then I have to treat it as a legitimate business
> enquiry - whether it was requested or not - until I can determine
> from the content whether it *IS* a legitimate enquiry, or a scam of
> some description.

You can be aided in those endeavors by a proper proxy spamfilter tagging the mail.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Sun Sep 4 04:54:08 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Sep 4 06:55:06 2005
Subject: [SpamCop-List] Re: spam within spam?
References:
Message-ID:

Porpoise wrote:

> If all spam-like emails were automagically dealt with in the manner
> Mike E would like, I wouldn't have pulled an email from the "spam"
> folder which was an unsolicited marketing email and we wouldn't now
> be the British Distributor for their product (diving fins).

It is possible for good spamfilters to have false positives or false negatives. The strategy for determining that involves careful handling of the undiagnosed spam or goodmail on the way to figuring it out.

--
Mike Easter
kibitzer, not SC admin

From porpoise1954 at yahoo.co.uk Sun Sep 4 13:06:00 2005
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Sun Sep 4 07:10:03 2005
Subject: [SpamCop-List] Re: spam within spam?
References:
Message-ID:

"Mike Easter" wrote in message news:dfeivh$mqp$1@news.spamcop.net...

> Porpoise wrote:
>
> OE can be configured to use a particular IE security zone, such as
> restricted. The IE restricted security zone can be configured to be
> very restricted with its customization which is where the script running
> is prevented. IE can be configured 'globally' not specifically for the
> various security zones for a number of Advanced Internet Options in its
> Options/ Advanced settings, which includes 'show pictures'.

OE can be set to prevent the rendering of pictures and external HTML regardless of what other security settings are set/unset.

>
> OE6 can be configured to read all messages in plaintext, thus deterring
> html rendering altogether, and in the security section can be configured
> to not open attachments.

Not necessary if picture rendering and external HTML rendering is disabled.

>
> What Dave is describing in Tbird about blocking remote image links is
> not 'independently' configurable without blocking rendering altogether.
> You could turn off IE's 'show pictures' altogether, but then all your
> general IE browsing pictures would be gone too.

I don't know what you mean by "independently" configurable in Tbird, but in OE/IE the showing/or not of pictures is settable independently of any other security settings.

>
> The remote image link call can be averted by going offline, which is
> easy to toggle, especially if you put an offline toggle in the toolbar.
>

Yes. And if you are still online, even reading the source in some other editing programme can be dangerous if that editing programme also has the ability to "preview" the webpage/email code

From MikeE at ster.invalid Sun Sep 4 05:26:06 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Sep 4 07:30:03 2005
Subject: [SpamCop-List] Re: spam within spam?
References:
Message-ID:

Porpoise wrote:

> OE can be set to prevent the rendering of pictures and external HTML
> regardless of what other security settings are set/unset.

No [or I don't understand what you are saying]. IE [not OE] can be set to prevent the rendering of pictures in all security zones. This would prevent OE from having IE render the pictures, but it would also disable all IE picture rendering for all zones, not just restricted.
Somehow there is something wrong with our communication here. >> OE6 can be configured to read all messages in plaintext, thus >> deterring html rendering altogether, and in the security section can >> be configured to not open attachments. > > Not necessary if picture rendering and external HTML rendering is > disabled. I'm assuming you are describing picture rendering in IE/ Tools/ Internet Options/ Advanced tab/ Multimedia section - uncheck show pictures. There isn't a 'picture showing' configuration section in OE, except for not opening attachments. I'm not sure what you mean by 'external html rendering'. My par just above is about configuring OE6 -- the business of configuring IE to control how it renders for OE takes two forks. How it is configured 'in general' not specifically for a security zone in the Advanced tab, and how the Restricted zone is configured if that is the security zone OE is configured for. >> What Dave is describing in Tbird about blocking remote image links is >> not 'independently' configurable without blocking rendering >> altogether. You could turn off IE's 'show pictures' altogether, but >> then all your general IE browsing pictures would be gone too. > > I don't know what you mean by "independently" configurable in Tbird, > but in OE/IE the showing/or not of pictures is settable independantly > of any other security settings. I want us to be careful about not 'smearing' OE/IE configuration together, even tho' they are married, the configurations are done one place or another. We configure OE including which security setting of IE to use. We configure IE, including in the advanced section which affects all IE function, not just that for OE's restricted zone. >> The remote image link call can be averted by going offline, which is >> easy to toggle, especially if you put an offline toggle in the >> toolbar. >> > > Yes. 
And if you are still online, even reading the source in some > other editing programme can be dangerous if that editing programme > also has the ability to "preview" the webpage/email code Correct; going offline is only going offline. It doesn't change anything else which might be insecurely configured or handled. -- Mike Easter kibitzer, not SC admin From porpoise1954 at yahoo.co.uk Sun Sep 4 13:41:15 2005 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Sun Sep 4 07:45:03 2005 Subject: [SpamCop-List] Re: spam within spam? References: Message-ID: "Mike Easter" wrote in message news:dfejle$n65$1@news.spamcop.net... > Porpoise wrote: >> "Mike Easter" > > Then we need to have a discussion about what is spam and what isn't. > I'm recommending that the deleter delete all /spam/ unopened and unread, > not that all 'unknown' mail be deleted unopened and unread. Well, according to the widest definition of what spam is, it is 'unsolicited commercial/bulk email'. Content doesn't enter the equation. And under that definition, most of it gets tagged as spam and shitfed to the "spam" folder. Probably 99% of what ends up in there comes under that categorisation. Unfortunately, a lot of that "unsolicited" email is valid commercial marketing mail (from unknown originators - so can't be white-listed as I'm not psychic and able to see into the future to be able to white-list people we don't know about yet). The filter hasn't been invented that can make that determination because it is highly subjective and requires the perusal of a yumanbeen > > Some people could whitelist all of their friends and call everything > else spam. Some other people have to have much more sophisticated > filters to help them with their spamfiltering, because they receive a > considerable amount of unknown but wanted mail for business and other > reasons. See above. 
> >> Other than the >> obvious spammers where the originator/spamvertiser are trying to >> remain anonymous, only the recipient can determine whether or not >> what they have in their inbox is, in fact, spam. > > However, depending upon the design of the spamfilter and its creation of > Xlines in the headers of the unknown mail, a lot of very valuable > information about an unknown item can be found in the headers. How a > person who has a 'busy' mailbox, including spam as well as unknown mail, > handles their mail gets complex. I don't think the answer of opening > all of the spam to see what it is is the right answer. No-one was talking about the opening of *all* spam - the pharms and scams are mostly obvious - what was being discussed is whether or not a large proportion of unsolicited commercial email is in fact 'spam' and that it is necessary to read *that* spam in order to make that determination. (Or perhaps what we should be doing is further categorising such mail into "wanted spam" and "unwanted spam". The wanted spam being the determination of the recipient. In the real, commercial, world that we live in what is "unsolicted" and what is "unwanted" are not always the same thing. > > > I believe that somewhere in the very high 90s percent of the mail can be > well evaluated by passing the mail thru' a good proxy spamfilter like > SpamPal which will tag the spam for diversion into a Junk folder. So just how, exactly, would the spamfilter determine whether or not we were potentially interested in buying/selling/distributing a particular product from a particular manufacturer or not. I guess you could use bogosity as some form of measure (where source = spamvertiser = product name, or whatever) but outside of that, the algorithm hasn't been written that can determine what/or not we might be interested in buying/selling/distributing. > That > tagging also includes the creation of the Xlines. 
I believe that if one > is suspicious that a goodmail has been so tagged as spam that the > headers can be inspected to see why it was so tagged; while inspecting > the headers, if there are still questions, the message source can be > examined. And determine what? Outside of the normal bogosity issue mentioned above. > If it is determined that the item was a false positive from that > investigation, then it can be moved out of the Junk folder and opened. Which is what I do several times every day...... i.e. 'It' gets filtered into the "spam" folder first, from where I have to retrieve 'it'. But I still have to read it in order to make the final determination (bearing in mind the 'obvious ones are obvious). > > Opening spam to find goodmail isn't often necessary if there is a proper > filter in place doing the inspecting and the tagging. The spam filter > can do a much more thorough job of inspection than your eyeballs reading > subjects and froms. As detailed above, the filter hasn't been written yet that can do that. All of our known business associates are already white-listed, it's the, as yet, unknown ones that defeat any filtering algorithm. > > You can be aided in those endeavors by a proper proxy spamfilter tagging > the mail. Yet again, as shown above, that hasn't been written yet. Whilst our mail *is* filtered, there is no way of writing a filter that can know that I want to be able to deal with this unknown sender but not that unknown sender. Or that I might be interested in that product but not this one. Or that I might be interested in this product - but only from that supplier, not this one.... or, or, or........ There are too many 'ors' and 'ifs' involved. So, unfortunately, it still means trolling through the "spam" folder serching out potentially missed business opportunities. I'm not saying that what you are suggesting is rubbish. 
Most of what you are saying is valid and extremely good advice when considering your average "home" user, where the demarcation lines are more easily drawn, but a lot of it just doesn't work in a full-scale commercial environment. From MikeE at ster.invalid Sun Sep 4 05:44:05 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Sep 4 07:45:09 2005 Subject: [SpamCop-List] Re: spam within spam? References: Message-ID: Since this is a thread I've been doing my ranting about spamreading and spamhandling in, I'll try to clarify what often sounds harsh or something else. I'm against recipients reading spamsubjects in the inbox to determine if something is spam or not; it is much better to use a proxy spamfilter or spamcop to sort and tag the spamitems. When spam is 'properly' sorted into the Junk folder and tagged and Xlined, the /deleter/ can carefully inspect it and delete it all unopened. If the deleter needs to inspect the /interior/ of spams, s/he should have instruction on doing that securely, not just be opening it insecurely. When spam is properly sorted into the Junk folder and tagged and Xlined, the /reporter/ can contribute it to the spamcop parsing and reporting service, typically without opening it for reading or other interests. The inspection of the interior can usually be performed from the results of the parse. If there is confusion, it likely can be resolved by view entire message. If there is still confusion, and the reporter has need to /open/ a spam for evaluation, that should not be done before the above inspection or otherwise insecurely. That security involves proper configuration for proper spam handling. I make no assumptions about how spam reporters are configured. When spam is properly sorted and tagged, some more *advanced* reporters may also be interested in making additional determinations. They may be interested in additional notifies based on content. They may be interested in additional notifies based on unresponsive providers. 
They may be interested in additional notifies based on redirectors of the spamvertised site. The advanced reporter has a higher obligation for secure handling than does the deleter, of course. Of double course. Underlined. One does not start down the road to becoming an advanced reporter by opening spam. One starts down that road by *NOT* opening spam, but instead by examining message sources. And learning how to handle spam securely. And securing one's browser or using other tools. The default model for spam recipients is to receive spam in the inbox and open it insecurely and curiously as a potential item of interest. One should not /assume/ how far a spamcop reporter has come away from the default mode just by becoming a reporter. -- Mike Easter kibitzer, not SC admin From porpoise1954 at yahoo.co.uk Sun Sep 4 13:43:52 2005 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Sun Sep 4 07:45:13 2005 Subject: [SpamCop-List] Re: spam within spam? References: Message-ID: "Mike Easter" wrote in message news:dfejoh$nan$1@news.spamcop.net... > Porpoise wrote: >> If all spam-like emails were automagically dealt with in the manner >> Mike E would like, I wouldn't have pulled an email from the "spam" >> folder which was an unsolicited marketing email and we wouldn't now >> be the British Distributor for their product (diving fins). > > It is possible for good spamfilters to have false positives or false > negatives. The strategy for determining that involves careful handling > of the undiagnosed spam or goodmail on the way to figuring it out. That's part of the point I was making Mike - that the filter hasn't yet been written that can do all that, so........ it means I still have to troll through the "spam" folder to retrieve those potential missed opportunities - which can still only be determined by the reading of such mails.......
From MikeE at ster.invalid Sun Sep 4 05:55:59 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Sep 4 08:00:04 2005 Subject: [SpamCop-List] Re: spam within spam? References: Message-ID: Porpoise wrote: > "Mike Easter" >> I believe that somewhere in the very high 90s percent of the mail >> can be well evaluated by passing the mail thru' a good proxy >> spamfilter like SpamPal which will tag the spam for diversion into a >> Junk folder. > > So just how, exactly, would the spamfilter determine whether or not > we were potentially interested in buying/selling/distributing a > particular product from a particular manufacturer or not. I guess you > could use bogosity as some form of measure (where source = > spamvertiser = product name, or whatever) but outside of that, the > algorithm hasn't been written that can determine what/or not we might > be interested in buying/selling/distributing. Bogosity is very important; as is being sourced from proxy/trojans. I can't imagine that your wanted mail would be being tagged by my spam filter. Each person's spam filter is configured according to the kinds of mail they get, spam and wanted as well, so the tuning of a filter for you might be different than its tuning for me. We are trying to talk about some generic concept here; I'm saying that maybe it isn't as much of a problem as you think. However, if you are 'interested in' genuine spam with bogus headerlines and abuse of proxies on my filter's dnsbl lists and spammishness in the body just because it is about your interest, then I would fault your choice of supporting that type of spamming. >> That >> tagging also includes the creation of the Xlines. I believe that if >> one is suspicious that a goodmail has been so tagged as spam that the >> headers can be inspected to see why it was so tagged; while >> inspecting the headers, if there are still questions, the message >> source can be examined. > > And determine what? 
Outside of the normal bogosity issue mentioned > above. If an alleged goodmail was tagged by the filter, it would be tagged for a reason. That reason is determined in the Xlines. Knowledge of the Xline information precedes the inspection of the interior by the message source. >> If it is determined that the item was a false positive from that >> investigation, then it can be moved out of the Junk folder and >> opened. > > Which is what I do several times every day...... i.e. 'It' gets > filtered into the "spam" folder first, from where I have to retrieve > 'it'. But I still have to read it in order to make the final > determination (bearing in mind the 'obvious ones are obvious). We would need to talk about some specific false positives to make a meaningful discussion. Perhaps there's something wrong with the way you are filtering. >> Opening spam to find goodmail isn't often necessary if there is a >> proper filter in place doing the inspecting and the tagging. The >> spam filter can do a much more thorough job of inspection than your >> eyeballs reading subjects and froms. > > As detailed above, the filter hasn't been written yet that can do > that. All of our known business associates are already white-listed, > it's the, as yet, unknown ones that defeat any filtering algorithm. Which/what filtering algorithm? >> You can be aided in those endeavors by a proper proxy spamfilter >> tagging the mail. > > Yet again, as shown above, that hasn't been written yet. Whilst our > mail *is* filtered, there is no way of writing a filter that can know > that I want to be able to deal with this unknown sender but not that > unknown sender. Or that I might be interested in that product but not > this one. Or that I might be interested in this product - but only > from that supplier, not this one.... or, or, or........ There are too > many 'ors' and 'ifs' involved. 
So, unfortunately, it still means > trolling through the "spam" folder searching out potentially missed > business opportunities. I think you should mostly not have to be looking in the spam folder. That is a very very nasty place. The proper filtering strategy should be to almost never have false positives, even if there's a little leakage of false negatives. > I'm not saying that what you are suggesting is rubbish. Most of what > you are saying is valid and extremely good advice when considering > your average "home" user, where the demarcation lines are more easily > drawn, but a lot of it just doesn't work in a full-scale commercial > environment. I have a feeling your filtering criteria might be too tight or need a different design with more focus on dnsbl/s and less on various innocent html, if your unknown goodmail is constructed 'promotionally'. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sun Sep 4 05:59:59 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Sep 4 08:00:10 2005 Subject: [SpamCop-List] Re: spam within spam? References: Message-ID: Porpoise wrote: > "Mike Easter" >> It is possible for good spamfilters to have false positives or false >> negatives. The strategy for determining that involves careful >> handling of the undiagnosed spam or goodmail on the way to figuring >> it out. > > That's part of the point I was making Mike - that the filter hasn't > yet been written that can do all that, so........ it means I still > have to troll through the "spam" folder to retrieve those potential > missed opportunities - which can still only be determined by the > reading of such mails....... Yabbut, trolling thru' the spam folder having to look very 'carefully' is nasty business. You don't want that to be going on. You are much better off picking thru' the inbox and spotting some spams in there and moving them into Junk than you are having to carefully inspect a folder full of spams. That is very bad. Nasty stuff.
I think we should be talking about the specifics of your filter. -- Mike Easter kibitzer, not SC admin From porpoise1954 at yahoo.co.uk Sun Sep 4 13:59:54 2005 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Sun Sep 4 08:05:03 2005 Subject: [SpamCop-List] Re: spam within spam? References: Message-ID: "Mike Easter" wrote in message news:dfelkf$oig$1@news.spamcop.net... > Porpoise wrote: >> OE can be set to prevent the rendering of pictures and external HTML >> regardless of what other security settings are set/unset. > > No [or I don't understand what you are saying]. IE [not OE] can be set > to prevent the rendering of pictures in all security zones. This would > prevent OE from having IE render the pictures, but it would also disable > all IE picture rendering for all zones, not just restricted. Somehow > there is something wrong with our communication here. Well the determination (as I read it) was of having pictures not load. As there is no way (that I know of) of determining in advance which pictures are OK to render and which aren't, that automatically led me to assume that we would be talking about preventing *all* pictures from loading/being got (getted?). If what you're wanting to happen is that *all* pictures except the ones from sites in the trusted zone should not load and that the ones from sites in trusted zone can, well that's a different kettle of fish - for which (at this time) I have no answer. > >>> OE6 can be configured to read all messages in plaintext, thus >>> deterring html rendering altogether, and in the security section can >>> be configured to not open attachments. >> >> Not necessary if picture rendering and external HTML rendering is >> disabled. > > I'm assuming you are describing picture rendering in IE/ Tools/ Internet > Options/ Advanced tab/ Multimedia section - uncheck show pictures. > There isn't a 'picture showing' configuration section in OE, except for > not opening attachments. I beg to differ Mike. 
There *is* a setting in OE for preventing picture loading (and external content in HTML) which is completely autonomous to and independent of any IE settings. Under the 'Tools/Security' tab, there is a checkbox "Block images and other external content in HTML email". > I want us to be careful about not 'smearing' OE/IE configuration > together, even tho' they are married, the configurations are done one > place or another. We configure OE including which security setting of > IE to use. Not necessarily - see above. > We configure IE, including in the advanced section which > affects all IE function, not just that for OE's restricted zone. The issue above covers OE - independently of whatever might be configured for IE. From MikeE at ster.invalid Sun Sep 4 06:13:09 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Sep 4 08:15:02 2005 Subject: [SpamCop-List] Re: spam within spam? References: Message-ID: Porpoise wrote: >> I'm assuming you are describing picture rendering in IE/ Tools/ >> Internet Options/ Advanced tab/ Multimedia section - uncheck show >> pictures. There isn't a 'picture showing' configuration section in >> OE, except for not opening attachments. > > I beg to differ Mike. There *is* a setting in OE for preventing > picture loading (and external content in HTML) which is completely > autonomous to and independent of any IE settings. Under the > 'Tools/Security' tab, there is a checkbox "Block images and other > external content in HTML email". For my OE, it sez in OE/ Tools/ Options/ Security tab Virus Protection Select the Internet Explorer security zone to use Internet zone Restricted sites zone Warn me when other applications try to send mail as me Do not allow attachments to be saved or opened that could potentially be a virus Secure Mail Encrypting and Digitally signing I'm driving OE 6.00.2800.1123 - I'm Win98 not XP, I can't do anything with XP-SP2, which affects OE.
You are 6.00.2900.2670 >> I want us to be careful about not 'smearing' OE/IE configuration >> together, even tho' they are married, the configurations are done one >> place or another. We configure OE including which security setting >> of IE to use. > > Not necessarily - see above. Perhaps you have some options which I don't have. >> We configure IE, including in the advanced section which >> affects all IE function, not just that for OE's restricted zone. > > The issue above covers OE - independently of whatever might be > configured for IE. Only if it is present in the version. -- Mike Easter kibitzer, not SC admin From porpoise1954 at yahoo.co.uk Sun Sep 4 14:20:15 2005 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Sun Sep 4 08:25:02 2005 Subject: [SpamCop-List] Re: spam within spam? References: Message-ID: "Mike Easter" wrote in message news:dfemm6$p70$1@news.spamcop.net... > One does not start down the road to becoming an advanced reporter by > opening spam. One starts down that road by *NOT* opening spam, but > instead by examining message sources. And learning how to handle spam > securely. And securing one's browser or using other tools. I agree entirely with most of what you said there (and in the other posts) Mike, but maybe we're not quite discussing the same thing here. What I was spouting about was the how/why/what of determining what *is/isn't* spam, in the first place and the inadequacy of spam filters. Because what's spam to you, isn't necessarily spam to me - and vice versa...... From MikeE at ster.invalid Sun Sep 4 06:29:54 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Sep 4 08:30:03 2005 Subject: [SpamCop-List] Re: spam within spam? References: Message-ID: Porpoise wrote: > "Mike Easter" >> One does not start down the road to becoming an advanced reporter by >> opening spam.
That was my 'summary' about accusing some generic spamreporters of being spamreaders in the beginning of this thread while I was asking questions about why and how JG was opening his spam because he was asking about the results or content of reading it. > I agree entirely with most of what you said there (and in the other > posts) Mike, but maybe we're not quite discussing the same thing > here. That is correct. You and I are 'arguing'/debating about the facility of /your/ spamfilter to keep from putting some of your wanted mail into your junk/spam folder and how to deal with that. I don't have that problem with my spam filter, but my spamfiltering is easier than someone else's. But, just because it is easier doesn't mean that I have any interest in 'difficulty' in getting my goodmail out of my Junk folder. I don't want to be doing that. > What I was spouting about was the how/why/what of determining > what *is/isn't* spam, in the first place and the inadequacy of spam > filters. Because what's spam to you, isn't necessarily spam to me - > and vice versa...... We should start with your picking an item which is a goodmail for you, but which was called spam by your filter. You could put it into the parser, get a tracking url, and cancel the report. Post the tracking url, and I'll see if I can figure out whether or not my filter would have tagged it. Maybe you just need a different filter or to configure yours differently. -- Mike Easter kibitzer, not SC admin From porpoise1954 at yahoo.co.uk Sun Sep 4 15:12:43 2005 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Sun Sep 4 09:15:05 2005 Subject: [SpamCop-List] Re: spam within spam? References: Message-ID: "Mike Easter" wrote in message news:dfencg$po6$1@news.spamcop.net... > Porpoise wrote: >> "Mike Easter" > Bogosity is very important; as is being sourced from proxy/trojans. I > can't imagine that your wanted mail would be being tagged by my spam > filter. 
Each person's spam filter is configured according to the kinds > of mail they get, spam and wanted as well, so the tuning of a filter for > you might be different than its tuning for me. I wasn't really discussing those - if there is bogosity, they *are, unambiguously spam* in my book. What I was talking about are "legitimate" spams where source = spamvertiser etc. but which is still "unsolicited commercial email". > > We are trying to talk about some generic concept here; I'm saying that > maybe it isn't as much of a problem as you think. However, if you are > 'interested in' genuine spam with bogus headerlines and abuse of proxies > on my filter's dnsbl lists and spammishness in the body just because it > is about your interest, then I would fault your choice of supporting > that type of spamming. No that isn't it at all - see above > >>> That >>> tagging also includes the creation of the Xlines. I believe that if >>> one is suspicious that a goodmail has been so tagged as spam that the >>> headers can be inspected to see why it was so tagged; while >>> inspecting the headers, if there are still questions, the message >>> source can be examined. Showing a few examples might be the answer: This was tagged as [SPAM] IS spam (to me) and was flagged and automagically sorted as such but as the bogosity isn't immediately obvious as the subject is in Turkish and the source is Turkey (where we might get legitimate mail from) viewing the headers is necessary, whereupon we automatically take it that anyone who is going to have a username like ain't gonna do business with us, it remains in the spam folder to be dealt with as spam: http://www.spamcop.net/sc?id=z802856318z7031b0939f1bbdc6ce4b272a6e1e12f6z This was tagged as [SPAM] but (whilst it *is* technically spam within the general definition) to me, it is a legitimate business to business enquiry (which cannot be determined from the headers - only the content). These are the ones I was "talking about". 
Whilst most other people may automatically block anything from China, we do business there and it is from this type of email that now we have some of our products manufactured in China (although not this particular company). http://www.spamcop.net/sc?id=z802858825z3b0ae9565f9bb67fb145b6c6d3988feaz This was tagged as [SPAM] and is obviously spam by the subject line and so requires nothing further than reporting/deleting. http://www.spamcop.net/sc?id=z802859840z2b23789c7e556083005ca46e85d54850z This was NOT tagged, but could have legitimately been classified as spam. Hmmm...... which category to put it in????? It *is* spam under the definition, but it is business to business (hmmmm... do we need a new logo???....hmmmmm....) ahhh.... what's all this bogosity in the headers and all this obfuscation in the body??......... http://www.spamcop.net/sc?id=z802860245z905027bd949afeb7e4ff2530ddbe275bz From porpoise1954 at yahoo.co.uk Sun Sep 4 15:19:31 2005 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Sun Sep 4 09:20:03 2005 Subject: [SpamCop-List] Re: spam within spam? References: Message-ID: "Mike Easter" wrote in message news:dfeocm$qeq$1@news.spamcop.net... > > For my OE, it sez in OE/ Tools/ Options/ Security tab > > Virus Protection > Select the Internet Explorer security zone to use > Internet zone > Restricted sites zone > Warn me when other applications try to send mail as me > Do not allow attachments to be saved or opened that could potentially > be a virus > > Secure Mail > Encrypting and Digitally signing > > I'm driving OE 6.00.2800.1123 - I'm Win98 not XP, I can't do anything > with XP-SP2, which affects OE. > > You are 6.00.2900.2670 Aha... therein lies the difference - in "my" version of OE there is a separate checkbox for that called "Download Images" > > Perhaps you have some options which I don't have. Yes. Apparently so.... Perhaps that's all part of keeping software up-to-date ;-) and with all the latest security updates/patches.......
From porpoise1954 at yahoo.co.uk Sun Sep 4 15:24:56 2005 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Sun Sep 4 09:30:04 2005 Subject: [SpamCop-List] Re: spam within spam? References: Message-ID: "Mike Easter" wrote in message news:dfepc2$r3p$1@news.spamcop.net... > Porpoise wrote: >> "Mike Easter" > > >> What I was spouting about was the how/why/what of determining >> what *is/isn't* spam, in the first place and the inadequacy of spam >> filters. Because what's spam to you, isn't necessarily spam to me - >> and vice versa...... > > We should start with your picking an item which is a goodmail for you, > but which was called spam by your filter. You could put it into the > parser, get a tracking url, and cancel the report. Post the tracking > url, and I'll see if I can figure out whether or not my filter would > have tagged it. Done in separate post Mike. > > Maybe you just need a different filter or to configure yours > differently. Possibly, but I can't even imagine how I would determine "rule-wise" (as opposed to what my eyes/brain can determine easily) what to put in it to cover that one. From MikeE at ster.invalid Sun Sep 4 07:44:34 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Sep 4 09:45:03 2005 Subject: [SpamCop-List] Re: spam within spam? References: Message-ID: Porpoise wrote: > "Mike Easter" >> I'm driving OE 6.00.2800.1123 - I'm Win98 not XP, I can't do anything >> with XP-SP2, which affects OE. >> >> You are 6.00.2900.2670 > > Aha...
therein lies the difference - in "my" version of OE there is a > separate checkbox for that called "Download Images" I found a picture of yours http://www.microsoft.com/windowsxp/images/expertzone/columns/bowman/oesecurity.jpg it has the extra section in the middle called "Block images and other external content in html mail" The article which discusses it is here http://www.microsoft.com/windowsxp/using/security/expert/bowman_introtosp2.mspx > Perhaps that's all part of keeping software up-to-date ;-) and > with all the latest security updates/patches....... Except that that particular up-to-date-ness involves XP, and MS and I got a divorce about that time. I decided that my upgrade path after 98se was going to be Linux, unless I could find a really good deal on W2K. That is, my upgrade was going to be linux in any case, but that I was willing to spend a very little time or money on 2K, but not XP. That deal hasn't yet come along. I refuse to pay the MS tax just to buy new hardware any more, and fortunately you don't usually have to do that anymore. Dell is holding out, but I can usually beat their deals if I shop long enough. Well, Dell sells MS-less hardware, but they never make any real good deals on it like they do their MS ware. Very strange how that works. Like the fix is in between MS & Dell. There oughta be a law of some kind or another -- it isn't just 'business' when the collusion between the bid'ness men becomes unfair practices. -- Mike Easter kibitzer, not SC admin From porpoise1954 at yahoo.co.uk Sun Sep 4 16:00:36 2005 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Sun Sep 4 10:05:03 2005 Subject: [SpamCop-List] Re: spam within spam? References: Message-ID: "Mike Easter" wrote in message news:dfeto3$ts4$1@news.spamcop.net... > > I refuse to pay the MS tax just to buy new hardware any more, and > fortunately you don't usually have to do that anymore. Dell is holding > out, but I can usually beat their deals if I shop long enough.
Well, > Dell sells MS-less hardware, but they never make any real good deals on > it like they do their MS ware. Very strange how that works. Like the > fix is in between MS & Dell. There oughta be a law of some kind or > another -- it isn't just 'business' when the collusion between the > bid'ness men becomes unfair practices. I suspect it's because Linux still doesn't drive everything that M$ does. So they have to use different components that will work with Linux. But I know where you're coming from. I have a dual-boot system with W2K/Mandrake but I still have to keep booting into W2K for certain functions. I still live in hope though. Same as I live in hope that, one day, governments will outlaw all this regionalisation crap in what is *supposed* to be a free market global economy - I should be free to buy my DVDs from wherever I want and play them on whatever machine I want. From MikeE at ster.invalid Sun Sep 4 08:03:37 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Sep 4 10:05:11 2005 Subject: [SpamCop-List] Re: spam within spam? References: Message-ID: Porpoise wrote: > This was tagged as [SPAM] but (whilst it *is* technically spam within > the general definition) to me, it is a legitimate business to > business enquiry (which cannot be determined from the headers - only > the content). These are the ones I was "talking about". Whilst most > other people may automatically block anything from China, we do > business there and it is from this type of email that now we have > some of our products manufactured in China (although not this > particular company). www.spamcop.net/sc?id=z802858825z3b0ae9565f9bb67fb145b6c6d3988feaz My own filters would tag a .cn mail as spam, but if I were getting wanted .cn mail, I would remove that criterion for tagging. That IP is also on sorbs dubl, which is a bit of a problem. My filter wouldn't tag it because of that, but it is problematic when you are receiving mail direct to mx from a dynamic IP. 
That is strange behavior -- either the IP is misclassified by sorbs or the sender is behaving strangely by not using hir provider's smtp server. According to the information at senderbase, that IP is one of 8 IPs with a 'significant' output in the /24, but it is hard to tell if it is supposed to be an output server because the provider's netblock is quite large, and the /16 has very many IPs with an output which is similar. From a human point of view, if I take out the .cn business, then I see spammishness and no bogosity. So, what I see is a straightup unsolicited [presumably] item which is clearly an html marketing missive. However, it doesn't have spammish html which would trigger my body plugin. Unfortunately my filter doesn't allow me to feed it the item, but I think if I took cn off the criterion it wouldn't be tagged. So, I'm saying my filter amended to allow .cn sourcing to be untagged, wouldn't tag that just because it was html. Someone else's filter might because it came direct to mx from a dynamic IP. -- Mike Easter kibitzer, not SC admin From not at home.today Sun Sep 4 16:05:46 2005 From: not at home.today (Ant) Date: Sun Sep 4 10:10:03 2005 Subject: [SpamCop-List] Re: spam within spam? References: Message-ID: "JG" wrote: > On 9/3/2005 6:45 PM Ant scribbled: >> spams can contain web beacons which signal to the >> spammer that you opened the mail if you are online at the time. > > I could google it, but might you supply a link to an explanation of this? I see that "web bug", which is the informal name, has been described. >> To answer your original question; spammers obfuscate to get around >> filters, and try to mislead as to the true source of the mail. > > Yes, I know that - the use of ebay /embedded/ was, to me, unique. I've seen all sorts of random text in spam, including what looked like quoted material from another email or newsgroup post in your example. 
>> Of course we (ObTinw) say spammers are stupid, and this item, having a >> different plain-text and html part, is an obvious indicator of spam. > > Thanks, we knew that from the beginning. Did we? Who are we? Was that a royal "we"? That's the point of using TINW (There Is No We). It implies "we" are individual posters in a newsgroup. We speak for ourselves, rather than as an organized group with a consensus of opinion. Using TINW shows others that one understands this, although here I think you meant to say "I". > What's obtinw? It's traditional in some groups like NANAE (news.admin.net-abuse.email) and here to use TINW, TINU, etc. when using words like "we" and "us" that refer to the community (of spam fighters in this case) as a whole. See also TINLC (Lumber Cartel). If you don't put TINW, or similar, some smartarse will likely flame you for assuming they think the same way as you. My using "Ob" as a prefix recognises that this has become practically obligatory. i.e., I am obliged to use it even though I may not think it absolutely necessary. The usage of Ob[whatever] is also common practice in some groups. From MikeE at ster.invalid Sun Sep 4 08:15:55 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Sep 4 10:20:03 2005 Subject: [SpamCop-List] Re: spam within spam? References: Message-ID: Porpoise wrote: > This was NOT tagged, but could have legitimately been classified as > spam. Hmmm...... which category to put it in????? It *is* spam under > the definition, but it is business to business (hmmmm... do we need a > new logo???....hmmmmm....) ahhh.... what's all this bogosity in the > headers and all this obfuscation in the body??......... www.spamcop.net/sc?id=z802860245z905027bd949afeb7e4ff2530ddbe275bz My filter would've tagged that as spam all over the place. The 'top' from IP [which is actually the source] is listed in numerous db/s which I use, especially cbl which causes sbl-xbl. 
I can't tell whether or not the content of the html would've contributed anything in my filtering. From a human point of view I see 'targetted' email marketing and I can't be certain of how much bogosity there was in the headers because the MX for incredible-mail.com which is localhost.fabulous.com has become 127.0.0.1, which is the way some providers squash; but the item is over 2 days old, so something could've happened as a result of the 'marketing' mailing. From a reporting point of view I would certainly report it. From a filtering point of view it would've been tagged by my system, so that is all working as it should. So, compared with your filter, mine wouldn't have let it be a false negative. So far, if I removed .cn, my filter is doing better than your filter by eliminating a false positive and a false negative. -- Mike Easter kibitzer, not SC admin From not at home.today Sun Sep 4 16:18:37 2005 From: not at home.today (Ant) Date: Sun Sep 4 10:20:09 2005 Subject: [SpamCop-List] Re: New bulletproof hosting, uk.geocities References: Message-ID: "Redstone" wrote: > "Berny" wrote: >> Hoops!!, now for several weeks the jerks at uk.geocities have had their >> thumbs up their bums while they play whack a mole with a 2 day reaction >> time. > > That's about average. However, the particular Geocities spammer stopped > spamming since I was being tenacious enough to report EACH and every link. You must be lucky, or listwashed. I'm still getting GeoShitties spam. From MikeE at ster.invalid Sun Sep 4 08:28:18 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Sep 4 10:30:03 2005 Subject: [SpamCop-List] Re: spam within spam? 
References: Message-ID: Porpoise wrote: > This was tagged as [SPAM] IS spam (to me) and was flagged and > automagically sorted as such but as the bogosity isn't immediately > obvious as the subject is in Turkish and the source is Turkey (where > we might get legitimate mail from) viewing the headers is necessary, > whereupon we automatically take it that anyone who is going to have a > username like ain't gonna do business with us, it > remains in the spam folder to be dealt with as spam: www.spamcop.net/sc?id=z802856318z7031b0939f1bbdc6ce4b272a6e1e12f6z That IP isn't on the dnsbl/s I use, I don't have a .tr source filter working, I can't tell if anything in the body would've triggered my body scoring, so it is possible that my filter could have leaked that thru' -- but my eyeballs would call it spam in my inbox, so I would manually move it. So, that might've been a false negative for me. > This was tagged as [SPAM] and is obviously spam by the subject line > and so requires nothing further than reporting/deleting. www.spamcop.net/sc?id=z802859840z2b23789c7e556083005ca46e85d54850z That would be tagged by mine based on the cbl ie sbl-xbl IP, and I can't tell about the body. So, of the 4, it looks like my filter would perform more satisfactorily on those, because I would rather have a little leak than having any false positives. If I were tuning it for your mail, I would remove the .cn filter if you get wanted mail from there. If I were turning my own filter differently on the basis of the false negative seen here, I would add .tr to my country list, since I don't have any need for .tr mail. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sun Sep 4 08:38:35 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Sep 4 10:40:02 2005 Subject: [SpamCop-List] Re: spam within spam? References: Message-ID: Porpoise wrote: > Showing a few examples might be the answer: What does this scoring mean? X-Spam-Level: 7/5 What does the top/bottom mean? 
How are they derived? What is this filter? How can you configure it? Does it use dnsbl/s? -- Mike Easter kibitzer, not SC admin From porpoise1954 at yahoo.co.uk Sun Sep 4 16:40:23 2005 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Sun Sep 4 10:45:02 2005 Subject: [SpamCop-List] Re: spam within spam? References: Message-ID: "Mike Easter" wrote in message news:dfevis$vdj$1@news.spamcop.net... > My filter would've tagged that as spam all over the place. The 'top' > from IP [which is actually the source] is listed in numerous db/s which > I use, especially cbl which causes sbl-xbl. I can't tell whether or not > the content of the html would've contributed anything in my filtering. > From a human point of view I see 'targetted' email marketing and I can't > be certain of how much bogosity there was in the headers because the MX > for incredible-mail.com which is localhost.fabulous.com has become > 127.0.0.1, which is the way some providers squash; but the item is over > 2 days old, so something could've happened as a result of the > 'marketing' mailing. I just grabbed them at random from my "spam" folder. They are all days old. It probably wasn't the best example I could have found if I had spent more time searching. > > From a reporting point of view I would certainly report it. From a > filtering point of view it would've been tagged by my system, so that is > all working as it should. So, compared with your filter, mine wouldn't > have let it be a false negative. > > So far, if I removed .cn, my filter is doing better than your filter by > eliminating a false positive and a false negative. I think we're going somewhat obliquely here. 
I wasn't saying that filters are useless - more, I was saying that they are not capable of handling situations where, for example using the false-positive example: **************************** Return-Path: Delivery-Date: Wed, 31 Aug 2005 03:03:38 +0200 Received: from [219.136.87.253] (helo=max-po.com) by mxeu9.kundenserver.de with ESMTP (Nemesis), id 0MKt64-1EAH0R20kY-0001NV for x; Wed, 31 Aug 2005 03:03:11 +0200 Message-ID: <2005_______________________9D03@max-po.com> From: star06@max-po.com To: x Subject: [SPAM] Waterproof Safety Jacket Date: 31 Aug 2005 09:03:13 +0800 MIME-Version: 1.0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Envelope-To: x X-Spam-Flag: Yes X-Spam-Level: 7/5 **************************** That was a false-positive to us only because of the fact it (the product - Waterproof Safety Jacket) is related to our line of business - which wouldn't be apparent in the headers (other than the subject line [which could have been crap]). However, had it been related to, say, washing machines, then it wouldn't have been a false-positive (to us). But that couldn't have been covered by filtering on the headers (AFAICS). What would you apply the filter to? You can't use the subject (unless you can think of every possible subject line that might be related to the business in some way). 
So, had it been: **************************** Return-Path: Delivery-Date: Wed, 31 Aug 2005 03:03:38 +0200 Received: from [219.136.87.253] (helo=max-po.com) by mxeu9.kundenserver.de with ESMTP (Nemesis), id 0MKt64-1EAH0R20kY-0001NV for x; Wed, 31 Aug 2005 03:03:11 +0200 Message-ID: <2005_______________________9D03@max-po.com> From: star06@max-po.com To: x Subject: [SPAM] Washing Machine /or/ Hiking Jackets /or/ non-slip decking for boats /or/ Hydrophone /etc/ Date: 31 Aug 2005 09:03:13 +0800 MIME-Version: 1.0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Envelope-To: x X-Spam-Flag: Yes X-Spam-Level: 7/5 ****************************** It wouldn't have been a false positive. Show me how a filter would cover that.............. (when only the product is the determining factor). From porpoise1954 at yahoo.co.uk Sun Sep 4 16:55:04 2005 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Sun Sep 4 11:00:02 2005 Subject: [SpamCop-List] Re: spam within spam? References: Message-ID: "Mike Easter" wrote in message news:dff0a2$vri$1@news.spamcop.net... > Porpoise wrote: > >> This was tagged as [SPAM] IS spam (to me) and was flagged and >> automagically sorted as such but as the bogosity isn't immediately >> obvious as the subject is in Turkish and the source is Turkey (where >> we might get legitimate mail from) viewing the headers is necessary, >> whereupon we automatically take it that anyone who is going to have a >> username like ain't gonna do business with us, it >> remains in the spam folder to be dealt with as spam: > www.spamcop.net/sc?id=z802856318z7031b0939f1bbdc6ce4b272a6e1e12f6z > > That IP isn't on the dnsbl/s I use, I don't have a .tr source filter > working, I can't tell if anything in the body would've triggered my body > scoring, so it is possible that my filter could have leaked that > thru' -- but my eyeballs would call it spam in my inbox, so I would > manually move it. 
So, that might've been a false negative for me. Which highlights some of the flaws with filtering - no foolproof method of filtering has been yet devised. Which is what I was originally pointing out. Because there is no way of feeding the filter with the data contained within your brain to subjectively determine what is or isn't spam (to you). Particularly when you don't know what you might or might not end up adding to your product line through opportunities appearing in your received marketing emails. > >> This was tagged as [SPAM] and is obviously spam by the subject line >> and so requires nothing further than reporting/deleting. > > www.spamcop.net/sc?id=z802859840z2b23789c7e556083005ca46e85d54850z > > That would be tagged by mine based on the cbl ie sbl-xbl IP, and I can't > tell about the body. > > So, of the 4, it looks like my filter would perform more satisfactorily > on those, because I would rather have a little leak than having any > false positives. If I were tuning it for your mail, I would remove the > .cn filter if you get wanted mail from there. If I were turning my own > filter differently on the basis of the false negative seen here, I would > add .tr to my country list, since I don't have any need for .tr mail. Whereas, there isn't any country that we don't want to receive email from, because we don't want to lose any business opportunities and we have customers all over the world. There have also been occasions when we've had false positives from existing, established customers who have changed mail providers/used webmail while in a different country and are, therefore, not in our address book under that address (and thereby white-listed). Whilst I might be able to generally improve on some of the filtering to some extent (along the lines of what you have put forth), it still wouldn't cope with the example I was trying to get across. 
Where we have hundreds of product lines, and potentially hundreds more that we don't know what they are yet we can't easily use that as filtering criteria. From MikeE at ster.invalid Sun Sep 4 09:04:14 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Sep 4 11:05:02 2005 Subject: [SpamCop-List] Re: spam within spam? References: Message-ID: Porpoise wrote: > "Dave Lerner" >> In Thunderbird, even if you allow HTML to be rendered, you can block >> remote image links, which prevents the above from happening. >> >> I don't recall if OE provides similar protection, without disabling >> HTML rendering completely. > > Yes it does. So does IE. Now that I'm straightened out on this, in Win XP-SP2, OE 6.00.2900.2670 has a section in OE/ Tools/ Options - Security tab which permits configuring 'Block images and other external content in html mail" which didn't exist in earlier versions of OE6. That feature isn't available without XP-SP2, so it isn't available on Win versions prior to XP. A number of other features of OE are also affected by XP-SP2, including eliminating the chronic 'begin' bug of seeing an attachment where none exists. -- Mike Easter kibitzer, not SC admin From porpoise1954 at yahoo.co.uk Sun Sep 4 17:04:05 2005 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Sun Sep 4 11:05:10 2005 Subject: [SpamCop-List] Re: spam within spam? References: Message-ID: "Mike Easter" wrote in message news:dff0tb$g8$1@news.spamcop.net... > Porpoise wrote: > >> Showing a few examples might be the answer: > > What does this scoring mean? > > X-Spam-Level: 7/5 God(TM) knows > > What does the top/bottom mean? How are they derived? God(TM) knows > > What is this filter? F-Secure (part of the Firewall, Antivirus, Spamfiltering, Spyware suite) [Used to use BlackIce, Norton, Ad-aware separately, but changed to F-secure when it was A-listed by PC Pro] Prior to that, I never used to bother with filtering (outside of the message rules within OE). > How can you configure it? 
As far as I can see, outside of white-listing or blacklisting email addresses, not very much. There is no obvious way of adjusting how/what dnsbls it uses > Does it use dnsbl/s? Pass... From porpoise1954 at yahoo.co.uk Sun Sep 4 17:08:53 2005 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Sun Sep 4 11:10:03 2005 Subject: [SpamCop-List] Re: spam within spam? References: Message-ID: "Mike Easter" wrote in message news:dff2df$1j1$1@news.spamcop.net... > > Now that I'm straightened out on this, in Win XP-SP2, OE 6.00.2900.2670 > has a section in OE/ Tools/ Options - Security tab which permits > configuring 'Block images and other external content in html mail" which > didn't exist in earlier versions of OE6. > > That feature isn't available without XP-SP2, so it isn't available on > Win versions prior to XP. A number of other features of OE are also > affected by XP-SP2, including eliminating the chronic 'begin' bug of > seeing an attachment where none exists. > Which comes back to using the "latest versions"........... ;-)) From MikeE at ster.invalid Sun Sep 4 09:18:00 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Sep 4 11:20:02 2005 Subject: [SpamCop-List] Re: spam within spam? References: Message-ID: Porpoise wrote: > "Mike Easter" >> My filter would've tagged that as spam all over the place. The 'top' >> from IP [which is actually the source] is listed in numerous db/s >> which I use, especially cbl which causes sbl-xbl. >> From a reporting point of view I would certainly report it. From a >> filtering point of view it would've been tagged by my system, so >> that is all working as it should. So, compared with your filter, >> mine wouldn't have let it be a false negative. >> >> So far, if I removed .cn, my filter is doing better than your filter >> by eliminating a false positive and a false negative. > > I think we're going somewhat obliquely here. I wasn't saying that > filters are useless We aren't going obliquely at all. 
What we are talking about is optimizing a filter for you. I was 'starting with' a filter which is doing just fine for me and talking about how it is already currently better than your filter, and it could be improved over that. We are talking about the problem of your getting wanted mail in your junk/spam folder, which I think is very bad, because it is very nasty to have to muck about in there. It is like throwing away something by accident and having to go dumpster diving for it, as opposed to accidentally having a little bit of trash in the kitchen. Dumpster diving [goodmail in the junk] is much worse than trash in the inbox. > - more, I was saying that they are not capable of > handling situations where, for example using the false-positive > example: > Received: from [219.136.87.253] (helo=max-po.com) > From: star06@max-po.com > Subject: [SPAM] Waterproof Safety Jacket > X-Spam-Flag: Yes > That was a false-positive to us only because of the fact it (the > product - Waterproof Safety Jacket) is related to our line of > business - I understand; but what I'm saying is that the only thing which would've made that item positive to my filter is the .cn business, which tuned for you could be eliminated. So, I'm saying that my filter tuned for you wouldn't have made that a false positive. ... even tho' the item has some 'problems' for some filters. > What would you apply the filter > to? SpamPal's filters incorporate dnsbl/s very effectively, and also use regular expressions like SpamAssassin does on elements of the header and body. You still haven't said what kind of filter you are using -- what its name is, how it configures. > So, > had it been: > Subject: [SPAM] Washing Machine /or/ Hiking Jackets /or/ non-slip > decking for boats /or/ Hydrophone /etc/ > Show me how a filter would > cover that.............. (when only the product is the determining > factor). The subject was immaterial to my filter *not* calling it a false positive. 
I think you are thinking too much about a filter 'reading' or interpreting words. I think maybe you should tinker with SpamPal if your situation would allow you to use a proxy between the server and the mailuser agent. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sun Sep 4 09:28:52 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Sep 4 11:30:02 2005 Subject: [SpamCop-List] Re: spam within spam? References: Message-ID: Porpoise wrote: > "Mike Easter" >> That IP isn't on the dnsbl/s I use, I don't have a .tr source filter >> working, I can't tell if anything in the body would've triggered my >> body scoring, so it is possible that my filter could have leaked that >> thru' -- but my eyeballs would call it spam in my inbox, so I would >> manually move it. So, that might've been a false negative for me. > > Which highlights some of the flaws with filtering - no foolproof > method of filtering has been yet devised. Yabbut. An important element of my argument is that it is very easy to move a spam out of an inbox which has practically no spam in it; whereas it is very nasty to have to dig thru' a great big pile of spam to find goodmail. False negatives are a very very very different problem than false positives. And, also that a spamfilter can be tuned to be better and better. On the basis of these 4 items we are talking about, I would add .tr the country filter to my filtering and I would subtract .cn the country filtering from your filter. > Which is what I was > originally pointing out. We've gone way beyond talking about filters being imperfect. We are talking about the 'smoothness' of handling those imperfections and we are also still talking about minimizing opening or inspecting the interior of spams in order to figure out what they are. When you go mucking in the spam to find the goodmail, there is going to be too much nasty kind of diagnosis. That is not smooth. That is dirty. 
> Because there is no way of feeding the > filter with the data contained within your brain to subjectively > determine what is or isn't spam (to you). I'm not saying you don't get to use your brain anymore. I'm saying we want to make the best use of your eyes and brain. Your brain isn't used wisely if your spamfilter is putting goodmail in the spam; whereas it is much more comfortable moving a little spam out of the inbox. > Particularly when you don't > know what you might or might not end up adding to your product line > through opportunities appearing in your received marketing emails. I understand that unknown wanted mail is a 'problem' from a spamfiltering point of view. It is that unknown which puts the highest demands on the spamfilter tagger. That's why you need a good one and not a tacky one like X-Spam-Level: 7/5 -- What the hell is that? > Whereas, there isn't any country that we don't want to receive email > from, because we don't want to lose any business opportunities and we > have customers all over the world. Okay, fine. Just because country filters are useful to my filtering doesn't mean it is useful to someone else's. My filter would allow someone to choose the .us if they wanted to. > There have also been occasions > when we've had false positives from existing, established customers > who have changed mail providers/used webmail while in a different > country and are, therefore, not in our address book under that > address (and thereby white-listed). The problem of a whitelist not working anymore shouldn't automatically cause something to get tagged as spam. You have to figure out how come it was tagged. I still think there's something funky about your filtering criteria. > Whilst I might be able to generally improve on some of the filtering > to some extent (along the lines of what you have put forth), it still > wouldn't cope with the example I was trying to get across. 
Where we > have hundreds of product lines, and potentially hundreds more that we > don't know what they are yet we can't easily use that as filtering > criteria. You are still thinking about words and such whereas I'm thinking about IP addresses and genuine 'funkiness' in the headers and body. I don't know how to explain it without your seeing it in operation -- which you would have to see on your own spam. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sun Sep 4 09:32:11 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Sep 4 11:35:02 2005 Subject: [SpamCop-List] Re: spam within spam? References: Message-ID: Porpoise wrote: > "Mike Easter" >> Now that I'm straightened out on this, in Win XP-SP2, OE >> 6.00.2900.2670 has a section in OE/ Tools/ Options - Security tab >> which permits configuring 'Block images and other external content >> in html mail" which didn't exist in earlier versions of OE6. >> >> That feature isn't available without XP-SP2, so it isn't available on >> Win versions prior to XP. A number of other features of OE are also >> affected by XP-SP2, including eliminating the chronic 'begin' bug of >> seeing an attachment where none exists. >> > > Which comes back to using the "latest versions"........... ;-)) That version of XP/IE/OE also has some features I don't like very much. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sun Sep 4 09:44:10 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Sep 4 11:45:02 2005 Subject: [SpamCop-List] Re: spam within spam? References: Message-ID: Porpoise wrote: > "Mike Easter" >> What does this scoring mean? >> X-Spam-Level: 7/5 > > God(TM) knows >> What does the top/bottom mean? How are they derived? > > God(TM) knows >> What is this filter? > > F-Secure Well, so far from what I've heard here, I don't think much of it. 
My 'theories' and notions and 'rants' about spamhandling don't work very well if you don't have a seriously decent spamfilter working to separate/tag the spam and goodmail. And if you are getting unknown goodmail instead of just whitelistable goodmail, you *MUST* have a /good/ filter. Especially if you get unknown good from all over the world. > Prior to that, I > never used to bother with filtering (outside of the message rules > within OE). I can see /any/ kind of filter being an improvement over the weakness of OE, but I don't think this one is good enough for what you are talking about. >> How can you configure it? > > As far as I can see, outside of white-listing or blacklisting email > addresses, not very much. There is no obvious way of adjusting > how/what dnsbls it uses > >> Does it use dnsbl/s? > > Pass... I'm going to look into this. -- Mike Easter kibitzer, not SC admin From porpoise1954 at yahoo.co.uk Sun Sep 4 17:59:54 2005 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Sun Sep 4 12:05:03 2005 Subject: [SpamCop-List] Re: spam within spam? References: Message-ID: "Mike Easter" wrote in message news:dff378$25l$1@news.spamcop.net... > Porpoise wrote: > > SpamPal's filters incorporate dnsbl/s very effectively, But dnsbl/s block on the basis of where it comes from rather than what's in it (which is the basis of the filter we would need - as I'm sure some of the contacts we have made would have possibly/probably been on dnsbl/s due to their being in China etc.) > and also use > regular expressions like SpamAssassin does on elements of the header and > body. That sounds more a possibility, but I just envisage having to "allow" so many permutations, it would take forever to programme it all in > You still haven't said what kind of filter you are using -- what > its name is, how it configures. 
Covered in another post > >> So, >> had it been: > >> Subject: [SPAM] Washing Machine /or/ Hiking Jackets /or/ non-slip >> decking for boats /or/ Hydrophone /etc/ > >> Show me how a filter would >> cover that.............. (when only the product is the determining >> factor). > > The subject was immaterial to my filter *not* calling it a false > positive. > > I think you are thinking too much about a filter 'reading' or > interpreting words. I think maybe you should tinker with SpamPal if > your situation would allow you to use a proxy between the server and the > mailuser agent. Hmm..... Not sure how I would achieve that on a laptop that connects to the internet via routers on work/home networks. I don't think I can install a proxy on either of the routers. From MikeE at ster.invalid Sun Sep 4 10:01:00 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Sep 4 12:05:11 2005 Subject: [SpamCop-List] Re: spam within spam? References: Message-ID: Mike Easter wrote: > Porpoise wrote: >>> What is this filter? >> >> F-Secure > > Well, so far from what I've heard here, I don't think much of it. >>> How can you configure it? >> >> As far as I can see, outside of white-listing or blacklisting email >> addresses, not very much. There is no obvious way of adjusting >> how/what dnsbls it uses >> >>> Does it use dnsbl/s? >> >> Pass... > > I'm going to look into this. However good the virus or other features of f-secure are, it has an extremely cheesy spamfilter. That is practically no filter at all, and its configurability might as well be zero. It has an on/off switch. And wowee you can 'configure' it to 'aggressive, optimal, and relaxed' where you have no idea what any of that is. Who knows if it uses dnsbl/s because the whole thing is just one big white/gray/black box of dysfunctionality. You need a spamfilter. I recommend spampal and turning off f-secure's filter. 
SpamPal will have a little bitty learning curve compared to on/off and high medium low of f-secure - but you will be able to configure it at will. Here's the comparison with similars http://spampal.de/comparison-chart.html and here's the home page http://www.spampal.org/ -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sun Sep 4 10:11:06 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Sep 4 12:15:03 2005 Subject: [SpamCop-List] Re: spam within spam? References: Message-ID: Porpoise wrote: > "Mike Easter" >> SpamPal's filters incorporate dnsbl/s very effectively, > > But dnsbl/s block on the basis of where it comes from rather than > what's in it Don't get down on dnsbl/s too hastily. You can configure your choice of dnsbl/s very very conservatively if you like. You might choose to not include spamcop's because occasionally some IP might get in there you don't want tagged. Why you should be receiving spam from proxified spamsource IPs I can't imagine. > (which is the basis of the filter we would need - as I'm > sure some of the contacts we have made would have possibly/probably > been on dnsbl/s due to their being in China etc.) Just because you are in .cn doesn't put you on anything but a country list. If you aren't using countries, .cn IPs are shaped like everyone else's. >> and also use >> regular expressions like SpamAssassin does on elements of the header >> and body. > > That sounds more a possibility, but I just envisage having to "allow" > so many permutations, it would take forever to programme it all in Oog. Learning how to manufacture your own regex/s is a wonderful education, but I would just as soon use someone else's and just evaluate them or drop them for my own purposes. >> I think maybe you should tinker with SpamPal if >> your situation would allow you to use a proxy between the server and >> the mailuser agent. > > Hmm..... 
> Not sure how I would achieve that on a laptop that connects
> to the internet via routers on work/home networks. I don't think I
> can install a proxy on either of the routers.

It isn't exactly that kind of proxy. I have a router. What goes on is that SpamPal is pointed at the mailserver just like your OE or other mailagent is right now. Then, your OE is pointed at spampal instead of the mailserver. So, when you tell OE to get the mail, it tells spampal to get the mail and spampal tells the server to give me the mail. Then, all of the mail comes thru' spampal on the way to your inbox. SpamPal filters it with its brilliant filters, headers and body, of your many options to choose how, and on the basis of those filters it tags the spams in the subject for most people, and then OE identifies that subject tag and puts it into the junk/spam folder.

The concept is very simple and it works well because of how many ways you can configure. Whitelists, blacklists, countries, dnsbls, regex/s, urlbody plugins, etc. Point and click whatever you like. Easy. Piece o' pie.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Sun Sep 4 10:25:50 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Sep 4 12:30:03 2005
Subject: [SpamCop-List] Re: spam within spam?
References:
Message-ID:

Mike Easter wrote:
> SpamPal filters it with its brilliant filters, headers and body, of
> your many options to choose how,

An alternative to SP is to become a SpamCop mail client. SC works similarly to SP because it uses dnsbl/s and SA SpamAssassin's regex/s and other tools and is significantly configurable.

--
Mike Easter
kibitzer, not SC admin

From JG at coks.net Sun Sep 4 11:08:18 2005
From: JG at coks.net (JG)
Date: Sun Sep 4 13:10:04 2005
Subject: [SpamCop-List] Re: spam within spam?
In-Reply-To:
References:
Message-ID:

On 9/4/2005 2:17 AM Mike Easter scribbled:
> JG wrote:
>
>
>>Subject: Your dreams come true today
>
>
> I don't see why you felt that you had to paste in a spambody here to
> show that b64 encoded gif/s [or b64 encoded anything else] need to be
> b64 decoded and displayed before they can be read.
>
> But, even tho' you took up a lot of room posting that here, that posting
> wasn't as informative about the item as it would have been to post the
> tracker. In fact, if you had posted the tracker it would have been
> easier to see what the item was.
>

I'm not going to bother to go back & look, but I thought I had posted the tracker in the beginning. I posted the b64 just as a demo of what I can't tell from looking at source alone, that's all. I am sorry to have put you through the exercise of futzing with it - that was not the intent. And thank you for the opportunity to rant - my own ignorance on these matters can be frustrating - I just wish I had stayed in computers years ago but card decks and poking holes in them was pretty boring at the time.

From MikeE at ster.invalid Sun Sep 4 11:31:58 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Sep 4 13:35:03 2005
Subject: [SpamCop-List] Re: spam within spam?
References:
Message-ID:

JG wrote:
> I'm not going to bother to go back & look, but I thought I had posted
> the tracker in the beginning.

In the beginning you posted a tracker to the Subject: Let us help with dialup with no gif, just different text and html.

> I posted the b64 just as a demo of what I can't tell from looking at
> source alone, that's all.

Yes. The b64 gif demonstrates that problem - as it would have with the tracker instead of the raw source here. And, the b64 gif is also a good 'talking point' for the 'arguments' we were all having together about how to handle spam vis security of configuration for the consideration of opening a spam.
Depending upon how a person was configured to examine or inspect their spam securely, they might not have been able to read the gif even with opening it.

So, that gets into the 'algorithm' of what to do with a spam which you want to report. How should it be examined? How should the mailuser agent be configured? How should the browser which is doing the rendering be configured? When, under what circumstances, and how should a spam be opened? Should it be rendered? Should one be offline? Which browser, which mailuser agent? Which version?

Very complicated subject. I think it would be very difficult to write a faq for it.

That's one of the reasons I would rather tell 'everyone' -- "Don't be opening your spam!" Spam opening is a very complicated subject. WE don't even have a faq for it around here.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Sun Sep 4 11:40:56 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Sep 4 13:45:04 2005
Subject: [SpamCop-List] Re: spam within spam?
References:
Message-ID:

Mike Easter wrote:
> So, that gets into the 'algorithm' of what to do with a spam which you
> want to report. How should it be examined? How should the mailuser
> agent be configured? How should the browser which is doing the
> rendering be configured? When, under what circumstances, and how
> should a spam be opened? Should it be rendered? Should one be
> offline? Which browser, which mailuser agent? Which version?
>
> Very complicated subject. I think it would be very difficult to
> write a faq for it.
>
> That's one of the reasons I would rather tell 'everyone' -- "Don't be
> opening your spam!" Spam opening is a very complicated subject. WE
> don't even have a faq for it around here.

That's not strictly true.
There's a bit of a faq here for secure handling of mail http://forum.spamcop.net/forums/index.php?showtopic=3571

But, that kind of secure handling of mail doesn't get that b64'd gif read, so there could also be some strategies for different methods of dissecting out the b64, decoding it and displaying it without even using the rendering capabilities of the mailuser agent calling the browser in whatever kind of configuration it was in.

In this case I just 'grabbed' the b64 stuff you posted and decoded it with Iceows into a gif and displayed it with IrfanView.

--
Mike Easter
kibitzer, not SC admin

From BNRAGMAOKKXT at spammotel.com Sun Sep 4 18:43:36 2005
From: BNRAGMAOKKXT at spammotel.com (Canopus)
Date: Sun Sep 4 13:45:12 2005
Subject: [SpamCop-List] NTL - Spam Submission Problems?
Message-ID:

Is anyone with an Ntlworld account having problems submitting spam by mail since they implemented their spam filtering? I've altered the spam preferences so that anything like spam is being delivered to my Inbox, but, I'm wondering if they are also filtering outgoing mail and are catching submissions I've sent to SpamCop thinking that they are spam. I'm getting a 30% return if I'm lucky at present.

Rob

From porpoise1954 at yahoo.co.uk Sun Sep 4 19:49:07 2005
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Sun Sep 4 13:50:03 2005
Subject: [SpamCop-List] Re: spam within spam?
References:
Message-ID:

"Mike Easter" wrote in message news:dff4oa$35u$1@news.spamcop.net...
> Porpoise wrote:
>> "Mike Easter"
>
>>> What is this filter?
>>
>> F-Secure
>
> Well, so far from what I've heard here, I don't think much of it. My
> 'theories' and notions and 'rants' about spamhandling don't work very
> well if you don't have a seriously decent spamfilter working to
> separate/tag the spam and goodmail. And if you are getting unknown
> goodmail instead of just whitelistable goodmail, you *MUST* have a
> /good/ filter. Especially if you get unknown good from all over the
> world.
>
>> Prior to that, I
>> never used to bother with filtering (outside of the message rules
>> within OE).
>
> I can see /any/ kind of filter being an improvement over the weakness of
> OE, but I don't think this one is good enough for what you are talking
> about.
>
>>> How can you configure it?
>>
>> As far as I can see, outside of white-listing or blacklisting email
>> addresses, not very much. There is no obvious way of adjusting
>> how/what dnsbls it uses
>>
>>> Does it use dnsbl/s?
>>
>> Pass...
>
> I'm going to look into this.

Digging into the system files, it appears it uses SpamAssassin as its basis, but there is no access to it through the UI - only through the "local.cf" file........

From nobody at spamcop.net Sun Sep 4 20:27:56 2005
From: nobody at spamcop.net (TimeLord)
Date: Sun Sep 4 14:30:03 2005
Subject: [SpamCop-List] Re: NTL - Spam Submission Problems?
References:
Message-ID:

"Canopus" wrote in message news:dffbo8$7em$1@news.spamcop.net...
>Is anyone with an Ntlworld account having problems submitting spam by mail
>since they implemented their spam filtering? I've altered the spam
>preferences so that anything like spam is being delivered to my Inbox, but,
>I'm wondering if they are also filtering outgoing mail and are catching
>submissions I've sent to SpamCop thinking that they are spam. I'm getting
>a 30% return if I'm lucky at present.

Yes - I've come to the conclusion they are - nothing sent through my NTL mail account has reached spamcop this week, with the exception of one test mail with no attachments. I'm using other accounts to submit for now.

Kev

From MikeE at ster.invalid Sun Sep 4 13:06:24 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Sep 4 15:10:04 2005
Subject: [SpamCop-List] Re: spam within spam?
References:
Message-ID:

Porpoise wrote:
> Digging into the system files, it appears it uses SpamAssassin as its
> basis, but there is no access to it through the UI - only through the
> "local.cf" file........
Well, I don't use SA, but I see that local.cf is a SA file. So, you are just looking at the folder/directory structure inside the f-secure program files? or where did you find that out?

SA is good. Lack of configurability is bad. Being able to compensate for lack of configurability with a /n/x type text .cf file would be good. I tried searching on the combo f-secure and local.cf and I didn't find anything much.

--
Mike Easter
kibitzer, not SC admin

From JG at coks.net Sun Sep 4 13:24:25 2005
From: JG at coks.net (JG)
Date: Sun Sep 4 15:25:02 2005
Subject: [SpamCop-List] Re: spam within spam?
In-Reply-To:
References:
Message-ID:

On 9/4/2005 10:40 AM Mike Easter scribbled:
>
> But, that kind of secure handling of mail doesn't get that b64'd gif
> read, so there could also be some strategies for different methods of
> dissecting out the b64, decoding it and displaying it without even using
> the rendering capabilities of the mailuser agent calling the browser in
> whatever kind of configuration it was in.

Along those lines, why aren't you using Mozilla open source s/w rather than OE/IE? Given all your insecurities on spam, no surprise given you are using OE/IE, I would think you'd prefer it...

>
> In this case I just 'grabbed' the b64 stuff you posted and decoded it
> with Iceows into a gif and displayed it with IrfanView.

Thanks for the headsup on Iceows - finding that particular functionality somewhere has been on my todo list for weeks now...

From MikeE at ster.invalid Sun Sep 4 13:40:43 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Sep 4 15:45:03 2005
Subject: [SpamCop-List] Re: spam within spam?
References:
Message-ID:

JG wrote:
> Thanks for the headsup on Iceows - finding that particular
> functionality somewhere has been on my todo list for weeks now...

It is more powerful if you go get arj somewhere http://www.arjsoftware.com and then tell/config iceows where arj is. There are some things it can't do without arj.
--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Sun Sep 4 13:58:23 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Sep 4 16:00:02 2005
Subject: [SpamCop-List] Re: spam within spam?
References:
Message-ID:

JG wrote:
> Mike Easter scribbled:
> Along those lines, why aren't you using Mozilla open source s/w rather
> than OE/IE?

For some of the same reasons I'm using Win98 instead of better alternatives.

> Given all your insecurities on spam, no surprise given you are using
> OE/IE, I would think you'd prefer it...

I've learned how to handle OE/IE securities since the days when they were a lot worse than they are now. Currently my gripes with IE's primitiveness are greater than any gripes with OE, which are actually none. That backwardness or deficiency of IE is what is going to 'drive' me over to mepis/linus rather than just 'hopping' over to firefox on Win.

I spend 99% of my computer time in OE & IE. If I'm going to make some adjustments, I might as well adjust all the way over to a different OS. In fact, I just dl/ed the latest mepis last night and also picked up the free linspire while it was 'hanging out' this weekend because I have a box over there that came with an older linspire installed from a whitebox 'factory' sale - except the whitebox is black.

--
Mike Easter
kibitzer, not SC admin

From redwolfe_98 at nospam.com Sun Sep 4 19:29:40 2005
From: redwolfe_98 at nospam.com (redwolfe_98)
Date: Sun Sep 4 18:30:05 2005
Subject: [SpamCop-List] Slow Processing
Message-ID:

my spam has been being processed slowly, the last couple of days.. it looks like spamcop ate some of the spam from the last batch that i submitted.. :(

From BNRAGMAOKKXT at spammotel.com Mon Sep 5 00:07:19 2005
From: BNRAGMAOKKXT at spammotel.com (Canopus)
Date: Sun Sep 4 19:10:10 2005
Subject: [SpamCop-List] Re: NTL - Spam Submission Problems?
References:
Message-ID:

TimeLord on 04/09/2005 wrote:
> Yes - I've come to the conclusion they are - nothing sent through my NTL mail account has reached spamcop this week, with the exception of one test mail with no attachments. I'm using other accounts to submit for now.

This is what I was beginning to suspect. Am using MailWasher to submit reports and have just figured out how to configure it to use my Yahoo account for submissions, unfortunately, due to the Yahoo advert Yahoo put on the bottom of every mail I have to now make sure I don't report Yahoo due to their link.

Rob

From redwolfe_98 at nospam.com Sun Sep 4 20:27:43 2005
From: redwolfe_98 at nospam.com (redwolfe_98)
Date: Sun Sep 4 19:30:03 2005
Subject: [SpamCop-List] Re: Slow Processing
References:
Message-ID:

update.. the spam that i submitted to spamcop finally "processed", so i was able to report the spam..

From porpoise1954 at yahoo.co.uk Mon Sep 5 01:39:47 2005
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Sun Sep 4 19:45:03 2005
Subject: [SpamCop-List] Re: spam within spam?
References:
Message-ID:

"Mike Easter" wrote in message news:dff5ns$3kr$1@news.spamcop.net...
> Mike Easter wrote:
>
> However good the virus or other features of f-secure are, it has an
> extremely cheesy spamfilter. That is practically no filter at all, and
> its configurability might as well be zero. It has an on/off switch.
> And wowee you can 'configure' it to 'aggressive, optimal, and relaxed'
> where you have no idea what any of that is. Who knows if it uses
> dnsbl/s because the whole thing is just one big white/gray/black box of
> dysfunctionality.

I've discovered it uses SpamAssassin (mentioned in another post) but you have to configure it via the "local.cf" configuration file, as it doesn't give you a GUI to do it with.

From porpoise1954 at yahoo.co.uk Mon Sep 5 01:53:43 2005
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Sun Sep 4 19:55:04 2005
Subject: [SpamCop-List] Re: spam within spam?
References:
Message-ID:

"Mike Easter" wrote in message news:dffgjg$aj0$1@news.spamcop.net...
> Porpoise wrote:
>
>> Digging into the system files, it appears it uses SpamAssassin as its
>> basis, but there is no access to it through the UI - only through the
>> "local.cf" file........
>
> Well, I don't use SA, but I see that local.cf is a SA file. So, you are
> just looking at the folder/directory structure inside the f-secure
> program files? or where did you find that out?
>
> SA is good. Lack of configurability is bad. Being able to compensate
> for lack of configurability with a /n/x type text .cf file would be
> good. I tried searching on the combo f-secure and local.cf and I didn't
> find anything much.

Yes. There is a whole bunch of configuration files but the vast majority of them are ones that get dl-ed with each update and are thereby non-configurable by the user (as they would get over-written at the very next update). Any user configuration must be done in the "local.cf" file, which, at the moment only comprises of:

******************************
# This is the right place to customize your installation of SpamAssassin.
#
# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
# tweaked.
#
###########################################################################
#
# rewrite_header Subject *****SPAM*****
# report_safe 1
# trusted_networks 212.17.35.
# lock_method flock
********************************

BTW, during the digging process, I also discovered that for the Spyware side of things, F-Secure actually uses Ad-Aware (which I already had installed and it (F-secure) seems to have configured itself to use that existing installation.

From MikeE at ster.invalid Sun Sep 4 17:57:24 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Sep 4 20:00:02 2005
Subject: [SpamCop-List] Re: spam within spam?
References:
Message-ID:

Porpoise wrote:
> "Mike Easter"
>> However good the virus or other features of f-secure are, it has an
>> extremely cheesy spamfilter. That is practically no filter at all,
>> and its configurability might as well be zero. It has an on/off
>> switch. And wowee you can 'configure' it to 'aggressive, optimal,
>> and relaxed' where you have no idea what any of that is. Who knows
>> if it uses dnsbl/s because the whole thing is just one big
>> white/gray/black box of dysfunctionality.
>
> I've discovered it uses SpamAssassin (mentioned in another post) but
> you have to configure it via the "local.cf" configuration file, as it
> doesn't give you a GUI to do it with.

When I looked thru' the f-secure docs and around I found nojoy for configuring much anything except on/off & the 3 speeds. Maybe some SA /n/x/ guru who knows how to carve out a local.cf file with hammer and chisel might be of some help. It is hard for me to believe that they're running an SA undercarriage there and giving no configurability or instructions to it. Or even recognition.

Having a SA folder and .cf file and no SA configurable functionality isn't much good, because whatever configuration it is in isn't working so hot.

--
Mike Easter
kibitzer, not SC admin

From porpoise1954 at yahoo.co.uk Mon Sep 5 03:06:47 2005
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Sun Sep 4 21:10:05 2005
Subject: [SpamCop-List] Re: spam within spam?
References:
Message-ID:

"Mike Easter" wrote in message news:dfg1l4$k5k$1@news.spamcop.net...
> Porpoise wrote:
>
> When I looked thru' the f-secure docs and around I found nojoy for
> configuring much anything except on/off & the 3 speeds. Maybe some SA
> /n/x/ guru who knows how to carve out a local.cf file with hammer and
> chisel might be of some help. It is hard for me to believe that they're
> running an SA undercarriage there and giving no configurability or
> instructions to it. Or even recognition.
>
> Having a SA folder and .cf file and no SA configurable functionality
> isn't much good, because whatever configuration it is in isn't working
> so hot.

Well other than the "local.cf" file, all the other *.cf files are standard SA files which have the following headers:

# SpamAssassin xxxx file
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Copyright 2004 Apache Software Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
#
###########################################################################

The only file which is user configurable is the "local.cf". Doing a bit of research on the SA site, this would seem to be the only user configurable file in SA (the others are all configured by SA via SA updates). Although you can download other people's rulesets...... It seems you can make rulesets and call them "anything.cf". You just need to know how to define the rules......

From mwnospam at comcast.net Sun Sep 4 23:16:27 2005
From: mwnospam at comcast.net (spamacyde)
Date: Sun Sep 4 22:20:07 2005
Subject: [SpamCop-List] Re: Att'n. Mike Easter: Scammers Cashing in on Katrina
References:
Message-ID:

I have no problem with Katrina spam being discussed here.

"Robert Taylor" wrote in message news:dfdsn4$a26$1@news.spamcop.net...
> In news:dfdjoc$55m$1@news.spamcop.net,
> Mike Easter sent:
>
> > Robert Taylor wrote:
> >> Mike Easter
> >
> >>> Robert Taylor wrote:
> >>>> According to a pair of
> >>>> exchanges over in another news group, it seems that, despite their
> >>>> best intentions, R. C. may not be handling the matter too well.
> >>>
> >>> I would be interested in seeing that discussion. Where is it?
> >
> >> news.grc.com
> >> group: grc.security
> >> thread: scammers hit web in Katrina's wake
>
> > That method of discussing the issue by describing emails isn't going to
> > work. The whole enchilada needs to be posted, and that's not the right
> > place to do it. There's no point in even discussing the items [at least
> > to me] if it isn't posted in its entirety somewhere -- for example
> > there's a nana [news.admin.net-abuse.*] newsgroup for sightings which is
> > appropriate for posting spams for discussion.
> >
> > So, I'm going to pass on even getting involved in the discussion, unless
> > I were to go over there and tell them that if they are going to discuss
> > spams they should be posting them. But it seems the discussants are
> > people who like to try to describe spams, so I'm staying out.
>
> I understand. Of course, that decision is perforce entirely up to you, and
> I respect it. In citing the above thread, it was not my intention to
> suggest that you join it; I thought perhaps you might choose to do some
> independent investigation, e.g., with information supplied by Red Cross, but
> I see your point regarding the absence of some concrete material in an
> appropriate forum.
>
> Regards,
>
> Robert
>
> --
> eMail: RobertTaylor@SpamCop.net
> Web-Address: http://users.rcn.com/robertt.nh.ultranet/Web-SitePg1.htm
>
>
>

From / at /.cn Mon Sep 5 14:00:44 2005
From: / at /.cn (Petzl)
Date: Sun Sep 4 23:05:12 2005
Subject: [SpamCop-List] Re: New bulletproof hosting, uk.geocities
References:
Message-ID:

"Ant" wrote in message news:dfevo9$vfh$1@news.spamcop.net...
> "Redstone" wrote:
>
>> "Berny" wrote:
>>> Hoops!!, now for several weeks the jerks at uk.geocities have had their
>>> thumbs up their bums while they play whack a mole with a 2 day reaction
>>> time.
>>
>> That's about average. However, the particular Geocities spammer stopped
>> spamming since I was being tenacious enough to report EACH and every
>> link.
>
> You must be lucky, or listwashed. I'm still getting GeoShitties spam.
>

Still getting one a day spamvertised pornsite
using base 64 which confuses SpamCop
I report the link here
http://uk.geocities.yahoo.com/v/alert.html

as the link is spamvertised I mark it illegal activities (sent to children everywhere)
They are still very slow in reacting

Petzl

From bar_n0ne at hotmail.com Mon Sep 5 09:02:58 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Mon Sep 5 00:05:04 2005
Subject: [SpamCop-List] Re: New bulletproof hosting, uk.geocities
References:
Message-ID:

"Petzl" wrote in message news:dfgcd4$sag$1@news.spamcop.net...
>
> SNIP
>
> Still getting one a day spamvertised pornsite
> using base 64 which confuses SpamCop
> I report the link here
> http://uk.geocities.yahoo.com/v/alert.html
>
> as the link is spamvertised I mark it illegal activities (sent to children
> everywhere)
> They are still very slow in reacting
>
> Petzl

Still coming in the guy opens a new geocities account every few minutes,, obviously yahoo has lost the notion of rate limiting.
At least they are occasionally parsing now, and sending yahoo internal handling reports, before they were found but ignored , no matter how often one tried to parse

From nobody at nowhere.invalid Mon Sep 5 09:00:54 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Mon Sep 5 02:05:04 2005
Subject: [SpamCop-List] Re: New bulletproof hosting, uk.geocities
References:
Message-ID:

On Mon, 5 Sep 2005 08:02:58 +0400, Berny coughed into spamcop and left this in :
> Still coming in the guy opens a new geocities account every few minutes,,
> obviously yahoo has lost the notion of rate limiting.

You're assuming they ever had it at all in the first place...

--
Steve

Reporter (to Mahatma Gandhi): "Mr. Gandhi, what do you think of Western civilisation?"
Gandhi: "I think it would be a good idea."

From nobody at xyzzy.claranet.de Mon Sep 5 09:30:18 2005
From: nobody at xyzzy.claranet.de (Frank Ellermann)
Date: Mon Sep 5 02:35:03 2005
Subject: [SpamCop-List] Re: Wow!
References:
Message-ID: <431BE5FA.683@xyzzy.claranet.de>

Don Wannit wrote:
>> Yum, this spam is fresh!
>> Message is -1 hours old
> Now that's fast spam processing!
> :-)

LOL. That's a cool concept, blacklist them before they spew.

From MikeE at ster.invalid Mon Sep 5 04:28:47 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Sep 5 06:30:22 2005
Subject: [SpamCop-List] Re: spam within spam?
References:
Message-ID:

G u y M a c o n wrote:
> Mike Easter wrote:
>
>> I demurred and then you concurred with a 'stalking horse' or strawman
>> argument.
>
> Those are not the same thing.

You are correct that they aren't, but I didn't mean the 'or' usage to indicate that the terms on either side were the same thing.

Dave Lerner wrote:
> Do you really think the people who buy Viagra or low-rate mortgages
> advertised in spam are going to come here and ask technical questions
> about the spam?
Strawman can apply to my rebuttal to Dave's argument, because I'm saying that he is creating an argument for me which I'm not making and then knocking it down.

> Stalking Horse
> A decoy put forward to mislead. Meant to bring to mind a hunter
> concealing himself behind his horse while stalking game.

Another or different rebuttal is that Dave's argument is misleading or spurious - by mischaracterizing my view of JG or other spamreporters who open spam as spam suckers. But I think the stalking horse term was poorly chosen. And definitely not 'equal' to the strawman term, as you say.

> Straw Man
> Attacking an argument which is different from, and usually weaker
> than, what the opposition actually wrote. Meant to bring to mind
> a fighter ignoring his opponent, setting up a dummy filled with
> straw, knocking down the dummy, then claiming victory.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Mon Sep 5 04:41:58 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Sep 5 06:45:02 2005
Subject: [SpamCop-List] Re: Email with no body - claims to be from blade4.cesmail.net
References: <1rte6us7m10ca$.dlg@news.spamcop.net>
Message-ID:

G u y M a c o n wrote:
> I was also torn between the following body text choices:

I think the concept is that a reporter is doing a provider the favor of telling them about an item which was received, namely an empty spam with these headers -- and the reporter doesn't want the report to be misinterpreted.

'Normally' we don't send a copy of evidence which has been modified, except in some way in which the modification is 'apparent' -- such as standard SC mungeing. The business of the abuse desk recipient finding any alteration of the evidence to be an unsatisfactory and unacceptable treatment is part of the issue at hand.

The whole idea is that "This is a true and honest representation of what I received, except where it isn't."
So, you want there to be no 'ambiguity' that the item was an empty spam, or any ambiguity that the address/es have been munged. Those desks who don't want any mungeing of the evidence and find it unacceptable will have to discard or disregard the item -- similarly those desks who don't consider an empty spam to be a spam.

The reporter is doing the favor, the desk gets to decide what they want to do with the information. The reporter's responsibility is to be accurate and to not misrepresent what s/he got. So, the modification should reflect that - openly.

I think 'looks like' something the reporter added to show that the spam was empty. Whereas some kind of 'sneaky' invisible something fabricated isn't as open and communicative.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Mon Sep 5 05:52:33 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Sep 5 07:55:15 2005
Subject: [SpamCop-List] Re: spam within spam?
References:
Message-ID:

G u y M a c o n wrote:
> Mike Easter wrote:
>
>> If you are going to open your spams, I would inspect the message
>> source before I did that, so that you will know how it is
>> constructed before you open it. You will also have to decide if you
>> are going to open the items offline, since you are presumably going
>> to be rendering any html which is inside. Alternatively, if you are
>> sufficiently skilled at reading or interpreting raw unrendered html,
>> you could do your inspections on the unrendered condition.
>
> The above gives the impression that you think that there is always
> something dangerous about rendering the html in a spam. This is
> true for the inexperienced user - especially if he runs a Microsoft
> OS - but it certainly is not universal. My system opens spam with
> an instance of Lynx [ http://en.wikipedia.org/wiki/Lynx_(web_browser)
> ] that my standalone firewall does not allow to connect to the
> Internet. This is much more convenient than reading the HTML source
> and just as safe.
Part of the problem derives from the wishes of the opener to see the spam as the spammer intended it to be seen, so that it is 'simpler' or clearer to understand the thrust of the gig. 'What is it that this spammer is wanting me to do, and why is s/he wanting me to do it?'

If you don't render some spams, you don't know what the 'mission' of the missive is. Openers of spam who want to 'read' and understand the spammer's 'presentation' have a heavier and more difficult responsibility for security than someone who doesn't want to be 'opening' and rendering spam for reading purposes, including the graphics

> As to *why* I might want to open a spam, my reason is to try to figure
> out how it got past my filters and to update my filters to catch it.

Dissecting the headers and interior for purposes of enhancing spamfilters is a lot easier than some of these other ideas and purposes.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Mon Sep 5 05:58:59 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Sep 5 08:00:05 2005
Subject: [SpamCop-List] Re: spam within spam?
References:
Message-ID:

Another commentary aimed at no one in particular.

I think we need to take a more 'analytical' approach to some things rather than acting reflexively. The telephone rings, people think they should answer it. Snailmail comes, people think they should open it. Email comes, people think they should open it, too.

In other circumstances, there is someone 'secretarial' or a machine to answer the 'phone. There's a secretary to dispose of the junk snailmail and process the other mail for approval and disposition.. There's also a 'secretarial' spamfilter to put the spam into the junk folder separate from the goodmail.

Now, what shall we do with the junk?

Quick answer: discard it unread or quicksubmit it to spamcop for spamsource reporting after glancing at its spamfilter xlines for survey purposes.
Long very very complicated answer:
- Figure out some way to look inside it, acting defensively and securely while still peeling away the onion to the little pieces and parts representing a combination of proxy abuse and arrangement with a blackhat website provider.
- Then 'read' or puzzle over what some zany misleading spammer has said and done and wonder a lot about that.
- Then go to the trouble of 'notifying' the completely disinterested blackhat provider.
- Then puzzle over which government agencies to notify, who are entirely ignoring such submissions with the infinitesimally small exception of some overworked and disinterested researcher who has to figure out what to do with organizing the stored digital information.

--
Mike Easter
kibitzer, not SC admin

From nospam at dev.null Mon Sep 5 16:16:12 2005
From: nospam at dev.null (No Spam)
Date: Mon Sep 5 09:20:05 2005
Subject: [SpamCop-List] Re: spam within spam?
In-Reply-To:
References:
Message-ID:

JG wrote:
> On 9/3/2005 6:19 PM Mike Easter scribbled:
>
> In hindsight:
>
> Mike Easter barked:
>
>>
>>>>>If you routinely open your spam and read it, you must have some
>>>>>purpose in mind. What exactly is your intention when you open a
>>>>>spam?
>
>
> Not out of curiosity, I assure you. I ctrl/u for source and see:
>
.... SNIP ...

Ctrl-U is your friend - agreed. In this context I guess I am a "spam browser". Why ...

Now just look what little gem this post has uncovered:
> 3D""

Hello,

does anyone has a statistic with the most common ports used as proxy ports for sending SPAM?

thanks,
Diogo Corteletti

From MikeE at ster.invalid Mon Sep 5 09:36:24 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Sep 5 11:40:02 2005
Subject: [SpamCop-List] Re: spam within spam?
References:
Message-ID:

No Spam wrote:

> Anyway: Moral of the story -
> There are many ways to combat spam. Spamcop reports is great, but not
> the only way. Like a disease, a combination of complimentary
> (non-spam) drugs may be required to curb it ...

I agree that there are many ways to fight spam.

I would like to see 'conversions'. I would like to see some of the multitudes of sometime spam openers and spam respondents to be 'converted' to multitudes of spamfiltered always deleters who are pledged to never aid a spammer.

I would like to see some of those spamfiltered deleters converted to quick spamcop reporters. I would like to see some quick spamcop reporters converted to regular reporters and more advanced spamfighters, whichever kind of more advanced spamfighting appeals to them.

And each step or conversion along the way involves spamfiltering and spamhandling which should be done wisely.

Part of the 'joy' of spamfighting is to find the facets or the sport or competition which trip your own trigger.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Mon Sep 5 09:49:30 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Sep 5 11:50:03 2005
Subject: [SpamCop-List] Re: Statistics
References:
Message-ID:

Diogo Corteletti de Oliveira wrote:

> does anyone has a statistic with the most common ports used as proxy
> ports for sending SPAM?

Once upon a time the popular ports were things like 23, 80, 81, 1080, 3128, 8080, and 8081 for socks & http, but things have gotten a lot more complicated. Nowadays the world is full of infected trojans who might be anything.

Common port testers still typically go for the old popular ports, but the view should be broader than that.

--
Mike Easter
kibitzer, not SC admin

From diogo_c at brturbo.com.br Mon Sep 5 15:47:18 2005
From: diogo_c at brturbo.com.br (Diogo Corteletti de Oliveira)
Date: Mon Sep 5 13:55:02 2005
Subject: [SpamCop-List] Re: Statistics
In-Reply-To:
References:
Message-ID:

Mike Easter wrote:
> Diogo Corteletti de Oliveira wrote:
>
>>does anyone has a statistic with the most common ports used as proxy
>>ports for sending SPAM?
>
>
> Once upon a time the popular ports were things like 23, 80, 81, 1080,
> 3128, 8080, and 8081 for socks & http, but things have gotten a lot more
> complicated. Nowadays the world is full of infected trojans who might
> be anything.
>
> Common port testers still typically go for the old popular ports, but
> the view should be broader than that.
>

Yeah! Unfortunately that's true. But as I never have gathered information about that I thought someone could have Statistics that could show that a particular trojan/worm is more active in the internet and it uses a specific port. But all points out to any port could be used making it difficult to filter connections at Service Providers.

From nobody at devnull.spamcop.net Mon Sep 5 16:57:01 2005
From: nobody at devnull.spamcop.net (Miss Betsy)
Date: Mon Sep 5 16:50:04 2005
Subject: [SpamCop-List] Re: Att'n. Mike Easter: Scammers Cashing in on Katrina
References:
Message-ID:

"Robert Taylor" wrote in message news:dfdsn4$a26$1@news.spamcop.net...

I am curious how spammers are diverting funds from the ARC. The only ways I can imagine are by sending emails that 'look' like the ARC or by manipulating Google hits so that their site comes up before redcross.org.

If people are stupid enough to respond to emails that claim to represent the ARC, then there is not much the ARC can do.

Perhaps there could be something done by Google or other search engines to rig the results for certain input so that only certain legitimate charities are presented or put a prominently displayed banner that says that only these websites are known to be legitimate and it's caveat emptor for the rest.

Again what can the ARC do about that? All the advertising advises you to go to www.redcross.org and presumably once there, you can't be diverted to a spammer site.

To stop them would take too long to have an effect, IMHO.
Though possibly it would be a good idea for someone to collect such spam and see if it could be traced (like viruses) to a particular person. That would be a law enforcement function, though, it seems to me, under fraud.

Miss Betsy

From nobody at devnull.spamcop.net Mon Sep 5 17:01:53 2005
From: nobody at devnull.spamcop.net (Cat)
Date: Mon Sep 5 17:05:03 2005
Subject: [SpamCop-List] Re: Att'n. Mike Easter: Scammers Cashing in on Katrina
In-Reply-To:
References:
Message-ID:

(Top posting corrected)

spamacyde wrote:
>>I understand. Of course, that decision is perforce entirely up to you,
>>and
>>I respect it. In citing the above thread, it was not my intention to
>>suggest that you join it; I thought perhaps you might choose to do some
>>independent investigation, e.g., with information supplied by Red Cross,
>
> but
>
>>I see your point regarding the absence of some concrete material in an
>>appropriate forum.

> I have no problem with Katrina spam being discussed here.

Haven't you been asked more than once to stop top posting and not snipping? Your insistence on top posting and not snipping makes it really hard for anyone else to follow the context of your replies.

From nospam at dev.null Tue Sep 6 00:39:57 2005
From: nospam at dev.null (No Spam)
Date: Mon Sep 5 17:45:03 2005
Subject: [SpamCop-List] Re: spam within spam?
In-Reply-To:
References:
Message-ID:

Mike Easter wrote:
> No Spam wrote:
>
>>Anyway: Moral of the story -
>>There are many ways to combat spam. Spamcop reports is great, but not
>>the only way. Like a disease, a combination of complimentary
>>(non-spam) drugs may be required to curb it ...
>
... snip...
> And each step or conversion along the way involves spamfiltering and
> spamhandling which should be done wisely.
>
> Part of the 'joy' of spamfighting is to find the facets or the sport or
> competition which trip your own trigger.
>
>

Two key words being "wisely" and "spamfighting". It has to be consistent. NEVER support a spammer by which ever means, i.e:
a) Never allow him to make money from you,
b) at best cost him money :-)

As such, do not mess with it if you do not understand it. At least he will not make money off you.

Cheers
E

From nospam at dev.null Tue Sep 6 00:55:37 2005
From: nospam at dev.null (No Spam)
Date: Mon Sep 5 18:00:03 2005
Subject: [SpamCop-List] Re: MyFamilyInc.com
In-Reply-To:
References:
Message-ID:

Brian wrote:
> C. S. wrote:
>
... snip....
>
> Genealogy.com is another story. They are spammers. They are not
> ancestry. They don't honor unsubscribes.
>

Looks like they are same:

Registrant:
MyFamily.com, Inc.
360 W. 4800 N.
Provo, UT 84604
US

Registrar: DOTSTER
Domain Name: MYFAMILYINC.COM
Created on: 05-NOV-99
Expires on: 05-NOV-09
Last Updated on: 07-SEP-04

Administrative, Technical Contact:
Registration, Domain domreg@myfamilyinc.com
MyFamily.com, Inc.
340 W. 4800 N.
Provo, UT 84604
US
801-705-7000
801-705-7001

Domain servers in listed order:
NS1.MYFAMILY.NET
NS2.MYFAMILY.NET

AND

Registrant:
MyFamily.com, Inc.
360 W. 4800 N.
Provo, UT 84604
US

Domain Name: GENEALOGY.COM

Administrative Contact:
Genealogy.Com DOMREG@myfamilyinc.com
360 W. 4800 N.
Provo, UT 84604
US
801-705-7000

Technical Contact:
Genealogy.Com Technical@GENEALOGY.COM
39500 STEVENSON PL STE 204
FREMONT, CA 94539-3103
US
510-794-6850

Record expires on 05-Feb-2011.
Record created on 05-Feb-1999.
Database last updated on 5-Sep-2005 17:52:27 EDT.

Cheers
E

From nospam at dev.null Tue Sep 6 01:15:43 2005
From: nospam at dev.null (No Spam)
Date: Mon Sep 5 18:20:03 2005
Subject: [SpamCop-List] Re: Brazillian spam no longer getting spamcop complaints to hoster of site
In-Reply-To:
References:
Message-ID:

Joel Rubin wrote:
.... SNIP..
>
> I don't think Embratel (which had been complained to in the past) will
> do anything about it but I do want the clickplug IP's blocked.
>

"BIG" BAD NEWS crowd. A while back a complaint to them caused address that was used to be used in fake "from" lines in mails.

..but interesting none the less. More interesting was a virus with my old mail addie in it circulating and originating in Spain.(Enough misdirected bounces to trace source) Luckily it was disposable :-)

They are Ivo's mates and most definitely black hat.

Cheers
E

From not at home.today Tue Sep 6 03:01:11 2005
From: not at home.today (Ant)
Date: Mon Sep 5 21:05:03 2005
Subject: [SpamCop-List] Re: New bulletproof hosting, uk.geocities
References:
Message-ID:

"Petzl" wrote:

> "Ant" wrote in message
>> You must be lucky, or listwashed. I'm still getting GeoShitties spam.
>
> Still getting one a day spamvertised pornsite
> using base 64 which confuses SpamCop
> I report the link here
> http://uk.geocities.yahoo.com/v/alert.html

When someone posted a similar link earlier (for us.geocities) I spent an age going round in circles at the UK site looking for the equivalent UK URL and got nowhere. If my brain had been properly in gear, I might have thought to change "us." to "uk."! Thanks for the link.

> as the link is spamvertised I mark it illegal activities (sent to children
> everywhere)
> They are still very slow in reacting

I wonder if they actually use those categories for prioritisation? They should have one for spamvertisements. There should be no requirement by the submitter to visit the spammy URL.

From SC.10.myspamgobbler at spamcowboy.net Mon Sep 5 20:13:26 2005
From: SC.10.myspamgobbler at spamcowboy.net (Brian)
Date: Mon Sep 5 22:15:02 2005
Subject: [SpamCop-List] Re: MyFamilyInc.com
In-Reply-To:
References:
Message-ID:

No Spam wrote:
> Brian wrote:
>
>> C. S. wrote:
>>
> ... snip....
>
>>
>> Genealogy.com is another story. They are spammers. They are not
>> ancestry. They don't honor unsubscribes.
>>
>
> Looks like they are same:
> Registrant:
> MyFamily.com, Inc.
> 360 W. 4800 N.
> Provo, UT 84604
> US
>

grrrr. I never looked. Thanks for this. I think. I guess it's time to have a talk with these folks. I'll do a little more checking with genealogy.com to see if they still ignore unsubscribes etc and then apply more pressure if necessary. As it stands right now, I'm pulling all of my support from them.

--
Brian
SC.10.myspamgobbler@spamcowboy.net

From mwnospam at comcast.net Mon Sep 5 23:21:06 2005
From: mwnospam at comcast.net (spamacyde)
Date: Mon Sep 5 22:25:03 2005
Subject: [SpamCop-List] Right Wing Spammers
Message-ID:

I suspect that right-wing pinheads search "liberal" blogs and newsgroups and give email addresses to the appropriate spamming scum. Any confirmation? Of course, if anybody knows of the reverse, I'd like to hear about that too.

Thanks in advance.

From / at /.cn Tue Sep 6 14:50:50 2005
From: / at /.cn (Petzl)
Date: Mon Sep 5 23:55:03 2005
Subject: [SpamCop-List] Re: New bulletproof hosting, uk.geocities
References:
Message-ID:

"Ant" wrote in message news:dfipqf$86a$1@news.spamcop.net...
> "Petzl" wrote:
[S]
>> http://uk.geocities.yahoo.com/v/alert.html
>
> When someone posted a similar link earlier (for us.geocities) I spent
> an age going round in circles at the UK site looking for the equivalent
> UK URL and got nowhere. If my brain had been properly in gear, I might
> have thought to change "us." to "uk."! Thanks for the link.
>
>> as the link is spamvertised I mark it illegal activities (sent to
>> children
>> everywhere)
>> They are still very slow in reacting
>
> I wonder if they actually use those categories for prioritisation?
> They should have one for spamvertisements. There should be no
> requirement by the submitter to visit the spammy URL.
>

I personally suspect that litigation does have some input into decisions? A reason why I report as spam all that ends in Hotmails Junk folder to Hotmail

Petzl

From edb2000 at spamcop.net Mon Sep 5 21:58:23 2005
From: edb2000 at spamcop.net (Don Wannit)
Date: Tue Sep 6 00:00:04 2005
Subject: [SpamCop-List] Re: New bulletproof hosting, uk.geocities
In-Reply-To:
References:
Message-ID:

Berny wrote:
> Still coming in the guy opens a new geocities account every few minutes,,
> obviously yahoo has lost the notion of rate limiting.

I love it. Today I sent one email to 5 yahoo email addresses, Yahoo rejected it because it had too many recipients. They still have rate limiting, just not at a useful point.

--
Don Wannit
A paid SpamCop user since 1999

From nobody at spamcop.net Mon Sep 5 22:38:25 2005
From: nobody at spamcop.net (N. Miller)
Date: Tue Sep 6 00:40:03 2005
Subject: [SpamCop-List] Re: Right Wing Spammers
References:
Message-ID: <1oohk4eo3cge1$.dlg@news.spamcop.net>

On Mon, 5 Sep 2005 22:21:06 -0400, spamacyde wrote:

> I suspect that right-wing pinheads search "liberal" blogs and newsgroups and
> give email addresses to the appropriate spamming scum. Any confirmation?
> Of course, if anybody knows of the reverse, I'd like to hear about that too.

Be careful; this pinhead is a deep part of that "vast, right-wing conspiracy". I know where you live...

http://zapatopi.net/afdb/

As a rule, anybody with a grudge is capable of pulling any kind of stunt like that. Or, maybe, it is just a 'bot sucking up the email addresses from the web sites. Whatever the explanation, spammers are getting email addresses. That is, unfortunately, the way this Internet works. Maybe it is time to build another one?

--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint

From nobody at spamcop.net Mon Sep 5 22:49:54 2005
From: nobody at spamcop.net (N. Miller)
Date: Tue Sep 6 00:55:03 2005
Subject: [SpamCop-List] Speaking of "spam-within-spam"...
Message-ID: <1hp1mme82mpo.dlg@news.spamcop.net>

I handled an interesting item; I can't really say it was spam, but it probably was abusive. I had discarded a spam item promoting an ISP switch. I then found another item with a modified subject line, and containing the exact same spam item as I had just deleted as an attachment; but the header traces showed that it had gone through a different mail client and been delivered through a different MDA on the final hop. After puzzling it over, I realized that one of the spam victims in the Cc: list had forwarded a spam notify; and included each of the other spam victims in that list as recipients of the notify. Some people.

I had forwarded it for a SpamCop parse, but flagged it for "special handling" because of the odd appearance of the subject line. I decided to cancel that report.

--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint

From bar_n0ne at hotmail.com Tue Sep 6 14:25:13 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Tue Sep 6 05:30:03 2005
Subject: [SpamCop-List] Re: New bulletproof hosting, uk.geocities
References:
Message-ID:

"Don Wannit" wrote in message news:dfj44v$dmi$1@news.spamcop.net...

> I love it. Today I sent one email to 5 yahoo email addresses,
> Yahoo rejected it because it had too many recipients. They
> still have rate limiting, just not at a useful point.

I believe that,,, Aaaargh, the Internet was designed to survive nuclear war, can it survive spams and scams?

From nobody at nowhere.invalid Tue Sep 6 12:38:39 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Tue Sep 6 05:40:05 2005
Subject: [SpamCop-List] Re: New bulletproof hosting, uk.geocities
References:
Message-ID:

On Tue, 6 Sep 2005 13:25:13 +0400, Berny coughed into spamcop and left this in :

> I believe that,,, Aaaargh, the Internet was designed to survive nuclear
> war, can it survive spams and scams?
If ISPs and content providers acted responsibly it wouldn't have to. The question should really be, "can it survive irresponsible providers?" Like anything that starts rotting from the inside, its future should be in serious doubt.

--
Steve
The average nutritional value of promises is roughly zero.

From vincehoran at gmail.com Tue Sep 6 12:08:14 2005
From: vincehoran at gmail.com (Vince Horan)
Date: Tue Sep 6 06:08:22 2005
Subject: [SpamCop-List] Funniest strap line in ages
Message-ID:

Seen on a spam item from http://www optinemailtoday. biz advertising 2.5moptin email addresses:

"Steve Linford, CEO of the Largest Email Tracking Firm in the World Has Constantly Ranked our Company as One of The Top 10 Contributing Firms to Email for the Past 7 Years."

In other words they are admitting to being one of the top ten spammers!

Vince Horan

From mwnospam at comcast.net Tue Sep 6 09:41:15 2005
From: mwnospam at comcast.net (spamacyde)
Date: Tue Sep 6 08:45:03 2005
Subject: [SpamCop-List] Re: Track TCP/IP transmissions made by background processes
References:
Message-ID:

Please explain how to determine which executables are loading via the winlogon method.

A note to Spamcop personnel. I hid the reply to group button on the Outlook Express Newsgroup reader. If this message winds up at root level, sorry but I don't know what to do about it.

"DS" <9ucs5y001@sneakemail.com> wrote in message news:dfdguk$3ck$1@news.spamcop.net...
>
> "Jeff" wrote in message
> news:detbe5$ci8$1@news.spamcop.net...
> >I have some background processes that are running that I can't stop. When
> >I try to stop them, they
> > simply spawn a new process and rename themselves as a .exe file with a
> > random 7 character filename.
> > Neither ad-aware nor Microsoft's spyware software detects them, nor does
> > Norton Antivirus. I'm
> > assuming these programs are either sending or receiving transmissions over
> > the internet without me
> > knowing. Is there a way to find out if they're transmitting or receiving
> > data over the internet?
>
> I finished cleaning up my sister-in-law's computer that was behaving like
> this. It turns out that it was infected with both VX2 and SAH. To clear it
> out, I had to resort to the Windows boot/install/recovery console and delete
> the root culprit executable. It was loading at winlogon time via the
> WinLogon/Notify method. I was lucky--if that didn't work, it was re-imaging
> time for her HD.
>
> DS
>

From zypher at spamcop.net Tue Sep 6 09:17:37 2005
From: zypher at spamcop.net (Ron B.)
Date: Tue Sep 6 09:20:02 2005
Subject: [SpamCop-List] Re: Funniest strap line in ages
In-Reply-To:
References:
Message-ID:

Vince Horan wrote:
> Seen on a spam item from http://www optinemailtoday. biz advertising
> 2.5moptin email addresses:
> "Steve Linford, CEO of the Largest Email Tracking Firm in the World
> Has Constantly Ranked our Company as One of The Top 10 Contributing
> Firms to Email for the Past 7 Years."
> In other words they are admitting to being one of the top ten spammers!
> Vince Horan

It's called "spin" :-) .

From MikeE at ster.invalid Tue Sep 6 07:30:31 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Sep 6 09:35:03 2005
Subject: [SpamCop-List] Re: Track TCP/IP transmissions made by background processes
References:
Message-ID:

spamacyde wrote:
> Please explain how to determine which executables are loading via the
> winlogon method.

What winlogon method discussion are you talking about?

--
Mike Easter
kibitzer, not SC admin

From blacklist-me at davjam.org Tue Sep 6 15:04:12 2005
From: blacklist-me at davjam.org (David Bolt)
Date: Tue Sep 6 10:05:03 2005
Subject: [SpamCop-List] Re: Att'n. Mike Easter: Scammers Cashing in on Katrina
References:
Message-ID:

On Mon, 5 Sep 2005, Miss Betsy wrote:-

>"Robert Taylor" wrote in message
>news:dfdsn4$a26$1@news.spamcop.net...
>
>I am curious how spammers are diverting funds from the ARC. The
>only ways I can imagine are by sending emails that 'look' like the
>ARC or by manipulating Google hits so that their site comes up
>before redcross.org.

Basically by using the same technique as any other phishers use. Create a website that looks like the ARC site, then send out spams purporting to be from the ARC directing the victim to the lookalike site. Once there, the victim enters the required details and, either submits their donation which never gets to where it's intended, or they end up like any other victim of a phish.

>To stop them would take too long to have an effect, IMHO. Though
>possibly it would be a good idea for someone to collect such spam
>and see if it could be traced (like viruses) to a particular
>person. That would be a law enforcement function, though, it seems
>to me, under fraud.

Looking at how well law enforcement has handled other examples of phishing, I don't see much happening there.

Regards,
David Bolt

--
Member of Team Acorn checking nodes at 63 Mnodes/s: http://www.distributed.net/
AMD 1800 1Gb WinXP/SuSE 9.3 | AMD 2400 160Mb SuSE 8.1 | AMD 2400 256Mb SuSE 9.0
AMD 1300 512Mb SuSE 9.0 | Falcon 14Mb TOS 4.02 | STE 4Mb TOS 1.62
RPC600 129Mb RISCOS 3.6 | A3010 4Mb RISCOS 3.11 | A4000 4Mb RISCOS 3.11

From nospam at dev.null Tue Sep 6 18:08:30 2005
From: nospam at dev.null (No Spam)
Date: Tue Sep 6 11:10:04 2005
Subject: [SpamCop-List] spammer seeking ..
Message-ID:

http://www.spamcop.net/sc?id=z803614580z1941ab38ae419583011295a300fd4f76z
refers:

Spammer seeking to do marketing. Interesting. Let see what we can dish up for this low life.

Cheers
E

From JG at coks.net Tue Sep 6 09:35:23 2005
From: JG at coks.net (JG)
Date: Tue Sep 6 11:35:04 2005
Subject: [SpamCop-List] Re: Speaking of "spam-within-spam"...
In-Reply-To: <1hp1mme82mpo.dlg@news.spamcop.net>
References: <1hp1mme82mpo.dlg@news.spamcop.net>
Message-ID:

On 9/5/2005 9:49 PM N. Miller scribbled:
> I handled an interesting item; I can't really say it was spam, but it
> probably was abusive. I had discarded a spam item promoting an ISP switch.
> I then found another item with a modified subject line, and containing the
> exact same spam item as I had just deleted as an attachment; but the header
> traces showed that it had gone through a different mail client and been
> delivered through a different MDA on the final hop. After puzzling it over,
> I realized that one of the spam victims in the Cc: list had forwarded a
> spam notify; and included each of the other spam victims in that list as
> recipients of the notify. Some people.

How would one do that? Could that have been accidental?
My email client is pretty exact about addressing forwards - I don't even see a way...

From MikeE at ster.invalid Tue Sep 6 10:14:18 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Sep 6 12:15:03 2005
Subject: [SpamCop-List] Re: Speaking of "spam-within-spam"...
References: <1hp1mme82mpo.dlg@news.spamcop.net>
Message-ID:

JG wrote:
> N. Miller scribbled:

>> After puzzling it over, I realized that one of the
>> spam victims in the Cc: list had forwarded a spam notify; and
>> included each of the other spam victims in that list as recipients
>> of the notify. Some people.
>
> How would one do that? Could that have been accidental?
> My email client is pretty exact about addressing forwards - I don't
> even see a way...

Yep; OE can /reply/ to all of the To/CCs, not fw or fw as attach.

Another example of how posting a tracker of something worth talking about is so much better than describing it. Or rather /trying/ to describe it, sorta.

Maybe if it isn't worth posting the tracker, it isn't worth talking about.
--
Mike Easter
kibitzer, not SC admin

From sysops at providenet.com Tue Sep 6 10:56:32 2005
From: sysops at providenet.com (Jack Cole)
Date: Tue Sep 6 13:00:04 2005
Subject: [SpamCop-List] SPamcop clocking legitimate emails
Message-ID:

Need a show of hands. Spamcop blocks only our legitimate email, not any Spam. We have a spam free network and Spamcop keeps blocking us as we return email that is not for our users. Spamcop has traps setup so the mail we return as Spam goes to a trap.

So, Spamcop blocks our email for 24 hours. It is not Spam. We spend 24 hours blocking only legitimate email from our users. Spam cop does not block Spam for us as we are a Spamfree network.

We need to know how many others have this same problem. Spamcop is ignoring this issue and we feel that they are only hurting the internet and smaller ISP's but not fixing their problem. We are pleading with people to stop using Spamcop for this reason which we have had some success.

How many out there see the same thing?

Please email me so we can figure out our next step. sysops@providenet.com

Thank you
Jack Cole
ProvideNet Communications

From no at spam.invalid Tue Sep 6 11:13:35 2005
From: no at spam.invalid (Michael Wise)
Date: Tue Sep 6 13:15:03 2005
Subject: [SpamCop-List] Re: SPamcop clocking legitimate emails
References:
Message-ID:

In article , "Jack Cole" wrote:

> Need a show of hands. Spamcop blocks only our legitimate email, not any
> Spam. We have a spam free network and Spamcop keeps blocking us as we
> return email that is not for our users. Spamcop has traps setup so the mail
> we return as Spam goes to a trap.

Sounds to me like you're "returning" email to forged addresses which never sent it. If this is true, you deserve to be blacklisted until you get a clue and reject the message outright instead of accepting it and then bouncing it to an address which you cannot know to have been the true source.

>
> So, Spamcop blocks our email for 24 hours. It is not Spam. We spend 24
> hours blocking only legitimate email from our users. Spam cop does not
> block Spam for us as we are a Spamfree network.
>
> We need to know how many others have this same problem. Spamcop is ignoring
> this issue and we feel that they are only hurting the internet and smaller
> ISP's but not fixing their problem. We are pleading with people to stop
> using Spamcop for this reason which we have had some success.

I'm quite happy with the SpamCop dnsbl on all mail servers I manage, thank you. I am not happy with providers who bounce mail to forged addresses. Does this show fit you?

>
> How many out there see the same thing?
>
> Please email me so we can figure out our next step. sysops@providenet.com

The only next step is getting providers to competently handling inbound mail to nonexistent addresses.

--Mike

From MikeE at ster.invalid Tue Sep 6 11:13:55 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Sep 6 13:15:10 2005
Subject: [SpamCop-List] Re: SPamcop clocking legitimate emails
References:
Message-ID:

Jack Cole wrote:
> Need a show of hands.

Huh? For or against foolish statements? I'm against.

> Spamcop blocks only our legitimate email, not
> any Spam.

Foolish statement. Spamcop doesn't block anything. SpamCop is a parsing and reporting service, the maintainer of the spamcop blocklist, and a mailservice which filtertag holds spam and offers simplified reporting.

> We have a spam free network and Spamcop keeps blocking us
> as we return email that is not for our users. Spamcop has traps
> setup so the mail we return as Spam goes to a trap.

When you say 'return email that is not for our users' it is highly likely that you are performing 'belated bouncing' instead of rejecting during the transaction.

If you belatedly bounce by creating a newmail addressed to the bogus From of spams or viral propagations, then you are acting abusively toward the bogus Froms. Some of those bogus Froms will be spamcop reporters. Others will be spamtraps. If you are creating newmails addressed to spamtraps, you will surely get yourself spamcop blocklisted for Misdirected Bounces.

That is all explained in the faqs.

http://www.spamcop.net/fom-serve/cache/329.html#bounces
Why are auto responders bad? -- Misdirected bounces

> So, Spamcop blocks our email for 24 hours. It is not Spam. We spend
> 24 hours blocking only legitimate email from our users. Spam cop
> does not block Spam for us as we are a Spamfree network.

Spamcop doesn't block mail. People and servers use reputable blocklists such as spamcop's to aid them in the control of abusive mail, such as spam and your misdirected so-called bounces which are actually newmails, not rejections of misaddressed mail.

> We need to know how many others have this same problem. Spamcop is
> ignoring this issue and we feel that they are only hurting the
> internet and smaller ISP's but not fixing their problem. We are
> pleading with people to stop using Spamcop for this reason which we
> have had some success.

You have the right to plead with whoever you want to plead with. What you should be doing instead of pleading is to reconfigure your abusively configured server. The link I provided above is a source of numerous links on how to configure various servers properly, such as MS Exchange, QMail, and others.

--
Mike Easter
kibitzer, not SC admin

From bill_beyer at excite.cXoYmZ Tue Sep 6 11:22:45 2005
From: bill_beyer at excite.cXoYmZ (Bill Beyer)
Date: Tue Sep 6 13:20:03 2005
Subject: [SpamCop-List] Re: SPamcop clocking legitimate emails
References:
Message-ID:

"Jack Cole" wrote in message news:dfkho4$kkm$1@news.spamcop.net...
> Need a show of hands. Spamcop blocks only our legitimate email, not any
> Spam. We have a spam free network and Spamcop keeps blocking us as we
> return email that is not for our users. Spamcop has traps setup so the mail
> we return as Spam goes to a trap.
>
> So, Spamcop blocks our email for 24 hours. It is not Spam. We spend 24
> hours blocking only legitimate email from our users. Spam cop does not
> block Spam for us as we are a Spamfree network.
>
> We need to know how many others have this same problem. Spamcop is ignoring
> this issue and we feel that they are only hurting the internet and smaller
> ISP's but not fixing their problem. We are pleading with people to stop
> using Spamcop for this reason which we have had some success.
>
> How many out there see the same thing?
>
> Please email me so we can figure out our next step. sysops@providenet.com
>
> Thank you
> Jack Cole
> ProvideNet Communications

You're an IT person for an ISP, you're returning spam to the email address that it came from and you wonder why you get listed? You need to fix your problems and then worry about whether or not SC needs to fix theirs.

From nobody at devnull.spamcop.net Tue Sep 6 14:53:49 2005
From: nobody at devnull.spamcop.net (Pop)
Date: Tue Sep 6 13:55:02 2005
Subject: [SpamCop-List] Re: SPamcop clocking legitimate emails
References:
Message-ID:

"Jack Cole" wrote in message news:dfkho4$kkm$1@news.spamcop.net...
: Need a show of hands. Spamcop blocks only our legitimate email, not any
: Spam. We have a spam free network and Spamcop keeps blocking us as we
: return email that is not for our users. Spamcop has traps setup so the mail
: we return as Spam goes to a trap.

===> I don't see any hands going up.

:
: So, Spamcop blocks our email for 24 hours. It is not Spam. We spend 24
: hours blocking only legitimate email from our users. Spam cop does not
: block Spam for us as we are a Spamfree network.

===> wrong; rtfm

:
: We need to know how many others have this same problem. Spamcop is ignoring
: this issue and we feel that they are only hurting the internet and smaller
: ISP's but not fixing their problem. We are pleading with people to stop
: using Spamcop for this reason which we have had some success.

===> No one has that problem, including you.
:
: How many out there see the same thing?
===> None
:
: Please email me so we can figure out our next step. sysops@providenet.com
:
: Thank you
: Jack Cole
: ProvideNet Communications
:
:

From nobody at nowhere.invalid Tue Sep 6 20:59:22 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Tue Sep 6 14:00:03 2005
Subject: [SpamCop-List] Re: SPamcop clocking legitimate emails
References:
Message-ID:

On Tue, 6 Sep 2005 09:56:32 -0700, Jack Cole coughed into spamcop and left this in :

> Need a show of hands. Spamcop blocks only our legitimate email, not any
> Spam. We have a spam free network and Spamcop keeps blocking us as we
> return email that is not for our users.

Go away and read this:

http://mailsc.spamcop.net/fom-serve/cache/329.html#bounces

There is NO excuse whatsoever for bouncing mail to non-existent users and doing so *will* get you listed - rightly so.

--
Steve
The best way to accelerate a Windows-infested computer is at 9.8 m.s^-2

From nobody at devnull.spamcop.net Tue Sep 6 15:02:22 2005
From: nobody at devnull.spamcop.net (Pop)
Date: Tue Sep 6 14:05:02 2005
Subject: [SpamCop-List] Re: SPamcop clocking legitimate emails
References:
Message-ID:

I'll bet 123 cheap... or more likely ultradns... has some advice for you?

"Jack Cole" wrote in message news:dfkho4$kkm$1@news.spamcop.net...
: Need a show of hands. Spamcop blocks only our legitimate email, not any
: Spam. We have a spam free network and Spamcop keeps blocking us as we
: return email that is not for our users. Spamcop has traps setup so the mail
: we return as Spam goes to a trap.
:
: So, Spamcop blocks our email for 24 hours. It is not Spam. We spend 24
: hours blocking only legitimate email from our users. Spam cop does not
: block Spam for us as we are a Spamfree network.
:
: We need to know how many others have this same problem. Spamcop is ignoring
: this issue and we feel that they are only hurting the internet and smaller
: ISP's but not fixing their problem.
We are pleading with people to stop
: using Spamcop for this reason which we have had some success.
:
: How many out there see the same thing?
:
: Please email me so we can figure out our next step. sysops@providenet.com
:
: Thank you
: Jack Cole
: ProvideNet Communications
:
:

From nobody at spamcop.net Tue Sep 6 17:30:22 2005
From: nobody at spamcop.net (N. Miller)
Date: Tue Sep 6 19:35:05 2005
Subject: [SpamCop-List] Re: Speaking of "spam-within-spam"...
References: <1hp1mme82mpo.dlg@news.spamcop.net>
Message-ID: <7mn9jptxr4ax.dlg@news.spamcop.net>

On Tue, 06 Sep 2005 08:35:23 -0700, JG wrote:

> On 9/5/2005 9:49 PM N. Miller scribbled:
>> I handled an interesting item; I can't really say it was spam, but it
>> probably was abusive. I had discarded a spam item promoting an ISP switch.
>> I then found another item with a modified subject line, and containing the
>> exact same spam item as I had just deleted as an attachment; but the header
>> traces showed that it had gone through a different mail client and been
>> delivered through a different MDA on the final hop. After puzzling it over,
>> I realized that one of the spam victims in the Cc: list had forwarded a
>> spam notify; and included each of the other spam victims in that list as
>> recipients of the notify. Some people.

> How would one do that? Could that have been accidental?
> My email client is pretty exact about addressing forwards - I don't
> even see a way...

I don't know if it could have been accidental. It looks like it was sent using Mozilla:

http://www.spamcop.net/sc?id=z803752880z2cf6d3925ee6628f2ec01ede10f2ac6az

Both Netscape 7.2 and Thunderbird 1.0.6 have a "Reply-All" button similar to MS Outlook Express. I suppose that, if the guy was too upset to see straight, he could have used the wrong button.
--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint

From not at home.today Wed Sep 7 01:54:06 2005
From: not at home.today (Ant)
Date: Tue Sep 6 19:55:02 2005
Subject: [SpamCop-List] Re: New bulletproof hosting, uk.geocities
References:
Message-ID:

"Petzl" wrote:
> "Ant" wrote:
>> I wonder if they actually use those categories for prioritisation?
>> They should have one for spamvertisements. There should be no
>> requirement by the submitter to visit the spammy URL.
>
> I personally suspect that litigation does have some input into decisions?

Quite likely. Let's hope Yahoo do something about the increasing abuse of their webspace. Perhaps this will help them:

http://news.zdnet.co.uk/internet/0,39020369,39216533,00.htm

Where Spamhaus criticises them for the number of phishing sites hosted.

From JG at coks.net Tue Sep 6 19:54:41 2005
From: JG at coks.net (JG)
Date: Tue Sep 6 21:55:04 2005
Subject: [SpamCop-List] 2 parses, diff results - any easy way to tell which is correct?
Message-ID:

http://www.spamcop.net/sc?id=z803780689z7686b4a2e3f5db13a11db3484f460c78z

SC comes up with 195.222.62.50.

Looking at the SC routing results, I see:

quote:
Reports routes for 195.222.62.50:
routeid:11008800 195.222.32.0 - 195.222.63.255 to:support@bih.net.ba
Administrator interested in all reports
Friday, June 18, 2004 07:52:16 -0700
[Note added by 24.78.154.2, 24.66.94.142 (S010600045a22c670.ss.shawcable.net)]
BIHnet is ISP of BH Telecom, and it is the biggest in Bosnia and Herzegovina. We have approximately 40.000 dialup, and 500 leased line users. In past few month we had a lot of problems with spammers, and lot of our dial-up IP addresses reached on the black lists. Few days ago we finally replaced our mail server with a new one. Now we have Sun One Messaging server 6.0 with Symantec Gateway Security 5440 with RBL check and antivirus protection, also the Spam Assassin installed on Sun.
80% of all our IP address space are reserved for dialup users. Next 10% are dedicated to Leased line customers who often have theirs mail servers. Starting with new mail system, a lot of our users have problems to send and receive an e-mail. So, to solve this problem, we kindly ask you for help to remove IP addresses we use from your RBL. IP address pools we use are: 195.222.32.0 - 195.222.63.255, and 80.65.64.0 - 80.65.95.255.
unquote..

Granted, that is a year ago.

Another parser comes up with:

80.65.77.248

quote:
Parsing:
Sender (or dispatching mailserver) IP:195.222.62.50
He/she/it has said to be :ksejon.team.ba
Receiving mailserver [by]:fed1rmgxi03.cox.net
The trusting level of this Received line: is 25%
*/No, I don't have the knowledge of the basis of this % calculation*/
**********
Parsing:
Sender (or dispatching mailserver) IP:80.65.77.248
He/she/it has said to be :mail.natsoft.com.my
Receiving mailserver [by]:ksejon.team.ba
The trusting level of this Received line: is 100%
**********
Parsing:
Sender (or dispatching mailserver) IP:241.74.203.210
He/she/it has said to be :veb.atlantis.com
Receiving mailserver [by]:vtgl.atlantis.com
For e-mail:
241.74.203.210 is a IANA reserved address, skipping analysis
80.65.77.248 is the last valid ip, probably the spammer?
unquote...

I am unsure of how to interpret this - is it worth any discussion?

Tnx,
jg

From nobody at devnull.spamcop.net Tue Sep 6 22:55:15 2005
From: nobody at devnull.spamcop.net (Miss Betsy)
Date: Tue Sep 6 22:50:03 2005
Subject: [SpamCop-List] Re: Att'n. Mike Easter: Scammers Cashing in on Katrina
References:
Message-ID:

The ARC is having problems with increased use of their website for donations - and also for ARC personnel accessing information on latest information on how to proceed. It is not due to phishers or spam.

As I said the ARC has done what it can to discourage unauthorized collection of funds. The only thing it can't do is to make someone listen.
A neighbor gave money to some teenagers collecting for the ARC. Probably the teenagers were really trying to help, but they were not 'authorized' by the ARC. Neither the teenagers nor the neighbor are people that the ARC can control.

Miss Betsy

From sysops at providenet.com Tue Sep 6 21:05:03 2005
From: sysops at providenet.com (Jack Cole)
Date: Tue Sep 6 23:10:03 2005
Subject: [SpamCop-List] Spamcop blocking legitimate emails
Message-ID:

Nice. About 3rd grade but nice!

Ok, so I read through the text. Basically it says you must change the way you have been sending mail out because SpamCop can't figure out how to stop blocking legit mail. Hmmm, sounds a bit strange.

It says we must tell all 11,000 users that they cannot use Outlook anymore to send Auto-Replies....Hmmm, never going to happen. Everyone allows Auto-replies, I use them myself all of the time.

Because Spamcop can't fix their own system from blocking legit mail, why should we have to change our system.

We have not changed email since we opened in 1996. Suddenly Spamcop comes along and says we must change the way we do business so they do not have to fix their model.

What Spamcop is doing is simply building a barrier between them and legit ISP's. Nothing more.

Spamcop is not blocking Spam from our network, they are only blocking legit email.

Yes, Spammers do forge return addresses. That is correct. So our servers reject it. Good, we should. But, now with the help of Spamcop, Spammers can now shut down networks simply by making sure a Spam trap is listed in the email they send out.

Isn't Spam cop supposed to help control Spam??

Why do we get 10,000+ emails a day from aol and Yahoo...but their email keeps flowing. When we send an autoreply back...hmmm, now our server gets blocked. Makes you think.

And, get this...no other network has a problem with our mail, only Spamcop. Funny. Nobody else sees Spam from us but Spamcop reports us just about every day.
And...get this, we fight Spam every minute of every day...but Spamcop wants us as an enemy.

What is good is that this is a known problem. So far 3 networks have dumped Spamcop and we are waging an advertising campaign to continue getting us whitelisted or getting receiving servers from dropping Spamcop. Until Spamcop wakes up and starts working with ISP's, well, then Spamcop is only in our way. Spamcop does not block Spam from our network, only blocks legit mail. This brings up mountains of legal issues as anyone blocking legit mail is worse than any Spammer we know.

Ok, so far, I read the ideas posted by Spamcop. They want us to email 11,000+ people and tell them no more outlook autoresponders. (Ok, I have several businesses that would say Goodbye as everyone else allows this.

Ok, so I have no control over that at all. I guess I could read each email...about 350,000 a day and make sure it is not being autoresponded. Some do not say autoresponder so I will hire 10-15 people that can filter one by one. Yeah right...never going to happen.

Spamcop will not even furnish proof of anything. We ask and they won't tell us even if this is coming from one of our 9000+ domains. How can we control this when we do not even have proof that it is occurring.

I have asked and alls I get is the same answer...read this page and stop sending autoresponders....Prove to me that we are....show me the domain so I can shut them down and tell them to move to another ISP. Crazy but Spamcop can't figure out how to fix their problem so I guess we can just start turning off perfectly legitimate customers to fix it.

OR.... Spamcop can get off their backside and fix their flawed system. How about this idea.....maybe...just maybe...you should block SPAM. I know...a new concept...but it would be more to what you are supposed to do.

I tried to call Spamcop today and only got busy signals all day. Took a drive by Iron Ports but did not have time to talk.
I will be by tomorrow sometime so we can sit down and look at the problem.

Spam cop's model needs to change and work with ISP's. We fight Spam and monitor it constantly. Spamcop works against us and only blocks legit mail.

Please tell me how other networks have figured out telling all of their users that they cannot send auto-replies or respond to any Spam ever again. I would like to know how it affected their customer base. BTW, if you can do it on AOL....do they get listed in Spamcop? Never seen that.

Any users out there....please contact me. Tell me of the issues you are having so we can put a list together.

I do appreciate the comments from Outblaze as well. Thank you for supporting us and dropping Spamcop today. Our mail is flowing to your network again....Legit mail.

Here's a show of hands news:dfkho4$kkm$1@news.spamcop.net

We all agree you should not be in IT - what a loser - Please read:- http://mailsc.spamcop.net/fom-serve/cache/329.html

>>>>>>>>>>>>>>>>>>>>>>>>>>>

Need a show of hands. Spamcop blocks only our legitimate email, not any Spam. We have a spam free network and Spamcop keeps blocking us as we return email that is not for our users. Spamcop has traps setup so the mail we return as Spam goes to a trap.

So, Spamcop blocks our email for 24 hours. It is not Spam. We spend 24 hours blocking only legitimate email from our users. Spam cop does not block Spam for us as we are a Spamfree network.

We need to know how many others have this same problem. Spamcop is ignoring this issue and we feel that they are only hurting the internet and smaller ISP's but not fixing their problem. We are pleading with people to stop using Spamcop for this reason which we have had some success.

How many out there see the same thing?

Please email me so we can figure out our next step.
sysops@providenet.com

Thank you
Jack Cole
ProvideNet Communications

From JG at coks.net Tue Sep 6 21:40:11 2005
From: JG at coks.net (JG)
Date: Tue Sep 6 23:40:03 2005
Subject: [SpamCop-List] Re: Speaking of "spam-within-spam"...
In-Reply-To: <7mn9jptxr4ax.dlg@news.spamcop.net>
References: <1hp1mme82mpo.dlg@news.spamcop.net> <7mn9jptxr4ax.dlg@news.spamcop.net>
Message-ID:

On 9/6/2005 4:30 PM N. Miller scribbled:
> I don't know if it could have been accidental. It looks like it was sent
> using Mozilla:
>
> http://www.spamcop.net/sc?id=z803752880z2cf6d3925ee6628f2ec01ede10f2ac6az
>
> Both Netscape 7.2 and Thunderbird 1.0.6 have a "Reply-All" button similar
> to MS Outlook Express. I suppose that, if the guy was too upset to see
> straight, he could have used the wrong button.
>

Yup, I got it in TBird - never use it but can see how it happened. Just removed it in case /I/ have a brain fart.
That's an oops...

From JG at coks.net Tue Sep 6 21:51:05 2005
From: JG at coks.net (JG)
Date: Tue Sep 6 23:50:02 2005
Subject: [SpamCop-List] Re: Spamcop blocking legitimate emails
In-Reply-To:
References:
Message-ID:

On 9/6/2005 8:05 PM Jack Cole scribbled:
> I tried to call Spamcop today and only got busy signals all day. Took a
> drive by Iron Ports but did not have time to talk. I will be by tomorrow
> sometime so we can sit down and look at the problem.
>

Don't forget that they might like some doughnuts, Brad...

From Kilgallen at SpamCop.net Wed Sep 7 00:02:17 2005
From: Kilgallen at SpamCop.net (Larry Kilgallen)
Date: Wed Sep 7 00:05:05 2005
Subject: [SpamCop-List] Re: Spamcop blocking legitimate emails (Backscatter)
References:
Message-ID:

In article , "Jack Cole" writes:

> Ok, so I read through the text.

Apparently not.

> Basically it says you must change the way
> you have been sending mail out because SpamCop can't figure out how to stop
> blocking legit mail.

You have it wrong. Sending a "reply" to someone who did not mail to you is _not_ "legitimate" mail.
> It says we must tell all 11,000 users that they cannot use Outlook anymore
> to send Auto-Replies....Hmmm, never going to happen.

Then rejection-free delivery to spamfighters - not going to happen.

> Everyone allows
> Auto-replies,

No, not everybody.

> I use them myself all of the time.

That must be why you are defending the practice.

> We have not changed email since we opened in 1996.

Spammers have changed the way they send spam, forging "From:" addresses. You have not been keeping up, and have thus been pestering those whose email addresses have been falsely used by the spammers.

> What Spamcop is doing is simply building a barrier between them and legit
> ISP's.

An ISP that sends me spam is _not_ a legitimate ISP. I have _not_ solicited notification that spammers are falsely using my email address in their "From:" header. Any ISP that sends such notices is sending Unsolicited (by me) Bulk Email.

> Spamcop is not blocking Spam from our network, they
> Yes, Spammers do forge return addresses.
> That is correct. So our servers reject it.

No, that is the point. Reject is an SMTP operation that does _not_ originate a message to the putative sender. It causes the true sending system to get notification. What you are doing is _not_ rejecting, but Backscatter.

http://mailsc.spamcop.net/fom-serve/cache/329.html

> Spamcop will not even furnish proof of anything.

Spamcop sends reports for every piece of spam I file. You or your upstream apparently are not reading them.

From spamcop-list-at-news.spamcop.net at musaic.net Wed Sep 7 07:19:24 2005
From: spamcop-list-at-news.spamcop.net at musaic.net (St - Musaic.Net)
Date: Wed Sep 7 00:19:56 2005
Subject: [SpamCop-List] Spamcop blocking legitimate emails
In-Reply-To:
References:
Message-ID: <162271776.20050907061924@musaic.net>

> It says we must tell all 11,000 users that they cannot use Outlook anymore
> to send Auto-Replies....Hmmm, never going to happen. Everyone allows
> Auto-replies, I use them myself all of the time.
So you mean that innocent users whose address was forged by the spammers should accept that you and your customers bounce those messages "back" at them accusing them of sending spam?

"Hmmm, never going to happen."

If you (as in you and/or your customers) do that in response to a spam that has my address set as Sender then reporting is "going to happen".

> Because Spamcop can't fix their own system from blocking legit mail, why
> should we have to change our system.

Wrong focus - you allow for incorrect bouncing and thus are adding to the spam problem. You can fix the problem with your own servers and users.

> We have not changed email since we opened in 1996. Suddenly Spamcop comes
> along and says we must change the way we do business so they do not have
> to fix their model.

Suddenly? This is not about they should have to fix their model. It is about YOUR servers that allow for false bouncing, thus you are adding to the spam problem for the innocent users who are to receive accusations that they spammed your users. Why should we live with your problem unless you will have to live with our problem?

> Spamcop is not blocking Spam from our network, they are only blocking legit
> email.

Incorrect bounced mail in my mailbox is probably "legit" but it is highly unwanted. There is something wrong with the configuration of your attitude. Fix it!

> Yes, Spammers do forge return addresses. That is correct. So our servers
> reject it.

How do YOU decide what is a forged return address?

> Spammers can now shut down networks simply by making sure a Spam trap is
> listed in the email they send out.

That is not necessarily what happens. Yes, spammers can spew spam using forged senders - it is when your users are bouncing the mail back to the spam traps that your server is evaluated. Or your users are bouncing spam back to innocent users that had nothing to do with the spam.
Amongst these users you might find SpamCop-addressees that eventually will report these false accusations for what they are: Adding to the spam problem.

> Isn't Spam cop supposed to help control Spam??

Yes - and your users or you yourself is apparently adding to the problem. Like I said: There is something wrong with the configuration of your attitude. Fix it!

> Why do we get 10,000+ emails a day from aol and Yahoo...but their email
> keeps flowing.

You are too romantic about AOL and Yahoo - don't fool yourself into thinking they are that clean.

> When we send an autoreply back...hmmm, now our server gets blocked.
> Makes you think.

It makes me think: Why the heck should I download your false bouncings?

> And, get this...no other network has a problem with our mail, only Spamcop.
> Funny. Nobody else sees Spam from us but Spamcop reports us just about
> every day. And...get this, we fight Spam every minute of every day...but
> Spamcop wants us as an enemy.

If you are continuously blocklisted, then rest assured those false bouncing are more than once every now and then. Is that how you fight spam? I mean, do you fight spam by allowing your users to send accusations of sending spam to innocent users in other networks? Is that how you fight spam every minute of every day?

> What is good is that this is a known problem. So far 3 networks have
> dumped Spamcop and we are waging an advertising campaign to continue
> getting us whitelisted or getting receiving servers from dropping Spamcop.

That doesn't matter to me really - your advertising campaign doesn't give you and your camerados any VIP at my door.

> Until Spamcop wakes up and starts working with ISP's, well, then Spamcop
> is only in our way.

Until you understand that the false accusations coming from your network is unwanted and that people have every right to object to your attitude, then the problem is yours to keep.

> Spamcop does not block Spam from our network, only blocks legit mail.
False bouncing is probably "legit", but there is something wrong with the configuration of your attitude. Fix it!

> This brings up mountains of legal issues as anyone blocking legit mail is
> worse than any Spammer we know.

Are you saying that it is illegal for me to ask SpamCop what servers are allowing for false bouncing and based on the data they give it is illegal of me to decide that I don't want mail from you and your servers? What law is making that illegal? First amendment? You may have a right to speak - I have a right to not listen. I choose to not listen to your users and their false accusations. Go to court - be my guest!

> Ok, so far, I read the ideas posted by Spamcop. They want us to email
> 11,000+ people and tell them no more outlook autoresponders. (Ok, I have
> several businesses that would say Goodbye as everyone else allows this.
>
> Ok, so I have no control over that at all. I guess I could read each
> email...about 350,000 a day and make sure it is not being autoresponded.
> Some do not say autoresponder so I will hire 10-15 people that can filter
> one by one. Yeah right...never going to happen.

Your attitude is definitely broken - I think it is un-repairable...

> Spamcop will not even furnish proof of anything. We ask and they won't
> tell us even if this is coming from one of our 9000+ domains. How can we
> control this when we do not even have proof that it is occurring.

Spam traps are secret - there is an apparent reason for that. If you want proof, why don't you sign up to receive SpamCop summary reports for your networks. As soon as a trap is recognized, a report will be sent to you. Okay, that report is not very accurate, but it gives you a hint.

> I have asked and alls I get is the same answer...read this page and stop
> sending autoresponders....Prove to me that we are....show me the domain so
> I can shut them down and tell them to move to another ISP.
Crazy but
> Spamcop can't figure out how to fix their problem so I guess we can just
> start turning off perfectly legitimate customers to fix it.

Who told you that SpamCop can't figure out this or that - isn't that just your "opinion"?

> Spamcop works against us and only blocks legit mail.

..."only blocks legit mail"...what a small world you are living in...

> We have a spam free network and Spamcop keeps blocking us as we return email
> that is not for our users.

And your users (or maybe even YOU) assume that spam was sent from the one addressee set as Sender. If that addressee was me, you expect me to remain forgiving to your accusations of sending spam?

"Hmmm, never going to happen."

> Spamcop has traps setup so the mail we return as Spam goes to a trap.

I really don't think the problem starts there...are you implying SpamCop is munging a spammer's message so as to trap it?!?

> So, Spamcop blocks our email for 24 hours. It is not Spam. We spend 24
> hours blocking only legitimate email from our users. Spam cop does not
> block Spam for us as we are a Spamfree network.

Some of your users probably have set their system to include the spam in the bounce they send. Thus, your users (or maybe even YOU) are not only sending off a false accusation of spamming, but the innocent recipient will even have to live with the fact that from your network someone sent a false accusation of spamming AND the spam itself. Is that legit email?

Your attitude is definitely broken - is it un-repairable?

--
St

From bar_n0ne at hotmail.com Wed Sep 7 09:15:10 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Wed Sep 7 00:20:04 2005
Subject: [SpamCop-List] Re: Spamcop blocking legitimate emails
References:
Message-ID:

"Jack Cole" wrote in message news:dflld3$etm$1@news.spamcop.net...
> Nice. About 3rd grade but nice!
>
> Ok, so I read through the text.
Basically it says you must change the way
> you have been sending mail out because SpamCop can't figure out how to stop
> blocking legit mail. Hmmm, sounds a bit strange.
>
>RANT SNIPPED

Get your facts straight, Spamcop users, who are using ISP's or corporate networks all over the place are having problems with your bounces and auto-replies to forged spam and virus sender names, and hey guess what, they are reporting them.

It's bad enough to get your own spam, doubly annoying to get someone else's too. no they are not pestering you directly, but pestering you through spamcop.

Unless you can guarantee that your auto replies are going to actual mail senders, they are abusive and someone like me will probably report them through spamcop.

From MikeE at ster.invalid Tue Sep 6 22:16:40 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Sep 7 00:20:10 2005
Subject: [SpamCop-List] Re: 2 parses, diff results - any easy way to tell which is correct?
References:
Message-ID:

JG wrote:

>www.spamcop.net/sc?id=z803780689z7686b4a2e3f5db13a11db3484f460c78z
>
> SC comes up with 195.222.62.50.

That's a mailhost parse of these lines:

Abbreviated Received lines *comment
from fed1rmgxi03.cox.net ([195.222.62.50]) by fed1rmmtai03.cox.net *bogus helo, break the chain
from ksejon.team.ba ([195.222.62.50]) by fed1rmgxi03.cox.net *bogusline
from mail.natsoft.com.my (host-77-248.team.ba [80.65.77.248] by ksejon.team.ba *bogusline
from veb.atlantis.com ([241.74.203.210]) by vtgl.atlantis.com *bogusline

Even if you parse the spam with a nonmailhost, you still get the topline as source; which is listed by SCbl, for hitting spamtraps as well as being reported by reporters.

> Another parser comes up with:
>
> 80.65.77.248

Very very very bad parse. Automated parsers make a lot of very stupid mistakes. In this case, the automated parser stupidly parsed past the first line's bogus helo. Any second grade human parser would never do that.
Rather than read what your whacky parser sed, look at one little piece of DNS information:

195.222.62.50 rDNS ksejon.team.ba

and then look back up at the topline of my abbreviation of the header at the helo which sez 195.222.62.50 is claiming to be fed1rmgxi03.cox.net

*UNLESS* we assume that cox creates noncompliant lines, which I seem to recall seeing in the past. Where cox manufactures a bogus line of its own at the top.

If someone who is familiar with cox manufacturing bogus lines at the top for the entertainment of unwary parsers, then you would reinterpret my abbreviations as follows:

Abbreviated Received lines *comment
from fed1rmgxi03.cox.net ([195.222.62.50]) by fed1rmmtai03.cox.net *bogus misleading noncompliant coxline
from ksejon.team.ba ([195.222.62.50]) by fed1rmgxi03.cox.net *real compliant coxline
from mail.natsoft.com.my (host-77-248.team.ba [80.65.77.248] by ksejon.team.ba *sourceline
from veb.atlantis.com ([241.74.203.210]) by vtgl.atlantis.com

That parse functionally discards the misleading topline, because it won't chain according to spamcop or normal human algorithms, and accepts the MX 195.222.62.50 as a team.ba server.

That would lead us to 80.65.77.248 rDNS host-77-248.team.ba which is listed all over the place as a proxified spamsource.

> I am unsure of how to interpret this - is it worth any discussion?

I'm going to have to go back to some of your other trackers to look at them and see if cox is putting in a zany header. Apparently spamcop which has a record of your mailhost doesn't want to go past the topline, but if cox handles its headers noncompliantly, and a human parser knows it, the human might be able to handle/interpret a bad cox headerline.

--
Mike Easter
kibitzer, not SC admin

From nobody at spamcop.net Tue Sep 6 22:30:24 2005
From: nobody at spamcop.net (N. Miller)
Date: Wed Sep 7 00:35:03 2005
Subject: [SpamCop-List] Re: Speaking of "spam-within-spam"...
References: <1hp1mme82mpo.dlg@news.spamcop.net> <7mn9jptxr4ax.dlg@news.spamcop.net>
Message-ID: <104qvnmrof5sc.dlg@news.spamcop.net>

On Tue, 06 Sep 2005 20:40:11 -0700, JG wrote:

> On 9/6/2005 4:30 PM N. Miller scribbled:
>> I don't know if it could have been accidental. It looks like it was sent
>> using Mozilla:
>>
>> http://www.spamcop.net/sc?id=z803752880z2cf6d3925ee6628f2ec01ede10f2ac6az
>>
>> Both Netscape 7.2 and Thunderbird 1.0.6 have a "Reply-All" button similar
>> to MS Outlook Express. I suppose that, if the guy was too upset to see
>> straight, he could have used the wrong button.

> Yup, I got it in TBird - never use it but can see how it happened. Just
> removed it in case /I/ have a brain fart.
> That's an oops...

I didn't want to SC report it because, although abusive, it came through my ISP's output servers, and it appears to have been a sender error to report it in that fashion. I suppose I should drop a dime on the SBC web form submission site...

The nice thing about Pegasus Mail is that there is only a "Reply" button; you have to explicitly choose "Include the Cc: field" in a menu box which pops up when you hit reply. If you use the default choices for the reply, you don't send to the whole "Cc:" list "on accident". The nice thing about 40tude (Dialog); the

key is for new post, and the key is for follow-up to.

--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint

From MikeE at ster.invalid Tue Sep 6 22:36:08 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Sep 7 00:40:03 2005
Subject: [SpamCop-List] Re: Spamcop blocking legitimate emails
References:
Message-ID:

Jack Cole wrote:
> Nice. About 3rd grade but nice!
>
> Ok, so I read through the text. Basically it says you must change
> the way you have been sending mail out because SpamCop can't figure
> out how to stop blocking legit mail. Hmmm, sounds a bit strange.

Speaking of 3rd grade, you don't read so well, I guess. What I posted sez you must stop manufacturing abusive mail to send to bogus Froms.

> It says we must tell all 11,000 users that they cannot use Outlook
> anymore to send Auto-Replies..

Hmm. I think we were talking about servers before, but if you are serving for OL users who are sending abusive mail to bogus Froms, then you are going to have to stop serving for that as well.

>..Hmmm, never going to happen.

Hmm. I guess your server is going to live on blocklists.

> Everyone allows Auto-replies, I use them myself all of the time.
> Because Spamcop can't fix their own system from blocking legit mail,
> why should we have to change our system. We have not changed email
> since we opened in 1996. Suddenly Spamcop comes along and says we
> must change the way we do business so they do not have to fix their
> model.

Just because you used to get away with abusing bogus Froms doesn't mean that it gets to stay that way.

> What Spamcop is doing is simply building a barrier between them and
> legit ISP's. Nothing more. Spamcop is not blocking Spam from our
> network, they are only blocking legit email.

Spam and viral propagations accepted by your server and then 'readdressed' to bogus Froms is not 'legit email'. Are you crazy?

> Yes, Spammers do forge
> return addresses.
That is correct. So our servers reject it. If rejecting were how the item were handled there wouldn't be a problem. I'm going to have to call you a liar. I hate to use words like crazy and liar, but when you start twisting the facts around it has to get nasty. Reject means that a server rejects the smtp transaction and doesn't accept it and doesn't 'turn around' and manufacture a newmail addressed to a bogus From. Rejecting 'bad' or misaddressed or any other kind of mail doesn't cause any problem for the server at all. You must not be much of a mail admin if you don't know the difference between rejecting and belatedly bouncing or misdirection bouncing or accepting and newmailing something to the From or Reply-To address. > Good, > we should. But, now with the help of Spamcop, Spammers can now shut > down networks simply by making sure a Spam trap is listed in the > email they send out. Apparently your server which you haven't named, but you have only described, is or has been listed in the spamcop blocklist for misdirected bounces or possibly for serving for misdirected autoreplies. Your server is never ever ever ever going to be listed in the spamcop blocklist no matter how many smtp transactions it rejects. It can reject every single transaction if it wants to and none of those rejections will count one pip toward the spamcop blocklist. > Isn't Spam cop supposed to help control Spam?? Why do we get 10,000+ > emails a day from aol and Yahoo...but their email keeps flowing. > When we send an autoreply back...hmmm, now our server get's blocked. > Makes you think. This par isn't about your problem. Your problem is how your server is configured. > And, get this...no other network has a problem with our mail, only > Spamcop. Spamcop isn't a network. Spamcop doesn't block mail. Your recipients are the ones who block your mail, not spamcop. 
I'm a little bit puzzled about how come I'm an amateur spam hobbyist who is having a conversation with an alleged mail admin who doesn't seem to know what he is talking about. > Funny. Nobody else sees Spam from us but Spamcop reports us > just about everyday. And...get this, we fight Spam every minute of > everyday...but Spamcop wants us as an enemy. All you have to do is fix your abusive server configuration for your server's misdirected bounces, and everything will be all right there. But then, apparently you have another problem because you allow users to send abusive autoresponders thru' your server. Normally the spamcop parsing algorithm should name the source IP behind the server as the source, but since we aren't talking about any specific servers or users or reports or anything else specific, we are spinning our wheels here talking about some imaginary problem. > What is good is that this is a known problem. So far 3 networks have > dumped Spamcop and we are waging an advertising campaign to continue > getting us whitelisted or getting receiving servers from dropping > Spamcop. Go for it. The SCbl is simply a free tool to be used or not used by anyone who wants to or doesn't want to. Also, since I think you are a liar, I don't even believe you. > Until Spamcop wakes up and starts working with ISP's, well, > then Spamcop is only in our way. Spamcop does not block Spam from > our network, only blocks legit mail. This brings up moutains of > legal issues as anyone blocking legit mail is worse than any Spammer > we know. Wait a minute, I think I see a cartooney in the distance. A cartooney is a funny allusion to something that has to do with attorney. > Ok, so far, I read the ideas posted by Spamcop. They want us to email > 11,000+ people and tell them no more outlook autoresponders. (Ok, I > have several businesses that would say Goodbye as everyone else > allows this. 
I'm not sure how you are supposed to deal with some policy of allowing users to use autoresponders to abuse bogus Froms. I do know that providers who have users who use such apps as MailWasher to send bogus bounces have had to squash that abusive practice by their users. If you have users who are spamming or propagating viruses or propagating abusive autoresponders, I guess you are just going to have to deal with them, one by one. I suggest you start with the ones which are causing the most trouble. Right now I would assume that is your own server's configuration, not your users. This is getting too long for one post. I think I'll chop this off and start another one. -- Mike Easter kibitzer, not SC admin From no at spam.invalid Tue Sep 6 22:46:27 2005 From: no at spam.invalid (Michael Wise) Date: Wed Sep 7 00:50:02 2005 Subject: [SpamCop-List] Re: Spamcop blocking legitimate emails References: Message-ID: In article , "Jack Cole" wrote: > ... > What is good is that this is a known problem. So far 3 networks have dumped > Spamcop and we are waging an advertising campaign to continue getting us > whitelisted or getting receiving servers from dropping Spamcop. Good luck with that. Your efforts would be better spent attaining some degree of competency on proper mail server admin skills. > Until > Spamcop wakes up and starts working with ISP's, well, then Spamcop is only > in our way. I'm sure the SC people and the thousands and thousands of mail admins like me who use the SC dnsbl to block spam and backscatter from incompetent ISPs (as ProvideNet appears to be) can learn to live with your scorn. > Spamcop does not block Spam from our network, only blocks legit > mail. And auto-reply to a forged address is never legit. > This brings up moutains of legal issues as anyone blocking legit mail > is worse than any Spammer we know. > > Ok, so far, I read the ideas posted by Spamcop. They want us to email > 11,000+ people and tell them no more outlook autoresponders. 
(Ok, I have > several businesses that would say Goodbye as everyone else allows this. Any provider who allows for bounces or auto-replies to forged addresses deserves what they have coming. > > Ok, so I have no control over that at all. I guess I could read each > email...about 350,000 a day and make sure it is not being autoresponded. > Some do not say autoresponder so I will hire 10-15 people that can filter > one by one. Yeah right...never going to happen. You made your bed... > I tried to call Spamcop today and only got busy signals all day. Took a > drive by Iron Ports but did not have time to talk. I will be by tomorrow > sometime so we can sit down and look at the problem. Yeah right. > > Spam cop's model needs to change and work with ISP's. We fight Spam and > monitor it constantly. Spamcop works against us and only blocks legit mail. SC's model has worked just fine for years...the mouse roar from one incompetent provider is not going to change that. You claim to host 9,000 domains and 11,000+ customers generating 350k mails/day...yet you have a web site which looks like it was done by a kid, dns servers all in the same subnet, net blocks which are not properly swip'd to you, and are completely devoid of clues when it comes to competent email practices. Three words: does not compute. Why am I not surprised you run your site with IIS 4? Geez, people actually pay you guys to provide ISP services? --Mike --Mike From MikeE at ster.invalid Tue Sep 6 22:56:05 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed Sep 7 01:00:03 2005 Subject: [SpamCop-List] Re: Spamcop blocking legitimate emails References: Message-ID: Jack Cole wrote: > Spamcop will not even furnish proof of anything. It is a problem when a server gets itself listed 'all by itself' for hitting spamtraps. When a server is listed, then all of the mail from that server is going to be 'affected' by anyone who is using the SCbl as part of their spamfighting strategy. 
It isn't an entirely wise configuration to reject mail 'simply' because it is SCbl listed, but it is a very effective method to bring attention to abusive practices of busy servers. It is spamcop's policy to not handout evidence of spamtrap hitting -- but very often SC deputies will give a clue about what is going on, such as misdirected bounces or autoresponders. But it sounds like you know all about that already. You don't need any evidence. You are just making noise. > We ask and they > won't tell us even if this is coming from one of our 9000+ domains. It doesn't matter whereall it is coming from . If you know and I know and spamcop knows and the spamtraps know and the spamreporters all know that your server is abusively serving up misdirected autoresponders and misdirected bounces, what else is there to know? Doh! > How can we control this when we do not even have proof that it is > occuring. Liar liar pants on fire. You know exactly what is occurring. Your servers and your users are guilty of abusive autoresponders and misdirected bounces. > I have asked and alls I get is the same answer...read this > page and stop sending autoresponders.... That sounds like very good advice to me. > Prove to me that we > are....show me the domain so I can shut them down and tell them to > move to another ISP. Crazy but Spamcop can't figure out how to fix > their problem so I guess we can just start turning off perfectly > legitimate customers to fix it. I'm sure it is a touchy problem about how to stop the misuse of user autoresponders. I suggest you send out an informative mail first about the problem with autoresponders. However, before you can send out an informative mail, I think you need to get a grip on the problem and understand it. As long as the mail admin doesn't understand and appreciate the problem, there isn't going to be a good solution. Maybe somebody needs a new mail admin. > Took a drive by Iron Ports but did not have time to talk. 
I will be > by tomorrow sometime so we can sit down and look at the problem. Good idea. Have a big long talk with some IronPort brass. 'Splain to them how you and your users ought to be able to send abusive email to thousands and thousands of people including spamcop reporters and spamtraps and that you think that you ought to get a bye. That ought to give the IronPort brass a big laugh. Bring some donuts and Starbucks. > Spam cop's model needs to change and work with ISP's. We fight Spam > and monitor it constantly. Spamcop works against us and only blocks > legit mail. There you go again. Spamcop doesn't block anything. You are going to have to get your facts straight if you are going to discuss this with anyone. > Please tell me how other networks have figured out telling all of > their users that they cannot send auto-replies or respond to any Spam > ever again. I see. You don't want to know how others have solve such problems. That's sorta pig-headed. -- Mike Easter kibitzer, not SC admin From JG at coks.net Tue Sep 6 23:08:48 2005 From: JG at coks.net (JG) Date: Wed Sep 7 01:10:03 2005 Subject: [SpamCop-List] Re: 2 parses, diff results - any easy way to tell which is correct? In-Reply-To: References: Message-ID: On 9/6/2005 9:16 PM Mike Easter scribbled: > JG wrote: > >>www.spamcop.net/sc?id=z803780689z7686b4a2e3f5db13a11db3484f460c78z >> >>SC comes up with 195.222.62.50. > > > That's a mailhost parse of these lines: > > Abbreviated Received lines *comment > from fed1rmgxi03.cox.net ([195.222.62.50]) by fed1rmmtai03.cox.net > *bogus helo, break the chain something in the back of my head was curious about that - it understood "from" anyway... > > Even if you parse the spam with a nonmailhost, you still get the topline > as source; which is listed by SCbl, for hitting spamtraps as well as > being reported by reporters. I wouldn't know that, but believe you... > > >> Another parser comes up with: >> >>80.65.77.248 > > > Very very very bad parse. 
Automated parsers make a lot of very stupid > mistakes. In this case, the automated parser stupidly parsed past the > first line's bogus helo. Any second grade human parser would never do > that. well, I've be held back a year - was thinking that snce both IPs were in the same neighborhood range, it would be more interesting than that... > > Rather than read what your whacky parser sed, look at one little piece > of DNS information: > > 195.222.62.50 rDNS ksejon.team.ba > > and then look back up at the topline of my abbreviation of the header at > the helo which sez 195.222.62.50 is claiming to be fed1rmgxi03.cox.net as stated, there was something there I was curious about, but couldn't finger... > > *UNLESS* we assume that cox creates noncompliant lines, which I seem to > recall seeing in the past. Where cox manufactures a bogus line of its > own at the top. I'd have no chance of even checking that out at this point - anything one could do to actually verify such - err- stuff? > > That parse functionally discards the misleading topline, because it > won't chain according to spamcop or normal human algorithms, and accepts > the MX 195.222.62.50 as a team.ba server. I'm off to google normal human algorithms... > > That would lead us to 80.65.77.248 rDNS host-77-248.team.ba which is > listed all over the place as a proxified spamsource. > and an unlikely LART target... > Thanks, Mike... From JG at coks.net Tue Sep 6 23:13:59 2005 From: JG at coks.net (JG) Date: Wed Sep 7 01:15:02 2005 Subject: [SpamCop-List] Re: Speaking of "spam-within-spam"... In-Reply-To: <104qvnmrof5sc.dlg@news.spamcop.net> References: <1hp1mme82mpo.dlg@news.spamcop.net> <7mn9jptxr4ax.dlg@news.spamcop.net> <104qvnmrof5sc.dlg@news.spamcop.net> Message-ID: On 9/6/2005 9:30 PM N. Miller scribbled: > > I didn't want to SC report it because, although abusive, it came through my > ISP's output servers, and it appears to have been a sender error to report > it in that fashion. 
I suppose I should drop a dime on the SBC web form > submission site... > > The nice thing about Pegasus Mail is that there is only a "Reply" button; > you have to explicitly choose "Include the Cc: field" in a menu box which > pops up when you hit reply. TBird has the same (now) and I'm not bothered by such a menu box... > The nice thing about 40tude (Dialog); the

key is for new post, and the > key is for follow-up to. I suppose if you're used to using hot keys, thats a plus. I've heard of 40tude but never looked at it - is that a So. Hemisphere production? just curious... From nobody at spamcop.net Wed Sep 7 00:14:26 2005 From: nobody at spamcop.net (N. Miller) Date: Wed Sep 7 02:15:03 2005 Subject: [SpamCop-List] Re: Spamcop blocking legitimate emails References: Message-ID: <1fx4mku3a83nb.dlg@news.spamcop.net> On Tue, 6 Sep 2005 20:05:03 -0700, Jack Cole wrote: > Ok, so I read through the text. Basically it says you must change the way > you have been sending mail out because SpamCop can't figure out how to stop > blocking legit mail. Hmmm, sounds a bit strange. SpamCop isn't broken, so it doesn't need fixing. > It says we must tell all 11,000 users that they cannot use Outlook anymore > to send Auto-Replies....Hmmm, never going to happen. Everyone allows > Auto-replies, I use them myself all of the time. I got some of them, plus numerous "bounces", plus MailWasher bounces, and a challenge when my yahoo.com email address was forged in a spam run one year. To the tune of over 200 messages telling me that a message, which I had never sent, couldn't be delivered. Threatened to fill up my Inbox to the point where I would not have been able to receive legitimate email to my account. So, what was I supposed to do? For my own domain, I just block such abuse up front; tough cookies for the sender. > Because Spamcop can't fix > their own system from blocking legit mail... New mail notifies to forged envelope sender email addresses are not legitimate email. > ...why should we have to change our system. Because SpamCop is not the only entity which is blocking bogus DFNs. > We have not changed email since we opened in 1996. The Internet, and SMTP service on the Internet have changed since 1996; drastically so. > Suddenly Spamcop comes along and says we must change the way we do > business so they do not have to fix their model. 
There is nothing wrong with their model; the problem is with systems which don't take into account the way email currently works. > What Spamcop is doing is simply building a barrier between them and legit > ISP's. Nothing more. Spamcop is not blocking Spam from our network, they > are only blocking legit email. Yes, Spammers do forge return addresses. > That is correct. So our servers reject it... You "bounce" it, with a new mail notice to the forged envelope sender; you are not rejecting it. If you were rejecting it, you would not be hitting spamtraps. All that you need to do is change your MX server so that it checks the RCPT TO email address against a list of valid email accounts on your system, then refuse to accept email with bad recipient email addresses. Tell the sending SMTP client that you can't accept the message; let the sending SMTP client decide how to handle it. As for auto responders, they are poison in the Internet. I will report them as abuse; I will block the severs sending them locally on my system. > Spamcop can get off their backside and fix their flawed system. How about > this idea.....maybe...just maybe...you should block SPAM. I know...a new > concept...but it would be more to what you are supposed to do. If SpamCop "fixes" what isn't broke, I will just send my abuse notifies manually, and block the messages locally. I am not alone. I am not the largest entity which will do this. The other big antispam outfit has this to say about matters: | Realtime rejection avoids the "backscatter" problem of some spam filters | which accept delivery, close the connection, and then try to return the | mail after it is determined to be spam. Of course, as we all know, most | spam and all viruses have forged sender addresses, and so the "bounce" | goes back to an innocent third party (if it is deliverable at all). 
http://www.spamhaus.org/faq/answers.lasso?section=DNSBL_Technical And as for auto responses, try this: http://www.google.com/search?q=blocking+auto+responses You are using 20th Century email techniques in the 21st Century; don't expect a lot of sympathy. -- Norman ~Win dain a lotica, En vai tu ri, Si lo ta ~Fin dein a loluca, En dragu a sei lain ~Vi fa-ru les shutai am, En riga-lint From redford_stone at INVERSE_OF_COLDmail.com Wed Sep 7 09:02:57 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Wed Sep 7 04:05:19 2005 Subject: [SpamCop-List] Re: New bulletproof hosting, uk.geocities References: Message-ID: "Ant" wrote in news:dfevo9$vfh$1@news.spamcop.net: > > You must be lucky, or listwashed. I'm still getting GeoShitties spam. > > Listwashed only if they (the spammer) found my email address systematically. (I doubt Yahoo gave it to the spammer since they did terminate the site.) From redford_stone at INVERSE_OF_COLDmail.com Wed Sep 7 09:17:44 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Wed Sep 7 04:20:02 2005 Subject: [SpamCop-List] Re: New bulletproof hosting, uk.geocities References: Message-ID: Don Wannit wrote in news:dfj44v$dmi$1@news.spamcop.net: > > > I love it. Today I sent one email to 5 yahoo email addresses, > Yahoo rejected it because it had too many recipients. They > still have rate limiting, just not at a useful point. > You should see when I use Yahoo for manual LARTs.. each time they want me to type in the letters from the image they give me. And now they have a problem with phishers? http://www.silicon.com/research/specialreports/thespamreport/0,39025001, 39152006,00.htm http://tinyurl.com/94mpu They're hosting spamming porn sites and phishers, and they want me to jump through their hoops? WTF? 
From redford_stone at INVERSE_OF_COLDmail.com Wed Sep 7 09:24:20 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Wed Sep 7 04:25:02 2005 Subject: [SpamCop-List] Re: Spamcop blocking legitimate emails References: Message-ID: "Jack Cole" wrote in news:dflld3$etm$1@news.spamcop.net: > Nice. About 3rd grade but nice! > > All this and yet does not mention a single IP address to show us. Way to go Jack. From nobody at nowhere.invalid Wed Sep 7 11:29:43 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Wed Sep 7 04:30:02 2005 Subject: [SpamCop-List] Re: New bulletproof hosting, uk.geocities References: Message-ID: On Tue, 6 Sep 2005 13:50:50 +1000, Petzl coughed into spamcop and left this in : > I personally suspect that litigation does have some input into decisions? Yahoo! is an American company. Litigation is part of everyday life over there, so yes, I'd suspect that litigation has a part to play in every business decision, be it deciding how to sue someone or organising defence just in case the decision being made causes them to be sued. -- Steve Light travels faster than sound. That is why some people appear bright until you hear them speak. From nobody at xyzzy.claranet.de Wed Sep 7 12:47:31 2005 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Wed Sep 7 05:55:19 2005 Subject: [SpamCop-List] Re: Spamcop blocking legitimate emails References: Message-ID: <431EB733.42A7@xyzzy.claranet.de> Jack Cole wrote: > Ok, so I read through the text. Good. Now for the next step, try to understand it. > Basically it says you must change the way you have been > sending mail out because SpamCop can't figure out how to > stop blocking legit mail. No, it doesn't say that, the "because" part is unrelated to the text. If it's a bogus bounce SC can figure this out, and then it's most probably not "legit". 
Yes, it does say "change the way how you've harrassed innocent bystanders" - nobody of the forged "senders" was the real sender, they are not interested in "your" spam (= spam sent to you), they don't want to know which users don't exist on your system, and if you want them to analyze "your" spam offer a salary. > It says we must tell all 11,000 users that they cannot use > Outlook anymore to send Auto-Replies Hogwash, nothing's wrong with Auto-Replies as specified in RfC 3834 if you have an SPF PASS or a similar indicator that the Return-Path might be accurate. And if you have a SPF FAIL or a similar indicator that the MAiL FROM is forged just reject the mail - while you're at it "tempfail" all other mails from the same IP, the spammer might try other bogus addresses from the same zombie. > Everyone allows Auto-replies The second millennium ended more than four years ago. Get out of this time warp or whatever it is, read RfC 3834, it is actually funny. > We have not changed email since we opened in 1996. Today about 80% of all mails are spam or spam-related crap. Bye, Frank From MikeE at ster.invalid Wed Sep 7 04:22:33 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed Sep 7 06:25:13 2005 Subject: [SpamCop-List] Re: 2 parses, diff results - any easy way to tell which is correct? References: Message-ID: Mike Easter wrote: > JG wrote: www.spamcop.net/sc?id=z803780689z7686b4a2e3f5db13a11db3484f460c78z >> >> SC comes up with 195.222.62.50. 
>
> That's a mailhost parse of these lines:
>
> Abbreviated Received lines *comment
> from fed1rmgxi03.cox.net ([195.222.62.50]) by fed1rmmtai03.cox.net
> *bogus helo, break the chain
> from ksejon.team.ba ([195.222.62.50]) by fed1rmgxi03.cox.net
> *bogusline
> from mail.natsoft.com.my (host-77-248.team.ba [80.65.77.248] by
> ksejon.team.ba *bogusline
> from veb.atlantis.com ([241.74.203.210]) by vtgl.atlantis.com
> *bogusline
>
> *UNLESS* we assume that cox creates noncompliant lines, which I seem
> to recall seeing in the past.

Cox definitely creates a noncompliant topline. Here's your old spam within spam item:

from eastrmgxi06.cox.net ([220.216.52.4]) by eastrmmtai08.cox.net
from iz004.net220216052.thn.ne.jp ([220.216.52.4]) by eastrmgxi06.cox.net.thn.ne.jp
from smtp2.nix.paypal.com (64.4.240.75) by ip04.iwana.co.uk

Notice that cox's top line is flawed. That line should be of the configuration like the 2nd line. Normal parsing would break the chain at the top line, but if we accept it even tho' it is misconstructed/ noncompliant/ because we know that the line belongs to your provider, then the 'real' top line is the 2nd line, which /is/ properly constructed.

Now that we know cox makes a noncompliant line up there and a goodline on the 2nd line, we should /always/ disregard the topline and start with the 2nd line.

> Where cox manufactures a bogus line of
> its own at the top. If someone who is familiar with cox
> manufacturing bogus lines at the top for the entertainment of unwary
> parsers, then you would reinterpret my abbreviations as follows:
>
> Abbreviated Received lines *comment
> from fed1rmgxi03.cox.net ([195.222.62.50]) by fed1rmmtai03.cox.net
> *bogus misleading noncompliant coxline
> from ksejon.team.ba ([195.222.62.50]) by fed1rmgxi03.cox.net *real
> compliant coxline
> from mail.natsoft.com.my (host-77-248.team.ba [80.65.77.248] by
> ksejon.team.ba *sourceline
> from veb.atlantis.com ([241.74.203.210]) by vtgl.atlantis.com
>
> That parse functionally discards the misleading topline, because it
> won't chain according to spamcop or normal human algorithms, and
> accepts the MX 195.222.62.50 as a team.ba server.
>
> That would lead us to 80.65.77.248 rDNS host-77-248.team.ba which is
> listed all over the place as a proxified spamsource.

So, my re-analysis is to agree with the outside parser's results and to disagree with the spamcop results which were to name the team.ba server. The team.ba user should be named as the source.

The reason SC makes the error is because your mailhost has changed. The reason SC makes the error on a non-mailhosted parse is because cox's topline is broken/ flawed/ noncompliant.

You have a problem. You need to change your mailhost configuration. It used to be eastrmmtai08.cox.net and now it is fed1rmmtai03.cox.net -- or rather you need to add fed1rmmtai03.cox.net

Also cox has a problem with that stupid topline.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Wed Sep 7 05:09:30 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Sep 7 07:10:03 2005
Subject: [SpamCop-List] Re: 2 parses, diff results - any easy way to tell which is correct?
References:
Message-ID:

JG wrote:

www.spamcop.net/sc?id=z803780689z7686b4a2e3f5db13a11db3484f460c78z
>
> SC comes up with 195.222.62.50. Looking at the SC routing results, I
> see:

SC names the server for your mailhosted account because your mailhost is different and SC doesn't recognize it. SC names the server for a nonmailhosted parse because your mailhost has a screwed up topline.

> quote:
> Reports routes for 195.222.62.50:

I'm not going to bother with last year's discussion by the Bosnian admin, but the server is currently listed, and your report should've named the user behind the server instead of the server.

> Granted, that is a year ago. Another parser comes up with:

This turns out to be a correct result from an incompetent parser. Any righteous parsing should break the chain at the topline, because it is a bad line. But the incompetent autoparser fails to recognize that, but we can't see the actual line here.

> 80.65.77.248
>
> quote:
> Parsing:
> Sender (or dispatching mailserver) IP:195.222.62.50
> He/she/it has said to be :ksejon.team.ba
> Receiving mailserver [by]:fed1rmgxi03.cox.net
> The trusting level of this Received line: is 25% */No, I don't have
> the knowledge of the basis of this % calculation*/

So, that parser decides to trust the top line 25%. That is very weird. Also, notice that in some 'English as a second language' terms it looks like it is saying that the helo was ksejon.team.ba, which means that it isn't looking at the topline, where the helo is actually the cox server.

What is going on with this parse? How come it isn't looking at the flakey topline? If you've removed some lines from pasting this parser's work, things are going to get very confusing.

> **********
> Parsing:
> Sender (or dispatching mailserver) IP:80.65.77.248
> He/she/it has said to be :mail.natsoft.com.my
> Receiving mailserver [by]:ksejon.team.ba
> The trusting level of this Received line: is 100%

I can understand that this funky parser might like a line that looks like an MX server handling an item from its user.
> **********
> Parsing:
> Sender (or dispatching mailserver) IP:241.74.203.210
> He/she/it has said to be :veb.atlantis.com
> Receiving mailserver [by]:vtgl.atlantis.com
> For e-mail:
> 241.74.203.210 is a IANA reserved address, skipping analysis

In this case the little parser is helped out by an IANA reserved, so it is 'stuck with' the correct IP - but it really isn't a good parse.

> 80.65.77.248 is the last valid ip, probably the spammer?
> unquote...
>
> I am unsure of how to interpret this - is it worth any discussion?

Overall it is worth discussion because you need to fix your mailhost, it is worth discussion because whenever we mess with your headers, I'm going to have to decapitate your Received lines when I run it thru' a non-mailhosted parse because your provider puts a badline at the top.

Here is a 'proper' nonmailhosted tracker, after removing your provider's flakey topline. SC gets it right.

www.spamcop.net/sc?id=z803871058za940515b24c28b1e891737e11f2bd168z

Report Spam to:
Re: 80.65.77.248 (Administrator of network where email originates)
To: support@bih.net.ba (Notes)

--
Mike Easter
kibitzer, not SC admin

From nstrom at ananzi.co.za Wed Sep 7 08:22:28 2005
From: nstrom at ananzi.co.za (Nathan Strom)
Date: Wed Sep 7 07:25:04 2005
Subject: [SpamCop-List] villagevoice.com redirector
Message-ID:

Another spammer-abused redirector that's not known to Spamcop:

http://villagevoice.com/generic/act_headlinedirect.php?title=light+fascinate+how+sandwich+&url=%68%74%74%70%3A%2F%2Fptw.%65ggs%61%72e%79%65l%6Cow%2ecom

forwards to http://ptw.eggsareyellow.com (or whatever is in the url= parameter)

Hope this helps.
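[Added example, not part of Nathan Strom's post or of SpamCop's code: a small Python routine that pulls the real destination out of a redirector link like the one reported above, so that a report can name the landing host. The function names and the "needless escape" count are assumptions made for this illustration; the second URL in the usage note is constructed.]

```python
import re
import string
from urllib.parse import urlsplit, unquote

# The redirector link exactly as quoted in the post above.
REPORTED = ("http://villagevoice.com/generic/act_headlinedirect.php"
            "?title=light+fascinate+how+sandwich+"
            "&url=%68%74%74%70%3A%2F%2Fptw.%65ggs%61%72e%79%65l%6Cow%2ecom")

# RFC 3986 "unreserved" characters never need percent-encoding, so escaping
# them serves no purpose except hiding the text from simple URL matching.
UNRESERVED = set(string.ascii_letters + string.digits + "-._~")
ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")


def needless_escapes(raw):
    """Count %XX escapes in raw that encode characters needing no escape."""
    return sum(1 for h in ESCAPE.findall(raw) if chr(int(h, 16)) in UNRESERVED)


def fully_decode(raw, max_rounds=5):
    """Percent-decode repeatedly until stable; return (text, layers removed)."""
    value, layers = raw, 0
    while layers < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, layers = decoded, layers + 1
    return value, layers


def embedded_targets(url):
    """List query parameters whose decoded value is itself an http(s) URL."""
    parts = urlsplit(url)
    outer = (parts.hostname or "").lower()
    findings = []
    for pair in parts.query.split("&"):
        name, _, raw = pair.partition("=")
        # '+' means space in form-encoded query strings.
        target, layers = fully_decode(raw.replace("+", " "))
        inner = urlsplit(target.strip())
        if inner.scheme.lower() not in ("http", "https") or not inner.hostname:
            continue  # ordinary parameter such as title=
        host = inner.hostname.lower()
        findings.append({
            "param": name,
            "target": target.strip(),
            "host": host,
            # True when the link leaves the redirector's own site.
            "off_site": host != outer and not host.endswith("." + outer),
            "layers": layers,
            "needless_escapes": needless_escapes(raw),
        })
    return findings


if __name__ == "__main__":
    for f in embedded_targets(REPORTED):
        print(f)
```

[Run on the reported link it finds one off-site target in url=, with eleven escapes that hide ordinary letters and a dot; a link that was encoded twice is unwrapped the same way.]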
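[Added example, not part of the thread and not SpamCop's parser: a simplified Python walk of the abbreviated Received lines from Mike Easter's two replies above, showing why the parse names 195.222.62.50 with the provider's top line in place and 80.65.77.248 once that line is removed. The trust rule (continue past a hop only when its HELO matches its rDNS) is an assumption made for this sketch, and the rDNS table is an offline stand-in built from the two lookups quoted in the thread.]

```python
import ipaddress
import re

# Abbreviated Received lines as quoted in the thread, top line first.
RECEIVED = [
    "from fed1rmgxi03.cox.net ([195.222.62.50]) by fed1rmmtai03.cox.net",
    "from ksejon.team.ba ([195.222.62.50]) by fed1rmgxi03.cox.net",
    "from mail.natsoft.com.my (host-77-248.team.ba [80.65.77.248] by ksejon.team.ba",
    "from veb.atlantis.com ([241.74.203.210]) by vtgl.atlantis.com",
]

# Offline stand-in for reverse DNS, using the rDNS results given in the thread.
RDNS = {
    "195.222.62.50": "ksejon.team.ba",
    "80.65.77.248": "host-77-248.team.ba",
}

# "from HELO ([IP]) by HOST" or "from HELO (name [IP]) by HOST"; the closing
# parenthesis is optional because one quoted line lacks it.
HOP = re.compile(r"from\s+(?P<helo>\S+)\s+\((?:(?P<claimed>[\w.-]+)\s+)?"
                 r"\[(?P<ip>[\d.]+)\]\)?\s+by\s+(?P<by>\S+)")


def parse_hop(line):
    m = HOP.search(line)
    if m is None:
        raise ValueError("unrecognised Received line: " + line)
    return m.groupdict()


def unroutable(ip):
    """True for reserved/private/loopback space, e.g. the IANA-reserved 241/8."""
    addr = ipaddress.ip_address(ip)
    return addr.is_reserved or addr.is_private or addr.is_loopback


def trace_source(received, mailhosts, rdns=RDNS):
    """Walk the lines top-down and return (source_ip, notes).

    A line is believed only if its 'by' host is trusted. The IP it records
    becomes the source so far. The walk continues to the next line only when
    that IP's HELO agrees with its rDNS, i.e. it looks like a real relay.
    """
    trusted = {h.lower() for h in mailhosts}
    source, notes = None, []
    for n, line in enumerate(received, 1):
        hop = parse_hop(line)
        ip, helo, by = hop["ip"], hop["helo"].lower(), hop["by"].lower()
        if by not in trusted:
            notes.append(f"line {n}: written by untrusted {by}, chain ends")
            break
        if unroutable(ip):
            notes.append(f"line {n}: {ip} is not routable, line is forged")
            break
        source = ip
        real = rdns.get(ip)
        if real != helo:
            notes.append(f"line {n}: {ip} said '{helo}' but resolves to "
                         f"{real}: bogus helo, chain ends")
            break
        trusted = {helo}  # believe the next line only if this relay wrote it
        notes.append(f"line {n}: {ip} is relay {helo}, continuing")
    return source, notes


if __name__ == "__main__":
    # Headers as received, trusting only the recipient's current mailhost.
    print(trace_source(RECEIVED, {"fed1rmmtai03.cox.net"}))
    # Provider's top line removed, trusting the host that wrote line 2.
    print(trace_source(RECEIVED[1:], {"fed1rmgxi03.cox.net"}))
```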
From MikeE at ster.invalid Wed Sep 7 05:53:58 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed Sep 7 07:55:08 2005 Subject: [SpamCop-List] Re: AOL Bouncing Our Mail References: <1sjth1t102oep96qaa237dsqv4h3a6dj9l@4ax.com> Message-ID: SpamCop Admin wrote: > AOL users are starting to report that our responses to their email > spam submissions are bouncing. That sounds funny -- that the would-be recipient would be reporting the 'bounce' to the sender. You would think the would-be recipient would be reporting that they weren't getting the response. By your saying it that way, I guess that means that the spamcop sender can't get the 'bounce' [bounce is such an ambiguous word] - that is the failed delivery information? If an AOLer submits a spam, then I would think the spamcop response to that submission should contain headers that look in part like this: Return-Path: Received: from vmx1.spamcop.net ([204.15.82.27]) by Received: from sc-app6.ironport.com (HELO spamcop.net) (204.15.82.25) by vmx1.spamcop.net with SMTP; 07 Sep 2005 02:56:35 -0700 From: SpamCop So, how does AOL bounce that spamcop mail? To the Return-Path? The From? Does it simply reject the transaction? What? If it rejected the transaction, you wouldn't need the report from the non-recipient, you would know the item had been rejected. -- Mike Easter kibitzer, not SC admin From anthony.edwards at uk.easynet.net Wed Sep 7 13:07:06 2005 From: anthony.edwards at uk.easynet.net (Anthony Edwards) Date: Wed Sep 7 08:10:04 2005 Subject: [SpamCop-List] Re: AOL Bouncing Our Mail References: <1sjth1t102oep96qaa237dsqv4h3a6dj9l@4ax.com> Message-ID: On Wed, 07 Sep 2005 05:31:58 -0600, SpamCop Admin wrote: > AOL users are starting to report that our responses to their email > spam submissions are bouncing. > > It's due to our recent change in server IPs. Possibly, possibly not. 
They are similarly bouncing email we are attempting to send to a corporate customer whose sole contact address is @aol.com with the following error message: http://postmaster.info.aol.com/errors/554hvub1.html Which means: * 554 HVU:B1 http://postmaster.info.aol.com/errors/554hvub1.html EXPLANATION: There is at least one URL in your email that is generating substantial complaints from AOL members. The two URLs which are common in all of the attempts so far (we are progressively editing to remove URLs) are: http://www.spamcop.net/sc?* (a link to an example Unsolicited Bulk Email reported via your service) And: http://www.uk.easynet.net/legal/acceptable.asp My guess would be that, for whatever reason, AOL are currently blocking all mail with URLs containing "http://www.spamcop.net/". -- Anthony Edwards * anthony.edwards@uk.easynet.net Abuse Team Manager * Tel: 0800 053 0588 Easynet Ltd * DDI: 0161 227 0707 http://www.uk.easynet.net * Fax: 0845 333 4503 From anthony.edwards at uk.easynet.net Wed Sep 7 13:14:56 2005 From: anthony.edwards at uk.easynet.net (Anthony Edwards) Date: Wed Sep 7 08:15:07 2005 Subject: [SpamCop-List] Re: AOL Bouncing Our Mail References: <1sjth1t102oep96qaa237dsqv4h3a6dj9l@4ax.com> Message-ID: On Wed, 7 Sep 2005 12:07:06 +0000 (UTC), Anthony Edwards wrote: > My guess would be that, for whatever reason, AOL are currently blocking > all mail with URLs containing "http://www.spamcop.net/". Further to this, I have just re-sent the email in question, this time removing the included "http://www.spamcop.net/sc?*" URL from the body text of the email in question. No rejection message this time from AOL and it therefore appears that both this latest transmission attempt has been accepted, and that my hypothesis above is likely to be correct. 
-- 
Anthony Edwards * anthony.edwards@uk.easynet.net
Abuse Team Manager * Tel: 0800 053 0588
Easynet Ltd * DDI: 0161 227 0707
http://www.uk.easynet.net * Fax: 0845 333 4503

From nobody at devnull.spamcop.net Wed Sep 7 09:31:00 2005
From: nobody at devnull.spamcop.net (Pop)
Date: Wed Sep 7 08:35:03 2005
Subject: [SpamCop-List] Re: Spamcop blocking legitimate emails
References:
Message-ID:

"Mike Easter" wrote in message news:dflrt1$ji0$1@news.spamcop.net...
: Jack Cole wrote:
:
: > Spamcop will not even furnish proof of anything.
:
: It is a problem when a server gets itself listed 'all by itself' for
: hitting spamtraps. When a server is listed, then all of the mail from
...

I respectfully submit that it's time to let this troll suffer the consequences of his actions which will either be nothing because he's simply a spanked spammer, or to lose all connectivity usage because of all the blocklists/blacklists it'll end up on. IFF there's any truth in that BS it won't take long and communications will be forced to stop.

Pop

From kenbrody at spamcop.net Wed Sep 7 10:57:10 2005
From: kenbrody at spamcop.net (Kenneth Brody)
Date: Wed Sep 7 10:25:07 2005
Subject: [SpamCop-List] Re: Spamcop blocking legitimate emails (Backscatter)
References:
Message-ID: <431EF1B6.3EF880F6@spamcop.net>

Larry Kilgallen wrote:
>
> In article , "Jack Cole"
> writes:
[...]
> > Spamcop will not even furnish proof of anything.
>
> Spamcop sends reports for every piece of spam I file. You or your
> upstream apparently are not reading them.

Hits on spamtraps are kept secret, however, as by definition spamtrap addresses must not be used on anything except the trap.

-- 
+-------------------------+--------------------+-----------------------------+
| Kenneth J.
Brody | www.hvcomputer.com | |
| kenbrody/at\spamcop.net | www.fptech.com | #include |
+-------------------------+--------------------+-----------------------------+
Don't e-mail me at:

From MikeE at ster.invalid Wed Sep 7 08:29:09 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Sep 7 10:30:03 2005
Subject: [SpamCop-List] Re: Spamcop blocking legitimate emails
References:
Message-ID:

Pop wrote:

> I respectfully submit that it's time to let this troll suffer the
> consequences of his actions which will either be nothing because
> he's simply a spanked spammer, or to lose all connectivity usage
> because of all the blocklists/blacklists it'll end up on. IFF
> there's any truth in that BS it won't take long and
> communications will be forced to stop.

Well, there /is/ a discussion issue that makes it something other than 'spammer troll'.

It is true that it is very problematic when a server gets itself listed, because SC is designed to list user IPs which are behind the server, and not the server.

It is also true that 'originally' spamcop was designed for the reporting of spam per se, and there were rules against reporting other unwanted mail, including misdirected bounces and autoresponders.

It is also true that the most common configuration of many many many servers was to accept mails and then be unable to deliver them and then have to do something with them and then that something was to email the From or Return-Path.

It is also true that it is problematic about what to do with those accepted mails.

It is also true that the admin of a server which is hitting spamtraps all by itself isn't going to even get a notify, either of a spamreport or of being SC blocklisted.
So, you can see how 'traditional' server behavior encountering 'modern day' spamcop behavior and becoming 'secretly' blocklisted, like some kind of 'star chamber' assassination or termination of the server's functionality vis those who are using the SCbl to block or reject would be very unsettling if it meant that all of a sudden many many mails would start bouncing.

That's enough to make a mail admin upset.

I'm not completely convinced we are dealing with a mail admin here, whatever he might want to call himself.

But, I agree there's a problem there, ie misdirected bounces and autoacks. And the problem is going to have to be solved by someone who is competent to understand the problem and to develop a satisfactory configuration and policy for the answer. That might not be our poster here.

-- 
Mike Easter
kibitzer, not SC admin

From Kilgallen at SpamCop.net Wed Sep 7 11:02:12 2005
From: Kilgallen at SpamCop.net (Larry Kilgallen)
Date: Wed Sep 7 11:05:03 2005
Subject: [SpamCop-List] Re: Spamcop blocking legitimate emails (Backscatter)
References: <431EF1B6.3EF880F6@spamcop.net>
Message-ID:

In article <431EF1B6.3EF880F6@spamcop.net>, Kenneth Brody writes:
> Larry Kilgallen wrote:
>>
>> In article , "Jack Cole"
>> writes:
> [...]
>> > Spamcop will not even furnish proof of anything.
>>
>> Spamcop sends reports for every piece of spam I file. You or your
>> upstream apparently are not reading them.
>
> Hits on spamtraps are kept secret, however, as by definition spamtrap
> addresses must not be used on anything except the trap.

I find it hard to believe that this admitted backscatter operator receives _only_ spam whose "From:" addresses are Spamcop spamtraps.

I find it easy to believe that someone with this level of naivete has no idea who would receive SpamCop reports for his IP address.

From dwvbo91q4001 at sneakemail.com Wed Sep 7 16:37:20 2005
From: dwvbo91q4001 at sneakemail.com (Tim P.)
Date: Wed Sep 7 11:40:16 2005
Subject: [SpamCop-List] Re: SPamcop clocking legitimate emails
References:
Message-ID:

"Jack Cole" wrote in news:dfkho4$kkm$1@news.spamcop.net:

> Need a show of hands.

NNTP-Posting-Host: adsl-68-123-188-238.dsl.sntc01.pacbell.net

>
> Thank you
> Jack Cole
> ProvideNet Communications
>
>

Why does a "clued" Admin not post from his own netspace?

-- 
Tim P
Very content SpamCop Subscriber since 4/2002

From JG at coks.net Wed Sep 7 10:39:08 2005
From: JG at coks.net (JG)
Date: Wed Sep 7 12:40:14 2005
Subject: [SpamCop-List] Re: 2 parses, diff results - any easy way to tell which is correct?
In-Reply-To:
References:
Message-ID:

On 9/7/2005 3:22 AM Mike Easter scribbled:
> You have a problem. You need to change your mailhost configuration. It
> used to be eastrmmtai08.cox.net and now it is fed1rmmtai03.cox.net --
> or rather you need to add fed1rmmtai03.cox.net

lakertmmai04 is my current host - don't think I can add with only a single address, if I am reading the support pages correctly, which is not too enlightening.
I'll keep looking...

From MikeE at ster.invalid Wed Sep 7 10:45:44 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Sep 7 12:50:03 2005
Subject: [SpamCop-List] Re: 2 parses, diff results - any easy way to tell which is correct?
References:
Message-ID:

JG wrote:
>Mike Easter scribbled:
>> You have a problem. You need to change your mailhost configuration.
>> It used to be eastrmmtai08.cox.net and now it is
>> fed1rmmtai03.cox.net -- or rather you need to add
>> fed1rmmtai03.cox.net
>
>
> lakertmmai04 is my current host - don't think I can add with only a
> single address, if I am reading the support pages correctly, which is
> not too enlightening.
> I'll keep looking...

Ellen sez:

>>
If you have problems with mailhosts -- 1) registering new hosts; 2) returning probes; 3) spam parses or other issues you may post in this forum.
However other than very general responses I will need you to write to deputies admin.spamcop.net with "mailhosts" in the subject line. In the body of the email describe your problem, include your registered SpamCop email address and if the issue involves a parse you must include a report number or a tracking url. You can include the snippet from the parse that concerns you but without a report number or a tracking url I will not be able to look at the issue. Do not include the spam because I cannot parse your spam.

Julian continues to squish bugs and to write code to make the system more accurate and easier to use. Yes it is a bit mind boggling if you have many email addresses at different ISPs/hosting companies but the good news is that once it is done, it is done.

Thanks for your patience, persistence and help!
>>

-- 
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Wed Sep 7 12:53:26 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Wed Sep 7 12:55:02 2005
Subject: [SpamCop-List] Re: 2 parses, diff results - any easy way to tell which is correct?
References:
Message-ID:

"JG" wrote in message news:dfn4vu$bqp$1@news.spamcop.net...
> On 9/7/2005 3:22 AM Mike Easter scribbled:
> > You have a problem. You need to change your mailhost configuration. It
> > used to be eastrmmtai08.cox.net and now it is fed1rmmtai03.cox.net --
> > or rather you need to add fed1rmmtai03.cox.net
>
> lakertmmai04 is my current host - don't think I can add with only a
> single address, if I am reading the support pages correctly, which is
> not too enlightening.

And I can't quite deduce what you are saying there. Adding a "Host" is usually a pretty straight forward action. Where it gets confusing is in the "name" of the Host that shows up ... caused by the use of a "shared" database, such that the first person in "named" a Host, and unless it was 'touched' by one of the Deputies, that's the name from then on.
Per the Pinned entries by Julian and Ellen in the Forum, it's what happens with the parsing after adding/changing your hosts that is critical. If the parsing works, march on ... if there are errors, no reporting until problems are resolved.

From big_mart_98 at yahoo.com Wed Sep 7 19:28:32 2005
From: big_mart_98 at yahoo.com (Martin Edwards)
Date: Wed Sep 7 13:30:03 2005
Subject: [SpamCop-List] Re: Spamcop blocking legitimate emails
In-Reply-To:
References:
Message-ID:

Berny wrote:
> "Jack Cole" wrote in message
> news:dflld3$etm$1@news.spamcop.net...
>
>>Nice. About 3rd grade but nice!
>>
>>Ok, so I read through the text. Basically it says you must change the way
>>you have been sending mail out because SpamCop can't figure out how to
>
> stop
>
>>blocking legit mail. Hmmm, sounds a bit strange.
>>
>>RANT SNIPPED
>
>
> Get your facts straight, Spamcop users, who are using ISP's or corporate
> networks all over the place are having problems with your bounces and
> auto-replies to forged spam and virus sender names, and hey guess what, they
> are reporting them. It's bad enough to get your own spam, doubly annoying
> to get someone else's too. no they are not pestering you directly, but
> pestering you through spamcop. Unless you can guarantee that your auto
> replies are going to actual mail senders, they are abusive and someone like
> me will probably report them through spamcop.
>
>

Dead right. They are a real pisser.

From kenbrody at spamcop.net Wed Sep 7 14:52:39 2005
From: kenbrody at spamcop.net (Kenneth Brody)
Date: Wed Sep 7 16:25:03 2005
Subject: [SpamCop-List] Re: Spamcop blocking legitimate emails (Backscatter)
References: <431EF1B6.3EF880F6@spamcop.net>
Message-ID: <431F28E7.5D040BA1@spamcop.net>

Larry Kilgallen wrote:
>
> In article <431EF1B6.3EF880F6@spamcop.net>, Kenneth Brody writes:
> > Larry Kilgallen wrote:
> >>
> >> In article , "Jack Cole"
> >> writes:
> > [...]
> >> > Spamcop will not even furnish proof of anything.
> >>
> >> Spamcop sends reports for every piece of spam I file. You or your
> >> upstream apparently are not reading them.
> >
> > Hits on spamtraps are kept secret, however, as by definition spamtrap
> > addresses must not be used on anything except the trap.
>
> I find it hard to believe that this admitted backscatter operator
> receives _only_ spam whose "From:" addresses are Spamcop spamtraps.
>
> I find it easy to believe that someone with this level of naivete
> has no idea who would receive SpamCop reports for his IP address.

True, and unless/until he posts either the IP being blocked (by the recipient, not by SpamCop, of course), or gives us the text of a failure message, we're only guessing.

-- 
+-------------------------+--------------------+-----------------------------+
| Kenneth J. Brody        | www.hvcomputer.com |                             |
| kenbrody/at\spamcop.net | www.fptech.com     | #include                    |
+-------------------------+--------------------+-----------------------------+
Don't e-mail me at:

From MikeE at ster.invalid Wed Sep 7 14:31:45 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Sep 7 16:35:25 2005
Subject: [SpamCop-List] Re: Spamcop blocking legitimate emails (Backscatter)
References: <431EF1B6.3EF880F6@spamcop.net> <431F28E7.5D040BA1@spamcop.net>
Message-ID:

Kenneth Brody wrote:

> True, and unless/until he posts either the IP being blocked (by the
> recipient, not by SpamCop, of course), or gives us the text of a
> failure message, we're only guessing.

He's calling himself pridenet 198.144.197.25 rDNS mail.providenet.com

198.144.197.25 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 19 hours.
Causes of listing
System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)
System administrator has already delisted this system once

Because of the above problems, express-delisting is not available

Listing History
In the past 137.1 days, it has been listed 19 times for a total of 15.0 days

-- 
Mike Easter
kibitzer, not SC admin

From 79ytka802 at sneakemail.com Wed Sep 7 23:05:58 2005
From: 79ytka802 at sneakemail.com (Aviatrix)
Date: Wed Sep 7 17:10:04 2005
Subject: [SpamCop-List] Quote of the year?
Message-ID:

Just had the following from one of my ISPs:

Quote:

------------
Dear Customer,

We cannot help getting blocked by SpamCop.

It's by people abusing our WebMail system, and sending Spam to people, that SpamCop clamp down on our Servers.

We have a constant battle with SpamCop against blocking our Servers.

Our Abuse Team is investigating the matter, and aims to resolve the issue soon.
------------

How clueless can you get?

From bill_beyer at excite.cXoYmZ Wed Sep 7 16:45:52 2005
From: bill_beyer at excite.cXoYmZ (Bill Beyer)
Date: Wed Sep 7 18:40:36 2005
Subject: [SpamCop-List] Re: Quote of the year?
References:
Message-ID:

"Aviatrix" <79ytka802@sneakemail.com> wrote in message news:dfnknj$l6c$1@news.spamcop.net...
> Just had the following from one of my ISPs:
>
>
> Quote:
>
> ------------
> Dear Customer,
>
> We cannot help getting blocked by SpamCop.
>
> It's by people abusing our WebMail system, and sending Spam to people,
> that SpamCop clamp down on our Servers.
>
> We have a constant battle with SpamCop against blocking our Servers.
>
> Our Abuse Team is investigating the matter, and aims to resolve the
> issue soon.
> ------------
>
> How clueless can you get?
See the thread titled "Spamcop blocking legitimate emails"

From redford_stone at INVERSE_OF_COLDmail.com Thu Sep 8 00:19:05 2005
From: redford_stone at INVERSE_OF_COLDmail.com (Redstone)
Date: Wed Sep 7 19:20:02 2005
Subject: [SpamCop-List] Re: SPamcop clocking legitimate emails
References:
Message-ID:

"Tim P." wrote in news:Xns96CA6C18B828Bdwvbo91q4001sneakema@216.154.195.61:

>
>>
>
> Why does a "clued" Admin not post from his own netspace?
>

His netspace is probably (likely) listed in other BLs (i.e. Spamhaus, SPEWS, etc.)

From MikeE at ster.invalid Wed Sep 7 17:25:04 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Sep 7 19:25:02 2005
Subject: [SpamCop-List] Re: SPamcop clocking legitimate emails
References:
Message-ID:

Redstone wrote:

> His netspace is probably (likely) listed in other BLs (i.e. Spamhaus,
> SPEWS, etc.)

Actually the server I posted about isn't listed anywhere significant but SC.

-- 
Mike Easter
kibitzer, not SC admin

From panoptes at iquest.net Wed Sep 7 19:41:07 2005
From: panoptes at iquest.net (Daniel W. Johnson)
Date: Wed Sep 7 19:45:03 2005
Subject: [SpamCop-List] Re: 2 parses, diff results - any easy way to tell which is correct?
References:
Message-ID: <1h2j7cl.1wg194begtcbqN%panoptes@iquest.net>

JG wrote:

> lakertmmai04 is my current host - don't think I can add with only a
> single address, if I am reading the support pages correctly, which is
> not too enlightening.

What do you mean by "add with only a single address"? The only interpretation I can come up with for that phrase is exactly the way most people set up mailhosts (and the way I told SpamCop about a new MX server at my provider).

Is there some sort of complicated forwarding at that provider (e.g., going through two distinct domains behind the scenes)? If not, you should be able to go to the Mailhosts tab, note the "Mailhost name" for cox.net (or whatever), click Add new hosts, enter the relevant email address and the existing Mailhost name, and proceed from there.
-- 
Daniel W. Johnson
panoptes@iquest.net
http://members.iquest.net/~panoptes/
039 53 36 N / 086 11 55 W

From JG at coks.net Wed Sep 7 18:23:40 2005
From: JG at coks.net (JG)
Date: Wed Sep 7 20:25:28 2005
Subject: [SpamCop-List] Re: 2 parses, diff results - any easy way to tell which is correct?
In-Reply-To: <1h2j7cl.1wg194begtcbqN%panoptes@iquest.net>
References: <1h2j7cl.1wg194begtcbqN%panoptes@iquest.net>
Message-ID:

On 9/7/2005 4:41 PM Daniel W. Johnson scribbled:
> JG wrote:
>
> What do you mean by "add with only a single address"? The only
> interpretation I can come up with for that phrase is exactly the way
> most people set up mailhosts (and the way I told SpamCop about a new MX
> server at my provider).

Mike implied I should /add/ a host

What I mean is that I don't know if I can have more than 1 host per single email address - guess best way is to try...

> Is there some sort of complicated forwarding at that provider (e.g.,
> going through two distinct domains behind the scenes)? If not, you
> should be able to go to the Mailhosts tab, note the "Mailhost name" for
> cox.net (or whatever), click Add new hosts, enter the relevant email
> address and the existing Mailhost name, and proceed from there.

From JG at coks.net Wed Sep 7 18:33:34 2005
From: JG at coks.net (JG)
Date: Wed Sep 7 20:35:03 2005
Subject: [SpamCop-List] Re: 2 parses, diff results - any easy way to tell which is correct?
In-Reply-To:
References:
Message-ID:

On 9/7/2005 9:39 AM JG scribbled:
> On 9/7/2005 3:22 AM Mike Easter scribbled:
>
>>You have a problem. You need to change your mailhost configuration. It
>>used to be eastrmmtai08.cox.net and now it is fed1rmmtai03.cox.net --
>>or rather you need to add fed1rmmtai03.cox.net
>
>
>
> lakertmmai04 is my current host - don't think I can add with only a
> single address, if I am reading the support pages correctly, which is
> not too enlightening.
> I'll keep looking...
I went and clicked "add new hosts", followed the dots, and ended up with same mail host. Effectively did nothing, I suppose. So with Mike suggesting I "add" a different host name, I don't comprehend how to do so - it seems fully auto.

I /now/ will try and select the name Mike suggested from the drop down list for cox...

From JG at coks.net Wed Sep 7 18:38:30 2005
From: JG at coks.net (JG)
Date: Wed Sep 7 20:40:14 2005
Subject: [SpamCop-List] Re: 2 parses, diff results - any easy way to tell which is correct?
In-Reply-To:
References:
Message-ID:

On 9/7/2005 3:22 AM Mike Easter scribbled:
>
> You have a problem. You need to change your mailhost configuration. It
> used to be eastrmmtai08.cox.net

No it /didn't/ used to be that

and now it is fed1rmmtai03.cox.net --
> or rather you need to add fed1rmmtai03.cox.net

That may be so, tried once to change via drop down menu and it didn't take. Went to add new host and auto process came up with same name, not fed1rmmtai03.

I'll get lectured here, what with dupe info here in several responses - let's see what answers come in before I go to admin...

From MikeE at ster.invalid Wed Sep 7 18:55:36 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Sep 7 21:00:04 2005
Subject: [SpamCop-List] Re: 2 parses, diff results - any easy way to tell which is correct?
References: <1h2j7cl.1wg194begtcbqN%panoptes@iquest.net>
Message-ID:

JG wrote:

> Mike implied I should /add/ a host

I've never done it, but I can look at my mailhost configuration for an address and see all of my mailhosts and see a link that sez 'Add new hosts' -- but that function doesn't seem to enable me to add a server's name, it seems to want to talk about an additional or different server's name. So, I don't think 'add new host' is the way to add a new mailserver to an existing host configuration. Maybe it isn't user configurable.

It seems to me that my mailhost EL has a lot more servers listed than I listed when I was configuring the mailhost.
It has 23 servers listed and 34 different IPs -- so apparently the EL server's information was contributed to by more people than myself.

I confess that there's a lot I don't know about how a user can go about reconfiguring their mailhost. It seems to me that generally deputies step up and make changes in a mailhost. That's why I posted Ellen's missive.

> What I mean is that I don't know if I can have more than 1 host per
> single email address - guess best way is to try...

-- 
Mike Easter
kibitzer, not SC admin

From Nobody at SpamCop.net.dev.null Wed Sep 7 20:56:25 2005
From: Nobody at SpamCop.net.dev.null (Michael Brennan)
Date: Wed Sep 7 21:05:05 2005
Subject: [SpamCop-List] Re: What's the point?
References:
Message-ID: <431F8C39.393BEB74@SpamCop.net.dev.null>

Doug Thegarden wrote:
>
> Bill Beyer wrote:
> >
> > Just recently however I've noticed that the URL format for some of the
> > spamvertised sites has changed. Many of the sites now look like this:
> > http://www.sonicaurora.info/maturewishes.html?n_nbyylr.ljcvv,hvx . It
> > doesn't take a genius to figure out that n_nbyylr.ljcvv,hvx is a coded
> > version of my email address, x_xxxxxx@yahoo.com . l = y, j = a, c = h v =
> > o, etc. The "." is used for @ and "," is used for "."
> >
>
> Code a few choice addresses, substitute them and click the link ;-)
>
> Doug

Oooo. Like the way you think. I'm getting a few of those, too. And my volume just stepped up -- think I've been selected for extra "credit line" phish traffic. Okay, it's time to play, then.

Michael

From Nobody at SpamCop.net.dev.null Wed Sep 7 21:00:49 2005
From: Nobody at SpamCop.net.dev.null (Michael Brennan)
Date: Wed Sep 7 21:10:02 2005
Subject: [SpamCop-List] Netscape, AOL Spam Reporting Addresses
Message-ID: <431F8D41.A0B27359@SpamCop.net.dev.null>

Does anyone have current reporting addresses for Netscape and AOL?

I'm getting more spamlinked sites with Netscape- or AOL-supported registrants, in particular a JamesGrant123456@Netscape.net.
Tough reporting these to their TOS desks, just talked to a teenaged girl in India at Netscape's 800 number desk, and the address she gave me resulted in an instantaneous autoreject. Same as "postmaster@", "abuse@", et cetera, which I'd already tried.

I've been reporting AOL mail abuse through their feedback interface at AOL.com home. Netscape doesn't have one -- they're apparently there to sell, not to help.

Info, please?

TIA,
Michael

From Nobody at SpamCop.net.dev.null Wed Sep 7 21:10:28 2005
From: Nobody at SpamCop.net.dev.null (Michael Brennan)
Date: Wed Sep 7 21:15:04 2005
Subject: [SpamCop-List] Re: Anyone read Norwegian here?
References:
Message-ID: <431F8F84.179BF75@SpamCop.net.dev.null>

Philippe Verdy wrote:
>
> > From: "Anti-Spam"
> > X-Trace: news.spamcop.net 1125330871 16196 216.95.192.200 (29 Aug 2005
> > 15:54:31 GMT)
> >
> > (...message snipped...)
> > Bring in the death penalty for repeat spammers.
>
> Your signature brings nothing to this newsgroup,

[rant snipped for brevity]

> So be serious, remove this sentence from your public postings (keep it for
> your private postings if you want, but then assume privately all its
> implications about yourself).
>
> Thanks.
> -- Philippe.

Hi, Philippe,

Take your own advice, how about it? It's a free country. As in, he is free to reject your attempted putdown of his low opinion of spammers. Try as you might, you won't take the definition of "serious" into receivership. Not on the Net. And you might have posted your rant to "social" instead.

TIA, and have a nice day,
Michael

From Nobody at SpamCop.net.dev.null Wed Sep 7 21:29:48 2005
From: Nobody at SpamCop.net.dev.null (Michael Brennan)
Date: Wed Sep 7 21:35:03 2005
Subject: [SpamCop-List] Re: Mystery spam source
References:
Message-ID: <431F940C.13D4ECE1@SpamCop.net.dev.null>

Philippe Verdy wrote:
>
> "spamacyde" wrote in message news:
> detjmq$i60$1@news.spamcop.net...
> >I received spam referring to fuckmyass.com a couple of weeks ago.
This
> > morning when I pinged fuckmyass.com, the ip address was 216.34.131.135.
> > Now
> > it's 66.197.67.72.
> >
> > Can somebody explain what's going on in detailed English? Kindly provide
> > a
> > glossary.
>
> When you want to identify the IP address of a suspect spam source, DON'T use
> PING.
> The effective source of your spam is most probably one of the many
> open-relays or PCs infected by viral spamwares...

Thank you, Philippe. Saved to disk.

Michael

From Nobody at SpamCop.net.dev.null Wed Sep 7 21:44:05 2005
From: Nobody at SpamCop.net.dev.null (Michael Brennan)
Date: Wed Sep 7 21:50:05 2005
Subject: [SpamCop-List] Re: Cleaning up and preventing malware (was mypctuneup.com)
References:
Message-ID: <431F9765.48D77304@SpamCop.net.dev.null>

JG wrote:
>
> On 8/30/2005 7:55 PM spamacyde scribbled:
>
> > Yeh,
> >
> > I appreciate the info too. It is in well written English without too much
> > jargon. Is JG an official at spamcop? Don't need the 'tude.
>
> No official nor did I /say/ I was.
>
>
> AFAICT, anyone posting here is knowledgeable in this area. If not,
> maybe going to a more simplistic ng would be better advice.
>

Is that an invitation for us free reporters with humble-colored beanies and no chops as sysops to pack up and *leave*?
As long as we're OT and all.

Signify further to us,
Michael

From nobody at devnull.spamcop.net Wed Sep 7 22:09:42 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Wed Sep 7 22:15:02 2005
Subject: [SpamCop-List] Re: 2 parses, diff results - any easy way to tell which is correct?
References:
Message-ID:

"JG" wrote in message news:dfo12t$ue0$1@news.spamcop.net...

> I'll get lectured here, what with dupe info here in several responses -
> let's see what answers come in before I go to admin...

You could fix your kill-file and follow the previously suggested links to Julian's/Ellen's posted info in the Forum, but .... guess you won't see this either ....

Of course noting that Mike E.
simply provided the text of one of Ellen's posts and it doesn't appear that you took note of that either ...see Pinned entries at http://forum.spamcop.net/forums/index.php?showforum=7

From panoptes at iquest.net Wed Sep 7 22:48:56 2005
From: panoptes at iquest.net (Daniel W. Johnson)
Date: Wed Sep 7 22:50:03 2005
Subject: [SpamCop-List] Re: 2 parses, diff results - any easy way to tell which is correct?
References: <1h2j7cl.1wg194begtcbqN%panoptes@iquest.net>
Message-ID: <1h2jg97.1oqbujl9thrcaN%panoptes@iquest.net>

Mike Easter wrote:

> I've never done it, but I can look at my mailhost configuration for an
> address and see all of my mailhosts and see a link that sez 'Add new
> hosts' -- but that function doesn't seem to enable me to add a server's
> name, it seems to want to talk about an additional or different server's
> name. So, I don't think 'add new host' is the way to add a new
> mailserver to an existing host configuration. Maybe it isn't user
> configurable.

If you specify an existing "Mailhost name" from your configuration as the "standard name of this email provider", it will merrily add new Hosts/Domains to that mailhost's entry. I did exactly that yesterday.

-- 
Daniel W. Johnson
panoptes@iquest.net
http://members.iquest.net/~panoptes/
039 53 36 N / 086 11 55 W

From JG at coks.net Wed Sep 7 22:23:31 2005
From: JG at coks.net (JG)
Date: Thu Sep 8 00:25:03 2005
Subject: [SpamCop-List] Re: 2 parses, diff results - any easy way to tell which is correct?
In-Reply-To:
References:
Message-ID:

On 9/7/2005 7:09 PM WazoO scribbled:
> "JG" wrote in message news:dfo12t$ue0$1@news.spamcop.net...
>
>>I'll get lectured here, what with dupe info here in several responses -
>>let's see what answers come in before I go to admin...
>
>
> You could fix your kill-file and follow the previously
> suggested links to Julian's/Ellen's posted info in the
> Forum, but .... guess you won't see this either ....
I'd read that before Mike posted it and knew it in advance to be not much help. I don't know what your reference is re: kill-file - I don't have such...

> Of course noting that Mike E. simply provided the
> text of one of Ellen's posts and it doesn't appear that
> you took note of that either ...see Pinned entries at
> http://forum.spamcop.net/forums/index.php?showforum=7

Been there, thanks anyway, and it doesn't reveal much about the issue Mike raised - maybe /you/ could read it and enlighten me as to what I am missing...

>
>

From JG at coks.net Wed Sep 7 22:29:08 2005
From: JG at coks.net (JG)
Date: Thu Sep 8 00:30:03 2005
Subject: [SpamCop-List] Re: 2 parses, diff results - any easy way to tell which is correct?
In-Reply-To: <1h2jg97.1oqbujl9thrcaN%panoptes@iquest.net>
References: <1h2j7cl.1wg194begtcbqN%panoptes@iquest.net> <1h2jg97.1oqbujl9thrcaN%panoptes@iquest.net>
Message-ID:

On 9/7/2005 7:48 PM Daniel W. Johnson scribbled:
> Mike Easter wrote:
>
>
>>I've never done it, but I can look at my mailhost configuration for an
>>address and see all of my mailhosts and see a link that sez 'Add new
>>hosts' -- but that function doesn't seem to enable me to add a server's
>>name, it seems to want to talk about an additional or different server's
>>name. So, I don't think 'add new host' is the way to add a new
>>mailserver to an existing host configuration. Maybe it isn't user
>>configurable.
>
>
> If you specify an existing "Mailhost name" from your configuration as
> the "standard name of this email provider", it will merrily add new
> Hosts/Domains to that mailhost's entry. I did exactly that yesterday.

Well, we're (tinw) getting there - but the host name suggested I add was already there in the drop down list, /so/ I assume I don't need add a host, which probably throws the ball into Cox's court.
Maybe not user configurable is a possibility - next up?
From JG at coks.net Wed Sep 7 23:05:33 2005
From: JG at coks.net (JG)
Date: Thu Sep 8 01:05:03 2005
Subject: [SpamCop-List] Re: Cleaning up and preventing malware (was mypctuneup.com)
In-Reply-To: <431F9765.48D77304@SpamCop.net.dev.null>
References: <431F9765.48D77304@SpamCop.net.dev.null>
Message-ID:

On 9/7/2005 6:44 PM Michael Brennan scribbled:
>
> Is that an invitation for us free reporters with humble-colored beanies
> and no chops as sysops to pack up and *leave*?
> As long as we're OT and all.
>
> Signify further to us,
> Michael

Didn't see where anyone said /anyone/ was OT - the /subject/ was woefully redundant, IMO, especially to anyone reporting spam, i.e., one who can supposedly tell what spam is and report it correctly.

AFAIK SC is interested in reporting spam source. I certainly never said I was an expert in the area and rely on this group to aid my efforts in this direction.

Spybot and Adaware are adjacent topics and addressing m$ updates and their importance is so prevalent that even the "humble-colored beanies" can recite the chant, ad nauseam, and you know what? After all the updates, you're probably still a month behind the spammers and vulnerable.

And after all that, Mike E. still uses OE anyway (with QF, of course) - go figure...

Sounds like you feel someone is looking down their nose at you. Why's that?

BTW, little late to this thread, aren't you?

& I'm not a sysop - I was with an IBM 360/60, but that was yesterday...

From JG at coks.net Wed Sep 7 23:10:42 2005
From: JG at coks.net (JG)
Date: Thu Sep 8 01:10:03 2005
Subject: [SpamCop-List] Re: Netscape, AOL Spam Reporting Addresses
In-Reply-To: <431F8D41.A0B27359@SpamCop.net.dev.null>
References: <431F8D41.A0B27359@SpamCop.net.dev.null>
Message-ID:

On 9/7/2005 6:00 PM Michael Brennan scribbled:
> Does anyone have current reporting addresses for Netscape and AOL?
> > I'm getting more spamlinked sites with Netscape- or AOL-supported > registrants, in particular a JamesGrant123456@Netscape.net. Tough > reporting these to their TOS desks, just talked to a teenaged girl in > India at Netscape's 800 number desk, and the address she gave me > resulted in an instantaneous autoreject. Same as "postmaster@", > "abuse@", et cetera, which I'd already tried. > > I've been reporting AOL mail abuse through their feedback interface at > AOL.com home. Netscape doesn't have one -- they're apparently there to > sell, not to help. > > Info, please? > > TIA, > Michael AFAIK, Netscape abuse is AOL abuse, which is abuse@aol.com. Thats AFAIK, since I had to look all that up this very A.M.. From JG at coks.net Wed Sep 7 23:15:21 2005 From: JG at coks.net (JG) Date: Thu Sep 8 01:15:03 2005 Subject: [SpamCop-List] Re: What's the point? In-Reply-To: <431F8C39.393BEB74@SpamCop.net.dev.null> References: <431F8C39.393BEB74@SpamCop.net.dev.null> Message-ID: On 9/7/2005 5:56 PM Michael Brennan scribbled: > Doug Thegarden wrote: > >>Bill Beyer wrote: >> >>>Just recently however I've notice that the URL format for some of the >>>spamvertised sites has changed. Many of the sites now look like this: >>>http://www.sonicaurora.info/maturewishes.html?n_nbyylr.ljcvv,hvx . It >>>doesn't take a genius to figure out that n_nbyylr.ljcvv,hvx is a coded >>>version of my email address, x_xxxxxx@yahoo.com . l = y, j = a, c = h v = >>>o, etc. The "." is used for @ and "," is used for "." >>> >> >>Code a few choice addresses, substitute them and click the link ;-) >> >>Doug > > > > Oooo. Like the way you think. I'm getting a few of those, too. And my > volume just stepped up -- think I've been selected for extra "credit > line" phish traffic. Okay, it's time to play, then. > > Michael Since this came back, I'd like to note that I received a similar spam but it didn't bother to try and obfuscate my name - it simply had .html as the notify URL - you must be special... 
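An added example, not part of any post in this thread: a reporter-side check for the recipient-coded URL tokens described in the message above, which flags a query string that is a one-to-one recoding of your own address (with "." for "@" and "," for ".") and redacts it before the URL is pasted into a report. The function names, the shape heuristic and the alice@example.com sample are assumptions of this example; the only real input is the URL quoted in the thread.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Separator convention reported in the thread: in the token, "." stands for
# the "@" of the address and "," stands for a "." of the address.
SEPARATORS = {".": "@", ",": "."}

# Heuristic shape of such a token when the plaintext address is not known
# (an assumption of this example): exactly one ".", followed later by at
# least one ",", and none of the characters an ordinary query would carry.
CODED_SHAPE = re.compile(
    r"^[^.,@/=&]+(?:,[^.,@/=&]+)*\.[^.,@/=&]+(?:,[^.,@/=&]+)+$"
)


def consistent_substitution(token, plain):
    """True if token is a one-to-one, position-by-position recoding of plain."""
    if len(token) != len(plain):
        return False
    fwd, rev = {}, {}
    for t, p in zip(token, plain):
        # Each token character must always stand for the same plain
        # character, and no two token characters may share a plain one.
        if fwd.setdefault(t, p) != p or rev.setdefault(p, t) != t:
            return False
    return True


def encodes_address(token, address):
    """True if token recodes address using the thread's separator convention."""
    token, address = token.lower(), address.lower()
    if not consistent_substitution(token, address):
        return False
    for t, p in zip(token, address):
        if p in ("@", ".") and SEPARATORS.get(t) != p:
            return False  # an address separator is not coded as expected
        if t in SEPARATORS and SEPARATORS[t] != p:
            return False  # a token separator sits over an ordinary character
    return True


def inspect_url(url, my_addresses=()):
    """Return (verdict, url_safe_to_report).

    verdict is "confirmed" when the query recodes one of my_addresses,
    "suspected" when it only has the coded-address shape, else "none".
    The query is replaced by REDACTED unless the verdict is "none".
    """
    parts = urlsplit(url)
    query = parts.query
    if not query:
        return "none", url
    if any(encodes_address(query, a) for a in my_addresses):
        verdict = "confirmed"
    elif CODED_SHAPE.match(query):
        verdict = "suspected"
    else:
        return "none", url
    return verdict, urlunsplit(parts._replace(query="REDACTED"))


if __name__ == "__main__":
    # URL as quoted in the thread; the poster's address is masked there,
    # so only the shape heuristic can fire.
    print(inspect_url(
        "http://www.sonicaurora.info/maturewishes.html?n_nbyylr.ljcvv,hvx"))
    # Constructed sample: token built by hand for alice@example.com.
    print(inspect_url(
        "http://spam.example/offer.html?qwert.tyquiwt,rpu",
        ["alice@example.com"]))
```

The domain half of the token quoted in the thread, `ljcvv,hvx`, passes `consistent_substitution` against `yahoo.com`, which is the letter-for-letter mapping the poster worked out by eye.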
From MikeE at ster.invalid Thu Sep 8 01:47:15 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Sep 8 03:50:12 2005
Subject: [SpamCop-List] Re: 2 parses, diff results - any easy way to tell which is correct?
References: <1h2j7cl.1wg194begtcbqN%panoptes@iquest.net> <1h2jg97.1oqbujl9thrcaN%panoptes@iquest.net>
Message-ID:

JG wrote:

> Well, we're (tinw) getting there - but the host name suggested I add
> was already there in the drop down list, /so/ I assume I don't need
> add a host, which probably throws the ball into Cox's court.
> Maybe not user configurable is a possibility - next up?

This is about this tracker:
www.spamcop.net/sc?id=z803780689z7686b4a2e3f5db13a11db3484f460c78z

The current parse of the index issue that this is all about is different now than it was before. That is, SC still fails to parse past the 195.222.62.50 IP for the mailhosted one, but it fails in a different way.

Unfortunately, discussing the exact failure requires posting some verbose parse output. I'll abbreviate the headers, but I need to paste the verbose and comment it.

Abbreviated Received lines
*comment

from fed1rmgxi03.cox.net ([195.222.62.50]) by fed1rmmtai03.cox.net
*serves recipient, bad coxline
from ksejon.team.ba ([195.222.62.50]) by fed1rmgxi03.cox.net
*serves recipient, good coxline, server output
from mail.natsoft.com.my (host-77-248.team.ba [80.65.77.248] by ksejon.team.ba
*source to server
from veb.atlantis.com ([241.74.203.210]) by vtgl.atlantis.com
*bogusline

My parse of this is that the item starts at the 80.65.77.248 team.ba user with the bogusline in place and passes thru' the ksejon team.ba server to the cox recipient. Call my headerlines above 1-4 from top down for later refer

Previously SC broke the chain at the top bad coxline because it didn't recognize the fed1rmgxi03.cox.net server. Now SC breaks the chain at the 2nd good coxline because it doesn't trust ksejon as a server.

Parsing header:
0: Received: from fed1rmgxi03.cox.net ([195.222.62.50]) by fed1rmmtai03.cox.net (InterMail vM.6.01.05.02 201-2131-123-102-20050715) with ESMTP id <20050906181128.YFNJ23473.fed1rmmtai03.cox.net@fed1rmgxi03.cox.net>; Tue, 6 Sep 2005 14:11:28 -0400
Hostname verified: ksejon.team.ba
Cox received mail from sending system 195.222.62.50

1: Received: from ksejon.team.ba ([195.222.62.50]) by fed1rmgxi03.cox.net (InterMail vG.1.00.00.00 201-2136-104-20040331) with ESMTP id <20050906181129.SMUK12574.fed1rmgxi03.cox.net@ksejon.team.ba>; Tue, 6 Sep 2005 14:11:29 -0400
Hostname verified: ksejon.team.ba
Possible forgery. Supposed receiving system not associated with any of your mailhosts
Will not trust anything beyond this header

Tracking message source: 195.222.62.50:

Unfortunately in all of the previous documentation, none of us pasted the exact verbose parse by SC before, but I remember what it looked like. SC broke the chain in the '0' section above and said 'supposed receiving system not associated etc' instead of doing that in the '1' section above.

Interestingly, SC parses those headerlines 2-4 differently and correctly for a non-mailhost than for a mailhost. Recall that in order to parse this with a non-mailhost, we have to get rid of the bad coxline at the top, because that bad line will break a non-cox mailhost.

http://www.spamcop.net/sc?id=z804128183z3fb50d855a96e854182e4870798de41az

Report Spam to:
Re: 80.65.77.248 (Administrator of network where email originates)
To: support@bih.net.ba (Notes)

That is the correct result; the details of the verbose can be seen at my tracker above. The source is the team.ba user, not the team.ba server.
-- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Thu Sep 8 02:11:39 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Sep 8 04:15:03 2005 Subject: [SpamCop-List] Re: Cleaning up and preventing malware (was mypctuneup.com) References: <431F9765.48D77304@SpamCop.net.dev.null> Message-ID: JG wrote: > And after all that, Mike > E. still uses OE anyway (with QF, of course) - go figure... And Win98se. And IE6. Naturally without any of the patches for OE/IE which require WinXP like SP2. And, since IE can't handle css properly, just copying text from some webpages is actually tricky. I have to get it from the source or 'temporarily' send the page to email editing and copy it out of OE. Ah, the travails of working with primitive tools. -- Mike Easter kibitzer, not SC admin From nobody at example.com Thu Sep 8 12:24:23 2005 From: nobody at example.com (John Smith) Date: Thu Sep 8 06:25:20 2005 Subject: [SpamCop-List] ISPs in London Message-ID: I'm in London and I'm going to get ADSL. Can anyone recommend any spam-hostile ISPs in London (or, alternatively, un-recommend a spam-friendly ISP). Note that I'm not worried about receiving spam. Instead, I want to reward an ISP that is vigilant about preventing spam. From Nobody at SpamCop.net.dev.null Thu Sep 8 06:27:41 2005 From: Nobody at SpamCop.net.dev.null (Michael Brennan) Date: Thu Sep 8 06:30:04 2005 Subject: [SpamCop-List] Re: Netscape, AOL Spam Reporting Addresses References: <431F8D41.A0B27359@SpamCop.net.dev.null> Message-ID: <4320121D.CC65E600@SpamCop.net.dev.null> JG wrote: > > On 9/7/2005 6:00 PM Michael Brennan scribbled: > > > Does anyone have current reporting addresses for Netscape and AOL? > > [snipping for conciseness] > > > > I've been reporting AOL mail abuse through their feedback interface at > > AOL.com home. Netscape doesn't have one -- they're apparently there to > > sell, not to help. > > > > Info, please? 
> > > > TIA, > > Michael > AFAIK, Netscape abuse is AOL abuse, which is abuse@aol.com. Thats > AFAIK, since I had to look all that up this very A.M.. JG, Thank you, but abuse@aol was one of the addresses I tried after the old AOL mail TOS address didn't work. I got the following autoacks previously on one attempt to LART: Failed to deliver to 'abuse@aol.com' SMTP module(domain @206.180.145.133:aol.com) reports: message text rejected by mailin-04.mx.aol.com: 554 TRANSACTION FAILED Failed to deliver to 'postmaster@aol.com' SMTP module(domain @206.180.145.133:aol.com) reports: message text rejected by mailin-04.mx.aol.com: 554 TRANSACTION FAILED Failed to deliver to 'sysadmin@aol.com' SMTP module(domain @206.180.145.133:aol.com) reports: message text rejected by mailin-04.mx.aol.com: 554 TRANSACTION FAILED Failed to deliver to 'IPadmin@aol.com' SMTP module(domain @206.180.145.133:aol.com) reports: message text rejected by mailin-04.mx.aol.com: 554 TRANSACTION FAILED I'm unfamiliar with many of these codes and don't know the significance of 554. Regards, Michael From anthony.edwards at uk.easynet.net Thu Sep 8 11:48:43 2005 From: anthony.edwards at uk.easynet.net (Anthony Edwards) Date: Thu Sep 8 06:50:03 2005 Subject: [SpamCop-List] Re: ISPs in London References: Message-ID: On Thu, 08 Sep 2005 11:24:23 +0100, John Smith wrote: > I'm in London and I'm going to get ADSL. Can anyone recommend any > spam-hostile ISPs in London (or, alternatively, un-recommend a > spam-friendly ISP). > > Note that I'm not worried about receiving spam. Instead, I want to > reward an ISP that is vigilant about preventing spam. 
Obviously I am somewhat biased, however you may find our broadband offerings of interest, either corporate: http://www.uk.easynet.net/broadband/broadband_category.asp?id=1 Or residential: http://www.easynetconnect.co.uk/ -- Anthony Edwards * anthony.edwards@uk.easynet.net Abuse Team Manager * Tel: 0800 053 0588 Easynet Ltd * DDI: 0161 227 0707 http://www.uk.easynet.net * Fax: 0845 333 4503 From uce2002 at hotmail.com Thu Sep 8 12:55:45 2005 From: uce2002 at hotmail.com (BT) Date: Thu Sep 8 07:00:03 2005 Subject: [SpamCop-List] Re: ISPs in London References: Message-ID: "Anthony Edwards" wrote in message news:dfp4ua$m85$1@news.spamcop.net... > On Thu, 08 Sep 2005 11:24:23 +0100, John Smith > wrote: >> I'm in London and I'm going to get ADSL. Can anyone recommend any >> spam-hostile ISPs in London (or, alternatively, un-recommend a >> spam-friendly ISP). >> >> Note that I'm not worried about receiving spam. Instead, I want to >> reward an ISP that is vigilant about preventing spam. > > Obviously I am somewhat biased, however you may find our broadband > offerings of interest, either corporate: > > http://www.uk.easynet.net/broadband/broadband_category.asp?id=1 > > Or residential: > > http://www.easynetconnect.co.uk/ > > -- > Anthony Edwards * anthony.edwards@uk.easynet.net > Abuse Team Manager * Tel: 0800 053 0588 > Easynet Ltd * DDI: 0161 227 0707 > http://www.uk.easynet.net * Fax: 0845 333 4503 Also Pipex - http://www.pipex.net/products/access/broadband/ From Nobody at SpamCop.net.dev.null Thu Sep 8 07:14:09 2005 From: Nobody at SpamCop.net.dev.null (Michael Brennan) Date: Thu Sep 8 07:15:02 2005 Subject: [SpamCop-List] Brazilian Cert.br Message-ID: <43201D01.9D22DD7F@SpamCop.net.dev.null> Having made a SpamCop report on a mortgage phish, tracking URL here: http://www.spamcop.net/sc?id=z804158433z2ae08eac7d92d97cb2992fe184a01667z I went further and checked the spamvertised website http://hhmh.tlmort.com/e.php through SamSpade.org to a phony-looking registration on 
an IP 200.157.24.184 that I further looked up and found belongs to Bianchimano & Azevedo Serviços de Informática Ltda (owner) in Porto Alegre, Brazil, and Intelig Telecomunicações Ltda [e-mail: sistemas@inteligweb.com.br], ("person"). I also see "nic-hdl-br: RAA72 person: Rafael Azevedo e-mail: abuse@webpro.com.br" This outfit gives the abuse address, but 1) I don't see the relationship to the "owner" or "person" above, and 2) "webpro.com.br" sounds awfully spammy; and so, regarding all these Brazilian entities listed so far as black hats (inform me if I'm wrong), I'm looking instead at the mail-abuse address listed at the bottom of the SamSpade report under "remarks": "Mail abuse issues should also be addressed to mail-abuse@cert.br". Is cert.br a good-guy certifying authority? I don't trust anyone else on the lookup for a manual LART, which perforce will reveal my home e-mail address. I was thinking of sending cert.br a manual copy of the SpamCop report with the additional remarks showing the lookup results pointing to the Brazilian webhost. Is this a good thing to do? Is cert.br trustworthy? Suggestions? Comments? Sorry if all this sounds fourth-grade grammar class to some of you, but my beanie is indeed a very humble color. I'm just trying to make a little trouble for some criminals who thoroughly deserve it. Or should I just continue to leave that to others? I also sent the original offending "mortgage application" phish off to Secret Service FCD, Netcraft, Millers-Miles UK, FraudWatch Int'l, and FTC, as well as sending the SpamCop report, which LARTed ChinaTieTong.com as the owner of the compromised server that sourced the original spew.
TIA, Michael From nobody at nowhere.invalid Thu Sep 8 15:05:42 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Thu Sep 8 08:10:12 2005 Subject: [SpamCop-List] Re: ISPs in London References: Message-ID: On Thu, 8 Sep 2005 11:55:45 +0100, BT coughed into spamcop and left this in : > Also Pipex - http://www.pipex.net/products/access/broadband/ You're kidding, right? Pipex == UUNet. Also they have (had?) a user who spammed me for years. I haven't heard from them in a while so maybe they've gone Rule-#4-compliant. -- Steve The quickest way to double your money is to fold it in half and put it back in your pocket. From spamcop-list-at-news.spamcop.net at musaic.net Thu Sep 8 16:08:02 2005 From: spamcop-list-at-news.spamcop.net at musaic.net (St - Musaic.Net) Date: Thu Sep 8 09:08:19 2005 Subject: [SpamCop-List] [OT] RFC-compliance Message-ID: <623969791.20050908150802@musaic.net> This message is OT - but even so, it may be the second best place to go to in order to find my answer on a problem I have with messages coming from this list (best place would be the manufacturer possibly, but then again, they might be clueless and biased... ;) Yesterday, I installed an SMTP server on one of my PCs - a server called is Mail Express Professional. For some odd reason, the server itches with messages from this list. It rejects messages when certain characters are present in some of the rather important header lines. The server error message is as follows: "Message has not been sent. 
Server reply - 5.5.0 Bad sequence of commands" This problem is regarding use of characters "+" and "=" in header lines SENDER:, ERRORS-TO: and RETURN-PATH: In a typical message from this list, these header lines looks as follows: > Return-Path: > Sender: spamcop-list-bounces-+addressee=domain.ext@news.spamcop.net > Errors-To: spamcop-list-bounces-+addressee=domain.ext@news.spamcop.net I have found out that if I remove "+" and replace "=" with "#AT#", the server accepts the messages - the header lines would look like this: > Return-Path: > Sender: spamcop-list-bounces-addressee#AT#@news.spamcop.net > Errors-To: spamcop-list-bounces-addressee#AT#@news.spamcop.net My questions are: Are characters "+" and "=" in addresses regarded as being non-RFC-compliant? (I never had a problem with this earlier!) Why would a server choose to disallow these characters if they indeed are RFC-compliant? I look forward to some enlightening answers to this OT-posting! -- St From uce2002 at hotmail.com Thu Sep 8 16:07:02 2005 From: uce2002 at hotmail.com (BT) Date: Thu Sep 8 10:10:19 2005 Subject: [SpamCop-List] Re: ISPs in London References: Message-ID: "Steven Maesslein" wrote in message news:slrndi0a8m.536.nobody@127.0.0.1... > On Thu, 8 Sep 2005 11:55:45 +0100, BT coughed into spamcop and left > this > in : > >> Also Pipex - http://www.pipex.net/products/access/broadband/ > > You're kidding, right? > > Pipex == UUNet. > > Also they have (had?) a user who spammed me for years. I haven't heard > from them in a while so maybe they've gone Rule-#4-compliant. > I have been with Pipex for +8 years and have not received one Pipex originated spam in that time. Pipex is a solid, dependable, business service despite who actually owns the shares. Similarly there seems nothing wrong with Bulldog and the are owned by C&W! From gezgin at spamcop.net Thu Sep 8 18:07:00 2005 From: gezgin at spamcop.net (Gezgin) Date: Thu Sep 8 10:10:36 2005 Subject: [SpamCop-List] But do they want them? 
Message-ID: I know spoof@ebay.com doesn't want SpamCop reports but I just noticed that SpamCop will send copies of eBay spoof reports to spam@ebay.com and postmaster@ebay.com. I make a habit of unchecking these. Does anybody know if that is that advisable or would eBay actually prefer to receive them? -- Bob Kanyak's Doghouse http://www.kanyak.com From MikeE at ster.invalid Thu Sep 8 08:29:55 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Sep 8 10:30:03 2005 Subject: [SpamCop-List] Re: [OT] RFC-compliance References: Message-ID: St - Musaic.Net wrote: > Are characters "+" and "=" in addresses regarded as being > non-RFC-compliant? (I never had a problem with this earlier!) Short answer, they are compliant. Slightly longer answer, RFC 2821 & 2822 say "only 7bit ASCII characters are allowed in Internet mail addresses" Even longer discussion about various characters usage in the local part of an email address can be seen here http://www.remote.org/jochen/mail/info/chars.html Characters in the local part of a mail address ... where the discussion gives the OK green light to the plus char, saying "The plus sign is allowed in mail addresses and there is no reason not to use it. A common usage is for defining sub-addresses. Example: The user 'joe' with the mail address 'joe@example.com' can set up mail addresses like 'joe+list@example.com' if he needs more then one address." ... while giving the MAYBE yellow light to the equal char, saying "Really no reason not to use it. It is used by some mailing list servers to generate special addresses for detecting bounces." > Why would a server choose to disallow these characters if they > indeed are RFC-compliant? I think the server is being funky. Or maybe flakey. > I look forward to some enlightening answers to this OT-posting! 
-- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Thu Sep 8 08:49:31 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Sep 8 10:50:02 2005 Subject: [SpamCop-List] Re: Brazilian Cert.br References: <43201D01.9D22DD7F@SpamCop.net.dev.null> Message-ID: Michael Brennan wrote: www.spamcop.net/sc?id=z804158433z2ae08eac7d92d97cb2992fe184a01667z > http://hhmh.tlmort.com/e.php > 200.157.24.184 > sistemas@inteligweb.com.br], ("person"). whois -h whois.registro.br 200.157.24.184 ... abuse-c: CIL198 = sistemas@inteligweb.com.br abuse-c means abuse contact notification handle and then email addy. > I also see "nic-hdl-br: RAA72 owner-c: RAA72 tech-c: RAA72 > e-mail: abuse@webpro.com.br" The business about contacting 'owner' vs 'tech' vs 'abuse' contact depends on what is available. If you read the registrations for the regional registrars such as registro.br carefully, you can get a better understanding of the roles of the listeds. > "Mail abuse issues should also be > addressed to mail-abuse@cert.br". Is cert.br a good-guy certifying > authority? Errm, who knows? Yes question mark. > I don't trust anyone else on the lookup for a manual > LART, which perforce will reveal my home e-mail address. The registro.br contacts 'belong' to the provider. The provider's IP is spamhaused.for/at SBL 31626 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL31626 and spamhaus considers that listing to also apply to cert.br. > I was thinking of sending cert.br a manual copy of the SpamCop report > with the additional remarks showing the lookup results pointing to the > Brazilian webhost. Is this a good thing to do? Is cert.br > trustworthy? I don't know why you would need to get so intimate with cert.br or any other notified as to provide them with an address you aren't comfortable notifying with. It is useful to know whereall any particular IP you are notifying about is listed, especially things like spamhaus or spews. > Suggestions? Comments? 
> Sorry if all this sounds fourth-grade grammar class to some of you, > but my beanie is indeed a very humble color. I'm just trying to make > a little trouble for some criminals who thoroughly deserve it. Or > should I just continue to leave that to others? Advancing the spamfight is a useful activity. I personally don't think that notifieds which in some cases are such blackhat providers that the information goes directly to the spam 'head' or spamgang is necessarily bad. I don't think it is likely that the inoffensive but thorough reporter will get revenge spammed or DOSed -- more likely such a reporter might make it into 'anti-' lists, which some spammers remove from their spamlists. > I also sent the original offending "mortgage application" phish off to > Secret Service FCD, Netcraft, Millers-Miles UK, FraudWatch Int'l, and > FTC, as well as sending the SpamCop report, which LARTed > ChinaTieTong.com as the owner of the compromised server that sourced > the original spew. -- Mike Easter kibitzer, not SC admin From kenbrody at spamcop.net Thu Sep 8 11:22:44 2005 From: kenbrody at spamcop.net (Kenneth Brody) Date: Thu Sep 8 11:10:03 2005 Subject: [SpamCop-List] Re: Quote of the year? References: Message-ID: <43204934.5A61F77C@spamcop.net> Bill Beyer wrote: > > "Aviatrix" <79ytka802@sneakemail.com> wrote in message > news:dfnknj$l6c$1@news.spamcop.net... > > Just had the following from one of my ISPs: > > > > > > Quote: > > > > ------------ > > Dear Customer, > > > > We cannot help getting blocked by SpamCop. > > > > It's by people abusing our WebMail system, and sending Spam to people, > > that SpamCop clamp down on our Servers. > > > > We have a constant battle with SpamCop against blocking our Servers. > > > > Our Abuse Team is investigating the matter, and aims to resolve the > > issue soon. > > ------------ > > > > How clueless can you get? > > See the thread titled "Spamcop blocking legitimate emails" Sorry, this one's more clueless. 
That thread is "bouncing to forged addresses isn't spam". This one is "our own clients are abusing our systems, causing us to send spam, and we can't understand why SpamCop lists our servers as spam sources". -- +-------------------------+--------------------+-----------------------------+ | Kenneth J. Brody | www.hvcomputer.com | | | kenbrody/at\spamcop.net | www.fptech.com | #include | +-------------------------+--------------------+-----------------------------+ Don't e-mail me at: From nobody at spamcop.net Thu Sep 8 09:22:58 2005 From: nobody at spamcop.net (Yours Truly) Date: Thu Sep 8 11:25:03 2005 Subject: [SpamCop-List] Re: Brazilian Cert.br In-Reply-To: <43201D01.9D22DD7F@SpamCop.net.dev.null> References: <43201D01.9D22DD7F@SpamCop.net.dev.null> Message-ID: Michael Brennan wrote: > ...Is cert.br trustworthy? Due to a quirk in my past life, I am on every Brazilian spammer's address list. Fully 2/3 to 3/4 of the spam I get is from Brazil, of course in Portuguese, which I can only barely read (with the help of the fish). Most of this spam has subjects like "a message from one who loves you" or "a card for you" or "new porno video released". The spam invites a click on a link to some executable file (they used to be stashed on Brazilian servers, but now more frequently reside in Spain). These executable files, which come in many flavors with many different names, never get recognized by Norton or SpyBot as anything unusual, but further probing reveals them to be mostly key loggers. Brazil is in the business of identity/financial theft big time. The IP addresses from whence the spam comes are legion, but many recur. Of course, since I am probably the only SpamCop user reporting them, they never make the block list. But note well: since the IP addresses appear again and the volume of spam never declines, the Brazilian abuse agents are doing Jack S--- to stop all of this. Trust a Brazilian about as far as you can hurl a blue whale. 
-Yours Truly From JG at coks.net Thu Sep 8 09:29:53 2005 From: JG at coks.net (JG) Date: Thu Sep 8 11:30:03 2005 Subject: [SpamCop-List] Re: Netscape, AOL Spam Reporting Addresses In-Reply-To: <4320121D.CC65E600@SpamCop.net.dev.null> References: <431F8D41.A0B27359@SpamCop.net.dev.null> <4320121D.CC65E600@SpamCop.net.dev.null> Message-ID: On 9/8/2005 3:27 AM Michael Brennan scribbled: > > Thank you, but abuse@aol was one of the addresses I tried after the old > AOL mail TOS address didn't work. I got the following autoacks > previously on one attempt to LART: > Thats not encouraging. I didn't get anything back 2 days ago using the address so really can't say... 554 error is fatal, thats all I know - there are several of which Transaction Failed is one - can't find an exact definition.... From spamcop at splorfING.net Thu Sep 8 17:46:34 2005 From: spamcop at splorfING.net (David) Date: Thu Sep 8 11:50:02 2005 Subject: [SpamCop-List] Re: ISPs in London References: Message-ID: "John Smith" wrote in message news:dfp3gn$leq$1@news.spamcop.net... > I'm in London and I'm going to get ADSL. Can anyone recommend any > spam-hostile ISPs in London (or, alternatively, un-recommend a > spam-friendly ISP). > > Note that I'm not worried about receiving spam. Instead, I want to reward > an ISP that is vigilant about preventing spam. We've got lines with Claranet and Zen - both appear to be very white hat and in our experience have reacted quickly to the rare spam complaints we have sent. -- David From nobody at spamcop.net Thu Sep 8 13:07:36 2005 From: nobody at spamcop.net (indigo) Date: Thu Sep 8 12:10:03 2005 Subject: [SpamCop-List] Re: Cleaning up and preventing malware (was mypctuneup.com) References: <431F9765.48D77304@SpamCop.net.dev.null> Message-ID: Mike Easter wrote: > JG wrote: > > > And after all that, Mike > > E. still uses OE anyway (with QF, of course) - go figure... > > And Win98se. Nuttin' wrong with that. 
I never would have upgraded from W98se to W2K if I hadn't bought an external HD that was bigger than 98 could handle partition-wise. And I had access to a, erm, available "free" copy of W2K ......a very well traveled copy...... From JG at coks.net Thu Sep 8 10:25:07 2005 From: JG at coks.net (JG) Date: Thu Sep 8 12:25:03 2005 Subject: [SpamCop-List] Re: Cleaning up and preventing malware (was mypctuneup.com) In-Reply-To: References: <431F9765.48D77304@SpamCop.net.dev.null> Message-ID: On 9/8/2005 9:07 AM indigo scribbled: > Mike Easter wrote: > >>JG wrote: >> >> >>>And after all that, Mike >>>E. still uses OE anyway (with QF, of course) - go figure... >> >>And Win98se. > > > Nuttin' wrong with that. I never would have upgraded from W98se to W2K if I > hadn't bought an external HD that was bigger than 98 could handle > partition-wise. And I had access to a, erm, available "free" copy of W2K > ......a very well traveled copy...... > > small world, I am about to take the same route - wonder if it the same 2000 cd? Now use 98 plain, never took to se for some reason... From nobody at spamcop.net Thu Sep 8 13:19:08 2005 From: nobody at spamcop.net (Anti-Spam) Date: Thu Sep 8 12:30:03 2005 Subject: [SpamCop-List] Re: Netscape, AOL Spam Reporting Addresses References: <431F8D41.A0B27359@SpamCop.net.dev.null> <4320121D.CC65E600@SpamCop.net.dev.null> Message-ID: "JG" wrote in message news:dfpla3$vp0$1@news.spamcop.net... > On 9/8/2005 3:27 AM Michael Brennan scribbled: > > > > > Thank you, but abuse@aol was one of the addresses I tried after the old > > AOL mail TOS address didn't work. I got the following autoacks > > previously on one attempt to LART: > > > > Thats not encouraging. > I didn't get anything back 2 days ago using the address so really can't > say... > 554 error is fatal, thats all I know - there are several of which > Transaction Failed is one - can't find an exact definition.... 
Every now and then, I'll also get a response that includes comments from AOL that says they're rejecting mail from my IP address for sending them spam. It looks like (difficult to confirm) this is because users on my system have sent them spam complaints to them, with spam attached, and it hasn't been worth the effort badgering AOL into fixing their errors. -- Bring in the death penalty for repeat spammers. Non-functional spambait addr: timep@qharoshvwnwvxjjw.net (generated by Webpoison) From MikeE at ster.invalid Thu Sep 8 10:34:50 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Sep 8 12:35:03 2005 Subject: [SpamCop-List] Re: Cleaning up and preventing malware (was mypctuneup.com) References: <431F9765.48D77304@SpamCop.net.dev.null> Message-ID: indigo wrote: > Mike Easter wrote: >> And Win98se. > > Nuttin' wrong with that. I never would have upgraded from W98se to > W2K if I hadn't bought an external HD that was bigger than 98 could > handle partition-wise. And I had access to a, erm, available "free" > copy of W2K ......a very well traveled copy...... I wish I had one of those. I've always sed that Win2K was as far as I would ever go with MS OS, or rather I've been saying that for several years. From here forward it will be dual booting with a linux, like mepis, and a win, currently to be 98se but I would use a 2K if I had one. I keep watching ebay for a good deal for a legit, but the deals haven't been good enough to motivate me to buy one. For experimental hobby purposes, of course. :-) I've also wondered about how 'trim' an XP or a 2K could be made by debloating and customizing using the 98lite methods with their xplite. 98 lite is amazing, you can make it really really tiny. -- Mike Easter kibitzer, not SC admin From Kilgallen at SpamCop.net Thu Sep 8 13:18:51 2005 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Thu Sep 8 13:20:03 2005 Subject: [SpamCop-List] Re: Quote of the year?
References: <43204934.5A61F77C@spamcop.net> Message-ID: In article <43204934.5A61F77C@spamcop.net>, Kenneth Brody writes: > Bill Beyer wrote: >> >> "Aviatrix" <79ytka802@sneakemail.com> wrote in message >> news:dfnknj$l6c$1@news.spamcop.net... >> > Just had the following from one of my ISPs: >> > >> > >> > Quote: >> > >> > ------------ >> > Dear Customer, >> > >> > We cannot help getting blocked by SpamCop. >> > >> > It's by people abusing our WebMail system, and sending Spam to people, >> > that SpamCop clamp down on our Servers. >> > >> > We have a constant battle with SpamCop against blocking our Servers. >> > >> > Our Abuse Team is investigating the matter, and aims to resolve the >> > issue soon. >> > ------------ >> > >> > How clueless can you get? >> >> See the thread titled "Spamcop blocking legitimate emails" > > Sorry, this one's more clueless. That thread is "bouncing to forged > addresses isn't spam". This one is "our own clients are abusing our > systems, causing us to send spam, and we can't understand why SpamCop > lists our servers as spam sources". So who to vote for in the battle between: Our customers send spam and we can't prevent that... vs. We send spam as an ISP and we can't prevent that... From Nobody at SpamCop.net.dev.null Thu Sep 8 13:30:20 2005 From: Nobody at SpamCop.net.dev.null (Michael Brennan) Date: Thu Sep 8 13:35:02 2005 Subject: [SpamCop-List] Re: Netscape, AOL Spam Reporting Addresses References: <431F8D41.A0B27359@SpamCop.net.dev.null> <4320121D.CC65E600@SpamCop.net.dev.null> Message-ID: <4320752C.74F3859C@SpamCop.net.dev.null> Anti-Spam wrote: > > "JG" wrote in message news:dfpla3$vp0$1@news.spamcop.net... > > On 9/8/2005 3:27 AM Michael Brennan scribbled: > > > > > > > > Thank you, but abuse@aol was one of the addresses I tried after the old > > > AOL mail TOS address didn't work. I got the following autoacks > > > previously on one attempt to LART: > > > > > > > Thats not encouraging. 
> > I didn't get anything back 2 days ago using the address so really can't > > say... > > 554 error is fatal, thats all I know - there are several of which > > Transaction Failed is one - can't find an exact definition.... > > Every now and then, I'll also get a response that > includes comments from AOL that says they're > rejecting mail from my IP address for sending them > spam. It looks like (difficult to confirm) this is > because users on my system have sent them > spam complaints to them, with spam attached, and > it hasn't been worth the effort badgering AOL into > fixing their errors. > I sent them a copy of a SpamCop report with tracking URL and comments added showing their AOL mail client sporting his AOL address in the registration of his spammy website. The AOL mail account was supporting the mortgage-application phish site. Right now I'm getting spew from a number of sites, one registrant supported by AOL and one by Netscape. I sent AOL a couple of reports pasted into their IT feedback form......they won't have liked that, but there's no other way to contact them that I can see. Netscape doesn't even offer that. Netscape in particular seems to be concentrating on very basic customer communications centered around where to send the signed check. Thanks for the feedback. Michael From MikeE at ster.invalid Thu Sep 8 11:33:52 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Sep 8 13:35:12 2005 Subject: [SpamCop-List] Re: Cleaning up and preventing malware (was mypctuneup.com) References: <431F9765.48D77304@SpamCop.net.dev.null> Message-ID: JG wrote: > Now use 98 plain, never took to se for some reason... SE had internet connection sharing ICS which was useful to some people with LANs. You could work around without it with a little software NAT network address translator - and nowadays that hardware NAT devices have become so cheap and ubiquitous, that is a much better solution for putting between a modem and a network. 
But that ICS was one of the useful features of SE back in the beginning. -- Mike Easter kibitzer, not SC admin From diogo_c at brturbo.com.br Thu Sep 8 15:37:26 2005 From: diogo_c at brturbo.com.br (Diogo Corteletti de Oliveira) Date: Thu Sep 8 13:45:02 2005 Subject: [SpamCop-List] Re: Brazilian Cert.br In-Reply-To: References: <43201D01.9D22DD7F@SpamCop.net.dev.null> Message-ID: First of all let's not generalize about spam combat in Brazil because everybody knows the NUMBER 1 country in SPAM is USA and second of all certainly you are just a user or an administrator controlling an insignificant number of hosts to be saying such a thing and not knowing the problems involving SPAM combat. And as it was said before this is not the forum to say such things as, I quote you "Trust a Brazilian about as far as you can hurl a blue whale.". I don't know your nationality and I'm not willing to know also because and don't generalize about it because if there are idiots in any country it does not make it a country of idiots. Yours Truly Yours Truly wrote: > Michael Brennan wrote: > >> ...Is cert.br trustworthy? > > > Due to a quirk in my past life, I am on every Brazilian spammer's > address list. Fully 2/3 to 3/4 of the spam I get is from Brazil, > of course in Portuguese, which I can only barely read (with the > help of the fish). Most of this spam has subjects like > "a message from one who loves you" or "a card for you" or > "new porno video released". The spam invites a click on a link > to some executable file (they used to be stashed on Brazilian > servers, but now more frequently reside in Spain). > These executable files, which come in many flavors > with many different names, never get recognized by Norton > or SpyBot as anything unusual, but further probing reveals > them to be mostly key loggers. Brazil is in the business of > identity/financial theft big time. > > The IP addresses from whence the spam comes are legion, > but many recur.
Of course, since I am probably the only > SpamCop user reporting them, they never make the block list. > But note well: since the IP addresses appear again and the > volume of spam never declines, the Brazilian abuse agents > are doing Jack S--- to stop all of this. > > Trust a Brazilian about as far as you can hurl a blue whale. > > -Yours Truly From dirigo at spamcop.net Thu Sep 8 14:49:56 2005 From: dirigo at spamcop.net (Phil) Date: Thu Sep 8 13:50:03 2005 Subject: [SpamCop-List] AOL.com is bouncing my emails Message-ID: I am having a problem sending emails to an AOL subscriber. All email I send to him with any reference to my spamcop.net email address bounces with their error: http://postmaster.info.aol.com/errors/554hvub1.html If I change the reply to address and remove my email addy from my signature it goes through fine. Anyone else with this problem? -- Phil Davis From MikeE at ster.invalid Thu Sep 8 11:58:21 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Sep 8 14:00:03 2005 Subject: [SpamCop-List] Re: AOL.com is bouncing my emails References: Message-ID: Phil wrote: > I am having a problem sending emails to an AOL subscriber. > > All email I send to him with any reference to my spamcop.net > email address bounces with their error: > > http://postmaster.info.aol.com/errors/554hvub1.html > > If I change the reply to address and remove my email addy > from my signature it goes through fine. > > Anyone else with this problem? First click and read this: news://news.spamcop.net/1sjth1t102oep96qaa237dsqv4h3a6dj9l@4ax.com Then read the rest of the thread that follows in this topic: From: SpamCop Admin Newsgroups: spamcop.help,spamcop Subject: AOL Bouncing Our Mail Date: Wed, 07 Sep 2005 05:31:58 -0600 Message-ID: <1sjth1t102oep96qaa237dsqv4h3a6dj9l@4ax.com> There's a problem with spamcop mail to AOL; being worked on. 
-- Mike Easter kibitzer, not SC admin From dirigo at spamcop.net Thu Sep 8 15:08:33 2005 From: dirigo at spamcop.net (Phil) Date: Thu Sep 8 14:10:02 2005 Subject: [SpamCop-List] Re: AOL.com is bouncing my emails References: Message-ID: Thanks, that is the problem. I arrived at my conclusion by substituting or removing email addresses until it worked. I have to remove all spamcop.net references to send mail to AOL.com. Patience is a virtue I'm told... They will fix it eventually I guess. -- Phil Davis "Mike Easter" wrote in message news:dfpu3p$62d$1@news.spamcop.net... > Phil wrote: > > I am having a problem sending emails to an AOL subscriber. > > > > All email I send to him with any reference to my spamcop.net > > email address bounces with their error: > > > > http://postmaster.info.aol.com/errors/554hvub1.html > > > > If I change the reply to address and remove my email addy > > from my signature it goes through fine. > > > > Anyone else with this problem? > > First click and read this: > > news://news.spamcop.net/1sjth1t102oep96qaa237dsqv4h3a6dj9l@4ax.com > > Then read the rest of the thread that follows in this topic: > > From: SpamCop Admin > Newsgroups: spamcop.help,spamcop > Subject: AOL Bouncing Our Mail > Date: Wed, 07 Sep 2005 05:31:58 -0600 > Message-ID: <1sjth1t102oep96qaa237dsqv4h3a6dj9l@4ax.com> > > > There's a problem with spamcop mail to AOL; being worked on. > > -- > Mike Easter > kibitzer, not SC admin From nobody at nowhere.invalid Thu Sep 8 21:22:58 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Thu Sep 8 14:25:03 2005 Subject: [SpamCop-List] Re: ISPs in London References: Message-ID: On Thu, 8 Sep 2005 15:07:02 +0100, BT coughed into spamcop and left this in : > Similarly there seems nothing wrong with Bulldog and the are owned by > C&W! fx: THUD!! /me falls off the chair laughing. http://www.theregister.co.uk/2005/09/07/watchdog_bulldog/ OK, it's not spam-related, but you can't say that there's nothing wrong with them! 
-- Steve Shin, n. : a device for finding furniture in the dark. From nobody at spamcop.net Thu Sep 8 13:56:05 2005 From: nobody at spamcop.net (N. Miller) Date: Thu Sep 8 16:00:03 2005 Subject: [SpamCop-List] Re: Netscape, AOL Spam Reporting Addresses References: <431F8D41.A0B27359@SpamCop.net.dev.null> <4320121D.CC65E600@SpamCop.net.dev.null> Message-ID: <12e0rtbmtoffl.dlg@news.spamcop.net> On Thu, 08 Sep 2005 05:27:41 -0500, Michael Brennan wrote: > I'm unfamiliar with many of these codes and don't know the significance > of 554. A 554 error from AOL? I get that all the time: ======================================================================== 09/08/05 12:52:10 SMTP Verify nitacap@aol.com, at mailin-01.mx.aol.com Contacting 205.188.159.57 554- (RTR:BB) http://postmaster.info.aol.com/errors/554rtrbb.html HELO aosake.net 554- AOL does not accept e-mail transactions from dynamic or residential 554- IP addresses. 554 Connecting IP: 64.174.90.97 Doesn't want to talk to us ======================================================================== It means that they don't want to hear from your IP address. In the case above, because it is a dynamic IP address. I have seen them block the SBC output servers on occasion, as well. Short term, use a different account. Long term, talk to their postmaster. -- Norman ~Win dain a lotica, En vai tu ri, Si lo ta ~Fin dein a loluca, En dragu a sei lain ~Vi fa-ru les shutai am, En riga-lint From nobody at spamcop.net Thu Sep 8 17:00:28 2005 From: nobody at spamcop.net (indigo) Date: Thu Sep 8 16:05:03 2005 Subject: [SpamCop-List] Re: Cleaning up and preventing malware (was mypctuneup.com) References: <431F9765.48D77304@SpamCop.net.dev.null> Message-ID: Mike Easter wrote: > > I wish I had one of those. I've always sed that Win2K was as far as I > would ever go with MS OS, or rather I've been saying that for several > years. 
I doubt I'll ever go past W2K at home either, I don't ever plan on buying a new PC (ok, not for a long time), I'll just keep upgrading it until the day where the new components aren't compatible with W2K. Gotta happen at some point, I guess. From nospam at dev.null Fri Sep 9 00:47:29 2005 From: nospam at dev.null (No Spam) Date: Thu Sep 8 17:50:03 2005 Subject: [SpamCop-List] Re: Brazilian Cert.br In-Reply-To: References: <43201D01.9D22DD7F@SpamCop.net.dev.null> Message-ID: Mike Easter wrote: > Michael Brennan wrote: ... SNIP ... >>I was thinking of sending cert.br a manual copy of the SpamCop report >>with the additional remarks showing the lookup results pointing to the >>Brazilian webhost. Is this a good thing to do? Is cert.br >>trustworthy? ... snip .... > > Advancing the spamfight is a useful activity. I personally don't think > that notifieds which in some cases are such blackhat providers that the > information goes directly to the spam 'head' or spamgang is necessarily > bad. I don't think it is likely that the inoffensive but thorough > reporter will get revenge spammed or DOSed -- more likely such a > reporter might make it into 'anti-' lists, which some spammers remove > from their spamlists. > ... SNIP.... Agree with Mike! However, some additional tips: If you wish to do this, a) get a disposable address, b) Obfuscate all info that can ID you personally in the phish: b.1) Your email address b.2) smtp strings b.3) any coded tracking strings that may uniquely ID you. b.4) Mention that you have obfuscated personally identifiable details to protect your privacy. This may cause the exercise to become a waste of time. So carefully evaluate what will need to be masked and what will be left vs the effort. Even so there is still risk involved in as far as your sending IP etc. This observation is based on personal experience. The mail address you send from may suddenly appear in a spammer's fake headers.
...then follows misdirected bounces from misconfigured mail servers and causes secondary spamming. And lastly, suddenly viruses/worms are using this email address throughout the world, with more misdirected bounces. (Interestingly with most from Spain??) Urghhhhhhh.... Happened to me :-( However, having said that, a phish deserves all the "attention" it can get, short of actually believing it :-) Brazil or not. However, please be careful and protect yourself from retaliation when it comes to even supposedly reputable .br domains. Best of luck. E From spamcop at tinaja.mailshell.com Thu Sep 8 16:10:04 2005 From: spamcop at tinaja.mailshell.com (John Wilson) Date: Thu Sep 8 18:15:29 2005 Subject: [SpamCop-List] I'm blacklisted - no troubleshooting information available! Message-ID: We're suddenly blacklisted, and spamcop won't give me any good information to troubleshoot with. All it shows is 3 links basically saying "It could be anything - you're on your own". We're running up-to-date virus/spyware scanners on every machine in the network, including the exchange server, and none of them are reporting infections. The exchange server has blocked a lot of attachments tho. There are no autoresponders set up and the server doesn't allow relaying. At this point I have no idea what to look for. Is there any way to get useful information about what exactly triggered the blacklisting? From panoptes at iquest.net Thu Sep 8 18:26:34 2005 From: panoptes at iquest.net (Daniel W. Johnson) Date: Thu Sep 8 18:30:03 2005 Subject: [SpamCop-List] Re: I'm blacklisted - no troubleshooting information available! References: Message-ID: <1h2kz37.18kvjll1c1zyuyN%panoptes@iquest.net> John Wilson wrote: > We're suddenly blacklisted, and spamcop won't give me any good information > to troubleshoot with. All it shows is 3 links basically saying "It could be > anything - you're on your own". 
> > We're running up-to-date virus/spyware scanners on every machine in the > network, including the exchange server, and none of them are reporting > infections. The exchange server has blocked a lot of attachments tho. > There are no autoresponders set up and the server doesn't allow relaying. > At this point I have no idea what to look for. Is there any way to get > useful information about what exactly triggered the blacklisting? There might be. But all possibilities require the IP address of the "blocked" sender. -- Daniel W. Johnson panoptes@iquest.net http://members.iquest.net/~panoptes/ 039 53 36 N / 086 11 55 W From panoptes at iquest.net Thu Sep 8 18:31:35 2005 From: panoptes at iquest.net (Daniel W. Johnson) Date: Thu Sep 8 18:35:02 2005 Subject: [SpamCop-List] Re: I'm blacklisted - no troubleshooting information available! References: Message-ID: <1h2kzba.8sve3k1ft40ckN%panoptes@iquest.net> John Wilson wrote: > We're suddenly blacklisted, and spamcop won't give me any good information > to troubleshoot with. All it shows is 3 links basically saying "It could be > anything - you're on your own". > > We're running up-to-date virus/spyware scanners on every machine in the > network, including the exchange server, and none of them are reporting > infections. The exchange server has blocked a lot of attachments tho. > There are no autoresponders set up and the server doesn't allow relaying. > At this point I have no idea what to look for. Is there any way to get > useful information about what exactly triggered the blacklisting? Additional note: What results do you get when you apply the answers from http://forum.spamcop.net/forums/index.php?showtopic=972 ? -- Daniel W.
Johnson panoptes@iquest.net http://members.iquest.net/~panoptes/ 039 53 36 N / 086 11 55 W From spamcop at tinaja.mailshell.com Thu Sep 8 17:07:48 2005 From: spamcop at tinaja.mailshell.com (John Wilson) Date: Thu Sep 8 19:10:03 2005 Subject: [SpamCop-List] Re: I'm blacklisted - no troubleshooting information available! References: <1h2kz37.18kvjll1c1zyuyN%panoptes@iquest.net> Message-ID: The IP address of our firewall is 69.29.1.141. "Daniel W. Johnson" wrote in message news:1h2kz37.18kvjll1c1zyuyN%panoptes@iquest.net... > John Wilson wrote: > >> We're suddenly blacklisted, and spamcop won't give me any good >> information >> to troubleshoot with. All it shows is 3 links basically saying "It could >> be >> anything - you're on your own". >> >> We're running up-to-date virus/spyware scanners on every machine in the >> network, including the exchange server, and none of them are reporting >> infections. The exchange server has blocked a lot of attachments tho. >> There are no autoresponders set up and the server doesn't allow relaying. >> At this point I have no idea what to look for. Is there any way to get >> useful information about what exactly triggered the blacklisting? > > There might be. But all possbilities require the IP address of the > "blocked" sender. > -- > Daniel W. Johnson > panoptes@iquest.net > http://members.iquest.net/~panoptes/ > 039 53 36 N / 086 11 55 W From spamcop at tinaja.mailshell.com Thu Sep 8 17:12:51 2005 From: spamcop at tinaja.mailshell.com (John Wilson) Date: Thu Sep 8 19:15:03 2005 Subject: [SpamCop-List] Re: I'm blacklisted - no troubleshooting information available! References: <1h2kzba.8sve3k1ft40ckN%panoptes@iquest.net> Message-ID: We're behind a firewall and if there is a loose virus or trojan in the network Trend Micro can't find it. No auto-responders and no one is sending spam. Not sure what else you may be asking. 
I want to know exactly what triggered the black listing so I know where to look, not a list of a hundred things it may have been. I've spent the past couple days working on this and I can't find any obvious problems. Working blind is very frustrating. "Daniel W. Johnson" wrote in message news:1h2kzba.8sve3k1ft40ckN%panoptes@iquest.net... > John Wilson wrote: > >> We're suddenly blacklisted, and spamcop won't give me any good >> information >> to troubleshoot with. All it shows is 3 links basically saying "It could >> be >> anything - you're on your own". >> >> We're running up-to-date virus/spyware scanners on every machine in the >> network, including the exchange server, and none of them are reporting >> infections. The exchange server has blocked a lot of attachments tho. >> There are no autoresponders set up and the server doesn't allow relaying. >> At this point I have no idea what to look for. Is there any way to get >> useful information about what exactly triggered the blacklisting? > > Additional note: What results do you get when you apply the answers from > http://forum.spamcop.net/forums/index.php?showtopic=972 ? > -- > Daniel W. Johnson > panoptes@iquest.net > http://members.iquest.net/~panoptes/ > 039 53 36 N / 086 11 55 W From porpoise1954 at yahoo.co.uk Fri Sep 9 01:35:09 2005 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Thu Sep 8 19:40:03 2005 Subject: [SpamCop-List] Re: I'm blacklisted - no troubleshooting information available! References: <1h2kz37.18kvjll1c1zyuyN%panoptes@iquest.net> Message-ID: "John Wilson" wrote in message news:dfqg8j$pbk$1@news.spamcop.net... > The IP address of our firewall is 69.29.1.141. > Seems to belong to: 69.29.1.141 PTR record: pppoe-69-29-1-141-rb.vcr.centurytel.net. [TTL 604800s] [A=69.29.1.141] OrgName: CenturyTel Internet Holdings, Inc. OrgID: CIH-12 Address: 100 CenturyTel Drive City: Monroe StateProv: LA PostalCode: 71201 Country: US Looks like a DSL connection?? 
(pppoe) and is currently listed: http://www.dnsbl.net.au/lookup/?69.29.1.141 http://psbl.surriel.com/listing?ip=69.29.1.141 http://www.spamcop.net/bl.shtml?69.29.1.141 = http://www.spamcop.net/w3m?action=blcheck&ip=69.29.1.141 http://www.uceprotect.net/en/index.php http://wpbl.pc9.org/cgi-bin/record?ip=69.29.1.141 Doesn't seem to have yet got itself listed at Spamhaus But aside from all that, WTF is an exchange server doing on a DSL connection trying to act as a mailserver? From porpoise1954 at yahoo.co.uk Fri Sep 9 01:47:10 2005 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Thu Sep 8 19:50:06 2005 Subject: [SpamCop-List] Re: I'm blacklisted - no troubleshooting information available! References: <1h2kzba.8sve3k1ft40ckN%panoptes@iquest.net> Message-ID: "John Wilson" wrote in message news:dfqgi3$pl2$1@news.spamcop.net... > We're behind a firewall and if there is a loose virus or trojan in the > network Trend Micro can't find it. No auto-responders and no one is > sending spam. Not sure what else you may be asking. > > I want to know exactly what triggered the black listing so I know where to > look, not a list of a hundred things it may have been. I've spent the > past couple days working on this and I can't find any obvious problems. > Working blind is very frustrating. Perhaps this will shed some light......... http://www.google.co.uk/search?num=20&hl=en&safe=off&q=Exchange+server+email+problems+spam&btnG=Search&meta= It's kinda why most people consider that an Exchange server shouldn't be trying to be a mailserver on a DSL connection (or any other connection for that matter - unless the admin *REALLY* knows what they're doing....). From nobody at devnull.spamcop.net Thu Sep 8 19:49:14 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Thu Sep 8 19:50:18 2005 Subject: [SpamCop-List] Re: I'm blacklisted - no troubleshooting information available! 
References: <1h2kz37.18kvjll1c1zyuyN%panoptes@iquest.net> Message-ID: "John Wilson" wrote in message news:dfqg8j$pbk$1@news.spamcop.net... > > "Daniel W. Johnson" wrote in message > news:1h2kz37.18kvjll1c1zyuyN%panoptes@iquest.net... > > John Wilson wrote: > > > >> At this point I have no idea what to look for. Is there any way to get > >> useful information about what exactly triggered the blacklisting? > > > > There might be. But all possibilities require the IP address of the > > "blocked" sender. > > The IP address of our firewall is 69.29.1.141. Not exactly sure why you'd offer up the IP of a firewall, but ... http://www.spamcop.net/w3m?action=checkblock&ip=69.29.1.141 states both spamtrap hits and complaints. Complaints would have gone to (have you talked to them?) "whois 69.29.1.141@whois.arin.net" (Getting contact from whois.arin.net ) Found AbuseEmail in whois abuse@centurytel.net 69.29.0.0 - 69.29.255.255:abuse@centurytel.net http://www.senderbase.org/?searchBy=ipaddress&sb=1&searchString=69.29.1.141 shows quite a ramp-up in traffic ... do you know why? Volume Statistics for this IP Magnitude Vol Change vs. Average Last day ......... 3.8 ..... 902% Last 30 days .. 3.6 ..... 556% Average ......... 2.8 One could assume fallout from Katrina, but ...??? Numbers like this usually suggest that the server is now "owned" ... As stated in another post, there is much data provided in the SpamCop FAQ, either on the www.spamcop.net page via the Help link ,,, a single-page entry point at <http://forum.spamcop.net/forums/index.php?showtopic=2238> a bit of a web-page at http://forum.spamcop.net/forums/index.php?act=home whatever your preference .. just stating that help is out there .... From spamcop at tinaja.mailshell.com Thu Sep 8 17:56:37 2005 From: spamcop at tinaja.mailshell.com (John Wilson) Date: Thu Sep 8 20:00:02 2005 Subject: [SpamCop-List] Re: I'm blacklisted - no troubleshooting information available!
References: <1h2kz37.18kvjll1c1zyuyN%panoptes@iquest.net> Message-ID: It's a business DSL connection. DSL is not for home use only.... "Porpoise" wrote in message news:dfqhth$qcv$1@news.spamcop.net... > > "John Wilson" wrote in message > news:dfqg8j$pbk$1@news.spamcop.net... >> The IP address of our firewall is 69.29.1.141. >> > > Seems to belong to: > > 69.29.1.141 PTR record: pppoe-69-29-1-141-rb.vcr.centurytel.net. [TTL > 604800s] [A=69.29.1.141] > > > OrgName: CenturyTel Internet Holdings, Inc. > OrgID: CIH-12 > Address: 100 CenturyTel Drive > City: Monroe > StateProv: LA > PostalCode: 71201 > Country: US > > Looks like a DSL connection?? (pppoe) > and is currently listed: > > http://www.dnsbl.net.au/lookup/?69.29.1.141 > http://psbl.surriel.com/listing?ip=69.29.1.141 > http://www.spamcop.net/bl.shtml?69.29.1.141 = > http://www.spamcop.net/w3m?action=blcheck&ip=69.29.1.141 > http://www.uceprotect.net/en/index.php > http://wpbl.pc9.org/cgi-bin/record?ip=69.29.1.141 > > Doesn't seem to have yet got itself listed at Spamhaus > > But aside from all that, WTF is an exchange server doing on a DSL > connection trying to act as a mailserver? > > From anthony.edwards at uk.easynet.net Fri Sep 9 01:30:56 2005 From: anthony.edwards at uk.easynet.net (Anthony Edwards) Date: Thu Sep 8 20:35:03 2005 Subject: [SpamCop-List] Re: I'm blacklisted - no troubleshooting information available! References: <1h2kzba.8sve3k1ft40ckN%panoptes@iquest.net> Message-ID: On Thu, 8 Sep 2005 16:12:51 -0700, John Wilson wrote: > We're behind a firewall and if there is a loose virus or trojan in the > network Trend Micro can't find it. No auto-responders and no one is sending > spam. A recommendation. Configure the firewall to (if only temporarily) block all outbound destination TCP port 25 (SMTP) traffic except that originating from the Exchange Server on your network. Configure the firewall to also log the blocked traffic. 
Instruct your local users not to send any outbound email for the time being, except via your Exchange Server or using webmail interfaces (i.e. if they are running Outlook Express or similar desktop clients to send personal mail, tell them that they will not be able to do so until this issue is resolved). The above should enable you to quickly and easily identify the transmitting host(s) by reference to the firewall logs, assuming of course that the machine hosting the Exchange Server is not the culprit. If none are found, the machine hosting the Exchange Server may be the culprit. In that scenario, temporarily block outbound mail at the firewall from the IP address of the Exchange Server machine also, whilst simultaneously shutting down the Exchange service. If mail still flows from the machine (identified by the firewall logging blocked traffic) when the Exchange service is shut down, then the machine probably hosts Trojan malware and/or a "spam zombie" engine of some sort. Finally, running AV software (however good) and/or spyware detection software etc may not detect the type of system administrator level operating system compromise now prevalent. If a machine is believed to be compromised at that level, by far the best course is to follow the given in the CERT Coordination Center document "Steps for Recovering from a UNIX or NT System Compromise" which is available at: http://www.cert.org/tech_tips/root_compromise.html i.e. rebuild and secure the machine comprehensively. Remember that, although Unsolicited Bulk Email transmission is the current external manifestation of the problem, of far greater concern to you as a business should be the security considerations.
In the event that you do have a compromised host or hosts on your network, remote intruders may have gained system administrator level access to the machine or machines in question, and all data that they contain (together with all data contained on machines to which they have trusted access) should be considered to be at risk. I hope this helps. -- Anthony Edwards * anthony.edwards@uk.easynet.net Abuse Team Manager * Tel: 0800 053 0588 Easynet Ltd * DDI: 0161 227 0707 http://www.uk.easynet.net * Fax: 0845 333 4503 From panoptes at iquest.net Thu Sep 8 21:18:51 2005 From: panoptes at iquest.net (Daniel W. Johnson) Date: Thu Sep 8 21:20:03 2005 Subject: [SpamCop-List] Re: I'm blacklisted - no troubleshooting information available! References: <1h2kzba.8sve3k1ft40ckN%panoptes@iquest.net> Message-ID: <1h2l6he.8tl95k1v29zf8N%panoptes@iquest.net> John Wilson wrote: > We're behind a firewall and if there is a loose virus or trojan in the > network Trend Micro can't find it. No auto-responders and no one is sending > spam. Not sure what else you may be asking. > > I want to know exactly what triggered the black listing so I know where to > look, not a list of a hundred things it may have been. I've spent the past > couple days working on this and I can't find any obvious problems. Working > blind is very frustrating. I don't know whether you are large enough to qualify for reports at http://www.spamcop.net/fom-serve/cache/94.html ; I assume you aren't in a position to have seen previous reports to abuse@centurytel.net . Is http://psbl.surriel.com/evidence?ip=69.29.1.141&action=Check+evidence the sort of thing you are looking for? -- Daniel W. 
Johnson panoptes@iquest.net http://members.iquest.net/~panoptes/ 039 53 36 N / 086 11 55 W From JG at coks.net Thu Sep 8 19:37:39 2005 From: JG at coks.net (JG) Date: Thu Sep 8 21:40:03 2005 Subject: [SpamCop-List] Re: Cleaning up and preventing malware (was mypctuneup.com) In-Reply-To: References: <431F9765.48D77304@SpamCop.net.dev.null> Message-ID: On 9/8/2005 9:34 AM Mike Easter scribbled: > I keep watching ebay for a good deal for a legit, but the deals haven't > been good enough to motivate me to buy one. For experimental hobby > purposes, of course. :-) One of my Monday Night Football crew is a reseller with a drawer full of CDs - let me know and I can get you one if you'd like... From nospam at dev.null Fri Sep 9 05:10:05 2005 From: nospam at dev.null (No Spam) Date: Thu Sep 8 22:15:29 2005 Subject: [SpamCop-List] Re: I'm blacklisted - no troubleshooting information available! In-Reply-To: <1h2l6he.8tl95k1v29zf8N%panoptes@iquest.net> References: <1h2kzba.8sve3k1ft40ckN%panoptes@iquest.net> <1h2l6he.8tl95k1v29zf8N%panoptes@iquest.net> Message-ID: Daniel W. Johnson wrote: > John Wilson wrote: > > >>We're behind a firewall and if there is a loose virus or trojan in the >>network Trend Micro can't find it. No auto-responders and no one is sending >>spam. Not sure what else you may be asking. >> >>I want to know exactly what triggered the black listing so I know where to >>look, not a list of a hundred things it may have been. I've spent the past >>couple days working on this and I can't find any obvious problems. Working >>blind is very frustrating. > > > I don't know whether you are large enough to qualify for reports at > http://www.spamcop.net/fom-serve/cache/94.html ; I assume you aren't in > a position to have seen previous reports to abuse@centurytel.net . > > Is http://psbl.surriel.com/evidence?ip=69.29.1.141&action=Check+evidence > the sort of thing you are looking for? WELL WELL. Now I'm cheesed off. 
This spammy has been at it a long time with his fake whois details. Fact is I started reporting him as far back as April direct to Yesnic, also via WDPRS. Uses this set of details, one "borrowed" set in the middle east, one South African set and one Japanese set. I have escalated to ICANN more than once. Whois is proven to be wrong. Yesnic STILL allows him to register, then after a day or so, once the damage is done, they cancel and put on hold. Fact is it takes time to work through the system before the domains dies, exactly what spammy wants. I am now more sure than ever that Yesnic is in cahoots. Note this info is a new domain. Thx for this info. Serious capitalized LART on the way to Yesnic via ICANN. Time for them to lose their deposit I hope. For a good measure going to the newsgroups now. This A***HOLE lowlife slimeball degenerating amoeba has been a regular visitor in my mailbox, a P1+++ priority treatment case. Daniel: I suggest you contact Yesnic, asking for the owner details. When they refer to whois details, tell them they are fake and they know it and you have proof they know it. You have my 1001% support. If you need assistance and proof of gross negligence on the part of Yesnic, say the word. You have it lock, stock and barrel. I have your PM bookmarked. Else mail me at skollie at mighty dot co dot za Plenty mails to Yesnic, plenty WDPRS reports, a copy or two of reports via whois registrar problem reports. Domain Name: CHOICALSORIPENUP.COM Registrar: YESNIC CO. LTD.
Whois Server: whois.yesnic.com Referral URL: http://www.yesnic.com Name Server: NS0.QUADNERO.COM Name Server: NS0.SERVINJON.COM Status: ACTIVE Updated Date: 08-sep-2005 Creation Date: 08-sep-2005 Expiration Date: 08-sep-2006 --- contacting server whois.yesnic.com ----------------------------------------------- Queried Domain Information as follows ----------------------------------------------- Domain Name : choicalsoripenup.com ::Registrant:: Name : Hector R Fortys Email : hector_r_fortys@yahoo.com Address : Calle Jose Marti #56 Floral Park Zipcode : 00918 Nation : PR Tel : 787-565-512 Fax : ::Administrative Contact:: Name : Hector R Fortys Email : hector_r_fortys@yahoo.com Address : Calle Jose Marti #56 Floral Park Zipcode : 00918 Nation : PR Tel : 787-565-512 Fax : ::Technical Contact:: Name : Hector R Fortys Email : hector_r_fortys@yahoo.com Address : Calle Jose Marti #56 Floral Park Zipcode : 00918 Nation : PR Tel : 787-565-512 Fax : ::Name Servers:: ns0.quadnero.com ns0.servinjon.com ::Dates & Status:: Created Date 2005-09-08 09:24:43 EDT Updated Date 2005-09-08 09:24:43 EDT Valid Date 2006-09-08 09:24:43 EDT Status ACTIVE From panoptes at iquest.net Thu Sep 8 22:31:14 2005 From: panoptes at iquest.net (Daniel W. Johnson) Date: Thu Sep 8 22:35:03 2005 Subject: [SpamCop-List] Re: I'm blacklisted - no troubleshooting information available! References: <1h2kzba.8sve3k1ft40ckN%panoptes@iquest.net> <1h2l6he.8tl95k1v29zf8N%panoptes@iquest.net> Message-ID: <1h2lade.cz3hjsj93mhgN%panoptes@iquest.net> No Spam wrote: > Daniel: I suggest you contact Yesnic, asking for the owner details. I think you have me confused with John Wilson (the one whose mail is actually getting blocked because of things like this). -- Daniel W. 
Johnson panoptes@iquest.net http://members.iquest.net/~panoptes/ 039 53 36 N / 086 11 55 W From nospam at dev.null Fri Sep 9 05:33:32 2005 From: nospam at dev.null (No Spam) Date: Thu Sep 8 22:35:14 2005 Subject: [SpamCop-List] Re: I'm blacklisted - no troubleshooting information available! In-Reply-To: References: <1h2kzba.8sve3k1ft40ckN%panoptes@iquest.net> <1h2l6he.8tl95k1v29zf8N%panoptes@iquest.net> Message-ID: Mail, ONCE AGAIN RE THIS PARTICULAR party using Yesnic, to ICANN via the Registrar Problem system at http://reports.internic.net/cgi/registrars/problem-report.cgi Just once again proof that we theoretically have the mechanisms, but they are not working because the parties responsible for them do not apply them. How many reports does it take? Will find a freebie web page to set up on this issue with history etc. --------------------------------------------------------------- Dear ICANN staff Please review reports re Yesnic and this party. Below the newest abuse committed with false whois details. Yesnic deems to most definitely be not acting in the spirit of their agreement. Also see previous reports via this same mechanism on this issue. Also see copies of correspondence sent to Yesnic I have submitted. I am now ready to take issue on this matter on whichever forum I deem necessary. I suggest ICANN reviews their previous actions on this matter and advise me as to any actions taken. Any mail (or fact of non mail) is going to be published on the internet to let the internet community at large decide as to the efficiency of the mechanisms involved. Obviously whatever has been done in this matter has not been effective. Below portion of thread in the spamcop newsgroup speaks for itself. Note that this is the sole purpose for which this party is abusing the whois system, apparently with Yesnic's full support.
-------------------------------------------------- -------- Original Message -------- Path: news.spamcop.net!not-for-mail From: No Spam Newsgroups: spamcop Subject: Re: I'm blacklisted - no troubleshooting information available! Date: Fri, 09 Sep 2005 04:10:05 +0200 Organization: SpamCop Lines: 118 Message-ID: References: <1h2kzba.8sve3k1ft40ckN%panoptes@iquest.net> <1h2l6he.8tl95k1v29zf8N%panoptes@iquest.net> NNTP-Posting-Host: wbs-196-2-123-20.wbs.co.za Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Trace: news.spamcop.net 1126231810 475 196.2.123.20 (9 Sep 2005 02:10:10 GMT) X-Complaints-To: news@news.spamcop.net NNTP-Posting-Date: Fri, 9 Sep 2005 02:10:10 +0000 (UTC) User-Agent: Mozilla Thunderbird 1.0.2 (Windows/20050317) X-Accept-Language: en-us, en In-Reply-To: <1h2l6he.8tl95k1v29zf8N%panoptes@iquest.net> Xref: news.spamcop.net spamcop:150530 Daniel W. Johnson wrote: > John Wilson wrote: > > >>We're behind a firewall and if there is a loose virus or trojan in the >>network Trend Micro can't find it. No auto-responders and no one is sending >>spam. Not sure what else you may be asking. >> >>I want to know exactly what triggered the black listing so I know where to >>look, not a list of a hundred things it may have been. I've spent the past >>couple days working on this and I can't find any obvious problems. Working >>blind is very frustrating. > > > I don't know whether you are large enough to qualify for reports at > http://www.spamcop.net/fom-serve/cache/94.html ; I assume you aren't in > a position to have seen previous reports to abuse@centurytel.net . > > Is http://psbl.surriel.com/evidence?ip=69.29.1.141&action=Check+evidence > the sort of thing you are looking for? WELL WELL. Now I'm cheesed off. This spammy has been at it a long time with his fake whois details. Fact is I started reporting him as far back as April direct to Yesnic, also via WDPRS. 
Uses this set of details, one "borrowed" set in the middle east, one South African set and one Japanese set. I have escalated to ICANN more than once. Whois is proven to be wrong. Yesnic STILL allows him to register, then after a day or so, once the damage is done, they cancel and put on hold. Fact is it takes time to work through the system before the domains dies, exactly what spammy wants. I am now more sure than ever that Yesnic is in cahoots. Note this info is a new domain.

Thx for this info. Serious capitalized LART on the way to Yesnic via ICANN. Time for them to lose their deposit I hope. For a good measure going to the newsgroups now. This A***HOLE lowlife slimeball degenerating amoeba has been a regular visitor in my mailbox, a P1+++ priority treatment case.

Daniel: I suggest you contact Yesnic, asking for the owner details. When they refer to whois details, tell them they are fake and they know it and you have proof they know it. You have my 1001% support. If you need assistance and proof of gross negligence on the part of Yesnic, say the word. You have it lock, stock and barrel. I have your PM bookmarked. Else mail me at skollie at mighty dot co dot za

Plenty mails to Yesnic, plenty WDPRS reports, a copy or two of reports via whois registrar problem reports.

Domain Name: CHOICALSORIPENUP.COM
Registrar: YESNIC CO. LTD.
Whois Server: whois.yesnic.com Referral URL: http://www.yesnic.com Name Server: NS0.QUADNERO.COM Name Server: NS0.SERVINJON.COM Status: ACTIVE Updated Date: 08-sep-2005 Creation Date: 08-sep-2005 Expiration Date: 08-sep-2006 --- contacting server whois.yesnic.com ----------------------------------------------- Queried Domain Information as follows ----------------------------------------------- Domain Name : choicalsoripenup.com ::Registrant:: Name : Hector R Fortys Email : hector_r_fortys@yahoo.com Address : Calle Jose Marti #56 Floral Park Zipcode : 00918 Nation : PR Tel : 787-565-512 Fax : ::Administrative Contact:: Name : Hector R Fortys Email : hector_r_fortys@yahoo.com Address : Calle Jose Marti #56 Floral Park Zipcode : 00918 Nation : PR Tel : 787-565-512 Fax : ::Technical Contact:: Name : Hector R Fortys Email : hector_r_fortys@yahoo.com Address : Calle Jose Marti #56 Floral Park Zipcode : 00918 Nation : PR Tel : 787-565-512 Fax : ::Name Servers:: ns0.quadnero.com ns0.servinjon.com ::Dates & Status:: Created Date 2005-09-08 09:24:43 EDT Updated Date 2005-09-08 09:24:43 EDT Valid Date 2006-09-08 09:24:43 EDT Status ACTIVE From nospam at dev.null Fri Sep 9 05:51:58 2005 From: nospam at dev.null (No Spam) Date: Thu Sep 8 22:55:03 2005 Subject: [SpamCop-List] Re: I'm blacklisted - no troubleshooting information available! In-Reply-To: <1h2lade.cz3hjsj93mhgN%panoptes@iquest.net> References: <1h2kzba.8sve3k1ft40ckN%panoptes@iquest.net> <1h2l6he.8tl95k1v29zf8N%panoptes@iquest.net> <1h2lade.cz3hjsj93mhgN%panoptes@iquest.net> Message-ID: Daniel W. Johnson wrote: > No Spam wrote: > > >>Daniel: I suggest you contact Yesnic, asking for the owner details. > > > I think you have me confused with John Wilson (the one whose mail is > actually getting blocked because of things like this). Apologies. Was concentrating on all the other actions put in motion :-) Wartime! 
Cheers From nobody at spamcop.net Fri Sep 9 00:42:19 2005 From: nobody at spamcop.net (Ellen) Date: Thu Sep 8 23:50:04 2005 Subject: [SpamCop-List] Re: I'm blacklisted - no troubleshooting information available! References: Message-ID: "John Wilson" wrote in message news:dfqcse$n62$1@news.spamcop.net... > We're suddenly blacklisted, and spamcop won't give me any good information > to troubleshoot with. All it shows is 3 links basically saying "It could be > anything - you're on your own". > > We're running up-to-date virus/spyware scanners on every machine in the > network, including the exchange server, and none of them are reporting > infections. The exchange server has blocked a lot of attachments tho. > There are no autoresponders set up and the server doesn't allow relaying. > At this point I have no idea what to look for. Is there any way to get > useful information about what exactly triggered the blacklisting? > > Replied via email. Ellen SpamCop From SC.10.myspamgobbler at spamcowboy.net Thu Sep 8 22:34:12 2005 From: SC.10.myspamgobbler at spamcowboy.net (Brian) Date: Fri Sep 9 00:35:05 2005 Subject: [SpamCop-List] Humor: MCI's clueful abuse desk Message-ID: Auto-ack received from a SpamCop report: I am currently out of the office on holiday, and will be back at work on Monday 12 September 2005. I will not be contactable by telephone or e-mail. Any day to day queries will be handed by the Netherlands Abuse Team who can be contacted on 00 31 203147914. If you have any urgent issues please contact my manager Bruce Haig, whose contact number is 00 49 69 97268 6899. 
Kind Regards Marta Grant UK MCI Abuse Team -- Brian SC.10.myspamgobbler@spamcowboy.net From pete+usenet at heypete.com Thu Sep 8 22:41:45 2005 From: pete+usenet at heypete.com (Pete Stephenson) Date: Fri Sep 9 00:45:02 2005 Subject: [SpamCop-List] Re: Humor: MCI's clueful abuse desk References: Message-ID: In article , Brian wrote: > [abuse desk admin]: I will not be contactable by telephone or e-mail. Sounds like a proper Bastard abuse desk admin. :) That said, isn't UUNet-UK and UUNet-NL generally pretty good when it comes to abuse? -- Pete Stephenson HeyPete.com From nobody at nowhere.invalid Fri Sep 9 08:42:34 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Fri Sep 9 01:45:03 2005 Subject: [SpamCop-List] Re: Brazilian Cert.br References: <43201D01.9D22DD7F@SpamCop.net.dev.null> Message-ID: On Thu, 08 Sep 2005 23:47:29 +0200, No Spam coughed into spamcop and left this in : > This may cause the exercise to become a waste of time. As if it isn't already... > However, please be careful and protect yourself from retaliation when > it comes to even supposedly reputable .br domains. IME there's no such thing as a reputable .br domain. -- Steve Politics is the ability to foretell what is going to happen tomorrow, next week, next month and next year. And to have the ability afterwards to explain why it didn't happen. -- Winston Churchill From nobody at nowhere.invalid Fri Sep 9 08:46:25 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Fri Sep 9 01:50:03 2005 Subject: [SpamCop-List] Re: Humor: MCI's clueful abuse desk References: Message-ID: On Thu, 08 Sep 2005 21:41:45 -0700, Pete Stephenson coughed into spamcop and left this in : > That said, isn't UUNet-UK and UUNet-NL generally pretty good when it > comes to abuse? Most of UUNet is *VERY* good at abuse... -- Steve "Here, Outlook Express, run this program!" "Okay, stranger." 
From pete+usenet at heypete.com Fri Sep 9 00:16:35 2005 From: pete+usenet at heypete.com (Pete Stephenson) Date: Fri Sep 9 02:20:02 2005 Subject: [SpamCop-List] Re: Humor: MCI's clueful abuse desk References: Message-ID: In article , Steven Maesslein wrote: > Most of UUNet is *VERY* good at abuse... Touché. -- Pete Stephenson HeyPete.com From hwolfe at spamcop.net Fri Sep 9 07:25:46 2005 From: hwolfe at spamcop.net (Herb Wolfe) Date: Fri Sep 9 07:25:35 2005 Subject: [SpamCop-List] Re: AOL Bouncing Our Mail In-Reply-To: References: <1sjth1t102oep96qaa237dsqv4h3a6dj9l@4ax.com> Message-ID: Anthony Edwards wrote: > On Wed, 7 Sep 2005 12:07:06 +0000 (UTC), Anthony Edwards > wrote: > > >>My guess would be that, for whatever reason, AOL are currently blocking >>all mail with URLs containing "http://www.spamcop.net/". > > > Further to this, I have just re-sent the email in question, this time > removing the included "http://www.spamcop.net/sc?*" URL from the body > text of the email in question. > > No rejection message this time from AOL and it therefore appears that > both this latest transmission attempt has been accepted, and that my > hypothesis above is likely to be correct. > Close. Actually it's just the spamcop.net text at most. I sent an e-mail to my mom the other day that was bounced. Snipped my .sig which had my url and spamcop e-mail address, and it went through fine. AOL's email admins seem rather incompetent, and not just due to this. She was telling me how she has trouble getting email from recipe mailing lists she's on, even after adding another screen name. 
From MikeE at ster.invalid Fri Sep 9 06:51:19 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri Sep 9 08:55:04 2005 Subject: [SpamCop-List] Re: AOL Bouncing Our Mail References: <1sjth1t102oep96qaa237dsqv4h3a6dj9l@4ax.com> Message-ID: SpamCop Admin wrote: > I got a notice from AOL that they have whitelisted our servers, so I'm > assuming that code has been implemented, which is why our mail is no > longer bouncing. I wonder what it is about their configuration or filter rules that causes them to /need/ to whitelist the servers; that is, what filter rule is doing the 'catching' that has to be whitelisted against/for? - -- Mike Easter kibitzer, not SC admin From geary at eris.io.com Fri Sep 9 15:18:45 2005 From: geary at eris.io.com (Mark Geary) Date: Fri Sep 9 10:20:03 2005 Subject: [SpamCop-List] What does "Administrator interested in intermediary handling of spam" mean? Message-ID: I submitted a spam report for an email that had passed through a mailing list. As far as I can tell, the original source of the spam was still identifiable and a note was sent there. But in addition, spamcop suggested email to "Administrator interested in intermediary handling of spam" which was the postmaster at the site where the mailing list is hosted. My question is, is the email to them the only thing that happens, or is their ip address added to a list of bad people somewhere? Mark Geary -- "It's going to be a tough one Sam...Ziggy hasn't got a clue and the guy in the waiting room keeps asking me if I want a jelly baby." From Kilgallen at SpamCop.net Fri Sep 9 10:46:36 2005 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Fri Sep 9 10:50:04 2005 Subject: [SpamCop-List] Re: What does "Administrator interested in intermediary handling of spam" mean? References: Message-ID: In article , geary@eris.io.com (Mark Geary) writes: > My question is, is the email to them the only thing that happens, or > is their ip address added to a list of bad people somewhere? 
Historically, SpamCop does not penalize those who ask to be informed of issues. It should have no effect other than informing them. From MikeE at ster.invalid Fri Sep 9 08:50:34 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri Sep 9 10:55:04 2005 Subject: [SpamCop-List] Re: What does "Administrator interested in intermediary handling of spam" mean? References: Message-ID: Mark Geary wrote: > I submitted a spam report for an email that had passed through a > mailing list. You are describing something that you could have posted the tracker for, and then we could see it. That would make it easier to answer any questions about something we can't see. Descriptions are never equal to the real thing. This is a tracker and its environs. Here is your TRACKING URL - it may be saved for future reference: http://www.spamcop.net/sc?id=z804509426z43af8149fc7b9ad838d123407ce1c8d0z The best way to talk about anything that involves a message you have seen and want to talk about is to post that tracker. The way to get the tracker is to submit the item to the parser, copy the tracker from the top of the page, and cancel the report if it has already been reported. As a general rule, you should *not* be submitting mailing list spam, according to the rules you were to have read when you signed up at http://www.spamcop.net/fom-serve/cache/14.html On what type of email should I (not) use SpamCop? -- Spam sent to mailing lists The problem with mailing list spam is that it can result in the reporting of the mailing list server, who should not be reported or counted as the source for the spam -- but instead you should "send a note to the list owner who can block the source from sending to the list or take responsibility for reporting the spam themselves." 
-- Mike Easter kibitzer, not SC admin From nobody at nowhere.invalid Fri Sep 9 17:57:47 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Fri Sep 9 11:00:03 2005 Subject: [SpamCop-List] Re: AOL Bouncing Our Mail References: <1sjth1t102oep96qaa237dsqv4h3a6dj9l@4ax.com> Message-ID: On Fri, 09 Sep 2005 03:39:58 -0600, SpamCop Admin coughed into spamcop and left this in : > The other issue about them bouncing mail with an all-caps subject line > also appears to have been corrected. Wha....!!! AOL refusing mail with all-caps subjects?..... *SPLORF!* http://ars.userfriendly.org/cartoons/?id=20010820&mode=classic -- Steve Why is it that people say they slept like a baby when babies wake up every two hours? From blacklist-me at davjam.org Fri Sep 9 17:36:35 2005 From: blacklist-me at davjam.org (David Bolt) Date: Fri Sep 9 11:40:03 2005 Subject: [SpamCop-List] Re: ISPs in London References: Message-ID: <7yBOw81DwaIDFwSG@dev.null.davjam.org> On Thu, 8 Sep 2005, John Smith wrote:- >I'm in London and I'm going to get ADSL. Can anyone recommend any >spam-hostile ISPs in London (or, alternatively, un-recommend a >spam-friendly ISP). > >Note that I'm not worried about receiving spam. Instead, I want to >reward an ISP that is vigilant about preventing spam. Have a look at for a list of the ADSL supporting ISPs, then you can compare the features, costs, restrictions, etc. and have a look in the forums to see what their customers think. Then, after that, it's a just a case of checking the ones you picked out as the ones you're interested in to see what their reputations are like. From looking at the threads in NANAE, Tiscali and Wanadoo are good ones to avoid. There are probably others that would be good to avoid, as others will likely point out. My ISP is Demon and, while they aren't the best in the accounts department[0], they aren't spam-friendly. Easynet is is another that I would call spam-unfriendly[1]. 
[0] Some people[2] have had problems with them, often not taking payments, although the vast majority don't suffer from this failing. [1] Having only seen a very few spams passing through their system and received positive, and individual, responses to complaints. [2] Myself included. They needed a little prodding to get the direct debit set up properly when I swapped from credit card to direct debit payments. Eventually took 6 months, and me phoning them to before they finally took the payments due. Since then, there's been no problem in that department. Regards, David Bolt -- Member of Team Acorn checking nodes at 63 Mnodes/s: http://www.distributed.net/ AMD 1800 1Gb WinXP/SuSE 9.3 | AMD 2400 160Mb SuSE 8.1 | AMD 2400 256Mb SuSE 9.0 AMD 1300 512Mb SuSE 9.0 | Falcon 14Mb TOS 4.02 | STE 4Mb TOS 1.62 RPC600 129Mb RISCOS 3.6 | A3010 4Mb RISCOS 3.11 | A4000 4Mb RISCOS 3.11 From nobody at spamcop.net Fri Sep 9 11:24:29 2005 From: nobody at spamcop.net (Ellen) Date: Fri Sep 9 15:50:03 2005 Subject: [SpamCop-List] Re: What does "Administrator interested in intermediary handling of spam" mean? References: Message-ID: "Mark Geary" wrote in message news:dfs5k5$qki$1@news.spamcop.net... > > > My question is, is the email to them the only thing that happens, or > is their ip address added to a list of bad people somewhere? > The only thing that happens is that they get a "relaying" report. Ellen SpamCop From geary at eris.io.com Fri Sep 9 22:14:20 2005 From: geary at eris.io.com (Mark Geary) Date: Fri Sep 9 17:15:15 2005 Subject: [SpamCop-List] Re: What does "Administrator interested in intermediary handling of spam" mean? References: Message-ID: In article , Mike Easter wrote: < Mark Geary wrote: < < > I submitted a spam report for an email that had passed through a < > mailing list. < < You are describing something that you could have posted the tracker for, < and then we could see it. That would make it easier to answer any Ah, right. I think is what you are asking for. 
< As a general rule, you should *not* be submitting mailing list spam, < according to the rules you were to have read when you signed up at < http://www.spamcop.net/fom-serve/cache/14.html On what type of email < should I (not) use SpamCop? -- Spam sent to mailing lists < < The problem with mailing list spam is that it can result in the < reporting of the mailing list server, who should not be reported or < counted as the source for the spam -- but instead you should "send a < note to the list owner who can block the source from sending to the list < or take responsibility for reporting the spam themselves." If I understand the other replies to my post, the mailing list owner was not reported as a spammer, but was notified that spam passed through the list. Mark Geary -- "It's going to be a tough one Sam...Ziggy hasn't got a clue and the guy in the waiting room keeps asking me if I want a jelly baby." From nospam at dev.null Sat Sep 10 00:41:36 2005 From: nospam at dev.null (No Spam) Date: Fri Sep 9 17:45:04 2005 Subject: [SpamCop-List] Re: Brazilian Cert.br In-Reply-To: References: <43201D01.9D22DD7F@SpamCop.net.dev.null> Message-ID: Steven Maesslein wrote: > On Thu, 08 Sep 2005 23:47:29 +0200, No Spam coughed into spamcop and > left this in : > > >>This may cause the exercise to become a waste of time. > > > As if it isn't already... > > >>However, please be careful and protect yourself from retaliation when >>it comes to even supposedly reputable .br domains. > > > IME there's no such thing as a reputable .br domain. > Statistically speaking, there "should" be at least one, no matter what I personally believe ....? From MikeE at ster.invalid Fri Sep 9 16:17:55 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri Sep 9 18:20:04 2005 Subject: [SpamCop-List] Re: What does "Administrator interested in intermediary handling of spam" mean? 
References:
Message-ID:

Mark Geary wrote:

> www.spamcop.net/sc?id=z802257279z20c66f9227725e940aba303f2232a93bz>
> is what you are asking for.

Correct; it also tells the story of how the reports were sent. Lotsa received lines in there.

Abbreviated Received lines

from zaxxon.io.com ([209.198.128.81]) by postoffice.prismnet.com
from c62.cesmail.net (c62.cesmail.net [216.154.195.54]) by zaxxon.io.com
from unknown (HELO blade5.cesmail.net) ([192.168.1.215]) by c62.cesmail.net
from unknown (192.168.1.101) by blade5.cesmail.net
from alias2.acm.org (199.222.69.92) by mailgate.cesmail.net
from psmtp.com ([64.18.2.111]) by alias2.acm.org
from source ([204.152.190.11]) by exprod7mx61.postini.com
from (outmail.yourhostingaccount.com [65.254.254.75]) by mail.netbsd.org
from scan03.yourhostingaccount.com ([192.168.1.233] by mail18.yourhostingaccount.com
from cgi21.yourhostingaccount.com ([192.168.1.109]) by scan03.yourhostingaccount.com
from cgi21.yourhostingaccount.com ([192.168.1.109]) by scan03.yourhostingaccount.com

To simplify those 11 headers, imagine they are numbered from 0-10 starting at the top. Think of the last 3 as a unit representing the source, because I've seen similars in sightings, and the top 5 as representing SC to you..

The story or sequence of the middle 3 is netbsd > postini > acm, which then went on to your spamcop account and thence io/prismnet.

The administrator interested in the intermediary handling of spam was netbsd, which was the server receiving from the source package. In this case, netbsd would not have been/ was not/ named as the spamsource, partly because you are mailhosted and partly because netbsd is a trusted server.
> < The problem with mailing list spam is that it can result in the
> < reporting of the mailing list server, who should not be reported or
> < counted as the source for the spam -- but instead you should "send a
> < note to the list owner who can block the source from sending to the
> list < or take responsibility for reporting the spam themselves."

That problem about mailing list spam is still a concern; it is better to follow the rules than to report it. If you don't follow the rules and you report a mailing list server which shouldn't have been reported and it gets accidentally spamcop listed and 'you' and other false source reporters are the cause of numerous mailing list recipients mail getting spamcop blocked, you will surely get into trouble.

> If I understand the other replies to my post, the mailing list owner
> was not reported as a spammer, but was notified that spam passed
> through the list.

That is correct in this instance, assuming that we are calling netbsd the mailing list owner. Some of the header content is munged by spamcop's normal mungeing mode.

--
Mike Easter
kibitzer, not SC admin

From mwnospam at comcast.net Fri Sep 9 20:10:11 2005
From: mwnospam at comcast.net (spamacyde)
Date: Fri Sep 9 19:15:04 2005
Subject: [SpamCop-List] Phising Emails
Message-ID:

A couple of questions about phishing emails:

1) Do I want to report them to Spamcop?

2) Since trying to obtain financial information is more serious than peddling snake oil, is it possible after using arin.net to identify the source of the email to sue the hosting service or legally strong-arm them into revealing the sender? Ebay and the hosting services are remarkably concerned about the phishers' right to anonymity.
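[Added example, not part of any list message and not SpamCop's own parser: a simplified trust walk over the abbreviated Received lines quoted in Mike Easter's reply to Mark Geary above. It shows why netbsd is treated as an intermediary when it is trusted, and how the list server would be named as the source when it is not. The MAILHOSTS and TRUSTED_RELAYS sets are assumptions read off that chain.]

```python
"""Walk a Received chain from the top and stop where trust ends."""
import ipaddress
import re

# Abbreviated Received lines as quoted in the post, newest (index 0) first.
# Irregularities (empty HELO in 7, unbalanced parenthesis in 8) are kept.
RECEIVED = [
    "from zaxxon.io.com ([209.198.128.81]) by postoffice.prismnet.com",
    "from c62.cesmail.net (c62.cesmail.net [216.154.195.54]) by zaxxon.io.com",
    "from unknown (HELO blade5.cesmail.net) ([192.168.1.215]) by c62.cesmail.net",
    "from unknown (192.168.1.101) by blade5.cesmail.net",
    "from alias2.acm.org (199.222.69.92) by mailgate.cesmail.net",
    "from psmtp.com ([64.18.2.111]) by alias2.acm.org",
    "from source ([204.152.190.11]) by exprod7mx61.postini.com",
    "from (outmail.yourhostingaccount.com [65.254.254.75]) by mail.netbsd.org",
    "from scan03.yourhostingaccount.com ([192.168.1.233] by mail18.yourhostingaccount.com",
    "from cgi21.yourhostingaccount.com ([192.168.1.109]) by scan03.yourhostingaccount.com",
    "from cgi21.yourhostingaccount.com ([192.168.1.109]) by scan03.yourhostingaccount.com",
]

# Assumption: the reporter's registered mailhosts, read off hops 0-6.
MAILHOSTS = {"prismnet.com", "io.com", "cesmail.net", "acm.org", "postini.com"}
# Assumption: relays the parser has been told to trust (the list server).
TRUSTED_RELAYS = {"netbsd.org"}

HOP_RE = re.compile(r"^from\s+(?P<sender>.*)\s+by\s+(?P<by>\S+)\s*$")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_hop(line):
    """Return {'by': host, 'ip': address-or-None}, or None if unparseable."""
    match = HOP_RE.match(line.strip())
    if match is None:
        return None
    ip = None
    found = IP_RE.search(match.group("sender"))
    if found:
        try:
            ip = ipaddress.ip_address(found.group())
        except ValueError:  # e.g. an octet above 255
            ip = None
    return {"by": match.group("by").lower(), "ip": ip}


def is_trusted(host, trusted_domains):
    """True if host is one of the trusted domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in trusted_domains)


def find_source(lines, trusted_domains):
    """Return (source_ip, receiving_host) for the deepest credible hop.

    A header is only credible if the host that wrote it ('by') is trusted;
    everything below the first untrusted writer may be forged. Hops whose
    sender address is private are internal hand-offs and are skipped.
    """
    source_ip, handed_to = None, None
    for line in lines:
        hop = parse_hop(line)
        if hop is None or not is_trusted(hop["by"], trusted_domains):
            break
        if hop["ip"] is None or hop["ip"].is_private:
            continue
        source_ip, handed_to = str(hop["ip"]), hop["by"]
    return source_ip, handed_to


if __name__ == "__main__":
    print("list server trusted:    ", find_source(RECEIVED, MAILHOSTS | TRUSTED_RELAYS))
    print("list server not trusted:", find_source(RECEIVED, MAILHOSTS))
```

With netbsd.org trusted, the walk reaches hop 7 and names the host that handed the message to the list server; without it, the walk stops one hop earlier and the list server's own address is what gets reported.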
From MikeE at ster.invalid Fri Sep 9 17:25:09 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri Sep 9 19:30:04 2005 Subject: [SpamCop-List] Re: Phising Emails References: Message-ID: spamacyde wrote: > A couple of questions about phishing emails: > > 1) Do I want to report them to Spamcop? SpamCop's strength is all about blocklisting sources identified by reporters or spamtraps. The concept of the notification of a /spamvertised/ site is a courtesy extended to those whitehat providers who would like to know about spamvertisers. In the case of a phish, it is likely that 'phished' bank or other entity will also be SC notified 'accidentally' as an IB, since the phished bank isn't actually the spamvertiser. Most phished entities don't want to be notified of spams as if they were the spamvertiser. Many or most phished entities don't even actually want to hear about phish spam. What the phished entity wants is for any of their customer/client/s to not get phished, and they also want to 'look like' they are making every effort to prevent harm to their customers, for the good of their image. But, they mostly don't want piles and piles and piles of phishing spam notifications. They /would/ like to keep up with the 'format' of the phishes, so that they know what is floating around out there. They are *not* going to go to a lot of/ any/ trouble to deal with the /spamsources/. And, I'm sure that they would rather someone else other than themselves go to the trouble of investigating the actual 'phishery' website and domain owner and host. That is generally a problem of relatively unenforceable international investigation of some trouble and expense. The phished entity isn't much up for it. > 2) Since trying to obtain financial information is more serious than > peddling snake oil, is it possible after using arin.net to identify > the source of the email to sue the hosting service or legally > strong-arm them into revealing the sender? Your question isn't clear. 
Who/whom do you mean should be suing whom for what? Remember what we are talking about here. We are talking about a piece of spam. What exactly is the tort or basis for a 'suit'? A piece of spam isn't identity theft or stolen money from an account. So, the deal is that any real enforcement would have to take place after a genuine crime of some sort and significance. Not an item of spam. > Ebay and the hosting > services are remarkably concerned about the phishers' right to > anonymity. I don't know what that sentence means. Who is the phisher? -- Mike Easter kibitzer, not SC admin From pete+usenet at heypete.com Fri Sep 9 17:27:28 2005 From: pete+usenet at heypete.com (Pete Stephenson) Date: Fri Sep 9 19:30:13 2005 Subject: [SpamCop-List] Re: Phising Emails References: Message-ID: In article , "spamacyde" wrote: > 1) Do I want to report them to Spamcop? Sure. Also, http://www.antiphishing.org/report_phishing.html wants to get copies as well. > 2) Since trying to obtain financial information is more serious than > peddling snake oil, is it possible after using arin.net to identify the > source of the email to sue the hosting service or legally strong-arm them > into revealing the sender? Ebay and the hosting services are remarkably > concerned about the phishers' right to anonymity. Not likely. Most of the hosts are out of the country. *shrugs* -- Pete Stephenson HeyPete.com From mwnospam at comcast.net Fri Sep 9 20:33:28 2005 From: mwnospam at comcast.net (spamacyde) Date: Fri Sep 9 19:35:03 2005 Subject: [SpamCop-List] Re: Phising Emails References: Message-ID: According to arin.net, both the server that sent the email and the phishing web site are in the US. "Pete Stephenson" wrote in message news:pete+usenet-80EDBA.16272809092005@news.cesmail.net... > In article , > "spamacyde" wrote: > > > 1) Do I want to report them to Spamcop? > > Sure. > > Also, http://www.antiphishing.org/report_phishing.html wants to get > copies as well. 
> > > 2) Since trying to obtain financial information is more serious than > > peddling snake oil, is it possible after using arin.net to identify the > > source of the email to sue the hosting service or legally strong-arm them > > into revealing the sender? Ebay and the hosting services are remarkably > > concerned about the phishers' right to anonymity. > > Not likely. Most of the hosts are out of the country. *shrugs* > > -- > Pete Stephenson > HeyPete.com From MikeE at ster.invalid Fri Sep 9 17:48:57 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri Sep 9 19:50:02 2005 Subject: [SpamCop-List] Re: Phising Emails References: Message-ID: spamacyde wrote: > According to arin.net, both the server that sent the email