From DougThegarden at invalid.com Sun Jan 1 11:23:04 2006
From: DougThegarden at invalid.com (Doug Thegarden)
Date: Sun Jan 1 06:25:06 2006
Subject: [SpamCop-List] Re: Thunderbird OK with Headers
In-Reply-To:
References:
Message-ID:

MikeV06 wrote:
> I am thinking about using Thunderbird for email. I know OL has a problem
> with headers and just wondered if Thunderbird works OK when forwarding spam
> to SC?
>

Works for me. And TB is at least standards compliant which Doubtlook isn't.

Doug

From n4jwyfo02 at sneakemail.com Sun Jan 1 13:46:55 2006
From: n4jwyfo02 at sneakemail.com (Aviatrix)
Date: Sun Jan 1 08:50:03 2006
Subject: [SpamCop-List] Re: Spamcop causing problems
In-Reply-To:
References:
Message-ID:

Vanguard wrote:

(Lots of good stuff snipped, for brevity)

> If your father is unwilling to learn how his spam filtering works
> (blacklists, bayesian filters, greylisting, whatever) and to configure
> it the way he wants then get him to stop using those spam filters.

The OP's father may not actually have that option.

The OP is based in the UK. I presume his father is, too.

I know of several UK ISPs that force their own spam filters onto their customers - i.e., the ISP uses blocklists to bounce or discard mail, and the mail never reaches the customer's POP3 mailbox. These ISPs do not give customers the choice of opting out of the spam filtering.

The OP's father may need to change ISPs, or switch to a non-ISP mail account (Hotmail, Gmail, Yahoo, whatever)

A.

From nobody at nowhere.invalid Sun Jan 1 15:14:02 2006
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Sun Jan 1 09:15:03 2006
Subject: [SpamCop-List] Re: vCard
References: <43B59989.521B56A8@Spamcop.net.dev.null> <43B6E2FB.8BD1A59C@Spamcop.net.dev.null> <43B6F561.7FAC@xyzzy.claranet.de> <43B6FCF0.8E6902E6@Spamcop.net.dev.null>
Message-ID:

On Sat, 31 Dec 2005 19:17:44 -0800, Mike Easter coughed into spamcop and left this in :

> lock-ups that have required me to kill the firefox.exe process. And I've
> even been forced to reboot Windows XP a few times.//

That might explain it. I'm not using the Windows version of Firefox. I've found nothing untoward to report about the *Linux* version.

--
Steve
The average nutritional value of promises is roughly zero.

From me at privacy.net Sun Jan 1 09:30:02 2006
From: me at privacy.net (MikeV06)
Date: Sun Jan 1 10:35:03 2006
Subject: [SpamCop-List] Re: Thunderbird OK with Headers
References:
Message-ID:

On Sun, 01 Jan 2006 11:23:04 +0000, Doug Thegarden wrote:

> MikeV06 wrote:
>> I am thinking about using Thunderbird for email. I know OL has a problem
>> with headers and just wondered if Thunderbird works OK when forwarding spam
>> to SC?
>>
>
> Works for me. And TB is at least standards compliant which Doubtlook isn't.
>
> Doug

Thank you, that is what I needed to know. Doing a Ctrl-U, etc. routine is not what I had in mind.

From ng at bgdsv.co.uk Sun Jan 1 15:49:12 2006
From: ng at bgdsv.co.uk (Brian Gregory [UK])
Date: Sun Jan 1 10:50:02 2006
Subject: [SpamCop-List] Re: Thunderbird OK with Headers
References:
Message-ID:

"MikeV06" wrote in message news:tnwu7e83bzy.dlg@mycomputer06.invalid.com...
>I am thinking about using Thunderbird for email. I know OL has a problem
> with headers and just wondered if Thunderbird works OK when forwarding
> spam
> to SC?

In Outlook Express "Forward As Attachment" is the best way to forward some messages (you can do several at the same time) to SPAMCOP. Doesn't Outlook have this too? (It's on the "Message" menu in OE).

--

Brian Gregory.
(In the UK)
ng@bgdsv.co.uk
To email me remove the letter vee.

From nobody at devnull.spamcop.net Sun Jan 1 09:57:26 2006
From: nobody at devnull.spamcop.net (WazoO)
Date: Sun Jan 1 11:00:02 2006
Subject: [SpamCop-List] Re: Thunderbird OK with Headers
References:
Message-ID:

"MikeV06" wrote in message news:tnwu7e83bzy.dlg@mycomputer06.invalid.com...
> I am thinking about using Thunderbird for email. I know OL has a problem
> with headers and just wondered if Thunderbird works OK when forwarding spam
> to SC?

How to use Thunderbird to report multiple emails, One user's step by step example
http://forum.spamcop.net/forums/index.php?showtopic=5307

From nobody at devnull.spamcop.net Sun Jan 1 10:05:33 2006
From: nobody at devnull.spamcop.net (WazoO)
Date: Sun Jan 1 11:10:03 2006
Subject: [SpamCop-List] Re: Thunderbird OK with Headers
References:
Message-ID:

"Mike Easter" wrote in message news:dp7eb3$4ou$1@news.spamcop.net...
> MikeV06 wrote:
> > I am thinking about using Thunderbird for email. I know OL has a
> > problem with headers and just wondered if Thunderbird works OK when
> > forwarding spam to SC?
>
> It looks to me like SC's faq is in serious need of updating....

You think so? (Me thinking of the dozens and dozens of previous threads about something to do with a SpamCop FAQ, the tons of my e-mail archives on my attempts at getting some things added, changed, updated, deleted, etc.)

> I guess everyone who could do some updating is obsessed with the web
> interface.

???? not sure what the "web interface" thing is. The last "go round" on the www.spamcop.net web page(s) dealt with information on the reporting system outages.

> Somehow the web interface is immediately amenable to updating but the
> webfaq is somehow impenetrable.

Funny how that works. R.W. states that changes on the "official" FAQ now need to be walked through a corporate maze, to include legal ... so it mostly doesn't happen.

> I think the solution to the whole thing is one of who is responsible. I
> think the webfaq needs a 'signature' which sez --- "I am responsible for
> keeping the webfaq up-to-date" -- Signed, XXX
>
> Once you have to show your 'face' about being responsible for something,
> then everything starts getting better.

Julian started it, Dollface was involved, R.W. picked it up, IronPort staff got involved ..... see above for "who's involved" these days.

From nobody at nowhere.invalid Sun Jan 1 18:01:44 2006
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Sun Jan 1 12:05:03 2006
Subject: [SpamCop-List] Re: Thunderbird OK with Headers
References:
Message-ID:

On Sun, 1 Jan 2006 15:49:12 -0000, Brian Gregory [UK] coughed into spamcop and left this in :

> In Outlook Express "Forward As Attachment" is the best way to forward some
> messages (you can do several at the same time) to SPAMCOP. Doesn't Outlook
> have this too? (It's on the "Message" menu in OE).

No. Outlook doesn't store e-mail as it came down the pipe. It breaks it up and messes around with it in order for it to conform with its own storage system, and is unable thereafter to reassemble the mail as it was received originally. Outlook is not designed primarily as a mail client in the sense that we (tinw) understand it, but as an Exchange client.

--
Steve
The box said: "Requires Windows 98/2000/XP/NT, or better." So, I installed LINUX!

From vanguard.code at comcastNIX.net Sun Jan 1 12:29:13 2006
From: vanguard.code at comcastNIX.net (Vanguard)
Date: Sun Jan 1 13:30:03 2006
Subject: [SpamCop-List] Re: Spamcop causing problems
References:
Message-ID:

"Aviatrix" wrote in message news:dp8mgf$nav$1@news.spamcop.net...
> Vanguard wrote:
>
> (Lots of good stuff snipped, for brevity)
>
>
>> If your father is unwilling to learn how his spam filtering works
>> (blacklists, bayesian filters, greylisting, whatever) and to configure
>> it the way he wants then get him to stop using those spam filters.
>
> The OP's father may not actually have that option.

If the father is running a local anti-spam filter, it is entirely their choice whether they run it or not and how to configure it. If it is a server-side filter provided by the e-mail service, the father can disable that option.
If the e-mail provider does not permit the user to disable spam filtering, that e-mail provider is rude and violating the user's rights (but then the user agreed to that provider's contract which the user should read).

> The OP is based in the UK. I presume his father is, too.
>
> I know of several UK ISPs that force their own spam filters onto their
> customers - i.e., the ISP uses blocklists to bounce or discard mail, and
> the mail never reaches the customer's POP3 mailbox. These ISPs do not
> give customers the choice of opting out of the spam filtering.

And they don't also provide whitelisting? No matter what spam filter solution I have used or trialed, whitelisting was always a requirement to eliminate false positives.

> The OP's father may need to change ISPs, or switch to a non-ISP mail
> account (Hotmail, Gmail, Yahoo, whatever)

Could be. Sounds like the ISP is an idiot dictator.

--
_______________________________________________________
** Post replies to the newsgroup. Share with others. **
For e-mail, remove "NIX" and append "#VC811" to Subject.
_______________________________________________________

From jg at coks.net Sun Jan 1 10:37:29 2006
From: jg at coks.net (jg)
Date: Sun Jan 1 13:40:03 2006
Subject: [SpamCop-List] Re: vCard
In-Reply-To:
References: <43B59989.521B56A8@Spamcop.net.dev.null> <43B6E2FB.8BD1A59C@Spamcop.net.dev.null> <43B6F561.7FAC@xyzzy.claranet.de> <43B6FCF0.8E6902E6@Spamcop.net.dev.null>
Message-ID:

On 12/31/2005 7:17 PM Mike Easter scribbled:

> jg wrote:
>
>>Mike Easter
>
>
>>>I don't know whether it should be mentioned or not, but Scott Finney
>>>who has a popular newsletter and is a powerful FireFox supporter,
>>>suggests holding off on 1.5 in favor of earlier versions.
>>>
>>>I don't have the ref handy; I'll check on that.
>>>
>>
>>There are no problems w/ 1.5 at all
>
>
> None according to the FF developers; but here's what SF sez:
>
> http://www.scotsnewsletter.com/75.htm#ff15
>
> // I recommend holding off, at least temporarily, on installing Firefox
> 1.5.-- somewhere early in the Release Candidates I began to encounter
> problems. And I'm beginning to learn that I might not be alone in that.
> The issues people are reporting to me are highly varied --I've
> personally seen 100% CPU spikes while Firefox is laboring at something --
> A memory leak is an errant programmatic process that over time may
> gradually eat away at system resources. In worst-case scenarios, a
> memory leak may cause an application to become unstable. -- That may not
> be the case. I am, though, hearing sufficient reports about trouble to
> be cautious. -- In most cases the Firefox freeze-ups unstick themselves
> after a couple of minutes. But I have also experienced permanent
> lock-ups that have required me to kill the firefox.exe process. And I've
> even been forced to reboot Windows XP a few times.//
>

I've not had any problems vis a vis crashes or reboots. The memory leaks have been discussed for some time now and it doesn't happen to everyone. You can look at http://kb.mozillazine.org/Memory_Leak to see how it is being addressed - I rather like the idea that open source s/w is able to discuss problems and work on fixes faster than today's commercial packages.

From MikeE at ster.invalid Sun Jan 1 10:45:45 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Jan 1 13:50:02 2006
Subject: [SpamCop-List] Re: vCard
References: <43B59989.521B56A8@Spamcop.net.dev.null> <43B6E2FB.8BD1A59C@Spamcop.net.dev.null> <43B6F561.7FAC@xyzzy.claranet.de> <43B6FCF0.8E6902E6@Spamcop.net.dev.null>
Message-ID:

jg wrote:
> Mike Easter scribbled:

>>>> holding off on 1.5 in favor of earlier
>>>> versions.

> You can look at http://kb.mozillazine.org/Memory_Leak to see how it is
> being addressed

I saw that when I was checking out the 'debates' between those who luv opera vs those who luv FF. There's actually quite a lot of that.

I don't know that that section on how to reduce memory usage addresses the issue of a /leak/. It doesn't sound like the developers agree that there's a leak even tho' they used the word.

>- I rather like the idea that open source s/w is able
> to discuss problems and work on fixes faster than today's commercial
> packages.

Especially if/when they can get it hammered out and solved.

--
Mike Easter
kibitzer, not SC admin

From jg at coks.net Sun Jan 1 11:25:36 2006
From: jg at coks.net (jg)
Date: Sun Jan 1 14:25:02 2006
Subject: [SpamCop-List] Re: vCard
In-Reply-To:
References: <43B59989.521B56A8@Spamcop.net.dev.null> <43B6E2FB.8BD1A59C@Spamcop.net.dev.null> <43B6F561.7FAC@xyzzy.claranet.de> <43B6FCF0.8E6902E6@Spamcop.net.dev.null>
Message-ID:

On 1/1/2006 10:45 AM Mike Easter scribbled:

> I don't know that that section on how to reduce memory usage addresses
> the issue of a /leak/. It doesn't sound like the developers agree that
> there's a leak even tho' they used the word.

This has confused me at times - I /think/ "they" use leak and usage interchangeably. An exacting person such as yourself may take issue and have a valid point - dunno.

In an ongoing thread over @ FF ng, there is talk of dlls not unloading at some point, implying it may be a Win problem with a reg hack to fix it.

I've not had the problem - and I am memory deprived....

From mwnospam at comcast.net Sun Jan 1 14:44:07 2006
From: mwnospam at comcast.net (spamacyde)
Date: Sun Jan 1 14:45:02 2006
Subject: [SpamCop-List] Bogus Spamvertised Web Links
Message-ID:

Is it possible for a spammer to provide a link that involves the IP address of a legitimate web site if they want to mess with the spam recipient or host of that web site?

If the answer to the question above is yes, when spamcop deobfuscates links in a spam message, does it make an attempt to verify whether the links point to a "bad" website as opposed to a "good" one?

If the answer to the second question is no, what do I need to do to protect myself when clicking on a link to verify that it goes to a "bad" site ie one that is trying to sell me potions as opposed to Fred's blog about pine trees or no site at all?

Thanks.

From jg at coks.net Sun Jan 1 12:00:09 2006
From: jg at coks.net (jg)
Date: Sun Jan 1 15:00:02 2006
Subject: [SpamCop-List] Re: Bogus Spamvertised Web Links
In-Reply-To:
References:
Message-ID:

On 1/1/2006 11:44 AM spamacyde scribbled:

> Is it possible for a spammer to provide a link that involves the IP address
> of a legitimate web site if they want to mess with the spam recipient or
> host of that web site?

Isn't that a form of joejobbing - in which case, the answer to your question is yes?

>
> If the answer to the question above is yes, when spamcop deobfuscates links
> in a spam message, does it make an attempt to verify whether the links
> point to a "bad" website as opposed to a "good" one?

I'm not really qualified to give a definitive answer, but it would seem to be asking SC to do quite a bit more than it is set up for - how would it tell "good site" from "a bad site"?

>
> If the answer to the second question is no, what do I need to do to protect
> myself when clicking on a link to verify that it goes to a "bad" site ie one
> that is trying to sell me potions as opposed to Fred's blog about pine trees
> or no site at all?

Use a secure browser and disallow script execution, s/w downloading/installation, etc. Others here will advise to not click the link at all if you are not sure of it, which is good advice...

>
> Thanks.
>
>

From jg at coks.net Sun Jan 1 12:10:59 2006
From: jg at coks.net (jg)
Date: Sun Jan 1 15:10:02 2006
Subject: [SpamCop-List] SC problems...
Message-ID:

http://www.spamcop.net/sc?id=z850400310zcea8c542a83d8c72633414f203e9810az

Aside, the comcor spam vert seems to have changed his med format for the new year.

Lately, just about every other parse has to be resubmitted to get link resolution (1st parse just ignores link(s)). This comcor spammer, who seems to be on some kind of month long roll, at least through cox.net, seems to give SC a harder time than others. Is there a reason for this? And am I wasting my time in canceling and resubmitting? It doesn't seem to be having much effect anyway...

From Nobody at Spamcop.net.dev.null Sun Jan 1 15:15:01 2006
From: Nobody at Spamcop.net.dev.null (Michael Brennan)
Date: Sun Jan 1 16:20:03 2006
Subject: [SpamCop-List] Re: vCard (was: Malformed Spamlink or New Type?)
References: <43B59989.521B56A8@Spamcop.net.dev.null> <43B6E2FB.8BD1A59C@Spamcop.net.dev.null> <43B6F561.7FAC@xyzzy.claranet.de> <43B6FCF0.8E6902E6@Spamcop.net.dev.null>
Message-ID: <43B84655.E8A46AEC@Spamcop.net.dev.null>

Steven Maesslein wrote:
>
> On Sat, 31 Dec 2005 15:49:36 -0600, Michael Brennan coughed into spamcop
> and left this in <43B6FCF0.8E6902E6@Spamcop.net.dev.null>:
>
> > last summer I looked at FlashPeak SlimBrowser
> > before discarding it and loading Firefox.
>
> There have been two updates of Firefox (one major) since 1.0.6.
>
> 1.5 is no longer beta, it was released - last month I think. I've been
> using it for a while and it seems to run well.
>

My OS is Win 98. I think I'm not supported beyond FF 1.0.4, but I installed 1.0.6 anyway when I got the constant nags (the nags continue) to see if it would run, keeping the 1.0.4. instal.exe file handy on media. So far, it runs okay, but I'm a bit resource-challenged at only 160 megs of RAM and a 300-MHz P-II MMX CPU. FF is a little slow out of the gate on boot, and the pages load fairly leisurely, but that may be my 26.4K (nailed-up) dialup connection. I don't plan to install any later versions of FF.

Michael

From n4jwyfo02 at sneakemail.com Sun Jan 1 21:24:00 2006
From: n4jwyfo02 at sneakemail.com (Aviatrix)
Date: Sun Jan 1 16:25:03 2006
Subject: [SpamCop-List] Re: Spamcop causing problems
In-Reply-To:
References:
Message-ID:

Vanguard wrote:

> And they don't also provide whitelisting? No matter what spam filter
> solution I have used or trialed, whitelisting was always a requirement
> to eliminate false positives.

No - some of them don't. They just have one central spam filter for all their customers, and that's what customers are stuck with.

Sadly we haven't heard from the OP since his original post. If he were to come back here and tell us who his father's ISP is and how his mail is routed (direct, or via a forwarding address) then I guess one of us here in the UK might be able to give him some more advice. I know the UK ISP market reasonably well, and I'm probably not the only one here who does.

From Nobody at Spamcop.net.dev.null Sun Jan 1 15:28:15 2006
From: Nobody at Spamcop.net.dev.null (Michael Brennan)
Date: Sun Jan 1 16:30:03 2006
Subject: [SpamCop-List] Parava Networks, UUNet, and MCI
Message-ID: <43B8496F.1AB4B562@Spamcop.net.dev.null>

Concerning this spamitem,

http://www.spamcop.net/sc?id=z850378097z3a8f2a43d12712623d31e50a5f21a7eez

I dug a little and found that the spamlink is hosted by Parava.net, which in turn appears to be part of UUNet Technologies and MCI.

Can someone elucidate the relationship among Parava Networks, UUNet Technologies, and MCI?

Side Issue: In my "additional remarks" section of my submitted report, I retrieved as much info from SamSpade.org on the spamlink as I could, but I don't see the comments when I pull up the report from SpamCop's server using the tracking URL link. What happens to those comments? Where do they go?

Chasing down who Parava is, which appears to be the end of the line (error msgs etc.)
when chasing many spamlinks, I was able to pull up this page from SamSpade:

Server Used: [ whois.arin.net ]
65.210.194.2 = [ host2.parava.net ]

OrgName: UUNET Technologies Inc.
OrgID: UU
Address: 22001 Loudoun County Parkway
City: Ashburn
StateProv: VA
PostalCode: 20147
Country: US

NetRange: 65.192.0.0 - 65.223.255.255
CIDR: 65.192.0.0/11
NetName: UUNET65
NetHandle: NET-65-192-0-0-1
Parent: NET-65-0-0-0-0
NetType: Direct Allocation
NameServer: AUTH03.NS.UU.NET
NameServer: AUTH00.NS.UU.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2000-10-27
Updated: 2002-02-13

RTechHandle: OA12-ARIN
RTechName: UUnet Technologies Inc. Technologies
RTechPhone: 1-800-900-0241
RTechEmail: help4u@mci.com

OrgAbuseHandle: ABUSE3-ARIN
OrgAbuseName: abuse
OrgAbusePhone: 1-800-900-0241
OrgAbuseEmail: abuse-mail@mci.com

OrgNOCHandle: OA12-ARIN
OrgNOCName: UUnet Technologies Inc. Technologies
OrgNOCPhone: 1-800-900-0241
OrgNOCEmail: help4u@mci.com

OrgTechHandle: SWIPP-ARIN
OrgTechName: swipper
OrgTechPhone: 1-800-900-0241
OrgTechEmail: swipper@mci.com

CustName: Parava Networks
Address: 6009 Richmond Avenue
City: Houston
StateProv: TX
PostalCode: 77057
Country: US
RegDate: 2001-09-20
Updated: 2003-05-30

NetRange: 65.210.194.0 - 65.210.194.63
CIDR: 65.210.194.0/26
NetName: UU-65-210-194
NetHandle: NET-65-210-194-0-1
Parent: NET-65-192-0-0-1
NetType: Reassigned
Comment:
RegDate: 2001-09-20
Updated: 2003-05-30

RTechHandle: OA12-ARIN
RTechName: UUnet Technologies Inc. Technologies
RTechPhone: 1-800-900-0241
RTechEmail: help4u@mci.com

OrgAbuseHandle: ABUSE3-ARIN
OrgAbuseName: abuse
OrgAbusePhone: 1-800-900-0241
OrgAbuseEmail: abuse-mail@mci.com

OrgNOCHandle: OA12-ARIN
OrgNOCName: UUnet Technologies Inc. Technologies
OrgNOCPhone: 1-800-900-0241
OrgNOCEmail: help4u@mci.com

OrgTechHandle: SWIPP-ARIN
OrgTechName: swipper
OrgTechPhone: 1-800-900-0241
OrgTechEmail: swipper@mci.com

ARIN WHOIS database last updated 2005-12-31 19:10

Any comments on these players?
I have seen it said several times on this newsgroup and others that UUNet and MCI are black hats. Parava Networks certainly seems to be.

Michael

From MikeE at ster.invalid Sun Jan 1 13:35:49 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Jan 1 16:40:03 2006
Subject: [SpamCop-List] Re: Bogus Spamvertised Web Links
References:
Message-ID:

spamacyde wrote:
> Is it possible for a spammer to provide a link that involves the IP
> address of a legitimate web site if they want to mess with the spam
> recipient or host of that web site?

Innocent bystander IB links are frequently included in spambodies. A SC reporter is supposed to uncheck any IBs which SC doesn't know should be considered an IB and there is a faq on that

http://www.spamcop.net/fom-serve/cache/126.html How should I select the recipients for my spam report?
// Spammers will often include innocent parties' addresses in spam in an effort to confuse and discredit. [...] These are "innocent bystanders" and should not be reported as spammers. Make sure these boxes are unchecked if you are not fairly sure the address in question is being used by the spammer. //

> If the answer to the question above is yes, when spamcop deobfuscates
> links in a spam message, does it make an attempt to verify whether
> the links point to a "bad" website as opposed to a "good" one?

Yes and No -- if a URL is /known/ to be an IB or there are other causes of a URL to not lead to a SC notify which has been entered into the db.

But, SC doesn't otherwise have some kind of 'artificial intelligence' which it uses to 'derive' that a found URL is an IB vs a payload URL. It is dependent upon human deputy admins to enter db information or on SC reporters to determine IBness.

> If the answer to the second question is no, what do I need to do to
> protect myself when clicking on a link to verify that it goes to a
> "bad" site ie one that is trying to sell me potions as opposed to
> Fred's blog about pine trees or no site at all?

If it is your intention to notify about a body's spamvertised site and you can't tell from the context of the unrendered spam, the next step in the process of evaluating a spam is to carefully render it after you have determined what security precautions you should take before doing so. Some would call that 'opening' the spam, securely.

If you have rendered the content of the spambody and you still can't tell the IB from the spamvertiser, you can find one of several ways to determine what is at the URL payload site or any redirection or frame handling from/at the payload site. You can do that using a GET function from a console, or you can do that with a websniffer site, or you can do that with a browser which has been properly secured.

One would hope that that entire process doesn't profit the spammer more than it hurts hir. If you are going to all of that trouble just to notify a blackhat provider who is going to be handing over the report evidence to the spammer and not taking some action against the spammer, then you are wasting your time and you might be aiding the spamvertiser with ad profit and whatever advantage may be gained by getting the evidence of your report.

Some spams could do without reporting of the spamvertiser to the SC derived notify. I am of the opinion that it should be the option of the reporter whether or not the website should be reported to the SC derived website provider -- in addition to putting the spamvertised site on the statistics page and/or submitted to the sc-surbl.

--
Mike Easter
kibitzer, not SC admin

From Nobody at Spamcop.net.dev.null Sun Jan 1 15:47:14 2006
From: Nobody at Spamcop.net.dev.null (Michael Brennan)
Date: Sun Jan 1 16:50:03 2006
Subject: [SpamCop-List] Re: Parava Networks, UUNet, and MCI
References: <43B8496F.1AB4B562@Spamcop.net.dev.null>
Message-ID: <43B84DE2.3F6502E0@Spamcop.net.dev.null>

Michael Brennan wrote:
>
> Concerning this spamitem,
>
> http://www.spamcop.net/sc?id=z850378097z3a8f2a43d12712623d31e50a5f21a7eez
>

Furthermore, I chased another spamlink in a sex-drug spamitem

http://www.spamcop.net/sc?id=z850377854zf2a6f13007e35fefd66b4a5d5c29399bz

and got another "creepylink" that traced back to another group similarly structured around UUNet and MCI:

(from the "add'l comments" section)

Server Used: [ whois.crsnic.net ]
http://creepy.extra-prevent.com/ = [ 221.7.209.67 ]

!!! whois.itsyourdomain.com failed to respond ***
displaying Referrer's Records (whois.crsnic.net):

Whois Server Version 1.3

Domain names in the .com and .net domains can now be registered with many different competing registrars. Go to http://www.internic.net for detailed information.

Domain Name: EXTRA-PREVENT.COM
Registrar: INNERWISE INC. D/B/A ITSYOURDOMAIN.COM
Whois Server: whois.itsyourdomain.com
Referral URL: http://www.itsyourdomain.com
Name Server: NS1.NAMECOP.NET
Name Server: NS2.NAMECOP.NET
Name Server: NS6.NAMECOP.NET
Status: REGISTRAR-LOCK
Updated Date: 30-dec-2005
Creation Date: 11-dec-2005
Expiration Date: 11-dec-2006

>>> Last update of whois database: Sun 1 Jan 2006 02:31:08 EST <<<

Further lookup on itsyourdomain.com shows following msg:

Server Used: [ whois.crsnic.net ]
ITSYOURDOMAIN.COM = [ 63.85.86.16 ]

!!! whois.itsyourdomain.com failed to respond ***

Lookup of the IP [ 63.85.86.16 ] gives info:

Server Used: [ whois.arin.net ]
63.85.86.16 = [ www.itsyourdomain.com ]

OrgName: UUNET Technologies Inc.
OrgID: UU
Address: 22001 Loudoun County Parkway
City: Ashburn
StateProv: VA
PostalCode: 20147
Country: US

NetRange: 63.64.0.0 - 63.127.255.255
CIDR: 63.64.0.0/10
NetName: UUNET63
NetHandle: NET-63-64-0-0-1
Parent: NET-63-0-0-0-0
NetType: Direct Allocation
NameServer: AUTH03.NS.UU.NET
NameServer: AUTH00.NS.UU.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 1999-01-22
Updated: 2003-01-23

RTechHandle: OA12-ARIN
RTechName: UUnet Technologies Inc. Technologies
RTechPhone: 1-800-900-0241
RTechEmail: help4u@mci.com

OrgAbuseHandle: ABUSE3-ARIN
OrgAbuseName: abuse
OrgAbusePhone: 1-800-900-0241
OrgAbuseEmail: abuse-mail@mci.com

OrgNOCHandle: OA12-ARIN
OrgNOCName: UUnet Technologies Inc. Technologies
OrgNOCPhone: 1-800-900-0241
OrgNOCEmail: help4u@mci.com

OrgTechHandle: SWIPP-ARIN
OrgTechName: swipper
OrgTechPhone: 1-800-900-0241
OrgTechEmail: swipper@mci.com

OrgName: Innerwise Inc.
OrgID: INER
Address: 1005 W. Wise Road
City: Schaumburg
StateProv: IL
PostalCode: 60193
Country: US

NetRange: 63.85.86.0 - 63.85.86.255
CIDR: 63.85.86.0/24
NetName: UU-63-85-86
NetHandle: NET-63-85-86-0-1
Parent: NET-63-64-0-0-1
NetType: Reallocated
Comment:
RegDate: 2000-08-23
Updated: 2000-08-23

RTechHandle: TC553-ARIN
RTechName: Cucci Ted
RTechPhone: 1-847-895-3989
RTechEmail: tcucci@innerwise.com

ARIN WHOIS database last updated 2005-12-31 19:10

Regards,
Michael

From MikeE at ster.invalid Sun Jan 1 13:53:50 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Jan 1 16:55:02 2006
Subject: [SpamCop-List] Re: Parava Networks, UUNet, and MCI
References: <43B8496F.1AB4B562@Spamcop.net.dev.null>
Message-ID:

Michael Brennan wrote:
> Concerning this spamitem,
> www.spamcop.net/sc?id=z850378097z3a8f2a43d12712623d31e50a5f21a7eez

There seems to be some confusion here.
That tracker is about this spamvertiser http://catastrophic.extra-clinic.com

dns catastrophic.extra-clinic.com
Canonical name: extra-clinic.com
Aliases: catastrophic.extra-clinic.com
Addresses:
61.234.235.12 = CRTC
221.7.209.67 = CNC-GL

inetnum: 61.232.0.0 - 61.237.255.255
netname: CRTC
country: CN
descr: CHINA RAILWAY TELECOMMUNICATIONS CENTER

inetnum: 221.7.209.0 - 221.7.209.255
netname: CNC-GL-INTER-3
country: CN
descr: CNC Guilin INternet network

> I dug a little and found that the spamlink is hosted by Parava.net,
> which in turn appears to be part of UUNet Technologies and MCI.

Subject: Parava Networks, UUNet, and MCI
> Can someone elucidate the relationship among Parava Networks, UUNet
> Technologies, and MCI?

There's nothing in this tracker about that; and the tracker shows the reports would be going to the .cn provider

Re: http://catastrophic.extra-clinic.com (Administrator of network hosting website referenced in spam)
postmaster@chinatietong.com crnet_mgr@chinatietong.com crnet_tec@chinatietong.com

> 65.210.194.2 = [ host2.parava.net ]

As a separate issue, we could talk about 65.210.194.2 rDNS host2.parava.net -- which must have been in some other spam.

Here is its structure:

whois -h whois.arin.net 65.210.194.2 ...
UUNET Technologies, Inc. 65.192.0.0 - 65.223.255.255
OrgAbuseEmail: abuse-mail@mci.com
Parava Networks 65.210.194.0 - 65.210.194.63
OrgAbuseEmail: abuse-mail@mci.com

You can also do an abuse.net reg'd notifies on the rDNS

whois -h whois.abuse.net host2.parava.net ...
abuse@mci.com
valdes@parava.net
postmaster@parava.net (for parava.net)

You can also consider the responsiveness of the IP address to see how it is blocklisted, where we find it to be spews listed, but spews is down right now, so I can't tell /why/ or how its spews listing came to be. However, a spews listing is always a good reason to consider notifying an upstream adjacency or a parent.

We would consider the uunet relationship to be the parent and also to be the ASN = UUNET - AS 701

So, everything points to notifying the mci addresses, abuse-mail and abuse at uunet in addition to the parava notifies.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Sun Jan 1 14:05:41 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Jan 1 17:10:03 2006
Subject: [SpamCop-List] Re: Parava Networks, UUNet, and MCI
References: <43B8496F.1AB4B562@Spamcop.net.dev.null> <43B84DE2.3F6502E0@Spamcop.net.dev.null>
Message-ID:

Michael Brennan wrote:

www.spamcop.net/sc?id=z850377854zf2a6f13007e35fefd66b4a5d5c29399bz
>
> and got another "creepylink" that traced back to another group
> similarly structured around UUNet and MCI:

This is another example of something which has nothing to do with uunet/mci according to my resolving and SC's resolving

http://creepy.extra-prevent.com/ = 221.7.209.67

Resolving link obfuscation
http://creepy.extra-prevent.com/
Host creepy.extra-prevent.com (checking ip) = 221.7.209.67

.... where 221.7.209.67 is a .cn, not a uunet/mci

Re: http://creepy.extra-prevent.com/ (Administrator of network hosting website referenced in spam)
glxk@gxcc.com.cn

inetnum: 221.7.209.0 - 221.7.209.255
netname: CNC-GL-INTER-3
descr: CNC Guilin INternet network
admin-c: XK43-AP = glxk@gxcc.com.cn
tech-c: XK43-AP

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Sun Jan 1 14:10:10 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Jan 1 17:15:04 2006
Subject: [SpamCop-List] Re: Parava Networks, UUNet, and MCI
References: <43B8496F.1AB4B562@Spamcop.net.dev.null> <43B84DE2.3F6502E0@Spamcop.net.dev.null>
Message-ID:

Michael Brennan wrote:

> Domain Name: EXTRA-PREVENT.COM
> Registrar: INNERWISE INC. D/B/A ITSYOURDOMAIN.COM

itsyourdomain is the domainname registrar for the spamvertised site.
Doing a DNS on the domainname registrar is not productive > ITSYOURDOMAIN.COM = [ 63.85.86.16 ] Finding the provider for the domainname registrar's IP is also not productive whois -h whois.arin.net 63.85.86.16 ... UUNET Technologies, Inc. 63.64.0.0 - 63.127.255.255 Innerwise Inc. 63.85.86.0 - 63.85.86.255 Don't go down that road. -- Mike Easter kibitzer, not SC admin From usa at yourface.com Sun Jan 1 17:46:00 2006 From: usa at yourface.com (GuitarMan) Date: Sun Jan 1 17:50:04 2006 Subject: [SpamCop-List] Anyway to get this reported? Message-ID: I paste the following into the submission window and then press the Process Spam button and get the following error: SpamCop v 1.514 Copyright (C) 1998-2005, IronPort Systems, Inc. All rights reserved. Here is your TRACKING URL - it may be saved for future reference: http://www.spamcop.net/sc?id=blahblahblah (hidden on purpose) No source IP address found, cannot proceed. Add/edit your mailhost configuration Finding full email headers Submitting spam via email (may work better) Example: What spam headers should look like Nothing to do. Here is what is pasted to submit: Path: nwrdny02.gnilink.net!cycny02.gnilink.net!gnilink.net!cycny01.gnilink.net!hwmnpeer01.lga!hwmedia!hw-filter.lga!fe13.lga.POSTED!2ce0aac1!not-for-mail From: "Proudtobehonest@GOODEALERS.COM" Subject: ZzZzZzZ TURN $5 INTO $15,000 IN ONLY 30 DAYS!READ IT!!$F Newsgroups: 24hoursupport.helpdesk Sender: "Proudtobehonest@GOODEALERS.COM" Organization: Proudtobehonest@GOODEALERS.COM X-Priority: 3 X-Library: Indy 9.00.10 Lines: 278 Message-ID: X-Complaints-To: abuse@100ProofNews.com NNTP-Posting-Date: Sun, 01 Jan 2006 14:57:36 MST Date: Mon, 2 Jan 2006 23:02:20 +0100 Xref: news.verizon.net 24hoursupport.helpdesk:892861 X-Received-Date: Sun, 01 Jan 2006 16:57:35 EST (nwrdny02.gnilink.net) PAYPAL MAGIC!!! TURN $5 INTO $15,000 IN ONLY 30 DAYS...HERES HOW! This is a Money Scheme and Not, I repeat... This is Not a Scam!!! 
You have most likely seen or heard about this project on TV programs such as 20/20 and Oprah, or you may have read about it in the Wall Street Journal. If not, here it is below - revealed to you in step-by-step detail. This program is by no means new. It has been in existence in many forms for at least a decade. But in the early days, it required a lot more time and effort, as well as an investment of a few hundred dollars. However thanks to PayPal and the Internet, the investment is now virtually ZERO! And what's more, the entire process is FASTER, EASIER, and MORE LUCRATIVE than it has EVER been! Below is the email sent to me: How to Turn $5 into $15,000 in 30 Days with PayPal I WAS SHOCKED WHEN I SAW HOW MUCH MONEY CAME FLOODING INTO MY PAYPAL ACCOUNT I turned $5 into $14,706 within the first 30 days of operating the business plan that I am about to reveal to you free of charge. If you decide to take action on the following instructions, I will GUARANTEE that you will enjoy a similar return! STILL NEED PROOF? Here are just 3 testimonials from the countless individuals who decided to invest nothing more than $5 and half an hour of their time to participate in this program: "What an amazing plan! I followed your instructions just 3 weeks ago, and although I haven't made 15 grand yet, I'm already up to $9,135. I'm absolutely gob smacked." -Pam Whittemore , Ohio "Well, what can I say?... THANK YOU SO MUCH! I sent 40 e-mail's out like you said and then I just forgot about the whole thing. To be honest, I didn't really think anything would come of it. But when I checked my paypal account a week later, there was over $5,000 in After 30 days I now have over $11,000 to spend! I can't thank you enough!"-Juan Tovar, NY,NY "I was shocked when I saw how much money came flooding into my paypal account. Within 3 weeks my account balance has ballooned to $12,449. At first I thought there had been some sort of error with my account!" 
-Richard Barrie , Boulder,CO The only things you will need are: An email address. A Business PayPal account with at least $5 deposited in it, and just 15 to 30 minutes of your time. This program takes just half an hour to set up. After that, there is absolutely no work whatsoever to do on your part. You have absolutely NOTHING to lose, and there is NO LIMIT to the amount of income you can generate from this one single business program. Let's get started, just follow the instructions exactly as set out below and then prepare yourself for a HUGE influx of cash over the next 30 days! Here's what you need to do. . . REQUIREMENTS [THESE INSTRUCTIONS MUST BE FOLLOWED VERBATUM FOR THIS TO WORK] #1) an email address #2) a Premier or Business PayPal account Now follow the steps: 1-4 STEP #1 - Setting up your FREE PayPal Account It's extremely safe and very easy to set up a FREE PayPal account! Copy and paste this to the address bar https://www.paypal.com (notice the secure "https" within the link) Be sure to sign up for a free PREMIER or BUSINESS account (and not just a PERSONAL account) otherwise you won't be able to receive credit card payments from other people. STEP #2 - Sending PayPal money "It is an undeniable law of the universe that we must first give in order to receive." Now all you have to do is send $5.00 by way of PayPal to each of the six email addresses listed below. After setting up your free paypal account and confirming or verifying YOUR ACCOUNT AND putting (five Dollars) $5.00 into your Paypal Account use the Account tab on Paypal to send $5.00 to each of the Names on the List then move the top one and place yours in the #5 spot on the list of names #1-#5. Remember your name becomes #5. Make sure the subject of the payment says... *PLEASE PUT ME ON YOUR EMAIL LIST* (this keeps the program 100% legal.. so please don't forget!) Note: (If you do not see the full email address for the 5 members, just hit reply to this email and they will show up.) 
(Just in case you still haven't opened your PayPal account yet, use this link to open one in your name), https://www.paypal.com #1) flashingsnake_721@hotmail.com #2) gigervy@hotmail.com #3) fuspow@yahoo.co.uk #4) terribird@voila.fr #5) honestman123@lycos.com Remember, all of this is ABSOLUTELY LEGAL! You are creating a service! A Business... An Email List Service Business If you have any doubts, please refer to Title 18 Sec. 1302 & 1241 of the United States Postal laws. STEP #3 - Adding Your Email Address After you send your five $1.00 payments, it's your turn to add your email address to the list! Take the #1) email off the list that you see above, move the other addresses up one (5 becomes 4 & 4 becomes 3, etc) then put YOUR email address (the one used in your PayPal account) as #5) on the list. **MAKE SURE THE EMAIL YOU SUPPLY IS EXACTLY AS IT APPEARS IN YOUR PAYPAL ACCOUNT.** STEP #4 - Copy Message to 200 Newgroups, message boards,etc...... The Pure Joy of Receiving PayPal Money! You are now ready to post your copy of this message, to at least 200 newsgroups, message boards, etc. (I think there are close to 32,000 groups) All you need is 200, but remember, the more you post, the more money you make - as well as everyone else on the list! In this situation your job is to let as many people see this letter as possible. So they will make you and me rich!!!! You can even start posting the moment your email is confirmed. Payments will still appear in your PayPal account even while your bank account is being confirmed. HOW TO POST TO NEWSGROUPS & MESSAGE BOARDS Step #1) You do not need to re-type this entire letter to do your own posting. Simply put your CURSOR at the beginning of this letter and drag your CURSOR to the bottom of this document, and select 'copy' from the edit menu. This will copy the entire letter into your computer's temporary memory. Step #2) Open a blank 'Notepad' file and place your cursor at the top of the blank page. 
From the 'Edit' menu select 'Paste'. This will paste a copy of the letter into notepad so that you can add your email to the list. Or copy to a Word Document. and Place in the email upon completion. Step #3) Save your new Notepad file as a .txt file. If you want to do your postings in different sittings, you'll always have this file to go back to. Step #4) Use Netscape or Internet Explorer and try searching for various newsgroups, on-line forums, message boards, bulletin boards, chat sites, discussions, discussion groups, online communities, etc. EXAMPLE: go to any search engine like yahoo.com, google.com, altavista.com, excite.com - then search with subjects like? millionaire message board? or money making message board? or opportunity message board? or money making discussions? or business bulletin board? or money making forum? etc. You will find thousands & thousands of message boards. Click them one by one then you will find the option to post a new message. Step #5) Visit these message boards and post this article as a new message by highlighting the text of this letter and selecting 'Paste' from the 'Edit' menu. Fill in the Subject, this will be the header that everyone sees as they scroll thru the list of postings in a particular group, click the post message button. You're done with your first one! Congratulations! THAT'S IT!! All you have to do is jump to different newsgroups and post away. After you get the hang of it, it will take about 30 seconds for each newsgroup! REMEMBER, THE MORE NEWSGROUPS AND/OR MESSAGE BOARDS YOU POST IN, THE MORE MONEY YOU WILL MAKE!! BUT YOU HAVE TO POST A MINIMUM OF 200** That's it! You will begin receiving money within days! **JUST MAKE SURE THE EMAIL YOU SUPPLY IS EXACTLY AS IT APPEARS ON PAYPAL.** Explanation of why it works so well: $$$$$ NOW THE WHY PART: Out of 200 postings, say I receive only 5 replies (a very low example). So then I Made $5.00 with my email at #5 on the letter. 
Now, each of the 5 persons who just sent me $1.00 make the MINIMUM 200 postings, each with my email at #5 and only 5 persons respond to each of the original 5, that is another $25.00 for me, now those 25 each make 200 MINIMUM posts with my email at #4 and only 5 replies each, I will bring in an additional $125.00! Now, those 125 persons turn around and post the MINIMUM 200 with my email at #3 and only receive 5 replies each, I will make an additional $625.00! OK, now here is the fun part, each of those 625 persons post a MINIMUM 200 letters with my email at #2 and they only receive 5 replies that just made me $3,125.00!!! Those 3,125 persons will all deliver this message to 200 newsgroups with my email at #1 and if still 5 persons per 200 newsgroups react I will receive $15,625.00! With an original investment of only $5.00! AMAZING!! When your email is no longer on the list, you just take latest posting in the newsgroups, and send out another $5.00 to emails on the list, putting your email at number 5 again. And start posting again. The thing to remember is, thousands of people all over the world are joining the internet and reading these articles everyday, JUST LIKE YOU are now!! So can you afford $5.00?? And see if it really works?? I think so? People have said, what if the plan is played out and no one sends you the money? So what are the chances of that happening when there are tons of new honest users and new honest people who are joining the internet and newsgroups everyday and are willing to give it a try? Estimates are at 20,000 to 50,000 new users everyday, with thousands of those joining the actual Internet. Remember, play FAIRLY and HONESTLY and this will work. This really isn't another one of those crazy scams! As long as people FOLLOW THROUGH with sending out $5.00, it works! With warm wishes, bless you and your loved ones, https://www.paypal.com $$$$$ REMEMBER, IT IS 100% LEGAL! 
DON'T PASS THIS UP --------------= Posted using GrabIt =---------------- ------= Binary Usenet downloading made easy =--------- -= Get GrabIt for free from http://www.shemes.com/ =- . . From MikeE at ster.invalid Sun Jan 1 14:56:47 2006 From: MikeE at ster.invalid (Mike Easter) Date: Sun Jan 1 18:00:02 2006 Subject: [SpamCop-List] Re: Anyway to get this reported? References: Message-ID: GuitarMan wrote: > I paste the following into the submission window and then press the > Process Spam button and get the following error: > > SpamCop v 1.514 Copyright (C) 1998-2005, IronPort Systems, Inc. All > rights reserved. > Here is your TRACKING URL - it may be saved for future reference: > http://www.spamcop.net/sc?id=blahblahblah (hidden on purpose) Whenever you want to talk about the result of a parse, posting the tracker is all you are supposed to post -- not 'keep it a secret' and then post the usenet spam here in a discussion group, which you are *not* supposed to do. You are not supposed to post spam into the discussion groups. The best thing to do with a spam is to use the parser on it and post its tracker, not 'blahblahblah'. The only other alternative is to post the item in the ng spamcop.spam - which screws up the format unless you post it as an attachment. > Here is what is pasted to submit: > > Path: That is a usenet message. Reporting usenet spam is mostly a waste of time, and SC doesn't do a great job of parsing them, because its algorithm is very very simplistic. -- Mike Easter kibitzer, not SC admin From nobody at nowhere.invalid Mon Jan 2 00:01:47 2006 From: nobody at nowhere.invalid (Steven Maesslein) Date: Sun Jan 1 18:05:02 2006 Subject: [SpamCop-List] Re: vCard (was: Malformed Spamlink or New Type?) 
References: <43B59989.521B56A8@Spamcop.net.dev.null> <43B6E2FB.8BD1A59C@Spamcop.net.dev.null> <43B6F561.7FAC@xyzzy.claranet.de> <43B6FCF0.8E6902E6@Spamcop.net.dev.null> <43B84655.E8A46AEC@Spamcop.net.dev.null> Message-ID: On Sun, 01 Jan 2006 15:15:01 -0600, Michael Brennan coughed into spamcop and left this in <43B84655.E8A46AEC@Spamcop.net.dev.null>: > My OS is Win 98. I think I'm not supported beyond FF 1.0.4, Not true. http://www.mozilla.com/firefox/system-requirements.html > FF is a little slow out of the gate on boot, That's because, unlike Internet Exploder, it isn't loaded when the OS boots. It's one of those things called an "application" that's only loaded when you ask for it :o) > and the pages load fairly leisurely, but that may be my 26.4K > (nailed-up) dialup connection. That probably has something to do with it. On a laptop with similar muscle to your machine, FF 1.0.7 (haven't installed 1.5 on it yet) displays pages fairly quickly - but it is hooked up to a DSL connection with 10mbps down. -- Steve If the designers of X-window built cars, there would be no fewer than five steering wheels hidden about the cockpit, none of which followed the same principles -- but you'd be able to shift gears with your car stereo. Useful feature, that, -- From the programming notebooks of a heretic, 1990. From nobody at nowhere.invalid Mon Jan 2 00:06:40 2006 From: nobody at nowhere.invalid (Steven Maesslein) Date: Sun Jan 1 18:10:03 2006 Subject: [SpamCop-List] Re: Anyway to get this reported? References: Message-ID: On Sun, 1 Jan 2006 17:46:00 -0500, GuitarMan coughed into spamcop and left this in : > I paste the following into the submission window and then press the > Process Spam button and get the following error: > > SpamCop v 1.514 Copyright (C) 1998-2005, IronPort Systems, Inc. All rights > reserved. 
> Here is your TRACKING URL - it may be saved for future reference: > http://www.spamcop.net/sc?id=blahblahblah (hidden on purpose) > > No source IP address found, cannot proceed. A) Please do not post spam in here. Post it to the spamcop.spam newsgroup and point to it from your message sent here. B) There is no source IP address in the piece of usenet spam you provided. C) AFAIK, Spamcop no longer parses usenet postings anyway. Its main purpose is for reporting *e-mail* spam. -- Steve What's the definition of a will? (It's a dead giveaway). From MikeE at ster.invalid Sun Jan 1 15:13:45 2006 From: MikeE at ster.invalid (Mike Easter) Date: Sun Jan 1 18:15:03 2006 Subject: [SpamCop-List] Re: Anyway to get this reported? References: Message-ID: GuitarMan wrote: > Here is what is pasted to submit: SC's parser is not going to help you with that item, it does not have an nntp posting host line. The only thing you can do with that is to manually notify the news provider for the message if you are skilled enough to determine that from the path. It is difficult to determine which lines are bogus in a news message. For example, the Path doesn't appear to have bogosity in it, but the source newsserver line is unfamiliar to me. I am somewhat doubtful as to the veracity of the X-complaints-to line, but you could notify it and let them figure out if their notify is bogus. > Path: nwrdny02.gnilink.net!cycny02.gnilink.net! gnilink.net! cycny01.gnilink.net! hwmnpeer01.lga! hwmedia! hw-filter.lga! fe13.lga.POSTED! 2ce0aac1! not-for-mail I've put spaces after the bangs in the Path so that it will wrap. You read the path backwards from the 'hw' section to your own gnilink. > Message-ID: That correlates with the Path information. > X-Complaints-To: abuse@100ProofNews.com That's possible, I don't know. If it were true, it would be a good way to report this. > https://www.paypal.com You could notify paypal that their system is being used for a Ponzi scheme. 
> #1) flashingsnake_721@hotmail.com > #2) gigervy@hotmail.com > #3) fuspow@yahoo.co.uk > #4) terribird@voila.fr > #5) honestman123@lycos.com You could notify those email providers that those clients are using their accounts for an illegal activity. -- Mike Easter kibitzer, not SC admin From nobody at xyzzy.claranet.de Mon Jan 2 00:23:57 2006 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Sun Jan 1 18:30:02 2006 Subject: [SpamCop-List] Re: Anyway to get this reported? References: Message-ID: <43B8648D.58F0@xyzzy.claranet.de> GuitarMan wrote: > Here is your TRACKING URL - it may be saved for future reference: > http://www.spamcop.net/sc?id=blahblahblah (hidden on purpose) Bad idea, the tracking URL is the best way to discuss issues. If you never get that far you can post spam in the "spam" NG and discuss it here with a pointer by subject. Or better as followup to your own example switching from NG spamcop.spam to NG spamcop = here, that creates the proper references as pointer. But never post spam here. > No source IP address found, cannot proceed. Your spam is no mail, it's a news article. SC is very stupid wrt news... > Add/edit your mailhost configuration ...forget this for news spam, it's only relevant for mail... > Here is what is pasted to submit: > Path: > nwrdny02.gnilink.net!cycny02.gnilink.net!gnilink.net!cycny01.gnilink.net!hwmnpeer01.lga!hwmedia!hw-filter.lga!fe13.lga.POSTED!2ce0aac1!not-for-mail If that really is it (without tracking URL impossible to judge, it could be an oddity of your attempt to post it here). If it really is it, something destroyed the Path header field. It should be Path: nwrd... (etc. all in one long line) or if the header field is folded (multi-line) all other lines need white space at the beginning: Path: nwrd... That would do. It's not the one long line you got, but it is a proper folding recognized by SC. If you really tried only... Path: nwrd... ...SC is forced to "think" that nwrd...
is no header field or in other words the beginning of the spam body (ignoring all other header fields after the Path). > X-Complaints-To: abuse@100ProofNews.com Otherwise (no Path folding oddity in your real submission) SC normally just takes X-Complaints-To for news spam, but... > NNTP-Posting-Date: Sun, 01 Jan 2006 14:57:36 MST ...AFAIK it insists on an NNTP-Posting-Host header field. You don't have that, a hopeless case. Your own news server might be the problem (gnilink.net), talk to your news master about the obscure ...!hwmnpeer01.lga!... (etc.) part in the Path. From nobody at nowhere.invalid Mon Jan 2 00:33:29 2006 From: nobody at nowhere.invalid (Steven Maesslein) Date: Sun Jan 1 18:35:02 2006 Subject: [SpamCop-List] Re: Anyway to get this reported? References: Message-ID: On Sun, 1 Jan 2006 15:13:45 -0800, Mike Easter coughed into spamcop and left this in : >> #1) flashingsnake_721@hotmail.com >> #2) gigervy@hotmail.com >> #3) fuspow@yahoo.co.uk >> #4) terribird@voila.fr >> #5) honestman123@lycos.com > > You could notify those email providers that those clients are using > their accounts for an illegal activity. Yahoo, hotmail and wanadoo - they're *really* going to jump on that one :o) Lycos, OTOH, has its MXen with outblaze, which must be the one and only white-hat ISP in Asia. -- Steve Male cadavers are incapable of yielding testimony. From MikeE at ster.invalid Sun Jan 1 15:34:14 2006 From: MikeE at ster.invalid (Mike Easter) Date: Sun Jan 1 18:35:04 2006 Subject: [SpamCop-List] Re: Anyway to get this reported? References: Message-ID: Mike Easter wrote: > I am somewhat doubtful as to the veracity of the X-complaints-to line, > but you could notify it and let them figure out if their notify is > bogus. Now I am more confident that that is a good place to notify for this >> X-Complaints-To: abuse@100ProofNews.com > > That's possible, I don't know. If it were true, it would be a good > way to report this.
because it all fits together with the path and the mid and other similar items I've found from searching. There is a 100proofnews provider and they provide to individuals and to ISPs and others needing multiple accounts. -- Mike Easter kibitzer, not SC admin From nobody at xyzzy.claranet.de Mon Jan 2 00:39:52 2006 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Sun Jan 1 18:45:02 2006 Subject: [SpamCop-List] Re: vCard References: <43B59989.521B56A8@Spamcop.net.dev.null> <43B6E2FB.8BD1A59C@Spamcop.net.dev.null> <43B6F561.7FAC@xyzzy.claranet.de> <43B6FCF0.8E6902E6@Spamcop.net.dev.null> <43B84655.E8A46AEC@Spamcop.net.dev.null> Message-ID: <43B86848.601B@xyzzy.claranet.de> Michael Brennan wrote: > I'm a bit resource-challenged at only 160 megs of RAM and a > 300-MHz P-II MMX CPU. My box is worse, tnx for info, now I know that testing FF would be a waste of time. If you disable the odd Netscape 4.x idea of "style sheets" it isn't too bad (Edit -> Pref -> Advanced -> enable style sheets). On my box Netscape 4.x is already too slow, I use it only for hard cases where Netscape 3.x is seriously lost (Javascript or obscure https issues). Bye, Frank From nobody at xyzzy.claranet.de Mon Jan 2 00:57:19 2006 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Sun Jan 1 19:00:03 2006 Subject: [SpamCop-List] Re: SC problems... References: Message-ID: <43B86C5F.6342@xyzzy.claranet.de> jg wrote: > And am I wasting my time in canceling and resubmitting? If you do it now (12 hours later), yes: dfhrgfh.info (-654-21-): .multi.surbl.org It's already on 5 of 6 SURBLs, incl. 1 = SC.surbl.org. You can check this with `host dfhrgfh.info.SC.surbl.org` : | dfhrgfh.info.sc.surbl.org = 127.0.0.2 Listed on SC.surbl. Or `host dfhrgfh.info.multi.surbl.org` : | dfhrgfh.info.multi.surbl.org = 127.0.0.118 118 = 2 + 4 + 16 + 32 + 64 = 2^1 + 2^2 + 2^4 + 2^5 + 2^6, the 1 in 2^1 stands for "listed on SC.surbl" in the MULTI output.
-- Frank From MikeE at ster.invalid Sun Jan 1 16:06:19 2006 From: MikeE at ster.invalid (Mike Easter) Date: Sun Jan 1 19:10:03 2006 Subject: [SpamCop-List] Re: vCard References: <43B59989.521B56A8@Spamcop.net.dev.null> <43B6E2FB.8BD1A59C@Spamcop.net.dev.null> <43B6F561.7FAC@xyzzy.claranet.de> <43B6FCF0.8E6902E6@Spamcop.net.dev.null> <43B84655.E8A46AEC@Spamcop.net.dev.null> <43B86848.601B@xyzzy.claranet.de> Message-ID: Frank Ellermann wrote: > Michael Brennan wrote: > >> I'm a bit resource-challenged at only 160 megs of RAM and a >> 300-MHz P-II MMX CPU. > > My box is worse, tnx for info, now I know that testing FF would > be a waste of time. If you disable the odd Netscape 4.x idea > of "style sheets" it isn't too bad (Edit -> Pref -> Advanced -> > enable style sheets). > > On my box Netscape 4.x is already too slow, I use it only for > hard cases where Netscape 3.x is seriously lost (Javascript or > obscure https issues). Has anyone tried any of the operas? Either current or older versions which are available in the archives? http://www.opera.com/download/ Opera 8.51 for Windows, English (US) version - Show other languages and platforms http://arc.opera.com/pub/opera/ These are the Opera FTP archives for older versions of Opera. There's a not insignificant contingent which prefers opera to FF. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sun Jan 1 16:17:06 2006 From: MikeE at ster.invalid (Mike Easter) Date: Sun Jan 1 19:20:03 2006 Subject: [SpamCop-List] Re: vCard References: <43B59989.521B56A8@Spamcop.net.dev.null> <43B6E2FB.8BD1A59C@Spamcop.net.dev.null> <43B6F561.7FAC@xyzzy.claranet.de> <43B6FCF0.8E6902E6@Spamcop.net.dev.null> <43B84655.E8A46AEC@Spamcop.net.dev.null> <43B86848.601B@xyzzy.claranet.de> Message-ID: Mike Easter wrote: > Has anyone tried any of the operas? Either current or older versions > which are available in the archives?
Here's a note from a ng post 2004 May 23 // IME, a major issue with running Opera on older Pentium-class systems is memory. Opera 7 may not be happy with 16 megs, but for me, it ran well on a P100 with 64 and Win98 SE lite. As I recall, Matthew would have problems with O7 where I wouldn't not because he was using Win95, but because 7.x wants more memory than 6.06. // Newsgroups: opera.general Subject: Re: Opera turmed into Shit Date: Sun, 23 May 2004 16:59:19 +0000 (UTC) Message-ID: http://snipurl.com/l7iy snurled gg to the thread -- Mike Easter kibitzer, not SC admin From g.hyde at bigpond.net.au Mon Jan 2 10:53:57 2006 From: g.hyde at bigpond.net.au (Geoffrey Hyde) Date: Sun Jan 1 19:55:02 2006 Subject: [SpamCop-List] Very suspicious spam email. Message-ID: http://www.spamcop.net/sc?id=z850489359zb3d9b4a9fd85fbd15c4e959233b1a988z Following this one up, SpamCop sends abuse reports to abuse AT gblx DOT net - which isn't, AFAIK, a paypal owned site or abuse email. I reported it as spam but put a warning notice in the 'comments' field, as I'm not sure if this was actually from paypal. I also forwarded it onto spoof AT paypal DOT com but as yet have not received a reply back from them. As to why I reported it, if it really IS from paypal they should have informed me by now with an email from their spoof address. Cheers ... Geoffrey Hyde From MikeE at ster.invalid Sun Jan 1 17:17:15 2006 From: MikeE at ster.invalid (Mike Easter) Date: Sun Jan 1 20:20:03 2006 Subject: [SpamCop-List] Re: Very suspicious spam email. References: Message-ID: Geoffrey Hyde wrote: www.spamcop.net/sc?id=z850489359zb3d9b4a9fd85fbd15c4e959233b1a988z Subject: Very suspicious spam email. Before you 'read' the interior of an unknown mail [ideally, or even its subject/from, for that matter] you should look at its headers to begin to characterize things before you start reading what a spammer wants you to read. 
It is sourced from 206.165.246.84 rDNS email-84.paypal.com That is pretty likely to be from paypal, yes? Then it has list-unsubscribe headers, like a paypal mailing list item. So, now that we are comfortable assuming the item is from paypal, we open and read it accordingly. Too many people open unknown mails to determine what they are. That is a bad practice; they shouldn't be opening anything that hasn't already had its headers analyzed. And if its headers contain bogosity and other spammishness, the body shouldn't be rendered before it is inspected for the risks of its content. So, now we're opening a paypal missive. What does it turn out to be? It is an informational and promotional about what's up with paypal .au vs paypal the regular, a Calif. corp. So, yes, it is meant for you to read and digest the 'meaning' of the paypal.au transition. > Following this one up, SpamCop sends abuse reports to abuse AT gblx > DOT > net - which isn't, AFAIK, a paypal owned site or abuse email. The source 206.165.246.84 rDNS email-84.paypal.com lives in here whois -h whois.arin.net 206.165.246.84 ... OrgName: Global Crossing NetRange: 206.165.0.0 - 206.165.255.255 OrgAbuseEmail: abuse@gblx.net > I > reported it as spam but put a warning notice in the 'comments' field, > as I'm not sure if this was actually from paypal. I also forwarded > it onto spoof AT paypal DOT com but as yet have not received a reply > back from them. I think a better strategy is to have a 'practice' or routine for handling unknown mail in which you analyze it by its headers first, and then depending upon your 'sense' of it by the headers, you may then for 'honest' headers evaluate the content of the body. In this case, SC can help you with the header analysis and sez this about the source host 206.165.246.84 = email-84.paypal.com > As to why I reported it, if it really IS from paypal they should have > informed me by now with an email from their spoof address. I don't know what that sentence means. 
-- Mike Easter kibitzer, not SC admin From mwnospam at comcast.net Sun Jan 1 20:54:47 2006 From: mwnospam at comcast.net (spamacyde) Date: Sun Jan 1 20:55:03 2006 Subject: [SpamCop-List] Re: Bogus Spamvertised Web Links References: Message-ID: "Mike Easter" wrote in message news:dp9hvj$736$1@news.spamcop.net... > spamacyde wrote: > > Is it possible for a spammer to provide a link that involves the IP > > address of a legitimate web site if they want to mess with the spam > > recipient or host of that web site? > > Innocent bystander IB links are frequently included in spambodies. A SC > reporter is supposed to uncheck any IBs which SC doesn't know should be > considered an IB and there is a faq on that > http://www.spamcop.net/fom-serve/cache/126.html How should I select the > recipients for my spam report? > > // Spammers will often include innocent parties' addresses in spam in an > effort to confuse and discredit. [...] These are "innocent bystanders" > and should not be reported as spammers. Make sure these boxes are > unchecked if you are not fairly sure the address in question is being > used by the spammer. // > > > If the answer to the question above is yes, when spamcop deobfuscates > > links in a spam message, does it make an attempt to verify whether > > the links point to a "bad" website as opposed to a "good" one? > > Yes and No -- if a URL is /known/ to be an IB or there are other causes > of a URL to not lead to a SC notify which has been entered into the db. > But, SC doesn't otherwise have some kind of 'artificial intelligence' > which it uses to 'derive' that a found URL is an IB vs a payload URL. > It is dependent upon human deputy admins to enter db information or on > SC reporters to determine IBness.
> > > If the answer to the second question is no, what do I need to do to > > protect myself when clicking on a link to verify that it goes to a > > "bad" site ie one that is trying to sell me potions as opposed to > > Fred's blog about pine trees or no site at all? > > If it is your intention to notify about a body's spamvertised site and > you can't tell from the context of the unrendered spam, the next step in > the process of evaluating a spam is to carefully render it after you > have determined what security precautions you should take before doing > so. Some would call that 'opening' the spam, securely. > > If you have rendered the content of the spambody and you still can't > tell the IB from the spamvertiser, you can find one of several ways to > determine what is at the URL payload site or any redirection or frame > handling from/at the payload site. You can do that using a GET function > from a console, or you can do that with a websniffer site, or you can do > that with a browser which has been properly secured. > > One would hope that that entire process doesn't profit the spammer more > than it hurts hir. If you are going to all of that trouble just to > notify a blackhat provider who is going to be handing over the report > evidence to the spammer and not taking some action against the spammer, > then you are wasting your time and you might be aiding the spamvertiser > with ad profit and whatever advantage may be gained by getting the > evidence of your report. > > Some spams could do without reporting of the spamvertiser to the SC > derived notify. > > I am of the opinion that it should be the option of the reporter whether > or not the website should be reported to the SC derived website > provider -- in addition to putting the spamvertised site on the > statistics page and/or submitted to the sc-surbl.
> > > -- > Mike Easter > kibitzer, not SC admin > From nobody at xyzzy.claranet.de Mon Jan 2 03:05:53 2006 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Sun Jan 1 21:10:03 2006 Subject: [SpamCop-List] Re: Very suspicious spam email. References: Message-ID: <43B88A81.70A4@xyzzy.claranet.de> Geoffrey Hyde wrote: > As to why I reported it, if it really IS from paypal they > should have informed me by now with an email from their > spoof address. Legit, see Mike's detailed answer. It's also their style to address the nightmare of different laws by "local" paypal sites. Another good point, they use your name, the phishers would try to get away with "dear paypal customer". One dark spot, paypal.com has an SPF policy, and you might be used to get a PASS for legit paypal mail. Now they forgot to publish an SPF policy for their new email.paypal.com.au domain. Just tell them that you want a PASS if you miss it. Bye, Frank From usa at yourface.com Sun Jan 1 21:43:44 2006 From: usa at yourface.com (GuitarMan) Date: Sun Jan 1 21:45:02 2006 Subject: [SpamCop-List] Re: Anyway to get this reported? References: Message-ID: Thank you everyone for your help and suggestions... From bar_n0ne at hotmail.com Mon Jan 2 09:09:10 2006 From: bar_n0ne at hotmail.com (Berny) Date: Mon Jan 2 00:10:09 2006 Subject: [SpamCop-List] Re: Spamcop causing problems (fscking TROLLS and newsgroup spammers) References: Message-ID: "Aviatrix" wrote in message news:dp9h9f$6gh$1@news.spamcop.net... > Vanguard wrote: > SNIP > Sadly we haven't heard from the OP since his original post. If he were > to come back here and tell us ...SNIPPED Are you guys serious? Come on , the OP was a TROL:L, like spam the tone, sound, style and nature of these biweekly missives are far too similar to each other to be coincidence. Yes we do get posters with a real beef, (actual and similar situations) but their letters don't have this dreary sameness. 
I've been watching these kind of missive for a long time,

1)They NEVER have the rejection message,

2) They NEVER identify sending or, receiving ISP, or any email address.

2)They always involve some sob story with a , sick, old infirm, handicapped etc. relation.

3) The Poster claims NEVER to have spammed, well they spammed the newsgroup about weekly it looks like..

4) The OP NEVER returns

For the future I suggest a simple boilerplate that suggests reading the FAQ's and that they should be thankful their infirm relations ISP rejected their mail instead of dropping it in the bit bucket so they wouldn't just think their old relative died because of unresponsiveness.

From nobody at devnull.spamcop.net Mon Jan 2 14:27:45 2006
From: nobody at devnull.spamcop.net (Patto)
Date: Mon Jan 2 00:30:03 2006
Subject: [SpamCop-List] Re: How can I report SPAM *without* opening the e-mail?
In-Reply-To:
References:
Message-ID:

Andy Miller wrote:
> Hi,
>
> I use MS Outlook. I'm happy to do the Options-Headers thing and report all
> headers but I really don't like actually opening the SPAM mail. Sure I have
> virus scanners but still I don't like opening mail that was unsolicited and
> from an unknown source.
>
> I read somewhere that forwarding from Outlook wasn't "good enough" but even
> if it were the operation of forwarding would open the e-mail.
>
> Can't I just send in a report with the whole *unopened* e-mail as an
> attachment?
>
> Thanks,
> Andy

I use OL Spamcop with Outlook 2003. It's a quick download, easy install, and highly configurable.

From MikeE at ster.invalid Sun Jan 1 21:31:21 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Jan 2 00:35:03 2006
Subject: [SpamCop-List] Re: Spamcop causing problems (fscking TROLLS and newsgroup spammers)
References:
Message-ID:

Berny wrote:
> Are you guys serious?
>
> Come on , the OP was a TROLL, like spam the tone, sound, style and
> nature of these biweekly missives are far too similar to each other
> to be coincidence.

I disagree. David Matthews is a real person with a real email addy and a real website, 2 in fact, related to his profession as a mountain walk leader. That person is the right age to have an elderly father. And his personal information is available on the websites and the domainname registrations. > 1)They NEVER have the rejection message, > > 2) They NEVER identify sending or, receiving ISP, or any email > address. > > 2)They always involve som sob story with a , sick, old infirm, > handicapped etc. relation. > > 3) The Poster claims NEVER to have spammed, well they spammed the > newsgroup about weekly it looks like.. > > 4) The OP NEVER returns The business about how the stereotypical person who has had their email blocked 'behaves' in terms of not presenting the IP address 'properly' doesn't prove they are a troll -- and the business about someone showing up here and getting the sense of what it is all about and then leaving is without filling in the details also not so very surprising. I respond to some possible trolls sometimes -- I don't think this was one of them. Besides reading the headers, I also read the 'handwriting' of a poster. -- Mike Easter kibitzer, not SC admin From g.hyde at bigpond.net.au Mon Jan 2 15:49:15 2006 From: g.hyde at bigpond.net.au (Geoffrey Hyde) Date: Mon Jan 2 00:50:03 2006 Subject: [SpamCop-List] Re: Very suspicious spam email. References: <43B88A81.70A4@xyzzy.claranet.de> Message-ID: It might be their 'style' to do things this or that way but how do I know for sure until they prove or disprove it? Spammers have in the past attempted to simulate real websites, and a country code trick was used more than once to fool people. As this email looks to me, it is *very* badly done, there are a whole bunch of things I don't like about their supposed 'style' of writing - that also suggest if this is them they need their marketing and contact emails updated, or if it is not them that it is a very clever spammer operating behind the site. 
If it smells bad, I see no harm in SC reporting it, if they are genuinely paypal they will let me know. It's extremely fishy for a paypal email like this to have an abuse address outside of their main paypal domain, especially considering all their currently known abuse addresses goto abuse AT paypal DOT com or similar EG the spoof AT paypal DOT com etc. Cheers ... Geoffrey Hyde "Frank Ellermann" wrote in message news:43B88A81.70A4@xyzzy.claranet.de... > Geoffrey Hyde wrote: > >> As to why I reported it, if it really IS from paypal they >> should have informed me by now with an email from their >> spoof address. > > Legit, see Mike's detailed answer. It's also their style > to address the nightmare of different laws by "local" paypal > sites. Another good point, they use your name, the phishers > would try to get away with "dear paypal customer". > > One dark spot, paypal.com has an SPF policy, and you might > be used to get a PASS for legit paypal mail. Now they forgot > to publish an SPF policy for their new email.paypal.com.au > domain. Just tell them that you want a PASS if you miss it. > > Bye, Frank > From vanguard.code at comcastNIX.net Sun Jan 1 23:49:24 2006 From: vanguard.code at comcastNIX.net (Vanguard) Date: Mon Jan 2 00:50:07 2006 Subject: [SpamCop-List] Re: Spamcop causing problems (fscking TROLLS and newsgroup spammers) References: Message-ID: "Berny" wrote in message news:dpachp$mcd$1@news.spamcop.net... > > Are you guys serious? > > Come on , the OP was a TROL:L, like spam the tone, sound, style and nature > of these biweekly missives are far too similar to each other to be > coincidence. > > Yes we do get posters with a real beef, (actual and similar situations) > but > their letters don't have this dreary sameness. I've been watching these > kind > of missive for a long time, > > 1)They NEVER have the rejection message, > > 2) They NEVER identify sending or, receiving ISP, or any email address. 
>
> 2)They always involve some sob story with a , sick, old infirm, handicapped
> etc. relation.
>
> 3) The Poster claims NEVER to have spammed, well they spammed the newsgroup
> about weekly it looks like..
>
> 4) The OP NEVER returns
>
> For the future I suggest a simple boilerplate that suggests reading the
> FAQ's and that they should be thankful their infirm relations ISP rejected
> their mail instead of dropping it in the bit bucket so they wouldn't just
> think their old relative died because of unresponsiveness.

Work in support for awhile (or just participate in newsgroups for a long time) and you would realize that there are LOTS of dumb users out there, and most are dumb on the same topics. Would you like to count how many times different users have asked the same old tired and highly repeated question on how to get Outlook Express to stop blocking attachments? Yeah, it's right there but the users are too f..king stupid or lazy to ever bother looking at the options of a program to effect changes to its behavior. I don't often answer those posts anymore but sometimes I do. Depends on my mood and time available.

Have you counted how many "valid" questions (according to whatever is your criteria) have been asked by an OP that never returns or never replies after reading the replies from others? If you need the OP to reply to stroke your ego, Usenet is not for you. It is rare that the OP comes back to give thanks, damnation, or in any way follows up on their post.

Yes, there are many posters who post about someone else's problem but since they are not trained as support personnel they haven't a clue about what information they should gather and divulge in their post. I have a mother-in-law that when I get to the second sentence of a dumbed down explanation has her lost already. Yes, there are folks that have a natural and strong resistance to technology or are just too lazy to learn anymore.
Those "I just want to use the damn thing" users who want computers to act as predictably as a washing machine won't be the ones coming here to ask questions because they won't know how to get here, won't know the community or netiquette, and really don't care about here because they have someone else to ask for help.

I guess if you don't want to get caught up in what you think is a troll post, the best solution is not to participate at all. However, since you did participate, and if it was a troll, he got you, too. Hah hah!

--
_______________________________________________________
** Post replies to the newsgroup. Share with others.
** For e-mail, remove "NIX" and append "#VC811" to Subject.
_______________________________________________________

From jg at coks.net Sun Jan 1 21:53:13 2006
From: jg at coks.net (jg)
Date: Mon Jan 2 00:55:03 2006
Subject: [SpamCop-List] Re: SC problems...
In-Reply-To: <43B86C5F.6342@xyzzy.claranet.de>
References: <43B86C5F.6342@xyzzy.claranet.de>
Message-ID:

On 1/1/2006 3:57 PM Frank Ellermann scribbled:

> If you do it now (12 hours later), yes:

didn't notice the time frame at the time, but the question wasn't time specific, more rhetorical...

>
> dfhrgfh.info (-654-21-): .multi.surbl.org
>
> It's already on 5 of 6 SURBLs, incl. 1 = SC.surbl.org.
>
> You can check this with `host dfhrgfh.info.SC.surbl.org` :
>
> | dfhrgfh.info.sc.surbl.org = 127.0.0.2
>
> Listed on SC.surbl. Or `host dfhrgfh.info.multi.surbl.org` :
>
> | dfhrgfh.info.multi.surbl.org = 127.0.0.118
>
> 118 = 2 +4 +16 +32 + 64 = 2^1 +2^2 +2^4 +2^5 +2^6, the 1
> in 2^1 stands for "listed on SC.surbl" in the MULTI output.

/That/ is complete greek to me - I'm not an admin, nor an IT guy...

But thanks for the input -

bye, jg

From g.hyde at bigpond.net.au Mon Jan 2 15:58:01 2006
From: g.hyde at bigpond.net.au (Geoffrey Hyde)
Date: Mon Jan 2 01:00:04 2006
Subject: [SpamCop-List] Re: Very suspicious spam email.
References: Message-ID: "Mike Easter" wrote in message news:dp9uuo$fhr$1@news.spamcop.net... > Geoffrey Hyde wrote: > www.spamcop.net/sc?id=z850489359zb3d9b4a9fd85fbd15c4e959233b1a988z >> As to why I reported it, if it really IS from paypal they should have >> informed me by now with an email from their spoof address. > > I don't know what that sentence means. Most forwarded messages to their spoof address will usually have replies which come back from that same address. Also, a lot of people seem to think that I know who owns what address, and that I trust DNS info given out by servers. However, I'm not too trusting of them, as I can't know all possible address registrants, and if it doesn't look plausible, I have to know why it would be plausible in order to trust that sort of information. If I don't know why ... Well, you get the general idea - I think most people on the internet are far TOO trusting of sites, I don't work it that way unless I have factual data that supports the theory. Cheers ... Geoffrey Hyde From bar_n0ne at hotmail.com Mon Jan 2 09:58:00 2006 From: bar_n0ne at hotmail.com (Berny) Date: Mon Jan 2 01:00:06 2006 Subject: [SpamCop-List] Re: Spamcop causing problems (fscking TROLLS and newsgroup spammers) References: Message-ID: "Mike Easter" wrote in message news:dpadr5$n2q$1@news.spamcop.net... > Berny wrote: > > SNIP. > > I disagree. David Matthews is a real person with a real email addy and > a real website, 2 in fact, related to his profession as a mountain walk > leader. That person is the right age to have an elderly father. And > his personal information is available on the websites and the domainname > registrations. 
> SNIP > > The business about how the stereotypical person who has had their email > blocked 'behaves' in terms of not presenting the IP address 'properly' > doesn't prove they are a troll -- and the business about someone showing > up here and getting the sense of what it is all about and then leaving > is without filling in the details also not so very surprising. > > I respond to some possible trolls sometimes -- I don't think this was > one of them. > > Besides reading the headers, I also read the 'handwriting' of a poster. That.s also what I look at, I find too many of these have the same "handwriting" style. Maybe this OP was genuine, Maybe it was Mr. Matthews, also Maybe not, perhaps you know more than I. From vanguard.code at comcastNIX.net Mon Jan 2 00:21:54 2006 From: vanguard.code at comcastNIX.net (Vanguard) Date: Mon Jan 2 01:25:02 2006 Subject: [SpamCop-List] Re: Very suspicious spam email. References: Message-ID: "Geoffrey Hyde" wrote in message news:dp9tk6$emh$1@news.spamcop.net... > http://www.spamcop.net/sc?id=z850489359zb3d9b4a9fd85fbd15c4e959233b1a988z > > Following this one up, SpamCop sends abuse reports to abuse AT gblx DOT > net - which isn't, AFAIK, a paypal owned site or abuse email. I reported > it as spam but put a warning notice in the 'comments' field, as I'm not > sure if this was actually from paypal. I also forwarded it onto spoof AT > paypal DOT com but as yet have not received a reply back from them. > > As to why I reported it, if it really IS from paypal they should have > informed me by now with an email from their spoof address. Go to https://www.paypal.com/au/. Click on the "Product Disclosure ... ARBN ..." link on the right side. Unfortunately Paypal decided to go through Doubleclick for the link which is, in my opinion, very stupid for any so-called "official" announcment. All but one tag pointed to paypal.com to get the image file. 
The one that did not point to Paypal (link.p0.com) looks like a web bug to track if you ever opened their e-mail (domain registration says the registrant is Yesmail, http://www.yesmail.com/), but then, like an educated e-mail user, the option to block linked images in your e-mail client is already enabled. There are no tags to links to take you anywhere, so it is an information-only e-mail. If you really are a PayPal customer then it is even less likely that it is spam (as your contract with them permits them to send you notification unless there is an option to disable those), and if you are a PayPal customer then you falsely accused them of spamming you since it is highly likely that you agreed to get those notifications.

PayPal did violate one principle of good e-mail, however: they did NOT include a plain-text MIME part in their HTML-formatted message. Of course, there may be an option in the configuration of your PayPal account that specified in what format you want their notifications, but HTML-formatted e-mails should always include a plain-text MIME part (some anti-spam products will increase the spam rating for HTML-formatted e-mails without a plain-text part).

From the Received header (the one that YOUR mail server got), The IP address (see http://www.dnsstuff.com/tools/whois.ch?ip=206.165.246.84) is allocated to Global Crossing. If you do a traceroute on email-84.paypal.com, again you are going through glbx.net (http://www.dnsstuff.com/tools/tracert.ch?ip=email-84.paypal.com). That is why glbx.net is listed as a recipient of your spam report.

Looks like a legitimate PayPal notification that they sent through Yesmail services which got delivered through Global Crossing. If you are a PayPal customer, you probably just falsely accused them of spamming.

I don't recall ever getting a human-written response from sending a suspect mail to their spoof e-mail address. I don't think it was spam because you never did mention NOT being a Paypal member.
-- _______________________________________________________ ** Post replies to the newsgroup. Share with others. ** For e-mail, remove "NIX" and append "#VC811" to Subject. _______________________________________________________ From bar_n0ne at hotmail.com Mon Jan 2 13:00:20 2006 From: bar_n0ne at hotmail.com (Berny) Date: Mon Jan 2 04:05:06 2006 Subject: [SpamCop-List] shopping spree and claim your free (whatever) is back Message-ID: On MCI, Only now (Lindsey?) is sending from China, but the sites are hosted at MCI.(again) Interestingly the turdlets arrive almost simultaneously with 2 adultactioncam.com turdlets, about 4 times a day. (those ones with multiple zombie hosted redirectors) Wonder if Lindsey has hooked up with the blah-blah-cam crowd now? one of many: http://www.spamcop.net/sc?id=z850648244zc052fa7b29fa231ca1dda9a71bd5c964z new spamvertizing names every day, same small subset of IP's From redford_stone at INVERSE_OF_COLDmail.com Mon Jan 2 12:14:01 2006 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Mon Jan 2 07:15:03 2006 Subject: [SpamCop-List] Re: Anyone come across those nasty WMFs? References: <43B59989.521B56A8@Spamcop.net.dev.null> <43B6F057.5799@xyzzy.claranet.de> Message-ID: Frank Ellermann wrote in news:43B6F057.5799 @xyzzy.claranet.de: > Redstone wrote: > >> I've heard that spammers are beginning to employ them, >> but haven't seen it personally. > > I've read that the new "Google redirection greeting card" > crap tries this, but the one I got was already a dead > link. The link in my case ended with ".exe", so maybe > it wasn't a WMF. > It tried to download an executable it seems. (Good thing that the link was dead.) Seems whatever boobytrapped image you tried to look at worked. > If it was, then cutting the association for *.wmf won't > get it. 
>
> MS offers a hard way to deregister the broken DLL:
>
> http://www.microsoft.com/technet/security/advisory/912840.mspx
>
> US-CERT mumbled something about a "file magic" (like MZ
> for executable files or PK for ZIP), but apparently WMF
> has no such magic, or I didn't get their idea.
>
> http://www.kb.cert.org/vuls/id/181038
> http://en.wikipedia.org/wiki/Windows_Metafile
>
> Frank
>

The crappy thing is that it is a VERY temporary workaround. My images and metafiles are registered with another program (ACDsee).. not sure if it helps any, but I'm not taking any chances.

From redford_stone at INVERSE_OF_COLDmail.com Mon Jan 2 12:20:00 2006
From: redford_stone at INVERSE_OF_COLDmail.com (Redstone)
Date: Mon Jan 2 07:20:03 2006
Subject: [SpamCop-List] Re: straight spammer error or some trickery attempt gone astray?
References:
Message-ID:

"Mike Easter" wrote in news:dp6q3h$q64$1@news.spamcop.net:

> Or maybe it happened somewhere in between in the
> handling between the spamsource and your mailserver.
>

Nah.. don't give the spammers that much credit. More like b0rken spamware. If I had a nickel for every spam I received missing something critical (namely the URL itself)...

From nobody at devnull.spamcop.net Mon Jan 2 07:41:59 2006
From: nobody at devnull.spamcop.net (Miss Betsy)
Date: Mon Jan 2 07:45:03 2006
Subject: [SpamCop-List] Re: Very suspicious spam email.
References:
Message-ID:

"Vanguard" wrote in message news:dpagq2$ovt$1@news.spamcop.net...

> If you are a PayPal customer, you
> probably just falsely accused them of spamming.

I have a hard time deciding about some PayPal emails also. I am not a regular user of PayPal, but had to sign up in order to use my credit card so I do get legitimate ones occasionally. I generally ignore them since I am not interested. If I need to use them again, the rules or whatever will probably have been changed and I can find out then.
I did have one that said that my account had been repeatedly attempted access and that if it wasn't me, to do something. It sure looked legitimate (in the headers and message source), but at the time, I didn't have the time to look up passwords, etc. and go to the site and see what was going on. Probably not a good idea to procrastinate. I don't usually report the ones I am unsure of, though I follow the reasoning that the OP had. Legitimate sites that are often spoofed ought to insure that when one gets a legitimate email from them, that there is no question. Reporting it shows that, at least, one person was confused. While I don't think the spoof submission would be answered, IMHO, the spamcop report ought to have been if it was legitimate. Miss Betsy From g.hyde at bigpond.net.au Mon Jan 2 23:47:57 2006 From: g.hyde at bigpond.net.au (Geoffrey Hyde) Date: Mon Jan 2 08:50:03 2006 Subject: [SpamCop-List] Re: Very suspicious spam email. References: Message-ID: "Miss Betsy" wrote in message news:dpb6vi$4fv$1@news.spamcop.net... > "Vanguard" wrote in message > news:dpagq2$ovt$1@news.spamcop.net... > >> If you are a PayPal customer, you >> probably just falsely accused them of spamming. > I don't usually report the ones I am unsure of, though I follow the > reasoning that the OP had. Legitimate sites that are often spoofed > ought to insure that when one gets a legitimate email from them, > that there is no question. Reporting it shows that, at least, one > person was confused. While I don't think the spoof submission > would be answered, IMHO, the spamcop report ought to have been if > it was legitimate. IMHO, in the case of a popular site like PayPal, they ought to insure (or is ensure a better word?) that they are seen to be coming from the one source site. If they are not, they risk confusion amongst members who don't regularly use PayPal. 
I would consider myself a medium to low-use customer as I don't often visit their site unless I have a specific reason to, like send or receive money ... It is therefore highly suspect of a PayPal email (genuine or not) to have abuse addresses that the intended recipient is unfamiliar with. I also have very little time or practical use to go wading through pages and pages of TOU documents just to find one small relevant paragraph that might help me decide an email's legitimacy or not. I originally read the first couple of paragraphs of PayPal's TOU, and skipped down till I found the "I agree" button. Why? Because it is very long-winded, it's impractical to expect someone to be reading the whole document in one pass. The same could be said of Microsoft's EULAs. But enough of that, I am heartily sick and tired of having to judge every single email on it's merits and 'might be legitimate' points. I'd really like it if SC could tell me if it's analysis code tells it this was a legitimate email. Or if there is a site that could do that for me. It's really a lot of work having to track down URLs, check server listings, and so forth. Cheers ... Geoffrey Hyde From bar_n0ne at hotmail.com Mon Jan 2 18:24:34 2006 From: bar_n0ne at hotmail.com (Berny) Date: Mon Jan 2 09:25:02 2006 Subject: [SpamCop-List] Re: Very suspicious spam email. References: Message-ID: "Geoffrey Hyde" wrote in message news:dpbaub$6gk$1@news.spamcop.net... SNIP > But enough of that, I am heartily sick and tired of having to judge every > single email on it's merits and 'might be legitimate' points. I'd really > like it if SC could tell me if it's analysis code tells it this was a > legitimate email. Or if there is a site that could do that for me. It's > really a lot of work having to track down URLs, check server listings, and > so forth. I actually find SC a damn good authenticator and use it any time I get email about bank accounts etc. 
(not only phishes, but also legit ones from my bank), of course in those latter cases I don;t sent LARTS From MikeE at ster.invalid Mon Jan 2 06:51:56 2006 From: MikeE at ster.invalid (Mike Easter) Date: Mon Jan 2 09:55:03 2006 Subject: [SpamCop-List] Re: Very suspicious spam email. References: Message-ID: Geoffrey Hyde wrote: > But enough of that, I am heartily sick and tired of having to judge > every single email on it's merits and 'might be legitimate' points. Here are some snips from the item, trying to be brief but paste enough here: // Dear Geoffrey Hyde, PayPal, Inc. is pleased to announce that we are preparing to introduce PayPal Australia [...] Until PayPal Australia begins operating in February 2006, your customer relationship continues to be with PayPal, Inc. (a US company), [...] With the introduction of our new Australian company, your customer relationship will automatically be transferred to PayPal Australia which we anticipate will occur on 2 February 2006. [...] minor consequential changes to the User Agreement and its incorporated policies and the Privacy Policy If you do not wish to hold a PayPal Australia account and would prefer to continue your relationship with PayPal, Inc., you may only do so if you are a resident in the United States and your primary address in your PayPal account, as of 2 February 2006, is a legitimate postal address within the United States. If your primary address is not in the United States and you do not wish to receive services from PayPal Australia, you may close your account at any time, either before or after the transition. To modify your notification preferences, log in to your PayPal account, click the Profile sub-tab, then click the Notifications link under Account Information. // > I'd really like it if SC could tell me if it's analysis code tells it > this was a legitimate email. Or if there is a site that could do > that for me. My provider has a site to 'test' whether a spamvertised URL is from them. 
// Use this tool to determine if a web site is a legitimate EarthLink or EarthLink partner site. // http://support.earthlink.net/ Verify a Website! ... but I don't think that tool is particularly valuable -- since the unwitting recipient is going to open the mail and copy the URL from the rendered phish. Paypal doesn't have a gizmo for testing their mail. I just searched around for one. > It's really a lot of work having to track down URLs, > check server listings, and so forth. The SC reporter has a somewhat higher level of responsibility to be able to examine the headers and body of a mail to determine if it is spam or not than the average 'citizen' email recipient who is not a reporter -- Mike Easter kibitzer, not SC admin From mwnospam at comcast.net Mon Jan 2 09:58:38 2006 From: mwnospam at comcast.net (spamacyde) Date: Mon Jan 2 10:00:02 2006 Subject: [SpamCop-List] Spamcop Mistracking? Message-ID: I have a spam that asks me to click on http://1098.net. Spamcop says the ISP assoociated with it is Internap. If I ping 1098.net, then lookup the IP address with Arin, Arin says it's Go Daddy Software. Please explain. I reported the spam by pasting it in the form and I don't see a tracker on the resulting web page. Sorry From MikeE at ster.invalid Mon Jan 2 07:00:38 2006 From: MikeE at ster.invalid (Mike Easter) Date: Mon Jan 2 10:05:03 2006 Subject: [SpamCop-List] Re: Very suspicious spam email. References: Message-ID: Geoffrey Hyde wrote: > But enough of that, I am heartily sick and tired of having to judge > every single email on it's merits and 'might be legitimate' points. That could be very tedious if you have a lot of spam all mixed up together in your Inbox with your goodmail. That isn't the way I manage my Inbox. My inbox doesn't have any spam in it. All of my spam is in my Junk folder because its headers and interior body contents have been evaluated by SpamPal. 
SP uses my choice of dnsbl/s and its regex and other body plugins against my whitelisteds to comb the headers and body in a sophisticated fashion which is almost perfect and never has any false positives. Similarly, spamcop email subscribers have their mail well separated into spam and goodmail. This item would not have been in my Junk mail folder -- and if I don't recognize an item in my Inbox as spam vs goodmail, I check its headers first for veracity, finding bogosity there, I move it into Junk. Finding honesty in the header, I check its body for safety, then render it securely when appropriate and read what the content is about. I can't see how I would become 'sick and tired' of judging 'every singe email' -- because all of mine have been evaluated very well by SpamPal prior to arriving in the Junk folder or Inbox. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Mon Jan 2 07:11:44 2006 From: MikeE at ster.invalid (Mike Easter) Date: Mon Jan 2 10:15:03 2006 Subject: [SpamCop-List] Re: Spamcop Mistracking? References: Message-ID: spamacyde wrote: > I have a spam that asks me to click on http://1098.net. The tracker would be much better for this. > Spamcop > says the ISP assoociated with it is Internap. SC tells me the notify is godaddy Parsing input: http://1098.net Host 1098.net (checking ip) = 64.202.189.170 Reporting addresses: abuse@godaddy.com > If I ping 1098.net, > then lookup the IP address with Arin, Arin says it's Go Daddy > Software. Please explain. 1098.net DNS 64.202.189.170 OrgName: Go Daddy Software, Inc. NetRange: 64.202.160.0 - 64.202.191.255 RAbuseEmail: abuse@godaddy.com > I reported the spam by pasting it in the form and I don't see a > tracker on the resulting web page. Sorry The tracker is at the top of the form which you get when you perform the parse and it is time to report. 
After you report, that tracker isn't visible anymore -- so you have to copy the tracker before you report, or you have to reparse the same item again and copy the tracker and cancel the report. Or you can also access the tracker by going to your recent reports and using the reportid to access the tracker. It looks like: Here is your TRACKING URL - it may be saved for future reference: http://www.spamcop.net/sc?id=z850467288z3a3ab852bb72fd2264c6fd19b3fe5d3bz When you access by the reportid [from your past reports] you can click the reportid # which provides a view with a 'parse' at the top. That parse link can be copied, because it is also the tracker of the above configuration, while the aforementioned reportid link is of this configuration http://www.spamcop.net/mcgi?action=gettrack&reportid=1577656720 which we can't use in place of a tracker. -- Mike Easter kibitzer, not SC admin From nobody at nowhere.invalid Mon Jan 2 16:37:10 2006 From: nobody at nowhere.invalid (Steven Maesslein) Date: Mon Jan 2 10:40:02 2006 Subject: [SpamCop-List] Re: Very suspicious spam email. References: Message-ID: On Mon, 2 Jan 2006 23:47:57 +1000, Geoffrey Hyde coughed into spamcop and left this in : > they ought to insure (or is ensure a better word?) In the US they couldn't care less. Either will do in either context. In *real* English (g,d&r), "insure" means to take out an insurance policy, while "ensure" means to make sure of something. You "insure" your car, and you "ensure" that your insurance policy is up to date. -- Steve Reporter (to Mahatma Gandhi): "Mr. Gandhi, what do you think of Western civilisation?" Gandhi: "I think it would be a good idea." From devnull at spamcop.net Mon Jan 2 10:42:44 2006 From: devnull at spamcop.net (Frog Prince) Date: Mon Jan 2 10:45:02 2006 Subject: [SpamCop-List] Re: Very suspicious spam email. References: Message-ID: "Steven Maesslein" | > they ought to insure (or is ensure a better word?) | | In the US they couldn't care less. 
| Either will do in either context.
|
| In *real* English (g,d&r), "insure" means to take out an insurance
| policy, while "ensure" means to make sure of something.
|
| You "insure" your car, and you "ensure" that your insurance policy is up
| to date.
|

In the USA Ensure is a trade name for a nutritional supplement and adult diapers.

From MikeE at ster.invalid Mon Jan 2 08:05:24 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Jan 2 11:10:04 2006
Subject: [SpamCop-List] Re: Very suspicious spam email.
References:
Message-ID:

Frog Prince wrote:
> "Steven Maesslein"
>
>>> they ought to insure (or is ensure a better word?)
>>
>> In the US they couldn't care less. Either will do in either context.

While that is 'sorta' true, in terms of US usage as 'analyzed' by some wordsmiths, I would say that the misuse is not 'bilaterally symmetrical'. That what happens is that ensure is not a popular word, so insure gets used for both the financial and the 'make certain' usage - whereas ensure should be used for the latter. I'm quite certain that the usage of ensure in place of insure the financial doesn't happen in the US with any frequency.

>> In *real* English (g,d&r), "insure" means to take out an insurance
>> policy, while "ensure" means to make sure of something.
>>
>> You "insure" your car, and you "ensure" that your insurance policy
>> is up to date.

Yes.

> In the USA Ensure is a trade name for a nutritional supplement and
> adult diapers.

And, as a consequence to the commercial application of the Ensure word, you get rather spectacular differences in how often the two words occur. Whereas, altho' ensure isn't used very much in US American English, because of the products, it googlehits 570 million to insure's 34 million hits.
--
Mike Easter
kibitzer, not SC admin

From Nobody at Spamcop.net.dev.null Mon Jan 2 11:46:58 2006
From: Nobody at Spamcop.net.dev.null (Michael Brennan)
Date: Mon Jan 2 12:50:04 2006
Subject: [SpamCop-List] Re: Parava Networks, UUNet, and MCI
References: <43B8496F.1AB4B562@Spamcop.net.dev.null> <43B84DE2.3F6502E0@Spamcop.net.dev.null>
Message-ID: <43B96712.CD1C7F21@Spamcop.net.dev.null>

Mike Easter wrote:
>
> Michael Brennan wrote:
>
> > Domain Name: EXTRA-PREVENT.COM
> > Registrar: INNERWISE INC. D/B/A ITSYOURDOMAIN.COM
>
> itsyourdomain is the domainname registrar for the spamvertised site.
>
> Doing a DNS on the domainname registrar is not productive
>
> > ITSYOURDOMAIN.COM = [ 63.85.86.16 ]
>
> Finding the provider for the domainname registrar's IP is also not
> productive
>
> whois -h whois.arin.net 63.85.86.16 ...
> UUNET Technologies, Inc. 63.64.0.0 - 63.127.255.255
> Innerwise Inc. 63.85.86.0 - 63.85.86.255
>
> Don't go down that road.
>

I found some interesting references to Itsyourdomain.com and Innerwise Inc at this ROKSO address:

http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK5532

but otherwise don't see the reason for your warning. You might have other knowledge of this outfit, I gather.

It sounds like this might be a portal into some serious professional wire fraud, as evidenced by the letter at the bottom of the cited ROKSO record, involving virtual identities and entities all over the map, including the pain-in-the-butt "Ryan Kelly"/Jungle Ventures/Your-domain-here.com in Belize.

So why do UUNet and MCI keep turning up? At some point the dirt is going to stick. Given their tactics in the long-distance market (numerous false-flagging operations designed to sweep up customers their crummy service has jaded in the past), I'm being driven slowly to the conclusion that MCI has a serious appetite for what financial analysts like to call, delicately, "lower-quality earnings".
Michael

From Nobody at Spamcop.net.dev.null Mon Jan 2 11:54:55 2006
From: Nobody at Spamcop.net.dev.null (Michael Brennan)
Date: Mon Jan 2 12:55:03 2006
Subject: [SpamCop-List] Re: Parava Networks, UUNet, and MCI
References: <43B8496F.1AB4B562@Spamcop.net.dev.null> <43B84DE2.3F6502E0@Spamcop.net.dev.null>
Message-ID: <43B968EF.A90DC52B@Spamcop.net.dev.null>

Mike Easter wrote:
>
> Michael Brennan wrote:
> > www.spamcop.net/sc?id=z850377854zf2a6f13007e35fefd66b4a5d5c29399bz
> >
> > and got another "creepylink" that traced back to another group
> > similarly structured around UUNet and MCI:
>
> This is another example of something which has nothing to do with
> uunet/mci according to my resolving and SC's resolving
>
>
> Re: http://creepy.extra-prevent.com/ (Administrator of network hosting
> website referenced in spam)
> glxk@gxcc.com.cn
>
> inetnum: 221.7.209.0 - 221.7.209.255
> netname: CNC-GL-INTER-3
> descr: CNC Guilin INternet network
> admin-c: XK43-AP = glxk@gxcc.com.cn
> tech-c: XK43-AP

I'm not surprised at this guy's turning up again.....I guess my "whois" technique leaves something to be desired, but I did chase domain names and IP's as you can see by my earlier posts; I just got something different.

I always uncheck the box next to glxk@gxcc.com.cn on my SpamCop reports, since I believe that this is the spammer himself. Do you happen to know who this is? I've thought it's one of the three Russians whose names come up a lot.

As an aside, I saw a ROKSO entry some weeks ago that tied Ruslan Ibragimov to "Ryan Kelly" and Jungle Ventures in Belize.
Michael

From MikeE at ster.invalid Mon Jan 2 10:09:24 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Jan 2 13:10:02 2006
Subject: [SpamCop-List] Re: Parava Networks, UUNet, and MCI
References: <43B8496F.1AB4B562@Spamcop.net.dev.null> <43B84DE2.3F6502E0@Spamcop.net.dev.null> <43B968EF.A90DC52B@Spamcop.net.dev.null>
Message-ID:

Michael Brennan wrote:
> Mike Easter wrote:
>> Michael Brennan wrote:

www.spamcop.net/sc?id=z850377854zf2a6f13007e35fefd66b4a5d5c29399bz

>> Re: http://creepy.extra-prevent.com/ (Administrator of network
>> hosting website referenced in spam)
>> glxk@gxcc.com.cn

> I always uncheck the box next to glxk@gxcc.com.cn on my SpamCop
> reports, since I believe that this is the spammer himself. Do you
> happen to know who this is?

This is about 221.7.209.67 no rDNS in here

inetnum: 221.7.209.0 - 221.7.209.255
descr: CNC Guilin INternet network

That /24 is spamhaus listed http://www.spamhaus.org/SBL/sbl.lasso?query=SBL35677

// China Netcom Group Dirty Block: CNC Guilin Internet network Spam hosting. Massive numbers of spams with URIs hosted within this /24 reported via SpamCop (where it is the #1 reported spam host for the last week) and other sources. IP block has no rDNS, probably dynamic IPs. ISP, China Netcom Group Guilin, has minimal info in APNIC, and no abuse@ address registered with abuse.net. //

> I've thought it's one of the three
> Russians whose names come up a lot.

If you go to the SBL link above, you will see a lot of /32s for Leo Kuvayev and others which got merged into the /24 on Dec 17.

Spamhaus is pretty conservative. When it starts putting things into blocks, you can assume a lot of refractoriness and nonresponsiveness.
--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Mon Jan 2 10:29:29 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Jan 2 13:30:03 2006
Subject: [SpamCop-List] Re: Parava Networks, UUNet, and MCI
References: <43B8496F.1AB4B562@Spamcop.net.dev.null> <43B84DE2.3F6502E0@Spamcop.net.dev.null> <43B96712.CD1C7F21@Spamcop.net.dev.null>
Message-ID:

Michael Brennan wrote:
> Mike Easter wrote:
>> Michael Brennan wrote:
>>
>>> Domain Name: EXTRA-PREVENT.COM
>>> Registrar: INNERWISE INC. D/B/A ITSYOURDOMAIN.COM
>>
>> itsyourdomain is the domainname registrar for the spamvertised site.

It is very important to understand the relationship between a domainname which is a spamvertised website and the domainname registrar which is not.

The typical 'enforcement' responsibilities of domainname registrars is that they are expected to enforce against bogus information in the registration according to their ICANN responsibilities, but not very many of them enforce against the registrants for spamvertising.

>> Doing a DNS on the domainname registrar is not productive
>>
>>> ITSYOURDOMAIN.COM = [ 63.85.86.16 ]
>>
>> Finding the provider for the domainname registrar's IP is also not
>> productive
>>
>> whois -h whois.arin.net 63.85.86.16 ...
>> UUNET Technologies, Inc. 63.64.0.0 - 63.127.255.255
>> Innerwise Inc. 63.85.86.0 - 63.85.86.255
>>
>> Don't go down that road.

What 'don't go down that road' means is that sending spam notifies to the domainname registrar isn't likely to be fruitful. I suppose that you can do it if you want, but don't be expecting that the registrar is going to be doing some enforcing about the spamming.
>>
>
>
> I found some interesting references to Itsyourdomain.com and Innerwise
> Inc at this ROKSO address:
>
> http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK5532

That rokso is really about your-domains-here.com -- but there are registrants with the registrar and nameservers - which is another issue - itsyourdomain.com

> but otherwise don't see the reason for your warning. You might have
> other knowledge of this outfit, I gather.

No I don't mean 'warning' -- I'm just trying to explain the role of the registrar for a domainname as opposed to the provider for the spamvertiser's webspace. The webspace provider is a completely different thing and has different 'responsibilities' than the domainname registrar.

> It sounds like this might be a portal into some serious professional
> wire fraud, as evidenced by the letter at the bottom of the cited
> ROKSO record, involving virtual identities and entities all over the
> map, including the pain-in-the-butt "Ryan Kelly"/Jungle
> Ventures/Your-domain-here.com in Belize.

The spamgang is an entity which has a domainname and a business and uses a provider's webspace. The domainname needs a registrar and nameservice. There is also a webserver software and its functionality.

The 'method' of attacking the nameservice registration or the registration information of the spamvertiser should be kept 'in balance' -- considering what the 'expected' role of the domainname registrar is. It seems that you are treating the domainname registrar as if the registrar were the spammer. That is not correct.

> So why do UUNet and MCI keep turning up?

We've been discussing or debating here about how they don't keep turning up. Nothing you have posted in this thread with this subject shows me anything which has to do with those providers. You didn't even show what the mention of parava was all about yet.
--
Mike Easter
kibitzer, not SC admin

From 96q7vwa02 at sneakemail.com Mon Jan 2 09:31:53 2006
From: 96q7vwa02 at sneakemail.com (Fred K.)
Date: Mon Jan 2 13:35:04 2006
Subject: [SpamCop-List] Re: Very suspicious spam email.
References:
Message-ID:

"Mike Easter" wrote in message news:dpbem9$88c$1@news.spamcop.net...
> My provider has a site to 'test' whether a spamvertised URL is from
> them. // Use this tool to determine if a web site is a legitimate
> EarthLink or EarthLink partner site. // http://support.earthlink.net/
> Verify a Website!
> Mike Easter
> kibitzer, not SC admin
>

FYI My new PC-cillin Internet Security 2006 has a URL verification feature built in. I have used McAfee, Norton NIS 2005 but PC-cillin is the best and it is light in terms of system resources. I am switching all my computers from Norton as the subscriptions expire.

Fred k.

From MikeE at ster.invalid Mon Jan 2 10:48:24 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Jan 2 13:50:03 2006
Subject: [SpamCop-List] Re: Parava Networks, UUNet, and MCI
References: <43B8496F.1AB4B562@Spamcop.net.dev.null> <43B84DE2.3F6502E0@Spamcop.net.dev.null> <43B96712.CD1C7F21@Spamcop.net.dev.null>
Message-ID:

Mike Easter wrote:
> Michael Brennan wrote:
>> So why do UUNet and MCI keep turning up?
>
> We've been discussing or debating here about how they don't keep
> turning up. Nothing you have posted in this thread with this subject
> shows me anything which has to do with those providers. You didn't
> even show what the mention of parava was all about yet.
In the first tracker in the first post in this thread, the spamvertiser was http://catastrophic.extra-clinic.com

The domainname registrar for extra-clinic.com is

Registrar: PARAVA NETWORKS INC DBA REGISTRATEYA.COM NAAME.COM

and the nameservers are

Name Server: NS1.NAMESVA.COM
Name Server: NS2.NAMESVA.COM

and the registrar's website is at http://www.parava.net and the registrar's whois server is whois.parava.net

parava.net's MX is mail.parava.net which DNS 65.210.194.2 whose rDNS is host2.parava.net

As a consequence of that, you derived the providers for that IP's block

whois -h whois.arin.net 65.210.194.2 ...
UUNET Technologies, Inc. 65.192.0.0 - 65.223.255.255
Parava Networks 65.210.194.0 - 65.210.194.63

and I'm saying that the uunet/mci/parava 'connection' -- is very very 'roundabout' -- as the MX for a domainname registrar isn't 'connected' to the spam situation of one of the domainnames which is registered there.

Ya' know whatta' mean, Gene?

--
Mike Easter
kibitzer, not SC admin

From mwnospam at comcast.net Mon Jan 2 14:17:09 2006
From: mwnospam at comcast.net (spamacyde)
Date: Mon Jan 2 14:20:02 2006
Subject: [SpamCop-List] Spamcop fails to resolve link
Message-ID:

This is for tracker:

http://www.spamcop.net/sc?id=z850910536z9de25e6bbbd2b296dea83bab360b5515z

The Spamcop parser failed to find the link http://m894.net.

Seems pretty easy to me. Also when I look up the IP address associated with the link on arin.net, 63.251.92.195,

I get

Internap Network Services NETBLK-PNAP-11-99 (NET-63-251-0-0-1)
63.251.0.0 - 63.251.255.255
Gamedyne PNAP-SEF-GAMEDYNE-DC-01 (NET-63-251-0-0-2)
63.251.0.0 - 63.251.0.255

Well, which ISP is it?

Thanks

From mwnospam at comcast.net Mon Jan 2 14:49:06 2006
From: mwnospam at comcast.net (spamacyde)
Date: Mon Jan 2 14:50:03 2006
Subject: [SpamCop-List] Re: Spamcop fails to resolve link
References:
Message-ID:

Sorry, the info in the message above is imprecise. Please delete this message and the one above it.
"spamacyde" wrote in message news:dpbu7k$hga$1@news.spamcop.net... > This is for tracker: > > http://www.spamcop.net/sc?id=z850910536z9de25e6bbbd2b296dea83bab360b5515z > > The Spamcop parser failed to find the link http://m894.net. > > Seems pretty easy to me. Also when I look up the IP addresss associated > with the link on arin.net, 63.251.92.195, > > I get > > Internap Network Services NETBLK-PNAP-11-99 (NET-63-251-0-0-1) > 63.251.0.0 - 63.251.255.255 > Gamedyne PNAP-SEF-GAMEDYNE-DC-01 (NET-63-251-0-0-2) > 63.251.0.0 - 63.251.0.255 > > Well, which ISP is it? > > Thanks > > From MikeE at ster.invalid Mon Jan 2 11:50:12 2006 From: MikeE at ster.invalid (Mike Easter) Date: Mon Jan 2 14:55:07 2006 Subject: [SpamCop-List] Re: Spamcop fails to resolve link References: Message-ID: spamacyde wrote: > This is for tracker: Good job! :-) www.spamcop.net/sc?id=z850910536z9de25e6bbbd2b296dea83bab360b5515z > > The Spamcop parser failed to find the link http://m894.net. Correct. The problem is that the spam wasn't properly constructed. SC pays attention to construction information in the mail's headers: Content-Type: text/html; charset="us-ascii" so SC expects to find a normal html construction in the spambody, but that doesn't happen. Instead there is a 'primitive' markup language. I'm not a markup language expert, so I don't know how to name it or characterize it, but it isn't 'legitimate' html, so the embedded html-ish link isn't recognized by SC. The question of whether SC should be able to find that link or not is a legitimate discussion here. If I recreate that spam and open it with my mailuser agent and its browser rendering engine operational, the item is 'correctly' rendered as the spammer intended > Seems pretty easy to me. Also when I look up the IP addresss > associated with the link on arin.net, 63.251.92.195, That's not what I get. I also don't get what SC got. 
Currently, as of this moment, I get 69.25.142.3

You can also get the notify information from SC, by putting in the link nakedly into the parser.

Parsing input: http://m894.net
Host m894.net (checking ip) = 64.74.96.243
host 64.74.96.243 (getting name) no name
Reporting addresses:
abuse@internap.com

.... which you will notice is different from yours and mine. So, I would say there's some hocus-pocus going on with the nameservice, so we should attack that.

> Internap Network Services NETBLK-PNAP-11-99 (NET-63-251-0-0-1)
> 63.251.0.0 - 63.251.255.255
> Gamedyne PNAP-SEF-GAMEDYNE-DC-01 (NET-63-251-0-0-2)
> 63.251.0.0 - 63.251.0.255
>
> Well, which ISP is it?

You did something wrong in your lookup. The IP you were working with was 63.251.92.195 which doesn't live in the Gamedyne block you are showing there, since the gamedyne block has a '0' or zero in the 3rd octet -- whereas your target has a '92' in the 3rd octet.

For this exercise on the IP you got, we'll work this because the demonstration is similar:

whois -h whois.arin.net 63.251.92.195 ...
Internap Network Services 63.251.0.0 - 63.251.255.255
OrgAbuseEmail: abuse@internap.com
eNom 63.251.92.192 - 63.251.92.255
OrgAbuseEmail: abuse@internap.com

Notice that 'my' arin lookup which sez enom instead of gamedyne has a '92' in the 3rd octet.

But, we are/ I am/ nattering over a faulty arin lookup, when we should be more interested in why you and I and SC all got different resolutions for the spamvertised site. Maybe it is because everything is so fresh:

Domain Name: M894.NET
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Referral URL: http://www.enom.com
Name Server: DNS1.NAME-SERVICES.COM
Name Server: DNS2.NAME-SERVICES.COM
Name Server: DNS3.NAME-SERVICES.COM
Name Server: DNS4.NAME-SERVICES.COM
Name Server: DNS5.NAME-SERVICES.COM
Status: REGISTRAR-LOCK
Updated Date: 01-jan-2006
Creation Date: 01-jan-2006
Expiration Date: 01-jan-2007

Maybe yesterday things were different.
I resolved it several times, and every time I got this IP and this structure:

Canonical name: m894.net
Addresses: 69.25.142.3

which has a similar structure of parent and child as the one I did above:

whois -h whois.arin.net 69.25.142.3 ...
Internap Network Services 69.25.0.0 - 69.25.255.255
eNom 69.25.142.0 - 69.25.142.63

which has the same notifies

BTW, I also ran it in SC several times, and SC's resolver always got a different IP than I

Parsing input: http://m894.net
Routing details for 64.74.96.243

Aha! now I'm getting differing and alternating results

Parsing input: m894.net
Host m894.net (checking ip) = 212.118.243.115
host 212.118.243.115 (getting name) no name

I'll quit now, this variability could go on all day.

--
Mike Easter
kibitzer, not SC admin

From kjz at despammed.com Mon Jan 2 21:00:58 2006
From: kjz at despammed.com (Karl-Josef Ziegler)
Date: Mon Jan 2 15:05:02 2006
Subject: [SpamCop-List] Re: Spamcop fails to resolve link
In-Reply-To:
References:
Message-ID:

Mike Easter wrote:

> Parsing input: http://m894.net
> Host m894.net (checking ip) = 64.74.96.243
> host 64.74.96.243 (getting name) no name
> Reporting addresses:
> abuse@internap.com

Without seeing the spam I will predict:

It's a redirector from eNom/Internap to another website, this spamvertized website is for mortgage leadz and the spammer is A. P. from UA.

- kjz

From MikeE at ster.invalid Mon Jan 2 12:38:12 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Jan 2 15:40:02 2006
Subject: [SpamCop-List] Re: Spamcop fails to resolve link
References:
Message-ID:

Karl-Josef Ziegler wrote:
> Mike Easter wrote:
>
>> Parsing input: http://m894.net
>> Host m894.net (checking ip) = 64.74.96.243
>> host 64.74.96.243 (getting name) no name
>> Reporting addresses:
>> abuse@internap.com
>
> Without seeing the spam I will predict:
>
> It's a redirector from eNom/Internap to another website,
> this spamvertized website is for mortgage leadz and the
> spammer is A. P. from UA.
http://m894.net redirects to http://o12933.com at 202.65.99.20
inetnum: 202.65.99.20 - 202.65.99.20
netname: BB099020
country: HK
e-mail: wmma@hkabc.net

spamhaused /32 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL36175

payload is mortgage spamvertising

The domainname is discussed in the long discussion about Alex Polyakov in this nanae message

From: "Spam Reporting"
Newsgroups: news.admin.net-abuse.email
Subject: Re: Mortgage phisher and fake diploma spammer [LONG POST]
Message-ID: <5pStf.40114$dO2.13105@newssvr29.news.prodigy.net>
Date: Sun, 01 Jan 2006 15:18:25 GMT

snurled googleup to that part of the long thread http://snipurl.com/l88g

--
Mike Easter
kibitzer, not SC admin

From AHaumer_gmxnet at nopspam.invalid Mon Jan 2 21:50:40 2006
From: AHaumer_gmxnet at nopspam.invalid (Anton Haumer)
Date: Mon Jan 2 15:55:03 2006
Subject: [SpamCop-List] SC down?
Message-ID: <43B99220.9EAE4A61@nopspam.invalid>

by mail submitted spam seems to vanish in a black hole,
I get no messages back to finish reporting ...

--
Toni

From MikeE at ster.invalid Mon Jan 2 13:05:38 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Jan 2 16:10:04 2006
Subject: [SpamCop-List] Re: SC down?
References: <43B99220.9EAE4A61@nopspam.invalid>
Message-ID:

Anton Haumer wrote:
> by mail submitted spam seems to vanish in a black hole,
> I get no messages back to finish reporting ...

I've email submitted two batches of spam today, one about 7 AM PST which was replied about 10 AM and one about 10 AM which hasn't been replied as of 1 PM. Times all PST = UTC -0800

Yesterday's and preceding all replied.

--
Mike Easter
kibitzer, not SC admin

From mwnospam at comcast.net Mon Jan 2 16:17:45 2006
From: mwnospam at comcast.net (spamacyde)
Date: Mon Jan 2 16:20:03 2006
Subject: [SpamCop-List] Re: Spamcop fails to resolve link
References:
Message-ID:

Ok, I have no idea what "redirection" is.
The link is not very cosmetic or enticing; spammy is just playing games, probably knows that I will report the message to Spamcop and probably reads this newsgroup.

Does Internap have any responsibility for this spam message or is its IP just in the middle of the "redirection"?

Thanks

"Mike Easter" wrote in message news:dpc2vg$kn3$1@news.spamcop.net...
> Karl-Josef Ziegler wrote:
> > Mike Easter wrote:
> >
> >> Parsing input: http://m894.net
> >> Host m894.net (checking ip) = 64.74.96.243
> >> host 64.74.96.243 (getting name) no name
> >> Reporting addresses:
> >> abuse@internap.com
> >
> > Without seeing the spam I will predict:
> >
> > It's a redirector from eNom/Internap to another website,
> > this spamvertized website is for mortgage leadz and the
> > spammer is A. P. from UA.
>
> http://m894.net redirects to http://o12933.com at 202.65.99.20
> inetnum: 202.65.99.20 - 202.65.99.20
> netname: BB099020
> country: HK
> e-mail: wmma@hkabc.net
>
> spamhaused /32 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL36175
>
> payload is mortgage spamvertising
>
> The domainname is discussed in the long discussion about Alex Polyakov
> in this nanae message
>
> From: "Spam Reporting"
> Newsgroups: news.admin.net-abuse.email
> Subject: Re: Mortgage phisher and fake diploma spammer [LONG POST]
> Message-ID: <5pStf.40114$dO2.13105@newssvr29.news.prodigy.net>
> Date: Sun, 01 Jan 2006 15:18:25 GMT
>
> snurled googleup to that part of the long thread http://snipurl.com/l88g
>
>
>
> --
> Mike Easter
> kibitzer, not SC admin
>

Ok, I have no idea what "redirection" is. The link is not very cosmetic or enticing; spammy is just playing games, probably knows that I will report the message to Spamcop and probably reads this newsgroup (I have evidence of this since the address associated with Spamacyde got spammed).

Does Internap have any responsibility for this spam message or is its IP just in the middle of the "redirection"?
Thanks

From bert at iphouse.com Mon Jan 2 21:19:59 2006
From: bert at iphouse.com (Bert Hyman)
Date: Mon Jan 2 16:20:06 2006
Subject: [SpamCop-List] Re: SC down?
References: <43B99220.9EAE4A61@nopspam.invalid>
Message-ID:

In news:43B99220.9EAE4A61@nopspam.invalid Anton Haumer wrote:

> by mail submitted spam seems to vanish in a black hole,
> I get no messages back to finish reporting ...

I've found that the acknowledgements have been slow in coming for weeks, sometimes not coming at all, but if I go to http://members.spamcop.net after a "reasonable" time, the reports will all be there waiting for me.

--
Bert Hyman St. Paul, MN bert@iphouse.com

From MikeE at ster.invalid Mon Jan 2 13:42:50 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Jan 2 16:45:03 2006
Subject: [SpamCop-List] Re: Spamcop fails to resolve link
References:
Message-ID:

spamacyde wrote:
> I have no idea what "redirection" is.

It is common practice for the link as spamvertised in the spam to not be the actual site where the payload is. The browser will 'follow around' any redirection or frame 'shifting' -- so when the spammee clicks the link, the payload which will be delivered to hir gullible eyeballs will be coming from whatever place the spammer decided to put it.

In this case, the spamvertised link is m894.net currently at 64.74.96.243 -- but the webserver there sez 'object moved' and sends you to http://o12933.com which is at 202.65.99.20 -- a completely different provider and everything else.

> The link is not very cosmetic
> or enticing; spammy is just playing games, probably knows that I will
> report the message to Spamcop and probably reads this newsgroup.

You are 'thinking' way too much for the spammer. Let's just say that spamvertisers have a variety of strategies to help them keep their sites running.

> Does Internap have any responsibility for this spam message or is its
> IP just in the middle of the "redirection"?

Yes....
Internap's customer is spamvertising and it is appropriate to be notifying them.

However, the 'diligent' spam reporter who was going to the trouble of figuring out when SC's notifies are inadequate for various reasons, would want to take into account which of the potential notifies are blackhats [such as those who are listed in spews and spamhaus] or when some additional notifies need to be made because of redirectors or frame 'moves' -- or when some additional notifies of parents or upstreams need to be made because of the unresponsiveness of the algorithmically derived SC notify.

Pretty soon we are going to have to talk about the advantages and importance of trimming and contextualizing your replies, so that we can have a conversation here.

--
Mike Easter
kibitzer, not SC admin

From nobody at nowhere.invalid Mon Jan 2 22:42:54 2006
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Mon Jan 2 16:45:07 2006
Subject: [SpamCop-List] Re: SC down?
References: <43B99220.9EAE4A61@nopspam.invalid>
Message-ID:

On Mon, 02 Jan 2006 21:50:40 +0100, Anton Haumer coughed into spamcop and left this in <43B99220.9EAE4A61@nopspam.invalid>:

> spam seems to vanish in a black hole,

I wish..... :)

--
Steve

A revolving concretion of earthy or mineral matter accumulates no congeries of small, green bryophytic plant.

From me at privacy.net Mon Jan 2 16:08:36 2006
From: me at privacy.net (MikeV06)
Date: Mon Jan 2 17:10:02 2006
Subject: [SpamCop-List] Re: How can I report SPAM *without* opening the e-mail?
References:
Message-ID: <6m5atzl1dx2e.dlg@mycomputer06.invalid.com>

On Mon, 02 Jan 2006 14:27:45 +0900, Patto wrote:

> Andy Miller wrote:
>> Hi,
>>
>> I use MS Outlook. I'm happy to do the Options-Headers thing and report all
>> headers but I really don't like actually opening the SPAM mail. Sure I have
>> virus scanners but still I don't like opening mail that was unsolicited and
>> from an unknown source.
>>
>> I read somewhere that forwarding from Outlook wasn't "good enough" but even
>> if it were the operation of forwarding would open the e-mail.
>>
>> Can't I just send in a report with the whole *unopened* e-mail as an
>> attachment?
>>
>> Thanks,
>> Andy
>
> I use OL Spamcop with Outlook 2003. It's a quick download, easy
> install, and highly configurable.

I am doing a Google to look for what you are talking about. Is it

ol-spam-rpt-vbs

Or is it spamcontrol -- http://www.hendricom.com/spamcontrolforsc.htm

Or SpamGrabber -- http://www.olspamcop.org/ (I think it must be this one)

Or ??

Thanks.

From AHaumer_gmxnet at nopspam.invalid Tue Jan 3 00:25:53 2006
From: AHaumer_gmxnet at nopspam.invalid (Anton Haumer)
Date: Mon Jan 2 18:30:03 2006
Subject: [SpamCop-List] Re: SC down?
References: <43B99220.9EAE4A61@nopspam.invalid>
Message-ID: <43B9B681.4B434674@nopspam.invalid>

Anton Haumer wrote:

> by mail submitted spam seems to vanish in a black hole,
> I get no messages back to finish reporting ...

well, response mails finally arrived

--
Toni

From nobody at devnull.spamcop.net Mon Jan 2 19:19:04 2006
From: nobody at devnull.spamcop.net (WazoO)
Date: Mon Jan 2 20:20:04 2006
Subject: [SpamCop-List] Re: How can I report SPAM *without* opening the e-mail?
References: <6m5atzl1dx2e.dlg@mycomputer06.invalid.com>
Message-ID:

"MikeV06" wrote in message news:6m5atzl1dx2e.dlg@mycomputer06.invalid.com...
> On Mon, 02 Jan 2006 14:27:45 +0900, Patto wrote:
> >
> > I use OL Spamcop with Outlook 2003. It's a quick download, easy
> > install, and highly configurable.
>
> I am doing a Google to look for what you are talking about. Is it
>
> ol-spam-rpt-vbs
>
> Or is it spamcontrol -- http://www.hendricom.com/spamcontrolforsc.htm
>
> Or SpamGrabber -- http://www.olspamcop.org/ (I think it must be this one)

The official SpamCop FAQ can be found following the "Help" link on your logged-in www.spamcop.net web page.
For a single-page access point to that data and much more, try http://forum.spamcop.net/forums/index.php?showtopic=2238

Both entry points would eventually lead you to a FAQ entry on Outlook at http://www.spamcop.net/fom-serve/cache/122.html that lists some third-party tools.

From g.hyde at bigpond.net.au Tue Jan 3 11:23:42 2006
From: g.hyde at bigpond.net.au (Geoffrey Hyde)
Date: Mon Jan 2 20:25:02 2006
Subject: [SpamCop-List] Security Vulnerability Warning for Microsoft users.
Message-ID:

http://www.microsoft.com/technet/security/advisory/912840.mspx

http://www.kb.cert.org/vuls/id/181038

Looks as if some gamers on a popular site have already been affected by this one. I'm pretty sure the more people know about it the less impact there'll be if they follow the advice given in the advisory.

Cheers ... Geoffrey Hyde

From vanguard.code at comcastNIX.net Mon Jan 2 21:42:41 2006
From: vanguard.code at comcastNIX.net (Vanguard)
Date: Mon Jan 2 22:45:02 2006
Subject: [SpamCop-List] Re: Very suspicious spam email.
References:
Message-ID:

"Geoffrey Hyde" wrote in message news:dpbaub$6gk$1@news.spamcop.net...
>
> "Miss Betsy" wrote in message
> news:dpb6vi$4fv$1@news.spamcop.net...
>> "Vanguard" wrote in message
>> news:dpagq2$ovt$1@news.spamcop.net...
>>
>>> If you are a PayPal customer, you
>>> probably just falsely accused them of spamming.
>
>> I don't usually report the ones I am unsure of, though I follow the
>> reasoning that the OP had. Legitimate sites that are often spoofed
>> ought to insure that when one gets a legitimate email from them,
>> that there is no question. Reporting it shows that, at least, one
>> person was confused. While I don't think the spoof submission
>> would be answered, IMHO, the spamcop report ought to have been if
>> it was legitimate.

It was legitimate. It came from a known source and the headers weren't spoofed. It is YOUR decision that it was spam.
SpamCop cannot discern if the content is spam as doing so would require the intelligence of, at least, a child to determine that fact. YOU said it was spam and YOU reported it to SpamCop which only tells you from whence the e-mail originated to report what YOU said was spam. If enough other users also say that it was spam then that source would get included in SpamCop's blacklist which you should be using (if you report spam to SpamCop, why wouldn't you be using their blacklist, too?).

Although alluded to but not specific, I will agree that all "official" announcements from a domain should appear to have originated from that domain. My ISP, Comcast, contracts with eCare to handle support e-mailed requests from Comcast customers and also to send out "official" notifications regarding Comcast's services. eCare was sending these from whatever domain that eCare was using for their e-mail service which was NOT a Comcast domain. eCare would hide that the notice came from eCare and tried to make the content of the message appear as though Comcast wrote and sent it.

It wasn't spam because Comcast contracted with eCare to send those announcements. It wasn't spam because it originated from a non-Comcast domain. It wasn't spam simply because I momentarily somehow forgot that I had a business relationship with Comcast so mails from them do NOT qualify as spam. However, I did complain to Comcast that any so-called official announcements should show they originate from a Comcast domain.

After about a year, those announcements did originate from a Comcast domain. Maybe Comcast let eCare use their SMTP server or provided a listserver in the Comcast domain. Maybe Comcast provided a secured relay into Comcast's domain using a proxy so that the headers got changed so the announcements looked like they came from Comcast.
Whatever they did wasn't as important that Comcast made a change so official announcement now from from the Comcast domain despite whomever Comcast contracts with for support services. If you noticed, the IP *address* was allocated to Global Crossing but that IP address resolved to the paypal.com IP *name* whose registrant is PayPal. Just because you don't want to get a mail doesn't qualify it as spam. Just because you don't want to bother investigating the source from whence that mail originates, check the headers, and check the body, especially if HTML formatted, is also not reason enough for you to report it as spam. YOU are the one that decided it was spam, not SpamCop. From nobody at xyzzy.claranet.de Tue Jan 3 05:23:33 2006 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Mon Jan 2 23:30:03 2006 Subject: [SpamCop-List] Re: Very suspicious spam email. References: <43B88A81.70A4@xyzzy.claranet.de> Message-ID: <43B9FC45.68A1@xyzzy.claranet.de> Geoffrey Hyde wrote: > It might be their 'style' to do things this or that way but > how do I know for sure until they prove or disprove it? It's from the info on their security pages: They always use your name, they never talk about more critical things in mail. Worked for me so far - I use the option to get mail whenever their AUP is modified. Admittedly the phishers always miss my local part reserved for amazon / paypal (of course that's NOT nobody@ ;-) and more than one phish to different local parts gives it away. IMHO it's rather simple to identify legit mail from sources you know. From unknown sources it's difficult, in one "phish or real" quiz I misinterpreted two legit mails as phishes. But I don't know the "style" of legit Barclays Bank mails or whatever it was, so that's no issue for them or me. 
> As this email looks to me, it is *very* badly done, there > are a whole bunch of things I don't like about their supposed > 'style' of writing Sure, they could improve it, switching the sending domain from old SPF PASS to new without SPF, and without announcement from the old address was a bit naive. Murphy and nobody's perfect. > If it smells bad, I see no harm in SC reporting it, if they > are genuinely paypal they will let me know. It would harm them if they make it into the ScBL by some false reports. If all you want is to inform them that they screwed up from your POV you could do this directly without SC report. My 2 cents (or rather about 40 if I'd use Paypal to send it ;-) From nobody at xyzzy.claranet.de Tue Jan 3 05:48:34 2006 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Mon Jan 2 23:55:05 2006 Subject: [SpamCop-List] Re: SC problems... References: <43B86C5F.6342@xyzzy.claranet.de> Message-ID: <43BA0222.2390@xyzzy.claranet.de> jg wrote: > /That/ is complete greek to me - I'm not an admin Nor me, and I don't check this often. But sometimes I get say 20 identical spams (= same spamvertized URL), and then I can either quick report it or send normal "manual" reports. And if the spamvertized domain is already on SURBL "manual" reports are a waste of time from my POV. I'd love an option "switch all pending manual reports to quick reports" if it's a waste of time (e.g. if SC doesn't find an IP to LART the spamvertized URL). Greek or not, it's a real issue sometimes. Bye, Frank From bar_n0ne at hotmail.com Tue Jan 3 11:22:48 2006 From: bar_n0ne at hotmail.com (Berny) Date: Tue Jan 3 02:25:04 2006 Subject: [SpamCop-List] Re: Spamcop fails to resolve link References: Message-ID: "Mike Easter" wrote in message news:dpc6om$mta$1@news.spamcop.net... > spamacyde wrote: > > Does Internap have any responsibility for this spam message or is its > > IP just in the middle of the "redirection"? > > Yes.... 
> > Internap's customer is spamvertising and it is appropriate to be > notifying them. However, the 'diligent' spam reporter who was going to > the trouble of figuring out when SC's notifies are inadequate for > various reasons, would want to take into account which of the potential > notifies are blackhats [such as those who are listed in spews and > spamhaus] or when some additional notifies need to be made because of > redirectors or frame 'moves' -- or when some additional notifies of > parents or upstreams need to be made because of the unresponsiveness of > the algorithmically derived SC notify. Internap is fairly black hat, they've happily hosted a little nest of penis pill, ED drugs and mortgage spammers on the same little nest of their IP's for a month or 2 now, and I see no end in sight. From jzeitlin at spamcop.net Tue Jan 3 02:33:51 2006 From: jzeitlin at spamcop.net (Eönwë) Date: Tue Jan 3 02:35:03 2006 Subject: [SpamCop-List] Re: SC down? References: <43B99220.9EAE4A61@nopspam.invalid> Message-ID: <04akr15k856dk8r06spp39og25imu13qv0@4ax.com> On Mon, 02 Jan 2006 21:50:40 +0100, Anton Haumer wrote: >by mail submitted spam seems to vanish in a black hole, >I get no messages back to finish reporting ... The mail seems to be getting TO SpamCop; there seems to be a bottleneck of some sort on the outgoing, usually resulting in the outbound mail coming through in dribs and drabs several hours later. For a while earlier today, there was also about a one-hour lag even on the inbound, but that seems to have cleared up. -- Eönwë (SpamCop subscriber, not staff/admin) From bar_n0ne at hotmail.com Tue Jan 3 14:35:14 2006 From: bar_n0ne at hotmail.com (Berny) Date: Tue Jan 3 05:40:14 2006 Subject: [SpamCop-List] Re: SC down? References: <43B99220.9EAE4A61@nopspam.invalid> <04akr15k856dk8r06spp39og25imu13qv0@4ax.com> Message-ID: "Eönwë" wrote in message news:04akr15k856dk8r06spp39og25imu13qv0@4ax.com... 
> On Mon, 02 Jan 2006 21:50:40 +0100, Anton Haumer > wrote: > > >by mail submitted spam seems to vanish in a black hole, > >I get no messages back to finish reporting ... > > The mail seems to be getting TO SpamCop; there seems to be a bottleneck > of some sort on the outgoing, usually resulting in the outbound mail > coming through in dribs and drabs several hours later. For a while > earlier today, there was also about a one-hour lag even on the inbound, > but that seems to have cleared up. > -- > Eönwë > (SpamCop subscriber, not staff/admin) The website seems to be performing normally, but the mailed submissions are taking 1 or more hours to arrive (can see that when there are saved messages to parse) and the notifications are dribbling back to the notification account from 1/2 hour or more after that. I manually submit most spam and only submit by mail from yahoo, unless the day's load is heavy. I receive the notifications at a corporate email account, so it's possible yahoo is slow to send, and SC slow to send, but things are definitely slow for mailed submissions since yesterday afternoon, (morning for people in the USA) From nobody at devnull.spamcop.net Tue Jan 3 06:56:53 2006 From: nobody at devnull.spamcop.net (Miss Betsy) Date: Tue Jan 3 07:00:05 2006 Subject: [SpamCop-List] Re: Very suspicious spam email. References: Message-ID: "Vanguard" wrote in message news:dpcrrh$2fa$1@news.spamcop.net... >However, I did complain to Comcast that any so-called official > announcements should show they originate from a Comcast domain. After about > a year, those announcements did originate from a Comcast domain. Maybe > Comcast let eCare use their SMTP server or provided a listserver in the > Comcast domain. Maybe Comcast provided a secured relay into Comcast's > domain using a proxy so that the headers got changed so the announcements > looked like they came from Comcast. 
Whatever they did wasn't as important as > that Comcast made a change so official announcements now come from the > Comcast domain despite whomever Comcast contracts with for support services. Contacting paypal directly that you were confused about an email is a much better course. In fact, IMHO, one should never report through spamcop any email from someone you have had previous contact with (unless it is an obvious phish). IMHO, it is much more effective to complain as a customer whatever problem you are having. Miss Betsy From me at privacy.net Tue Jan 3 08:22:30 2006 From: me at privacy.net (MikeV06) Date: Tue Jan 3 09:25:05 2006 Subject: [SpamCop-List] Re: How can I report SPAM *without* opening the e-mail? References: <6m5atzl1dx2e.dlg@mycomputer06.invalid.com> Message-ID: <1pml4i0249klc.dlg@mycomputer06.invalid.com> On Mon, 2 Jan 2006 19:19:04 -0600, WazoO wrote: > "MikeV06" wrote in message > news:6m5atzl1dx2e.dlg@mycomputer06.invalid.com... >> On Mon, 02 Jan 2006 14:27:45 +0900, Patto wrote: >>> >>> I use OL Spamcop with Outlook 2003. It's a quick download, easy >>> install, and highly configurable. >> >> I am doing a Google to look for what you are talking about. Is it >> >> ol-spam-rpt-vbs >> >> Or is it spamcontrol -- http://www.hendricom.com/spamcontrolforsc.htm >> >> Or SpamGrabber -- http://www.olspamcop.org/ (I think it must be this one) > > The official SpamCop FAQ can be found following the "Help" link > on your logged-in www.spamcop.net web page. You assume I have an account. > For a single-page > access point to that data and much more, try > http://forum.spamcop.net/forums/index.php?showtopic=2238 It is probably buried there somewhere, but not the answer to the question of which one of the many OL Spamcop packages to which you were referring. > Both entry points would eventually lead you to a FAQ entry on > Outlook at http://www.spamcop.net/fom-serve/cache/122.html > that lists some third-party tools. 
I saw all those, but wanted to know which one you thought was really great. Blah. From MikeE at ster.invalid Tue Jan 3 08:39:13 2006 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jan 3 11:40:03 2006 Subject: [SpamCop-List] Nanae thread Message-ID: Interesting thread from nanae Newsgroups: news.admin.net-abuse.email Subject: Spamcop block list Date: 3 Jan 2006 08:30:33 GMT Message-ID: snurled GG of currently 25 msg thread http://snipurl.com/l8zs The OP is an ISP's mail admin whose servers [and users] have been getting themselves SCbl listed for various reasons that he needed to remedy -- so he sought the advice of other admins. There are several useful messages there; primarily about how the SCbl makes a difference; secondarily about how to fix things at providers whose users are sources of spam. -- Mike Easter kibitzer, not SC admin From jg at coks.net Tue Jan 3 11:06:12 2006 From: jg at coks.net (jg) Date: Tue Jan 3 14:05:03 2006 Subject: [SpamCop-List] Re: Nanae thread In-Reply-To: References: Message-ID: On 1/3/2006 8:39 AM Mike Easter scribbled: > Interesting thread from nanae > > Newsgroups: news.admin.net-abuse.email > Subject: Spamcop block list > Date: 3 Jan 2006 08:30:33 GMT > Message-ID: > > snurled GG of currently 25 msg thread http://snipurl.com/l8zs > > The OP is an ISP's mail admin whose servers [and users] have been > getting themselves SCbl listed for various reasons that he needed to > remedy -- so he sought the advice of other admins. > > There are several useful messages there; primarily about how the SCbl > makes a difference; secondarily about how to fix things at providers > whose users are sources of spam. > > Good read - tried to sub to nanae and am unable to connect - is it on another port other than 119? From bait-423c86b2-42ff9001 at good.julianhaight.com Tue Jan 3 11:19:36 2006 From: bait-423c86b2-42ff9001 at good.julianhaight.com (Chris F. 
Willoughby) Date: Tue Jan 3 14:20:02 2006 Subject: [SpamCop-List] nomaster for KRNIC spam Message-ID: http://www.spamcop.net/sc?id=z851377116z32a805acad9bcedc3898812286f1b08cz Shouldn't this have gone to hostmaster@nic.or.kr instead of nomaster@devnull? Thanks. -- Unhandled exceptions are the bane of my existence. From nobody at nowhere.invalid Tue Jan 3 20:41:03 2006 From: nobody at nowhere.invalid (Steven Maesslein) Date: Tue Jan 3 14:45:03 2006 Subject: [SpamCop-List] Re: Nanae thread References: Message-ID: On Tue, 03 Jan 2006 11:06:12 -0800, jg coughed into spamcop and left this in : > Good read - tried to sub to nanae and am unable to connect - is it on > another port other than 119? Does your news provider carry that newsgroup? -- Steve The average nutritional value of promises is roughly zero. From asterix at no_where.net Tue Jan 3 20:47:08 2006 From: asterix at no_where.net (Asterix) Date: Tue Jan 3 14:50:02 2006 Subject: [SpamCop-List] Re: Nanae thread References: Message-ID: <1h8lwdt.n7xksraxts2uN%asterix@no_where.net> jg wrote: > Good read - tried to sub to nanae and am unable to connect - is it on > another port other than 119? It's not on Spamcop ... 
:-) -- I recommend Macs to my friends, and Windows machines to those whom I don't mind billing by the hour From Nobody at Spamcop.net.dev.null Tue Jan 3 13:50:57 2006 From: Nobody at Spamcop.net.dev.null (Michael Brennan) Date: Tue Jan 3 14:55:04 2006 Subject: [SpamCop-List] Re: Spamcop fails to resolve link References: Message-ID: <43BAD5A1.3ABF666@Spamcop.net.dev.null> Mike Easter wrote: > > payload is mortgage spamvertising > > The domainname is discussed in the long discussion about Alex Polyakov > in this nanae message > > From: "Spam Reporting" > Newsgroups: news.admin.net-abuse.email > Subject: Re: Mortgage phisher and fake diploma spammer [LONG POST] > Message-ID: <5pStf.40114$dO2.13105@newssvr29.news.prodigy.net> > Date: Sun, 01 Jan 2006 15:18:25 GMT > > snurled googleup to that part of the long thread http://snipurl.com/l88g > Elegant referral, well done. I can't play in their league, but thanks for mentioning it. I'll pass links via e-mail to someone who can. Best regards, Michael From nobody at nowhere.invalid Tue Jan 3 20:56:51 2006 From: nobody at nowhere.invalid (Steven Maesslein) Date: Tue Jan 3 15:00:02 2006 Subject: [SpamCop-List] Re: nomaster for KRNIC spam References: Message-ID: On Tue, 3 Jan 2006 11:19:36 -0800, Chris F. Willoughby coughed into spamcop and left this in : > http://www.spamcop.net/sc?id=z851377116z32a805acad9bcedc3898812286f1b08cz > > Shouldn't this have gone to hostmaster@nic.or.kr instead of nomaster@devnull? Highly unlikely. That's the KRNIC LIR contact. whois.nic.or.kr doesn't have any info on ownership of that IP address so it would appear to be a bogon - ie: an unallocated IP address for which someone has managed to acquire routing through use of forged documents or whatever. -- Steve The average nutritional value of promises is roughly zero. 
From ycbs at blackhole.invalid Tue Jan 3 12:01:26 2006 From: ycbs at blackhole.invalid (NormanM) Date: Tue Jan 3 15:05:02 2006 Subject: [SpamCop-List] Re: Nanae thread References: Message-ID: <1jmewt0v40ikk$.dlg@pacbell.net> On Tue, 03 Jan 2006 11:06:12 -0800, jg wrote: > Good read - tried to sub to nanae and am unable to connect - is it on > another port other than 119? More likely not on the server you are using. -- Norman ~Oh Lord, why have you come ~To Konnyu, with the Lion and the Drum From MikeE at ster.invalid Tue Jan 3 12:13:31 2006 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jan 3 15:15:03 2006 Subject: [SpamCop-List] Re: Nanae thread References: Message-ID: jg wrote: > Mike Easter scribbled: >> Newsgroups: news.admin.net-abuse.email >> Subject: Spamcop block list >> Date: 3 Jan 2006 08:30:33 GMT >> Message-ID: > Good read - tried to sub to nanae and am unable to connect - is it on > another port other than 119? This news server we are talking on is news.spamcop.net which only carries the spamcop ng/s. Your provider cox provides you with regular usenet newsservers news.east.cox.net news.central.cox.net news.west.cox.net Cox also has some help stuff about it, but I don't want to configure my browser to get in there http://support.cox.com/sdcxuser/asp/cox_main.asp Cox Newsgroup FAQ - select "Newsgroups" So, you set up a different newsserver account to get the usenet stuff like nanae. I'm sure cox's newsservers carry nanae. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Tue Jan 3 12:27:34 2006 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jan 3 15:30:03 2006 Subject: [SpamCop-List] Re: nomaster for KRNIC spam References: Message-ID: Chris F. Willoughby wrote: www.spamcop.net/sc?id=z851377116z32a805acad9bcedc3898812286f1b08cz > > Shouldn't this have gone to hostmaster@nic.or.kr instead of > nomaster@devnull? No, but there isn't really a /good/ notify, since apnic and krnic don't know where it belongs. 
In a way, it doesn't really matter because the IP is listed all over the place as being a spamsource, hitting spamtraps, and looking like a proxytrojan -- and the nomaster doesn't keep the IP from going into spamcop's SCbl count. I would notify thrunet and the ntt contacts below. There's a little bit of information at radb and cymru that sez ntt and/or thrunet, so you could notify both of them. whois -h whois.radb.net 61.253.29.45 ... route: 61.253.0.0/16 descr: Temporary regisitered customer object by NTT Korea origin: AS9277 notify: korea-ip-gl@ntt.com notify: ops@ntt.net mnt-by: MAINT-VERIO-JP changed: takata@ntt.net 20040727 source: VERIO whois -h whois.cymru.com 61.253.29.45 ... AS | IP | AS Name 9277 | 61.253.29.45 | THRUNET-AS-KR THRUNET where as9277 is thrunet abuse@thrunet.com and ntt doesn't have a reg'd abuse.net contact. -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Tue Jan 3 15:58:55 2006 From: nobody at spamcop.net (indigo) Date: Tue Jan 3 16:00:02 2006 Subject: [SpamCop-List] Re: just wtf is MySpace.com? References: Message-ID: Berny wrote: > 5 missives from them about messages to my "account" > > What account? could someone (un)wittingly created some account on this > thing? > > Of course the message title sort of gives it away, > > "New Message from on MySpace sent December 2" a month ago? and now > you tell me? > > LARTS away Myspace is some online community for friend finding and business networking. Never heard anything bad about them before. Did you check NANAS for spamsign from them? It's a free service (and not too many ads IIRC), I don't see what the point of spamming someone from there is.... 
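The cross-check Mike Easter describes in his reply on the KRNIC notify (routing-registry route object against the IP-to-ASN answer), as an added example that is not part of any post in this thread. The sample text is reconstructed from the whois output quoted in his message, and the function names are hypothetical.

```python
import ipaddress

# Reconstructed from the whois output quoted in the message
# (line breaks restored, the "..." lines left out).
RADB_OUTPUT = """\
route:      61.253.0.0/16
descr:      Temporary regisitered customer object by NTT Korea
origin:     AS9277
notify:     korea-ip-gl@ntt.com
notify:     ops@ntt.net
mnt-by:     MAINT-VERIO-JP
changed:    takata@ntt.net 20040727
source:     VERIO
"""

CYMRU_OUTPUT = """\
AS      | IP               | AS Name
9277    | 61.253.29.45     | THRUNET-AS-KR THRUNET
"""


def parse_rpsl(text):
    """Parse one RPSL object into {attribute: [values]}.

    Attributes may repeat (two notify: lines above), and a line that
    starts with a space, tab or '+' continues the previous value.
    """
    obj = {}
    last = None
    for line in text.splitlines():
        if not line.strip() or line[0] in "%#":
            continue  # blank line or server comment
        if line[0] in " \t+" and last is not None:
            obj[last][-1] += " " + line[1:].strip()
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        last = key.strip().lower()
        obj.setdefault(last, []).append(value.strip())
    return obj


def parse_cymru(text):
    """Parse the pipe-separated IP-to-ASN rows, skipping the header."""
    rows = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) == 3 and fields[0].isdigit():
            rows.append({"asn": int(fields[0]), "ip": fields[1],
                         "name": fields[2]})
    return rows


def corroborate(ip_text, radb_text, cymru_text):
    """Offer the notify contacts only when both sources agree.

    The route object must cover the IP, and its origin AS must be the
    AS that the IP-to-ASN answer maps the same IP to.
    """
    ip = ipaddress.ip_address(ip_text)
    route = parse_rpsl(radb_text)
    covered = any(ip in ipaddress.ip_network(p, strict=False)
                  for p in route.get("route", []))
    origins = set()
    for value in route.get("origin", []):
        value = value.upper()
        origins.add(int(value[2:] if value.startswith("AS") else value))
    mapped = next((r for r in parse_cymru(cymru_text)
                   if r["ip"] == str(ip)), None)
    origin_match = mapped is not None and mapped["asn"] in origins
    return {
        "covered": covered,
        "origin_match": origin_match,
        "asn": mapped["asn"] if mapped else None,
        "as_name": mapped["name"] if mapped else None,
        "contacts": route.get("notify", []) if covered and origin_match else [],
    }


if __name__ == "__main__":
    print(corroborate("61.253.29.45", RADB_OUTPUT, CYMRU_OUTPUT))
```

The abuse@ address for the AS itself is not in either output, so it still has to be looked up separately, as the message does.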
From Nobody at SpamCop.devnull.diespammerdie.net Tue Jan 3 17:48:44 2006 From: Nobody at SpamCop.devnull.diespammerdie.net (Michael Brennan) Date: Tue Jan 3 18:50:02 2006 Subject: [SpamCop-List] Re: vCard References: <43B59989.521B56A8@Spamcop.net.dev.null> <43B6E2FB.8BD1A59C@Spamcop.net.dev.null> <43B6F561.7FAC@xyzzy.claranet.de> <43B6FCF0.8E6902E6@Spamcop.net.dev.null> <43B84655.E8A46AEC@Spamcop.net.dev.null> <43B86848.601B@xyzzy.claranet.de> Message-ID: <43BB0D5C.9811DD45@SpamCop.devnull.diespammerdie.net> Mike Easter wrote: > > Mike Easter wrote: > > > Has anyone tried any of the operas? Either current or older versions > > which are available in the archives? > > Here's a note from a ng post 2004 May 23 > > // IME, a major issue with running Opera on older Pentium-class systems > is memory. Opera 7 may not be happy with 16 megs, but for me, it ran > well on a P100 with 64 and Win98 SE lite. As I recall, Matthew would > have problems with O7 where I wouldn't not because he was using Win95, > but because 7.x wants more memory than 6.06. // > > Newsgroups: opera.general > Subject: Re: Opera turmed into Shit > Date: Sun, 23 May 2004 16:59:19 +0000 (UTC) > Message-ID: > > http://snipurl.com/l7iy snurled gg to the thread Mike, Thanx for the link, Opera is on my list to try sometime. Still evaluating Mozilla FF, might try the "style sheets" elimination, which I opted for when configuring FF, on a "oh, why not?" basis. Didn't know there was any impact on performance. Regards, Michael From zypher at spamcop.net Tue Jan 3 20:54:22 2006 From: zypher at spamcop.net (Ron B.) Date: Tue Jan 3 21:55:03 2006 Subject: [SpamCop-List] Spamcop Unable to Trace Source of these "Pump 'n' Dump" Spams Message-ID: Spammy now seems to be able to avoid using known IP. 
I've gotten several of these stock spams: http://www.spamcop.net/sc?id=z851618420z37f098e8234c7477b2fdfc220b4cf8fbz From nobody at devnull.spamcop.net Tue Jan 3 22:08:49 2006 From: nobody at devnull.spamcop.net (Glenn Daniels) Date: Tue Jan 3 22:10:03 2006 Subject: [SpamCop-List] Re: Spamcop Unable to Trace Source of these "Pump 'n' Dump" Spams References: Message-ID: "Ron B." wrote in message news:dpfdcv$etv$1@news.spamcop.net... > Spammy now seems to be able to avoid using known IP. > I've gotten several of these stock spams: > > http://www.spamcop.net/sc?id=z851618420z37f098e8234c7477b2fdfc220b4cf8fbz Compare parser results obtained here using no mailhost configuration: http://www.spamcop.net/sc?id=z851736529z6cb36eb2262ddef58f0f68c7f0125cb4z Here the parser finds the same source that I do. There is a problem with your mailhost configuration. It looks to me like you may need to add c60.cesmail.net as a trusted mailhost, but as I don't use the mailhost setup I am not in any position to advise. There are others about as are experienced in such matters as may be better able to advise. -g From MikeE at ster.invalid Tue Jan 3 19:11:59 2006 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jan 3 22:15:03 2006 Subject: [SpamCop-List] Re: Spamcop Unable to Trace Source of these "Pump 'n' Dump" Spams References: Message-ID: Ron B. wrote: > Spammy now seems to be able to avoid using known IP. > I've gotten several of these stock spams: > www.spamcop.net/sc?id=z851618420z37f098e8234c7477b2fdfc220b4cf8fbz You are using a mailhosted account, and something is wrong with how it has been configured compared to the headers submitted to the parser, so SC sez // Possible forgery. Supposed receiving system not associated with any of your mailhosts Will not trust anything beyond this header No source IP address found, cannot proceed. // because the mailhost configuration is happening right at the top from cesmail to cotse. 
If I take the same spam and submit it to a non-mailhosted account parse, it will be properly parsed http://www.spamcop.net/sc?id=z851738459za9dd30d1ce32b3cc1f9e41897544170bz Report Spam to: Re: 70.105.134.14 (Administrator of network where email originates) To: abuse@verizon.net (Notes) If you didn't configure for a mailhost in which SC is forwarding to a cotse server that stamps its line like that, you will need to reconfigure your mailhost, as SC suggests in the error // Add/edit your mailhost configuration // -- Mike Easter kibitzer, not SC admin From zypher at spamcop.net Tue Jan 3 21:41:08 2006 From: zypher at spamcop.net (Ron B.) Date: Tue Jan 3 22:45:03 2006 Subject: [SpamCop-List] Re: Spamcop Unable to Trace Source of these "Pump 'n' Dump" Spams In-Reply-To: References: Message-ID: Mike Easter wrote: > Ron B. wrote: > >>Spammy now seems to be able to avoid using known IP. >>I've gotten several of these stock spams: >> > > www.spamcop.net/sc?id=z851618420z37f098e8234c7477b2fdfc220b4cf8fbz > > You are using a mailhosted account, and something is wrong with how it > has been configured compared to the headers submitted to the parser, so > SC sez > > // Possible forgery. Supposed receiving system not associated with any > of your mailhosts > Will not trust anything beyond this header > No source IP address found, cannot proceed. // > > because the mailhost configuration is happening right at the top from > cesmail to cotse. 
> > If I take the same spam and submit it to a non-mailhosted account parse, > it will be properly parsed > > http://www.spamcop.net/sc?id=z851738459za9dd30d1ce32b3cc1f9e41897544170bz > Report Spam to: > Re: 70.105.134.14 (Administrator of network where email originates) > To: abuse@verizon.net (Notes) > > If you didn't configure for a mailhost in which SC is forwarding to a > cotse server that stamps its line like that, you will need to > reconfigure your mailhost, as SC suggests in the error > > // Add/edit your mailhost configuration // > > > Thanks, will try. From jg at coks.net Tue Jan 3 22:58:50 2006 From: jg at coks.net (jg) Date: Wed Jan 4 02:00:11 2006 Subject: [SpamCop-List] Re: Nanae thread In-Reply-To: References: Message-ID: On 1/3/2006 12:13 PM Mike Easter scribbled: > jg wrote: > >>Mike Easter scribbled: > > >>>Newsgroups: news.admin.net-abuse.email >>>Subject: Spamcop block list >>>Date: 3 Jan 2006 08:30:33 GMT >>>Message-ID: > > >>Good read - tried to sub to nanae and am unable to connect - is it on >>another port other than 119? > > > This news server we are talking on is news.spamcop.net which only > carries the spamcop ng/s. > > Your provider cox provides you with regular usenet newsservers > > news.east.cox.net > news.central.cox.net > news.west.cox.net > > Cox also has some help stuff about it, but I don't want to configure my > browser to get in there > http://support.cox.com/sdcxuser/asp/cox_main.asp Cox Newsgroup FAQ - > select "Newsgroups" > > So, you set up a different newsserver account to get the usenet stuff > like nanae. I'm sure cox's newsservers carry nanae. > Thanks guys, I had my head up my butt - was thinking they had/used their own servers... From g.hyde at bigpond.net.au Wed Jan 4 20:46:01 2006 From: g.hyde at bigpond.net.au (Geoffrey Hyde) Date: Wed Jan 4 05:50:15 2006 Subject: [SpamCop-List] Straightup spam appears to be coming from within my network - how? 
Message-ID: http://www.spamcop.net/sc?id=z851902206z6f5921f57f31749550c4ea8df7cce52bz This is either a really stupid newbie spammer, or someone has infected a telstra server or user with a virus or hack, as I do believe spamming is against the bigpond TOS. Reported, just in case it is something telstra can handle. Cheers ... Geoffrey Hyde From g.hyde at bigpond.net.au Wed Jan 4 21:06:15 2006 From: g.hyde at bigpond.net.au (Geoffrey Hyde) Date: Wed Jan 4 06:10:03 2006 Subject: [SpamCop-List] Pharmacy spam - this time from .tr domain Message-ID: http://www.spamcop.net/sc?id=z851909535z71e0e183db8d0370f68c9b68fd1030bbz It appears the spammers are definitely getting their act back into gear, I wonder which spam filter would be a good one to use? I'm also looking for a good antivirus scanner, anyone got any recommendations (As long as it's not from Symantec, as their last upgrade failed.) that would do the trick? Cheers ... Geoffrey Hyde From MikeE at ster.invalid Wed Jan 4 05:14:06 2006 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jan 4 08:15:03 2006 Subject: [SpamCop-List] Re: Straightup spam appears to be coming from within my network - how? References: Message-ID: Geoffrey Hyde wrote: www.spamcop.net/sc?id=z851902206z6f5921f57f31749550c4ea8df7cce52bz > > This is either a really stupid newbie spammer, or someone has > infected a telstra server or user with a virus or hack, as I do > believe spamming is against the bigpond TOS. Subject: Straightup spam appears to be coming from within my network - how? Not 'straightup' as I use the term. I use straightup to indicate a spam with a certain 'honest' directness to it, where the source = the From = the spamvertiser -- and the headers lack bogosity or abuse of anything. Some straightup spam is a candidate to be sending the notify to a remove address if you aren't philosophically opposed to listwashing. This is just a regular ol' abusive pharm spam with a bogus From and injected at an abused proxy. 
The From is a yahoo addy, the source is an abused proxy listed at CBL for hitting spamtraps and looking like a proxytrojan, and the spamvertiser has a nonresponsive .cn provider. It happens that the abused proxy is 144.135.161.135 rDNS c135.161.135.144.satellite.bigpond.com which is the same provider as you. This is not an item you would be using or believing any remove information. > Reported, just in case it is something telstra can handle. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Wed Jan 4 05:33:44 2006 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jan 4 08:35:03 2006 Subject: [SpamCop-List] Re: Pharmacy spam - this time from .tr domain References: Message-ID: Geoffrey Hyde wrote: www.spamcop.net/sc?id=z851909535z71e0e183db8d0370f68c9b68fd1030bbz pharm spam, abused cbl listed proxy, .cn spamverider [where 'spamverider' = spamvertiser provider] Same o' same o'. > It appears the spammers are definitely getting their act back into > gear, I wonder which spam filter would be a good one to use? My fave is SpamPal which makes it easy for me to custom configure my/its dnsbl/s - because I make the dnsbl/s 'tight' - tight because I can 'simply' whitelist all of my goodmail and have no false positives. The only filtering I do on the body with it is a regex and url plugin. This item would have been caught by the cbl dnsbl condition at the least, maybe more. > I'm also looking for a good antivirus scanner, anyone got any > recommendations (As long as it's not from Symantec, as their last > upgrade failed.) that wuld do the trick? My preference is AVG, but that's mainly because it is 'good enough' and free. http://www.spampal.org SpamPal sits between your email program and your mailbox http://spampal.de/comparison-chart.html To see how SpamPal matches up against other popular anti-spam programs, check out this comparison chart. http://free.grisoft.com/doc/1 The newest version of the popular AVG Anti-Virus Free Edition is available for download. 
BTW -- today google's name appears in raised dots in its usual multicolors in honor of Louis Braille's bd. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Wed Jan 4 05:49:53 2006 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jan 4 08:50:02 2006 Subject: [SpamCop-List] Re: Nanae thread References: Message-ID: Mike Easter wrote: > snurled GG of currently 25 msg thread http://snipurl.com/l8zs Thread now at 116 msgs and growing. > The OP is an ISP's mail admin whose servers [and users] have been > getting themselves SCbl listed for various reasons that he needed to > remedy -- so he sought the advice of other admins. Much informative discussion. I'm following it nntp, not google of course. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Wed Jan 4 06:00:19 2006 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jan 4 09:05:03 2006 Subject: [SpamCop-List] Re: Straightup spam appears to be coming from within my network - how? References: Message-ID: Mike Easter wrote: > Some straightup spam is a candidate to be sending the > notify to a remove address if you aren't philosophically opposed to > listwashing. ... where the 'listwash facilitating' notify is a 'standard' notify to the appropriate abuse desks for spamsource and spamverider, but also includes the email remove address, I don't mean clicking on an alleged remove link. -- Mike Easter kibitzer, not SC admin From kenbrody at spamcop.net Wed Jan 4 11:20:29 2006 From: kenbrody at spamcop.net (Kenneth Brody) Date: Wed Jan 4 11:30:03 2006 Subject: [SpamCop-List] Re: Xmas holidays are over - as far as spammers are concerned! References: Message-ID: <43BBF5CD.D2944C4B@spamcop.net> Redstone wrote: > > Steven Maesslein wrote in > news:slrndr2gsg.4te.nobody@127.0.0.1: > > > On Mon, 26 Dec 2005 23:53:42 -0800, RandallW coughed into spamcop and > > left this in : > > > >> "Your Paypal account has been violated!" > >> > >> What a horrid filthy crime. 
> > > > Especially as I don't even have a friggin' PayPal account... > > > > According to these spammers, I have 7 Paypal accounts was violated. :-) Only seven? About the only e-mail address I have that doesn't get PayPal phishes is the one I use on my PayPal account. -- +-------------------------+--------------------+-----------------------------+ | Kenneth J. Brody | www.hvcomputer.com | | | kenbrody/at\spamcop.net | www.fptech.com | #include | +-------------------------+--------------------+-----------------------------+ Don't e-mail me at: From jzeitlin at spamcop.net Wed Jan 4 12:28:23 2006 From: jzeitlin at spamcop.net (Eönwë) Date: Wed Jan 4 12:30:03 2006 Subject: [SpamCop-List] Continuing sluggishness on email server handling parsing. Message-ID: Well, it appears that my comment about the slowness getting spam INTO the system was a little premature; there's still (or again) a delay of upwards of an hour between the time I send spam for parsing and the time that the website indicates that there's unreported spam. And it's been several hours since I actually processed that spam, and I still haven't gotten my copies of the reports. Has anyone been flagged on this? -- Eönwë (SpamCop subscriber, not staff/admin) From nobody at spamcop.net Wed Jan 4 09:56:18 2006 From: nobody at spamcop.net (RandallW) Date: Wed Jan 4 13:00:02 2006 Subject: [SpamCop-List] Re: Continuing sluggishness on email server handling parsing. References: Message-ID: "Eönwë" wrote in message news:h81or1hjl6il1k7cqp81s2gc3gnq6d07c3@4ax.com... > Well, it appears that my comment about the slowness getting spam INTO > the system was a little premature; there's still (or again) a delay of > upwards of an hour between the time I send spam for parsing and the time > that the website indicates that there's unreported spam. And it's been > several hours since I actually processed that spam, and I still haven't > gotten my copies of the reports. 
>
> Has anyone been flagged on this?
> --
> Eönwë
> (SpamCop subscriber, not staff/admin)

This error appeared for me a few minutes ago:

Cannot send mail:smtpOpen: connect to smtp server failed (Connection refused)

From nobody at devnull.spamcop.net Wed Jan 4 12:23:11 2006
From: nobody at devnull.spamcop.net (WazoO)
Date: Wed Jan 4 13:25:04 2006
Subject: [SpamCop-List] Re: Continuing sluggishness on email server handling parsing.
References:
Message-ID:

"RandallW" wrote in message news:dph285$bot$1@news.spamcop.net...
>
> This error appeared for me a few minutes ago:
>
> Cannot send mail:smtpOpen: connect to smtp server failed (Connection
> refused)

Mail and webmail servers just came back up. As the rest of the warning "should" have stated, give it a few .... Announcements were posted in the Forum dealing with this outage, spamcop.mail has some traffic on this ....

From nobody at spamcop.net Wed Jan 4 13:42:25 2006
From: nobody at spamcop.net (Ellen)
Date: Wed Jan 4 13:45:07 2006
Subject: [SpamCop-List] mail and mailservers - 2 problems
Message-ID:

There are/were 2 different problems:

1) The email system mailservers handling
@spamcop.net/@cesmail.net/@cqmail/net -- these were apparently
down/non-responsive for a short time and have come back up

2) delays in submitted spams/receiving the SC mail with links/etc -- we are
encountering some issues with the parsing system mailservers. We have
engineering working on it. The servers are backlogged and are working thru
the backlog which will take some time to process. I do not know how long it
will take them to catch back up.

We appreciate your patience.

Ellen
SpamCop

From nobody at devnull.spamcop.net Wed Jan 4 13:04:53 2006
From: nobody at devnull.spamcop.net (WazoO)
Date: Wed Jan 4 14:05:03 2006
Subject: [SpamCop-List] Re: mail and mailservers - 2 problems
References:
Message-ID:

"Ellen" wrote in message news:dph4v5$dmh$1@news.spamcop.net...
> There are/were 2 different problems:
>
> 1) The email system mailservers handling
> @spamcop.net/@cesmail.net/@cqmail/net -- these were apparently
> down/non-responsive for a short time and have come back up
>
> 2) delays in submitted spams/receiving the SC mail with links/etc -- we are
> encountering some issues with the parsing system mailservers. We have
> engineering working on it. The servers are backlogged and are working thru
> the backlog which will take some time to process. I do not know how long it
> will take them to catch back up.
>
> We appreciate your patience.

Added to my string/flurry of Announcements over in the Forum. Thanks.

From blacklist-me at davjam.org Wed Jan 4 19:09:55 2006
From: blacklist-me at davjam.org (David Bolt)
Date: Wed Jan 4 14:15:03 2006
Subject: [SpamCop-List] Spamcop claims my address bounces
Message-ID:

For the second time in a week, SpamCop has claimed the address it's
supposed to send mail to is bouncing. Having complete access to the mail
server logs, including all the logs going back well over the years it's
been running, I've only found once where it bounced. That occasion was
in mid July 2005, and caused by me not finishing setting up the address
before telling SpamCop what it should use.

Since then, up to date, there have been no server failures or bounces for
the address known to SpamCop but, on 2005-12-30, SpamCop decided I had
been bouncing mail. After resetting the flag things proceeded slowly,
with quite a few mailed submissions completely disappearing, for the
last few days.

Today, SpamCop is again claiming that the address it knows is bouncing
and I've had to reset the bounce flag again. Probably related to this is
the fact that a batch of 83 spams submitted by mail at 03:52 +0000 have
disappeared, along with another three that were auto-submitted (12:33
+0000, 14:03 +0000 and 14:24 +0000).
Strangely, the one that I did get a
return on and, after reporting, said I'd been bouncing mails, was
submitted at 08:13 +0000.

So, back to the point. Is this problem related to the fact that the mail
submission side appears to have fscked up? More importantly, is there an
estimated time when it's going to be fixed because I'd hate to have to
let a large number of spams go unreported purely because I don't have
the time to report them all.

Regards,
And have a Happy New Year
David Bolt

--
Member of Team Acorn checking nodes at 50 Mnodes/s: http://www.distributed.net/
AMD1800 1Gb WinXP/SUSE 9.3 | AMD2400 256Mb SuSE 9.0 | A3010 4Mb RISCOS 3.11
AMD2400(32) 768Mb SUSE 10.0 | RPC600 129Mb RISCOS 3.6 | Falcon 14Mb TOS 4.02
AMD2600(64) 512Mb SUSE 10.0 | A4000 4Mb RISCOS 3.11 | STE 4Mb TOS 1.62

From nobody at xyzzy.claranet.de Wed Jan 4 20:22:25 2006
From: nobody at xyzzy.claranet.de (Frank Ellermann)
Date: Wed Jan 4 14:25:03 2006
Subject: [SpamCop-List] Re: mail and mailservers - 2 problems
References:
Message-ID: <43BC2071.3AD1@xyzzy.claranet.de>

Ellen wrote:
> @spamcop.net/@cesmail.net/@cqmail/net -- these were
> apparently down/non-responsive for a short time and
> have come back up

Yes, I switched from direct to vmx1 to direct to vmx2

> delays in submitted spams/receiving the SC mail with
> links/etc

ACK, worked until 17:32 GMT, started to fail 18:36 GMT from my "recent reports" POV.

> We appreciate your patience.

No problem, I only checked because I wait for a batch of 17 reports queued for manual LARTing.

--
Frank

From nobody at spamcop.net Wed Jan 4 14:48:54 2006
From: nobody at spamcop.net (Ellen)
Date: Wed Jan 4 14:50:03 2006
Subject: [SpamCop-List] Re: Spamcop claims my address bounces
References:
Message-ID:

"David Bolt" wrote in message news:pPQ1FdVD2BvDFwb7@dev.null.davjam.org...
> For the second time in a week, SpamCop has claimed the address it's
> supposed to send mail to is bouncing.
> Having complete access to the mail
> server logs, including all the logs going back well over the years it's
> been running, I've only found once where it bounced. That occasion was
> in mid July 2005, and caused by me not finishing setting up the address
> before telling SpamCop what it should use.
>
> Since then, up to date, there have been no server failures or bounces for
> the address known to SpamCop but, on 2005-12-30, SpamCop decided I had
> been bouncing mail. After resetting the flag things proceeded slowly,
> with quite a few mailed submissions completely disappearing, for the
> last few days.
>
> Today, SpamCop is again claiming that the address it knows is bouncing
> and I've had to reset the bounce flag again. Probably related to this is
> the fact that a batch of 83 spams submitted by mail at 03:52 +0000 have
> disappeared, along with another three that were auto-submitted (12:33
> +0000, 14:03 +0000 and 14:24 +0000). Strangely, the one that I did get a
> return on and, after reporting, said I'd been bouncing mails, was
> submitted at 08:13 +0000.
>
> So, back to the point. Is this problem related to the fact that the mail
> submission side appears to have fscked up? More importantly, is there an
> estimated time when it's going to be fixed because I'd hate to have to
> let a large number of spams go unreported purely because I don't have
> the time to report them all.
>
>

It is possible that the bounce flag was caused by the mailserver issue altho I suspect not; the mailserver issue was not happening on 12/30. I do not know how long it will take to work thru the backlog.
Ellen

From scamper at trisk.com Wed Jan 4 14:01:47 2006
From: scamper at trisk.com (Garen Erdoisa)
Date: Wed Jan 4 16:05:03 2006
Subject: [SpamCop-List] Re: mail and mailservers - 2 problems
In-Reply-To:
References:
Message-ID:

Ellen wrote:
> There are/were 2 different problems:
>
> 1) The email system mailservers handling
> @spamcop.net/@cesmail.net/@cqmail/net -- these were apparently
> down/non-responsive for a short time and have come back up
>
> 2) delays in submitted spams/receiving the SC mail with links/etc -- we are
> encountering some issues with the parsing system mailservers. We have
> engineering working on it. The servers are backlogged and are working thru
> the backlog which will take some time to process. I do not know how long it
> will take them to catch back up.
>
> We appreciate your patience.
>
>
> Ellen
> SpamCop
>
>
>
>
>

Just a comment, and maybe a heads up for others since this is probably related; I just removed a bunch of reports that showed up duplicated on my spamcop reporting account on 3 spams submitted via email.

When looking back through my maillog to try to understand why they showed up as duplicated on spamcop.net when each report was sent only once on my end, I found in each case several instances in my logs where the sendmail server received from spamcop.net a delivery status notification of 4.0.0 Stat=Deferred

This happened between 10:30am and about 11:40am -0700 today.

So apparently, spamcop actually got the reports, but because spamcop.net's server kept returning a DSN of 4.0.0, my server kept resending the reports since they were still in my mail server's outgoing mail queue.

This is the only reason I can think of why they would have shown up more than once for each report on my reporting account.
Garen Erdoisa

From Nobody at SpamCop.devnull.diespammerdie.net Wed Jan 4 17:07:09 2006
From: Nobody at SpamCop.devnull.diespammerdie.net (Michael Brennan)
Date: Wed Jan 4 18:10:02 2006
Subject: [SpamCop-List] Re: mail and mailservers - 2 problems
References:
Message-ID: <43BC551D.919ABD9C@SpamCop.devnull.diespammerdie.net>

Ellen wrote:
>
> There are/were 2 different problems:
>
> 1) The email system mailservers handling
> @spamcop.net/@cesmail.net/@cqmail/net -- these were apparently
> down/non-responsive for a short time and have come back up
>
> 2) delays in submitted spams/receiving the SC mail with links/etc -- we are
> encountering some issues with the parsing system mailservers. We have
> engineering working on it. The servers are backlogged and are working thru
> the backlog which will take some time to process. I do not know how long it
> will take them to catch back up.
>
> We appreciate your patience.
>
> Ellen
> SpamCop

Ellen,

No complaint here, but fyi the parses on a group of spams I e-mailed between 0700 and 0800 PST today took about four hours to turn around.

Does Spammy have anything to do with this? (Just my suspicious Irish nature.)

Michael

From asterix at no_where.net Thu Jan 5 00:19:47 2006
From: asterix at no_where.net (Asterix)
Date: Wed Jan 4 18:20:03 2006
Subject: [SpamCop-List] Re: Pharmacy spam - this time from .tr domain
References:
Message-ID: <1h8o0kz.y7fc4z11cn7p2N%asterix@no_where.net>

Geoffrey Hyde wrote:
> http://www.spamcop.net/sc?id=z851909535z71e0e183db8d0370f68c9b68fd1030bbz

The .tr spam source is probably just another trojaned Windows PC. You find them all over the globe, including next door.

> I'm also looking for a good antivirus scanner, anyone got any
> recommendations (As long as it's not from Symantec, as their last upgrade
> failed.) that would do the trick?

What do you mean upgrade failed? Please be more specific.
At work we use Symantec AV Corporate Edition, which apparently is completely different from their consumer line Norton AV. It does what it should, and that's it.

--
I recommend Macs to my friends, and Windows machines to those whom I don't mind billing by the hour

From nobody at spamcop.net Wed Jan 4 19:12:40 2006
From: nobody at spamcop.net (Ellen)
Date: Wed Jan 4 19:15:02 2006
Subject: [SpamCop-List] Re: mail and mailservers - 2 problems
References: <43BC551D.919ABD9C@SpamCop.devnull.diespammerdie.net>
Message-ID:

"Michael Brennan" wrote in message news:43BC551D.919ABD9C@SpamCop.devnull.diespammerdie.net...
>
> No complaint here, but fyi the parses on a group of spams I e-mailed
> between 0700 and 0800 PST today took about four hours to turn around.
>
> Does Spammy have anything to do with this? (Just my suspicious Irish
> nature.)
>

Yes -- the mailservers being backed up means the mail doesn't get handed off to the app servers as fast as one would like, etc etc. Think horses not zebras -- which is to say don't assume any nefarious machinations :-)

Ellen
SpamCop

From Nobody at SpamCop.devnull.diespammerdie.net Wed Jan 4 18:26:41 2006
From: Nobody at SpamCop.devnull.diespammerdie.net (Michael Brennan)
Date: Wed Jan 4 19:30:02 2006
Subject: [SpamCop-List] Spammy's E-Mail?
Message-ID: <43BC67C1.F6D3932A@SpamCop.devnull.diespammerdie.net>

Folks,

Who is this clown?

glxk@gxcc.com.cn

He's most recently featured here:

http://www.spamcop.net/sc?id=z852030581z02eb353615d6e95bcd902f37130b1d88z

using bta.net.cn as his provider. Am I right in thinking that this e-mail is the spammer himself? I've been unchecking the box next to this address. The address shows up often enough to color it dark black, but there's something about this address that suggests he's the spammer.

Thanks to a link Mike Easter posted above, I was able to read about this spamgang's activity in Google's discussion groups somewhat, and I recognize any number of payload domains they've used.
But I was wondering whether this is the boyo hisself, arranging for reports and complaints to be sent to him to facilitate listwashing.

Michael

From andy.miller at rogers.com Wed Jan 4 19:51:33 2006
From: andy.miller at rogers.com (Andy Miller)
Date: Wed Jan 4 19:50:05 2006
Subject: [SpamCop-List] What checkboxes should I avoid; ++
Message-ID:

Hi,

The web page for reporting has this big alert:

ATTENTION: Report only those e-mail addresses and web sites that you think your spammer has used. Avoid checking any boxes left empty unless you know that your spammer has used the addresses or sites thus identified. Each false report that you submit means wasted time for a network administrator, so take care. The last thing SpamCop wants are network administrators so accustomed to false claims that they no longer take these spam reports seriously.

What checkboxes? I don't ever see any checkboxes anywhere when I report Spam.

====

Oh, while I'm here, what does the 'or' part of the following mean:

Paste entire spam (headers, blank line, body) - or - single address (one line only):

What kind of reporting would a single address be? An IP address, an e-mail address? Would such a [flimsy] report be considered?

====

Oh well -- twice now (out of a few hundred reports) I've got a diagnostic saying
"No data / Too much data"
Well, it sure wasn't >50K of data, but just 1K or 2K at max. Why would I get such a message?

====

Finally, does anyone know if, in OL macros, whether merely accessing the .Body member of a selected message actually opens/executes the message or otherwise alerts the sender that the message body has been looked at?

Thanks,
Andy

Honest, I failed to find answers to these in the FAQ.

From MikeE at ster.invalid Wed Jan 4 17:11:43 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Jan 4 20:15:03 2006
Subject: [SpamCop-List] Re: Spammy's E-Mail?
References: <43BC67C1.F6D3932A@SpamCop.devnull.diespammerdie.net>
Message-ID:

Michael Brennan wrote:
> Who is this clown?
>
> glxk@gxcc.com.cn

Do you mean what/ who is the/ meatspace person (who) accesses that mailbox? Or, do you mean what is the purpose of that mailbox?

According to the apnic contact records for CNC Guilin INternet network, that is:

person: Xu Kai
nic-hdl: XK43-AP
e-mail: glxk@gxcc.com.cn
address: 57,Zhongshanzhong Road,Xiangshan District,Guilin 541001,China
phone: +86-0773-3110195
fax-no: +086-0773-3110328

> He's most recently featured here:
>
> http://www.spamcop.net/sc?id=z852030581z02eb353615d6e95bcd902f37130b1d88z

The spam contains http://boswell.nxbuyingform.com which SC resolved to 221.7.209.67 -- I get that IP & 211.144.147.128

inetnum: 221.7.209.0 - 221.7.209.255
descr: CNC Guilin INternet network
admin-c/tech-c: XK43-AP

That nic-hdl is your buddy Xu Kai.

> using bta.net.cn as his provider. Am I right in thinking that this
> e-mail is the spammer himself?

No, but what is a 'spammer' in your terminology in this context? That is the address of the provider for the /24 netspace. The IP itself is listed in spamhaus as the /32 for mortgage spam. The /24 provider has 4 other /32 listings in spamhaus at http://www.spamhaus.org/SBL/listings.lasso?isp=cncgroup-gx -- Two of those listings are for ROKSO spammers, spamhaus also has commentary on the provider and considers the space 'dirty' http://www.spamhaus.org/SBL/sbl.lasso?query=SBL35677

// China Netcom Group Dirty Block: CNC Guilin Internet network = Spam hosting. Massive numbers of spams with URIs hosted within this /24 reported via SpamCop (where it is the #1 reported spam host for the last week) and other sources. IP block has no rDNS, probably dynamic IPs. ISP, China Netcom Group Guilin, has minimal info in APNIC, and no abuse@ address registered with abuse.net. //

> I've been unchecking the box next to
> this address.

Some people don't bother reporting to blackhat providers.

> The address shows up often enough to color it dark
> black, but there's something about this address that suggests he's the
> spammer.
I don't think you have your terminology quite straight. The addy is the apnic listed contact for the provider. The provider is unresponsive or blackhat.

> Thanks to a link Mike Easter posted above, I was able to read about
> this spamgang's activity in Google's discussion groups somewhat, and I
> recognize any number of payload domains they've used. But I was
> wondering whether this is the boyo hisself, arranging for reports and
> complaints to be sent to him to facilitate listwashing.

You could call up or fax Xu Kai yourself if you tho't it would help you get to know hir.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Wed Jan 4 17:27:17 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Jan 4 20:30:03 2006
Subject: [SpamCop-List] Re: What checkboxes should I avoid; ++
References:
Message-ID:

Andy Miller wrote:
> The web page for reporting has this big alert:

for everyone.

> ATTENTION: Report only those e-mail addresses and web sites that you
> think your spammer has used. Avoid checking any boxes left empty
> unless you know that your spammer has used the addresses or sites
> thus identified. Each false report that you submit means wasted time
> for a network administrator, so take care. The last thing SpamCop
> wants are network administrators so accustomed to false claims that
> they no longer take these spam reports seriously.

That warning is positioned right under the buttons for send, preview, and cancel which are right under the reporting addresses and their checkboxes.

> What checkboxes? I don't ever see any checkboxes anywhere when I
> report Spam.

Everyone who is approving reports has check boxes beside every addy which is being reported to. If I were trying to imagine a situation that had no check boxes I would have to imagine a situation where there were no reports. If I had to imagine a situation which has no reports, I would have to be imagining a mole reporter.
But, I've never seen a mole reporter's parse page, so I don't know what it looks like.

Are you a mole reporter? Described here during signup http://www.spamcop.net/anonsignup.shtml Register as a "mole"? What's this? http://www.spamcop.net/fom-serve/cache/373.html What is "mole" reporting?

> Oh, while I'm here, what does the 'or' part of the following mean:
>
> Paste entire spam (headers, blank line, body) - or - single
> address (one line only):

That means that SC will parse something like a 'naked' spamvertised URL or IP address and suggest how you should notify for it.

> What kind of reporting would a single address be? An IP address, an
> e-mail address? Would such a [flimsy] report be considered?

SC doesn't report it as a spamcop report -- the parser only derives how it would choose to notify for that IP or email addy or URL if it were notifying for it. It resolves the domain of an addy to an IP or the URL to an IP. Then it uses the whois of the appropriate regional internet registrar like arin or apnic or ripe or afrinic or lacnic or krnic and the admin/tech contacts for the IP.

> Oh well -- twice now (out of a few hundred reports) I've got a
> diagnostic saying
> "No data / Too much data"
> Well, it sure wasn't >50K of data, but just 1K or 2K at max. Why
> would I get such a message?

Something didn't work. The specifics would depend on the specifics of the item. I can't remember whether or not you get a tracker for that kind of glitch. If you do get a tracker, you can post the tracker here and we can talk about the specific item from that tracker link to it.

> Finally, does anyone know if, in OL macros, whether merely accessing
> the .Body member of a selected message actually opens/executes the
> message or otherwise alerts the sender that the message body has been
> looked at?

It can, depending upon the insecurity of your configuration and the specifics of the body of the item you are opening.
I wouldn't use an application which forced me to open spams in order to report them. However, when I *choose* to investigate the interior of a spam, I can do it securely in many different ways, even including opening the spam and rendering it with my mailuser agent's browser's rendering engine.

--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Thu Jan 5 10:53:25 2006
From: nobody at devnull.spamcop.net (Patto)
Date: Wed Jan 4 20:55:03 2006
Subject: [SpamCop-List] Re: How can I report SPAM *without* opening the e-mail?
In-Reply-To: <6m5atzl1dx2e.dlg@mycomputer06.invalid.com>
References: <6m5atzl1dx2e.dlg@mycomputer06.invalid.com>
Message-ID:

MikeV06 wrote:
> On Mon, 02 Jan 2006 14:27:45 +0900, Patto wrote:
>
>> Andy Miller wrote:
>>> Hi,
>>>
>>> I use MS Outlook. I'm happy to do the Options-Headers thing and report all
>>> headers but I really don't like actually opening the SPAM mail. Sure I have
>>> virus scanners but still I don't like opening mail that was unsolicited and
>>> from an unknown source.
>>>
>>> I read somewhere that forwarding from Outlook wasn't "good enough" but even
>>> if it were the operation of forwarding would open the e-mail.
>>>
>>> Can't I just send in a report with the whole *unopened* e-mail as an
>>> attachment?
>>>
>>> Thanks,
>>> Andy
>> I use OL Spamcop with Outlook 2003. It's a quick download, easy
>> install, and highly configurable.
>
> I am doing a Google to look for what you are talking about. Is it
>
> ol-spam-rpt-vbs
>
> Or is it spamcontrol -- http://www.hendricom.com/spamcontrolforsc.htm
>
> Or SpamGrabber -- http://www.olspamcop.org/ (I think it must be this one)
>
> Or ??
>
> Thanks.

Sorry for not providing the link; I simply forgot. But you guessed the correct one
OL Spamcop is http://www.olspamcop.org/ - later renamed SpamGrabber.
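
The approach asked about in the thread above (sending the whole unopened message as an attachment so that every header survives), sketched in Python as an added example that is not part of any poster's message and not SpamCop's or SpamGrabber's code. The addresses, the sample spam and the function names are constructed for illustration; a real submission address is issued per account.

```python
"""Wrap a raw spam message as a message/rfc822 attachment without opening it."""
import re
import secrets
from email import message_from_bytes, policy
from email.utils import formatdate, make_msgid

# Hypothetical addresses: a real submission address is issued per account.
REPORTER = "reporter@example.invalid"
SUBMIT_TO = "submit.PLACEHOLDER@example.invalid"

# Constructed sample: the bytes of a spam exactly as stored in an .eml file.
SAMPLE_SPAM = (
    b"Received: from mx.example.invalid (mx.example.invalid [192.0.2.25])\r\n"
    b"\tby mail.example.invalid with ESMTP id ABC123;\r\n"
    b"\tWed, 4 Jan 2006 10:00:02 -0700\r\n"
    b"Received: from unknown (HELO localhost) ([198.51.100.7])\r\n"
    b"\tby mx.example.invalid with SMTP; Wed, 4 Jan 2006 10:00:00 -0700\r\n"
    b'From: "Account Team" <notice@example.invalid>\r\n'
    b"Subject: Your account has been violated!\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b'<html><img src="http://tracker.example.invalid/open.gif?id=42"></html>\r\n'
)


def to_crlf(raw: bytes) -> bytes:
    """Normalise CR, LF or CRLF line ends to CRLF; nothing else is changed."""
    return re.sub(rb"\r\n|\r|\n", b"\r\n", raw)


def header_block(raw: bytes) -> bytes:
    """Return only the header lines (everything before the first blank line)."""
    return to_crlf(raw).partition(b"\r\n\r\n")[0]


def build_report(raw: bytes, sender: str, recipient: str) -> bytes:
    """Build a multipart/mixed mail carrying `raw` as an opaque attachment.

    The spam is never parsed, decoded or rendered, so remote images and
    scripts in its body are not touched and every header arrives intact.
    """
    for value in (sender, recipient):
        if "\r" in value or "\n" in value:
            raise ValueError("line break in address (header injection)")
    inner = to_crlf(raw)
    if not inner.endswith(b"\r\n"):
        inner += b"\r\n"
    # Choose a MIME boundary that does not occur anywhere inside the spam.
    boundary = b"=_report_" + secrets.token_hex(12).encode()
    while boundary in inner:
        boundary = b"=_report_" + secrets.token_hex(12).encode()
    lines = [
        b"From: " + sender.encode("ascii"),
        b"To: " + recipient.encode("ascii"),
        b"Subject: spam report (1 message attached)",
        b"Date: " + formatdate(localtime=False).encode("ascii"),
        b"Message-ID: " + make_msgid(domain="example.invalid").encode("ascii"),
        b"MIME-Version: 1.0",
        b'Content-Type: multipart/mixed; boundary="' + boundary + b'"',
        b"",
        b"--" + boundary,
        b'Content-Type: text/plain; charset="us-ascii"',
        b"",
        b"Spam attached as message/rfc822.",
        b"",
        b"--" + boundary,
        b"Content-Type: message/rfc822",
        b'Content-Disposition: attachment; filename="spam.eml"',
        b"Content-Transfer-Encoding: 8bit",
        b"",
    ]
    # message/rfc822 may not be base64 encoded, so the bytes go in as they are.
    return (b"\r\n".join(lines) + b"\r\n" + inner
            + b"\r\n--" + boundary + b"--\r\n")


def received_chain(report: bytes) -> list:
    """Parse a built report and return the attached message's Received lines."""
    msg = message_from_bytes(report, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            attached = part.get_payload(0)
            return [str(v) for v in attached.get_all("Received", [])]
    return []


if __name__ == "__main__":
    report = build_report(SAMPLE_SPAM, REPORTER, SUBMIT_TO)
    print(header_block(SAMPLE_SPAM).decode("ascii"))
    print(len(received_chain(report)), "Received headers survived the wrap")
```
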

From andy.miller at rogers.com Wed Jan 4 21:27:24 2006
From: andy.miller at rogers.com (Andy Miller)
Date: Wed Jan 4 21:30:03 2006
Subject: [SpamCop-List] Re: What checkboxes should I avoid; ++
References:
Message-ID:

Thanks.

"Mike Easter" wrote in message news:dphslf$sf2$1@news.spamcop.net...
>
> Are you a mole reporter? Described here during signup
> http://www.spamcop.net/anonsignup.shtml Register as a "mole"? What's
> this? http://www.spamcop.net/fom-serve/cache/373.html What is "mole"
> reporting?
>

Yes, I am a mole reporter, have only ever been a mole reporter, so have never seen these checkboxes. I can't say that it is obvious that as a mole reporter one wouldn't see those checkboxes. There's probably some way that I can request the ATTENTION text be augmented to indicate it applies to only non-mole reporters.

>
>> Oh well -- twice now (out of a few hundred reports) I've got a
>> diagnostic saying
>> "No data / Too much data"
>> Well, it sure wasn't >50K of data, but just 1K or 2K at max. Why
>> would I get such a message?
>
> Something didn't work. The specifics would depend on the specifics of
> the item. I can't remember whether or not you get a tracker for that
> kind of glitch. If you do get a tracker, you can post the tracker here
> and we can talk about the specific item from that tracker link to it.
>

I don't think a tracker is created for that message. If it happens to me again I will definitely check for a tracker and report it here. Thx.

>
> --
> Mike Easter
> kibitzer, not SC admin
>

From bait-423c86b2-42ff9001 at good.julianhaight.com Wed Jan 4 21:03:27 2006
From: bait-423c86b2-42ff9001 at good.julianhaight.com (Chris F. Willoughby)
Date: Thu Jan 5 00:05:03 2006
Subject: [SpamCop-List] Re: nomaster for KRNIC spam
References:
Message-ID:

But if KRNIC owns the address wouldn't they also be the ones responsible and needing to be notified?

Chris

"Steven Maesslein" wrote in message news:slrndrllo3.d6t.nobody@127.0.0.1...
> Highly unlikely.
> That's the KRNIC LIR contact.
>
> whois.nic.or.kr doesn't have any info on ownership of that IP address so
> it would appear to be a bogon - ie: an unallocated IP address for which
> someone has managed to acquire routing through use of forged documents
> or whatever.
>
> --
> Steve
>
> The average nutritional value of promises is roughly zero.

From feldethom2165 at email2me.net Thu Jan 5 01:14:22 2006
From: feldethom2165 at email2me.net (Fred k)
Date: Thu Jan 5 05:35:15 2006
Subject: [SpamCop-List] Sober up as Christmas viruses spiral
Message-ID:

Despite the US Federal Trade Commission recently announcing to the world that the CAN-SPAM act is working, the US continues to be the main source globally of unsolicited mails. According to IE Internet, 45.3 per cent of all spam mails in December originated in the US. Korea (6.1 percent) and China (5.3 per cent) are also major sources of spam, coming in second and third place behind the US in terms of overall spam production.

Unwanted gifts

http://go.theregister.com/news/http://www.theregister.co.uk/2006/01/04/electric_sober/

Fred k.

From redford_stone at INVERSE_OF_COLDmail.com Thu Jan 5 12:11:44 2006
From: redford_stone at INVERSE_OF_COLDmail.com (Redstone)
Date: Thu Jan 5 07:15:02 2006
Subject: [SpamCop-List] Re: Xmas holidays are over - as far as spammers are concerned!
References: <43BBF5CD.D2944C4B@spamcop.net>
Message-ID:

Kenneth Brody wrote in news:43BBF5CD.D2944C4B@spamcop.net:
>
> Only seven? About the only e-mail address I have that doesn't get
> PayPal phishes is the one I use on my PayPal account.
>

Just shows that the spammers are legit offphishals. -)

From MikeE at ster.invalid Thu Jan 5 04:32:24 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Jan 5 07:35:03 2006
Subject: [SpamCop-List] Re: nomaster for KRNIC spam
References:
Message-ID:

Chris F. Willoughby wrote:
> But if KRNIC owns the address wouldn't they also be the ones
> responsible and needing to be notified?
krnic is a 'sub-' regional internet registrar of apnic, where the RIRs are arin, ripe, afrinic, apnic, lacnic http://www.arin.net/community/index.html Regional Internet Registries just like the .br registry is a sub RIR of lacnic.

The registries aren't the notification for a netblock's IP any more than ICANN is, except when they 'ask' to be notified, such as the way the .br registry does by listing an abuse contact in the whois.

--
Mike Easter
kibitzer, not SC admin

From nobody at nowhere.invalid Thu Jan 5 14:13:17 2006
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Thu Jan 5 08:15:04 2006
Subject: [SpamCop-List] Re: nomaster for KRNIC spam
References:
Message-ID:

On Thu, 5 Jan 2006 04:32:24 -0800, Mike Easter coughed into spamcop and left this in :
> krnic is a 'sub-' regional internet registrar of apnic

aka "LIR", Local Internet Registry.

--
Steve

Why do people pay to go up tall buildings and then put money in binoculars to look down at things on the ground?

From MikeE at ster.invalid Thu Jan 5 05:13:49 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Jan 5 08:15:11 2006
Subject: [SpamCop-List] Re: nomaster for KRNIC spam
References:
Message-ID:

Mike Easter wrote:
> Chris F. Willoughby wrote:
>> But if KRNIC owns the address wouldn't they also be the ones
>> responsible and needing to be notified?
>
> krnic is a 'sub-' regional internet registrar of apnic,

I forgot about this being about 61.253.29.45

Here's how the whois.nic.or.kr returns:

whois -h whois.nic.or.kr 61.253.29.45
...
KRNIC is not a ISP but a National Internet Registry similar to APNIC. The IPv4 address is allocated from APNIC to KRNIC. KRNIC is holding the IPv4 address for further allocation to its member ISPs in the furture. If you have any question with the IPv4 address, Please contact at hostmaster@nic.or.kr

So, in that sense, you could notify them, but not (exactly) as a spamcop report. This started out as a qx about a tracker and the IP was an open proxy source.
The IP is listed in multiple blocklists as a spamsource, spamtrap hitting, open proxytrojan. It persists as being an output

Volume Statistics for this IP
            Magnitude   Vol Change vs. Average
Last day    4.8         5078%
Last 30d    4.0         735%
Average     3.1
monofont for columns

and in fact there are others like that 61.253.29.23 & 61.253.29.67 in just that /24

And, if you really start looking around, you find 718 IPs listed by senderbase as being outputs in the /16 http://www.senderbase.org/search?searchBy=ipaddress&searchString=61.253.29.67&whichOthers=%2F16 Addresses in 61.253.0.0/16 used to send email

So, if you were so motivated, you could research how many of them are listed in multiple blocklists and are also 'unassigned' by krnic, and you could 'confront' krnic with the question, "What are you going to do about this little situation here?"

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Thu Jan 5 05:15:03 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Jan 5 08:15:17 2006
Subject: [SpamCop-List] Re: nomaster for KRNIC spam
References:
Message-ID:

Steven Maesslein wrote:
> Mike Easter
>> krnic is a 'sub-' regional internet registrar of apnic
>
> aka "LIR", Local Internet Registry.

Yeah, what /he/ said :-)

--
Mike Easter
kibitzer, not SC admin

From zypher at spamcop.net Thu Jan 5 07:38:18 2006
From: zypher at spamcop.net (Ron B.)
Date: Thu Jan 5 08:40:03 2006
Subject: [SpamCop-List] OT (Was :Re: nomaster for KRNIC spam)
In-Reply-To:
References:
Message-ID:

Mike Easter wrote:
> Steven Maesslein wrote:
>
>>Mike Easter
>
>
>>>krnic is a 'sub-' regional internet registrar of apnic
>>
>>aka "LIR", Local Internet Registry.
>
>
> Yeah, what /he/ said :-)
>

Respectfully, don't you ever sleep?

From MikeE at ster.invalid Thu Jan 5 06:14:43 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Jan 5 09:15:03 2006
Subject: [SpamCop-List] Re: OT (Was :Re: nomaster for KRNIC spam)
References:
Message-ID:

Ron B.
wrote:
> Mike Easter wrote:
>> Yeah, what /he/ said :-)

> Respectfully, don't you ever sleep?

I don't actually keep 'records' - but I probably sleep about as much as everyone else or 'most people' -- I just don't sleep 'in the same way' or 'like' most people.

Where most people go to bed and sleep for some significant number of hours on some kind of regular schedule and get very 'concerned' or stressed when it doesn't work like that for them. Then, they have some kind of 'problem' when they aren't sleeping normally, including how they feel when they are awake.

It doesn't work like that for me, and it/that doesn't concern me, so I sleep when I want to and when I don't, I don't. When I feel sleepy, I sleep. When I wake up, I wake up. Sometimes I sleep for the hours like regular people, usually I don't. I've slept several times in the last 24 hours. Some short, some longer.

I'm aware of the various recommendations of sleep experts on sleep 'hygiene' -- but those recommendations are directed at people who desire normal sleeping 'habits'. I have no such 'needs' for sleep hygiene or training because I'm perfectly happy the way things are.

--
Mike Easter
kibitzer, not SC admin

From RobertW at danjonengineering.com Thu Jan 5 10:11:38 2006
From: RobertW at danjonengineering.com (Robert Williams)
Date: Thu Jan 5 13:15:03 2006
Subject: [SpamCop-List] Refused e-mails?
Message-ID:

I've got a client that has all of the sudden refused our e-mail because an IP Address is listed in SORBS. However, the listed IP Address has nothing to do with us. I've checked SORBS and I can see that the IP Address IS listed.

x@x.com on 1/5/2006 9:48 AM
You do not have permission to send to this recipient. For assistance, contact your system administrator.
< ylpvm15.prodigy.net #5.7.1 SMTP; 550 5.7.1 ... Connection refused.
Please have your Internet Provider review the following URL: http://www.dnsbl.us.sorbs.net/cgi-bin/lookup?IP=207.115.57.46> I've done a lookup at Network Solutions and found that the IP Address is a New York IP. I'm in California and the report came from a company that is also in California. Does this mean that there has been a redirector placed in the loop somewhere that is throwing our e-mails out to NY and back to CA? How would the IP Address just show up as relating to us? I'm getting ready to call BOTH ISPs to figure out what is going on. Any Comments, please! Thank you, RW 207.115.57.46 Record Type: IP Address OrgName: Prodigy Communications L.P. OrgID: PROD Address: 1565 Front St. City: Yorktown Heights StateProv: NY PostalCode: 10598 Country: US NetRange: 207.115.0.0 - 207.115.63.255 CIDR: 207.115.0.0/18 NetName: PRODIGY-BLK2 NetHandle: NET-207-115-0-0-1 Parent: NET-207-0-0-0-0 NetType: Direct Allocation NameServer: DNSMASTER2.PRODIGY.NET NameServer: DNSMASTER.PRODIGY.NET Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE RegDate: 1996-06-19 Updated: 2001-09-26 RTechHandle: RL770-ARIN RTechName: Lynch, Robert RTechPhone: +1-914-448-1165 RTechEmail: boblynch@prodigy.net Here is my ISP Info: 67.114.86.114 Record Type: IP Address OrgName: SBC Internet Services OrgID: SIS-80 Address: 2701 W 15th St PMB 236 City: Plano StateProv: TX PostalCode: 75075 Country: US NetRange: 67.112.0.0 - 67.127.255.255 CIDR: 67.112.0.0/12 NetName: SBCIS-SIS80 NetHandle: NET-67-112-0-0-1 Parent: NET-67-0-0-0-0 NetType: Direct Allocation NameServer: NS1.PBI.NET NameServer: NS2.PBI.NET Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE RegDate: 2001-10-16 Updated: 2005-09-30 RTechHandle: PIA2-ORG-ARIN RTechName: IPAdmin-PBI RTechPhone: +1-800-648-1626 RTechEmail: pbiip@txmail.sbc.com OrgAbuseHandle: ABUSE6-ARIN OrgAbuseName: Abuse - Southwestern Bell Internet OrgAbusePhone: +1-800-648-1626 OrgAbuseEmail: abuse@sbcglobal.net OrgNOCHandle: SUPPO-ARIN OrgNOCName: Support - 
Southwestern Bell Internet Services OrgNOCPhone: +1-800-648-1626 OrgNOCEmail: support@swbell.net OrgTechHandle: IPADM2-ARIN OrgTechName: IPAdmin-SBIS OrgTechPhone: +1-800-648-1626 OrgTechEmail: IPAdmin-SBIS@sbis.sbc.com From MikeE at ster.invalid Thu Jan 5 11:02:17 2006 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jan 5 14:05:04 2006 Subject: [SpamCop-List] Re: Refused e-mails? References: Message-ID: Robert Williams wrote: > I've got a client that has all of the sudden refused our e-mail > because an IP Address is listed in SORBS. However, the listed IP > Address has nothing to do with us. That isn't a very good description of who 'our email' is. > < ylpvm15.prodigy.net #5.7.1 SMTP; 550 5.7.1 ... Connection > refused. Please have your Internet Provider review the following URL: > http://www.dnsbl.us.sorbs.net/cgi-bin/lookup?IP=207.115.57.46> 207.115.57.46 rDNS ylpvm15.prodigy.net is an output mailserver for prodigy and others It is listed in a number of db/s spam.dnsbl.rangers.eu.org 127.0.0.8 sorbs - servers sending to spamtrap addresses http://www.spambag.org/ backscatter spam.wytnij.to - output server spam > I've done a lookup at Network Solutions and found that the IP Address > is a New York IP. I'm in California and the report came from a > company that is also in California. That information is totally immaterial. > Does this mean that there has been a redirector placed in the loop > somewhere that is throwing our e-mails out to NY and back to CA? No. The geographic locations of company mailing addresses is not germane to this discussion. Neither is the geographic location of the mailservers which is a completely separate subject. Neither matters. What matters is what mailserver your mail uses, by IP address, in this case 207.115.57.46 -- and what manner of mailhandling and spamcontrol management your recipient performs - and what blocklists your mail's output server is on - and how that affects your mail's handling at that of your recipient. 
> How would the IP Address just show up as relating to us?

Who is 'us'? where us refers to what mailserver handles your mail. That is, when you send your mail out, you send it to a mailserver. That mailserver, itself or via some mailtransfer agent, sends to your recipient. That recipient's filtering is what influences if your mail is rejected because of a mailserver being on a blocklist.

> I'm getting ready to call BOTH ISPs to figure out what is going on.

Only *you* know what ISP yours is

> Any Comments, please!

You posted here via a pacbell dsl IP 67.114.86.11

That doesn't actually tell me what your mailserver is. You used a danjonengineering.com in your From. That also doesn't tell me what your mailserver is. danjonengineering.com incoming mail uses a pacbell IP. pacbell.net uses prodigy.net servers for its incoming mail, so it is logical to assume that pacbell net 'customers' and their 'relations' such as sbc also use prodigy.

So, I would say that your mail finds itself being output by a prodigy server which is blocklisted on some minor blocklists, including sorbs for hitting spamtraps -- sorbs has quite a number of different blocklists - and on spambag for backscatter, which is also not a good server configuration.

It behooves the providers of mail services to have servers which are well behaved and keep themselves off the hundreds of different blocklists. It also behooves the recipients of mail to use blocklists and other antispam strategies wisely.

Prodigy has many many output servers. If it doesn't watch out, at any given moment some of its servers could be on any number of blocklists besides sorbs. Currently quite a lot of prodigy's servers are in sorbs Spam source blocklist.

Here is a prodigy server on spamcop's blocklist. 207.115.63.31 which is worse than being on sorbs. Here's some more - 207.115.63.32 207.115.63.30 207.115.63.33 -- I could find many others.

The point is, that if your mail uses IP addresses which are associated with spamoutput and blocklistings and your recipient uses those blocklists as part of their spam defense, then your mail may get rejected.

The solution to that is a combination of a wise choice of your mail provider, and intelligent use of antispam techniques by your recipients.

--
Mike Easter
kibitzer, not SC admin

From zypher at spamcop.net Thu Jan 5 13:25:53 2006
From: zypher at spamcop.net (Ron B.)
Date: Thu Jan 5 14:30:03 2006
Subject: [SpamCop-List] Media: Iowa ISP Gets $11B In E-mail Spam Case
Message-ID:

Iowa ISP Gets $11B In E-mail Spam Case

DES MOINES, Iowa -- An Iowa Internet service provider has been awarded $11 billion in a judgment against a Florida man who sent millions of unsolicited e-mail messages. The e-mail advertised mortgage and debt consolidation services. In addition to paying Clinton-based CIS Internet Services, the Florida man has been barred from accessing the Internet for three years.

Copyright 2006 by KCCI.com. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.

http://www.kcci.com/technology/5864633/detail.html?rss=des&psp=news

From MikeE at ster.invalid Thu Jan 5 11:27:24 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Jan 5 14:30:08 2006
Subject: [SpamCop-List] Re: Refused e-mails?
References:
Message-ID:

Mike Easter wrote:
> Robert Williams wrote:
>> I've got a client that has all of the sudden refused our e-mail
> 207.115.57.46 rDNS ylpvm15.prodigy.net is an output mailserver for
> prodigy and others
> Here is a prodigy server on spamcop's blocklist. 207.115.63.31 which
> is worse than being on sorbs. Here's some more - 207.115.63.32
> 207.115.63.30 207.115.63.33 -- I could find many others.

Your mail tries to go out servers which are associated with abusive behavior, backscatter and hitting spamtraps.
It might go out any one of very many servers, but those very many servers are blocklisted in lots of important places, including spamcop. All of the IPs below are prodigy output servers which are spamcop blocklisted and more importantly, which spend a lot of time being so blocklisted. You are going to run into a lot of recipients who are going to be handling your mail according to their blocklists, which may include rejecting it. If your provider can't send your mail out via non-abusive servers and you can't get your recipient client to whitelist your mail, which may not be possible, you may need to get some other mail provider to handle your mail output. 207.115.63.107 listed in bl.spamcop.net will be delisted automatically in approximately 17 hours sent mail to SpamCop spam traps users have reported system as a source of spam past 359.9 days, it has been listed 79 times for a total of 148.2 days 207.115.63.126 listed in bl.spamcop.net will be delisted automatically in approximately 13 hours sent mail to SpamCop spam traps users have reported system as a source of spam past 358.4 days, it has been listed 81 times for a total of 138.7 days 207.115.63.30 listed in bl.spamcop.net will be delisted automatically in approximately 17 hours. sent mail to SpamCop spam traps users have reported system as a source of spam past 356.9 days, it has been listed 70 times for a total of 116.0 days 207.115.63.49 listed in bl.spamcop.net will be delisted automatically in approximately 21 hours. 
has sent mail to SpamCop spam traps appears this listing is caused by misdirected bounces past 358.7 days, it has been listed 74 times for a total of 126.1 days 207.115.63.31 listed in bl.spamcop.net will be delisted automatically in approximately 19 hours sent mail to SpamCop spam traps in the past week appears this listing is caused by misdirected bounces past 358.8 days, it has been listed 72 times for a total of 127.1 days 207.115.63.32 listed in bl.spamcop.net will be delisted automatically in approximately 18 hours sent mail to SpamCop spam traps in the past week appears this listing is caused by misdirected bounces past 356.7 days, it has been listed 49 times for a total of 102.2 days 207.115.63.33 listed in bl.spamcop.net -- Mike Easter kibitzer, not SC admin From mwnospam at comcast.net Thu Jan 5 17:18:12 2006 From: mwnospam at comcast.net (spamacyde) Date: Thu Jan 5 17:20:12 2006 Subject: [SpamCop-List] Re: SpamPal and Spamcop References: Message-ID: "Mike Easter" wrote in message news:dp6qoe$qgp$1@news.spamcop.net... > spamacyde wrote: > > "Mike Easter" > > >> altTRQ > >> selects the addy from the wab, > > > What address are you sending the messages to? I've been pasting the > > messages into the form. > > I put the/my spamcop submit addy into my .wab. > > In OE when you are in the message compose mode which you got to be when > you forwarded the spams as attachment, when you perform the sequence > alt-T you open the Tools menu. When you are in Tools, the R functions > to select recipients, so it opens the addressbook. When the addressbook > is open, the next letter pressed moves the selector to the alphabetized > 'names' in the addressbook because it 'falls into' the Find function. 
> > By carefully naming the submit address, that Q function causes the/my SC > submit address to 'fall into' the addressbook's slot, at which point I > only have to hit 'enter' to cause the address to go into the To and the > next 'enter' causes the properly addressed forwarded collection to be > ready to send. > > As a result, the sequence is alt-T-R-Q enter enter alt-S enter [where > the last enter is because OE wants to tell me that I don't have a > subject, and I'm saying OK anyway] > > I could avoid the last enter if I checked to not warn me about that, but > the SC submits are the only thing I send without a subject, so I would > rather be warned about that in case I do it accidentally. > > > -- > Mike Easter > kibitzer, not SC admin > Ok, I forwarded all my spam messages as attachments in a manner similar to the one above and I got a message back with links asking me to confirm each message individually. Is there a way to automatically confirm? Thank. From RobertW at danjonengineering.com Thu Jan 5 14:24:19 2006 From: RobertW at danjonengineering.com (Robert Williams) Date: Thu Jan 5 17:25:03 2006 Subject: [SpamCop-List] Re: Refused e-mails? References: Message-ID: "Mike Easter" wrote in message news:dpjqfj$vqg$1@news.spamcop.net... I was ready to respond to all the other BS you wrote in here, then I read this: : You posted here via a pacbell dsl IP 67.114.86.11 Because we run our own mailserver (in-office) that IS our mailserver. : That doesn't actually tell me what your mailserver is. You used a : danjonengineering.com in your From. That also doesn't tell me what your : mailserver is. danjonengineering.com incoming mail uses a pacbell IP. : pacbell.net uses prodigy.net servers for its incoming mail, so it is : logical to assume that pacbell net 'customers' and their 'relations' : such as sbc also use prodigy. The above is EXACTLY what I was looking for. If this is true, then that is my problem. 
: So, I would say that your mail finds itself being output by a prodigy
: server which is blocklisted on some minor blocklists, including sorbs
: for hitting spamtraps -- sorbs has quite a number of different
: blocklists - and on spambag for backscatter, which is also not a good
: server configuration.
:
: It behooves the providers of mail services to have servers which are
: well behaved and keep themselves off the hundreds of different
: blocklists. It also behooves the recipients of mail to use blocklists
: and other antispam strategies wisely.
:
: Prodigy has many many output servers. If it doesn't watch out, at any
: given moment some of its servers could be on any number of blocklists
: besides sorbs. Currently quite a lot of prodigy's servers are in sorbs
: Spam source blocklist.
:
: Here is a prodigy server on spamcop's blocklist. 207.115.63.31 which is
: worse than being on sorbs. Here's some more - 207.115.63.32
: 207.115.63.30 207.115.63.33 -- I could find many others.
:
: The point is, that if your mail uses IP addresses which are associated
: with spamoutput and blocklistings and your recipient uses those
: blocklists as part of their spam defense, then your mail may get
: rejected.
:
: The solution to that is a combination of a wise choice of your mail
: provider, and intelligent use of antispam techniques by your recipients.
:
:
: --
: Mike Easter
: kibitzer, not SC admin

What really sucks is none of this happened until the merger between SBC and AT&T. Just a few days ago we were able to send mail to this client with no repercussions.

Thanks Mike.

RW

From MikeE at ster.invalid Thu Jan 5 15:10:47 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Jan 5 18:15:02 2006
Subject: [SpamCop-List] Re: SpamPal and Spamcop
References:
Message-ID:

This turned out to be longer than I tho't it was gonna'....

spamacyde wrote:
> "Mike Easter"
>> I put the/my spamcop submit addy into my .wab.
> I forwarded all my spam messages as attachments in a manner similar
> to the one above and I got a message back with links asking me to
> confirm each message individually.

Correct.

> Is there a way to automatically
> confirm?

No. And/But....

For 'standard' SC reporting, the parser IDs the spamsource to contribute to the SCbl, and the parser 'generally' tries to deobfuscate and resolve the spamvertised links to notify the spamverider [= spam carried advertiser's provider].

Standard reporting provides an important opportunity to oversee that the parser has determined the source correctly [and not one's own provider, in the event of a parser error] and the standard reporting also provides spamvertised links to the sc-surbl.

This process requires individually 'surveying' each parsed item with all of its boxes beside the various addies which will be notified, and having surveyed the boxes, or added more addies, or made remarks, then approving to submit the report. Not an insignificant 'involvement' in the reporting process.

Some people, like me, think that standard SC notification of spamveriders 'typically' has more disadvantages than advantages, except in the unusual incidence of there being a whitehat spamverider. If the spamverider is blackhat and in cahoots with the spamgang, you are providing a copy of the spam evidence to the spamverider's customers, the spamgang. The only mungeing on that evidence is standard SC mungeing or none at all, depending on your configuration.

The concerns about inadequate mungeing of spam evidence in the hands of the perpetrator or the perp's cohorts is described in the faq section on mole reporting. But mole reporting is pretty much worthless.

There is also the 'condition' of quick reporting. Quick reporting causes the effect of the reporter to somewhat resemble the effect of the spamtrap hit, except for score.
If a reporter who is configured as a mailhost reporter 'applies' for approval to be a quick reporter and is approved, then the spam submissions result in *no* oversight of the parse, opening the door to unfortunate reportings of misparses, the worst variety of which is reporting ones own provider and getting into a jam about that. In addition, there is no parsing of the body of the spam, and thus no notification of the spamverider. This is a two edged sword. That means that the spamvertised url isn't fed into the sc-surbl - which is 'bad' or a reduction in one effect of the report of the spam -- and it also means that the spamverider isn't notified. The standard SC derived spamverider notify, which isn't designed in a 'robust' fashion to eliminate all or even most non-responsive or even blackhat providers is notifying some ie many nonresponsives and some blackhats.-- so that means the non-notification of those spamveriders is also a two-edged sword. The one edge is that of failing to notify the whitehat provider who would act against the spamvertiser. The other edge is that the vast majority, almost all, of the standard SC notifies will be going to either unresponsive or blackhat providers - mostly unresponsive. So, some reporters decide to do quick reporting on two important bases -- that it does *not* require confirmation, and that it does *not* notify the undesirable and/or nonresponsive spamveriders. So, the big advantage of quick reporting is that it is speedy and that it contributes to the SCbl - a very very important SC 'feature'. The other advantage is that it doesn't notify non-responsive and/or blackhat providers. The disadvantage is that it doesn't provide one element of oversight of the parse for source, and that it doesn't feed the sc-surbl, and that unless the spam is 'segregated' into quick vs normal reporting, that no whitehat spamveriders are notified. 
So, for some not insignificant subset of SC reporters, the balance of plusses and minuses causes them to become quick reporters. I think the balance could be shifted somewhat if SC would change the configuration options to allow the regular reporters to opt to not notify the spamveriders, but to cause those reports to go to devnull. Then, the parser would not have to resolve the spamvertised url to an IP, because no notification is necessary. The reporter would uncheck any innocent bystander devnulls, and all of the checked devnulls would be reported to the sc-surbl. So, the greatest benefit I think would be to the SC contribution to the sc-surbl and to the unloading of some parser overhead by eliminating the dastardly duty of trying to resolve the harum scarum anti-resolution strategies of the spamvertisers. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Thu Jan 5 15:18:58 2006 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jan 5 18:20:03 2006 Subject: [SpamCop-List] Re: SpamPal and Spamcop References: Message-ID: spamacyde wrote: > I forwarded all my spam messages as attachments in a manner similar > to the one above and I got a message back with links asking me to > confirm each message individually. Is there a way to automatically > confirm? There is no confirmation step for quick reporters, but only the unsupervised spamsource provider determination is notified and the spamsource IP is also contributed to the SCbl. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Thu Jan 5 15:37:36 2006 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jan 5 18:40:02 2006 Subject: [SpamCop-List] Re: Refused e-mails? References: Message-ID: Robert Williams wrote: > "Mike Easter" > I was ready to respond to all the other BS you wrote in here, then I > read this: > >> You posted here via a pacbell dsl IP 67.114.86.11 > > Because we run our own mailserver (in-office) that IS our mailserver. 
Well, the only thing I can 'derive' easily is that the incoming mail to danjonengineering comes thru' mail.danjonengineering.com which IP is 67.114.86.114 and which IP rDNSes to a pacbell DSL. And/but the website gets its nameservice from sbc, and the website and the IP itself are under sbc.

The business of how the mail goes out isn't always so easily derived. We/I would have to look at the headers of a mail you sent -- but the appearance of the prodigy server in your trouble implies that's the way it goes. If you feel like sending me a mail at mike.easter@gmail.com -- that is, sending it via the same server that had the trouble you are describing, then I can see it 'for myself'.

If you can interpret the headers, you can send one to yourself and have a look at it.

>> , so it is logical to assume that pacbell net 'customers' and
>> their 'relations' such as sbc also use prodigy.
>
> The above is EXACTLY what I was looking for. If this is true, then
> that is my problem.

Prodigy output servers have more than their share of problems. They must be unresponsive to the listings and the notifies from the blocklisters about what the problems are.

>> The solution to that is a combination of a wise choice of your mail
>> provider, and intelligent use of antispam techniques by your
>> recipients.

> What really sucks is none of this happened until the merger between
> SBC and AT&T. Just a few days ago we were able to send mail to this
> client with no repercussions.

--
Mike Easter
kibitzer, not SC admin

From RobertW at danjonengineering.com Thu Jan 5 16:25:35 2006
From: RobertW at danjonengineering.com (Robert Williams)
Date: Thu Jan 5 19:30:02 2006
Subject: [SpamCop-List] RW: Refused e-mails?
References:
Message-ID:

Check your gmail Mike.

RW

"Mike Easter" wrote in message news:dpkajo$9gs$1@news.spamcop.net...
: Robert Williams wrote:
: > "Mike Easter"
:
: > I was ready to respond to all the other BS you wrote in here, then I
: > read this:
: >
: >> You posted here via a pacbell dsl IP 67.114.86.11
: >
: > Because we run our own mailserver (in-office) that IS our mailserver.
:
: Well, the only thing I can 'derive' easily is that the incoming mail to
: danjonengineering comes thru' mail.danjonengineering.com which IP is
: 67.114.86.114 and which IP rDNSes to a pacbell DSL. And/but the website
: gets its nameservice from sbc, and the website and the IP itself are
: under sbc.
:
: The business of how the mail goes out isn't always so easily derived.
: We/I would have to look at the headers of a mail you sent -- but the
: appearance of the prodigy server in your trouble implies that's the way
: it goes. If you feel like sending me a mail at mike.easter@gmail.com --
: that is, sending it via the same server that had the trouble you are
: describing, then I can see it 'for myself'.
:
: If you can interpret the headers, you can send one to yourself and have a
: look at it.
:
: >> , so it is logical to assume that pacbell net 'customers' and
: >> their 'relations' such as sbc also use prodigy.
: >
: > The above is EXACTLY what I was looking for. If this is true, then
: > that is my problem.
:
: Prodigy output servers have more than their share of problems. They
: must be unresponsive to the listings and the notifies from the
: blocklisters about what the problems are.
:
: >> The solution to that is a combination of a wise choice of your mail
: >> provider, and intelligent use of antispam techniques by your
: >> recipients.
:
: > What really sucks is none of this happened until the merger between
: > SBC and AT&T. Just a few days ago we were able to send mail to this
: > client with no repercussions.
:
:
: --
: Mike Easter
: kibitzer, not SC admin
:

From ycbs at blackhole.invalid Thu Jan 5 16:38:43 2006
From: ycbs at blackhole.invalid (NormanM)
Date: Thu Jan 5 19:40:03 2006
Subject: [SpamCop-List] Re: Refused e-mails?
References:
Message-ID: <1dqy3s03kih41$.dlg@pacbell.net>

On Thu, 5 Jan 2006 14:24:19 -0800, Robert Williams wrote:

> "Mike Easter" wrote in message
> news:dpjqfj$vqg$1@news.spamcop.net...
> I was ready to respond to all the other BS you wrote in here, then I read
> this:
>: You posted here via a pacbell dsl IP 67.114.86.11
> Because we run our own mailserver (in-office) that IS our mailserver.
>: That doesn't actually tell me what your mailserver is. You used a
>: danjonengineering.com in your From. That also doesn't tell me what your
>: mailserver is. danjonengineering.com incoming mail uses a pacbell IP.
>: pacbell.net uses prodigy.net servers for its incoming mail, so it is
>: logical to assume that pacbell net 'customers' and their 'relations'
>: such as sbc also use prodigy.
> The above is EXACTLY what I was looking for. If this is true, then that is
> my problem.
> What really sucks is none of this happened until the merger between SBC and
> AT&T. Just a few days ago we were able to send mail to this client with no
> repercussions.

SBC bought Prodigy long before they bought AT&T. All SBC email not handled by the Yahoo! servers for SBC Yahoo! accounts is handled by prodigy.net servers; has been that way since about 2002, anyway. SBC servers are in and out of a number of blocklists on a regular basis. One problem is backscatter; I have a defunct @pacbell.net email address which will cause backscatter if a spammer tries to send to it with a forged email address. SBC doesn't seem to know how to take care of it; I could fix it by getting it back, but SBC won't let me take it back.

--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum

From porpoise1954 at yahoo.co.uk Fri Jan 6 00:48:20 2006
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Thu Jan 5 19:50:02 2006
Subject: [SpamCop-List] UK Spam Win
Message-ID:

About time too!

http://www.theregister.co.uk/2005/12/29/uk_spam_win/

From RobertW at danjonengineering.com Thu Jan 5 17:22:04 2006
From: RobertW at danjonengineering.com (Robert Williams)
Date: Thu Jan 5 20:25:04 2006
Subject: [SpamCop-List] RW: Refused e-mails?
References: <1dqy3s03kih41$.dlg@pacbell.net>
Message-ID:

"NormanM" wrote in message news:1dqy3s03kih41$.dlg@pacbell.net...
: On Thu, 5 Jan 2006 14:24:19 -0800, Robert Williams wrote:
: SBC bought Prodigy long before they bought AT&T. All SBC email not handled
: by the Yahoo! servers for SBC Yahoo! accounts is handled by prodigy.net
: servers; has been that way since about 2002, anyway. SBC servers are in and
: out of a number of blocklists on a regular basis. One problem is
: backscatter; I have a defunct @pacbell.net email address which will cause
: backscatter if a spammer tries to send to it with a forged email address.
: SBC doesn't seem to know how to take care of it; I could fix it by getting
: it back, but SBC won't let me take it back.
:
: --
: Norman
: ~Oh Lord, why have you come
: ~To Konnyu, with the Lion and the Drum

Very interesting, so if this is true, then the problem would ultimately lie inside the client we're having problems with. They must have just added that BL to their e-mail server within the last day or two.

I just found out that the client we are having trouble contacting is in the midst of transitioning between IT Companies. Seems their old one just wasn't doing the job. Possible the new IT Company has control of their mailserver and has been blocking prodigy for sometime now.
Thanks Guys, RW From MikeE at ster.invalid Thu Jan 5 18:04:26 2006 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jan 5 21:05:02 2006 Subject: [SpamCop-List] Re: Refused e-mails? References: <1dqy3s03kih41$.dlg@pacbell.net> Message-ID: Robert Williams wrote: > Very interesting, so if this is true, then the problem would > ultimately lie inside the client we're having problems with. Often these kinds of problems are 'multifocal'. For example, this topic started because of a prodigy server being sorbs listed -- but sorbs listings are, errrmmm, problematic -- so that wasn't really a very good 'false positive' spamblock, and the other listings for that server at that moment were 'unimportant' blocklists - ie not really a good reason to block. But, like so many other issues, the block opened up a look at the 'condition' of the prodigy output servers, which are a mess, considering the multiple spamcop blocklistings and the percentage of the time they've been listed. That is *not* a healthy thing for your mail to be going out. > They > must have just added that BL to their e-mail server within the last > day or two. The sorbs listing that started the issue here isn't a great way to reject mail, all by itself. > I just found out that the client we are having trouble > contacting is in the midst of transitioning between IT Companies. > Seems their old one just wasn't doing the job. Possible the new IT > Company has control of their mailserver and has been blocking prodigy > for sometime now. Even so, or whatever, your prodigy output server condition is problematic. The gmail you sent me came out of the prodigy output server 207.115.57.43 which server is listed similarly to the first one we talked about here, that was a similar IP at .46 instead of .43, and it is also listed in sorbs spam, and the same 4 other 'minor' lists about backscatter and such. 
This prodigy condition isn't going to go away whatever might be happening with the client whose provider's spamblocking brought it to light in the first place. The spamcop listings I talked about earlier may end up causing you more problems than the sorbs and other 'minor' listings - which in and of themselves aren't popular blocklists, whereas SpamCop is more popular than that. You just haven't hit that situation yet. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Thu Jan 5 18:17:49 2006 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jan 5 21:20:03 2006 Subject: [SpamCop-List] Re: Refused e-mails? References: Message-ID: Robert Williams wrote: > Check your gmail Mike. Gotit. -- Mike Easter kibitzer, not SC admin From RobertW at danjonengineering.com Thu Jan 5 18:25:48 2006 From: RobertW at danjonengineering.com (Robert Williams) Date: Thu Jan 5 21:30:03 2006 Subject: [SpamCop-List] RW: Refused e-mails? References: <1dqy3s03kih41$.dlg@pacbell.net> Message-ID: Looking through my archived e-mails, I noticed that I don't have a single SpamCop response from any of the aforementioned ISPs (SBC, PacBell, AT&T, or Prodigy). I know that doesn't really mean much, because I can't say for sure that I ever reported any of those ISPs, but it does make one curious. Does anyone know if any of those ISPs even respond to SC? RW "Mike Easter" wrote in message news:dpkj76$e9d$1@news.spamcop.net... : Robert Williams wrote: : : > Very interesting, so if this is true, then the problem would : > ultimately lie inside the client we're having problems with. : : Often these kinds of problems are 'multifocal'. For example, this topic : started because of a prodigy server being sorbs listed -- but sorbs : listings are, errrmmm, problematic -- so that wasn't really a very good : 'false positive' spamblock, and the other listings for that server at : that moment were 'unimportant' blocklists - ie not really a good reason : to block. 
: : But, like so many other issues, the block opened up a look at the : 'condition' of the prodigy output servers, which are a mess, considering : the multiple spamcop blocklistings and the percentage of the time : they've been listed. That is *not* a healthy thing for your mail to be : going out. : : > They : > must have just added that BL to their e-mail server within the last : > day or two. : : The sorbs listing that started the issue here isn't a great way to : reject mail, all by itself. : : > I just found out that the client we are having trouble : > contacting is in the midst of transitioning between IT Companies. : > Seems their old one just wasn't doing the job. Possible the new IT : > Company has control of their mailserver and has been blocking prodigy : > for sometime now. : : Even so, or whatever, your prodigy output server condition is : problematic. : : The gmail you sent me came out of the prodigy output server : 207.115.57.43 which server is listed similarly to the first one we : talked about here, that was a similar IP at .46 instead of .43, and it : is also listed in sorbs spam, and the same 4 other 'minor' lists about : backscatter and such. : : This prodigy condition isn't going to go away whatever might be : happening with the client whose provider's spamblocking brought it to : light in the first place. : : The spamcop listings I talked about earlier may end up causing you more : problems than the sorbs and other 'minor' listings - which in and of : themselves aren't popular blocklists, whereas SpamCop is more popular : than that. You just haven't hit that situation yet. : : : -- : Mike Easter : kibitzer, not SC admin : : : From redford_stone at INVERSE_OF_COLDmail.com Fri Jan 6 05:14:37 2006 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Fri Jan 6 00:15:05 2006 Subject: [SpamCop-List] Re: UK Spam Win References: Message-ID: "Porpoise" wrote in news:dpkeom$bqf$1 @news.spamcop.net: > About time too! 
> > http://www.theregister.co.uk/2005/12/29/uk_spam_win/ > > > Now if the US could get something similar together. There is one particular adult site I'd like to put over a fire. From g.hyde at bigpond.net.au Fri Jan 6 16:37:34 2006 From: g.hyde at bigpond.net.au (Geoffrey Hyde) Date: Fri Jan 6 01:40:04 2006 Subject: [SpamCop-List] Re: UK Spam Win References: Message-ID: "Redstone" wrote in message news:Xns9742D8202217Etinlc@216.154.195.61... > "Porpoise" wrote in news:dpkeom$bqf$1 > @news.spamcop.net: > >> About time too! >> >> http://www.theregister.co.uk/2005/12/29/uk_spam_win/ >> >> >> > > Now if the US could get something similar together. There is one > particular > adult site I'd like to put over a fire. Why don't you find a lawyer friend or relative who knows a bit about law and see what they can put together under current US laws?? Maybe they could bring a hefty class-action lawsuit to bear on the spammers burden. If this could be done in the US, I'm pretty sure it would mean the end of the corporations being the only ones able to sue spammers. If suing spammers becomes more commonplace, it could drive them out of business, or at least to domains outside of the countries with laws against their spam. And if things go right, this will mean an increase in spams from foreign countries, which will put more pressure on them - or the backbones which serve them - to block this spam for us, meaning less spam - eventually. Lastly, why would any spam-friendly ISP want to support spammers who keep costing them time, network bandwidth, and listwashing maintenance hassles when for the equivalent of UKP300 or thereabouts, they could give them the flick, instead? Cheers ... Geoffrey Hyde From crappy.trappy at ntlworld.com Fri Jan 6 08:48:25 2006 From: crappy.trappy at ntlworld.com (Tim) Date: Fri Jan 6 03:50:03 2006 Subject: [SpamCop-List] Re: UK Spam Win In-Reply-To: References: Message-ID: Porpoise wrote: > About time too! 
>
> http://www.theregister.co.uk/2005/12/29/uk_spam_win/
>
>

Already posted by me on 30/12/2005 @ 18:11 GMT.

Title is [MEDIA] Claim back £300 per spam

Everyone ignored it.

From DougThegarden at invalid.com Fri Jan 6 09:04:32 2006
From: DougThegarden at invalid.com (Doug Thegarden)
Date: Fri Jan 6 04:05:03 2006
Subject: [SpamCop-List] Re: UK Spam Win
In-Reply-To:
References:
Message-ID:

Porpoise wrote:
> About time too!
>
> http://www.theregister.co.uk/2005/12/29/uk_spam_win/
>
>

Now if we could just get the price up to the $11Bn awarded recently in Florida that would be worth going for ;-)

Doug

From nobody at xyzzy.claranet.de Fri Jan 6 10:12:32 2006
From: nobody at xyzzy.claranet.de (Frank Ellermann)
Date: Fri Jan 6 04:15:03 2006
Subject: [SpamCop-List] Re: RIPE lookup bug (?)
References: <439698EC.2241@xyzzy.claranet.de>
Message-ID: <43BE3480.44C@xyzzy.claranet.de>

The same problem as reported 2005-12-07:

> | inetnum: 193.238.120.0 - 193.238.123.255
> | netname: POLIVEKTOR-JSC
> | descr: Polivektor JSC network
> | country: RU
> | org: ORG-POLI1-RIPE
> | admin-c: POLI2-RIPE
> | tech-c: POLI2-RIPE
> [...]
> | organisation: ORG-POLI1-RIPE
> | org-name: Polivektor JSC
> | org-type: NON-REGISTRY
> | address: kalanchevskaya st. 4, Moscow Russia, 194568
> | e-mail: admin@polivektor.com
> [...]
> | person: Polivektor Techical
> | address: 194568, Kalanchevkaya st. 4, Moscow Russia
> | phone: +7 (095) 780-22-87
> | nic-hdl: POLI2-RIPE
> [...]

> No mail address for tech-c / admin-c, but there is an address
> for the organization. It's also the only item on the left
> side with an "@" in the filtered RIPE output.

> SC ignores this and tries "Lookup poli2-ripe@whois.ripe.net".

> That's wrong, it got handle POLI2-RIPE already for its first
> query. Asking again won't change the fact that there's no
> mail address in this object.

Fresh tracker:
http://www.spamcop.net/sc?id=z852922567z7952c8f447b10d6373d658510dc76560z

It's about a spamvertized URL, otherwise I'd simply post an O/R in spamcop routing, or should I do that anyway ?

Bye, Frank

From nobody at xyzzy.claranet.de Fri Jan 6 10:35:53 2006
From: nobody at xyzzy.claranet.de (Frank Ellermann)
Date: Fri Jan 6 04:40:03 2006
Subject: [SpamCop-List] Re: vCard
References: <43B59989.521B56A8@Spamcop.net.dev.null> <43B6E2FB.8BD1A59C@Spamcop.net.dev.null> <43B6F561.7FAC@xyzzy.claranet.de> <43B6FCF0.8E6902E6@Spamcop.net.dev.null> <43B84655.E8A46AEC@Spamcop.net.dev.null> <43B86848.601B@xyzzy.claranet.de> <43BB0D5C.9811DD45@SpamCop.devnull.diespammerdie.net>
Message-ID: <43BE39F9.5C03@xyzzy.claranet.de>

Michael Brennan wrote:

> evaluating Mozilla FF, might try the "style sheets"
> elimination, which I opted for when configuring FF,
> on a "oh, why not?" basis.

Just to be sure, when I proposed that it was for your Netscape 4.x, not for FF.

Bye, Frank

From MikeE at ster.invalid Fri Jan 6 01:42:15 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Jan 6 04:45:40 2006
Subject: [SpamCop-List] Re: RIPE lookup bug (?)
References: <439698EC.2241@xyzzy.claranet.de> <43BE3480.44C@xyzzy.claranet.de>
Message-ID:

Frank Ellermann wrote:
> The same problem as reported 2005-12-07:
>
>>> inetnum: 193.238.120.0 - 193.238.123.255
>>> netname: POLIVEKTOR-JSC
>>> admin-c: POLI2-RIPE
>>> tech-c: POLI2-RIPE
>>> e-mail: admin@polivektor.com
>>> nic-hdl: POLI2-RIPE
>> No mail address for tech-c / admin-c, but there is an address
>> for the organization. It's also the only item on the left
>> side with an "@" in the filtered RIPE output.
>
>> SC ignores this and tries "Lookup poli2-ripe@whois.ripe.net".
>
>> That's wrong, it got handle POLI2-RIPE already for its first
>> query. Asking again won't change the fact that there's no
>> mail address in this object.
>
> Fresh tracker:
> http://www.spamcop.net/sc?id=z852922567z7952c8f447b10d6373d658510dc76560z
>
> It's about a spamvertized URL, otherwise I'd simply post an O/R
> in spamcop routing, or should I do that anyway ?

I think so. Even tho' this is about 193.238.120.7 which is spamhaused, Ellen may want to do routing for the /22 for AS34835

route: 193.238.120.0/22
descr: Polivektor JSC
origin: AS34835
mnt-by: POLIVEKTOR-MNT
source: RIPE # Filtered

because I don't think fixing the algorithm to take care of this is going to happen real quick. It would have to ignore some empty lines or one empty line, and I /think/ that would cause troubles in other situations, but I'm not sure.

Spamhaus is working v e r r r y s l o w w w l y right now, so I don't know how the listing is.

--
Mike Easter
kibitzer, not SC admin

From nobody at xyzzy.claranet.de Fri Jan 6 11:00:04 2006
From: nobody at xyzzy.claranet.de (Frank Ellermann)
Date: Fri Jan 6 05:05:39 2006
Subject: [SpamCop-List] O/R 193.238.120/22 => admin@polivektor.com (was: RIPE lookup bug (?))
References: <439698EC.2241@xyzzy.claranet.de> <43BE3480.44C@xyzzy.claranet.de>
Message-ID: <43BE3FA4.152B@xyzzy.claranet.de>

Mike Easter wrote:
> Frank Ellermann wrote:

>> The same problem as reported 2005-12-07:
>>>> inetnum: 193.238.120.0 - 193.238.123.255
> >>> netname: POLIVEKTOR-JSC
[...]
>>>> e-mail: admin@polivektor.com
[...]
> http://www.spamcop.net/sc?id=z852922567z7952c8f447b10d6373d658510dc76560z

>> It's about a spamvertized URL, otherwise I'd simply post an O/R
>> in spamcop routing, or should I do that anyway ?

> I think so. Even tho' this is about 193.238.120.7 which is
> spamhaused, Ellen may want to do routing for the /22 for
> AS34835

> route: 193.238.120.0/22
> descr: Polivektor JSC
> origin: AS34835
> mnt-by: POLIVEKTOR-MNT
> source: RIPE # Filtered

> because I don't think fixing the algorithm to take care of
> this is going to happen real quick. It would have to ignore
> some empty lines or one empty line, and I /think/ that would
> cause troubles in other situations, but I'm not sure.

It could just pick the first line "e-mail: x@y" in its first answer if there's no "e-mail" at all in the second answer.

Or better: It could stop to send a second query for the Admin-C + Tech-C handle, because it already got that in the first answer. The second query wastes time on both sides (SC and RIPE).

An O/R for spamhaused IPs is probably pointless, isn't it ? I try it anyway (X-post + fup2 spamcop.routing proposed).

Thanks and bye, Frank

From nobody at devnull.spamcop.net Fri Jan 6 06:46:03 2006
From: nobody at devnull.spamcop.net (Miss Betsy)
Date: Fri Jan 6 06:45:03 2006
Subject: [SpamCop-List] Re: Refused e-mails?
References: <1dqy3s03kih41$.dlg@pacbell.net>
Message-ID:

"Robert Williams" wrote in message news:dpkkf8$f1t$1@news.spamcop.net...
> Looking through my archived e-mails, I noticed that I don't have a single
> SpamCop response from any of the aforementioned ISPs (SBC, PacBell, AT&T, or
> Prodigy). I know that doesn't really mean much, because I can't say for
> sure that I ever reported any of those ISPs, but it does make one curious.
>
> Does anyone know if any of those ISPs even respond to SC?

I know that if I reported manually to ATT, then I got an auto response. If I chose to receive all responses in spamcop, I never received an auto response from ATT. That's been a while since I tried that experiment so things might have changed. But it makes sense that they turn off auto responses for spamcop reports since most reporters choose not to get autoresponses.

Miss Betsy
an almost new internet user

From nobody at spamcop.net Fri Jan 6 08:24:06 2006
From: nobody at spamcop.net (Ellen)
Date: Fri Jan 6 08:45:03 2006
Subject: [SpamCop-List] Re: RIPE lookup bug (?)
References: <439698EC.2241@xyzzy.claranet.de> <43BE3480.44C@xyzzy.claranet.de>
Message-ID:

"Mike Easter" wrote in message news:dple1i$s43$1@news.spamcop.net...
>
> I think so. Even tho' this is about 193.238.120.7 which is spamhaused,
> Ellen may want to do routing for the /22 for AS34835
>
> route: 193.238.120.0/22
> descr: Polivektor JSC
> origin: AS34835
> mnt-by: POLIVEKTOR-MNT
> source: RIPE # Filtered
>
> because I don't think fixing the algorithm to take care of this is going
> to happen real quick. It would have to ignore some empty lines or one
> empty line, and I /think/ that would cause troubles in other situations,
> but I'm not sure.
>

Right now I think I will leave it just as it is. It's a ROKSO spammer:

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL34935

I think I will make the routing more explicit on that point and if/when I have time I will poke around and see if I can find someplace other than devnull. Thanks

Ellen
SpamCop

From porpoise1954 at yahoo.co.uk Fri Jan 6 13:53:17 2006
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Fri Jan 6 08:55:03 2006
Subject: [SpamCop-List] Re: UK Spam Win
References:
Message-ID:

"Tim" wrote in message news:dplask$q03$1@news.spamcop.net...
> Porpoise wrote:
>> About time too!
>>
>> http://www.theregister.co.uk/2005/12/29/uk_spam_win/
>
> Already posted by me on 30/12/2005 @ 18:11 GMT.
>
> Title is [MEDIA] Claim back £300 per spam

Must have missed it!

Perhaps people-power *can* work in the long term.

Now, if we can just get rid of regionalisation/DRM etc.

From mwnospam at comcast.net Fri Jan 6 09:13:34 2006
From: mwnospam at comcast.net (spamacyde)
Date: Fri Jan 6 09:15:02 2006
Subject: [SpamCop-List] Re: UK Spam Win
References:
Message-ID:

"Porpoise" wrote in message news:dpkeom$bqf$1@news.spamcop.net...
> About time too!
>
> http://www.theregister.co.uk/2005/12/29/uk_spam_win/
>
>

Well,

Does the Florida man have 11 billion? Did he earn that from spamming?)

From MikeE at ster.invalid Fri Jan 6 07:41:48 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Jan 6 10:45:02 2006
Subject: [SpamCop-List] Re: RIPE lookup bug (?)
References: <439698EC.2241@xyzzy.claranet.de> <43BE3480.44C@xyzzy.claranet.de>
Message-ID:

Ellen wrote:
> "Mike Easter"

>> Even tho' this is about 193.238.120.7 which is
>> spamhaused, Ellen may want to do routing for the /22 for AS34835

> Right now I think I will leave it just as it is. It's a ROKSO spammer:
>
> http://www.spamhaus.org/sbl/sbl.lasso?query=SBL34935

Earlier I couldn't see how bad the spamhausing was because spamhaus's db wasn't coming up. Now I can see that the sbl is for the whole /22 for the rokso Leo Kuvayev

> I think I will make the routing more explicit on that point and
> if/when I have time I will poke around and see if I can find
> someplace other than devnull. Thanks

Potaroo sez unnet is up, whoever that is

34835 POLIVEKTOR Polivektor JSC
Adjacency: 1 Upstream: 1 Downstream: 0
Upstream Adjacent AS list
AS31323 UNNET-AS United Networks Ltd. AS

AS31323
remarks: Points of contact for UNNET Network Operations
remarks: -------------------------------------------------------- --
remarks: Routing and peering issues: ncc@unnet.ru
remarks: SPAM and Network security issues: abuse@unnet.ru
remarks: Customer support: support@unnet.ru
remarks: General information: info@unnet.ru

No abuse.net reg'd

--
Mike Easter
kibitzer, not SC admin

From DougThegarden at invalid.com Fri Jan 6 16:57:49 2006
From: DougThegarden at invalid.com (Doug Thegarden)
Date: Fri Jan 6 12:00:02 2006
Subject: [SpamCop-List] Re: UK Spam Win
In-Reply-To:
References:
Message-ID:

spamacyde wrote:
> "Porpoise" wrote in message
> news:dpkeom$bqf$1@news.spamcop.net...
>> About time too!
>>
>> http://www.theregister.co.uk/2005/12/29/uk_spam_win/
>>
>>
> Well,
>
> Does the Florida man have 11 billion? Did he earn that from spamming?)
>
>

Probably not but I'll rather have all he has up to $11Bn than all he has up to £300 (purely because he'd have less left to restart spamming you understand, honest)

Doug

From ycbs at blackhole.invalid Fri Jan 6 10:25:11 2006
From: ycbs at blackhole.invalid (NormanM)
Date: Fri Jan 6 13:30:03 2006
Subject: [SpamCop-List] Re: RW: Refused e-mails?
References: <1dqy3s03kih41$.dlg@pacbell.net>
Message-ID:

On Thu, 5 Jan 2006 18:25:48 -0800, Robert Williams wrote:

> Looking through my archived e-mails, I noticed that I don't have a single
> SpamCop response from any of the aforementioned ISPs (SBC, PacBell, AT&T, or
> Prodigy). I know that doesn't really mean much, because I can't say for
> sure that I ever reported any of those ISPs, but it does make one curious.
>
> Does anyone know if any of those ISPs even respond to SC?

"They" are now one...

http://www.sbc.com/gen/general?pid=7582

SBC is just that, "SBC". It is not an acronym. It was an invention to reflect the unity of the new company formed when Southwestern Bell Telephone, the smallest of the post AT&T break-up RBOCs, went on a buying spree. The acquisitions included Ameritech, an umbrella for a number of Midwestern state Bells (all using the "ameritech.net" domain), Pacific Telesis, an umbrella for two far western state Bells (using "pacbell.net" and "nvbell.net", respectively), an independent telephone company, Southern New England Telephone (using the "snet.net" domain; may have been a Bell franchise, but was never part of AT&T), and an ISP, Prodigy, which had, itself, absorbed a couple of smaller ISPs (using the "flash.net", "wans.net", and "prodigy.net" domains).

The new entity, SBC, created a new domain to be used for new customers: "sbcglobal.net". The former Southwestern Bell Telephone no longer issues "swbell.net" to new customers.

Since at least 2002, when the telephone bill here changed from Pacific Bell to SBC, SBC has been "The ISP".
According to the link posted above, the new ISP will be called, "AT&T Yahoo! HSI". One other item of interest: http://www.google.com/search?q=prodigy+for+sale I am not clear on the details; apparently, AT&T wants to sell the Prodigy brand, while retaining it for North American use; if that makes sense. -- Norman ~Oh Lord, why have you come ~To Konnyu, with the Lion and the Drum From kenbrody at spamcop.net Fri Jan 6 13:41:42 2006 From: kenbrody at spamcop.net (Kenneth Brody) Date: Fri Jan 6 13:45:04 2006 Subject: [SpamCop-List] Re: Media: Iowa ISP Gets $11B In E-mail Spam Case References: Message-ID: <43BEB9E6.BC83537E@spamcop.net> "Ron B." wrote: > > Iowa ISP Gets $11B In E-mail Spam Case > > > DES MOINES, Iowa -- An Iowa Internet service provider has been awarded > $11 billion in a judgment against a Florida man who sent millions of > unsolicited e-mail messages. Let's see if they ever collect a dime. > The e-mail advertised mortgage and debt consolidation services. > > In addition to paying Clinton-based CIS Internet Services, the Florida > man has been barred from accessing the Internet for three years. I'm curious how this is to be enforced, and what penalties would be imposed if he gets caught. > Copyright 2006 by KCCI.com. All rights reserved. This material may not > be published, broadcast, rewritten or redistributed. > > http://www.kcci.com/technology/5864633/detail.html?rss=des&psp=news -- +-------------------------+--------------------+-----------------------------+ | Kenneth J. 
Brody | www.hvcomputer.com | | | kenbrody/at\spamcop.net | www.fptech.com | #include | +-------------------------+--------------------+-----------------------------+ Don't e-mail me at: From devnull at spamcop.net Fri Jan 6 14:03:50 2006 From: devnull at spamcop.net (Frog Prince) Date: Fri Jan 6 14:15:02 2006 Subject: [SpamCop-List] Re: Media: Iowa ISP Gets $11B In E-mail Spam Case References: <43BEB9E6.BC83537E@spamcop.net> Message-ID: "Kenneth Brody" | > | > In addition to paying Clinton-based CIS Internet Services, the Florida | > man has been barred from accessing the Internet for three years. | | I'm curious how this is to be enforced, and what penalties would be | imposed if he gets caught. | It's called contempt of court and depending on the judge the penalties can be dyconeion (spl?) From bill_beyer at excite.cXoYmZ Fri Jan 6 11:23:31 2006 From: bill_beyer at excite.cXoYmZ (Bill Beyer) Date: Fri Jan 6 14:25:04 2006 Subject: [SpamCop-List] Re: Media: Iowa ISP Gets $11B In E-mail Spam Case References: <43BEB9E6.BC83537E@spamcop.net> Message-ID: "Frog Prince" wrote in message news:dpmfau$fh1$1@news.spamcop.net... > > "Kenneth Brody" > | > > | > In addition to paying Clinton-based CIS Internet Services, the Florida > | > man has been barred from accessing the Internet for three years. > | > | I'm curious how this is to be enforced, and what penalties would be > | imposed if he gets caught. > | > > It's called contempt of court and depending on the judge the penalties can > be dyconeion (spl?) I believe you meant "draconian". Since the ISP has obtained a judgement against the spammer a lien can be placed against all of the spammers business and quite possibly personal assets. In addition wages can be garnished and bank accounts frozen, assets can be seized as well. 
From porpoise1954 at yahoo.co.uk Fri Jan 6 19:22:48 2006 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Fri Jan 6 14:25:10 2006 Subject: [SpamCop-List] Re: Media: Iowa ISP Gets $11B In E-mail Spam Case References: <43BEB9E6.BC83537E@spamcop.net> Message-ID: "Frog Prince" wrote in message news:dpmfau$fh1$1@news.spamcop.net... > > "Kenneth Brody" > | > > | > In addition to paying Clinton-based CIS Internet Services, the Florida > | > man has been barred from accessing the Internet for three years. > | > | I'm curious how this is to be enforced, and what penalties would be > | imposed if he gets caught. > | > > It's called contempt of court and depending on the judge the penalties can > be dyconeion (spl?) draconian From bill_beyer at excite.cXoYmZ Fri Jan 6 13:42:04 2006 From: bill_beyer at excite.cXoYmZ (Bill Beyer) Date: Fri Jan 6 16:40:04 2006 Subject: [SpamCop-List] New obfucation method or unusually stupid spammer? Message-ID: Tracking link: http://www.spamcop.net/sc?id=z853454841z4460eb3b09feb6f76599fcce0cd24d94z I've gotten over a dozen of these little gems over the past few weeks with the href="%Ed_shmid% link. Of course it doesn't parse, is it some sort of script reference or just an inordinately incompetent spammer? From RobertW at danjonengineering.com Fri Jan 6 13:45:00 2006 From: RobertW at danjonengineering.com (Robert Williams) Date: Fri Jan 6 16:45:03 2006 Subject: [SpamCop-List] RW: Refused e-mails? References: <1dqy3s03kih41$.dlg@pacbell.net> Message-ID: When I was having all these issues the other day, 2 or 3 of the support levels couldn't help, so they forwarded it up the chain to the Network Operations Department at SBC. I actually had to wait for them to call me. But, in talking to the guy there I got a little information out of him. According to him, the Prodigy.net mailservers are legacy servers for the clients with older systems. Unfortunately, us clients with the newer, up to date, systems are also subject to using the legacy servers. 
SBC does have a plan to phase out the Prodigy.net mailservers, but the guy couldn't give me a definitive date. RW "NormanM" wrote in message news:tjkddruohiud$.dlg@pacbell.net... : On Thu, 5 Jan 2006 18:25:48 -0800, Robert Williams wrote: : : > Looking through my archived e-mails, I noticed that I don't have a single : > SpamCop response from any of the aforementioned ISPs (SBC, PacBell, AT&T, or : > Prodigy). I know that doesn't really mean much, because I can't say for : > sure that I ever reported any of those ISPs, but it does make one curious. : > : > Does anyone know if any of those ISPs even respond to SC? : : "They" are now one... : : http://www.sbc.com/gen/general?pid=7582 : : SBC is just that, "SBC". It is not an acronym. It was an invention to : reflect the unity of the new company formed when Southwestern Bell : Telephone, the smallest of the post AT&T break-up RBOCs, went on a buying : spree. The acquisitions included Ameritech, an umbrella for a number of : Midwestern state Bells (all using the "ameritech.net" domain), Pacific : Telesis, an umbrella for two far western state Bells (using "pacbell.net" : and "nvbell.net", respectively), an independent telephone company, Southern : New England Telephone (using the "snet.net" domain; may have been a Bell : franchise, but was never part of AT&T), and an ISP, Prodigy, which had, : itself, absorbed a couple of smaller ISPs (using the "flash.net", : "wans.net", and "prodigy.net" domains). : : The new entity, SBC, created a new domain to be used for new customers: : "sbcglobal.net". The former Southwestern Bell Telephone no longer issues : "swbell.net" to new customers. : : Since at least 2002, when the telephone bill here changed from Pacific Bell : to SBC, SBC has been "The ISP". According to the link posted above, the new : ISP will be called, "AT&T Yahoo! HSI". 
: : One other item of interest: : : http://www.google.com/search?q=prodigy+for+sale : : I am not clear on the details; apparently, AT&T wants to sell the Prodigy : brand, while retaining it for North American use; if that makes sense. : : -- : Norman : ~Oh Lord, why have you come : ~To Konnyu, with the Lion and the Drum From jeffg at spamcop.net Fri Jan 6 17:06:14 2006 From: jeffg at spamcop.net (Jeff G.) Date: Fri Jan 6 17:10:03 2006 Subject: [SpamCop-List] Re: Thunderbird OK with Headers References: Message-ID: "jg" wrote in message news:dp7eoq$4tp$2@news.spamcop.net... > I forward to all sorts of addys as well as reporting to SC and > get replies, rarely a carbon based lifeform, tho... If you do that all in one email message per spam, please make sure that your Confidential Submit Address remains confidential by putting it in the BCC field. Thanks and Best Regards, Jeff G. http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585 From info-nospam at nhrivers.org Fri Jan 6 17:18:59 2006 From: info-nospam at nhrivers.org (chp) Date: Fri Jan 6 17:20:03 2006 Subject: [SpamCop-List] Blacklisted with questions Message-ID: Not sure if this is the place to ask this but... I'm a home/home office user on a cable connection and my IP address has become listed on Spamcop and a few others. I run no internet services and have a pretty locked-down firewall. (Until today I had an open wireless system that SHOULD have been safe due to weak router signals, long distances between residences, etc. but I found some odd activity so it's now WEP encrypted 128-bit). Also, I've run virus checks, spyware checks, etc. with nothing found (primary computer on this network is a Mac running OS 10.3.9, other is an XP laptop). The reason this is a problem is that this is a home connection that I often use for work through which I have a dialup ISP account. 
I used to be able to send email to my work email mail server directly from my connection, allowing me to use my work laptop and email account from home. But since my IP address (dynamically assigned but it has been the same for a long time) is blacklisted and my ISP uses Spamcop and others to block spam, I can no longer do this.

So now I can't send work email from my cable connection, and instead have to do it through my dialup - which is also my phone line. That's not really workable for me.

What might have been the cause of this listing and how can I get de-listed and prevent it from happening again (aside from what I've already done)?

Thanks

From PossumTrot at dont.spam.me Fri Jan 6 14:48:32 2006
From: PossumTrot at dont.spam.me (Possum Trot)
Date: Fri Jan 6 17:50:02 2006
Subject: [SpamCop-List] US Spam laws (was Re: UK Spam Win)
References:
Message-ID:

"Redstone" wrote in message news:Xns9742D8202217Etinlc@216.154.195.61...
> "Porpoise" wrote in news:dpkeom$bqf$1
> @news.spamcop.net:
>> About time too!
>> http://www.theregister.co.uk/2005/12/29/uk_spam_win/
>>
> Now if the US could get something similar together. There is one
> particular
> adult site I'd like to put over a fire.
>

Red,

If you live in Washington State or California there are already legal precedents. I know of a young man in the Seattle area who has successfully sued several individuals in Small Claims Court (or possibly state District Court) and has collected from some of them. The Washington statute is RCW 19-190. Several of the defendants were from other states.

Here's a December, 2005 judgement in Federal Court in the Eastern District of Washington (Spokane). http://www.internetcases.com/archives/spam/. The gist of this decision is that advertizing is a business so advertizing in the state of Washington by whatever means, including spam, makes you subject to laws of the state of Washington.

From PossumTrot at dont.spam.me Fri Jan 6 14:54:56 2006 From: PossumTrot at dont.spam.me (Possum Trot) Date: Fri Jan 6 18:00:03 2006 Subject: [SpamCop-List] Spam filters and storage limits okay under First Amendment Message-ID: This from a July, 2005 decision in Federal Court in the Southern District of Texas. http://www.internetcases.com/archives/2005/07/spam_filters_an_1.html From vanguard.code at comcastNIX.net Fri Jan 6 16:59:48 2006 From: vanguard.code at comcastNIX.net (Vanguard) Date: Fri Jan 6 18:00:09 2006 Subject: [SpamCop-List] Re: Blacklisted with questions References: Message-ID: "chp" wrote in message news:dpmqch$lbr$1@news.spamcop.net... > Not sure if this is the place to ask this but... > > I'm a home/home office user on a cable connection and my IP address has > become listed on Spamcop and a few others. I run no internet services and > have a pretty locked-down firewall. (Until today I had an open wireless > system that SHOULD have been safe due to weak router signals, long > distances between residences, etc. but I found some odd activity so it's > now WEP encrypted 128-bit). Also, I've run virus checks, spyware checks, > etc. with nothing found (primary computer on this network is a Mac running > OS 10.3.9, other is an XP laptop). > > The reason this is a problem is that this is a home connection that I > often use for work through which I have a dialup ISP account. I used to > be able to send email to my work email mail server directly from my > connection, allowing me to use my work laptop and email account from home. > But since my IP address (dynamically assigned but it has been the same for > a long time) is blacklisted and my ISP uses Spamcop and others to block > spam, I can no longer do this. > > So now I can't send work email from my cable connection, and instead have > to do it through my dialup - which is also my phone line. That's not > really workable for me. 
>
> What might have been the cause of this listing and how can I get de-listed
> and prevent it from happening again (aside from what I've already done)?
>
> Thanks

You better do some serious checking of your computer(s). Your IP name of c-24-62-250-158.hsd1.nh.comcast.net resolves to an IP address of 24.62.250.158. A check for how much traffic has been recorded for your IP address at http://www.senderbase.org/search?searchString=24.62.250.158 shows a LOT of e-mail traffic coming out from your host. It has been high for the last 30 days, maybe longer. There has been a lot of e-mail coming out of that IP address.

Did you recently get your IP address released? Since your IP address is dynamic, you might've gotten stuck with a new leased IP address that was previously being used to spew spam. With cable broadband, the IP address lease will still expire (run "ipconfig /all") but usually you get the same IP address on the renewal. However, eventually you get a new one from the IP pool managed by the DHCP server. If you weren't the one doing the spamming then maybe you just got your IP address changed.

This happened to me when my IP changed after several months. The new IP address had already been blacklisted by SORBS for over 4 months (SORBS is quick to add spam sources but extremely slow in removing them, so their list is often out of date). I had to contact SORBS and they manually updated their blacklist so my new IP address was no longer listed. The old IP address that I got as my new one had been removed from other blacklists so long before the problem happened that there were no records of it being blacklisted. Only because SORBS is so slow is why I was still on their blacklist. I only noticed it because I was sending my test mails (forget what I was testing) but they were getting tagged as spam because I was using the SORBS blacklist in SpamPal.
I then realized that my IP address had just changed: on the last lease expiration, I didn't get my old IP address in the lease renewal. After finding out how slow is SORBS (4 month update intervals), I don't bother using that blacklist anymore. It wasn't because they blacklisted me since I understand how dynamic IP addresses can change and you get stuck with one that some other idiot used that was infected. It was after discussing with them how they automatically add IP address but only perform manual purges every 3 to 4 months. Quick to list, quick to become outdated. Your current IP address (which might be a new one for you) is listed as having spewed out a ton of e-mails which makes it likely due to the volume that it was used for spamming. Your current IP address is also listed as a spam source by several blacklists. You are screwed for awhile until those blacklists get updated after whatever expiration interval they use to remove items from their blacklist. You could try contacting each but many do not provide any means for contact; i.e., they generate a blacklist but refuse to be responsible for them. SPEWS is a very bad vigilante blacklist but then using them to identify spam mails is not how they should be used since they really rate the spamminess of e-mail providers and aren't really for identifying spammers in particular. No matter where you run to hide from the SPEWS blacklist, eventually they will blacklist you even if you don't have an Internet connection at all. You need to know how a blacklist is updated, maintained, and its focus to know if you want to use it but unfortunately many hide the specifics of their blacklist. Could be your lack of securing your WiFi setup the moment you set it up meant someone misused your connection to spam. If you were interested in catching the bastard, you might unsecure it again to monitor when they attempt to misuse your connection again. 
Of course, and just like you, another neighbor probably didn't bother securing their WiFi setup, either. Could be you just got a different IP address so the old one (which is new to you) was being used to spam either deliberately or from some boob that doesn't bother securing their computers. For SpamCop, any blacklisting of your IP address should expire so you don't get blocked anymore by anyone who CHOOSES to use that blacklist. Remember that SpamCop cannot block you. Only the user that chooses to delegate spam filtering to someone else decided to block you. I just checked and your IP address is no longer in SpamCop's blacklist. Although the record already expired at SpamCop, you still have several other blacklists that will result in blocking your mails *if* someone chooses to use those blacklists. CBL's record (http://cbl.abuseat.org/lookup.cgi?ip=24.62.250.158) says the [last] detection was 3 days ago. I don't know how they take to expire their records after the last detection. I bet you thought that spam was someone else's problem to clean up. Unless you get a static IP address, the lease expiration and renewal for dynamic IP addresses means you can end up getting blacklisted because of prior abuse of a new IP address assigned to you - and you may not even have an Internet connection to use for spewing spam (e.g., you connected, got the new "bad" IP address, and immediately disconnect and never reconnect but you are now blacklisted). -- _______________________________________________________ ** Post replies to the newsgroup. Share with others. ** For e-mail, remove "NIX" and append "#VC811" to Subject. 
_______________________________________________________ From vanguard.code at comcastNIX.net Fri Jan 6 17:12:19 2006 From: vanguard.code at comcastNIX.net (Vanguard) Date: Fri Jan 6 18:15:02 2006 Subject: [SpamCop-List] Re: Spam filters and storage limits okay under First Amendment References: Message-ID: "Possum Trot" wrote in message news:dpmsho$mju$1@news.spamcop.net... > This from a July, 2005 decision in Federal Court in the Southern District > of Texas. > > http://www.internetcases.com/archives/2005/07/spam_filters_an_1.html "de Mino complained of the University's practice of shutting down e-mail accounts for adjunct professors during the summer, when they were not under contract to teach. " Yeah, as a contract consultant, I would love to retain use of every resource available at all any any employer where I was once contracted for employment but am no longer there. I could have incredible bandwidth, run proxies all over, and have access to all those computers, too. What stupidity. If you aren't currently employed then you don't get access to an employer's resources. Gee, I should be able to walk into any business where I do NOT work to use whatever I want however I want. Right, uh huh. "He further complained of the inability to transmit e-mail after his account had reached its data storage limit." Gmail might have a 2.5GB disk quota but that is still a limited quota. No e-mail provider can supply infinite storage space simply because there isn't an infinite number of storage media available. What a boob! The asshole can't be bothered to organize his mails and then bitches that it is someone else's fault for his stupidity and laziness. "certain messages he had sent to other faculty had been caught in the system's spam filter" Probably several of the employed teachers didn't want to correspond with him anymore and just added him to their block/blacklists. He obviously wasn't the shiniest gem and the other wanted to disassociate themselves from the dull rock. 
"De Mino contended that he was denied access when he tried to communicate with other faculty regarding University policies." Well, pretty goes for the rest of us regarding some business where we are NOT employed. See, even educated folk are stupid. Be careful to not visit this boob on the day he does hedge trimming; else, he might drop that lawnmower on you. -- _______________________________________________________ ** Post replies to the newsgroup. Share with others. ** For e-mail, remove "NIX" and append "#VC811" to Subject. _______________________________________________________ From ycbs at blackhole.invalid Fri Jan 6 15:17:33 2006 From: ycbs at blackhole.invalid (NormanM) Date: Fri Jan 6 18:20:02 2006 Subject: [SpamCop-List] Re: RW: Refused e-mails? References: <1dqy3s03kih41$.dlg@pacbell.net> Message-ID: <1ovrvkrc524dv.dlg@pacbell.net> On Fri, 6 Jan 2006 13:45:00 -0800, Robert Williams wrote: > When I was having all these issues the other day, 2 or 3 of the support > levels couldn't help, so they forwarded it up the chain to the Network > Operations Department at SBC. I actually had to wait for them to call me. > But, in talking to the guy there I got a little information out of him. > According to him, the Prodigy.net mailservers are legacy servers for the > clients with older systems. Unfortunately, us clients with the newer, up to > date, systems are also subject to using the legacy servers. SBC does have > a plan to phase out the Prodigy.net mailservers, but the guy couldn't give > me a definitive date. In fact, the prodigy.net servers are for customers who have not migrated to AT&T Yahoo! HSI (formerly SBC Yahoo! DSL Service). For POP3 access, non-migrated, legacy customers use servers of the construct: postoffice..net (with the possible exception of legacy Prodigy and legacy Southern New England Telephone customers). That would be the server name entered into the POP3 client; the actual server names end with the prodigy.net domain. 
For SMTP, non-migrated, legacy customers use servers of the construct: mail..net, with the same exception noted as for the POP3 servers. Again, that is the server name entered into the SMTP client; the actual server names end with the prodigy.net domain.

Migrated legacy customers, and new customers can't access the legacy POP3 servers, nor can the non-migrated customers access the new POP3 servers. Migrated, and new, customers can access the legacy SMTP servers, though it is unclear to me whether the non-migrated customers can access the new SMTP servers.

In order to phase out the legacy SMTP/POP3 servers, AT&T will have to either force their non-migrated customers to migrate to AT&T Yahoo! HSI, or provide them with access to some substitute for the legacy servers, as they are phased out. This will amount to a significant dislocation for the non-migrated customers, unless the ratio of migrated/new customers to non-migrated reaches some approximation of 1.0.

Perhaps, now that SBC has merged with, and become, AT&T, they will just replace the prodigy.net servers with att.net servers.

--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum

From info-nospam at nhrivers.org Fri Jan 6 18:22:20 2006
From: info-nospam at nhrivers.org (chp)
Date: Fri Jan 6 18:25:04 2006
Subject: [SpamCop-List] Re: Blacklisted with questions
In-Reply-To:
References:
Message-ID:

Vanguard wrote:
> "chp" wrote in message
> news:dpmqch$lbr$1@news.spamcop.net...
>
>> Not sure if this is the place to ask this but...
>>
>> I'm a home/home office user on a cable connection and my IP address
>> has become listed on Spamcop and a few others. I run no internet
>> services and have a pretty locked-down firewall. (Until today I had an
>> open wireless system that SHOULD have been safe due to weak router
>> signals, long distances between residences, etc. but I found some odd
>> activity so it's now WEP encrypted 128-bit). Also, I've run virus
>> checks, spyware checks, etc.
with nothing found (primary computer on >> this network is a Mac running OS 10.3.9, other is an XP laptop). >> >> The reason this is a problem is that this is a home connection that I >> often use for work through which I have a dialup ISP account. I used >> to be able to send email to my work email mail server directly from my >> connection, allowing me to use my work laptop and email account from >> home. But since my IP address (dynamically assigned but it has been >> the same for a long time) is blacklisted and my ISP uses Spamcop and >> others to block spam, I can no longer do this. >> >> So now I can't send work email from my cable connection, and instead >> have to do it through my dialup - which is also my phone line. That's >> not really workable for me. >> >> What might have been the cause of this listing and how can I get >> de-listed and prevent it from happening again (aside from what I've >> already done)? >> >> Thanks > > > > You better do some serious checking of your computer(s). Your IP name > of c-24-62-250-158.hsd1.nh.comcast.net resolves to an IP address of > 24.62.250.158. A check for how much traffic has been recorded for your > IP address athttp://www.senderbase.org/search?searchString=24.62.250.158 > shows a LOT of e-mail traffic coming out from your host. It has been > high for the last 30 days, maybe longer. There has been a lot of e-mail > coming out of that IP address. > > Did you recently get your IP address released? Since your IP address is > dynamic, you might've gotten stuck with a new leased IP address that was > previously being used to spew spam. With cable broadband, the IP > address lease will still expire (run "ipconfig /all") but usually you > get the same IP address on the renewal. However, eventually you get a > new one from the IP pool managed by the DHCP server. If you weren't the > one doing the spamming then maybe you just got your IP address changed. > > This happened to me when my IP changed after several months. 
The new IP > address had already been blacklisted by SORBS for over 4 months (SORBS > is quick to add spam sources but extremely slow in removing them, so > their list is often out of date). I had to contact SORBS and they > manually updated their blacklist so my new IP address was no longer > listed. The old IP address that I got as my new one had been removed > from other blacklists so long before the problem happened that there > were no records of it being blacklisted. Only because SORBS is so slow > is why I was still on their blacklist. I only noticed it because I was > sending my test mails (forget what I was testing) but they were getting > tagged as spam because I was using the SORBS blacklist in SpamPal. I > then realized that my IP address had just changed: on the last lease > expiration, I didn't get my old IP address in the lease renewal. After > finding out how slow is SORBS (4 month update intervals), I don't bother > using that blacklist anymore. It wasn't because they blacklisted me > since I understand how dynamic IP addresses can change and you get stuck > with one that some other idiot used that was infected. It was after > discussing with them how they automatically add IP address but only > perform manual purges every 3 to 4 months. Quick to list, quick to > become outdated. > > Your current IP address (which might be a new one for you) is listed as > having spewed out a ton of e-mails which makes it likely due to the > volume that it was used for spamming. Your current IP address is also > listed as a spam source by several blacklists. You are screwed for > awhile until those blacklists get updated after whatever expiration > interval they use to remove items from their blacklist. You could try > contacting each but many do not provide any means for contact; i.e., > they generate a blacklist but refuse to be responsible for them. 
SPEWS > is a very bad vigilante blacklist but then using them to identify spam > mails is not how they should be used since they really rate the > spamminess of e-mail providers and aren't really for identifying > spammers in particular. No matter where you run to hide from the SPEWS > blacklist, eventually they will blacklist you even if you don't have an > Internet connection at all. You need to know how a blacklist is > updated, maintained, and its focus to know if you want to use it but > unfortunately many hide the specifics of their blacklist. > > Could be your lack of securing your WiFi setup the moment you set it up > meant someone misused your connection to spam. If you were interested > in catching the bastard, you might unsecure it again to monitor when > they attempt to misuse your connection again. Of course, and just like > you, another neighbor probably didn't bother securing their WiFi setup, > either. Could be you just got a different IP address so the old one > (which is new to you) was being used to spam either deliberately or from > some boob that doesn't bother securing their computers. > > For SpamCop, any blacklisting of your IP address should expire so you > don't get blocked anymore by anyone who CHOOSES to use that blacklist. > Remember that SpamCop cannot block you. Only the user that chooses to > delegate spam filtering to someone else decided to block you. > > I just checked and your IP address is no longer in SpamCop's blacklist. > Although the record already expired at SpamCop, you still have several > other blacklists that will result in blocking your mails *if* someone > chooses to use those blacklists. CBL's record > (http://cbl.abuseat.org/lookup.cgi?ip=24.62.250.158) says the [last] > detection was 3 days ago. I don't know how they take to expire their > records after the last detection. > > I bet you thought that spam was someone else's problem to clean up. 
> Unless you get a static IP address, the lease expiration and renewal for > dynamic IP addresses means you can end up getting blacklisted because of > prior abuse of a new IP address assigned to you - and you may not even > have an Internet connection to use for spewing spam (e.g., you > connected, got the new "bad" IP address, and immediately disconnect and > never reconnect but you are now blacklisted). > Wow, thanks for all of that explanation. I too just found out Spamcop de-listed me, and I was able to send a few emails out. Unfortunately, I must be the dupe who was responsible for the email, b/c I've had the same IP address for a while. I had an unsecured network for a while, but figured it was safe due to specifics of my location. But since the PC shows up clean and the Mac _should_ be clean, I have to assume the wireless was being hijacked. I did see some unknown MAC addresses a few hours ago, but I don't have much for logging of activity aside from packets sent (it's just a D-Link router!). I've closed the wireless and I hope that takes care of it. Probably such luddites as I shouldn't be allowed to put in a wireless home network! ;-) Thanks again, Carl From jeffg at spamcop.net Fri Jan 6 18:38:19 2006 From: jeffg at spamcop.net (Jeff G.) Date: Fri Jan 6 18:50:02 2006 Subject: [SpamCop-List] Re: "brokenlove" sites appear to be hosted and DNS'd by zombies References: Message-ID: "Redstone" wrote in message news:Xns96F9C9E3F3FCCtinlc@216.154.195.61... > I think it will soon become time to bear the heavy guns down on > Teleglobe.. When I lart manually, I generally use OE's "Tools / Request Read Receipt", which produces a "Disposition-Notification-To:" Header Line. The first time I did that while larting abuse[at]teleglobe.net, I got LOTS of receipts from members of that distribution list, for weeks, but not a single reply from a human. -- Best Regards, Jeff G. 
http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585 From blacklist-me at davjam.org Fri Jan 6 23:50:35 2006 From: blacklist-me at davjam.org (David Bolt) Date: Fri Jan 6 19:00:03 2006 Subject: [SpamCop-List] Re: Spamcop claims my address bounces References: Message-ID: On Wed, 4 Jan 2006, Ellen wrote:- >It is possible that the bounce flag was caused by the mailserver issue altho >I suspect not; the mailserver issue was not happening on 12/30. Having happened twice again today[0], I don't think it's anything to do with the mail server problems. It would be interesting to know just what is causing the problem though especially since, in between the two times today that I had to reset the bounce flag, there was a batch of about 50 spams and no attempts to deliver the "ready to report" mails. [0] Fri, 6 Jan 2006 19:36:44 +0000 Fri, 6 Jan 2006 22:51:50 +0000 Regards, And have a Happy New Year David Bolt -- Member of Team Acorn checking nodes at 50 Mnodes/s: http://www.distributed.net/ AMD1800 1Gb WinXP/SUSE 9.3 | AMD2400 256Mb SuSE 9.0 | A3010 4Mb RISCOS 3.11 AMD2400(32) 768Mb SUSE 10.0 | RPC600 129Mb RISCOS 3.6 | Falcon 14Mb TOS 4.02 AMD2600(64) 512Mb SUSE 10.0 | A4000 4Mb RISCOS 3.11 | STE 4Mb TOS 1.62 From vanguard.code at comcastNIX.net Fri Jan 6 18:04:51 2006 From: vanguard.code at comcastNIX.net (Vanguard) Date: Fri Jan 6 19:05:03 2006 Subject: [SpamCop-List] Re: Blacklisted with questions References: Message-ID: "chp" wrote in message news:dpmu39$nt7$1@news.spamcop.net... > > Wow, thanks for all of that explanation. I too just found out Spamcop > de-listed me, and I was able to send a few emails out. SpamCop cannot stop your mails from going out. SpamCop cannot stop your mails from coming in. It's just a list. 
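The receiver-side lookup behind "It's just a list", as an added example that is not part of the original posts: a mail server that chooses to consult a DNS blacklist reverses the sender's IPv4 octets, appends the list's zone, and treats an A record inside 127.0.0.0/8 as "listed". The zone names are used for illustration, `dnsbl.example` is hypothetical, and the DNS answers are constructed to mirror the state the thread reports (expired at SpamCop, still listed at CBL).

```python
"""Receiver-side DNSBL check. Added example; zones and answers are assumptions."""
import ipaddress
import socket

# A DNSBL answers "listed" with an A record inside 127.0.0.0/8 (RFC 5782).
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Build the name a receiver looks up: reversed IPv4 octets + list zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name):
    """Live A-record lookup. NXDOMAIN and resolver failure both give []."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def listings(ip, zones, resolve=system_resolver):
    """Return {zone: [return codes]} for every consulted zone that lists ip."""
    hits = {}
    for zone in zones:
        answers = resolve(dnsbl_query_name(ip, zone))
        # Ignore answers outside 127.0.0.0/8: a parked or wildcarded zone
        # can answer every query, which would "list" the whole Internet.
        codes = [a for a in answers if ipaddress.IPv4Address(a) in LISTED_NET]
        if codes:
            hits[zone] = codes
    return hits


def smtp_verdict(ip, zones, resolve=system_resolver):
    """The receiver's own policy: reject only if a list it chose has the IP."""
    hits = listings(ip, zones, resolve)
    if not hits:
        return "250 OK"
    return "550 5.7.1 {} listed in {}".format(ip, ", ".join(sorted(hits)))


# Constructed DNS answers (not real lookups) for the IP discussed in the thread.
CONSTRUCTED_ANSWERS = {
    "158.250.62.24.cbl.abuseat.org": ["127.0.0.2"],   # still listed
    "158.250.62.24.dnsbl.example": ["203.0.113.9"],   # bogus non-127/8 answer
    # no entry for 158.250.62.24.bl.spamcop.net: that listing has expired
}


def constructed_resolver(name):
    """Offline stand-in for DNS so the example runs without a network."""
    return CONSTRUCTED_ANSWERS.get(name, [])


if __name__ == "__main__":
    ip = "24.62.250.158"
    receivers = {
        "receiver using SpamCop only": ["bl.spamcop.net"],
        "receiver using SpamCop + CBL": ["bl.spamcop.net", "cbl.abuseat.org"],
    }
    for label, zones in receivers.items():
        print(label, "->", smtp_verdict(ip, zones, constructed_resolver))
```

The same sender gets two different outcomes because each receiver picked its own set of lists; the list operator never touches the mail.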
From MikeE at ster.invalid Fri Jan 6 16:19:36 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Jan 6 19:20:02 2006
Subject: [SpamCop-List] Re: Blacklisted with questions
References:
Message-ID:

chp wrote:
> Vanguard wrote:
>> You better do some serious checking of your computer(s). Your IP
>> name of c-24-62-250-158.hsd1.nh.comcast.net resolves to an IP
>> address of
>> 24.62.250.158. A check for how much traffic has been recorded for
>> your IP address
>> at http://www.senderbase.org/search?searchString=24.62.250.158 shows
>> a LOT of e-mail traffic coming out from your host. It has been high
>> for the last 30 days, maybe longer. There has been a lot of e-mail
>> coming out of that IP address.

> I had an unsecured network for a while, but figured it was safe due to
> specifics of my location. But since the PC shows up clean and the Mac
> _should_ be clean, I have to assume the wireless was being hijacked.
> I did see some unknown MAC addresses a few hours ago, but I don't have
> much for logging of activity aside from packets sent (it's just a
> D-Link router!).
>
> I've closed the wireless and I hope that takes care of it. Probably
> such luddites as I shouldn't be allowed to put in a wireless home
> network! ;-)

This situation with the information at senderbase that Vanguard mentioned shows that there is still a huge amount of mail coming out of your IP, not 'a few days ago' but right up until the present -- which suggests to me that you aren't secured at all, as we speak, like, right now, ie 2006.Jan.06 4:18 PM PST or UTC -0800 when this data was obtained.

Report on IP address: 24.62.250.158

Volume Statistics for this IP
            Magnitude   Vol Change vs. Average
Last day    2.9         12951%
Last 30d    1.6         628%
Average     0.7

Monospace font for columns

Senderbase's information above isn't absolutely perfectly precise, more like a 'rough estimate' -- but if it /were/ exactly right, then senderbase is saying that its estimation of the mail output from your IP in the last 24 hours [roughly] was almost 1000 items, which is well over a hundred times as much as its long term history, and that over the last month it has averaged about 40 items a day, compared to its long term history of about 6 a day - roughly speaking again.

That is, the figures above for 'magnitude' should be considered as if they were exponents, or the log of the number of mail items. You can see the huge 130X increase in the last 24 hours above the long term average.

That is, maybe the last day is really some 24 hour period ending recently, but in any case, it is very recent, not 'days' old. Maybe the rough estimates are off by a half an order of magnitude or even more -- in any case, there's a problem going on there and I think it is current.

I don't think that the fact that the spamcop listing aged off is sufficient reassurance to convince me that there isn't something wrong with your IP currently -- as yet unsecured.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Fri Jan 6 16:37:23 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Jan 6 19:40:03 2006
Subject: [SpamCop-List] Re: Blacklisted with questions
References:
Message-ID:

chp wrote:
> (Until today I had
> an open wireless system that SHOULD have been safe due to weak router
> signals, long distances between residences, etc. but I found some odd
> activity so it's now WEP encrypted 128-bit).

I just now re-read this.

For some reason I tho't that WEP/ing took place a few days ago, not 'today'.

So, maybe we haven't had time yet to see the senderbase activity go down.

You might/probably should look into WPA security if someone in your neighborhood is currently using your wireless connectivity for fun and profit.

--
Mike Easter
kibitzer, not SC admin

From jeffg at spamcop.net Fri Jan 6 19:31:28 2006
From: jeffg at spamcop.net (Jeff G.)
Date: Fri Jan 6 19:45:04 2006
Subject: [SpamCop-List] Re: Newbie: How2report vai mail ?
References: <43556463.3D19@xyzzy.claranet.de>
Message-ID:

"Frank Ellermann" wrote in message news:43556463.3D19@xyzzy.claranet.de...
> For a MUA (mail user agent) there are only two and a half
> choices to achieve something like "forward complete crap
> with all headers":
>
> 1 - resend it (resulting in Resent-* headers), some weird
> MUAs call this function "bounce" for unknown reasons.
> Advantage: it works even if the recipient has no MIME
> Disadvantage: it works only for one mail, nobody (?)
> tested it with SC as recipient

That is guaranteed not to work, as there will only be one set of Header Lines. Submission email messages need at least two sets of Header Lines, one to get the submission to the system, and one for the first spam message.

--
Best Regards, Jeff G.
http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585

From jeffg at spamcop.net Fri Jan 6 19:42:41 2006
From: jeffg at spamcop.net (Jeff G.)
Date: Fri Jan 6 19:45:09 2006
Subject: [SpamCop-List] Re: Newbie: How2report vai mail ?
References:
Message-ID:

"Ger" wrote in message news:dj3u44$hdc$1@news.spamcop.net...
> I figure basic info like:
> "one should never compromise the email address to report spam to" should be
> mentioned on the frontpage of spamcop.net, right below the email address
> itself in a simple manner:
> " PERSONAL REPORT ADDRESS - KEEP THIS EMAIL ADDRESS SECRET AT ALL TIMES" or
> something similar.
The last time I signed up an email address for a Free Reporting Account, I got the following in that email address's first email message from SpamCop: "Someone (probably you) has requested that SpamCop email you an authorization key. You may use this key to send spam reports via SpamCop. Never post this publicly or share it with others. If you do, anyone who sees it will be able to impersonate you and send email via SpamCop as if they were you. ... Forward your spam to: submit.16charANcodeNMBR@spam.spamcop.net" where 16charANcodeNMBR is your personal unique authorization key (a 16 character alphanumeric code). -- Best Regards, Jeff G. http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585 From redball at mindspring.com Fri Jan 6 18:42:30 2006 From: redball at mindspring.com (Trish Roberts-Miller) Date: Fri Jan 6 19:52:02 2006 Subject: [SpamCop-List] Re: SpamCop-List Digest, Vol 60, Issue 18 In-Reply-To: <200601061940.1eV27V3p93Nl3qa0@aaron.mail.atl.earthlink.net> References: <200601061940.1eV27V3p93Nl3qa0@aaron.mail.atl.earthlink.net> Message-ID: <43BF0E76.7070609@mindspring.com> spamcop-list-request@news.spamcop.net wrote: >---------------------------------------------------------------------- > >Message: 1 >Date: Fri, 6 Jan 2006 17:12:19 -0600 >From: "Vanguard" >Subject: [SpamCop-List] Re: Spam filters and storage limits okay > under First Amendment >To: spamcop-list@news.spamcop.net >Message-ID: >Content-Type: text/plain; format=flowed; charset="Windows-1252"; > reply-type=response > >"Possum Trot" wrote in message >news:dpmsho$mju$1@news.spamcop.net... > > >>This from a July, 2005 decision in Federal Court in the Southern District >>of Texas. >> >>http://www.internetcases.com/archives/2005/07/spam_filters_an_1.html >> >> > > >"de Mino complained of the University's practice of shutting down e-mail >accounts for adjunct professors during the summer, when they were not under >contract to teach. 
" > >Yeah, as a contract consultant, I would love to retain use of every resource >available at all any any employer where I was once contracted for employment >but am no longer there. I could have incredible bandwidth, run proxies all >over, and have access to all those computers, too. What stupidity. If you >aren't currently employed then you don't get access to an employer's >resources. Gee, I should be able to walk into any business where I do NOT >work to use whatever I want however I want. Right, uh huh. > >"He further complained of the inability to transmit e-mail after his account >had reached its data storage limit." >Gmail might have a 2.5GB disk quota but that is still a limited quota. No >e-mail provider can supply infinite storage space simply because there isn't >an infinite number of storage media available. What a boob! The asshole >can't be bothered to organize his mails and then bitches that it is someone >else's fault for his stupidity and laziness. > >"certain messages he had sent to other faculty had been caught in the >system's spam filter" >Probably several of the employed teachers didn't want to correspond with him >anymore and just added him to their block/blacklists. He obviously wasn't >the shiniest gem and the other wanted to disassociate themselves from the >dull rock. > >"De Mino contended that he was denied access when he tried to communicate >with other faculty regarding University policies." >Well, pretty goes for the rest of us regarding some business where we are >NOT employed. > >See, even educated folk are stupid. Be careful to not visit this boob on >the day he does hedge trimming; else, he might drop that lawnmower on you. > > > I don't know this guy, but I do know something about how contract employees are treated (although I am not one), and I also know about how state universities often treat their employees. If your contract says you start September 1, you probably expect to start working September 1. 
You probably don't expect to start working August 20. At many places (and some Us in Texas follow this practice), university teachers' contracts start September 1, but they are expected to begin teaching late August. (They are paid for that time in August, but not until October 1.) Further, when you show up the first day of work, you expect..well, you expect to start working. Not at a U, where it is assumed that you have worked several weeks, unpaid, in order to prepare your classes. Class prep time is unpaid. Similarly, much post-semester time is simply assumed--if a student has a complaint, if s/he needs a letter of recommendation, it is assumed that the U can contact you via email (at many Us, email is the only method of communication for and by U policy). Hence, if you don't have access to email during the summer, you will miss all the announcements, many of which will affect your (unpaid) class planning. Finally, for tenure track faculty, promotion and retention depend upon publishing, which is done in the summer. An untenured faculty member who took summers "off" would find him or herself unemployed in short notice. In short, far too often, the contract only covers the time the U pays an employee, not the time the U expects its employees to work. -- Trish Roberts-Miller redball@mindspring.com http://www.cwrl.utexas.edu/~robertsmiller/homepage.html "though we could fool each other, we should consider-- lest the parade of our mutual life get lost in the dark." ("A Ritual to Read to Each Other" Wm. Stafford) From dfm2a3l0t2 at spymac.com Fri Jan 6 19:53:27 2006 From: dfm2a3l0t2 at spymac.com (D.F. Manno) Date: Fri Jan 6 19:55:04 2006 Subject: [SpamCop-List] Re: Media: Iowa ISP Gets $11B In E-mail Spam Case References: <43BEB9E6.BC83537E@spamcop.net> Message-ID: In article , "Bill Beyer" wrote: > Since the ISP has obtained a judgement > against the spammer a lien can be placed against all of the spammers > business and quite possibly personal assets. 
In addition wages can be > garnished and bank accounts frozen, assets can be seized as well. You're assuming that there are assets that can be seized. He may have made himself judgment-proof, hiding behind shell corporations, putting things in others' names, renting/leasing equipment instead of owning, etc. -- D.F. Manno dfm2a3l0t2@spymac.com The problem with being sure that God is on your side is that you can't change your mind, because God sure isn't going to change His. (Roger Ebert) From jg at coks.net Fri Jan 6 17:26:22 2006 From: jg at coks.net (jg) Date: Fri Jan 6 20:25:03 2006 Subject: [SpamCop-List] Re: Thunderbird OK with Headers In-Reply-To: References: Message-ID: On 1/6/2006 2:06 PM Jeff G. scribbled: > "jg" wrote in message > news:dp7eoq$4tp$2@news.spamcop.net... > >>I forward to all sorts of addys as well as reporting to SC and >>get replies, rarely a carbon based lifeform, tho... > > > If you do that all in one email message per spam, please make sure that > your Confidential Submit Address remains confidential by putting it in > the BCC field. > > Thanks and Best Regards, Jeff G. > http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585 > Does not apply here. I cut & paste to SC, frwd spam to various reporting addys /other/ than SC. Funny you should bring it up, though, cause I'm dumping my ISP and looking into SC email. While looking at that, I was wondering about reporting spam. I've never used my secret address - can I frwd multi spam to that addy (now, not when I sign up for SC mail)? With all apologies to wazoo, I haven't fallen across that yet, though truth be it known, I don't have time to sift through all the FAQs... From MikeE at ster.invalid Fri Jan 6 17:33:55 2006 From: MikeE at ster.invalid (Mike Easter) Date: Fri Jan 6 20:35:03 2006 Subject: [SpamCop-List] Re: New obfucation method or unusually stupid spammer? 
References: Message-ID: Bill Beyer wrote: www.spamcop.net/sc?id=z853454841z4460eb3b09feb6f76599fcce0cd24d94z > I've gotten over a dozen of these little gems over the past few weeks > with the href="%Ed_shmid% link. Of course it doesn't parse, is it > some sort of script reference or just an inordinately incompetent > spammer? Some proper link was supposed to go in between the % % As a separate issue, but probably related; this spammer isn't really very competent to construct content-type text/html - since that body is actually some kind of tacky markup which isn't really html, in spite of what the headers say. -- Mike Easter kibitzer, not SC admin From info-nospam at nhrivers.org Fri Jan 6 20:52:05 2006 From: info-nospam at nhrivers.org (chp) Date: Fri Jan 6 20:55:02 2006 Subject: [SpamCop-List] Re: Blacklisted with questions In-Reply-To: References: Message-ID: Vanguard wrote: > "chp" wrote in message > news:dpmu39$nt7$1@news.spamcop.net... > >> >> Wow, thanks for all of that explanation. I too just found out Spamcop >> de-listed me, and I was able to send a few emails out. > > > SpamCop cannot stop your mails from going out. SpamCop cannot stop your > mails from coming in. It's just a list. > Yes, but my work ISP uses the Spamcop list and others to ID IP addresses they should reject. Since my IP address was on several lists, my email sent from this IP address to go out through my dial-up ISP's mail server was rejected by their mail server, thinking I was a spammer. It's odd because I'd used it that way for several years. But I'm close to fixing it - for good I hope. Carl From info-nospam at nhrivers.org Fri Jan 6 21:03:35 2006 From: info-nospam at nhrivers.org (chp) Date: Fri Jan 6 21:05:03 2006 Subject: [SpamCop-List] Re: Blacklisted with questions In-Reply-To: References: Message-ID: Mike Easter wrote: > chp wrote: > > >>(Until today I had >>an open wireless system that SHOULD have been safe due to weak router >>signals, long distances between residences, etc. 
but I found some odd >>activity so it's now WEP encrypted 128-bit). > > > I just now re-read this. > > For some reason I tho't that WEP/ing took place a few days ago, not > 'today'. > > So, maybe we haven't had time yet to see the senderbase activity go > down. > > You might/probably should look into WPA security if someone in your > neighborhood is currently using your wireless connectivity for fun and > profit. > > > I set up the WEP around 4pm EST (GMT minus 5 hours) today, 1/6/06, and in response to this problem, so it was very recent. In fact, since doing that, I haven't seen any unusual MAC addresses. Boy, I sure hope you're right. Based on my knowledge of my neighbors - most of whom are friends and not especially tech savvy - and their proximity (not especially close), I find it hard to believe anyone was intentionally using my connection for illicit purposes. Possible I suppose, but not likely. But I wonder if a neighbor might be infected with the Sober (or other?) worm and could have been (unknown to them) sending out mail over the last 24-48 hours through my connection. Possible? I didn't think I could do WPA, but maybe WPA-PSK??? Well, I'm sufficiently humbled by this experience, and now understand how easy it can be for spammers to do their tricks. Thanks for all your help, Carl From MikeE at ster.invalid Fri Jan 6 18:16:00 2006 From: MikeE at ster.invalid (Mike Easter) Date: Fri Jan 6 21:20:02 2006 Subject: [SpamCop-List] Re: Blacklisted with questions References: Message-ID: chp wrote: > But I wonder if a neighbor might be infected > with the Sober (or other?) worm and could have been (unknown to them) > sending out mail over the last 24-48 hours through my connection. > Possible? Yes. Accidental wireless rustling can happen -- or, maybe a little 'mild' intentional but relatively innocent nonspam 'borrowing' - 'he won't mind' - but the borrower gets infected and spews sobers. 
The CBL listing mentioned sobers, but only generally and informationally - not as a characterization of your listing there. The CBL listing is 'designed' to list sources which are hitting spamtraps and 'look like' proxytrojan injectors, and your IP is so listed there. But the CBL listing and site is mentioning that an important cause of increased cbl listings are sober propagations. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Fri Jan 6 18:22:57 2006 From: MikeE at ster.invalid (Mike Easter) Date: Fri Jan 6 21:25:04 2006 Subject: [SpamCop-List] Re: Blacklisted with questions References: Message-ID: Mike Easter wrote: > The CBL listing is 'designed' to list sources which are hitting > spamtraps and 'look like' proxytrojan injectors, and your IP is so > listed there. You could have the cbl remove/delist your listing and see if it recurs. That would be a nice test of your improved security. http://cbl.abuseat.org/lookup.cgi CBL Lookup Utility Put your IP 24.62.250.158 in there, and then when it comes up positive, request its removal. Recheck after an appropriate time X allowed for the delisting process so that you can see it delisted, then if it gets back on again, the new listing date/time will appear. -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Fri Jan 6 20:27:06 2006 From: nobody at devnull.spamcop.net (WazoO) Date: Fri Jan 6 21:30:03 2006 Subject: [SpamCop-List] Re: Thunderbird OK with Headers References: Message-ID: "jg" wrote in message news:dpn57c$sur$1@news.spamcop.net... > > > Does not apply here. > I cut & paste to SC, frwd spam to various reporting addys /other/ than SC. > Funny you should bring it up, though, cause I'm dumping my ISP and > looking into SC email. While looking at that, I was wondering about > reporting spam. > I've never used my secret address - can I frwd multi spam to that addy > (now, not when I sign up for SC mail)? 
> With all apologies to wazoo, I haven't fallen across that yet, though > truth be it known, I don't have time to sift through all the FAQs... I distinctly recall posting this link within the last few days, but of course, know not where ..... How to use Thunderbird to report multiple emails One users step by step example http://forum.spamcop.net/forums/index.php?showtopic=5307 It's in the "How to Use .... Reporting" Forum section From info-nospam at nhrivers.org Fri Jan 6 21:28:52 2006 From: info-nospam at nhrivers.org (chp) Date: Fri Jan 6 21:30:09 2006 Subject: [SpamCop-List] Re: Blacklisted with questions In-Reply-To: References: Message-ID: Mike Easter wrote: > Mike Easter wrote: > > >>The CBL listing is 'designed' to list sources which are hitting >>spamtraps and 'look like' proxytrojan injectors, and your IP is so >>listed there. > > > You could have the cbl remove/delist your listing and see if it recurs. > That would be a nice test of your improved security. > > http://cbl.abuseat.org/lookup.cgi CBL Lookup Utility > > Put your IP 24.62.250.158 in there, and then when it comes up positive, > request its removal. > > Recheck after an appropriate time X allowed for the delisting process so > that you can see it delisted, then if it gets back on again, the new > listing date/time will appear. > Thank you Mike. I was just working on that, but I was also running all of the checks CBL mentions just to be safe. I'd rather not de-list and get re-listed, as I assume it'll get harder to get off if I keep popping up. I know I can eventually reset the MAC address to the router address (it's now just a clone of my laptop's ethernet), and if I then release and reset my IP address I'll probably get a new IP address, but I'm holding off on that as a last resort, and once I'm sure I've fixed this mess. Also, it's probably not fair to leave that IP address to someone else... Thanks again. 
Carl From baloo at ursine.ca Fri Jan 6 19:02:16 2006 From: baloo at ursine.ca (Paul Johnson) Date: Fri Jan 6 22:30:04 2006 Subject: [SpamCop-List] Re: Blacklisted with questions References: Message-ID: chp wrote: > But since the PC shows up clean and the Mac _should_ be clean, I have to > assume the wireless was being hijacked. "Should" isn't good enough. If you can't say "is," then it's time to format, reinstall and restore from a known clean backup. If you don't have a backup, ouch, still gotta reinstall but now you don't get any data. -- Paul Johnson Email and Instant Messenger (Jabber): baloo@ursine.ca Got jabber? http://ursine.ca/Ursine:Jabber From skiwi at spamcop.net Fri Jan 6 19:53:39 2006 From: skiwi at spamcop.net (Skiwi) Date: Fri Jan 6 22:55:03 2006 Subject: [SpamCop-List] Re: Media: Iowa ISP Gets $11B In E-mail Spam Case In-Reply-To: References: <43BEB9E6.BC83537E@spamcop.net> Message-ID: D.F. Manno wrote: > In article , > "Bill Beyer" wrote: > >> Since the ISP has obtained a judgement >> against the spammer a lien can be placed against all of the spammers >> business and quite possibly personal assets. In addition wages can be >> garnished and bank accounts frozen, assets can be seized as well. > > You're assuming that there are assets that can be seized. He may have made > himself judgment-proof, hiding behind shell corporations, putting things in > others' names, renting/leasing equipment instead of owning, etc. He can't declare bankruptcy - and if the ISP 'forgives' the debt, he has to pay taxes on that forgiven value as a form of income... the IRS will chase a lot harder than other agencies (witness Capone...) - well, we can hope! :-) From jg at coks.net Fri Jan 6 20:55:33 2006 From: jg at coks.net (jg) Date: Fri Jan 6 23:55:04 2006 Subject: [SpamCop-List] Re: Thunderbird OK with Headers In-Reply-To: References: Message-ID: On 1/6/2006 6:27 PM WazoO scribbled: > "jg" wrote in message news:dpn57c$sur$1@news.spamcop.net... > >>Does not apply here. 
>>I cut & paste to SC, frwd spam to various reporting addys /other/ than SC. >>Funny you should bring it up, though, cause I'm dumping my ISP and >>looking into SC email. While looking at that, I was wondering about >>reporting spam. >>I've never used my secret address - can I frwd multi spam to that addy >>(now, not when I sign up for SC mail)? >>With all apologies to wazoo, I haven't fallen across that yet, though >>truth be it known, I don't have time to sift through all the FAQs... > > > I distinctly recall posting this link within the last few days, but of > course, > know not where ..... > > How to use Thunderbird to report multiple emails > One users step by step example > http://forum.spamcop.net/forums/index.php?showtopic=5307 > > It's in the "How to Use .... Reporting" Forum section > > My question wasn't with Thunderbunny - I asked if one could forward multiple spam as attachments. 1 send = 30 spam forwarded... I've not heard of any problems with my client and forwarding issues. Sorry I missed your thread, but it probably wasn't on my mind at the time... off to the link... From jg at coks.net Fri Jan 6 21:02:33 2006 From: jg at coks.net (jg) Date: Sat Jan 7 00:05:03 2006 Subject: [SpamCop-List] Re: Thunderbird OK with Headers In-Reply-To: References: Message-ID: On 1/6/2006 6:27 PM WazoO scribbled: > How to use Thunderbird to report multiple emails > One users step by step example > http://forum.spamcop.net/forums/index.php?showtopic=5307 > > It's in the "How to Use .... Reporting" Forum section > > My own setup is just about exactly the setup explained in that link... 
From edb2000 at spamcop.net Fri Jan 6 21:48:55 2006 From: edb2000 at spamcop.net (Don Wannit) Date: Sat Jan 7 00:50:02 2006 Subject: [SpamCop-List] Re: Spamcop claims my address bounces In-Reply-To: References: Message-ID: David Bolt wrote: > On Wed, 4 Jan 2006, Ellen wrote:- > >> It is possible that the bounce flag was caused by the mailserver issue >> altho >> I suspect not; the mailserver issue was not happening on 12/30. > > > Having happened twice again today[0], I don't think it's anything to do > with the mail server problems. It would be interesting to know just what > is causing the problem though especially since, in between the two times > today that I had to reset the bounce flag, there was a batch of about 50 > spams and no attempts to deliver the "ready to report" mails. > > > [0] > Fri, 6 Jan 2006 19:36:44 +0000 > Fri, 6 Jan 2006 22:51:50 +0000 > > Regards, And have a Happy New Year > David Bolt > I had to reset the bounce flag on my account twice between Dec 8 and Dec 30, which was during the period of some... "instability" ... The logs on the relevant SMTP mail server showed no rejections or bounces at all for mail coming from SpamCop. So I don't know why that bounce flag would have gotten set either time. Didn't think much of it, since there were so many yo-yo ups and downs around that time. But if these imprecise data points contribute to the picture, I'm happy to contribute. Conjecture: there have been some problems experienced by SC when DNS lookups are too slow; maybe SC sets the bounce flag on an email account if the MX lookup times out? That would mean the SMTP server never gets contacted, so the admin on that server would never see any kind of reject/bounce. 
-- Don Wannit A paid SpamCop user since 1999 From info-nospam at nhrivers.org Sat Jan 7 01:05:49 2006 From: info-nospam at nhrivers.org (chp) Date: Sat Jan 7 01:10:02 2006 Subject: [SpamCop-List] Re: Blacklisted with questions In-Reply-To: References: Message-ID: Paul Johnson wrote: > chp wrote: > >>But since the PC shows up clean and the Mac _should_ be clean, I have to >>assume the wireless was being hijacked. > > > "Should" isn't good enough. If you can't say "is," then it's time to > format, reinstall and restore from a known clean backup. If you don't have > a backup, ouch, still gotta reinstall but now you don't get any data. > Ouch. I'm working hard here (and a ton of hours thanks to the lack of help from my ISP) to correct this, so be nice. How many home wireless network owners do you think would do this or even could? I'm trying first to figure out if there's a way to scan my system to see if it's compromised, before resorting to a reformat and reinstall, as my last backup isn't as recent as I'd like. I've got lots of options for a WinXP box, but it's a little harder to find them for a Mac under OSX. BTW, I did a reformat and reinstall fairly recently on both machines (a few weeks ago) so I'd rather only do it as a last resort. Lastly, since closing my wireless this afternoon, I've seen much less traffic, and my listings have decreased steadily. So I'm betting I was right... From edb2000 at spamcop.net Fri Jan 6 22:08:09 2006 From: edb2000 at spamcop.net (Don Wannit) Date: Sat Jan 7 01:10:07 2006 Subject: [SpamCop-List] Re: Spam filters and storage limits okay under First Amendment In-Reply-To: References: Message-ID: Vanguard wrote: [a very reasonable response objecting to claims of offense if they were made by a contract employee of a regular company. Good Stuff.] 
Because the response was made via the email-to-news gateway, the thread is broken, and even the Subject: header is wrong, so the response from Trish Roberts-Miller is not connected to this thread. I really like her response in article news://mailman.5.1136595123.16519.spamcop-list@news.spamcop.net Please be sure to read it even though your modern threaded news reader might not connect it to this discussion :-) -- Don Wannit A paid SpamCop user since 1999 From MikeE at ster.invalid Sat Jan 7 00:48:02 2006 From: MikeE at ster.invalid (Mike Easter) Date: Sat Jan 7 03:50:09 2006 Subject: [SpamCop-List] Re: Blacklisted with questions References: Message-ID: chp wrote: > Mike Easter wrote: >> http://cbl.abuseat.org/lookup.cgi CBL Lookup Utility >> >> Put your IP 24.62.250.158 in there, and then when it comes up >> positive, request its removal. > I know I can eventually reset the MAC address to > the router address (it's now just a clone of my laptop's ethernet), > and if I then release and reset my IP address I'll probably get a new > IP address, but I'm holding off on that as a last resort, and once > I'm sure I've fixed this mess. Also, it's probably not fair to leave > that IP address to someone else... I don't think I would recommend resetting any MAC addresses, later on the security. I see that you are currently not listed at CBL. Right now your only listings are 'normal' considering that you are a dynamic and that you are comcast. You show up listed at dnsbl.net.au -- but that is a consequence of being listed 'somewhere else' - not directly in their db, and I think it is from the recency of the cbl listing and that that listing will clear by itself. If it doesn't you can remove it at http://www.dnsbl.net.au/search/ but I wouldn't do anything with that gizmo right now. Your listing at five-ten-sg is hard to easily describe, but it means that you are in a block of spamsource/s - and it is likely your IP will just stay in that db. 
I wouldn't worry about it because it is not a db that 'normal' people use to block with. The comcast condition is enough to have you in there. You are listed at sorbs dynamic - which is normal - because your cable IP is classified as a dynamic and it 'looks like' a dynamic by its rDNS, and so it can be in 'anyone's' dynamic blocklist and sorbs is a 'good one' about listing dynamics. Sometimes even static cable IPs get into dynamic db/s. You are listed in spambag because you are comcast, and you are listed in spews because you are comcast. I won't go into why that is right now, but comcast has a huge problem about how it doesn't 'force' its user IPs to become secured. Spews fundamentally just lists all of comcast and pokes some holes for the comcast servers. I would like to get a little clearer on your network to think about its security. I tend to think of computers by 'name' and you have a desktop Mac 10.3.9 which I'll call MacX, and a laptop XP which I'll call Tbird, and some kind of wireless router which I don't even know the brand name or model, but that would be very useful information in terms of security suggestions. You said that you are cable, but I don't know if your router is integrated with your cable modem or if they are separate - so maybe your cable modem is separate and wired to the router, and then MacX and Tbird connect to the router wirelessly. You also said you didn't think that you could WPA but maybe WPA-PSK -- but I don't know why you said that. You also said that you had done virus and spyware checks but you didn't say how you did that. Depending upon your router's type and whether or not it has logging potential, you could be very very assured about several security issues. My own network configuration is all wired, using a Linksys BEFSR41. 
Because I submit my logs to DShield [which you could compare somewhat to submitting spam to spamcop] I have an 'enhanced' logging system called WallWatcher, and WallWatcher has features and a 'helper' program that keeps its logs in a DShield compliant format and also automatically sends them in regularly. I *LUV* WW for its ability to show me what is going on with the router's activity in a lot of nifty ways. So, give some feedback on some of the unknowns up there; the router's identification which will help define how to secure and log; the AV/antispyware investigation to date; and the nature of the wireless connectors. -- Mike Easter kibitzer, not SC admin From bar_n0ne at hotmail.com Sat Jan 7 15:05:23 2006 From: bar_n0ne at hotmail.com (Berny) Date: Sat Jan 7 06:10:03 2006 Subject: [SpamCop-List] Re: "brokenlove" sites appear to be hosted and DNS'd by zombies References: Message-ID: "Jeff G." wrote in message news:dpmvku$omn$1@news.spamcop.net... > "Redstone" wrote in message > news:Xns96F9C9E3F3FCCtinlc@216.154.195.61... > > I think it will soon become time to bear the heavy guns down on > > Teleglobe.. > > When I lart manually, I generally use OE's "Tools / Request Read > Receipt", which produces a "Disposition-Notification-To:" Header Line. > The first time I did that while larting abuse[at]teleglobe.net, I got > LOTS of receipts from members of that distribution list, for weeks, but > not a single reply from a human. > > -- > Best Regards, Jeff G. > http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585 > Soon? Teleglobe's client, adultactionca/m/sh/.com and datecam and related affiliates have been raping home users and others for over a year, they have a spam sending botnet, a hosting botnet and a dns botnet. No big ISPs seem to mind at all. And Teleglobe doesn't seem to mind either, even when they spam from teleglobe space. I guess they get plenty of pink money from these assholes. 
See threads by/with Mark Ferguson in NANAE From porpoise1954 at yahoo.co.uk Sat Jan 7 11:22:49 2006 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Sat Jan 7 06:25:03 2006 Subject: [SpamCop-List] Re: Blacklisted with questions References: Message-ID: "chp" wrote in message news:dpnlnr$6ao$1@news.spamcop.net... > > I'm trying first to figure out if there's a way to scan my system to see > if it's compromised, before resorting to a reformat and reinstall, as my > last backup isn't as recent as I'd like. I've got lots of options for a > WinXP box, but it's a little harder to find them for a Mac under OSX. BTW, > I did a reformat and reinstall fairly recently on both machines (a few > weeks ago) so I'd rather only do it as a last resort. > > Lastly, since closing my wireless this afternoon, I've seen much less > traffic, and my listings have decreased steadily. So I'm betting I was > right... Well, you *may* have shut the stable door, but the horse may have already bolted - i.e. that previous unsecured situation/condition *may* mean that you now have any/much/some/a little stuff on your machine(s) that you really don't want to be there......... There are all sorts/types of malware out there that do all sorts of things, from keyloggers to viral/spam propagators..... I'd make sure you do a *very* thorough examination of your system. From porpoise1954 at yahoo.co.uk Sat Jan 7 11:26:48 2006 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Sat Jan 7 06:30:03 2006 Subject: [SpamCop-List] Re: Thunderbird OK with Headers References: Message-ID: "jg" wrote in message news:dpnhfi$46c$1@news.spamcop.net... > On 1/6/2006 6:27 PM WazoO scribbled: >> >> > My question wasn't with Thunderbunny - I asked if one could forward > multiple spam as attachments. 1 send = 30 spam forwarded... Yes! > I've not heard of any problems with my client and forwarding issues. > Sorry I missed your thread, but it probably wasn't on my mind at the > time... > off to the link... 
From DougThegarden at invalid.com Sat Jan 7 11:30:54 2006 From: DougThegarden at invalid.com (Doug Thegarden) Date: Sat Jan 7 06:35:03 2006 Subject: [SpamCop-List] Re: Media: Iowa ISP Gets $11B In E-mail Spam Case In-Reply-To: References: <43BEB9E6.BC83537E@spamcop.net> Message-ID: D.F. Manno wrote: > In article , > "Bill Beyer" wrote: > >> Since the ISP has obtained a judgement >> against the spammer a lien can be placed against all of the spammers >> business and quite possibly personal assets. In addition wages can be >> garnished and bank accounts frozen, assets can be seized as well. > > You're assuming that there are assets that can be seized. He may have made > himself judgment-proof, hiding behind shell corporations, putting things in > others' names, renting/leasing equipment instead of owning, etc. IIRC in Florida certain assets including the family home are exempt from seizure. Doug From DougThegarden at invalid.com Sat Jan 7 11:44:52 2006 From: DougThegarden at invalid.com (Doug Thegarden) Date: Sat Jan 7 06:45:02 2006 Subject: [SpamCop-List] Re: Blacklisted with questions In-Reply-To: References: Message-ID: Paul Johnson wrote: > chp wrote: >> But since the PC shows up clean and the Mac _should_ be clean, I have to >> assume the wireless was being hijacked. > > "Should" isn't good enough. If you can't say "is," then it's time to > format, reinstall and restore from a known clean backup. If you don't have > a backup, ouch, still gotta reinstall but now you don't get any data. > Not much point in restoring from a backup unless you know the backup is clean and this seems to have been going on for some time by all accounts. Better first to try cleaning what you have. 
Doug From DougThegarden at invalid.com Sat Jan 7 11:49:24 2006 From: DougThegarden at invalid.com (Doug Thegarden) Date: Sat Jan 7 06:50:02 2006 Subject: [SpamCop-List] Re: Blacklisted with questions In-Reply-To: References: Message-ID: chp wrote: > > > I set up the WEP around 4pm EST (GMT minus 5 hours) today, 1/6/06, and > in response to this problem, so it was very recent. In fact, since doing > that, I haven't seen any unusual MAC addresses. > > Boy, I sure hope you're right. Based on my knowledge of my neighbors - > most of whom are friends and not especially tech savvy - and their > proximity (not especially close), I find it hard to believe anyone was > intentionally using my connection for illicit purposes. Possible I > suppose, but not likely. But I wonder if a neighbor might be infected > with the Sober (or other?) worm and could have been (unknown to them) > sending out mail over the last 24-48 hours through my connection. Possible? > You can pick up a wireless network over a fair distance with a suitable antenna. The standard antenna are omnidirectional so they work irrespective of the relative locations, but take two fixed locations and a high gain very directional antenna at one end and you can be talking of miles Doug From nobody at nowhere.invalid Sat Jan 7 13:30:47 2006 From: nobody at nowhere.invalid (Steven Maesslein) Date: Sat Jan 7 07:35:02 2006 Subject: [SpamCop-List] Re: Blacklisted with questions References: Message-ID: On Sat, 07 Jan 2006 01:05:49 -0500, chp coughed into spamcop and left this in : > Ouch. I'm working hard here (and a ton of hours thanks to the lack of > help from my ISP) to correct this, so be nice. How many home wireless > network owners do you think would do this or even could? Trouble with wireless is that it can be cracked. In under 10 minutes. 
It may be practical in that you don't have a house that looks like a bowl of spaghetti, but if you're in a built-up area with anyone within the wireless network's range, you are exposing yourself to having your connection hijacked. If security is more important to you than aesthetics (and it should be, especially in the light of recent events) then you should dump the WiFi and go ethernet. That'll close one gaping hole in your network. Once that particular bit is secure then you can start delousing the machines. -- Steve The only person to get all of his work done by Friday was Robinson Crusoe From DougThegarden at invalid.com Sat Jan 7 13:38:02 2006 From: DougThegarden at invalid.com (Doug Thegarden) Date: Sat Jan 7 08:40:03 2006 Subject: [SpamCop-List] Re: Blacklisted with questions In-Reply-To: References: Message-ID: Steven Maesslein wrote: > > Trouble with wireless is that it can be cracked. In under 10 minutes. > For certain values of "can be" Doug From vanguard.code at comcastNIX.net Sat Jan 7 08:10:26 2006 From: vanguard.code at comcastNIX.net (Vanguard) Date: Sat Jan 7 09:15:02 2006 Subject: [SpamCop-List] Re: Blacklisted with questions References: Message-ID: "chp" wrote in message news:dpn6s2$tpc$1@news.spamcop.net... > Vanguard wrote: >> "chp" wrote in message >> news:dpmu39$nt7$1@news.spamcop.net... >> >>> >>> Wow, thanks for all of that explanation. I too just found out Spamcop >>> de-listed me, and I was able to send a few emails out. >> >> >> SpamCop cannot stop your mails from going out. SpamCop cannot stop your >> mails from coming in. It's just a list. >> > > > Yes, but my work ISP uses the Spamcop list and others to ID IP addresses > they should reject. Then you already recognize that is it not SpamCop that blocks anything but it is your ISP that is blocking your mails. They may use SpamCop, BrightMail, a proprietary anti-spam solution, or whatever but THEY are the ones doing the blocking. 
Of course, if the ISP were polite (and which may be required in some countries), they must offer the option to disable spam filtering to retain that choice by the user. So use the webmail interface to your account and disable spam filtering if you prefer to use a client-side solution. If it isn't your account (i.e., it is the company's account) that you get to use then it is your company's choice to enable the spam filtering option, so it is your company delegating authority to their ISP to do the blocking. A list can do nothing by itself. It has to get used by something else. So bring the issue up with your ISP or your company. Obviously the company is too lazy to bother contacting the ISP to set up an auto-whitelist of their own IP addresses. If it were your own account at the ISP, you could obviously whitelist yourself. However, you configuring your anti-spam solution has no effect on other users that also get to configure their anti-spam setup. Using blacklists WILL incur false positives, especially since dynamic IP addresses move around between users. Anyone using blacklists should understand the problems inherent with them. Too many users simply incorporate a blacklist without understanding what it blacklists, how it obtains those suspected spam sources, how long it takes for records to expire, how repeated siting affect the duration for the expiration, and what, if any, recourse a blacklisted source has for contention. Note that SpamCop is usually considered an aggressive blacklist (which is not to say that it is sloppy, like SPEWS). Note that if you got blacklisted then there is a possibility that you also got your ISP's mail server blacklisted. You spewed, and you spewed through their mail server, and which your ISP obviously took no action to deter regarding outbound spam. They use a blacklist and yet they have no means of deterring spam originating from their own mail server? 
Be thankful that the ISP didn't kill the account which, according to you, is your company's account. The ISP should be checking if any SpamCop-tagged senders are their own customers. From Kilgallen at SpamCop.net Sat Jan 7 08:11:10 2006 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Sat Jan 7 09:15:10 2006 Subject: [SpamCop-List] Re: Spamcop claims my address bounces References: Message-ID: In article , David Bolt writes: > On Wed, 4 Jan 2006, Ellen wrote:- > >>It is possible that the bounce flag was caused by the mailserver issue altho >>I suspect not; the mailserver issue was not happening on 12/30. > > Having happened twice again today[0], I don't think it's anything to do > with the mail server problems. It would be interesting to know just what > is causing the problem though especially since, in between the two times > today that I had to reset the bounce flag, there was a batch of about 50 > spams and no attempts to deliver the "ready to report" mails. For a month or so I have been getting recycled bounce flag settings. I say "recycled" because the text it claims was returned by my host is no longer present in that file on the host. Recently I got one case where the spamcop mail system was bouncing mail sent by the spamcop reporting system citing reasons that were not intelligible to me. From vanguard.code at comcastNIX.net Sat Jan 7 08:31:36 2006 From: vanguard.code at comcastNIX.net (Vanguard) Date: Sat Jan 7 09:35:03 2006 Subject: [SpamCop-List] Re: Blacklisted with questions References: Message-ID: "Mike Easter" wrote in message news:dpn2fs$qsg$1@news.spamcop.net... > chp wrote: > >> (Until today I had >> an open wireless system that SHOULD have been safe due to weak router >> signals, long distances between residences, etc. but I found some odd >> activity so it's now WEP encrypted 128-bit). > > I just now re-read this. > > For some reason I tho't that WEP/ing took place a few days ago, not > 'today'. 
> > So, maybe we haven't had time yet to see the senderbase activity go > down. The IP name of c-24-62-250-158.hsd1.nh.comcast.net (from a reverse DNS lookup of the IP address of 24.62.250.158 for the poster) is, according to the poster, a "company" account. Yet it seems the volume is still pretty high. I don't recall the exact 30-day magnitude and volume change when I looked before, but I thought magnitude was 1.6 and volume change was in the six hundreds. Now the magnitude is 1.7 and the volume change in the seven hundreds (708%), so it is going up, not down. If it were a company account, that might explain the increase but that must be a company spewing out lots of e-mail, and it's increasing. If it is this user's particular account with that ISP (whether paid for by his company or not), his e-mail volume is increasing, not decreasing, after the WiFi correction to stop sharing his connection. I'm suspicious that the ISP account for this guy is a company account. The IP address would resolve to a company domain even if they were hosting it at the ISP, wouldn't it? With the IP name that was returned, it really looks like a personal account. Also, if the poster were actually using their ISP's mail server (Comcast), wouldn't the e-mail volume shown for the poster's IP address mean the poster is the one running a mail server, like a mailer trojan? If the user were sending through Comcast's e-mail server, there would be zero volume shown for e-mail originating from the poster's IP address. When I enter my IP address at SenderBase, the magnitude is 0.0. I don't run a mail server, I don't have any trojans on my computer sending out mails, and no mails originate from my network. They all go within the mail session to my ISP's SMTP server and THAT is from where any of my e-mails originate. That SenderBase shows e-mails originate from this guy's IP address which is for his host means he is the mail server, not his ISP's mail server. 
Know of any way to see SenderBase's statistics using higher granularity? That is, instead of seeing a moving 30-day average for magnitude and volume change, is there a way to see weekly and daily values (so we could see if they are going up or down)? From MikeE at ster.invalid Sat Jan 7 07:00:50 2006 From: MikeE at ster.invalid (Mike Easter) Date: Sat Jan 7 10:05:04 2006 Subject: [SpamCop-List] Re: Blacklisted with questions References: Message-ID: Vanguard wrote: > "Mike Easter" >> chp wrote: >> >>> (Until today I had >>> an open wireless system that SHOULD have been safe due to weak >>> router signals, long distances between residences, etc. but I found >>> some odd activity so it's now WEP encrypted 128-bit). >> So, maybe we haven't had time yet to see the senderbase activity go >> down. > > > The IP name of c-24-62-250-158.hsd1.nh.comcast.net (from a reverse DNS > lookup of the IP address of 24.62.250.158 for the poster) is, > according to the poster, a "company" account. No. I'm not getting it that way. // chp wrote: > I'm a home/home office user on a cable connection and my IP address > has become listed > this is a home connection that I > often use for work through which I have a dialup ISP account. > now I can't send work email from my cable connection, and instead > have to do it through my dialup - which is also my phone line. // Carl has a residential comcast cable IP that we are talking about. Its mail was being blocked by his work's SCbl. > With the IP > name that was returned, it really looks like a personal account. Correct. That's the way I'm seeing it. > Also, if the poster were actually using their ISP's mail server > (Comcast), wouldn't the e-mail volume shown for the poster's IP > address mean the poster is the one running a mail server, like a > mailer trojan? My read is that the Carl's mail goes out the comcast servers, the spam is going out direct to mx. 
Carl's work is using its dnsbl filter on the whole header, including his IP, not just on the connecting comcast server. > If the user were sending through Comcast's e-mail > server, there would be zero volume shown for e-mail originating from > the poster's IP address. You mean.... Report on IP address: 24.62.250.158 Volume Statistics for this IP Magnitude Vol Change vs. Average Last day 2.7 6114% Last 30d 1.7 708% Average 0.8 ... that the old 'average' should be zero. But we don't know how long spam has been going out from his IP. > When I enter my IP address at SenderBase, > the magnitude is 0.0. Correct. As is mine. > That > SenderBase shows e-mails originate from this guy's IP address which > is for his host means he is the mail server, not his ISP's mail > server. That is correct; that there is an old history of 0.8, a monthly of 1.7, and a daily of 2.7 as we speak. My read above was done at 2006.Jan.07 6:58 AM PST UTC-0800 > Know of any way to see SenderBase's statistics using higher > granularity? No. We just have to wait for senderbase to evolve its daily, we have to wait and see if he reappears on cbl, or we have to see some logs from a WallWatcher installed to monitor his router, whatever that is. -- Mike Easter kibitzer, not SC admin From vanguard.code at comcastNIX.net Sat Jan 7 09:13:58 2006 From: vanguard.code at comcastNIX.net (Vanguard) Date: Sat Jan 7 10:15:03 2006 Subject: [SpamCop-List] Re: Blacklisted with questions References: Message-ID: "Mike Easter" wrote in message news:dpol2q$moi$1@news.spamcop.net... Man, time for another cup of coffee. Somehow I read the first line as the overall stats when, in fact, it is the Last Day stats. I don't think I really need anymore granularity than that. 2.7 magnitude and 6100% volume change in the last day (which could be since midnight the prior day or the last 24 hours). 
It doesn't look like anything this poster did has reduced his spam output (since I doubt his non-spam output would be anywhere near that high), or the stats haven't been updated yet to reflect any change in his output. -- _______________________________________________________ ** Post replies to the newsgroup. Share with others. ** For e-mail, remove "NIX" and append "#VC811" to Subject. _______________________________________________________ From nobody at spamcop.net Sat Jan 7 10:12:34 2006 From: nobody at spamcop.net (John Anderson) Date: Sat Jan 7 11:15:06 2006 Subject: [SpamCop-List] Is Spamcop down? Message-ID: Spamcop down? It does not answer From nobody at spamcop.net Sat Jan 7 10:15:03 2006 From: nobody at spamcop.net (John Anderson) Date: Sat Jan 7 11:15:17 2006 Subject: [SpamCop-List] Re: Is Spamcop down? References: Message-ID: "John Anderson" wrote in message news:dpop9f$pdu$1@news.spamcop.net... > Spamcop down? > It does not answer > > > Gateway Timeout The proxy server did not receive a timely response from the upstream server. Reference #1.829528cf.1136650448.2921dc From big_mart_98 at yahoo.com Sat Jan 7 16:59:51 2006 From: big_mart_98 at yahoo.com (Martin Edwards) Date: Sat Jan 7 12:00:03 2006 Subject: [SpamCop-List] Re: Media: Iowa ISP Gets $11B In E-mail Spam Case In-Reply-To: References: <43BEB9E6.BC83537E@spamcop.net> Message-ID: Frog Prince wrote: > "Kenneth Brody" > | > > | > In addition to paying Clinton-based CIS Internet Services, the Florida > | > man has been barred from accessing the Internet for three years. > | > | I'm curious how this is to be enforced, and what penalties would be > | imposed if he gets caught. > | > > It's called contempt of court and depending on the judge the penalties can > be dyconeion (spl?) > > Draconian. From nobody at devnull.spamcop.net Sat Jan 7 11:28:30 2006 From: nobody at devnull.spamcop.net (WazoO) Date: Sat Jan 7 12:30:03 2006 Subject: [SpamCop-List] Re: Is Spamcop down? 
References:
Message-ID:

"John Anderson" wrote in message news:dpop9f$pdu$1@news.spamcop.net...
> Spamcop down?
> It does not answer

For Forum users, I placed a graphic/link at the top of the Forum pages to reflect the Reporting System Server Status. Noting that there in fact was an outage ... big picture seen at http://forum.spamcop.net/forums/index.php?act=module&automodule=custom&page=stats

From bozoz at webtv.net Sat Jan 7 11:11:39 2006
From: bozoz at webtv.net (Imzadi Bozoz)
Date: Sat Jan 7 13:25:07 2006
Subject: [SpamCop-List] Problem With SPAM!
Message-ID: <27116-43C0045B-55@storefull-3252.bay.webtv.net>

Hello. I can't keep SPAM out of my "FULL" email box. I can't even keep it out when I block the box, even though I can't see it.
I have a 1997 Classic PM WebTV.
I was ok until WebTV increased the capacity of the email boxes. Do I need to DECREASE the capacity of my boxes to get rid of the problem?
Any help would be greatly appreciated.
Sincerely,
"Bozoz Imzadi"

From bait-423c86b2-42ff9001 at good.julianhaight.com Sat Jan 7 10:27:24 2006
From: bait-423c86b2-42ff9001 at good.julianhaight.com (Chris F. Willoughby)
Date: Sat Jan 7 13:30:02 2006
Subject: [SpamCop-List] Here's another spam that won't process correctly
Message-ID:

http://www.spamcop.net/sc?id=z853869922ze0d5edca895bcb6db526dee41248af98z

Thoughts?

--
Unhandled exceptions are the bane of my existence.

From devnull at spamcop.net Sat Jan 7 13:33:40 2006
From: devnull at spamcop.net (Frog Prince)
Date: Sat Jan 7 13:35:03 2006
Subject: [SpamCop-List] Re: Media: Iowa ISP Gets $11B In E-mail Spam Case
References: <43BEB9E6.BC83537E@spamcop.net>
Message-ID:

"Martin Edwards"
| > | I'm curious how this is to be enforced, and what penalties would be
| > | imposed if he gets caught.
| > |
| >
| > It's called contempt of court and depending on the judge the penalties can
| > be dyconeion (spl?)
| >
| >
| Draconian.

Yah, that too.
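Mike Easter's reading in the "Blacklisted with questions" thread above, that a DNSBL filter applied to the whole header catches a listed home IP even when the mail is relayed through the ISP's server, worked through as an added example that is not part of any post in this archive. The message, the host names, 192.0.2.25 and the `dnsbl.example` zone are constructed; only 24.62.250.158 and its rDNS name come from the thread.

```python
import ipaddress
import re
from email import message_from_string

# Constructed message: a home PC on the cable IP from the thread (24.62.250.158)
# submits through its ISP's smarthost, which delivers to the work MX.
# Host names, 192.0.2.25 and the dnsbl.example zone are placeholders.
SAMPLE = (
    "Received: from smarthost.isp.example (smarthost.isp.example [192.0.2.25])\n"
    "\tby mx.work.example with ESMTP id A1; Sat, 7 Jan 2006 09:00:02 -0500\n"
    "Received: from homepc (c-24-62-250-158.hsd1.nh.comcast.net [24.62.250.158])\n"
    "\tby smarthost.isp.example with ESMTP id B2; Sat, 7 Jan 2006 09:00:01 -0500\n"
    "Received: by homepc with local id C3; Sat, 7 Jan 2006 09:00:00 -0500\n"
    "From: carl@work.example\n"
    "To: colleague@work.example\n"
    "Subject: status report\n"
    "\n"
    "body\n"
)

ZONE = "dnsbl.example"            # placeholder zone name
BRACKETED = re.compile(r"\[([0-9.]+)\]")


def relay_ips(raw_message):
    """Peer IP recorded in each Received header, newest hop first.

    Hops that record no peer address (such as a local "Received: by ...")
    are skipped rather than guessed at.
    """
    msg = message_from_string(raw_message)
    ips = []
    for header in msg.get_all("Received", []):
        # Only the "from ..." clause names the peer; drop the "by ..." part.
        from_part = re.split(r"(?:^|\s)by\s", header, maxsplit=1)[0]
        for candidate in BRACKETED.findall(from_part):
            try:
                ips.append(str(ipaddress.IPv4Address(candidate)))
                break
            except ipaddress.AddressValueError:
                continue
    return ips


def dnsbl_name(ip, zone=ZONE):
    """Name a DNSBL client looks up: the octets reversed under the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


# Constructed zone data standing in for real DNS answers (keeps this offline).
LISTED_NAMES = {dnsbl_name("24.62.250.158")}


def is_listed(ip):
    return dnsbl_name(ip) in LISTED_NAMES


def listed_hops(raw_message, lookup, scope="connecting"):
    """Return the listed IPs a filter would act on.

    scope="connecting": test only the host that handed the message to our MX.
      That is the one Received line our own server wrote.
    scope="all": test every hop in the header. Lower Received lines are
      written by upstream hosts (or forged by the sender), and this scope
      also hits a legitimate user whose dynamic home IP is listed.
    """
    ips = relay_ips(raw_message)
    checked = ips[:1] if scope == "connecting" else ips
    return [ip for ip in checked if lookup(ip)]


if __name__ == "__main__":
    for scope in ("connecting", "all"):
        hits = listed_hops(SAMPLE, is_listed, scope)
        verdict = "reject" if hits else "accept"
        print(f"{scope:10s} -> {verdict} {hits}")
```
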
From jpp at yahoo.com Sat Jan 7 07:57:00 2006
From: jpp at yahoo.com (jpp@yahoo.com)
Date: Sat Jan 7 14:00:05 2006
Subject: [SpamCop-List] Sound systems and lighting effects at discount prices
Message-ID: <25553336@msn.com>

SonoBoulevard.com wishes you a happy New Year 2006! Discover right away our selection of products for celebrating the new year...

www.SonoBoulevard.com: sound equipment, lighting, music...

- BOOST DANCER LIGHT: half-sphere light projector, color effect, music detection... 39 Euros http://www.sonoboulevard.com/index.php?action=affil&choix=set&affilid=479&IdAffPage=87&naction=detailprod&Id=2
- BOOST WK-360 wireless microphone: wireless dynamic microphone. Range 30 m. Works with or without a cable... 24.9 Euros http://www.sonoboulevard.com/index.php?action=affil&choix=set&affilid=479&IdAffPage=87&naction=detailprod&Id=334
- KARAOKE KA-200 amplifier: power 2 X 100 watts, 2 microphone inputs, volume, balance, echo and bass/mid/treble controls per microphone... 99 Euros http://www.sonoboulevard.com/index.php?action=affil&choix=set&affilid=479&IdAffPage=87&naction=detailprod&Id=96
- BOOST XPA-250 amplifier: new brushed-aluminium look, maximum power (W) 2 * 250W, outputs: Turnlock/binding posts, ventilation, protection: DC, overheating, softstart and short circuit... 189 Euros http://www.sonoboulevard.com/index.php?action=affil&choix=set&affilid=479&IdAffPage=87&naction=detailprod&Id=1341
- BOOST Voice CHANGER: voice changer, effects generator, 8 sound effects with speed controller... 46 Euros http://www.sonoboulevard.com/index.php?action=affil&choix=set&affilid=479&IdAffPage=87&naction=detailprod&Id=268
- BOOST HF-260 dual wireless microphone: high-quality HF microphone, 2 channels, 2 antennas, 2 handheld microphones, frequency range 160 - 250 MHz, range 100 m, bandwidth 40Hz-20KHz, independent volume controls for each microphone... 76 Euros http://www.sonoboulevard.com/index.php?action=affil&choix=set&affilid=479&IdAffPage=87&naction=detailprod&Id=332

Earn money by becoming an affiliate of www.SonoBoulevard.com. Do as I did, sign up as an affiliate and earn 5% of the order totals... To sign up, click here: http://www.sonoboulevard.com/index.php?action=affil&choix=set&affilid=479&IdAffPage=87&naction=affilde

From MikeE at ster.invalid Sat Jan 7 11:01:47 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Sat Jan 7 14:05:03 2006
Subject: [SpamCop-List] Re: Here's another spam that won't process correctly
References:
Message-ID:

Chris F. Willoughby wrote:
www.spamcop.net/sc?id=z853869922ze0d5edca895bcb6db526dee41248af98z

Something has changed about your mailhost's configuration and SC is telling you to get that fixed, because mailhosted accounts can't be different from how they were configured. SC has no flexibility there.

SpamCop received mail from SureWest ( 66.60.130.146 )

66.60.130.146 does not report source IP correctly
No source IP address found, cannot proceed.
Add/edit your mailhost configuration

> Thoughts?

A human parser would just chain down that place where SC ran into the variation and name the source correctly. SC also breaks the chain prematurely for a non-mailhosted account, so something at surewest is unfamiliar.

http://www.spamcop.net/sc?id=z853879792z3bd636b02dbe239a1b85c268d6f1c0c2z
Report Spam to:
Re: 66.60.130.146 (Administrator of network where email originates)
To: abuse@surewest.net

The surewest server is not the source, the source is 213.246.40.46 rDNS ns1004.imingo.net or maybe the IP behind it. The apparent source is likely a server which isn't naming its source.
Abbreviated Received lines                                                         *comment
from mailgate.cesmail.net ([216.154.195.36]) by c60.cesmail.net                    *you
from pop-surewest.mc.surewest.net [66.60.130.146] by mailgate.cesmail.net          *you
from (rg.mc.surewest.net [66.60.130.146]) by mp1.mc.surewest.net                   *you
from (ns1004.imingo.net [213.246.40.46]) by rg2.mc.surewest.net                    *source/relay
Received: by ns1004.imingo.net                                                     *server

--
Mike Easter
kibitzer, not SC admin

From bait-423c86b2-42ff9001 at good.julianhaight.com Sat Jan 7 12:00:19 2006
From: bait-423c86b2-42ff9001 at good.julianhaight.com (Chris F. Willoughby)
Date: Sat Jan 7 15:05:02 2006
Subject: [SpamCop-List] Re: Here's another spam that won't process correctly
References:
Message-ID:

well, I can TRY doing the mailhost thing again.. but that doesn't seem to 'fix' anything. Any other ideas?

Chris

"Mike Easter" wrote in message news:dpp36j$v9h$1@news.spamcop.net...
> Chris F. Willoughby wrote:
> www.spamcop.net/sc?id=z853869922ze0d5edca895bcb6db526dee41248af98z
>
> Something has changed about your mailhost's configuration and SC is
> telling you to get that fixed, because mailhosted accounts can't be
> different from how they were configured. SC has no flexibility there.
>
> SpamCop received mail from SureWest ( 66.60.130.146 )
>
> 66.60.130.146 does not report source IP correctly
> No source IP address found, cannot proceed.
> Add/edit your mailhost configuration
>
>--
> Mike Easter
> kibitzer, not SC admin
>

From MikeE at ster.invalid Sat Jan 7 12:06:44 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Sat Jan 7 15:10:02 2006
Subject: [SpamCop-List] Re: Here's another spam that won't process correctly
References:
Message-ID:

Chris F. Willoughby wrote:
> well, I can TRY doing the mailhost thing again.. but that doesn't
> seem to 'fix' anything. Any other ideas?

There's a really lot I don't understand about reading the parser verbose about mailhost problems.
I'm accustomed to the verbose saying one thing and meaning another, or saying something in a different place than where/when it is going on, but the mailhost error clues are especially ambiguous. What is happening? Some things parse OK and some don't? Or what? -- Mike Easter kibitzer, not SC admin From Ilgaz at spamcop.net Sat Jan 7 22:36:53 2006 From: Ilgaz at spamcop.net (Ilgaz Ocal) Date: Sat Jan 7 15:40:03 2006 Subject: [SpamCop-List] Re: just wtf is MySpace.com? References: Message-ID: On 2006-01-03 22:58:55 +0200, "indigo" said: > > > Berny wrote: >> 5 missives from them about messages to my "account" >> >> What account? could someone (un)wittingly created some account on this >> thing? >> >> Of course the message title sort of gives it away, >> >> "New Message from on MySpace sent December 2" a month ago? and now >> you tell me? >> >> LARTS away > > Myspace is some online community for friend finding and business networking. > Never heard anything bad about them before. Did you check NANAS for spamsign > from them? It's a free service (and not too many ads IIRC), I don't see what > the point of spamming someone from there is.... It has evil "invite" feature. I suspect OP has some excited friends inviting him all over. I tried it, opened an account with my spamcop mail and closed 2 days later. Asides from 3-4 "your account will be closed" alerts, I didn't get any spam whatsoever. Ilgaz From bait-423c86b2-42ff9001 at good.julianhaight.com Sat Jan 7 12:44:06 2006 From: bait-423c86b2-42ff9001 at good.julianhaight.com (Chris F. Willoughby) Date: Sat Jan 7 15:45:02 2006 Subject: [SpamCop-List] Re: Here's another spam that won't process correctly References: Message-ID: Yeah, basically.. The vast majority of my spam parses just fine.. but perhaps 10% or so routinely give me that error about not finding a source. And it's always that particular Surewest IP that it has issues with. 
66.60.130.146 Chris "Mike Easter" wrote in message news:dpp70b$1nc$1@news.spamcop.net... > Chris F. Willoughby wrote: >> well, I can TRY doing the mailhost thing again.. but that doesn't >> seem to 'fix' anything. Any other ideas? > > There's a really lot I don't understand about reading the parser verbose > about mailhost problems. I'm accustomed to the verbose saying one thing > and meaning another, or saying something in a different place than > where/when it is going on, but the mailhost error clues are especially > ambiguous. > > What is happening? Some things parse OK and some don't? Or what? > > -- > Mike Easter > kibitzer, not SC admin > From MikeE at ster.invalid Sat Jan 7 13:25:04 2006 From: MikeE at ster.invalid (Mike Easter) Date: Sat Jan 7 16:25:04 2006 Subject: [SpamCop-List] Re: Here's another spam that won't process correctly References: Message-ID: Chris F. Willoughby wrote: Content-Transfer-Encoding: quoted-printable X-Newsreader: Microsoft Outlook Express 6.00.2900.2670 > The vast majority of my spam parses just fine.. but > perhaps 10% or so routinely give me that error about not finding a > source. And it's always that particular Surewest IP that it has > issues with. 66.60.130.146 Apparently you have a server behavior that isn't in your mailhosts lineup. Seems like if it were in there, you wouldn't have the trouble. PS: Not only are your replies not trimmed or contextualized, but you are posting in OE QP quoted printable. Not a pretty picture. -- Mike Easter kibitzer, not SC admin From jeffg at spamcop.net Sat Jan 7 16:45:56 2006 From: jeffg at spamcop.net (Jeff G.) Date: Sat Jan 7 17:00:03 2006 Subject: [SpamCop-List] Re: Here's another spam that won't process correctly References: Message-ID: Mike Easter wrote: > Chris F. 
Willoughby wrote:
> www.spamcop.net/sc?id=z853869922ze0d5edca895bcb6db526dee41248af98z
> SpamCop received mail from SureWest ( 66.60.130.146 )
>
> 66.60.130.146 does not report source IP correctly
> No source IP address found, cannot proceed.
> Add/edit your mailhost configuration

Chris F. Willoughby wrote:
> it's always that particular Surewest IP that it has
> issues with. 66.60.130.146

Please write to the SpamCop Deputies via deputies[at]spamcop.net requesting a review of what appears to have been their decision not to trust 66.60.130.146, as represented by the SpamCop Parser as "66.60.130.146 does not report source IP correctly".

Also, please don't compromise spamtrap email addresses by revealing them in public like that.

--
Thanks and Best Regards, Jeff G.
http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585

From jeffg at spamcop.net Sat Jan 7 17:01:57 2006
From: jeffg at spamcop.net (Jeff G.)
Date: Sat Jan 7 17:05:02 2006
Subject: [SpamCop-List] Re: Problem With SPAM!
References: <27116-43C0045B-55@storefull-3252.bay.webtv.net>
Message-ID:

Imzadi Bozoz wrote:
> Hello. I can't keep SPAM out of my "FULL" email box. I can't even keep
> it out when I block the box, even though I can't see it.
> I have a 1997 Classic PM WebTV.
> I was ok until WebTV increased the capacity of the email boxes. Do I
> need to DECREASE the capacity of my boxes to get rid of the problem?
> Any help would be greatly appreciated.
> Sincerely,
> "Bozoz Imzadi"

You will need to contact WebTV's support personnel about this problem. They will probably advise you to get a new WebTV email address. If you decide to do that, please notify your contacts of your new email address from your old email address, so as to inspire more trust by your contacts.

--
Thanks and Best Regards, Jeff G.
http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585

From bait-423c86b2-42ff9001 at good.julianhaight.com Sat Jan 7 15:25:14 2006
From: bait-423c86b2-42ff9001 at good.julianhaight.com (Chris F. Willoughby)
Date: Sat Jan 7 18:25:04 2006
Subject: [SpamCop-List] Re: Here's another spam that won't process correctly
References:
Message-ID:

"Jeff G." wrote in message news:dppdf4$6al$1@news.spamcop.net...
> Please write to the SpamCop Deputies via deputies[at]spamcop.net
> requesting a review of what appears to have been their decision not to
> trust 66.60.130.146, as represented by the SpamCop Parser as
> "66.60.130.146 does not report source IP correctly".
>
> Also, please don't compromise spamtrap email addresses by revealing them
> in public like that.
>
> --
> Thanks and Best Regards, Jeff G.
> http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585
>

Uh, spamtrap? I don't have a spamtrap addy... So I'm not really sure what you are referring to.

Chris

From bait-423c86b2-42ff9001 at good.julianhaight.com Sat Jan 7 15:30:02 2006
From: bait-423c86b2-42ff9001 at good.julianhaight.com (Chris F. Willoughby)
Date: Sat Jan 7 18:30:03 2006
Subject: [SpamCop-List] Re: Here's another spam that won't process correctly
References:
Message-ID:

"Mike Easter" wrote in message news:dppbj7$54a$1@news.spamcop.net...
> PS: Not only are your replies not trimmed or contextualized, but you
> are posting in OE QP quoted printable. Not a pretty picture.
>
>
> --
> Mike Easter
> kibitzer, not SC admin

I'm not sure why you say that as I've always trimmed and contextualized as I see appropriate. As far as for using QP. That's because everyone whines if I use HTML.. not to mention I insist on using 8 bit rather than 7. :)

Chris

From bait-423c86b2-42ff9001 at good.julianhaight.com Sat Jan 7 15:32:55 2006
From: bait-423c86b2-42ff9001 at good.julianhaight.com (Chris F.
Willoughby) Date: Sat Jan 7 18:35:03 2006 Subject: [SpamCop-List] Re: Here's another spam that won't process correctly References: Message-ID: Done. We'll see what they have to say. "Jeff G." wrote in message news:dppdf4$6al$1@news.spamcop.net... > Please write to the SpamCop Deputies via deputies[at]spamcop.net > requesting a review of what appears to have been their decision not to > trust 66.60.130.146, as represented by the SpamCop Parser as > "66.60.130.146 does not report source IP correctly". From MikeE at ster.invalid Sat Jan 7 15:36:40 2006 From: MikeE at ster.invalid (Mike Easter) Date: Sat Jan 7 18:40:03 2006 Subject: [SpamCop-List] Re: Here's another spam that won't process correctly References: Message-ID: Chris F. Willoughby wrote: > "Jeff G >> Also, please don't compromise spamtrap email addresses by revealing >> them in public like that. > Uh, spamtrap? I don't have a spamtrap addy... So I'm not really sure > what you are referring to. Jeff's was confusing to me too. Still is. I was going to be quiet since if something slipped past me noticing then I figgered it was 'nearly invisible' ;-) so I was going to leave it alone. PPS: Thanks for fixing OP's QP and contextualizing. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sat Jan 7 15:47:03 2006 From: MikeE at ster.invalid (Mike Easter) Date: Sat Jan 7 18:50:03 2006 Subject: [SpamCop-List] Re: Here's another spam that won't process correctly References: Message-ID: Chris F. Willoughby wrote: > As far as for using QP. That's > because everyone whines if I use HTML.. I don't get it. It's not like your only 'choices' are between html and plaintext mime encoded QP. First and foremost, 'we' don't do html, but plaintext. Second and very important for newsing in an environment with all kinds of different operating systems and news agents, the choices in plaintext in OE are in the plaintext settings for mime encoding, where there's none vs quoted printable [or even b64 for goodness sakes]. 
OE's QP is very incompatible in a nntp environment, especially a 'mixed' environment like this. It appears that you got it reconfigured in the other post. > not to mention I insist on > using 8 bit rather than 7. :) I don't really understand how that pertains to the above, except for where it is configured. Are you talking about allowing 8 bits in the headers? -- Mike Easter kibitzer, not SC admin From jeffg at spamcop.net Sat Jan 7 18:49:58 2006 From: jeffg at spamcop.net (Jeff G.) Date: Sat Jan 7 19:05:03 2006 Subject: [SpamCop-List] Re: Thunderbird OK with Headers References: Message-ID: jg wrote: > I've never used my secret address - can I frwd multi spam to that addy > (now, not when I sign up for SC mail)? Yes, you can, but when doing so please "forward as attachment" and "Keep in mind that the limits of 50,000 bytes per Submitted Spam and 100,000 bytes per Submission Email are still in effect." http://forum.spamcop.net/forums/index.php?showtopic=1848 -- Thanks and Best Regards, Jeff G. http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585 From jeffg at spamcop.net Sat Jan 7 19:15:09 2006 From: jeffg at spamcop.net (Jeff G.) Date: Sat Jan 7 19:20:03 2006 Subject: [SpamCop-List] Re: Here's another spam that won't process correctly References: Message-ID: Chris F. Willoughby wrote in message news:dppikc$94q$1@news.spamcop.net... > "Jeff G." wrote in message > news:dppdf4$6al$1@news.spamcop.net... >> Also, please don't compromise spamtrap email addresses by revealing >> them in public like that. > Uh, spamtrap? I don't have a spamtrap addy... So I'm not really sure > what you are referring to. The message I am replying to includes "From: "Chris F. Willoughby" " (complete with mismatched angle brackets) in its Header Lines. In OE6, that info would be the "E-mail address" field on the "General" Tab in the Properties for your news.spamcop.net Account. 
Please change it to a real address of yours, a munged nondeliverable address that won't impact your ISP, or nobody@spamcop.net. -- Thanks and Best Regards, Jeff G. http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585 From jeffg at spamcop.net Sat Jan 7 19:41:40 2006 From: jeffg at spamcop.net (Jeff G.) Date: Sat Jan 7 19:45:02 2006 Subject: [SpamCop-List] Re: Stupid but aggressive spammer References: Message-ID: Claudio Valderrama C. wrote: > "Hans Salvisberg" wrote in message > news:dinn9h$uca$1@news.spamcop.net... > The reporting addresses (at Telefonica and at Terra) will mix. ... My own research of reporting addresses related to Telefonica and its presence in Argentina and Spain has shown that the following email addresses bounce: abuse@cvtci.com.ar; postmaster@nic.es; postmaster@nic.ar; abuse@nic.ar; postmaster@mrecic.gov.ar; abuse@mrecic.gov.ar; arantza.delallosa@red.es; postmaster@tdatacenter.com; abuse@tdatacenter.com; atina@bardo.mrec.ar; Antonio_Del_Rio_Fernandez/OSI/TESA@telefonica.es, 28SBHC09/SRV/PASARELA_EMAIL@telefonica.es, 28NBHX03/SRV/TESA@telefonica.es, Maria_Ascension_Garcia_Nieto/OSI/TESA@telefonica.es, Francisco_Encinas_Rosillo/OSI/TESA@telefonica.es, Manuel_Capellan_Alvarez/OSI/TESA@telefonica.es, postmaster@ctina.ar; abuse@ctina.ar; postmaster@interdominio.com; abuse@interdominio.com; sysadmin@red.es; tasamail@telefonica.com.ar; postmaster@sceest04.correodeempresas.telefonica.es; postmaster@mail.INTERDOMAIN.ORG, jmsoler@telefonica.es; postmaster@mrse.com.ar; and abuse@mrse.com.ar. -- Best Regards, Jeff G. http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585 From MikeE at ster.invalid Sat Jan 7 16:46:58 2006 From: MikeE at ster.invalid (Mike Easter) Date: Sat Jan 7 19:50:04 2006 Subject: [SpamCop-List] Re: Here's another spam that won't process correctly References: Message-ID: Jeff G. wrote: > Chris F. Willoughby wrote in message >> "Jeff G." 
>>> Also, please don't compromise spamtrap email addresses by revealing
>>> them in public like that.
>> Uh, spamtrap? I don't have a spamtrap addy... So I'm not really sure
>> what you are referring to.
>
> The message I am replying to includes "From: "Chris F. Willoughby" > Message-ID:

Jeff G. wrote:
> The message I am replying to includes "From: "Chris F. Willoughby" > Message-ID:

On Sat, 7 Jan 2006 08:48:02 UTC, "Mike Easter" wrote:
> Spews fundamentally just lists all of comcast and
> pokes some holes for the comcast servers.

Well that is news. If you are one of the favored few you can allow spam and get away with it. Now I see why many people say Spews is bad, I always wondered why some people were so against Spews, now I see.

--
Robert Blair

From MikeE at ster.invalid Sat Jan 7 19:47:53 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Sat Jan 7 22:50:03 2006
Subject: [SpamCop-List] Re: Blacklisted with questions
References:
Message-ID:

Robert Blair wrote:
> "Mike Easter"
>> Spews fundamentally just lists all of comcast and
>> pokes some holes for the comcast servers.
>
> Well that is news. If you are one of the favored few you can allow
> spam and get away with it. Now I see why many people say Spews is
> bad, I always wondered why some people were so against Spews, now I
> see.

I'm not sure if I understand if you are disappointed in spews because they list all of comcast except the servers or if your disappointment is because they /don't/ list the servers.

The principle, as it appears to those observing spews listings, behind spews is that they start by listing spamsources or spamveriders - spamvertiser providers - or other forms of spam support - say just a single IP. If the provider for the spamsource or spamverider or spamsupporter doesn't resolve the problem, then spews might list a little block of IPs -- and so forth so that there is progressively more listing for the lack of response to the known spam source.
This can progress to very large blocks or even numbers of very large blocks. This creates the effect of collateral damage - which some spamfighters are philosophically against - but it /is/ true that those 'collaterals' are paying their money to and supporting a spam supporter. If the collaterals wouldn't support the spam supporter then the problem of spam would actually be 'over' pretty fast, just like if the 'public' wouldn't financially support spam then there wouldn't be any. So, in the name of listing progressively larger blocks because the provider didn't secure the comcast spamsources, all of comcast has become blocklisted. Theoretically that should also include all of the comcast servers. Perhaps the spews listing would be more effective if it included all of the comcast servers as well as all of the individual comcast user IPs. -- Mike Easter kibitzer, not SC admin From jeffg at spamcop.net Sat Jan 7 23:52:03 2006 From: jeffg at spamcop.net (Jeff G.) Date: Sat Jan 7 23:55:05 2006 Subject: [SpamCop-List] Re: Shaw Cable Refuses Munged Reports References: Message-ID: "spamacyde" wrote in message news:diqs92$tj3$1@news.spamcop.net... > What are legitimate reasons for refusing munged reports? Imagine the following scenario: Spammer signs up with ISP A for IP connectivity, and executes a contract for that purpose. Spammer signs up with ISP B for email connectivity for Email Address A, and executes a contract for that purpose. Spammer signs up with ISP C for webhosting of Domain A, and executes a contract for that purpose. Spammer uses its ISP A connectivity to send a spam email message to SC Reporters A and B (who both munge, among others), from Email Address A, spamvertising Domain A. SC Reporters A and B submit SC Reports for the spam email message, and one of them includes a User Notification Report of spammy use of Email Address A to ISP B. The Reports go to ISPs A, B, and C. All three ISPs terminate their relationships with Spammer. 
(you're still imagining, right?) Spammer threatens to sue all three ISPs for any number of causes in civil court. All three ISPs' Legal Departments or outside Attorneys fail to ask SC Reporters A and B for the unmunged version of the spam email message, or don't get timely responses. Spammer wins all three cases or are forced to settle out of court due to insufficient evidence of Spammer's complicity in sending the spam email message. All three ISPs' Legal Departments or outside Attorneys instruct their Abuse Desks to no longer accept munged SC Reports, as they're useless in court, and to keep their mouths shut about confidential, internal, proprietary, and trade secret reasons for doing what they do. All three ISPs' Abuse Desks ask SpamCop to no longer send them munged Reports. It could happen. It probably has happened. Another scenario is an ISP that doesn't have the disk space, software, CPU time, or will to do extensive logging of email messages that pass through its servers, and only logs the internal connecting IP Address, To, and Subject. A third scenario is an ISP that has a policy of challenging its customers' Reported spammy-looking email messages, requesting signup details for the Reporters' email addresses. A fourth scenario is an ISP that has an underfunded Abuse Desk that doesn't have the time (to do the extra research) or the patience (to deal with the hassle) necessary for munged SC Reports vs. unmunged SC Reports. -- Best Regards, Jeff G. http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585 From / at /.cn Sun Jan 8 16:40:29 2006 From: / at /.cn (Petzl) Date: Sun Jan 8 00:45:02 2006 Subject: [SpamCop-List] Re: Problem With SPAM! References: <27116-43C0045B-55@storefull-3252.bay.webtv.net> Message-ID: "Imzadi Bozoz" wrote in message news:27116-43C0045B-55@storefull-3252.bay.webtv.net... > Hello. I can't keep SPAM out of my "FULL" email box. I can't even keep > it out when I block the box, even though I can't see it. 
> I have a 1997 Classic PM WebTV.
> I was ok until WebTV increased the capacity of the email boxes. Do I
> need to DECREASE the capacity of my boxes to get rid of the problem?
> Any help would be greatly appreciated.
>

Working Email addresses need to be kept hidden,
Use a free throwaway address like hotmail for places like newsgroups and "first contact"
Choose a login that has at least eight Alphanumeric characters or more like hard_2_guess [at] hotmail

If you really want an email address that is effective in very accurately sorting only legitimate email to your inbox you need a spamcop email account
http://www.spamcop.net/ces/individuals.shtml
You can keep your old email address
SpamCop's Email account will sort all spam and remove viruses sent to it.
Spam is sent to a Very Easy Reporting (VER) folder
http://home.iprimus.com.au/petzl/Spamcops.png
all reported to SpamCop at click of mouse and feeding the SCBL (SpamCop Black List)
It is best to dump the email address an ISP gives one.
Use the SpamCop one as it is the only email address you will ever need
If it proves not to be your "cup of tea" a refund is cheerfully given within two weeks of trying

I'm just a user of SpamCop and have been since last century, having the only email address I will ever need

Sydney Australia
Petzl

From nobody at spamcop.net Sat Jan 7 22:16:18 2006
From: nobody at spamcop.net (Chris F. Willoughby)
Date: Sun Jan 8 01:20:04 2006
Subject: [SpamCop-List] Re: Here's another spam that won't process correctly
References:
Message-ID:

I believe my system will reply in whatever format the original poster posted in. OE doesn't explain the difference between QP and non-QP nor any of the other modes. I've found that the way I currently have it configured seems to work on just about any system. I used to sometimes get rejections from news servers for posting in a format that wasn't accepted.
*shrug* I personally don't have any issue with HTML or any other format in as much as I'm not forced to use one because someone ELSE says so. Anyway, since OE doesn't explain things clearly I had to 'guess' as to what works best. QP seems to make logical sense. Yes, in reference to your question I *was* talking about allowing 8 bit headers. :) Chris "Mike Easter" wrote in message news:dppjte$a7a$1@news.spamcop.net... > I don't get it. It's not like your only 'choices' are between html and > plaintext mime encoded QP. > > First and foremost, 'we' don't do html, but plaintext. > > Second and very important for newsing in an environment with all kinds > of different operating systems and news agents, the choices in plaintext > in OE are in the plaintext settings for mime encoding, where there's > none vs quoted printable [or even b64 for goodness sakes]. > > OE's QP is very incompatible in a nntp environment, especially a 'mixed' > environment like this. > > It appears that you got it reconfigured in the other post. > > I don't really understand how that pertains to the above, except for > where it is configured. Are you talking about allowing 8 bits in the > headers? > > -- > Mike Easter > kibitzer, not SC admin > From nobody at spamcop.net Sat Jan 7 22:17:17 2006 From: nobody at spamcop.net (Chris F. Willoughby) Date: Sun Jan 8 01:20:12 2006 Subject: [SpamCop-List] Re: Here's another spam that won't process correctly References: Message-ID: "Mike Easter" wrote in message news:dppj9v$9mm$1@news.spamcop.net... > Jeff's was confusing to me too. Still is. I was going to be quiet > since if something slipped past me noticing then I figgered it was > 'nearly invisible' ;-) so I was going to leave it alone. > > > PPS: Thanks for fixing OP's QP and contextualizing. > > -- > Mike Easter > kibitzer, not SC admin The odd thing is I haven't done anything different than I normally do.. 
*lol* Chris From nobody at spamcop.net Sat Jan 7 22:21:54 2006 From: nobody at spamcop.net (Chris F. Willoughby) Date: Sun Jan 8 01:25:03 2006 Subject: [SpamCop-List] Re: Here's another spam that won't process correctly References: Message-ID: I'm glad we're all on the same page now. 8-) I already fixed it and some stuff was dealt with via e-mail. The only thing I can think of is that at the time I thought configuring that as a from and sticking a reply to as something valid would be ok.. Considering that spammers quite possibly read these NGs and get e-mail addresses from them. Anyway, the less said the better I think. hehe Chris "Mike Easter" wrote in message news:dppooo$dcc$1@news.spamcop.net... > Oooohhhh! I get it. Chris put a spamtrap bait in his OE's newsagent > From. > > I didn't see it because my OEQF is configured to make very short little > attributions which don't include the email addy. > > I'm all straightened out now. > > Don't do that, Chris. Wake up, Mike. Good job, Jeff. > > > -- > Mike Easter > kibitzer, not SC admin > From bozoz at webtv.net Sat Jan 7 23:25:24 2006 From: bozoz at webtv.net (Imzadi Bozoz) Date: Sun Jan 8 01:35:03 2006 Subject: [SpamCop-List] Re: Problem With SPAM! References: Message-ID: <5555-43C0B054-239@storefull-3257.bay.webtv.net> Thanks for the advice. I did call WebTV and they said for me to leave the email address I use for posting, idle for about 6 months. Then delete the accumulated SPAM and try posting with it again. Weird, how, even though it is FULL. SPAM can still get in! Even when I BLOCKED the box, SPAM still came in. I could see the red light! I had the SPAM block checked, but not the "approved senders' list". I did check that also now. Maybe that will make a difference. I can't totally leave that email addy idle, because it is tied to my websites, but I can refrain from using it for posting and email. They didn't suggest that I get a new email address....which I couldn't do, if it messes me up with my website. 
(Not the WebTV website...the one on Tripod) I have a hotmail account, but don't know how to use it for posting on WebTV newsgroups. If I could do that it would save me a lot of trouble. If I can't get anything solved those 2 ways, I will get the mail box at spamcop. I also have a computer, but I like to do the WebTV newsgroups and keep my WebTV connection. (The people seem to be more friendly.) I have never tried to get the WebTV newsgroups with my PC. I have started to try it, but is asks for a password and name. I think WebTV has a firewall to keep out PC users...or has that changed? I always felt that I would get viruses from accessing WebTV Newsgroups with my PC. My ISP is GREAT for keeping out SPAM for the PC. I don't get any at all there. It is stopped at the server. Once again, thanks. :-) Imzadi :-) bozoz@webtv.net From ycbs at blackhole.invalid Sat Jan 7 23:13:44 2006 From: ycbs at blackhole.invalid (NormanM) Date: Sun Jan 8 02:15:03 2006 Subject: [SpamCop-List] Re: Blacklisted with questions References: Message-ID: <1r57zj4ednywl$.dlg@pacbell.net> On Sun, 8 Jan 2006 03:29:34 +0000 (UTC), Robert Blair wrote: > On Sat, 7 Jan 2006 08:48:02 UTC, "Mike Easter" > wrote: >> Spews fundamentally just lists all of comcast and >> pokes some holes for the comcast servers. > Well that is news. If you are one of the favored few you can allow > spam and get away with it. Now I see why many people say Spews is > bad, I always wondered why some people were so against Spews, now I > see. I have seen Comcast SMTP output servers listed by SPEWS: |http://www.spamcop.net/sc?id=z854131017zca3428eee54dbd1f9e5e4461fddad9a4z I altered the message headers to obfuscated email addresses, and to bring the date current for a test parse; then canceled the reports. The November date in the message part is the actual date of the message; I can't find a more current listing. My MTA would only tag the connecting IP address, not the submission IP address. 
-- Norman ~Oh Lord, why have you come ~To Konnyu, with the Lion and the Drum From bar_n0ne at hotmail.com Sun Jan 8 12:48:47 2006 From: bar_n0ne at hotmail.com (Berny) Date: Sun Jan 8 03:50:07 2006 Subject: [SpamCop-List] Re: Blacklisted with questions References: <1r57zj4ednywl$.dlg@pacbell.net> Message-ID: "NormanM" wrote in message news:1r57zj4ednywl$.dlg@pacbell.net... > On Sun, 8 Jan 2006 03:29:34 +0000 (UTC), Robert Blair wrote: > > > On Sat, 7 Jan 2006 08:48:02 UTC, "Mike Easter" > > wrote: > > >> Spews fundamentally just lists all of comcast and > >> pokes some holes for the comcast servers. > > > Well that is news. If you are one of the favored few you can allow > > spam and get away with it. Now I see why many people say Spews is > > bad, I always wondered why some people were so against Spews, now I > > see. > > I have seen Comcast SMTP output servers listed by SPEWS: > > |http://www.spamcop.net/sc?id=z854131017zca3428eee54dbd1f9e5e4461fddad9a4z Do you mean SCBL (SpamCop Block List) ? here? > > I altered the message headers to obfuscated email addresses, and to bring > the date current for a test parse; then canceled the reports. The November > date in the message part is the actual date of the message; I can't find a > more current listing. My MTA would only tag the connecting IP address, not > the submission IP address. > > -- > Norman > ~Oh Lord, why have you come > ~To Konnyu, with the Lion and the Drum From bar_n0ne at hotmail.com Sun Jan 8 12:55:49 2006 From: bar_n0ne at hotmail.com (Berny) Date: Sun Jan 8 04:00:03 2006 Subject: [SpamCop-List] Re: Blacklisted with questions References: <1r57zj4ednywl$.dlg@pacbell.net> Message-ID: "Berny" wrote in message news:dpqjlk$r30$1@news.spamcop.net... > SNIPPED > > |http://www.spamcop.net/sc?id=z854131017zca3428eee54dbd1f9e5e4461fddad9a4z > > Do you mean SCBL (SpamCop Block List) ? here? 
sorry, just saw the X-Blocked line From nobody at nowhere.invalid Sun Jan 8 14:26:40 2006 From: nobody at nowhere.invalid (Steven Maesslein) Date: Sun Jan 8 08:30:04 2006 Subject: [SpamCop-List] Re: Problem With SPAM! References: <5555-43C0B054-239@storefull-3257.bay.webtv.net> Message-ID: On Sat, 7 Jan 2006 23:25:24 -0700, Imzadi Bozoz coughed into spamcop and left this in <5555-43C0B054-239@storefull-3257.bay.webtv.net>: > Weird, how, even though it is FULL. SPAM can still get in! Even when > I BLOCKED the box, SPAM still came in. Isn't there going to be a problem with the warranty if WebTV finds out that you've been stuffing luncheon meat into the WebTV box? -- Steve If carrots are so good for the eyes, how come I see so many dead rabbits on the highway? From MikeE at ster.invalid Sun Jan 8 05:27:51 2006 From: MikeE at ster.invalid (Mike Easter) Date: Sun Jan 8 08:30:12 2006 Subject: [SpamCop-List] Re: Problem With SPAM! References: <5555-43C0B054-239@storefull-3257.bay.webtv.net> Message-ID: Imzadi Bozoz wrote: > They didn't suggest that I get a new email address....which I > couldn't do, if it messes me up with my website. (Not the WebTV > website...the one on Tripod) As a person with both a webtv account and a regular access account, and both a webtv website and a non-webtv website, you likely have knowledge and experience in some areas that not many people do. Most of us here don't know much about webtv. I've done some searching in the past to answer webtv questions in the 24hoursupport.helpdesk ng and have gathered up a collection of 'reference' websites which cover the webtv plans and hardware from the beginning to the present. I still have some questions about things I don't understand that I might ask you, but this isn't actually the right ng for it. > I have a hotmail account, but don't know how to use it for posting > on WebTV newsgroups. If I could do that it would save me a lot of > trouble. 
If I can't get anything solved those 2 ways, I will get > the mail box at spamcop. I don't know how it works about the 'webtv' newsgroups. I do know that I've read sites which name over 230 alt.discuss.* ng/s which seems to imply that those are webtv groups. Certainly the regular nntp newsservers that I access just carry 'a few' alt.discuss groups and a very few groups with webtv in the name, such as alt.online-service.webtv. There are also some specifically google groups for webtv, but google doesn't carry any more alt.discuss groups than a 'normal' nntp newsserver. Certainly not 230. It is my understanding that those webtv-ers who don't have 'regular' access are encouraged to use some kind of webtv news interface or google groups, but its that webtv news interface that I don't know much about. > I also have a computer, but I like to do the WebTV newsgroups and > keep my WebTV connection. (The people seem to be more friendly.) Every community has its unique flavor. > I have never tried to get the WebTV newsgroups with my PC. I have > started to try it, but is asks for a password and name. I think WebTV > has a firewall to keep out PC users...or has that changed? It is hard for us outside of webtv to figure out how things work 'inside' of webtv -- and I think not very many people have probed or searched around trying to see what kind of webtv world they can get into. > I always felt that I would get viruses from accessing WebTV > Newsgroups with my PC. I don't think I understand that concept. I can only look at that issue from the perspective of a 'regular' accessor to nntp newsgroups who is using a vulnerable operating system and a vulnerable newsreader. There are plenty of viruses dropped into regular newsgroups, and thus plenty of opportunities to behave insecurely using a regular system. I don't think the alt.discuss newsgroups would be any better or worse about that -- if you are wondering if alt.discuss groups are more dangerous than others. 
-- Mike Easter kibitzer, not SC admin From nobody at nowhere.invalid Sun Jan 8 14:31:01 2006 From: nobody at nowhere.invalid (Steven Maesslein) Date: Sun Jan 8 08:35:04 2006 Subject: [SpamCop-List] Re: Here's another spam that won't process correctly References: Message-ID: On Sat, 7 Jan 2006 15:47:03 -0800, Mike Easter coughed into spamcop and left this in : > I don't really understand how that pertains to the above, except for > where it is configured. Are you talking about allowing 8 bits in the > headers? 8-bit characters in headers are a no-no. Period. I suspect this pertains to allowing 8-bit characters in the body instead of encoding them in Quoted-Pukeable or base64. This said, a posting which is just a succession of lines that run off the right of the screen are generally the result of someone using QP, and they're a real nuisance. Especially when they're top-posted, meaning that the only stuff that's readable is the quoted text, which we've already read (so there's no need to quote it in its entirety). -- Steve Computers are like air conditioners They stop working properly when you open Windows From nobody at devnull.spamcop.net Sun Jan 8 08:34:52 2006 From: nobody at devnull.spamcop.net (Miss Betsy) Date: Sun Jan 8 08:35:12 2006 Subject: [SpamCop-List] Re: Blacklisted with questions References: Message-ID: "Mike Easter" wrote in message news:dpq20v$hv0$1@news.spamcop.net... > So, in the name of listing progressively larger blocks because the > provider didn't secure the comcast spamsources, all of comcast has > become blocklisted. Theoretically that should also include all of the > comcast servers. > > Perhaps the spews listing would be more effective if it included all of > the comcast servers as well as all of the individual comcast user IPs. I suppose it depends on what the blocking intends to do. I am surprised that SPEWS allows comcast servers since their stance has not been sympathetic to the 'poor innocent bystander'. 
Just out of curiosity, does that mean that comcast has fairly good spam control AFA its customers being allowed to send spam through its servers? (I understand that most of the spam comes from compromised computers and that, in spite of saying it would do something, apparently still does not make any effective move to get customers to clean their machines) Miss Betsy an almost new internet user From MikeE at ster.invalid Sun Jan 8 05:52:52 2006 From: MikeE at ster.invalid (Mike Easter) Date: Sun Jan 8 08:55:03 2006 Subject: [SpamCop-List] Re: Blacklisted with questions References: Message-ID: Miss Betsy wrote: > "Mike Easter" >> So, in the name of listing progressively larger blocks because the >> provider didn't secure the comcast spamsources, all of comcast has >> become blocklisted. Theoretically that should also include all of >> the comcast servers. For example, when spews is 'on the march' about some 'typical' netblock, as the spews coverage expands, it doesn't typically 'poke holes' for the servers. If the servers become 'ensnared' by the spews blocklisting, then anyone who is inside of that would have to be getting some kind of alternate mail service. >> Perhaps the spews listing would be more effective if it included all >> of the comcast servers as well as all of the individual comcast user >> IPs. > > I suppose it depends on what the blocking intends to do. I am > surprised that SPEWS allows comcast servers since their stance has > not been sympathetic to the 'poor innocent bystander'. I would guess that spews [what/whoever that is] might be thinking that that is just 'too much' -- too many innocent bystanders, too much 'static' about spews not having to account to anyone for whatever they might choose to list. The business of listers getting sued for listing -- which is pretty crazy when you think of it -- can be problematic. 
> Just out of curiosity, does that mean that comcast has fairly good > spam control AFA its customers being allowed to send spam through > its servers? I don't think that comcast is any worse than any other provider about that. It behooves a big provider to not have its servers listed in important blocklists, because that affects the delivery of mail sent by its customers. > (I understand that most of the spam comes from > compromised computers and that, in spite of saying it would do > something, apparently still does not make any effective move to get > customers to clean their machines) The general situation about big providers is that they make public statements about what they are going to do -- my provider EL EarthLink claims to be part of a big coalition doing things to remedy its users being spamsources -- which seemingly would include shutting down the trojanized spamsources and/or blocking their port 25 access -- but in reality all EL has done is make public statements. The number of trojanized spamspewing mindspring IPs which are multilisted all over the place hasn't changed a bit over the course of the statements or the formation of the antispam coalition. It is all just publicity hype -- no action. Apparently it must be a difficult policy to implement - or something. Part of the problem is that there isn't any kind of 'law' that can be effectively used to motivate those providers to perform according to what their responsibilities would seem to be. EL should 'have to' have some control of its users spamsourcing, besides it being just a good idea. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sun Jan 8 05:57:57 2006 From: MikeE at ster.invalid (Mike Easter) Date: Sun Jan 8 09:00:04 2006 Subject: [SpamCop-List] Re: Here's another spam that won't process correctly References: Message-ID: Chris F. Willoughby wrote: > "Mike Easter" >> PPS: Thanks for fixing OP's QP and contextualizing. 
> The odd thing is I haven't done anything different than I normally > do.. *lol* You're right. You haven't fixed the QP. It is probably time to filter you out. -- Mike Easter kibitzer, not SC admin From Kilgallen at SpamCop.net Sun Jan 8 08:53:41 2006 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Sun Jan 8 09:55:03 2006 Subject: [SpamCop-List] Re: Shaw Cable Refuses Munged Reports References: Message-ID: In article , "Jeff G." writes: > All three ISPs terminate their relationships with Spammer. (you're still > imagining, right?) > It could happen. It probably has happened. Well, not that first part I quoted :-) From jg at coks.net Sun Jan 8 07:52:01 2006 From: jg at coks.net (jg) Date: Sun Jan 8 10:50:16 2006 Subject: [SpamCop-List] Re: Thunderbird OK with Headers In-Reply-To: References: Message-ID: On 1/6/2006 2:06 PM Jeff G. scribbled: > "jg" wrote in message > news:dp7eoq$4tp$2@news.spamcop.net... > >>I forward to all sorts of addys as well as reporting to SC and >>get replies, rarely a carbon based lifeform, tho... > > > If you do that all in one email message per spam, please make sure that > your Confidential Submit Address remains confidential by putting it in > the BCC field. > > Thanks and Best Regards, Jeff G. > http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585 > Strike 2 - saw this after 1st 2 attempts - about the same time I saw the bit on 100k limit. Thanks for that input - I saw none of that in the FAQ, but probably didn't look in the right spot? Now is my confidential address ng? Should I contact/alert admin on the matter? I've never used bcc before, much less in that fashion... 
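
Added example, not part of any post in this thread and not SpamCop's own code: a Python sketch of the submission discussed above, with several spams forwarded as attachments in one message and the submit address used only as an envelope (BCC-style) recipient. The addresses, the sample spams, the function names and the header set treated as "complete" are assumptions made for the example; the size limit is the "100k limit" mentioned in the thread.

```python
"""Forward spams as attachments while keeping the submit address out of the headers."""
from email import message_from_bytes, policy
from email.message import EmailMessage

SIZE_LIMIT = 100 * 1024                             # the "100k limit" from the thread
SUBMIT_ADDR = "submit.PLACEHOLDER@spamcop.example"  # constructed placeholder
REPORTER = "reporter@example.org"                   # constructed
REQUIRED = ("Received", "From", "Date")             # assumption: minimum "complete" header


def sample_spam(n):
    """Constructed sample message with a full header block."""
    return (b"Received: from mx.sender.example (192.0.2.%d)\r\n"
            b"\tby mail.reporter.example with SMTP; Sun, 8 Jan 2006 10:00:00 +0000\r\n"
            b"From: offers@sender.example\r\n"
            b"Date: Sun, 8 Jan 2006 10:00:00 +0000\r\n"
            b"Subject: Constructed sample %d\r\n"
            b"\r\n"
            b"Sample body %d.\r\n") % (n, n, n)


def build_submission(raw_spams, sender, visible_rcpts, hidden_rcpts):
    """Return (message, envelope recipients); hidden_rcpts never reach a header."""
    outer = EmailMessage()
    outer["From"] = sender
    outer["To"] = ", ".join(visible_rcpts)
    outer["Subject"] = "spam report (%d attached)" % len(raw_spams)
    outer.set_content("Forwarded as attachments.\n")
    for raw in raw_spams:
        # Attaching a parsed message object yields a message/rfc822 part,
        # so each spam travels with its own untouched header block.
        outer.add_attachment(message_from_bytes(raw, policy=policy.default))
    # BCC semantics: the address is used at SMTP RCPT time only.
    # (smtplib's send_message likewise strips any Bcc header before sending.)
    return outer, list(visible_rcpts) + list(hidden_rcpts)


def build_leaky_submission(raw_spams, sender, submit_addr):
    """Constructed counter-example: submit address in To, spam headers lost."""
    outer = EmailMessage()
    outer["From"] = sender
    outer["To"] = "abuse@isp.example, " + submit_addr
    outer["Subject"] = "Fw: spam"
    outer.set_content("see attached\n")
    for raw in raw_spams:
        body_only = raw.split(b"\r\n\r\n", 1)[1].decode("ascii")
        outer.add_attachment(body_only, filename="spam.txt")  # text/plain part
    return outer


def to_wire(msg):
    """Serialize the way it would be handed to an SMTP server."""
    return msg.as_bytes(policy=policy.SMTP)


def check_submission(wire, secret_addr, limit=SIZE_LIMIT):
    """Return a list of problems found in a serialized submission."""
    problems = []
    if len(wire) > limit:
        problems.append("size %d exceeds limit %d" % (len(wire), limit))
    outer = message_from_bytes(wire, policy=policy.default)
    for name, value in outer.items():
        if secret_addr.lower() in str(value).lower():
            problems.append("submit address visible in %s header" % name)
    parts = list(outer.iter_attachments())
    if not parts:
        problems.append("no attachments found")
    for n, part in enumerate(parts, 1):
        ctype = part.get_content_type()
        if ctype != "message/rfc822":
            problems.append("attachment %d is %s, not message/rfc822" % (n, ctype))
            continue
        inner = part.get_content()          # the embedded message object
        missing = [h for h in REQUIRED if inner[h] is None]
        if missing:
            problems.append("attachment %d lacks %s" % (n, ", ".join(missing)))
    return problems


if __name__ == "__main__":
    spams = [sample_spam(1), sample_spam(2)]
    good, envelope = build_submission(spams, REPORTER, [REPORTER], [SUBMIT_ADDR])
    print("envelope:", envelope)
    print("good:", check_submission(to_wire(good), SUBMIT_ADDR))
    leaky = build_leaky_submission(spams, REPORTER, SUBMIT_ADDR)
    print("leaky:", check_submission(to_wire(leaky), SUBMIT_ADDR))
```
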
From nobody at nowhere.not Sun Jan 8 18:24:21 2006
From: nobody at nowhere.not (Robert Blair)
Date: Sun Jan 8 13:25:13 2006
Subject: [SpamCop-List] Re: Blacklisted with questions
References:
Message-ID:

On Sun, 8 Jan 2006 03:47:53 UTC, "Mike Easter" wrote:

> >> Spews fundamentally just lists all of comcast and
> >> pokes some holes for the comcast servers.
> >
> > Well that is news. If you are one of the favored few you can allow
> > spam and get away with it. Now I see why many people say Spews is
> > bad, I always wondered why some people were so against Spews, now I
> > see.
>
> I'm not sure if I understand if you are disappointed in spews because
> they list all of comcast except the servers or if your disappointment is
> because they /don't/ list the servers.

Because they don't list the servers. From what I know Spews keeps
making the IP block larger to try to get the ISP to clean up their
mess. Punching holes in a large block to allow the ISP to bypass
being injured is not going to make anyone try to clean up their act.
I have never heard of Spews punching holes for servers for small ISPs,
they just list the entire IP block. So as I said above if you are one
of the privileged few you do not need to keep your IP space clean.

--
Robert Blair

From MikeE at ster.invalid Sun Jan 8 10:30:45 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Jan 8 13:35:03 2006
Subject: [SpamCop-List] Re: Blacklisted with questions
References:
Message-ID:

Robert Blair wrote:
> "Mike Easter"
>> I'm not sure if I understand if you are disappointed in spews because
>> they list all of comcast except the servers or if your
>> disappointment is because they /don't/ list the servers.
>
> Because they don't list the servers. From what I know Spews keeps
> making the IP block larger to try to get the ISP to clean up their
> mess. Punching holes in a large block to allow the ISP to bypass
> being injured is not going to make anyone try to clean up their act.
> I have never heard of Spews punching holes for servers for small ISPs, > they just list the entire IP block. So as I said above if you are one > of the privileged few you do not need to keep your IP space clean. I agree that not listing comcast's servers is the 'cowardly' approach. My own feeling is that if spews wanted to be consistent in its 'policies', then it should have the comcast servers on its spews2 list already, and then, one by one, over the course of some weeks, begin adding the servers to the spews1. The result of that would be that tens of thousands of comcast users would be having trouble the first advance, and soon it would be hundreds of thousands. The problem is that spews would get a lot of adverse publicity, and then the hue and cry would go up 'globally' - instead of just in nanae and a few websites - about how spews unbridled influence should be curtailed - along with the unbridled influence of other blocklists, including spamcop's. -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Sun Jan 8 11:45:04 2006 From: nobody at spamcop.net (N. Miller) Date: Sun Jan 8 14:50:14 2006 Subject: [SpamCop-List] Re: Here's another spam that won't process correctly References: Message-ID: <1kgntnx8t3ijb$.dlg@news.spamcop.net> On Sat, 7 Jan 2006 22:16:18 -0800, Chris F. Willoughby wrote: > I believe my system will reply in whatever format the original poster posted in. OE doesn't explain the difference between QP and non-QP nor any of the other modes. I've found that the way I currently have it configured seems to work on just about any system. I used to sometimes get rejections from news servers for posting in a format that wasn't accepted. *shrug* I personally don't have any issue with HTML or any other format in as much as I'm not forced to use one because someone ELSE says so. > > Anyway, since OE doesn't explain things clearly I had to 'guess' as to what works best. QP seems to make logical sense. 
>
> Yes, in reference to your question I *was* talking about allowing 8 bit headers. :)

Ah, now I see. I just posted two messages to spamcop.test; one using your
settings, the other disabling the 8-bit allowance (not for headers, I
think, but the message body; useful for posting in exotic characters, such
as CJK, I expect), and setting the MIME type to "None". There is a
significant difference. I will _not_ edit the quoted text of your post.

As I am looking at my compose window, I see three long lines extending to
the right, not wrapping. In my test posts, the one using your
configuration looks like that when I reply. The other post, changed to MIME
type = "None", wraps the quoted text nicely in the reply compose window.

Frankly, I find it annoying when I see such in the reply compose window.
It also gets messy when the next person to reply retains the original
quote; leading to interspersed short lines in between the normal 76
character lines. Typical MSFT idiocy, which they foist onto unsuspecting
users; who just don't know any better. Now I know why I see such nonsense.

--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum

From blacklist-me at davjam.org Sun Jan 8 20:16:33 2006
From: blacklist-me at davjam.org (David Bolt)
Date: Sun Jan 8 15:20:03 2006
Subject: [SpamCop-List] Re: Spamcop claims my address bounces
References:
Message-ID:

On Sat, 7 Jan 2006, Larry Kilgallen wrote:-

>In article , David Bolt > writes:
>> Having happened twice again today[0], I don't think it's anything to do
>> with the mail server problems. It would be interesting to know just what
>> is causing the problem though especially since, in between the two times
>> today that I had to reset the bounce flag, there was a batch of about 50
>> spams and no attempts to deliver the "ready to report" mails.
>
>For a month or so I have been getting recycled bounce flag settings.
>I say "recycled" because the text it claims was returned by my host >is no longer present in that file on the host. > >Recently I got one case where the spamcop mail system was bouncing >mail sent by the spamcop reporting system citing reasons that were >not intelligible to me. It looks like there may still be a problem as I've just had to reset the bounce flag again. This bounce-flag problem makes for a wonderful situation here. I'd submitted over a hundred spams to report and, when I didn't receive a reply, checked an older report to see if the flag needed resetting again. Unfortunately, it did. Now, I don't know if the reports I sent were /dev/null'd, because the system thinks I'm bouncing mail, or if they've been delayed due to some other system problem. My only way to find out is to keep checking to see if SpamCop thinks I've something to report and, if nothing turns up in the next several hours, something like twelve just to be sure, resubmit those that haven't become too old. Regards, And have a Happy New Year David Bolt -- Member of Team Acorn checking nodes at 50 Mnodes/s: http://www.distributed.net/ AMD1800 1Gb WinXP/SUSE 9.3 | AMD2400 256Mb SuSE 9.0 | A3010 4Mb RISCOS 3.11 AMD2400(32) 768Mb SUSE 10.0 | RPC600 129Mb RISCOS 3.6 | Falcon 14Mb TOS 4.02 AMD2600(64) 512Mb SUSE 10.0 | A4000 4Mb RISCOS 3.11 | STE 4Mb TOS 1.62 From MikeE at ster.invalid Sun Jan 8 12:31:20 2006 From: MikeE at ster.invalid (Mike Easter) Date: Sun Jan 8 15:35:03 2006 Subject: [SpamCop-List] Re: Here's another spam that won't process correctly References: <1kgntnx8t3ijb$.dlg@news.spamcop.net> Message-ID: N. Miller wrote: > Chris F. Willoughby wrote: > Ah, now I see. I just posted to messages to spamcop.test; one using > your settings, the other disabling the 8-bit allowance (not for > headers, I think, but the message body; useful for posting in exotic > characters, such as CJK, I expect), and setting the MIME type to > "None". There is a significant difference. 
I will _not_ edit the > quoted text of your post. There is a lot bigger problem than what your testing has shown you. I think that Chris must not fully appreciate how big the problem of OE QP is. > As I am looking at my compose window, I see three long lines > extending to the right, not wrapping. In my test posts, the one using > your configuration looks like that when I reply. The other post, > change to MIME type = "None", wraps the quoted text nicely in the > reply compose window. Let's just keep the whole subject and confusion about the 8 bit business out of the discussion. I only want to focus on one thing now, OE QP and the fact that it is noncompliant and also handled badly by any number of systems, not the least of which is 'normal' OE which isn't enhanced by OE QF - where QF is for QuoteFix as opposed to QP for QuotedPrintable. > Frankly, I find it annoying when I see such in the reply compose > window. It also gets messy when the next person to replay retains the > original quote; leading to interspersed short lines in between the > normal 76 character lines. Typical MSFT idiocy, which they foist onto > unsuspecting users; who just don't know any better. Now I know why I > see such nonsense. The problem is much much worse than what you are describing. The whole conversation which I was having with Chris was only possible because I had my OEQF enabled. If I had been conversing with him with native OE, there would be no quote marks or levels of attribution assigned by my native OE. That is a huge problem which is completely separate from the subject of the variability in what happens as regards the wrapping. In the case of the wrapping alone, OE native handles the wrapping of someone else's QP which hasn't been wrapped. 
I don't want to speak positively about QP because it might 'confuse' Chris to think I'm supporting his use of it -- but in a pure OE environment which doesn't need any citation quote marks, if all of the OE correspondents are configured for QP, then the disaster which OE has which requires it to need 'quote fixing' is resolved. But, that imaginary environment has nothing to do with this environment which is a news environment and needs citations, and also isn't a pure OE environment. That is why it is 'imperative' that someone not use OE QP. Whether or not some other version of QP might be more compatible, I don't know. But OE's QP is not acceptable in a news environment. -- Mike Easter kibitzer, not SC admin From jg at coks.net Sun Jan 8 13:36:37 2006 From: jg at coks.net (jg) Date: Sun Jan 8 16:35:03 2006 Subject: [SpamCop-List] multi attachments Message-ID: In a recent thread, I inquired of the ability to frwd multi attachments of spam to the addy supplied by SC. After going over all the directions supplied by SC FAQ and Jeff G.'s URLS, I /think/ I'm doing everything correctly, after screwing up the 1st 2 or 3 due to certain missed rules, to wit, no more than 100k and being sure to use bcc to disguise my "secret" address, I managed to get a single submission through OK. However, multiple spams attached to a single message do not seem to get through yet. Something is telling me that that is for paid members only - could this be correct? Apologies for not going to help ng... From nobody at devnull.spamcop.net Sun Jan 8 18:17:32 2006 From: nobody at devnull.spamcop.net (Miss Betsy) Date: Sun Jan 8 18:20:03 2006 Subject: [SpamCop-List] Re: Blacklisted with questions References: Message-ID: "Mike Easter" wrote in message news:dpr5fc$6bk$1@news.spamcop.net... > It is all just publicity hype -- no action. Apparently it must be a > difficult policy to implement - or something. 
Part of the problem is > that there isn't any kind of 'law' that can be effectively used to > motivate those providers to perform according to what their > responsibilities would seem to be. EL should 'have to' have some > control of its users spamsourcing, besides it being just a good idea. The only difficulty (from my naive viewpoint) is that the 'customer is always right' even if they are spewing spam to innocent non-customers. Miss Betsy From nobody at devnull.spamcop.net Sun Jan 8 18:20:57 2006 From: nobody at devnull.spamcop.net (Miss Betsy) Date: Sun Jan 8 18:20:13 2006 Subject: [SpamCop-List] Re: Blacklisted with questions References: Message-ID: "Mike Easter" wrote in message news:dprlob$fcv$1@news.spamcop.net... > The problem is that spews would get a lot of adverse publicity, and then > the hue and cry would go up 'globally' - instead of just in nanae and a > few websites - about how spews unbridled influence should be curtailed - > along with the unbridled influence of other blocklists, including > spamcop's. Why, oh why, can't admins understand 'spin'??? If they championed their decision to prevent porn from being delivered to innocent victims and 'raised the consciousness' of comcast customers, why would there be any negative opinion against blocklists? Miss Betsy From dfm2a3l0t2 at spymac.com Sun Jan 8 18:46:33 2006 From: dfm2a3l0t2 at spymac.com (D.F. Manno) Date: Sun Jan 8 18:50:03 2006 Subject: [SpamCop-List] Re: Shaw Cable Refuses Munged Reports References: Message-ID: In article , "Jeff G." wrote: > All three ISPs' Legal Departments or outside Attorneys fail to ask SC > Reporters A and B for the unmunged version of the spam email message, or > don't get timely responses. So you're telling me I should save all my spam on the off chance that it might be needed in a future legal matter? I don't have that big a hard drive. -- D.F. 
Manno dfm2a3l0t2@spymac.com The problem with being sure that God is on your side is that you can't change your mind, because God sure isn't going to change His. (Roger Ebert) From nobody at devnull.spamcop.net Sun Jan 8 18:05:25 2006 From: nobody at devnull.spamcop.net (WazoO) Date: Sun Jan 8 19:10:05 2006 Subject: [SpamCop-List] Re: multi attachments References: Message-ID: "jg" wrote in message news:dps0gi$m2p$1@news.spamcop.net... > In a recent thread, I inquired of the ability to frwd multi attachments > of spam to the addy supplied by SC. > After going over all the directions supplied by SC FAQ and Jeff G.'s ??? SC FAQ? thought the problem there was that (none of the) FAQ(s) had this data ..???? Was one of the reasons I pointed to the Forum How to ... section for an entry ... > URLS, I /think/ I'm doing everything correctly, after screwing up the > 1st 2 or 3 due to certain missed rules, to wit, no more than 100k and > being sure to use bcc to disguise my "secret" address, I managed to get > a single submission through OK. Why not start simple with one spam, then two in one submittal, but only to SpamCop (perhaps a CC: to an account elsewhere) such that you can see where things are going wrong? > However, multiple spams attached to a single message do not seem > to get through yet. See above. > Something is telling me that that is for paid members only - could this > be correct? No, not correct. From nobody at devnull.spamcop.net Sun Jan 8 18:14:10 2006 From: nobody at devnull.spamcop.net (WazoO) Date: Sun Jan 8 19:15:03 2006 Subject: [SpamCop-List] Re: Thunderbird OK with Headers References: Message-ID: "jg" wrote in message news:dprcae$9u9$1@news.spamcop.net... > > Strike 2 - saw this after 1st 2 attempts - about the same time I saw the > bit on 100k limit. > Thanks for that input - I saw none of that in the FAQ, but probably > didn't look in the right spot? Not sure where you're looking .. 
As seen in the following, there are more data available besides the "official" FAQ that's been complained about for years. What is SpamCop? http://forum.spamcop.net/forums/index.php?act=faq&article=20 > Now is my confidential address ng? Should I contact/alert admin on the > matter? > I've never used bcc before, much less in that fashion... BCC: = Blind Carbon/Courtesy Copy ..... next e-mail you send to friend/family, add yourself (your own e-mail address) to the BCC: line. Look at the headers on the copy you receive. From nobody at xyzzy.claranet.de Mon Jan 9 02:38:38 2006 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Sun Jan 8 20:45:04 2006 Subject: [SpamCop-List] Re: multi attachments References: Message-ID: <43C1BE9E.253C@xyzzy.claranet.de> jg wrote: > However, multiple spams attached to a single message do not > seem to get through yet. If you get no feedback at all maybe you ran into the unclear size limits, try to stay below 40 "small" spams. With my V90 connection my browser has the time to display its sending progress: Any number of two or more spams up to a total of 250 KB apparently works (observation, no official limit). > Something is telling me that that is for paid members only - > could this be correct? Could but isn't... ;-) For basic tests follow Wazoo's idea: submit two spams and then a single spam. If you only get the feedback for the latter something's very odd. If you get no feedback at all it could be anything not limited to "SC delay or down". Normally you should get an error message if the "whatever-your-software-claims-to-be-an-attachment" is not related to Internet standards or what SC needs - SC doesn't insist on some MIME details as long as it can find a complete mail header for each part in a multipart spam submission. It also doesn't care about "attachment" vs. "inline", it only wants the complete mail header (my pet peeve here). 
Better don't try this with calendar software like Outlook, you need an Internet mail user agent, OE could do. Bye, Frank From baloo at ursine.ca Sun Jan 8 17:32:54 2006 From: baloo at ursine.ca (Paul Johnson) Date: Sun Jan 8 21:10:03 2006 Subject: [SpamCop-List] Re: Blacklisted with questions References: Message-ID: <63r893-a39.ln1@ursine.ca> Miss Betsy wrote: > > "Mike Easter" wrote in message > news:dprlob$fcv$1@news.spamcop.net... > >> The problem is that spews would get a lot of adverse publicity, > and then >> the hue and cry would go up 'globally' - instead of just in nanae > and a >> few websites - about how spews unbridled influence should be > curtailed - >> along with the unbridled influence of other blocklists, including >> spamcop's. > > Why, oh why, can't admins understand 'spin'??? Because it's a dishonest, obnoxious right-wing tactic, and admins tend to be the opposite? -- Paul Johnson Email and Instant Messenger (Jabber): baloo@ursine.ca Got jabber? http://ursine.ca/Ursine:Jabber From jg at coks.net Sun Jan 8 19:05:46 2006 From: jg at coks.net (jg) Date: Sun Jan 8 22:05:02 2006 Subject: [SpamCop-List] Re: multi attachments In-Reply-To: <43C1BE9E.253C@xyzzy.claranet.de> References: <43C1BE9E.253C@xyzzy.claranet.de> Message-ID: On 1/8/2006 5:38 PM Frank Ellermann scribbled: > jg wrote: > > >>However, multiple spams attached to a single message do not >>seem to get through yet. > > > If you get no feedback at all maybe you ran into the unclear > size limits, try to stay below 40 "small" spams. With my V90 > connection my browser has the time to display its sending > progress: Any number of two or more spams up to a total of > 250 KB apparently works (observation, no official limit). > Sorry, don't think I mentioned - I got a single one through, but 3 multiples failed - 1 pushed the size limit, 2 others didn't, and another single did not get through as well. With a cable connection, the time to send is minimal. 
>...For basic tests follow Wazoo's idea: > submit two spams and then a single spam. If you only get the > feedback for the latter something's very odd. If you get no > feedback at all it could be anything not limited to "SC delay > or down". Normally you should get an error message if the > "whatever-your-software-claims-to-be-an-attachment" is not > related to Internet standards or what SC needs - SC doesn't > insist on some MIME details as long as it can find a complete > mail header for each part in a multipart spam submission. > I'll try Wazoo's suggestions. Mime shud be OK, and I send them as attachment (to answer following) and agent is Thunderbird.... > It also doesn't care about "attachment" vs. "inline", it only > wants the complete mail header (my pet peeve here). Better > don't try this with calendar software like Outlook, you need > an Internet mail user agent, OE could do. > > Bye, Frank > From jg at coks.net Sun Jan 8 19:12:15 2006 From: jg at coks.net (jg) Date: Sun Jan 8 22:10:03 2006 Subject: [SpamCop-List] Re: multi attachments In-Reply-To: References: Message-ID: On 1/8/2006 4:05 PM WazoO scribbled: > ??? SC FAQ? thought the problem there was that (none of the) FAQ(s) > had this data ..???? Was one of the reasons I pointed to the Forum > How to ... section for an entry ... Sorry, Wazoo, thought that was one of Jeff's suggestions. I said I looked at the FAQ, didn't say I got much of anything out of it - didn't mean to confuse. > Why not start simple with one spam, then two in one submittal, but > only to SpamCop (perhaps a CC: to an account elsewhere) such > that you can see where things are going wrong? I sent a single and got response. 1 multiple I sent (well < 100k) but didn't hide my secret addy, no response, so think maybe the addy was a problem. Sent 1 multiple >100k before I saw your link. Sent 1 multiple which was well <100k and the addy was in bcc field - no response. 
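Added example, not part of the original thread and not SpamCop's own code: a local pre-flight check for the point quoted from Frank Ellermann above, that each part of a multipart submission needs a complete mail header while "attachment" vs. "inline" does not matter. The 100 KB limit is the figure quoted in the thread; the list of headers that count as "complete", the function name and the sample message are assumptions made for illustration.

```python
"""Pre-flight check for a forward-as-attachment spam submission (added example)."""
from email import message_from_bytes, policy

# Assumption: the "no more than 100k" figure quoted in the thread. Other posters
# report larger totals working, so treat it as tunable.
SIZE_LIMIT = 100 * 1024

# Assumption: a "complete mail header" is approximated by these fields being present.
REQUIRED_HEADERS = ("Received", "From", "Subject")

# Constructed sample, not a real submission: a cover note plus three attached messages.
SAMPLE = b"""\
From: reporter@example.org
To: submit.PLACEHOLDER@example.invalid
Subject: [Fwd: constructed samples]
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="CONSTRUCTED-BOUNDARY"

This is a multi-part message in MIME format.
--CONSTRUCTED-BOUNDARY
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

cover note
--CONSTRUCTED-BOUNDARY
Content-Type: message/rfc822; name="sample-a.eml"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline; filename="sample-a.eml"

Received: from mail.example.net (mail.example.net [192.0.2.10])
    by mx.example.org; Mon, 09 Jan 2006 08:00:00 -0800
From: sender-a@example.net
Subject: constructed sample A

body A
--CONSTRUCTED-BOUNDARY
Content-Type: message/rfc822; name="sample-b.eml"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="sample-b.eml"

Received: from relay.example.net (relay.example.net [192.0.2.20])
    by mx.example.org; Mon, 09 Jan 2006 08:05:00 -0800
Received: from unknown (HELO host) (198.51.100.7)
    by relay.example.net; Mon, 09 Jan 2006 08:04:58 -0800
From: sender-b@example.net
Subject: constructed sample B

body B
--CONSTRUCTED-BOUNDARY
Content-Type: message/rfc822; name="sample-c.eml"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="sample-c.eml"

Subject: constructed sample C

body only: the mail client dropped the original header
--CONSTRUCTED-BOUNDARY--
"""


def check_submission(raw, size_limit=SIZE_LIMIT):
    """Return a per-part report for one raw submission (bytes)."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = {"size": len(raw), "size_ok": len(raw) <= size_limit, "parts": []}
    if msg.get_content_maintype() != "multipart":
        report["error"] = "not multipart: nothing was forwarded as an attachment"
        return report
    for index, part in enumerate(msg.iter_parts(), start=1):
        ctype = part.get_content_type()
        if ctype != "message/rfc822":
            # Cover text in the message space is not a spam sample.
            report["parts"].append({"index": index, "type": ctype, "status": "ignored"})
            continue
        if not part.is_multipart():
            # The embedded message could not be parsed as a message at all.
            report["parts"].append({"index": index, "type": ctype, "status": "unparsed"})
            continue
        inner = part.get_payload(0)  # the attached message itself
        missing = [h for h in REQUIRED_HEADERS if inner.get_all(h) is None]
        report["parts"].append({
            "index": index,
            "type": ctype,
            # Reported for information only: inline and attachment are both accepted.
            "disposition": part.get_content_disposition(),
            "subject": str(inner.get("Subject", "")),
            "received_hops": len(inner.get_all("Received") or []),
            "missing": missing,
            "status": "incomplete header" if missing else "ok",
        })
    return report


if __name__ == "__main__":
    result = check_submission(SAMPLE)
    print("total size:", result["size"], "bytes, within limit:", result["size_ok"])
    for entry in result["parts"]:
        print(entry)
```

Run against a message saved from the mail client's Sent folder, this shows which attached parts still carry Received lines before anything is submitted.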
From h9vzc2i02 at sneakemail.com Sun Jan 8 20:45:27 2006 From: h9vzc2i02 at sneakemail.com (Anon_) Date: Sun Jan 8 23:45:07 2006 Subject: [SpamCop-List] Re: multi attachments References: Message-ID: "jg" wrote in message news:dps0gi$m2p$1@news.spamcop.net... > In a recent thread, I inquired of the ability to frwd multi attachments > of spam to the addy supplied by SC. > After going over all the directions supplied by SC FAQ and Jeff G.'s > URLS, I /think/ I'm doing everything correctly, after screwing up the > 1st 2 or 3 due to certain missed rules, to wit, no more than 100k and > being sure to use bcc to disguise my "secret" address, I managed to get > a single submission through OK. **** "Secret address"???? Do you mean the submitxxxxxx@spam.spamcop.net ? (the xxx represent the 16 alphanumeric code.) If so, there is no need to 'hide' it in the bcc. *** > However, multiple spams attached to a single message do not seem to get > through yet. ** You said you tried one and it worked, two or more did not? (I submit many attached on each submittal - all get responses.) AFAIK the only limit on 'number' is the 100kb size limit. Have you tried to CC to yourself to see what is being received by SC? Also do you put "reply anyway" in the subject line - this guarantees that you will get something back (error messages etc.) BTW SC's parser does not look at anything in the message space, just looks at each attachment separately. -- A SpamCop user and forum reader, Not Admin *** > Something is telling me that that is for paid members only - could this > be correct? > Apologies for not going to help ng... From nobody at xyzzy.claranet.de Mon Jan 9 05:50:13 2006 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Sun Jan 8 23:55:04 2006 Subject: [SpamCop-List] Re: multi attachments References: <43C1BE9E.253C@xyzzy.claranet.de> Message-ID: <43C1EB85.2328@xyzzy.claranet.de> jg wrote: > With a cable connection, the time to send is minimal.
ACK, when I mentioned V90 it was because my stoneage MUA won't tell me how big a sent mail really is, unless I see it in its "send progress bar". The 250 KB estimation was conservative, the real limit might be twice or more. 40 mails up to 400 KB should still work (tested today). I've no clue what you want to say about Bcc / secret address: Bcc works, it's important if you send a LART to some dubious ISP like EL or spamcast, and at the same time submit it to SC. With a Bcc: SC they don't see your secret address, and if they are as black or stupid as I think they also can't hand it over to the enemy, intentional or not. You'd use the same submit.SECRET@SC address for multiparts as for single submissions, s/submit/quick/ if you do / want quick. If that doesn't work from your POV it might be a broken filter at your ISP for *_outbound_* mail, but that would be FUBAR. Bye, Frank From lltbhill at link_earth.net Sun Jan 8 21:04:12 2006 From: lltbhill at link_earth.net (Lance) Date: Mon Jan 9 00:05:02 2006 Subject: [SpamCop-List] Re: multi attachments In-Reply-To: References: Message-ID: jg thought carefully and wrote on 1/8/2006 1:36 PM: > In a recent thread, I inquired of the ability to frwd multi attachments > of spam to the addy supplied by SC. > After going over all the directions supplied by SC FAQ and Jeff G.'s > URLS, I /think/ I'm doing everything correctly, after screwing up the > 1st 2 or 3 due to certain missed rules, to wit, no more than 100k and > being sure to use bcc to disguise my "secret" address, I managed to get > a single submission through OK. > However, multiple spams attached to a single message do not seem to get > through yet. > Something is telling me that that is for paid members only - could this > be correct? > Apologies for not going to help ng... Hi jg, I've been following this thread and the "Thunderbird OK with headers" for a couple days now. I've been sending multiple attachments for two days now and everything works as expected.
I use Thunderbird 1.07, I'm not a paying member, I just successfully submitted a 170kb email with 10 attachments, I don't bcc the spamcop address. There's something else going on. Lance ***** BTW, you should update your TB to 1.07 From nobody at xyzzy.claranet.de Mon Jan 9 06:19:55 2006 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Mon Jan 9 00:25:03 2006 Subject: [SpamCop-List] Re: multi attachments References: Message-ID: <43C1F27B.63C8@xyzzy.claranet.de> Lance wrote: > There's something else going on. My idea "outbound filter" was bogus. It could be a simple "inbound filter" that deletes SC's feedback mails: In the case of quick reports the body of the feedback mail quotes all submitted subjects, and that could cause havoc with a stupid filter. For ordinary multipart submissions (submit, not quick) the feedback mail only contains the tracker links to finish reporting. No idea why a filter should delete this mail, but in that case there's still a "pending reports" link on the "welcome" page. Admittedly I haven't used Bcc: for some time, not in 2006, so in theory SC could have a new bug about Bcc:, but that is unlikely. "Test Cc: to yourself and post the result in spamcop.spam" could help to debug the issue from this end. Bye, Frank From nobody at nowhere.invalid Mon Jan 9 10:42:15 2006 From: nobody at nowhere.invalid (Steven Maesslein) Date: Mon Jan 9 04:45:39 2006 Subject: [SpamCop-List] Re: multi attachments References: Message-ID: On Sun, 8 Jan 2006 20:45:27 -0800, Anon_ coughed into spamcop and left this in : > "Secret address"???? Do you mean the submitxxxxxx@spam.spamcop.net ? (the > xxx represent the 16 alphanumeric code.) > > If so, there is no need to 'hide' it in the bcc. There is if the spam is being forwarded to a 3rd party at the same time. -- Steve In most countries selling harmful things like drugs is punishable. Then how come people can sell Microsoft software and go unpunished?
-- Hasse Skrifvars From nobody at devnull.spamcop.net Mon Jan 9 09:06:31 2006 From: nobody at devnull.spamcop.net (Miss Betsy) Date: Mon Jan 9 09:05:03 2006 Subject: [SpamCop-List] Re: Blacklisted with questions References: <63r893-a39.ln1@ursine.ca> Message-ID: "Paul Johnson" wrote in message news:63r893-a39.ln1@ursine.ca... > Miss Betsy wrote: > > > > > "Mike Easter" wrote in message > > news:dprlob$fcv$1@news.spamcop.net... > > > >> The problem is that spews would get a lot of adverse publicity, > > and then > >> the hue and cry would go up 'globally' - instead of just in nanae > > and a > >> few websites - about how spews unbridled influence should be > > curtailed - > >> along with the unbridled influence of other blocklists, including > >> spamcop's. > > > > Why, oh why, can't admins understand 'spin'??? > > Because it's a dishonest, obnoxious right-wing tactic, and admins tend to be > the opposite? That's a good explanation! To just state something without explanation or persuasive reasons is very much like 'my server; my rules; your choice' However, there is nothing wrong with accentuating the positive aspects of something or elaborating on how well it works and what is good about it. There is nothing that doesn't have a downside and 'collateral damage' is a downside. However, instead of calling it collateral damage, the people who allow spammers to use their computers and when warned by rejection from a blocklist that they are supporting spammers could be called netizens exploited by the spammers. Most of those people are not *knowingly* abusive or supporting abuse to their internet neighbors and, if approached in the right way, would probably be eager to do what is necessary to not be abusive. It is not only spin, but a more community minded attitude that admins lack. 
Miss Betsy From jg at coks.net Mon Jan 9 08:13:24 2006 From: jg at coks.net (jg) Date: Mon Jan 9 11:15:03 2006 Subject: [SpamCop-List] Re: multi attachments In-Reply-To: References: Message-ID: On 1/8/2006 9:04 PM Lance scribbled: > I've been following this thread and the "Thunderbird OK with headers" for a > couple days now. > > I've been sending multiple attachments for two days now and everything > works as expected. hmmmmm... > > I use Thunderbird 1.07, I'm not a paying member, I just successfully > submitted a 170kb email with 10 attachments, I don't bcc the spamcop > address. That apparently is if one is to LART and submit at the same time, but one can't do that if submitting multi spam with 1 msg. - that just occurred to me - amazing what a night's sleep can do... > > There's something else going on. That's what I'm thinking, hence this thread. > > Lance > ***** > BTW, you should update your TB to 1.07 I'll get to that this week... From jg at coks.net Mon Jan 9 08:16:08 2006 From: jg at coks.net (jg) Date: Mon Jan 9 11:15:10 2006 Subject: [SpamCop-List] Re: multi attachments In-Reply-To: References: Message-ID: On 1/9/2006 1:42 AM Steven Maesslein scribbled: >> >>If so, there is no need to 'hide' it in the bcc. > > > There is if the spam is being forwarded to a 3rd party at the same time. > I was grasping at straws in locating a /why/ to the lack of response. With a multi submit, one wouldn't be sending elsewhere anyway normally... From jg at coks.net Mon Jan 9 08:22:49 2006 From: jg at coks.net (jg) Date: Mon Jan 9 11:25:02 2006 Subject: [SpamCop-List] Re: multi attachments In-Reply-To: References: Message-ID: On 1/8/2006 8:45 PM Anon_ scribbled: > **** > "Secret address"???? Do you mean the submitxxxxxx@spam.spamcop.net ? (the > xxx represent the 16 alphanumeric code.) > > If so, there is no need to 'hide' it in the bcc. > *** Thanks for that, think you're correct... >>However, multiple spams attached to a single message do not seem to get >>through yet.
> > > ** > You said you tried one and it worked, two or more did not? (I submit many > attaced on each submittal - all get responses.) > > AFAIK the only limit on 'number' is the 100kb size limit. OK, am following that. > > Have you tried to CC to yourself to see what is being received by SC? > Not yet - that'll come next - have waited for a fresh batch overnight. > Also do you put "reply anyway" in the subject line - this guarantees that > you will get something back (error messages etc.) Was wondering what that was about (mentioned in a previous post)... > > BTW SC's parser does not look at anything in the message space, just looks > at each attachment separately. > OK...I looked at one in the sent file - did a ctrl-U to see the source and they are all in a nice neat line... From jg at coks.net Mon Jan 9 08:30:19 2006 From: jg at coks.net (jg) Date: Mon Jan 9 11:30:03 2006 Subject: [SpamCop-List] Re: multi attachments In-Reply-To: <43C1F27B.63C8@xyzzy.claranet.de> References: <43C1F27B.63C8@xyzzy.claranet.de> Message-ID: On 1/8/2006 9:19 PM Frank Ellermann scribbled: > Lance wrote: > > >>There's something else going on. There /was/ something going on, but this A.M., I submitted a single, then 2, then 3 at once and have received replies to all 3 msgs. with 1,2, and 3 trackers. My input screen shows unreported spam. Will try larger amounts and get back - maybe I was running into some system problem (?)... > > > My idea "outbound filter" was bogus. It could be a simple > "inbound filter" that deletes SC's feedback mails: In the > case of quick reports the body of the feedback mail quotes > all submitted subjects, and that could cause havoc with a > stupid filter. In the back of my head, I was concerned about my ISP letting the msg out - have no idea how they filter outbound, if at all. > > For ordinary multipart submissions (submit, not quick) the > feedback mail only contains the tracker links to finish > reporting. 
No idea why a filter should delete this mail, > but in that case there's still a "pending reports" link on > the "welcome" page. > > Admittedly I haven't used Bcc: for some time, not in 2006, > so in theory SC could have a new bug about Bcc:, but that > is unlikely. "Test Cc: to yourself and post the result in > spamcop.spam" could help to debug the issue from this end. > > Bye, Frank > From jg at coks.net Mon Jan 9 08:33:14 2006 From: jg at coks.net (jg) Date: Mon Jan 9 11:35:03 2006 Subject: [SpamCop-List] Re: multi attachments In-Reply-To: References: Message-ID: On 1/8/2006 4:05 PM WazoO scribbled: > Why not start simple with one spam, then two in one submittal, but > only to SpamCop (perhaps a CC: to an account elsewhere) such > that you can see where things are going wrong? > Did that this A.M. and have so far been successful with a single, then 2, and then 3 - go figure. Received 57 last night (fairly high for an overnight for me) so I have plenty of fresh ammo... From MikeE at ster.invalid Mon Jan 9 08:32:42 2006 From: MikeE at ster.invalid (Mike Easter) Date: Mon Jan 9 11:35:10 2006 Subject: [SpamCop-List] Re: multi attachments References: Message-ID: jg wrote: > On 1/8/2006 8:45 PM Anon_ scribbled: >> BTW SC's parser does not look at anything in the message space, just >> looks at each attachment separately. >> > OK...I looked at one in the sent file - did a ctrl-U to see the source > and they are all in a nice neat line... What do you mean 'all in a nice neat line'? My OE spamsubmits to SC are separated from each other by a mime attachment structure, and the first one attached would be separated from the mail's headers to spamcop by that same type of attachment structure. 
Such as > ------=_NextPart_000_005F_01C614EA.DD0C2020 > Content-Type: message/rfc822; > name="__SPAM__ Low mortagge ratee approvall.eml" > Content-Transfer-Encoding: 7bit > Content-Disposition: attachment; > filename="__SPAM__ Low mortagge ratee approvall.eml" where I've added the > leaders above to prevent any funny business in the post here. -- Mike Easter kibitzer, not SC admin From jg at coks.net Mon Jan 9 08:40:56 2006 From: jg at coks.net (jg) Date: Mon Jan 9 11:40:04 2006 Subject: [SpamCop-List] Pump&Dump run Message-ID: http://www.spamcop.net/sc?id=z854961963z02557c541d62f883328f7b6526ee0a61z Received a rash of these over the weekend - no spamverts to be found. And the most important part (to the SEC), the disclosure, is munged, probably to avoid filters but who knows, spammers are known to be stupid at times.... From rourkeBLOCK at BLOCKpsicorp.com Mon Jan 9 12:16:10 2006 From: rourkeBLOCK at BLOCKpsicorp.com (Patrick Rourke) Date: Mon Jan 9 12:15:04 2006 Subject: [SpamCop-List] Anyway to get partial header from reported email? Message-ID: Our server has been blacklisted, we suspect because of a single machine that was infected with a virus. Since I know that spamcop won't send the entire email that lead to our being blacklisted, I was wondering if there is any way I can get someone at spamcop to let me know whether one of our internal addresses is appearing in the header of the offending email, so that I can confirm that the issue is resolved? Thanks! Patrick Rourke rourke &at& psicorp &dot& com From jg at coks.net Mon Jan 9 09:55:24 2006 From: jg at coks.net (jg) Date: Mon Jan 9 12:55:03 2006 Subject: [SpamCop-List] Re: multi attachments In-Reply-To: <43C1F27B.63C8@xyzzy.claranet.de> References: <43C1F27B.63C8@xyzzy.claranet.de> Message-ID: On 1/8/2006 9:19 PM Frank Ellermann scribbled: > Admittedly I haven't used Bcc: for some time, not in 2006, > so in theory SC could have a new bug about Bcc:, but that > is unlikely. 
"Test Cc: to yourself and post the result in > spamcop.spam" could help to debug the issue from this end. > > Bye, Frank > How would I do that, Frank - paste and munge the headers? From jg at coks.net Mon Jan 9 09:56:01 2006 From: jg at coks.net (jg) Date: Mon Jan 9 12:55:12 2006 Subject: [SpamCop-List] Re: multi attachments In-Reply-To: References: Message-ID: On 1/9/2006 8:32 AM Mike Easter scribbled: > jg wrote: > >>On 1/8/2006 8:45 PM Anon_ scribbled: > > >>>BTW SC's parser does not look at anything in the message space, just >>>looks at each attachment separately. >>> >> >>OK...I looked at one in the sent file - did a ctrl-U to see the source >>and they are all in a nice neat line... > > > What do you mean 'all in a nice neat line'? > > My OE spamsubmits to SC are separated from each other by a mime > attachment structure, and the first one attached would be separated from > the mail's headers to spamcop by that same type of attachment structure. > Mine look like: >From - Mon Jan 09 08:43:48 2006 >X-Mozilla-Status: 0001 >X-Mozilla-Status2: 00800000 >Message-ID: >Date: Mon, 09 Jan 2006 08:43:46 -0800 >From: >User-Agent: Mozilla Thunderbird 1.0.6 (Windows/20050716) >X-Accept-Language: en-us, en >MIME-Version: 1.0 >To: spamcop spam.spamcop.net> >Subject: [Fwd: -- Spam -- With Ultra Allure Pheromones you will] >Content-Type: multipart/mixed; >boundary="------------010304020606000604060903" >This is a multi-part message in MIME format. >--------------010304020606000604060903 >Content-Type: text/plain; charset=ISO-8859-1 >Content-Transfer-Encoding: 7bit >--------------010304020606000604060903 >Content-Type: message/rfc822; >name="-- Spam -- With Ultra Allure Pheromones you will" >Content-Transfer-Encoding: 7bit >Content-Disposition: inline; >filename="-- Spam -- With Ultra Allure Pheromones you will" > added by me. Sent 6 attachments - all separated the same way. 
I knew "in a line" would cause a problem but had a mental blank looking for the correct word - meant one after the other down the pages/screen. This bunch of 6 got no response (89k) after 1 hour. Have resent with "reply anyway" in subject - no reply as of yet (10 minutes) (didn't bcc myself, Wazoo). So, so far have been successful with 1, 2, and 3. Can anyone supply a SC address which I can send the "ignored" one to for review? From kenbrody at spamcop.net Mon Jan 9 13:14:27 2006 From: kenbrody at spamcop.net (Kenneth Brody) Date: Mon Jan 9 13:30:03 2006 Subject: [SpamCop-List] Re: Blacklisted with questions References: Message-ID: <43C2A803.82FD4DBD@spamcop.net> chp wrote: [...] > I had an unsecured network for a while, but figured it was safe due to > specifics of my location. But since the PC shows up clean and the Mac > _should_ be clean, I have to assume the wireless was being hijacked. I > did see some unknown MAC addresses a few hours ago, but I don't have > much for logging of activity aside from packets sent (it's just a D-Link > router!). > > I've closed the wireless and I hope that takes care of it. Probably > such luddites as I shouldn't be allowed to put in a wireless home > network! ;-) You'd be surprised as to how many times I've been working on my laptop at some remote location, and just out of curiosity scanned for wireless networks in the area, and how many times there will be an unsecured network called "linksys" or similar. Basically, people just plug in the wireless hub/router and use everything (including the name) in the factory setting. That sounds like what might have happened to you. A similar -- though completely different :-) -- thing happened to me a few years ago when broadband finally came to this area. I installed gateway software on the system hooked up to the cable modem, which would let all systems on our LAN share the single net connection. (We had previously used separate dialups via 56K modems.)
Well, it turns out that the default configuration had a WinSock proxy enabled to the outside world. Basically, this meant that anyone connected to the net somewhere could use my gateway and act as if it were part of our LAN as far as the rest of the net was concerned, and be untraceable back to their real IP address. Well, a few months after we were running this new setup (looking back, I'm surprised it took that long), someone found our open proxy, and started spewing spam through it. (It took me a while to understand why the status window kept showing outgoing SMTP connections when we weren't sending any e-mail at the moment.) So, even though none of our systems were infected, and none of them were sending spam, the open proxy allowed someone else to send spam out via our gateway. Fortunately, the people here helped me understand the situation and to close the proxy, and get quickly unlisted. (As opposed to how some people come here with the "how dare SpamCop block my e-mail" attitude.) -- +-------------------------+--------------------+-----------------------------+ | Kenneth J. Brody | www.hvcomputer.com | | | kenbrody/at\spamcop.net | www.fptech.com | #include | +-------------------------+--------------------+-----------------------------+ Don't e-mail me at: From nobody at spamcop.net Mon Jan 9 14:36:00 2006 From: nobody at spamcop.net (indigo) Date: Mon Jan 9 14:40:03 2006 Subject: [SpamCop-List] Re: SpamCop-List Digest, Vol 60, Issue 18 References: <200601061940.1eV27V3p93Nl3qa0@aaron.mail.atl.earthlink.net> Message-ID: Trish Roberts-Miller wrote: > > In short, far too often, the contract only covers the time the U pays > an employee, not the time the U expects its employees to work. Do they also shut down home pages during winter break? (http://www.cwrl.utexas.edu/~robertsmiller/homepage.html comes up 404 ;-) From zypher at spamcop.net Mon Jan 9 13:44:47 2006 From: zypher at spamcop.net (Ron B.)
Date: Mon Jan 9 14:45:03 2006 Subject: [SpamCop-List] Media Followup: Spammer Owes ISP $11 Billion, Court Rules Message-ID: Spammer Owes ISP $11 Billion, Court Rules POSTED: 10:03 am CST January 9, 2006 CLINTON, Iowa -- It's said revenge is sweet. And if the owner of an Iowa Internet service company gets his way, revenge will also be very expensive for some spammers. Robert Kramer III has been awarded more than $11 billion in a federal court judgment in a lawsuit against e-mail spammers. On Dec. 23, a Southern District of Iowa judge awarded Kramer the huge judgment against spammer James McCalla, of Florida. Kramer also has received other large awards from companies in New York, Arizona and Florida. In his lawsuits, Kramer convinced the courts that the companies and McCalla sent millions of spam e-mails that interfered with his business, caused problems with his equipment and hindered service to his customers. While collecting such a court judgment can be tricky and can take a while, Kramer said he intends to go after the dough. He said he hopes to "squeeze them for everything they've got." Kramer and his company, CIS Internet Services, have what is believed to be one of the largest judgments ever made against computer spammers. http://www.kcci.com/technology/5950891/detail.html?rss=des&psp=irresistible From nobody at spamcop.net Mon Jan 9 14:55:37 2006 From: nobody at spamcop.net (indigo) Date: Mon Jan 9 15:00:03 2006 Subject: [SpamCop-List] Re: Spamcop claims my address bounces References: Message-ID: SpamCop Admin wrote: > >-It looks like there may still be a problem as I've just had to > >reset the > >-bounce flag again. > > It turns out that there has been an intermittent problem with the > Email Service mail servers not talking to each other, May I suggest family counseling? 
;-) From BNRAGMAOKKXT at spammotel.com Mon Jan 9 20:08:42 2006 From: BNRAGMAOKKXT at spammotel.com (Canopus) Date: Mon Jan 9 15:10:03 2006 Subject: [SpamCop-List] Quick Reports Error from SpamCop Message-ID: All of a sudden I'm seeing this error message in quick report summaries. It's the same for every spam submitted: error:Can't send report: (smtpEnvelope xxx@bounces.spamcop.net,abuse@xxx) smtpFrom: mail From xxx@bounces.spamcop.net: error (550 No expected reply from SMTP) Can anyone give me a clue why this has started happening? -- Rob http://www.flickr.com/photos/canopus_archives/ From nobody at spamcop.net Mon Jan 9 12:12:01 2006 From: nobody at spamcop.net (Chris F. Willoughby) Date: Mon Jan 9 15:15:03 2006 Subject: [SpamCop-List] Re: Here's another spam that won't process correctly References: Message-ID: "Mike Easter" wrote in message news:dpr5os$6fu$1@news.spamcop.net... > You're right. You haven't fixed the QP. > > It is probably time to filter you out. > > > -- > Mike Easter > kibitzer, not SC admin I didn't mean to be insulting or laughing at you.. So please don't take it that way. Well, whatever. You do what you have to do. I'd be sorry to see you go. However, since everything works fine on MY end.. I don't see any reason to alter my habits. Selfish perhaps.. but since I cannot see what things look like on the other end there's really nothing I could do to fix it either. Basically, other than personal preferences, I'm looking for a logical reason why what I do is broken and needs to change. Chris From nobody at spamcop.net Mon Jan 9 12:13:06 2006 From: nobody at spamcop.net (Chris F. Willoughby) Date: Mon Jan 9 15:15:12 2006 Subject: [SpamCop-List] Re: Here's another spam that won't process correctly References: <7c22s11aa2seq7k65iplj4cgfp2sajn5hh@4ax.com> Message-ID: Fine. I'll just use my own addy. Maybe everyone won't get all bent out of shape over a silly issue then. 
:) Chris "SpamCop Admin" wrote in message news:7c22s11aa2seq7k65iplj4cgfp2sajn5hh@4ax.com... > The 'trash' address I gave you was nobody@devnull.spamcop.net > > - Don - From nobody at spamcop.net Mon Jan 9 13:20:15 2006 From: nobody at spamcop.net (Ellen) Date: Mon Jan 9 15:20:04 2006 Subject: [SpamCop-List] Re: Anyway to get partial header from reported email? References: Message-ID: "Patrick Rourke" wrote in message news:dpu5gv$r6t$1@news.spamcop.net... > Our server has been blacklisted, we suspect because of a single machine that > was infected with a virus. Since I know that spamcop won't send the entire > email that lead to our being blacklisted, I was wondering if there is any > way I can get someone at spamcop to let me know whether one of our internal > addresses is appearing in the header of the offending email, so that I can > confirm that the issue is resolved? > > Thanks! > > Patrick Rourke > rourke &at& psicorp &dot& com > Answered in email. Ellen SpamCop From cfw at prodigy.net Mon Jan 9 12:30:46 2006 From: cfw at prodigy.net (Chris F. Willoughby) Date: Mon Jan 9 15:35:02 2006 Subject: [SpamCop-List] Re: Here's another spam that won't process correctly References: <7c22s11aa2seq7k65iplj4cgfp2sajn5hh@4ax.com> Message-ID: Done. I changed it to one of my old ones. Chris "SpamCop Admin" wrote in message news:7c22s11aa2seq7k65iplj4cgfp2sajn5hh@4ax.com... > The 'trash' address I gave you was nobody@devnull.spamcop.net > > - Don - From MikeE at ster.invalid Mon Jan 9 12:46:14 2006 From: MikeE at ster.invalid (Mike Easter) Date: Mon Jan 9 15:50:04 2006 Subject: [SpamCop-List] Re: Anyway to get partial header from reported email? References: Message-ID: Patrick Rourke wrote: > Our server has been blacklisted, 64.69.116.190 rDNS ASHost.PSICorp.com is blocklisted in spamcop for hitting spamtraps and reporters, CBL for hitting spamtraps and looking like a proxytrojan, uceprotect presumably proxytrojan, and then some others for being listed in cbl. 
The SC reports from reporters who aren't spamtraps are/were sent to abuse@ctccom.net You could get those evidence reports which are not spamtraps about your IPs sent to you by going thru' this process http://www.spamcop.net/fom-serve/cache/94.html How can I get SpamCop reports about my network? -- Mike Easter kibitzer, not SC admin From jeffg at spamcop.net Mon Jan 9 16:03:46 2006 From: jeffg at spamcop.net (Jeff G.) Date: Mon Jan 9 16:15:03 2006 Subject: [SpamCop-List] Re: Quick Reports Error from SpamCop References: Message-ID: "Canopus" wrote in message news:dpufs9$1p9$1@news.spamcop.net... > All of a sudden I'm seeing this error message in quick report summaries. > It's the same for every spam submitted: > > error:Can't send report: (smtpEnvelope xxx@bounces.spamcop.net,abuse@xxx) > smtpFrom: mail From xxx@bounces.spamcop.net: error (550 No expected reply > from SMTP) > > Can anyone give me a clue why this has started happening? It appears that part of the SpamCop Parsing and Reporting System can't send out its Quick Reports for you. -- Best Regards, Jeff G. http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585 From jeffg at spamcop.net Mon Jan 9 16:24:10 2006 From: jeffg at spamcop.net (Jeff G.) Date: Mon Jan 9 16:25:03 2006 Subject: [SpamCop-List] Re: multi attachments References: Message-ID: "jg" wrote in message news:dpu7uu$sbg$2@news.spamcop.net... > Can anyone supply a SC address which I can send the "ignored" one to for > review? Yes, service[at]admin.spamcop.net -- Best Regards, Jeff G. http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585 From blacklist-me at davjam.org Mon Jan 9 21:07:56 2006 From: blacklist-me at davjam.org (David Bolt) Date: Mon Jan 9 16:35:03 2006 Subject: [SpamCop-List] Re: Spamcop claims my address bounces References: Message-ID: On Mon, 9 Jan 2006, indigo wrote:- > > >SpamCop Admin wrote: >> >-It looks like there may still be a problem as I've just had to >> >reset the >> >-bounce flag again. 
>> >> It turns out that there has been an intermittent problem with the >> Email Service mail servers not talking to each other, > >May I suggest family counseling? ;-) In the Simpsons style? :-) Regards, David Bolt -- Member of Team Acorn checking nodes at 50 Mnodes/s: http://www.distributed.net/ AMD1800 1Gb WinXP/SUSE 9.3 | AMD2400 256Mb SuSE 9.0 | A3010 4Mb RISCOS 3.11 AMD2400(32) 768Mb SUSE 10.0 | RPC600 129Mb RISCOS 3.6 | Falcon 14Mb TOS 4.02 AMD2600(64) 512Mb SUSE 10.0 | A4000 4Mb RISCOS 3.11 | STE 4Mb TOS 1.62 From jeffg at spamcop.net Mon Jan 9 16:34:56 2006 From: jeffg at spamcop.net (Jeff G.) Date: Mon Jan 9 16:35:16 2006 Subject: [SpamCop-List] Re: multi attachments References: <43C1F27B.63C8@xyzzy.claranet.de> Message-ID: "Frank Ellermann" wrote in message news:43C1F27B.63C8@xyzzy.claranet.de... > Admittedly I haven't used Bcc: for some time, not in 2006, > so in theory SC could have a new bug about Bcc:, but that > is unlikely. "Test Cc: to yourself and post the result in > spamcop.spam" could help to debug the issue from this end. Actually, test Bcc to yourself at another ISP would be a more appropriate test. -- Best Regards, Jeff G. http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585 From bill_beyer at excite.cXoYmZ Mon Jan 9 14:10:17 2006 From: bill_beyer at excite.cXoYmZ (Bill Beyer) Date: Mon Jan 9 17:10:03 2006 Subject: [SpamCop-List] Re: Media: Iowa ISP Gets $11B In E-mail Spam Case References: <43BEB9E6.BC83537E@spamcop.net> Message-ID: "Skiwi" wrote in message news:dpne03$24o$1@news.spamcop.net... > D.F. Manno wrote: > > In article , > > "Bill Beyer" wrote: > > > >> Since the ISP has obtained a judgement > >> against the spammer a lien can be placed against all of the spammers > >> business and quite possibly personal assets. In addition wages can be > >> garnished and bank accounts frozen, assets can be seized as well. > > > > You're assuming that there are assets that can be seized. 
He may have made > > himself judgment-proof, hiding behind shell corporations, putting things in > > others' names, renting/leasing equipment instead of owning, etc. > > He can't declare bankruptcy - and if the ISP 'forgives' the debt, he has > to pay taxes on that forgiven value as a form of income... the IRS will > chase a lot harder than other agencies (witness Capone...) - well, we > can hope! :-) Why can't he declare bankruptcy? Dow-Corning did right after the judgement against them on silicone breast implants was upheld. From redball at mindspring.com Mon Jan 9 16:05:00 2006 From: redball at mindspring.com (Trish Roberts-Miller) Date: Mon Jan 9 17:14:44 2006 Subject: [SpamCop-List] Re: SpamCop-List Digest, Vol 60, Issue 18 In-Reply-To: <200601091445.1eW2X7bC3Nl3qa0@aaron.mail.atl.earthlink.net> References: <200601091445.1eW2X7bC3Nl3qa0@aaron.mail.atl.earthlink.net> Message-ID: <43C2DE0C.4070909@mindspring.com> spamcop-list-request@news.spamcop.net wrote: <>Date: Mon, 9 Jan 2006 14:36:00 -0500 From: "indigo" Subject: [SpamCop-List] Re: SpamCop-List Digest, Vol 60, Issue 18 To: spamcop-list@news.spamcop.net Message-ID: Trish Roberts-Miller wrote: > In short, far too often, the contract only covers the time the U pays > an employee, not the time the U expects its employees to work. Do they also shut down home pages during winter break? (http://www.cwrl.utexas.edu/~robertsmiller/homepage.html comes up 404 ;-) ======= No, they change server names. -- Trish Roberts-Miller redball@mindspring.com http://www.cwrl.utexas.edu/~roberts-miller/homepage.html "And often we must think of rhetoric not in terms of some one particular address, but as a general body of identifications that owe their convincingness much more to trivial repetition and dull daily reenforcement than to exceptional rhetorical skill." 
(Kenneth Burke, Rhetoric of Motives, 26) From BNRAGMAOKKXT at spammotel.com Mon Jan 9 22:44:36 2006 From: BNRAGMAOKKXT at spammotel.com (Canopus) Date: Mon Jan 9 17:45:03 2006 Subject: [SpamCop-List] Re: Quick Reports Error from SpamCop References: Message-ID: Jeff G. on 09/01/2006 wrote: >"Canopus" wrote in message >news:dpufs9$1p9$1@news.spamcop.net... >>All of a sudden I'm seeing this error message in quick report >summaries. >>It's the same for every spam submitted: >> >>error:Can't send report: (smtpEnvelope >xxx@bounces.spamcop.net,abuse@xxx) >>smtpFrom: mail From xxx@bounces.spamcop.net: error (550 No expected >reply >>from SMTP) >> >>Can anyone give me a clue why this has started happening? > > >It appears that part of the SpamCop Parsing and Reporting System can't >send out its Quick Reports for you. I gathered that, but, was wondering why. Nothing has changed and it's not the odd one it has suddenly become all of them. -- Rob http://www.flickr.com/photos/canopus_archives/ From PossumTrot at dont.spam.me Mon Jan 9 14:56:11 2006 From: PossumTrot at dont.spam.me (Possum Trot) Date: Mon Jan 9 18:00:03 2006 Subject: [SpamCop-List] Supremes won't intervene in case involving spam blocking Message-ID: http://tinyurl.com/c38xs From devnull at spamcop.net Mon Jan 9 18:35:25 2006 From: devnull at spamcop.net (Frog Prince) Date: Mon Jan 9 18:45:04 2006 Subject: [SpamCop-List] Re: Media: Iowa ISP Gets $11B In E-mail Spam Case References: <43BEB9E6.BC83537E@spamcop.net> Message-ID: "Bill Beyer" | > >> Since the ISP has obtained a judgement | > >> against the spammer a lien can be placed against all of the spammers | > >> business and quite possibly personal assets. In addition wages can be | > >> garnished and bank accounts frozen, assets can be seized as well. | > > | > > You're assuming that there are assets that can be seized. 
He may have | made | > > himself judgment-proof, hiding behind shell corporations, putting things | in | > > others' names, renting/leasing equipment instead of owning, etc. | > | > He can't declare bankruptcy - and if the ISP 'forgives' the debt, he has | > to pay taxes on that forgiven value as a form of income... the IRS will | > chase a lot harder than other agencies (witness Capone...) - well, we | > can hope! :-) | | Why can't he declare bankruptcy? Dow-Corning did right after the judgement | against them on silicone breast implants was upheld. The Congress changed the laws on personal bankruptcy. Dow et al. can still dodge the bills and lay off the cost to the tax payer but an individual is greatly limited in that option. From BNRAGMAOKKXT at spammotel.com Mon Jan 9 23:50:58 2006 From: BNRAGMAOKKXT at spammotel.com (Canopus) Date: Mon Jan 9 18:55:02 2006 Subject: [SpamCop-List] Re: Quick Reports Error from SpamCop References: Message-ID: Canopus on 09/01/2006 wrote: >I gathered that, but, was wondering why. Nothing has changed and it's not >the odd one it has suddenly become all of them. Well, whatever it was things seem to have settled down again and everything is parsing and reporting again. -- Rob http://www.flickr.com/photos/canopus_archives/ From me at privacy.net Mon Jan 9 18:29:17 2006 From: me at privacy.net (MikeV06) Date: Mon Jan 9 19:30:03 2006 Subject: [SpamCop-List] Re: Thunderbird OK with Headers References: Message-ID: On Fri, 6 Jan 2006 17:06:14 -0500, Jeff G. wrote: > "jg" wrote in message > news:dp7eoq$4tp$2@news.spamcop.net... >> I forward to all sorts of addys as well as reporting to SC and >> get replies, rarely a carbon based lifeform, tho... > > If you do that all in one email message per spam, please make sure that > your Confidential Submit Address remains confidential by putting it in > the BCC field. Uhm, not trying to be smart, but who would be seeing the message To: field? 
If someone gets into my account, I got a lot more to worry about than just the SC submit address. Am I missing something here? From nobody at devnull.spamcop.net Mon Jan 9 19:10:11 2006 From: nobody at devnull.spamcop.net (WazoO) Date: Mon Jan 9 20:15:03 2006 Subject: [SpamCop-List] ping: Mike Easter Message-ID: GMail From jg at coks.net Mon Jan 9 21:22:41 2006 From: jg at coks.net (jg) Date: Tue Jan 10 00:25:13 2006 Subject: [SpamCop-List] Re: multi attachments In-Reply-To: References: Message-ID: On 1/9/2006 1:24 PM Jeff G. scribbled: > "jg" wrote in message > news:dpu7uu$sbg$2@news.spamcop.net... > >>Can anyone supply a SC address which I can send the "ignored" one to > > for > >>review? > > > Yes, service[at]admin.spamcop.net > Thanks jg From nospam at nospam.org Tue Jan 10 09:07:09 2006 From: nospam at nospam.org (Ejo) Date: Tue Jan 10 03:10:14 2006 Subject: [SpamCop-List] No reporting addresses found for 83.229.48.195, using devnull for tracking. Message-ID: This struck me when I inspected the following report http://www.spamcop.net/sc?id=z855293194za64fa151f8dc63816606075eb3ccce90z does yahoo not even have an abuse desk where they read e-mail, why is this spamcop report not sent to abuse@yahoo.com Ejo From nobody at nowhere.invalid Tue Jan 10 11:31:46 2006 From: nobody at nowhere.invalid (Steven Maesslein) Date: Tue Jan 10 05:35:08 2006 Subject: [SpamCop-List] Re: multi attachments References: Message-ID: On Mon, 09 Jan 2006 08:16:08 -0800, jg coughed into spamcop and left this in : >>>If so, there is no need to 'hide'it in the bcc. >> >> There is if the spam is being forwarded to a 3rd party at the same time. >> > I was grasping at straws in locating a /why/ to the lack of response. > With a multi submit, one wouldn't be sending elsewhere anyway normally... In that case you might just as well put your submit.sekritcode@spam..... in the To: field and have done with it. -- Steve A lot of money is tainted. 'Taint yours and 'taint mine. 
From nobody at nowhere.invalid Tue Jan 10 11:34:35 2006 From: nobody at nowhere.invalid (Steven Maesslein) Date: Tue Jan 10 05:35:23 2006 Subject: [SpamCop-List] Re: multi attachments References: Message-ID: On Mon, 9 Jan 2006 08:32:42 -0800, Mike Easter coughed into spamcop and left this in : > where I've added the > leaders above to prevent any funny business in > the post here. There won't be any "funny business" unless the headers of your posting say Content-Type: multipart/$whatever; boundary="----=_NextPart_000_005F_01C614EA.DD0C2020" -- Steve A lot of money is tainted. 'Taint yours and 'taint mine. From nobody at nowhere.invalid Tue Jan 10 11:49:24 2006 From: nobody at nowhere.invalid (Steven Maesslein) Date: Tue Jan 10 05:50:02 2006 Subject: [SpamCop-List] Re: Here's another spam that won't process correctly References: Message-ID: On Mon, 9 Jan 2006 12:12:01 -0800, Chris F. Willoughby coughed into spamcop and left this in : > everything works fine on MY end Of course it does. You're using the same software to read your postings as to post them. It will be a sorry day for M$ (even more so than usual) when Outleak Suxpress is incompatible with its own posts. > I don't see any reason to alter my habits. Selfish perhaps.. Totally. > but since I cannot see what things look like on the other end http://lugtouraine.free.fr/screenshot.png > there's really nothing I could do to fix it either. Getting rid of the quoted-printable in your newsreader's settings would be a good start... -- Steve Windows is.... A 32-bit extension to a 16-bit graphical interface, sitting on an 8-bit operating system, originally written for a 4-bit processor by a 2-bit company without ONE BIT of common sense. 
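The quoted-printable wrapping problem argued over in this thread, as an added example that is not part of any poster's message: a paragraph typed without hard line breaks is encoded with "=" soft breaks so every line on the wire stays short, and decoding removes those breaks and hands the reader one over-long line again. The sample paragraph is constructed and the function names are this example's own; the 78-character figure is the RFC 2822 recommendation cited later in the thread.

```python
import quopri
import textwrap

RFC2822_SHOULD_LIMIT = 78  # recommended maximum line length, excluding CRLF

# Constructed sample: one paragraph stored as a single logical line,
# the way a client does when it wraps only at the end of a paragraph.
PARAGRAPH = (
    "This paragraph was typed without pressing Enter, so the mail client "
    "stores it as one logical line and relies on the transfer encoding to "
    "keep each physical line on the wire short enough for SMTP."
)


def encode_qp(text):
    """Return the quoted-printable body as it would travel on the wire."""
    return quopri.encodestring(text.encode("ascii")).decode("ascii")


def decode_qp(wire):
    """Return what a QP-aware reader displays after decoding."""
    return quopri.decodestring(wire.encode("ascii")).decode("ascii")


def soft_breaks(wire):
    """Count lines ending in '=', i.e. breaks the decoder will remove."""
    return sum(1 for line in wire.splitlines() if line.endswith("="))


def longest_line(text):
    """Length of the longest line in a body."""
    return max((len(line) for line in text.splitlines()), default=0)


def over_limit(text, limit=RFC2822_SHOULD_LIMIT):
    """1-based numbers of the lines that exceed the recommended length."""
    return [n for n, line in enumerate(text.splitlines(), 1) if len(line) > limit]


def compare():
    """Contrast the QP round trip with hard wrapping at 70 columns."""
    wire = encode_qp(PARAGRAPH)
    decoded = decode_qp(wire)
    hard_wrapped = textwrap.fill(PARAGRAPH, width=70)
    return {
        "wire_longest": longest_line(wire),        # short: looks compliant
        "wire_soft_breaks": soft_breaks(wire),     # but these are not real breaks
        "decoded_longest": longest_line(decoded),  # the long line is back
        "decoded_over_limit": over_limit(decoded),
        "hard_wrapped_over_limit": over_limit(hard_wrapped),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```
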
From redford_stone at INVERSE_OF_COLDmail.com Tue Jan 10 12:32:49 2006 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Tue Jan 10 07:35:04 2006 Subject: [SpamCop-List] Re: "brokenlove" sites appear to be hosted and DNS'd by zombies References: Message-ID: "Berny" wrote in news:dpo79l$ees$1@news.spamcop.net: > > > Soon? Teleglobe's client, adultactionca/m/sh/.com and datecam and > related affiliates have been raping home users and others for over a > year, they have a spam sending botnet, a hosting botnet and a dns > botnet. No big ISPs seem to mind at all. And Teleglobe doesn't seem to > mind either, even when they spam from teleglobe space. I guess they > get plenty of pink money from these assholes. > > See threads by/with Mark Ferguson in NANAE > > They were booted off of Teleglobe a while ago. dns www.adultactioncam.com Canonical name: www.adultactioncam.com Addresses: 216.13.98.102 They're holed up at a blackhat establishment called Allstream Corp. Bunch of manual LARTs and they are still active. 01/10/06 04:30:44 IP block 216.13.98.102 Trying 216.13.98.102 at ARIN Trying 216.13.98 at ARIN OrgName: Allstream Corp. 
Corporation Allstream OrgID: ACCA-2 Address: 200 Wellington Street West Address: 16th Floor City: Toronto StateProv: ON PostalCode: M5V-3G2 Country: CA ReferralServer: rwhois://rwhois.allstream.com:4321 NetRange: 216.13.0.0 - 216.13.255.255 CIDR: 216.13.0.0/16 NetName: ALLSTREAM-7 NetHandle: NET-216-13-0-0-1 Parent: NET-216-0-0-0-0 NetType: Direct Allocation NameServer: NS1.BUSINESS.ALLSTREAM.NET NameServer: NS2.BUSINESS.ALLSTREAM.NET Comment: RegDate: Updated: 2004-02-03 From Nobody at SpamCop.devnull.diespammerdie.net Tue Jan 10 08:34:30 2006 From: Nobody at SpamCop.devnull.diespammerdie.net (Michael Brennan) Date: Tue Jan 10 09:35:02 2006 Subject: [SpamCop-List] Re: Supremes won't intervene in case involving spam blocking References: Message-ID: <43C3C5F6.3733DBF2@SpamCop.devnull.diespammerdie.net> Possum Trot wrote: > > http://tinyurl.com/c38xs Tks for the post. It's a good outcome for now, but don't count on a repeat of this outcome when major retailers and marketing firms bring the legal muscle to Judge Forum Q. Friendly's courtroom, to demand that ISP's permit them to spam accountholders at will. Glad to see spammy lose this one, though. This will help, when the real fight starts. Michael From spamcop at enigmedia.com Tue Jan 10 09:35:18 2006 From: spamcop at enigmedia.com (spamcop) Date: Tue Jan 10 09:40:03 2006 Subject: [SpamCop-List] mistaken report Message-ID: Hi: If there's anyone at SC monitoring the list, I inadvertently confirmed as spam report ID 1616752829 -- if possible please cancel the report! 
TIA, From anthony.edwards at uk.easynet.net Tue Jan 10 15:37:06 2006 From: anthony.edwards at uk.easynet.net (Anthony Edwards) Date: Tue Jan 10 10:40:03 2006 Subject: [SpamCop-List] Re: Supremes won't intervene in case involving spam blocking References: <43C3C5F6.3733DBF2@SpamCop.devnull.diespammerdie.net> Message-ID: On Tue, 10 Jan 2006 08:34:30 -0600, Michael Brennan wrote: > It's a good outcome for now, but don't count on a repeat of this outcome > when major retailers and marketing firms bring the legal muscle to Judge > Forum Q. Friendly's courtroom, to demand that ISP's permit them to spam > accountholders at will. I am normally quite pessimistic in respect of these issues, but in this instance I cannot see how any such lawsuit could possibly succeed. The CAN-SPAM Act of 2003: SEC. 8. EFFECT ON OTHER LAWS. [....] (c) NO EFFECT ON POLICIES OF PROVIDERS OF INTERNET ACCESS SERVICE- Nothing in this Act shall be construed to have any effect on the lawfulness or unlawfulness, under any other provision of law, of the adoption, implementation, or enforcement by a provider of Internet access service of a policy of declining to transmit, route, relay, handle, or store certain types of electronic mail messages. http://spamlaws.com/federal/108s877.shtml That is clear and unambiguous with no room for creative interpretation nor areas of greyness, is it not? -- Anthony Edwards * anthony.edwards@uk.easynet.net Abuse Team Manager * Tel: 0800 053 0588 Easynet Ltd * DDI: 0161 227 0707 http://www.uk.easynet.net * Fax: 0845 333 4503 From dannyg at dannyg.com Tue Jan 10 08:27:36 2006 From: dannyg at dannyg.com (Danny Goodman) Date: Tue Jan 10 11:27:50 2006 Subject: [SpamCop-List] Re: Supremes won't intervene in case involving spam blocking In-Reply-To: <200601101540.k0AFeE8n075779@dannyg.com> Message-ID: > That is clear and unambiguous with no room for creative interpretation > nor areas of greyness, is it not? YANAL. 
Danny http://www.dannyg.com http://www.spamwars.com From MikeE at ster.invalid Tue Jan 10 09:58:34 2006 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jan 10 13:00:03 2006 Subject: [SpamCop-List] Re: Mike Easter References: Message-ID: WazoO wrote: > GMail Got it. -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Tue Jan 10 13:06:22 2006 From: nobody at spamcop.net (indigo) Date: Tue Jan 10 13:10:03 2006 Subject: [SpamCop-List] Re: SpamCop-List Digest, Vol 60, Issue 18 References: <200601091445.1eW2X7bC3Nl3qa0@aaron.mail.atl.earthlink.net> Message-ID: Trish Roberts-Miller wrote: > Do they also shut down home pages during winter break? > (http://www.cwrl.utexas.edu/~robertsmiller/homepage.html comes up 404 > ;-) > > ======= > > No, they change server names. Just pointing out that the URL in your sig is DOA. From MikeE at ster.invalid Tue Jan 10 10:10:38 2006 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jan 10 13:15:03 2006 Subject: [SpamCop-List] Re: Mike Easter References: Message-ID: Mike Easter wrote: > WazoO wrote: >> GMail > > Got it. If anyone is wondering why the previous subject was Subject: ping: Mike Easter and the reply's subject was Subject: Re: Mike Easter That's because in its 'zeal' to allow multilingual-ness in handling the replacement of the various language's ways of saying 'Re:' -- MS's OE programmers decided that it would be a good idea to drop any 2-4 letter word ending with a colon in the subject and replace it with a Re for the English language version replies. This was in an effort to prevent Re Re Re Re problems. Of course, Re isn't really an 'English' word only, and the 'collateral damage' that the foolish programming decision causes is absurd - but it is just one of those little glaring examples which MS never got around to fixing. If I had noted that the 'ping' had gotten itself decapitated, I supposed I could've manually put it back in. 
-- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Tue Jan 10 10:18:54 2006 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jan 10 13:20:03 2006 Subject: [SpamCop-List] Re: mistaken report References: Message-ID: spamcop wrote: > Hi: If there's anyone at SC monitoring the list, I inadvertently > confirmed as spam report ID 1616752829 -- if possible please cancel > the report! It doesn't work like that. Your penance is greater than just making such a request here in the ng. http://forum.spamcop.net/forums/index.php?showtopic=138 // FAQ Entry: How can I unsend a report? You should manually send a retraction and apology to those to whom you reported the spam, with a copy mentioning the Report ID to deputies spamcop.net. Any originating ISPs will be able to use your recantation as evidence with SpamCop if your report landed them onto the SpamCop Blocking List. To find those to whom you sent the erroneous report, use the Links "Past Reports" and "View recent reports", leading to the "Show past reports" / "Report History" Page http://www.spamcop.net/mcgi?action=showhistory, // Jeff G // The reality is that the bad report will count as a report. If a report hasn't caused an IP to become listed, then it hasn't 'harmed' the reported IP's provider. A deputy only needs to actually manually do something like manually remove the effect of your bad report if it has caused an IP to become SCbl listed. -- Mike Easter kibitzer, not SC admin From news at REMOVECAPSalanharper.com Tue Jan 10 10:30:00 2006 From: news at REMOVECAPSalanharper.com (Alan Harper) Date: Tue Jan 10 13:30:03 2006 Subject: [SpamCop-List] mail.spamcop.net and webmail down? Message-ID: <100120061030000114%news@REMOVECAPSalanharper.com> I can't seem to pick up my email at mail.spamcop.net and when I try to get in on the web I see: > The connection has timed out > The server at webmail.spamcop.net is taking too long to respond. > * The site could be temporarily unavailable or too busy. 
Try > again in a few > moments. > > * If you are unable to load any pages, check your computer's > network > connection. > > * If your computer or network is protected by a firewall or > proxy, make sure > that Firefox is permitted to access the Web. Any thoughts? Thanks From MikeE at ster.invalid Tue Jan 10 10:37:26 2006 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jan 10 13:40:03 2006 Subject: [SpamCop-List] Re: SpamCop-List Digest, Vol 60, Issue 18 References: <200601091445.1eW2X7bC3Nl3qa0@aaron.mail.atl.earthlink.net> Message-ID: indigo wrote: > Trish Roberts-Miller wrote: >> Do they also shut down home pages during winter break? >> (http://www.cwrl.utexas.edu/~robertsmiller/homepage.html comes up 404 >> ;-) >> No, they change server names. > > Just pointing out that the URL in your sig is DOA. http://slatin2.cwrl.utexas.edu/~roberts-miller/homepage.html Trish Roberts-Miller's Homepage -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Tue Jan 10 10:55:26 2006 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jan 10 14:00:02 2006 Subject: [SpamCop-List] Re: Thunderbird OK with Headers References: Message-ID: MikeV06 wrote: >Jeff G. wrote: >> "jg" >>> I forward to all sorts of addys as well as reporting to SC and >>> get replies, rarely a carbon based lifeform, tho... >> >> If you do that all in one email message per spam, please make sure >> that your Confidential Submit Address remains confidential by >> putting it in the BCC field. > > Uhm, not trying to be smart, but who would be seeing the message To: > field? Anyone who receives a mail sees all of the addresses in the To and CC sections. The SC submit address is a 'secret' address -- so it should not be shared with any other To or CC recipients. If a bad guy has the SC submit addy, the baddie can submit troublesome items 'in the name of' the reporter who corresponds to that submit. 
What unfolds after that should be self limited, because the result of the baddie's submission /should/ come to the attention of the reporter, unless the submits are quick reports whose responses are being ignored by the negligent reporter. -- Mike Easter kibitzer, not SC admin From Nobody at SpamCop.devnull.diespammerdie.net Tue Jan 10 13:14:11 2006 From: Nobody at SpamCop.devnull.diespammerdie.net (Michael Brennan) Date: Tue Jan 10 14:15:03 2006 Subject: [SpamCop-List] Re: Supremes won't intervene in case involving spam blocking References: <43C3C5F6.3733DBF2@SpamCop.devnull.diespammerdie.net> Message-ID: <43C40783.FF8534DD@SpamCop.devnull.diespammerdie.net> Anthony Edwards wrote: > > On Tue, 10 Jan 2006 08:34:30 -0600, Michael Brennan > wrote: > > > It's a good outcome for now, but don't count on a repeat of this outcome > > when major retailers and marketing firms bring the legal muscle to Judge > > Forum Q. Friendly's courtroom, to demand that ISP's permit them to spam > > accountholders at will. > > I am normally quite pessimistic in respect of these issues, but in this > instance I cannot see how any such lawsuit could possibly succeed. > > The CAN-SPAM Act of 2003: > > SEC. 8. EFFECT ON OTHER LAWS. > > [....] > > (c) NO EFFECT ON POLICIES OF PROVIDERS OF INTERNET ACCESS > SERVICE- Nothing in this Act shall be construed to have > any effect on the lawfulness or unlawfulness, under any > other provision of law, of the adoption, implementation, > or enforcement by a provider of Internet access service of > a policy of declining to transmit, route, relay, handle, > or store certain types of electronic mail messages. > > http://spamlaws.com/federal/108s877.shtml > > That is clear and unambiguous with no room for creative interpretation > nor areas of greyness, is it not? It certainly would appear to be clear and unambiguous. 
However, with money to be made sitting on the table, a little company proceeded to take to court -- and their suit wasn't thrown out immediately but carried through to judgment -- the most resource-rich and attorney-rebulgent university in the State of Texas. It's entirely possible that the cunning Louisiana lawmaker who was called in by the Direct Marketing Association (the real authors of CAN-SPAM) to help draft the bill, offered subparagraph (c) as a sop to opponents of the proposed law (the antispamming community) in the full foreknowledge that it would be immediately subjected to a First Amendment test by a moneyed and litigious marketing interest. Our politicians are every bit as cynical and dodgy as yours. Don't think you've got the "talent" pool all to yourself! 8^) Michael def: "rebulgent": in a condition well beyond merely bulging with From cfw at prodigy.net Tue Jan 10 11:54:03 2006 From: cfw at prodigy.net (Chris F. Willoughby) Date: Tue Jan 10 14:55:02 2006 Subject: [SpamCop-List] Re: Here's another spam that won't process correctly References: Message-ID: "Steven Maesslein" wrote in message news:slrnds749k.4f2.nobody@127.0.0.1... > Getting rid of the quoted-printable in your newsreader's settings would > be a good start... > > -- > Steve > > Windows is.... > A 32-bit extension to a 16-bit graphical interface, sitting on > an 8-bit operating system, originally written for a 4-bit processor > by a 2-bit company without ONE BIT of common sense. Ok.. I'll try Base64. Now, why doesn't it wrap on your system? Shouldn't your program be able to handle the wrapping on its own? It doesn't make any sense that it would wrap HERE and not THERE. =/ Chris From MikeE at ster.invalid Tue Jan 10 12:16:32 2006 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jan 10 15:20:05 2006 Subject: [SpamCop-List] Re: Here's another spam that won't process correctly References: Message-ID: Chris F. 
Willoughby wrote: > "Steven Maesslein" >> Getting rid of the quoted-printable in your newsreader's settings >> would be a good start... That is exactly what needs to happen. > Ok.. I'll try Base64. Very bad idea -- similar and different adverse effects. > Now, why doesn't it wrap on your system? Shouldn't your program be > able to handle the wrapping on its own? It doesn't make any sense > that it would wrap HERE and not THERE. =/ http://support.microsoft.com/kb/q168779/ OLEXP: No Quote Characters When Using Quoted Printable Format -- // SYMPTOMS - When you reply to or forward a message that was composed using "Plain Text, Quoted Printable" format in Outlook Express, there is not a quote character at the beginning of each line of text that is included from the message you received. -- CAUSE - This is a side effect of the "Plain Text, Quoted Printable" format in the message you received. // http://www.insideoutlookexpress.com/faqs/why.htm#replychars Why does OE forget to add reply characters to some of my replies? -- // If the message to which you are replying was sent to you as MIME/Quoted Printable, the text of the message is formatted as paragraphs, not as lines, and therefore no reply characters will be added. This is a design issue, not a bug. It is simply the way Microsoft mail programs have always dealt with MIME/Quoted Printable. // http://mailformat.dan.info/config/oex.html Dan's Mail Format Site: -- Configuration: Outlook Express -- The Plain Text Settings box determines some formatting for plain text messages. // You can choose MIME or UUEncode encoding; this determines how attachments are coded. UUEncode is really archaic now, so MIME is the better choice. However, within the MIME section, you should pick "None" for the encoding choice. 
If you do this, you'll technically be breaking the standard if you use any characters outside the 7-bit US-ASCII range (e.g., if you include an accented letter), but choosing "Quoted Printable" (which would encode such characters and bring the message into compliance with the standards) unfortunately causes Outlook Express to violate another standard: that of line length. The "Automatically wrap text" item gets grayed out if "Quoted Printable" is used, and hard linebreaks are inserted only at the end of paragraphs, causing all sorts of display problems for other mail programs and Web-based mailing list archives. I used to think that this line-length problem happened in the plain-text versions of Outlook Express messages sent in HTML form, and went away when you picked plain text instead (yet another reason to prefer plain text over HTML), but it turns out that it's actually the "quoted printable" setting (which is by default on for HTML messages but off for plain text messages) that causes the problem. // The other encoding choice, "Base 64", is definitely to be avoided [...] // -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Tue Jan 10 13:41:57 2006 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jan 10 16:45:02 2006 Subject: [SpamCop-List] Re: Here's another spam that won't process correctly References: Message-ID: Chris F. Willoughby wrote: > Now, why doesn't it wrap on your system? Shouldn't your program be > able to handle the wrapping on its own? It doesn't make any sense > that it would wrap HERE and not THERE. =/ http://mailformat.dan.info/body/linelength.html Dan's Mail Format Site: Body: Line Length - How Long Should Lines Be? - The standards document for the format of e-mail messages, RFC 2822 [...] SHOULD be no more than 78 characters, [...] For practical purposes, lines should be broken at even less than 78 characters [...] Line Length of Incoming Messages [...] 
Here is a screenshot showing what a message violating line-length standards might look like to a reader:[...] // Quoted Printable Encoding :[...] Some people think that the use of Quoted Printable encoding (mentioned in the MIME, character sets, and attachments sections) is a "solution" to this line-length problem, because it will put in line breaks to bring the message in line with the standards, with an equal sign (=) at the end of each such broken line to indicate that it is a "soft" line break. :[...] However, once the receiving mail program decodes the encoding (assuming it supports Quoted Printable; if not, you end up with a somewhat messy, though readable, message with lots of equal signs in it), the soft breaks are taken back out again, and you're left with the standards-noncompliant long-line message format. :[...] So don't rely on Quoted Printable encoding to solve a line length problem; // What Should I Do? - To ensure that your outbound mail follows the proper line length conventions, take a look at the configuration settings of your mail program. Often, there will be an item somewhere in there that says how lines are to be wrapped; be sure it's set to wrap at 70 characters or less. // -- Mike Easter kibitzer, not SC admin From nobody at nowhere.invalid Tue Jan 10 23:23:34 2006 From: nobody at nowhere.invalid (Steven Maesslein) Date: Tue Jan 10 17:25:03 2006 Subject: [SpamCop-List] Re: Here's another spam that won't process correctly References: Message-ID: On Tue, 10 Jan 2006 11:54:03 -0800, Chris F. Willoughby coughed into spamcop and left this in : > Now, why doesn't it wrap on your system? Because it's being told *not* to wrap by the QP line continuations in your postings. -- Steve From nobody at spamcop.net Tue Jan 10 17:38:58 2006 From: nobody at spamcop.net (Ellen) Date: Tue Jan 10 17:40:05 2006 Subject: [SpamCop-List] Email system Message-ID: The email system (@spamcop.net, @cesmail.net, @cqmail.net) may be encountering problems again. 
Jeff is aware of the issues and working on them. Thanks for your patience!

Ellen
SpamCop

From news at REMOVECAPSalanharper.com Tue Jan 10 15:42:12 2006
From: news at REMOVECAPSalanharper.com (Alan Harper)
Date: Tue Jan 10 18:45:02 2006
Subject: [SpamCop-List] Re: mail.spamcop.net and webmail down?
References: <100120061030000114%news@REMOVECAPSalanharper.com>
Message-ID: <100120061542122866%news@REMOVECAPSalanharper.com>

SpamCop Admin wrote:
> Alan Harper wrote:
> >-I can't seem to pick up my email at mail.spamcop.net
>
> POP, IMAP, and Webmail are all down.

Follow up: mail.spamcop.net came back up w/in 3 minutes of my posting this query.

A

From jeffg at spamcop.net Tue Jan 10 22:13:15 2006
From: jeffg at spamcop.net (Jeff G.)
Date: Tue Jan 10 22:30:04 2006
Subject: [SpamCop-List] Re: Supremes won't intervene in case involving spam blocking
References:
Message-ID:

"Possum Trot" wrote in message news:dpupob$80q$1@news.spamcop.net...
> http://tinyurl.com/c38xs

Anyone who doesn't like tinyurl, please use
http://channels.attbusiness.net/index.cfm?fuseAction=viewNewsArticle&nav_id=33&category_name=Washington&article_id=f553eabe4ea7e20dc0ed239cadafc84f
instead. :)

--
Thanks and Best Regards,
Jeff G.
http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585

From jeffg at spamcop.net Tue Jan 10 22:24:32 2006
From: jeffg at spamcop.net (Jeff G.)
Date: Tue Jan 10 22:40:03 2006
Subject: [SpamCop-List] Re: "brokenlove" sites appear to be hosted and DNS'd by zombies
References:
Message-ID:

"Redstone" wrote in message news:Xns97472E4AF6960tinlc@216.154.195.61...
> dns www.adultactioncam.com
> Canonical name: www.adultactioncam.com
> Addresses:
> 216.13.98.102
>
> They're holed up at a blackhat establishment called Allstream Corp.
> Bunch of manual LARTs and they are still active.
>
>
> 01/10/06 04:30:44 IP block 216.13.98.102
> Trying 216.13.98.102 at ARIN
> Trying 216.13.98 at ARIN
>
> OrgName: Allstream Corp.
Corporation Allstream
> OrgID: ACCA-2
> Address: 200 Wellington Street West
> Address: 16th Floor
> City: Toronto
> StateProv: ON
> PostalCode: M5V-3G2
> Country: CA
>
> ReferralServer: rwhois://rwhois.allstream.com:4321
>
> NetRange: 216.13.0.0 - 216.13.255.255
> CIDR: 216.13.0.0/16
> NetName: ALLSTREAM-7
> NetHandle: NET-216-13-0-0-1
> Parent: NET-216-0-0-0-0
> NetType: Direct Allocation