From nobody at devnull.spamcop.net Mon Jun 1 13:26:47 2009 From: nobody at devnull.spamcop.net (Twayne) Date: Mon Jun 1 13:30:03 2009 Subject: [Scspamcop] OT Re: Is this really from optusnet or is it another spammer trick? References: <4A219C3D.9020302@spamcop.net> Message-ID: Tim McGraw wrote: > Twayne wrote: >> Mike Easter wrote: >> >>> I could change this Subject: to 'Subject field' or something. >> >> You could, but that would be silly. I know you're aware of it so you >> may wish to reread the RFC section on Subjects in newsgroups. > > Funny that you should mention that, since the RFC that applies only > states that if the message is submitted in response to another > message, the default subject should begin with "Re:". http://www.faqs.org/rfcs/rfc1855.html and http://www.rfc1855.net/ plus other repositories: Well, RFC 1855 actually mentions using "long", smileys, and flame tags and one or two other things, and then wraps it together with a "Mail should have a subject heading which reflects the content of the message.". I haven't really looked to see if 1855 has been superseded or not but my brief search didn't seem to indicate it had. OTOH I was wrong in saying the RFC spelled it out, it doesn't. However "OT" is recognized and even sort of specced by many in the same community and other places. So what I was remembering was support articles and not the specific writings in the RFCs. Actually too, unless I have a glitch, "re:" isn't found in the prose of RFC 1855. There is a proposal draft or two floating around but I didn't see any supersession notices. May I ask what RFC you are reading? Regards, Twayne > >> You're often about netiquette; I'm surprised you wouldn't wish to >> follow it. > > By the context it was clear enough ME was speaking hypothetically, > though it might have been clearer had he said, "I could change the > Subject: to 'Foo'."
From tmcgraw at spamcop.net Mon Jun 1 13:38:25 2009 From: tmcgraw at spamcop.net (Tim McGraw) Date: Mon Jun 1 13:40:04 2009 Subject: [Scspamcop] Re: Is this really from optusnet or is it another spammer trick? In-Reply-To: References: <4A219C3D.9020302@spamcop.net> Message-ID: Twayne wrote: > May I ask what RFC you are reading? RFC1036, "Standard for interchange of USENET messages." From nobody at devnull.spamcop.net Mon Jun 1 14:10:21 2009 From: nobody at devnull.spamcop.net (Twayne) Date: Mon Jun 1 14:15:03 2009 Subject: [Scspamcop] OT Re: Is this really from optusnet or is it another spammer trick? References: Message-ID: > Mike Easter wrote: >> Twayne wrote: >>> Mike Easter wrote: >> >>>> I could change this Subject: to 'Subject field' or something. >>> >>> You could, but that would be silly. >> >> No it wouldn't be silly at all. The subject, which in this case is a >> bad one created by GH and which has been altered 'inappropriately' >> (not according to guidelines) by you, is not the topic we are >> discussing down here in the body. > Neglecting the irrelevance of your opinion of the validity of the OPs subject line, the OP set the subject for the thread. For those searching the SC archives, at Google or any of the several other places that collect the spamcop posts, it indicates what SHOULD be in the post. The Subject implies the content of the Body. When the content of the Body has no longer anything to do with the original post, the RFC indicates that it should be so indicated. " - Mail should have a subject heading which reflects the content of the message. " You drove off the road and I simply indicated that the content of MY post was off topic to the stated topic in the Subject line, which you also should have done. It's common sense and it's supported in any number of reputable sources. Anyone researching for information on the Subject thus knows that there is very likely nothing of any value to their search when the Subject includes an OT. 
