From nobody at spamcop.net Sat Nov 1 00:57:01 2008
From: nobody at spamcop.net (Antispam Knight)
Date: Sat Nov 1 01:00:03 2008
Subject: [Scspamcop] Re: OT Re: header parsing errors
References: <4906F18B.8050408@spamcop.net> <49071B61.9090107@spamcop.net> <2qTXMihZv7CJFwa6@spam.filter>
Message-ID:

"vg4cysss7001" <127@[127.0.0.1]> wrote in message
news:2qTXMihZv7CJFwa6@spam.filter...
> In article , Mike Easter
> writes
> [snip]
>>Put/ Sprinkle/ your wry or standard smilies up in there wherever :-)
>>necessary :-/
>
> At primary school in UK 1950's, one boy was nick-named "Sprinkle", because
> of his artistic urination :-)
> --
> Misha
> Free on-line, off-site backups?
>

Reminds me of the story of the two men trudging through the snow, when they come upon yellow writing in the snow. One of the gents nudges the other, and asks sardonically, "Hey, that's your son's name, isn't it?", to which the other replies "Yes, but it's your daughter's handwriting!"

AK

From cputrdoc at gmail.com Sun Nov 2 15:17:02 2008
From: cputrdoc at gmail.com (Marc J. Miller)
Date: Sun Nov 2 15:20:04 2008
Subject: [Scspamcop] Re: What's the catch?
In-Reply-To:
References:
Message-ID: <490E0ABE.5050400@gmail.com>

Sometimes the angle for this kind of scam is that there are customs fees to be paid. If the scammer fronts the expense with a phony check, that can be used as evidence against them. Usually the customs fees are addressed somewhere that the scammer can cash that check. Often it's intercepted before it reaches the destination it was addressed to (relatively easy with Money Gram and Western Union) so that they can avoid giving out their true address. This can be done from anywhere in the world.

RandallW wrote:
> Spammers want one or both of these things:
>
> #1: Your money
> #2: Your personal information, so they can steal your money
>
>

From gary-sc at invalid.com Mon Nov 3 10:08:28 2008
From: gary-sc at invalid.com (Gary)
Date: Mon Nov 3 10:10:03 2008
Subject: [Scspamcop] new twist on unreportable spam
Message-ID:

Hello,

Earlier I had opened up a discussion on spam as not being reportable. As a test, I have setup a Google Mail account to check my POP3 account to see what would happen if I got some of this mal-formed mail.

The tracking URL that I reported today's spam from my POP3 account is
http://www.spamcop.net/sc?id=z2386669421z8fd318d1b9845e8082b9e74e1658f7f0z.

The tracking URL for the Google Mail version of the message is
http://www.spamcop.net/sc?id=z2386822367z57a73f2991003585a733df61231c37fdz.

The report from the Google Mail version is what I would expect.

A couple of questions:
1. Why can Spamcop parse the Google Mail version properly?
2. Please confirm that the Google Mail version does not implicate Google Mail as a spammer. I don't think that it does.

Thanks much!!

Gary

From MikeE at ster.invalid Mon Nov 3 10:47:58 2008
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Nov 3 10:50:03 2008
Subject: [Scspamcop] Re: new twist on unreportable spam
References:
Message-ID:

Gary wrote:

> The tracking URL that I reported today's spam from my POP3 account is www.spamcop.net/sc?id=z2386669421z8fd318d1b9845e8082b9e74e1658f7f0z.

That is a spam which SC refuses to parse for notify because it is deficient in header elements. There is no subject, To, from, date, or messageid. Besides the 3 Xlines, there are 6 'other' header elements besides the Received tracelines, but not the basic ones which SC 'requires' (looks for).

> The tracking URL for the Google Mail version of the message is www.spamcop.net/sc?id=z2386822367z57a73f2991003585a733df61231c37fdz.

That is a spam which SC parsed and which is not deficient in header elements.
It has all of: subject, To, from, date, messageid, + 10 Xlines and 9 other header elements besides the Received tracelines.

These 2 html spams are similar in that the payload is a b64 encoded .jpg whose name is ful.jpg and they are sourced from the same IP, but they are not identical -- separate from the difference in the header elements.

> The report from the Google Mail version is what I would expect.
>
> A couple of questions:
> 1. Why can Spamcop parse the Google Mail version properly?

Its headers are properly populated with elements which SC expects; looks for and requires. SC doesn't expect much, but the spam can't be deficient in _all_ of the headerlines that SC looks for. It needs to have at least one.

> 2. Please confirm that the Google Mail version does not implicate Google
> Mail as a spammer. I don't think that it does.

Neither the source nor spamvertiser determination implicate gmail.

--
Mike Easter
kibitzer, not SC admin

From eschrama at spamcop.net Mon Nov 3 20:41:05 2008
From: eschrama at spamcop.net (Ejo)
Date: Mon Nov 3 20:45:03 2008
Subject: [Scspamcop] No reports filed
Message-ID:

Is this a problem? All spam that I filtered and that I submit is not processed by spamcop.

From nobody at spamcop.net Mon Nov 3 21:00:49 2008
From: nobody at spamcop.net (bar0)
Date: Mon Nov 3 21:05:03 2008
Subject: [Scspamcop] Re: No reports filed
References:
Message-ID:

"Ejo" wrote in message
news:geo97d$4p8$1@news.spamcop.net...
> Is this a problem? All spam that I filtered and that I submit is not
> processed by spamcop.

So, exactly what happens after you have submitted this stuff you have filtered?

And what do you mean by filtered? Does the unfiltered stuff get processed after submission?

From eschrama at spamcop.net Tue Nov 4 01:23:12 2008
From: eschrama at spamcop.net (Ejo)
Date: Tue Nov 4 01:25:03 2008
Subject: [Scspamcop] Re: No reports filed
In-Reply-To:
References:
Message-ID:

bar0 wrote:
> "Ejo" wrote in message
> news:geo97d$4p8$1@news.spamcop.net...
>> Is this a problem? All spam that I filtered and that I submit is not
>> processed by spamcop.
>
> So, exactly what happens after you have submitted this stuff you have
> filtered?
>
> And what do you mean by filtered? Does the unfiltered stuff get processed
> after submission?
>
>

I just filter on the spamassassin score, everything beyond a score of 9 is trashed, the rest is submitted to spamcop.
It just took a while for the submitted spam to be processed, now the report history shows that it came through.

From nobody at spamcop.net Fri Nov 7 15:04:51 2008
From: nobody at spamcop.net (Bar0)
Date: Fri Nov 7 15:05:03 2008
Subject: [Scspamcop] Re: We must be doing something right...
References:
Message-ID:

"Michael Vilain" wrote in message
news:vilain-E25D2D.11350907112008@news.cesmail.net...
>I got a phishing spam announce SPAMCOP would be down for maintenance
> for the next three days and that they needed my username, password, and
> birthdate for some reason. Needless to say, I reported it:
>
> http://www.spamcop.net/sc?id=z2396896722z5ebaaa163b0e2cee1d75de77dc3ec802
> z
>
> Is there a place on the Spamcop forums where I should post this?

Well, there is NANAE in the wider usenet hierarchy, in our microcosm here it would be:
News.spamcop.spam

From Ag2000CO at Starband.net Fri Nov 7 22:06:03 2008
From: Ag2000CO at Starband.net (LKing)
Date: Fri Nov 7 22:10:03 2008
Subject: [Scspamcop] Re: We must be doing something right...
In-Reply-To:
References:
Message-ID:

Michael Vilain wrote, On 11/7/2008 2:35 PM:
>
> http://www.spamcop.net/sc?id=z2396896722z5ebaaa163b0e2cee1d75de77dc3ec802
> z
>
> Is there a place on the Spamcop forums where I should post this?
>

It would be nice if the link worked for the rest of us.

From nobody at spamcop.net Fri Nov 7 22:49:56 2008
From: nobody at spamcop.net (Steven Underwood)
Date: Fri Nov 7 22:50:03 2008
Subject: [Scspamcop] Re: We must be doing something right...
In-Reply-To:
References:
Message-ID:

"LKing" wrote in message
news:gf2vmq$sl7$1@news.spamcop.net...
> Michael Vilain wrote, On 11/7/2008 2:35 PM:
>>
>> http://www.spamcop.net/sc?id=z2396896722z5ebaaa163b0e2cee1d75de77dc3ec802
>> z
>>
>> Is there a place on the Spamcop forums where I should post this?
>>
>
> It would be nice if the link worked for the rest of us.

It was simply wrapped. Adding the z to the end works fine.

http://www.spamcop.net/sc?id=z2396896722z5ebaaa163b0e2cee1d75de77dc3ec802z

From Ag2000CO at Starband.net Sat Nov 8 09:51:14 2008
From: Ag2000CO at Starband.net (LKing)
Date: Sat Nov 8 09:55:03 2008
Subject: [Scspamcop] Re: We must be doing something right...
In-Reply-To:
References:
Message-ID:

Steven Underwood wrote, On 11/7/2008 10:49 PM:
> It was simply wrapped.

Dah, must get new glasses. thanks

From nobody at devnull.spamcop.net Sat Nov 8 18:57:58 2008
From: nobody at devnull.spamcop.net (Wazoo)
Date: Sat Nov 8 19:00:04 2008
Subject: [Scspamcop] Re: We must be doing something right...
References:
Message-ID:

"Michael Vilain" wrote in message
news:vilain-E25D2D.11350907112008@news.cesmail.net...
>I got a phishing spam announce SPAMCOP would be down for
>maintenance
> for the next three days and that they needed my username,
> password, and
> birthdate for some reason. Needless to say, I reported it:
>
> http://www.spamcop.net/sc?id=z2396896722z5ebaaa163b0e2cee1d75de77dc3ec8022z
>
> Is there a place on the Spamcop forums where I should post this?
>
> --
> DeeDee, don't press that button! DeeDee! NO! Dee...
> [I filter all Goggle Groups posts, so any reply may be
> automatically by ignored]

Entire post quoted here (with fixed URL) in order to handle a Forum post due to the use of the X-No-Archive flag by the OP.

From news0807REMOVECAPS at orrery.e4ward.com Sun Nov 9 03:24:08 2008
From: news0807REMOVECAPS at orrery.e4ward.com (Ian Smith)
Date: Sun Nov 9 03:25:04 2008
Subject: [Scspamcop] Isn't spam good!
Message-ID:

As I check my list of held mail, I sometimes notice that the spoofed return addresses contain an interesting looking domain name. Knowing that the spam didn't originate from those domains, I'm often compelled to take a look at their websites. Sometimes I find a gem...

http://thingsmygirlfriendandihavearguedabout.com/

Enjoy.

regards, Ian

From a at b.com Mon Nov 10 17:34:18 2008
From: a at b.com (a@b.com)
Date: Mon Nov 10 17:35:03 2008
Subject: [Scspamcop] Time Broken on Web Interface on SpamCop Server
Message-ID: <4918B6EA.5000308@b.com>

Hello SpamCop Users.

I write, not as anyone who knows anything about spam, but as a user who uses the copy-paste function for Spamcop Submissions via the web.

It appears that the time synchronization for spam cop *may* be off, since when I click on 'submit', the time that appears on an e-mail message back to my mailbox, as a CC user, has a timestamp of

Date: Mon, 10 Nov 2008 00:57:59 -0800

But the e-mail was received at the eastern time zone of North America, at

Mon, 10 Nov 2008 13:39:11 -0800

at the Mail server for Yahoo.com

Any Idea what would cause the change in time. The only thing I can think of, is that the web server is generating the form, but its time is incorrect.

Is there a Server admin that can check the system time?

Thanks
TerrificInTahoma

From ppearson at nowhere.invalid Wed Nov 12 12:34:14 2008
From: ppearson at nowhere.invalid (Peter Pearson)
Date: Wed Nov 12 12:35:03 2008
Subject: [Scspamcop] Score one for the good guys
Message-ID:

It appears that security blogger Brian Krebs persuaded Internet providers Hurricane Electric and (possibly) Global Crossing to pull the plug on McColo Corp of San Jose, Calif.:

http://tinyurl.com/5u7fxq
or
http://voices.washingtonpost.com/securityfix/2008/11/major_source_of_online_scams_a.html

The results appear to be impressive:

http://mailsc.spamcop.net/spamgraph.shtml?spamweek

--
To email me, substitute nowhere->spamcop, invalid->net.

From nobody at devnull.spamcop.net Thu Nov 13 16:43:58 2008
From: nobody at devnull.spamcop.net (Twayne)
Date: Thu Nov 13 16:45:03 2008
Subject: [Scspamcop] This one made me look twice ...
Message-ID:

http://www.spamcop.net/sc?id=z2407967528zcc3b7382886681944019171a8a8b66f1z

Is there any point in submitting it? There's nothing there of any use is there?

Twayne

From nobody at spamcop.net Thu Nov 13 17:06:28 2008
From: nobody at spamcop.net (Steven Underwood)
Date: Thu Nov 13 17:10:03 2008
Subject: [Scspamcop] Re: This one made me look twice ...
References:
Message-ID:

I don't fully understand your reluctance...

If reported today, reports would be sent to:

Re: 148.233.237.190 (Administrator of network where email originates)
gccips@reduno.com.mx

plus it will be added to the count for the bl.

"Twayne" wrote in message
news:gfi72t$sf5$1@news.spamcop.net...
> http://www.spamcop.net/sc?id=z2407967528zcc3b7382886681944019171a8a8b66f1z
>
> Is there any point in submitting it? There's nothing there of any use is
> there?
>
> Twayne
>
>

From user at domain.invalid Fri Nov 14 09:40:04 2008
From: user at domain.invalid (Farelf)
Date: Fri Nov 14 09:45:03 2008
Subject: [Scspamcop] Re: This one made me look twice ...
In-Reply-To:
References:
Message-ID:

Twayne wrote:
> http://www.spamcop.net/sc?id=z2407967528zcc3b7382886681944019171a8a8b66f1z
>
> Is there any point in submitting it? There's nothing there of any use
> is there?
>
> Twayne
>
>

Many of those .cn spamvertized sites resolve to fast-flux botnets, as the one in that spam does:

C:\Documents and Settings\Steve>nslookup kelb.uiith.cn
...
Non-authoritative answer:
Name: uiith.cn
Addresses: 76.186.185.3, 77.89.73.82, 78.96.28.60, 85.186.205.155
 89.134.253.142, 89.135.8.223, 121.159.164.52, 195.182.143.253
Aliases: kelb.uiith.cn

C:\Documents and Settings\Steve>

Usually there's a nominally responsible corporate citizen or two amongst the unwitting hosts (for instance Comcast, Comcast, RR, Comcast ...
but not necessarily in this case, I haven't checked). While SC will not resolve the network it will (reluctantly) resolve the top-most address on the revolving stack. I confess that in my idle moments I've been known to hit the reload button a few times until such resolution is achieved and to post the nslookup results with a covering "Your IP address is part of a fast-flux botnet" into the notes for the resultant report in the hope that the abuse handler might actually do something about tracking down the affected/infected machine, if s(he) feels like a little light diversion and what I suppose to be a modest technical challenge.

Who knows, it /could/ do some good? Or the botnets could just keep growing, eventually one of us gets to have the last uninfected machine in a sea of zombies, like that guy in Matheson's "I am legend." Sorry, got carried away there, for a minute :)

From ppearson at nowhere.invalid Fri Nov 14 11:03:57 2008
From: ppearson at nowhere.invalid (Peter Pearson)
Date: Fri Nov 14 11:05:03 2008
Subject: [Scspamcop] Re: This one made me look twice ...
References:
Message-ID:

On Thu, 13 Nov 2008 16:43:58 -0500, Twayne wrote:
> http://www.spamcop.net/sc?id=z2407967528zcc3b7382886681944019171a8a8b66f1z
>
> Is there any point in submitting it? There's nothing there of any use
> is there?

As I understand it, submitting it will help to keep the offending open proxy, 148.233.237.190, on Spamcop's block list, thereby doing a favor for all email users whose mail systems use that list.

--
To email me, substitute nowhere->spamcop, invalid->net.

From tmcgraw at spamcop.net Fri Nov 14 14:52:38 2008
From: tmcgraw at spamcop.net (Tim McGraw)
Date: Fri Nov 14 14:55:03 2008
Subject: [Scspamcop] "ISP resolved this issue sometime after Fri Nov 14 07:45:35 2008 -0800"
Message-ID:

http://www.spamcop.net/sc?id=z2408843925z2a43fe896c1a28984cf1a44f41c850d1z

AFAICT, all received headers indicate spam was sent and received since Fri Nov 14 07:45:35 2008 -0800.
Shouldn't this be reportable?

From MikeE at ster.invalid Fri Nov 14 18:07:41 2008
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Nov 14 18:10:03 2008
Subject: [Scspamcop] Re: "ISP resolved this issue sometime after Fri Nov 14 07:45:35 2008 -0800"
References:
Message-ID:

Tim McGraw wrote:
www.spamcop.net/sc?id=z2408843925z2a43fe896c1a28984cf1a44f41c850d1z
>
> AFAICT, all received headers indicate spam was sent and received since
> Fri Nov 14 07:45:35 2008 -0800. Shouldn't this be reportable?

I tend to disregard or rather reinterpret a lot of the words which occur in SC verbose in favor of my own 'vision' of what is going on.

SC's philosophy is to have a default mode of notifying a provider whereas it is my personal belief that the default mode should be to not notify. I also think that those who administer SC and its default modes are aware of some of what is wrong with a default notify mode and choose to have notify be the default because that is much of the basis between SC and the SC reporters and what reporters like about SC....

... (default notify) until ....

... any provider who doesn't want to be notified about something or other 'speaks up' and then the dominant mode becomes to not notify, and the SC reporter's feelings about notifying become considerably less important than unwanted notifying.

I say dominant because SC plays a little game with its reporters about allowing paying reporters to 'appeal' to SC about notifying and then not allowing appeals anymore and blah blah blah.

Insinuate into that model the mechanism by which a notified is able to communicate with SC about not wanting to be notified.

I've never been a provider, so I haven't seen all of the interfaces between SC and providers, but my concept of some of the interfaces are oversimplified by the concepts:

- I never want to be notified about anything, no way, no how
- I do want to be notified about /some/ things, but I don't want to be notified about a lot of other things.
- I don't want to go on record as not wanting to be notified about anything, so I will simply respond in some way that lets you know that I don't want to be notified about /this/ thing any more

SC has provided an interface, perhaps to mollify the SC reporters, that when a provider has communicated in the #3 fashion above, that SC will 'present' the issue to the reporter as if the provider _had said_ that "spam will cease" -- whereas in reality the provider said "I hear what you are saying and I don't want to hear it any more."

That may seem to be a long-winded version of what I think, but it is actually the short version.

--
Mike Easter
kibitzer, not SC admin

From nobody at spamcop.net Fri Nov 14 18:28:06 2008
From: nobody at spamcop.net (Bar0)
Date: Fri Nov 14 18:30:03 2008
Subject: [Scspamcop] Re: "ISP resolved this issue sometime after Fri Nov 14 07:45:35 2008 -0800"
References:
Message-ID:

"Mike Easter" wrote in message
news:gfl0bu$nic$1@news.spamcop.net...
> Tim McGraw wrote:
> www.spamcop.net/sc?id=z2408843925z2a43fe896c1a28984cf1a44f41c850d1z
>.....
>......
> SC has provided an interface, perhaps to mollify the SC reporters, that
> when a provider has communicated in the #3 fashion above, that SC will
> 'present' the issue to the reporter as if the provider _had said_ that
> "spam will cease" -- whereas in reality the provider said "I hear what you
> are saying and I don't want to hear it any more."
>
> That may seem to be a long-winded version of what I think, but it is
> actually the short version.

It's not the lack of notify that irks most, I suspect, It's the implication that one's spam sample is from before that time and thus will not be counted towards the blocklist, nor will any URL's be parsed and submitted (by whatever arcane process) to SCURBL.

Personally I agree about notifies, most of the heavyweights in NANAE consider SC to be an opt-out spammer because of notifies.
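
[Added example, not part of any list message and not SpamCop's code: Farelf's post in the "This one made me look twice" thread above describes a spamvertised hostname whose A records revolve across unrelated networks, with only the top-most address being resolved. The Python sketch below parses nslookup output like the one he posted and flags that pattern; the /16 grouping, the thresholds, the rotated second lookup and the example.com pool are assumptions made for the illustration.]

```python
import ipaddress
import re

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Answer as posted in Farelf's message (the resolver header is elided there too).
PAGE_LOOKUP = r"""C:\Documents and Settings\Steve>nslookup kelb.uiith.cn
...
Non-authoritative answer:
Name:    uiith.cn
Addresses:  76.186.185.3, 77.89.73.82, 78.96.28.60, 85.186.205.155
          89.134.253.142, 89.135.8.223, 121.159.164.52, 195.182.143.253
Aliases:  kelb.uiith.cn
"""

# Constructed: the same answer after one turn of the "revolving stack".
ROTATED_LOOKUP = """Non-authoritative answer:
Name:    uiith.cn
Addresses:  77.89.73.82, 78.96.28.60, 85.186.205.155, 89.134.253.142
          89.135.8.223, 121.159.164.52, 195.182.143.253, 76.186.185.3
Aliases:  kelb.uiith.cn
"""

# Constructed: an ordinary round-robin pool, documentation addresses only.
POOL_LOOKUP = """Server:  resolver.example
Address:  192.0.2.53

Non-authoritative answer:
Name:    www.example.com
Addresses:  198.51.100.10, 198.51.100.11, 198.51.100.12, 198.51.100.13
          198.51.100.14, 198.51.100.15
"""


def answer_addresses(nslookup_text):
    """A records from the answer part of Windows nslookup output, in order.

    Lines before 'Name:' are ignored: the output header carries the
    resolver's own 'Address:' line, which is not part of the answer.
    """
    addrs, in_answer = [], False
    for line in nslookup_text.splitlines():
        if line.lstrip().startswith("Name:"):
            in_answer = True
        elif in_answer:
            for token in IPV4.findall(line):
                try:
                    addrs.append(ipaddress.IPv4Address(token))
                except ValueError:
                    pass  # matched the pattern but is not a valid address
    return addrs


def flux_summary(lookups, min_addrs=5, min_net_ratio=0.8):
    """Summarise repeated lookups of one hostname.

    Heuristic (thresholds are assumptions): many A records that almost all
    sit in different /16 networks look like unrelated infected hosts, not
    like one operator's server pool.
    """
    answers = [answer_addresses(text) for text in lookups]
    seen = sorted({a for ans in answers for a in ans})
    nets = {ipaddress.ip_network(f"{a}/16", strict=False) for a in seen}
    ratio = len(nets) / len(seen) if seen else 0.0
    return {
        "addresses": [str(a) for a in seen],
        "distinct_nets": len(nets),
        "net_ratio": round(ratio, 2),
        # What a parser that only takes the first record sees on each lookup.
        "top_addresses": [str(ans[0]) for ans in answers if ans],
        "suspicious": len(seen) >= min_addrs and ratio >= min_net_ratio,
    }


if __name__ == "__main__":
    for label, lookups in (("uiith.cn", [PAGE_LOOKUP, ROTATED_LOOKUP]),
                           ("www.example.com", [POOL_LOOKUP])):
        s = flux_summary(lookups)
        print(label, "suspicious" if s["suspicious"] else "ordinary",
              f'{len(s["addresses"])} addrs in {s["distinct_nets"]} /16 nets,',
              "top:", ", ".join(s["top_addresses"]))
```
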

From MikeE at ster.invalid Fri Nov 14 19:21:59 2008
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Nov 14 19:25:03 2008
Subject: [Scspamcop] Re: "ISP resolved this issue sometime after Fri Nov 14 07:45:35 2008 -0800"
References:
Message-ID:

Mike Easter wrote:

> I say dominant because SC plays a little game with its reporters about
> allowing paying reporters to 'appeal' to SC about notifying and then not
> allowing appeals anymore and blah blah blah.

In case those remarks may be confusing or vague to those with free accounts, here are some explanatory links.

http://www.spamcop.net/fom-serve/cache/288.html A premium account gives you access to more features on SpamCop than free users. These features include: -- The option to appeal a website/URL issue in parsed spam that you find has been incorrectly reported as 'closed' or an 'innocent bystander';

http://www.spamcop.net/fom-serve/cache/262.html paying members are allowed to appeal. -When you parse a message and see that "ISP has taken action" or "ISP does not wish to receive reports", you will almost always be presented with a checkbox to appeal.

Naturally if something has (already) been appealed, then the appealing (to please notify anyway) is over.

--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Fri Nov 14 19:48:49 2008
From: nobody at devnull.spamcop.net (Twayne)
Date: Fri Nov 14 19:50:03 2008
Subject: [Scspamcop] Re: This one made me look twice ...
References:
Message-ID:

> On Thu, 13 Nov 2008 16:43:58 -0500, Twayne
> wrote:
>> http://www.spamcop.net/sc?id=z2407967528zcc3b7382886681944019171a8a8b66f1z
>>
>> Is there any point in submitting it? There's nothing there of any
>> use is there?
>
> As I understand it, submitting it will help to keep the
> offending open proxy, 148.233.237.190, on Spamcop's block
> list, thereby doing a favor for all email users whose
> mail systems use that list.

Yeah, I agree; thanks to all who responded, in fact. Occasionally I tend to overthink things and let internal facts confuse a straight forward issue. e.g. I get sidetracked too easily. I did submit it.

Twayne

From nobody at devnull.spamcop.net Fri Nov 14 19:52:06 2008
From: nobody at devnull.spamcop.net (Twayne)
Date: Fri Nov 14 19:55:03 2008
Subject: [Scspamcop] Re: "ISP resolved this issue sometime after Fri Nov 14 07:45:35 2008 -0800"
References:
Message-ID:

> Tim McGraw wrote:
> www.spamcop.net/sc?id=z2408843925z2a43fe896c1a28984cf1a44f41c850d1z
>>
>> AFAICT, all received headers indicate spam was sent and received
>> since Fri Nov 14 07:45:35 2008 -0800. Shouldn't this be reportable?
>
> I tend to disregard or rather reinterpret a lot of the words which
> occur in SC verbose in favor of my own 'vision' of what is going on.
>
> SC's philosophy is to have a default mode of notifying a provider
> whereas it is my personal belief that the default mode should be to
> not notify. I also think that those who administer SC and its
> default modes are aware of some of what is wrong with a default
> notify mode and choose to have notify be the default because that is
> much of the basis between SC and the SC reporters and what reporters
> like about SC....
>
> ... (default notify) until ....
>
> ... any provider who doesn't want to be notified about something or
> other 'speaks up' and then the dominant mode becomes to not notify,
> and the SC reporter's feelings about notifying become considerably
> less important than unwanted notifying.
>
> I say dominant because SC plays a little game with its reporters about
> allowing paying reporters to 'appeal' to SC about notifying and then
> not allowing appeals anymore and blah blah blah.
>
> Insinuate into that model the mechanism by which a notified is able to
> communicate with SC about not wanting to be notified.
>
> I've never been a provider, so I haven't seen all of the interfaces
> between SC and providers, but my concept of some of the interfaces are
> oversimplified by the concepts:
>
> - I never want to be notified about anything, no way, no how
> - I do want to be notified about /some/ things, but I don't want to be
> notified about a lot of other things.
> - I don't want to go on record as not wanting to be notified about
> anything, so I will simply respond in some way that lets you know
> that I don't want to be notified about /this/ thing any more
>
> SC has provided an interface, perhaps to mollify the SC reporters,
> that when a provider has communicated in the #3 fashion above, that
> SC will 'present' the issue to the reporter as if the provider _had
> said_ that "spam will cease" -- whereas in reality the provider said
> "I hear what you are saying and I don't want to hear it any more."
>
> That may seem to be a long-winded version of what I think, but it is
> actually the short version.

lol, I'm sure it is! The short version, I mean. But I agree with your thoughts for the most part. Good response, actually.

Twayne

From MikeE at ster.invalid Fri Nov 14 20:17:52 2008
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Nov 14 20:20:03 2008
Subject: [Scspamcop] Re: "ISP resolved this issue sometime after Fri Nov 14 07:45:35 2008 -0800"
References:
Message-ID:

Twayne wrote:

> lol, I'm sure it is! The short version, I mean. But I agree with your
> thoughts for the most part. Good response, actually.

I think you meant to/ should have/ cite(d) me, who made the statement above, and I think you (meant to/ should have) trimmed everything else which you weren't specifically replying to, eg your post would/should look like this....

Mike Easter wrote:
> That may seem to be a long-winded version of what I think, but it is
> actually the short version.

lol, I'm sure it is! The short version, I mean. But I agree with your thoughts for the most part. Good response, actually.

... instead of not attributing me, and/but instead then bottom posting on /all/ of my long reply instead of trimming everything but the last sentence/par.

--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Mon Nov 17 21:17:08 2008
From: nobody at devnull.spamcop.net (Patto)
Date: Mon Nov 17 21:20:03 2008
Subject: [Scspamcop] Re: New spammer trick
In-Reply-To:
References:
Message-ID:

Did you click on the 'Report Abuse' button at the bottom?

Larry in AZ wrote:
> Spammers using Google Docs for their payload
>
> Me\dications for less
> http://docs.google.co_/Doc?tab=revlist&docid=ddf8nh6k_0nv659vv8
>
> [URL munged to not work]
>
> Spamcop doesn't pick up abuse@google.com, so I forwarded the spam separately.

From nobody at spamcop.net Mon Nov 17 23:02:10 2008
From: nobody at spamcop.net (Trent)
Date: Mon Nov 17 23:05:04 2008
Subject: [Scspamcop] Re: New spammer trick
In-Reply-To:
References:
Message-ID:

"Patto" wrote in message
news:gft8j4$6fg$1@news.spamcop.net...
> Did you click on the 'Report Abuse' button at the bottom?
>

All that does is put them in your filter.

> Larry in AZ wrote:
>> Spammers using Google Docs for their payload
>>
>> Me\dications for less
>> http://docs.google.co_/Doc?tab=revlist&docid=ddf8nh6k_0nv659vv8
>>
>> [URL munged to not work]
>>
>> Spamcop doesn't pick up abuse@google.com, so I forwarded the spam
>> separately.

From nobody at devnull.spamcop.net Wed Nov 19 10:27:22 2008
From: nobody at devnull.spamcop.net (Twayne)
Date: Wed Nov 19 10:30:04 2008
Subject: [Scspamcop] Spam with spamcop ref
Message-ID:

HI,

Probably of no consequence; I mention it only in the event that it means anything to anyone here at SC.

The following tracker
http://www.spamcop.net/sc?id=z2413112474z3658d91fba5acecdc5dd6a5bcd3c7f39z

has as its subject line "You have 11 unread message" in it.

1. Normally I wouldn't pay any attention to it, but it's addressed to one of my e-mail addresses that has NEVER received a spam in nearly three years.
I also know the ONLY place I've used that address for in the last two months; a place I wouldn't expect to be involved with spam: Cherry keyboards at www.datacal.com, I think it was. I can't get to any sites where I can check rbl's right now but I've never seen spam as a result of them before. I used their link to go to their Cherry programmable keyboard pages where I asked a question and gave them that address to respond to. I received a response to my question late yesterday and the spam this am.

2. The previous e-mail spam submission I just checked, WAS 11 spams, and the return did have the ... "11 unread..." sentence in it.

I'm going to use spamcop for the parse, but lart it manually so I can remove that subject line, just in case it's a search method. I like to periodically pick one for special prejudice anyway; might's well make it this one.

Like I said; FWIW,

Twayne

From nobody at spamcop.net Wed Nov 19 13:41:40 2008
From: nobody at spamcop.net (Ellen)
Date: Wed Nov 19 13:45:02 2008
Subject: [Scspamcop] Re: Spam with spamcop ref
In-Reply-To:
References:
Message-ID:

Twayne wrote:
> HI,
>
> Probably of no consequence; I mention it only in the event that it means
> anything to anyone here at SC.
>
> The following tracker
> http://www.spamcop.net/sc?id=z2413112474z3658d91fba5acecdc5dd6a5bcd3c7f39z
>
> has as its subject line "You have 11 unread message" in it.
>
> 1. Normally I wouldn't pay any attention to it, but it's addressed to
> one of my e-mail addresses that has NEVER received a spam in nearly
> three years. I also know the ONLY place I've used that address for in
> the last two months; a place I wouldn't expect to be involved with spam:
> Cherry keyboards at www.datacal.com, I think it was. I can't get to any
> sites where I can check rbl's right now but I've never seen spam as a
> result of them before. I used their link to go to their Cherry
> programmable keyboard pages where I asked a question and gave them that
> address to respond to. I received a response to my question late
> yesterday and the spam this am.
>
> 2. The previous e-mail spam submission I just checked, WAS 11 spams,
> and the return did have the ... "11 unread..." sentence in it.
>
> I'm going to use spamcop for the parse, but lart it manually so I can
> remove that subject line, just in case it's a search method. I like to
> periodically pick one for special prejudice anyway; might's well make it
> this one.
>
> Like I said; FWIW,
>
> Twayne
>
>

There is an old saying -- when you hear hoofbeats think horses not zebras (or some such similar thing -- someone will be along in a minute to correct me) ...

I looked at the spam and there is nothing particularly unique or anything about it -- I have seen tons of that sort of subject line. And unless you changed the 'to" address before you submitted the spam to the parser I wouldn't be all that surprised about seeing spam to it. Just saying ....

Ellen
SpamCop

From MikeE at ster.invalid Wed Nov 19 16:25:24 2008
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Nov 19 16:30:02 2008
Subject: [Scspamcop] Re: Spam with spamcop ref
References:
Message-ID:

Ellen wrote:

> There is an old saying -- when you hear hoofbeats think horses not
> zebras (or some such similar thing -- someone will be along in a minute
> to correct me) ...

... nothing to correct, absolutely fine. Its etymology was actually a medical diagnosis aphorism (zebras, odd obscure diseases like fascinomas) tho't to be coined by Dr. Theodore Woodward, prof at the U of MD med school.

Besides that nice little contribution to our language, he did a lot of good work in typhus & typhoid and got a Nobel prize nomination for that work 60 years ago. But someone else won the prize that year.
-- 
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Wed Nov 19 19:36:53 2008
From: nobody at devnull.spamcop.net (Twayne)
Date: Wed Nov 19 19:40:03 2008
Subject: [Scspamcop] Re: Spam with spamcop ref
References:
Message-ID:

> Twayne wrote:
>> HI,
>>
>> Probably of no consequence; I mention it only in the event that it
>> means anything to anyone here at SC.
>>
>> The following tracker
>> http://www.spamcop.net/sc?id=z2413112474z3658d91fba5acecdc5dd6a5bcd3c7f39z
>>
>> has as its subject line "You have 11 unread message" in it.
>>
>> 1. Normally I wouldn't pay any attention to it, but it's addressed
>> to one of my e-mail addresses that has NEVER received a spam in
>> nearly three years. I also know the ONLY place I've used that
>> address for in the last two months; a place I wouldn't expect to be
>> involved with spam: Cherry keyboards at www.datacal.com, I think it
>> was. I can't get to any sites where I can check rbl's right now but
>> I've never seen spam as a result of them before. I used their link
>> to go to their Cherry programmable keyboard pages where I asked a
>> question and gave them that address to respond to. I received a
>> response to my question late yesterday and the spam this am.
>>
>> 2. The previous e-mail spam submission I just checked, WAS 11 spams,
>> and the return did have the ... "11 unread..." sentence in it.
>>
>> I'm going to use spamcop for the parse, but lart it manually so I can
>> remove that subject line, just in case it's a search method. I like
>> to periodically pick one for special prejudice anyway; might's well
>> make it this one.
>>
>> Like I said; FWIW,
>>
>> Twayne
>>
>>
>
>
> There is an old saying -- when you hear hoofbeats think horses not
> zebras (or some such similar thing -- someone will be along in a
> minute to correct me) ...
>
> I looked at the spam and there is nothing particularly unique or
> anything about it -- I have seen tons of that sort of subject line.
> And unless you changed the 'to' address before you submitted the spam
> to the parser I wouldn't be all that surprised about seeing spam to
> it. Just saying ....
>
>
>
> Ellen
> SpamCop

Thanks, Helen; first time I've seen that sort of subject line. Like I said, it was just an FYI.

From g.hyde at bigNOSPAMpond.net.au Thu Nov 20 17:16:41 2008
From: g.hyde at bigNOSPAMpond.net.au (Geoffrey Hyde)
Date: Thu Nov 20 17:20:03 2008
Subject: [Scspamcop] Spammers are still out there - this one gets a "F-".
Message-ID:

http://www.spamcop.net/sc?id=z2414454531z3da26b800bf74ca3121513c4c9e18b5bz

"F-" because the message the sender was trying to send was totally obliterated in all of the HTML junk that obscured the text message.

Discussions, opinions, raves, et al, here - replies to email may be ignored and/or get you reported.

Cheers ...

Geoffrey Hyde

From nobody at nowhere.not Fri Nov 21 14:39:17 2008
From: nobody at nowhere.not (Robert Blair)
Date: Fri Nov 21 14:40:03 2008
Subject: [Scspamcop] Sorry, this email is too old to file a spam report.
Message-ID:

The top receive header says from

swe-sunlandwest.com (adsl-67-122-187-217.dsl.lsan03.pacbell.net [67.122.187.217])

which to me says that "swe-sunlandwest.com" is not a normal email server. Yet spamcop chained to the next receive header as if it is a trusted server and complained that the message is too old.

Neither swe-sunlandwest.com or pacbell.net are in my "hosts" configuration.

So I think that something is wrong with spamcop parsing.

http://www.spamcop.net/sc?id=z2415256517z8a40bdad36d77e4b69eae82b2f94fc55z

-- 
Robert Blair

From MikeE at ster.invalid Fri Nov 21 15:46:40 2008
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Nov 21 15:50:03 2008
Subject: [Scspamcop] Re: Sorry, this email is too old to file a spam report.
References:
Message-ID:

Robert Blair wrote:
> The top receive header says from
>
> swe-sunlandwest.com (adsl-67-122-187-217.dsl.lsan03.pacbell.net
> [67.122.187.217])
>
> which to me says that "swe-sunlandwest.com" is not a normal email
> server. Yet spamcop chained to the next receive header as if it is a
> trusted server and complained that the message is too old.

There is in fact a mailserver at that address and (so) the helo is not (exactly) bogus.

swe-sunlandwest.com MX = mail.swe-sunlandwest.com
mail.swe-sunlandwest.com DNS 67.122.187.217
67.122.187.217 rDNS adsl-67-122-187-217.dsl.lsan03.pacbell.net

The mailserver there answers swe-sunlandwest.com very very slowly on port 25, and can be manipulated extensively, but I could not get it to relay promiscuously with the scripts at abuse.net. The mailserver also answers more promptly on port 80.

ironport/senderbase shows that server to have a pretty significant output.

> Neither swe-sunlandwest.com or pacbell.net are in my "hosts"
> configuration.
>
> So I think that something is wrong with spamcop parsing.

> www.spamcop.net/sc?id=z2415256517z8a40bdad36d77e4b69eae82b2f94fc55z

You are correct that SC trusts the IP to be a server which results in chaining further to the next line which has an old datestamp. Possibly the server is so gagged/overloaded with spam that it takes it 9 days to get it out.

I can't see a big advantage to SC chaining back to the Nigerian cybercafe IP, so maybe a deputy should untrust the server.

-- 
Mike Easter
kibitzer, not SC admin

From nobody at spamcop.net Fri Nov 21 16:27:18 2008
From: nobody at spamcop.net (Ellen)
Date: Fri Nov 21 16:30:02 2008
Subject: [Scspamcop] Re: Sorry, this email is too old to file a spam report.
In-Reply-To:
References:
Message-ID: <492727B6.9000103@spamcop.net>

Robert Blair wrote:
> The top receive header says from
>
> swe-sunlandwest.com (adsl-67-122-187-217.dsl.lsan03.pacbell.net
> [67.122.187.217])
>
> which to me says that "swe-sunlandwest.com" is not a normal email server. Yet
> spamcop chained to the next receive header as if it is a trusted server and
> complained that the message is too old.
>
> Neither swe-sunlandwest.com or pacbell.net are in my "hosts" configuration.
>
> So I think that something is wrong with spamcop parsing.
>
> http://www.spamcop.net/sc?id=z2415256517z8a40bdad36d77e4b69eae82b2f94fc55z
>
>

it's in one of your mailhosts alpha.dyndns.org (4123) ..or at least this is:

dsl.lsan03.pacbell.net

and that is why the received header is accepted ... and indeed you are the only user of that mailhost. And IP 63.200.17.147 answers on 25:

telnet 67.122.187.217 25
Trying 67.122.187.217...
Connected to 67.122.187.217.
Escape character is '^]'.
quit
220 swe-sunlandwest.com ESMTP Postfix
221 Bye
Connection closed by foreign host.
ellen@news:~$

and there is forward DNS for swe-sunlandwest.com

dig swe-sunlandwest.com

; <<>> DiG 9.2.2 <<>> swe-sunlandwest.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24291
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;swe-sunlandwest.com. IN A

;; ANSWER SECTION:
swe-sunlandwest.com. 7200 IN A 67.122.187.217

;; AUTHORITY SECTION:
swe-sunlandwest.com. 172798 IN NS ns69.worldnic.com.
swe-sunlandwest.com. 172798 IN NS ns70.worldnic.com.

The fact that the rDNS is not set to swe-sunlandwest is of interest but not definitive as to whether this is a mailserver or not.

All that said I still don't know if the bottom header is legit or forged. You and Don need to have a chat about this mailhost.
Ellen
SpamCop

From nobody at devnull.spamcop.net Fri Nov 21 17:27:21 2008
From: nobody at devnull.spamcop.net (Wazoo)
Date: Fri Nov 21 17:30:02 2008
Subject: [Scspamcop] Re: "ISP resolved this issue sometime after Fri Nov 14 07:45:35 2008 -0800"
References:
Message-ID:

"Mike Easter" wrote in message news:gfl0bu$nic$1@news.spamcop.net...
>
> ... any provider who doesn't want to be notified about something or other
> 'speaks up' and then the dominant mode becomes to not notify, and the SC
> reporter's feelings about notifying become considerably less important
> than unwanted notifying.
>
> I say dominant because SC plays a little game with its reporters about
> allowing paying reporters to 'appeal' to SC about notifying and then not
> allowing appeals anymore and blah blah blah.
>
> Insinuate into that model the mechanism by which a notified is able to
> communicate with SC about not wanting to be notified.
>
> I've never been a provider, so I haven't seen all of the interfaces
> between SC and providers, but my concept of some of the interfaces are
> oversimplified by the concepts:
>
> - I never want to be notified about anything, no way, no how
> - I do want to be notified about /some/ things, but I don't want to be
> notified about a lot of other things.
> - I don't want to go on record as not wanting to be notified about
> anything, so I will simply respond in some way that lets you know that I
> don't want to be notified about /this/ thing any more

I've tried to fill-in-the-blanks at;

ISP Abuse Report Center
http://forum.spamcop.net/scwik/ISPAbuseReportCenter

From spamcop at NSgeodosch.com Fri Nov 21 18:43:29 2008
From: spamcop at NSgeodosch.com (George Doscher)
Date: Fri Nov 21 18:45:04 2008
Subject: [Scspamcop] Spamcop mail down?
Message-ID:

For the past 20 minutes I have not been able to get into Spamcop mail. The Report Spam page works, but Webmail, Held Mail and even Mail News seems to be down.
POP3 access returns an Invalid Password message.

Webmail:
A fatal error has occurred
Could not connect to database for SQL SessionHandler.
Details have been logged for the administrator.

Held Mail:
Cannot log into IMAP mailserver as xxxxx@spamcop.net

From nobody at nowhere.not Fri Nov 21 22:55:39 2008
From: nobody at nowhere.not (Robert Blair)
Date: Fri Nov 21 23:00:03 2008
Subject: [Scspamcop] Re: Sorry, this email is too old to file a spam report.
References: <492727B6.9000103@spamcop.net>
Message-ID:

On Fri, 21 Nov 2008 21:27:18 UTC, Ellen wrote:

> it's in one of your mailhosts alpha.dyndns.org (4123) ..or at least
> this is:
>
> dsl.lsan03.pacbell.net
>
> and that is why the received header is accepted ... and indeed you are
> the only user of that mailhost. And IP 63.200.17.147 answers on 25:

That is for an email address that I had to have deleted while I was on a trip two months ago because some spammer used it as a from and I was getting several hundred bounce messages a day. I forgot it had been deleted so I did not clear the hosts information. I also had not realized that there was a pacbell.net in that email address's path.

Sorry for the misinformation. I have deleted the now unused host information.

-- 
Robert Blair

From nobody at spamcop.net Sat Nov 22 03:28:27 2008
From: nobody at spamcop.net (RandallW)
Date: Sat Nov 22 03:30:03 2008
Subject: [Scspamcop] pharm sites not resolving in parser
Message-ID:

I've been receiving pharm spam that doesn't resolve the spamvertised site ( in the parser ). Example below.

http://www.spamcop.net/sc?id=z2415693959z95803a0d5038711d07eae391feb2f8c5z

Though if I plug in the spamvertised site into an online viewer I do get some type of return, rather than a 401 error, so I think the site is alive. The result of the test is something I can't quite understand; it isn't direct like a www url.
From MikeE at ster.invalid Sat Nov 22 07:51:12 2008
From: MikeE at ster.invalid (Mike Easter)
Date: Sat Nov 22 07:55:03 2008
Subject: [Scspamcop] Re: Sorry, this email is too old to file a spam report.
References: <492727B6.9000103@spamcop.net>
Message-ID:

Robert Blair wrote:

> I have deleted the now unused host
> information.

Now you need to go to your tracker and report or cancel the report, since it isn't too old anymore, it is now live.

-- 
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Sat Nov 22 08:11:51 2008
From: MikeE at ster.invalid (Mike Easter)
Date: Sat Nov 22 08:15:03 2008
Subject: [Scspamcop] Re: pharm sites not resolving in parser
References:
Message-ID:

RandallW wrote:
> I've been receiving pharm spam that doesn't resolve the spamvertised
> site ( in the parser ). Example below.

> www.spamcop.net/sc?id=z2415693959z95803a0d5038711d07eae391feb2f8c5z

Your tracker is live.

It is very very common for the parser to not resolve spamvertised sites. Sometimes such nonresolution is temporary or episodic, sometimes it is consistent. It is also common for a human using other tools to be able to resolve such URLs. Sometimes you can use SC as a tool to resolve, but not in this case.

> Though if I plug in the spamvertised site into an online viewer I do get
> some type of return, rather than a 401 error, so I think the site is
> alive. The result of the test is something I can't quite understand; it
> isn't direct like a www url.

The link is at www.addmorelife.sg which resolves to 121.33.199.44 which is a chinanet guangdong provider. IMO it isn't appropriate to be using bandwidth or your resources or SC's resources notifying such providers and you should instead be using quickreporting on spam which contains such links.

The other link which the parser finds in the body is the one live hotmail uses to spamvertise itself which hotmail doesn't want to hear about either and has told SC.

My test did not show anything/webserver at that IP's port 80.
Initiating server query ...
Looking up IP address for domain: www.addmorelife.sg
The IP address for the domain is: 121.33.199.44
Connecting to the server on standard HTTP port: 80
No response was received from the machine and port at that IP.
The machine may be offline or the connection port may be stealthed.
Query complete.

-- 
Mike Easter
kibitzer, not SC admin

From nobody at spamcop.net Sat Nov 22 16:38:21 2008
From: nobody at spamcop.net (RandallW)
Date: Sat Nov 22 16:40:03 2008
Subject: [Scspamcop] Re: pharm sites not resolving in parser
References:
Message-ID:

"Mike Easter" wrote in message news:gg90ej$vq5$1@news.spamcop.net...

> It is very very common for the parser to not resolve spamvertised sites.
> Sometimes such nonresolution is temporary or episodic, sometimes it is
> consistent. It is also common for a human using other tools to be able to
> resolve such URLs. Sometimes you can use SC as a tool to resolve, but not
> in this case.
>
>
> --
> Mike Easter
> kibitzer, not SC admin
>

In this case it is consistency; the spamvertised site there is one of hundreds registered by some mr. spammy, and each one I have received ( maybe 50 of them ) ends up burping in the parser.

From brandonplank at gmail.com Sat Nov 22 17:44:22 2008
From: brandonplank at gmail.com (Brandon)
Date: Sat Nov 22 17:45:03 2008
Subject: [Scspamcop] Re: pharm sites not resolving in parser
In-Reply-To:
References:
Message-ID:

This issue was specific only to the .sg domains; I believe it's how they are looked up is the issue.

As for the notion that reporting them is a waste of resources... it depends on who you ask. The links are what people click on and provide personal information/funds to spammers to keep their organizations running; I'd argue they are just as important as the IP where the message was sent.

RandallW wrote:

> In this case it is consistency; the spamvertised site there is one of
> hundreds registered by some mr.
> spammy, and each one I have received ( maybe
> 50 of them ) ends up burping in the parser.
>
>

From nobody at spamcop.net Sat Nov 22 18:18:45 2008
From: nobody at spamcop.net (bar0)
Date: Sat Nov 22 18:20:03 2008
Subject: [Scspamcop] Re: pharm sites not resolving in parser
References:
Message-ID:

"Brandon" wrote in message news:gga209$3m5$1@news.spamcop.net...
> This issue was specific only to the .sg domains; I believe it's how they
> are looked up is the issue.
>
> As for the notion that reporting them is a waste of resources... it
> depends on who you ask. The links are what people click on and provide
> personal information/funds to spammers to keep their organizations
> running; I'd argue they are just as important as the IP where the message
> was sent.
>
> RandallW wrote:
>
>> In this case it is consistency; the spamvertised site there is one of
>> hundreds registered by some mr. spammy, and each one I have received (
>> maybe 50 of them ) ends up burping in the parser.

But, the providers of the hosting, at best don't care, or more likely are in bed with, or wholly owned by the spammers. Notifying them does no one any good, at best their abuse mail spool goes to /dev/null, more likely is used to generate "Millions" addresses, and plenty of worse scenarios come to mind. Spammers are not only businessmen they are also assh---s, it's why they're in this kind of business, many are not above retaliation.

From MikeE at ster.invalid Sat Nov 22 18:38:05 2008
From: MikeE at ster.invalid (Mike Easter)
Date: Sat Nov 22 18:40:03 2008
Subject: [Scspamcop] Re: pharm sites not resolving in parser
References:
Message-ID:

Brandon wrote:

> As for the notion that reporting them is a waste of resources... it
> depends on who you ask. The links are what people click on and provide
> personal information/funds to spammers to keep their organizations
> running; I'd argue they are just as important as the IP where the
> message was sent.
The debate is not whether it would be important for some exceedingly rare spamvertiser provider to take action against the spamvertiser if a spamvertiser provider were an exceedingly rare whitehat. The issue is when such reporting is more harmful than good which is generally true rather than generally untrue.

The point I'm arguing is that if the spamvertiser provider is nonresponsive or blackhat, that notifying the blackhat/ nonresponder is a waste of SC & reporter resources to -1- submit the spam in a manner which requires time-consuming oversight by the reporter -2- use lots and lots of SC resources to parse the spambody, then resources including 'tying up' the resolver with b0rken nameservice belonging to all manner of spammy nameservers, then resources to process the IP to determine or not determine some kind of useless notify address and then -3- the reporter is handing over evidence which may aid the spam generator to the very blackhat who is often profiting from the spamgeneration itself.

That is, the only spam which spamvertiser provider should be notified is the pure whitehat provider, not the blackhat, not the grey clueless hat, generally not even the 'unknown hat' -- because the whitehat is so rare that you can count on unknown hats to be clueless and unresponsive at best, blackhat at worst.

-- 
Mike Easter
kibitzer, not SC admin

From nobody at nowhere.not Sun Nov 23 01:45:38 2008
From: nobody at nowhere.not (Robert Blair)
Date: Sun Nov 23 01:50:03 2008
Subject: [Scspamcop] Re: Sorry, this email is too old to file a spam report.
References: <492727B6.9000103@spamcop.net>
Message-ID:

On Sat, 22 Nov 2008 12:51:12 UTC, "Mike Easter" wrote:

>> I have deleted the now unused host
>> information.
>
> Now you need to go to your tracker and report or cancel the report, since
> it isn't too old anymore, it is now live.

Yes, I reported that one and another one today. It also had a 12 Nov 2008 date. The IP is listed on a few block lists but not yet on spamcop.
-- 
Robert Blair

From 127 at [127.0.0.1] Sun Nov 23 01:42:01 2008
From: 127 at [127.0.0.1] (vg4cysss7001)
Date: Sun Nov 23 02:10:03 2008
Subject: [Scspamcop] Re: Spam with spamcop ref
References:
Message-ID:

In article , Twayne writes
> HI,
>
>Probably of no consequence; I mention it only in the event that it means
>anything to anyone here at SC.
>
>The following tracker
>http://www.spamcop.net/sc?id=z2413112474z3658d91fba5acecdc5dd6a5bcd3c7f39z
>
>has as its subject line "You have 11 unread message" in it.
>
>1.
[snip]
>
>2. The previous e-mail spam submission I just checked, WAS 11 spams,
>and the return did have the ... "11 unread..." sentence in it.
>

I have heard of anti-virus software - Norton, etc. - corrupting subject lines. Some kind of timing, buffering problem maybe?

I can't really see the point of running anti-virus checks on incoming and outgoing e-mail. The virus database may be updated between receipt of an e-mail and the opening of it, hence being more current. As for outgoing e-mail, if your system is clean, you would not be sending a virus - except in the case of forwarding an attachment without examining it first.

Note that my e-mail client, Turnpike, holds e-mail in an encrypted database, so there is no point in running anti-virus against it in its entirety. Only when I read an e-mail and open an attachment is the checking invoked.

-- 
Misha
Free on-line, off-site backups?

From nobody at devnull.spamcop.net Sun Nov 23 14:27:20 2008
From: nobody at devnull.spamcop.net (Twayne)
Date: Sun Nov 23 14:30:02 2008
Subject: [Scspamcop] Re: Spam with spamcop ref
References:
Message-ID:

> In article , Twayne
> writes
>> HI,
>>
>> Probably of no consequence; I mention it only in the event that it
>> means anything to anyone here at SC.
>>
>> The following tracker
>> http://www.spamcop.net/sc?id=z2413112474z3658d91fba5acecdc5dd6a5bcd3c7f39z
>>
>> has as its subject line "You have 11 unread message" in it.
>>
>> 1.
> [snip]
>>
>> 2.
>> The previous e-mail spam submission I just checked, WAS 11 spams,
>> and the return did have the ... "11 unread..." sentence in it.
>>
>
> I have heard of anti-virus software - Norton, etc. - corrupting
> subject lines. Some kind of timing, buffering problem maybe?

I've heard that OE used to be able to do that sort of thing, but it's supposedly been "fixed". Who knows? I've never heard of any mainstream AV doing it though.

>
> I can't really see the point of running anti-virus checks on
> incoming and outgoing e-mail. The virus database may be updated
> between receipt of an e-mail and the opening of it, hence being more
> current. As for outgoing e-mail, if your system is clean, you would
> not be sending a virus - except in the case of forwarding an
> attachment without examining it first.

Nope; I don't run AV on emails in or out. Way back when I had issues with AV on outgoing mails, but never an incoming. Anyway email scans are turned off. Not too sure how you got onto AV here.

>
> Note that my e-mail client, Turnpike, holds e-mail in an
> encrypted database, so there is no point in running anti-virus against
> it in its entirety. Only when I read an e-mail and open an attachment
> is the checking invoked.

Ymmv there; seems like that's about the same as ignoring the mail scans and catching it later if/when it spawns. Not sure I see what it has to do with the subject at hand. I have no problem; that was simply an FYI in case it meant anything to anyone at SC.

From mr206 at spamtrackers.eu Sun Nov 23 17:45:56 2008
From: mr206 at spamtrackers.eu (mr206)
Date: Sun Nov 23 17:50:03 2008
Subject: [Scspamcop] Re: pharm sites not resolving in parser
In-Reply-To:
References:
Message-ID:

Fair enough... but not all the IPs these sites are on are blacks or bulletproof and the same argument can be made for reporting through SpamCop at all. TTNet has the same IPs that have been used/abused for months and they do nothing to cease the spam; same can be said with CnC...
yet it's more beneficial to do quickreporting to them, than to report a spamvertized domain? I guess I can't make that distinction, because both are equally offensive and abusive to the world.

Mike Easter wrote:

> The point I'm arguing is that if the spamvertiser provider is
> nonresponsive or blackhat, that notifying the blackhat/ nonresponder is a
> waste of SC & reporter resources to -1- submit the spam in a manner which
> requires time-consuming oversight by the reporter -2- use lots and lots of
> SC resources to parse the spambody, then resources including 'tying up'
> the resolver with b0rken nameservice belonging to all manner of spammy
> nameservers, then resources to process the IP to determine or not
> determine some kind of useless notify address and then -3- the reporter is
> handing over evidence which may aid the spam generator to the very
> blackhat who is often profiting from the spamgeneration itself.
>
> That is, the only spam which spamvertiser provider should be notified is
> the pure whitehat provider, not the blackhat, not the grey clueless hat,
> generally not even the 'unknown hat' -- because the whitehat is so rare
> that you can count on unknown hats to be clueless and unresponsive at
> best, blackhat at worst.
>
>
>

From nobody at spamcop.net Mon Nov 24 02:47:42 2008
From: nobody at spamcop.net (RandallW)
Date: Mon Nov 24 02:50:02 2008
Subject: [Scspamcop] Re: pharm sites not resolving in parser
References:
Message-ID:

Just for the sake of curiosity, why are spammy's sites not resolving?

From nobody at spamcop.net Mon Nov 24 07:51:10 2008
From: nobody at spamcop.net (bar0)
Date: Mon Nov 24 07:55:03 2008
Subject: [Scspamcop] Re: pharm sites not resolving in parser
References:
Message-ID:

"RandallW" wrote in message news:ggdm64$1nm$1@news.spamcop.net...
>
> Just for the sake of curiosity, why are spammy's sites not resolving?
>

Many possible reasons,

Their DNS blackholes SC's IP's
Their DNS response is slow enough (possibly tweaked) that SC consistently gives up before it resolves.
.....

From nobody at spamcop.net Wed Nov 26 18:06:17 2008
From: nobody at spamcop.net (bar0)
Date: Wed Nov 26 18:10:02 2008
Subject: [Scspamcop] Re: New spammer trick
References:
Message-ID:

"Larry in AZ" wrote in message news:Xns9B62421E04673thefrogprince@216.154.195.61...
...
>

A new one now...
spam payloads located at spaces.live.com
wordpairs.cn redirectors to Russian/Romanian/Ukrainian "Canadian" Pharmacy sites

From nobody at spamcop.net Wed Nov 26 18:43:05 2008
From: nobody at spamcop.net (N. Miller)
Date: Wed Nov 26 18:45:04 2008
Subject: [Scspamcop] Re: New spammer trick
References:
Message-ID: <11fu35fx5rbun.dlg@nobody.spamcop.net>

On Mon, 24 Nov 2008 08:01:22 -0800, Michael Vilain from DexLabs, Inc. wrote:

> Yes, I've gotten a couple so far. Useless, IMO, to report it. Google
> doesn't do anything to such reports.

Are you sure? Doesn't Google send such reports to /dev/nul?

-- 
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum

From mr206 at spamtrackers.eu Wed Nov 26 22:35:24 2008
From: mr206 at spamtrackers.eu (mr206)
Date: Wed Nov 26 22:40:04 2008
Subject: [Scspamcop] Re: New spammer trick
In-Reply-To: <11fu35fx5rbun.dlg@nobody.spamcop.net>
References: <11fu35fx5rbun.dlg@nobody.spamcop.net>
Message-ID:

Google doesn't accept SpamCop reports, but you can manually paste the url of the spamvertized domain here to report it:

http://help.blogger.com/?page=troubleshooter.cs&contact_type=Spam

N. Miller wrote:
> On Mon, 24 Nov 2008 08:01:22 -0800, Michael Vilain from DexLabs, Inc. wrote:
>
>> Yes, I've gotten a couple so far. Useless, IMO, to report it. Google
>> doesn't do anything to such reports.
>
> Are you sure? Doesn't Google send such reports to /dev/nul?
>

From nobody at spamcop.net Fri Nov 28 00:34:07 2008
From: nobody at spamcop.net (N. Miller)
Date: Fri Nov 28 00:35:03 2008
Subject: [Scspamcop] Re: New spammer trick
References: <11fu35fx5rbun.dlg@nobody.spamcop.net>
Message-ID: <1ld039u24gsjz$.dlg@nobody.spamcop.net>

On Wed, 26 Nov 2008 19:35:24 -0800, mr206 from SpamCop wrote:

> Google doesn't accept SpamCop reports, but you can manually paste the
> url of the spamvertized domain here to report it...

'swoosh'!

-- 
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum

From blacklist-me at davjam.org Sat Nov 29 07:52:00 2008
From: blacklist-me at davjam.org (David Bolt)
Date: Sat Nov 29 08:35:03 2008
Subject: [Scspamcop] SpamCop still reports finding no abuse address when there's a - in the domain
Message-ID: <9Hpt6qIwrTMJFwo4@dev.null.davjam.org>

Just a FYI, the "e-mail address truncation" bug is still there. The last spam I reported:

shows a source address of 85.13.140.114 and, according to RIPE, the enclosing net block has an abuse address of ip@all-inkl.com. SpamCop is still truncating the addresses at the first '-' so decides it should be reported to ip@all, which of course isn't valid and so results in "nomaster@devnull.spamcop.net" address being used instead.

So, two things:

First is can a deputy add in an override so the spams do get to the correct abuse address?

Second, given that this bug appears to have existed for quite a while now, is there any indication that the supposed bug-fix is going to be rolled out and, if so, when?
Regards,
David Bolt

-- 
Team Acorn: http://www.distributed.net/ OGR-NG @ ~100Mnodes RC5-72 @ ~1Mkeys/s
SUSE 10.1 32 | | openSUSE 10.3 32b | openSUSE 11.0 32b
openSUSE 10.2 64b | openSUSE 10.3 64b | openSUSE 11.0 64b
RISC OS 3.6 | TOS 4.02 | openSUSE 10.3 PPC | RISC OS 3.11

From nobody at spamcop.net Sat Nov 29 20:21:48 2008
From: nobody at spamcop.net (bar0)
Date: Sat Nov 29 20:25:04 2008
Subject: [Scspamcop] Re: SpamCop still reports finding no abuse address when there's a - in the domain
References: <9Hpt6qIwrTMJFwo4@dev.null.davjam.org> <3053j4hv1vh9mfp036n9hi9s239bdmcn7o@4ax.com>
Message-ID:

"SpamCop Admin" wrote in message news:3053j4hv1vh9mfp036n9hi9s239bdmcn7o@4ax.com...
> David Bolt wrote:
>>-
>>-
>>-enclosing net block has an abuse address of ip@all-inkl.com. SpamCop is
>>-still truncating the addresses at the first '-' so decides it should be
>>-reported to ip@all, which of course isn't valid
>
> That isn't the problem. ip@all has been remapped to ip@all-inkl.com
> so that SpamCop will send the reports to the correct address.
>
> Unfortunately, ip@all-inkl.com is refusing our reports. I don't know
> why.

I think only one report should be ever sent to an ISP or abuse address, along with a "subscribe" option. If the abuse address doesn't bother to subscribe then all reports should be henceforth dev-nulled. If they do subscribe, but the reporting address is a free e-mail service yahoo and variants like rocketmail netscape excite, hotmail live (not free), a .cn, .kr, .br, .ru .ua or .ro address it should be likewise devnulled. in fact any ISP hosting a ROKSO, or who has in the past year should be devnulled also.
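
The symptom David Bolt reports above (ip@all-inkl.com arriving as ip@all) is what an address pattern without "-" in its domain class produces. The following is an added example, not SpamCop's code: the narrow pattern is an assumed cause, the whois fragment is constructed, and the function names are hypothetical. It shows the truncation next to a stricter pattern and a check that tells "the parser cut the address" apart from "the registry has no address".

```python
"""Added example: hyphen truncation when pulling an abuse address from whois text."""
import re

# Constructed RIPE-style fragment; only ip@all-inkl.com comes from the thread.
WHOIS = """\
role:           Constructed Abuse Role
abuse-mailbox:  ip@all-inkl.com
remarks:        complaints to ip@all-inkl.com only
"""

# Assumed cause: \w covers letters, digits and "_" but not "-", so the
# domain part of the match stops at the first hyphen.
NARROW = re.compile(r"[\w.]+@[\w.]+")

# Hostname labels may carry "-" in the middle; require at least one dot.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
STRICT = re.compile(rf"[A-Za-z0-9._%+-]+@{LABEL}(?:\.{LABEL})+")


def abuse_field(whois_text):
    """Return the value of the first abuse-mailbox attribute, or ''."""
    for line in whois_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "abuse-mailbox":
            return value.strip()
    return ""


def extract(whois_text, pattern):
    """Return (address, status); status is 'ok', 'truncated', 'no-tld' or 'none'."""
    field = abuse_field(whois_text)
    m = pattern.search(field)
    if not m:
        return None, "none"
    addr = m.group(0)
    following = field[m.end():m.end() + 1]
    if following.isalnum() or following == "-":
        # The match ended in the middle of a hostname: the pattern is at
        # fault, not the registry data, so this should be flagged for a
        # human instead of silently falling back to a devnull address.
        return addr, "truncated"
    if "." not in addr.rsplit("@", 1)[1]:
        return addr, "no-tld"
    return addr, "ok"


if __name__ == "__main__":
    print(extract(WHOIS, NARROW))
    print(extract(WHOIS, STRICT))
```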
From mr206 at spamtrackers.eu Sat Nov 29 22:30:33 2008
From: mr206 at spamtrackers.eu (mr206)
Date: Sat Nov 29 22:35:04 2008
Subject: [Scspamcop] Re: SpamCop still reports finding no abuse address when there's a - in the domain
In-Reply-To:
References: <9Hpt6qIwrTMJFwo4@dev.null.davjam.org> <3053j4hv1vh9mfp036n9hi9s239bdmcn7o@4ax.com>
Message-ID:

The problem with that is that many of the ISPs will just ignore it if they only see one instance. I don't know if you've noticed, but many upstreams of hosts and ISPs track the amount of complaints/reports they receive... if I'm Joe Q Host and I get one SC report, I may disregard it and assume it's a n00b reporter. However, if I get crapflooded with reports from various users, I will know there's an issue and I'll deal with it.

I think CNC, Kornet and others simply are overwhelmed with exploited IPs and they don't properly resolve the issues, so hackers/spammers just re-exploit those addresses.

It does, however, annoy me that certain hosts and ISPs refuse SpamCop reports.... they're streamlined and easy to read; when I see someone refuse them, I personally think their 'hat' colour is no longer white, but starting to darken.

bar0 wrote:

> I think only one report should be ever sent to an ISP or abuse address,
> along with a "subscribe" option. If the abuse address doesn't bother to
> subscribe then all reports should be henceforth dev-nulled. If they do
> subscribe, but the reporting address is a free e-mail service yahoo and
> variants like rocketmail netscape excite, hotmail live (not free), a .cn,
> .kr, .br, .ru .ua or .ro address it should be likewise devnulled. in fact
> any ISP hosting a ROKSO, or who has in the past year should be devnulled
> also.
>
>

From nobody at spamcop.net Sat Nov 29 22:55:33 2008
From: nobody at spamcop.net (bar0)
Date: Sat Nov 29 23:00:03 2008
Subject: [Scspamcop] Re: SpamCop still reports finding no abuse address when there's a - in the domain
References: <9Hpt6qIwrTMJFwo4@dev.null.davjam.org> <3053j4hv1vh9mfp036n9hi9s239bdmcn7o@4ax.com>
Message-ID:

"mr206" wrote in message news:ggt1ct$8lo$1@news.spamcop.net...
> The problem with that is that many of the ISPs will just ignore it if they
> only see one instance. I don't know if you've noticed, but many upstreams
> of hosts and ISPs track the amount of complaints/reports they receive...
> if I'm Joe Q Host and I get one SC report, I may disregard it and assume
> it's a n00b reporter. However, if I get crapflooded with reports from
> various users, I will know there's an issue and I'll deal with it.

If you or an ISP need a shiteload of SC reports to know you have a problem, then you're working on the "let the unpaid volunteers do my job" basis. A competent ISP that is concerned about its AUP and/or TOS doesn't need SC reports, nor to discover itself on a blocklist to know about abuse originating in its network. If we, spamhaus, the CBL etc. can find it so can they. One report will do fine, and they do have the option to request all of them.

>
> I think CNC, Kornet and others simply are overwhelmed with exploited IPs
> and they don't properly resolve the issues, so hackers/spammers just
> re-exploit those addresses.

Exactly, and they either are exploiting or working with the spammers or they don't care, so in either case reports are a waste of bandwidth.

>
> It does, however, annoy me that certain hosts and ISPs refuse SpamCop
> reports.... they're streamlined and easy to read; when I see someone
> refuse them, I personally think their 'hat' colour is no longer white, but
> starting to darken.

I see plenty of whitehats that don't want SC reports also, frankly though I see those very rarely.
Those are the folks that keep an eye out for abuse that might come from their webspace. Of course others like google (docs, NG's, dropboxes) you may be right about.

Please don't top post, it puts your answers out of context and forces others to roam around your post to see what you are responding to.

>
> bar0 wrote:
>
>> ....

From mr206 at spamtrackers.eu Sun Nov 30 19:07:24 2008
From: mr206 at spamtrackers.eu (mr206)
Date: Sun Nov 30 19:10:03 2008
Subject: [Scspamcop] Re: SpamCop still reports finding no abuse address when there's a - in the domain
In-Reply-To:
References: <9Hpt6qIwrTMJFwo4@dev.null.davjam.org> <3053j4hv1vh9mfp036n9hi9s239bdmcn7o@4ax.com>
Message-ID:

bar0 wrote:
>
> If you or an ISP need a shiteload of SC reports to know you have a problem,
> then you're working on the "let the unpaid volunteers do my job" basis. A
> competent ISP that is concerned about its AUP and/or TOS doesn't need SC
> reports, nor to discover itself on a blocklist to know about abuse
> originating in its network. If we, spamhaus, the CBL etc. can find it so
> can they. One report will do fine, and they do have the option to request
> all of them.

Sorry about the top posting... and thanks for letting me know. I think you put too much faith in the users, especially free users, of SpamCop. If you've ever sent yourself a 'user notification' report, you'll see the myriad of mis-routed and reported email. So, either users are sending reports they shouldn't, OR the people that respond to that page are all lying. Sure, 1 report should suffice, but if you start receiving several reports, then you know that the IP in question is actively being abused.

From william at abc.com Sun Nov 30 21:16:33 2008
From: william at abc.com (william)
Date: Sun Nov 30 21:15:03 2008
Subject: [Scspamcop] Spam list issue (we can't send email to our customer)
Message-ID:

Dear Sir,

We still received the below message from spamcop, however, our company IP (202.76.106.125) is not listed in your spam list.
Please let me know how to solve it.

Error:
Sent >>> RCPT TO:
Received <<< 554 Service unavailable; Client host [pc125.solomon-systech.com] blocked by bl.spamcop.net; 202.76.106.125

Thanks,
William
Email: williampak@solomon-systech.com