From nobody at spamcop.net Thu Jan 1 04:32:19 2009
From: nobody at spamcop.net (N. Miller)
Date: Thu Jan 1 04:35:07 2009
Subject: [Scspamcop] Re: Hat Check - DSL Extreme?
References:
Message-ID: <1mxv0vqpwi7sf$.dlg@nobody.spamcop.net>

On Wed, 31 Dec 2008 19:23:08 -0600, bar0 from SpamCop wrote:

> "BlueWave" wrote in message
> news:gjh2t4$rq9$1@news.spamcop.net...
>> bar0 wrote:
> ...
>> You have a point, but since they're not a major ISP player I wouldn't be
>> at all surprised if they didn't have the resources to do what you've
>> suggested to patrol their own network.
> Then they shouldn't pretend to be an ISP. Furthermore it's not that
> expensive to do. What you describe is kinda like a moving company with 2
> cardboard boxes a Ford Ranger, or S-10 and one driver.

DSLX sells DSL over ATTIS (AT&T) copper. They have decided not to be the
"evil Net Nanny" that AT&T is (AT&T blocks customer access to outbound port
25 off of the ATTIS IP network).

--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum

From nobody at spamcop.net Thu Jan 1 15:54:25 2009
From: nobody at spamcop.net (BlueSkyzz)
Date: Thu Jan 1 15:55:08 2009
Subject: [Scspamcop] Re: Hat Check - DSL Extreme?
In-Reply-To: <1mxv0vqpwi7sf$.dlg@nobody.spamcop.net>
References: <1mxv0vqpwi7sf$.dlg@nobody.spamcop.net>
Message-ID:

N. Miller wrote:
> DSLX sells DSL over ATTIS (AT&T) copper. They have decided not to be the
> "evil Net Nanny" that AT&T is (AT&T blocks customer access to outbound port
> 25 off of the ATTIS IP network).

My traceroute to them shows Level 3 as their upstream (another company
that has a history of being spam-ambivalent), unless ATT owns L3 now?

From nobody at spamcop.net Thu Jan 1 15:56:42 2009
From: nobody at spamcop.net (BlueSkyzz)
Date: Thu Jan 1 16:00:08 2009
Subject: [Scspamcop] Re: Hat Check - DSL Extreme?
In-Reply-To:
References:
Message-ID:

bar0 wrote:
> Then they shouldn't pretend to be an ISP. Furthermore it's not that
> expensive to do.
> What you describe is kinda like a moving company with 2
> cardboard boxes a Ford Ranger, or S-10 and one driver.

I suggest you take up your opinions about how they should (or shouldn't)
run their business with them directly. I'm sure they'll be thrilled to
hear your input.

From ganhedinheironainternet at dinheiro.com Thu Jan 1 21:38:44 2009
From: ganhedinheironainternet at dinheiro.com (Ganhe dinheiro na internet)
Date: Thu Jan 1 21:40:08 2009
Subject: [Scspamcop] H`YH1 como ganhar dinheiro na internet , dinheiro rapido, dinheiro navegando, ganha dinheiro na internet, megainvestimento.com H`YH1>6>:a0pG*!
Message-ID:

http://ganhar-dinheiro-pela-internet.vila.bol.com.br/

This week I came across a very interesting site. It has a number of e-books
on various interesting topics and, in addition, it is an investment site,
where the amount paid comes back to us with a 300% profit. You make a single
payment of R$ 30,00 and are entitled to download more than 30 online course
booklets on various topics:
- Memorization;
- Speed reading;
- Digital photography;
- Sales techniques;
- Basic VOIP course;
- Autocad 3D course;
- Many others

Besides the booklets, you will take part in a Fantastic Income Generation
Business. No groups... No monthly fees... A single column... Because it is a
single queue, every user who joins the site has a place in the queue; for
every 10 shares purchased in our system, all those referred move down to the
number before theirs. EX: If you join the project and your number is 51, as
soon as the next 10 join you will move up to position 50. As soon as you
reach position 1 in the queue you will receive R$ 130,00. Besides this profit
of more than 300%, you can earn R$ 10,00 for each friend you refer who joins
the system. Think of the profits you could make, in addition to the great
knowledge gained from our virtual booklets. You can get your position right
now. Remember: it is first come, first served!
If you leave it until tomorrow, there may be dozens of people ahead of you.
If you join today, there may be dozens of people after you tomorrow.
Sign up right now!!!

http://ganhar-dinheiro-pela-internet.vila.bol.com.br/

Comment: I am not part of the team that devised the project; I am just a user
who approved of the system and saw in it an excellent opportunity to earn an
income in a guaranteed way, and it passed the filter I apply before joining
any business on the net.

From nobody at nowhere.not Thu Jan 1 22:44:20 2009
From: nobody at nowhere.not (Robert Blair)
Date: Thu Jan 1 22:45:08 2009
Subject: [Scspamcop] Re: Hat Check - DSL Extreme?
References: <1mxv0vqpwi7sf$.dlg@nobody.spamcop.net>
Message-ID:

On Thu, 1 Jan 2009 09:32:19 UTC, "N. Miller" wrote:

> > Then they shouldn't pretend to be an ISP. Furthermore it's not that
> > expensive to do.
> > What you describe is kinda like a moving company with 2
> > cardboard boxes a Ford Ranger, or S-10 and one driver.
>
> DSLX sells DSL over ATTIS (AT&T) copper. They have decided not to be the
> "evil Net Nanny" that AT&T is (AT&T blocks customer access to outbound port
> 25 off of the ATTIS IP network).

Blocking port 25 is the right thing to do as a default for a very large
percentage of home users. If you know what you are doing they should have a
procedure to unblock port 25 but I can see why they would not want to do it.

When I travel I find some hotels/motels that have port 25 blocked so you can
receive your email but not send any unless you configure your email program
to use their email outbound server. The main reason I use my hosting
company's alternate email port (always).

--
Robert Blair

From nobody at spamcop.net Thu Jan 1 22:52:27 2009
From: nobody at spamcop.net (bar0)
Date: Thu Jan 1 22:55:09 2009
Subject: [Scspamcop] Re: Hat Check - DSL Extreme?
References:
Message-ID:

"BlueSkyzz" wrote in message
news:gjjama$u4j$2@news.spamcop.net...
> bar0 wrote:
>
>> Then they shouldn't pretend to be an ISP. Furthermore it's not that
>> expensive to do. What you describe is kinda like a moving company with 2
>> cardboard boxes a Ford Ranger, or S-10 and one driver.
>
> I suggest you take up your opinions about how they should (or shouldn't)
> run their business with them directly. I'm sure they'll be thrilled to
> hear your input.
>

Why should I bother? They're not my friends. Like I said I owe them nothing,
and if their customers spam they can pay the price. Personally I wouldn't
choose to notify them.

From Ag2000CO at Starband.net Fri Jan 2 07:32:04 2009
From: Ag2000CO at Starband.net (LKing)
Date: Fri Jan 2 07:35:08 2009
Subject: [Scspamcop] Re: H`YH1 como ganhar dinheiro na internet , dinheiro rapido, dinheiro navegando, ganha dinheiro na internet, megainvestimento.com H`YH1>6>:a0pG*!
In-Reply-To:
References:
Message-ID:

Ganhe dinheiro na internet wrote, On 1/1/2009 9:38 PM:
>
>

Where again are all those reasons that a SC NG is so much better than a
forum? This is the second time around for this spammer.

From MikeE at ster.invalid Fri Jan 2 10:43:55 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Jan 2 10:45:07 2009
Subject: [Scspamcop] Re: H`YH1 como ganhar dinheiro na internet , dinheiro rapido, dinheiro navegando, ganha dinheiro na internet, megainvestimento.com H`YH1>6>:a0pG*!
References:
Message-ID:

LKing wrote:
> Ganhe dinheiro na internet wrote, On 1/1/2009 9:38 PM:
> >
> >
>
> Where again are all those reasons that a SC NG is so much better than a
> forum? This is the second time around for this spammer.

Vulnerabilities of the SC ng to various non-controlled/ non-moderated
problems are /not/ the reasons that the ng is preferred by many.

Pro-forum people 'appreciate' the control which forum moderation can bring
and therefore spend some significant time moderating away the unwanted and
moderating/moving around the wanted when it is too misplaced or disorderly.

The newsgroups are not moderated and do not even require registration to
use and post. And the admin of the newsgroups definitely doesn't want to
moderate them -- that's one of the reasons he prefers forum over newsgroup
support.

--
Mike Easter
kibitzer, not SC admin

From me at privacy.net Fri Jan 2 12:57:38 2009
From: me at privacy.net (Michael R N Dolbear)
Date: Fri Jan 2 13:00:09 2009
Subject: [Scspamcop] Re: H`YH1 como ganhar dinheiro na internet , dinheiro rapido, dinheironavegando, ganha dinheiro na internet, megainvestimento.com H`YH1>6>:a0pG*!
References:
Message-ID: <01c96d02$750e3f80$LocalHost@default>

LKing wrote
> Ganhe dinheiro na internet wrote, On 1/1/2009 9:38 PM:
> >
> >
>
> Where again are all those reasons that a SC NG is so much better than a
> forum? This is the second time around for this spammer.

Easy enough to require authentication and password for the SC private
news server as for the forum but unless the volume rises, why bother ?

--
Mike D

From nobody at spamcop.net Fri Jan 2 13:37:29 2009
From: nobody at spamcop.net (N. Miller)
Date: Fri Jan 2 13:40:09 2009
Subject: [Scspamcop] Re: Hat Check - DSL Extreme?
References: <1mxv0vqpwi7sf$.dlg@nobody.spamcop.net>
Message-ID: <6riziai985rt$.dlg@nobody.spamcop.net>

On Thu, 01 Jan 2009 12:54:25 -0800, BlueSkyzz from SpamCop wrote:

> N. Miller wrote:
>> DSLX sells DSL over ATTIS (AT&T) copper. They have decided not to be the
>> "evil Net Nanny" that AT&T is (AT&T blocks customer access to outbound port
>> 25 off of the ATTIS IP network).
> My traceroute to them shows Level 3 as their upstream (another company
> that has a history of being spam-ambivalent), unless ATT owns L3 now?

DSL. Modem to the DSLAM. ATTIS, or Verizon, copper. Matters not who is
"upstream". It is not Level 3 copper being used in the "Last Mile". AFAIK,
Level 3 does not have "Last Mile" copper.

--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum

From MikeE at ster.invalid Fri Jan 2 13:41:28 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Jan 2 13:45:08 2009
Subject: [Scspamcop] Re: H`YH1 como
References: <01c96d02$750e3f80$LocalHost@default>
Message-ID:

Michael R N Dolbear wrote:
> LKing
>> Where again are all those reasons that a SC NG is so much better than a
>> forum? This is the second time around for this spammer.
>
> Easy enough to require authentication and password for the SC private
> news server as for the forum but unless the volume rises, why bother ?

While I agree entirely with your main thesis, 'why bother', it is actually
not 'easy enough'.

That registration process would put unwelcome additional work on news
admin.

In addition, it really isn't much security at all, considering that
unwanted postings occur to the forum in spite of the registration and
moderation process.
And 'regulars' have been guilty in the past of abusing the newsgroups.

While it would presumably have prevented these particular spams from being
posted directly to the newsserver; in the past some strange 'leakage' has
occurred from posts which were not posted directly to the newsserver, but
got there/here by other routes. The management/ prevention/ of such
'leakages' would also require a lot of administrative hullaballoo.

The best attitude for newsserver/newsreader management is generally to
minimize the workload for admin and to let the newsreaders do their own
filtering or ignoring. IMO of course

--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Fri Jan 2 16:32:18 2009
From: nobody at devnull.spamcop.net (Wazoo)
Date: Fri Jan 2 16:35:08 2009
Subject: [Scspamcop] Re: Broken headers
References: <49591134.9000307@spamcop.net>
Message-ID:

"Tim McGraw" wrote in message
news:gjh212$pqj$1@news.spamcop.net...
>
> Whatever the impediment was, these are now parsing without
> intervention in a manual parse but don't pass the VER sniff test.

As a Forum poster is asking about exactly the same mal-formed header
issue, I'm asking for a bit of clarification. Are you stating that a
manual parse of e-mail with the same "missing new-line" bits are able to
be processed by a manual parse? With no editing, etc. of the submittal?
I guess I'm asking for a Tracking URL of one of these 'problem'
submittals that did parse despite the bad headers.

From tmcgraw at spamcop.net Fri Jan 2 17:01:40 2009
From: tmcgraw at spamcop.net (Tim McGraw)
Date: Fri Jan 2 17:05:09 2009
Subject: [Scspamcop] Re: Broken headers
In-Reply-To:
References: <49591134.9000307@spamcop.net>
Message-ID:

Wazoo wrote:
> Tim McGraw wrote:
>> Whatever the impediment was, these are now parsing without
>> intervention in a manual parse but don't pass the VER sniff test.
> As a Forum poster is asking about exactly the same mal-formed header
> issue, I'm asking for a bit of clarification.
> Are you stating that
> a manual parse of e-mail with the same "missing new-line" bits are
> able to be processed by a manual parse? With no editing, etc. of
> the submittal? I guess I'm asking for a Tracking URL of one of
> these 'problem' submittals that did parse despite the bad headers.

On Dec. 31st these were parsing:
http://www.spamcop.net/sc?id=z2492975579z701b1b16438fff7b5959e10d33b2848ez
http://www.spamcop.net/sc?id=z2492975014zca15c5b0b750348b84ac579394cb4b14z
http://www.spamcop.net/sc?id=z2492974857z7e075a79649f98245636a61991b971fdz

They no longer parse. JT wrote me on 1/1 to say:

> The sender is sending spam with illegal line ends in the headers. These are carriage returns instead of line feeds, or vice versa, or something. They probably won't display correctly in an email program, either.
>
> I'd suggest you just delete them since they're being detected as spam already.

From Ag2000CO at Starband.net Fri Jan 2 18:07:49 2009
From: Ag2000CO at Starband.net (LKing)
Date: Fri Jan 2 18:10:09 2009
Subject: [Scspamcop] Re: H`YH1 como
In-Reply-To:
References:
Message-ID:

LKing wrote, On 1/2/2009 7:32 AM:
> Ganhe dinheiro na internet wrote, On 1/1/2009 9:38 PM:
> >
> >
>
> Where again are all those reasons that a SC NG is so much better than a
> forum?

I obviously need to assure my caffeine-low-light is not lit before I post
here. If I had realized how sensitive the subject was I _may_ not have
stuck it with a stick.

From tmcgraw at spamcop.net Fri Jan 2 22:00:06 2009
From: tmcgraw at spamcop.net (Tim McGraw)
Date: Fri Jan 2 22:05:08 2009
Subject: [Scspamcop] Re: Broken headers
In-Reply-To:
References: <49591134.9000307@spamcop.net>
Message-ID:

Tim McGraw wrote:
> On Dec. 31st these were parsing:
> http://www.spamcop.net/sc?id=z2492975579z701b1b16438fff7b5959e10d33b2848ez
> http://www.spamcop.net/sc?id=z2492975014zca15c5b0b750348b84ac579394cb4b14z
> http://www.spamcop.net/sc?id=z2492974857z7e075a79649f98245636a61991b971fdz
>
> They no longer parse.

Clarification/example: This was in my held mail. I moved it to
reporting/trash. It said it couldn't parse it. I c&p full message, put
it in the reporting window and it parses, working as those above:

http://www.spamcop.net/sc?id=z2497613514z04c7728c0ecf98a159a89077c72d3148z

From user at domain.invalid Fri Jan 2 23:11:38 2009
From: user at domain.invalid (Farelf)
Date: Fri Jan 2 23:15:08 2009
Subject: [Scspamcop] Re: Broken headers
In-Reply-To:
References: <49591134.9000307@spamcop.net>
Message-ID:

Tim McGraw wrote:
> Clarification/example: This was in my held mail. I moved it to
> reporting/trash. It said it couldn't parse it. I c&p full message, put
> it in the reporting window and it parses, working as those above:
>
> http://www.spamcop.net/sc?id=z2497613514z04c7728c0ecf98a159a89077c72d3148z

I would think the spammer mangling of the 'message' is probably at fault,
confusing the parser. The *boundary declaration* is wrong (or the
boundaries are wrong, take your pick). The missing CR LF doesn't help but
the boundary thing is possibly why there are misplaced X-line headers
added and may even (who knows?) cause the deletion of that needed
linebreak.

When the declaration
Content-Type: multipart/alternative; boundary=----=_NextPart_000_0023_68_F4B2D511.0F2CB568
is followed by a boundary
------=_NextPart_000_0023_68_F4B2D511.0F2CB568
then anything reading that is going to see it as the end of the message
because it contains the 2 extra 'terminator' dashes. It should be
----=_NextPart_000_0023_68_F4B2D511.0F2CB568
- in conformity with the declaration. The best that can happen with that
is a premature message close.

Insert the missing line break *and* adjust (either the declaration and
last expression *or* the two boundaries in the body) and it should parse
OK, like:
http://www.spamcop.net/sc?id=z2497670889zd58683a5cc31cbc616a56a2ffc640c80z

So, I'm thinking the parser is not to be blamed if it is 'just' a somewhat
unexpected handling of a bollixed spam.
We've seen such malformations come and go in the past (but the parser
abides ...)

From tmcgraw at spamcop.net Fri Jan 2 23:58:24 2009
From: tmcgraw at spamcop.net (Tim McGraw)
Date: Sat Jan 3 00:00:08 2009
Subject: [Scspamcop] Re: Broken headers
In-Reply-To:
References: <49591134.9000307@spamcop.net>
Message-ID:

Farelf wrote:
> Tim McGraw wrote:
>> Clarification/example: This was in my held mail. I moved it to reporting/trash. It said it couldn't parse it. I c&p full message, put it in the reporting window and it parses
> So, I'm thinking the parser is not to be blamed if it is 'just' a somewhat
> unexpected handling of a bollixed spam. We've seen such malformations
> come and go in the past (but the parser abides ...)

Before, when Queued for reporting:
http://www.spamcop.net/sc?id=z2497773583ze4009af64069e5c1d3e5c8a541f3352dz

After, when same text is pasted in window:
http://www.spamcop.net/sc?id=z2497774383zd3f0a4a5b86e6b606779445091c47b7ez

From user at domain.invalid Sat Jan 3 00:39:01 2009
From: user at domain.invalid (Farelf)
Date: Sat Jan 3 00:40:08 2009
Subject: [Scspamcop] Re: Broken headers
In-Reply-To:
References: <49591134.9000307@spamcop.net>
Message-ID:

Tim McGraw wrote:
>
> Before, when Queued for reporting:
> http://www.spamcop.net/sc?id=z2497773583ze4009af64069e5c1d3e5c8a541f3352dz
>
> After, when same text is pasted in window:
> http://www.spamcop.net/sc?id=z2497774383zd3f0a4a5b86e6b606779445091c47b7ez

Good point, must be some (processing) sequence thing happening which is
irksome and denies the opportunity to report and is clearly sub-optimal.
The paste-in method seems to work the same whether using original data
(as you have) or stored data (as I did, though I made slight changes to
explore the boundary matter).

I would agree that SC should be looking at the email submission process,
even if it *is* down to mangled message format - because clearly the
parser *can* process the data more completely.
I suppose that could be turned around to say the paste-in method has a
'relaxed' standard which cannot be supported in email submissions,
particularly if quick reporting uses the same key parts - I just don't
know. But if it is just happening with SC mail accounts (as it seems at
the moment) maybe the parser as such isn't actually the problem.

In the past we have suspected 'spammer ploys' in various types of message
malformations causing reporting problems only to see them fade away
(presumably because they haven't pulled the sucker responses that 'proper'
messages do). I dare say if this one goes on long enough it will be in
SC's interests to do something about.

But yes, good point about the difference and really annoying for all
encountering it.

From nobody at devnull.spamcop.net Sat Jan 3 01:37:31 2009
From: nobody at devnull.spamcop.net (Wazoo)
Date: Sat Jan 3 01:40:08 2009
Subject: [Scspamcop] Re: H`YH1 como
References: <01c96d02$750e3f80$LocalHost@default>
Message-ID:

"Mike Easter" wrote in message
news:gjln46$hgv$1@news.spamcop.net...
> Michael R N Dolbear wrote:
>> LKing
>
>>> Where again are all those reasons that a SC NG is so much better
>>> than a
>>> forum? This is the second time around for this spammer.
>>
>> Easy enough to require authentication and password for the SC
>> private
>> news server as for the forum but unless the volume rises, why
>> bother ?
>
> While I agree entirely with your main thesis, 'why bother', it is
> actually
> not 'easy enough'.
>
> That registration process would put unwelcome additional work on
> news
> admin.

You simply wouldn't believe the amount of spam traffic that is attempted
via the Mailing List/Archives. One particular lowlife appears to either a
staffer of or has access to the logs for powercomm.com ....
over four months of reporting, only seeing the next batch (primarily
targeted to the 'old' server archives/lists) come from yet another IP
Address within the same block, started adding those blocks to the
iptables (no current Forum users impacted) ,,, now the scumbag is using
countless open proxies to send the crap, spamvertised sites still on
powercomm.com .... I sure didn't realize what I was setting myself up for
when re-starting the Archiving, fool that I am

From ecm2001.winols at bentleyfulldownload.com Sat Jan 3 18:36:25 2009
From: ecm2001.winols at bentleyfulldownload.com (ecm2001 winols shoemaster bentley)
Date: Sat Jan 3 18:40:09 2009
Subject: [Scspamcop] ecm2001 winols shoemaster wilcom bentley amiable 181836244772556
Message-ID:

We can crack or emulate any protection type: Dongle, Hardlock, Hasp,
Serial, Password, Hasp4, Flexlm, Sentinel, Wibu, Eutron Smartkey, Hasphl,
Proteq, All the Protections!!

email = xshowsoft@gmail.com
email = xshowsoft at gmail.com

If you have some protected program, and want to crack it, we can help you!

From DLipman~nospam~ at Verizon.Net Sat Jan 3 20:46:09 2009
From: DLipman~nospam~ at Verizon.Net (David H.
 Lipman)
Date: Sat Jan 3 20:50:08 2009
Subject: [Scspamcop] Re: H`YH1 <--- Indy 9.00.10 spam
References:
Message-ID:

From: "Mike Easter"

| LKing wrote:
>> Ganhe dinheiro na internet wrote, On 1/1/2009 9:38 PM:
>> >
>> >
>> Where again are all those reasons that a SC NG is so much better than a
>> forum? This is the second time around for this spammer.

| Vulnerabilities of the SC ng to various non-controlled/ non-moderated
| problems are /not/ the reasons that the ng is preferred by many.

| Pro-forum people 'appreciate' the control which forum moderation can bring
| and therefore spend some significant time moderating away the unwanted and
| moderating/moving around the wanted when it is too misplaced or
| disorderly.

| The newsgroups are not moderated and do not even require registration to
| use and post. And the admin of the newsgroups definitely doesn't want to
| moderate them -- that's one of the reasons he prefers forum over newsgroup
| support.

| --
| Mike Easter
| kibitzer, not SC admin

Filtering on "X-Library: Indy 9.00.10" would help as this is a
professional spamming tool against Usenet.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

From MikeE at ster.invalid Sun Jan 4 00:35:54 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Jan 4 00:40:08 2009
Subject: [Scspamcop] Re: H`YH1 <--- Indy 9.00.10 spam
References:
Message-ID:

David H. Lipman wrote:
> "Mike Easter"

> Filtering on "X-Library: Indy 9.00.10" would help as this is a
> professional spamming tool against Usenet.

That's a useful observation.

You didn't happen to cite a particular part of my earlier remark

Mike Easter wrote:
> The best attitude for newsserver/newsreader management is generally to
> minimize the workload for admin and to let the newsreaders do their own
> filtering or ignoring. IMO of course

...
for which your suggestion is excellent (or appropriate) for the last 2
spams which both include the xlibrary line in question.

I have no idea why a usenet spamming tool would care to brand itself with
an unnecessary XLibrary line.

I don't normally use a filter for the spamcop newsgroups. And when I do/
have in the past/ it is typically based on some header in the overview.
Naturally the xlibrary line isn't in the overview.

I think I'm going to stick to ignoring them.

--
Mike Easter
kibitzer, not SC admin

From DLipman~nospam~ at Verizon.Net Sun Jan 4 07:36:00 2009
From: DLipman~nospam~ at Verizon.Net (David H. Lipman)
Date: Sun Jan 4 07:40:08 2009
Subject: [Scspamcop] Re: H`YH1 <--- Indy 9.00.10 spam
References:
Message-ID:

From: "Mike Easter"

| David H. Lipman wrote:
>> "Mike Easter"

>> Filtering on "X-Library: Indy 9.00.10" would help as this is a
>> professional spamming tool against Usenet.

| That's a useful observation.

| You didn't happen to cite a particular part of my earlier remark

| Mike Easter wrote:
>> The best attitude for newsserver/newsreader management is generally to
>> minimize the workload for admin and to let the newsreaders do their own
>> filtering or ignoring. IMO of course

| ... for which your suggestion is excellent (or appropriate) for the last 2
| spams which both include the xlibrary line in question.

| I have no idea why a usenet spamming tool would care to brand itself with
| an unnecessary XLibrary line.

| I don't normally use a filter for the spamcop newsgroups. And when I do/
| have in the past/ it is typically based on some header in the overview.
| Naturally the xlibrary line isn't in the overview.

| I think I'm going to stick to ignoring them.

| --
| Mike Easter
| kibitzer, not SC admin

Over the years I have seen and examined numerous NNTP spams. There are
several professional "spammer preferred" tools. Indy 9.x and Indy 10.x
seem to be highly prized.
They are able to run as a bot and be able to traverse all news groups of all selected hierarchies and post a spam message in every group. Their failing is the addition to the header. Once Usenet admins started to use filters based upon the header entries, these posts dramatically decreased. There are other spamming tools that are able to traverse all news groups of all selected hierarchies and they too add to the header which can be used in a filter. Having noted this I have examined legitimate NNTP posts and to date, not one legitimate post has been made using these tools. Besides the fact that your past batch of spam (12/30, 1/1 and 1/3) used Indy, all were generated from "Tele Norte Leste Participações S.A." in Brazil. -- Dave http://www.claymania.com/removal-trojan-adware.html Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp From SandieFix at webtv.net Sun Jan 4 17:42:21 2009 From: SandieFix at webtv.net (Sandie Fix) Date: Sun Jan 4 17:55:08 2009 Subject: [Scspamcop] Spam Message-ID: <10154-49613B4D-353@storefull-3152.bay.webtv.net> I have Webtv and since Dec. 22,I have received over 800 spam mails. Is there any way that I can fix this? I have reported it to the Webmaster and have tried deleting as fast as they come in, but it is almost impossible and I am unable to receive mail from my friends. Help! From MikeE at ster.invalid Sun Jan 4 18:35:47 2009 From: MikeE at ster.invalid (Mike Easter) Date: Sun Jan 4 18:40:07 2009 Subject: [Scspamcop] Re: Spam References: <10154-49613B4D-353@storefull-3152.bay.webtv.net> Message-ID: Sandie Fix wrote: > I have Webtv and since Dec. 22,I have received over 800 spam mails. Is > there any way that I can fix this? I have reported it to the Webmaster > and have tried deleting as fast as they come in, but it is almost > impossible and I am unable to receive mail from my friends. Help! 
Disclaimer: The only thing I know about webtv is what I read online and from some interactions with webtv/ers who have been involved with spamcop. I can see this webtv page http://info.webtv.net/spam/ UBE (Spam) Control Measures at MSN TV (webtv.net) Webtv/ers can be dialup or broadband clients. Whether I was a webtv/er (dial or broadband) or a non-webtv dialup client of some ISP or a cable/dsl broadbander of some other, if my mail provider (such as a connectivity provider who was providing me with a mail address and a mailbox) was unable to provide me with a satisfactory mailbox -- too much (bad) filtering (lost goodmail) - too little nonconfigurable filtering (too much spam) - too little configurability of filtering (bad policies, too much rejected mail, unwelcome challenge response) - ... then I would get my mail some other way than via that 'bad' mailbox provider. That is, I would contact all those who I correspond with and change my address to that of a new mail provider. Just as an example; suppose you changed your email address to a gmail address. I have gmail accounts along with other accounts of my connectivity provider. I like the configurability of my connectivity provider, but I don't like its default configurations. My connectivity provider also doesn't do a good job of filtering spam, so I do that some other way for those mail accounts. Gmail does a good job of filtering spam and more importantly, it doesn't do a bad job (false positives and such). -- Mike Easter kibitzer, not SC admin From leon at rmvme.mvps.org Mon Jan 5 09:54:36 2009 From: leon at rmvme.mvps.org (Leon Mayne) Date: Mon Jan 5 10:00:07 2009 Subject: [Scspamcop] Hotmail spam Message-ID: I seem to be getting a lot of these lately: http://www.spamcop.net/sc?id=z2502965603z668b298dc3eaae85c8bbd8e3ace5ac71z To make it worse, Spamassassin is marking their spam score as -2.2. Have Hotmail given up trying to stop spam? 
From leon at rmvme.mvps.org Mon Jan 5 10:05:45 2009 From: leon at rmvme.mvps.org (Leon Mayne) Date: Mon Jan 5 10:10:09 2009 Subject: [Scspamcop] Re: SpamAssassin In-Reply-To: References: Message-ID: "Damien" wrote in message news:giob7o$lav$1@news.spamcop.net... > Can someone tell me what this 'star' (*) Spam-Level represents? And with > "X-Spam-Status: hits=1.4" does this mean I would have to set my > SpamAssassin level to '1' in order to catch this message? *Don't set your level to 1! See next answer* The spam level / bar header is for mail filtering. On my server I want to dump anything that has a spam level of 4 or more into the spambox and anything with a spam level of 14 or above into /dev/null. Therefore I have two filters (in this order): 1) If the header x-spam-level contains "**************" then blackhole the message 2) If the header x-spam-level contains "****" then redirect to my spambox (2) can normally be replaced with the "x-spam: Yes" or subject rewrite, but I like it like that so I can change it easily > If SpamAssassin found FORGED_HOTMAIL_RCVD2 wouldn't that be sufficient to > tag the message as Spam? If you have a particular rule that is indicative of the spam you receive then you can increase its score by editing ~/.spamassassin/user_prefs and adding a line to increase the score for that particular rule, e.g. score FORGED_HOTMAIL_RCVD2 3 Which would add 3 to the total spam score instead of 1.4 for that rule. HTH -- Leon Mayne http://leon.mvps.org/ From nobody at spamcop.net Mon Jan 5 11:03:07 2009 From: nobody at spamcop.net (Bar0) Date: Mon Jan 5 11:05:08 2009 Subject: [Scspamcop] Re: Hotmail spam References: Message-ID: "Leon Mayne" wrote in message news:gjt712$g0g$1@news.spamcop.net... >I seem to be getting a lot of these lately: > http://www.spamcop.net/sc?id=z2502965603z668b298dc3eaae85c8bbd8e3ace5ac71z > To make it worse, Spamassassin is marking their spam score as -2.2. Have > Hotmail given up trying to stop spam? 
There were a number of mass account credential Phish attempts in December against hotmail and yahoo, apparently they were quite successful. From tfm3 at nospam.teleproc.com Mon Jan 5 14:14:35 2009 From: tfm3 at nospam.teleproc.com (Thomas Mooney) Date: Mon Jan 5 14:15:08 2009 Subject: [Scspamcop] Cookie login problem - Firefox Message-ID: Spamcop no longer remembers who I am from one session to the next. This is only a problem on Firefox (currently 3.0.5). When I enter the URL www.spamcop.net, I am met with a page whose title is "SpamCop.net - Welcome registered user - Mozilla Firefox", but the top of the page reads "No userid found". My userid and password (presumably) is shown in the upper-right with a Login button. Pressing this button has no noticeable effect. Following the "Log in here" link takes me to the cookie login page. I enter the proper information and am returned to the "Welcome registered user" / "No userid found" page. Everything works as expected / hoped on IE 6.0.2800. I no longer use IE, but it does work. Any ideas? Time to contact a deputy? Thanks. From Ag2000CO at Starband.net Mon Jan 5 15:22:16 2009 From: Ag2000CO at Starband.net (LKing) Date: Mon Jan 5 15:25:08 2009 Subject: [Scspamcop] Re: Cookie login problem - Firefox In-Reply-To: References: Message-ID: Thomas Mooney wrote, On 1/5/2009 2:14 PM: > Spamcop no longer remembers who I am from one session to the next. > Everything works as expected / hoped on IE 6.0.2800. I no longer use IE, > but it does work. > > Any ideas? Time to contact a deputy? > > Thanks. > Works with IE not with FF. Don't think you need the deputies. Sounds like the FF version of the SpamCop cookies have gotten hosed. Suggest you delete all SC cookies and start over. Tools > Options, select "Security" tab then click on "Saved Passwords.." in the Search window enter "spamcop" select http://www.spamcop.net and click "Remove" Now when you go to spamcop you will need to enter ID and password.
If it still doesn't work go to Tools > Options, select "Privacy" tab click on "Show Cookies" I found cookies for ironpost.com and spamcop.net select and remove. Lou From tfm3 at nospam.teleproc.com Mon Jan 5 15:59:53 2009 From: tfm3 at nospam.teleproc.com (Thomas Mooney) Date: Mon Jan 5 16:00:07 2009 Subject: [Scspamcop] Re: Cookie login problem - Firefox References: Message-ID: "LKing" wrote in message news:gjtq5v$j88$1@news.spamcop.net... > Thomas Mooney wrote, On 1/5/2009 2:14 PM: > > Spamcop no longer remembers who I am from one session to the next. > > Everything works as expected / hoped on IE 6.0.2800. I no longer user IE, > > but it does work. > > > > Any ideas? Time to contact a deputy? > > > > Thanks. > > > Works with IE not with FF. don't think you need the deputies. Sounds > like the FF version of the SpamCop cookies have gotten hosed. > > Suggest you delete all SC cookies and start over. > Tools > Options, select "Security" tab then click on "Saved Passwords.." > > in the Search window inter "spamcop" select http://www.spamcop.net and > click "Remove" > > Now when you go to spamcop will will need to enter ID and password. > > If it still doesn't work go to Tools > Options, select "Privacy" tab > click on "Show Cookies" > > I found cookies for ironpost.com and spamcop.net select and remove. > > Lou I've tried all of that, several times. I get what appears to be a good login - my userid is at the top of the page. When I start a new browser session and go to SpamCop, I get the following messages: No userid found You appear to be using an old login (you may have logged out in another browser session) I'm at a loss. Tom From me at privacy.net Mon Jan 5 18:23:45 2009 From: me at privacy.net (Michael R N Dolbear) Date: Mon Jan 5 18:25:09 2009 Subject: [Scspamcop] Re: SpamAssassin References: Message-ID: <01c96f87$77d0a3c0$LocalHost@default> Leon Mayne wrote > The spam level / bar header is for mail filtering. 
On my server I want to > dump anything that has a spam level of 4 or more into the spambox and > anything with a spam level of 14 or above into /dev/null. Therefore I have > two filters (in this order): > 1) If the header x-spam-level contains "**************" then blackhole the > message > 2) If the header x-spam-level contains "****" then redirect to my spambox > (2) can normally be replaced with the "x-spam: Yes" or subject rewrite, but > I like it like that so I can change it easily Works in SpamCop mail as well but only if you log on to the webmail (browser) interface and use "filter" AND the two tests have to be in that order because "**************" obviously contains "****" But users of SpamCop Mail cannot change the SpamAssassin profile - everyone gets the same one. -- Mike D From Ag2000CO at Starband.net Mon Jan 5 18:42:06 2009 From: Ag2000CO at Starband.net (LKing) Date: Mon Jan 5 18:45:07 2009 Subject: [Scspamcop] Re: Cookie login problem - Firefox In-Reply-To: References: Message-ID: Thomas Mooney wrote, On 1/5/2009 3:59 PM: > > I've tried all of that, several times. I get what appears to be a good > login - my userid is at the top of the page. When I start a new browser > session and go to SpamCop, I get the following messages: > > > No userid found > You appear to be using an old login (you may have logged out in another > browser session) > > > I'm at a loss. > > Tom Don't know. It does act a little odd when I login with both FF and IE at the same time. When I logout of one it messes up the other. (Not a situation I would have expected them to program for.) Also in some situations (using only one browser) when I click on the Login in the upper right there is still a login screen on the screen (Logout button in upper right) If you click on the "Report Spam" tab or other tabs everything seems to work ok. My IE, Firefox and Vista are all current. 
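The ordering point from the SpamAssassin posts above (Leon Mayne's two "header contains" filters and Michael R N Dolbear's note that the 14-star test must come first), as an added Python example that is not code from any poster or from SpamCop. The messages are constructed, and the function names and the count-based alternative are assumptions of this example.

```python
import re
from email import message_from_string


def make_message(stars):
    """Build a constructed test message carrying an X-Spam-Level bar."""
    return (
        "From: sender@example.com\n"
        "Subject: constructed sample\n"
        "X-Spam-Level: " + "*" * stars + "\n"
        "\n"
        "body\n"
    )


def level_header(raw_message):
    """Return the raw X-Spam-Level header value ('' when absent)."""
    return message_from_string(raw_message).get("X-Spam-Level", "")


def route_by_contains(raw_message, rules):
    """First matching 'header contains <stars>' rule wins, like a filter list."""
    header = level_header(raw_message)
    for needle, action in rules:
        if needle in header:
            return action
    return "inbox"


def route_by_count(raw_message, thresholds):
    """Count the stars and compare numerically; rule order no longer matters."""
    match = re.match(r"\*+", level_header(raw_message).strip())
    stars = len(match.group(0)) if match else 0
    for minimum, action in sorted(thresholds, reverse=True):
        if stars >= minimum:
            return action
    return "inbox"


# The order given in the post: 14 stars first, then 4 stars.
POSTED_ORDER = [("*" * 14, "blackhole"), ("*" * 4, "spambox")]
# The same two rules swapped: the 4-star rule now shadows the 14-star rule.
SWAPPED_ORDER = list(reversed(POSTED_ORDER))
# Numeric thresholds, deliberately listed in the "wrong" order.
THRESHOLDS = [(4, "spambox"), (14, "blackhole")]


def compare(levels=(2, 4, 13, 14, 16)):
    """Return (stars, posted-order, swapped-order, count-based) per level."""
    rows = []
    for stars in levels:
        raw = make_message(stars)
        rows.append((
            stars,
            route_by_contains(raw, POSTED_ORDER),
            route_by_contains(raw, SWAPPED_ORDER),
            route_by_count(raw, THRESHOLDS),
        ))
    return rows


if __name__ == "__main__":
    for row in compare():
        print("%2d stars  posted=%-9s swapped=%-9s counted=%s" % row)
```

With the rules swapped, nothing is ever blackholed, because every bar of 14 or more stars also contains four stars.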
From nobody at devnull.spamcop.net Mon Jan 5 20:47:20 2009 From: nobody at devnull.spamcop.net (Patto) Date: Mon Jan 5 20:50:08 2009 Subject: [Scspamcop] Re: Cookie login problem - Firefox In-Reply-To: References: Message-ID: Thomas Mooney wrote: > Spamcop no longer remembers who I am from one session to the next. This is > only a problem on Firefox (currently 3.0.5). When I enter the URL > www.spamcop.net, I am met with a page whose title is "SpamCop.net - Welcome > registered user - Mozilla Firefox", but the top of the page reads "No userid > found". My userid and password (presumably) is shown in the upper-right > with a Login button. Pressing this button has no noticeable effect. > Following the "Log in here" link takes me to the cookie login page. I enter > the proper information and am returned to the "Welcome registered user" / > "No userid found" page. > > Everything works as expected / hoped on IE 6.0.2800. I no longer user IE, > but it does work. > > Any ideas? Time to contact a deputy? > > Thanks. I have no problem accessing and logging in with FF 3.0.5. From neilk at geovectra.cl Tue Jan 6 10:23:54 2009 From: neilk at geovectra.cl (neil klopfenstein) Date: Tue Jan 6 10:25:08 2009 Subject: [Scspamcop] URL parsing problem Message-ID: http://www.spamcop.net/sc?id=z2505580106z0514ed1398dbff14a647b5240835d068z This spam is highly local which is just the kind I like to report. The spam contains this web address: > www.peltre.cl which is apparently being misparsed by spamcop: > Tracking link: http://www.peltre.cl No recent reports, no history available > Cannot resolve http://www.peltre.cl http://www.peltre.cl/ > > Tracking link: http://www.peltre.cl/ > No recent reports, no history available > Resolves to 200.6.117.50 > Routing details for 200.6.117.50 > [refresh/show] Cached whois for 200.6.117.50 : jolivera@iia.cl > Using last resort contacts jolivera@iia.cl This should probably be fixed. 
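The case reported above, a bare www hostname followed directly by `<` in an HTML body, as an added Python example that is not SpamCop's parser or any poster's code. The whitespace tokenizer stands in for the reported behaviour and the strict extractor is one possible approach; the sample body and all function names are constructed for this example.

```python
import re

# One DNS label: letters, digits and hyphens, not starting or ending with "-".
LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?", re.IGNORECASE)

# A bare "www." host that is not part of an e-mail address or an explicit URL.
# The match ends at the first character that cannot occur in a hostname,
# so "<", ">", quotes and trailing punctuation are never swallowed.
CANDIDATE = re.compile(
    r"(?<![A-Za-z0-9@._/-])www\.[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+"
)

# Constructed sample body: hostnames run straight into markup, as in the report.
BODY = (
    "<html><body><p>Special offer, visit www.example.cl<br>\n"
    "Also at www.shop-example.example.com.</p>\n"
    "Contact: sales@www.example.org</body></html>\n"
)


def is_valid_hostname(host):
    """True when every label is well formed and the last label is alphabetic."""
    if not host or len(host) > 253:
        return False
    labels = host.split(".")
    if not all(LABEL.fullmatch(label) for label in labels):
        return False
    return labels[-1].isalpha()


def naive_candidates(body):
    """Whitespace-delimited tokens starting with 'www.' (stand-in for the bug)."""
    return [tok for tok in body.split() if tok.lower().startswith("www.")]


def strict_hosts(body):
    """Hostnames cut at the first illegal character, validated and de-duplicated."""
    hosts = []
    for match in CANDIDATE.finditer(body):
        host = match.group(0).lower()
        if is_valid_hostname(host) and host not in hosts:
            hosts.append(host)
    return hosts


if __name__ == "__main__":
    for token in naive_candidates(BODY):
        print("naive :", token, "valid hostname:", is_valid_hostname(token))
    for host in strict_hosts(BODY):
        print("strict:", host)
```

The naive tokens carry the markup with them and fail hostname validation, which corresponds to the "Cannot resolve" result in the report; the strict extractor returns only names that can be looked up.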
From nobody at spamcop.net Tue Jan 6 10:49:48 2009 From: nobody at spamcop.net (N. Miller) Date: Tue Jan 6 10:50:09 2009 Subject: [Scspamcop] Re: Hotmail spam References: Message-ID: <8teu5whrbkru.dlg@nobody.spamcop.net> On Mon, 5 Jan 2009 14:54:36 -0000, Leon Mayne from SpamCop wrote: > I seem to be getting a lot of these lately: > http://www.spamcop.net/sc?id=z2502965603z668b298dc3eaae85c8bbd8e3ace5ac71z > To make it worse, Spamassassin is marking their spam score as -2.2. Have > Hotmail given up trying to stop spam? Not by my Hotmail mailbox; they seem to be doing as well as ever. -- Norman ~Oh Lord, why have you come ~To Konnyu, with the Lion and the Drum From MikeE at ster.invalid Tue Jan 6 11:52:14 2009 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jan 6 11:55:08 2009 Subject: [Scspamcop] Re: URL parsing problem References: Message-ID: neil klopfenstein wrote: www.spamcop.net/sc?id=z2505580106z0514ed1398dbff14a647b5240835d068z > > This spam is highly local which is just the kind I like to report. The > spam contains this web address: > >> www.peltre.cl That's not a link. That is not proper html construction for a link. > which is apparently being misparsed by spamcop: > >> Tracking link: http://www.peltre.cl> No recent reports, no history available >> Cannot resolve http://www.peltre.cl But the problem isn't with the address. The problem is with the html construction, in which the URL is never written as an http:// URL. -- if I edit the line so that it > parses correctly, spamcop successfully identifies a contact: You mean if you edit the line to create a clean html when there wasn't one there in the first place. The most efficient way for you to find out a contact from spamcop would be to simply feed the parser the naked hostname, rather than reconstructing an html construction error into a corrected error.
Parsing input: www.peltre.cl Routing details for 200.6.117.50 [refresh/show] Cached whois for 200.6.117.50 : jolivera@iia.cl Using last resort contacts jolivera@iia.cl After SC tells you a notify address, if you are a paid reporter, you can add it as an additional notified and if you are a free reporter you can manually notify it. > This should probably be fixed. That is a b0rken spambody. 'Fixing' the parser to manage html errors in spams isn't going to happen. Spam constructors create such errors both accidentally and on purpose. -- Mike Easter kibitzer, not SC admin From blacklist-me at davjam.org Tue Jan 6 12:51:39 2009 From: blacklist-me at davjam.org (David Bolt) Date: Tue Jan 6 13:30:08 2009 Subject: [Scspamcop] Re: URL parsing problem References: Message-ID: On Tue, 6 Jan 2009, Mike Easter wrote:- >neil klopfenstein wrote: >> This should probably be fixed. > >That is a b0rken spambody. It's not a broken spam body. >'Fixing' the parser to manage html errors in >spams isn't going to happen. Spam constructors create such errors both >accidentally and on purpose. That's what's happening here. The spammer is taking advantage of the feature numerous mail clients have where they scan the body of a message for what look like URLs, and then turn them into a clickable links. Regards, David Bolt -- Team Acorn: http://www.distributed.net/ OGR-NG @ ~100Mnodes RC5-72 @ ~1Mkeys/s | openSUSE 10.3 32b | openSUSE 11.0 32b | openSUSE 10.2 64b | openSUSE 10.3 64b | openSUSE 11.0 64b | openSUSE 11.1 64b TOS 4.02 | openSUSE 10.3 PPC | RISC OS 3.6 | RISC OS 3.11 From neilk at geovectra.cl Tue Jan 6 15:20:26 2009 From: neilk at geovectra.cl (neil klopfenstein) Date: Tue Jan 6 15:25:08 2009 Subject: [Scspamcop] Re: URL parsing problem In-Reply-To: References: Message-ID: Mike Easter wrote: > neil klopfenstein wrote: >>> Cannot resolve http://www.peltre.cl > The above is an example of the parser 'using its imagination'. 
The string > http://www.peltre.cl doesn't exist in the original spam, just > www.peltre.cl Right, well, it's 'using its imagination' wrong, and in a way that can clearly be fixed. Your average mail client doesn't have any trouble making a valid link out of the address, so spamcop shouldn't either. > The most efficient way for you to find out a contact from spamcop would be > to simply feed the parser the naked hostname, rather than reconstructing > an html construction error into a corrected error. I didn't realize you could do that. Nice. >> This should probably be fixed. > > That is a b0rken spambody. 'Fixing' the parser to manage html errors in > spams isn't going to happen. Spam constructors create such errors both > accidentally and on purpose. It's not really broken, though; my mail client 'correctly' turned it into a clickable link, as the spammer assumed it would. There should be no ambiguity since the character < can't appear in a domain name. From tmcgraw at spamcop.net Tue Jan 6 15:57:43 2009 From: tmcgraw at spamcop.net (Tim McGraw) Date: Tue Jan 6 16:00:09 2009 Subject: [Scspamcop] Re: URL parsing problem In-Reply-To: References: Message-ID: neil klopfenstein wrote: > Mike Easter wrote: >> 'Fixing' the parser to manage html errors in spams isn't going to happen. Spam constructors create such errors both accidentally and on purpose. > It's not really broken, though; my mail client 'correctly' turned it > into a clickable link, as the spammer assumed it would. There should > be no ambiguity since the character < can't appear in a domain name. There is a valid point to your request; if the parser can "resolve" www.domain.tld followed by a blank space, then it should not try to resolve www.domain.tld followed by '<' until it finds a space. It's a matter of expected behavior. When the parser was originally created there was a lot of c&p'ing that had to be done to properly resolve URLs.
These days, if my email client can resolve www.domain.tld followed by '<' and even my word processor can do this with little human intervention, then there's no reason the parser could not also be taught to "recognize" valid URLs in the same way. From MikeE at ster.invalid Tue Jan 6 16:27:37 2009 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jan 6 16:30:08 2009 Subject: [Scspamcop] Re: URL parsing problem References: Message-ID: neil klopfenstein wrote: > Mike Easter wrote: >> neil klopfenstein wrote: >>>> Cannot resolve http://www.peltre.cl> >> The above is an example of the parser 'using its imagination'. The >> string http://www.peltre.cl doesn't exist in the original spam, just >> www.peltre.cl > > Right, well, it's 'using its imagination' wrong, and in a way that can > clearly be fixed. Your average mail client doesn't have any trouble > making a valid link out of the address, so spamcop shouldn't either. I guess we have to disagree about that. I don't think the parser ought to be using its imagination at all. I don't think the parser should be 'interpreting' or trying to interpret the errors that mail clients interpret. But then I don't think that the default mode of the parser/report generator should be to notify spamvertiser providers either. As a general rule, most spamvertiser providers are not 'good guys' who want to do anything about spam. Most of the time, spamvertiser providers are part of the spam generating process or in cahoots with it and should not be notified at all. Because of that, I think the default mode of the parser body work should be to deobfuscate URLs and feed the 'raw' URL, not resolved to IP, to the sc-surbl, not notify the provider. >> That is a b0rken spambody. 'Fixing' the parser to manage html errors >> in spams isn't going to happen. Spam constructors create such errors >> both accidentally and on purpose. 
> > It's not really broken, though; my mail client 'correctly' turned it > into a clickable link, as the spammer assumed it would. There should > be no ambiguity since the character < can't appear in a domain name. You and David don't like for me to say that it is broken, so I'll say it another way. The html portion of this spam mime multipart is not html compliant in terms of providing a recognizable html URL which is supposed to be in the format html:// I call that b0rken because it is a significant error. There are an infinite number of different ways that spammers can make b0rken html. Devoting programming, algorithmic resources to over-interpreting the body of the spam, which body I think it should be almost entirely leaving alone is not how I think the parser coders should be spending their time. -- Mike Easter kibitzer, not SC admin From tmcgraw at spamcop.net Tue Jan 6 18:21:27 2009 From: tmcgraw at spamcop.net (Tim McGraw) Date: Tue Jan 6 18:25:08 2009 Subject: [Scspamcop] Re: URL parsing problem In-Reply-To: References: Message-ID: Mike Easter wrote: > As a general rule, most spamvertiser providers are not 'good guys' who > want to do anything about spam. The same could be said for spam sources. But this is not a discussion about what sc should or should not report. > I don't think the parser ought to be using its imagination at all. I > don't think the parser should be 'interpreting' or trying to interpret the > errors that mail clients interpret. But it already does that when it tries to resolve http://www.peltre.cl Scheduled server maintenance and upgrades will be taking place starting at 2:00 p.m. PST on Thursday, January 8, 2009. The SpamCop Reporting Service website will not be available for approximately one hour. Emailed spam submissions will be accepted, but processing will be delayed during the maintenance process. This will not affect the SpamCop/CESmail email service, newsgroups or forums.
Richard From MikeE at ster.invalid Tue Jan 6 19:51:06 2009 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jan 6 19:55:08 2009 Subject: [Scspamcop] Re: URL parsing problem References: Message-ID: Tim McGraw wrote: > Mike Easter wrote: >> As a general rule, most spamvertiser providers are not 'good guys' who >> want to do anything about spam. > > The same could be said for spam sources. But this is not a discussion > about what sc should or should not report. > >> I don't think the parser ought to be using its imagination at all. I >> don't think the parser should be 'interpreting' or trying to interpret >> the errors that mail clients interpret. > > But it already does that when it tries to resolve > http://www.peltre.cl > The question is: bad resolving or good resolving? > > I vote for good resolving. You mean when it tries to manufacture... www.peltre.cl .. into a /real/ URL. I vote for getting out of (the business of) manufacturing something which isn't even found in the spam - a material change. Spam reporters are not allowed to make material changes to spam, and I certainly don't think a (dumb) algorithm ought to be doing it or trying to do it either. Even if in some applications it is a pretty smart algo. -- Mike Easter kibitzer, not SC admin From tmcgraw at spamcop.net Tue Jan 6 20:46:34 2009 From: tmcgraw at spamcop.net (Tim McGraw) Date: Tue Jan 6 20:50:08 2009 Subject: [Scspamcop] Re: URL parsing problem In-Reply-To: References: Message-ID: Mike Easter wrote: > I vote for getting out of (the business of) manufacturing something which > isn't even found in the spam - a material change. A clickable link is something, regardless of the rendering apparatus. > Spam reporters are not allowed to make material changes to spam, and I > certainly don't think a (dumb) algorithm ought to be doing it or trying to > do it either. Even if in some applications it is a pretty smart algo. 
Identifying a clickable link makes a parse more accurate and therefore more believable. From MikeE at ster.invalid Tue Jan 6 22:11:01 2009 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jan 6 22:15:09 2009 Subject: [Scspamcop] Re: URL parsing problem References: Message-ID: Tim McGraw wrote: > Mike Easter wrote: >> I vote for getting out of (the business of) manufacturing something >> which isn't even found in the spam - a material change. > > A clickable link is something, regardless of the rendering apparatus. Clickable? If I paste 'grc' (plus control-enter) into my browser's addressline, the browser thru' my nameservice and the algorithm's of the OS & browser gets the IP of www.grc.com and when it accesses by a particular assumed http protocol http://http://www.grc.com (the 'new' almost completely manufactured URL from nearly nothing), the webserver there redirects the browser to the specific/complete path http://www.grc.com/intro.htm -- which html page is supposed to be compliant so that it will be properly rendered. However, the browser might be able to render an improperly written noncompliant html into something or other. Does that make 'grc' a 'clickable' link? That depends greatly on your definition of 'clickable'. The right kind of click plus everything else converts grc into the URL path/page http://www.grc.com/intro.htm >> Spam reporters are not allowed to make material changes to spam, and I >> certainly don't think a (dumb) algorithm ought to be doing it or >> trying to do it either. Even if in some applications it is a pretty >> smart algo. > > Identifying a clickable link makes a parse more accurate and therefore > more believable. Having a parser make a silk purse out of a sow's ear or make up a 'story' out of whole cloth doesn't make the parser more believable to me. It makes it into a fantasy land. 
-- Mike Easter kibitzer, not SC admin From Kevin_newsspam01 at devnull.invalid Wed Jan 7 04:08:19 2009 From: Kevin_newsspam01 at devnull.invalid (Kevin) Date: Wed Jan 7 04:25:08 2009 Subject: [Scspamcop] Re: Cookie login problem - Firefox References: Message-ID: <2VgMJV$DEHZJFAQh@devnull.invalid> In message , Thomas Mooney writes >"LKing" wrote in message >news:gjtq5v$j88$1@news.spamcop.net... >> Thomas Mooney wrote, On 1/5/2009 2:14 PM: >> > Spamcop no longer remembers who I am from one session to the next. >> >Everything works as expected / hoped on IE 6.0.2800. I no longer >> >user IE, but it does work. [..] >> Works with IE not with FF. don't think you need the deputies. Sounds >> like the FF version of the SpamCop cookies have gotten hosed. >> >> Suggest you delete all SC cookies and start over. >> Tools > Options, select "Security" tab then click on "Saved Passwords.." [..] > >I've tried all of that, several times. I get what appears to be a good >login - my userid is at the top of the page. When I start a new browser >session and go to SpamCop, I get the following messages: > > >No userid found >You appear to be using an old login (you may have logged out in another >browser session) > > >I'm at a loss. Try clearing the cache in Firefox. I've had occasional problems with a few sites and that usually fixes it. -- Kevin From tmcgraw at spamcop.net Wed Jan 7 12:17:15 2009 From: tmcgraw at spamcop.net (Tim McGraw) Date: Wed Jan 7 12:20:08 2009 Subject: [Scspamcop] Re: URL parsing problem In-Reply-To: References: Message-ID: Mike Easter wrote: > Clickable? Does that make 'grc' a 'clickable' link? That depends greatly on your definition of 'clickable'. Allow me to be ME for a moment. The sample we were discussing attempts to manufacture a URL using the '<' character. The parser should not do that. In this example, it should stop at a non-compliant character. >> Identifying a clickable link makes a parse more accurate and therefore >> more believable. 
> Having a parser make a silk purse out of a sow's ear or make up a 'story' > out of whole cloth doesn't make the parser more believable to me. It > makes it into a fantasy land. The parser should not attempt to manufacture a URL using non-compliant characters. From MikeE at ster.invalid Wed Jan 7 12:44:20 2009 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jan 7 12:45:08 2009 Subject: [Scspamcop] Re: URL parsing problem References: Message-ID: Tim McGraw wrote: > Mike Easter wrote: >> Clickable? Does that make 'grc' a 'clickable' >> link? That depends greatly on your definition of 'clickable'. > > Allow me to be ME for a moment. > > The sample we were discussing attempts to manufacture a URL using the > '<' character. The parser should not do that. In this example, it should > stop at a non-compliant character. > >>> Identifying a clickable link makes a parse more accurate and therefore >>> more believable. >> Having a parser make a silk purse out of a sow's ear or make up a >> 'story' >> out of whole cloth doesn't make the parser more believable to me. It >> makes it into a fantasy land. > > The parser should not attempt to manufacture a URL using non-compliant > characters. You are saying how the parser should go about manufacturing URLs. I'm saying the parser shouldn't be manufacturing URLs at all. You want the URL manufacturing to improve (because it seems easy to eliminate noncompliant chars); I'm suggesting that philosophically it is wrong (to manufacture anything) and algorithmically it is (more or less) impossible to counteract all of the infinite varieties of html misconstruction. -- Mike Easter kibitzer, not SC admin From tfm3 at nospam.teleproc.com Wed Jan 7 12:56:58 2009 From: tfm3 at nospam.teleproc.com (Thomas Mooney) Date: Wed Jan 7 13:00:07 2009 Subject: [Scspamcop] Re: Cookie login problem - Firefox References: <2VgMJV$DEHZJFAQh@devnull.invalid> Message-ID: "Kevin" wrote in message news:2VgMJV$DEHZJFAQh@devnull.invalid... 
> In message , Thomas Mooney > writes > >"LKing" wrote in message > >news:gjtq5v$j88$1@news.spamcop.net... > >> Thomas Mooney wrote, On 1/5/2009 2:14 PM: > >> > Spamcop no longer remembers who I am from one session to the next. > >> >Everything works as expected / hoped on IE 6.0.2800. I no longer > >> >user IE, but it does work. > [..] > >> Works with IE not with FF. don't think you need the deputies. Sounds > >> like the FF version of the SpamCop cookies have gotten hosed. > >> > >> Suggest you delete all SC cookies and start over. > >> Tools > Options, select "Security" tab then click on "Saved Passwords.." > [..] > > > >I've tried all of that, several times. I get what appears to be a good > >login - my userid is at the top of the page. When I start a new browser > >session and go to SpamCop, I get the following messages: > > > > > >No userid found > >You appear to be using an old login (you may have logged out in another > >browser session) > > > > > >I'm at a loss. > > Try clearing the cache in Firefox. I've had occasional problems with a > few sites and that usually fixes it. > > -- > Kevin Bingo! That seems to have done it. I had been deleting the SpamCop cookies over and over, but that wasn't working. I don't have a clue what could have been in the cache that was a problem? Regardless, I'm pleased it's resolved. Thanks! From borgholio at storymind.com Thu Jan 8 05:11:33 2009 From: borgholio at storymind.com (Borgholio) Date: Thu Jan 8 05:15:08 2009 Subject: [Scspamcop] Spambot stuck in the "on" position Message-ID: Spam posted in .spam. So far I'm being hit with exactly 100 messages of this type every 10 minutes. Since it started this morning I've received thousands. Also, the spamvertised URL is not being reported at all. It should be reported to: abuse@pwebtech.com abuse@fortressitx.com abuse@nlayer.net abuse@telia.com I almost feel sorry for the abuse dept who is going to wake up in the morning with thousands of Spamcop complaints. 

From g.hyde at bigNOSPAMpond.net.au Thu Jan 8 05:40:08 2009
From: g.hyde at bigNOSPAMpond.net.au (Geoffrey Hyde)
Date: Thu Jan 8 05:45:08 2009
Subject: [Scspamcop] Re: Spambot stuck in the "on" position
References:
Message-ID:

"Borgholio" wrote in message news:gk4jge$m1g$2@news.spamcop.net...
> Spam posted in .spam.
>
> So far I'm being hit with exactly 100 messages of this type every 10
> minutes. Since it started this morning I've received thousands. Also,
> the spamvertised URL is not being reported at all. It should be reported
> to:
>
> abuse@pwebtech.com
> abuse@fortressitx.com
> abuse@nlayer.net
> abuse@telia.com
>
> I almost feel sorry for the abuse dept who is going to wake up in the
> morning with thousands of Spamcop complaints.

From reading your post above, I'm going to assume that you're talking about
a SpamCop report and that you know how to use SpamCop to generate a proper
parse. Please provide the link which is just after "Here is your TRACKING
URL:" so others have a clue what you're talking about.

Cheers ...

Geoffrey Hyde

From leon at rmvme.mvps.org Thu Jan 8 06:08:10 2009
From: leon at rmvme.mvps.org (Leon Mayne)
Date: Thu Jan 8 06:10:07 2009
Subject: [Scspamcop] Re: Hotmail spam
In-Reply-To:
References:
Message-ID:

"Leon Mayne" wrote in message news:gjt712$g0g$1@news.spamcop.net...
>I seem to be getting a lot of these lately:
> http://www.spamcop.net/sc?id=z2502965603z668b298dc3eaae85c8bbd8e3ace5ac71z
> To make it worse, Spamassassin is marking their spam score as -2.2. Have
> Hotmail given up trying to stop spam?

I just wrote a couple of regex's to filter them out by their stupid domain
names in the end:

http://www\.([a-z0-9]*\-)?[a-z0-9]*\-[a-z0-9]*\.cn
http://www\.[a-z0-9]*\-[a-z0-9]*\-[a-z0-9]*\.com

(Or grouped into
(http://www\.[a-z0-9]*\-[a-z0-9]*\-[a-z0-9]*\.com)|(http://www\.([a-z0-9]*\-)?[a-z0-9]*\-[a-z0-9]*\.cn)
)

As long as I don't get a legit email containing a domain like
http://www.this-is-cool.com !
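
Added example (not part of the thread): a Python check of the two patterns posted above against constructed URLs, showing where they over-match and how a tightened variant behaves. It assumes the filter applies each pattern as an unanchored, case-sensitive search; the sample URLs, the tightened patterns and all function names are this example's own.

```python
import re

# The two patterns exactly as posted in the message above.
POSTED = [
    r"http://www\.([a-z0-9]*\-)?[a-z0-9]*\-[a-z0-9]*\.cn",
    r"http://www\.[a-z0-9]*\-[a-z0-9]*\-[a-z0-9]*\.com",
]

# Tightened variants (this example's own, not from the thread):
#  - every label must be non-empty ("+" instead of "*")
#  - the TLD must end the hostname, so ".com" cannot be a prefix of ".company"
#  - matching is case-insensitive, because hostnames are
LABEL = r"[a-z0-9]+"
HOST_END = r"(?=[/:?#\s]|$)"
TIGHTENED = [
    rf"http://www\.(?:{LABEL}-)?{LABEL}-{LABEL}\.cn{HOST_END}",
    rf"http://www\.{LABEL}-{LABEL}-{LABEL}\.com{HOST_END}",
]

POSTED_RE = [re.compile(p) for p in POSTED]
TIGHT_RE = [re.compile(p, re.IGNORECASE) for p in TIGHTENED]

# Constructed sample URLs; only this-is-cool.com comes from the post itself.
SAMPLES = [
    ("http://www.abc-def.cn/", "shape the .cn pattern targets"),
    ("http://www.ab-cd-ef.com/x", "shape the .com pattern targets"),
    ("http://www.this-is-cool.com", "legitimate-looking name from the post"),
    ("http://www.a-b-c.company.example/", "'.com' is only a prefix of the label"),
    ("http://www.--.com/", "empty labels, not a valid hostname"),
    ("HTTP://WWW.AB-CD-EF.COM/", "same host shape written in upper case"),
]


def hits(regexes, text):
    """True if any pattern in the set is found anywhere in the text."""
    return any(r.search(text) for r in regexes)


def evaluate(samples=SAMPLES):
    """Map each URL to (matched_by_posted, matched_by_tightened)."""
    return {url: (hits(POSTED_RE, url), hits(TIGHT_RE, url)) for url, _ in samples}


if __name__ == "__main__":
    for url, note in SAMPLES:
        posted, tight = evaluate()[url]
        print(f"{url:38} posted={posted!s:5} tightened={tight!s:5} {note}")
```

The tightened set removes the accidental matches, but `http://www.this-is-cool.com` is still caught by both: a filter keyed only on hyphen count cannot tell that name from the spam, so a whitelist or a score contribution rather than an outright delete is the safer action.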

From leon at rmvme.mvps.org Thu Jan 8 06:10:39 2009
From: leon at rmvme.mvps.org (Leon Mayne)
Date: Thu Jan 8 06:15:08 2009
Subject: [Scspamcop] Re: Spambot stuck in the "on" position
In-Reply-To:
References:
Message-ID:

"Borgholio" wrote in message news:gk4jge$m1g$2@news.spamcop.net...
> Spam posted in .spam.
>
> So far I'm being hit with exactly 100 messages of this type every 10
> minutes. Since it started this morning I've received thousands. Also,
> the spamvertised URL is not being reported at all. It should be reported
> to:
>
> abuse@pwebtech.com
> abuse@fortressitx.com
> abuse@nlayer.net
> abuse@telia.com
>
> I almost feel sorry for the abuse dept who is going to wake up in the
> morning with thousands of Spamcop complaints.

The spam score seems high enough to not worry about it, they are obviously
quantity rather than quality spammers. Blackhole any messages with a spam
score of 16 or more.

From nobody at devnull.spamcop.net Thu Jan 8 06:15:06 2009
From: nobody at devnull.spamcop.net (Wazoo)
Date: Thu Jan 8 06:20:08 2009
Subject: [Scspamcop] Re: Spambot stuck in the "on" position
References:
Message-ID:

"Borgholio" wrote in message news:gk4jge$m1g$2@news.spamcop.net...
> Spam posted in .spam.
>
> So far I'm being hit with exactly 100 messages of this type every
> 10 minutes. Since it started this morning I've received
> thousands. Also, the spamvertised URL is not being reported at
> all. It should be reported to:

Responded to your post over in spamcop.mail. As researched and stated
there, the URL in question appears to have already been "handled" by
someone. The (non)resolving of spamvertised URLs has been beat to death
over the last few years.

From tim at denmantire.com Thu Jan 8 07:35:07 2009
From: tim at denmantire.com (Tim Boyer)
Date: Thu Jan 8 07:40:08 2009
Subject: [Scspamcop] Re: Spambot stuck in the "on" position
References:
Message-ID:

On Thu, 8 Jan 2009 11:10:39 -0000, "Leon Mayne" wrote:

>"Borgholio" wrote in message
>news:gk4jge$m1g$2@news.spamcop.net...
>> Spam posted in .spam.
>>
>> So far I'm being hit with exactly 100 messages of this type every 10
>> minutes. Since it started this morning I've received thousands. Also,
>> the spamvertised URL is not being reported at all. It should be reported
>> to:
>>
>> abuse@pwebtech.com
>> abuse@fortressitx.com
>> abuse@nlayer.net
>> abuse@telia.com
>>
>> I almost feel sorry for the abuse dept who is going to wake up in the
>> morning with thousands of Spamcop complaints.
>
>The spam score seems high enough to not worry about it, they are obviously
>quantity rather than quality spammers. Blackhole any messages with a spam
>score of 16 or more.

But here's the annoyance. My 'Held Email' now has 2732 messages in it. They're
all spam - but there's no way to clear them faster than 100 at a time, and the
more held email you have, the longer it takes the page to reload.

So I'm going to spend a few hours tonight clicking 'Select All',
'Release/Delete', reload, etc.

It sure would be nice to have a 'REALLY select all' checkbox, or the ability to
see more than 100 email at a time...

-- tim boyer
tim@denmantire.com

From gezgin at spamcop.net.which.is.not.invalid Thu Jan 8 08:14:34 2009
From: gezgin at spamcop.net.which.is.not.invalid (Opinicus)
Date: Thu Jan 8 08:15:07 2009
Subject: [Scspamcop] Re: Spambot stuck in the "on" position
References:
Message-ID:

"Leon Mayne" wrote

> Blackhole any messages with a spam score of 16 or more.

How do I do that? And will it prevent messages from being sent to the
"Held" folder?

--
Bob
http://www.kanyak.com

From user at domain.invalid Thu Jan 8 09:14:33 2009
From: user at domain.invalid (Farelf)
Date: Thu Jan 8 09:15:08 2009
Subject: [Scspamcop] Re: Spambot stuck in the "on" position
In-Reply-To:
References:
Message-ID:

Tim Boyer wrote:
>
> But here's the annoyance. My 'Held Email' now has 2732 messages in it. They're
> all spam - but there's no way to clear them faster than 100 at a time, and the
> more held email you have, the longer it takes the page to reload.
>
> So I'm going to spend a few hours tonight clicking 'Select All',
> 'Release/Delete', reload, etc.
>
> It sure would be nice to have a 'REALLY select all' checkbox, or the ability to
> see more than 100 email at a time...
>

Don't use the mail system myself but I'm sure there's a way - is this any
use?
http://forum.spamcop.net/forums/index.php?showtopic=9659

Other (old) topics in that area discuss the interfaces but I wouldn't know
if any of that is still relevant. Use the search box at the top of the
forum page to look for anything relevant.

From gezgin at spamcop.net.which.is.not.invalid Thu Jan 8 09:28:46 2009
From: gezgin at spamcop.net.which.is.not.invalid (Opinicus)
Date: Thu Jan 8 09:30:08 2009
Subject: [Scspamcop] Re: Spambot stuck in the "on" position
References:
Message-ID:

"Tim Boyer" wrote

> But here's the annoyance. My 'Held Email' now has 2732 messages in it.
> They're

"ronb@mailinator.com (Come JOIN US Today.)", right? You're lucky. I just
trashed 7,000+

> all spam - but there's no way to clear them faster than 100 at a time, and
> the
> more held email you have, the longer it takes the page to reload.
> So I'm going to spend a few hours tonight clicking 'Select All',
> 'Release/Delete', reload, etc.
> It sure would be nice to have a 'REALLY select all' checkbox, or the
> ability to
> see more than 100 email at a time...

There is after a fashion.
This is how it was explained to me and it works:

You can empty the held mail folder using the webmail interface:

Click folders in the navbar

Under folder navigator, find the held mail folder and checkmark it

In the choose action drop down select *empty folders* which is 3rd up
from the bottom (do NOT accidentally choose delete folder which is 3rd
down from the top)

HTH.

--
Bob
http://www.kanyak.com

From nobody at spamcop.net Thu Jan 8 10:51:50 2009
From: nobody at spamcop.net (Ellen)
Date: Thu Jan 8 10:55:09 2009
Subject: [Scspamcop] Re: Spambot stuck in the "on" position
In-Reply-To:
References:
Message-ID:

Tim Boyer wrote:
> On Thu, 8 Jan 2009 11:10:39 -0000, "Leon Mayne" wrote:
>
>> "Borgholio" wrote in message
>> news:gk4jge$m1g$2@news.spamcop.net...
>>> Spam posted in .spam.
>>>
>>> So far I'm being hit with exactly 100 messages of this type every 10
>>> minutes. Since it started this morning I've received thousands. Also,
>>> the spamvertised URL is not being reported at all. It should be reported
>>> to:
>>>
>>> abuse@pwebtech.com
>>> abuse@fortressitx.com
>>> abuse@nlayer.net
>>> abuse@telia.com
>>>
>>> I almost feel sorry for the abuse dept who is going to wake up in the
>>> morning with thousands of Spamcop complaints.
>> The spam score seems high enough to not worry about it, they are obviously
>> quantity rather than quality spammers. Blackhole any messages with a spam
>> score of 16 or more.
>
> But here's the annoyance. My 'Held Email' now has 2732 messages in it. They're
> all spam - but there's no way to clear them faster than 100 at a time, and the
> more held email you have, the longer it takes the page to reload.
>
> So I'm going to spend a few hours tonight clicking 'Select All',
> 'Release/Delete', reload, etc.
>
> It sure would be nice to have a 'REALLY select all' checkbox, or the ability to
> see more than 100 email at a time...
>

log into webemail

click folders

checkmark the held mail folder

use the dropdown to select "empty folder" which is the 3rd from the
bottom -- do NOT select delete folder

it can take the system a while to grind thru emptying a folder if it was
a lot of mail in it but you can start this up and wander off and do
other things

BTW you could also set up an imap acct in your email app - IMAP to your
SC account, do a mass select and delete of all mail in the held mail folder

And BTW2: IIRC you can set your page size to >100 mails if you have some
insane desire to sit around do select all/delete

Ellen
SpamCop

From borgholio at storymind.com Thu Jan 8 14:06:41 2009
From: borgholio at storymind.com (Borgholio)
Date: Thu Jan 8 14:10:07 2009
Subject: [Scspamcop] Re: Spambot stuck in the "on" position
In-Reply-To:
References:
Message-ID:

Geoffrey Hyde wrote:
> "Borgholio" wrote in message
> news:gk4jge$m1g$2@news.spamcop.net...
>> Spam posted in .spam.
>>
>> So far I'm being hit with exactly 100 messages of this type every 10
>> minutes. Since it started this morning I've received thousands. Also,
>> the spamvertised URL is not being reported at all. It should be reported
>> to:
>>
>> abuse@pwebtech.com
>> abuse@fortressitx.com
>> abuse@nlayer.net
>> abuse@telia.com
>>
>> I almost feel sorry for the abuse dept who is going to wake up in the
>> morning with thousands of Spamcop complaints.
>
> From reading your post above, I'm going to assume that you're talking about
> a SpamCop report and that you know how to use SpamCop to generate a proper
> parse. Please provide the link which is just after "Here is your TRACKING
> URL:" so others have a clue what you're talking about.
>
>
> Cheers ...
>
> Geoffrey Hyde
>
>
>

You mean "skip to reports"?

http://mailsc.spamcop.net/sc?id=z2511459038z2b54bb07d493fedd32c230b7e9abbf98z#report

From nobody at spamcop.net Thu Jan 8 14:14:45 2009
From: nobody at spamcop.net (Bar0)
Date: Thu Jan 8 14:15:08 2009
Subject: [Scspamcop] Re: Spambot stuck in the "on" position
References:
Message-ID:

"Borgholio" wrote in message news:gk5irp$6t0$1@news.spamcop.net...
> Geoffrey Hyde wrote:
>> "Borgholio" wrote in message
>> news:gk4jge$m1g$2@news.spamcop.net...
>>> Spam posted in .spam.
>>>
>>> So far I'm being hit with exactly 100 messages of this type every 10
>>> minutes. Since it started this morning I've received thousands. Also,
>>> the spamvertised URL is not being reported at all. It should be
>>> reported to:
>>>
>>> abuse@pwebtech.com
>>> abuse@fortressitx.com
>>> abuse@nlayer.net
>>> abuse@telia.com
>>>
>>> I almost feel sorry for the abuse dept who is going to wake up in the
>>> morning with thousands of Spamcop complaints....

I don't feel sorry for pweb, nlayer, telia, or aplus, they are spammers
through and through. I guess telia forgot about the time they were
depeered a few years back, and subsequently blackholed at AOL, when that
meant pretty much 90% of civilian address space.

I also got a flood, and given the email addy, I suspect "Ron" may have
personally been responsible for almost 100% of worldwide email traffic
last night.

From nobody at spamcop.net Thu Jan 8 14:20:10 2009
From: nobody at spamcop.net (Bar0)
Date: Thu Jan 8 14:25:08 2009
Subject: [Scspamcop] Re: Spambot stuck in the "on" position
References:
Message-ID:

"Bar0" wrote in message news:gk5jb6$ab9$1@news.spamcop.net...
>
> "Borgholio" wrote in message
> news:gk5irp$6t0$1@news.spamcop.net...
>> Geoffrey Hyde wrote:
>>> "Borgholio" wrote in message
>>> news:gk4jge$m1g$2@news.spamcop.net...
>>>> Spam posted in .spam.
>>>>
>>>> So far I'm being hit with exactly 100 messages of this type every 10
>>>> minutes. Since it started this morning I've received thousands. Also,
>>>> the spamvertised URL is not being reported at all. It should be
>>>> reported to:
>>>>
>>>> abuse@pwebtech.com
>>>> abuse@fortressitx.com
>>>> abuse@nlayer.net
>>>> abuse@telia.com
>>>>
>>>> I almost feel sorry for the abuse dept who is going to wake up in the
>>>> morning with thousands of Spamcop complaints....
>
> I don't feel sorry for pweb, nlayer, telia, or aplus, they are spammers
> through and through. I guess telia forgot about the time they were
> depeered a few years back, and subsequently blackholed at AOL, when that
> meant pretty much 90% of civilian address space.
>
> I also got a flood, and given the email addy, I suspect "Ron" may have
> personally been responsible for almost 100% of worldwide email traffic
> last night.

Actually given the volume of delivery, I'd bet it's a joe, still I don't
feel sorry for the "Victims", they are still spammers. I think this is a
case of spammer on spammer warfare. Unfortunately our inboxen are
collateral.

From me at privacy.net Thu Jan 8 19:04:10 2009
From: me at privacy.net (Michael R N Dolbear)
Date: Thu Jan 8 19:05:08 2009
Subject: [Scspamcop] Re: Spambot stuck in the "on" position
References:
Message-ID: <01c971ec$9f4fd6c0$LocalHost@default>

--
Mike D

Ellen wrote in article

> > It sure would be nice to have a 'REALLY select all' checkbox, or the ability to
> > see more than 100 email at a time...

> use the dropdown to select "empty folder" which is the 3rd from the
> bottom -- do NOT select delete folder

> it can take the system a while to grind thru emptying a folder if it was
> a lot of mail in it but you can start this up and wander off and do
> other things

> BTW you could also set up an imap acct in your email app - IMAP to your
> SC account, do a mass select and delete of all mail in the held mail folder

> And BTW2: IIRC you can set your page size to >100 mails if you have some
> insane desire to sit around do select all/delete

And YAM (Yet Another Method) is to use an ad hoc webmail filter (webmail
menu bar item 'Filters') to delete selected items in the held folder,
perhaps all with an SA level of 16 or more

X-Spam-Level contains ****************
action delete

should do it (does the whole of the folder, not just one page).

--
Mike D

From tim at denmantire.com Thu Jan 8 19:50:19 2009
From: tim at denmantire.com (Tim Boyer)
Date: Thu Jan 8 19:55:09 2009
Subject: [Scspamcop] Re: Spambot stuck in the "on" position
References:
Message-ID:

On Thu, 08 Jan 2009 10:51:50 -0500, Ellen wrote:

>Tim Boyer wrote:
>> On Thu, 8 Jan 2009 11:10:39 -0000, "Leon Mayne" wrote:
>>
>>> "Borgholio" wrote in message
>>> news:gk4jge$m1g$2@news.spamcop.net...
>>>> Spam posted in .spam.
>>>>
>>>> So far I'm being hit with exactly 100 messages of this type every 10
>>>> minutes. Since it started this morning I've received thousands. Also,
>>>> the spamvertised URL is not being reported at all. It should be reported
>>>> to:
>>>>
>>>> abuse@pwebtech.com
>>>> abuse@fortressitx.com
>>>> abuse@nlayer.net
>>>> abuse@telia.com
>>>>
>>>> I almost feel sorry for the abuse dept who is going to wake up in the
>>>> morning with thousands of Spamcop complaints.
>>> The spam score seems high enough to not worry about it, they are obviously
>>> quantity rather than quality spammers. Blackhole any messages with a spam
>>> score of 16 or more.
>>
>> But here's the annoyance. My 'Held Email' now has 2732 messages in it. They're
>> all spam - but there's no way to clear them faster than 100 at a time, and the
>> more held email you have, the longer it takes the page to reload.
>>
>> So I'm going to spend a few hours tonight clicking 'Select All',
>> 'Release/Delete', reload, etc.
>>
>> It sure would be nice to have a 'REALLY select all' checkbox, or the ability to
>> see more than 100 email at a time...
>>
>
>
>log into webemail
>
>click folders
>
>checkmark the held mail folder
>
>use the dropdown to select "empty folder" which is the 3rd from the
>bottom -- do NOT select delete folder
>
>
>it can take the system a while to grind thru emptying a folder if it was
>a lot of mail in it but you can start this up and wander off and do
>other things
>
>
>BTW you could also set up an imap acct in your email app - IMAP to your
>SC account, do a mass select and delete of all mail in the held mail folder
>
>
>And BTW2: IIRC you can set your page size to >100 mails if you have some
>insane desire to sit around do select all/delete
>
>
>Ellen
>SpamCop

Hah! I've never even looked at the webmail interface; just used SpamCop for
reporting.

Thanks much as always, Ellen!

-- tim

--
-- tim boyer
tim@denmantire.com

From nobody at spamcop.net Fri Jan 9 01:21:53 2009
From: nobody at spamcop.net (Antispam Knight)
Date: Fri Jan 9 01:25:08 2009
Subject: [Scspamcop] Re: Spambot stuck in the "on" position
References:
Message-ID:

"Opinicus" wrote in message news:gk52iu$bm0$1@news.spamcop.net...
> "Tim Boyer" wrote
>
>> But here's the annoyance. My 'Held Email' now has 2732 messages in it.
>> They're
>
> "ronb@mailinator.com (Come JOIN US Today.)", right? You're lucky. I just
> trashed 7,000+
>
>> all spam - but there's no way to clear them faster than 100 at a time,
>> and the
>> more held email you have, the longer it takes the page to reload.
>> So I'm going to spend a few hours tonight clicking 'Select All',
>> 'Release/Delete', reload, etc.
>> It sure would be nice to have a 'REALLY select all' checkbox, or the
>> ability to
>> see more than 100 email at a time...
>
> There is after a fashion. This is how it was explained to me and it works:
>
>
> You can empty the held mail folder using the webmail interface:
>
> Click folders in the navbar
>
> Under folder navigator, find the held mail folder and checkmark it
>
> In the choose action drop down select *empty folders* which is 3rd up
> from the bottom (do NOT accidentally choose delete folder which is 3rd
> down from the top)
>
>
> HTH.
>
> --
> Bob
> http://www.kanyak.com

You can also do it with an imap capable client. Just click on the first
msg, then shift-click on the last, then delete. I'm using Windows Live
Mail. Yeah, I know--Microsoft, but it does the job.

AK

From leon at rmvme.mvps.org Fri Jan 9 04:58:24 2009
From: leon at rmvme.mvps.org (Leon Mayne)
Date: Fri Jan 9 05:00:08 2009
Subject: [Scspamcop] Re: Spambot stuck in the "on" position
In-Reply-To:
References:
Message-ID:

"Opinicus" wrote in message news:gk4u7q$rvp$1@news.spamcop.net...
>> Blackhole any messages with a spam score of 16 or more.
> How do I do that? And will it prevent messages from being sent to the
> "Held" folder?

Michael already mentioned this. Add a filter to delete based on the spam
level header:
X-Spam-Level contains ****************

From gezgin at spamcop.net.which.is.not.invalid Fri Jan 9 05:43:00 2009
From: gezgin at spamcop.net.which.is.not.invalid (Opinicus)
Date: Fri Jan 9 05:45:07 2009
Subject: [Scspamcop] Re: Spambot stuck in the "on" position
References:
Message-ID:

"Leon Mayne" wrote in message news:gk775s$v2i$1@news.spamcop.net...
> "Opinicus" wrote in message
> news:gk4u7q$rvp$1@news.spamcop.net...
>>> Blackhole any messages with a spam score of 16 or more.
>> How do I do that? And will it prevent messages from being sent to the
>> "Held" folder?
> Michael already mentioned this. Add a filter to delete based on the spam
> level header:
> X-Spam-Level contains ****************

I must have missed that. I'll give it a try.

--
Hoşçakalın,
Robert
Kanyak's Doghouse
http://www.kanyak.com

From gezgin at spamcop.net.which.is.not.invalid Sun Jan 11 01:21:02 2009
From: gezgin at spamcop.net.which.is.not.invalid (Opinicus)
Date: Sun Jan 11 01:25:08 2009
Subject: [Scspamcop] Tap tap tap
Message-ID:

Is this thing on? I've seen no posts in here for something like twelve
hours now...

--
Bob
http://www.kanyak.com

From qcorrell at pacNObell.net Sun Jan 11 01:55:23 2009
From: qcorrell at pacNObell.net (Q Correll)
Date: Sun Jan 11 02:00:09 2009
Subject: [Scspamcop] Re: Tap tap tap
References:
Message-ID:

Opinicus,

| Is this thing on? I've seen no posts in here for something like
| twelve hours now...

Yep,... it's on.

--
Q
01/10/2009 22:55:14
XanaNews Version 1.18.1.52 [Everyone's & Q's Mods]

From news0807REMOVECAPS at orrery.e4ward.com Sun Jan 11 17:52:47 2009
From: news0807REMOVECAPS at orrery.e4ward.com (Ian Smith)
Date: Sun Jan 11 17:55:08 2009
Subject: [Scspamcop] Greylisting losing its effectiveness
Message-ID:

I started playing with the greylisting feature a few months ago and the
effect was dramatic - spam was almost totally eradicated.

Just recently, I've noticed the number of 'tries' increasing and now I'm
getting ever more through to the held mail and some through to my inbox.

Well, at least I now get the pleasure of reporting a few again - I was
getting withdrawal symptoms.

regards, Ian

From nobody at spamcop.net Mon Jan 12 17:17:42 2009
From: nobody at spamcop.net (Steven Underwood)
Date: Mon Jan 12 17:20:07 2009
Subject: [Scspamcop] Re: Greylisting losing its effectiveness
References:
Message-ID:

"Ian Smith" wrote in message news:gkdt82$pgd$1@news.spamcop.net...
>
> I started playing with the greylisting feature a few months ago and the
> effect was dramatic - spam was almost totally eradicated.
>
> Just recently, I've noticed the number of 'tries' increasing and now I'm
> getting ever more through to the held mail and some through to my inbox.
>

Are you noting where these are coming from? I can not duplicate your
results as the only spam I have had in months has come through my forward
(ISP) or POP (gmail) routes.

From news0807REMOVECAPS at orrery.e4ward.com Tue Jan 13 12:47:41 2009
From: news0807REMOVECAPS at orrery.e4ward.com (Ian Smith)
Date: Tue Jan 13 12:50:08 2009
Subject: [Scspamcop] Re: Greylisting losing its effectiveness
In-Reply-To:
References:
Message-ID:

Steven Underwood wrote:
>
>
> "Ian Smith" wrote in message
> news:gkdt82$pgd$1@news.spamcop.net...
>>
>> I started playing with the greylisting feature a few months ago and
>> the effect was dramatic - spam was almost totally eradicated.
>>
>> Just recently, I've noticed the number of 'tries' increasing and now
>> I'm getting ever more through to the held mail and some through to my
>> inbox.
>>
>
> Are you noting where these are coming from? I can not duplicate your
> results as the only spam I have had in months has come through my
> forward (ISP) or POP (gmail) routes.

Servers in Korea, China (and one UK, at CarphoneWarehouse broadband) etc.
Here is a snapshot of today's:

http://www.smithinbedford.org.uk/spam/greylist.gif

... all spam.

Before Xmas, the number of tries would be almost uniformly 1. A genuine
email server will apparently go, typically, almost immediately to 4, then
8 tries within a few minutes.

I can only assume that the spam clients are now doing multiple sends in
order to try to defeat greylisting. There has definitely been a change in
behaviour, at least within the subset of spammers that target me.

regards, Ian

From tmcgraw at spamcop.net Tue Jan 13 13:01:32 2009
From: tmcgraw at spamcop.net (Tim McGraw)
Date: Tue Jan 13 13:05:09 2009
Subject: [Scspamcop] Re: URL parsing problem
In-Reply-To:
References:
Message-ID:

Mike Easter wrote:
> You are saying how the parser should go about manufacturing URLs.
>
> I'm saying the parser shouldn't be manufacturing URLs at all.
>
> You want the URL manufacturing to improve (because it seems easy to
> eliminate noncompliant chars); I'm suggesting that philosophically it is
> wrong (to manufacture anything) and algorithmically it is (more or less)
> impossible to counteract all of the infinite varieties of html
> misconstruction.

In your tortured semantics you're trying to say that you're saying what
I'm actually saying.

This parse gets the reporting right for freshyork.com despite the
presence of garbage characters around it:
http://www.spamcop.net/sc?id=z2522217100zf3f06ee243076b7ee43aa3f08266a804z

It /is/ easy to eliminate noncompliant characters: don't use
noncompliant characters!

From MikeE at ster.invalid Tue Jan 13 14:34:26 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Jan 13 14:35:08 2009
Subject: [Scspamcop] Re: URL parsing problem
References:
Message-ID:

Tim McGraw wrote:
> Mike Easter wrote:
>> You are saying how the parser should go about manufacturing URLs.
>>
>> I'm saying the parser shouldn't be manufacturing URLs at all.
>>
>> You want the URL manufacturing to improve (because it seems easy to
>> eliminate noncompliant chars); I'm suggesting that philosophically it
>> is wrong (to manufacture anything) and algorithmically it is (more or
>> less) impossible to counteract all of the infinite varieties of html
>> misconstruction.
>
> In your tortured semantics you're trying to say that you're saying what
> I'm actually saying.

I don't see it that way.

> This parse gets the reporting right for freshyork.com despite the
> presence of garbage characters around it:
> www.spamcop.net/sc?id=z2522217100zf3f06ee243076b7ee43aa3f08266a804z

In this example, the parser is able to find
http://www.freshyork.com/sp.php

That /IS/ a URL because it is of the structure http:// with appropriate
associated syntax.

> It /is/ easy to eliminate noncompliant characters: don't use
> noncompliant characters!

The other example was /NOT/ a URL because it was not of the structure
http://

The other example was simply a hostname www.peltre.cl

When you were previously debating the other issue, you wanted to make that
hostname + other characters into a http:// style structure when none
existed in the original spam.

If the original spam doesn't contain such a thing as http://www.peltre.cl
then the parser shouldn't say that it does.

--
Mike Easter
kibitzer, not SC admin

From nobody at spamcop.net Tue Jan 13 14:43:33 2009
From: nobody at spamcop.net (Bar0)
Date: Tue Jan 13 14:45:08 2009
Subject: [Scspamcop] Re: URL parsing problem
References:
Message-ID:

"Mike Easter" wrote in message news:gkiqc3$1sh$1@news.spamcop.net...
> Tim McGraw wrote:
>> Mike Easter wrote:
....
> The other example was simply a hostname www.peltre.cl
>
> When you were previously debating the other issue, you wanted to make that
> hostname + other characters into a http:// style structure when none
> existed in the original spam.
>
> If the original spam doesn't contain such a thing as http://www.peltre.cl
> then the parser shouldn't say that it does.

I haven't seen, nor care to, the spam samples at issue, but, in my
experience constructions such as: www.sample.com sans http:// is normally
parsed as a URL within a plain text spam body. So, except for those
occasions where SC chooses not to parse, www.peltrel.cl would have been
parsed in the normal course of events. as long as the body was text or QP.
In an html body the URL would have had to be in an ""
type construction, with some exceptions, where if there are no links found
at all, sometimes the parser does a plaintext search for URL's

That is just behaviour I have noticed, your mileage may vary.

From nobody at spamcop.net Tue Jan 13 15:21:38 2009
From: nobody at spamcop.net (Bar0)
Date: Tue Jan 13 15:25:08 2009
Subject: [Scspamcop] Re: URL parsing problem
References:
Message-ID:

"Bar0" wrote in message news:gkiqt6$536$1@news.spamcop.net...
>
> "Mike Easter" wrote in message
> news:gkiqc3$1sh$1@news.spamcop.net...
>> Tim McGraw wrote:
>>> Mike Easter wrote:
> ....
>> The other example was simply a hostname www.peltre.cl
>>
>> When you were previously debating the other issue, you wanted to make
>> that
>> hostname + other characters into a http:// style structure when none
>> existed in the original spam.
>>
>> If the original spam doesn't contain such a thing as http://www.peltre.cl
>> then the parser shouldn't say that it does.
>
>
> I haven't seen, nor care to, the spam samples at issue, but, in my
> experience constructions such as: www.sample.com sans http:// is normally
> parsed as a URL within a plain text spam body. So, except for those
> occasions where SC chooses not to parse, www.peltrel.cl would have been
> parsed in the normal course of events. as long as the body was text or QP.
> In an html body the URL would have had to be in an ""
> type construction, with some exceptions, where if there are no links found
> at all, sometimes the parser does a plaintext search for URL's
>
> That is just behaviour I have noticed, your mileage may vary.

I forgot to qualify: www.sample.com and http://www.sample.com or
http://sample.com would be recognized as URL's, "sample.com" would not.

Note also www.sample.com and http://www.sample.com resolve to the same
host, http://sample.com may not resolve to the same server, although
usually it does.
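
Added example (not SpamCop's parser and not code from the thread): a conservative extractor for plain-text bodies that follows the behaviour discussed above, accepting `http://` URLs and bare `www.` hostnames but not a bare `sample.com`-style name, stopping at the first non-compliant character, and recording whether the scheme was actually present in the source. The sample body, the allowed character sets and all names are assumptions of this example.

```python
import re
from typing import List, NamedTuple

# Hostname: dot-separated labels of letters, digits and hyphens only.
# Underscore is left out (an assumption; the thread calls it a "perhaps").
HOST = r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+"
# Optional path/query/fragment limited to RFC 3986 characters, so the match
# ends at the first '<', '>', '"' or whitespace instead of absorbing it.
PATH = r"(?:/[A-Za-z0-9\-._~%!$&'()*+,;=:@/?#]*)?"

CANDIDATE = re.compile(
    r"(?<![\w.@/-])"                          # not inside a word or e-mail address
    r"(?:(?P<scheme>https?://)|(?=www\.))"    # explicit scheme, or a bare "www."
    rf"(?P<host>{HOST})(?P<path>{PATH})",
    re.IGNORECASE,
)
TRAILING = ".,;:!?)'"   # sentence punctuation that may cling to a path


class Candidate(NamedTuple):
    as_written: str         # exact text found in the body
    host: str               # lower-cased hostname
    scheme_in_source: bool  # False when only "www." appeared in the body

    def normalized(self) -> str:
        """Derived form for lookups; the scheme is added by us when absent."""
        return self.as_written if self.scheme_in_source else "http://" + self.as_written


def valid_host(host: str) -> bool:
    """Reject hostnames with empty, over-long or hyphen-edged labels."""
    return len(host) <= 253 and all(
        0 < len(label) <= 63 and not label.startswith("-") and not label.endswith("-")
        for label in host.split(".")
    )


def extract(body: str) -> List[Candidate]:
    found = []
    for m in CANDIDATE.finditer(body):
        host = m.group("host").lower()
        if not valid_host(host):
            continue
        path = m.group("path")
        trimmed = path.rstrip(TRAILING)
        text = m.group(0)
        as_written = text[: len(text) - (len(path) - len(trimmed))]
        found.append(Candidate(as_written, host, m.group("scheme") is not None))
    return found


# Constructed sample body (not taken from any spam in the thread).
BODY = (
    "Visit www.example.com<br>now, or http://www.example.net/sp.php?id=7>> today.\n"
    "Also http://example.org. Plain example.com is not a link,\n"
    "and user@www.example.com is an address.\n"
)

if __name__ == "__main__":
    for c in extract(BODY):
        origin = "in source" if c.scheme_in_source else "scheme added"
        print(f"{c.as_written:40} -> {c.normalized()}  [{origin}]")
```

Keeping `as_written` separate from `normalized()` lets a report show both what the message contained and what was looked up, which is the distinction the two sides of the thread are arguing over.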

From tmcgraw at spamcop.net Tue Jan 13 15:38:07 2009
From: tmcgraw at spamcop.net (Tim McGraw)
Date: Tue Jan 13 15:40:08 2009
Subject: [Scspamcop] Re: URL parsing problem
In-Reply-To:
References:
Message-ID:

Mike Easter wrote:
> Tim McGraw wrote:
>> This parse gets the reporting right for freshyork.com despite the
>> presence of garbage characters around it:
>> www.spamcop.net/sc?id=z2522217100zf3f06ee243076b7ee43aa3f08266a804z
> In this example, the parser is able to find
> http://www.freshyork.com/sp.php
>
> That /IS/ a URL because it is of the structure http:// with appropriate
> associated syntax.

True that.

>> It /is/ easy to eliminate noncompliant characters: don't use
>> noncompliant characters!
>
> The other example was /NOT/ a URL because it was not of the structure
> http://
>
> The other example was simply a hostname www.peltre.cl
>
> When you were previously debating the other issue, you wanted to make that
> hostname + other characters into a http:// style structure when none
> existed in the original spam.

Only partially true: I wanted, as sc does, to convert the www. to
http://www. ... I did NOT want it to use anything but alphanumeric
characters, the hyphen and (perhaps) the underscore. Anything else comes
at risk of misinterpretation.

> If the original spam doesn't contain such a thing as http://www.peltre.cl
> then the parser shouldn't say that it does.

If the original spam's payload is www.peltre.cl the sender surely wants
you to click on it. I've not seen a case where this isn't true.

From g.hyde at bigNOSPAMpond.net.au Tue Jan 13 17:42:05 2009
From: g.hyde at bigNOSPAMpond.net.au (Geoffrey Hyde)
Date: Tue Jan 13 17:45:07 2009
Subject: [Scspamcop] Re: URL parsing problem
References:
Message-ID:

"Tim McGraw" wrote in message news:gkikts$cmn$1@news.spamcop.net...

> It /is/ easy to eliminate noncompliant characters: don't use noncompliant
> characters!

It is /not/ easy to eliminate noncompliant characters: Spammers don't
particularly care how the delivery method works for the spamvertised
URL/trojan payload they only care that it does work.

Eliminating noncompliant characters would mean that we would have to
eliminate spammers. That isn't going to happen any time soon, so I fail to
see the point of your argument.

Cheers ...

Geoffrey Hyde

From tmcgraw at spamcop.net Tue Jan 13 19:28:13 2009
From: tmcgraw at spamcop.net (Tim McGraw)
Date: Tue Jan 13 19:30:08 2009
Subject: [Scspamcop] Re: URL parsing problem
In-Reply-To:
References:
Message-ID:

Geoffrey Hyde wrote:
> Tim McGraw wrote:
>> It /is/ easy to eliminate noncompliant characters: don't use noncompliant
>> characters!
> Eliminating noncompliant characters would mean that we would have to
> eliminate spammers.

Noncompliant characters in the context of what the parser does to
construct a URL payload contained in a spamitem.

From joegill at removethis Tue Jan 13 22:05:30 2009
From: joegill at removethis (Joe Gill)
Date: Tue Jan 13 22:10:09 2009
Subject: [Scspamcop] Re: Greylisting losing its effectiveness
In-Reply-To:
References:
Message-ID:

"Ian Smith" wrote in message news:gkik49$8i0$1@news.spamcop.net...
> Steven Underwood wrote:
>>
>>
>> "Ian Smith" wrote in message
>> news:gkdt82$pgd$1@news.spamcop.net...
>>>
>>> I started playing with the greylisting feature a few months ago and the
>>> effect was dramatic - spam was almost totally eradicated.
>>>
>>> Just recently, I've noticed the number of 'tries' increasing and now
>>> I'm getting ever more through to the held mail and some through to my
>>> inbox.
>>>
>>
>> Are you noting where these are coming from? I can not duplicate your
>> results as the only spam I have had in months has come through my forward
>> (ISP) or POP (gmail) routes.
>
> Servers in Korea, China (and one UK, at CarphoneWarehouse broadband) etc.
> Here is a snapshot of today's:
>
> http://www.smithinbedford.org.uk/spam/greylist.gif
>
> ... all spam.
>
> Before Xmas, the number of tries would be almost uniformly 1. A genuine
> email server will apparently go, typically, almost immediately to 4, then
> 8 tries within a few minutes.
>
> I can only assume that the spam clients are now doing multiple sends in
> order to try to defeat greylisting. There has definitely been a change in
> behaviour, at least within the subset of spammers that target me.
>
> regards, Ian

My personal experience has been little change in SPAM level in the last few months. Ever since:
1) I turned on greylisting
2) ATT/Yahoo tightened what they would accept....

From g.hyde at bigNOSPAMpond.net.au Tue Jan 13 22:58:39 2009
From: g.hyde at bigNOSPAMpond.net.au (Geoffrey Hyde)
Date: Tue Jan 13 23:00:08 2009
Subject: [Scspamcop] Re: URL parsing problem
References:
Message-ID:

"Tim McGraw" wrote in message
news:gkjbiu$ig5$1@news.spamcop.net...
> Geoffrey Hyde wrote:
>> Tim McGraw wrote:
>>> It /is/ easy to eliminate noncompliant characters: don't use
>>> noncompliant characters!
>> Eliminating noncompliant characters would mean that we would have to
>> eliminate spammers.
>
> Noncompliant characters in the context of what the parser does to
> construct a URL payload contained in a spamitem.

I stand by my previous statement, which you misquoted out of context.

The whole reason we /have/ noncompliant characters is because they were allowed in email bodies. This subsequently meant that they were allowed in spam. This does /not/ mean that SC has to waste time resolving any of them. It could reconstruct what it needs to get the URL, if it can be depended on. The spammers are relying on buggy code written for an equally buggy browser that happily interprets it as "HMTL" (and the various sub-flavors therein) code. I do not believe that SC, however, should attempt to resolve buggy code in any way, shape, or form.

Cheers ...
Geoffrey Hyde

From tmcgraw at spamcop.net Wed Jan 14 18:38:23 2009
From: tmcgraw at spamcop.net (Tim McGraw)
Date: Wed Jan 14 18:40:09 2009
Subject: [Scspamcop] Re: URL parsing problem
In-Reply-To:
References:
Message-ID:

Geoffrey Hyde wrote:
> The whole reason we /have/ noncompliant characters is because they were
> allowed in email bodies.

A gross over-simplification.

> This does /not/ mean that SC has to waste time resolving any of them.

That's what I've said from the beginning of this thread. However, it comes around to what one defines "noncompliant" is.

From nobody at devnull.spamcop.net Thu Jan 15 10:50:13 2009
From: nobody at devnull.spamcop.net (Blue Rock)
Date: Thu Jan 15 10:55:08 2009
Subject: [Scspamcop] Would Like Some Help Interpreting this Possibly Forged NDR
Message-ID:

I received this following email, which appears on the surface to be backscatter:
http://www.spamcop.net/sc?id=z2525900171z4ceefe2b0a75404ca3f9b878fad1c711z

My domain's email server (spunkymail-mx7.g.dreamhost.com) received this message from a server operated by plus.net (ptb-relay02.plus.net, 212.159.14.146). According to the second Received: header in this message, that server received the message from 80.229.89.202, which is also operated by plus.net.

Normally, when I report spam through Spamcop, it only trusts the first Received: header, since my spamcop account is set up for my Mailhosts. However, in this case, Spamcop trusted plus.net enough, that it actually handled the second Received: header, and added the comment:

"Trusted site 212.159.14 received mail from 80.229.89.202"

At first glance, this looks like a backscatter message that bounced from the mail servers of bluerocksystems.co.uk (which is a British company with the same name as my company, bluerocksystems.com). When I look up the MX server for bluerocksystems.co.uk, it is indeed 80.229.89.202 (at least one of them is), and is operated by plus.net.

However, this bounce includes the original spam message that was rejected. That spam message supposedly originated from 79.127.3.124, which appears to be a very spam-ridden network, and is listed in several block lists. The puzzling thing is that my email address does not appear ANYWHERE within that spam or its headers - it is not in the Return-Path:, From:, or Reply-to: headers.

So, if this really was a bounce, why was it bounced to me?

I conclude that one of two things happened:

1) Some spammer forged the entire NDR, including all the headers, and then somehow injected it at plus.net's server (212.159.14.146).

2) Bluerocksystems.co.uk's MX server is completely messed up, and decided to send an NDR to me at random.

Is there a third possibility that I am missing?

In either case, I am sure that spamcop did the correct thing, in sending the report to plus.net. I am wondering if someone else should be notified of this incident - i.e.:

Should bluerocksystems.co.uk be notified that their MX is producing backscatter? I have notified other legitimate companies when I have received backscatter from them, and some of them have responded positively, and fixed the problem. In this case, I don't want to notify them, if it is uncertain that the backscatter was actually produced by their server.

Should Spamcop be made aware that this happened? If a spammer can inject spam at plus.net's server, with forged headers, and Spamcop trusts the forged header, then some servers can be falsely listed for spam.
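
The trust question raised in the message above, as an added sketch (not SpamCop's code and not part of the original post): a report parser walks the Received: chain from the top and believes a header only if the host that wrote it is the reporter's own mailhost or a relay inside a trusted network. The header lines are constructed from the hosts named in the message; the regex, the `find_source` helper, `mail.example.invalid` and the 192.0.2.77 hop are assumptions made for the example.

```python
import ipaddress
import re

# Constructed Received: lines, newest first. Hosts and the first two IPs are
# the ones named in the message above; the ids, the third hop and its
# documentation-range IP (192.0.2.77) are invented for this example.
SAMPLE_HEADERS = [
    "from ptb-relay02.plus.net (ptb-relay02.plus.net [212.159.14.146]) "
    "by spunkymail-mx7.g.dreamhost.com (Postfix) with ESMTP id EXAMPLE1",
    "from mail.example.invalid ([80.229.89.202]) "
    "by ptb-relay02.plus.net with esmtp id EXAMPLE2",
    "from unknown ([192.0.2.77]) "
    "by mail.example.invalid with SMTP id EXAMPLE3",
]
MY_MAILHOSTS = {"spunkymail-mx7.g.dreamhost.com"}

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\([^()\[\]]*\[(?P<ip>[0-9A-Fa-f:.]+)\]\)\s+"
    r"by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_received(value):
    """Return {'helo', 'ip', 'by'} for one Received: value, or None."""
    match = RECEIVED_RE.search(value)
    if match is None:
        return None
    try:
        peer = ipaddress.ip_address(match.group("ip"))
    except ValueError:
        return None  # bracketed text was not a valid address
    return {"helo": match.group("helo"), "ip": peer,
            "by": match.group("by").lower()}


def find_source(headers, my_mailhosts, trusted_networks):
    """Walk the chain top-down; return (source_ip or None, notes).

    Only a header written by a believed host is used. The top header must be
    written by one of the reporter's own mailhosts. Each further header is
    believed only when the peer that handed the mail over sits inside a
    trusted network, because that peer is then the one that wrote it.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    notes, source = [], None
    for index, raw in enumerate(headers):
        hop = parse_received(raw)
        if hop is None:
            notes.append("unparseable Received line; stopping")
            break
        if index == 0 and hop["by"] not in my_mailhosts:
            notes.append("top header not written by a known mailhost")
            return None, notes
        source = hop["ip"]
        if any(source in net for net in nets):
            notes.append(f"{source} is a trusted relay; reading its header")
            continue
        notes.append(f"{source} is not trusted; anything below is a claim")
        break
    return (str(source) if source is not None else None), notes


if __name__ == "__main__":
    for trusted in ([], ["212.159.14.0/24"],
                    ["212.159.14.0/24", "80.229.89.202/32"]):
        src, notes = find_source(SAMPLE_HEADERS, MY_MAILHOSTS, trusted)
        print(trusted, "->", src)
        for note in notes:
            print("   ", note)
```

Each network added to the trust list moves the reported source one hop further down, into headers the reporter's own server never saw being written, which is why the breadth of a trust entry matters.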
From MikeE at ster.invalid Thu Jan 15 12:41:48 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Jan 15 12:45:09 2009
Subject: [Scspamcop] Re: Would Like Some Help Interpreting this Possibly Forged NDR
References:
Message-ID:

Blue Rock wrote:
> I received this following email, which appears on the surface to be
> backscatter:
> www.spamcop.net/sc?id=z2525900171z4ceefe2b0a75404ca3f9b878fad1c711z

I believe it is a backscatter 'mistake' -- errant bluerocksystems mailserver function.

> My domain's email server (spunkymail-mx7.g.dreamhost.com) received this
> message from a server operated by plus.net (ptb-relay02.plus.net,
> 212.159.14.146). According to the second Received: header in this
> message, that server received the message from 80.229.89.202, which is
> also operated by plus.net.
>
> Normally, when I report spam through Spamcop, it only trusts the first
> Received: header, since my spamcop account is set up for my Mailhosts.
> However, in this case, Spamcop trusted plus.net enough, that it actually
> handled the second Received: header, and added the comment:
>
> "Trusted site 212.159.14 received mail from 80.229.89.202"

SC trusts 212.159.14.146 rDNS ptb-relay02.plus.net to be a server. In fact, it appears that SC trusts the entire class C /24 block of 256 IPs to be a SC trusted server. Notice the missing 4th octet in what you pasted.

inetnum: 212.159.14.0 - 212.159.14.255
descr: Plusnet Portal Servers
descr: PlusNet Technologies Ltd

> At first glance, this looks like a backscatter message that bounced
> from the mail servers of bluerocksystems.co.uk (which is a British
> company with the same name as my company, bluerocksystems.com). When I
> look up the MX server for bluerocksystems.co.uk, it is indeed
> 80.229.89.202 (at least one of them is), and is operated by plus.net.

At first and second and third glances. Sifting thru' the structure, it looks exactly like it would be expected to look if it were a dsn-failure.

> However, this bounce includes the original spam message that was
> rejected. That spam message supposedly originated from 79.127.3.124,
> which appears to be a very spam-ridden network, and is listed in
> several block lists. The puzzling thing is that my email address does
> not appear ANYWHERE within that spam or its headers - it is not in the
> Return-Path:, From:, or Reply-to: headers.

Yep. I agree with you. That is inexplicable. From the original spam, it appears that both the envelope mail from and the From say MensHealth@rodale.delivery.net

> So, if this really was a bounce, why was it bounced to me?

I don't know the answer to that. I'm inclined to blame it on a bluerocksystems error of some kind.

> I conclude that one of two things happened:
>
> 1) Some spammer forged the entire NDR, including all the headers, and
> then somehow injected it at plus.net's server (212.159.14.146).

I don't think so.

> 2) Bluerocksystems.co.uk's MX server is completely messed up, and
> decided to send an NDR to me at random.

I'm going with that one.

> Is there a third possibility that I am missing?
>
> In either case, I am sure that spamcop did the correct thing, in
> sending the report to plus.net. I am wondering if someone else should
> be notified of this incident - i.e.:
>
> Should bluerocksystems.co.uk be notified that their MX is producing
> backscatter?

Sure.

> I have notified other legitimate companies when I have
> received backscatter from them, and some of them have responded
> positively, and fixed the problem. In this case, I don't want to
> notify them, if it is uncertain that the backscatter was actually
> produced by their server.

I don't think the confusion should stop you. The mail admin might be very very interested in the phenomenon.

> Should Spamcop be made aware that this happened? If a spammer can
> inject spam at plus.net's server, with forged headers, and Spamcop
> trusts the forged header, then some servers can be falsely listed for
> spam.

It is 'common practice' for SC to trust servers to be servers which servers are not 'perfect'. The only time a deputy is interested in 'untrusting' a server (or a bank of 256 IPs which are all trusted servers in this case) is when the server is 'only' putting out spam and not serving any legitimate mail. That /24 block is a genuine block of servers that can be trusted to be servers which are also putting out legitimate mail.

--
Mike Easter
kibitzer, not SC admin

From kopfj at worldnet.att.ent Thu Jan 15 12:47:31 2009
From: kopfj at worldnet.att.ent (John O. Kopf)
Date: Thu Jan 15 12:50:07 2009
Subject: [Scspamcop] bad address provided by SpamCop...
Message-ID:

I just received this reply from an ISP I'd complained to; can someone update SpamCop's database?

JK

==========================================================================
Dear Sir or Madam:

Thank you for your reply and suggestion.

We understand you refer to Spamcop DB, however the information is
miscue,Spamcop should correct inaccurate information about net-
abuse@odn.ad.jp.

Anyway,web2808.mail.bbt.yahoo.co.jp ([202.93.80.86]) is not
belonging to our network for NIC.

Thank you,

**********************************************************
Kobayashi?
net-abuse control team
SOFTBANK TELECOM Corp.
E-mail: net-abuse@odn.ad.jp
**********************************************************
Copyright(C) 2009 SOFTBANK TELECOM Corp.?All Rights Reserved

> > The Message contains:
> >
> > Received: from web2808.mail.bbt.yahoo.co.jp ([202.93.80.86])
> >
> > forwarding this IP address to SpamCop, SpamCop returned:
> > ==============================================================
> > Parsing input: 202.93.80.86
> > [report history]
> > Routing details for 202.93.80.86
> > [refresh/show] Cached whois for 202.93.80.86 : noc@bbtower.ad.jp
> > Using abuse net on noc@bbtower.ad.jp
> > abuse net bbtower.ad.jp = noc@bbtower.ad.jp, abuse@bbtower.ad.jp,
> > net-abuse@odn.ad.jp, postmaster@bbtower.ad.jp
> > Using best contacts noc@bbtower.ad.jp abuse@bbtower.ad.jp
> > net-abuse@odn.ad.jp postmaster@bbtower.ad.jp
> > Statistics:
> > 202.93.80.86 not listed in bl.spamcop.net
> > More Information..
> > 202.93.80.86 not listed in dnsbl.njabl.org
> > 202.93.80.86 not listed in dnsbl.njabl.org
> > 202.93.80.86 not listed in cbl.abuseat.org
> > 202.93.80.86 not listed in dnsbl.sorbs.net
> >
> > Reporting addresses:
> > noc@bbtower.ad.jp
> > abuse@bbtower.ad.jp
> > *net-abuse@odn.ad.jp* <======================
> > postmaster@bbtower.ad.jp
> > ==============================================================
> >
> > ...thus, it really *IS YOUR PROBLEM!!!!!*
> >
> > John Kopf
> >
> >
> >
> > ODN Support Center wrote:
>> > > Dear Sir or Madam:
>> > >
>> > > Thank you for contacting us.
>> > >
>> > > We received your report and looked into the IP address. We believe
>> > > that they really came from the server not belonging to our
>> > > network.
>> > >
>> > > We are sorry that we are unable to research any further on sender.
>> > >
>> > > Still, as you have assumed, we appreciate your report. Thank you
>> > > very much for supplying us with this information.
>> > >
>> > > **********************************************************
>> > > Kobayashi?
>> > > net-abuse control team
>> > > SOFTBANK TELECOM Corp.
>> > > E-mail: net-abuse@odn.ad.jp
>> > > **********************************************************
>> > > Copyright(C) 2009 SOFTBANK TELECOM Corp.?All Rights Reserved

From nobody at devnull.spamcop.net Thu Jan 15 13:56:00 2009
From: nobody at devnull.spamcop.net (Blue Rock)
Date: Thu Jan 15 14:00:09 2009
Subject: [Scspamcop] Re: Would Like Some Help Interpreting this Possibly Forged NDR
References:
Message-ID:

"Mike Easter" wrote in message
news:gknsgs$fs4$1@news.spamcop.net...
> Blue Rock wrote:
>> I received this following email, which appears on the surface to be
>> backscatter:
>>
> www.spamcop.net/sc?id=z2525900171z4ceefe2b0a75404ca3f9b878fad1c711z
>
> I believe it is a backscatter 'mistake' -- errant bluerocksystems
> mailserver function.
>> I conclude that one of two things happened:
>>
>> 1) Some spammer forged the entire NDR, including all the headers, and
>> then somehow injected it at plus.net's server (212.159.14.146).
>
> I don't think so.
>
>> 2) Bluerocksystems.co.uk's MX server is completely messed up, and
>> decided to send an NDR to me at random.
>
> I'm going with that one.

Really? I was actually leaning towards: "there is a third possibility that I am overlooking." How would Bluerocksystems.co.uk's MX come up with an un-published address to randomly send the NDR to? Would it just generate a bunch of characters at random and come up with xxxxxxxxx [at] bluerocksystems.com, where xxxxxxxxx is an address that I only use to communicate with trusted sources? Come to think of it, the address xxxxxxxxx has been captured by spammers, so I suppose Bluerocksystems.co.uk's MX could have remembered that address (possibly forged) on other spam message it has received in the past. If this is the case, however, that would be a serious flaw in that server's software.

>> Should bluerocksystems.co.uk be notified that their MX is producing
>> backscatter?
>
> Sure.
>
>> I have notified other legitimate companies when I have
>> received backscatter from them, and some of them have responded
>> positively, and fixed the problem. In this case, I don't want to
>> notify them, if it is uncertain that the backscatter was actually
>> produced by their server.
>
> I don't think the confusion should stop you. The mail admin might be very
> very interested in the phenomenon.

I guess you are right. Whatever the case, it appears that server is generating backscatter, and one way or the other, they should be notified so that they can stop it.

From MikeE at ster.invalid Thu Jan 15 14:24:44 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Jan 15 14:25:08 2009
Subject: [Scspamcop] Re: bad address provided by SpamCop...
References:
Message-ID:

John O. Kopf wrote:
> I just received this reply from an ISP I'd complained to; can someone
> update SpamCop's database?

I can't help you with your request for a deputy to update the SC routing db, but I can comment on some observations.

I'm not sure that I would interpret this correspondence below as indicating that the routing db should be changed.

This is about 202.93.80.86 rDNS web2808.mail.bbt.yahoo.co.jp which lives in here:

inetnum: 202.93.64.0 - 202.93.95.255
netname: GCTR
descr: BroadBand Tower, Inc.
admin-c: JNIC1-AP
tech-c: JNIC1-AP
remarks: Email address for spam or abuse complaints :
noc@bbtower.ad.jp

whois -h whois.abuse.net bbtower.ad.jp ...
abuse@bbtower.ad.jp net-abuse@odn.ad.jp postmaster@bbtower.ad.jp
noc@bbtower.ad.jp (for bbtower.ad.jp)

whois -h whois.apnic.net jnic1-ap
role: Japan Network Information Center
e-mail: hostmaster@nic.ad.jp

It would seem to me that if BroadBand Tower wants their abuse notifies to go to some particular place, that they should configure appropriately at apnic and abuse-net.

http://www.spamcop.net/fom-serve/cache/343.html How do I register an abuse@ email address?

> We understand you refer to Spamcop DB, however the information is
> miscue,Spamcop should correct inaccurate information about net-
> abuse@odn.ad.jp.
>
> Anyway,web2808.mail.bbt.yahoo.co.jp ([202.93.80.86]) is not
> belonging to our network for NIC.
>
> Thank you,
>
> **********************************************************
> Kobayashi???
> net-abuse control team
> SOFTBANK TELECOM Corp.
> E-mail: net-abuse@odn.ad.jp
> **********************************************************

SC notified 3 bbtower addies and also net-abuse@odn.ad.jp.

I'm not sure what Kobayashi is saying here -- but I don't interpret it as meaning that SC's db should be changed in any way. I think he is trying to say his address shouldn't be included at abuse-net. Perhaps he should take that up with the admin for bbtower.ad.jp and abuse-net.

--
Mike Easter
kibitzer, not SC admin

From nobody at spamcop.net Fri Jan 16 06:16:11 2009
From: nobody at spamcop.net (Ellen)
Date: Fri Jan 16 08:20:09 2009
Subject: [Scspamcop] Re: Would Like Some Help Interpreting this Possibly Forged NDR
In-Reply-To:
References:
Message-ID:

Mike Easter wrote:
>
> It is 'common practice' for SC to trust servers to be servers which
> servers are not 'perfect'. The only time a deputy is interested in
> 'untrusting' a server (or a bank of 256 IPs which are all trusted servers
> in this case) is when the server is 'only' putting out spam and not
> serving any legitimate mail. That /24 block is a genuine block of servers
> that can be trusted to be servers which are also putting out legitimate
> mail.
>
>
>

Good catch on the /24. I am slightly underwhelmed by some things I am seeing in the database so I have removed the trusted flag from the /24.

Ellen
SpamCop

From kopfj at worldnet.att.ent Fri Jan 16 09:59:00 2009
From: kopfj at worldnet.att.ent (John O. Kopf)
Date: Fri Jan 16 10:00:08 2009
Subject: [Scspamcop] Re: bad address provided by SpamCop...
In-Reply-To:
References:
Message-ID:

Mike Easter wrote:
> John O. Kopf wrote:
>> I just received this reply from an ISP I'd complained to; can someone
>> update SpamCop's database?
>
> I can't help you with your request for a deputy to update the SC routing
> db, but I can comment on some observations.
>
> I'm not sure that I would interpret this correspondence below as
> indicating that the routing db should be changed.
>
> This is about 202.93.80.86 rDNS web2808.mail.bbt.yahoo.co.jp which lives
> in here:
>
>
> inetnum: 202.93.64.0 - 202.93.95.255
> netname: GCTR
> descr: BroadBand Tower, Inc.
> admin-c: JNIC1-AP
> tech-c: JNIC1-AP
> remarks: Email address for spam or abuse complaints :
> noc@bbtower.ad.jp
>
>
>
> whois -h whois.abuse.net bbtower.ad.jp ...
> abuse@bbtower.ad.jp net-abuse@odn.ad.jp postmaster@bbtower.ad.jp
> noc@bbtower.ad.jp (for bbtower.ad.jp)
>
>
> whois -h whois.apnic.net jnic1-ap
> role: Japan Network Information Center
> e-mail: hostmaster@nic.ad.jp
>
> It would seem to me that if BroadBand Tower wants their abuse notifies to
> go to some particular place, that they should configure appropriately at
> apnic and abuse-net.
>
> http://www.spamcop.net/fom-serve/cache/343.html How do I register an
> abuse@ email address?
>
>> We understand you refer to Spamcop DB, however the information is
>> miscue,Spamcop should correct inaccurate information about net-
>> abuse@odn.ad.jp.
>>
>> Anyway,web2808.mail.bbt.yahoo.co.jp ([202.93.80.86]) is not
>> belonging to our network for NIC.
>>
>> Thank you,
>>
>> **********************************************************
>> Kobayashi???
>> net-abuse control team
>> SOFTBANK TELECOM Corp.
>> E-mail: net-abuse@odn.ad.jp
>> **********************************************************
>
> SC notified 3 bbtower addies and also net-abuse@odn.ad.jp.
>
> I'm not sure what Kobayashi is saying here -- but I don't interpret it as
> meaning that SC's db should be changed in any way. I think he is trying
> to say his address shouldn't be included at abuse-net. Perhaps he should
> take that up with the admin for bbtower.ad.jp and abuse-net.

Thanks - since I didn't know how to deal with it, I thought I'd post it here so that someone knowledgeable could handle it.

John Kopf

From anfi at onet.eu Fri Jan 16 18:24:00 2009
From: anfi at onet.eu (Andrzej Adam Filip)
Date: Fri Jan 16 18:25:07 2009
Subject: [Scspamcop] Reporting REJECTED spam
Message-ID:

Are there any special recommendations for reporting spam *REJECTED* in SMTP session (after receiving the message)?

--
[pl>en Andrew] Andrzej Adam Filip : anfi@onet.eu : anfi@xl.wp.pl
Bad men live that they may eat and drink, whereas good men eat and drink that they may live.
-- Socrates

From user at domain.invalid Sun Jan 18 04:55:09 2009
From: user at domain.invalid (Farelf)
Date: Sun Jan 18 05:00:07 2009
Subject: [Scspamcop] Re: Reporting REJECTED spam
In-Reply-To:
References:
Message-ID:

Andrzej Adam Filip wrote:
> Are there any special recommendations for reporting spam *REJECTED* in
> SMTP session (after receiving the message)?
>

Many are (doubtless) wondering, I will ask - how on earth can message receipt precede the SMTP session?

From Ag2000CO at Starband.net Sun Jan 18 05:46:59 2009
From: Ag2000CO at Starband.net (LKing)
Date: Sun Jan 18 05:50:09 2009
Subject: [Scspamcop] Re: Reporting REJECTED spam
In-Reply-To:
References:
Message-ID:

Andrzej Adam Filip wrote, On 1/16/2009 6:24 PM:
> Are there any special recommendations for reporting spam *REJECTED* in
> SMTP session (after receiving the message)?
>

Adam Let me guess.

On your computer you are using some anti-spam/virus program that scans your outgoing email

and/or

the ISP that provides you outgoing email service scans your email for virus/spam.

during either of these scans, which looks like after/during the SMTP session to your local email application, you get a message (maybe in a popup window) saying *REJECTED*

This is _not_ a "rejection" during the SMTP session between your SMTP server and the receiving mail service, but a rejection during the hand off of the email from your local email app and the SMTP server at your ISP.

From nobody at spamcop.net Sun Jan 18 09:34:00 2009
From: nobody at spamcop.net (bar0)
Date: Sun Jan 18 09:35:08 2009
Subject: [Scspamcop] Re: Reporting REJECTED spam
References:
Message-ID:

"Farelf" wrote in message
news:gkuu9r$dqe$1@news.spamcop.net...
> Andrzej Adam Filip wrote:
>> Are there any special recommendations for reporting spam *REJECTED* in
>> SMTP session (after receiving the message)?
>>
>
> Many are (doubtless) wondering, I will ask - how on earth can message
> receipt precede the SMTP session?

It can't, however, message receipt (acknowledgement with a 5xx code (reject)) can take place after receiving the DATA stream. See posts by Vernon Schryver in NANAE.

From anfi at onet.eu Sun Jan 18 13:38:34 2009
From: anfi at onet.eu (Andrzej Adam Filip)
Date: Sun Jan 18 13:40:09 2009
Subject: [Scspamcop] Re: Reporting REJECTED spam
References:
Message-ID:

LKing wrote:
> Andrzej Adam Filip wrote, On 1/16/2009 6:24 PM:
>> Are there any special recommendations for reporting spam *REJECTED* in
>> SMTP session (after receiving the message)?
>>
> Adam Let me guess.
>
> On your computer you are using some anti-spam/virus program that scans
> your outgoing email
>
> and/or
>
> the ISP that provides you outgoing email service scans your email for
> virus/spam.
>
> during either of these scans, which looks like after/during the SMTP
> session to your local email application, you get a message (maybe in a
> popup window) saying *REJECTED*
>
> This is _not_ a "rejection" during the SMTP session between your SMTP
> server and the receiving mail service, but a rejection during the hand
> off of the email from your local email app and the SMTP server at your
> ISP.

1) I use spamassassin to do "in SMTP session" scanning on my "personal MTA" [sendmail & mimedefang milter]
2) Some spam messages are rejected in reply to the final dot in SMTP session after receiving all headers and body (rejection is based on score produced by spamassassin scan)
=> so I (postmaster) end up with a copy of spam message *rejected* in SMTP session

I think such "rejected spam delivery attempts" are "reportable" to spamcop.net (I have the message/spam) *BUT* I am sure it may avoid some fuss and concussions of postmasters to (somehow) clearly *MARK* in spamcop.net report that message was rejected.

--
[pl>en Andrew] Andrzej Adam Filip : anfi@onet.eu : anfi@xl.wp.pl
Mankind is poised midway between the gods and the beasts.
-- Plotinus

From MikeE at ster.invalid Sun Jan 18 14:45:41 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Jan 18 14:50:08 2009
Subject: [Scspamcop] Re: Reporting REJECTED spam
References:
Message-ID:

Andrzej Adam Filip wrote:
>>> Are there any special recommendations for reporting spam *REJECTED* in
>>> SMTP session (after receiving the message)?
> 1) I use spamassassin to do "in SMTP session" scanning on my "personal
> MTA" [sendmail & mimedefang milter]
> 2) Some spam messages are rejected in reply to the final dot
> in SMTP session after receiving all headers and body
> (rejection is based on score produced by spamassassin scan)
> => so I (postmaster) end up with a copy of spam message *rejected*
> in SMTP session
>
> I think such "rejected spam delivery attempts" are "reportable" to
> spamcop.net (I have the message/spam) *BUT* I am sure it may avoid some
> fuss and concussions of postmasters to (somehow) clearly *MARK* in
> spamcop.net report that message was rejected.

Short version: report 'em

Long version: When you say you 'rejected' something that you received in its entirety and saved, I'm reminded of a kooky newsgroup participant (Alan Connor) who had a very strange way of reading and replying to news messages, which strange way caused him to say that he hadn't 'downloaded' (implying 'or read') the messages that he was replying to. It also resulted in a very awkward way of replying.

Yes, AC, somehow you found out the content of a news message, so you can respond/reply to it. Yes, (Alan/)Andrzej -- somehow you found out that a spam was propagated to you, so you can report it.

--
Mike Easter
kibitzer, not SC admin

From user at domain.invalid Sun Jan 18 15:36:31 2009
From: user at domain.invalid (Farelf)
Date: Sun Jan 18 15:40:08 2009
Subject: [Scspamcop] Re: Reporting REJECTED spam
In-Reply-To:
References:
Message-ID:

bar0 wrote:
> "Farelf" wrote in message
> news:gkuu9r$dqe$1@news.spamcop.net...
>
>>Andrzej Adam Filip wrote:
>>
>>>Are there any special recommendations for reporting spam *REJECTED* in
>>>SMTP session (after receiving the message)?
>>>
>>
>>Many are (doubtless) wondering, I will ask - how on earth can message
>>receipt precede the SMTP session?
>
>
> It can't, however, message receipt (acknowledgement with a 5xx code
> (reject)) can take place after receiving the DATA stream. See posts by
> Vernon Schryver in NANAE.
>
>

Thanks (I live and learn) - and I see Mike Easter has responded to the O/P's question.

From nobody at spamcop.net Sun Jan 18 20:32:46 2009
From: nobody at spamcop.net (Ellen)
Date: Sun Jan 18 20:35:08 2009
Subject: [Scspamcop] Re: Reporting REJECTED spam
In-Reply-To:
References:
Message-ID:

Andrzej Adam Filip wrote:
> LKing wrote:
>
>> Andrzej Adam Filip wrote, On 1/16/2009 6:24 PM:
>>> Are there any special recommendations for reporting spam *REJECTED* in
>>> SMTP session (after receiving the message)?
>
> 1) I use spamassassin to do "in SMTP session" scanning on my "personal MTA"
> [sendmail & mimedefang milter]
> 2) Some spam messages are rejected in reply to the final dot
> in SMTP session after receiving all headers and body
> (rejection is based on score produced by spamassassin scan)
> => so I (postmaster) end up with a copy of spam message *rejected*
> in SMTP session
>
> I think such "rejected spam delivery attempts" are "reportable" to
> spamcop.net (I have the message/spam) *BUT* I am sure it may avoid some
> fuss and concussions of postmasters to (somehow) clearly *MARK* in
> spamcop.net report that message was rejected.
>

Hrmmmm interesting question -- you issued the 5xx at the end of data so presumably if some postmaster is keeping track when you report the spam it looks like there were 2 spams - one that was rejected and one that was sent and accepted. That said in the case of botnet generated spam it matters not one whit as far as I am concerned. In the case of mainsleeze spam well then maybe it matters ... In either case there is no way to "mark" the spam as rejected yet accepted for spam reporting.

You have any idea what volume you are talking about and what kind of spam it is?

Ellen
SpamCop

From anfi at onet.eu Mon Jan 19 05:31:53 2009
From: anfi at onet.eu (Andrzej Adam Filip)
Date: Mon Jan 19 05:35:08 2009
Subject: [Scspamcop] Re: Reporting REJECTED spam
References:
Message-ID:

Ellen wrote:
> Andrzej Adam Filip wrote:
>> LKing wrote:
>>
>>> Andrzej Adam Filip wrote, On 1/16/2009 6:24 PM:
>>>> Are there any special recommendations for reporting spam *REJECTED* in
>>>> SMTP session (after receiving the message)?
>
>>
>> 1) I use spamassassin to do "in SMTP session" scanning on my "personal MTA"
>> [sendmail & mimedefang milter]
>> 2) Some spam messages are rejected in reply to the final dot in
>> SMTP session after receiving all headers and body (rejection is
>> based on score produced by spamassassin scan)
>> => so I (postmaster) end up with a copy of spam message *rejected*
>> in SMTP session
>>
>> I think such "rejected spam delivery attempts" are "reportable" to
>> spamcop.net (I have the message/spam) *BUT* I am sure it may avoid some
>> fuss and concussions of postmasters to (somehow) clearly *MARK* in
>> spamcop.net report that message was rejected.
>>
>
> Hrmmmm interesting question -- you issued the 5xx at the end of data
> so presumably if some postmaster is keeping track when you report the
> spam it looks like there were 2 spams - one that was rejected and one
> that was sent and accepted. That said in the case of botnet generated
> spam it matters not one whit as far as I am concerned. In the case of
> mainsleeze spam well then maybe it matters ... In either case there is
> no way to "mark" the spam as rejected yet accepted for spam reporting.

I was thinking about adding "extra header" to *reported* spam. e.g.

X-Info-_FQDN_: Rejected by _FQDN_ in SMTP session (after "the final dot")

> You have any idea what volume you are talking about and what kind of
> spam it is?

The volume on my (personal) servers is low.
I was thinking more about introducing (in mimedefang milter) new procedure for dealing with "most likely spam":
*IF* you can not reject message/spam before reply to "the final dot"
*THEN* reject but put a copy into special IMAP folder of the recipient
[ Inbox,Spambox,RejectBox]
folder with old messages automatically purged, folder most users will hardly ever visit

It should allow
a) better handling and detection of "false positives"
b) reporting rejected spam *IF* recipient wants to

P.S.
I also (as recipient) prefer approach "see spam for you IF YOU WANT" :-)

--
[pl>en Andrew] Andrzej Adam Filip : anfi@onet.eu : anfi@xl.wp.pl
"I have a bone to pick, and a few to break."
-- Anonymous

From g.hyde at bigNOSPAMpond.net.au Mon Jan 19 06:28:20 2009
From: g.hyde at bigNOSPAMpond.net.au (Geoffrey Hyde)
Date: Mon Jan 19 06:30:08 2009
Subject: [Scspamcop] Re: Reporting REJECTED spam
References:
Message-ID:

"Andrzej Adam Filip" wrote in message
news:emwtzuv178@amy.anfi.chickenkiller.com...
> I was thinking more about introducing (in mimedefang milter)
> new procedure for dealing with "most likely spam":
> *IF* you can not reject message/spam before reply to "the final dot"
> *THEN* reject but put a copy into special IMAP folder of the recipient
> [ Inbox,Spambox,RejectBox]
> folder with old messages automatically purged, folder most users will
> hardly ever visit
>
> It should allow
> a) better handling and detection of "false positives"
> b) reporting rejected spam *IF* recipient wants to

You should make sure that however you reject the spam or copy it into a box for later analysis/manual reporting, that it is handled compliantly - if at all possible - with regards to the "RFC" specification concerning handling of such email. If on the other hand, you're going to handle it noncompliantly, please be aware that noncompliance makes you responsible for anything that gets stuffed up due to the noncompliant way you're handling it.
Or to put it a simpler way, avoid getting into "garbage in, garbage out" mail transactions at all costs!

Lastly, make sure you're not feeding this spam to any mailserver outside the network you're responsible for, either accidentally, or on purpose. You might be able to feed it to SpamCop for reporting purposes, however, that may require special case setup at SpamCop. Perhaps you ought to consider signing up at SpamCop for an ISP account, if you qualify?

Cheers ...

Geoffrey Hyde

From nobody at spamcop.net Mon Jan 19 07:37:06 2009
From: nobody at spamcop.net (Ellen)
Date: Mon Jan 19 08:25:08 2009
Subject: [Scspamcop] Re: Reporting REJECTED spam
In-Reply-To:
References:
Message-ID:

Andrzej Adam Filip wrote:
>
> I was thinking about adding "extra header" to *reported* spam. e.g.
>
> X-Info-_FQDN_: Rejected by _FQDN_ in SMTP session (after "the final dot")

I would expect that the header is unlikely to be read by a human and I am not sure it conveys what you want it to convey. But it should be harmless to add it.

Ellen
SpamCop

From chris at ineedhelp.com.au Tue Jan 20 05:05:40 2009
From: chris at ineedhelp.com.au (Christopher Newell)
Date: Tue Jan 20 05:10:08 2009
Subject: [Scspamcop] Effectiveness of reporting
Message-ID:

Hi All,
I have used spamcop for awhile and find it very accurate. However when an obvious spam gets through I report it and nothing happens....ever..
I check the list for a few days to see if they have been added and nothing.
Why is this?
surely i'm not the only one being spammed, although it is a targeted spam.
They being spammed from various companies which sell online game currency.
Obviously their lists are harvested from other companies client lists.

How can i get these buggers listed?

Regards,
Chris N.

From g.hyde at bigNOSPAMpond.net.au Tue Jan 20 07:53:02 2009
From: g.hyde at bigNOSPAMpond.net.au (Geoffrey Hyde)
Date: Tue Jan 20 07:55:08 2009
Subject: [Scspamcop] Re: Effectiveness of reporting
References:
Message-ID:

"Christopher Newell" wrote in message
news:gl47lm$k2b$1@news.spamcop.net...
> Hi All,
> I have used spamcop for awhile and find it very accurate. However when an
> obvious spam gets through I report it and nothing happens....ever..
> I check the list for a few days to see if they have been added and
> nothing.
> Why is this?
> surely i'm not the only one being spammed, although it is a targeted spam.
> They being spammed from various companies which sell online game currency.
> Obviously their lists are harvested from other companies client lists.
>
> How can i get these buggers listed?

Okay, first of all, if someone is trying to sell you online game currency, perhaps you should visit sites you had visited in the past where you bought/sold game currency or signed up to look at what they offered. There is more than one definition of spam, it sounds like you may have opted in somewhere. Or someone in your family has been using your PC without your permission.

Secondly, you should consider the possibility that someone has a very similar email address to yours and that the company is mistakenly sending you this email - maybe it was mistyped. I had that happen to me once, when I finally got into contact with the person sending it, they said it was an assumption a relative had made.

What you should also be checking, depending on what your level of understanding of email headers is, would be whether the IP addresses provided match up to what the email headers claim they are. If email headers match IP addresses and SpamCop chains correctly through them to get to the bottom-most address, perhaps you should consider these as not being from a zombified PC sending spam email.

If, after all of the above checks out, you still think you are dealing with a spam email, you should get the tracking URL located at the top of the parse labeled "Here is your TRACKING URL" and paste it here so others can offer an analysis of the spam item in question.

HTH

Cheers ...

Geoffrey Hyde

From Ag2000CO at Starband.net Tue Jan 20 09:01:48 2009
From: Ag2000CO at Starband.net (LKing)
Date: Tue Jan 20 09:05:09 2009
Subject: [Scspamcop] Re: Effectiveness of reporting
In-Reply-To:
References:
Message-ID:

Christopher Newell wrote, On 1/20/2009 5:05 AM:
>
> surely i'm not the only one being spammed, although it is a targeted
> spam.

Although you may not be the only one being spammed, it is quite possible you may be the only one reporting the spam.

In addition to spamCop I also send spam to KnujOn. My weekly report shows how many times I have reported a domain and how many times others have reported the same domain. Each week I see several cases where I am the only one to have reported a domain.

Given the targeted group being offered game gold, it is possible you are the only spamcop user getting the spam. That is one list I'm not on. Like Geoffrey suggested we (you & I) may browse different parts of the web.

- Lou

From MikeE at ster.invalid Tue Jan 20 10:47:58 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Jan 20 10:50:08 2009
Subject: [Scspamcop] Re: Effectiveness of reporting
References:
Message-ID:

Christopher Newell wrote:

> I have used spamcop for awhile and find it very accurate. However when an
> obvious spam gets through I report it and nothing happens....ever..
> I check the list for a few days to see if they have been added and
> nothing. Why is this?

Your question seems to be why some source report you have in your mind does not result in a SCbl listing, but you didn't actually name the IP source.

(Such) A generic question (which I sometimes refer to as an 'imaginary' example) can never be answered as specifically as a specific question (which I sometimes refer to as a 'real' example).

If you had named the actual IP source, one could address an answer to the 'nature' of the specific IP and why it might not be easily listed, such as a server source which has lots of reputation points - where reputation is an indication of the volume of 'traffic' from that IP as tallied by such as senderbase.

> How can i get these buggers listed?

Precisely which buggers are you talking about? The SCbl does not list spamvertised URLs. The SCbl lists reported spamsources which are reported with sufficient frequency to outweigh the amount of reputation points or traffic of 'goodmail' (not spam reported) from that IP.

--
Mike Easter
kibitzer, not SC admin

From piratebob at webtv.net Tue Jan 20 12:48:05 2009
From: piratebob at webtv.net (RM MS)
Date: Tue Jan 20 12:50:08 2009
Subject: [Scspamcop] New to SpamCop
Message-ID: <16626-49760E55-407@storefull-3312.bay.webtv.net>

Hello, my name is Bob, I'm 49 y.o., I am on webtv Plus since late 1999.
Fairly well-versed and experienced on most webtv user subjects, such as VCR and TV hookups, camcorder, e-scanner and other image sources, transloading, Pagebuilder, file moving, all the basics, and willing to offer help when I can. Have had contact with many of the pioneers in other groups, and thank you all for that, you know who you are!
But right now, I'm asking for a teacher on SpamCop. Would like somebody at the level of Jimmy in CT or Noah or Big Bear, etc. I can't find a sign-up box, and actually don't grasp the whole thing yet.
Maybe you can tell I never made the leap to "Real Computer" yet; I am not dumb, just limited for time and technologically behind the times.
And, actually, just entirely happy with webtv Plus, it suits my needs most of the time.

From piratebob at webtv.net Tue Jan 20 12:51:43 2009
From: piratebob at webtv.net (RM MS)
Date: Tue Jan 20 13:00:08 2009
Subject: [Scspamcop] Hello, new person
Message-ID: <16623-49760F2F-2279@storefull-3312.bay.webtv.net>

I have become pretty successful with interfacing my cell phone and webtv Plus, if there are any questions, I may be able to help. Emails welcome from webtvers only, thanks.

From snowbat at geocities.com Tue Jan 20 13:53:22 2009
From: snowbat at geocities.com (Snowbat)
Date: Tue Jan 20 13:55:09 2009
Subject: [Scspamcop] Re: Again - truncated reporting address
References:
Message-ID:

Problem with abuse@bridge-network.ro


http://www.spamcop.net/sc?action=rcache;ip=95.64.85.50
"whois 95.64.85.50@whois.arin.net" (Getting contact from whois.arin.net )
Redirect to ripe
Display data:
"whois 95.64.85.50@whois.ripe.net" (Getting contact from
whois.ripe.net)
Abuse address in 'remarks' field: abuse@bridge-network.ro
whois.ripe.net found abuse contacts for 95.64.85.50 = abuse@bridge
whois: 95.64.80.0 - 95.64.87.255 = abuse@bridge
Routing details for 95.64.85.50
Using abuse net on abuse@bridge
Using best contacts abuse@bridge <<<<<<<


$ whois -h whois.ripe.net 95.64.85.50
..
inetnum: 95.64.80.0 - 95.64.87.255
netname: BRIDGE-NETWORK
descr: SC BRIDGE NETWORK TELECOM SRL
remarks: For abuse & SPAM: abuse@bridge-network.ro
..
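
An added example, not part of the original post and not SpamCop's code: the trace above shows the address from the RIPE `remarks` field cut at the hyphen (`abuse@bridge`). The sketch assumes the cause is a domain pattern that does not allow `-` (the thread does not state the real cause) and sets it beside an extractor that accepts hyphenated labels and refuses a result with no dotted domain; all function names are hypothetical.

```python
import re

# RIPE whois excerpt quoted in the post above (the ".." lines are elided there).
WHOIS_TEXT = """\
inetnum: 95.64.80.0 - 95.64.87.255
netname: BRIDGE-NETWORK
descr: SC BRIDGE NETWORK TELECOM SRL
remarks: For abuse & SPAM: abuse@bridge-network.ro
"""

# Assumption: a domain character class without '-' is what cuts the address.
# The thread does not say what SpamCop's parser actually does.
NAIVE_ADDR = re.compile(r"[\w.]+@[\w.]+")

# A DNS label may contain inner hyphens; require at least two labels.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
STRICT_ADDR = re.compile(rf"[A-Za-z0-9._%+-]+@{LABEL}(?:\.{LABEL})+")


def remarks_values(whois_text):
    """Yield the value of every 'remarks:' attribute in a whois reply."""
    for line in whois_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "remarks":
            yield value.strip()


def extract_addresses(whois_text, pattern):
    """Return the addresses `pattern` finds in the remarks lines, in order."""
    found = []
    for value in remarks_values(whois_text):
        found.extend(m.group(0) for m in pattern.finditer(value))
    return found


def looks_complete(address):
    """Reject results such as 'abuse@bridge' whose domain has no dot or TLD."""
    local, sep, domain = address.rpartition("@")
    if not (local and sep and "." in domain):
        return False
    tld = domain.rsplit(".", 1)[1]
    return len(tld) >= 2 and tld.isalpha()


def choose_contact(whois_text):
    """First complete address from the remarks lines, or None."""
    for address in extract_addresses(whois_text, STRICT_ADDR):
        if looks_complete(address):
            return address
    return None


if __name__ == "__main__":
    print("naive :", extract_addresses(WHOIS_TEXT, NAIVE_ADDR))
    print("strict:", extract_addresses(WHOIS_TEXT, STRICT_ADDR))
    print("chosen:", choose_contact(WHOIS_TEXT))
```

The `looks_complete` check is the part worth keeping whatever the extraction method: a reporting address with no dotted domain should fall back to another contact source instead of being mailed.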

From nobody at spamcop.net Tue Jan 20 14:18:14 2009
From: nobody at spamcop.net (Ellen)
Date: Tue Jan 20 15:10:08 2009
Subject: [Scspamcop] Re: Again - truncated reporting address
In-Reply-To:
References:
Message-ID:

Snowbat wrote:
> Problem with abuse@bridge-network.ro
>
>
> http://www.spamcop.net/sc?action=rcache;ip=95.64.85.50
> "whois 95.64.85.50@whois.arin.net" (Getting contact from whois.arin.net )
> Redirect to ripe
> Display data:
> "whois 95.64.85.50@whois.ripe.net" (Getting contact from
> whois.ripe.net)
> Abuse address in 'remarks' field: abuse@bridge-network.ro
> whois.ripe.net found abuse contacts for 95.64.85.50 = abuse@bridge
> whois: 95.64.80.0 - 95.64.87.255 = abuse@bridge
> Routing details for 95.64.85.50
> Using abuse net on abuse@bridge
> Using best contacts abuse@bridge <<<<<<<
>
>
> $ whois -h whois.ripe.net 95.64.85.50
> ..
> inetnum: 95.64.80.0 - 95.64.87.255
> netname: BRIDGE-NETWORK
> descr: SC BRIDGE NETWORK TELECOM SRL
> remarks: For abuse & SPAM: abuse@bridge-network.ro
> ..
>

TY

Ellen

From chris at ineedhelp.com.au Tue Jan 20 23:34:12 2009
From: chris at ineedhelp.com.au (Christopher Newell)
Date: Tue Jan 20 23:35:08 2009
Subject: [Scspamcop] Re: Effectiveness of reporting
References:
Message-ID:

Thanks for all the responses.
Some more details were requested...so...

The company in general are,

Parsing input: http://www.time4exe.com/
Host www.time4exe.com (checking ip) = 222.35.2.163
host 222.35.2.163 (getting name) no name
Routing details for 222.35.2.163

Parsing input: http://www.gamingexe.com/news/Big_Turkeys.aspx
Host www.gamingexe.com (checking ip) = 208.47.211.223
host 208.47.211.223 (getting name) no name
Routing details for 208.47.211.223

There is also, the same company seems to go by a few different names.
woowmart.com
gamingexe.com
time2wow.com
gogognomes.com

I have tried to opt-out within their emails to just be ignored.
Also contacted the companies through the support links on their site and although they say i will be removed it doesn't happen.

These aren't your standard spammers. Its not just a company sending millions of emails. They seem to have my email (and others) from a list of game players. Although i have NEVER used their services or signed up on any of their sites.

Its easy enough to block these through any number of means (which i have now done) however i reported these to see just how spamcop works with reporting.

Regards,
Chris N.

"Mike Easter" wrote in message
news:gl4rn9$4re$1@news.spamcop.net...
> Christopher Newell wrote:
>
>> I have used spamcop for awhile and find it very accurate. However when an
>> obvious spam gets through I report it and nothing happens....ever..
>> I check the list for a few days to see if they have been added and
>> nothing. Why is this?
>
> Your question seems to be why some source report you have in your mind
> does not result in a SCbl listing, but you didn't actually name the IP
> source.
>
> (Such) A generic question (which I sometimes refer to as an 'imaginary'
> example) can never be answered as specifically as a specific question
> (which I sometimes refer to as a 'real' example).
>
> If you had named the actual IP source, one could address an answer to the
> 'nature' of the specific IP and why it might not be easily listed, such as
> a server source which has lots of reputation points - where reputation is
> an indication of the volume of 'traffic' from that IP as tallied by such
> as senderbase.
>
>> How can i get these buggers listed?
>
> Precisely which buggers are you talking about? The SCbl does not list
> spamvertised URLs. The SCbl lists reported spamsources which are reported
> with sufficient frequency to outweigh the amount of reputation points or
> traffic of 'goodmail' (not spam reported) from that IP.
>
>
>
>
> --
> Mike Easter
> kibitzer, not SC admin
>

From g.hyde at bigNOSPAMpond.net.au Wed Jan 21 02:09:43 2009
From: g.hyde at bigNOSPAMpond.net.au (Geoffrey Hyde)
Date: Wed Jan 21 02:10:08 2009
Subject: [Scspamcop] What flavour of spam is this, exactly?
Message-ID:

http://www.spamcop.net/sc?id=z2544268255z91cfc67a30239c8812736b46efa4f94dz

I think this could have a very small possibility of being legitimate, the google results suggest that's possible. I'm not sure though if this is some spammy attempt at disguising a spamitem like something legitimate.

Does anyone have any thoughts on whether this is a new flavour of spam or just something I might have opted into somewhere on the internet?

Cheers ...

Geoffrey Hyde

From nobody at spamcop.net Wed Jan 21 02:23:33 2009
From: nobody at spamcop.net (RandallW)
Date: Wed Jan 21 02:25:08 2009
Subject: [Scspamcop] Re: New to SpamCop
References: <16626-49760E55-407@storefull-3312.bay.webtv.net>
Message-ID:

> Hello, my name is Bob, I'm 49 y.o., I am on webtv Plus since late 1999.
> Fairly well-versed and experienced on most webtv user subjects, such as
> VCR and TV hookups, camcorder, e-scanner and other image sources,
> transloading, Pagebuilder, file moving, all the basics, and willing to
> offer help when I can. Have had contact with many of the pioneers in
> other groups, and thank you all for that, you know who you are!
> But right now, I'm asking for a teacher on SpamCop. Would like somebody
> at the level of Jimmy in CT or Noah or Big Bear, etc. I can't find a
> sign-up box, and actually don't grasp the whole thing yet.
> Maybe you can tell I never made the leap to "Real Computer" yet; I am
> not dumb, just limited for time and technologically behind the times.

If you can't find anyone you can try looking at the Spamcop site's FAQ.

From nobody at devnull.spamcop.net Wed Jan 21 04:44:42 2009
From: nobody at devnull.spamcop.net (Giampaolo Tomassoni)
Date: Wed Jan 21 04:45:08 2009
Subject: [Scspamcop] Re: What flavour of spam is this, exactly?
References:
Message-ID:

"Geoffrey Hyde" wrote in message
news:gl6ho4$jgu$1@news.spamcop.net...
> http://www.spamcop.net/sc?id=z2544268255z91cfc67a30239c8812736b46efa4f94dz
>
> I think this could have a very small possibility of being legitimate, the
> google results suggest that's possible. I'm not sure though if this is
> some spammy attempt at disguising a spamitem like something legitimate.
>
> Does anyone have any thoughts on whether this is a new flavour of spam or
> just something I might have opted into somewhere on the internet?
>
> Cheers ...
>
> Geoffrey Hyde

It could be a fraud: you register to the conference and pay the required fees. In April 3 you get there, but at the University people tell you no conference is in progress...

Please note April 3 is perfect: you probably will like to be there in April 2, which means you may have to start your voyage to Bridgeport in April, 1...

Giampaolo

From Ag2000CO at Starband.net Wed Jan 21 11:08:35 2009
From: Ag2000CO at Starband.net (LKing)
Date: Wed Jan 21 11:10:08 2009
Subject: [Scspamcop] Re: What flavour of spam is this, exactly?
In-Reply-To:
References:
Message-ID:

Geoffrey Hyde wrote, On 1/21/2009 2:09 AM:
> http://www.spamcop.net/sc?id=z2544268255z91cfc67a30239c8812736b46efa4f94dz
>
> I think this could have a very small possibility of being legitimate,...
> Does anyone have any thoughts on whether this is a new flavour of spam or
> just something I might have opted into somewhere on the internet?
>
> Geoffrey Hyde
>
Check the www.ASEE.org web page >> Conferences.
I see conferences schedule includes:
North East Section Meeting, Apr 3-4, University of Bridgeport, Bridgeport, CT

http://www.asee.org/conferences/calendar/index.cfm?filter=7

From ericw at spamcop.net Wed Jan 21 11:55:17 2009
From: ericw at spamcop.net (Eric)
Date: Wed Jan 21 12:00:08 2009
Subject: [Scspamcop] Help with spam bypassing filter
Message-ID:

For the past few weeks I've been getting spam through the filters here, all with the "from" listing as my spamcop email address. How can I adjust my filter to catch these spam emails? I've been getting sometimes a dozen or more a day.

Here's the tracking URL to a few of them:

http://www.spamcop.net/sc?id=z2545506420zf18b273b0202e1979aec72ebd198934bz

http://www.spamcop.net/sc?id=z2545506422z4cc28a5e6894e34b4a902f62cccea9d9z

http://www.spamcop.net/sc?id=z2545506423zae2c0a25eb2691c518feeaaa4cc150a7z

From nobody at devnull.spamcop.net Wed Jan 21 14:28:43 2009
From: nobody at devnull.spamcop.net (Twayne)
Date: Wed Jan 21 14:30:07 2009
Subject: [Scspamcop] Re: What flavour of spam is this, exactly?
References:
Message-ID:

> http://www.spamcop.net/sc?id=z2544268255z91cfc67a30239c8812736b46efa4f94dz
>
> I think this could have a very small possibility
> of being
> legitimate, the google results suggest that's
> possible. I'm not sure though if this is some
> spammy attempt at
> disguising a spamitem like something legitimate.
> Does anyone have any thoughts on whether this is
> a new
> flavour of spam or just something I might have
> opted into
> somewhere on the internet?
> Cheers ...
>
> Geoffrey Hyde

Received the same, identical spam here; same names, same text, etc.. Never had anything to do with them or anything close to them. I reported them.

Twayne

From nobody at devnull.spamcop.net Wed Jan 21 14:35:40 2009
From: nobody at devnull.spamcop.net (Twayne)
Date: Wed Jan 21 14:40:08 2009
Subject: [Scspamcop] Re: What flavour of spam is this, exactly?
References:
Message-ID:

> http://www.spamcop.net/sc?id=z2544268255z91cfc67a30239c8812736b46efa4f94dz
>
> I think this could have a very small possibility
> of being
> legitimate, the google results suggest that's
> possible. I'm not sure though if this is some
> spammy attempt at
> disguising a spamitem like something legitimate.
> Does anyone have any thoughts on whether this is
> a new
> flavour of spam or just something I might have
> opted into
> somewhere on the internet?
> Cheers ...
>
> Geoffrey Hyde

No help, but a suggestion (unsolicited advice):

Long ago I added a folder to my mail client for Subscriptions and every (literally every) place I signed up to goes there for reference later. I don't subscribe anywhere unless I know it'll be a confirmed optin so there is always something to put into that folder. Well, all but two instances - in those cases I sent myself an e-mail so I had something to put in the folder.

Now, if I have a question & it's not in that folder, I know I didn't ask for it. It's about 99% foolproof after enough time passes. Saves wondering or researching to see if I might ever have had any interests in it. It's not that long a list.

Twayne

From nobody at no.no Wed Jan 21 15:56:31 2009
From: nobody at no.no (helge)
Date: Wed Jan 21 16:00:08 2009
Subject: [Scspamcop] Re: Help with spam bypassing filter
In-Reply-To:
References:
Message-ID:

Eric wrote:
> For the past few weeks I've been getting spam through the filters here, all
> with the "from" listing as my spamcop email address. How can I adjust my
> filter to catch these spam emails? I've been getting sometimes a dozen or
> more a day.
>
> Here's the tracking URL to a few of them:
>
> http://www.spamcop.net/sc?id=z2545506420zf18b273b0202e1979aec72ebd198934bz
>
> http://www.spamcop.net/sc?id=z2545506422z4cc28a5e6894e34b4a902f62cccea9d9z
>
> http://www.spamcop.net/sc?id=z2545506423zae2c0a25eb2691c518feeaaa4cc150a7z
>

Do you have your own address whitelisted?
see http://mail.spamcop.net/news.php:

"Dec 9, 2008
* [08:01 EST] Lots of users have their own email address in their personal whitelist. This is a problem because spammers often send you spam that is forged with your own email address as the return address. Please make sure that you don't have your own email address on your personal whitelist because if it is, this spam will be whitelisted and delivered to your inbox."

helge

From me at privacy.net Wed Jan 21 16:34:11 2009
From: me at privacy.net (Michael R N Dolbear)
Date: Wed Jan 21 16:35:08 2009
Subject: [Scspamcop] Re: Help with spam bypassing filter
References:
Message-ID: <01c97c0f$fb894200$1bd2403e@default>

helge wrote in article ...
> Eric wrote:
> > For the past few weeks I've been getting spam through the filters here, all
> > with the "from" listing as my spamcop email address. How can I adjust my
> > filter to catch these spam emails? I've been getting sometimes a dozen or
> > more a day.
> >
> > Here's the tracking URL to a few of them:
> >
> > http://www.spamcop.net/sc?id=z2545506420zf18b273b0202e1979aec72ebd198934
bz

> Do you have your own address whitelisted? see
> http://mail.spamcop.net/news.php:

The poster does

X-SpamCop-Disposition: Blocked SpamAssassin=24
X-SpamCop-Whitelisted: spamcop.net

Take out that whitelist entry and things should work the same as for other mail.

If one needs to send mail to Spamcop that must not be held, invent a secret address and send it "From: " that, changing it if it becomes known.

--
Mike D

From nobody at spamcop.net Thu Jan 22 00:35:31 2009
From: nobody at spamcop.net (RW)
Date: Thu Jan 22 00:40:09 2009
Subject: [Scspamcop] Planned Maintenance Window - Thursday, January 22, 2009
Message-ID:

Scheduled server maintenance and upgrades will be taking place starting at 3:00 p.m. PST on Thursday, January 22, 2009. The SpamCop Reporting Service website will not be available for approximately one hour.
Emailed spam submissions will be accepted, but processing will be delayed during the maintenance process. This will not affect the SpamCop/CESmail email service, newsgroups or forums.

This is work that was originally planned for the 13th, but power issues at the data center caused our engineers to delay the work.

Richard

From ericw at spamcop.net Thu Jan 22 11:11:23 2009
From: ericw at spamcop.net (Eric)
Date: Thu Jan 22 11:15:08 2009
Subject: [Scspamcop] Re: Help with spam bypassing filter
References: <01c97c0f$fb894200$1bd2403e@default>
Message-ID:

"Michael R N Dolbear" wrote in news:01c97c0f$fb894200
$1bd2403e@default:

>
> helge wrote in article
> ...
>> Eric wrote:
>> > For the past few weeks I've been getting spam through the filters
> here, all
>> > with the "from" listing as my spamcop email address. How can I
> adjust my
>> > filter to catch these spam emails? I've been getting sometimes a
> dozen or
>> > more a day.
>> >
>> > Here's the tracking URL to a few of them:
>> >
>> >
> http://www.spamcop.net/sc?id=z2545506420zf18b273b0202e1979aec72ebd198934
> bz
>
>> Do you have your own address whitelisted? see
>> http://mail.spamcop.net/news.php:
>
> The poster does
>
> X-SpamCop-Disposition: Blocked SpamAssassin=24
> X-SpamCop-Whitelisted: spamcop.net
>
> Take out that whitelist entry and things should work the same as for
> other mail.
>
> If one needs to send mail to Spamcop that must not be held, invent a
> secret address and send it "From: " that, changing it if it becomes
> known.

Thanks everyone. I searched my whitelist and deleted spamcop.net.

Going through my whitelist I realize I've been a member here for a very long time. I have 12 pages of whitelisted addresses, many of which I haven't seen in years. I'm tempted to delete them all and start over. We'll see.

From g.hyde at bigNOSPAMpond.net.au Thu Jan 22 16:30:05 2009
From: g.hyde at bigNOSPAMpond.net.au (Geoffrey Hyde)
Date: Thu Jan 22 16:35:09 2009
Subject: [Scspamcop] Base64 encoded text spam.
Message-ID:

http://www.spamcop.net/sc?id=z2549230242zf04f6e2803253ac4ad659e0ad8bc5e58z

As you can see SpamCop fails to decode the Base64 encoded text part, yet my email client reads it.

It is interesting to note that spammers seem to be evolving their bag of tricks even though SpamCop isn't catching up. But should SpamCop spend time trying to decode base64 emails?

Cheers ...

Geoffrey Hyde

From tmcgraw at spamcop.net Thu Jan 22 16:55:15 2009
From: tmcgraw at spamcop.net (Tim McGraw)
Date: Thu Jan 22 17:00:09 2009
Subject: [Scspamcop] Re: Base64 encoded text spam.
In-Reply-To:
References:
Message-ID:

Geoffrey Hyde wrote:
> http://www.spamcop.net/sc?id=z2549230242zf04f6e2803253ac4ad659e0ad8bc5e58z
>
> As you can see SpamCop fails to decode the Base64 encoded text part, yet my
> email client reads it.
>
> It is interesting to note that spammers seem to be evolving their bag of
> tricks even though SpamCop isn't catching up. But should SpamCop spend time
> trying to decode base64 emails?

Not in this case, the decoded text does not include a link, only an email addy.

From nobody at devnull.spamcop.net Thu Jan 22 17:38:20 2009
From: nobody at devnull.spamcop.net (Wazoo)
Date: Thu Jan 22 17:40:09 2009
Subject: [Scspamcop] Re: Base64 encoded text spam.
References:
Message-ID:

"Geoffrey Hyde" wrote in message
news:glaoh4$k8u$1@news.spamcop.net...
> http://www.spamcop.net/sc?id=z2549230242zf04f6e2803253ac4ad659e0ad8bc5e58z
>
> As you can see SpamCop fails to decode the Base64 encoded text
> part, yet my email client reads it.
>
> It is interesting to note that spammers seem to be evolving their
> bag of tricks even though SpamCop isn't catching up. But should
> SpamCop spend time trying to decode base64 emails?

Evolving? http://forum.spamcop.net/scwik/SCMaterialChanges contains a couple of clarifications made by Don (the last additional change/addition by Ellen is still up in the air) ..
This is an updated version of the original FAQ entry found at http://www.spamcop.net/fom-serve/cache/283.html which has been in place for years.

From asterix at no_where.net Fri Jan 23 03:38:04 2009
From: asterix at no_where.net (Asterix)
Date: Fri Jan 23 03:40:08 2009
Subject: [Scspamcop] Terminate reporting-only account?
Message-ID: <1itzp7g.1ocw0b6uj1c4gN%asterix@no_where.net>

I think I asked the same thing a few years ago.

I have 5 reporting-only accounts on Spamcop - each for a different email address. One of those addresses is defunct, and one has been changed (by my employer's IT dept).

Is there a way to terminate a reporting-only account, or do I just leave it be? I have found nada in the FAQ.

--
I recommend Macs to my friends, and Windows machines to those whom I don't mind billing by the hour

From nobody at spamcop.net Fri Jan 23 10:01:57 2009
From: nobody at spamcop.net (Ellen)
Date: Fri Jan 23 10:15:09 2009
Subject: [Scspamcop] Re: Base64 encoded text spam.
In-Reply-To:
References:
Message-ID:

Wazoo wrote:
(the last additional
> change/addition by Ellen is still up in the air)

????

Ellen
SpamCop

From nobody at devnull.spamcop.net Fri Jan 23 17:51:40 2009
From: nobody at devnull.spamcop.net (Wazoo)
Date: Fri Jan 23 17:55:08 2009
Subject: [Scspamcop] Re: Terminate reporting-only account?
References: <1itzp7g.1ocw0b6uj1c4gN%asterix@no_where.net>
Message-ID:

"Asterix" wrote in message
news:1itzp7g.1ocw0b6uj1c4gN%asterix@no_where.net...
>I think I asked the same thing a few years ago.
>
> I have 5 reporting-only accounts on Spamcop - each for a different
> email
> address. One of those addresses is defunct, and one has been
> changed (by
> my employer's IT dept).
>
> Is there a way to terminate a reporting-only account, or do I just
> leave
> it be? I have found nada in the FAQ.

Historically, the words were that there shouldn't be an issue just ignoring that these accounts remained in existence. On the other hand, some accounts have in fact been abused.
Once upon a time, it was a simple (and suggested) task to re-register a new account with the same e-mail address, but that changed, documented in the entry at http://forum.spamcop.net/forums/index.php?showtopic=1001 ..... if you can't find/don't recognize the contact address there, then try the Wiki page at http://forum.spamcop.net/scwik/SpamCopWhereToGetHelp

I gave up trying to find your suggested previous posting.

From nobody at devnull.spamcop.net Fri Jan 23 18:04:58 2009
From: nobody at devnull.spamcop.net (Wazoo)
Date: Fri Jan 23 18:05:07 2009
Subject: [Scspamcop] Re: Base64 encoded text spam.
References:
Message-ID:

"Ellen" wrote in message
news:glcms9$j9q$1@news.spamcop.net...
> Wazoo wrote:
> (the last additional
>> change/addition by Ellen is still up in the air)
>
> ????

a.. [Scspamcop] Re: Reporting REJECTED spam Ellen
http://zeta.cesmail.net/pipermail/scspamcop/2009-January/thread.html#7885

The slippery-slope of 'allowing' additional data to be inserted into the headers. Yes, in the specific case of that particular discussion, there should be no argument. On the other hand, adding to the FAQ that it's OK to manufacture and add lines could be used as justification by some folks to 'fix' some unparsable spam (or incomplete parsing) .... i.e., manufacturing 'missing' MIME Boundary line definitions, adding in a 'missing' Context-Type: line, etc.

From nobody at spamcop.net Fri Jan 23 21:32:05 2009
From: nobody at spamcop.net (Ellen)
Date: Fri Jan 23 21:35:08 2009
Subject: [Scspamcop] Re: Base64 encoded text spam.
In-Reply-To:
References:
Message-ID:

Wazoo wrote:
> "Ellen" wrote in message
> news:glcms9$j9q$1@news.spamcop.net...
>> Wazoo wrote:
>> (the last additional
>>> change/addition by Ellen is still up in the air)
>> ????
>
> a.. [Scspamcop] Re: Reporting REJECTED spam Ellen
> http://zeta.cesmail.net/pipermail/scspamcop/2009-January/thread.html#7885
>
> The slippery-slope of 'allowing' additional data to be inserted into
> the headers.
> Yes, in the specific case of that particular
> discussion, there should be no argument. On the other hand, adding
> to the FAQ that it's OK to manufacture and add lines could be used
> as justification by some folks to 'fix' some unparsable spam (or
> incomplete parsing) .... i.e., manufacturing 'missing' MIME Boundary
> line definitions, adding in a 'missing' Context-Type: line, etc.
>
>

I assume you are referring to this? hard to tell since your link brings up a long thread of posts of which several are mine:

****start paste****
Andrzej Adam Filip wrote:
>
> I was thinking about adding "extra header" to *reported* spam. e.g.
>
> X-Info-_FQDN_: Rejected by _FQDN_ in SMTP session (after "the final dot")

I would expect that the header is unlikely to be read by a human and I am not sure it conveys what you want it to convey. But it should be harmless to add it.
****end paste*****

Having an inbound mailserver add X-headers is totally normal is it not? So if someone running a mailserver chooses to add an X-header and is also a SC reporter why is this a problem?

Ellen
SpamCop

From anfi at onet.eu Sat Jan 24 05:11:06 2009
From: anfi at onet.eu (Andrzej Adam Filip)
Date: Sat Jan 24 05:15:09 2009
Subject: [Scspamcop] Wrong "No source IP address found, cannot proceed." [onet.pl]
Message-ID: <93prtyie78@amy.anfi.chickenkiller.com>

Below please find spamcop.net reports with incorrect
"No source IP address found, cannot proceed." :
http://www.spamcop.net/sc?id=z2553284560z2442e7cbe37b53c492b82dac429d85e3z
http://www.spamcop.net/sc?id=z2553284309ze54a81b4d12c925f78fcc1b4f777e291z
http://www.spamcop.net/sc?id=z2553284087z70591adf8543dcc828bd3e1bc91a53f0z

--
[pl>en Andrew] Andrzej Adam Filip : anfi@onet.eu : anfi@xl.wp.pl
She was good at playing abstract confusion in the same way a midget is good at being short.
-- Clive James, on Marilyn Monroe

From borgholio at storymind.com Sat Jan 24 05:12:59 2009
From: borgholio at storymind.com (Borgholio)
Date: Sat Jan 24 05:15:10 2009
Subject: [Scspamcop] Spamcop finding link to spamvertised site but not reporting
Message-ID:

Link to reports:

http://www.spamcop.net/sc?id=z2553283993z5d21fdcd181b6300e5a81259d672a5a9z

Spam posted in .spam.

This appears to be the same spammer that sent me 100 messages every ten minutes a few weeks ago, and I am having the same problem with reporting the spamvertised site as I did back then. Spamcop was finding the spamvertised link but it was not generating any reports. The site is http://alwaysadultschatting.com and reports should go to:

jay@ceilley.com
abuse@colostore.com
postmaster@colostore.com

From borgholio at storymind.com Sat Jan 24 05:15:20 2009
From: borgholio at storymind.com (Borgholio)
Date: Sat Jan 24 05:15:10 2009
Subject: [Scspamcop] Re: Spamcop finding link to spamvertised site but not reporting
In-Reply-To:
References:
Message-ID:

Borgholio wrote:
> Link to reports:
>
> http://www.spamcop.net/sc?id=z2553283993z5d21fdcd181b6300e5a81259d672a5a9z
>
> Spam posted in .spam.
>
> This appears to be the same spammer that sent me 100 messages every ten
> minutes a few weeks ago, and I am having the same problem with reporting
> the spamvertised site as I did back then. Spamcop was finding the
> spamvertised link but it was not generating any reports. The site is
> http://alwaysadultschatting.com and reports should go to:
>
> jay@ceilley.com
> abuse@colostore.com
> postmaster@colostore.com

As a followup, the spam also lists an IRC server.
I don't know Spamcop's policy on reporting spamvertised chat servers, but the link is: irc.alwaysadultschatting.com and reports should go to: abuse@rackvibe.com abuse@justedge.net postmaster@rackvibe.com From nobody at devnull.spamcop.net Sat Jan 24 06:03:07 2009 From: nobody at devnull.spamcop.net (Giampaolo Tomassoni) Date: Sat Jan 24 06:05:09 2009 Subject: [Scspamcop] Re: Wrong "No source IP address found, cannot proceed." [onet.pl] References: <93prtyie78@amy.anfi.chickenkiller.com> Message-ID: "Andrzej Adam Filip" ha scritto nel messaggio news:93prtyie78@amy.anfi.chickenkiller.com... > Below please find spamcop.net reports with incorrect > "No source IP address found, cannot proceed." : Your server name seems wrong: where's the TLD? Giampaolo > http://www.spamcop.net/sc?id=z2553284560z2442e7cbe37b53c492b82dac429d85e3z > http://www.spamcop.net/sc?id=z2553284309ze54a81b4d12c925f78fcc1b4f777e291z > http://www.spamcop.net/sc?id=z2553284087z70591adf8543dcc828bd3e1bc91a53f0z > > -- > [pl>en Andrew] Andrzej Adam Filip : anfi@onet.eu : anfi@xl.wp.pl > She was good at playing abstract confusion in the same way a midget is > good at being short. > -- Clive James, on Marilyn Monroe From sfjoe at devnull.spamcop.net Sat Jan 24 12:39:51 2009 From: sfjoe at devnull.spamcop.net (Joe Holt) Date: Sat Jan 24 12:40:08 2009 Subject: [Scspamcop] Bulk deletion Message-ID: Apparently, I have pissed off a spammer. I have 12,448 emails in my inbox and they are coming in faster than I can delete them. Is there a way for a bulk-deletion in excess of the 100 at a time? From nobody at spamcop.net Sat Jan 24 13:16:23 2009 From: nobody at spamcop.net (me-no-no) Date: Sat Jan 24 13:20:08 2009 Subject: [Scspamcop] Re: Bulk deletion References: Message-ID: "Joe Holt" wrote in message news:C5A09267.12F%sfjoe@devnull.spamcop.net... > Apparently, I have pissed off a spammer. I have 12,448 emails in my inbox > and they are coming in faster than I can delete them. 
Is there a way for a > bulk-deletion in excess of the 100 at a time? Nah - Nuthin personal - seems like most of us (spamcop.net addresses) are getting them :-( Assuming they are the "alwaysadultschatting" as per previous post subj: "Spamcop finding spamvertised url but not reporting it" More info on methods of bulk deleting this continuing cr*p - See last weeks thread - Subj: "Spambot stuck in the "on" position" Best of luck !! Regs MENO From asterix at no_where.net Sat Jan 24 13:26:02 2009 From: asterix at no_where.net (Asterix) Date: Sat Jan 24 13:30:08 2009 Subject: [Scspamcop] Re: Terminate reporting-only account? References: <1itzp7g.1ocw0b6uj1c4gN%asterix@no_where.net> Message-ID: <1iu29ro.9o39pu12xevliN%asterix@no_where.net> Wazoo wrote: > "Asterix" wrote in message > news:1itzp7g.1ocw0b6uj1c4gN%asterix@no_where.net... > >I think I asked the same thing a few years ago. > > > > I have 5 reporting-only accounts on Spamcop - each for a different > > email > > address. One of those addresses is defunct, and one has been > > changed (by > > my employer's IT dept). > > > > Is there a way to terminate a reporting-only account, or do I just > > leave > > it be? I have found nada in the FAQ. > > Historically, the words were that there shouldn't be an issue just > ignoring that these accounts remained in existence. On the other > hand, some accounts have in fact been abused. Once upon a time, it > was a simple (and suggested) task to re-register a new account with > the same e-mail address, but that changed, documented in the entry > at http://forum.spamcop.net/forums/index.php?showtopic=1001 ..... Hi, Wazoo, That page is about password problems, not really what I asked about. I want to terminate (cancel, close, delete) one account, possibly two. And I don't find any contact address on that page, unless you refer to service at admin.spamcop.net - in your signature at the bottom.
> if you can't find/don't recognize the contact address there, then try > the Wiki page at > http://forum.spamcop.net/scwik/SpamCopWhereToGetHelp The wiki appears to just reflect the contents of the "normal" help. No contact addy on that page, and no hint of an answer to my basic question - which I feel should be in the FAQ: - How do I terminate (cancel) a reporting-only account? The question is valid, since as you say, accounts have been abused. Also people get their addresses changed, and they close email accounts for various reasons (new ISP, spammed-to-death, &c.) > I gave up trying to find your suggested previous posting. So did I :-) -- I recommend Macs to my friends, and Windows machines to those whom I don't mind billing by the hour From nobody at devnull.spamcop.net Sat Jan 24 15:48:35 2009 From: nobody at devnull.spamcop.net (Wazoo) Date: Sat Jan 24 15:50:08 2009 Subject: [Scspamcop] Re: Base64 encoded text spam. References: Message-ID: "Ellen" wrote in message news:gldukk$gbg$1@news.spamcop.net... > Wazoo wrote: >> "Ellen" wrote in message >> news:glcms9$j9q$1@news.spamcop.net... >>> Wazoo wrote: >>> (the last additional >>>> change/addition by Ellen is still up in the air) >>> ???? >> >> a.. [Scspamcop] Re: Reporting REJECTED spam Ellen >> http://zeta.cesmail.net/pipermail/scspamcop/2009-January/thread.html#7885 >> >> The slippery-slope of 'allowing' additional data to be inserted >> into the headers. Yes, in the specific case of that particular >> discussion, there should be no argument. On the other hand, >> adding to the FAQ that's it's OK to manufacture and add lines >> could be used as justification by some folks to 'fix' some >> unparsable spam (or incomplete parsing) .... i.e., manufacturing >> 'missing' MIME Boundary line definitions, adding in a 'missing' >> Context-Type: line, etc. > > I assume you are referring to this?
hard to tell since your link > brings up a long thread of posts of which several are mine: Windows-XP-Pro, OE brings up IE7 .... Ubuntu, Thunderbird brings up FireFox, both browser windows showing the referenced post as the first line in the browser window page data, exactly as expected. That post's Subject line shown indented, showing that it's part of the thread that's reflected on the "above" screenful of data, needing a scroll up if that reference is needed. > Having an inbound mailserver add X-headers is totally normal is it > not? So if someone running a mailserver chooses to add an X-header > and is also a SC reporter why is this a problem? As I stated, in this specific case, there shouldn't be an issue. The situation now is that after all the years of "you shall not mess with the headers" .. then caveated by the allowance to mung "personal, identifying-type" of data within the headers (and body) .... your recent newsgroup statement was the first known public statement that said "anything else" ..... The "problem" with that is actually how to write it up, stating that it is now "officially" OK to 'add' data to the headers of a to-be-submitted-for-parsing e-mail and yet not allowing for the mis-interpretation of those words so as to allow someone to make their own 'additions/modifications' that would then also violate the "that the parser would not handle/find on its own" part of the "Material Changes" rule/FAQ entries. From nobody at devnull.spamcop.net Sat Jan 24 16:04:32 2009 From: nobody at devnull.spamcop.net (Wazoo) Date: Sat Jan 24 16:05:07 2009 Subject: [Scspamcop] Re: Terminate reporting-only account? References: <1itzp7g.1ocw0b6uj1c4gN%asterix@no_where.net> <1iu29ro.9o39pu12xevliN%asterix@no_where.net> Message-ID: "Asterix" wrote in message news:1iu29ro.9o39pu12xevliN%asterix@no_where.net... > Wazoo wrote: > >> "Asterix" wrote in message >> news:1itzp7g.1ocw0b6uj1c4gN%asterix@no_where.net... >> >I think I asked the same thing a few years ago.
>> > >> > I have 5 reporting-only accounts on Spamcop - each for a >> > different >> > email >> > address. One of those addresses is defunct, and one has been >> > changed (by >> > my employer's IT dept). >> > >> > Is there a way to terminate a reporting-only account, or do I >> > just >> > leave >> > it be? I have found nada in the FAQ. >> >> Historically, the words were that there shouldn't be an issue >> just >> ignoring that these accounts remained in existence. On the other >> hand, some accounts have in fact been abused. Once upon a time, >> it >> was a simple (and suggested) task to re-register a new account >> with >> the same e-mail address, but that changed, documented in the >> entry >> at http://forum.spamcop.net/forums/index.php?showtopic=1001 ..... > > That page is about password problems, not really what I asked > about. > I want to terminate (cancel, close, delete) one account, possibly > two. > > And I don't find any contact address on that page, unless you > refer to > service at admin.spamcop.net - in your signature at the bottom. Actually, not "my signature" ... those were words from Don, the SpamCop Admin guy. I thought he made it pretty clear that he was the Point-of-Contact for Reporting Account/Address issues. >> if you can't find/don't recognize the contact address there, then >> try >> the Wiki page at >> http://forum.spamcop.net/scwik/SpamCopWhereToGetHelp > > The wiki appears to just reflect the contents of the "normal" > help. > No contact addy on that page, ???? "How to contact official folks" is there, both links pointing to web-page interfaces for making that contact. > and no hint of an answer to my basic > question - which I feel should be in the FAQ: > > - How do I terminate (cancel) a reporting-only account? > > The question is valid, since as you say, accounts have been > abused. > Also people get their addresses changed, and they close email > accounts > for various reasons (new ISP, spammed-to-death, &c.) Yes, I agree.
On the other hand, there's a boat-load of stuff that I have tagged to be added to the FAQ/Wiki, but never seem to quite get around to it. So will note once again, the single-page-access version of the SpamCop FAQ over in the Forum and the SpamCop Wiki running over on the Forum server both contain data developed by other SpamCop.net users. After you get the "official" response, you are invited to add that data as an actual FAQ entry for all that it might concern in the future. I know it's come up before, but I wasn't able to come up with just the right mix of magic words to stumble across it .. and also having to note that some folks chose to use the X-NoArchive flag in their newsgroup posts, so unless someone else quotes the pertinent data, it's lost when it ages off the active newsgroup server.. From borgholio at storymind.com Sat Jan 24 16:47:42 2009 From: borgholio at storymind.com (Borgholio) Date: Sat Jan 24 16:50:07 2009 Subject: [Scspamcop] Re: Bulk deletion In-Reply-To: References: Message-ID: me-no-no wrote: > "Joe Holt" wrote in message > news:C5A09267.12F%sfjoe@devnull.spamcop.net... >> Apparently, I have pissed off a spammer. I have 12,448 emails in my inbox >> and they are coming in faster than I can delete them. Is there a way for a >> bulk-deletion in excess of the 100 at a time? > > Nah - Nuthin personal - seems like most of us (spamcop.net addresses) are > getting them :-( > Assuming they are the "alwaysadultschatting" as per previous post subj: > "Spamcop finding spamvertised url but not reporting it" > > More info on methods of bulk deleting this continuing cr*p - See last weeks > thread - > Subj: "Spambot stuck in the "on" position" > > Best of luck !! > > Regs > MENO > > Really and I thought I was the only one getting that.. Neat....4640 message in my held mail folder. From nobody at spamcop.net Sat Jan 24 18:53:41 2009 From: nobody at spamcop.net (RW) Date: Sat Jan 24 18:55:09 2009 Subject: [Scspamcop] Re: Terminate reporting-only account? 
In-Reply-To: <1itzp7g.1ocw0b6uj1c4gN%asterix@no_where.net> References: <1itzp7g.1ocw0b6uj1c4gN%asterix@no_where.net> Message-ID: Asterix wrote: > I think I asked the same thing a few years ago. > > I have 5 reporting-only accounts on Spamcop - each for a different email > address. One of those addresses is defunct, and one has been changed (by > my employer's IT dept). > > Is there a way to terminate a reporting-only account, or do I just leave > it be? I have found nada in the FAQ. There's no reason for having multiple reporting accounts. You can submit spam to a single account from any number of email accounts. Mailhosts will assist in making sure there is no confusion in the parsing engine. As for unused accounts, just leave them. There is no way of deleting them from the system. Every spam report in the database has to have an account to associate with, so we can't remove the accounts. Richard From nobody at spamcop.net Sat Jan 24 18:58:28 2009 From: nobody at spamcop.net (RW) Date: Sat Jan 24 19:00:08 2009 Subject: [Scspamcop] Re: Wrong "No source IP address found, cannot proceed." [onet.pl] In-Reply-To: <93prtyie78@amy.anfi.chickenkiller.com> References: <93prtyie78@amy.anfi.chickenkiller.com> Message-ID: Andrzej Adam Filip wrote: > Below please find spamcop.net reports with incorrect > "No source IP address found, cannot proceed." : > > http://www.spamcop.net/sc?id=z2553284560z2442e7cbe37b53c492b82dac429d85e3z > http://www.spamcop.net/sc?id=z2553284309ze54a81b4d12c925f78fcc1b4f777e291z > http://www.spamcop.net/sc?id=z2553284087z70591adf8543dcc828bd3e1bc91a53f0z > The top received line shows the mail received by "ps7.mod5.onet", but that server is not in your mailhost file. The address the spam is addressed to is not in your mailhost record. You need to run the mailhost tool on that address.
Richard From nobody at spamcop.net Sat Jan 24 20:13:24 2009 From: nobody at spamcop.net (me-no-no) Date: Sat Jan 24 20:15:08 2009 Subject: [Scspamcop] Re: Bulk deletion References: Message-ID: "Borgholio" wrote in message news:glg297$5np$1@news.spamcop.net... > me-no-no wrote: >> "Joe Holt" wrote in message >> news:C5A09267.12F%sfjoe@devnull.spamcop.net... >>Apparently, I have pissed off a spammer. I have 12,448 emails in my inbox >>and they are coming in faster than I can delete them. Is there a way for a >>bulk-deletion in excess of the 100 at a time? >> Nah - Nuthin personal - seems like most of us (spamcop.net addresses) are >> getting them :-( >> Assuming they are the "alwaysadultschatting" as per previous post subj: >> "Spamcop finding spamvertised url but not reporting it" >> More info on methods of bulk deleting this continuing cr*p - See last >> weeks thread - >> Subj: "Spambot stuck in the "on" position" Best of luck !! >> Regs >> MENO > - Really and I thought I was the only one getting that.. Far from it :-) > - Neat....4640 message in my held mail folder. You should be so lucky - I stopped counting at 15,000 + :-) Some reported - Most deleted - Again !! All from 207.150.194.88 - HOSTWAY/SOUTHWEBVENTURES http://centralops.net/co/DomainDossier.aspx?addr=+207.150.194.88&dom_whois=true&dom_dns=true&net_whois=true Well and truly BLed - as below: *Regs MENO* Listed in cbl.abuseat.org, cbl.abuseat.org : 127.0.0.2 : Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=207.150.194.88 Listed in dnsbl.sorbs.net, www.nl.sorbs.net : 127.0.0.6 : See: http://www.sorbs.net/lookup.shtml?207.150.194.88 Listed in bl.spamcop.net, www.spamcop.net : 127.0.0.2 : Blocked - see http://www.spamcop.net/bl.shtml?207.150.194.88 Listed in xbl.spamhaus.org, www.spamhaus.org/xbl/ : 127.0.0.4 : http://www.spamhaus.org/query/bl?ip=207.150.194.88 Listed in dnsbl-1.uceprotect.net, : 127.0.0.2 :-Level 1.
See http://www.uceprotect.net/rblcheck.php?ipr=207.150.194.88 Listed in db.wpbl.info, www.wpbl.info : 127.0.0.2 : Spam source - http://wpbl.info/record?ip=207.150.194.88 From borgholio at storymind.com Sat Jan 24 21:56:18 2009 From: borgholio at storymind.com (Borgholio) Date: Sat Jan 24 22:00:08 2009 Subject: [Scspamcop] Re: Bulk deletion In-Reply-To: References: Message-ID: me-no-no wrote: > "Borgholio" wrote in message > news:glg297$5np$1@news.spamcop.net... >> me-no-no wrote: >>> "Joe Holt" wrote in message >>> news:C5A09267.12F%sfjoe@devnull.spamcop.net... >>> Apparently, I have pissed off a spammer. I have 12,448 emails in my inbox >>> and they are coming in faster than I can delete them. Is there a way for a >>> bulk-deletion in excess of the 100 at a time? > >>> Nah - Nuthin personal - seems like most of us (spamcop.net addresses) are >>> getting them :-( >>> Assuming they are the "alwaysadultschatting" as per previous post subj: >>> "Spamcop finding spamvertised url but not reporting it" >>> More info on methods of bulk deleting this continuing cr*p - See last >>> weeks thread - >>> Subj: "Spambot stuck in the "on" position" Best of luck !! >>> Regs >>> MENO > >> - Really and I thought I was the only one getting that.. > > Far from it :-) > >> - Neat....4640 message in my held mail folder. > > You should be so lucky - I stopped counting at 15,000 + :-) > Some reported - Most deleted - Again !! Well I'm reporting each and every single one, since I can do it all with three clicks from my paid account. If the mailhost is so clueless to allow a spambot to send this much email without any kind of alert or throttle kicking in, they deserve to get 5k spam reports. From nobody at spamcop.net Sat Jan 24 22:02:42 2009 From: nobody at spamcop.net (Steven Underwood) Date: Sat Jan 24 22:05:07 2009 Subject: [Scspamcop] Re: Base64 encoded text spam. References: Message-ID: "Ellen" wrote in message news:gldukk$gbg$1@news.spamcop.net...
> Having an inbound mailserver add X-headers is totally normal is it not? So > if someone running a mailserver chooses to add an X-header and is also a > SC reporter why is this a problem? > > > Ellen > SpamCop I did not read the original request as a mail server adding that line as much as the reporter himself adding it. And as Wazoo states, the addition of x-* headers should do no harm, but is a far different thing from the few very specific exceptions to the generic make no changes rule. The discussion referred to is how to word this in the FAQ to make it clear it is not OK to make other changes. Steve From nobody at devnull.spamcop.net Sat Jan 24 22:50:39 2009 From: nobody at devnull.spamcop.net (Wazoo) Date: Sat Jan 24 22:55:08 2009 Subject: [Scspamcop] Re: Bulk deletion References: Message-ID: "Joe Holt" wrote in message news:C5A09267.12F%sfjoe@devnull.spamcop.net... > Apparently, I have pissed off a spammer. I have 12,448 emails in > my inbox > and they are coming in faster than I can delete them. Is there a > way for a > bulk-deletion in excess of the 100 at a time? In the past, SpamCop e-mail support was to be handled in the spamcop.mail newsgroup. That was basically changed by the provider to the Forum. Your situation and answer was last provided in a Topic/Discussion found at http://forum.spamcop.net/forums/index.php?showtopic=10030 ... Linear Post #11 in that Discussion has what you asked for. The guess might be that the whole Topic is about the same spammer.
From snowbat at geocities.com Sat Jan 24 22:51:21 2009 From: snowbat at geocities.com (Snowbat) Date: Sat Jan 24 22:55:09 2009 Subject: [Scspamcop] Re: Again - truncated reporting address References: Message-ID: Problem with abuse@mundo-r.net http://www.spamcop.net/sc?action=rcache;ip=77.27.41.14 "whois 77.27.41.14@whois.arin.net" (Getting contact from whois.arin.net ) Redirect to ripe Display data: "whois 77.27.41.14@whois.ripe.net" (Getting contact from whois.ripe.net) whois.ripe.net found abuse contacts for 77.27.41.14 = abuse@mundo whois: 77.27.40.0 - 77.27.41.255 = abuse@mundo Routing details for 77.27.41.14 Using abuse net on abuse@mundo Using best contacts abuse@mundo <<<<<<< $ whois -h whois.ripe.net 77.27.41.14 .. inetnum: 77.27.40.0 - 77.27.41.255 netname: CABLEMODEM-NET descr: R Cable y Telecomunicaciones Galicia S.A .. abuse-mailbox: abuse@mundo-r.net From nobody at spamcop.net Sun Jan 25 08:13:23 2009 From: nobody at spamcop.net (Ellen) Date: Sun Jan 25 08:15:08 2009 Subject: [Scspamcop] Re: Again - truncated reporting address In-Reply-To: References: Message-ID: Snowbat wrote: > Problem with abuse@mundo-r.net > > > http://www.spamcop.net/sc?action=rcache;ip=77.27.41.14 > "whois 77.27.41.14@whois.arin.net" (Getting contact from whois.arin.net ) > Redirect to ripe > Display data: > "whois 77.27.41.14@whois.ripe.net" (Getting contact from > whois.ripe.net) > whois.ripe.net found abuse contacts for 77.27.41.14 = abuse@mundo > whois: 77.27.40.0 - 77.27.41.255 = abuse@mundo > Routing details for 77.27.41.14 > Using abuse net on abuse@mundo > Using best contacts abuse@mundo <<<<<<< > > > $ whois -h whois.ripe.net 77.27.41.14 > .. > inetnum: 77.27.40.0 - 77.27.41.255 > netname: CABLEMODEM-NET > descr: R Cable y Telecomunicaciones Galicia S.A > .. 
> abuse-mailbox: abuse@mundo-r.net > TY Ellen From borgholio at storymind.com Mon Jan 26 14:52:34 2009 From: borgholio at storymind.com (Borgholio) Date: Mon Jan 26 14:55:09 2009 Subject: [Scspamcop] Re: Bulk deletion In-Reply-To: References: Message-ID: Borgholio wrote: > me-no-no wrote: >> "Borgholio" wrote in message >> news:glg297$5np$1@news.spamcop.net... >>> me-no-no wrote: >>>> "Joe Holt" wrote in message >>>> news:C5A09267.12F%sfjoe@devnull.spamcop.net... >>>> Apparently, I have pissed off a spammer. I have 12,448 emails in my >>>> inbox and they are coming in faster than I can delete them. Is there >>>> a way for a bulk-deletion in excess of the 100 at a time? >> >>>> Nah - Nuthin personal - seems like most of us (spamcop.net >>>> addresses) are getting them :-( >>>> Assuming they are the "alwaysadultschatting" as per previous post >>>> subj: "Spamcop finding spamvertised url but not reporting it" >>>> More info on methods of bulk deleting this continuing cr*p - See >>>> last weeks thread - >>>> Subj: "Spambot stuck in the "on" position" Best of luck !! >>>> Regs >>>> MENO >> >>> - Really and I thought I was the only one getting that.. >> >> Far from it :-) >> >>> - Neat....4640 message in my held mail folder. >> >> You should be so lucky - I stopped counting at 15,000 + :-) >> Some reported - Most deleted - Again !! > > Well I'm reporting each and every single one, since I can do it all with > three clicks from my paid account. If the mailhost is so clueless to > allow a spambot to send this much email without any kind of alert or > throttle kicking in, they deserve to get 5k spam reports. Well it seems the flood has stopped. However there was so much of it that my email is backed up two days on my non-Spamcop accounts. 
:) From nobody at spamcop.net Mon Jan 26 15:51:54 2009 From: nobody at spamcop.net (Bar0) Date: Mon Jan 26 15:55:08 2009 Subject: [Scspamcop] Re: Bulk deletion References: Message-ID: "Borgholio" wrote in message news:gll495$65n$1@news.spamcop.net... > Borgholio wrote: >> me-no-no wrote: >>> "Borgholio" wrote in message >>> news:glg297$5np$1@news.spamcop.net... >>>> me-no-no wrote: >>>>> "Joe Holt" wrote in message >>>>> news:C5A09267.12F%sfjoe@devnull.spamcop.net... >>>>> Apparently, I have pissed off a spammer. I have 12,448 emails in my >>>>> inbox and they are coming in faster than I can delete them. Is there a >>>>> way for a bulk-deletion in excess of the 100 at a time? >>> >>>>> Nah - Nuthin personal - seems like most of us (spamcop.net addresses) >>>>> are getting them :-( >>>>> Assuming they are the "alwaysadultschatting" as per previous post >>>>> subj: "Spamcop finding spamvertised url but not reporting it" >>>>> More info on methods of bulk deleting this continuing cr*p - See last >>>>> weeks thread - >>>>> Subj: "Spambot stuck in the "on" position" Best of luck !! >>>>> Regs >>>>> MENO >>> >>>> - Really and I thought I was the only one getting that.. >>> >>> Far from it :-) >>> >>>> - Neat....4640 message in my held mail folder. >>> >>> You should be so lucky - I stopped counting at 15,000 + :-) >>> Some reported - Most deleted - Again !! >> >> Well I'm reporting each and every single one, since I can do it all with >> three clicks from my paid account. If the mailhost is so clueless to >> allow a spambot to send this much email without any kind of alert or >> throttle kicking in, they deserve to get 5k spam reports. > > Well it seems the flood has stopped. However there was so much of it that > my email is backed up two days on my non-Spamcop accounts. :) I don't have an SC mail account, and I got 2K+ messages before the spam filters at $DAYJOB kicked in. at 5-7K a piece that's several MB of mail. Enough to trigger a lot of quotas. 
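The truncated reporting address Snowbat reported earlier in this digest (abuse@mundo-r.net routed as abuse@mundo) is what a contact extractor produces when its address pattern stops at the hyphen. The following is an added example, not SpamCop's code: the buggy pattern is a hypothetical reconstruction of the symptom, the function names are assumptions, and the whois text is a constructed sample built from the fields quoted in that post.

```python
import re

# Constructed sample: the RIPE whois fields quoted in the post
# (the lines the post elided with ".." are not reproduced).
SAMPLE_WHOIS = """\
% constructed sample, not a live whois response
inetnum:        77.27.40.0 - 77.27.41.255
netname:        CABLEMODEM-NET
descr:          R Cable y Telecomunicaciones Galicia S.A
abuse-mailbox:  abuse@mundo-r.net
"""

# Hypothetical buggy pattern: \w matches neither '-' nor '.', so the
# match ends at the first hyphen in the domain.
NAIVE_ADDR = re.compile(r"\w+@\w+")

# Stricter shape check: hyphens allowed inside a DNS label (not at its
# ends), at least one dot, and an alphabetic top-level domain.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
STRICT_ADDR = re.compile(
    rf"^[A-Za-z0-9._%+-]+@(?:{_LABEL}\.)+[A-Za-z]{{2,63}}$"
)


def parse_whois_fields(text):
    """Return {field name: [values]} for 'key: value' whois lines."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "%#" or ":" not in line:
            continue  # blank line, comment, or not a field
        key, _, value = line.partition(":")
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def naive_abuse_contact(text):
    """Extract the contact the way the hypothetical buggy parser would."""
    for value in parse_whois_fields(text).get("abuse-mailbox", []):
        match = NAIVE_ADDR.search(value)
        if match:
            return match.group(0)
    return None


def is_routable(addr):
    """True only if addr has a full domain, including a TLD."""
    return STRICT_ADDR.match(addr) is not None


def abuse_contacts(text):
    """Return whole abuse-mailbox values that pass the shape check."""
    values = parse_whois_fields(text).get("abuse-mailbox", [])
    return [v for v in values if is_routable(v)]


if __name__ == "__main__":
    print("naive :", naive_abuse_contact(SAMPLE_WHOIS))
    print("strict:", abuse_contacts(SAMPLE_WHOIS))
```

Running `is_routable` on a cached contact before a report is sent catches a truncated entry such as abuse@mundo, because its domain has no TLD.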
From me at privacy.net Mon Jan 26 19:23:26 2009 From: me at privacy.net (Michael R N Dolbear) Date: Mon Jan 26 19:25:09 2009 Subject: [Scspamcop] Re: Terminate reporting-only account? References: <1itzp7g.1ocw0b6uj1c4gN%asterix@no_where.net> Message-ID: <01c97fe7$b837b000$LocalHost@default> RW wrote in > There's no reason for having multiple reporting accounts. You can > submit spam to a single account from any number of email accounts. > Mailhosts will assist in making sure there is no confusion in the > parsing engine. I don't agree. I have both a standard mailhosted account that came with SpamCop Mail and a non-mailhosted account which is useful for parsing other people's spam, spam received in mailboxen belonging to me-in-a-different-role and checking what's going on when the mailhosted parse look odd. I also have my original account which I try out changes to mailhosting on. -- Mike D From asterix at no_where.net Tue Jan 27 16:59:37 2009 From: asterix at no_where.net (Asterix) Date: Tue Jan 27 17:00:09 2009 Subject: [Scspamcop] Re: Terminate reporting-only account? References: <1itzp7g.1ocw0b6uj1c4gN%asterix@no_where.net> Message-ID: <1iu84kv.1ww4bio165eeoeN%asterix@no_where.net> RW wrote: > There's no reason for having multiple reporting accounts. You can > submit spam to a single account from any number of email accounts. > Mailhosts will assist in making sure there is no confusion in the > parsing engine. I know that - I learned long *after* having created my 5 accounts. At the time I wanted to separate the statistics (call me geek!) for the different addresses so it made sense. I was reporting 100+ spam/day. Now I only report what slips through the filters - a handful/day. Also, for some reason, when I tried "merging" 3 accounts, the mailhost configuration played me some really nasty surprises, making me report a non-standard service provider (an astronomy club!) a few times. > As for unused accounts, just leave them. 
There is no way of deleting > them from the system. Every spam report in the database has to > have an account to associate with, so we can't remove the accounts. Ok. point taken. I fully understand that. But then - can an account be deactivated indefinitely? Simply put - keep account, deny access. -- I recommend Macs to my friends, and Windows machines to those whom I don't mind billing by the hour From nobody at spamcop.net Tue Jan 27 20:01:32 2009 From: nobody at spamcop.net (bar0) Date: Tue Jan 27 20:05:08 2009 Subject: [Scspamcop] Re: Terminate reporting-only account? References: <1itzp7g.1ocw0b6uj1c4gN%asterix@no_where.net> <1iu84kv.1ww4bio165eeoeN%asterix@no_where.net> Message-ID: "Asterix" wrote in message news:1iu84kv.1ww4bio165eeoeN%asterix@no_where.net... > RW wrote: > .... > Ok. point taken. I fully understand that. > But then - can an account be deactivated indefinitely? > Simply put - keep account, deny access. You could do that yourself: Get yourself a 16 character random password pulled from William Gibsons site set it and forget it. From nobody at devnull.spamcop.net Tue Jan 27 20:04:01 2009 From: nobody at devnull.spamcop.net (Twayne) Date: Tue Jan 27 20:05:09 2009 Subject: [Scspamcop] Re: Terminate reporting-only account? References: <1itzp7g.1ocw0b6uj1c4gN%asterix@no_where.net> <1iu84kv.1ww4bio165eeoeN%asterix@no_where.net> Message-ID: > "Asterix" wrote in > message > news:1iu84kv.1ww4bio165eeoeN%asterix@no_where.net... >> RW wrote: >> > .... >> Ok. point taken. I fully understand that. >> But then - can an account be deactivated >> indefinitely? >> Simply put - keep account, deny access. > > You could do that yourself: > > Get yourself a 16 character random password > pulled from > William Gibsons site set it and forget it. lol, and "forget it" is to be taken literally I take it? 
Twayne From nobody at spamcop.net Tue Jan 27 22:17:30 2009 From: nobody at spamcop.net (bar0) Date: Tue Jan 27 22:20:08 2009 Subject: [Scspamcop] Re: Terminate reporting-only account? References: <1itzp7g.1ocw0b6uj1c4gN%asterix@no_where.net> <1iu84kv.1ww4bio165eeoeN%asterix@no_where.net> Message-ID: "Twayne" wrote in message news:gloatp$v21$1@news.spamcop.net... >> "Asterix" wrote in message >> news:1iu84kv.1ww4bio165eeoeN%asterix@no_where.net... >>> RW wrote: >>> >> .... >>> Ok. point taken. I fully understand that. >>> But then - can an account be deactivated indefinitely? >>> Simply put - keep account, deny access. >> >> You could do that yourself: >> >> Get yourself a 16 character random password pulled from >> William Gibsons site set it and forget it. > > lol, and "forget it" is to be taken literally I take it? Well unless you're the Rain Man, I would think it's inevitable. From asterix at no_where.net Wed Jan 28 16:36:06 2009 From: asterix at no_where.net (Asterix) Date: Wed Jan 28 16:40:08 2009 Subject: [Scspamcop] Re: Terminate reporting-only account? References: <1itzp7g.1ocw0b6uj1c4gN%asterix@no_where.net> <1iu84kv.1ww4bio165eeoeN%asterix@no_where.net> Message-ID: <1iu9yqm.1k2vcxobf8xq6N%asterix@no_where.net> bar0 wrote: > "Twayne" wrote in message > news:gloatp$v21$1@news.spamcop.net... > >> "Asterix" wrote in message > >> news:1iu84kv.1ww4bio165eeoeN%asterix@no_where.net... > >>> RW wrote: > >>> > >> .... > >>> Ok. point taken. I fully understand that. > >>> But then - can an account be deactivated indefinitely? > >>> Simply put - keep account, deny access. > >> > >> You could do that yourself: > >> > >> Get yourself a 16 character random password pulled from > >> William Gibsons site set it and forget it. > > > > lol, and "forget it" is to be taken literally I take it? > > Well unless you're the Rain Man, I would think it's inevitable. Thanks for the tip - the idea has actually crossed my mind...
-- I recommend Macs to my friends, and Windows machines to those whom I don't mind billing by the hour From V at nguard.LH Thu Jan 29 09:28:39 2009 From: V at nguard.LH (VanguardLH) Date: Thu Jan 29 09:30:08 2009 Subject: [Scspamcop] My ISP's spam reporting e-mail address is disabled in SpamCop Message-ID: According to my ISP's (Comcast) web help pages, and when using a local e-mail client, I am to use missed-spam@comcast.net to send copies of spam that get past their server-side filter. Okay, but when I configure my SpamCop reporting account to include that reporting address, SpamCop says it has disabled reporting to that e-mail address. Comcast wants me to report there so why won't SpamCop let me report there? From MikeE at ster.invalid Thu Jan 29 09:54:52 2009 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jan 29 09:55:08 2009 Subject: [Scspamcop] Re: My ISP's spam reporting e-mail address is disabled in SpamCop References: Message-ID: VanguardLH wrote: > According to my ISP's (Comcast) web help pages, and when using a local > e-mail client, I am to use missed-spam@comcast.net to send copies of > spam that get past their server-side filter. Okay, but when I configure > my SpamCop reporting account to include that reporting address, SpamCop > says it has disabled reporting to that e-mail address. Comcast wants me > to report there so why won't SpamCop let me report there? How a provider wants to hear from spamcop, which emails provider notifies by the millions (some providers consider spamcop notifies 'spam') is not the same as how a provider wants to hear from its clients (including missed spam). Providers and such automate their mail handling, so that mail to one address is handled one way, or by one department, while mail to another address is handled another way, another department. 
Some providers channel their 'missed-spam' username mail to go to a 3rd party enterprise level spam-filter-modifier (at EL it was once Brightmail, subsequently acquired by Symantec) -- whereas some providers may channel their spamcop notifies to a department with a completely different purpose. -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Thu Jan 29 14:59:42 2009 From: nobody at devnull.spamcop.net (Twayne) Date: Thu Jan 29 15:00:09 2009 Subject: [Scspamcop] Re: My ISP's spam reporting e-mail address is disabled in SpamCop References: Message-ID: > VanguardLH wrote: >> According to my ISP's (Comcast) web help pages, >> and when >> using a local e-mail client, I am to use >> missed-spam@comcast.net to send copies of spam >> that get >> past their server-side filter. Okay, but when >> I >> configure my SpamCop reporting account to >> include that >> reporting address, SpamCop says it has disabled >> reporting to that e-mail address. Comcast >> wants me to >> report there so why won't SpamCop let me report >> there? > > How a provider wants to hear from spamcop, which > emails > provider notifies by the millions (some > providers > consider spamcop notifies 'spam') is not the > same as how > a provider wants to hear from its clients > (including > missed spam). > > Providers and such automate their mail handling, > so that > mail to one address is handled one way, or by > one > department, while mail to another address is > handled > another way, another department. > > Some providers channel their 'missed-spam' > username mail > to go to a 3rd party enterprise level > spam-filter-modifier (at EL it was once > Brightmail, > subsequently acquired by Symantec) -- whereas > some > providers may channel their spamcop notifies to > a > department with a completely different purpose. But ... why won't spamcop allow reporting to missed... ? 
From MikeE at ster.invalid Thu Jan 29 15:11:51 2009 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jan 29 15:15:08 2009 Subject: [Scspamcop] Re: My ISP's spam reporting e-mail address is disabled in SpamCop References: Message-ID: Twayne wrote: >> VanguardLH wrote: >>> so why won't SpamCop let me report >>> there? > But ... why won't spamcop allow reporting to > missed... ? SC has a very sound policy to not be notifying/emailing addresses which don't want that mail. Many providers and mail admins find it unfortunate that you have to *tell* SC to not be notifying some address, rather than the default being 'do not email this address unless I ask for you to' -- which you would think that most antispammers would understand/assume, since we tend to think anyone who emails us something we didn't request is spam. -- Mike Easter kibitzer, not SC admin From V at nguard.LH Thu Jan 29 19:23:18 2009 From: V at nguard.LH (VanguardLH) Date: Thu Jan 29 19:25:09 2009 Subject: [Scspamcop] Re: My ISP's spam reporting e-mail address is disabled in SpamCop References: Message-ID: Mike Easter wrote: > Twayne wrote: >>> VanguardLH wrote: > >>>> so why won't SpamCop let me report >>>> there? > >> But ... why won't spamcop allow reporting to >> missed... ? > > SC has a very sound policy to not be notifying/emailing addresses which > don't want that mail. > > Many providers and mail admins find it unfortunate that you have to *tell* > SC to not be notifying some address, rather than the default being 'do not > email this address unless I ask for you to' -- which you would think that > most antispammers would understand/assume, since we tend to think anyone > who emails us something we didn't request is spam. "didn't request" meets one criteria of the rules regarding how to classify UBE/UCE mails. It was *unsolicited*. A particular recipient has no clue as to how many total recipients that bulk mail was sent. 
When you report spam, you have no clue as to how many copies were sent but only that you got one and that it was unsolicited. If users were required to know all parameters that define UBE/UCE e-mails, like the quantity of them sent, no one particular user could ever report on spam. From V at nguard.LH Thu Jan 29 19:37:12 2009 From: V at nguard.LH (VanguardLH) Date: Thu Jan 29 19:40:07 2009 Subject: [Scspamcop] Re: My ISP's spam reporting e-mail address is disabled in SpamCop References: Message-ID: Mike Easter wrote: > VanguardLH wrote: >> According to my ISP's (Comcast) web help pages, and when using a local >> e-mail client, I am to use missed-spam@comcast.net to send copies of >> spam that get past their server-side filter. Okay, but when I configure >> my SpamCop reporting account to include that reporting address, SpamCop >> says it has disabled reporting to that e-mail address. Comcast wants me >> to report there so why won't SpamCop let me report there? > > How a provider wants to hear from spamcop, which emails provider notifies > by the millions (some providers consider spamcop notifies 'spam') is not > the same as how a provider wants to hear from its clients (including > missed spam). > > Providers and such automate their mail handling, so that mail to one > address is handled one way, or by one department, while mail to another > address is handled another way, another department. > > Some providers channel their 'missed-spam' username mail to go to a 3rd > party enterprise level spam-filter-modifier (at EL it was once Brightmail, > subsequently acquired by Symantec) -- whereas some providers may channel > their spamcop notifies to a department with a completely different > purpose. This is something recent. Well, within the last few months. It has been a long time since I reported any spam to SpamCop. For a long time, the Comcast anti-spam filter has been sufficient and I received no spam. One leaked through the other day so I decided to report it. 
I have the missed-spam Comcast e-mail address in my Preferences as an external reporting target. I have to elect to include that target (because I have non-Comcast e-mail accounts and only include Comcast when the spam came through Comcast's e-mail service). It's probably been a few months since I last reported spam through SpamCop but back then the missed-spam Comcast reporting address was working. It was now that I see the status of the report submission telling me that the reporting address is disabled by SpamCop. So something has happened in the last couple of months regarding SpamCop reports sent to Comcast. That Comcast requested SpamCop to no longer send it spam reports is something recent. It was working for years before. There is also the problem that SpamCop is deciding to whom to not send spam reports that violate the user's own preferences. The election to send the spam report to missed-spam at Comcast was my choice in Preferences, not a default reporting address that SpamCop uses for Comcast. In my preferences, the missed-Comcast address is listed in "Public standard report recipients". So *I* am asking SpamCop to send the spam report to Comcast using the same e-mail address that I would use in a separate report without me having to go through the manual process of submitting my own separate report to Comcast (which is probably not going to be formatted as nicely as SpamCop's report). So if SpamCop is not going to send an additional copy of the spam report to where *I* ask them to, why bother providing this preference field? The FTC asked SpamCop to stop sending all spam reports to them, too, but previously I had spam@uce.gov because they would still accept reports by single users that opted to include the FTC. So why isn't SpamCop also disabling those spam reports to the FTC where the user has configured their Preferences to include the FTC? 
It seems ridiculous to provide the "Public standard report recipients" if SpamCop isn't going to send reports there. From nobody at spamcop.net Thu Jan 29 20:25:36 2009 From: nobody at spamcop.net (Steven Underwood) Date: Thu Jan 29 20:30:08 2009 Subject: [Scspamcop] Re: My ISP's spam reporting e-mail address is disabled in SpamCop References: Message-ID: "VanguardLH" wrote in message news:glti28$niv$1@news.spamcop.net... > There is also the problem that SpamCop is deciding to whom to not send > spam reports that violate the user's own preferences. The election to > send the spam report to missed-spam at Comcast was my choice in > Preferences, not a default reporting address that SpamCop uses for > Comcast. In my preferences, the missed-Comcast address is listed in > "Public standard report recipients". So *I* am asking SpamCop to send > the spam report to Comcast using the same e-mail address that I would > use in a separate report without me having to go through the manual > process of submitting my own separate report to Comcast (which is > probably not going to be formatted as nicely as SpamCop's report). Comcast has likely requested that SpamCop not send any reports to that address or they may even reject email from SpamCop's server. That is Comcast's decision. Perhaps they feel there are too many false reports that come in through SpamCop because it is too easy to report that way. From MikeE at ster.invalid Thu Jan 29 20:49:11 2009 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jan 29 20:50:08 2009 Subject: [Scspamcop] Re: My ISP's spam reporting e-mail address is disabled in SpamCop References: Message-ID: VanguardLH wrote: > There is also the problem that SpamCop is deciding to whom to not send > spam reports that violate the user's own preferences. If there are 3 parties, let's call them comcast, spamcop, and vanguard. Comcast sez to SC, don't mail me (at that address). Vanguard sez to SC, mail comcast (at that address). 
Am I understanding you to believe that the reporter (his wishes) is so important that SC is going to mail comcast (at that address)? If you believe that, you are mistaken. SC has a (specific and limited) role with its reporters. SC has a (rational and 'professional') role with providers. Reporters are 'important' to SC (as a mass body), but not so important that SC should be performing some action against its 'proper' relationship with providers. SC has a set of guidelines by which it interacts with its providers and a set of guidelines by which it interacts with its reporters. A useful concept that you may want to understand is how a paid reporter can 'appeal' to spamcop to notify a provider (which appeal isn't even available to the free reporter) -- but in the end, when the appeals are 'pealing' in the wilderness (the song is over now, my dear), the provider's wishes prevail and the SC reporter can go pound sand. Notifying he who doesn't want to be notified is always going to not. -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Thu Jan 29 20:52:22 2009 From: nobody at spamcop.net (Ellen) Date: Thu Jan 29 20:55:09 2009 Subject: [Scspamcop] Re: My ISP's spam reporting e-mail address is disabled in SpamCop In-Reply-To: References: Message-ID: VanguardLH wrote: > It's probably been a few months > since I last reported spam through SpamCop but back then the missed-spam > Comcast reporting address was working. It was now that I see the status > of the report submission telling me that the reporting address is > disabled by SpamCop. > > So something has happened in the last couple of months regarding SpamCop > reports sent to Comcast. That Comcast requested SpamCop to no longer > send it spam reports is something recent. It was working for years > before. > Comcast specifically asked to *not* have any SpamCop reports sent to missed-spam@comcast.net back in September. 
As Mike said further upthread, ISPs have various ways in which they process incoming spam reports from various sources and SpamCop reports apparently are not processed gracefully at the missed-spam address. They do accept SpamCop reports to the standard abuse address. If you also want to send spams to the missed-spam address you will have to do that manually. Ellen SpamCop From nobody at devnull.spamcop.net Thu Jan 29 21:04:30 2009 From: nobody at devnull.spamcop.net (Patto) Date: Thu Jan 29 21:05:08 2009 Subject: [Scspamcop] Very clever - too many links Message-ID: http://www.spamcop.net/sc?id=z2570588479z961a10e3001766e0d51b0c1754e2e867z There is only one visible link in this spam - http://www.online-casino-usa-club.com/ But the spammer has managed to sneak in several dozen "innocent bystander" addresses to confuse Spamcop, and avoid getting reported. From V at nguard.LH Thu Jan 29 22:10:39 2009 From: V at nguard.LH (VanguardLH) Date: Thu Jan 29 22:15:08 2009 Subject: [Scspamcop] Re: My ISP's spam reporting e-mail address is disabled in SpamCop References: Message-ID: Ellen wrote: > VanguardLH wrote: >> It's probably been a few months >> since I last reported spam through SpamCop but back then the missed-spam >> Comcast reporting address was working. It was now that I see the status >> of the report submission telling me that the reporting address is >> disabled by SpamCop. >> >> So something has happened in the last couple of months regarding SpamCop >> reports sent to Comcast. That Comcast requested SpamCop to no longer >> send it spam reports is something recent. It was working for years >> before. >> > > Comcast specifically asked to *not* have any SpamCop reports sent to > missed-spam@comcast.net back in September. As Mike said further > upthread, ISPs have various ways in which they process incoming spam > reports from various sources and SpamCop reports apparently are not > processed gracefully at the missed-spam address. 
They do accept SpamCop > reports to the standard abuse address. > > If you also want to send spams to the missed-spam address you will have > to do that manually. > > Ellen > SpamCop I'll send a communication to Comcast asking why their web help pages ask their users to send spam reports (of what their spam filter missed) but won't accept those same reports from SpamCop (by Comcast users). It wasn't that Comcast was the source of the spam; else, they'd be named in the standard abuse contact info to get a report from SpamCop. The idea is to let Comcast users who do not use their webmail agent but instead a local e-mail client have a means of getting the spam filter updated at Comcast for what they missed. After all, who other than Comcast users that are using SpamCop are going to be sending spam reports from SpamCop? Non-Comcast users would receive no benefit from reporting *missed* spam to Comcast to get their inbound spam filtering updated. Oh well, time to discuss with Comcast their inconsistency. Thanks for the info. From nobody at devnull.spamcop.net Fri Jan 30 11:24:10 2009 From: nobody at devnull.spamcop.net (Blue Rock) Date: Fri Jan 30 11:25:08 2009 Subject: [Scspamcop] Re: Very clever - too many links References: Message-ID: "Patto" wrote in message news:gltn7e$6nc$1@news.spamcop.net... > http://www.spamcop.net/sc?id=z2570588479z961a10e3001766e0d51b0c1754e2e867z > > There is only one visible link in this spam - > http://www.online-casino-usa-club.com/ > > But the spammer has managed to sneak in several dozen "innocent bystander" > addresses to confuse Spamcop, and avoid getting reported. You could manually report the site, if you wish:. The link resolves to IP address: 61.155.8.186 If you look up the WHOIS information for that IP address, you find the following address for reporting of spam: anti-spam [at] ns.chinanet.cn.net Also, if you look up the whois for the domain name in that link, you find that it is registered in Russia. 
Given that this domain name is registered in Russia, and hosted at an anonymous site in China, I tend to think that a report (Spamcop or manual) won't do any good anyway. As a Quick Reporter, the links in spam that I report are not processed. Only the source of the spam email is reported. I believe, as do others who post here, that reporting the links in spam is not worthwhile. I also wonder what mechanism exists to prevent Spamcop from reporting a link, should a spammer maliciously put innocent third-party links into a spam message, to cause trouble with those sites. From MikeE at ster.invalid Fri Jan 30 11:48:42 2009 From: MikeE at ster.invalid (Mike Easter) Date: Fri Jan 30 11:50:08 2009 Subject: [Scspamcop] Re: Very clever - too many links References: Message-ID: Blue Rock wrote: > As a Quick Reporter, the links in spam that I report are not processed. > Only the source of the spam email is reported. I believe, as do others > who post here, that reporting the links in spam is not worthwhile. I concur with quick reporting. Each person has to evaluate their own spam by researching it. My research leads me to the conclusion that regular reporting would be a bad idea for my spam. I conjecture that it would be a bad idea for almost all spam. I further opine that the default mode for spamcop should be changed away from notifying spamvertiser providers by default. I theorize that the current default mode for regular reporting is so configured to appease the mass of foolish spamcop reporters; by so appeasing to enhance the quantities of spamcop reports to contribute to the value of the SCbl. It seems many/most reporters believe that (all) notifying is generally a positive antispam move, rather than realizing that it is most often a waste of resources, bandwidth, and is often counterproductive aiding the spamgeneration process rather than hindering it. Spamcop puts out tons and tons of useless notifies per week. 
> I also wonder what mechanism exists to prevent Spamcop from reporting a > link, should a spammer maliciously put innocent third-party links into a > spam message, to cause trouble with those sites. A reporter has numerous options: regular reporting with unchecking of notifies such as spamvertiser provider, quick reporting, mole (non-)reporting. -- Mike Easter kibitzer, not SC admin From V at nguard.LH Fri Jan 30 13:10:48 2009 From: V at nguard.LH (VanguardLH) Date: Fri Jan 30 13:15:08 2009 Subject: [Scspamcop] Re: Very clever - too many links References: Message-ID: Mike Easter wrote: > Blue Rock wrote: > >> As a Quick Reporter, the links in spam that I report are not processed. >> Only the source of the spam email is reported. I believe, as do others >> who post here, that reporting the links in spam is not worthwhile. > > I concur with quick reporting. > > Each person has to evaluate their own spam by researching it. My research > leads me to the conclusion that regular reporting would be a bad idea for > my spam. I conjecture that it would be a bad idea for almost all spam. I > further opine that the default mode for spamcop should be changed away > from notifying spamvertiser providers by default. > > I theorize that the current default mode for regular reporting is so > configured to appease the mass of foolish spamcop reporters; by so > appeasing to enhance the quantities of spamcop reports to contribute to > the value of the SCbl. It seems many/most reporters believe that (all) > notifying is generally a positive antispam move, rather than realizing > that it is most often a waste of resources, bandwidth, and is often > counterproductive aiding the spamgeneration process rather than hindering > it. Spamcop puts out tons and tons of useless notifies per week. 
> >> I also wonder what mechanism exists to prevent Spamcop from reporting a >> link, should a spammer maliciously put innocent third-party links into a >> spam message, to cause trouble with those sites. > > A reporter has numerous options: regular reporting with unchecking of > notifies such as spamvertiser provider, quick reporting, mole > (non-)reporting. When reporting spam to SpamCop, my primary goal is to get the SpamCop blacklist updated. I don't expect much, if anything, to result from any spam abuse report sent to the source of the e-mail. If you use a blacklist, it behooves you to help update it. That's the real intention of spam reports to SpamCop. The sending of abuse reports is to placate those users that want to somehow punish the spammer. There is the "mole" reporting mode at SpamCop but I'm reluctant to change to it. By its own description, the report might be seen by admins but the description of this mode does not explicitly declare that mole reports will get the blacklist updated. It seems mole reporting is of no value unless the blacklist gets updated. If you submit reports to SpamCop then you do so because you use their blacklist and want to help others and yourself by updating the blacklist. The sending of reports is like hitting a disconnected crosswalk button: soothes the user but has no real effect. I've never seen an FTC report on an action taken against a spammer that noted it used evidence provided by a SpamCop user (that added the FTC reporting address to their reports) or from any other blacklist. I don't recall SpamCop touting that their spam reporting has any real overall effect. About the only blacklist that I've seen that makes claims that reports to it have resulted in actions against spammers is knujon. 
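Added example, not part of any post in this thread and not SpamCop's own parser: one way a reporter could separate the rendered link in an HTML spam from "innocent bystander" URLs before deciding which notifies to leave checked. The thread does not say how the extra addresses were inserted; HTML comments, hidden containers and empty anchors are assumed here, and the sample message with its .example hosts is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Elements that never get a closing tag, so they must not go on the stack.
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "wbr"}
# Inline CSS that keeps an element (and everything inside it) off screen.
HIDING_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?![.\d])",
    re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Constructed sample body: one rendered link, five URLs a reader never sees.
SAMPLE_HTML = """<html><body>
<!-- http://bystander-one.example/page http://bystander-two.example/ -->
<p>Play now at <a href="http://casino.example/">our club</a></p>
<div style="display:none"><a href="http://bystander-three.example/">news</a></div>
<a href="http://bystander-four.example/"></a>
<span style="font-size:0px"><a href="http://bystander-five.example/x">shop</a></span>
</body></html>"""


class LinkClassifier(HTMLParser):
    """Split the URLs of an HTML mail body into rendered links and the rest."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []       # (tag, hides_content) per open element
        self.anchor = None    # state of the <a href> currently open
        self.visible = []     # URLs a reader can actually see and click
        self.bystanders = []  # (url, reason) for URLs that are not rendered

    def _inside_hidden(self):
        return any(hides for _, hides in self.stack)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "img":
            # An image inside a link counts as visible link content.
            if self.anchor and not self._inside_hidden():
                self.anchor["content"] = True
            return
        if tag in VOID:
            return
        hides = "hidden" in attrs or bool(
            HIDING_CSS.search(attrs.get("style") or ""))
        self.stack.append((tag, hides))
        if tag == "a" and attrs.get("href"):
            self.anchor = {"href": attrs["href"], "content": False,
                           "hidden": self._inside_hidden()}

    def handle_data(self, data):
        if self.anchor and data.strip() and not self._inside_hidden():
            self.anchor["content"] = True

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerate unclosed children.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break
        if tag == "a" and self.anchor:
            a, self.anchor = self.anchor, None
            if a["hidden"]:
                self.bystanders.append((a["href"], "hidden-container"))
            elif not a["content"]:
                self.bystanders.append((a["href"], "no-visible-text"))
            else:
                self.visible.append(a["href"])

    def handle_comment(self, data):
        # URLs inside comments are never rendered but a naive scan finds them.
        for url in URL_RE.findall(data):
            self.bystanders.append((url, "html-comment"))


def classify_links(html):
    """Return (visible_urls, [(bystander_url, reason), ...])."""
    parser = LinkClassifier()
    parser.feed(html)
    parser.close()
    return parser.visible, parser.bystanders


def hosts_to_review(html):
    """Host names of the rendered links only: the candidates for a notify."""
    visible, _ = classify_links(html)
    hosts = (urlsplit(url).hostname for url in visible)
    return sorted({h for h in hosts if h})


if __name__ == "__main__":
    shown, hidden = classify_links(SAMPLE_HTML)
    print("rendered:", shown)
    for url, reason in hidden:
        print("not rendered:", reason, url)
```

A URL flagged as not rendered is a candidate for unchecking rather than proof of innocence; the reporter still decides per host.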
From nobody at devnull.spamcop.net Fri Jan 30 13:33:00 2009 From: nobody at devnull.spamcop.net (Blue Rock) Date: Fri Jan 30 13:35:08 2009 Subject: [Scspamcop] Re: Very clever - too many links References: Message-ID: "Mike Easter" wrote in message news:glvb1a$423$1@news.spamcop.net... > Blue Rock wrote: > >> I also wonder what mechanism exists to prevent Spamcop from reporting a >> link, should a spammer maliciously put innocent third-party links into a >> spam message, to cause trouble with those sites. > > A reporter has numerous options: regular reporting with unchecking of > notifies such as spamvertiser provider, quick reporting, mole > (non-)reporting. Yes, a reporter has those options. However, as you stated, there is a large population of Spamcop reporters, who believe that reporting the spamvertised links is worthwhile, and who may not take the time to uncheck those boxes when reporting spam. If a spammer maliciously puts an innocent third-party link in spam (as may have happened, according to the OP), and that spam is sent to multiple Spamcop reporters, then the web-site host of the innocent third party may receive multiple Spamcop reports. A host who is sensitive to issues of spam, and who has a zero-tolerance for spam policy, may be motivated to take down the site, after receiving many such reports. That was the gist of my statement in my posting ("I wonder what mechanism exists to prevent..."). From nobody at devnull.spamcop.net Fri Jan 30 13:50:35 2009 From: nobody at devnull.spamcop.net (Blue Rock) Date: Fri Jan 30 13:55:08 2009 Subject: [Scspamcop] Re: Very clever - too many links References: Message-ID: "VanguardLH" wrote in message news:glvfqq$s45$1@news.spamcop.net... > When reporting spam to SpamCop, my primary goal is to get the SpamCop > blacklist updated. I don't expect much, if anything, to result from any > spam abuse report sent to the source of the e-mail. If you use a > blacklist, it behooves you to help update it. 
That's the real intention > of spam reports to SpamCop. The sending of abuse reports is to placate > those users that want to somehow punish the spammer. I agree that the primary benefit of reporting spam is helping to maintain the blacklist. However, I know for a fact that some (very few) of my reports (Spamcop and manual) have resulted in action being taken against spammers using legitimate servers to send their mail. So, I do believe that there is some benefit to reporting the spam source. In certain rare cases, I will manually notify the hosts of spamvertised links, when I happen to notice that they seem to be otherwise legitimate hosting companies. But, for the most part, most spamvertised links are on black-hat hosts, or hosts who just don't care. So, I agree with Mike that Spamcop should not send those reports by default. From nobody at devnull.spamcop.net Fri Jan 30 13:51:39 2009 From: nobody at devnull.spamcop.net (Blue Rock) Date: Fri Jan 30 13:55:09 2009 Subject: [Scspamcop] Re: Very clever - too many links References: Message-ID: "VanguardLH" wrote in message news:glvfqq$s45$1@news.spamcop.net... > When reporting spam to SpamCop, my primary goal is to get the SpamCop > blacklist updated. I don't expect much, if anything, to result from any > spam abuse report sent to the source of the e-mail. If you use a > blacklist, it behooves you to help update it. That's the real intention > of spam reports to SpamCop. The sending of abuse reports is to placate > those users that want to somehow punish the spammer. I agree that the primary benefit of reporting spam is helping to maintain the blacklist. However, I know for a fact that some (very few) of my reports (Spamcop and manual) have resulted in action being taken against spammers using legitimate servers to send their mail. So, I do believe that there is some benefit to reporting the spam source. 
In certain rare cases, I will manually notify the hosts of spamvertised links, when I happen to notice that they seem to be otherwise legitimate hosting companies. But, for the most part, most spamvertised links are on black-hat hosts, or hosts who just don't care. So, I agree with Mike that Spamcop should not send those reports by default. From nobody at devnull.spamcop.net Fri Jan 30 13:56:31 2009 From: nobody at devnull.spamcop.net (Blue Rock) Date: Fri Jan 30 14:00:08 2009 Subject: [Scspamcop] Re: Very clever - too many links References: Message-ID: I apologize for the duplicate posting. Outlook Express reported an error, the first time I clicked the SEND button, so I clicked it again. I don't know why this happened. From pc77 at operamail.com Fri Jan 30 17:48:52 2009 From: pc77 at operamail.com (pc77) Date: Fri Jan 30 17:50:08 2009 Subject: [Scspamcop] Report span sent by my mail Message-ID: Hi. Someone is sending spam with my mail address. I'm not sure of report it because I'm afraid spamcop suppose is me. The headers show me that is not my smtp, just the mail address is mine. Do you think I should report it ? Please sorry for my english. From MikeE at ster.invalid Fri Jan 30 18:47:52 2009 From: MikeE at ster.invalid (Mike Easter) Date: Fri Jan 30 18:50:07 2009 Subject: [Scspamcop] Re: Report span sent by my mail References: Message-ID: pc77 wrote: > Hi. Someone is sending spam with my mail address. It is normal/ customary/ standard for spam to have a bogus From and spammers derive the bogus From from the same sources as they derive the spammees -- so spam will occur with your From and you will receive some of it. Some spammers (rather spam generation processes) specifically make the From correspond to a Rcpt to name, that is 'intentionally' put your - the spammee - address in the From. > I'm not sure of report > it because I'm afraid spamcop suppose is me. Nope, but the From will show in the SC report; whereas the To will be munged. 
That is, your address in the From will persist in the report unmunged by the standard SC mungeing process. > The headers show me that is > not my smtp, just the mail address is mine. Do you think I should report > it ? Sure. > Please sorry for my english. :-) Far better than my Spanish. -- Mike Easter kibitzer, not SC admin From pc77 at operamail.com Fri Jan 30 19:42:51 2009 From: pc77 at operamail.com (pc77) Date: Fri Jan 30 19:45:07 2009 Subject: [Scspamcop] Re: Report span sent by my mail References: Message-ID: Thanks. So I just forward the spam to that long address spamcop sent me to my mailbox? Another question: Can I forward it using any mail account or I have to use the one I use to register? On 30/01/2009 21:47:52, Mike Easter wrote: > pc77 wrote: >> Hi. Someone is sending spam with my mail address. > > It is normal/ customary/ standard for spam to have a bogus From and > spammers derive the bogus From from the same sources as they derive the > spammees -- so spam will occur with your From and you will receive some > of > it. Some spammers (rather spam generation processes) specifically make > the From correspond to a Rcpt to name, that is 'intentionally' put your - > the spammee - address in the From. > >> I'm not sure of report >> it because I'm afraid spamcop suppose is me. > > Nope, but the From will show in the SC report; whereas the To will be > munged. That is, your address in the From will persist in the report > unmunged by the standard SC mungeing process. > >> The headers show me that is >> not my smtp, just the mail address is mine. Do you think I should report >> it ? > > Sure. > >> Please sorry for my english. > > :-) Far better than my Spanish. > > > > -- 
> Mike Easter > kibitzer, not SC admin > From nobody at devnull.spamcop.net Fri Jan 30 20:44:57 2009 From: nobody at devnull.spamcop.net (Wazoo) Date: Fri Jan 30 20:45:08 2009 Subject: [Scspamcop] Re: My ISP's spam reporting e-mail address is disabled in SpamCop References: Message-ID: "VanguardLH" wrote in message news:glti28$niv$1@news.spamcop.net... > > The > FTC asked SpamCop to stop sending all spam reports to them, too, > but > previously I had spam@uce.gov because they would still accept > reports by > single users that opted to include the FTC. So why isn't SpamCop > also > disabling those spam reports to the FTC where the user has > configured > their Preferences to include the FTC? Your facts on this are wrong. Please see Posts #3 and #15 in the Topic at http://forum.spamcop.net/forums/index.php?showtopic=1972 From MikeE at ster.invalid Fri Jan 30 20:49:50 2009 From: MikeE at ster.invalid (Mike Easter) Date: Fri Jan 30 20:50:07 2009 Subject: [Scspamcop] Re: Report span sent by my mail References: Message-ID: pc77 wrote: > Thanks. So I just forward the spam to that long address spamcop sent me > to my mailbox? The long submit address is your personal and private email reporting address which corresponds to the account email address which you registered to be a spamcop reporter. The term 'forward' is ambiguous and is often a source of trouble. For example the mailuser agent OE Outlook Express has forward functions called 'forward' and 'forward as attachment' and it is imperative that spam submissions to spamcop be forwarded as attachment only, forward won't work at all. Your newsagent is Opera. SC's instructions for how to use each mailuser agent to submit spam do not include instructions for opera. I'm looking at an Opera client with which I'm not familiar, and its forward function gives the choice of forward or redirect. 
Opera's help section doesn't describe either forward or redirect as including the complete headers as is required by spamcop's reporting process. Are you planning on using Opera mail to submit your spam to the submit address or some other MUA mailuseragent? > Another question: Can I forward it usaing any mail > account or I have to use the one I use to register? If you have a MUA which can do the equivalent of OE's forward as attachment, it doesn't matter which account it is forwarded from. If you don't have such a MUA, it isn't going to work no matter which account you use. -- Mike Easter kibitzer, not SC admin From V at nguard.LH Fri Jan 30 22:12:22 2009 From: V at nguard.LH (VanguardLH) Date: Fri Jan 30 22:15:08 2009 Subject: [Scspamcop] Re: My ISP's spam reporting e-mail address is disabled in SpamCop References: Message-ID: Wazoo wrote: > "VanguardLH" wrote in message > news:glti28$niv$1@news.spamcop.net... >> >> The >> FTC asked SpamCop to stop sending all spam reports to them, too, >> but >> previously I had spam@uce.gov because they would still accept >> reports by >> single users that opted to include the FTC. So why isn't SpamCop >> also >> disabling those spam reports to the FTC where the user has >> configured >> their Preferences to include the FTC? > > Your facts on this are wrong. Please see Posts #3 and #15 in the > Topic at > http://forum.spamcop.net/forums/index.php?showtopic=1972 Yes, the FTC requested SpamCop stop sending the spam reports en masse. Individual SpamCop users are still allowed to specify the FTC reporting address so their individual reports get sent to the FTC. When I used to include the FTC (via Preference option), I never got back a non-delivery report and SpamCop's status (after submission) did not say it had disabled sending a copy of the spam report to the FTC (as it does now if I try to use the missed-spam Comcast address to send a copy of the spam report). 
http://www.spamcop.net/spamnews.shtml
2/11/2000: Extra reporting address for members: Send reports to anyone by default
To make up for taking away the uce@ftc.gov option, I have added an advanced preference for sending copies of your spam to any one or more email addresses. You can include uce@ftc.gov or any other address you want to get copies of your spam.

Note: That e-mail address has changed since then to spam@uce.gov.

From gezgin at spamcop.net.which.is.not.invalid Sat Jan 31 03:40:54 2009
From: gezgin at spamcop.net.which.is.not.invalid (Opinicus)
Date: Sat Jan 31 03:45:09 2009
Subject: [Scspamcop] Re: Report span sent by my mail
References:
Message-ID:

"pc77" wrote in message news:op.uoldnqkank5rv3@pc77...
> Hi. Someone is sending spam with my mail address. I'm not sure of report
> it because I'm afraid spamcop suppose is me. The headers show me that is
> not my smtp, just the mail address is mine. Do you think I should report
> it ?

I report these all the time. In fact I'm particularly aggressive about reporting them individually rather than using the "Quick report" feature and I frequently include a note like this:

These losers are forging my email address (gezgin@spamcop.net) in a lame attempt to circumvent spam filters. It doesn't work. Nevertheless, please make them stop. Thank you for your cooperation. rlb

I don't know that it has any effect but at least it feels good. ;-)

--
Bob
http://www.kanyak.com

From nobody at spamcop.net Sat Jan 31 08:15:37 2009
From: nobody at spamcop.net (Steven Underwood)
Date: Sat Jan 31 08:20:08 2009
Subject: [Scspamcop] Re: My ISP's spam reporting e-mail address is disabled in SpamCop
References:
Message-ID:

"VanguardLH" wrote in message news:gm0fij$sgn$1@news.spamcop.net...
>
> Yes, the FTC requested SpamCop stop sending the spam reports en masse.

Correct. Your ISP however has apparently requested it receive no reports in SpamCop's format.

I don't understand why you don't get this.
It was a decision by your ISP not to receive any further messages through SpamCop. They could reverse this decision by communicating that to the deputies.

From pc77 at operamail.com Sat Jan 31 09:02:40 2009
From: pc77 at operamail.com (pc77)
Date: Sat Jan 31 09:05:08 2009
Subject: [Scspamcop] Re: Report span sent by my mail
References:
Message-ID:

Thanks for your reply. I'm sending an example of the spam mail with full headers. I replaced my email address with pepe@hotmail.com. So it doesn't matter Opera is not available to send attached mails, I can always send a mail like this, right? Or I can use thunderbird to send it like attached.

HERE IS THE SPAM:

Delivered-To: pepe@gmail.com
Received: by 10.100.43.1 with SMTP id q1cs19759anq;
        Fri, 30 Jan 2009 12:03:07 -0800 (PST)
Received: by 10.229.96.13 with SMTP id f13mr1337103qcn.36.1233345786642;
        Fri, 30 Jan 2009 12:03:06 -0800 (PST)
Return-Path:
Received: from absoluteengineers.com ([85.204.6.95])
        by mx.google.com with SMTP id 34si2591348yxl.40.2009.01.30.12.03.04;
        Fri, 30 Jan 2009 12:03:06 -0800 (PST)
Received-SPF: neutral (google.com: 85.204.6.95 is neither permitted nor denied by domain of pepe@gmail.com) client-ip=85.204.6.95;
Authentication-Results: mx.google.com; spf=neutral (google.com: 85.204.6.95 is neither permitted nor denied by domain of pepe@gmail.com) smtp.mail=pepe@gmail.com <-- DOES THIS MEAN THEY SEND THE SPAM WITH MY REAL ACCOUNT??
Date: Fri, 30 Jan 2009 12:03:06 -0800 (PST)
Message-Id: <49835cfa.e203be0a.7b0d.ffffa2efSMTPIN_ADDED@mx.google.com>
To:
Subject: Throughout mail
From:
MIME-Version: 1.0
Importance: High
Content-Type: text/html

Tell a friend ?? Download latest version See this email as a webpage

Hello!

Shipped Privately And Discreetly To Your Door!

See this email as a  
webpage
  We want to put a great big grin on your face in 2009. You'll be to rejoice all year.  

Unsubscribe ?? Lost Password ?? Account Settings ?? Help ?? Terms of Service ?? Privacy

?? 2003-2009 CopS Limited.CopS Communications S.a.r.l., 22/24 Green St, Amsterdam L2994.

CopS, CopSIn, CopSOut, CopScasts, CopS Certified, CopSMe!, CopS Pro, CopSFind, CopS Prime, CopS To Go, associated logos and the Cops-symbol are trademarks of CopS Limited.

On 30/01/2009 23:49:50, Mike Easter wrote:

> pc77 wrote:
>> Thanks. So I just forward the spam to that long address spamcop sent me
>> to my mailbox?
>
> The long submit address is your personal and private email reporting
> address which corresponds to the account email address which you
> registered to be a spamcop reporter.
>
> The term 'forward' is ambiguous and is often a source of trouble. For
> example the mailuser agent OE Outlook Express has forward functions called
> 'forward' and 'forward as attachment' and it is imperative that spam
> submissions to spamcop be forwarded as attachment only, forward won't work
> at all.
>
> Your newsagent is Opera. SC's instructions for how to use each mailuser
> agent to submit spam do not include instructions for opera. I'm looking
> at an Opera client with which I'm not familiar, and its forward function
> gives the choice of forward or redirect.
>
> Opera's help section doesn't describe either forward or redirect as
> including the complete headers as is required by spamcop's reporting
> process. Are you planning on using Opera mail to submit your spam to the
> submit address or some other MUA mailuseragent?
>
>> Another question: Can I forward it using any mail
>> account or I have to use the one I use to register?
>
> If you have a MUA which can do the equivalent of OE's forward as
> attachment, it doesn't matter which account it is forwarded from. If you
> don't have such a MUA, it isn't going to work no matter which account you
> use.
>
>

From MikeE at ster.invalid Sat Jan 31 10:23:43 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Sat Jan 31 10:25:08 2009
Subject: [Scspamcop] Re: Report span sent by my mail
References:
Message-ID:

pc77 wrote:
> Thanks for your reply. I'm sending an example of the spam mail with
> full headers. I replaced my email address with pepe@hotmail.com. So it
> doesn't matter Opera is not available to send attached mails, I can
> always send a mail like this, right?
> Or I can use thunderbird to send it
> like attached.
>
> HERE IS THE SPAM:

Correct at least in part. If you use Opera's feature 'view all headers and message' you get the effect of what some call the 'message source' which is what the spamcop parser expects to parse. Certainly that message source can be pasted into the web parser. (But) There's a question about emailing, see below.

Certainly if you are handling your mail with Tbird, it can be configured to forward as attachment. In Tbird, the configuration (for forward vs forward as attachment) is handled separately, different from how OE is configured. In Tbird the forwarding 'mode' is handled in Preferences/ General tab - Forward messages - (choose) Inline or As attachment. Opera has no such configuration as that. If Tbird weren't so configured, its forward function wouldn't work.

Part of your question I'm not quite sure how to answer, because it is a fine point of precisely how the email parser works to interpret your spam's submission, and I'm not a spamcop programmer.

Normally 'forward as attachment' results in what is called a 'mime attachment structure' -- which the email parser recognizes.
That is (I believe) that the email parser is expecting to see the following in your email submission to the submit address:

-1- the headers of your email from whatever account you might send it and addressed to the specific submit address corresponding to your spamcop reporting address account
-2- the mime attachment structure resulting from email submitting a spam *forwarded as attachment*
-3- the headers of the spam sent to you followed by the body structure of the spam with or without additional 'internal' mime attachment structures followed by the end of the spam body structure
-4- if you are sending multiple spams attached to your own email to spamcop headers in -1- above, then the next mime attachment structure result from the next spam submitted as forward as attachment

The problem with your described scenario is that your description sounds as if you are going to be pasting a complete spam (copied from Opera's 'view all headers and message' and pasted inline), instead of with the appropriate and expected mime structure.

The result of that - such a pasted spam - will be inline structure instead of mime structure. I'm not sure if the email submit parser can accurately determine the end of your own headers to spamcop followed by a body of *inline* complete spam without a proper mime attachment structure to designate where your own mail structure to spamcop ends and the spam begins.

On a separate issue:

In a little bit we need to be discussing two housekeeping issues. One is about not posting spam into discussion groups and the other is about not top posting replies, but instead to post by attribute - trim - context.

--
Mike Easter
kibitzer, not SC admin

From me at privacy.net Sat Jan 31 12:59:34 2009
From: me at privacy.net (Michael R N Dolbear)
Date: Sat Jan 31 13:00:08 2009
Subject: [Scspamcop] Re: Report span sent by my mail
References:
Message-ID: <01c983ba$5172bf00$LocalHost@default>

Mike Easter wrote
> Nope, but the From will show in the SC report; whereas the To will be
> munged. That is, your address in the From will persist in the report
> unmunged by the standard SC mungeing process.

In fact "may show" rather than "will show" since the From: is munged sometimes - I posted a tracker here in which that happened.

From: munging *did* work
Here is your TRACKING URL
http://www.spamcop.net/sc?id=z2484463441z95ead4664f72bd11142a02210d10c6d
az

From: munging *didn't* work
Here is your TRACKING URL - 19:21 31Dec08
http://www.spamcop.net/sc?id=z2492063280z5b32e02cef609c84516f1dc11814316
7z

The URLs may break and need reassembly, note that the last character should be 'z'

--
Mike D

From pc77 at operamail.com Sat Jan 31 15:14:15 2009
From: pc77 at operamail.com (pc77)
Date: Sat Jan 31 15:15:08 2009
Subject: [Scspamcop] Re: Report span sent by my mail
References:
Message-ID:

The problem is that the spam mail is not received in any client because it goes directly to gmail spam folder, so I need to copy the headers or maybe I could move the mail to inbox folder and then download it in thunderbird. But I think that if I do that, I will have the problem that gmail will consider mails like that like no-spam since the moment I move it to inbox.

Hahah.. please sorry for all my questions and excuse me for my awful english. I'm not very sure if you understand me ok. I hope so.

On 31/01/2009 13:23:43, Mike Easter wrote:

> pc77 wrote:
>> Thanks for your reply. I'm sending an example of the spam mail with
>> full headers. I replaced my email address with pepe@hotmail.com.
>> So it doesn't matter Opera is not available to send attached mails, I can
>> always send a mail like this, right? Or I can use thunderbird to send it
>> like attached.
>>
>> HERE IS THE SPAM:
>
> Correct at least in part. If you use Opera's feature 'view all headers
> and message' you get the effect of what some call the 'message source'
> which is what the spamcop parser expects to parse. Certainly that message
> source can be pasted into the web parser. (But) There's a question about
> emailing, see below.
>
> Certainly if you are handling your mail with Tbird, it can be configured
> to forward as attachment. In Tbird, the configuration (for forward vs
> forward as attachment) is handled separately, different from how OE is
> configured. In Tbird the forwarding 'mode' is handled in Preferences/
> General tab - Forward messages - (choose) Inline or As attachment. Opera
> has no such configuration as that. If Tbird weren't so configured, its
> forward function wouldn't work.
>
> Part of your question I'm not quite sure how to answer, because it is a
> fine point of precisely how the email parser works to interpret your
> spam's submission, and I'm not a spamcop programmer.
>
> Normally 'forward as attachment' results in what is called a 'mime
> attachment structure' -- which the email parser recognizes.
> That is (I believe) that the email parser is expecting to see the
> following in your email submission to the submit address:
>
> -1- the headers of your email from whatever account you might send it and
> addressed to the specific submit address corresponding to your spamcop
> reporting address account
> -2- the mime attachment structure resulting from email submitting a spam
> *forwarded as attachment*
> -3- the headers of the spam sent to you followed by the body structure
> of the spam with or without additional 'internal' mime attachment
> structures followed by the end of the spam body structure
> -4- if you are sending multiple spams attached to your own email to
> spamcop headers in -1- above, then the next mime attachment structure
> result from the next spam submitted as forward as attachment
>
> The problem with your described scenario is that your description sounds
> as if you are going to be pasting a complete spam (copied from Opera's
> 'view all headers and message' and pasted inline), instead of with the
> appropriate and expected mime structure.
>
> The result of that - such a pasted spam - will be inline structure instead
> of mime structure. I'm not sure if the email submit parser can accurately
> determine the end of your own headers to spamcop followed by a body of
> *inline* complete spam without a proper mime attachment structure to
> designate where your own mail structure to spamcop ends and the spam
> begins.
>
> On a separate issue:
>
> In a little bit we need to be discussing two housekeeping issues. One is
> about not posting spam into discussion groups and the other is about not
> top posting replies, but instead to post by attribute - trim - context.
>
>

From MikeE at ster.invalid Sat Jan 31 15:44:43 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Sat Jan 31 15:45:09 2009
Subject: [Scspamcop] Re: Report span sent by my mail
References:
Message-ID:

pc77 top posted:
> The problem is that the spam mail is not received in any client because
> it goes directly to gmail spam folder,

Therefore the specifics of this discussion should be about reporting gmail spam, not some kind of generic discussion.

You should read this reporting gmail spam tutorial in the forum
http://forum.spamcop.net/forums/index.php?showtopic=4668 or http://snipr.com/b2ii8
Reporting GMail filtered spam - Tutorial

... and/or
http://forum.spamcop.net/forums/index.php?showtopic=8921 or http://snipr.com/b2im2
Steps to report Gmail spam as attachments via IMAP with Thunderbird,

Personally, I don't report the gmail spam -- but then I have a lot of my own attitudes about things which I wouldn't necessarily try to convince others.

However, I *would* try to convince you to not top post which you persist in doing. Top posting fails to attribute, which by itself isn't too bad. More importantly, most importantly, extremely importantly -- top posting fails to context. In failing to context, top posting actually impairs the quality of the reading and replying -- making it seem as if the top poster can't read (all of what the previous post said) and making it seem as if the top poster can't write (responsively to what was said before).

The way to context is #1 - trim, preferably aggressively - and #2 - context by placing your reply words directly under an empty line which is under the exact words to which your words are replying. You didn't do that. You hit reply and started typing on top - no trim, no context for your words.

Here's an illustration of how to properly reply
http://www.anta.net/misc/nnq/nquote.shtml
Q1: What is "quoting" in newsgroup postings? - Q2: How should I use the quoted text and arrange it with my own text?

Opera's cursor starts at the top of the reply. That is very close to where you should start trimming, right after the attribution. You should trim away every line of a reply to which you aren't going to directly reply, skip a line, type your reply, and trim everything else. Opera does autotrim sigs, so you won't have to do that.

--
Mike Easter
kibitzer, not SC admin

From bert at iphouse.com Sat Jan 31 16:50:42 2009
From: bert at iphouse.com (Bert Hyman)
Date: Sat Jan 31 16:55:09 2009
Subject: [Scspamcop] Re: My ISP's spam reporting e-mail address is disabled in SpamCop
References:
Message-ID:

In news:gltr31$lif$1@news.spamcop.net VanguardLH wrote:

> I'll send a communication to Comcast asking why their web help pages
> ask their users to send spam reports (of what their spam filter
> missed) but won't accept those same reports from SpamCop (by Comcast
> users).

If the report comes to them via Spamcop, they won't know that it came from a Comcast user. Regardless, Comcast apparently simply doesn't want Spamcop reports, period.

Why not set up a mailing list or alias or whatever your email client uses to include both your spamcop reporting address and Comcast's reporting address and send your spam to that list?

--
Bert Hyman St. Paul, MN bert@iphouse.com

From V at nguard.LH Sat Jan 31 18:30:55 2009
From: V at nguard.LH (VanguardLH)
Date: Sat Jan 31 18:35:08 2009
Subject: [Scspamcop] Re: My ISP's spam reporting e-mail address is disabled in SpamCop
References:
Message-ID:

Steven Underwood wrote:
> "VanguardLH" wrote in message
> news:gm0fij$sgn$1@news.spamcop.net...
>>
>> Yes, the FTC requested SpamCop stop sending the spam reports en masse.
>
> Correct. Your ISP however has apparently requested it receive no reports in
> SpamCop's format.
>
> I don't understand why you don't get this. It was a decision by your ISP
> not to receive any further messages through SpamCop. They could reverse
> this decision by communicating that to the deputies.

I do get it.
See my reply to Ellen. However, their choice seems arbitrary. It is SpamCop's policy to comply with those requests regardless of their insanity. Presumably the same information in a user's manually delivered spam report would already be in the SpamCop report. Same stuff, same address but not allowed from SpamCop but allowed from their customer.

The only SpamCop users that would be sending *missed* spam reports to Comcast would be Comcast customers using SpamCop to facilitate a report in a standardized form (rather than hacking together something a bit different every time you report it yourself). The SpamCop user isn't reporting a spam originated from Comcast. The SpamCop user would be reporting *missed* spam which Comcast has permitted a means to report to get their spam filter updated. Non-Comcast users would have no reason to be sending spam reports to Comcast's missed-spam address as they receive no benefit from Comcast updating their spam filter as a consequence.

I think this is more of a survival tactic by those at Comcast that have to deal with the spam reports. As with the FTC, they simply cannot handle all the SpamCop-using Comcast customers that were issuing spam reports from SpamCop. That also means they couldn't handle that load from their own users that directly e-mail the spam report without using SpamCop. They don't want to expend the resources to handle that load. They know that cutting off SpamCop will lower the missed-spam reports to a trickle, especially since the vast majority of other Comcast users that I've spoken with didn't even have a clue that such a reporting address existed. They want their users using the automated spam adjustment mechanism in their webmail agent (where you click on a Spam button to identify missed spam). This alleviates them having to employ more people to handle the manual instigated missed-spam reports.
If every SpamCop-using Comcast customer were to always submit their own separate spam report to their missed-spam address (like including yourself in a copy of SpamCop's report and then resending that to Comcast), they'd probably just turn off that missed-spam account or have it automatically dump those reports into the bit bucket. By turning off the avenue for SpamCop-generated reports, Comcast has effectively declared that they don't really bother handling the missed-spam reports because they just don't have the manpower for it.

It obviously is their choice and I agree that SpamCop should comply. It just caught me off guard since I had included Comcast's missed-spam address for a couple years now at SpamCop. Obviously I haven't submitted a spam report in quite awhile if SpamCop complied with Comcast's cutoff request back in September.

From V at nguard.LH Sat Jan 31 18:47:53 2009
From: V at nguard.LH (VanguardLH)
Date: Sat Jan 31 18:50:07 2009
Subject: [Scspamcop] Re: My ISP's spam reporting e-mail address is disabled in SpamCop
References:
Message-ID:

Bert Hyman wrote:
> In news:gltr31$lif$1@news.spamcop.net VanguardLH wrote:
>
>> I'll send a communication to Comcast asking why their web help pages
>> ask their users to send spam reports (of what their spam filter
>> missed) but won't accept those same reports from SpamCop (by Comcast
>> users).
>
> If the report comes to them via Spamcop, they won't know that it came
> from a Comcast user. Regardless, Comcast apparently simply doesn't want
> Spamcop reports, period.

They still won't know even if I send it myself directly to their missed-spam address. They do NOT reject such reports when submitted from a non-Comcast e-mail account. That is, I do not need to use my Comcast e-mail account to submit the missed-spam report to them. So they *do* accept such reports from a reporter outside of their own accounts.

You might ask why would I submit a spam report through a non-Comcast e-mail account.
I don't but it's not improbable that it could happen. An example is someone that uses Gmail to yank e-mails from other POP accounts to aggregate them into one account to facilitate a user that doesn't use a local e-mail client but just uses the webmail agent. They don't want to login to a dozen different domains to use their webmail agent for a dozen different e-mail accounts that the user has active. They would like one place to look at all their e-mails using just one webmail agent. Gmail isn't the only e-mail provider that yanks from other POP accounts. There are many e-mail providers or services that let the user collect all their e-mails from all their different accounts into one place. And that one place, which is not a Comcast account, is from where the user will most likely issue their spam report to the missed-spam address at Comcast.

You don't need to do any login to authenticate yourself as a Comcast customer to send spam reports to their missed-spam address. And you don't need to send that spam report from a Comcast account. So Comcast has no means of validating that reports sent to their missed-spam address are indeed only from Comcast customers. But just who else would send a spam report there? Non-Comcast customers receive no benefit in trying to update Comcast's inbound spam filter. Only Comcast customers, regardless from where they send the report, would be sending spam reports to that missed-spam address.

> Why not set up a mailing list or alias or whatever your email client
> uses to include both your spamcop reporting address and Comcast's
> reporting address and send your spam to that list?

I gave up using the mail-submit process for SpamCop a long time ago. For free reporting accounts, there is way too much delay before I get back the confirmation e-mail from SpamCop. I may not be at my computer when they send their confirmation e-mail which adds further delay.
In fact, there have been times when I submitted the spam report via e-mail but didn't get back to my computer for a couple days and then the report is too old (I think 2 days is the max age threshold). I also like the technical report available when using the web interface for SpamCop reporting since I want to double-check that the parsing and analysis by SpamCop and to whom go the reports looks okay. Nowadays, I get few spams that leak past the server-side filter so it's a more rare occasion for me as to when I submit a spam report through SpamCop.

I figure what I'll do is include my own e-mail address in the "Personal copies of outgoing reports" option in Preferences for my SpamCop account. That way, I will get a copy of the SpamCop abuse report. When it arrives in my mailbox, I'll just forward it to the missed-spam address at Comcast. Actually I'll reply but change the To header to the missed-spam address since I have Outlook configured to forward as attachment (so the recipient gets the actual original message, including headers; inline forwarding is always an edited copy of the original). I doubt Comcast accepts or can handle attachments in spam reports so I'll just send SpamCop's report as the body of my report. So Comcast is still going to get what it rejected: a SpamCop report. I doubt there would be anything in the way of further information that wouldn't already be available in the SpamCop-generated report.
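
Added example, not part of any post in this thread and not SpamCop's code: the difference between "forward as attachment" and an inline paste that Mike Easter describes above (items -1- to -4-), shown with Python's standard `email` package. The spam source, the reporter address and the submit address are constructed placeholders, and the function names are hypothetical.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# Constructed sample "message source" of a spam: headers, blank line, body.
# Hosts and addresses are reserved documentation values, not from the thread.
SPAM_SOURCE = """\
Received: from mail.example.net ([192.0.2.95])
 by mx.example.org with SMTP id abc123;
 Fri, 30 Jan 2009 12:03:06 -0800 (PST)
From: <victim@example.org>
To: <victim@example.org>
Subject: Throughout mail
MIME-Version: 1.0
Content-Type: text/html

<html><body>Shipped privately to your door!</body></html>
"""
REPORTER = "reporter@example.com"                # hypothetical sending account
SUBMIT_ADDR = "submit.PLACEHOLDER@spam.example"  # hypothetical submit address


def new_submission(sender, submit_addr):
    """Item -1-: the reporter's own headers, addressed to the submit address."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = submit_addr
    msg["Subject"] = "spam report"
    return msg


def forward_as_attachment(spam_sources, sender=REPORTER, submit_addr=SUBMIT_ADDR):
    """Items -2- to -4-: each spam becomes its own message/rfc822 MIME part."""
    msg = new_submission(sender, submit_addr)
    msg.set_content("Spam attached.")
    for source in spam_sources:
        spam = message_from_string(source, policy=policy.default)
        msg.add_attachment(spam)  # a Message object is attached as message/rfc822
    return msg.as_string()


def forward_inline(spam_source, sender=REPORTER, submit_addr=SUBMIT_ADDR):
    """The pasted variant: the spam source is just text in the reporter's body."""
    msg = new_submission(sender, submit_addr)
    msg.set_content("HERE IS THE SPAM:\n\n" + spam_source)
    return msg.as_string()


def attached_spams(raw_submission):
    """Return the embedded spam messages a MIME-aware parser can recover."""
    outer = message_from_string(raw_submission, policy=policy.default)
    return [part.get_payload(0)              # the complete original message
            for part in outer.iter_parts()   # empty for a non-multipart mail
            if part.get_content_type() == "message/rfc822"]


def summarize(raw_submission):
    """Show where the spam's headers ended up in a submission."""
    outer = message_from_string(raw_submission, policy=policy.default)
    body = outer.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    spams = attached_spams(raw_submission)
    return {
        "outer_type": outer.get_content_type(),
        # Received lines seen as real headers of the submission itself
        "outer_received": outer.get_all("Received", []),
        "spam_subjects": [str(s["Subject"]) for s in spams],
        "spam_received_counts": [len(s.get_all("Received", [])) for s in spams],
        # True when the spam's headers survive only as plain body text
        "spam_headers_in_body": "Received: from" in text,
    }


if __name__ == "__main__":
    print(summarize(forward_as_attachment([SPAM_SOURCE, SPAM_SOURCE])))
    print(summarize(forward_inline(SPAM_SOURCE)))
```

In the attachment form the MIME boundary marks where the reporter's mail ends and each spam begins, so the spam's own Received chain comes back as headers; in the inline form the same lines are only body text, with nothing structural separating them from the reporter's words.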