It is a courtesy to future readers and to the OP too in that he may well choose to not bother reading it, looking for a response to his query when properly used. One could probably argue that perhaps "OT" belongs to the right of the Subject but that has its own inherent problems. >> >> What would be more appropriate would be if -1- GH had made a proper >> subject in the first place and then That is your opinion and is not your place to decide. I am talking about the overall case anyway, not just one e-mail. > -2- if you were going to change >> it, that you change it in the manner of 'newsubject' was: >> 'oldsubject' and then -3- if I were going to change it again to what >> we are really talking about, I would change it again and do it in the >> described fashion of 'was' again. In some circumstances, where it would make sense to improve the relationship of the Subject to the body for some reason, that works. But when there is no relevance at all to the OP's query "OT" is better, faster and clearer. I've only ever seen what you espouse on professional groups where this kind of a communication just wouldn't happen. However, had you done that, I'm sure the worst it could have drawn was comments to start a new thread for this particular conversation. Personally I would have considered it hijacking the thread but I would have said nothing for some reason I'm not even sure of at this moment. >> >>> I know you're aware of it so you >>> may wish to reread the RFC section on Subjects in newsgroups. >> >> No. I'm not aware of the rfc section on subjects. What is it that >> you want to say it sez? RFC 1855 Mail should have a *subject heading which reflects the content of the message. * Messages and articles should be brief and to the point. Don't wander off-topic, don't ramble and don't send mail or post messages solely to point out other people's errors in typing or spelling. These, more than any other behavior, mark you as an immature beginner.
- Mail should have a subject heading which reflects the content of the message. There's a lot more to 1855 and I suspect you're pulling my leg but it's easy enough for you to look up if you don't have it. Then, from other sources: http://email.about.com/od/netiquettetips/qt/et_ot_subject.htm > ... It is a good idea to mark messages that are a bit (or more) off-topic in the Subject: header already, so that people not interested can filter them to low-priority folders or ignore them altogether. Use "OT" in the Subject to Indicate Off-Topic Messages Usually, the keyword or acronym "OT" is used to indicate such messages: Put "OT: " (without quotes) in front of your message's subject. For example, a message might come with the subject: "OT: My cat loves spinach!" ... Not sure this isn't a mix of 2 quotes: Use "OT" in the Subject to Indicate Off-Topic Messages - About Email email etiquette · email subjects · netiquette ... More Tips. Netiquette Tips & Communication Skills Most Popular Email Tips All Email Tips ... http://email.about.com/od/netiquettetips/qt/et_ot_subject.htm ========== >> >>> All that >>> would do is confuse the issue for anyone looking for relevant >>> Subjects. >> >> I don't know what you mean by that. Confuse what issue for anyone >> doing what with subjects? IMO, you cannot find a discussion about >> something in a newsgroup (or in the pipermail archives) by searching >> on the subjects. You have to search for your terms in the whole body >> of the message. I don't find newsgroup subjects to be a very useful >> tool for searching at all, whether I'm using googleweb on pipermail >> or GG on usenet. But Mike, what you "find" and what people actually do are two different things. IME I've found that using subjects is often preferable to looking for body content because often the body content only mentions what I'm looking for in passing.
If I see an applicable subject line, then the content follows it 99% of the time unless it's all unmarked "OT" responses & flames. >> >>> You're often about netiquette; I'm surprised you wouldn't wish to >>> follow it. >> > ... Removed: Stuff I could not make feel relevant & thus have nothing > to reply to. I think you're implying that the OP's subject was incorrect is not relevant to any of this discussion, nor was it on-topic due to the way it was presented and where you directed that arm of the thread to go. Common sense netiquette would imply that if the OP's subject line could be improved, then such a suggestion might be a good one, and the OP would be able to do the "is" - "was" scenario. I don't plan to ride this into the ground with you because I know you love to rationalize and I don't find that productive. Rationalization can be a real wart on the ass of progress and never pushes anything forward. But if you wish to discuss the joys of smtp and all its glory, I might welcome it in a new thread. Regards, Twayne From nobody at devnull.spamcop.net Mon Jun 1 14:49:41 2009 From: nobody at devnull.spamcop.net (Twayne) Date: Mon Jun 1 14:50:04 2009 Subject: [Scspamcop] Re: Is this really from optusnet or is it another spammer trick? References: <4A219C3D.9020302@spamcop.net> Message-ID: Tim McGraw wrote: > Twayne wrote: >> May I ask what RFC you are reading? > > RFC1036, "Standard for interchange of USENET messages." Thanks! From nobody at spamcop.net Mon Jun 1 18:05:06 2009 From: nobody at spamcop.net (Bar0) Date: Mon Jun 1 18:10:03 2009 Subject: [Scspamcop] Re: OT Re: Is this really from optusnet or is it another spammer trick? References: Message-ID: "Charles" wrote in message news:Xns9C1D99D7FBD26TheShrubIsAnAss@216.154.195.61... > > Lastly and IMO, Mr. Hyde would appear to be the one most in need of help > with etiquette - he gets quite nasty! I keep waiting for Dr. Jekyll to post here, I would imagine him to be much more well mannered.
