From jbm at freeola.com Tue Dec 2 10:06:15 2008
From: jbm at freeola.com (JudyBM)
Date: Tue Dec 2 10:10:03 2008
Subject: [Scspamcop] Re: Spam list issue (we can't send email to our customer)
References:
Message-ID:

We had the same issue here and from another server I look after in South London. My only solution was to disable the protection from SpamCop and Spamhaus. I think someone has made an error and blocked the entire Internet.

Can you confirm this SpamCop?
Judy

"SpamCop Admin" wrote in message news:ge57j4la5ihd6cpevhrpkj9uf2dhquom2f@4ax.com...
> william wrote:
>>-Sent >>> RCPT TO:
>>-Received <<< 554 Service unavailable; Client host
>>-[pc125.solomon-systech.com] blocked by bl.spamcop.net; 202.76.106.125
>
> Ceva-dsp.com has a problem with their filtering setup. There is no
> reason to block mail from 202.76.106.125 and they certainly shouldn't
> be citing our service.
>
> 202.76.106.125 is not on our list and never has been. There are no
> SpamCop reports against it.
>
> http://www.mxtoolbox.com/blacklists.aspx
>
> As far as I can tell the IP is not listed by any blocking list.
>
> - Don D'Minion - SpamCop Admin -

From ppearson at nowhere.invalid Tue Dec 2 10:35:09 2008
From: ppearson at nowhere.invalid (Peter Pearson)
Date: Tue Dec 2 10:40:03 2008
Subject: [Scspamcop] Re: Spam list issue (we can't send email to our customer)
References:
Message-ID:

On Tue, 2 Dec 2008 15:06:15 -0000, JudyBM wrote:

[re-ordered chronologically]

> "SpamCop Admin" wrote in message
> news:ge57j4la5ihd6cpevhrpkj9uf2dhquom2f@4ax.com...
>> william wrote:
>>>-Sent >>> RCPT TO:
>>>-Received <<< 554 Service unavailable; Client host
>>>-[pc125.solomon-systech.com] blocked by bl.spamcop.net; 202.76.106.125
>>
>> Ceva-dsp.com has a problem with their filtering setup. There is no
>> reason to block mail from 202.76.106.125 and they certainly shouldn't
>> be citing our service.
>>
>> 202.76.106.125 is not on our list and never has been. There are no
>> SpamCop reports against it.
>>
>> http://www.mxtoolbox.com/blacklists.aspx
>>
>> As far as I can tell the IP is not listed by any blocking list.
>>
>> - Don D'Minion - SpamCop Admin -
>
> We had the same issue here and from another server I look after in South
> London. My only solution was to disable the protection from SpamCop and
> Spamhaus. I think someone has made an error and blocked the entire
> Internet.

By "had the same issue", do you mean that you received erroneous responses from Spamcop's blocking list?

--
To email me, substitute nowhere->spamcop, invalid->net.

From user at domain.invalid Tue Dec 2 10:59:28 2008
From: user at domain.invalid (Farelf)
Date: Tue Dec 2 11:00:03 2008
Subject: [Scspamcop] Re: Spam list issue (we can't send email to our customer)
In-Reply-To:
References:
Message-ID:

JudyBM wrote:
> We had the same issue here and from another server I look after in South
> London. My only solution was to disable the protection from SpamCop and
> Spamhaus. I think someone has made an error and blocked the entire
> Internet.
>
> Can you confirm this SpamCop?
> Judy

Don gave a lookup for multiple blocklists (below), another is http://www.robtex.com/ - do you see your IP address returning any hits in either/both? Other reasons are (poor) sender reputation score and lack of rDNS/rDNS not pointing to the host. Neither of which seems to be a problem with the O/P's stated address (though only SenderBase reputation checked) - http://www.senderbase.org/

rDNS

C:\Documents and Settings\Steve>nslookup
...

> set type=ptr
> 125.106.76.202.in-addr.arpa
...

Non-authoritative answer:
125.106.76.202.in-addr.arpa name = pc125.solomon-systech.com

>
>
> "SpamCop Admin" wrote in message
> news:ge57j4la5ihd6cpevhrpkj9uf2dhquom2f@4ax.com...
>
>>william wrote:
>>
>>>-Sent >>> RCPT TO:
>>>-Received <<< 554 Service unavailable; Client host
>>>-[pc125.solomon-systech.com] blocked by bl.spamcop.net; 202.76.106.125
>>
>>Ceva-dsp.com has a problem with their filtering setup. There is no
>>reason to block mail from 202.76.106.125 and they certainly shouldn't
>>be citing our service.
>>
>>202.76.106.125 is not on our list and never has been. There are no
>>SpamCop reports against it.
>>
>>http://www.mxtoolbox.com/blacklists.aspx
>>
>>As far as I can tell the IP is not listed by any blocking list.
>>
>>- Don D'Minion - SpamCop Admin -
>
>
>

From jbm at freeola.com Tue Dec 2 13:23:39 2008
From: jbm at freeola.com (JudyBM)
Date: Tue Dec 2 13:25:02 2008
Subject: [Scspamcop] Re: Spam list issue (we can't send email to our customer)
References:
Message-ID:

No, we are not blocked by any spamblocker lists. The problem as I said was resolved by removing the service from my mail server but to be clear... the problem we were experiencing is that we COULD send messages to the outside world.. but we were not receiving anything back and bounced messages were reported as being blocked by DNSBL etc. As soon as I disabled these services, the mail came flooding in.

Judy

"Farelf" wrote in message news:gh3m0u$lsk$1@news.spamcop.net...
> JudyBM wrote:
>> We had the same issue here and from another server I look after in South
>> London. My only solution was to disable the protection from SpamCop and
>> Spamhaus. I think someone has made an error and blocked the entire
>> Internet.
>>
>> Can you confirm this SpamCop?
>> Judy
>
> Don gave a lookup for multiple blocklists (below), another is
> http://www.robtex.com/ - do you see your IP address returning any hits in
> either/both? Other reasons are (poor) sender reputation score and lack of
> rDNS/rDNS not pointing to the host. Neither of which seems to be a
> problem with the O/P's stated address (though only SenderBase reputation
> checked) - http://www.senderbase.org/
>
> rDNS
>
> C:\Documents and Settings\Steve>nslookup
> ...
>
> > set type=ptr
> > 125.106.76.202.in-addr.arpa
> ...
>
> Non-authoritative answer:
> 125.106.76.202.in-addr.arpa name = pc125.solomon-systech.com
>
>
>
>
>>
>> "SpamCop Admin" wrote in message
>> news:ge57j4la5ihd6cpevhrpkj9uf2dhquom2f@4ax.com...
>>
>>>william wrote:
>>>
>>>>-Sent >>> RCPT TO:
>>>>-Received <<< 554 Service unavailable; Client host
>>>>-[pc125.solomon-systech.com] blocked by bl.spamcop.net; 202.76.106.125
>>>
>>>Ceva-dsp.com has a problem with their filtering setup. There is no
>>>reason to block mail from 202.76.106.125 and they certainly shouldn't
>>>be citing our service.
>>>
>>>202.76.106.125 is not on our list and never has been. There are no
>>>SpamCop reports against it.
>>>
>>>http://www.mxtoolbox.com/blacklists.aspx
>>>
>>>As far as I can tell the IP is not listed by any blocking list.
>>>
>>>- Don D'Minion - SpamCop Admin -
>>
>>

From MikeE at ster.invalid Tue Dec 2 16:25:54 2008
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Dec 2 16:30:03 2008
Subject: [Scspamcop] Re: Spam list issue (we can't send email to our customer)
References:
Message-ID:

JudyBM wrote:
> No, we are not blocked by any spamblocker lists. The problem as I said
> was resolved by removing the service from my mail server but to be
> clear... the problem we were experiencing is that we COULD send
> messages to the outside world.. but we were not receiving anything back
> and bounced messages were reported as being blocked by DNSBL etc. As
> soon as I disabled these services, the mail came flooding in.

Do I understand you to be saying that you are admin/ing a couple of mailservers which you had misconfigured?

Also, the communication process in a newsgroup will be very much facilitated by two very important steps.

#1 - trim (delete) all of the previous words or lines to which you are not directly replying
#2 - place your (next) words *under* those words you *are* directly replying

Illustrations:

http://www.anta.net/misc/nnq/nquote.shtml Q1: What is "quoting" in newsgroup postings?
- Q2: How should I use the quoted text and arrange it with my own text? - Q3: Why shouldn't I quote the entire posting that I'm responding to?

http://www.netmeister.org/news/learn2quote.html How do I quote correctly in Usenet? -- 2.1 How much should I quote? - 2.2 What should not be quoted? - 2.3 Why should I place my response below the quoted text?

--
Mike Easter
kibitzer, not SC admin

From Kevin_newsspam01 at devnull.invalid Tue Dec 2 23:29:33 2008
From: Kevin_newsspam01 at devnull.invalid (Kevin)
Date: Tue Dec 2 23:40:03 2008
Subject: [Scspamcop] Re: RFC 5321 and 5322
References:
Message-ID:

In message , Ellen writes
>A couple of new RFCs are available for those of you who like to read
>RFCs :-)
[..]
>RFC5321: It consolidates, updates and
> clarifies, but does not add new or change existing functionality of
> the following:
>
> o the original SMTP (Simple Mail Transfer Protocol) specification of
> RFC 821 [1],

Are there any plans to update http://spamcop.net/fom-serve/cache/329.html#bounces and http://spamcop.net/fom-serve/cache/329.html#bounceexplain to reflect the changes in 5321, especially the last paragraph of the new section 6.2?

http://tools.ietf.org/html/rfc5321#section-6.2

Bounces are no longer required, in fact they are discouraged in the case of identified 'attack' messages, which includes spam.

   Conversely, if a message is rejected because it is found to contain hostile content (a decision that is outside the scope of an SMTP server as defined in this document), rejection ("bounce") messages SHOULD NOT be sent unless the receiving site is confident that those messages will be usefully delivered. The preference and default in these cases is to avoid sending non-delivery messages when the incoming message is determined to contain hostile content.
--
Kevin

From jbm at freeola.com Wed Dec 3 06:29:20 2008
From: jbm at freeola.com (JudyBM)
Date: Wed Dec 3 06:30:03 2008
Subject: [Scspamcop] Re: Spam list issue (we can't send email to our customer)
References: <8o3cj4t5vtlfgivtfe1e8ovhh2pj3ctn41@4ax.com>
Message-ID:

May I ask what in the configuration changed on Saturday morning that was different to how it was over the past 3 years? SpamCop and Spamhaus were set up on my servers 3 years ago and have always proved to be one of the most helpful resources we've had... so much so, I have insisted everyone else (other network admins and clients) use it.

No one changed anything this end at all yet the mail stopped coming in. The mail only returned when I disabled the facility.

Look if you don't have a solution.. fair enough but I would like to continue to use the service if I can... I feel really vulnerable without it... I just need reassuring it won't happen again because it caused our company some significant loss at the weekend.

Thanks,

"SpamCop Admin" wrote in message news:8o3cj4t5vtlfgivtfe1e8ovhh2pj3ctn41@4ax.com...
> JudyBM wrote:
>>-The problem as I said was
>>-resolved by removing the service from my mail server
>>-we were not receiving anything
>
> SpamCop and SpamHaus are NOT listing the whole Internet.
>
> If you couldn't receive ANY mail at all while using those blocking
> services, it means your server filtering setup was misconfigured.
>
> http://www.spamcop.net/fom-serve/cache/290.html
> http://www.spamcop.net/fom-serve/cache/291.html
>
> Those FAQs may help.
>
> If mail you *SENT* was rejected citing our service as the reason, you
> can get information about your server's IP here:
>
> http://www.spamcop.net/bl.shtml
> http://www.senderbase.org/
> http://www.mxtoolbox.com/blacklists.aspx
>
> - Don D'Minion - SpamCop Admin -
> service AT admin.spamcop.net

From nobody at spamcop.net Wed Dec 3 06:56:27 2008
From: nobody at spamcop.net (Steven Underwood)
Date: Wed Dec 3 07:00:03 2008
Subject: [Scspamcop] Re: Spam list issue (we can't send email to our customer)
References: <8o3cj4t5vtlfgivtfe1e8ovhh2pj3ctn41@4ax.com>
Message-ID:

"JudyBM" wrote in message news:gh5qii$eei$1@news.spamcop.net...
> May I ask what in the configuration changed on Saturday morning that was
> different to how it was over the past 3 years?
> SpamCop and Spamhaus were set up on my servers 3 years ago and have always
> proved to be one of the most helpful resources we've had... so much so, I
> have insisted everyone else (other network admins and clients) use it.
>
> No one changed anything this end at all yet the mail stopped coming in.
> The mail only returned when I disabled the facility.
>
> Look if you don't have a solution.. fair enough but I would like to
> continue to use the service if I can...
> I feel really vulnerable without it... I just need reassuring it won't
> happen again because it caused our company some significant loss at the
> weekend.
>
> Thanks,
>

As SpamCopAdmin already stated, nothing changed on the blocklist end and if it did, you would not be the only person to notice. Something changed on your end (perhaps your DNS servers failed during that period). SpamCop and Spamhaus are completely different services hosted in different areas, so the fact that both of them were failing you indicates a problem closer to you (your ISP, perhaps).
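
Added example (not part of any post in this thread, and not SpamCop's or any mail server's own code): a Python check a mail server admin can run before trusting a configured DNSBL zone. It tests whether the zone answers for 127.0.0.1, which a working IPv4 DNSBL must never list (RFC 5782), and ignores zones that fail instead of rejecting mail on their answers. The zone names, sample records and function names are constructed for illustration.

```python
"""DNSBL zone sanity check. Zone names and sample records below are constructed."""
import socket


def dnsbl_query_name(ip, zone):
    """Build the DNSBL lookup name: reversed IPv4 octets prepended to the zone."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    return ".".join(reversed(octets)) + "." + zone.strip(".")


def system_resolver(name):
    """A records for name; [] if the name does not exist; None if the lookup failed."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        no_answer = {socket.EAI_NONAME, getattr(socket, "EAI_NODATA", socket.EAI_NONAME)}
        return [] if exc.errno in no_answer else None
    return sorted({info[4][0] for info in infos})


def zone_health(zone, resolver=system_resolver):
    """Classify a zone using the two RFC 5782 test points."""
    never_listed = resolver(dnsbl_query_name("127.0.0.1", zone))  # must NOT be listed
    test_entry = resolver(dnsbl_query_name("127.0.0.2", zone))    # must be listed
    if never_listed:
        return "lists-everything"   # wildcarded or hijacked zone
    if never_listed is None or test_entry is None:
        return "lookup-failed"      # resolver or network trouble: do not reject on this
    if not test_entry:
        return "no-test-entry"      # zone is dead or emptied
    return "ok"


def listed_on(ip, zones, resolver=system_resolver):
    """Return (hits, skipped): healthy zones that list ip, and zones ignored with the reason."""
    hits, skipped = [], {}
    for zone in zones:
        state = zone_health(zone, resolver)
        if state != "ok":
            skipped[zone] = state
            continue
        answer = resolver(dnsbl_query_name(ip, zone))
        # DNSBL return codes live in 127.0.0.0/8; anything else is not a listing.
        if answer and all(a.startswith("127.") for a in answer):
            hits.append(zone)
    return hits, skipped


def make_fake_resolver(records, wildcards, broken):
    """Offline stand-in for DNS so the example runs without network access."""
    def resolve(name):
        if any(name.endswith(suffix) for suffix in broken):
            return None
        for suffix, addr in wildcards.items():
            if name.endswith(suffix):
                return [addr]
        return records.get(name, [])
    return resolve


# Constructed sample data: one healthy zone, one wildcarded, one unreachable, one dead.
ZONES = ["healthy.dnsbl.example", "wildcard.dnsbl.example",
         "down.dnsbl.example", "dead.dnsbl.example"]
FAKE = make_fake_resolver(
    records={
        "2.0.0.127.healthy.dnsbl.example": ["127.0.0.2"],
        "25.2.0.192.healthy.dnsbl.example": ["127.0.0.2"],
    },
    wildcards={".wildcard.dnsbl.example": "127.0.0.1"},
    broken=(".down.dnsbl.example",),
)

if __name__ == "__main__":
    for zone in ZONES:
        print(zone, "->", zone_health(zone, FAKE))
    print(listed_on("192.0.2.25", ZONES, FAKE))
    print(listed_on("198.51.100.7", ZONES, FAKE))
```

Called with the default resolver, `zone_health("bl.example.org")` performs real lookups through the system's configured DNS, so a "lookup-failed" result for every zone points at the local resolver rather than at the lists.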

From nobody at spamcop.net Wed Dec 3 08:19:09 2008
From: nobody at spamcop.net (Ellen)
Date: Wed Dec 3 08:20:04 2008
Subject: [Scspamcop] Re: Spam list issue (we can't send email to our customer)
In-Reply-To:
References: <8o3cj4t5vtlfgivtfe1e8ovhh2pj3ctn41@4ax.com>
Message-ID:

JudyBM wrote:
> May I ask what in the configuration changed on Saturday morning that was
> different to how it was over the past 3 years?

Nothing changed here at SpamCop -- I can't speak for SpamHaus but I suspect if something changed there I would have heard about it ....

Please check with your ISP/hosting provider/transit provider and ask if they had an outage. You might also ask a couple of the folks who you expected to get mail from if they got rejects or bounces and if so to send them along to you so you can see what the reject/bounce said.

I suspect whatever the cause of the outage that it was neither SC or SH and that it was quickly resolved and your removing the lists from your server was coincidental assuming you have made no changes at all to your server software or hardware ...

Ellen
SpamCop

From MikeE at ster.invalid Wed Dec 3 10:39:15 2008
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Dec 3 10:40:03 2008
Subject: [Scspamcop] Re: Spam list issue (we can't send email to our customer)
References: <8o3cj4t5vtlfgivtfe1e8ovhh2pj3ctn41@4ax.com>
Message-ID:

william wrote:
> We still received the below message from spamcop, however, our company
> IP (202.76.106.125) is not listing in your spam list. Please let me
> know how to solve it.
>
> Error:
> Sent >>> RCPT TO:
> Received <<< 554 Service unavailable; Client host
> [pc125.solomon-systech.com] blocked by bl.spamcop.net; 202.76.106.125

This william posted result above was caused by a misconfigured (incoming) mailserver filter.

JudyBM wrote:
> No, we are not blocked by any spamblocker lists. The problem as I said
> was resolved by removing the service from my mail server but to be
> clear... the problem we were experiencing is that we COULD send
> messages to the outside world.. but we were not receiving anything back
> and bounced messages were reported as being blocked by DNSBL etc. As
> soon as I disabled these services, the mail came flooding in.

This JudyBM problem above sounds like it was caused by a misconfigured incoming mailserver filter also.

It would be better to do an adequate mailserver administrator job of troubleshooting the mailserver's filter configuration than to simply (permanently) disable the filtering because of lack of adequate troubleshooting.

When you attempt to communicate by top posting as you do, it isn't clear what you are perceiving or even whether or not you are seeing when you read this information below:

SpamCop Admin wrote:
> If you couldn't receive ANY mail at all while using those blocking
> services, it means your server filtering setup was misconfigured.
>
> http://www.spamcop.net/fom-serve/cache/290.html
> http://www.spamcop.net/fom-serve/cache/291.html

Some top posters read just a few lines and then stop reading without reading comprehensively and hit reply and start typing some nonresponsive reply.

--
Mike Easter
kibitzer, not SC admin

From nobody at spamcop.net Wed Dec 3 11:33:42 2008
From: nobody at spamcop.net (Bar0)
Date: Wed Dec 3 11:35:04 2008
Subject: [Scspamcop] Re: Spam list issue (we can't send email to our customer)
References: <8o3cj4t5vtlfgivtfe1e8ovhh2pj3ctn41@4ax.com>
Message-ID:

"Mike Easter" wrote in message news:gh696i$ub5$1@news.spamcop.net...
> william wrote:
>> ...
>
> JudyBM wrote:
>> ...

Hmmm... posting styles are so similar, although "William" did start contextual replies after only one nudge, but I gotta wonder about Judy, Trolling perhaps?

From jbm at freeola.com Wed Dec 3 11:40:57 2008
From: jbm at freeola.com (JudyBM)
Date: Wed Dec 3 11:45:04 2008
Subject: [Scspamcop] Re: Spam list issue (we can't send email to our customer)
References: <8o3cj4t5vtlfgivtfe1e8ovhh2pj3ctn41@4ax.com>
Message-ID:

"Mike Easter" wrote in message news:gh696i$ub5$1@news.spamcop.net...
> william wrote:
>> We still received the below message from spamcop, however, our company
>> IP (202.76.106.125) is not listing in your spam list. Please let me
>> know how to solve it.
>>
>> Error:
>> Sent >>> RCPT TO:
>> Received <<< 554 Service unavailable; Client host
>> [pc125.solomon-systech.com] blocked by bl.spamcop.net; 202.76.106.125
>
> This william posted result above was caused by a misconfigured (incoming)
> mailserver filter.
>
> JudyBM wrote:
>> No, we are not blocked by any spamblocker lists. The problem as I said
>> was resolved by removing the service from my mail server but to be
>> clear... the problem we were experiencing is that we COULD send
>> messages to the outside world.. but we were not receiving anything back
>> and bounced messages were reported as being blocked by DNSBL etc. As
>> soon as I disabled these services, the mail came flooding in.
>
> This JudyBM problem above sounds like it was caused by a misconfigured
> incoming mailserver filter also.
>
> It would be better to do an adequate mailserver administrator job of
> troubleshooting the mailserver's filter configuration than to simply
> (permanently) disable the filtering because of lack of adequate
> troubleshooting.
>
> When you attempt to communicate by top posting as you do, it isn't clear
> what you are perceiving or even whether or not you are seeing when you
> read this information below:
>
> SpamCop Admin wrote:
>> If you couldn't receive ANY mail at all while using those blocking
>> services, it means your server filtering setup was misconfigured.
>>
>> http://www.spamcop.net/fom-serve/cache/290.html
>> http://www.spamcop.net/fom-serve/cache/291.html
>
> Some top posters read just a few lines and then stop reading without
> reading comprehensively and hit reply and start typing some nonresponsive
> reply.
>
>
>
> --
> Mike Easter
> kibitzer, not SC admin
>

Okay..firstly.. this was never meant to be a blame or name calling situation.. it was an enquiry. I posted the message while looking to see if anyone else had the issue. The facility was disabled because it was the easiest way to resolve the issue first thing on a Monday morning. The setup here was originally configured by Microsoft tech remotely and its config copied to the other company I mentioned. Since 2005, the service has been running very well indeed and I applaud the service offered by any SpamBlack lister company. Trying to say that this is a problem because of the way it was set up does not help because it was set up years ago with no issues until last weekend. Blaming ISP's is also futile as explained earlier, another company that I support also had the same problem and was resolved in the same way. The other company has a different ISP and is 10 miles away so it can't even be blamed on the exchange. In all fairness. SpamCop and Spamhaus are not the only Spamblack listers on the settings so perhaps it was caused by someone else. I needed to know if there was an issue... and you have said there was not. Thanks for your efforts guys but I still need to know where this problem came from .... this was definitely NOT an individual situation and as soon as I find the root of the problem, I will let you know.

Regards,
Judy

From MikeE at ster.invalid Wed Dec 3 11:47:44 2008
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Dec 3 11:50:03 2008
Subject: [Scspamcop] Re: Spam list issue (we can't send email to our customer)
References: <8o3cj4t5vtlfgivtfe1e8ovhh2pj3ctn41@4ax.com>
Message-ID:

Bar0 wrote:
> "Mike Easter"
>> william wrote:
>>> ...
>>
>> JudyBM wrote:
>>> ...
>
> Hmmm... posting styles are so similar, although "William" did start
> contextual replies after only one nudge, but I gotta wonder about Judy,
> Trolling perhaps?

I definitely don't think they are the same person as they are sourced differently and the nature of the problem was different.

William's problem was that he - his outgoing mail - got a rejection from a mailserver which was misconfigured to say that the rejection was based on the scbl which rejection message was 'wrong' - errant - 'bogus'.

JudyBM's problem is that she is responsible for admin/ing some mailserver, but she didn't know how to troubleshoot the problem with incoming which arose. Her outgoing was and her incoming wasn't. Those who attempted to email her who got bounces somehow told her "bounced messages were reported as being blocked by DNSBL etc" -- whatever that means exactly.

At least that's the way I understand the scenario which I found lacking of adequate description.

Other fragments of the scenario are that she turned off the filtering and that incoming is again. Further, that she somehow interpreted the trouble as related to blocklists such as spamhaus & scbl and that she is accustomed only to communicating as in corporate email TOFU topposting and not familiar nor receptive to suggestions about newsgroup communication problems.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Wed Dec 3 12:09:06 2008
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Dec 3 12:10:03 2008
Subject: [Scspamcop] Re: Spam list issue (we can't send email to our customer)
References: <8o3cj4t5vtlfgivtfe1e8ovhh2pj3ctn41@4ax.com>
Message-ID:

JudyBM wrote:
> "Mike Easter"
>> This william posted result above was caused by a misconfigured
>> (incoming) mailserver filter.
>> This JudyBM problem above sounds like it was caused by a misconfigured
>> incoming mailserver filter also.

> Trying to say that this is a problem because of the way it was set up
> does not help because it was set up years ago with no issues until last
> weekend. Blaming ISP's is also futile as explained earlier, another
> company that I support also had the same problem and was resolved in
> the same way. The other company has a different ISP and is 10 miles
> away so it can't even be blamed on the exchange.

If I try to mail something to raffingers-stuart.co.uk then I have to find out that its primary mailserver is mail.raffingers-stuart.co.uk at 82.133.0.3 which nameservice is coming from oh2.co.uk

Then if my mail is able to hit that mailserver because that nameservice worked and then that previously reliable MX mailserver is now rejecting all mail by giving it a 'bogus-labeled' bounce (example like William's) which says that my sending IP is blocklisted by mail.raffingers-stuart.co.uk blocklisting algorithms or software, but that message is bogus as concluded for William's case, then the mail.raffingers-stuart.co.uk filtering algo/software/configuration isn't working right.

If the scenario is unfolding differently than that, then there needs to be a clearer picture of what happened after some more troubleshooting.

--
Mike Easter
kibitzer, not SC admin

From OCXZIBYDBUTE at spammotel.com Wed Dec 3 14:11:35 2008
From: OCXZIBYDBUTE at spammotel.com (Karl-Josef Ziegler)
Date: Wed Dec 3 14:15:03 2008
Subject: [Scspamcop] Re: Spam list issue (we can't send email to our customer)
In-Reply-To:
References: <8o3cj4t5vtlfgivtfe1e8ovhh2pj3ctn41@4ax.com>
Message-ID:

JudyBM wrote:
> Trying to say that this is a problem because of the way it was set up does
> not help because it was set up years ago with no issues until last weekend.

Only a question: are there any automatic (software) updates scheduled on weekends?

Regards,
- Karl-Josef

From blacklist-me at davjam.org Wed Dec 3 16:18:59 2008
From: blacklist-me at davjam.org (David Bolt)
Date: Wed Dec 3 16:25:03 2008
Subject: [Scspamcop] Re: Spam list issue (we can't send email to our customer)
References: <8o3cj4t5vtlfgivtfe1e8ovhh2pj3ctn41@4ax.com>
Message-ID:

On Wed, 3 Dec 2008, JudyBM wrote:-

>In all fairness. SpamCop and Spamhaus are not the only Spamblack listers on
>the settings so perhaps it was caused by someone else. I needed to know if
>there was an issue... and you have said there was not.

It might be an idea to post the list of external block lists you're using, just in case one of them is defunct. You might want to specifically check for block lists that use dnsrbl.net[0][1] as that domain was wildcarded and all queries returned 127.0.0.1.

>Thanks for your efforts guys but I still need to know where this problem
>came from .... this was definately NOT an individual situation and as soon
>as I find the root of the problem, I will let you know.

One thing you really need to do is to (very) regularly check to make sure the block lists you're using are still up and running. One place to start is to check here:

[0] A block list that stopped working back in 2005. From a thread on the spam-l mailing list with the first posting made on Monday, it appears that someone changed the addresses for dnsrbl.net DNS servers for dnsrbl.net to those provided by suavemente. This wouldn't have been much of a problem if their techs hadn't decided that, even though they didn't actually host that domain, it would be a good idea to return a positive response rather than an NXDOMAIN. The end results were that they re-activated the DNSBL in "list-the-world" mode.

[1] There's mention of the mayhem caused in a few places:

Regards,
David Bolt

--
Team Acorn: http://www.distributed.net/ OGR-NG @ ~100Mnodes RC5-72 @ ~1Mkeys/s
SUSE 10.1 32 | | openSUSE 10.3 32b | openSUSE 11.0 32b | openSUSE 10.2 64b | openSUSE 10.3 64b | openSUSE 11.0 64b
RISC OS 3.6 | TOS 4.02 | openSUSE 10.3 PPC | RISC OS 3.11

From connyank at cox.net Fri Dec 5 21:11:22 2008
From: connyank at cox.net (jg)
Date: Fri Dec 5 21:15:04 2008
Subject: [Scspamcop] msg contains no date?
Message-ID:

http://www.spamcop.net/sc?id=z2435667199z7f5841cd1b51d20dfa07cedb7fbed9d2z

maybe I missed a thread in the past, but haven't seen this response before.

what am I missing?

From MikeE at ster.invalid Fri Dec 5 23:17:07 2008
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Dec 5 23:20:03 2008
Subject: [Scspamcop] Re: msg contains no date?
References:
Message-ID:

jg wrote:
> http://www.spamcop.net/sc?id=z2435667199z7f5841cd1b51d20dfa07cedb7fbed9d2z
>
> maybe I missed a thread in the past, but haven't seen this response
> before.
>
> what am I missing?

I don't have an answer.

It isn't possible for me to experimentally tinker with a date issue on your mailhosted parse because there is a difference between how the parser handles the date for mailhosted parses compared to non-mailhosted and my experiments are done with a nonmailhosted account.

For nonmailhosted, the parser chains back the same way to the source as it did for your mailhosted parse, but instead of determining 'no date' it currently determines the item is 5 hours old and offers to report.

http://www.spamcop.net/sc?id=z2435796238z705956d2c1073e02011b64b27d7a44bez
Message is 5 hours old
Report Spam to:
Re: 134.84.135.6 (Administrator of network where email originates)
To: abuse@umn.edu (refuses munged reports) (Notes)

The date determination algo for mailhosted accounts is flawed compared to nonmailhosted, but this is the worst flawed behavior I've seen.
I think the algo should be rewritten to determine the date the same way for mailhosted and nonmailhosted.

--
Mike Easter
kibitzer, not SC admin

From nobody at spamcop.net Sat Dec 6 07:19:40 2008
From: nobody at spamcop.net (Ellen)
Date: Sat Dec 6 07:25:03 2008
Subject: [Scspamcop] Re: msg contains no date?
In-Reply-To:
References:
Message-ID:

jg wrote:
> http://www.spamcop.net/sc?id=z2435667199z7f5841cd1b51d20dfa07cedb7fbed9d2z
>
> maybe I missed a thread in the past, but haven't seen this response before.
>
> what am I missing?

I think it is because this received header is missing a ; prior to the datestamp and therefore the parser cannot "see" the datestamp:

Received: from vs-w.tc.umn.edu (natpool-pub.oit.umn.edu [134.84.135.6]) by mta-m3.tc.umn.edu (UMN smtpd) with ESMTP Fri, 5 Dec 2008 16:43:25 -0600 (CST)

There should be a ; after the last phrase before the datestamp/timestamp.

Ellen
SpamCop

From MikeE at ster.invalid Sat Dec 6 11:44:01 2008
From: MikeE at ster.invalid (Mike Easter)
Date: Sat Dec 6 11:45:03 2008
Subject: [Scspamcop] Re: msg contains no date?
References:
Message-ID:

Ellen wrote:
> jg wrote:
>> what am I missing?
>
>
> I think it is because this received header is missing a ; prior to the
> datestamp and therefore the parser cannot "see" the datestamp:

Aha! Good job. I was looking for some little punctuation or configuration variation but I overlooked that deficiency. I believe/ am sure/ that semicolon punctuation is RFC required syntax.

That's another reason that the mailhosted parse shouldn't be reaching way down there for a critical/essential datum of the date from a traceline instead of taking it from the first 'good' traceline of the chain as it does for the nonmailhosted.

--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Mon Dec 8 13:57:55 2008
From: nobody at devnull.spamcop.net (Twayne)
Date: Mon Dec 8 14:00:03 2008
Subject: [Scspamcop] Re: Spam list issue (we can't send email to our customer)
References: <8o3cj4t5vtlfgivtfe1e8ovhh2pj3ctn41@4ax.com>
Message-ID:

David Bolt said:
> On Wed, 3 Dec 2008, JudyBM wrote:-
>
>
>
>

That link is coming up 404 Not Found. Typo?

Twayne

>
>
> [0] A block list that stopped working back in 2005. From a thread on
> the spam-l mailing list with the first posting made on Monday, it
> appears that someone changed the addresses for dnsrbl.net DNS servers
> for dnsrbl.net to those provided by suavemente. This wouldn't have
> been much of a problem if their techs hadn't decided that, even
> though they didn't actually host that domain, it would be a good idea
> to return a positive response rather than an NXDOMAIN. The end
> results were that they re-activated the DNSBL in "list-the-world"
> mode.
>
> [1] There's mention of the mayhem caused in a few places:
>
>
>
>
>
>
>
> Regards,
> David Bolt

From blacklist-me at davjam.org Mon Dec 8 14:58:27 2008
From: blacklist-me at davjam.org (David Bolt)
Date: Mon Dec 8 15:05:04 2008
Subject: [Scspamcop] Re: Spam list issue (we can't send email to our customer)
References: <8o3cj4t5vtlfgivtfe1e8ovhh2pj3ctn41@4ax.com>
Message-ID: <2xePHvBjxXPJFwzJ@dev.null.davjam.org>

On Mon, 8 Dec 2008, Twayne wrote:-
>
>David Bolt said:
>> On Wed, 3 Dec 2008, JudyBM wrote:-
>>
>>
>>
>>
>
>That link is coming up 404 Not Found. Typo?

Worked fine just now. Try this one instead:

This will/should take you to the same page, with a preview at tinyurl.com first, where there's presently a list of 127 dead DNSBL zones.

Regards,
David Bolt

--
Team Acorn: http://www.distributed.net/ OGR-NG @ ~100Mnodes RC5-72 @ ~1Mkeys/s
SUSE 10.1 32 | | openSUSE 10.3 32b | openSUSE 11.0 32b | openSUSE 10.2 64b | openSUSE 10.3 64b | openSUSE 11.0 64b
RISC OS 3.6 | TOS 4.02 | openSUSE 10.3 PPC | RISC OS 3.11

From nobody at devnull.spamcop.net Mon Dec 8 14:54:12 2008
From: nobody at devnull.spamcop.net (Wazoo)
Date: Mon Dec 8 15:25:03 2008
Subject: [Scspamcop] Re: Spam list issue (we can't send email to our customer)
References: <8o3cj4t5vtlfgivtfe1e8ovhh2pj3ctn41@4ax.com>
Message-ID:

"Twayne" wrote in message news:ghjqlg$tts$1@news.spamcop.net...
>
> David Bolt said:
>> On Wed, 3 Dec 2008, JudyBM wrote:-
>>
>>
>>
>>
>
> That link is coming up 404 Not Found. Typo?

Works from here. Try this without the URL: inclusion;
http://spamlinks.net/filter-dnsbl-dead.htm

From nobody at devnull.spamcop.net Wed Dec 10 18:07:31 2008
From: nobody at devnull.spamcop.net (Twayne)
Date: Wed Dec 10 18:10:03 2008
Subject: [Scspamcop] Re: Spam list issue (we can't send email to our customer)
References: <8o3cj4t5vtlfgivtfe1e8ovhh2pj3ctn41@4ax.com>
Message-ID:

Huh, clicking either link works now, which is surprising because about half the net's missing here. Thanks though Wazoo, appreciate your effort. Had I been thinking faster, I probably would have realized there were possible weather problems here on the east coast due to the weather. Anything going north-bound from Syracuse NY seems to be in a lot of trouble but the other compass points are working. I couldn't even get to my own website about an hour ago; today's been especially bad. Snow, then rain, then ice and now snow again on top of between 1/4" & 1/2" of ice.

And to whoever posted that link: Thanks!

Twayne

> "Twayne" wrote in message
> news:ghjqlg$tts$1@news.spamcop.net...
>>
>> David Bolt said:
>>> On Wed, 3 Dec 2008, JudyBM wrote:-
>>>
>>>
>>>
>>>
>>
>> That link is coming up 404 Not Found. Typo?
>
> Works from here. Try this without the URL: inclusion;
> http://spamlinks.net/filter-dnsbl-dead.htm

From nobody at devnull.spamcop.net Thu Dec 11 20:58:16 2008
From: nobody at devnull.spamcop.net (Patto)
Date: Thu Dec 11 21:00:03 2008
Subject: [Scspamcop] What's wrong with Spamcop?
Message-ID:

http://www.spamcop.net/sc?id=z2448957069ze7aaec19f679a2455a7a79dfbcfa28c3z

This, and many other (especially .ru domains) give the following error for the spamvertized URL

Host freenevesta.ru (checking ip) IP not found ; freenevesta.ru discarded as fake.

Why is that? When I check the IP address of the above host, I get 209.160.21.125 immediately.

So why can SC not find an IP address?

Moreover, if I press the browser's refresh key enough times (10~20), then eventually SC gives up its resistance and finds the IP address.

From MikeE at ster.invalid Thu Dec 11 22:31:36 2008
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Dec 11 22:35:03 2008
Subject: [Scspamcop] Re: What's wrong with Spamcop?
References:
Message-ID:

Patto wrote:
> Host freenevesta.ru (checking ip) IP not found ; freenevesta.ru
> discarded as fake.
>
> Why is that? When I check the IP address of the above host, I get
> 209.160.21.125 immediately.

I don't see 'immediately'. That name takes *forever* to resolve. Any sensible DNS would time out. SC's resolver doesn't fiddle around with slow nameservice -- especially those that don't want to resolve for SC at all.

> So why can SC not find an IP address?
>
> Moreover, if I press the browser's refresh key enough times (10~20),
> then eventually SC gives up its resistance and finds the IP address.

Eventually the nameservice for the .ru works. The primary nameserver for the domain is at the same IP address as the MX for the domain.

I'm sure that if you took that name to DNSstuff and did the dns timing test on it, the nameservice would get an F rating.
-- Mike Easter kibitzer, not SC admin From mr206 at spamtrackers.eu Fri Dec 12 00:50:47 2008 From: mr206 at spamtrackers.eu (mr206) Date: Fri Dec 12 00:55:03 2008 Subject: [Scspamcop] Re: What's wrong with Spamcop? In-Reply-To: References: Message-ID: Patto wrote: > http://www.spamcop.net/sc?id=z2448957069ze7aaec19f679a2455a7a79dfbcfa28c3z > > This, and many other (especially .ru domains) give the following error > for the spamvertized URL > > Host freenevesta.ru (checking ip) IP not found ; freenevesta.ru > discarded as fake. > > Why is that? When I check the IP address of the above host, I get > 209.160.21.125 immediately. > > So why can SC not find an IP address? > > Moreover, if I press the browser's refresh key enough times (10~20), > then eventually SC gives up its resistance and finds the IP address. SC considers spamvertized domains a lower priority and the parser has to contend with the body of the evem, which may contain horrible HTML coding. Also, there are instances where some spammers completely block the IPs that SpamCop uses from accessing their site, so the parser can't determine that it's a real site. From nobody at devnull.spamcop.net Fri Dec 12 02:37:07 2008 From: nobody at devnull.spamcop.net (Patto) Date: Fri Dec 12 02:40:04 2008 Subject: [Scspamcop] Re: What's wrong with Spamcop? In-Reply-To: References: Message-ID: Mike Easter wrote: > Patto wrote: > >> Host freenevesta.ru (checking ip) IP not found ; freenevesta.ru >> discarded as fake. >> >> Why is that? When I check the IP address of the above host, I get >> 209.160.21.125 immediately. > > I don't see 'immediately'. That name takes *forever* to resolve. Any > sensible DNS would time out. SC's resolver doesn't fiddle around with > slow nameservice -- especially those that don't want to resolve for SC at > all. Thanks for the reply. I used Sam Spade, which responded in the milliseconds range. But then it may use another (local) name server. 
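The exchange above turns on resolver patience: a lookup with a short deadline gives up on a slow nameserver while a patient or cached lookup gets the address. The following is an added example, not SpamCop's code and not from any poster; the loopback server, its delay and the function names are constructed for illustration, and only the host name and address come from the thread.

```python
import secrets
import socket
import struct
import threading
import time

SAMPLE_NAME = "freenevesta.ru"   # host name quoted in the thread
SAMPLE_ADDR = "209.160.21.125"   # address the poster reported for it


def read_name(msg, pos):
    """Decode a DNS name at pos; return (dotted name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:                  # compression pointer
            hops += 1
            if hops > 8:
                raise ValueError("pointer loop")
            end = pos + 2 if end is None else end
            pos = ((length & 0x3F) << 8) | msg[pos + 1]
            continue
        pos += 1
        if length == 0:
            return ".".join(labels), (pos if end is None else end)
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length


def build_query(txid, name):
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    # Header (RD set, one question), then QNAME, QTYPE=A, QCLASS=IN.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def build_reply(query, zone):
    """Constructed authoritative reply: an A record if the name is in zone, else NXDOMAIN."""
    name, qend = read_name(query, 12)
    question = query[12:qend + 4]
    addr = zone.get(name.lower())
    if addr is None:
        return query[:2] + struct.pack("!HHHHH", 0x8503, 1, 0, 0, 0) + question
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(addr)
    return query[:2] + struct.pack("!HHHHH", 0x8500, 1, 1, 0, 0) + question + answer


def start_slow_server(delay, zone):
    """Serve zone on a loopback UDP port, answering each query after delay seconds."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))
    sock.settimeout(0.1)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                query, client = sock.recvfrom(512)
                time.sleep(delay)
                sock.sendto(build_reply(query, zone), client)
            except (OSError, ValueError, IndexError):
                continue                           # idle poll or junk packet
        sock.close()

    threading.Thread(target=serve, daemon=True).start()
    return sock.getsockname(), stop.set


def resolve_a(name, server, timeout):
    """One A query with a hard deadline; returns (status, address or None)."""
    txid = secrets.randbits(16)
    deadline = time.monotonic() + timeout
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(build_query(txid, name), server)
        while True:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                return ("timeout", None)
            sock.settimeout(remaining)
            try:
                reply, peer = sock.recvfrom(512)
            except socket.timeout:
                return ("timeout", None)
            if peer != server or len(reply) < 12:
                continue                           # not from the server we asked
            rid, flags, _qd, ancount = struct.unpack("!HHHH", reply[:8])
            if rid != txid:
                continue                           # stale or spoofed reply
            if flags & 0x000F == 3:
                return ("nxdomain", None)
            if flags & 0x000F != 0 or ancount == 0:
                return ("error", None)
            _, pos = read_name(reply, 12)
            _, pos = read_name(reply, pos + 4)     # skip QTYPE/QCLASS, then answer name
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", reply[pos:pos + 10])
            if rtype == 1 and rdlen == 4:          # only the first answer is examined
                return ("resolved", socket.inet_ntoa(reply[pos + 10:pos + 14]))
            return ("error", None)


def parser_verdict(status):
    """What a report parser can safely conclude from each lookup status."""
    known = {"resolved": "host exists", "nxdomain": "host does not exist"}
    return known.get(status, "unknown: retry or use a longer timeout")


if __name__ == "__main__":
    server, stop = start_slow_server(0.5, {SAMPLE_NAME: SAMPLE_ADDR})
    for limit in (0.1, 2.0):
        status, addr = resolve_a(SAMPLE_NAME, server, limit)
        print(f"timeout={limit}s -> {status} {addr or ''} ({parser_verdict(status)})")
    stop()
```

A timeout and an NXDOMAIN are different evidence: only the second says the name does not exist, which is why repeated attempts against a slow nameserver can eventually succeed.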
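Earlier in this archive, David Bolt's footnote describes dnsrbl.net answering every query positively ("list-the-world" mode), which is how a mail server that trusts a dead zone ends up rejecting all senders. The check below is an added example, not code from SpamCop or any poster: it uses the RFC 5782 test entries (127.0.0.2 must be listed, 127.0.0.1 must not) to skip unhealthy zones; the resolver data, the zone `dead.example` and the listed address 192.0.2.25 are constructed.

```python
import ipaddress
import socket

TEST_LISTED = "127.0.0.2"      # RFC 5782: an IPv4 DNSBL must list this test address
TEST_NOT_LISTED = "127.0.0.1"  # RFC 5782: and must never list this one
LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_qname(ip, zone):
    """Reverse the octets and append the zone, e.g. 125.106.76.202.bl.spamcop.net."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def system_lookup(qname):
    """Live resolver for real use: A records for qname, [] if it does not resolve."""
    try:
        return socket.gethostbyname_ex(qname)[2]
    except OSError:
        return []


def zone_health(zone, lookup):
    """Classify a zone before trusting any answer from it."""
    if lookup(dnsbl_qname(TEST_NOT_LISTED, zone)):
        return "lists-the-world"       # wildcard or hijacked zone answers for anything
    codes = lookup(dnsbl_qname(TEST_LISTED, zone))
    if not codes:
        return "dead"                  # zone no longer publishes its test entry
    if not all(ipaddress.IPv4Address(c) in LOOPBACK for c in codes):
        return "bad-return-code"       # DNSBL answers belong in 127.0.0.0/8
    return "ok"


def naive_check(ip, zones, lookup):
    """What a filter does when it trusts any positive answer."""
    return [z for z in zones if lookup(dnsbl_qname(ip, z))]


def check_sender(ip, zones, lookup):
    """Return (healthy zones that list ip, {unhealthy zone: reason})."""
    listed, skipped = [], {}
    for zone in zones:
        health = zone_health(zone, lookup)
        if health != "ok":
            skipped[zone] = health
        elif lookup(dnsbl_qname(ip, zone)):
            listed.append(zone)
    return listed, skipped


# Constructed resolver data so the example runs offline.
ZONES = ["bl.spamcop.net", "dnsrbl.net", "dead.example"]
CONSTRUCTED_RECORDS = {
    "2.0.0.127.bl.spamcop.net": ["127.0.0.2"],   # test entry present
    "25.2.0.192.bl.spamcop.net": ["127.0.0.2"],  # constructed listing (TEST-NET-1)
}


def constructed_lookup(qname):
    if qname.endswith(".dnsrbl.net"):
        return ["127.0.0.2"]           # positive answer for every name, as in the footnote
    return CONSTRUCTED_RECORDS.get(qname, [])


if __name__ == "__main__":
    sender = "202.76.106.125"          # the address discussed in the thread
    print("naive:  ", naive_check(sender, ZONES, constructed_lookup))
    print("checked:", check_sender(sender, ZONES, constructed_lookup))
```

Passing `system_lookup` instead of `constructed_lookup` runs the same health check against live zones.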
From wb8tyw at qsl.network Sun Dec 14 14:49:20 2008 From: wb8tyw at qsl.network (John Malmberg) Date: Sun Dec 14 14:50:03 2008 Subject: [Scspamcop] refuses to accept this type of report - Open relay Message-ID: http://www.spamcop.net/sc?id=z2454784676zf5217d27d153d8cfb2be612305674c3ez This report shows that the ISP is refusing to accept spamcop.net reports about their open relay on their web-mail. What incentive do they have to fix these open relay problems if spamcop only lists the input to the open relay? If an ISP is refusing reports about spam that they are relaying, then they should be listable on spamcop.net. Especially if they are relaying for an address that is not reportable to them. -John wb8tyw@qsl.network Personal Opinion Only From nobody at spamcop.net Sun Dec 14 17:02:12 2008 From: nobody at spamcop.net (bar0) Date: Sun Dec 14 17:05:03 2008 Subject: [Scspamcop] Re: refuses to accept this type of report - Open relay References: Message-ID: "John Malmberg" wrote in message news:gi3o01$ec2$1@news.spamcop.net... > http://www.spamcop.net/sc?id=z2454784676zf5217d27d153d8cfb2be612305674c3ez > > This report shows that the ISP is refusing to accept spamcop.net reports > about their open relay on their web-mail. > > What incentive do they have to fix these open relay problems if spamcop > only lists the input to the open relay? > > If an ISP is refusing reports about spam that they are relaying, then they > should be listable on spamcop.net. Especially if they are relaying for an > address that is not reportable to them. 
> > -John > wb8tyw@qsl.network > Personal Opinion Only Strange, I ran your parse and cox does seem interested in SC reports for relaying From snowbat at geocities.com Sun Dec 14 17:19:15 2008 From: snowbat at geocities.com (Snowbat) Date: Sun Dec 14 17:20:03 2008 Subject: [Scspamcop] Re: Again - truncated reporting address References: Message-ID: Problem with abuse@telehouse-ua.com http://www.spamcop.net/sc?action=rcache;ip=94.74.74.105 "whois 94.74.74.105@whois.arin.net" (Getting contact from whois.arin.net ) Redirect to ripe Display data: "whois 94.74.74.105@whois.ripe.net" (Getting contact from whois.ripe.net) whois.ripe.net found abuse contacts for 94.74.74.105 = abuse@telehouse whois: 94.74.72.0 - 94.74.79.255 = abuse@telehouse Routing details for 94.74.74.105 Using abuse net on abuse@telehouse Using best contacts abuse@telehouse <<<<<<< $ whois -h whois.ripe.net 94.74.74.105 .. inetnum: 94.74.72.0 - 94.74.79.255 netname: UMSN-NET descr: Ukrainian Multiservice Network, Ltd. .. abuse-mailbox: abuse@telehouse-ua.com From wb8tyw at qsl.network Sun Dec 14 18:59:58 2008 From: wb8tyw at qsl.network (John Malmberg) Date: Sun Dec 14 19:00:03 2008 Subject: [Scspamcop] Re: refuses to accept this type of report - Open relay In-Reply-To: References: Message-ID: bar0 wrote: > "John Malmberg" wrote in message > news:gi3o01$ec2$1@news.spamcop.net... >> http://www.spamcop.net/sc?id=z2454784676zf5217d27d153d8cfb2be612305674c3ez >> >> This report shows that the ISP is refusing to accept spamcop.net reports >> about their open relay on their web-mail. >> >> What incentive do they have to fix these open relay problems if spamcop >> only lists the input to the open relay? >> >> If an ISP is refusing reports about spam that they are relaying, then they >> should be listable on spamcop.net. Especially if they are relaying for an >> address that is not reportable to them.
>> >> -John >> wb8tyw@qsl.network >> Personal Opinion Only > > Strange, I ran your parse and cox does seem interested in SC reports for > relaying I just re-ran it and the reports were still being sent to the devnull.spamcop.net address pool. See the tracker section for "Reports regarding this spam have already been sent". It shows this. -John Personal Opinion Only From MikeE at ster.invalid Sun Dec 14 20:04:22 2008 From: MikeE at ster.invalid (Mike Easter) Date: Sun Dec 14 20:05:04 2008 Subject: [Scspamcop] Re: refuses to accept this type of report - Open relay References: Message-ID: John Malmberg wrote: www.spamcop.net/sc?id=z2454784676zf5217d27d153d8cfb2be612305674c3ez > > This report shows that the ISP is refusing to accept spamcop.net reports > about their open relay on their web-mail. > > What incentive do they have to fix these open relay problems if spamcop > only lists the input to the open relay? > > If an ISP is refusing reports about spam that they are relaying, then > they should be listable on spamcop.net. Especially if they are relaying > for an address that is not reportable to them. There are several different concepts afoot here. First, SC is not an open relay listing service and the algo is configured to avoid/prevent any listings of open relay by design. The algo is listed to temporarily 'be suspicious' of an open relay and send the IP of the suspicious relay to the relay testers, which historically were an important blocklisting function. Then, once SC became familiar with/ came to recognize/ a relay as a relay server, regardless of whether it was an open relay or not, the relay was 'trusted' to be a relay -- which means that the algo was configured to chain thru' the open relay to the source behind it. Any particular provider of a relay could request to be SC notified of its relaying status, or any particular provider could request to not be notified of its status as relay, spamvertiser provider, or source provider.
In any case, the algo and the SCbl were both 'designed' - or configured by design - to not blocklist any relays at all, because blocklisting relay servers has a lot of fallout - collateral damage - by blocklisting the legitimate mail from those relays. So, if it should ever come to pass that a server is getting itself blocklisted by the SC reporters feed and the algo's parse, then a deputy is going to 'personally'/manually handle the parsing algo to trust the server to be a server and not be blocklisted -- unless in the greater scheme of things a deputy wants to choose to 'untrust' a relaying server, which would have the consequence of leading to the server getting itself blocklisted with the resultant collateral damage to the innocent goodmailers. In this case, in looking at the tracker's reports; the cox servers were being 'identified' as intermediaries, not sources, and the 'option' to notify the intermediary/relay provider was being devnulled. Cox doesn't want to hear about it and spamcop doesn't want to notify anyone who doesn't want to hear about it and SC doesn't want to list a relay which is not a source and SC doesn't want server collateral damage. Your idea of taking revenge on a provider who doesn't want to be SC notified of being a relay/intermediary isn't going to fly, based on the concepts above. -- Mike Easter kibitzer, not SC admin From wb8tyw at qsl.network Mon Dec 15 02:13:17 2008 From: wb8tyw at qsl.network (John Malmberg) Date: Mon Dec 15 02:15:04 2008 Subject: [Scspamcop] Re: refuses to accept this type of report - Open relay In-Reply-To: References: Message-ID: Mike Easter wrote: > John Malmberg wrote: > www.spamcop.net/sc?id=z2454784676zf5217d27d153d8cfb2be612305674c3ez >> This report shows that the ISP is refusing to accept spamcop.net reports >> about their open relay on their web-mail. 
>> > > Your idea of taking revenge on a provider who doesn't want to be SC > notified of being a relay/intermediary isn't going to fly, based on the > concepts above. It is not a concept of revenge, just protection. The most common use of a blocking list is on the I.P. address that the receiving mail server gets the message from. In the case where a provider is refusing reports about their open relay, the provider customers will also suffer because of other networks will stop accepting their e-mail, so refusing spamcop.net reports about their open relay is not a good idea for them. And this is independent of any action that spamcop.net would do. At my former ISP - they had an internal news group, and after incidents of spam or viruses relayed through their main mail servers, users quickly started posting about at least 2 major networks that stop accepting all e-mail from those specific relays. From the reports I saw, it could take up to 24 hours for that to get those blocks removed. I suspect that these ISPs set these notifications on the assumption that the spam source was on their network, because when the spam source is actually on their network they get notified. This indicates that when the ISP gets no notification of their open relay, it is an error in the logic of how the system was set up, and should be corrected. -John wb8tyw@qsl.network Personal Opinion Only From nobody at spamcop.net Mon Dec 15 07:05:21 2008 From: nobody at spamcop.net (Ellen) Date: Mon Dec 15 08:00:04 2008 Subject: [Scspamcop] Re: refuses to accept this type of report - Open relay In-Reply-To: References: Message-ID: John Malmberg wrote: > http://www.spamcop.net/sc?id=z2454784676zf5217d27d153d8cfb2be612305674c3ez > > This report shows that the ISP is refusing to accept spamcop.net reports > about their open relay on their web-mail. > > What incentive do they have to fix these open relay problems if spamcop > only lists the input to the open relay? 
> > If an ISP is refusing reports about spam that they are relaying, then > they should be listable on spamcop.net. Especially if they are relaying > for an address that is not reportable to them. > > -John > wb8tyw@qsl.network > Personal Opinion Only It's not an open relay. When you have mailhosts *and* IPs are trusted to be ISP mailservers, then the system will generate the "relaying" reports for those trusted mailservers. Some ISPs want them and some don't. The system is finding the source of the spam correctly. Ellen SpamCop From nobody at spamcop.net Mon Dec 15 10:03:17 2008 From: nobody at spamcop.net (Ellen) Date: Mon Dec 15 10:10:03 2008 Subject: [Scspamcop] Maintenance Friday Dec 19, 2008 Message-ID: Planned Maintenance Window - Friday, Dec. 19, 2008 6PM PST Scheduled server maintenance and upgrades will be taking place Dec 19, 2008 18:00 (-0800) for a period of approximately 4 hours During this time the SpamCop Reporting Service website will be in maintenance mode. Emailed spam submissions will be accepted, but processing will be delayed during the maintenance process. This will not affect the SpamCop/CESmail email service, newsgroups or forums. Ellen SpamCop f/u spamcop From wb8tyw at qsl.network Mon Dec 15 10:41:37 2008 From: wb8tyw at qsl.network (John Malmberg) Date: Mon Dec 15 10:45:03 2008 Subject: [Scspamcop] Re: refuses to accept this type of report - Open relay In-Reply-To: References: Message-ID: Ellen wrote: > John Malmberg wrote: >> http://www.spamcop.net/sc?id=z2454784676zf5217d27d153d8cfb2be612305674c3ez >> >> >> This report shows that the ISP is refusing to accept spamcop.net >> reports about their open relay on their web-mail. >> >> What incentive do they have to fix these open relay problems if >> spamcop only lists the input to the open relay? >> >> If an ISP is refusing reports about spam that they are relaying, then >> they should be listable on spamcop.net. 
Especially if they are >> relaying for an address that is not reportable to them. > > It's not an open relay. When you have mailhosts *and* IPs are trusted to > be ISP mailservers, then the system will generate the "relaying" reports > for those trusted mailservers. Some ISPs want them and some don't. The > system is finding the source of the spam correctly. It is effectively an open relay due to an account being compromised on the web mail server, and as long as the ISP does not get notified and fix the issue, the spammers have free run all the ISP's e-mail servers. It is not one of my mailhosts, so mailhosts should not have anything to do with it. As I pointed out in my previous post, it looks like the ISP that requested not to be notified is erroneously assuming that their relays will never relay for I.P. addresses not on their network. They appear to have forgotten about their web mail interface. They also appear to have not secured their web mail interface from allowing Nigerian 419 scammers to easily use it as a relay. They need to be putting in a delay/rate limiter on the web mail system to catch these security breaches. I have noticed that when the spam originates on the network of an ISP that has requested not to be notified about their relays, those ISPs get notified of the source, but not their relays, so it looks like this setting was intended to avoid them getting duplicate reports for the same incident. I do not think this system is working the way that the ISPs or spamcop intended when the ISP has a method of relaying for I.P. addresses that are not its own. In that case the ISP only gets notified of their security breach when they show up on other blocking lists, or they get a manual lart. 
-John wb8tyw@qsl.network Personal Opinion Only From MikeE at ster.invalid Mon Dec 15 11:40:48 2008 From: MikeE at ster.invalid (Mike Easter) Date: Mon Dec 15 11:45:03 2008 Subject: [Scspamcop] Re: refuses to accept this type of report - Open relay References: Message-ID: John Malmberg wrote: > Ellen wrote: >> It's not an open relay. > It is effectively an open relay due to an account being compromised on > the web mail server, You can manually notify cox if you are a free reporter or additionally notify them if you are a spamcop reporter. abuse@cox.net - maybe they will squash or admonish the rachellelash@cox.net account. Or you could call her up and tell her yourself, she edits the Old Mission Montessori newsletter "please contact Rachelle or Jon Lash at rachellelash@cox.net or 231-1289." from the newsletter .pdf OMM is in Oceanside CA which is 760 areacode, but that 231 prefix telno looks like a 619 area code which is a different part of San Diego county. -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Mon Dec 15 12:18:31 2008 From: nobody at spamcop.net (Ellen) Date: Mon Dec 15 12:20:03 2008 Subject: [Scspamcop] Re: refuses to accept this type of report - Open relay In-Reply-To: References: Message-ID: John Malmberg wrote: > Ellen wrote: >> >> It's not an open relay. When you have mailhosts *and* IPs are trusted >> to be ISP mailservers, then the system will generate the "relaying" >> reports for those trusted mailservers. Some ISPs want them and some >> don't. The system is finding the source of the spam correctly. > > It is effectively an open relay due to an account being compromised on > the web mail server, and as long as the ISP does not get notified and > fix the issue, the spammers have free run all the ISP's e-mail servers. Not for the generally accepted definition of open relay. > > It is not one of my mailhosts, so mailhosts should not have anything to > do with it. 
Please read what I said and not the * around the word *and* which I specifically put there to indicate that the two conditions have to be met -- the account parsing the spam has mailhosts *and* there are IPs in received headers that are trusted to be ISP mailservers. > > As I pointed out in my previous post, it looks like the ISP that > requested not to be notified is erroneously assuming that their relays > will never relay for I.P. addresses not on their network. They appear > to have forgotten about their web mail interface. I don't think they have forgotten about it. However it has always been the SpamCop way to allow anyone to refuse SpamCop reports either completely or selectively and Cox has chosen to not get the relaying reports. > > They also appear to have not secured their web mail interface from > allowing Nigerian 419 scammers to easily use it as a relay. They need > to be putting in a delay/rate limiter on the web mail system to catch > these security breaches. I would suspect it is a cracked/hacked account. I have no idea what rate limiting or other outbound controls they have in place -- I also have no idea how many 419's are being sent from the account. > I have noticed that when the spam originates on the network of an ISP > that has requested not to be notified about their relays, those ISPs get > notified of the source, but not their relays, so it looks like this > setting was intended to avoid them getting duplicate reports for the > same incident. > > I do not think this system is working the way that the ISPs or spamcop > intended when the ISP has a method of relaying for I.P. addresses that > are not its own. All the major webmail providers include the connecting IP and that is who we notify. The idea being that the closer you get to the actual infected machine the more likely it is to get fixed. Neither solution is ideal but this is the one that seems to work better. 
None of this is to say that you shouldn't drop a note directly to abuse@cox -- they do read their abuse mailbox as far as I know. Ellen SpamCop From wb8tyw at qsl.network Tue Dec 16 00:23:56 2008 From: wb8tyw at qsl.network (John Malmberg) Date: Tue Dec 16 00:25:04 2008 Subject: [Scspamcop] Re: refuses to accept this type of report - Open relay In-Reply-To: References: Message-ID: Ellen wrote: > John Malmberg wrote: >> Ellen wrote: > >> >> I do not think this system is working the way that the ISPs or spamcop >> intended when the ISP has a method of relaying for I.P. addresses that >> are not its own. > > All the major webmail providers include the connecting IP and that is > who we notify. The idea being that the closer you get to the actual > infected machine the more likely it is to get fixed. Neither solution is > ideal but this is the one that seems to work better. > > None of this is to say that you shouldn't drop a note directly to > abuse@cox -- they do read their abuse mailbox as far as I know. I did drop a note directly to abuse@cox at the same time I filed the spamcop.net report, and also pointed out that by refusing these types of reports, that they are probably delaying getting important reports about security problems on their network. When an ISP is refusing such reports, it makes them look bad to people, including potential customers. It looks like they do not care about such problems unless it causes their mail relays to be blocked. I know that you may not be able to change such things, but I also know that sometimes ISP support people monitor these forums, and some of them may be able to effect a fix. 
-John wb8tyw@qsl.network Personal Opinion Only From wb8tyw at qsl.network Tue Dec 16 00:29:27 2008 From: wb8tyw at qsl.network (John Malmberg) Date: Tue Dec 16 00:30:02 2008 Subject: [Scspamcop] Re: refuses to accept this type of report - Open relay In-Reply-To: References: Message-ID: Mike Easter wrote: > John Malmberg wrote: >> Ellen wrote: > >>> It's not an open relay. > >> It is effectively an open relay due to an account being compromised on >> the web mail server, > > You can manually notify cox if you are a free reporter or additionally > notify them if you are a spamcop reporter. Manual lart was sent at the same time as the original report. > abuse@cox.net - maybe they will squash or admonish the > rachellelash@cox.net account. > > Or you could call her up and tell her yourself, she edits the Old Mission > Montessori newsletter "please contact Rachelle or Jon Lash at > rachellelash@cox.net or 231-1289." from the newsletter .pdf > > OMM is in Oceanside CA which is 760 areacode, but that 231 prefix telno > looks like a 619 area code which is a different part of San Diego county. I do not have the time to do that myself, however it may make an interesting article for her to publish where she can point out things like: When did cox notify her that criminals had taken over her e-mail account with access to her personal e-mails? Or did she find out from someone seeing this thread? Does she have any idea of how the criminals got access to her e-mail? Did she have a weak password, did someone fall for a phish, or did malware get into one of her computers? Did she access her e-mail from a public computer?
-John wb8tyw@qsl.network Personal Opinion Only From MikeE at ster.invalid Tue Dec 16 10:04:00 2008 From: MikeE at ster.invalid (Mike Easter) Date: Tue Dec 16 10:05:04 2008 Subject: [Scspamcop] Re: refuses to accept this type of report - Open relay References: Message-ID: John Malmberg wrote: > When did cox notify her that criminals had taken over her e-mail account > with access to her personal e-mails? I'm the one that believes that it should be against the 'law'/rules - subject to fines and/or loss of license - to 'transmit' unlicensed traffic over the internet. ISPs, intermediates, & backbones all have to be licensed by some international body, similar to the international bodies which regulate radio transmissions in the air. Then there would be a 'hammer' on the ISPs, which hammer would actually be administered by the intermediates and backbones, because the intermediates could be fined or lose their internet license privileges for carrying any unlicensed traffic of the ISP. This would force the ISP to enforce remedying of problems with their network. The client isn't allowed to be a bot by the ISP and the ISP is subject to fines or loss of license for carrying the traffic on its network and its upstreams have to enforce the rules against unlicensed traffic or they are subject to fining themselves. Bots are a national security problem. The ISPs have to clean them up. -- Mike Easter kibitzer, not SC admin From tmcgraw at spamcop.net Tue Dec 16 13:25:57 2008 From: tmcgraw at spamcop.net (Tim McGraw) Date: Tue Dec 16 13:30:03 2008 Subject: [Scspamcop] Re: refuses to accept this type of report - Open relay In-Reply-To: References: Message-ID: Mike Easter wrote: > I'm the one that believes that it should be against the 'law'/rules - > subject to fines and/or loss of license - to 'transmit' unlicensed traffic > over the internet. 
ISPs, intermediates, & backbones all have to be > licensed by some international body, similar to the international bodies > which regulate radio transmissions in the air. There is no international body that regulates /commercial/ radio transmissions. There are also "pirate" radio stations that have been operating for years if not decades. > Bots are a national security problem. The ISPs have to clean them up. For all you or I know, the US NSA already tracks bots in order to follow international crime. From MikeE at ster.invalid Tue Dec 16 13:58:16 2008 From: MikeE at ster.invalid (Mike Easter) Date: Tue Dec 16 14:00:04 2008 Subject: [Scspamcop] Re: refuses to accept this type of report - Open relay References: Message-ID: Tim McGraw wrote: > Mike Easter wrote: >> I'm the one that believes that it should be against the 'law'/rules - >> subject to fines and/or loss of license - to 'transmit' unlicensed >> traffic over the internet. ISPs, intermediates, & backbones all have >> to be licensed by some international body, similar to the >> international bodies which regulate radio transmissions in the air. > > There is no international body that regulates /commercial/ radio > transmissions. There are also "pirate" radio stations that have been > operating for years if not decades. There is cooperation between the various agencies in the US, FAA, DoD, NAS natlairspacesyst, FCC, and with their corresponding agencies all over the world. A US private pilot has to have a license to transmit on the freq/s associated with aviation, ground control, tower, clearance and approach control and so forth. Private pilots in other countries are managed similarly, to say nothing of the international cooperation for 'approving' commercial pilots (and aircraft) usage of airwaves and airspace. That's why the commercial aircraft and pilots of some countries are not allowed to use the US airspace and airports. 
Internationally, the non-US agencies cooperate thru' national civil aviation authorities, military authorities, and air navigation service providers including how that affects the licensing of those who would use the approved radio frequencies. The airwaves are not used willy-nilly by unlicensed airwave traffic. There is not one central agency which makes all of the airwave rules for the world. Even if there were, there would still be pirates. -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Tue Dec 16 15:21:22 2008 From: nobody at spamcop.net (bar0) Date: Tue Dec 16 15:25:03 2008 Subject: [Scspamcop] Re: refuses to accept this type of report - Open relay References: Message-ID: "Tim McGraw" wrote in message news:gi8rrl$al2$1@news.spamcop.net... > Mike Easter wrote: .... >> Bots are a national security problem. The ISPs have to clean them up. > > For all you or I know, the US NSA already tracks bots in order to follow > international crime. I like that sentence. Could you be implying that NSA are wannabe criminals? Anyway I love all these theories of why scammers are allowed to continue operating week after week, month after month, and occams razor suggests: 1) There is insufficient political capital to be made by going after these sorts of crime in a serious way. 2) Allocation of insufficient resources, (and do we really want a police state?). 3) Victims oughtta know better. From tmcgraw at spamcop.net Tue Dec 16 15:42:24 2008 From: tmcgraw at spamcop.net (Tim McGraw) Date: Tue Dec 16 15:45:02 2008 Subject: [Scspamcop] Re: refuses to accept this type of report - Open relay In-Reply-To: References: Message-ID: Mike Easter wrote: > Tim McGraw wrote: >> Mike Easter wrote: >>> ISPs, intermediates, & backbones all have to be licensed by some international body, similar to the international bodies which regulate radio transmissions in the air. >> There is no international body that regulates /commercial/ radio >> transmissions.
There are also "pirate" radio stations that have been >> operating for years if not decades. > There is not one central agency which makes all of the airwave rules for > the world. Even if there were, there would still be pirates. So even if there were "some international body" that licensed "ISPs, intermediates, & backbones" there would still be spammers. What's the point? I'd rather keep government (and any quasi-governmental international agency) out of the mix altogether. It's begging for censorship. There are consequences to living in a free society. From MikeE at ster.invalid Tue Dec 16 15:59:28 2008 From: MikeE at ster.invalid (Mike Easter) Date: Tue Dec 16 16:00:04 2008 Subject: [Scspamcop] Re: refuses to accept this type of report - Open relay References: Message-ID: Tim McGraw wrote: > Mike Easter wrote: >> There is not one central agency which makes all of the airwave rules >> for the world. Even if there were, there would still be pirates. > > So even if there were "some international body" that licensed "ISPs, > intermediates, & backbones" there would still be spammers. Much much less. And the spam isn't the biggest problem from the botnets which can attack and extort large operations both public and private. If ISPs and their upstreams were licensed, there would be more power to get them to self regulate and the botnets would be but a shadow of their current selves. > What's the point? I'd rather keep government (and any quasi-governmental > international agency) out of the mix altogether. It's begging for > censorship. There are consequences to living in a free society. The botnets are a problem caused by the lack of 'self discipline' of the ISPs. If the ISPs can't adequately self discipline, then there needs to be more oversight to help them. The internet is more like a public utility than a private enterprise. Public utilities, which are privately owned and operated, are overseen by the regulatory processes and bodies for such utilities.
-- Mike Easter kibitzer, not SC admin From bert at iphouse.com Wed Dec 17 09:16:59 2008 From: bert at iphouse.com (Bert Hyman) Date: Wed Dec 17 09:20:03 2008 Subject: [Scspamcop] The MySQL server is not running ... Message-ID: Wednesday, Dec 17 @ 14:15Z Tried to submit http://www.spamcop.net/sc?id=z2461438727ze3d3c58d07c749b0855dc55b264c6b5fz and got this: putRow The MySQL server is running with the --read-only option so it cannot execute this statement (1290)/sc? putRow The MySQL server is running with the --read-only option so it cannot execute this statement (1290)/sc? putRow The MySQL server is running with the --read-only option so it cannot execute this statement (1290)/sc? Sorry, failed to get reportid from database, will not send. Repeated three more times. -- Bert Hyman St. Paul, MN bert@iphouse.com From nobody at spamcop.net Wed Dec 17 09:52:16 2008 From: nobody at spamcop.net (bar0) Date: Wed Dec 17 09:55:03 2008 Subject: [Scspamcop] Re: The MySQL server is not running ... References: Message-ID: "Bert Hyman" wrote in message news:Xns9B7754429CCEVeebleFetzer@216.154.195.61... > Wednesday, Dec 17 @ 14:15Z > > Tried to submit > > http://www.spamcop.net/sc?id=z2461438727ze3d3c58d07c749b0855dc55b264c6b5fz > > and got this: > > putRow The MySQL server is running with the --read-only option so it > cannot execute this statement (1290)/sc? > putRow The MySQL server is running with the --read-only option so it > cannot execute this statement (1290)/sc? > putRow The MySQL server is running with the --read-only option so it > cannot execute this statement (1290)/sc? > Sorry, failed to get reportid from database, will not send. > > Repeated three more times. > > -- > Bert Hyman St. 
> Paul, MN bert@iphouse.com

just try again a little later, I've been seeing off and on problems and delays in the reporting system since yesterday afternoon (CST)

From MikeE at ster.invalid Wed Dec 17 10:45:12 2008
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Dec 17 10:45:05 2008
Subject: [Scspamcop] Re: The MySQL server is not running ...
References:
Message-ID:

bar0 wrote:
> "Bert Hyman"
>> cannot execute this statement (1290)/sc?
> just try again a little later, I've been seeing off and on problems and
> delays in the reporting system since yesterday afternoon (CST)

Perhaps that is one of the reasons for the scheduled maintenance for the reporting system Fri evening PST; Sat 02:00 UTC for anticipated 4h.

--
Mike Easter
kibitzer, not SC admin

From bert at iphouse.com Wed Dec 17 11:19:11 2008
From: bert at iphouse.com (Bert Hyman)
Date: Wed Dec 17 11:20:02 2008
Subject: [Scspamcop] Re: The MySQL server is not running ...
References:
Message-ID:

In news:gib3n7$b9i$1@news.spamcop.net "bar0" wrote:
> "Bert Hyman" wrote in message
> news:Xns9B7754429CCEVeebleFetzer@216.154.195.61...
>
>> Wednesday, Dec 17 @ 14:15Z
>> ...
>> Sorry, failed to get reportid from database, will not send.
>>
>> Repeated three more times.
>
> just try again a little later, I've been seeing off and on problems
> and delays in the reporting system since yesterday afternoon (CST)

Seems to be OK now.

--
Bert Hyman St. Paul, MN bert@iphouse.com

From nobody at devnull.spamcop.net Wed Dec 17 11:32:27 2008
From: nobody at devnull.spamcop.net (Twayne)
Date: Wed Dec 17 11:35:03 2008
Subject: [Scspamcop] Re: refuses to accept this type of report - Open relay
References:
Message-ID:

> "Tim McGraw" wrote in message
> news:gi8rrl$al2$1@news.spamcop.net...
>> Mike Easter wrote:
> ....
>>> Bots are a national security problem. The ISPs have to clean them
>>> up.
>>
>> For all you or I know, the US NSA already tracks bots in order to
>> follow international crime.
>
> I like that sentence.
> Could you be implying that NSA are wannabe
> criminals?
> Anyway I love all these theories of why scammers are allowed to
> continue operating week after week, month after month, and Occam's
> razor suggests:
> 1) There is insufficient political capital to be made by going after
> these sorts of crime in a serious way.
>
> 2) Allocation of insufficient resources, (and do we really want a
> police state?).
>
> 3) Victims oughtta know better.

I think a big part of the problem, really, is people don't know when they've been zombied. There's no easy way I've ever come across to describe to the uninitiated how to know if they have been zombied. For whatever reason, there isn't a lot of education around about it.

I'd like to think I'd discover it almost in an instant if it happened to me, but ... never having had the problem and not intending to purposely get the problem, much of it remains a mystery to me. I don't even know what kind, if any, of malware detector might see a zombied footprint on a machine.

With all the zombies that are out there, it must not be overly easy to discover for the inexperienced.

Twayne

From nobody at spamcop.net Wed Dec 17 12:30:26 2008
From: nobody at spamcop.net (Ellen)
Date: Wed Dec 17 12:35:03 2008
Subject: [Scspamcop] Re: The MySQL server is not running ...
In-Reply-To:
References:
Message-ID:

Bert Hyman wrote:
> Wednesday, Dec 17 @ 14:15Z
>
> Tried to submit
>
> http://www.spamcop.net/sc?id=z2461438727ze3d3c58d07c749b0855dc55b264c6b5fz
>
> and got this:
>
> putRow The MySQL server is running with the --read-only option so it cannot execute this statement (1290)/sc?
> putRow The MySQL server is running with the --read-only option so it cannot execute this statement (1290)/sc?
> putRow The MySQL server is running with the --read-only option so it cannot execute this statement (1290)/sc?
> Sorry, failed to get reportid from database, will not send.
>
> Repeated three more times.
>

Thanks -- operations is working on the problem and has been for a couple of hours. Appreciate your reporting it!

Ellen
SpamCop

From MikeE at ster.invalid Wed Dec 17 12:44:04 2008
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Dec 17 12:45:03 2008
Subject: [Scspamcop] Re: refuses to accept this type of report - Open relay
References:
Message-ID:

Twayne wrote:
> I think a big part of the problem, really, is people don't know when
> they've been zombied.

... for some value of 'people'.

Should the 'basic' people be considered to be someone who bought a computer in the not too distant past with MS XP installed along with OEM bloatware and its insecurities which has some kind of standard 'default' install and configuration of the browser and mail user agent and software firewall? That would be IE version say 6 and OE and no (software) firewall (or maybe XP's with holes poked in it) and no router.

Then that basic person proceeds to surf and 'enjoy their internet experience' which means allowing all kinds of webpage insecurities to unfold with adware, spyware, and zombifiers executing -- because the normal presumed 'healthy' popular webpages with useful content are riddled with advertiser tricks and gimmicks to take advantage of the user's insecurities for the advertisers' benefit.

That basic person also gets spam and reads spamsubjects and opens some of their spam and even clicks on the occasional spamlink. The spam they hate is the spam more than they want to look at and/but the spam they are interested in is OK/acceptable.

> There's no easy way I've ever come across to
> describe to the uninitiated how to know if they have been zombied. For
> whatever reason, there isn't a lot of education around about it.
> I'd like to think I'd discover it almost in an instant if it happened
> to me, but ... never having had the problem and not intending to
> purposely get the problem, much of it remains a mystery to me.
> I don't
> even know what kind, if any, of malware detector might see a zombied
> footprint on a machine.
> With all the zombies that are out there, it must not be overly easy
> to discover for the inexperienced.

All of these zombied users are being enabled to function as zombies by the dint of their provider giving those zombied machines access to its networks and thus the internet.

Many long years ago, RR roadrunner proactively monitored their networks for various types of network activity which would include zombie behavior and proactively contacted those zombies insisting that they de-zombie or be disconnected, and then disconnected the ones who couldn't get fixed.

A few less years ago, EL earthlink offered a de-zombie and general cleanup service for a price, but didn't proactively identify those who needed it for those zombies.

My idea in between the years I saw RR proactive and when I saw EL offer its service was that a provider should 'structure' a pay answer for the zombie and then proactively identify the zombies and disconnect those zombies until such time that the pay structure approved them to go online again. The paid dezombie structure could be integral to the provider or a private enterprise approved by the provider.

Providers need to do a really lot about this problem. It is the responsibility of the provider, because the zombied user is using the provider's 'stuff' to do its zombie thing. So, the providers are in a sense manning the zombie armies.

--
Mike Easter
kibitzer, not SC admin

From nobody at spamcop.net Wed Dec 17 19:25:42 2008
From: nobody at spamcop.net (RW)
Date: Wed Dec 17 19:30:04 2008
Subject: [Scspamcop] Server Maintenance - Thursday, Dec. 20, 2008
Message-ID:

I might as well post the latest that came up today, since I just updated the news page.

Planned Maintenance Window - Thursday, Dec. 20, 2008 3:00PM PST

Scheduled server maintenance and upgrades will be taking place Thursday, December 18, 2008, starting at 3:00pm Pacific Standard Time. During this time the SpamCop Reporting Service website may not be available for short periods of time. All work is expected to be completed within one hour. Emailed spam submissions will be accepted, but processing will be delayed during the maintenance process.

This will not affect the SpamCop/CESmail email service, newsgroups or forums.

Richard

From nobody at spamcop.net Wed Dec 17 19:26:46 2008
From: nobody at spamcop.net (RW)
Date: Wed Dec 17 19:30:05 2008
Subject: [Scspamcop] Re: Server Maintenance - Thursday, Dec. 18, 2008
In-Reply-To:
References:
Message-ID:

Let's correct that to December 18....

RW wrote:
> I might as well post the latest that came up today, since I just updated
> the news page.
>
> Planned Maintenance Window - Thursday, Dec. 18, 2008 3:00PM PST
>
> Scheduled server maintenance and upgrades will be taking place Thursday,
> December 18, 2008, starting at 3:00pm Pacific Standard Time. During this
> time the SpamCop Reporting Service website may not be available for
> short periods of time. All work is expected to be completed within one
> hour. Emailed spam submissions will be accepted, but processing will be
> delayed during the maintenance process.
>
> This will not affect the SpamCop/CESmail email service, newsgroups or
> forums.
>
> Richard

From nobody at devnull.spamcop.net Wed Dec 17 20:53:48 2008
From: nobody at devnull.spamcop.net (Twayne)
Date: Wed Dec 17 20:55:03 2008
Subject: [Scspamcop] Re: refuses to accept this type of report - Open relay
References:
Message-ID:

Mike E wrote:
> Twayne wrote:
>
>> I think a big part of the problem, really, is people don't know when
>> they've been zombied.
>
> ... for some value of 'people'.
>
> Should the 'basic' people be considered to be someone who bought a
> computer in the not too distant past with MS XP installed along with
> OEM bloatware and its insecurities which has some kind of standard
> 'default' install and...

Not only did you say a mouthful there, but it's a huge can of worms, too! I've found the "not too distant past" to be measured in years in more cases than I'd like to keep track of. I have a niece-in-law that still simply goes out and buys another machine whenever she gets to the point where an OS install is in order; she figures they're just plain broken and a new one won't have such problems. Gak!

I've had other people ask me to get rid of all the "crap" on their machines for them. Like, well, useless things like firewall messages, AV alerts, things I can not imagine how they remained ignorant of for SO long! You could be God, and any advice they got would go in one ear and out the other! They actually give credence to the old joke about "where's the any-key?", I swear.

You can't even tell them to RTFM because the manuals don't mention any of those things; so even if they do read their documentation, they're missing 80% of what they need to do on the 'net. And a lot of them aren't going to learn, either, because they don't go anywhere where the real information might be about the real world. An e-mail still looks mighty professional and real to them.

>
> Then that basic person proceeds to surf and 'enjoy their internet
> experience' which means allowing all kinds of webpage insecurities to
> ...

And with the advances in social engineering already making the spam/scam rounds, they haven't got a chance in hell to accurately figure anything out on their own. I've seen a few pretty convincing looking PayPal and even Gvt agency phish spams that I imagine high percentages of people are falling for.
I even got sucked into one myself awhile back: I asked my sister where she got her DTV decoders from and she gave me a decent enough looking link to a local TV station. I used it, it looked fine, gave them my name, address, email & all that & it wasn't until the very last page, the "thank you" page that I realized I had just been suckered. It WAS a good link when my sister used it; but it sure isn't now! I've been getting a steady stream of about 30 spams/day ever since then. Reporting them isn't having any effect at all on them, so now I'm taking them on one at a time and complaining with prejudice via my own manual mails, but ... it's only made a tiny crack in the flow. Worst part is, they're all from the same place!! onx.com or onyx.com or some other aberration of the same name takes care of over 50% of them! I might have finally been forced to delete & create a new address if that one doesn't start to reduce traffic soon.

...
> All of these zombied users are being enabled to function as zombies
> by the dint of their provider giving those zombied machines access to
> its networks and thus the internet.

101% agreed!! The ISPs could stop them in their tracks if they wanted to, and all the excuses about cost, time and manpower are just so much BS in my opinion! It doesn't take that long to create a monitor to spot a zombie at work and it's a 1 time action. The "fix it or lose access" memos can also be automated, along with actually blocking off the account for a period of time. I just do not buy their excuses and am at a complete loss as to how otherwise good ISPs can just sit back and ignore that crap. Hell, if ISPs wanted to they could almost put a stop to spam overnight, too, by enforcing already existing RFC rules and procedures. They just do not want to.

...
>
> Providers need to do a really lot about this problem. It is the
> responsibility of the provider, because the zombied user is using the
> provider's 'stuff' to do its zombie thing.
> So, the providers are in a
> sense manning the zombie armies.

AB-SO-LUTELY! But who besides you, myself and the other participants knows that? TV never mentions it, radio never does either, nor newspapers or any of the non-techie media, and even the techie media glosses over most of it unless there is some big PR advantage they can work it into.

So, the reality is, IMO and unfortunately, that it's up to the user to protect themselves; their ISPs aren't going to do their jobs, so someone has to.

And that brings it all back to: How does a USER know if their machine has been zombied? By "user" I mean users in general; people who actually only use their machines but know nothing about them and have no wish to know. To get their interest, it's going to take simplicity and convincing. And in their circles. How long do you think it would take even you to notice that your machine had been zombied?

And I have yet another question, actually: How/why is it we never hear complaints about an innocent bystander having their accounts closed for spamming?

If a normal user's machine with maybe a total of 15 emails/week suddenly spews 10,000 messages that week, why don't any of them lose their accounts for spamming reports? For that to happen it would have to mean that almost NO ISP ever bothers with reacting to spammers on their networks, but that's not the case. I don't think! I know some who at least claim and appear to react to spamming from their networks. So why don't we hear about the innocent bystanders, the collateral damage to killing off a zombie! Pretty surely because it's not happening. And if it's not happening, the most logical conclusion then is that there actually are NOT any massive number of zombies out there. ?? You tell me and we'll both know!

I can feel it coming; I think I'm about to become obsessed with zombies for awhile.
I've never done anything but trivial research; maybe it's time to get more serious about it, at least to satisfy myself that it really IS a problem and to know HOW to determine whether a machine is slow because it's a zombie or just compromised, or ... ??

Cheers,

Twayne

From mr206 at spamtrackers.eu Thu Dec 18 21:23:22 2008
From: mr206 at spamtrackers.eu (mr206)
Date: Thu Dec 18 21:25:03 2008
Subject: [Scspamcop] Re: refuses to accept this type of report - Open relay
In-Reply-To:
References:
Message-ID:

Twayne wrote:
> Mike E wrote:
>
>> Twayne wrote:
>>
>>> I think a big part of the problem, really, is people don't know when
>>> they've been zombied.
>> ... for some value of 'people'.
>>
>> Should the 'basic' people be considered to be someone who bought a
>> computer in the not too distant past with MS XP installed along with
>> OEM bloatware and its insecurities which has some kind of standard
>> 'default' install and...
>
> Not only did you say a mouthful there, but it's a huge can of worms,
> too! I've found the "not too distant past" to be measured in years in
> more cases than I'd like to keep track of. I have a niece-in-law that
> still simply goes out and buys another machine whenever she gets to the
> point where an OS install is in order; she figures they're just plain
> broken and a new one won't have such problems. Gak!
> I've had other people ask me to get rid of all the "crap" on their
> machines for them. Like, well, useless things like firewall messages,
> AV alerts, things I can not imagine how they remained ignorant of for SO
> long! You could be God, and any advice they got would go in one ear and
> out the other! They actually give credence to the old joke about
> "where's the any-key?", I swear.
> You can't even tell them to RTFM because the manuals don't mention
> any of those things; so even if they do read their documentation,
> they're missing 80% of what they need to do on the 'net.
> And a lot of
> them aren't going to learn, either, because they don't go anywhere where
> the real information might be about the real world. An e-mail still
> looks mighty professional and real to them.
>
>> Then that basic person proceeds to surf and 'enjoy their internet
>> experience' which means allowing all kinds of webpage insecurities to
>> ...
>
> And with the advances in social engineering already making the spam/scam
> rounds, they haven't got a chance in hell to accurately figure anything
> out on their own. I've seen a few pretty convincing looking PayPal and
> even Gvt agency phish spams that I imagine high percentages of people are
> falling for.
> I even got sucked into one myself awhile back: I asked my sister
> where she got her DTV decoders from and she gave me a decent enough
> looking link to a local TV station. I used it, it looked fine, gave
> them my name, address, email & all that & it wasn't until the very last
> page, the "thank you" page that I realized I had just been suckered. It
> WAS a good link when my sister used it; but it sure isn't now! I've
> been getting a steady stream of about 30 spams/day ever since then.
> Reporting them isn't having any effect at all on them, so now I'm taking
> them on one at a time and complaining with prejudice via my own manual
> mails, but ... it's only made a tiny crack in the flow. Worst part is,
> they're all from the same place!! onx.com or onyx.com or some other
> aberration of the same name takes care of over 50% of them! I might
> have finally been forced to delete & create a new address if that one
> doesn't start to reduce traffic soon.
>
> ...
>
>> All of these zombied users are being enabled to function as zombies
>> by the dint of their provider giving those zombied machines access to
>> its networks and thus the internet.
>
> 101% agreed!! The ISPs could stop them in their tracks if they wanted
> to, and all the excuses about cost, time and manpower are just so much
> BS in my opinion!
> It doesn't take that long to create a monitor to spot
> a zombie at work and it's a 1 time action. The "fix it or lose access"
> memos can also be automated, along with actually blocking off the
> account for a period of time. I just do not buy their excuses and am at
> a complete loss as to how otherwise good ISPs can just sit back and
> ignore that crap. Hell, if ISPs wanted to they could almost put a stop
> to spam overnight, too, by enforcing already existing RFC rules and
> procedures. They just do not want to.
>
> ...
>> Providers need to do a really lot about this problem. It is the
>> responsibility of the provider, because the zombied user is using the
>> provider's 'stuff' to do its zombie thing. So, the providers are in a
>> sense manning the zombie armies.
>
> AB-SO-LUTELY! But who besides you, myself and the other participants
> knows that? TV never mentions it, radio never does either, nor
> newspapers or any of the non-techie media, and even the techie media
> glosses over most of it unless there is some big PR advantage they can
> work it into.
> So, the reality is, IMO and unfortunately, that it's up to the user
> to protect themselves; their ISPs aren't going to do their jobs, so
> someone has to.
>
> And that brings it all back to: How does a USER know if their machine
> has been zombied? By "user" I mean users in general; people who
> actually only use their machines but know nothing about them and have no
> wish to know. To get their interest, it's going to take simplicity and
> convincing. And in their circles. How long do you think it would take
> even you to notice that your machine had been zombied?
>
> And I have yet another question, actually: How/why is it we never hear
> complaints about an innocent bystander having their accounts closed for
> spamming?
> If a normal user's machine with maybe a total of 15 emails/week
> suddenly spews 10,000 messages that week, why don't any of them lose
> their accounts for spamming reports?
> For that to happen it would have
> to mean that almost NO ISP ever bothers with reacting to spammers on
> their networks, but that's not the case. I don't think! I know some
> who at least claim and appear to react to spamming from their networks.
> So why don't we hear about the innocent bystanders, the collateral
> damage to killing off a zombie! Pretty surely because it's not
> happening. And if it's not happening, the most logical conclusion then
> is that there actually are NOT any massive number of zombies out there.
> ?? You tell me and we'll both know!
>
> I can feel it coming; I think I'm about to become obsessed with zombies
> for awhile. I've never done anything but trivial research; maybe it's
> time to get more serious about it, at least to satisfy myself that it
> really IS a problem and to know HOW to determine whether a machine is
> slow because it's a zombie or just compromised, or ... ??
>
> Cheers,
>
> Twayne
>
>

To be fair, a fair number of zombie computers are in cafes in Asia and NOT people's homes. Internet cafes in Korea and China certainly don't have McAfee or Kaspersky installed.

From nobody at devnull.spamcop.net Thu Dec 18 21:50:54 2008
From: nobody at devnull.spamcop.net (Wazoo)
Date: Thu Dec 18 21:55:03 2008
Subject: [Scspamcop] Re: refuses to accept this type of report - Open relay
References:
Message-ID:

"Twayne" wrote in message news:gicaf1$3ma$1@news.spamcop.net...
>
> And I have yet another question, actually: How/why is it we never
> hear complaints about an innocent bystander having their accounts
> closed for spamming?
> If a normal user's machine with maybe a total of 15 emails/week
> suddenly spews 10,000 messages that week, why don't any of them
> lose their accounts for spamming reports? For that to happen it
> would have to mean that almost NO ISP ever bothers with reacting
> to spammers on their networks, but that's not the case. I don't
> think!
> I know some who at least claim and appear to react to
> spamming from their networks. So why don't we hear about the
> innocent bystanders, the collateral damage to killing off a
> zombie! Pretty surely because it's not happening. And if it's
> not happening, the most logical conclusion then is that there
> actually are NOT any massive number of zombies out there. ?? You
> tell me and we'll both know!

Though not a direct response to your "closing the account" scenario, you might enjoy the read at;

ProActive ISP
http://forum.spamcop.net/forums/lofiversion/index.php/t9841.html

From MikeE at ster.invalid Fri Dec 19 06:05:25 2008
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Dec 19 06:10:03 2008
Subject: [Scspamcop] Re: refuses to accept this type of report - Open relay
References:
Message-ID:

Twayne wrote:
> Mike E wrote:
>> Twayne wrote:
>>
>>> I think a big part of the problem, really, is people don't know when
>>> they've been zombied.
>> Should the 'basic' people be considered to be someone who bought a
>> computer in the not too distant past with MS XP installed along with
>> OEM bloatware and its insecurities which has some kind of standard
>> 'default' install and...
>> Then that basic person proceeds to surf and 'enjoy their internet
>> experience' which means allowing all kinds of webpage insecurities to
> And that brings it all back to: How does a USER know if their machine
> has been zombied? By "user" I mean users in general; people who
> actually only use their machines but know nothing about them and have no
> wish to know. To get their interest, it's going to take simplicity and
> convincing. And in their circles. How long do you think it would take
> even you to notice that your machine had been zombied?
My router + WallWatcher integration keeps logs and makes neato graphical picture interpretations which are actually easy to look at

http://www.wallwatcher.com/
Collect, View, and Analyze Router Logs

There are numerous articles about how a user should secure a windows installation. The general concept is -1- start with a windows install of a machine which is not connected to the internet -2- install windows in the described (non-default) way to secure it -3- only then may you connect to the internet.

That doesn't 'work'/ apply to/ for the 'basic people' we are talking about who have bought their windows box preinstalled and who don't even have/get a genuine MS install disk and who actually have the equivalent of spyware preinstalled along with the preinstalled bloatware.

The basic people we're discussing start off at a huge disadvantage on their way to becoming a zombie. They are operating an insecure OS which has been made even more insecure by the nature of its installation condition and the 'limitations' which the mfr has provided and encouraged the user to take the default install and connect to the internet.

> And I have yet another question, actually: How/why is it we never hear
> complaints about an innocent bystander having their accounts closed for
> spamming?

It doesn't happen (much at all).

> I've never done anything but trivial research; maybe it's
> time to get more serious about it, at least to satisfy myself that it
> really IS a problem and to know HOW to determine whether a machine is
> slow because it's a zombie or just compromised, or ... ??
Here're some old and less old articles you might be interested in

http://www.markusjansson.net/exp.html
How to secure Windows2000 / XP

http://netsecurity.about.com/cs/windowsxp/a/aa042204.htm
Securing Windows XP Home Edition

http://tweezersedge.com/archives/2005/02/000534.html
February 17, 2005 - Killing a Zombie - Rhye's niece wasn't sure exactly what was wrong with her computer - her main complaint was that it was running very sluggish (and had been for the last several months), and the computer was almost unusable now. She dropped off her computer here so I could take a long look at it and try to fix whatever was wrong with it.

--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Fri Dec 19 10:42:57 2008
From: nobody at devnull.spamcop.net (Twayne)
Date: Fri Dec 19 10:45:03 2008
Subject: [Scspamcop] Re: refuses to accept this type of report - Open relay
References:
Message-ID:

> Twayne wrote:
>> Mike E wrote:
>>
>>> Twayne wrote:
>>>
>>>> I think a big part of the problem, really, is people don't know
>>>> when they've been zombied.
>>> ... for some value of 'people'.
>>>
>>> Should the 'basic' people be considered to be someone who bought a
>>> computer in the not too distant past with MS XP installed along with
>>> OEM bloatware and its insecurities which has some kind of standard
>>> 'default' install and...
>>
>> Not only did you say a mouthful there, but it's a huge can of worms,
>> too! I've found the "not too distant past" to be measured in years in
>> more cases than I'd like to keep track of. I have a niece-in-law
>> that still simply goes out and buys another machine whenever she gets
>> to the point where an OS install is in order; she figures they're
>> just plain broken and a new one won't have such problems. Gak!
>> I've had other people ask me to get rid of all the "crap" on their
>> machines for them.
>> Like, well, useless things like firewall
>> messages, AV alerts, things I can not imagine how they remained
>> ignorant of for SO long! You could be God, and any advice they got
>> would go in one ear and out the other! They actually give credence
>> to the old joke about "where's the any-key?", I swear.
>> You can't even tell them to RTFM because the manuals don't
>> mention any of those things; so even if they do read their
>> documentation, they're missing 80% of what they need to do on the
>> 'net. And a lot of them aren't going to learn, either, because they
>> don't go anywhere where the real information might be about the real
>> world. An e-mail still looks mighty professional and real to them.
>>
>>> Then that basic person proceeds to surf and 'enjoy their internet
>>> experience' which means allowing all kinds of webpage insecurities
>>> to ...
>>
>> And with the advances in social engineering already making the
>> spam/scam rounds, they haven't got a chance in hell to accurately
>> figure anything out on their own. I've seen a few pretty convincing
>> looking PayPal and even Gvt agency phish spams that I imagine high
>> percentages of people are falling for.
>> I even got sucked into one myself awhile back: I asked my sister
>> where she got her DTV decoders from and she gave me a decent enough
>> looking link to a local TV station. I used it, it looked fine, gave
>> them my name, address, email & all that & it wasn't until the very
>> last page, the "thank you" page that I realized I had just been
>> suckered. It WAS a good link when my sister used it; but it sure
>> isn't now! I've been getting a steady stream of about 30 spams/day
>> ever since then. Reporting them isn't having any effect at all on
>> them, so now I'm taking them on one at a time and complaining with
>> prejudice via my own manual mails, but ... it's only made a tiny
>> crack in the flow. Worst part is, they're all from the same place!!
>> onx.com or onyx.com or some other aberration of the same name takes
>> care of over 50% of them! I might have finally been forced to
>> delete & create a new address if that one doesn't start to reduce
>> traffic soon. ...
>>
>>> All of these zombied users are being enabled to function as zombies
>>> by the dint of their provider giving those zombied machines access to
>>> its networks and thus the internet.
>>
>> 101% agreed!! The ISPs could stop them in their tracks if they
>> wanted to, and all the excuses about cost, time and manpower are
>> just so much BS in my opinion! It doesn't take that long to create
>> a monitor to spot a zombie at work and it's a 1 time action. The
>> "fix it or lose access" memos can also be automated, along with
>> actually blocking off the account for a period of time. I just do
>> not buy their excuses and am at a complete loss as to how otherwise
>> good ISPs can just sit back and ignore that crap. Hell, if ISPs
>> wanted to they could almost put a stop to spam overnight, too, by
>> enforcing already existing RFC rules and procedures. They just do
>> not want to. ...
>>> Providers need to do a really lot about this problem. It is the
>>> responsibility of the provider, because the zombied user is using
>>> the provider's 'stuff' to do its zombie thing. So, the providers
>>> are in a sense manning the zombie armies.
>>
>> AB-SO-LUTELY! But who besides you, myself and the other participants
>> knows that? TV never mentions it, radio never does either, nor
>> newspapers or any of the non-techie media, and even the techie media
>> glosses over most of it unless there is some big PR advantage they
>> can work it into.
>> So, the reality is, IMO and unfortunately, that it's up to the
>> user to protect themselves; their ISPs aren't going to do their
>> jobs, so someone has to.
>>
>> And that brings it all back to: How does a USER know if their
>> machine has been zombied?
By "user" I mean users in general; people >> who actually only use their machines but know nothing about them and >> have no wish to know. To get their interest, it's going to take >> simplicity and convincing. And in their circles. How long do you >> think it would take even you to notice that your machine had been >> zombied? And I have yet another question, actually: How/why is it we >> never >> hear complaints about an innocent bystander having their accounts >> closed for spamming? >> If a normal user's machine with maybe a total of 15 emails/week >> suddenly spews 10,000 messages that week, why don't any of them lose >> their accounts for spamming reports? For that to happen it would >> have to mean that almost NO ISP ever bothers with reacting to >> spammers on their networks, but that's not the case. I don't think! >> I know some who at least claim and appear to react to spamming from >> their networks. So why don't we hear about the innocent bystanders, >> the collateral damage to killing off a zombie! Pretty surely >> because it's not happening. And if it's not happening, the most >> logical conclusion then is that there actually are NOT any massive >> number of zombies out there. ?? You tell me and we'll both know! >> >> I can feel it coming; I think I'm about to become obsessed with >> zombies for awhile. I've never done anything but trivial research; >> maybe it's time to get more serious about it, at least to satisfy >> myself that it really IS a problem and to know HOW to determine >> whether a machine is slow because it's a zombie or just compromised, >> or ... ?? Cheers, >> >> Twayne >> >> > To be fair, a fair number of zombie computers are in cafes in Asia and > NOT people's homes. Internet cafes in Korea and China certainly don't > have McAfee or Kapersky installed. Yeah, I'm finding multiple stats crediting China with over 78% of it all in the world but those sites may be feeding off each other. N.A. 
numbers are fairly low, if they're believable. Others say it's around 25% for US figures for the total of zombied PCs. I tend to believe those, actually, because I know how many/often computers just aren't updated or protected even here in N.A.. As yet I haven't found a single reputable post-mortem or evaluation of any zombie; just a lot of similar looking "update, AV, spyware and a firewall". But I am starting to come up with some fairly reasonable ideas about detection IFF the "trusted sites" I'm reading are accurate or even mostly accurate. So far I feel like I know enough to be dangerous to myself and others, but it can't be as simple as it seems right now. Heuristics it would seem could catch most of it, and it seems there are a few things it would be easy to monitor to catch possibilities. There are a few apps that claim to catch them, but since I never get attacked, I'm not about to test something from someone I know nothing about and don't feel like researching separately. None of those seem to have much support, though. A lot of it looks like they're pushing false security feelings than anything very real. The biggest thing so far IMO is that N.A. isn't a prime target; China and 3rd worlders get most of it - good news, but ... OTOH one infestation is too many. But if it's really negligible in the US, why all the North American hoopla? Is it happening on a widespread basis or not? We surely have a lot of unpatched, non-updated machines here amongst home users, the latest supposed targets; very seldom do I see a machine fully updated or well protected when it comes in. Regards, Twayne From nobody at devnull.spamcop.net Fri Dec 19 10:52:03 2008 From: nobody at devnull.spamcop.net (Twayne) Date: Fri Dec 19 10:55:04 2008 Subject: [Scspamcop] Re: refuses to accept this type of report - Open relay References: Message-ID: Wazoo said: > "Twayne" wrote in message ... I know some who at least claim and appear to react to >> spamming from their networks. 
So why don't we hear about the >> innocent bystanders, the collateral damage to killing off a >> zombie! Pretty surely because it's not happening. And if it's >> not happening, the most logical conclusion then is that there >> actually are NOT any massive number of zombies out there. ?? You >> tell me and we'll both know! > > Though not a direct response to your "closing the account" scenario, > you might enjoy the read at; > > ProActive ISP > http://forum.spamcop.net/forums/lofiversion/index.php/t9841.html Enlightening, at least. I was surprised to see Qwest in there; more ISPs need to do that. Along with notification of course, by snail if necessary. But that is exactly where such things can, and should be, stopped. They have the data, the means, and most of the answers to the problem. Thanks Wazoo, Twayne From MikeE at ster.invalid Fri Dec 19 11:46:21 2008 From: MikeE at ster.invalid (Mike Easter) Date: Fri Dec 19 11:50:06 2008 Subject: [Scspamcop] Re: refuses to accept this type of report - Open relay References: Message-ID: Twayne wrote: I think maybe your OE is somehow making it harder for you to get the attribution and trimming done easily. This part would be attributed and trimmed like this. Twayne wrote: > mr206 wrote: >> To be fair, a fair number of zombie computers are in cafes in Asia and >> NOT people's homes. Internet cafes in Korea and China certainly don't >> have McAfee or Kapersky installed. > > Yeah, I'm finding multiple stats crediting China with over 78% of it all > in the world but those sites may be feeding off each other. N.A. > numbers are fairly low, if they're believable. -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Fri Dec 19 12:01:06 2008 From: nobody at devnull.spamcop.net (Twayne) Date: Fri Dec 19 12:05:03 2008 Subject: [Scspamcop] Re: refuses to accept this type of report - Open relay References: Message-ID: Mike E wrote: > Twayne wrote: >> Mike E wrote: >>> Twayne wrote: >>> ... 
>> And that brings it all back to: How does a USER know if their >> machine has been zombied? By "user" I mean users in general; people >> who actually only use their machines but know nothing about them and >> have no wish to know. To get their interest, it's going to take >> simplicity and convincing. And in their circles. How long do you >> think it would take even you to notice that your machine had been >> zombied? > > My router + WallWatcher integration keeps logs and makes neato > graphical picture interpretations which are actually easy to look at > http://www.wallwatcher.com/ Collect, View, and Analyze Router Logs I'd forgotten about WallWatcher; tried it quite awhile ago and wasn't impressed. I'll take a look and see what it looks like today. I have a few old revs of various ones still stashed in archive; might be worth checking them all out again. Seems like Ethereal was another one I not quite liked but ... . I've used tcpView now and then and it gives real time status for connections, but it's a pretty basic tool. Useful though. > > There are numerous articles about how a user should secure a windows > installation. The general concept is -1- start with a windows > install of a machine which is not connected to the internet -2- > install windows in the described (non-default) way to secure it -3- > only then may you connect to the internet. Yeah, that seems to be the mantra of the wanna-be advisors; Install & keep upgraded firewall, AV and spyware and a few get as far as mentioning e-mails and not opening attachments, but ... almost none of them cover everything and several ignore disconnecting the 'net while doing preps, etc. etc.. They're writing off the top of their heads, I think. Trend and ZoneLabs and a few other names are also guilty of it if you don't keep track of the age of what you're reading. But even so, that only addresses part of the problem. 
All the security software in the world isn't going to help anyone if they go willy nilly clicking links, opening attachments, visiting "bad" web sites and providing all their personal info to whomever may ask for it. Also to date I don't recall a one of them advising anything about using a throw-away account. THESE are "basic people" IMO who I believe are the majority, who keep the zombifying processes chugging along, and don't or won't know any better until it's too late. Then, MAYBE they'll find some of the information they need, but if they're the kind have to take their machine to "the shop", they aren't likely to learn much about anything. You can almost see the shades coming down in one's eyes when you do try to explain something like that; you become just one more piece of the white noise that floats all around them, most of the time. IMO there isn't a lot of effort being put into the subject by anyone I've seen so far. I haven't yet even found a post-mortem anywhere near as good as one of the links you provided below, and it (understandably) didn't pinpoint the actual zombie files/processes from amongst the chaff. Another thing I am coming across, and find reasonably possible, is that the number of zombied machines in NA is fairly low, with China having the largest share followed by other 3rd worlders in general. That's all interesting and believable, except the number of machines zombied in NA seems to range from a few % to around 28% I think it was. > > That doesn't 'work'/ apply to/ for the 'basic people' we are talking > about who have bought their windows box preinstalled and who don't > even have/get a genuine MS install disk and who actually have the > equivalent of spyware preinstalled along with the preinstalled > bloatware. The basic people we're discussing start off at a huge > disadvantage on their way to becoming a zombie. EGGzakiteley! There is little to no education available. 
And when there is, there is nothing to point out the importance of such information. It's treated like the EULA; a necessary nuisance to slip past quickly. I think a good analogy to that is a recent event with CO detectors in this area. CO detectors aren't new and in some places but far from all, are required by law just like fire detectors. Up across the border a couple weeks ago, a family of 4 were killed in their sleep by CO from a blocked chimney. Starting a day or so after it hit the newspapers big time, none of the stores in that entire province can keep CO detectors in stock; there just aren't anymore to be had; sold out! I've noticed in my favorite hardware store here in the states that the shelves for CO detectors are empty, too. Of course, being zombied won't take a life unless it's a suicide over loss of all their money in the bank, a successful identity theft and other "lovely" things that can happen. Nowadays the criminals know to wait until the fraud alerts expire on cards, accounts, etc., and THEN they start selling them! But, unless they are a WSJ or something similar, PC zombies, spam viruses, spyware; none of it is newsworthy. And if it is, it's a tiny article, one time, on an inside page, between the obits and travel around town sections. > > They are operating an insecure OS which has been made even more > insecure by the nature of its installation condition and the > 'limitations' which the mfr has provided and encouraged the user to > take the default install and connect to the internet. Yup. And whichever OS has the most installed base is always going to have the most of it all. The OEMs don't GAS whether their computers go in secure or not, because no one else does either! Some of the OEMs try, and fail dismally since the "updates" are a new annoyance to be gotten out of the way, etc. etc. etc.. There is nothing for most PC newbies that impresses upon them that security is as important as it is. 
MS brought a lot of that on themselves with their "not MS approved; install anyway?" crap and warnings, which ARE remembered by people! > >> And I have yet another question, actually: How/why is it we never >> hear complaints about an innocent bystander having their accounts >> closed for spamming? > > It doesn't happen (much at all). I'm finding that out, as I hinted at in some of the preceding verbiage here. But that begs the question then, WHY is it enough of a secret that one has to actually research to find such data? I feel I have a healthy dose of paranoia, and do in general try to keep up with the security world, and everyone from MS to ZS is screaming about patches, fixes, etc., for our computers? Ref. MS's recent out of cycle critical update this week for all versions of IE; that had to be disruptive to a lot of their departments, including QA who must turn blue holding their breath every time MS e-mails so much as a nibble of data that they didn't screw it up again. One answer sure could be: "It doesn't happen (much at all)", for sure. But then, I've read more than a few stories of the big DDoS attacks and those were from machines mostly located in the US and some in Canada, assuming they had accurate data and weren't exaggerating for effect. They may have used o'seas routes, but the machines were still located here for the ones that were located and recorded. Unfortunately they don't say HOW they traced those machines, so ... . > >> I've never done anything but trivial research; maybe it's >> time to get more serious about it, at least to satisfy myself that it >> really IS a problem and to know HOW to determine whether a machine is >> slow because it's a zombie or just compromised, or ... ?? > > Here're some old and less old articles you might be interested in > > http://www.markusjansson.net/exp.html How to secure Windows2000 / XP Good article even if only up to SP2; a good reference so I bookmarked it. 
> http://netsecurity.about.com/cs/windowsxp/a/aa042204.htm Securing > Windows XP Home Edition > http://tweezersedge.com/archives/2005/02/000534.html Actually, the closest thing to a post-mortem I've come across yet. February 17, > 2005 - Killing a Zombie - Rhye's niece wasn't sure exactly what was > wrong with her computer - her main complaint was that it was running > very sluggish (and had been for the last several months), and the > computer was almost unusable now. She dropped off her computer here > so I could take a long look at it and try to fix whatever was wrong > with it. Thanks for the links etc. , and Regards, Twayne From nobody at devnull.spamcop.net Fri Dec 19 12:07:05 2008 From: nobody at devnull.spamcop.net (Twayne) Date: Fri Dec 19 12:10:03 2008 Subject: [Scspamcop] PS Misspoke Re: refuses to accept this type of report - Open relay References: Message-ID: PS -- Was looking at the wrong article for part of that: Your link is indeed a good breakdown for a zombie with little chaff; I misspoke. Sorry. Twayne From Damien at littledevil.com Mon Dec 22 10:20:24 2008 From: Damien at littledevil.com (Damien) Date: Mon Dec 22 10:25:02 2008 Subject: [Scspamcop] SpamAssassin Message-ID: I changed my SpamAssassin level from 4 to 3 to see if that would cut down on spam making it through the lists. I still received the following header on one spam that was not caught... X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on filter8 X-Spam-Level: * X-Spam-Status: hits=1.4 tests=FORGED_HOTMAIL_RCVD2,SARE_WEOFFER version=3.2.4 Can someone tell me what this 'star' (*) Spam-Level represents? And with "X-Spam-Status: hits=1.4" does this mean I would have to set my SpamAssassin level to '1' in order to catch this message? If SpamAssassin found FORGED_HOTMAIL_RCVD2 wouldn't that be sufficient to tag the message as Spam? Thanks! 
--Damien From MikeE at ster.invalid Mon Dec 22 11:14:00 2008 From: MikeE at ster.invalid (Mike Easter) Date: Mon Dec 22 11:15:03 2008 Subject: [Scspamcop] Re: SpamAssassin References: Message-ID: Damien wrote: > I changed my SpamAssassin level from 4 to 3 to see if that would cut > down on spam making it through the lists. I still received the > following header on one spam that was not caught... > > X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on filter8 > X-Spam-Level: * > X-Spam-Status: hits=1.4 tests=FORGED_HOTMAIL_RCVD2,SARE_WEOFFER > version=3.2.4 > > > Can someone tell me what this 'star' (*) Spam-Level represents? I think it means '1' (or rather 'less than 2') as opposed to 2 or 3 or whatever which would be ** or *** > And with > "X-Spam-Status: hits=1.4" does this mean I would have to set my > SpamAssassin level to '1' in order to catch this message? That is what I believe you are illustrating. > If SpamAssassin found FORGED_HOTMAIL_RCVD2 wouldn't that be sufficient > to tag the message as Spam? If you were configuring your own SA spamassassin, you could configure the value of the test, but I don't believe that is an option in spamcop's filters. I can finetune SpamPal's RegExFilter plugin's values, which is a tool like SA. Regards the 'value' of the rule, it is my understanding that... the FORGED_HOTMAIL_RCVD2 rule catches MSN Groups messages which are sent from Hotmail accounts. http://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg03450.html They do not have Hotmail received headers, instead they have groups.msn.com headers: ... so it isn't necessarily spam if the rule is tripped. 
-- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Mon Dec 22 11:36:26 2008 From: MikeE at ster.invalid (Mike Easter) Date: Mon Dec 22 11:40:04 2008 Subject: [Scspamcop] Re: SpamAssassin References: Message-ID: Mike Easter wrote: > Damien wrote: >> If SpamAssassin found FORGED_HOTMAIL_RCVD2 wouldn't that be sufficient >> to tag the message as Spam? > ... so it isn't necessarily spam if the rule is tripped. Here's an illustration^1 at SA Bugzilla of a false positive SA result. In this example, the hotmailrcvd is worth 2.3. The example had hir cutoff set for 3, and the total including the 2.3 was 7.1, so there are a lot of issues in the example which would confuse us to talk about. In any case, the example also shows: X-Spam-Level: ******* ... which are 7 asterisks corresponding to the 7.1 score. ^1 https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5874 FORGED_HOTMAIL_RCVD false positive -- Mike Easter kibitzer, not SC admin From mr206 at spamtrackers.eu Mon Dec 22 21:24:38 2008 From: mr206 at spamtrackers.eu (mr206) Date: Mon Dec 22 21:25:03 2008 Subject: [Scspamcop] Re: SpamAssassin In-Reply-To: References: Message-ID: Damien wrote: > I changed my SpamAssassin level from 4 to 3 to see if that would cut down > on spam making it through the lists. I still received the following header > on one spam that was not caught... > > X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on filter8 > X-Spam-Level: * > X-Spam-Status: hits=1.4 tests=FORGED_HOTMAIL_RCVD2,SARE_WEOFFER > version=3.2.4 > > > Can someone tell me what this 'star' (*) Spam-Level represents? And with > "X-Spam-Status: hits=1.4" does this mean I would have to set my > SpamAssassin level to '1' in order to catch this message? > > If SpamAssassin found FORGED_HOTMAIL_RCVD2 wouldn't that be sufficient to > tag the message as Spam? > > Thanks! > > --Damien The * = 1 to 1.9 hits. If it were 2 hits, you would see **. Set your level to 1 if you want to filter this message out. 
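Added example, not part of any post in this thread and not SpamCop's or SpamAssassin's own code: a Python sketch that parses the `X-Spam-Status` and `X-Spam-Level` headers in the form quoted above and shows why one rule hit does not tag a message, since only the summed score is compared with the configured level. The function names are hypothetical, the sample message is constructed from the quoted headers, and the rule "tagged when hits >= level" is an assumption taken from the replies.

```python
import email

# Constructed sample: the headers Damien quoted, laid out as well-formed
# header lines with the folded X-Spam-Status continuation restored.
SAMPLE = (
    "X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on filter8\n"
    "X-Spam-Level: *\n"
    "X-Spam-Status: hits=1.4 tests=FORGED_HOTMAIL_RCVD2,SARE_WEOFFER\n"
    "\tversion=3.2.4\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)


def parse_spam_status(value):
    """Parse 'hits=1.4 tests=A,B version=3.2.4' into a dict.

    Accepts 'score=' as well as 'hits=' and tolerates a tests list that
    was folded across lines after a comma.
    """
    fields, last = {}, None
    for token in value.split():          # split() also absorbs header folding
        key, sep, val = token.partition("=")
        if sep and key.isalpha():
            fields[key] = val
            last = key
        elif last is not None:           # continuation of a folded value
            fields[last] += token
    raw_score = fields.get("hits", fields.get("score"))
    if raw_score is None:
        raise ValueError("no hits= or score= field in X-Spam-Status")
    return {
        "hits": float(raw_score),
        "tests": [t for t in fields.get("tests", "").split(",") if t],
        "version": fields.get("version"),
    }


def expected_stars(score):
    """One asterisk per whole point: 1.4 -> 1, 2.0 -> 2, 7.1 -> 7."""
    return max(0, int(score))


def evaluate(raw_message, level):
    """Report how a message with these headers fares at a given level."""
    msg = email.message_from_string(raw_message)
    status = msg["X-Spam-Status"]
    if status is None:
        raise ValueError("message has no X-Spam-Status header")
    parsed = parse_spam_status(status)
    stars_seen = (msg["X-Spam-Level"] or "").count("*")
    return {
        "hits": parsed["hits"],
        "tests": parsed["tests"],
        "stars_seen": stars_seen,
        # The star bar should agree with the numeric score; a mismatch
        # means one of the two headers was altered or mis-copied.
        "stars_consistent": stars_seen == expected_stars(parsed["hits"]),
        # Assumption: the filter tags when the total reaches the level.
        "tagged": parsed["hits"] >= level,
    }


if __name__ == "__main__":
    for level in (4, 3, 1):
        result = evaluate(SAMPLE, level)
        print(level, result["hits"], result["tests"], result["tagged"])
```
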
From foo at example.com Tue Dec 23 08:18:30 2008 From: foo at example.com (wariat) Date: Tue Dec 23 08:20:03 2008 Subject: [Scspamcop] Spam with MY OWN e-mail address in from field Message-ID: Hello! I'm receiving more and more spam messages with my own address in from field. I'm not sure if I should report it because: 1. I don't want to find my address in any filters, I'm not a spammer, they're just sending the spam to me with my address in From. 2. If I'll send a report it will have the From field not anonymized so in fact spammer will know who sent the report. As I understand anonymisation in report is made to not give the spammer real addresses of reporter, this case all fields are anonymised (changed to ) except the From Field. From MikeE at ster.invalid Tue Dec 23 08:46:27 2008 From: MikeE at ster.invalid (Mike Easter) Date: Tue Dec 23 08:50:03 2008 Subject: [Scspamcop] Re: Spam with MY OWN e-mail address in from field References: Message-ID: wariat wrote: > I'm receiving more and more spam messages with my own address in from > field. That is a very common problem/condition of spam. > I'm not sure if I should report it because: > > 1. I don't want to find my address in any filters, I'm not a spammer, > they're just sending the spam to me with my address in From. Reporting spam with your From doesn't affect any normal spam filters. SpamFrom is not filtered on, except by some foolish individuals who try to make message rules against their spam by clicking 'Block Sender' which is a very bad idea. > 2. If I'll send a report it will have the From field not anonymized so > in fact spammer will know who sent the report. A regular SC spamcop report is sent to the providers for the spamvertised url and the source. A quick SC report is sent to the provider for the source. Standard SC munge replaces the instances of the To addresses with x but not the From. 
There are many ways by which a notified recipient may derive the identity of the party who got the mail/spam, such as by encrypting/hiding identification data in the headers or the body. For that reason, SC provides mole reporting (which is a form of non-reporting) for those who are concerned. SC also makes provisions in its rules for the user to munge hir own address prior to submitting the spam to the parser reporter. See below. > As I understand anonymisation in report is made to not give the spamer > real addresses of reporter, this case all fields are anonymised (changed > to ) except the From Field. Correct. Here is what the rule says about (pre-)mungeing your address http://www.spamcop.net/fom-serve/cache/283.html It is okay to munge your personal email address contained within links in the body of the spam, if SpamCop does not find and munge them, with one exception. If a report is going to an abuse desk that does not accept munged reports, you must not make even these minor changes to the spam. Altho' the From is not part of the body, and altho' as a general rule you shouldn't be doing header mungeing, and altho' as a general rule you shouldn't be 'interpreting' the rule about material changes to say anything other than what it says, I expect that somewhere in the forum a moderator may have said it is also OK to munge your address in the from. Another disadvantage to any kind of mungeing is that it may be 'awkward', depending on how you submit your spam. Personally, I quick report spam with my unmunged address in the From - and personally I don't like to send spam reports to any kind of spamvertiser providers, because I think that most of them are in cahoots with the spam generation process. 
-- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Tue Dec 23 11:27:30 2008 From: nobody at devnull.spamcop.net (Wazoo) Date: Tue Dec 23 11:30:02 2008 Subject: [Scspamcop] Re: Spam with MY OWN e-mail address in from field References: Message-ID: Mike Easter" wrote in message news:giqq3e$5u1$1@news.spamcop.net... > wariat wrote: > > SC also makes provisions in its rules for the user to munge hir > own > address prior to submitting the spam to the parser reporter. See > below. > >> As I understand anonymisation in report is made to not give the >> spamer >> real addresses of reporter, this case all fields are anonymised >> (changed >> to ) except the From Field. > > Correct. Here is what the rule says about (pre-)mungeing your > address > http://www.spamcop.net/fom-serve/cache/283.html It is okay to > munge your > personal email address contained within links in the body of the > spam, if > SpamCop does not find and munge them, with one exception. If a > report is > going to an abuse desk that does not accept munged reports, you > must not > make even these minor changes to the spam. > > Altho' the From is not part of the body, and altho' as a general > rule you > shouldn't be doing header mungeing, and altho' as a general rule > you > shouldn't be 'interpreting' the rule about material changes to say > anything other than what it says, I expect that somewhere in the > forum a > moderator may have said it is also OK to munge your address in the > from. Not entirely sure of the range of issues the "someone on the Forum ... said" was intended to bring up, but I will note that Don 'clarified' some statements made within both the newsgroups and the Forum. 
Those 'clarifications' were added to the updated version of the Wiki content found at; Material changes to spam http://forum.spamcop.net/scwik/SCMaterialChanges From gsb.pwbe at frbyoube.com Tue Dec 23 11:34:16 2008 From: gsb.pwbe at frbyoube.com (Make Money) Date: Tue Dec 23 11:35:04 2008 Subject: [Scspamcop] Spiderweb System Online Money Making For You Message-ID: You Can Make Money Online Spiderweb Marketing: www.thespidersystem.ws GDI: www.haveahappyday.info Free Videos. Free To Join..... This System Will Get You Paid Online From nzvhzdxv at mxuhxdvu.com Tue Dec 23 11:34:36 2008 From: nzvhzdxv at mxuhxdvu.com (Make Money) Date: Tue Dec 23 11:35:05 2008 Subject: [Scspamcop] Spiderweb System Online Money Making For You Message-ID: You Can Make Money Online Spiderweb Marketing: www.thespidersystem.ws GDI: www.haveahappyday.info Free Videos. Free To Join..... This System Will Get You Paid Online From MikeE at ster.invalid Tue Dec 23 12:00:41 2008 From: MikeE at ster.invalid (Mike Easter) Date: Tue Dec 23 12:05:03 2008 Subject: [Scspamcop] Re: Spam with MY OWN e-mail address in from field References: Message-ID: Wazoo wrote: > Mike Easter" >> Altho' the From is not part of the body, and altho' as a general rule you shouldn't be doing header mungeing, and altho' as a general rule you shouldn't be 'interpreting' the rule about material changes to say anything other than what it says, I expect that somewhere in the forum a moderator may have said it is also OK to munge your address in the from. > Not entirely sure of the range of issues the "someone on the Forum > ... said" was intended to bring up, but I will note that Don > 'clarified' some statements made within both the newsgroups and the > Forum. Those 'clarifications' were added to the updated version of > the Wiki content found at; > Material changes to spam > http://forum.spamcop.net/scwik/SCMaterialChanges As always, there is still some ambiguity to me: # Altering spam headers is absolutely not allowed. 
It's a *HUGE* taboo with us. # # You can delete your personal information from the spam, So, you can or you cannot delete your personal information from the spam header From? -- Mike Easter kibitzer, not SC admin From qcorrell at pacNObell.net Tue Dec 23 12:52:41 2008 From: qcorrell at pacNObell.net (Q Correll) Date: Tue Dec 23 12:55:02 2008 Subject: [Scspamcop] We've Been Spammed... Message-ID: From: "Make Money" Subject: Spiderweb System Online Money Making For You Date: Tue, 23 Dec 2008 11:34:36 -0500 -- Q 12/23/2008 09:52:05 XanaNews Version 1.18.1.52 [Everyone's & Q's Mods] From nobody at spamcop.net Tue Dec 23 13:03:39 2008 From: nobody at spamcop.net (Ellen) Date: Tue Dec 23 13:20:02 2008 Subject: [Scspamcop] Re: Spam with MY OWN e-mail address in from field In-Reply-To: References: Message-ID: Mike Easter wrote: > > As always, there is still some ambiguity to me: > > # Altering spam headers is absolutely not allowed. It's a *HUGE* taboo > with us. > # > # You can delete your personal information from the spam, > > So, you can or you cannot delete your personal information from the spam > header From? > > > You can munge your email address in the "From:". Ellen SpamCop From MikeE at ster.invalid Tue Dec 23 13:20:48 2008 From: MikeE at ster.invalid (Mike Easter) Date: Tue Dec 23 13:25:03 2008 Subject: [Scspamcop] Re: Spam with MY OWN e-mail address in from field References: Message-ID: Ellen wrote: > Mike Easter wrote: >> So, you can or you cannot delete your personal information from the >> spam header From? > You can munge your email address in the "From:". Thanks. -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Tue Dec 23 13:35:19 2008 From: nobody at spamcop.net (N. 
Miller) Date: Tue Dec 23 13:40:03 2008 Subject: [Scspamcop] Re: Spam with MY OWN e-mail address in from field References: Message-ID: <1mb31cxc8a77a.dlg@nobody.spamcop.net> On Tue, 23 Dec 2008 13:18:30 +0000 (UTC), wariat from SpamCop wrote: > I'm recieving more and more spam messages with my own address in from > field. I see that, from time to time. I believe it is intended, primarily, as a "filter buster", on the assumption that most recipients automatically whitelist their own email address; thus "From: yourself" automatically evades the spam filters. > I'm not sure if I should report it because: > > 1. I don't want to find my address in any filters, i'm not a spammer, > they just sending the spam to me with my address in From. Spamcop parses the headers to identify the IP address of the spam source. The "From:" email address plays no role in the notify. > 2. If i'll send a report it will have the From field not anonymized so in > fact spamer will know who send the report. > As I understand anonymisation in report is made to not give the spamer > real addresses of reporter, this case all fields are anonymised (changed > to ) except the From Field. I stopped munging when I realized that the spammer already has my email address, and the ISP of the spam source may discount munged reports. I just go ahead with the notify, even if my email address is in the "From:" field. -- Norman ~Oh Lord, why have you come ~To Konnyu, with the Lion and the Drum From MikeE at ster.invalid Tue Dec 23 13:35:59 2008 From: MikeE at ster.invalid (Mike Easter) Date: Tue Dec 23 13:40:04 2008 Subject: [Scspamcop] Re: We've Been Spammed... 
References: Message-ID: Q Correll wrote: > From: "Make Money" > Subject: Spiderweb System Online Money Making For You > Date: Tue, 23 Dec 2008 11:34:36 -0500 But you didn't figger out the spamster/'hallster' Mark Hall Spider Web Marketing 302 Ostrich Lane Starr, SC 29684 Phone: 864-352-6689 hallster1@gmail.com Sat view (no street view available) http://snipurl.com/91k2s Source IP = 204.116.238.90 no rDNS Provider: West Carolina Rural Telephone Coop., Abbeyville SC distance Starr > Abbeville = 26 mi -- Mike Easter kibitzer, not SC admin From qcorrell at pacNObell.net Tue Dec 23 17:46:21 2008 From: qcorrell at pacNObell.net (Q Correll) Date: Tue Dec 23 17:50:03 2008 Subject: [Scspamcop] Re: We've Been Spammed... References: Message-ID: Mike, | But you didn't figger out the spamster/'hallster' I didn't even try. -- Q 12/23/2008 14:45:25 XanaNews Version 1.18.1.52 [Everyone's & Q's Mods] From MikeE at ster.invalid Tue Dec 23 18:24:28 2008 From: MikeE at ster.invalid (Mike Easter) Date: Tue Dec 23 18:25:03 2008 Subject: [Scspamcop] Re: We've Been Spammed... References: Message-ID: Q Correll wrote: > Mike, > >> But you didn't figger out the spamster/'hallster' > > I didn't even try. Well, I can say that I did my research without visiting either website in the spam, not even with the GET function. See score sheet below. That might mean that it lacks accuracy - I can't say. Part of the 'trick' is to see what one can find out without 'opening' a spam or 'clicking' its link. In this case, since it was usenet spam, my email system for analyzing by examining the properties instead of opening has to be performed a little differently. An email can typically be examined by its properties/messagesource 'straightaway', because the usual situation is that the email has been downloaded to the client to enable the 'full force' of a spam filter to work on all of the header and body elements to sort it into the Junk folder. 
OTOH ontheotherhand, a news message is first 'seen' (only) by its headers accessed in the overview transaction between newsagent and newsserver, but the actual message hasn't been downloaded so the properties/source trick doesn't work. One trick I use if I want to see the properties/source of a news message (without opening it) is to 'copy' it to my deleted (or any other) folder. The copying has to 'access' the message source, and so (after such copying) then the properties are accessible. There are other ways of doing it, such as by saving the individual message. Back in the bad old days, one basis for not clicking open spam or clicking any of its links to investigate it were because of the insecurities of OE and IE. Later it became a 'game' -- if the spammer 'makes' you/ gets you to/ read the subject/from in the inbox, s/he wins points because it got in the inbox. If you accidentally open a spam ('to find out what it is') s/he wins points because your spamfilter didn't id it. If you are so curious you click on a link, s/he wins points. The idea that some people claim to be researching spam when they allow it into their inbox and open it and click its links is not acceptable research to me. (But) I have been known to render a spam and to access a spam's website in a 'research' atmosphere. Speaking of research, my local newspaper carried an article today about an important local figure who pled guilty to possession of kiddie porn and, "in a telephone interview last night, Sanders said he had downloaded the files as part of his research for an article on the sexual exploitation of children in foreign countries" http://snipurl.com/91xlm Veteran admits acquiring child porn - Activist says files were for research SDUT San Diego Union Tribune may require reg or BugMeNot. 

--
Mike Easter
kibitzer, not SC admin

From mr206 at spamtrackers.eu Tue Dec 23 21:05:07 2008
From: mr206 at spamtrackers.eu (mr206)
Date: Tue Dec 23 21:10:03 2008
Subject: [Scspamcop] Re: Spam with MY OWN e-mail address in from field
In-Reply-To:
References:
Message-ID:

wariat wrote:
> Hello!
>
> I'm receiving more and more spam messages with my own address in from
> field.
> I'm not sure if I should report it because:
>
> 1. I don't want to find my address in any filters, I'm not a spammer,
> they just sending the spam to me with my address in From.
> 2. If I'll send a report it will have the From field not anonymized so in
> fact spammer will know who send the report.
> As I understand anonymisation in report is made to not give the spammer
> real addresses of reporter, this case all fields are anonymised (changed
> to ) except the From Field.
>

It's an old spammer trick. They're using a bulk mailer, which plugs the recipient's email address in the "FROM" and "TO" fields, to give the appearance that you sent it... it's a method to bypass whitelists (for when you whitelist your own email address to prevent email from being sent to the spam folder).

From nobody at devnull.spamcop.net Tue Dec 23 21:16:57 2008
From: nobody at devnull.spamcop.net (Patto)
Date: Tue Dec 23 21:20:03 2008
Subject: [Scspamcop] Re: We've Been Spammed...
In-Reply-To:
References:
Message-ID:

Q Correll wrote:
> From: "Make Money"
> Subject: Spiderweb System Online Money Making For You
> Date: Tue, 23 Dec 2008 11:34:36 -0500

And since Spamcop is not accepting newsgroup/usenet spam, there isn't even much we can do about it! Except
- report domains it to uribl.com (done)
- report to registrar using http://www.complainterator.com/ (done)

From nobody at devnull.spamcop.net Tue Dec 23 22:07:41 2008
From: nobody at devnull.spamcop.net (Twayne)
Date: Tue Dec 23 22:10:03 2008
Subject: [Scspamcop] Re: We've Been Spammed...
References:
Message-ID:

> Q Correll wrote:
>> From: "Make Money"
>> Subject: Spiderweb System Online Money Making For You
>> Date: Tue, 23 Dec 2008 11:34:36 -0500
>
> And since Spamcop is not accepting newsgroup/usenet spam, there isn't
> even much we can do about it! Except
> - report domains it to uribl.com (done)
> - report to registrar using http://www.complainterator.com/ (done)

lol! Now there's a name and a half for a serious endeavor! First I've ever heard of it. Interesting. The site's a little sparse and undetailed, but ... guess that's not the important part, huh?

Thanks, now I've yet another place to waste my time!

Twayne

From qcorrell at pacNObell.net Tue Dec 23 22:26:02 2008
From: qcorrell at pacNObell.net (Q Correll)
Date: Tue Dec 23 22:30:03 2008
Subject: [Scspamcop] Re: We've Been Spammed...
References:
Message-ID:

Mike,

Thanks for the tutorial.

--
Q
12/23/2008 19:25:49
XanaNews Version 1.18.1.52 [Everyone's & Q's Mods]

From qcorrell at pacNObell.net Tue Dec 23 22:27:09 2008
From: qcorrell at pacNObell.net (Q Correll)
Date: Tue Dec 23 22:30:04 2008
Subject: [Scspamcop] Re: We've Been Spammed...
References:
Message-ID:

Patto,

| And since Spamcop is not accepting newsgroup/usenet spam, there isn't
| even much we can do about it! Except - report domains it to uribl.com
| (done) - report to registrar using http://www.complainterator.com/
| (done)

Thanks. I didn't know what or even if there was a reporting protocol.

--
Q
12/23/2008 19:26:16
XanaNews Version 1.18.1.52 [Everyone's & Q's Mods]

From nobody at devnull.spamcop.net Tue Dec 23 23:06:39 2008
From: nobody at devnull.spamcop.net (Wazoo)
Date: Tue Dec 23 23:10:03 2008
Subject: [Scspamcop] Re: We've Been Spammed...
References:
Message-ID:

"Twayne" wrote in message news:gis91l$gdc$1@news.spamcop.net...
>> Q Correll wrote:
>>
>> And since Spamcop is not accepting newsgroup/usenet spam, there
>> isn't
>> even much we can do about it!
Except
>> - report domains it to uribl.com (done)
>> - report to registrar using http://www.complainterator.com/
>> (done)
>
> lol! Now there's a name and a half for a serious endeavor! First
> I've ever heard of it. Interesting. The site's a little sparse
> and undetailed, but ... guess that's not the important part, huh?

Perhaps more background for starters at http://forum.spamcop.net/forums/lofiversion/index.php/t7930.html would help?

From MikeE at ster.invalid Wed Dec 24 07:43:51 2008
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Dec 24 07:45:03 2008
Subject: [Scspamcop] Re: We've Been Spammed...
References:
Message-ID:

Wazoo wrote:
> "Twayne"
>>
>>> - report to registrar using http://www.complainterator.com/
>> lol! Now there's a name and a half for a serious endeavor! First
>> I've ever heard of it. Interesting. The site's a little sparse
>> and undetailed, but ... guess that's not the important part, huh?
>
> Perhaps more background for starters at
> http://forum.spamcop.net/forums/lofiversion/index.php/t7930.html
> would help?

Complainterator is designed to complain/notify the registrar for the nameservers for the spamvertised domain. There is a pretty good description in the spamtracker wiki for it http://spamtrackers.eu/wiki/index.php?title=Complainterator and there is some useful information in the Word .doc file in its download .zip, which was written by Terry Bowden, the TerryNZ in the forum.

The discussion forum for the app _was_ at CastleCops. Unfortunately it appears that CC has recently died, which is too bad, because it provided support for a lot of software in addition to complainterator.

http://www.castlecops.com/f287-Complainterator.html
You have arrived at the CastleCops website, which is currently offline. It has been our pleasure to investigate online crime and volunteer with our virtual family to assist with your computer needs and make the Internet a safer place. Unfortunately, all things come to an end.
PST 23 Dec 2008

I always tho't that Blue Frog and Complainterator took more credit for effectiveness than could be documented - but those who use the tools seem to be happy with getting registrar autoacks and seeing some names get snuffed.

I'm also not quite clear on how the token for complainterator gets used by the dnsstuff links, as tight as dnsstuff tries to be with its tools. That is, the email from complainterator doesn't contain the spam, but instead it contains 'evidence' linking the nameserver registrar to the spamvertised site, which link evidence is 'mediated' thru' dnsstuff.

--
Mike Easter
kibitzer, not SC admin

From nospam at emberts.com Wed Dec 24 14:39:01 2008
From: nospam at emberts.com (news.spamcop.net)
Date: Wed Dec 24 14:40:03 2008
Subject: [Scspamcop] The spam flood has stopped (and where has everyone gone?)
Message-ID:

I have a domain that I stopped using several years because of the spam flood. I was getting thousands of spams every day (5,000 - 10,000 or more). Every now and then I enable the email for that domain just to see what is happening, and it's always the same - thousands of spams every day. This last week I did so again, and much to my surprise I'm only getting a dozen or so spams a day. I've left it on for a week, and for some reason the spam flood has died. Is this a trend, or just happenstance?

And I remember when there was 3 or 4 times as much traffic through this group - where has everyone gone?

From nospam at emberts.com Wed Dec 24 14:40:18 2008
From: nospam at emberts.com (Zootal)
Date: Wed Dec 24 14:40:03 2008
Subject: [Scspamcop] Re: The spam flood has stopped (and where has everyone gone?)
References:
Message-ID:

PS: Sorry about the news.spamcop.net...I forgot to fix my name in the setup when I added the spamcop server to OE :-(

"news.spamcop.net" wrote in message news:giu33m$1dm$1@news.spamcop.net...
>I have a domain that I stopped using several years because of the spam
>flood.
I was getting thousands of spams every day (5,000 - 10,000 or more).
>Every now and then I enable the email for that domain just to see what is
>happening, and it's always the same - thousands of spams every day. This
>last week I did so again, and much to my surprise I'm only getting a dozen
>or so spams a day. I've left it on for a week, and for some reason the spam
>flood has died. Is this a trend, or just happenstance?
>
> And I remember when there was 3 or 4 times as much traffic through this
> group - where has everyone gone?
>

From nobody at spamcop.net Wed Dec 24 14:56:30 2008
From: nobody at spamcop.net (Steven Underwood)
Date: Wed Dec 24 15:00:03 2008
Subject: [Scspamcop] Re: The spam flood has stopped (and where has everyone gone?)
References:
Message-ID:

"news.spamcop.net" wrote in message news:giu33m$1dm$1@news.spamcop.net...
> I have a domain that I stopped using several years because of the spam
> flood. I was getting thousands of spams every day (5,000 - 10,000 or
> more). Every now and then I enable the email for that domain just to see
> what is happening, and it's always the same - thousands of spams every
> day. This last week I did so again, and much to my surprise I'm only
> getting a dozen or so spams a day. I've left it on for a week, and for
> some reason the spam flood has died. Is this a trend, or just
> happenstance?
>

I would guess your ISP/host has started filtering your messages... many are.

> And I remember when there was 3 or 4 times as much traffic through this
> group - where has everyone gone?

I don't know what timeframe your reference point is and I had been away for a while. Some of us have moved to the SpamCop support forums at: http://forum.spamcop.net/forums/index.php

From nospam at emberts.com Wed Dec 24 15:46:20 2008
From: nospam at emberts.com (Zootal)
Date: Wed Dec 24 15:55:03 2008
Subject: [Scspamcop] Re: The spam flood has stopped (and where has everyone gone?)
References:
Message-ID:

> I would guess your ISP/host has started filtering your messages... many
> are.

There is no filtering at all - my host just forwards everything to me. The domain is parked at namecheap, and they don't filter email on this level of account.

>> And I remember when there was 3 or 4 times as much traffic through this
>> group - where has everyone gone?
> I don't know what timeframe your reference point is and I had been away
> for a while. Some of us have moved to the SpamCop support forums at:
> http://forum.spamcop.net/forums/index.php

I've been lurking here for years and years. How long has SpamCop been around? I think it was 1999 when I first started using it. I don't remember exactly when I discovered this news server, but it would have been very early 2000s.

From qcorrell at pacNObell.net Wed Dec 24 16:08:39 2008
From: qcorrell at pacNObell.net (Q Correll)
Date: Wed Dec 24 16:10:03 2008
Subject: [Scspamcop] Re: The spam flood has stopped (and where has everyone gone?)
References:
Message-ID:

Steven,

| Some of us have moved to the SpamCop support forums at:
| http://forum.spamcop.net/forums/index.php

I don't care one whit for browser-based viewing. Does it allow NNTP?

--
Q
12/24/2008 13:07:48
XanaNews Version 1.18.1.52 [Everyone's & Q's Mods]

From nospam at emberts.com Wed Dec 24 16:11:28 2008
From: nospam at emberts.com (Zootal)
Date: Wed Dec 24 16:15:03 2008
Subject: [Scspamcop] Re: The spam flood has stopped (and where has everyone gone?)
References:
Message-ID:

"Q Correll" wrote in message news:giu8cn$qng$1@news.spamcop.net...
> Steven,
>
> | Some of us have moved to the SpamCop support forums at:
> | http://forum.spamcop.net/forums/index.php
>
> I don't care one whit for browser-based viewing. Does it allow NNTP?
>

I have to second that. I'd rather have everything NNTP right here in one place instead of having to jump through 50 different web based forums here and there and splattered all over the Internet.
But alas, young kids today don't know what usenet is.

From MikeE at ster.invalid Wed Dec 24 16:20:27 2008
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Dec 24 16:25:03 2008
Subject: [Scspamcop] Re: The spam flood has stopped (and where has everyone gone?)
References:
Message-ID:

Zootal wrote:
>
>> I would guess your ISP/host has started filtering your messages... many
>> are.
>
> There is no filtering at all - my host just forwards everything to me.
> The domain is parked at namecheap, and they don't filter email on this
> level of account.

Maybe all of your spam was coming from one spamgenerating gang with the same millions CD with your addy and the gang has become extinct and your spam address along with it. However, it seems to me that if you were getting thousands, that the address would have propagated among numbers of generating systems.

> I've been lurking here for years and years. How long has SpamCop been
> around? I think it was 1999 when I first started using it. I don't
> remember exactly when I discovered this news server, but it would have
> been very early 2000s.

The wiki (-pedia & spamcop-) and website sez that Julian founded SC in 1998.

http://forum.spamcop.net/scwik/SpamCopHistory
http://en.wikipedia.org/wiki/Spamcop
http://www.spamcop.net/fom-serve/cache/109.html

--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Wed Dec 24 16:24:29 2008
From: nobody at devnull.spamcop.net (Wazoo)
Date: Wed Dec 24 16:25:03 2008
Subject: [Scspamcop] Re: The spam flood has stopped (and where has everyone gone?)
References:
Message-ID:

"Zootal" wrote in message news:giu7an$mms$1@news.spamcop.net...
>
> I've been lurking here for years and years. How long has SpamCop
> been around? I think it was 1999 when I first started using it. I
> don't remember exactly when I discovered this news server, but it
> would have been very early 2000s.

What is SpamCop's history?
http://forum.spamcop.net/scwik/SpamCopHistory

The Portal page uses the same Welcome block found on the un-logged-in web page of the spamcop.net web-page .. note the date incorporated right into the logo graphic ... http://forum.spamcop.net/

From MikeE at ster.invalid Wed Dec 24 16:26:29 2008
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Dec 24 16:30:02 2008
Subject: [Scspamcop] Re: The spam flood has stopped (and where has everyone gone?)
References:
Message-ID:

Zootal wrote:
> "Q Correll"
>> I don't care one whit for browser-based viewing. Does it allow NNTP?
> I have to second that. I'd rather have everything NNTP right here in one
> place instead of having to jump through 50 different web based forums
> here and there and splattered all over the Internet. But alas, young
> kids today don't know what usenet is.

That topic of conversation came up the other day when someone was looking for an OpenOffice newsgroup. The OO webforums are busy, but you have to scratch around to find a decent OO mailing list reflected in a newsgroup on gmane.

Similarly the ubuntu forum is humming, but alt.os.linux.ubuntu is much more placid and for whatever it's worth, isn't carried by GG googlegroups, but is otherwise well propagated.

The schism of spamcop's support into the webforum vs the newsgroups was originally intended to have the webforum completely replace the nntp, but out of the goodness of his heart the news admin has allowed the newsgroups to live.

--
Mike Easter
kibitzer, not SC admin

From nospam at emberts.com Wed Dec 24 16:33:38 2008
From: nospam at emberts.com (Zootal)
Date: Wed Dec 24 16:35:03 2008
Subject: [Scspamcop] Re: The spam flood has stopped (and where has everyone gone?)
References:
Message-ID:

> Maybe all of your spam was coming from one spamgenerating gang with the
> same millions CD with your addy and the gang has become extinct and your
> spam address along with it.
However, it seems to me that if you were
> getting thousands, that the address would have propagated among numbers of
> generating systems.
>

I suspect that the domain has propagated to just about every spammer out there by now, I think it's been about 5 years since this initially happened. I never did find out what started it - one day the spam started pouring in. I think I'll revisit my host and see if it's really forwarding everything like it says it is. It just doesn't make sense that it would slow down like it has.

From nobody at devnull.spamcop.net Wed Dec 24 16:36:23 2008
From: nobody at devnull.spamcop.net (Wazoo)
Date: Wed Dec 24 16:40:04 2008
Subject: [Scspamcop] Re: The spam flood has stopped (and where has everyone gone?)
References:
Message-ID:

"Zootal" wrote in message news:giu8h0$r6s$1@news.spamcop.net...
>
> I have to second that. I'd rather have everything NNTP right here
> in one place instead of having to jump through 50 different web
> based forums here and there and splattered all over the Internet.
> But alas, young kids today don't know what usenet is.

Yes, HTML stuff isn't the same as NNTP. However, your stated logic doesn't really fly. There is only one SpamCop.net Forum. If one actually looks at the newsgroup structure (and ignores that it hasn't been updated, several pointer links have disappeared, and a lot of users don't follow the logic of using a specific newsgroup for their specific issues) you'll note that the Forum structure is basically the same.

SpamCop Newsgroups: http://forum.spamcop.net/scwik/SpamCopNewsgroups

SpamCop Forum: note the http://forum.spamcop.net/scwik/SpamCopNewsgroups on the Portal page http://forum.spamcop.net/ .... each "subject" has its own place within the structure.

Wondering if having great-grandkids qualifies me as still being young?

From MikeE at ster.invalid Wed Dec 24 16:54:05 2008
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Dec 24 16:55:03 2008
Subject: [Scspamcop] Re: The spam flood has stopped (and where has everyone gone?)
References:
Message-ID:

Wazoo wrote:
> "Zootal"
>> But alas, young kids today don't know what usenet is.
> Wondering if having great-grandkids qualifies me as still being
> young?

Maybe we can agree:

- there are things wrong (and right) with nntp
- there are things wrong (and right) with webforums
- there is some division along generational lines of such mediums of exchange as nntp, webforums, email, chatgroups, instant messaging, IRC, and phone text messaging; but you can't determine what agegroup a person is strictly by which medium they use

--
Mike Easter
kibitzer, not SC admin

From nospam at emberts.com Wed Dec 24 17:30:54 2008
From: nospam at emberts.com (Zootal)
Date: Wed Dec 24 17:35:04 2008
Subject: [Scspamcop] Re: The spam flood has stopped (and where has everyone gone?)
References:
Message-ID:

"Mike Easter" wrote in message news:giub1s$52j$1@news.spamcop.net...
> Wazoo wrote:
>> "Zootal"
>
>>> But alas, young kids today don't know what usenet is.
>
>> Wondering if having great-grandkids qualifies me as still being
>> young?
>
> Maybe we can agree:
>
> - there are things wrong (and right) with nntp
> - there are things wrong (and right) with webforums
> - there is some division along generational lines of such mediums of
> exchange as nntp, webforums, email, chatgroups, instant messaging, IRC,
> and phone text messaging; but you can't determine what agegroup a person
> is strictly by which medium they use
>
>

Amen, Brother :)

From nospam at emberts.com Wed Dec 24 17:34:55 2008
From: nospam at emberts.com (Zootal)
Date: Wed Dec 24 17:35:04 2008
Subject: [Scspamcop] Re: The spam flood has stopped (and where has everyone gone?)
References:
Message-ID:

>> I have to second that.
I'd rather have everything NNTP right here in one
>> place instead of having to jump through 50 different web based forums
>> here and there and splattered all over the Internet. But alas, young kids
>> today don't know what usenet is.
>
> Yes, HTML stuff isn't the same as NNTP. However, your stated logic
> doesn't really fly. There is only one SpamCop.net Forum.

Yes, but I visit more groups than just SpamCop :)

At one time I had over 100 groups loaded into my newsreader. I think I'm down to about 70 or so.

From MikeE at ster.invalid Wed Dec 24 17:54:32 2008
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Dec 24 17:55:03 2008
Subject: [Scspamcop] Re: The spam flood has stopped (and where has everyone gone?)
References:
Message-ID:

Zootal wrote:
>
>> There is only one SpamCop.net Forum.
>
> Yes, but I visit more groups than just SpamCop :)
>
> At one time I had over 100 groups loaded into my newsreader. I think I'm
> down to about 70 or so.

... and for me various newsservers, spamcop, gmane, provider's giganews, lotsa frees, and a cheap paid block.

nntp/ing is a different world than 'adapting' to browser reading and editing (all over the place).

I don't like to read and write to various webforums with a browser. Some browser or other, which varies, Opera, FF, even KMeleon. I don't even like to change the 'simple' interface of a newsreader, ie OE (plus QuoteFix) vs better choices. In linux it is usually Tbird, but I roam around much more than in Windows.

--
Mike Easter
kibitzer, not SC admin

From qcorrell at pacNObell.net Wed Dec 24 18:05:42 2008
From: qcorrell at pacNObell.net (Q Correll)
Date: Wed Dec 24 18:10:03 2008
Subject: [Scspamcop] Re: The spam flood has stopped (and where has everyone gone?)
References:
Message-ID:

Mike,

| The schism of spamcop's support into the webforum vs the newsgroups
| was originally intended to have the webforum completely replace the
| nntp, but out of the goodness of his heart the news admin has allowed
| the newsgroups to live.

I don't visit webforums at all except in the case of an emergency.

--
Q
12/24/2008 15:04:56
XanaNews Version 1.18.1.52 [Everyone's & Q's Mods]

From qcorrell at pacNObell.net Wed Dec 24 18:07:11 2008
From: qcorrell at pacNObell.net (Q Correll)
Date: Wed Dec 24 18:10:04 2008
Subject: [Scspamcop] Re: The spam flood has stopped (and where has everyone gone?)
References:
Message-ID:

Wazoo,

| Wondering if having great-grandkids qualifies me as still being young?

Being a "young pup" is just a state of mind.

My oldest great-grandkid is six years old. ;-)

--
Q
12/24/2008 15:06:16
XanaNews Version 1.18.1.52 [Everyone's & Q's Mods]

From qcorrell at pacNObell.net Wed Dec 24 18:11:36 2008
From: qcorrell at pacNObell.net (Q Correll)
Date: Wed Dec 24 18:15:03 2008
Subject: [Scspamcop] Re: The spam flood has stopped (and where has everyone gone?)
References:
Message-ID:

Zootal,

| At one time I had over 100 groups loaded into my newsreader. I think
| I'm down to about 70 or so.

I Access 123 Groups in 13 Accounts every day.

--
Q
12/24/2008 15:10:47
XanaNews Version 1.18.1.52 [Everyone's & Q's Mods]

From nospam at emberts.com Wed Dec 24 18:36:38 2008
From: nospam at emberts.com (Zootal)
Date: Wed Dec 24 18:40:04 2008
Subject: [Scspamcop] Re: The spam flood has stopped (and where has everyone gone?)
References:
Message-ID:

"Q Correll" wrote in message news:giufav$knu$1@news.spamcop.net...
> Wazoo,
>
> | Wondering if having great-grandkids qualifies me as still being young?
>
> Being a "young pup" is just a state of mind.
>
> My oldest great-grandkid is six years old. ;-)
>
>

Nice.
I have an 8 year old grandson, but that is all - I'm still a young pup myself

From qcorrell at pacNObell.net Wed Dec 24 19:59:33 2008
From: qcorrell at pacNObell.net (Q Correll)
Date: Wed Dec 24 20:00:03 2008
Subject: [Scspamcop] Re: The spam flood has stopped (and where has everyone gone?)
References:
Message-ID:

Zootal,

| Nice. I have an 8 year old grandson, but that is all - I'm still a
| young pup myself

I was never quite able to process being a grandfather, let alone being a great-grandfather. But,... here I am with four great-grandkids!

--
Q
12/24/2008 16:56:58
XanaNews Version 1.18.1.52 [Everyone's & Q's Mods]

From nobody at devnull.spamcop.net Wed Dec 24 20:47:52 2008
From: nobody at devnull.spamcop.net (Patto)
Date: Wed Dec 24 20:50:03 2008
Subject: [Scspamcop] Re: We've Been Spammed...
In-Reply-To:
References:
Message-ID:

Mike Easter wrote:
> ... That is, the email from complainterator doesn't contain the spam,
> but instead it contains 'evidence' linking the nameserver registrar to the
> spamvertised site, which link evidence is 'mediated' thru' dnsstuff.

I always append the SC tracker at the end of the generated email.

From nobody at devnull.spamcop.net Wed Dec 24 20:50:31 2008
From: nobody at devnull.spamcop.net (Patto)
Date: Wed Dec 24 20:55:04 2008
Subject: [Scspamcop] Re: The spam flood has stopped (and where has everyone gone?)
In-Reply-To:
References:
Message-ID:

news.spamcop.net wrote:
> I have a domain that I stopped using several years because of the spam
> flood. I was getting thousands of spams every day (5,000 - 10,000 or more).
> Every now and then I enable the email for that domain just to see what is
> happening, and it's always the same - thousands of spams every day. This
> last week I did so again, and much to my surprise I'm only getting a dozen
> or so spams a day. I've left it on for a week, and for some reason the spam
> flood has died. Is this a trend, or just happenstance?

Maybe someone realized that you are not reading their precious spam?

From 127 at [127.0.0.1] Wed Dec 24 21:22:45 2008
From: 127 at [127.0.0.1] (vg4cysss7001)
Date: Wed Dec 24 21:25:03 2008
Subject: [Scspamcop] Re: The spam flood has stopped (and where has everyone gone?)
References:
Message-ID: <08+3Zxs15uUJFw6E@spam.filter>

In article , Q Correll writes
>Mike,
>
>| The schism of spamcop's support into the webforum vs the newsgroups
>| was originally intended to have the webforum completely replace the
>| nntp, but out of the goodness of his heart the news admin has allowed
>| the newsgroups to live.
>
>I don't visit webforums at all except in the case of an emergency.
>
>

I agree. I find some/most web fora difficult to navigate around threads, plus there is the inevitable delay in (up- and) downloading, compared with a local newsbase.

Lastly, Usenet articles can be downloaded when, say, at home on broadband, then read off-line elsewhere and any posting, if it can't wait, can be up-loaded using, say, GPRS or a public wireless hot-spot. Much cheaper than having to be on-line for all processing (reading, writing, etc.).

--
Misha
Free on-line, off-site backups?

From qcorrell at pacNObell.net Wed Dec 24 22:50:55 2008
From: qcorrell at pacNObell.net (Q Correll)
Date: Wed Dec 24 22:55:03 2008
Subject: [Scspamcop] Re: The spam flood has stopped (and where has everyone gone?)
References: <08+3Zxs15uUJFw6E@spam.filter>
Message-ID:

vg4cysss7001,

| Lastly,

Yep,... all you typed.

--
Q
12/24/2008 19:50:43
XanaNews Version 1.18.1.52 [Everyone's & Q's Mods]

From nobody at nowhere.not Thu Dec 25 02:20:29 2008
From: nobody at nowhere.not (Robert Blair)
Date: Thu Dec 25 02:25:07 2008
Subject: [Scspamcop] Re: The spam flood has stopped (and where has everyone gone?)
References:
Message-ID:

On Wed, 24 Dec 2008 19:39:01 UTC, "news.spamcop.net" wrote:

> I have a domain that I stopped using several years because of the spam
> flood.
I was getting thousands of spams every day (5,000 - 10,000 or more).
> Every now and then I enable the email for that domain just to see what is
> happening, and it's always the same - thousands of spams every day. This
> last week I did so again, and much to my surprise I'm only getting a dozen
> or so spams a day. I've left it on for a week, and for some reason the spam
> flood has died. Is this a trend, or just happenstance?

Sounds like you have a catch-all email address and retrieve your email from it. I never use a catch-all email address just because of that problem.

The only time I had spam in the high hundreds was once when a spammer used my email address as a FROM.

--
Robert Blair

From nobody at devnull.spamcop.net Thu Dec 25 03:01:18 2008
From: nobody at devnull.spamcop.net (Wazoo)
Date: Thu Dec 25 03:05:08 2008
Subject: [Scspamcop] Re: The spam flood has stopped (and where has everyone gone?)
References:
Message-ID:

"Zootal" wrote in message news:giuddi$c8o$1@news.spamcop.net...
>> (adding attribute: wazoo said;)
>> Yes, HTML stuff isn't the same as NNTP. However, your stated
>> logic doesn't really fly. There is only one SpamCop.net Forum.
>
> Yes, but I visit more groups than just SpamCop :)
>
> At one time I had over 100 groups loaded into my newsreader. I
> think I'm down to about 70 or so.

I'm not even going to try to count the 'subscribed' newsgroups I've got in my lists. But I'll also note that I have no real idea of the number of Forums I'm also registered into (or simply have links to jump in and do my lurking.) I have always said and will repeat again, I need to go where the data resides, end of discussion. Some folks only provide support via Forums, some only via Lists/Archives, fewer and fewer do actual NNTP, (and of course, let's not forget those that offer no 'direct' support at all.)

I'm not sure, but I seem to read your response as you working with some kind of impression that because I Admin the Forum that I don't do anything else ...???? Back to your 'young kids today don't know what usenet is' remark, I'll toss back that my first BBS was run on a Franklin 1200 (an Apple ][+ clone) using a 300-baud modem. I was using the Internet back in the days when one had to call the desired location and ask what their actual address was that day, changes being caused by a computer or network card being swapped out at that end. Gopher, Veronica, and such being the 'great' tools of those days. It's not like NNTP is foreign to me.

From nospam at emberts.com Thu Dec 25 03:28:54 2008
From: nospam at emberts.com (Zootal)
Date: Thu Dec 25 03:30:08 2008
Subject: [Scspamcop] Re: The spam flood has stopped (and where has everyone gone?)
References:
Message-ID:

"Wazoo" wrote in message news:givekd$lm0$1@news.spamcop.net...
> "Zootal" wrote in message
> news:giuddi$c8o$1@news.spamcop.net...
>>> (adding attribute: wazoo said;)
>>> Yes, HTML stuff isn't the same as NNTP. However, your stated logic
>>> doesn't really fly. There is only one SpamCop.net Forum.
>>
>> Yes, but I visit more groups than just SpamCop :)
>>
>> At one time I had over 100 groups loaded into my newsreader. I think I'm
>> down to about 70 or so.
>
> I'm not even going to try to count the 'subscribed' newsgroups I've got in
> my lists. But I'll also note that I have no real idea of the number of
> Forums I'm also registered into (or simply have links to jump in and do my
> lurking.) I have always said and will repeat again, I need to go where
> the data resides, end of discussion. Some folks only provide support via
> Forums, some only via Lists/Archives, fewer and fewer do actual NNTP, (and
> of course, let's not forget those that offer no 'direct' support at all.)
>
> I'm not sure, but I seem to read your response as you working with some
> kind of impression that because I Admin the Forum that I don't do anything
> else ...???? Back to your 'young kids today don't know what usenet is'
> remark, I'll toss back that my first BBS was run on a Franklin 1200 (an
> Apple ][+ clone) using a 300-baud modem. I was using the Internet back
> in the days when one had to call the desired location and ask what their
> actual address was that day, changes being caused by a computer or network
> card being swapped out at that end. Gopher, Veronica, and such being the
> 'great' tools of those days. It's not like NNTP is foreign to me.
>

The "young kids" comment was not directed at anyone here. It was a comment on trends in general.

And I remember the day I got my first 300 baud modem. Woohoo! A modem! I could connect to other computers, share files, leave messages! Life was good. Then a friend of mine that worked for Aprotek (they made modems back then) gave me a 2400 baud "sample" modem, and I wondered how I was ever happy with 300 baud modems.

From MikeE at ster.invalid Thu Dec 25 12:02:07 2008
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Dec 25 12:05:08 2008
Subject: [Scspamcop] Re: The spam flood has stopped (and where has everyone gone?)
References:
Message-ID:

Zootal wrote:
> "Wazoo"
>> I'll toss back that my first BBS was run on a
>> Franklin 1200 (an Apple ][+ clone) using a 300-baud modem.
> Then a friend of mine that worked
> for Aprotek (they made modems back then) gave me a 2400 baud "sample"
> modem, and I wondered how I was ever happy with 300 baud modems.

All of this talk about old hardware and connectivity reminds me of my Atari ST days, 1200 baud modem (I don't think I remember 300) and GEnie commercial BBS -- which I used much more than local homebrew bbs/es. That had to start in about 1986 when Atari first provided the 1040 STf.
My Atari years and GEnie roundtables were pretty active, but there wasn't a real internet.

There was a little gap later, because after about 3 different 1040st/s of which I was using 2 of them in an office environment networked via their midi ports and 2 different Mega/s to tinker with, all of a sudden the next thing I had was a Windows 95 machine on the internet via a cable modem.

I never accessed 'the internet' in its infancy with a telephone modem. My modem usage preceded any real internet and by the time there was a real internet, my community had access to cable modem connectivity.

-- 
Mike Easter
kibitzer, not SC admin

From nospam at emberts.com Thu Dec 25 14:15:41 2008
From: nospam at emberts.com (Zootal)
Date: Thu Dec 25 14:20:08 2008
Subject: [Scspamcop] Re: The spam flood has stopped (and where has everyone gone?)
References:
Message-ID:

> All of this talk about old hardware and connectivity reminds me of my
> Atari ST days, 1200 baud modem (I don't think I remember 300) and GEnie
> commercial BBS -- which I used much more than local homebrew bbs/es. That
> had to start in about 1986 when Atari first provided the 1040 STf.
>
> My Atari years and GEnie roundtables were pretty active, but there wasn't
> a real internet.
>
> There was a little gap later, because after about 3 different 1040st/s of
> which I was using 2 of them in an office environment networked via their
> midi ports and 2 different Mega/s to tinker with, all of a sudden the next
> thing I had was a Windows 95 machine on the internet via a cable modem.
>
> I never accessed 'the internet' in its infancy with a telephone modem. My
> modem usage preceded any real internet and by the time there was a real
> internet, my community had access to cable modem connectivity.
>
> --
> Mike Easter
> kibitzer, not SC admin
>

My employer at the time let us use their CompuServe account, and I was on CS for years and years. I stayed with CompuServe until the Internet finally passed them by. CS chose not to keep up, was purchased by AOL, and thought computer users were stupid people that had to have the AOL interface to access online material. Bye bye CompuServe. I moved to a startup dialup Internet access company called EarthLink, whom I stayed with for years. This was back when EarthLink was new and knew how to treat their customers. Something they eventually lost, unfortunately, they used to be really good. I was using a Kaypro pc/xt with a 3.2MHz nec v20 processor (a drop in replacement for the 8086 that ran twice as fast). CGA was beautiful!

From nobody at spamcop.net Thu Dec 25 15:35:52 2008
From: nobody at spamcop.net (Antispam Knight)
Date: Thu Dec 25 15:40:08 2008
Subject: [Scspamcop] Re: The spam flood has stopped (and where has everyone gone?)
References:
Message-ID:

"Zootal" wrote in message news:gj0m62$ujo$1@news.spamcop.net...
>> All of this talk about old hardware and connectivity reminds me of my
>> Atari ST days, 1200 baud modem (I don't think I remember 300) and GEnie
>> commercial BBS -- which I used much more than local homebrew bbs/es.
>> That
>> had to start in about 1986 when Atari first provided the 1040 STf.
>>
>> My Atari years and GEnie roundtables were pretty active, but there wasn't
>> a real internet.
>>
>> There was a little gap later, because after about 3 different 1040st/s of
>> which I was using 2 of them in an office environment networked via their
>> midi ports and 2 different Mega/s to tinker with, all of a sudden the
>> next
>> thing I had was a Windows 95 machine on the internet via a cable modem.
>>
>> I never accessed 'the internet' in its infancy with a telephone modem.
>> My
>> modem usage preceded any real internet and by the time there was a real
>> internet, my community had access to cable modem connectivity.
>>
>> --
>> Mike Easter
>> kibitzer, not SC admin
>>
>
> My employer at the time let us use their CompuServe account, and I was on
> CS for years and years. I stayed with CompuServe until the Internet
> finally passed them by. CS chose not to keep up, was purchased by AOL,
> and thought computer users were stupid people that had to have the AOL
> interface to access online material. Bye bye CompuServe. I moved to a
> startup dialup Internet access company called EarthLink, whom I stayed
> with for years. This was back when EarthLink was new and knew how to treat
> their customers. Something they eventually lost, unfortunately, they used
> to be really good. I was using a Kaypro pc/xt with a 3.2MHz nec v20
> processor (a drop in replacement for the 8086 that ran twice as fast). CGA
> was beautiful!

Does anyone remember the TRS-80 (Trash-80)? My first foray into pc's began with that gem. 4k of ram. Then a friend had access to 16k chips. Wow! What would I ever do with 16k of ram? And one day upgrading to 56k of ram (64k minus the memory mapped ram or somesuch). And I remember loading software with the audio tape recorder. You could load a 1k or 2k prog. in just a few minutes! That's including retries when the load failed. Then I remember my joy at being able to install a single density disk drive, then cutting a notch in the diskettes (5 1/4") to make them double sided (but you had to turn them over). Then finally upgrading to double sided, double density drive. How could you *ever* run out of storage space now?

AK

From qcorrell at pacNObell.net Thu Dec 25 17:34:20 2008
From: qcorrell at pacNObell.net (Q Correll)
Date: Thu Dec 25 17:35:08 2008
Subject: [Scspamcop] Re: The spam flood has stopped (and where has everyone gone?)
References:
Message-ID:

Antispam,

| Does anyone remember the TRS-80 (Trash-80)?

Yep. I also remember several systems BEFORE the Trash-80 even existed.
-- 
Q
12/25/2008 14:33:29
XanaNews Version 1.18.1.52 [Everyone's & Q's Mods]

From MikeE at ster.invalid Thu Dec 25 19:45:39 2008
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Dec 25 19:50:08 2008
Subject: [Scspamcop] Re: The spam flood has stopped (and where has everyone gone?)
References:
Message-ID:

Q Correll wrote:
> Antispam,
>
>> Does anyone remember the TRS-80 (Trash-80)?
>
> Yep. I also remember several systems BEFORE the Trash-80 even existed.

The wiki has an article on the hx of personal computers; refers to 1977 TRS-80 + Commodore PET + Apple ][ as the 1977 Trinity, and has some par/s on the Intel 8008 cpu and the Altair 8800 and other early advances.

http://en.wikipedia.org/wiki/History_of_personal_computers

Those early things that tried to do it without a microprocessor CPU were a 'handful'.

-- 
Mike Easter
kibitzer, not SC admin

From qcorrell at pacNObell.net Fri Dec 26 00:53:43 2008
From: qcorrell at pacNObell.net (Q Correll)
Date: Fri Dec 26 00:55:08 2008
Subject: [Scspamcop] Re: The spam flood has stopped (and where has everyone gone?)
References:
Message-ID:

Mike,

| Those early things that tried to do it without a microprocessor CPU
| were a 'handful'.

I can attest to that. I started a company in 1964 to build what I think was the first desktop computer. All transistors, not even IC's! We had some "crooked" venture capital and it never saw the light of day of production. Just built the first prototype.

-- 
Q
12/25/2008 21:49:17
XanaNews Version 1.18.1.52 [Everyone's & Q's Mods]

From Ag2000CO at Starband.net Fri Dec 26 12:58:25 2008
From: Ag2000CO at Starband.net (LKing)
Date: Fri Dec 26 13:00:08 2008
Subject: [Scspamcop] Re: The spam flood has stopped (and where has everyone gone?)
In-Reply-To:
References:
Message-ID:

Q Correll wrote, On 12/26/2008 12:53 AM:
> Mike,
>
> | Those early things that tried to do it without a microprocessor CPU
> | were a 'handful'.
>
> I can attest to that. I started a company in 1964 to build what I think
> was the first desktop computer. All transistors, not even IC's!
> We had some "crooked" venture capital and it never saw the light of day
> of production. Just built the first prototype.
>

Wrote my first "hello world" on a discrete component computer the size of a desk. It used drum memory, 6k as I remember. It used wired in tubes and a Selectric typewriter with paper tape for I/O. The Selectric had hammers not those new fangled balls. It had its own room and air conditioner!

Royal McBee Typewriter has a new assembly plant in town and gave the computer to the college with the understanding that they got to use it on the weekends. Their guy showed up Friday after 5 and stayed until sun up Monday. He brought rolls of tape, the results from all the checkpoints on the assembly line, parts orders/deliveries and accounting. He left with boxes of paper and history tapes. == God we thought we wanted that job!

When I went back to school '70-71, to finish what I had started in '61-63, the computer sat in the corner of an unused room. It still worked, kind of. There were lots of spots on the drum memory that didn't work. As a result (it seemed) every other command was a jump to the next block of good memory.

With 6k of memory you sure learned to write tight code - remember that requirement? Even when I went back to school 79-80 size mattered. If it worked you passed. Size, elegance and documentation got you more.

From qcorrell at pacNObell.net Fri Dec 26 15:38:19 2008
From: qcorrell at pacNObell.net (Q Correll)
Date: Fri Dec 26 15:40:08 2008
Subject: [Scspamcop] Re: The spam flood has stopped (and where has everyone gone?)
References:
Message-ID:

LKing,

| With 6k of memory you sure learned to write tight code - remember
| that requirement?

Yep. Quite vividly.

I wrote a lot of code, including compilers, in 4096 KB of memory.

BTW, it was an "Electric typewriter." The "Selectric typewriter" was the typewriter with the "ball" printing element. A friend of mine still has the last Selectric typewriter I had,... and it still works!

-- 
Q
12/26/2008 12:34:33
XanaNews Version 1.18.1.52 [Everyone's & Q's Mods]

From foo at example.com Fri Dec 26 16:37:21 2008
From: foo at example.com (wariat)
Date: Fri Dec 26 16:40:09 2008
Subject: [Scspamcop] Re: Spam with MY OWN e-mail address in from field
References:
Message-ID:

Hello!

On Tue, 23 Dec 2008 13:03:39 -0500, Ellen wrote:

Thank you All!

> You can munge your email address in the "From:".

So maybe it will be best if SpamCop engine will search/replace my (reporter) e-mail address automatically also in from field. If it can do this in lines (hidden) like:

Delivered-To: x
Return-Path:
Received-SPF: neutral (google.com: 84.48.197.151 is neither permitted nor denied by domain of x) client-ip=84.48.197.151;
Authentication-Results: mx.google.com; spf=neutral (google.com: 84.48.197.151 is neither permitted nor denied by domain of x) smtp.mail=x
To:

IMO it can do same also for last one in From field. Of course spammer can add something to mail and will know who is that #@$% ^ reporter, but he has to do this. In this case, they are sending mail "from me to me" probably just because they believe that I have my own address on whitelist. So maybe it is possible to add s/$reporters_email/x/ to any TODO list of SpamCop engine.

From nobody at spamcop.net Fri Dec 26 17:35:48 2008
From: nobody at spamcop.net (N. Miller)
Date: Fri Dec 26 17:40:08 2008
Subject: [Scspamcop] Re: The spam flood has stopped (and where has everyone gone?)
References:
Message-ID: <1p7bdkm5zrr30.dlg@nobody.spamcop.net>

On Thu, 25 Dec 2008 09:02:07 -0800, Mike Easter from SpamCop wrote:

> Zootal wrote:
>> "Wazoo"
>>> I'll toss back that my first BBS was run on a
>>> Franklin 1200 (an Apple ][+ clone) using a 300-baud modem.
>> Then a friend of mine that worked
>> for Aprotek (they made modems back then) gave me a 2400 baud "sample"
>> modem, and I wondered how I was ever happy with 300 baud modems.

> All of this talk about old hardware and connectivity reminds me of my
> Atari ST days, 1200 baud modem (I don't think I remember 300) ...

I still have the old Hayes Smartmodem 300, which I attached to the serial cable interface on an HP 85 (which I also still have).

> ... and GEnie commercial BBS ...

Ah. The General Electric Network for Information Exchange. Round Tables. Nifty ASCII application. $4.95 a month (as compared with CompuServe: $9.95 a month for five hours of connect time; then $2 a minute after the five hours is up). I don't remember how many hours of GEnie that $4.95 a month bought.

-- 
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum

From Ag2000CO at Starband.net Sat Dec 27 15:16:03 2008
From: Ag2000CO at Starband.net (LKing)
Date: Sat Dec 27 15:20:08 2008
Subject: [Scspamcop] Re: The spam flood has stopped (and where has everyone gone?)
In-Reply-To:
References:
Message-ID:

Q Correll wrote, On 12/26/2008 3:38 PM:
> LKing,
>
> | With 6k of memory you sure learned to write tight code - remember
> | that requirement?
>
> Yep. Quite vividly.
>
> I wrote a lot of code, including compilers, in 4096 KB of memory.
>

Oh yes. I'm sure you too could write assembly code in hex almost as fast as in mnemonics.

> BTW, it was an "Electric typewriter." The "Selectric typewriter" was
> the typewriter with the "ball" printing element.

You are probably right.

> A friend of mine
> still has the last Selectric typewriter I had,... and it still works!
>

Somewhere in the back of the garage is my last Selectric with "electric" drive and an 8 bit serial to 6 bit parallel hardware driver for the solenoids to rotate the ball.

Of course none of this solves my current xml issues with PhotoShop. There are times when digging through someone else's mess that I long for needing to know as much about the hardware as the software.

From qcorrell at pacNObell.net Sat Dec 27 19:07:20 2008
From: qcorrell at pacNObell.net (Q Correll)
Date: Sat Dec 27 19:10:09 2008
Subject: [Scspamcop] Re: The spam flood has stopped (and where has everyone gone?)
References:
Message-ID:

LKing,

| Somewhere in the back of the garage is my last Selectric with
| "electric" drive and an 8 bit serial to 6 bit parallel hardware
| driver for the solenoids to rotate the ball.

Ah,... a man after my own heart,... a born pack-rat. ;-)

| Of course none of this solves my current xml issues with PhotoShop.
| There are times when digging through someone else's mess that I long
| for needing to know as much about the hardware as the software.

I know the feeling well.

-- 
Q
12/27/2008 16:06:06
XanaNews Version 1.18.1.52 [Everyone's & Q's Mods]

From user at domain.invalid Sat Dec 27 20:26:34 2008
From: user at domain.invalid (Farelf)
Date: Sat Dec 27 20:30:09 2008
Subject: [Scspamcop] Re: The spam flood has stopped (and where has everyone gone?)
In-Reply-To:
References:
Message-ID:

Q Correll wrote:
> LKing,
>
>
> | Of course none of this solves my current xml issues with PhotoShop.
> | There are times when digging through someone else's mess that I long
> | for needing to know as much about the hardware as the software.
>
> I know the feeling well.
>
>

For the truly nostalgic who managed to part with all that great old stuff (must be something in the air, everyone's reminiscing) - the reborn PDP-8, as 'discovered' by Steve Gibson over at the grc newsgroups - http://www.sparetimegizmos.com/Hardware/SBC6120-2.htm

From nobody at devnull.spamcop.net Sat Dec 27 21:00:21 2008
From: nobody at devnull.spamcop.net (Twayne)
Date: Sat Dec 27 21:05:09 2008
Subject: [Scspamcop] Re: The spam flood has stopped (and where has everyone gone?)
References:
Message-ID:

>> Maybe all of your spam was coming from one spamgenerating gang with
>> the same millions CD with your addy and the gang has become extinct
>> and your spam address along with it. However, it seems to me that
>> if you were getting thousands, that the address would have
>> propagated among numbers of generating systems.
>>
>
> I suspect that the domain has propagated to just about every spammer
> out there by now, I think it's been about 5 years since this initially
> happened. I never did find out what started it - one day the spam
> started pouring in. I think I'll revisit my host and see if it's
> really forwarding everything like it says it is. It just doesn't make
> sense that it would slow down like it has.

You might want to check to see if the account can send/receive. Perhaps the ISP did something to pare down some of the traffic.

From qcorrell at pacNObell.net Sun Dec 28 02:27:13 2008
From: qcorrell at pacNObell.net (Q Correll)
Date: Sun Dec 28 02:30:08 2008
Subject: [Scspamcop] Re: The spam flood has stopped (and where has everyone gone?)
References:
Message-ID:

Farelf,

| the reborn PDP-8, as 'discovered' by Steve Gibson over at the grc
| newsgroups - http://www.sparetimegizmos.com/Hardware/SBC6120-2.htm

Cool! Thanks!

-- 
Q
12/27/2008 23:26:47
XanaNews Version 1.18.1.52 [Everyone's & Q's Mods]

From newspost at deletethispart.hypercreations.com Sun Dec 28 14:12:18 2008
From: newspost at deletethispart.hypercreations.com (David Topping)
Date: Sun Dec 28 14:15:08 2008
Subject: [Scspamcop] SpamCop Forum mostly nonfunctional
Message-ID:

If the SC newsgroups and the SC help forum are both run on the same server, then this message may never see the light of day, but....

Hasn't anyone here noticed the problems with the SC Forum? I'm sure that Wazoo is trying to fix it, but the problems may be entirely due to problems with the server, rather than the forum software or database. In that case, JT needs to show up and help solve the problem. A little bird told me that Wazoo isn't feeling all that great, and also feels bad about the situation with the forum, so I hope things get better for him soon.

Peace,
DT

From Ag2000CO at Starband.net Sun Dec 28 17:08:12 2008
From: Ag2000CO at Starband.net (LKing)
Date: Sun Dec 28 17:10:08 2008
Subject: [Scspamcop] Re: SpamCop Forum mostly nonfunctional
In-Reply-To:
References:
Message-ID:

David Topping wrote, On 12/28/2008 2:12 PM:
> Hasn't anyone here noticed the problems with the SC Forum? I'm sure that
> Wazoo is trying to fix it, but the problems may be entirely due to problems
> with the server, rather than the forum software or database. In that case,
> JT needs to show up and help solve the problem. A little bird told me that
> Wazoo isn't feeling all that great, and also feels bad about the situation
> with the forum, so I hope things get better for him soon.

I got on the forum today long enough to read Wazoo's side of the story.

It _is_ the database. They did an update of MYSQL. New version loaded on top of the older version. They didn't play well with each other. Wazoo shut everything down, got some sleep, and then installed the new version from scratch, unscrambled some of the DB. When he made the post he thought he had it stabilized, new user logged in, made a post... Oh well we know that was only temporary.

The subject of his post was "What I got for christmas"

From qcorrell at pacNObell.net Sun Dec 28 19:31:33 2008
From: qcorrell at pacNObell.net (Q Correll)
Date: Sun Dec 28 19:35:09 2008
Subject: [Scspamcop] Re: SpamCop Forum mostly nonfunctional
References:
Message-ID:

LKing,

| The subject of his post was "What I got for christmas"

A snide comment might be "That's what they get for using forums anyway."
-- 
Q
12/28/2008 16:30:38
XanaNews Version 1.18.1.52 [Everyone's & Q's Mods]

From newspost at deletethispart.hypercreations.com Sun Dec 28 19:58:49 2008
From: newspost at deletethispart.hypercreations.com (David Topping)
Date: Sun Dec 28 20:00:09 2008
Subject: [Scspamcop] Re: SpamCop Forum mostly nonfunctional
References:
Message-ID:

LKing wrote in news:gj8tce$g1o$1@news.spamcop.net:

> I got on the forum today long enough to read Wazoo's side of the
> story.
> It _is_ the database. They did an update of MYSQL.

I see it now...thanks. When I posted, the forum was still not responding, but things seem a bit better now.

DT

From me at privacy.net Sun Dec 28 20:31:08 2008
From: me at privacy.net (Michael R N Dolbear)
Date: Sun Dec 28 20:35:07 2008
Subject: [Scspamcop] Re: Spam with MY OWN e-mail address in from field
References:
Message-ID: <01c96951$c529fae0$LocalHost@default>

wariat wrote in article ...
> On Tue, 23 Dec 2008 13:03:39 -0500, Ellen wrote:
> Thank you All!
>
> > You can munge your email address in the "From:".
> So maybe it will be best if SpamCop engine will search/replace my
> (reporter) e-mail address automatically also in from field. If it can do
> this in lines (hidden) like:
[...]
> IMO it can do same also for last one in From field.

It appears that SpamCop munging does what you want already - I did "preview reports" on a spam that had To: and From: the same (but in fact a different mailbox from my reporting address). The X-SpamCop lines are from the SpamCop mail service.

======= copied
for x; Sun, 28 Dec 2008 22:32:25 +0000
To:
Subject: {...}
From: [...]
X-SpamCop-Checked:
X-SpamCop-Disposition: Blocked SpamAssassin=18
X-SpamCop-Disposition: Blacklist x
=== end copy

Here is your TRACKING URL
http://www.spamcop.net/sc?id=z2484463441z95ead4664f72bd11142a02210d10c6d
az

-- 
Mike D

From newspost at deletethispart.hypercreations.com Mon Dec 29 09:09:18 2008
From: newspost at deletethispart.hypercreations.com (David Topping)
Date: Mon Dec 29 09:10:08 2008
Subject: [Scspamcop] Re: SpamCop Forum mostly nonfunctional
References:
Message-ID:

David Topping wrote in news:Xns9B82B6E2F4F36newsaddresshypercrea@216.154.195.61:

> When I posted, the forum was still not
> responding, but things seem a bit better now.

...but now, it's back to throwing database errors.

DT

From foo at example.com Mon Dec 29 09:24:23 2008
From: foo at example.com (wariat)
Date: Mon Dec 29 09:25:07 2008
Subject: [Scspamcop] Re: Spam with MY OWN e-mail address in from field
References: <01c96951$c529fae0$LocalHost@default>
Message-ID:

Hello!

On Mon, 29 Dec 2008 01:31:08 +0000, Michael R N Dolbear wrote:

> Here is your TRACKING URL
> http://www.spamcop.net/sc?id=z2484463441z95ead4664f72bd11142a02210d10c6d
> az

Error - no ID found: z2484463441z95ead4664f72bd11142a02210d10c6d

Anyway if I'm reporting mail with my own address in from/to the from address is not replaced by in report preview.

Delivered-To: x
Return-Path:
Received-SPF: neutral (google.com: 190.92.23.227 is neither permitted nor denied by domain of x) client-ip=190.92.23.227;
Authentication-Results: mx.google.com; spf=neutral (google.com: 190.92.23.227 is neither permitted nor denied by domain of x) smtp.mail=x
To:
From: <********@gmail.com>

it's a copy of report ... I've changed my email address in from only to post it here, but it exists in report.
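
[Added example, not part of any message in this thread and not SpamCop's code: one way a report generator could apply the s/$reporters_email/x/ substitution discussed above to every header line, From: included. The function names, the address reporter@example.org and the sample headers are constructed for illustration; decoding RFC 2047 encoded-words before matching is an added generalization.]

```python
import base64
import re
from email.header import decode_header


def decode_words(value):
    """Decode any RFC 2047 encoded-words in a header line to plain text."""
    text = []
    for chunk, charset in decode_header(value):
        if isinstance(chunk, bytes):
            try:
                chunk = chunk.decode(charset or 'ascii', errors='replace')
            except LookupError:  # unknown charset label
                chunk = chunk.decode('latin-1')
        text.append(chunk)
    return ''.join(text)


def munge_headers(raw_headers, reporter, placeholder='x'):
    """Replace the reporter's address in every header line.

    Returns (munged_text, names of the fields that carried the address).
    Matching is case-insensitive, and a line containing an encoded-word is
    decoded first so an address hidden inside it is still found.
    """
    pattern = re.compile(re.escape(reporter), re.IGNORECASE)
    munged, touched = [], []
    current = None
    for line in raw_headers.split('\n'):
        if line[:1] not in (' ', '\t') and ':' in line:
            current = line.split(':', 1)[0]  # a new field starts here
        if '=?' in line and '?=' in line:
            decoded = decode_words(line)
            if pattern.search(decoded):
                # Keep the folding whitespace that decoding strips.
                indent = line[:len(line) - len(line.lstrip())]
                line = indent + decoded
        line, count = pattern.subn(placeholder, line)
        if count and current not in touched:
            touched.append(current)
        munged.append(line)
    return '\n'.join(munged), touched


# Constructed sample: the reporter's own address forged into From: as well.
SAMPLE = '\n'.join([
    'Delivered-To: reporter@example.org',
    'Return-Path: <reporter@example.org>',
    'Received-SPF: neutral (mx.example.net: 192.0.2.151 is neither permitted nor',
    ' denied by domain of reporter@example.org) client-ip=192.0.2.151;',
    'To: <reporter@example.org>',
    'From: <Reporter@Example.org>',
    'Subject: constructed sample',
])

# Constructed sample: the same From: value wrapped in a base64 encoded-word.
ENCODED_FROM = ('From: =?utf-8?B?'
                + base64.b64encode(b'<reporter@example.org>').decode('ascii')
                + '?=')

if __name__ == '__main__':
    text, fields = munge_headers(SAMPLE, 'reporter@example.org')
    print(text)
    print('fields changed:', fields)
    print(munge_headers(ENCODED_FROM, 'reporter@example.org')[0])
```
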
From tmcgraw at spamcop.net Mon Dec 29 13:04:36 2008
From: tmcgraw at spamcop.net (Tim McGraw)
Date: Mon Dec 29 13:05:08 2008
Subject: [Scspamcop] Broken headers
Message-ID: <49591134.9000307@spamcop.net>

The sender has wedged something in the headers that causes sc to choke:
http://www.spamcop.net/sc?id=z2486530712z2458b81cfc1b20ee428a2a8e258d5b61z

If I add a carriage return before the line with the hyphen characters
(------=_NextPart_000_0023_2F_16F4CAAC.CB0D3176) it parses correctly:
http://mailsc.spamcop.net/sc?id=z2486537963z35d113f84b9e52c0fd4f11285c23ed24z

Although this puts the "X-SpamCop" headers in the body, it's a material change to headers that is necessary to properly parse.

I started receiving several of these every day about two weeks ago, they have the highest SA scores (36-43) and don't show a subject line on the held mail screen. They never come through any hosting, they're always sent directly to my spamcop addy so something may not be firing properly in the CES mail system to distinguish the non-header content of that "NextPart" line.

From tmcgraw at spamcop.net Mon Dec 29 15:03:58 2008
From: tmcgraw at spamcop.net (Tim McGraw)
Date: Mon Dec 29 15:05:09 2008
Subject: [Scspamcop] Re: Happy holidays?
In-Reply-To:
References:
Message-ID:

Charles wrote:
> Happy holidays? Happy? Holidays? Arg! A client sent me a holiday
> greeting. A personal greeting. To me and 140 other people listed in the
> "to" and "cc" fields. And, of course, people are replying to all.

Oh, Charles. This is the spamcop ng, not .social! We (tinw) are all aging cranks who hate spam, got lost in the move to a Web-based forum and don't have time for such frivolities. I released "happiness" in my Burning Bowl ceremony this year, at least I don't own a cell phone.

Don't believe it? Read my "pers" bio.
http://www.persuasivecopy.com

> It's a mad world out there.

Ahhhh, yes. And happy happy joy joy to you. Unless you celebrate Festivus in February.

From V at nguard.LH Mon Dec 29 17:00:40 2008
From: V at nguard.LH (VanguardLH)
Date: Mon Dec 29 17:00:09 2008
Subject: [Scspamcop] Re: Broken headers
References: <49591134.9000307@spamcop.net>
Message-ID:

Tim McGraw wrote:

> The sender has wedged something in the headers that causes sc to choke:
> http://www.spamcop.net/sc?id=z2486530712z2458b81cfc1b20ee428a2a8e258d5b61z
>
> If I add a carriage return before the line with the hyphen characters
> (------=_NextPart_000_0023_2F_16F4CAAC.CB0D3176) it parses correctly:
> http://mailsc.spamcop.net/sc?id=z2486537963z35d113f84b9e52c0fd4f11285c23ed24z
>
> Although this puts the "X-SpamCop" headers in the body, it's a material
> change to headers that is necessary to properly parse.
>
> I started receiving several of these every day about two weeks ago, they
> have the highest SA scores (36-43) and don't show a subject line on the
> held mail screen. They never come through any hosting, they're always
> sent directly to my spamcop addy so something may not be firing properly
> in the CES mail system to distinguish the non-header content of that
> "NextPart" line.

A blank line delimits the header and body sections of the message. It is missing. There are no newline characters after several of the headers, starting with the Message-ID header, and why there is no delimiter line so all lines look like they are part of the header.

You sure the e-mail actually looks like this?

When you look at the raw source of the e-mail (provided you can get at it since some e-mail clients alter it to put into their database and that's what you get to look at and not the original message), is it just one super-long line starting with Message-ID or are there actually separate lines for each of those headers?
From MikeE at ster.invalid Mon Dec 29 18:34:19 2008
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Dec 29 18:35:08 2008
Subject: [Scspamcop] Re: Broken headers
References: <49591134.9000307@spamcop.net>
Message-ID:

Tim McGraw wrote:
> The sender has wedged something in the headers that causes sc to choke:

In the past, when looking at these, we wondered whether or not the problem was with some part of spamcop mangling the headers.

www.spamcop.net/sc?id=z2486530712z2458b81cfc1b20ee428a2a8e258d5b61z
>
> If I add a carriage return before the line with the hyphen characters
> (------=_NextPart_000_0023_2F_16F4CAAC.CB0D3176) it parses correctly:
> http://mailsc.spamcop.net/sc?id=z2486537963z35d113f84b9e52c0fd4f11285c23ed
24z
>
> Although this puts the "X-SpamCop" headers in the body, it's a material
> change to headers that is necessary to properly parse.

The most logical (to me) explanation is that spamcop broke the mail.

The experimental fix (for reconstructing into normal format, not for reporting purposes) would be to 'remove' 4 header elements (in 5 lines counting one folded headerline) found in the body of the mail and replace them at the bottom of the existing headers and then to create an empty line after the last headerline before the first line of the MIME body structure, 'This is a multi-part message in MIME format.'

> something may not be firing properly
> in the CES mail system to distinguish the non-header content of that
> "NextPart" line.

I think something may not be firing properly in the ces mail system.

-- 
Mike Easter
kibitzer, not SC admin

From tmcgraw at spamcop.net Mon Dec 29 18:34:14 2008
From: tmcgraw at spamcop.net (Tim McGraw)
Date: Mon Dec 29 18:35:08 2008
Subject: [Scspamcop] Re: Broken headers
In-Reply-To:
References: <49591134.9000307@spamcop.net>
Message-ID:

VanguardLH wrote:
> You sure the e-mail actually looks like this?

Absolutely positively.

Use "View Original Message" on the first link to see how it looked when it came my way.

> When you look at the raw source of the e-mail (provided you can get at it since some e-mail clients alter it to put into their database and that's what you get to look at and not the original message)

As stated, it comes directly through the spamcop server. I suspect there's some trick being done to force it to accept the malformed SMTP.

From tmcgraw at spamcop.net Mon Dec 29 18:36:57 2008
From: tmcgraw at spamcop.net (Tim McGraw)
Date: Mon Dec 29 18:40:08 2008
Subject: [Scspamcop] Re: Broken headers
In-Reply-To:
References: <49591134.9000307@spamcop.net>
Message-ID:

Mike Easter wrote:
> I think something may not be firing properly in the ces mail system.

Bingo. Stated 5/100s of a second after my post.

From MikeE at ster.invalid Mon Dec 29 18:47:12 2008
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Dec 29 18:50:09 2008
Subject: [Scspamcop] Re: Happy holidays?
References:
Message-ID:

Tim McGraw wrote:
> at least I don't own
> a cell phone.

I have a cellphone which I turn on/use briefly several times a year while traveling.

OTOH, I like satellite radio (in rental cars) and won't rent a car without it anymore.

-- 
Mike Easter
kibitzer, not SC admin

From V at nguard.LH Mon Dec 29 19:29:21 2008
From: V at nguard.LH (VanguardLH)
Date: Mon Dec 29 19:30:08 2008
Subject: [Scspamcop] Re: Broken headers
References: <49591134.9000307@spamcop.net>
Message-ID:

Tim McGraw wrote:

> VanguardLH wrote:
>> You sure the e-mail actually looks like this?
>
> Absolutely positively.
>
> Use "View Original Message" on the first link to see how it looked when
> it came my way.
>
>> When you look at the raw source of the e-mail (provided you can get at it since some e-mail clients alter it to put into their database and that's what you get to
> look at and not the original message)
>
> As stated, it comes directly through the spamcop server. I suspect
> there's some trick being done to force it to accept the malformed SMTP.

If the Message-ID header is absent, the SMTP server will add it. However, if it already exists, the SMTP server leaves it alone. My guess is the spammer's client generated the value for the Message-ID and may have deliberately made it obstructive to spam filters (it doesn't look like a value for Message-ID that I've seen before). Could be the sender's client is screwed up because all those headers after the Message-ID are *not* added by an SMTP server. They are part of the *data* of the message when composed by the sender.

To, Cc, Bcc fields are not used from message data to route a message. The client generates an aggregate list of RCPT-TO commands that it sends to the SMTP mail server and that is followed by the DATA command containing the entire message, and that data includes the To, Cc, Bcc (if present), Date, From, Subject, and other headers that were put into the message. They aren't server headers. They are data the user's client put inside the message in a "header section" of that data. They are sent as part of the body inside the DATA command and are not used for routing the message.

So my guess is that the spammer's e-mail client is screwing up by not inserting any newlines after the Message-ID header or maybe your e-mail provider's anti-spam filter is screwing up its parsing and losing the newlines after that rather unusual string used for the Message-ID header. If the server-side anti-spam header is for a SpamCop account then it could be a parsing problem with their filter (or wherever SpamAssassin got used).
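
[Added example, not part of any message in this thread and not SpamCop's code: a check for the two defects described above, a non-header line (such as the NextPart boundary) ahead of the blank separator and header fields run together on one line, plus what Python's standard email parser does with such a message. The sample messages and every name in them are constructed.]

```python
import re
from email import message_from_string
from email.errors import MissingHeaderBodySeparatorDefect

# A header field starts with a name of printable ASCII (no space, no colon) and ':'.
FIELD = re.compile(r'^[!-9;-~]+:')
# Field names that normally begin a line; seen mid-line they point to lost newlines.
EMBEDDED = re.compile(r'\s(?:From|To|Cc|Date|Subject|MIME-Version|Content-Type):\s')

NON_HEADER = 'non-header line before the blank separator'
RUN_ON = 'several header fields on one line'

# Constructed sample: a boundary line follows the headers with no blank line,
# and two filter-added headers come after it.
BROKEN = '\n'.join([
    'Received: from unknown (192.0.2.10) by mx.example.org; Mon, 29 Dec 2008 12:00:00 -0500',
    'Message-ID: <constructed-0001@example.net>',
    'From: "Sender" <sender@example.net>',
    'To: <user@example.org>',
    'Subject: constructed sample',
    'MIME-Version: 1.0',
    'Content-Type: multipart/alternative;',
    '\tboundary="----=_NextPart_000_0001"',
    '------=_NextPart_000_0001',
    'X-SpamCop-Checked: 192.0.2.10',
    'X-SpamCop-Disposition: Blocked SpamAssassin=18',
    '',
    'This is a multi-part message in MIME format.',
    '',
    '------=_NextPart_000_0001',
    'Content-Type: text/plain',
    '',
    'body text',
    '------=_NextPart_000_0001--',
    '',
])

# Constructed sample: newlines lost after the Message-ID value.
RUN_TOGETHER = (
    'Received: from unknown (192.0.2.11) by mx.example.org; Mon, 29 Dec 2008 12:05:00 -0500\n'
    'Message-ID: <constructed-0002@example.net> From: <sender@example.net> To: <user@example.org>\n'
    '\n'
    'body\n'
)


def scan_header_block(raw):
    """List structural defects found before the first blank line.

    Returns (line_number, kind, excerpt) tuples with 1-based line numbers.
    Scanning stops at the first non-header line, because a tolerant parser
    treats everything from there on as body.
    """
    defects = []
    for number, line in enumerate(raw.replace('\r\n', '\n').split('\n'), start=1):
        if line == '':
            break  # the header/body separator
        if line[0] in ' \t' and number > 1:
            continue  # folded continuation of the previous field
        match = FIELD.match(line)
        if match is None:
            defects.append((number, NON_HEADER, line[:40]))
            break
        name = match.group(0)[:-1]
        if name.lower() != 'subject' and EMBEDDED.search(line, match.end()):
            defects.append((number, RUN_ON, line[:40]))
    return defects


def insert_separator(raw):
    """Analysis-only repair: put the blank line before the first non-header line."""
    stray = [d for d in scan_header_block(raw) if d[1] == NON_HEADER]
    if not stray:
        return raw
    lines = raw.replace('\r\n', '\n').split('\n')
    index = stray[0][0] - 1
    return '\n'.join(lines[:index] + [''] + lines[index:])


def stdlib_view(raw):
    """Top-level header names and whether the stdlib parser noted a missing separator."""
    msg = message_from_string(raw)
    missing = any(isinstance(d, MissingHeaderBodySeparatorDefect) for d in msg.defects)
    return msg.keys(), missing


if __name__ == '__main__':
    print(scan_header_block(BROKEN))
    print(scan_header_block(RUN_TOGETHER))
    print(stdlib_view(BROKEN))
    print(stdlib_view(insert_separator(BROKEN)))
```

With either the tolerant parser or the inserted blank line, the two X-SpamCop fields end up outside the top-level headers, which is the side effect noted in the first message of this thread.
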
From newspost at deletethispart.hypercreations.com Mon Dec 29 19:46:16 2008
From: newspost at deletethispart.hypercreations.com (David Topping)
Date: Mon Dec 29 19:50:09 2008
Subject: [Scspamcop] Re: SpamCop Forum mostly nonfunctional
References:
Message-ID:

I think Wazoo found and corrected the problem, because the forum is flying now....not that this is important to the ng folks, but just in case there are some other "bi" people around wondering if it was safe to go back in the water....

DT

From tmcgraw at spamcop.net Mon Dec 29 22:08:00 2008
From: tmcgraw at spamcop.net (Tim McGraw)
Date: Mon Dec 29 22:10:07 2008
Subject: [Scspamcop] Re: Happy holidays?
In-Reply-To:
References:
Message-ID:

Charles wrote:
> Tim McGraw wrote:
>> Don't believe it? Read my "pers" bio.
> Uh. You can write anything you want to - the fact of writing it doesn't
> make it more or less true!

Yabbut you wrote first!

> And, uh, is that your chest and arm?

Yes. And I'm a country singer married to Faith Hill.

From nobody at spamcop.net Mon Dec 29 22:36:37 2008
From: nobody at spamcop.net (news.spamcop.net)
Date: Mon Dec 29 22:40:07 2008
Subject: [Scspamcop] Re: Happy holidays?
In-Reply-To:
References:
Message-ID:

What does this post have to do with the topic of spam???

From nobody at devnull.spamcop.net Tue Dec 30 00:21:27 2008
From: nobody at devnull.spamcop.net (Wazoo)
Date: Tue Dec 30 00:25:10 2008
Subject: [Scspamcop] Re: Happy holidays?
References:
Message-ID:

"news.spamcop.net" wrote in message news:gjc4vh$sf1$1@news.spamcop.net...
> What does this post have to do with the topic of spam???

To yet another misconfigured newsgroup poster; take a look at the Wiki entry;

SpamCop Newsgroups
http://forum.spamcop.net/scwik/SpamCopNewsgroups

spamcop - originally the hard-core, expert level stuff, now the basic dumping ground for all.

From me at privacy.net Tue Dec 30 06:08:31 2008
From: me at privacy.net (Michael R N Dolbear)
Date: Tue Dec 30 06:10:08 2008
Subject: [Scspamcop] Re: Spam with MY OWN e-mail address in from field
References: <01c96951$c529fae0$LocalHost@default>
Message-ID: <01c969f8$925946a0$LocalHost@default>

wariat wrote in article ...
> Hello!
>
> On Mon, 29 Dec 2008 01:31:08 +0000, Michael R N Dolbear wrote:
>
> > Here is your TRACKING URL
> > http://www.spamcop.net/sc?id=z2484463441z95ead4664f72bd11142a02210d10c6d
> > az
> Error - no ID found: z2484463441z95ead4664f72bd11142a02210d10c6d

Here is your TRACKING URL -
http://www.spamcop.net/sc?id=z2484463441z95ead4664f72bd11142a02210d10c6d
az

The URL broke, it should end c6daz and you may have to reassemble it, in notepad say, before pasting it into your browser's address bar.

> Anyway if I'm reporting mail with my own address in from/to the from
> address is not replaced by in report preview.
>
> Delivered-To: x
> Return-Path:
> Received-SPF: neutral (google.com: 190.92.23.227 is neither permitted nor
> denied by domain of x) client-ip=190.92.23.227;
> Authentication-Results: mx.google.com; spf=neutral (google.com:
> 190.92.23.227 is neither permitted nor denied by domain of x) smtp.mail=x
> To:
> From: <********@gmail.com>
>
> it's a copy of report ... i've changed my email address in from only to
> post it here, but it exist in report.

The only cases I have seen like this had From: encoded.even though it didn't have any special characters with the result that SpamCop personal black/whitelist didn't work.

We need more trackers to see what works and what doesn't.

--
Mike D

From nospam at nospam.com Tue Dec 30 07:51:59 2008
From: nospam at nospam.com (Sem)
Date: Tue Dec 30 07:55:09 2008
Subject: [Scspamcop] cnc-noc.net
Message-ID:

Hi all,
in the 90% of the spam I got there is cnc-noc.net involved. Sending reports to abuse@cnc-noc.net is just a waste of time. There is any more effective way to fight?
Can we start to send reports to CEO and employee of this China's company? Any useful advice?

Thank you very much!

Sem

From tmcgraw at spamcop.net Tue Dec 30 12:06:56 2008
From: tmcgraw at spamcop.net (Tim McGraw)
Date: Tue Dec 30 12:10:08 2008
Subject: [Scspamcop] Re: Broken headers
In-Reply-To:
References: <49591134.9000307@spamcop.net>
Message-ID:

Tim McGraw wrote:
> Mike Easter wrote:
>> I think something may not be firing properly in the ces mail system.

Seven in this morning's crop, a new record for an eight-hour period. All were from open proxies and were listed on abusenet and all had RATWARE_MS_HASH in the SA scoring details. The last two had the highest SA scores w/ 47.

All but the first parse attempted to create a preview message starting from the "From:" header instead of the spamitem body where I added an extra blank line before the line "This is a multi-part message in MIME format." In the first parse, I added the extra blank line earlier.

Deputies and JT have been informed of this so I am continuing to report. Although some SA headers indicate DYNAMIC_DNS the parses remain consistent, at least at this end.

http://www.spamcop.net/sc?id=z2489270477ze14ef5ad09fa1cc548b0e2445a9ae685z
http://www.spamcop.net/sc?id=z2489279997z76bd60eaa3be97f2f37bc4466f09dedcz
http://www.spamcop.net/sc?id=z2489294771z2680449e330ce8f0af540e9d1e8b8829z
http://www.spamcop.net/sc?id=z2489300861zc7e1a70177feac5850ed91a95a31c2cez
http://www.spamcop.net/sc?id=z2489323192za96af17530cb17f24b458fab9249c512z
http://www.spamcop.net/sc?id=z2489313330z6b6688cece8bd3f2540f4f9960eba6c2z
http://www.spamcop.net/sc?id=z2489319978zc4b484753d2dd09e183c3f1697314cf8z

From qcorrell at pacNObell.net Tue Dec 30 12:30:39 2008
From: qcorrell at pacNObell.net (Q Correll)
Date: Tue Dec 30 12:35:09 2008
Subject: [Scspamcop] Re: Happy holidays?
References:
Message-ID:

news,

| What does this post have to do with the topic of spam???

It IS spam!
;-)

--
Q 12/30/2008 09:30:28 XanaNews Version 1.18.1.52 [Everyone's & Q's Mods]

From dfmanno at mail.com Tue Dec 30 13:55:37 2008
From: dfmanno at mail.com (D.F. Manno)
Date: Tue Dec 30 14:00:07 2008
Subject: [Scspamcop] Re: Happy holidays?
References:
Message-ID:

In article , Tim McGraw wrote:

> Charles wrote:
>
> > Happy holidays? Happy? Holidays? Arg! A client sent me a holiday
> > greeting. A personal greeting. To me and 140 other people listed in the
> > "to" and "cc" fields. And, of course, people are replying to all.
>
> Oh, Charles. This is the spamcop ng, not .social!

We don't use the S-word in .social.

--
D.F. Manno dfmanno@mail.com

From dfmanno at mail.com Tue Dec 30 13:57:37 2008
From: dfmanno at mail.com (D.F. Manno)
Date: Tue Dec 30 14:00:08 2008
Subject: [Scspamcop] Re: Happy holidays?
References:
Message-ID:

In article , Tim McGraw wrote:

> Charles wrote:
> > Tim McGraw wrote:
> >
> >> Don't believe it? Read my "pers" bio.
> >
> > Uh. You can write anything you want to - the fact of writing it doesn't
> > make it more or less true!
>
> Yabbut you wrote first!
>
> > And, uh, is that your chest and arm?
>
> Yes.
>
> And I'm a country singer married to Faith Hill.

And your dad was Tug McGraw.

--
D.F. Manno dfmanno@mail.com

From gezgin at spamcop.net.which.is.not.invalid Tue Dec 30 13:58:27 2008
From: gezgin at spamcop.net.which.is.not.invalid (Opinicus)
Date: Tue Dec 30 14:00:08 2008
Subject: [Scspamcop] "USER_IN_WHITELIST"?
Message-ID:

A spammed advert that just got through contains the following (edited) line:

X-Spam-Status: USER_IN_WHITELIST version=3.2.4

Which user? None of the parties associated with this message are in my White List.
--
Bob http://www.kanyak.com

From ganhedinheironainternet at dinheiro.com Tue Dec 30 14:44:18 2008
From: ganhedinheironainternet at dinheiro.com (Ganhe dinheiro na internet)
Date: Tue Dec 30 14:45:09 2008
Subject: [Scspamcop] make money on the net, fast money, money by browsing, make money on the internet, megainvestimento.com
Message-ID:

This week I came across a very interesting site. It has several e-books on a variety of interesting topics; it is also an investment site, where the amount paid comes back to us with a 300% profit.

You make a single payment of R$ 30,00 and are entitled to download more than 30 online course booklets on various topics:
- Memorization;
- Speed reading;
- Digital photography;
- Sales techniques;
- Basic VOIP course;
- Autocad 3D course;
- Many others

Besides the booklets, you will take part in a Fantastic Income-Generating Business. No groups... No monthly fees... A single column...

Because it is a single queue, every user who joins the site has a place in the queue; for every 10 shares purchased in our system, everyone listed moves down to the number before their own.

E.g.: if you join the project and your number is 51, as soon as the next 10 join you will move up to position 50. As soon as you reach position 1 in the queue you will receive R$ 130,00.

Besides this profit of more than 300%, you can earn R$ 10,00 for each friend you refer who joins the system. Think of the profits you could make, on top of the great knowledge gained from our virtual booklets.

You can get your position right now. Remember: it is first come, first served! If you leave it until tomorrow, there may be dozens of people ahead of you. If you sign up today, there may be dozens of people behind you tomorrow. Register right now!!!
http://my.opera.com/megainvestimento/blog/como-ganahr-dinheiro-na-internet-gastando-apenas-30-00-ganhei-130-em-1-semana
http://my.opera.com/megainvestimento/

Comment: I am not part of the team that devised the project; I am just a user who approved of the system and saw in it an excellent opportunity to earn a guaranteed income, and it passed the screening I do before joining any business on the net.

aJlO7(a]Wr-/^`*e'pi+

From connyank at cox.net Tue Dec 30 21:35:01 2008
From: connyank at cox.net (jg)
Date: Tue Dec 30 21:35:08 2008
Subject: [Scspamcop] Re: "USER_IN_WHITELIST"?
In-Reply-To:
References:
Message-ID:

On 12/30/2008 10:58 AM Opinicus scribbled:
> A spammed advert that just got through contains the following (edited) line:
>
>
> X-Spam-Status: USER_IN_WHITELIST version=3.2.4
>
>
> Which user? None of the parties associated with this message are in my White
> List.
>

dunno what the story is but spammers can add whatever x headers they want - don't waste your/anyone else's time by trying to figure it out - they're spammers

From connyank at cox.net Tue Dec 30 21:38:58 2008
From: connyank at cox.net (jg)
Date: Tue Dec 30 21:40:09 2008
Subject: [Scspamcop] Re: cnc-noc.net
In-Reply-To:
References:
Message-ID:

On 12/30/2008 04:51 AM Sem scribbled:
> Hi all,
> in the 90% of the spam I got there is cnc-noc.net involved. Sending reports
> to abuse@cnc-noc.net is just a waste of time.

no surprise

> There is any more effective
> way to fight? Can we start to send reports to CEO and employee of this
> China's company? Any useful advice?

no, unless you are unemployed and have nothing else to do. I know that's not useful but cnc-noc is black hat - spammer friendly. google them...

> Thank you very much!
>
> Sem
>
>

From MikeE at ster.invalid Tue Dec 30 23:11:27 2008
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Dec 30 23:15:09 2008
Subject: [Scspamcop] Re: cnc-noc.net
References:
Message-ID:

Sem wrote:
> in the 90% of the spam I got there is cnc-noc.net involved. Sending
> reports to abuse@cnc-noc.net is just a waste of time. There is any more
> effective way to fight? Can we start to send reports to CEO and
> employee of this China's company? Any useful advice?

If you give a specific example of a spam with a tracking URL, some alternative manual notifies might be suggested.

Sometimes there is some value in notifying the provider for the nameservice of the domainname, sometimes not.

In many many cases, about the only thing useful that you can do with a spam is contribute the source IP to the SCbl, while notifying any provider associated is a waste of your time and resources in determining some provider or another to notify who doesn't want to hear of it.

The only providers worth notifying are the ones who want to hear about a spam issue because they want to do something about it. It is not worth anyone's time to notify anyone who doesn't want to hear about it.

What makes you think that some exec of some Chinese company wants your notify?

--
Mike Easter kibitzer, not SC admin

From nobody at spamcop.net Tue Dec 30 23:48:53 2008
From: nobody at spamcop.net (bar0)
Date: Tue Dec 30 23:50:08 2008
Subject: [Scspamcop] Re: "USER_IN_WHITELIST"?
References:
Message-ID:

"jg" wrote in message news:gjelon$jcd$1@news.spamcop.net...
> On 12/30/2008 10:58 AM Opinicus scribbled:
>
>> A spammed advert that just got through contains the following (edited)
>> line:
>>
>>
>> X-Spam-Status: USER_IN_WHITELIST version=3.2.4
>>
>>
>> Which user? None of the parties associated with this message are in my
>> White
>> List.
>>
>
> dunno what the story is but spammers can add whatever x headers they
> want - don't waste your/anyone else's time by trying to figure it out -
> they're spammers

Who knows, perhaps spammer heard of some filtering systems that overlook blocking or filtering when:

X-USER_IN_WHITELIST ....

is found in the header.

Perhaps it was just a wistful hope, jg just gave you the best advice.

From user at domain.invalid Wed Dec 31 00:55:33 2008
From: user at domain.invalid (Farelf)
Date: Wed Dec 31 01:00:08 2008
Subject: [Scspamcop] Re: cnc-noc.net
In-Reply-To:
References:
Message-ID:

Mike Easter wrote:
...
>
> What makes you think that some exec of some Chinese company wants your
> notify?
>
>

The principal Chinese regulatory provisions are outlined here (Google translation):
http://translate.google.com.au/translate?hl=en&sl=zh-CN&u=http://news.xinhuanet.com/newmedia/2006-03/01/content_4240889.htm&sa=X&oi=translate&resnum=3&ct=result&prev=/search%3Fq%3D%25E4%25BA%2592%25E8%2581%2594%25E7%25BD%2591%25E5%25AE%2589%25E5%2585%25A8%25E4%25BF%259D%25E6%258A%25A4%25E6%258A%2580%25E6%259C%25AF%25E6%258E%25AA%25E6%2596%25BD%25E8%25A7%2584%25E5%25AE%259A%26hl%3Den%26sa%3DG
or http://snipurl.com/9aic5

Unsurprisingly this all seems to be nationally-centered and I'm sure the Chinese would take the view that most spam tracks back to a US origin in any event. That is, at best, it is by their lights 'not their problem', at worst perhaps it is actively in their national interest to let the USA smother itself in spam with just a 'little assistance' from their (sometimes) criminal providers. Criminal because, amongst other things, they clearly permit dedicated phishing domains to function for extended periods, maybe indefinitely (I haven't checked lately). Supposedly everything 'internet' there is ultimately state-controlled, not excepting the 'loyal entrepreneurs', making that an act of war in my book so I guess a late career change to diplomacy is not in my future.
There are Chinese reporting agencies identified (somewhere) in Devilwolf's topic in the forums -
http://forum.spamcop.net/forums/index.php?showtopic=9541

I am *inclined* to think efforts 'there' (in China) would be fruitless - but I guess that should be weighed against the *certainty* that no effort will produce ... no result.

From user at domain.invalid Wed Dec 31 03:29:31 2008
From: user at domain.invalid (Farelf)
Date: Wed Dec 31 03:30:08 2008
Subject: [Scspamcop] Re: We've Been Spammed...
In-Reply-To:
References:
Message-ID:

Q Correll wrote:
> From: "Make Money"
> Subject: Spiderweb System Online Money Making For You
> Date: Tue, 23 Dec 2008 11:34:36 -0500
>

And again ...

Ganhe dinheiro na internet wrote:
...

To: abuse@oi.net.br

Someone uses your network to spam our newsgroup, please take action.
Alguém usa sua rede para spam nosso newsgroup, toma por favor a ação.

**********************original message***********************
...

From foo at example.com Wed Dec 31 04:58:35 2008
From: foo at example.com (wariat)
Date: Wed Dec 31 05:00:08 2008
Subject: [Scspamcop] Re: Spam with MY OWN e-mail address in from field
References: <01c96951$c529fae0$LocalHost@default> <01c969f8$925946a0$LocalHost@default>
Message-ID:

Hello!

On Tue, 30 Dec 2008 11:08:31 +0000, Michael R N Dolbear wrote:

> The only cases I have seen like this had From: encoded.even though it
> didn't have any special characters with the result that SpamCop personal
> black/whitelist didn't work.
>
> We need more trackers to see what works and what doesn't.

I've sent you an e-mail with link to 'not working' report. Hope it will help.

From nobody at devnull.spamcop.net Wed Dec 31 10:30:05 2008
From: nobody at devnull.spamcop.net (Twayne)
Date: Wed Dec 31 10:30:08 2008
Subject: [Scspamcop] Re: "USER_IN_WHITELIST"?
References:
Message-ID:

> A spammed advert that just got through contains the following
> (edited) line:
>
> X-Spam-Status: USER_IN_WHITELIST version=3.2.4
>
>
> Which user?
> None of the parties associated with this message are in
> my White List.

Spammers will try all kinds of forgeries to get you to not report them.

Spammer Rule #1: Spammers Lie.

From me at privacy.net Wed Dec 31 11:09:21 2008
From: me at privacy.net (Michael R N Dolbear)
Date: Wed Dec 31 11:10:07 2008
Subject: [Scspamcop] Re: "USER_IN_WHITELIST"?
References:
Message-ID: <01c96ac2$4bfc5ec0$LocalHost@default>

Opinicus wrote
> A spammed advert that just got through contains the following (edited) line:
>
>
> X-Spam-Status: USER_IN_WHITELIST version=3.2.4
>
>
> Which user? None of the parties associated with this message are in my White
> List.

This "whitelist" is a local enhancement to SpamAssassin to prevent mail from spamcop ending up in 'Held', notice the negative number from SpamAssassin

Example would be a forwarded reply to a spam report and hence if the same address was used for Spam it too would get through until the report-id expires.

======
Return-Path:
X-Spam-Status: hits=-99.9 tests=TW_CQ,USER_IN_WHITELIST_TO version=3.2.4
X-SpamCop-Reply-Ids: 3739620648
In-Reply-To:
======

or a Quick Reporting status report

Return-Path:
X-Spam-Status: hits=-97.2 tests=USER_IN_WHITELIST,WEIRD_QUOTING version=3.2.4
From: SpamCop
Subject: [SpamCop] Quick reporting data
======

--
Mike D

From pssawyer at comcast.BAD.EXAMPLE.net Wed Dec 31 12:01:24 2008
From: pssawyer at comcast.BAD.EXAMPLE.net (Paul)
Date: Wed Dec 31 12:05:08 2008
Subject: [Scspamcop] Re: Happy holidays?
References:
Message-ID:

"news.spamcop.net" wrote in news:gjc4vh$sf1$1@news.spamcop.net:

> What does this post have to do with the topic of spam???

As much as you might expect from the Subject: line, and more!

--
Paul

From qcorrell at pacNObell.net Wed Dec 31 12:53:29 2008
From: qcorrell at pacNObell.net (Q Correll)
Date: Wed Dec 31 12:55:09 2008
Subject: [Scspamcop] Re: We've Been Spammed...
References:
Message-ID:

Farelf,

| And again ...

Yep. Same poster also spammed forums.talkto.net.
--
Q 12/31/2008 09:52:23 XanaNews Version 1.18.1.52 [Everyone's & Q's Mods]

From nobody at spamcop.net Wed Dec 31 13:47:01 2008
From: nobody at spamcop.net (BlueSkyzz)
Date: Wed Dec 31 13:50:08 2008
Subject: [Scspamcop] Hat Check - DSL Extreme?
Message-ID:

About the only spam I'm getting these days is coming from a dslextreme.com IP. Made several complaints to their abuse department, but they've all been ignored (and the spam continues).

I found a phone number from their whois info, but wonder whether going that route would be just as unproductive as reporting it via e-mail.

Anyone have any experience dealing with them?

From me at privacy.net Wed Dec 31 14:36:22 2008
From: me at privacy.net (Michael R N Dolbear)
Date: Wed Dec 31 14:40:09 2008
Subject: [Scspamcop] Re: Spam with MY OWN e-mail address in from field
References: <01c96951$c529fae0$LocalHost@default> <01c969f8$925946a0$LocalHost@default>
Message-ID: <01c96b7f$060ffee0$12cb403e@default>

wariat wrote in article ...
> On Tue, 30 Dec 2008 11:08:31 +0000, Michael R N Dolbear posted:
> > The only cases I have seen like this had From: encoded.even though it
> > didn't have any special characters with the result that SpamCop personal
> > black/whitelist didn't work.
> >
> > We need more trackers to see what works and what doesn't.
> I've sent you an e-mail with link to 'not working' report. Hope it will
> help.

Thanks. I have re-munged to produce a tracker that uses ele.phant@g.invalid rather than your address and shows this being munged to 'x' everywhere (even in the body) except in the From:

Here is your TRACKING URL - 19:21 31Dec08
http://www.spamcop.net/sc?id=z2492063280z5b32e02cef609c84516f1dc118143167z

--
Mike D

From nobody at spamcop.net Wed Dec 31 15:17:55 2008
From: nobody at spamcop.net (bar0)
Date: Wed Dec 31 15:20:08 2008
Subject: [Scspamcop] Re: Hat Check - DSL Extreme?
References:
Message-ID:

"BlueSkyzz" wrote in message news:gjgen6$4rt$1@news.spamcop.net...
> About the only spam I'm getting these days is coming from a dslextreme.com
> IP. Made several complaints to their abuse department, but they've all
> been ignored (and the spam continues).

You're surprised? And you need a hat check?

>
> I found a phone number from their whois info, but wonder whether going
> that route would be just as unproductive as reporting it via e-mail.

Most likely. Anyway, if they cared, they would be quite aware of the problem, without your notices.

> Anyone have any experience dealing with them?

Only receipt of spam, mostly 419's and PHISH

From nobody at spamcop.net Wed Dec 31 15:47:26 2008
From: nobody at spamcop.net (BlueSkyzz)
Date: Wed Dec 31 15:50:08 2008
Subject: [Scspamcop] Re: Hat Check - DSL Extreme?
In-Reply-To:
References:
Message-ID:

bar0 wrote:
> You're surprised? And you need a hat check?

Just wanted to know if my experience was typical of anyone else's.

> Most likely. Anyway, if they cared, they would be quite aware of the
> problem, without your notices.

How would they be aware of a spam problem if nobody reported it?

> Only receipt of spam, mostly 419's and PHISH

419s from a US-based ISP? I'm surprised, thought most of those were based overseas.

From nobody at spamcop.net Wed Dec 31 16:49:10 2008
From: nobody at spamcop.net (bar0)
Date: Wed Dec 31 16:50:08 2008
Subject: [Scspamcop] Re: Hat Check - DSL Extreme?
References:
Message-ID:

"BlueSkyzz" wrote in message news:gjglou$ogp$1@news.spamcop.net...
> How would they be aware of a spam problem if nobody reported it?

Because they would be monitoring their own networks, checking RBL's, and having a few of their own spamtraps. There are plenty of resources both free and paid to keep an ISP sufficiently well informed to nip most abuse in the bud. Requiring unpaid volunteers who get no benefit from their business to fulfill that role for them is inherently abusive.

Sort of like Walmart asking the neighbours nearby to keep their parking lot clean for them.
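Added illustration for the "USER_IN_WHITELIST" thread above, not code from SpamCop or SpamAssassin: a filter that leaves a sender-supplied X-Spam-Status in place, beside one that discards incoming X-Spam-* markup before stamping its own verdict. The message, the local score, the 5.0 threshold and the function names are constructed; the header layout follows the samples quoted in the thread.

```python
from email import message_from_string

def parse_status(value):
    """Parse 'hits=-99.9 tests=A,B version=3.2.4' into (hits, [tests])."""
    fields = dict(tok.split("=", 1) for tok in value.split() if "=" in tok)
    hits = float(fields.get("hits", "0"))
    tests = [t for t in fields.get("tests", "").split(",") if t]
    return hits, tests

def decide(msg, threshold=5.0):
    """Delivery rule keyed on the first X-Spam-Status header it finds."""
    value = msg.get("X-Spam-Status")
    if value is None:
        return "unscanned"
    hits, _ = parse_status(value)
    return "inbox" if hits < threshold else "held"

def naive_filter(raw, local_status):
    """Weak: appends the local verdict and keeps whatever markup arrived.

    The sender's header comes first, so it is the one decide() reads."""
    msg = message_from_string(raw)
    msg["X-Spam-Status"] = local_status
    return msg

def hardened_filter(raw, local_status):
    """Drops every X-Spam-* header present on arrival, then stamps the
    local verdict. Returns the message and the headers it discarded."""
    msg = message_from_string(raw)
    removed = [(k, v) for k, v in msg.items() if k.lower().startswith("x-spam-")]
    for name in {k for k, _ in removed}:
        del msg[name]                     # removes all occurrences of the field
    msg["X-Spam-Status"] = local_status
    return msg, removed

# Constructed message: the X-Spam-Status line was written by the sender.
FORGED = "\n".join([
    "Received: from unknown.example by mx.example.net; Tue, 30 Dec 2008 10:58:00 +0000",
    "X-Spam-Status: hits=-99.9 tests=USER_IN_WHITELIST version=3.2.4",
    "From: seller@unknown.example",
    "To: user@example.net",
    "Subject: advert",
    "",
    "Buy now.",
])
# Constructed verdict from the local scan.
LOCAL = "hits=17.3 tests=RATWARE_MS_HASH version=3.2.4"

if __name__ == "__main__":
    print("naive   :", decide(naive_filter(FORGED, LOCAL)))
    hardened, removed = hardened_filter(FORGED, LOCAL)
    print("hardened:", decide(hardened), "| discarded:", removed)
```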

From tmcgraw at spamcop.net Wed Dec 31 19:16:33 2008
From: tmcgraw at spamcop.net (Tim McGraw)
Date: Wed Dec 31 19:20:08 2008
Subject: [Scspamcop] Re: Broken headers
In-Reply-To:
References: <49591134.9000307@spamcop.net>
Message-ID:

Mike Easter wrote:
> Tim McGraw wrote:
>> something may not be firing properly in the CES mail system to distinguish the non-header content of that "NextPart" line.
> I think something may not be firing properly in the ces mail system.

Whatever the impediment was, these are now parsing without intervention in a manual parse but don't pass the VER sniff test.

From nobody at spamcop.net Wed Dec 31 19:31:32 2008
From: nobody at spamcop.net (BlueWave)
Date: Wed Dec 31 19:35:08 2008
Subject: [Scspamcop] Re: Hat Check - DSL Extreme?
In-Reply-To:
References:
Message-ID:

bar0 wrote:
> Because they would be monitoring their own networks, checking RBL's, and
> having a few of their own spamtraps. There are plenty of resources both free
> and paid to keep an ISP sufficiently well informed to nip most abuse in the
> bud. Requiring unpaid volunteers who get no benefit from their business to
> fulfill that role for them is inherently abusive.
>
> Sort of like Walmart asking the neighbours nearby to keep their parking lot
> clean for them.

You have a point, but since they're not a major ISP player I wouldn't be at all surprised if they didn't have the resources to do what you've suggested to patrol their own network.

From nobody at spamcop.net Wed Dec 31 20:23:08 2008
From: nobody at spamcop.net (bar0)
Date: Wed Dec 31 20:25:07 2008
Subject: [Scspamcop] Re: Hat Check - DSL Extreme?
References:
Message-ID:

"BlueWave" wrote in message news:gjh2t4$rq9$1@news.spamcop.net...
> bar0 wrote:
...
>
> You have a point, but since they're not a major ISP player I wouldn't be
> at all surprised if they didn't have the resources to do what you've
> suggested to patrol their own network.

Then they shouldn't pretend to be an ISP.
Furthermore it's not that expensive to do. What you describe is kinda like a moving company with 2 cardboard boxes, a Ford Ranger or S-10, and one driver.