From me at privacy.net Thu Dec 3 08:48:11 2009
From: me at privacy.net (Michael R N Dolbear)
Date: Thu Dec 3 08:50:09 2009
Subject: [Scspamcop] No reports filed
Message-ID: <01ca73b2$c827b9a0$LocalHost@default>

I occasionally look at my /past reports/ and see "No reports filed" against an item quick reported many hours ago.

Sometimes these are due to "indicates Spam will stop" and similar issues but sometimes there is some kind of transient fault.

Thus I have

Submitted: Tue Dec 1 16:13:49 2009 GMT :
Regarding Your Bank Draft Of (USD$850.000.00).
No reports filed

I dragged it out of the SpamCop mail trash folder and pasted it in the reporting page and it reported fine though saying there some kind of error in the body

Here is your TRACKING URL - 00:12 03/12/09
http://www.spamcop.net/sc?id=z3548119609zfedf76be1b9a4c4ba8e83ec2f38cfafbz

I note that the email that reports on quick reporting started with a spurious error for a blank From: and Subject and then the next earlier item to the Bank Draft one

I have also had cases when the email never turned up and thus perhaps the Spam quick reporting process crashed ?

I use both "report as Spam" from SpamCop Webmail and "Quick Report" from VER

Any suggestions, ideas or countermeasures ?

-- 
Mike D

From MikeE at ster.invalid Thu Dec 3 09:12:26 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Dec 3 09:15:08 2009
Subject: [Scspamcop] Re: No reports filed
References: <01ca73b2$c827b9a0$LocalHost@default>
Message-ID:

Michael R N Dolbear wrote:

> Submitted: Tue Dec 1 16:13:49 2009 GMT :
> Regarding Your Bank Draft Of (USD$850.000.00).
> No reports filed

The tracker sez (among a lot of other things):

Reports regarding this spam have already been sent:
Re: 41.222.192.87 (Administrator of network where email originates)
Reportid: 4698239602 To: robert@isoceltelecom.com
Reportid: 4698239603 To: ferdinand@isoceltelecom.com
Re: 209.191.85.7 (Administrator interested in intermediary handling of spam)
Reportid: 4698239601 To: spamcop@mailservices.yahoo.com

It appears that reports were filed and id/ed.

> I dragged it out of the SpamCop mail trash folder and pasted it in the
> reporting page
> and it reported fine though saying there some kind of error in the body

There is a minor MIME boundary misconstruction in the body, but it doesn't really matter as there is no URL link in the body. The item is a .ng 419 - it doesn't need a link for its payload.

> I note that the email that reports on quick reporting started with a
> spurious error for a blank From: and Subject and then the next earlier
> item to the Bank Draft one

What does this sentence mean to ask?

> I have also had cases when the email never turned up and thus perhaps
> the Spam quick reporting process crashed ?

Is there a question here in this sentence?

> I use both "report as Spam" from SpamCop Webmail and "Quick Report"
> from VER

What shall I do with that information?

> Any suggestions, ideas or countermeasures ?

Regarding what?

If the question is: was or was not a report filed? ... then the person who submitted the item for which there is a tracker you posted can use the report section and access the reports. The tracker you posted does not give /me/ access to the 3 reports: Reportid/s: 4698239601-03 ... but it states that 3 reports were sent regarding the source and the intermediary handling from the source.
-- 
Mike Easter
kibitzer, not SC admin

From me at privacy.net Thu Dec 3 16:57:01 2009
From: me at privacy.net (Michael R N Dolbear)
Date: Thu Dec 3 17:00:09 2009
Subject: [Scspamcop] Re: No reports filed
References: <01ca73b2$c827b9a0$LocalHost@default>
Message-ID: <01ca7453$18b98740$LocalHost@default>

Mike Easter wrote

> Michael R N Dolbear wrote:
>
> > Submitted: Tue Dec 1 16:13:49 2009 GMT :
> > Regarding Your Bank Draft Of (USD$850.000.00).
> > No reports filed
>
> The tracker sez (among a lot of other things):
>
> Reports regarding this spam have already been sent:
> Re: 41.222.192.87 (Administrator of network where email originates)
> Reportid: 4698239602 To: robert@isoceltelecom.com
> Reportid: 4698239603 To: ferdinand@isoceltelecom.com
> Re: 209.191.85.7 (Administrator interested in intermediary handling of
> spam)
> Reportid: 4698239601 To: spamcop@mailservices.yahoo.com
>
> It appears that reports were filed and id/ed.

see below

> > I dragged it out of the SpamCop mail trash folder and pasted it in the
> > reporting page
> > and it reported fine though saying there some kind of error in the
> body

The tracker was produced from pasting the Spam after I noticed the "No reports filed" in /Past Reports/

> There is a minor MIME boundary misconstruction in the body, but it
> doesn't really matter as there is no URL link in the body. The item is
> a .ng 419 - it doesn't need a link for its payload.

Thanks

> > I note that the email that reports on quick reporting started with a
> > spurious error for a blank From: and Subject and then the next earlier
> > item to the Bank Draft one
>
> What does this sentence mean to ask?

It provides info relating to the /No reports filed/ report. The questions would be "Has anyone seen anything like this before?" and "Has anyone got a suggestion as how it came about?".

> > I have also had cases when the email never turned up and thus perhaps
> > the Spam quick reporting process crashed ?
>
> Is there a question here in this sentence?

The question would be "Has anyone seen anything like this before ?" and "Has anyone got a suggestion as how this came about ?" and "Has the Spam quick reporting process ever been observed to crash ?" and "Does anyone know of a reason why email reports on Spam quick reporting were lost?"

> > I use both "report as Spam" from SpamCop Webmail and "Quick Report"
> > from VER
>
> What shall I do with that information?

Since there are two interfaces to Quick Reporting I provide that data. (I have been dinged in the past for not providing information.) If results from others can associate the problem with one interface only then it will have served a purpose.

> > Any suggestions, ideas or countermeasures ?
>
> Regarding what?

Anything relating to /No reports filed/

> If the question is: was or was not a report filed?

Until I resubmitted I assume it wasn't and that /No reports filed/ was true.

Thanks for your input.

-- 
Mike D

From nobody at spamcop.net Thu Dec 10 16:47:34 2009
From: nobody at spamcop.net (Twayne)
Date: Thu Dec 10 16:50:08 2009
Subject: [Scspamcop] Re: VISA Phish
References:
Message-ID:

In news:tuntg5t7vk72ehe9amjonh9l8p9av78vfg@4ax.com,
DevilsPGD typed:
> In message "Geoffrey Hyde"
> was claimed to have wrote:
>
>>
>> "Paul" wrote in message
>> news:Xns9CCE854A03A7ESenex@216.154.195.61...
>>> My VISA provider seems to want people to learn to be phished. They
>>> sent me a warning, complete with the "click here to ..." link.
>>> Lower down, it said something like "If you think this is possibly a
>>> fake, click here."
...
>
> No. He's saying his credit card provider sent a legitimate email with
> various hallmarks of phishers, training users by encouraging bad
> behaviour.
>
> Amex is similar, you get emails that sometimes pass DKIM/SPF,
> sometimes not.
> You get instructed to click links and provide your
> username/password for more information, and to make it better, the
> links look like this:
>
> www.americanexpress.com
>
> (and yes, the emails are legit transactional emails that I both
> requested and want)

Same here. However even though I've asked for the mails, I still don't click anything in them or use them for anything but an alert, just in case.

I use it as sort of an alert to changes I might not otherwise be aware of. Then I go to the actual cc site using my own URLs and accesses and look for the same information. So far, when I suspected the mail was legit, it always has been. So far it's been pretty easy to tell. It means I DO download those e-mails though, so ... whether that's an exposure or not I'm not sure. If I saw a line like the VISA sample the OP noted though, it'd automatically go for reporting.

I still say, never ever click or use anything in any critical e-mails where identity or financials etc. are concerned.

It occurs to me to wonder if that wasn't actually a phishing mail from other than Visa, talking about a legit change Visa made, just to get people to click in it. Going to the cc site and verifying the e-mail's content actually exists does not say that the e-mails isn't a phish, even if the bank did issue a similar email. I'm probably not making sense, but something just doesn't smell right. I think I'd be changing passwords if that were me, something that should be done periodically anyway.
HTH,
Twayne`

From DeathToSpam at crazyhat.net Sat Dec 12 16:36:37 2009
From: DeathToSpam at crazyhat.net (DevilsPGD)
Date: Sat Dec 12 16:40:08 2009
Subject: [Scspamcop] Re: VISA Phish
References:
Message-ID: <3e08i5h45nk3j0b0sgan7div286lotsini@4ax.com>

In message "Twayne" was claimed to have wrote:

>In news:tuntg5t7vk72ehe9amjonh9l8p9av78vfg@4ax.com,
>DevilsPGD typed:
>> In message "Geoffrey Hyde"
>> was claimed to have wrote:
>>
>>>
>>> "Paul" wrote in message
>>> news:Xns9CCE854A03A7ESenex@216.154.195.61...
>>>> My VISA provider seems to want people to learn to be phished. They
>>>> sent me a warning, complete with the "click here to ..." link.
>>>> Lower down, it said something like "If you think this is possibly a
>>>> fake, click here."
>...
>>
>> No. He's saying his credit card provider sent a legitimate email with
>> various hallmarks of phishers, training users by encouraging bad
>> behaviour.
>>
>> Amex is similar, you get emails that sometimes pass DKIM/SPF,
>> sometimes not. You get instructed to click links and provide your
>> username/password for more information, and to make it better, the
>> links look like this:
>>
>> www.americanexpress.com
>>
>> (and yes, the emails are legit transactional emails that I both
>> requested and want)
>
>Same here. However even though I've asked for the mails, I still don't
>click anything in them or use them for anything but an alert, just in case.

That's my point -- Amex's marketing is putting effort into training users to trust links, so despite best practices employed by those who know and care, having average end users trained to click on links in mail that may or may not be legitimate just isn't helpful.
From user at domain.invalid Sat Dec 12 21:54:09 2009
From: user at domain.invalid (Farelf)
Date: Sat Dec 12 21:55:08 2009
Subject: [Scspamcop] Re: VISA Phish
In-Reply-To: <3e08i5h45nk3j0b0sgan7div286lotsini@4ax.com>
References: <3e08i5h45nk3j0b0sgan7div286lotsini@4ax.com>
Message-ID:

DevilsPGD wrote:
>
> That's my point -- Amex's marketing is putting effort into training
> users to trust links, so despite best practices employed by those who
> know and care, having average end users trained to click on links in
> mail that may or may not be legitimate just isn't helpful.

Agree completely. Yet, the world changes. ISP filtering becomes ever more pervasive (and, perhaps, even more effective). I dare say the average uncomprehending denizen of the internet would never see a phish (or straight spam) these days. Only us 'anti-spam fanatics' and, evidently, some others. Seems a helluva way to run things to me - to simply live with 86% (according to IronPort) 'noise' in the initial delivery hops, then just quietly filter it out and sweep it under the rug. That's a -16dB 'SNR' as I mentioned in another venue. Such inefficiency - and still enough suckers around to make it worth trying for the phishers.

Somebody should have raised it at Copenhagen.
How many megawatts are wasted? There are 'carbon emission' estimates out there, somewhere. Dubious science and of declining relevance to the greater majority if they never see the spam, but still ....

From MikeE at ster.invalid Sun Dec 13 00:32:27 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Dec 13 00:35:09 2009
Subject: [Scspamcop] Re: VISA Phish
References: <3e08i5h45nk3j0b0sgan7div286lotsini@4ax.com>
Message-ID:

Farelf wrote:

> Seems a helluva way to run things to me - to
> simply live with 86% (according to IronPort) 'noise' in the initial
> delivery hops, then just quietly filter it out and sweep it under the
> rug. That's a -16dB 'SNR' as I mentioned in another venue.

The providers 'don't mind' spamfiltering.
The providers 'can't abide' securing (what does that concept really mean operationally?) their own propagating IPs. Those providers refuse to take responsibility for curtailing spamsourcing even tho' a lot of the majors agreed with each other years ago that they would. Liar liar pants on fire.

OTOH, the US is no longer the largest spamsource; so that is something.

-- 
Mike Easter
kibitzer, not SC admin

From avoozl at spamcop.net Sun Dec 13 01:06:19 2009
From: avoozl at spamcop.net (Chris Willoughby)
Date: Sun Dec 13 01:10:08 2009
Subject: [Scspamcop] Re: VISA Phish
References: <3e08i5h45nk3j0b0sgan7div286lotsini@4ax.com>
Message-ID:

"Mike Easter" wrote in message news:hg1u97$1s4$1@news.spamcop.net...
> OTOH, the US is no longer the largest spamsource; so that is something.
>
>
> --
> Mike Easter
> kibitzer, not SC admin
>

Who is?

From MikeE at ster.invalid Sun Dec 13 01:17:15 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Dec 13 01:20:07 2009
Subject: [Scspamcop] Re: VISA Phish
References: <3e08i5h45nk3j0b0sgan7div286lotsini@4ax.com>
Message-ID:

Chris Willoughby wrote:
> "Mike Easter"

>> OTOH, the US is no longer the largest spamsource; so that is
>> something.

> Who is?

Brazil.

Recent article in Forbes reporting Cisco data: http://snipr.com/tnven
According to a report released Tuesday from the security division of Cisco Brazil was responsible for 7.7 trillion spam e-mail messages in the year through November, nearly triple its spam output in 2008. That puts it well ahead of the U.S., which sent 6.6 trillion spam messages in the same period this year, down from 8.3 trillion in 2008.

-- 
Mike Easter
kibitzer, not SC admin

From not at home.today Sun Dec 13 04:57:11 2009
From: not at home.today (Ant)
Date: Sun Dec 13 05:00:08 2009
Subject: [Scspamcop] Re: VISA Phish
References: <3e08i5h45nk3j0b0sgan7div286lotsini@4ax.com>
Message-ID:

"Farelf" wrote:

> Somebody should have raised it at Copenhagen.
> How many megawatts are wasted?
> There are 'carbon emission' estimates
> out there, somewhere.

More bandwidth is wasted by streaming media - youtube, internet radio/TV and the like. Computers used to be for computing, now they're mostly entertainment devices.

From g.hyde at bigNOSPAMpond.net.au Sun Dec 13 07:29:43 2009
From: g.hyde at bigNOSPAMpond.net.au (Geoffrey Hyde)
Date: Sun Dec 13 07:30:09 2009
Subject: [Scspamcop] Re: VISA Phish
References: <3e08i5h45nk3j0b0sgan7div286lotsini@4ax.com>
Message-ID:

"Ant" wrote in message news:hg2dr6$7ek$1@news.spamcop.net...
> "Farelf" wrote:
>
>> Somebody should have raised it at Copenhagen.
>> How many megawatts are wasted? There are 'carbon emission' estimates
>> out there, somewhere.
>
> More bandwidth is wasted by streaming media - youtube, internet radio/TV
> and the like. Computers used to be for computing, now they're mostly
> entertainment devices.

I look forward to the day when young kids ask "mister, what's an email address?"

One of these days, someone is going to come up with something that makes email (at least as we know it today) unnecessary and obsolete. There are already lots of alternative communication channels out there, someday email will become obsolete. Only then will many spammers cold dead hands be pried off it.

Cheers ... Geoffrey Hyde

From gezgin at spamcop.net.which.is.not.invalid Sun Dec 13 10:02:46 2009
From: gezgin at spamcop.net.which.is.not.invalid (Gezgin)
Date: Sun Dec 13 10:05:07 2009
Subject: [Scspamcop] more of the 0 remaining
Message-ID:

...is what happens when you have exactly one hundred held emails.

http://www.kanyak.com/stash/spamcop_more_of_the_0_remaining.jpg

-- 
Bob
http://www.kanyak.com

From me at privacy.net Sun Dec 13 21:18:34 2009
From: me at privacy.net (Michael R N Dolbear)
Date: Sun Dec 13 21:20:08 2009
Subject: [Scspamcop] Re: VISA Phish
References: <3e08i5h45nk3j0b0sgan7div286lotsini@4ax.com>
Message-ID: <01ca7c46$b8f688c0$LocalHost@default>

Farelf wrote

> Agree completely. Yet, the world changes.
> ISP filtering becomes ever
> more pervasive (and, perhaps, even more effective). I dare say the
> average uncomprehending denizen of the internet would never see a phish
> (or straight spam) these days. [...]

Users of GoogleMail perhaps. Other filters just are not up to it yet and, since credit card issuers do send out emailings, avoidance of key phases should see phishers getting through.

I recently noted a "we have updated our conditions of use" from clickandbuy.com which used exactly the "what you seem to be clicking isn't what you will get" that was called out in this thread.

Grrr !

-- 
Mike D

From user at domain.invalid Mon Dec 14 00:59:23 2009
From: user at domain.invalid (Farelf)
Date: Mon Dec 14 01:00:08 2009
Subject: [Scspamcop] Re: VISA Phish
In-Reply-To: <01ca7c46$b8f688c0$LocalHost@default>
References: <3e08i5h45nk3j0b0sgan7div286lotsini@4ax.com> <01ca7c46$b8f688c0$LocalHost@default>
Message-ID:

Michael R N Dolbear wrote:
> Farelf wrote
>
>> (the) average uncomprehending denizen of the internet would never see a
>> phish (or straight spam) these days. [...]
>
> Users of GoogleMail perhaps. Other filters just are not up to it yet
> and, since credit card issuers do send out emailings, avoidance of key
> phases should see phishers getting through.

Yahoo and Hotmail are said to be good too (certainly little/none reaches my inboxes with those but that is inconclusive). Then there is quite a lot of anti-spam functionality built into the current Windows clients. Certainly the leading edge of a new and deliberately crafted spam run stands a chance of penetrating many defences - but their window is limited. Phishers are (or can be) a little different, supposedly, and may avoid triggering defences longer-term with lower volumes, possibly 'targeted'. But then their reach is limited. The defence of the herd is in its number.

My own ISP's filtering is quite effective for those that use it (they use IronPort devices/services, as a free 'plug' for the Cisco empire).
They also do something I've not heard of elsewhere - they filter and (silently) drop backscatter, so they say. Certainly I've had none since they implemented it. Those are free services, switchable except for the backscatter.

I think your own provider charges for their SecureMail security and spam provisions? I'm not sure if that puts them in front of or behind the trend. A 'superposition' state perhaps :)

We heard regularly of providers imposing filtering some time ago (as indeed Hotmail and Yahoo did) and presumably that continues. Outward filtering is most noticeable for a SC reporter but inwards filtering is going on too. Something has to choke back the 200 billion (and more) spam a day that are sent to get to us (even if they are 'only' those little American billions).

>
> I recently noted a "we have updated our conditions of use" from
> clickandbuy.com
> which used exactly the "what you seem to be clicking isn't what you
> will get" that was called out in this thread.
>
> Grrr !
>

LOL! No, they certainly don't help the cause. What's worse, typically they show or feign utter incomprehension when anyone tries to point out the error of their ways. I'm not even sure we can trust 'market forces' to eventually weed them out of the gene pool. But I want to believe, so very much.

From nobody at spamcop.net Tue Dec 15 10:13:40 2009
From: nobody at spamcop.net (John-A)
Date: Tue Dec 15 10:15:09 2009
Subject: [Scspamcop] Mediacom abuse mail bounces
Message-ID:

Spamcop is still sending abuse reports to abuse@mchsi.com
but if I send anything there, it bounces.
So does postmaster@mchsi.com

------------------------------------------------------------------------------------
This is the mail system at host dsmdc-mail-mta17-svc.mcomdc.com.

I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report.
You can delete your own text from the attached returned message.

The mail system

abuse@mchsi.com: mchsi.com

From MikeE at ster.invalid Tue Dec 15 11:47:38 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Dec 15 11:50:09 2009
Subject: [Scspamcop] Re: Mediacom abuse mail bounces
References:
Message-ID:

John-A wrote:
> Spamcop is still sending abuse reports to abuse@mchsi.com
> but if I send anything there, it bounces.
> So does postmaster@mchsi.com

mediacom/mchsi is undergoing a mail disaster in the early-middle stages of recovery which has taken about 6 days. There is a great deal of mail incompetence there.

A friend of mine asked me to help him with a problem which he thought was OE's, but it was the mchsi mailserver.

There are about 26 pages (so far) of a litany of unhappy mchsi/mediacom would-be emailers at dslreports.

My friend currently has satisfactory mailservice (by avoiding using mchsi's smtp server). We have his OE rigged to use gmail imap and we have his mchsi account to autoforward everything to the mchsi address to the gmail account from which he imap/s it. Naturally all of his mail goes out via the gmail smtp, not mchsi's.

If I were SC, I wouldn't change anything. Eventually mchsi addresses will work again.

Up until today, there was no acknowledgment on the mediacom website that there was any problem, and even tho' there is now a webpage about the 'transition' (which triggered the problem), that page is 'stealthed' -- there is no link to it from the mediacom front pages. Mediacom is taking the TigerWoods stonewall approach to the management of their shortcomings.

-- 
Mike Easter
kibitzer, not SC admin

From nobody at spamcop.net Tue Dec 15 15:14:12 2009
From: nobody at spamcop.net (John-A)
Date: Tue Dec 15 15:15:08 2009
Subject: [Scspamcop] Re: Mediacom abuse mail bounces
In-Reply-To:
References:
Message-ID:

"Mike Easter" wrote in message news:hg8ejb$ctp$1@news.spamcop.net...
> mediacom/mchsi is undergoing a mail disaster in the early-middle stages
> of recovery which has taken about 6 days. There is a great deal of mail
> incompetence there.
>
> A friend of mine asked me to help him with a problem which he thought
> was OE's, but it was the mchsi mailserver.
>
> There are about 26 pages (so far) of a litany of unhappy mchsi/mediacom
> would-be emailers at dslreports.
>

Yes, Mike, I have been looking at that site at dslreports. In the meantime, I have been using gmail and hotmail to send mail to friends.

John Anderson

From user at domain.invalid Tue Dec 15 20:43:41 2009
From: user at domain.invalid (Farelf)
Date: Tue Dec 15 20:45:08 2009
Subject: [Scspamcop] Re: VISA Phish
In-Reply-To:
References: <3e08i5h45nk3j0b0sgan7div286lotsini@4ax.com>
Message-ID:

Mike Easter wrote:
> Chris Willoughby wrote:
>> "Mike Easter"
>
>>> OTOH, the US is no longer the largest spamsource; so that is
>>> something.
>
>> Who is?
>
> Brazil.
>
> Recent article in Forbes reporting Cisco data: http://snipr.com/tnven
> According to a report released Tuesday from the security division of
> Cisco Brazil was responsible for 7.7 trillion spam e-mail messages in
> the year through November, nearly triple its spam output in 2008. That
> puts it well ahead of the U.S., which sent 6.6 trillion spam messages in
> the same period this year, down from 8.3 trillion in 2008.
>

Some interesting details on spam demographics at Project Honey Pot - http://www.projecthoneypot.org/1_billionth_spam_message_stats.php (thanks to ufo-joe over in the forums for flagging this).

This provides an alternative view of the spamming business - in one part of the dissection - "We decided to look at the number of compromised machines operating within the country divided by the number of security professionals operating in the country. This gives us a relative IT security score. As a proxy for the number of security professionals we used members in Project Honey Pot.
Here are the results:" (see the site).

It is, indeed, some sort of a tribute to something that the USA has been supplanted as the premier spamsource (it probably never was on the PHP index) - but, in terms of internet deployment and relative wealth its citizens, would certainly remain the main *target* of the forces of spamdom in terms of total numbers.

From user at invalid.dom Tue Dec 15 21:02:45 2009
From: user at invalid.dom (Claudio)
Date: Tue Dec 15 20:55:08 2009
Subject: [Scspamcop] Account disabled
Message-ID:

Hello, I've been a paid reporting user for years (don't remember how many,
but probably a deputy could find some internal information).
I'm not aware of having done anything against the rules in the last weeks.
Indeed, I've reported only a few undesired emails.
Two days ago I got

Sorry, your account has been disabled.
Sorry, your account has been disabled.
Please check your email for an explanation or contact SpamCop service.

I followed the link and filled in the information.
Is there anyone reading those web form inputs? Or should I wait a week for
an answer?
The text I got in an email says the same "your account has been disabled".
No clue if it's an internal error or I did something improper.

Thanks.

C.

From user at domain.invalid Tue Dec 15 21:34:21 2009
From: user at domain.invalid (Farelf)
Date: Tue Dec 15 21:35:09 2009
Subject: [Scspamcop] Re: Account disabled
In-Reply-To:
References:
Message-ID:

Claudio wrote:
> Hello, I've been a paid reporting user for years (don't remember how many,
> but probably a deputy could find some internal information).
> I'm not aware of having done anything against the rules in the last weeks.
> Indeed, I've reported only a few undesired emails.
> Two days ago I got
>
> Sorry, your account has been disabled.
> Sorry, your account has been disabled.
> Please check your email for an explanation or contact SpamCop service.
>
> I followed the link and filled in the information.
> Is there anyone reading those web form inputs? Or should I wait a week for
> an answer?
> The text I got in an email says the same "your account has been disabled".
> No clue if it's an internal error or I did something improper.
>
> Thanks.
>
> C.
>
>

Hello Claudio,

No doubt Don will answer when he sees this. If your address no longer receives SC messages (and 'bounces' them), that is a reason for suspension. It is not clear from what you say whether you responded to prompts from your member page or whether it was from links in an e-mail. If you received no e-mail that might be the problem.

From me at privacy.net Wed Dec 16 10:44:16 2009
From: me at privacy.net (Michael R N Dolbear)
Date: Wed Dec 16 10:45:08 2009
Subject: [Scspamcop] Re: VISA Phish
References: <3e08i5h45nk3j0b0sgan7div286lotsini@4ax.com> <01ca7c46$b8f688c0$LocalHost@default>
Message-ID: <01ca7e37$d94d3fe0$LocalHost@default>

Farelf wrote

> limited. Phishers are (or can be) a little different, supposedly, and
> may avoid triggering defences longer-term with lower volumes, possibly
> 'targeted'. But then their reach is limited. The defence of the herd
> is in its number.
>
> My own ISP's filtering is quite effective for those that use it (they
> use IronPort devices/services, as a free 'plug' for the Cisco empire).
> They also do something I've not heard of elsewhere - they filter and
> (silently) drop backscatter, so they say. Certainly I've had none since
> they implemented it. Those are free services, switchable except for the
> backscatter.
>
> I think your own provider charges for their SecureMail security and spam
> provisions? I'm not sure if that puts them in front of or behind the
> trend. A 'superposition' state perhaps :)

That's Tiscali who have Lineone and other legacies and have now been bought by Talk Talk.

Thanks for the heads up, I didn't notice their offerings included enhanced server side provision as well as discounted PC software.
http://www.tiscali.co.uk/products/securemail/

£9.99 pa per address

Is this product right for me?

Secure Mail Twin Pack ensures total protection for your Tiscali email account. It includes both the anti-virus and anti-spam products from Symantec.

Incoming mail is scanned before it is delivered to you. If a virus is detected, it is eradicated before it even has a chance to infect your mailbox.

Brightmail filters enable you to set the level of protection you want against annoying spam - either have the suspected mail tagged to warn you, elect to store spam in a built-in spam folder, or simply instruct Secure Mail to never deliver suspected spam to your mailbox.

[...]

==

I noted the reduced level (50/day from 150/day) of visible spam in the Forum and that the headers may contain

X-Brightmail: Message is probably unwanted (Spam)

but only recently got proof that even ordinary Tiscali mailboxen get some filtering

The spammer forged the return path to be the same as the "To:" so I got the backscatter of a 82% 0FF on P*Z*R ! spam

> From: Mail Delivery System (generated from x@munged.screaming.net)

SMTP error from remote mail server after end of data:
host mx4.mail.uk.tiscali.com [212.74.100.150]: 552 5.2.0 GSwZ1d02238H9cL01SwaG3
Unacceptable Mail Content

-- 
Mike D

From ppearson at nowhere.invalid Wed Dec 16 12:30:01 2009
From: ppearson at nowhere.invalid (Peter Pearson)
Date: Wed Dec 16 12:30:08 2009
Subject: [Scspamcop] Re: Account disabled
References:
Message-ID:

On Tue, 15 Dec 2009 23:02:45 -0300, Claudio wrote:
> Hello, I've been a paid reporting user for years (don't remember how many,
> but probably a deputy could find some internal information).
> I'm not aware of having done anything against the rules in the last weeks.
> Indeed, I've reported only a few undesired emails.
> Two days ago I got
>
> Sorry, your account has been disabled.
> Sorry, your account has been disabled.
> Please check your email for an explanation or contact SpamCop service.
>
> I followed the link and filled in the information.
[snip]

"Information"? Like username and password? Are you sure the link pointed to a Spamcop server? I've received phishes that resembled what you describe.

-- 
To email me, substitute nowhere->spamcop, invalid->net.

From nobody at spamcop.net Wed Dec 16 22:45:14 2009
From: nobody at spamcop.net (Richard W)
Date: Wed Dec 16 22:50:09 2009
Subject: [Scspamcop] Re: No reports filed
In-Reply-To: <01ca7453$18b98740$LocalHost@default>
References: <01ca73b2$c827b9a0$LocalHost@default> <01ca7453$18b98740$LocalHost@default>
Message-ID:

Michael R N Dolbear wrote:
> The question would be "Has anyone seen anything like this before ?" and
> "Has anyone got a suggestion as how this came about ?" and "Has the
> Spam quick reporting process ever been observed to crash ?" and "Does
> anyone know of a reason why email reports on Spam quick reporting were
> lost?"

I couldn't find this exact spam in your recent history, but as a general rule if the parser runs into a problem it will abort rather than sending only some reports. Things error on the side of caution. Even though QR doesn't send URL link reports, they still parse out but everything has to add up for reports to be sent.

Richard

From nobody at spamcop.net Wed Dec 16 22:50:14 2009
From: nobody at spamcop.net (Richard W)
Date: Wed Dec 16 22:55:07 2009
Subject: [Scspamcop] Re: Account disabled
In-Reply-To:
References:
Message-ID:

Claudio wrote:
> Hello, I've been a paid reporting user for years (don't remember how many,
> but probably a deputy could find some internal information).
> I'm not aware of having done anything against the rules in the last weeks.
> Indeed, I've reported only a few undesired emails.
> Two days ago I got
>
> Sorry, your account has been disabled.
> Sorry, your account has been disabled.
> Please check your email for an explanation or contact SpamCop service.
>
> I followed the link and filled in the information.
> Is there anyone reading those web form inputs? Or should I wait a week for > an answer? > The text I got in an email says the same "your account has been disabled". > No clue if it's an internal error or I did something improper. > > Thanks. > > C. > > We can't look at anything without the address the account is under. Write us at deputies@ or service@ and we'll take a look. Richard From vr at nospam.myrealbox.com Thu Dec 17 22:09:14 2009 From: vr at nospam.myrealbox.com (Vadim Rapp) Date: Thu Dec 17 22:10:08 2009 Subject: [Scspamcop] Cannot resolve www.topbestbank.net Message-ID: nslookup of www.topbestbank.net resolves successfully, and browser happily navigates to the site with pirated software. However, reporting it in spamcop ( # 4719532175 ) fails: "Cannot resolve www.topbestbank.net " , so the main culprit is not reported. From vr at nospam.myrealbox.com Thu Dec 17 22:26:37 2009 From: vr at nospam.myrealbox.com (Vadim Rapp) Date: Thu Dec 17 22:30:08 2009 Subject: [Scspamcop] Re: VISA Phish References: Message-ID: Hello, P> My VISA provider seems to want people to learn to be phished. They P> sent me a warning, complete with the "click here to ..." link. P> Lower down, it said something like "If you think this is possibly a P> fake, click here." I think, these days the most general look around reveals that the number of people with minimal competence is catastrophically small. In computer security area specifically as well as in any other generally. Whatever slogan or label they put up, be it "protecting your privacy", or "security", or "war on terror", or "green initiative", or "global warming", - if you dig just a little, you always reveal the same, blind dumb hunt for the buck by spewing out whatever lies it takes, without even understanding what it actually means. Maybe phishing is even not so bad for them, it probably provides good funding to fight it. Like the FBI that got unthinkable funds to fight the nonexisting terror. Same model. 
And in the end we will bail them out again anyways, so I guess everything is just dandy in their land. From user at domain.invalid Fri Dec 18 02:08:12 2009 From: user at domain.invalid (Farelf) Date: Fri Dec 18 02:10:08 2009 Subject: [Scspamcop] Re: Cannot resolve www.topbestbank.net In-Reply-To: References: Message-ID: Vadim Rapp wrote: > nslookup of www.topbestbank.net resolves successfully, and browser > happily navigates to the site with pirated software. However, reporting > it in spamcop ( # 4719532175 ) fails: "Cannot resolve > www.topbestbank.net " , so the main culprit is not reported. A deputy would need to look at that, DNS lookup gives an NXD C:\Documents and Settings\Admin>nslookup topbestbank.net Non-authoritative answer: Name: topbestbank.net Address: 202.80.173.5 > set type=ptr > 202.80.173.5 *** UnKnown can't find 5.173.80.202.in-addr.arpa.: Non-existent domain > >exit But sure, there are records aplenty: host 202.80.173.5 [whois.apnic.net node-2] Email: mohd_din[at]stteleport.com domain [domain dossier] Registrar of Record: Distribute IT Pty. Ltd. www.distributeit.com.au registrant Technical Contact: roach[at]qx8.ru From vr at nospam.myrealbox.com Fri Dec 18 20:38:05 2009 From: vr at nospam.myrealbox.com (Vadim Rapp) Date: Fri Dec 18 20:40:08 2009 Subject: [Scspamcop] Re: Cannot resolve www.topbestbank.net References: Message-ID: Here's an equivalent one, with the same site and same result in sc: http://www.spamcop.net/sc?id=z3589219854z176fc81950ff3fb0c4bd358e314d1285z From me at privacy.net Sat Dec 19 19:15:31 2009 From: me at privacy.net (Michael R N Dolbear) Date: Sat Dec 19 19:20:08 2009 Subject: [Scspamcop] Re: No reports filed References: <01ca73b2$c827b9a0$LocalHost@default> <01ca7453$18b98740$LocalHost@default> Message-ID: <01ca80e8$7981d400$LocalHost@default> Richard W wrote > Michael R N Dolbear wrote: > > > The question would be "Has anyone seen anything like this before ?" and > > "Has anyone got a suggestion as how this came about ?" 
and "Has the > > Spam quick reporting process ever been observed to crash ?" and "Does > > anyone know of a reason why email reports on Spam quick reporting were > > lost?" > I couldn't find this exact spam in your recent history, but as a general > rule if the parser runs into a problem it will abort rather than sending > only some reports. Things error on the side of caution. Even though QR > doesn't send URL link reports, they still parse out but everything has > to add up for reports to be sent. Thanks for that useful info. What would be nice would be for the parser to give a different message when it completes (no abort) but doesn't send any reports. Perhaps "Completed - no reports generated". You should be able to find Submitted: Tue Dec 1 16:13:49 2009 GMT : Regarding Your Bank Draft Of (USD$850.000.00). No reports filed and the resubmitted Here is your TRACKING URL - 00:12 03/12/09 http://www.spamcop.net/sc?id=z3548119609zfedf76be1b9a4c4ba8e83ec2f38cfafbz email me if you need my SpamCop webmail addie. -- Mike D From hans at salvisberg.nospam Mon Dec 21 08:38:30 2009 From: hans at salvisberg.nospam (Hans Salvisberg) Date: Mon Dec 21 08:40:07 2009 Subject: [Scspamcop] Spam through the SpamCop address -- please stop it! Message-ID: This has been going on for a few weeks now -- please do whatever it takes to stop it!
Subject: My new address Text begins with: Men's HealthErec ss tile dysfu bni nction (ED) or (male) impo fa tence http://www.spamcop.net/sc?id=z3594514171z4dc0caae57dc8c712373bf890e9b9ed9z 190.182.26.190 is an open proxy http://www.spamcop.net/sc?id=z3594514173z54cf63f70521eb947f2f581870a18855z 193.203.103.179 is an open proxy Subject: Sun, 20 Dec 2009 13:21:33 +0100 Text begins with: Men's HealthErec pu tile dysfu fa nction (ED) or http://www.spamcop.net/sc?id=z3594543033z14dc5fd2f29b057414a8680cb7e3f681z 77.45.58.108 is an open proxy Subject: Fri, 18 Dec 2009 21:54:33 -0500 Text begins with: Men's HealthErec chm tile dysfu cq nction (ED) or http://www.spamcop.net/sc?id=z3594543039z80b4d7f5f166d8da48d98a6d00908c3bz 190.218.5.96 is an open proxy Subject: Lunar New Year Text begins with: Me ahw n's He stu alth Vi sbr agr doi a http://www.spamcop.net/sc?id=z3594548778zde040754013e71a77b75379ab9e7d494z 95.57.231.39 is an open proxy Subject: New Year's Eve Text begins with: Me szq n's He ln alth Vi dcz agr sy a V wd ia http://www.spamcop.net/sc?id=z3594548779z48b49cf7ce58a9733757c25ffda097e8z 93.41.214.229 is an open proxy Subject: a-okubo@presskogyo.co.jp Text begins with: Ordering me rjp ds in Canada is becoming a common practice for those http://www.spamcop.net/sc?id=z3594554315zdb8e0d563e462841c64bdb6090cd9988z 213.176.230.133 is an open proxy Subject: alexs01@ms21.hinet.net Text begins with: Erec ss tile Dys zw func ofg tion Acce bfq ssRx prov uc ides Men=92s Hea http://www.spamcop.net/sc?id=z3594554316z848fae1f5b209e0fa1b307c34a413085z 95.84.251.32 is an open proxy Subject: 13139.27760.qmail@plum.fruitmail.net Text begins with: Erec nu tile Dys ona func mol tion Acce uc ssRx prov npz ides Men=92s He http://www.spamcop.net/sc?id=z3594554317zded2fcd412b6b9442888130d0c647f7az 93.124.127.109 is an open proxy Subject: *displea'sed wi*th the, ,measureme-nt o-f your. 
w+illy?- Text begins with: Men's HealthErec hm tile dysfu kd nction (ED) or (male) impo klw tence http://www.spamcop.net/sc?id=z3594561486z3edb7b7adad34815c625a4295d6b845fz 95.179.8.102 is an open proxy Subject: 2009-2010 Text begins with: Why Cho jmx ose D od rug yq store? Low ydm est Pri puh ces http://www.spamcop.net/sc?id=z3594486375z980020aa735472f36f78279e79e9a698z 79.46.251.20 is an open proxy http://www.spamcop.net/sc?id=z3594486390z09943bf096d32d0ec84f569edecd5a09z 190.158.135.176 is an open proxy http://www.spamcop.net/sc?id=z3594486407z82ae53b7357251b5a72f347a041b28fbz 189.32.196.75 is an open proxy http://www.spamcop.net/sc?id=z3594486430z2028f2d0a989e33d82bb05f8df89bb1fz 93.73.192.232 is an open proxy http://www.spamcop.net/sc?id=z3594486442z33b141a24c7ffd3f6aa03404cad52e4ez 93.185.182.138 is an open proxy http://www.spamcop.net/sc?id=z3594486457zadebba2d6ecca21fdc333b1b3b1dae16z 190.51.92.253 is an open proxy Subject: what the New Year 2010 Text begins with: Me ozg n's He cdp alth Vi euz agr ox a V ped iagr http://www.spamcop.net/sc?id=z3594923614z1c7f8e36892fd996da2b0b831c88be75z 89.253.173.108 is an open proxy Subject: as the New Year Text begins with: Me ivk n's He qy alth Vi hko agr pn a V pts i agr pj http://www.spamcop.net/sc?id=z3594923616zc6718a3d7a067c102845815376628989z 213.176.230.151 is an open proxy ========================================================== All IPs are in cbl.abuseat.org (which I've enabled) and the spam is successfully held back by SpamCop. Looking at this spam, it seems that it's a single spam source that's responsible for all of them. The common patterns are: -- same or similar text -- same type of obfuscation -- similar Subject patterns -- most are sent by "The Bat!"
-- most have "" in the HTML part -- they're all sent to multiple @spamcop.net addresses I'm getting a bit tired of having to deal with this crap, and since it's all going directly to my SpamCop address I wish SpamCop would take a more aggressive role in fighting this spammer. My @spamcop.net address is becoming more of a pain than a help -- I think SpamCop has an interest in stopping this. I use my @spamcop.net address exclusively for SpamCop matters and I never ever want to receive an email that also goes to other @spamcop.net addresses (except announcements originating from SpamCop, of course). Please provide a filter that allows me to drop these mails. Also, I never ever want to receive an email that contains the string ' Message-ID: "Hans Salvisberg" wrote in message news:hgntoq$5nd$1@news.spamcop.net... > This has been going on for a few weeks now -- please do whatever it takes > to stop it! [snip] You do realize SpamCop is a spam parsing and reporting service, not a "stop spammers with 1 click service", right? SpamCop just lets you report the originating IP addresses to whoever is the owning ISP of the spamming server sending spam to your address, it has no control whatsoever over what they actually send. In order to stop spammers from sending email, you must find out how to persuade the owning ISP's to tighten their security measures so that these spambots are controlled properly. This is done by analyzing the incoming spam for possible flaws which the spammers are abusing, and creating a report to help the owning ISP understand why this is bad, and why they should do something about it. Most people simply don't have the resources needed to do this. They therefore feed the incoming spam to the SpamCop parsing and reporting service, which in turn uses the data to create IP address blocklists and send out reports to ISP's abuse addresses for you.
If your ISP's mail server is configurable to do so, you can get spam filtered using the SpamCop blocklist, although for a lot of ISP's this is not enabled by default or they use their own blocklist and/or service. With the SpamCop service and the amount of mail you're getting, it sounds like you might qualify for quick reporting. Find out how to do that by browsing around the SpamCop website, it's all there. Cheers ... Geoffrey Hyde Free SpamCop user, not admin. From ppearson at nowhere.invalid Tue Dec 22 21:05:25 2009 From: ppearson at nowhere.invalid (Peter Pearson) Date: Tue Dec 22 21:10:08 2009 Subject: [Scspamcop] Re: Spam through the SpamCop address -- please stop it! References: Message-ID: On Mon, 21 Dec 2009 14:38:30 +0100, Hans Salvisberg wrote: > This has been going on for a few weeks now -- please do whatever it > takes to stop it! [snip] > All IPs are in cbl.abuseat.org (which I've enabled) and the spam is > successfully held back by SpamCop. Looking at this spam, it seems that > it's a single spam source that's responsible for all of them. The common > patterns are: > > -- same or similar text > -- same type of obfuscation > -- similar Subject patterns > -- most are sent by "The Bat!" > -- most have " white">" in the HTML part > -- they're all sent to multiple @spamcop.net addresses If it wouldn't inconvenience you to run a Python program before picking up your Spamcop email, send me email. I might have a tool that will help. -- To email me, substitute nowhere->spamcop, invalid->net.
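The header patterns Hans lists (other @spamcop.net recipients on the same message, "The Bat!" as the mailer, Subject lines that are a bare date or address) can be tested from headers alone before anything is reported. The sketch below is an added example, not part of the thread and not Peter Pearson's program; the function names, folder labels, two-signal threshold and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Subject lines in the thread's samples that are really a Date header or an address.
RFC2822_DATE = re.compile(
    r"^(Mon|Tue|Wed|Thu|Fri|Sat|Sun), \d{1,2} "
    r"(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) \d{4} "
    r"\d{2}:\d{2}:\d{2} [+-]\d{4}$"
)
ADDR_LIKE = re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")


def header_signals(msg, my_address):
    """Return the names of the listed header patterns that this message shows."""
    signals = []
    recipients = {
        addr.lower()
        for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    }
    others = {a for a in recipients
              if a.endswith("@spamcop.net") and a != my_address.lower()}
    if others:
        signals.append("shared-spamcop-recipients")
    if "the bat!" in msg.get("X-Mailer", "").lower():
        signals.append("mailer-the-bat")
    subject = " ".join(msg.get("Subject", "").split())
    if RFC2822_DATE.match(subject):
        signals.append("subject-is-date")
    elif ADDR_LIKE.match(subject):
        signals.append("subject-is-address")
    return signals


def classify(raw_headers, my_address, whitelist=(), threshold=2):
    """Return (folder, reasons). A single signal is not enough to auto-file a
    message, because a legitimate sender may also use The Bat!."""
    msg = message_from_string(raw_headers)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender in {w.lower() for w in whitelist}:
        return "keep", ["whitelisted-sender"]
    signals = header_signals(msg, my_address)
    folder = "spam-for-sure" if len(signals) >= threshold else "held"
    return folder, signals


def triage(held, my_address, whitelist=()):
    """Sort held messages into folders, keeping the reasons as a decision log."""
    folders = {"keep": [], "held": [], "spam-for-sure": []}
    for name, raw in held.items():
        folder, reasons = classify(raw, my_address, whitelist)
        folders[folder].append((name, reasons))
    return folders


# Constructed sample headers (not taken from any real message).
HELD = {
    "date-subject": (
        "From: sender-a@example.invalid\n"
        "To: reporter-a@spamcop.net, reporter-b@spamcop.net\n"
        "Subject: Sun, 20 Dec 2009 13:21:33 +0100\n"
        "X-Mailer: The Bat! (v3.0) Professional\n\n"
    ),
    "address-subject": (
        "From: sender-b@example.invalid\n"
        "To: reporter-a@spamcop.net\n"
        "Cc: reporter-c@spamcop.net\n"
        "Subject: someone@example.invalid\n\n"
    ),
    "lone-signal": (
        "From: friend@example.invalid\n"
        "To: reporter-a@spamcop.net\n"
        "Subject: Re: lunch on Friday\n"
        "X-Mailer: The Bat! (v3.0) Professional\n\n"
    ),
    "announcement": (
        "From: announce@example.invalid\n"
        "To: reporter-a@spamcop.net, reporter-b@spamcop.net\n"
        "Subject: Service notice\n\n"
    ),
}

if __name__ == "__main__":
    result = triage(HELD, "reporter-a@spamcop.net",
                    whitelist=["announce@example.invalid"])
    for folder, entries in result.items():
        for name, reasons in entries:
            print(f"{folder:14} {name:16} {', '.join(reasons)}")
```

Messages that land in "held" still need the manual look for false positives; only the multi-signal ones are filed for bulk reporting.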
From dritz at mindspring.com Sun Dec 27 00:48:57 2009 From: dritz at mindspring.com (David Ritz) Date: Sun Dec 27 00:50:09 2009 Subject: [Scspamcop] Re: Cannot resolve www.topbestbank.net In-Reply-To: References: Message-ID: On Friday, 18 December 2009 19:38 -0600, in article , Vadim Rapp wrote: > Here's an equivalent one, with the same site and same result in sc: > http://www.spamcop.net/sc?id=z3589219854z176fc81950ff3fb0c4bd358e314d1285z NS1 for your first example shows Yambo Financials spoor. Yambo has been extremely effective in blocking SC DNS queries, for the past few years. I don't expect this to change anytime soon. dritz:~> sbl www.topbestbank.net ; sbl ns1.topbestbank.net ; sbl ns2.topbestbank.net ; date 142.166.135.151 www.topbestbank.net : sbl.spamhaus.org : ok 24.232.33.129 ns1.topbestbank.net : sbl.spamhaus.org : BLOCKED (127.0.0.2) => http://www.spamhaus.org/SBL/sbl.lasso?query=SBL75942 <= 200.204.201.62 ns2.topbestbank.net : sbl.spamhaus.org : BLOCKED (127.0.0.2) http://www.spamhaus.org/SBL/sbl.lasso?query=SBL81714 Sun Dec 27 05:24:57 UTC 2009 dritz:~> sbl www.businessonlinemadeeasy.net ; sbl ns1.businessonlinemadeeasy.net ; sbl ns2.businessonlinemadeeasy.net ; date 142.166.135.151 www.businessonlinemadeeasy.net : sbl.spamhaus.org : ok 64.22.79.180 ns1.businessonlinemadeeasy.net : sbl.spamhaus.org : ok 200.204.201.62 ns2.businessonlinemadeeasy.net : sbl.spamhaus.org : BLOCKED (127.0.0.2) http://www.spamhaus.org/SBL/sbl.lasso?query=SBL81714 Sun Dec 27 05:35:43 UTC 2009 dritz:~> uri topbestbank.net ; uri businessonlinemadeeasy.net ; date topbestbank.net.multi.uribl.com descriptive text "Blacklisted, see http://lookup.uribl.com/?domain=topbestbank.net" topbestbank.net.multi.surbl.org descriptive text "Blocked, topbestbank.net on lists [jp][ob], See: http://www.surbl.org/lists.html" Host businessonlinemadeeasy.net.multi.uribl.com not found: 3(NXDOMAIN) businessonlinemadeeasy.net.multi.surbl.org descriptive
text "Blocked, businessonlinemadeeasy.net on lists [ob], See: http://www.surbl.org/lists.html" Sun Dec 27 05:47:19 UTC 2009 -- David Ritz Be kind to animals; kiss a shark. From MikeE at ster.invalid Sun Dec 27 10:50:09 2009 From: MikeE at ster.invalid (Mike Easter) Date: Sun Dec 27 10:50:08 2009 Subject: [Scspamcop] Re: Cannot resolve www.topbestbank.net References: Message-ID: David Ritz wrote: > NS1 for your first example shows Yambo Financials spoor. Yambo has > been extremely effective in blocking SC DNS queries, for the past few > years. I don't expect this to change anytime soon. > dritz:~> sbl www.topbestbank.net > dritz:~> sbl www.businessonlinemadeeasy.net > dritz:~> uri topbestbank.net ; uri businessonlinemadeeasy.net ; date > topbestbank.net.multi.uribl.com descriptive text "Blacklisted, see > http://lookup.uribl.com/?domain=topbestbank.net" > topbestbank.net.multi.surbl.org descriptive text "Blocked, > topbestbank.net on lists [jp][ob], See: > http://www.surbl.org/lists.html" This would be a good place for me to posit my argument that the SC parser/notifier should be redesigned slightly in the purpose and method of its operation. A redesign could give the reporter the optional configuration to not (try to) notify the spamvertiser provider, but to simply feed the spamvertised URL to the stats and the sc-surbl. The part of the parsing/notifying process which is designed to notify the spamvertiser provider is exceedingly resource intensive and is counterproductive in many ways. It has to deobfuscate the URL, then it has to deal the barriers and time resources to try to resolve the URL, all of which purpose is to notify the provider for the spamvertiser - which typically is not a good notify to be doing at all.
Blackhat spamvertiser providers are not good for the reporter to be giving evidence. Instead, the parser/notifier should just deobfuscate the spamvertised url, present the result to the regular reporter for 'approval' to notify/report and then feed it into the stats which would feed it to the sc-surbl. That would be a win-win-win-win situation for the good guys; less resources burned for the SC parser, more spamvertised sites fed to the sc-surbl system, less resources burned in the notify machinery, and less blackhats handed SC reporter evidence spam. -- Mike Easter kibitzer, not SC admin From hans at salvisberg.nospam Sun Dec 27 11:46:45 2009 From: hans at salvisberg.nospam (Hans Salvisberg) Date: Sun Dec 27 11:50:08 2009 Subject: [Scspamcop] Re: Spam through the SpamCop address -- please stop it! In-Reply-To: References: Message-ID: On 2009-12-22 09:38, Geoffrey Hyde wrote: > With the SpamCop service and the amount of mail you're getting, it sounds > like you might qualify for quick reporting. Find out how to do that by > browsing around the SpamCop website, it's all there. Thank you for replying. I've been feeding my mail through SpamCop for many many years, and quick-reported close to 50,000 pieces of spam. This here is a new phenomenon: increasing amounts of spam being sent to my @spamcop.net address (!!) over an extended period of time. The spam is successfully held, but then I have to look through the list and quick-report it manually from the spamcop.net website. This is beginning to wear me down... On my own mail server I could easily detect and reject this spam, but I can't control what SpamCop dumps into my list of Held Email. Maybe I've been lucky that this list has remained manageable over the years and the occasional spamming attempts to @spamcop.net have fizzled out after a few weeks, but this time is different. 
Hans From hans at salvisberg.nospam Sun Dec 27 11:57:29 2009 From: hans at salvisberg.nospam (Hans Salvisberg) Date: Sun Dec 27 12:00:08 2009 Subject: [Scspamcop] Re: Spam through the SpamCop address -- please stop it! In-Reply-To: References: Message-ID: On 2009-12-23 03:05, Peter Pearson wrote: > If it wouldn't inconvenience you to run a Python program > before picking up your Spamcop email, send me email. I > might have a tool that will help. The problem is not picking up my SpamCop email, but looking through the list of Held Email at http://mailsc.spamcop.net/reportheld?action=heldlog This list contains the held email from two sources: a) mail to my @spamcop.net address b) mail to my other addresses that I filtered through SpamCop I look through this list to 1. catch the occasional false positive 2. look for patterns in the occasional piece of spam that enters my mail server (b) so I can improve its filters 3. quick-report all but #1 Can your program help here? TIA! Hans From ppearson at nowhere.invalid Sun Dec 27 17:11:32 2009 From: ppearson at nowhere.invalid (Peter Pearson) Date: Sun Dec 27 17:15:09 2009 Subject: [Scspamcop] Re: Spam through the SpamCop address -- please stop it! References: Message-ID: On Sun, 27 Dec 2009 17:57:29 +0100, Hans Salvisberg wrote: > On 2009-12-23 03:05, Peter Pearson wrote: >> If it wouldn't inconvenience you to run a Python program >> before picking up your Spamcop email, send me email. I >> might have a tool that will help. > > The problem is not picking up my SpamCop email, but looking through the > list of Held Email at > > http://mailsc.spamcop.net/reportheld?action=heldlog > > This list contains the held email from two sources: > a) mail to my @spamcop.net address > b) mail to my other addresses that I filtered through SpamCop > > I look through this list to > 1. catch the occasional false positive > 2. look for patterns in the occasional piece of spam that enters my mail > server (b) so I can improve its filters > 3. 
quick-report all but #1 > > Can your program help here? I think so. This program, spamcopfilter.py, speaks IMAP protocol to mail.spamcop.net. It retrieves the headers for all the messages in my Held Mail folder, builds a list of messages that it's sure are spam, and moves those messages into my Spam For Sure folder. Typically, when the dust settles, 50 messages have been moved to Spam For Sure, and about six are left in Held Mail. With a few mouse clicks, I report everything in my Spam For Sure folder. During normal at-home use, this program gets run just before fetchmail, the periodic program that moves mail from my Spamcop inbox to my Linux machine. When I'm travelling, I run this program manually from a netbook before going to Spamcop's webmail page. The program currently checks for X-Spamcop-whitelisted lines, looks at the X-Spam-level line, checks for a certain header defect that confuses parsing, checks a local whitelist file, compares the Subject line against a long list of regular expressions, looks for a certain common giveaway that I believe you've noticed in the To line, looks for certain annoyances in the From line, and some other more specialized things. It recognizes messages forwarded from my work address, and applies some slightly different tests to those messages. It keeps a log file showing all headers processed and the decisions reached. The Python code is not something I'd attach to an application for employment, but since it is Python, it's pretty clear. -- To email me, substitute nowhere->spamcop, invalid->net. From g.hyde at bigNOSPAMpond.net.au Mon Dec 28 09:28:40 2009 From: g.hyde at bigNOSPAMpond.net.au (Geoffrey Hyde) Date: Mon Dec 28 09:30:08 2009 Subject: [Scspamcop] Re: Cannot resolve www.topbestbank.net References: Message-ID: "Mike Easter" wrote in message news:hh7vne$6ni$1@news.spamcop.net... 
> The part of the parsing/notifying process which is designed to notify > the spamvertiser provider is exceedingly resource intensive and is > counterproductive in many ways. It has to deobfuscate the URL, then it > has to deal the barriers and time resources to try to resolve the URL, > all of which purpose is to notify the provider for the spamvertiser - > which typically is not a good notify to be doing at all. Blackhat > spamvertiser providers are not good for the reporter to be giving > evidence. > > Instead, the parser/notifier should just deobfuscate the spamvertised > url, present the result to the regular reporter for 'approval' to > notify/report and then feed it into the stats which would feed it to the > sc-surbl. > > That would be a win-win-win-win situation for the good guys; less > resources burned for the SC parser, more spamvertised sites fed to the > sc-surbl system, less resources burned in the notify machinery, and less > blackhats handed SC reporter evidence spam. This could only really work if everyone on SpamCop knew what was a 'good' notify, and wouldn't hit IB's with reports they didn't ask for. Currently SpamCop is 'lazy' (for want of a better term) about URL deobfuscation/notification, mainly because it's got a lot of spam to process through 24/7 and doesn't really want to be spending more time than it has to on a spamitem. If you can find a means of making sure that every SpamCop reporter can identify a 'good' notify, and not hit IB's with 'bad' notifys then, sure why not go for it and put your suggestion up? Otherwise, I feel that the current SpamCop situation is at a good midway point which reaches a fair balance given what most SpamCop reporters know. Cheers ...
Geoffrey Hyde From MikeE at ster.invalid Mon Dec 28 10:58:35 2009 From: MikeE at ster.invalid (Mike Easter) Date: Mon Dec 28 11:00:08 2009 Subject: [Scspamcop] Re: Cannot resolve www.topbestbank.net References: Message-ID: Geoffrey Hyde wrote: > "Mike Easter" >> That would be a win-win-win-win situation for the good guys; less >> resources burned for the SC parser, more spamvertised sites fed to the >> sc-surbl system, less resources burned in the notify machinery, and >> less blackhats handed SC reporter evidence spam. > > This could only really work if everyone on SpamCop knew what was a > 'good' notify, and wouldn't hit IB's with reports they didn't ask for. In the past, from time to time I would evaluate about 100 or so of the spamvertiser providers represented by my spam. I never or almost never found any whitehats among them. If I assume that is the general state of affairs, then the whole idea of the default mode of SC notifying spamvertiser providers is upside down. The default mode should be to not notify any of them. If a spamvertiser provider wants to be notified by spamcop about something, they could ask to be. > Currently SpamCop is 'lazy' (for want of a better term) about URL > deobfuscation/notification, mainly because it's got a lot of spam to > process through 24/7 and doesn't really want to be spending more time > than it has to on a spamitem. It would be better if all resolution and notification of spamvertiser providers were eliminated in favor of feeding all spamvertisers to the sc-surbl via statistics or alternate mechanisms. > If you can find a means of making sure that every SpamCop reporter can > identify a 'good' notify, and not hit IB's with 'bad' notifys then, I'm not talking about innocent bystanders being notified along with spamvertiser providers. I'm saying that no spamvertiser providers should be notified. The SC reporter is presented with the deobfuscation to 'approve' similar to the way it is now done.
If the reporter approves/agrees that a deobfuscated URL is a spamvertiser instead of an IB, then the deobfuscated URL is fed to the stats and the sc-surbl, just as a small fraction of spamvertised URLs is now done. The big advantage would be a much much much much higher efficiency (of parsing) and much much much higher rate of providing spamvertising URLs to the sc-surbl. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Mon Dec 28 11:07:01 2009 From: MikeE at ster.invalid (Mike Easter) Date: Mon Dec 28 11:10:08 2009 Subject: [Scspamcop] Re: Cannot resolve www.topbestbank.net References: Message-ID: Mike Easter wrote: > Geoffrey Hyde wrote: >> "Mike Easter" > >>> That would be a win-win-win-win situation for the good guys; less >>> resources burned for the SC parser, more spamvertised sites fed to the >>> sc-surbl system, less resources burned in the notify machinery, and >>> less blackhats handed SC reporter evidence spam. > In the past, from time to time I would evaluate about 100 or so of the > spamvertiser providers represented by my spam. > > I never or almost never found any whitehats among them. If I assume > that is the general state of affairs, then the whole idea of the default > mode of SC notifying spamvertiser providers is upside down. >> Currently SpamCop is 'lazy' (for want of a better term) about URL >> deobfuscation/notification, mainly because it's got a lot of spam to >> process through 24/7 and doesn't really want to be spending more time >> than it has to on a spamitem. Or said another simpler way; ... the SC parsing notification system should be changed away from sometimes trying to resolve and notify spamvertiser providers. It would be much better to resolve none and notify none, while feeding all of them unresolved to the stats/sc-surbl system.
As it is now, SC uselessly attempts to resolve some of the spamvertiser URLs - for almost absolutely no purpose except to interfere with a mechanism for doing something much more useful with the spam, namely feeding all of the spamvertisers to the sc-surbl. -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Tue Dec 29 16:44:53 2009 From: nobody at spamcop.net (Twayne) Date: Tue Dec 29 16:45:09 2009 Subject: [Scspamcop] Re: Cannot resolve www.topbestbank.net References: Message-ID: In news:hhal35$4vo$1@news.spamcop.net, Mike Easter typed: > Mike Easter wrote: >> Geoffrey Hyde wrote: >>> "Mike Easter" >> >>>> That would be a win-win-win-win situation for the good guys; less >>>> resources burned for the SC parser, more spamvertised sites fed to >>>> the sc-surbl system, less resources burned in the notify >>>> machinery, and less blackhats handed SC reporter evidence spam. > >> In the past, from time to time I would evaluate about 100 or so of >> the spamvertiser providers represented by my spam. >> >> I never or almost never found any whitehats among them. If I assume >> that is the general state of affairs, then the whole idea of the >> default mode of SC notifying spamvertiser providers is upside down. > >>> Currently SpamCop is 'lazy' (for want of a better term) about URL >>> deobfuscation/notification, mainly because it's got a lot of spam to >>> process through 24/7 and doesn't really want to be spending more time >>> than it has to on a spamitem. > > Or said another simpler way; > > ... the SC parsing notification system should be changed away from > sometimes trying to resolve and notify spamvertiser providers. > > It would be much better to resolve none and notify none, while feeding > all of them unresolved to the stats/sc-surbl system.
> > As it is now, SC uselessly attempts to resolve some of the > spamvertiser URLs - for almost absolutely no purpose except to > interfere with a mechanism for doing something much more useful with > the spam, namely feeding all of the spamvertisers to the sc-surbl. You make a good case, Mike. But wouldn't notifying spamvertisers in the lists be offering a way to punish or do dos on websites? What would there be to prevent them from adding my or your or whoever's sites to the list. Since the e-mail addresses 99% of the time ID the site, it seems like it'd be easy to do disservices to them. Say my meATusadatanetDOTnet was hidden in the code from a SC report, and they decided to set their software to show usadatanetDOTnet as one of their spamvertising sites. Now I'm in trouble if it's fed to the list and have to work my way out of trouble with SC. It seems like a simple mod to the spamware to pick those out if they wished. I'm not saying that's the method used, but it did happen to me once, a long time ago. Spamcop was great about straightening things out and no other problems came of it, but ... it still happened. LOL! Or am I as usual seeing the wrong trees and not even the forest? Regards, Twayne -- Cats land on their feet. but Toast lands PB side down; A cat glued to some jelly toast will hover in quantum indecision forever. From MikeE at ster.invalid Wed Dec 30 08:17:39 2009 From: MikeE at ster.invalid (Mike Easter) Date: Wed Dec 30 08:20:08 2009 Subject: [Scspamcop] Re: Cannot resolve www.topbestbank.net References: Message-ID: Twayne wrote: > Mike Easter >> ... the SC parsing notification system should be changed away from >> sometimes trying to resolve and notify spamvertiser providers. >> >> It would be much better to resolve none and notify none, while feeding >> all of them unresolved to the stats/sc-surbl system. 
>> >> As it is now, SC uselessly attempts to resolve some of the >> spamvertiser URLs - for almost absolutely no purpose except to >> interfere with a mechanism for doing something much more useful with >> the spam, namely feeding all of the spamvertisers to the sc-surbl. > > You make a good case, Mike. But wouldn't notifying spamvertisers in the > lists be offering a way to punish or do dos on websites? The parser notifier is designed to allow the reporter to approve the notifies -- which is a process by which the regular reporter is supposed to be responsible and agree that a deobfuscated URL is in fact a spamvertiser. That oversight process could be retained; in effect saying, "Is this deobfuscated URL actually a spamvertiser?" which is the current process for trying to eliminate innocent bystanders. > What would > there be to prevent them from adding my or your or whoever's sites to > the list. In addition to the SC reporter oversight, sc-surbl also has a mechanism for not 'publishing' the SC URLs without some kind of vetting process which they describe as: sc.surbl.org contains message-body web sites processed from SpamCop URI reports, also known as "spamvertised" web sites. The reports are not used directly, but are subject to extensive processing. Entries in sc.surbl.org expire automatically several days after the SpamCop reports decrease. > Since the e-mail addresses 99% of the time ID the site, it > seems like it'd be easy to do disservices to them. I don't know what that sentence means in the context of what I'm talking about. > Say my meATusadatanetDOTnet was hidden in the code from a SC report, > and they decided to set their software to show usadatanetDOTnet as one > of their spamvertising sites. Now I'm in trouble if it's fed to the > list and have to work my way out of trouble with SC. I don't think anything in those two sentences pertains to what I'm talking about. > It seems like a simple mod to the spamware to pick those out if they > wished. 
> > I'm not saying that's the method used, but it did happen to me once, a > long time ago. Spamcop was great about straightening things out and no > other problems came of it, but ... it still happened. > > LOL! Or am I as usual seeing the wrong trees and not even the forest? I think so. -- Mike Easter kibitzer, not SC admin
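The `sbl` and `uri` lookups David Ritz ran earlier in the thread come down to two DNS name constructions, and the URI-list one uses only the domain text, so a spamvertised domain can be checked against a list without the spamvertised host ever being resolved. This is an added example, not code from the thread or from SpamCop; the function names and the dictionary-backed resolver are assumptions, and its records are constructed to mirror the answers quoted in that transcript.

```python
import ipaddress
import re

# DNS blocklists answer listed entries with addresses in 127.0.0.0/8.
LISTING_RANGE = ipaddress.ip_network("127.0.0.0/8")
# List tags as they appear in the quoted SURBL text, e.g. "[jp][ob]".
LIST_TAG = re.compile(r"\[([a-z]+)\]")


def ip_query_name(ip, zone):
    """IP lists are keyed on reversed octets: 24.232.33.129 -> 129.33.232.24.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def domain_query_name(domain, zone):
    """URI lists are keyed on the domain text itself; nothing is resolved first."""
    return domain.strip().rstrip(".").lower() + "." + zone


def ip_listed(ip, zone, resolve_a):
    """Return (listed, codes). An answer outside 127.0.0.0/8 is treated as
    resolver interference (for example NXDOMAIN rewriting), not as a listing."""
    answers = resolve_a(ip_query_name(ip, zone))
    codes = [a for a in answers if ipaddress.IPv4Address(a) in LISTING_RANGE]
    return bool(codes), codes


def domain_listed(domain, zone, resolve_txt):
    """Return (listed, tags). Any TXT answer means listed; an empty answer
    (NXDOMAIN) means not listed. Tags are parsed when the text names them."""
    texts = resolve_txt(domain_query_name(domain, zone))
    tags = [tag for text in texts for tag in LIST_TAG.findall(text)]
    return bool(texts), tags


# Constructed records standing in for live DNS so the example runs offline.
RECORDS = {
    ("A", "129.33.232.24.sbl.spamhaus.org"): ["127.0.0.2"],
    # Constructed failure case: a resolver that rewrites NXDOMAIN to its own host.
    ("A", "151.135.166.142.sbl.spamhaus.org"): ["192.0.2.1"],
    ("TXT", "topbestbank.net.multi.uribl.com"): [
        "Blacklisted, see http://lookup.uribl.com/?domain=topbestbank.net"],
    ("TXT", "topbestbank.net.multi.surbl.org"): [
        "Blocked, topbestbank.net on lists [jp][ob], "
        "See: http://www.surbl.org/lists.html"],
    ("TXT", "businessonlinemadeeasy.net.multi.surbl.org"): [
        "Blocked, businessonlinemadeeasy.net on lists [ob], "
        "See: http://www.surbl.org/lists.html"],
}


def resolve_a(name):
    """Stand-in for an A lookup; a missing key plays the role of NXDOMAIN."""
    return RECORDS.get(("A", name), [])


def resolve_txt(name):
    """Stand-in for a TXT lookup; a missing key plays the role of NXDOMAIN."""
    return RECORDS.get(("TXT", name), [])


if __name__ == "__main__":
    for ip in ("24.232.33.129", "142.166.135.151"):
        print(ip, ip_listed(ip, "sbl.spamhaus.org", resolve_a))
    for domain in ("topbestbank.net", "businessonlinemadeeasy.net"):
        for zone in ("multi.uribl.com", "multi.surbl.org"):
            print(domain, zone, domain_listed(domain, zone, resolve_txt))
```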