I guess he's been staying off his medz. From MikeE at ster.invalid Mon Jun 1 20:29:00 2009 From: MikeE at ster.invalid (Mike Easter) Date: Mon Jun 1 20:30:03 2009 Subject: [Scspamcop] Re: OT Re: Is this really from optusnet or is it another spammer trick? References: Message-ID: Bar0 wrote: > "Charles" >> Lastly and IMO, Mr. Hyde would appear to be the one most in need of >> help with etiquette - he gets quite nasty! > > I keep waiting for Dr. Jekyll to post here, I would imagine him to be > much more well mannered. I guess he's been staying off his medz. Last nite the Spencer Tracy, Ingrid Bergman, Lana Turner, Donald Crisp 1941 v. of RL Stevenson's classic was showing. Tracy didn't meet & costar with Kate until the following year. I'm reading a casting story that sez that originally Bergman was supposed to be the good girl and Turner the bad one, but Ingrid sed she was tired of being goodgirls and wanted to be the baddie, so they switched the casting around at her request. Naturally all that good/bad girl stuff wasn't even in the original story. -- Mike Easter kibitzer, not SC admin From gary-sc at invalid.com Mon Jun 1 21:51:11 2009 From: gary-sc at invalid.com (Gary) Date: Mon Jun 1 21:55:04 2009 Subject: [Scspamcop] Not sure why this did not process Message-ID: Hello, I'm not sure why this report was unable to be processed, http://www.spamcop.net/sc?id=z2961204421z1bbf2a5ab5b173061a2d381b5cd717c5z. It looks like everything needed is present. Thanks! From nobody at spamcop.net Mon Jun 1 22:12:35 2009 From: nobody at spamcop.net (bar0) Date: Mon Jun 1 22:15:04 2009 Subject: [Scspamcop] Re: OT Re: Is this really from optusnet or is it another spammer trick? References: Message-ID: "Mike Easter" wrote in message news:h01ro9$2v9$1@news.spamcop.net... > Bar0 wrote: >> "Charles" > >>> Lastly and IMO, Mr. Hyde would appear to be the one most in need of >>> help with etiquette - he gets quite nasty! >> >> I keep waiting for Dr. 
Jekyll to post here, I would imagine him to be >> much more well mannered. I guess he's been staying off his medz. ... > > Naturally all that good/bad girl stuff wasn't even in the original story. > I had no idea there were any girls except some kindly assistant cum nurse of Dr. Jekyll's. The details are rather vague after some 45 years. But I only remember the good/bad Doctor. From nobody at spamcop.net Mon Jun 1 22:18:11 2009 From: nobody at spamcop.net (bar0) Date: Mon Jun 1 22:20:03 2009 Subject: [Scspamcop] Re: Not sure why this did not process References: Message-ID: "Gary" wrote in message news:h020if$k34$1@news.spamcop.net... > Hello, > > I'm not sure why this report was unable to be processed, > http://www.spamcop.net/sc?id=z2961204421z1bbf2a5ab5b173061a2d381b5cd717c5z. > > It looks like everything needed is present. > > Thanks! You're mailhosted, and maybe giggle added some new mailservers or internal routing, that your mailhosting configuration doesn't allow for or recognize. From MikeE at ster.invalid Mon Jun 1 23:04:39 2009 From: MikeE at ster.invalid (Mike Easter) Date: Mon Jun 1 23:05:04 2009 Subject: [Scspamcop] Re: Not sure why this did not process References: Message-ID: Gary wrote: > I'm not sure why this report was unable to be processed, > http://www.spamcop.net/sc?id=z2961204421z1bbf2a5ab5b173061a2d381b5cd717c5z. As bar0 sed, it is a mailhost problem. SC sez "Add/edit your mailhost configuration" Also, IMO the directmail SharkVac marketer (appears to) believe/s that you subscribed for their email marketing. The mail is configured like a legitimate mailing list item ie straightup with all kinds of unsub features -- definitely canspam compliant. If you don't want any more of their mail, I predict that if you unsub it would stop.
-- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Tue Jun 2 02:06:02 2009 From: nobody at spamcop.net (Antispam Knight) Date: Tue Jun 2 02:10:03 2009 Subject: [Scspamcop] Carloan crap Message-ID: Anyone else getting clobbered with the non RFC compliant car loan crap? Got about 20 of 'em today. Who are these asshats? All the same format as http://www.spamcop.net/sc?id=z2961669596z5ae5544e36f8945f9bda8d14497314b1z AK From nobody at spamcop.net Tue Jun 2 13:29:17 2009 From: nobody at spamcop.net (Bar0) Date: Tue Jun 2 13:30:03 2009 Subject: [Scspamcop] Re: Carloan crap References: Message-ID: "Larry in AZ" wrote in message news:Xns9C1E419F76ED2thefrogprince@216.154.195.61... > Waiving the right to remain silent, "Antispam Knight" > said: > >> Anyone else getting clobbered with the non RFC compliant car loan crap? >> Got about 20 of 'em today. Who are these asshats? > > No, not here. Just the usual pillz, watches and college degrees... > > -- > Larry J. - Remove spamtrap in ALLCAPS to e-mail > > "A lack of common sense is now considered a disability, > with all the privileges that this entails." One that I received was English spam, but the web site was ostensibly a Russian carloan lender. I think mine was a joe against the lender. From nobody at spamcop.net Tue Jun 2 13:43:10 2009 From: nobody at spamcop.net (Antispam Knight) Date: Tue Jun 2 13:45:03 2009 Subject: [Scspamcop] Re: Carloan crap References: Message-ID: "Bar0" wrote in message news:h03nhf$74g$1@news.spamcop.net... > > "Larry in AZ" wrote in message > news:Xns9C1E419F76ED2thefrogprince@216.154.195.61... >> Waiving the right to remain silent, "Antispam Knight" >> >> said: >> >>> Anyone else getting clobbered with the non RFC compliant car loan crap? >>> Got about 20 of 'em today. Who are these asshats? >> >> No, not here. Just the usual pillz, watches and college degrees... >> >> -- >> Larry J. 
