From jeffg at spamcop.net Wed Mar 1 23:48:44 2006
From: jeffg at spamcop.net (Jeff G.)
Date: Wed Mar 1 23:50:10 2006
Subject: [SpamCop-Mail] Re: Sluggish response
References:
Message-ID:

Jeff G. wrote:
> Ejo wrote:
>> Submitting spam via the web-form is very slow at the moment.
>
> http://forum.spamcop.net/forums/index.php?act=module&automodule=custom&page=stats
> appears to show that the performance of the SpamCop Parsing and
> Reporting Service went to hell in a handbasket around 21:40 EST -0500
> (02:40 UTC -0000), 54 minutes ago. Its administrators are probably
> already aware of the issue.

It's been over two hours now. This appears to be a bigger problem than normal. :(

--
Best Regards,
Jeff G.
http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585

From click1510 at earthlink.net Fri Mar 3 12:16:01 2006
From: click1510 at earthlink.net (CO-DBA-SC-EL)
Date: Fri Mar 3 15:20:02 2006
Subject: [SpamCop-Mail] UMSY
Message-ID:

Why can't SpamCop email filter these annoying UMSY spams? See for example report ID 1677920143. I am bombarded with those, obviously sent through botnets. This has been going on for over one week. The spammer has obviously found the right formula to get around spamcop and spamAssassin. They don't even bother to try to obfuscate "UMSY".

C_O

From MikeE at ster.invalid Fri Mar 3 13:13:47 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Mar 3 16:15:03 2006
Subject: [SpamCop-Mail] Re: UMSY
References:
Message-ID:

CO-DBA-SC-EL wrote:
> Why can't SpamCop email filter these annoying UMSY spams? See for
> example report ID 1677920143.

When you call up your own reportid, you can access everything about it via its tracker.
When anyone else calls up your reportid, they can only see the subject Promo Movers: Weekly Member Newsletter

Then, in order to know whatever it is you are trying to talk about, I have to go to sightings to find a spam and determine that it is a stockspam, and then I have to further derive that UMSY is a stock abbreviation by determining that US MedSys Corp is a known stockspam 'marketer'.

So, then further, I have to search a little harder in sightings to find an actual UMSY stock promo in a promo movers newsletter.
http://snipurl.com/n5gu

Then, since you didn't provide a tracker to an example of the spam, I guess I'll make one myself

http://www.spamcop.net/sc?id=z889921579z6324ae41d86ed5577815eb2cb0b372ffz

That particular item was sourced from a CBL listed proxy 222.40.149.15 -- and it is entirely possible that yours was too.

> I am bombarded with those, obviously sent through botnets. This has
> been going on for over one week. The spammer has obviously found the
> right formula to get around spamcop and spamAssassin. They don't even
> bother to try to obfuscate "UMSY".

From your reportid, it appears that you are not spamcop reporting your spam, but instead you are mole reporting, which means that your spam isn't contributing to the SCbl.

If you want to discuss why a particular spam wasn't blocked, you should be looking at its headers and you should be thinking about what blocklists you have enabled, and you should be thinking about how you have your SpamAssassin SA score set, because the item which I provided a tracker for was caught by a SA type filter, and that item would have also been caught by my filter on the basis of its CBL listing.

So, if your choice of configuration for spamcop's filter isn't doing the job, maybe you should consider fixing your configuration.
So, my gripes about this communication so far are:

- if you are going to talk about a spam which wasn't filtered, you should post a tracker for it, not a reportid
- if you are going to talk about /anything/ don't abbreviate more than what someone who isn't looking at the same thing you are looking at will be able to figure out. This isn't a guessing game, altho' sometimes we play it
- if you are 'just' a mole reporter, your reports don't really count, so you aren't helping the SCbl and therefore your reports aren't helping other people filter their spam

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Fri Mar 3 13:16:08 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Mar 3 16:20:02 2006
Subject: [SpamCop-Mail] Re: UMSY
References:
Message-ID:

Mike Easter wrote:
> That particular item was sourced from a CBL listed proxy
> 222.40.149.15 -- and it is entirely possible that yours was too.

I meant, if a particular spam modus operandi is utilizing something like abused proxy smtp injection, then it is likely that other items of the same modus also use abused proxies, but not likely the same exact one, but a different one.

--
Mike Easter
kibitzer, not SC admin

From click1510 at earthlink.net Fri Mar 3 21:20:08 2006
From: click1510 at earthlink.net (CO-DBA-SC-EL)
Date: Sat Mar 4 00:25:03 2006
Subject: [SpamCop-Mail] Re: UMSY
References:
Message-ID:

Mike, thank you for your reply.

Why bother with mole reporting if it does not contribute to the SCbl? Hmm....

As to why I did not post the full tracker: The tracker contains information that identifies me, my antispam measures and my mail server. Much too much information to put on a public newsgroup monitored by spammers.

As to why I went "mole". Same thing. What prompted me to go "mole" a couple of years ago was regular upsurges of spam after I reported some spam.
Watching the detailed spam parses these days for the stuff I drop into the "Report" form, much too often I see that the report would not be anywhere near sanitized well enough, or would be going to someone who has a connection with the spammer. For example, I don't for a second believe that spamcop reports to chinanet are just ignored. There is just too much good stuff to mine from them.

My posting to mail was because as a spamcop mail customer I think the problem with this particular spammer getting through so easily is a SpamAssassin rule problem, rather than a reporting problem. Every single address that particular spammer has been using that I bothered to track down looked like a zombie. A different one every time, of course.

C_O

"Mike Easter" wrote in message news:duabhs$6sg$1@news.spamcop.net...
> CO-DBA-SC-EL wrote:
>> Why can't SpamCop email filter these annoying UMSY spams? See for
>> example report ID 1677920143.
>
> When you call up your own reportid, you can access everything about it
> via its tracker. When anyone else calls up your reportid, they can only
> see the subject Promo Movers: Weekly Member Newsletter
>
> Then, in order to know whatever it is you are trying to talk about, I
> have to go to sightings to find a spam and determine that it is a
> stockspam, and then I have to further derive that UMSY is a stock
> abbreviation by determining that US MedSys Corp is a known stockspam
> 'marketer'.
>
> So, then further, I have to search a little harder in sightings to find
> an actual UMSY stock promo in a promo movers newsletter.
> http://snipurl.com/n5gu
>
> Then, since you didn't provide a tracker to an example of the spam, I
> guess I'll make one myself
>
> http://www.spamcop.net/sc?id=z889921579z6324ae41d86ed5577815eb2cb0b372ffz
>
> That particular item was sourced from a CBL listed proxy
> 222.40.149.15 -- and it is entirely possible that yours was too.
>
>> I am bombarded with those, obviously sent through botnets. This has
>> been going on for over one week. The spammer has obviously found the
>> right formula to get around spamcop and spamAssassin. They don't even
>> bother to try to obfuscate "UMSY".
>
> From your reportid, it appears that you are not spamcop reporting your
> spam, but instead you are mole reporting, which means that your spam
> isn't contributing to the SCbl.
>
> If you want to discuss why a particular spam wasn't blocked, you should
> be looking at its headers and you should be thinking about what
> blocklists you have enabled, and you should be thinking about how you
> have your SpamAssassin SA score set, because the item which I provided a
> tracker for was caught by a SA type filter, and that item would have
> also been caught by my filter on the basis of its CBL listing.
>
> So, if your choice of configuration for spamcop's filter isn't doing the
> job, maybe you should consider fixing your configuration.
>
> So, my gripes about this communication so far are:
>
> - if you are going to talk about a spam which wasn't filtered, you
> should post a tracker for it, not a reportid
> - if you are going to talk about /anything/ don't abbreviate more than
> what someone who isn't looking at the same thing you are looking at will
> be able to figure out. This isn't a guessing game, altho' sometimes we
> play it
> - if you are 'just' a mole reporter, your reports don't really count,
> so you aren't helping the SCbl and therefore your reports aren't helping
> other people filter their spam
>
> --
> Mike Easter
> kibitzer, not SC admin
>

From MikeE at ster.invalid Fri Mar 3 22:00:40 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Sat Mar 4 01:05:17 2006
Subject: [SpamCop-Mail] Re: UMSY
References:
Message-ID:

CO-DBA-SC-EL wrote:
> "Mike Easter"
>> that
>> item would have also been caught by my filter on the basis of its
>> CBL listing.
> Every
> single address that particular spammer has been using that I bothered
> to track down looked like a zombie. A different one every time, of
> course.

SC's dnsbl options include using the CBL. It is excellent for listing proxified trojans.

--
Mike Easter
kibitzer, not SC admin

From Paul.Hunt at customsupport.com Sun Mar 5 23:38:09 2006
From: Paul.Hunt at customsupport.com (Paul Hunt)
Date: Sun Mar 5 23:38:13 2006
Subject: [SpamCop-Mail] Stock pumping
In-Reply-To: <20060225170010.5879.qmail@blade2.cesmail.net>
References: <20060225170010.5879.qmail@blade2.cesmail.net>
Message-ID:

I am getting stock pump emails on a several times daily basis that are not being filtered. I report them all (to SpamCop AND to the SEC) and still they come.

I use all the offered blacklists and an SA level of 4.

Doesn't Spamcop or SA recognize this content by now and score it highly?

Example: http://www.spamcop.net/sc?
id=z891253259z8da4866d5e0acf7c33a1aed60f4f24aaz

Thanks,
Paul
--
Paul Hunt
Paul.Hunt@CustomSupport.com
www.CustomSupport.com

From eddie at eddie.web Tue Mar 7 15:05:01 2006
From: eddie at eddie.web (eddie)
Date: Tue Mar 7 15:10:03 2006
Subject: [SpamCop-Mail] Re: Stock pumping
In-Reply-To:
References: <20060225170010.5879.qmail@blade2.cesmail.net>
Message-ID:

Paul Hunt wrote:
> I am getting stock pump emails on a several times daily basis that are
> not being filtered. I report them all (to SpamCop AND to the SEC) and
> still they come.
>
> I use all the offered blacklists and an SA level of 4.
>
> Doesn't Spamcop or SA recognize this content by now and score it highly?
>
> Example: http://www.spamcop.net/sc?
> id=z891253259z8da4866d5e0acf7c33a1aed60f4f24aaz
>
> Thanks,
> Paul
> --
> Paul Hunt
> Paul.Hunt@CustomSupport.com
> www.CustomSupport.com
>

I use all of SC's blacklists and SA is set to 1. It's not much away from blocking everything :) I whitelist anything that gets caught improperly. The P&D junk gets caught, but surprisingly, once in a very great while real spam does not get caught although it is in my blacklist. I suppose nothing is perfect.
I would say that 99.99% of SC's catches are correct, based on my settings.

You probably have your SA set too high. Most stock scams almost read like real email.

From newspost at deletethispart.hypercreations.com Thu Mar 9 18:19:05 2006
From: newspost at deletethispart.hypercreations.com (D. T.)
Date: Thu Mar 9 13:20:03 2006
Subject: [SpamCop-Mail] Re: UMSY
References:
Message-ID:

"Mike Easter" wrote in news:dubadp$mde$1
@news.spamcop.net:

> SC's dnsbl options include using the CBL. It is excellent for listing
> proxified trojans.

I think the CBL blocking might be broken at the moment for those of us with SC email accounts. A few days ago, I too started seeing a flood of obvious stock pumps that my SC settings were no longer catching. Here are two tracking URLs:

http://www.spamcop.net/sc?id=z893629776zd3d88b5dc4ce361f2ddffd2c9ddbfb0cz
http://www.spamcop.net/sc?id=z893630493zb1c0b16af8742f09607ff4182a53754bz

According to what I see, both of those should have been caught due to their listings on the CBL, or am I missing something? Those are just two out of dozens and dozens that suddenly started getting through to my inbox a few days ago. I strongly suspect problems with the SC system (this kind of thing has happened to the SC filtering system before, and it did indeed turn out to be something that needed fixing).

DT

From newspost at deletethispart.hypercreations.com Thu Mar 9 18:20:13 2006
From: newspost at deletethispart.hypercreations.com (D. T.)
Date: Thu Mar 9 13:25:03 2006
Subject: [SpamCop-Mail] Re: Stock pumping
References: <20060225170010.5879.qmail@blade2.cesmail.net>
Message-ID:

Paul Hunt wrote in
news:mailman.18.1141619894.16519.spamcop-mail@news.spamcop.net:

> I am getting stock pump emails on a several times daily basis that
> are not being filtered. I report them all (to SpamCop AND to the SEC)
> and still they come.

Me too....a LOT of them, and all of a sudden. I suspect there are problems with the SC blacklist implementation...specifically the CBL.
DT

From newspost at deletethispart.hypercreations.com Thu Mar 9 18:21:47 2006
From: newspost at deletethispart.hypercreations.com (D. T.)
Date: Thu Mar 9 13:25:05 2006
Subject: [SpamCop-Mail] Re: Stock pumping
References: <20060225170010.5879.qmail@blade2.cesmail.net>
Message-ID:

eddie wrote in news:dukp1i$5jh$1@news.spamcop.net:

> I use all of SC's blacklists and SA is set to 1. It's not much away from
> blocking everything :)

> You probably have your SA set too high. Most stock scams almost read
> like real email.

Yes they do....here's the SC scoring line from one of them:

X-Spam-Status: hits=0.0 tests=HTML_MESSAGE

So even with an SA setting as low as 1, the message would still have gotten through. I think there's something else wrong with the blocking associated with our email accounts.

DT

From newspost at deletethispart.hypercreations.com Thu Mar 9 18:58:49 2006
From: newspost at deletethispart.hypercreations.com (D. T.)
Date: Thu Mar 9 14:00:13 2006
Subject: [SpamCop-Mail] Re: UMSY
References:
Message-ID:

I've done a little more research on the flood of false negatives making it into my SC inbox, and although all of the IPs I've checked so far are listed on the CBL, the listing times were less than half an hour before their arrivals at the SC mail servers, so maybe the SC servers aren't doing "realtime" queries of the CBL when processing incoming email? Here's an example:

CBL lookup:
IP Address 221.199.146.98 was found in the CBL.
It was detected at 2006-03-09 12:00 GMT (+/- 30 minutes).

Spam received:
by mx53.cesmail.net with SMTP; 9 Mar 2006 12:32:40 -0000

So, although if things were functioning ideally, that spam should have been blocked, we might be looking at stuff that's getting by just under the wire, before the SC system can tell that the CBL is listing them.

DT

From mrmeval at earthlink.net Wed Mar 15 20:53:11 2006
From: mrmeval at earthlink.net (James Caldwell)
Date: Wed Mar 15 20:55:03 2006
Subject: [SpamCop-Mail] Why are you screwing with my mail?
Message-ID:

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:

xxxxx@iquest.net
SMTP error from remote mailer after RCPT TO::
host mx-4.iquest.net [206.246.180.54]: 553 Blocked - see
http://www.spamcop.net/bl.shtml?209.86.89.70

------ This is a copy of the message, including all the headers. ------

Return-path:
Received: from [69.81.63.17] (helo=[192.168.0.100])
 by elasmtp-banded.atl.sa.earthlink.net with asmtp (Exim 4.34)
 id 1FJgv2-0005d9-BO
 for xxxxxxx@iquest.net; Wed, 15 Mar 2006 20:04:48 -0500
Message-ID: <4418B9AF.5050905@earthlink.net>
Date: Wed, 15 Mar 2006 20:04:47 -0500
From:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20060202 Fedora/1.7.12-1.5.2
X-Accept-Language: en-us, en
MIME-Version: 1.0
To:
Subject:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

--
"I can get you a drink, A reverend or we could call for Air Support."
--http://www.schlockmercenary.com

From MikeE at ster.invalid Wed Mar 15 18:49:54 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Mar 15 21:50:13 2006
Subject: [SpamCop-Mail] Re: Why are you screwing with my mail?
References:
Message-ID:

Posted to .mail & spamcop; f/ups to spamcop

James Caldwell wrote:

Newsgroups: spamcop.mail

This is the wrong ng for your post. spamcop.mail is a group which was for people to interact about their spamcop mail accounts, which service is described here
http://www.spamcop.net/ces/individuals.shtml SpamCop Email System for Individuals

You are not posting about a spamcop mail issue, but about a spamcop blocklist effect. Your recipient chose to use the SCbl and as a result your mail's transmission to them was rejected. Rejection of mail during the transaction is a healthier effect than some other effects of spamfilters which result in mail being lost.
I'm posting this to a general discussion group spamcop and making f/ups to there.

Subject: Why are you screwing with my mail?

The SCbl is a blocklist described here.
http://www.spamcop.net/bl.shtml SpamCop Blocking List

SpamCop doesn't block anything or screw with anyone's mail. It is a parsing and reporting system, the maintainer of the SCbl, and also provides a mail service for filtering and tagging spam. Your recipient rejected your mail as a method of their spam control.

Your mail was rejected by your recipient's server because your EL earthlink output server was listed in the SCbl for abusive server behavior. More about that later.

> SMTP error from remote mailer after RCPT TO::
> host mx-4.iquest.net [206.246.180.54]: 553 Blocked - see
> http://www.spamcop.net/bl.shtml?209.86.89.70

That is a nicely informative information from the iquest server which is telling you that the EL server's IP caused the mail to be rejected because the EL IP was blocklisted in the SCbl spamcop blocklist.

> ------ This is a copy of the message, including all the headers.

Those headers aren't very helpful. They just say that your user IP which is a mindspring one gave the mail to the EL server. The problem is with the EL server which is blocklisted.

Here's the current story on that EL IP

209.86.89.70 listed in bl.spamcop.net
it will be delisted automatically in approximately 17 hours.
users have reported system as a source of spam
has been listed for less than 24 hours.
Other hosts in this "neighborhood" with spam reports
209.86.89.63 209.86.89.64 209.86.89.65 209.86.89.66 209.86.89.92

<209.86.89.63 209.86.89.64 209.86.89.65 209.86.89.92 not listed>

209.86.89.66 listed in bl.spamcop.net
will be delisted automatically in approximately 20 hours.
has sent mail to SpamCop spam traps in the past week
users have reported system as a source of spam
has been listed for less than 24 hours.

Both of those, .70 and .66, are EL output servers.
Generally the SC parser avoids naming a server as a spamsource if there is a user IP behind it. Generally in the case of servers getting listed it is not for 'spam' per se, but some other abusive server behavior which is spamcop reportable.

The most common server behaviors which are spamcop reportable are misdirected bounces and challenges. EL isn't configured for doing misdirected bounces, but it is definitely configured to perform challenges.

That challenge behavior has been pointed out to EL as abusive many many many times in the past. I am an EL subscriber, and I have personally told EL about the problem of allowing users to configure to perform challenges to suspect mail -- numerous times in the EL support ng/s. In addition, whenever EL accepts a report about their servers performing abusive actions they find out about it.

The problem is that EL's default medium spamblocker identifies known spam. That isn't a problem. However, the user can optionally configure to high spamblocker. When they do, the new default condition is to challenge the items which are not known spam and are not whitelisted.

EL's known spam filter is 'leaky' -- resulting in spam getting past the known and into the Suspect folder. Spam From is bogus and is likely to be the addy of a spamcop reporter or a spamcop spamtrap. When the EL server sends a challenge to the spamcop reporter or the spamtrap, it is reportable. That reporting results in the EL server becoming spamcop blocklisted. That spamcop blocklisting causes your mail to get rejected.

It is as 'simple' as that. Your provider is manufacturing abusive emails. You are trying to use the server which has been reported as abusive. Your recipient is using the SCbl to guard against spam and other abusive mail and your mail has become 'collateral damage' as a result of your recipient's spam strategies and modern day blocklisting of challenging servers.
EL subscribers should be complaining to EL about running servers which get themselves blocklisted and which causes problems with their mail delivery.

--
Mike Easter
kibitzer, not SC admin

From das at spamcop.net Thu Mar 23 07:30:13 2006
From: das at spamcop.net (Debbie the Dogged)
Date: Thu Mar 23 10:35:03 2006
Subject: [SpamCop-Mail] Anyone else having problems with pop.spamcop.net?
Message-ID:

I can get to webmail just fine but getting a "connection refused", since last night, when I try to pop the mail down.

Thanks,

--
Debbie the Dogged
das at spamcop dot net
"Poodles are space aliens who think they've disguised themselves as dogs."
- Paghat the Ratgirl

From das at spamcop.net Thu Mar 23 07:36:31 2006
From: das at spamcop.net (Debbie the Dogged)
Date: Thu Mar 23 10:40:03 2006
Subject: [SpamCop-Mail] Re: Anyone else having problems with pop.spamcop.net?
References:
Message-ID:

In article , das@spamcop.net says...
> I can get to webmail just fine but getting a "connection refused", since
> last night, when I try to pop the mail down.

Never mind. Operator error. I discovered I could telnet to the pop port just fine from my work computer, but not my home computer, so rebooted my home computer and all is well.

--
Debbie the Dogged
das at spamcop dot net
"Poodles are space aliens who think they've disguised themselves as dogs."
- Paghat the Ratgirl

From MikeE at ster.invalid Thu Mar 23 07:58:42 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Mar 23 11:00:02 2006
Subject: [SpamCop-Mail] Re: Anyone else having problems with pop.spamcop.net?
References:
Message-ID:

Debbie the Dogged wrote:
> I discovered I could telnet to the pop
> port just fine from my work computer, but not my home computer, so
> rebooted my home computer and all is well.

'Sick sockets' [whatever that means] which the reboot cured. Which Win version?
--
Mike Easter
kibitzer, not SC admin

From das at spamcop.net Thu Mar 23 08:36:14 2006
From: das at spamcop.net (Debbie the Dogged)
Date: Thu Mar 23 11:40:02 2006
Subject: [SpamCop-Mail] Re: Anyone else having problems with pop.spamcop.net?
References:
Message-ID:

In article , MikeE@ster.invalid says...
> Debbie the Dogged wrote:
>
> > I discovered I could telnet to the pop
> > port just fine from my work computer, but not my home computer, so
> > rebooted my home computer and all is well.
>
> 'Sick sockets' [whatever that means] which the reboot cured. Which Win
> version?

XP Pro SP2.

--
Debbie the Dogged
das at spamcop dot net
"Poodles are space aliens who think they've disguised themselves as dogs."
- Paghat the Ratgirl

From MikeE at ster.invalid Thu Mar 23 17:24:12 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Mar 23 20:25:02 2006
Subject: [SpamCop-Mail] Re: Anyone else having problems with pop.spamcop.net?
References:
Message-ID:

Debbie the Dogged wrote:
> MikeE@ster.invalid says...
>> Debbie the Dogged wrote:
>>> rebooted my home computer and all is well.
>>
>> 'Sick sockets' [whatever that means] which the reboot cured. Which
>> Win version?
>
> XP Pro SP2.

I asked because the various prior generations of Win were supposedly worse and improved. The 9x/es then the NT family then XP.

I searched on sick sockets but didn't find much, so maybe that wasn't a good or useful or communicative term.

I'll have to research a little to find out what I meant when I said sick sockets. "I'm thinking of something, what is it? Please explain, but don't make it too technical."

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Fri Mar 31 06:48:18 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Mar 31 09:50:03 2006
Subject: [SpamCop-Mail] Re: UMSY
References:
Message-ID:

D. T. wrote:
> I think the CBL blocking might be broken at the moment for those of
> us with SC email accounts. A few days ago, I too started seeing a
> flood of obvious stock pumps that my SC settings were no longer
> catching. Here are two tracking URLs:
> www.spamcop.net/sc?id=z893629776zd3d88b5dc4ce361f2ddffd2c9ddbfb0cz

That tracker doesn't show me evidence of passing thru' SC's mail filter -- there are no SC Xlines in the header. Yes, the source is currently CBL listed.

www.spamcop.net/sc?id=z893630493zb1c0b16af8742f09607ff4182a53754bz

Same thing, no SC Xlines.

When people with SC mail accounts look at something which was caught or missed by the SC filter, they use the Xlines to help figure out why.

--
Mike Easter
kibitzer, not SC admin
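
Two checks discussed in this archive can be done mechanically: reading the listed IP out of the `553 Blocked` rejection quoted in the "Why are you screwing with my mail?" messages, and comparing the CBL detection window with the Received time quoted in the UMSY messages. The following is an added example, not code from any poster or from SpamCop; the function names and the `refresh_interval` parameter are assumptions, and it makes no DNS query.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Strings quoted verbatim from messages in this archive.
REJECTION = ("host mx-4.iquest.net [206.246.180.54]: 553 Blocked - see "
             "http://www.spamcop.net/bl.shtml?209.86.89.70")
CBL_LOOKUP = ("IP Address 221.199.146.98 was found in the CBL. "
              "It was detected at 2006-03-09 12:00 GMT (+/- 30 minutes).")
RECEIVED = "by mx53.cesmail.net with SMTP; 9 Mar 2006 12:32:40 -0000"


def dnsbl_query_name(ip, zone):
    """Name a mail server looks up: reversed IPv4 octets + blocklist zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # raises on bad input
    return ".".join(reversed(octets)) + "." + zone


def parse_rejection(text):
    """Extract (smtp_code, listed_ip) from a 'Blocked - see ...bl.shtml?ip' reply."""
    m = re.search(r"\b([45]\d\d) Blocked - see \S*bl\.shtml\?([0-9.]+)", text)
    if not m:
        return None
    return int(m.group(1)), str(ipaddress.IPv4Address(m.group(2)))


def parse_cbl_detection(text):
    """Return (ip, detected_at_utc, tolerance) from the CBL lookup sentence."""
    m = re.search(r"IP Address ([0-9.]+) was found in the CBL\. It was detected at "
                  r"(\d{4}-\d\d-\d\d \d\d:\d\d) GMT \(\+/- (\d+) minutes\)", text)
    if not m:
        return None
    when = datetime.strptime(m.group(2), "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)
    return m.group(1), when, timedelta(minutes=int(m.group(3)))


def parse_received_time(header):
    """Timestamp after the last ';' of a Received line, normalised to UTC."""
    stamp = parsedate_to_datetime(header.rsplit(";", 1)[1].strip())
    if stamp.tzinfo is None:          # '-0000' parses as a naive datetime
        stamp = stamp.replace(tzinfo=timezone.utc)
    return stamp.astimezone(timezone.utc)


def listing_lead(detected, tolerance, received):
    """(shortest, longest) time the listing could have existed before delivery."""
    return received - (detected + tolerance), received - (detected - tolerance)


def verdict(lead, refresh_interval):
    """Classify a miss. refresh_interval is an assumed delay between the list
    being updated and the receiving filter seeing the update."""
    shortest, longest = lead
    if longest < timedelta(0):
        return "not-yet-listed"       # mail arrived before any possible listing
    if shortest < refresh_interval:
        return "possible-race"        # listing may not have reached the filter
    return "listed-in-time"           # a miss here points at filter configuration


if __name__ == "__main__":
    code, ip = parse_rejection(REJECTION)
    print(code, dnsbl_query_name(ip, "bl.spamcop.net"))
    cbl_ip, detected, tol = parse_cbl_detection(CBL_LOOKUP)
    lead = listing_lead(detected, tol, parse_received_time(RECEIVED))
    print(cbl_ip, lead[0], lead[1], verdict(lead, timedelta(minutes=15)))
```

For the quoted sample the listing preceded delivery by somewhere between 2 minutes 40 seconds and 1 hour 2 minutes 40 seconds, so whether it counts as a race depends entirely on the assumed refresh delay.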