From nobody at devnull.spamcop.net Wed Jul 1 19:20:06 2009
From: nobody at devnull.spamcop.net (Twayne)
Date: Wed Jul 1 19:20:04 2009
Subject: [Scspamcop] Re: Is Spamcop down?
References:
Message-ID:

"Ellen" wrote in message news:h2duhk$9el$1@news.spamcop.net
> Tim McGraw wrote:
>> Ellen wrote:
>>> System Operations is working on the issue.
>>
>> It seems to be back up. That was fast.
>
> Well yes and no -- it's actually an intermittent issue and they are
> still working on it. So I would expect that the possibility of the
> site going down again is still there ...
>
>
> Ellen
> SpamCop

Woof! Lousy timing; there are also dangerous thunder/lightning storms on the east coast making the backbones intermittent too. Seems like anything south of a line from Rochester to Albany right now and fingers down to DC, best I can fathom. We're looking at local microbursts, 2" hail, >70mph wind gusts & 0 visibility during the bursts.

I get my info thru the Weatherbug & local airport if it matters. You can see where a lot of stuff is by tracking the hourly lightning strikes & wind direction.

Twayne`

From pantheus at spamcop.net Wed Jul 1 19:35:18 2009
From: pantheus at spamcop.net (ken)
Date: Wed Jul 1 19:40:04 2009
Subject: [Scspamcop] trying to build blacklist
Message-ID:

Lately (last several weeks) I've been having way too much leakage of spam from the mail handling service to my real inbox - hundred or more a day.

So, I'm trying to build a solid blacklist from return:path but finding that most are msn or sH*tmail or have forged one of my many domain names, for that to be very effective. It would be impossible for me to define a list of known addresses that were allowed in.

I can't eliminate msn or sH*tmail because of the nature of who and where many may be writing from or have reply-to set. Nor can I from any of my domain names due to mailman lists on several names.
I have set all domain names to feed xxxxx@spamcop.net, and have judiciously pruned the white list to only absolutely necessary, known entities. Yet way too much leaks.

Am I kidding myself to think a blacklist will help?

Is there any other way to get around this? Short of course blocking msn or sH*tmail?

And yes, I know this is mail service related, but I do only nntp - don't go to the zoo (over there).

From nobody at devnull.spamcop.net Thu Jul 2 00:42:49 2009
From: nobody at devnull.spamcop.net (Wazoo)
Date: Thu Jul 2 00:45:04 2009
Subject: [Scspamcop] Re: trying to build blacklist
References:
Message-ID:

"ken" wrote in message news:h2grrm$pko$1@news.spamcop.net...
>
> And yes, I know this is mail service related, but I do only
> nntp - don't
> go to the zoo (over there).

Not very well I'd say. Perhaps at least one visit to the zoo might be useful, say perhaps looking at the various "SpamCop Newsgroup" Wiki pages, at least starting with - http://forum.spamcop.net/scwik/SpamCopNewsgroups ....

Apparently you don't see the need for taking the time to read all the stuff that other users have tried to generate as FAQ data 'over there' but you're willing to ask others to take their time to re-invent the wheel just so it's NNTP ..????

> So, I'm trying to build a solid blacklist from return:path

In general, that's pretty off the wall these days. Gazillions of new Domains created a day, most spam these days using forged header data, on and on. Pretty useless plan, actually.

> It would be impossible for me to define a
> list of known addresses that were allowed in.

See above.

> Is there any other way to get around this? Short of course
> blocking
> msn or sH*tmail?

Just as 'over in the zoo' .... you'd get a better answer to a specific issue if you'd have provided a Tracking URL of a specific spam in question. Your much-too-general query could be answered with exactly the same all-too-general answer here (or over there) ....
build real filters, use BLs, change SpamAssassin thresholds, etc. etc. etc. ....

Again, this is something that does have much traffic in existence 'over there' .... don't be so damned lazy, biased, whatever .. go to where the data is, compare notes with other users, etc.

From tmcgraw at spamcop.net Thu Jul 2 01:24:46 2009
From: tmcgraw at spamcop.net (Tim McGraw)
Date: Thu Jul 2 01:25:04 2009
Subject: [Scspamcop] Re: trying to build blacklist
In-Reply-To:
References:
Message-ID:

ken wrote:
> Lately (last several weeks) I've been having way too much leakage of spam
> from the mail handling service to my real inbox - hundred or more a day.

A common symptom of white-listing your OWN email address (particularly your spamcop address).

From DeathToSpam at crazyhat.net Thu Jul 2 01:58:35 2009
From: DeathToSpam at crazyhat.net (DevilsPGD)
Date: Thu Jul 2 02:00:03 2009
Subject: [Scspamcop] Re: trying to build blacklist
References:
Message-ID:

In message ken was claimed to have wrote:

>Lately (last several weeks) I've been having way too much leakage of spam
>from the mail handling service to my real inbox - hundred or more a day.
>
>So, I'm trying to build a solid blacklist from return:path but finding
>that most are msn or sH*tmail or have forged one of my many domain names,
>for that to be very effective. It would be impossible for me to define a
>list of known addresses that were allowed in.
>
>I can't eliminate msn or sH*tmail because of the nature of who and where
>many may be writing from or have reply-to set. Nor can I from any of my
>domain names due to mailman lists on several names.
>
>I have set all domain names to feed xxxxx@spamcop.net, and have
>judiciously pruned the white list to only absolutely necessary, known
>entities. Yet way too much leaks.
>
>Am I kidding myself to think a blacklist will help?
>
>Is there any other way to get around this? Short of course blocking msn
>or sH*tmail?
>
>And yes, I know this is mail service related, but I do only nntp - don't
>go to the zoo (over there).

It's been a couple years since I did any testing, but at one point when I had a large number of users submitting mail into a bayesian learning system I started building a blacklist of Return-Path and From headers which was then used in log-only mode going forward against mail that wasn't already whitelisted or authenticated.

What I found was that there is effectively zero value in blacklisting addresses that have previously spammed you. There were a couple hits, well under 1% though, but conversely there were nearly as many false positives too due to intentional address collisions by spammers.

The scammer spammers (drugs, porn, trojans, fake rolexes, etc) randomize their addresses and virtually never use the same address twice, so the technique was useless against these guys.

The mainsleeze big-business spammers tend to use something VERP-like where the MAIL FROM rotates on each message in an effort to track bounces and deliverability rates, so the technique failed here as well.

419ers had a slightly higher hitrate since many of them actually receive mail at the same addresses from which they send, so they can't just randomize addresses as easily. Unfortunately phishing messages and viruses caused higher false positive rates since some of these mimic mail from large legitimate companies.

Even without the false positives (which admittedly could probably be handled without a ton of pain) the actual hit rate was too low to be worth the time and energy invested in the technique.

I'll also mention that these tests were performed after my DNS-BLs and a few other HELO/EHLO/rDNS tests completed, so my numbers were entirely based on the messages I might have otherwise accepted, one might argue that this skews the numbers, but to this straw-man I'd respond that you should use a decent DNS-BL and save yourself this headache.

From pantheus at spamcop.net Thu Jul 2 02:32:00 2009
From: pantheus at spamcop.net (ken)
Date: Thu Jul 2 02:35:04 2009
Subject: [Scspamcop] Re: trying to build blacklist
References:
Message-ID:

On Wed, 01 Jul 2009 22:58:35 -0700, DevilsPGD wrote:

> In message ken
> was claimed to have wrote:
>
>>Lately (last several weeks) I've been having way too much leakage of
>>spam from the mail handling service to my real inbox - hundred or more
>>a day.

Well, at least one great reply, thanks DevilsPGD !
and a plonk.....

It is as I suspected....
and no, I don't have any of my addresses whitelisted.
and I agree that the injecters using msn who is claiming to be anti-spam yet in at least my case the biggest enabler.

So, I leave with thanks to two.... and will continue on down the path...

ttfn. (and thanks)

From pantheus at spamcop.net Thu Jul 2 16:41:26 2009
From: pantheus at spamcop.net (ken)
Date: Thu Jul 2 16:45:12 2009
Subject: [Scspamcop] Re: trying to build blacklist - Solution found
Message-ID:

I have finally discovered why this became a problem.
This particularly bad pill spammer was setting headers including:
tests=BAYES_00 and autolearn=ham
so SpamAssassin was running it as ham, and not spam so I need to
retrain SA on my server with sa-learn with a ton of his junk.
Now clearer vision is in sight....

From user at domain.invalid Thu Jul 2 21:24:57 2009
From: user at domain.invalid (Farelf)
Date: Thu Jul 2 21:25:03 2009
Subject: [Scspamcop] Re: trying to build blacklist
In-Reply-To:
References:
Message-ID:

Charles wrote:
> No way it was me! It was ken !
>
>> Well, at least one great reply [...]
>> and a plonk.....
>
> So, hey, would you mind, ever so much, putting me in your KF, too? I'd
> appreciate it!

+1

From dritz at mindspring.com Sun Jul 5 00:28:44 2009
From: dritz at mindspring.com (David Ritz)
Date: Sun Jul 5 00:30:05 2009
Subject: [Scspamcop] Re: trying to build blacklist - Solution found
In-Reply-To:
References:
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thursday, 02 July 2009 20:41 -0000, in article , ken wrote:

> I have finally discovered why this became a problem.
> This particularly bad pill spammer was setting headers including:
> tests=BAYES_00 and autolearn=ham
> so SpamAssassin was running it as ham, and not spam so I need to
> retrain SA on my server with sa-learn with a ton of his junk.
> Now clearer vision is in sight....

  GNU nano 2.0.9        File: .spamassassin/user_prefs

<...>
# Set headers which may provide inappropriate cues to the Bayesian
# classifier
#
bayes_ignore_header X-Bogosity
bayes_ignore_header X-Spam-Flag
bayes_ignore_header X-Spam-Status
<...>

- --
David Ritz
Be kind to animals; kiss a shark.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (Darwin)
Comment: Public Keys:

iEYEARECAAYFAkpQK/wACgkQUrwpmRoS3usoSwCg1VyRAoLdEFIbfMd3iLkiyS/i
hBwAoMnWL4NhDwike/gPnOb6Rs+sBboE
=UsRT
-----END PGP SIGNATURE-----

From bcs1 at spamcop.net Sun Jul 5 16:27:27 2009
From: bcs1 at spamcop.net (Bill)
Date: Sun Jul 5 16:30:03 2009
Subject: [Scspamcop] is this a good reject message for SPF fail rejection?
Message-ID:

Hi, Your email is being rejected, your SPF records are not setup correctly for your domain. This must be properly setup. If you are a spammer using a forged address to get your unwanted spam into an email inbox on this server, "Sucks to be you, Huh?"

thoughts, comments?

Thanks in advance..
Bill

From MikeE at ster.invalid Sun Jul 5 17:20:50 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Jul 5 17:25:03 2009
Subject: [Scspamcop] Re: is this a good reject message for SPF fail rejection?
References:
Message-ID:

Bill wrote:
> Hi, Your email is being rejected, your SPF records are not setup
> correctly for your domain. This must be properly setup. If you are a
> spammer using a forged address to get your unwanted spam into an email
> inbox on this server, "Sucks to be you, Huh?"
>
> thoughts, comments?

I don't think that trying to converse with a spamgenerator process (or even conceiving of the spamprocess as if there were such a thing as a humanoid spammerperson transacting with a server) is useful.

Also, I would rejection notice politely and very briefly but helpfully as if/ on the 'assumption' that/ the person whose mail was rejected was a realperson non-spammer, a friend whose mail you wanted who simply needs to SPF.

(As if - With an attitude that) You are inconveniencing them - your wanted mail sender - to satisfy your own mail server's requirements.

-- 
Mike Easter
kibitzer, not SC admin

From nobody at nowhere.not Mon Jul 6 02:19:15 2009
From: nobody at nowhere.not (Robert Blair)
Date: Mon Jul 6 02:20:03 2009
Subject: [Scspamcop] Re: is this a good reject message for SPF fail rejection?
References:
Message-ID:

On Sun, 5 Jul 2009 20:27:27 UTC, "Bill" wrote:

> Hi, Your email is being rejected, your SPF records are not setup correctly
> for your domain. This must be properly setup. If you are a spammer using a
> forged address to get your unwanted spam into an email inbox on this server,
> "Sucks to be you, Huh?"

You did not say if that was a "real bounce" or a "fake bounce". My guess is that it is a fake bounce and should be reported as the spam it is.

-- 
Robert Blair

From DeathToSpam at crazyhat.net Mon Jul 6 07:29:37 2009
From: DeathToSpam at crazyhat.net (DevilsPGD)
Date: Mon Jul 6 07:30:04 2009
Subject: [Scspamcop] Re: is this a good reject message for SPF fail rejection?
References:
Message-ID: <63t25557dlr5psdo1lr9qpaaufea308u6l@4ax.com>

In message "Bill" was claimed to have wrote:

>Hi, Your email is being rejected, your SPF records are not setup correctly
>for your domain. This must be properly setup. If you are a spammer using a
>forged address to get your unwanted spam into an email inbox on this server,
>"Sucks to be you, Huh?"
>
> thoughts, comments?

Honestly, it's much too long. Not all mail servers return multiline errors back to the sender, and many truncate even a single line.

I'd probably go for something like "SPF failed" and throw in a URL.

From g.hyde at bigNOSPAMpond.net.au Mon Jul 6 09:01:22 2009
From: g.hyde at bigNOSPAMpond.net.au (Geoffrey Hyde)
Date: Mon Jul 6 09:05:03 2009
Subject: [Scspamcop] Re: is this a good reject message for SPF fail rejection?
References:
Message-ID:

"Bill" wrote in message news:h2r2bf$bue$1@news.spamcop.net...
> Hi, Your email is being rejected, your SPF records are not setup correctly
> for your domain. This must be properly setup. If you are a spammer using a
> forged address to get your unwanted spam into an email inbox on this
> server, "Sucks to be you, Huh?"
>
> thoughts, comments?

Ignore the temptation to poke fun at the spammers, and instead make the message brief and to the point, probably with a URL that points them to your SPF policies. (Which should also be brief and to the point, no sensible person will want to wade through a 5,000 word essay of tripe on what *you* think they should be doing with their configurations, just to find out if you included a contact address.)

Cheers ... Geoffrey Hyde

From bcs1 at spamcop.net Mon Jul 6 10:15:54 2009
From: bcs1 at spamcop.net (Bill)
Date: Mon Jul 6 10:20:03 2009
Subject: [Scspamcop] Re: is this a good reject message for SPF fail rejection?
References:
Message-ID:

"Bill" wrote in message news:h2r2bf$bue$1@news.spamcop.net...
> Hi, Your email is being rejected, your SPF records are not setup correctly
> for your domain.
> This must be properly setup. If you are a spammer using a
> forged address to get your unwanted spam into an email inbox on this
> server, "Sucks to be you, Huh?"
>
> thoughts, comments?
>
> Thanks in advance..
> Bill
>
>

Thanks all... :) I still like poking fun at the spammers though LOL

Hi, This email was rejected; SPF records status = 'fail'. Please see http://en.wikipedia.org/wiki/Sender_Policy_Framework for information on SPF records and their purpose.

Thank you
Bill

From ppearson at nowhere.invalid Tue Jul 14 11:33:48 2009
From: ppearson at nowhere.invalid (Peter Pearson)
Date: Tue Jul 14 11:35:04 2009
Subject: [Scspamcop] Someone's phishing Spamcop users again
Message-ID:

I've just received two emails purporting to be from "SpamCop Webmaster online ", telling me that if I don't reply with my username and password, my account will be deleted immediately, "to prevent it from arming our subscriber unit."

-- 
To email me, substitute nowhere->spamcop, invalid->net.

From user at domain.invalid Tue Jul 14 12:54:49 2009
From: user at domain.invalid (Farelf)
Date: Tue Jul 14 12:55:04 2009
Subject: [Scspamcop] Re: Someone's phishing Spamcop users again
In-Reply-To:
References:
Message-ID:

Peter Pearson wrote:
...
> my account will be deleted immediately, "to
> prevent it from arming our subscriber unit."

LOL - thanks for the heads up too, Peter. An armed subscriber unit! {snort ... chuckle} A little whimsy in the morning is good.

From ppearson at nowhere.invalid Wed Jul 15 11:03:44 2009
From: ppearson at nowhere.invalid (Peter Pearson)
Date: Wed Jul 15 11:05:03 2009
Subject: [Scspamcop] Bad guys' new trick
Message-ID:

It seems the bad guys are looking for node names in the "Received:" lines of Spamcop reports. The "From:" line in the following spam includes two (invalid) names at eleodes.pearson.localdomain, which of course is not a useable domain. I suppose they're hoping I've whitelisted it.

http://www.spamcop.net/sc?id=z3121725118zaf990bf18b1c5039b795dbd91b876f42z

Is there any reason that a legitimate message would have multiple addresses on the "From:" line?

-- 
To email me, substitute nowhere->spamcop, invalid->net.

From nobody at devnull.spamcop.net Wed Jul 15 11:44:18 2009
From: nobody at devnull.spamcop.net (Lou)
Date: Wed Jul 15 11:45:03 2009
Subject: [Scspamcop] Re: Bad guys' new trick
In-Reply-To:
References:
Message-ID:

Peter Pearson wrote, On 7/15/2009 9:03 AM:
>
> Is there any reason that a legitimate message would have
> multiple addresses on the "From:" line?
>

Because some mail app may display "Get, Thinner, x" in the FROM column??

From nobody at spamcop.net Wed Jul 15 12:31:47 2009
From: nobody at spamcop.net (Bar0)
Date: Wed Jul 15 12:35:03 2009
Subject: [Scspamcop] Re: Bad guys' new trick
References:
Message-ID:

"Peter Pearson" wrote in message news:h3kr4g$d0f$1@news.spamcop.net...
;;;
>
> Is there any reason that a legitimate message would have
> multiple addresses on the "From:" line?

I do it occasionally to up to 3 or so recipients. That way no one feels like a "cc" (inlaws on "cc", outlaws on "to" or vsv?)

From MikeE at ster.invalid Wed Jul 15 21:51:49 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Jul 15 21:55:03 2009
Subject: [Scspamcop] Re: Bad guys' new trick
References:
Message-ID:

Charles wrote:
>> I wonder if I can even do that...
>
> I tried with t-bird/gmail. It looked like it worked on the client end
> but on the recipient end it was totally normal as if it had come
> straight from me. Sigh.

Gmail isn't a good smtp server to use for bogosity in the From, except what is permitted and described using the webmail. If you use a client and configure its From bogus, gmail uses/ replaces your bogosity with/ values associated with the account.

With other accounts, such as EL's earthlink's, I can configure my From however I like and EL's smtp server will respect my values.

I haven't tried, but if I were going to try to put several From's, I would EL's server to experiment with, not gmail's.

-- 
Mike Easter
kibitzer, not SC admin

From blacklist-me at davjam.org Wed Jul 15 22:06:33 2009
From: blacklist-me at davjam.org (David Bolt)
Date: Wed Jul 15 22:35:03 2009
Subject: [Scspamcop] Re: Bad guys' new trick
References:
Message-ID:

On Wed, 15 Jul 2009, Peter Pearson wrote:-

>It seems the bad guys are looking for node names in the
>"Received:" lines of Spamcop reports. The "From:" line in
>the following spam includes two (invalid) names at
>eleodes.pearson.localdomain, which of course is not a
>useable domain. I suppose they're hoping I've whitelisted
>it.
>
>http://www.spamcop.net/sc?id=z3121725118zaf990bf18b1c5039b795dbd91b876f42z
>
>Is there any reason that a legitimate message would have
>multiple addresses on the "From:" line?

I can't think of any reasons and didn't think it was actually legal, however it is allowed by RFC 5322:

3.6.2. Originator Fields

   The originator fields of a message consist of the from field, the
   sender field (when applicable), and optionally the reply-to field.
   The from field consists of the field name "From" and a comma-
   separated list of one or more mailbox specifications. If the from
   field contains more than one mailbox specification in the mailbox-
   list, then the sender field, containing the field name "Sender" and a
   single mailbox specification, MUST appear in the message. In either
   case, an optional reply-to field MAY also be included, which contains
   the field name "Reply-To" and a comma-separated list of one or more
   addresses.

Of course, the spam isn't compliant. There should be a Sender: header, since there's more than one From: mailbox, and there isn't one. This isn't really surprising though.

Regards,
David Bolt

-- 
Team Acorn: http://www.distributed.net/ OGR-NG @ ~100Mnodes RC5-72 @ ~1Mkeys/s
openSUSE 10.3 32b | openSUSE 11.0 32b | | openSUSE 10.3 64b | openSUSE 11.0 64b | openSUSE 11.1 64b
RISC OS 3.6 | RISC OS 3.11 | openSUSE 11.1 PPC | TOS 4.02

From ppearson at nowhere.invalid Thu Jul 16 13:17:00 2009
From: ppearson at nowhere.invalid (Peter Pearson)
Date: Thu Jul 16 13:20:03 2009
Subject: [Scspamcop] Re: Bad guys' new trick
References:
Message-ID:

On Thu, 16 Jul 2009 03:06:33 +0100, David Bolt wrote:
> On Wed, 15 Jul 2009, Peter Pearson wrote:-
[snip]
>>Is there any reason that a legitimate message would have
>>multiple addresses on the "From:" line?
>
> I can't think of any reasons and didn't think it was actually legal,
> however it is allowed by RFC 5322:
>
> 3.6.2. Originator Fields
>
> The originator fields of a message consist of the from field, the
> sender field (when applicable), and optionally the reply-to field.
> The from field consists of the field name "From" and a comma-
> separated list of one or more mailbox specifications. If the from
> field contains more than one mailbox specification in the mailbox-
> list, then the sender field, containing the field name "Sender" and a
> single mailbox specification, MUST appear in the message. In either
> case, an optional reply-to field MAY also be included, which contains
> the field name "Reply-To" and a comma-separated list of one or more
> addresses.
>
> Of course, the spam isn't compliant. There should be a Sender: header,
> since there's more than one From: mailbox, and there isn't one. This
> isn't really surprising though.

Ha! Thanks for the background.

-- 
To email me, substitute nowhere->spamcop, invalid->net.
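
The rule quoted above from RFC 5322 section 3.6.2, together with the internal node name seen in the spam's From: line, can be checked mechanically. The following is an added example, not part of any post in this thread; the function name, the internal_domains parameter, the local parts and the example.* hosts are constructed for illustration, and the internal-domain test assumes it is run only on mail arriving from outside.

```python
from email import message_from_string, policy

# Constructed sample modelled on the spam described in the thread: two
# mailboxes in From:, both at the recipient's internal node name, no Sender:.
SPAM = (
    "Received: from relay.example.net (relay.example.net [192.0.2.10])\n"
    "\tby eleodes.pearson.localdomain; Wed, 15 Jul 2009 09:00:00 -0700\n"
    "From: alpha@eleodes.pearson.localdomain, beta@eleodes.pearson.localdomain\n"
    "To: reader@example.org\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

# Constructed sample that satisfies section 3.6.2: two authors, one Sender.
COMPLIANT = (
    "From: first@example.org, second@example.org\n"
    "Sender: secretary@example.org\n"
    "To: reader@example.org\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

# Constructed sample with the ordinary single-author form.
SINGLE = (
    "From: first@example.org\n"
    "To: reader@example.org\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

NO_SENDER = "multiple From mailboxes but no Sender field"
BAD_SENDER = "Sender field must hold exactly one mailbox"


def originator_findings(raw, internal_domains=()):
    """Return a list of problems with the From/Sender fields of one message.

    internal_domains (hypothetical parameter) lists host names that exist
    only inside the recipient's network, such as the node names that leak
    through Received: lines. Mail from outside has no reason to use them.
    """
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    from_fields = msg.get_all("From", [])
    sender_fields = msg.get_all("Sender", [])

    # RFC 5322 allows each of these fields at most once; From is mandatory.
    if len(from_fields) != 1:
        findings.append(f"expected exactly one From field, found {len(from_fields)}")
    if len(sender_fields) > 1:
        findings.append(f"expected at most one Sender field, found {len(sender_fields)}")

    # With policy.default every address header exposes parsed Address objects.
    mailboxes = [a for field in from_fields for a in field.addresses]
    senders = [a for field in sender_fields for a in field.addresses]

    # Section 3.6.2: several From mailboxes make a Sender field mandatory.
    if len(mailboxes) > 1 and not sender_fields:
        findings.append(NO_SENDER)
    if sender_fields and len(senders) != 1:
        findings.append(BAD_SENDER)

    # The whitelist-bait case: an outside message claiming an inside name.
    internal = {d.lower() for d in internal_domains}
    for mailbox in mailboxes:
        if mailbox.domain.lower() in internal:
            findings.append(f"From mailbox {mailbox.addr_spec} claims internal-only domain")

    return findings


if __name__ == "__main__":
    for label, raw in (("spam", SPAM), ("compliant", COMPLIANT), ("single", SINGLE)):
        print(label, originator_findings(raw, ["eleodes.pearson.localdomain"]))
```
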

From me at privacy.net Sat Jul 18 15:13:53 2009
From: me at privacy.net (Michael R N Dolbear)
Date: Sat Jul 18 15:15:02 2009
Subject: [Scspamcop] Re: Bad guys' new trick
References:
Message-ID: <01ca07aa$803a0040$LocalHost@default>

David Bolt wrote
> On Wed, 15 Jul 2009, Peter Pearson wrote:-
>
> >It seems the bad guys are looking for node names in the
> >"Received:" lines of Spamcop reports. The "From:" line in
> >the following spam includes two (invalid) names at
> >Is there any reason that a legitimate message would have
> >multiple addresses on the "From:" line?
>
> I can't think of any reasons and didn't think it was actually legal,
> however it is allowed by RFC 5322:
>
> 3.6.2. Originator Fields
>
> The originator fields of a message consist of the from field, the
> sender field (when applicable), and optionally the reply-to field.
> The from field consists of the field name "From" and a comma-
> separated list of one or more mailbox specifications. If the from
> field contains more than one mailbox specification in the mailbox-
> list, then the sender field, containing the field name "Sender" and a
> single mailbox specification, MUST appear in the message. In either
> case, an optional reply-to field MAY also be included, which contains
> the field name "Reply-To" and a comma-separated list of one or more
> addresses.

Thanks from me too.

One additional problem, what the email has in the From: field may not be what the spammer sent.

Thus on a mailing list (which uses "Reply-to:" in the usual way for "Reply to list") I noticed that when user "Chris Fr" took the valid option of not publishing their email address the From: field was generated and sent out as "Chris Fr" (without the quotes) which was converted in various ways by email servers to make it valid.

Via Freeserve I got it as

From: Chris@me.freeserve.com; Fr@me.freeserve.com

Filling in a pseudo-domain related to the receiving mailbox is common but AOL users showed "UnknownSender@UnknownDomain".

In the same way I get Spam sent with no From: or Sender: fields so my email server helpfully adds.

Sender: 70112494@yahoo.com (derived from envelope by postmaster@mail-8.uk.tiscali.com)

-- 
Mike D

From nobody at devnull.spamcop.net Sun Jul 26 22:02:59 2009
From: nobody at devnull.spamcop.net (Patto)
Date: Sun Jul 26 22:05:03 2009
Subject: [Scspamcop] No reporting addresses found for 122.34.85.197
Message-ID:

http://www.spamcop.net/sc?id=z3158645153z616d7b21f3506224a7a134f7a1a51f62z

namiai.com = 122.34.85.197 = Xpeed = LG Powercomm Korea

Reporting addresses:
abuse@powercomm.com
abuse@lgpwc.com

From guy.chapman at spamcop.net Wed Jul 29 13:29:54 2009
From: guy.chapman at spamcop.net (Just zis Guy, you know?)
Date: Wed Jul 29 13:30:03 2009
Subject: [Scspamcop] Spam volumes
Message-ID:

Is it just me or is more crap getting through at the moment? I went for a long time with no more than two or three spam messages a day, these days it's half a dozen an hour. Virtually all are for watches or acai berry (and I am tempted to set up a subject blacklist on my server for the word "oprah" as this is a 100% proof-positive indicator of spam).

This increase seems to be since the volumes went back up after Srizbi got taken out, but that might just be me looking for a pattern where none exists.

Guy
-- 
http://www.chapmancentral.co.uk

From MikeE at ster.invalid Wed Jul 29 14:56:59 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Jul 29 15:00:03 2009
Subject: [Scspamcop] Re: Spam volumes
References:
Message-ID:

Just zis Guy, you know? wrote:
> Is it just me or is more crap getting through at the moment?

Not very long ago I changed my spam management experimentally to see the result of doing that.

I have earthlink and gmail mailservice I use regularly. EL's mailboxes allow 3 classes of filtration, high, default, and none. EL's medium/default leaks. EL's high is whitelisted only requiring management of suspect.

Previously I used EL none and filtered everything - all the spam - from EL with SpamPal, which I could tweak to hardly leak at all. More recently I've been using EL high and managing suspect which mailbox gradually only contains spam as the whitelist evolves.

Gmail's (almost) never leaked and still doesn't.

The consequence of all of that is that I basically don't get any spam via gmail or EL, so I can't comment personally on anything increasing or decreasing.

-- 
Mike Easter
kibitzer, not SC admin

From guy.chapman at spamcop.net Wed Jul 29 17:36:31 2009
From: guy.chapman at spamcop.net (Just zis Guy, you know?)
Date: Wed Jul 29 17:40:03 2009
Subject: [Scspamcop] Re: Spam volumes
References:
Message-ID:

On Wed, 29 Jul 2009 11:56:59 -0700, "Mike Easter" wrote:

>I have earthlink and gmail mailservice I use regularly

Do you have SpamCop pick those up and forward them? I have a number of pop3 accounts and SC picks them all up, filters and then forwards to my mail server at home. Oddly I get virtually no spam on my own domain other than to webmaster.

Guy
-- 
http://www.chapmancentral.co.uk

From MikeE at ster.invalid Wed Jul 29 17:52:32 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Jul 29 17:55:02 2009
Subject: [Scspamcop] Re: Spam volumes
References:
Message-ID:

Just zis Guy, you know? wrote:
> "Mike Easter"
>> I have earthlink and gmail mailservice I use regularly
>
> Do you have SpamCop pick those up and forward them?

No. I don't have any kind of spamcop mail account.

Previously when I was getting unfiltered EL spam separated into Junk by SpamPal (which used SCBL among other bl/s), I submitted my junk to SC for the bl. But now I don't get or submit any spam.

It would be too much trouble/inconvenience to me to fetch the gmail and EL spam (and suspect) from their spam folders on the EL & gmail servers.

And since I'm not using SP with its SCBL, it also wouldn't feedback benefit to me directly the way it did before -- that is, with the old configuration I was both using and contributing to the SCBL. Now I'm using EL & gmail filters instead of SP's SCBL.

> I have a number
> of pop3 accounts and SC picks them all up, filters and then forwards
> to my mail server at home. Oddly I get virtually no spam on my own
> domain other than to webmaster.

-- 
Mike Easter
kibitzer, not SC admin

From nobody at nowhere.not Thu Jul 30 13:26:20 2009
From: nobody at nowhere.not (Robert Blair)
Date: Thu Jul 30 13:30:03 2009
Subject: [Scspamcop] Re: Spam volumes
References:
Message-ID:

On Wed, 29 Jul 2009 17:29:54 UTC, "Just zis Guy, you know?" wrote:

> Is it just me or is more crap getting through at the moment? I went
> for a long time with no more than two or three spam messages a day,
> these days it's half a dozen an hour. Virtually all are for watches
> or acai berry (and I am tempted to set up a subject blacklist on my
> server for the word "oprah" as this is a 100% proof-positive indicator
> of spam).
>
> This increase seems to be since the volumes went back up after Srizbi
> got taken out, but that might just be me looking for a pattern where
> none exists.

My spam has gone down from a year ago. I don't let my ISP filter my email. I would guess that the spammers have changed their spam enough to bypass your ISP's filters.

-- 
Robert Blair

From nobody at spamcop.net Thu Jul 30 13:50:07 2009
From: nobody at spamcop.net (Bar0)
Date: Thu Jul 30 13:55:03 2009
Subject: [Scspamcop] Re: Spam volumes
References:
Message-ID:

"Robert Blair" wrote in message news:TECQXhvKj0FX-pn2-wti8gfIlx2ld@Saturn.home...
> On Wed, 29 Jul 2009 17:29:54 UTC, "Just zis Guy, you know?"
> wrote:
>
>> Is it just me or is more crap getting through at the moment? I went
>> for a long time with no more than two or three spam messages a day,
>> these days it's half a dozen an hour.
>> Virtually all are for watches
>> or acai berry (and I am tempted to set up a subject blacklist on my
>> server for the word "oprah" as this is a 100% proof-positive indicator
>> of spam).
>>
>> This increase seems to be since the volumes went back up after Srizbi
>> got taken out, but that might just be me looking for a pattern where
>> none exists.
>
> My spam has gone down from a year ago. I don't let my ISP filter my
> email. I
> would guess that the spammers have changed their spam enough to bypass
> your
> ISP's filters.
>
>
> --
> Robert Blair

My spam is down, but all my ISP's do heavy filtering, I suspect transient increases, and decreases in spam are due to lag between updating filters/blocklists or other tests, and spammers attempts to circumvent them. Overall, Global spam volumes (such as can be measured) are up apparently.

From bcs1 at spamcop.net Fri Jul 31 08:54:37 2009
From: bcs1 at spamcop.net (Bill)
Date: Fri Jul 31 08:55:04 2009
Subject: [Scspamcop] Re: Spam volumes
References:
Message-ID:

"Bar0" wrote in message news:h4smgg$pi2$1@news.spamcop.net...
>
> My spam is down, but all my ISP's do heavy filtering, I suspect transient
> increases, and decreases in spam are due to lag between updating
> filters/blocklists or other tests, and spammers attempts to circumvent
> them. Overall, Global spam volumes (such as can be measured) are up
> apparently.

I've found that if I set spf= fail rejection on my server that my daily spam drops to about 5 or 10 % of the volume that it normally gets, the only problem there is that many people's spf records aren't set right for their mailserver or their ISP's mailserver isn't set right, so some of my friend's emails are also being rejected by the server... *sigh...

Bill

From MikeE at ster.invalid Fri Jul 31 09:28:04 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Jul 31 09:30:04 2009
Subject: [Scspamcop] Re: Spam volumes
References:
Message-ID:

Bill wrote:
> I've found that if I set spf= fail rejection on my server that my daily
> spam drops to about 5 or 10 % of the volume that it normally gets, the
> only problem there is that many people's spf records aren't set right
> for their mailserver or their ISP's mailserver isn't set right, so some
> of my friend's emails are also being rejected by the server...

Once upon a time, the spf would reject too much goodmail, but nowadays it is 'good' if wanted-spf-poor-mail gets rejected, because those who haven't yet, need to fix their spf.

-- 
Mike Easter
kibitzer, not SC admin
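
The failure mode discussed in the last two messages (a wanted sender whose SPF record omits the ISP relay it actually mails through) can be reproduced offline. The following is an added example, not code from any poster or from a real mail server: a reduced SPF evaluator that handles only the ip4, ip6, include and all mechanisms, fed from a constructed table in place of DNS. The domains, addresses (documentation ranges) and policy URL are placeholders, and the one-line reply follows the "SPF failed" plus URL suggestion made earlier in the thread.

```python
import ipaddress

# Qualifier prefix -> SPF result when the mechanism matches (RFC 7208).
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed records. The friend's domain lists only its own office range
# but sends through the ISP relay at 198.51.100.25.
BROKEN = "v=spf1 ip4:192.0.2.0/24 -all"
FIXED = "v=spf1 ip4:192.0.2.0/24 include:_spf.isp.example -all"
TXT = {"_spf.isp.example": "v=spf1 ip4:198.51.100.0/24 -all"}  # stand-in for DNS


def check_spf(record, client_ip, txt_records=None, _depth=0):
    """Evaluate an SPF record for client_ip and return the result name.

    Reduced sketch: ip4, ip6, include and all only. Modifiers such as
    redirect= are skipped, and mechanisms that need live DNS (a, mx, ptr,
    exists) raise NotImplementedError.
    """
    if _depth > 10:                      # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                    # no usable SPF record published
    ip = ipaddress.ip_address(client_ip)

    for term in terms[1:]:
        if "=" in term:                  # modifier (redirect=, exp=): not handled
            continue
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            return RESULT[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"       # malformed network in the record
            if net.version == ip.version and ip in net:
                return RESULT[qualifier]
        elif name == "include":
            target = (txt_records or {}).get(arg.lower(), "")
            inner = check_spf(target, client_ip, txt_records, _depth + 1)
            if inner == "pass":          # only a pass in the included record matches
                return RESULT[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
            if inner == "temperror":
                return "temperror"
        else:
            raise NotImplementedError(f"mechanism {name!r} needs live DNS")
    return "neutral"                     # nothing matched and no 'all' term


def reject_line(result, policy_url="https://example.org/spf"):
    """Return a single-line SMTP rejection for an SPF fail, else None."""
    if result != "fail":
        return None
    # 5.7.23 is the enhanced status code for "SPF validation failed" (RFC 7372).
    return f"550 5.7.23 SPF failed, see {policy_url}"


if __name__ == "__main__":
    for label, record in (("broken", BROKEN), ("fixed", FIXED)):
        for ip in ("198.51.100.25", "203.0.113.9"):
            result = check_spf(record, ip, TXT)
            print(label, ip, result, reject_line(result))
```
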