- Remove spamtrap in ALLCAPS to e-mail >> >> "A lack of common sense is now considered a disability, >> with all the privileges that this entails." > > One that I received was English spam, but the web site was ostensibly a > Russian carloan lender. I think mine was a joe against the lender. It's actually Estonian (mine is anyway). Spamvertised sites are: autopant.eu[193.46.236.34] (shut down by nano.lv) autopank.eu[193.46.236.34] autolaenuabi.com[193.46.236.34] AK From g.hyde at bigNOSPAMpond.net.au Tue Jun 2 20:06:51 2009 From: g.hyde at bigNOSPAMpond.net.au (Geoffrey Hyde) Date: Tue Jun 2 20:15:03 2009 Subject: [Scspamcop] Is anyone else getting reports that don't report the source IP correctly? Message-ID: SpamCop says in this report that the source doesn't report the IP address correctly: http://www.spamcop.net/sc?id=z2964625211zdb68a36bf4cb8dc97c9fa8b22b54409az SpamCop finds that the obviously noncompliant second Received: line is not parseable and says: virtua.com.br does not report source IP correctly Is anyone else getting similar reports? Cheers ... Geoffrey Hyde From tmcgraw at spamcop.net Tue Jun 2 22:56:05 2009 From: tmcgraw at spamcop.net (Tim McGraw) Date: Tue Jun 2 23:00:03 2009 Subject: [Scspamcop] Re: Is anyone else getting reports that don't report the source IP correctly? In-Reply-To: References: Message-ID: Geoffrey Hyde wrote: > SpamCop says in this report that the source doesn't report the IP address > correctly: > > http://www.spamcop.net/sc?id=z2964625211zdb68a36bf4cb8dc97c9fa8b22b54409az > > SpamCop finds that the obviously noncompliant second Received: line is not > parseable and says: > > virtua.com.br does not report source IP correctly ...and offers to send reports to virtuaATvirtua.com.br, which you elected to do. The "X does not report source IP correctly" has been seen before, and it is based on thousands if not millions of pieces of evidence which you or I are not privy to. You're trying to second guess the system. 
189.120.80.172 is the only IP# in both received lines, so it could not possibly be from anywhere else. And it belongs to virtua. Did you try anything at all before posting, like looking up that IP# on senderbase? From spamcop.5.nixnews at spamgourmet.com Wed Jun 3 06:12:49 2009 From: spamcop.5.nixnews at spamgourmet.com (Nic K. Mowe) Date: Wed Jun 3 06:15:02 2009 Subject: [Scspamcop] my email address not being 'munged' Message-ID: Recently I am receiving a lot of spam with my email address being used as the fake sender address. While in the reports I send, my email address is x-ed out when it is mentioned in the subject, my - faked - email address in the (SC-) reports I send remains in the clear. Question: Do I make things worse when I am sending these reports without manually 'munging' my address after being processed by SC? Nic From g.hyde at bigNOSPAMpond.net.au Wed Jun 3 07:35:17 2009 From: g.hyde at bigNOSPAMpond.net.au (Geoffrey Hyde) Date: Wed Jun 3 07:40:03 2009 Subject: [Scspamcop] Re: my email address not being 'munged' References: Message-ID: "Nic K. Mowe" wrote in message news:h05ib9$ffi$1@news.spamcop.net... > Recently I am receiving a lot of spam with my email address being used as > the fake sender address. While in the reports I send, my email address is > x-ed out when it is mentioned in the subject, my - faked - email address > in the (SC-) reports I send remains in the clear. > > Question: Do I make things worse when I am sending these reports without > manually 'munging' my address after being processed by SC? If I'm reading you correctly, you're saying the faked email address is the one that you've signed up for reporting spam via SpamCop with? If not, you need to either add that address as an alias or sign up under that email address if it's one you are using as a spamtrap address. The SpamCop FAQ on the site would have better information than I would, please read it and check what needs to be done.
The other thing is, if you have already sent a SpamCop report, it isn't actually possible to 'munge' the report address information, unless editing it before sending is possible if you're a paid reporter. If you're a free reporter, like me, you will not be able to munge your address if it is visible in the SpamCop report. Cheers ... Geoffrey Hyde From MikeE at ster.invalid Wed Jun 3 10:04:07 2009 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jun 3 10:05:03 2009 Subject: [Scspamcop] Re: my email address not being 'munged' References: Message-ID: Nic K. Mowe wrote: > Recently I am receiving a lot of spam with my email address being used > as the fake sender address. While in the reports I send, my email > address is x-ed out when it is mentioned in the subject, my - faked - > email address in the (SC-) reports I send remains in the clear. > > Question: Do I make things worse when I am sending these reports without > manually 'munging' my address after being processed by SC? Long answer based on considerations: SC has a standard munge which it performs which does not munge the From. It also does not munge any instances in which the recipient's address is 'encrypted' or obscured in some way. That is, it is always possible that a spam that you report will have your address in some way accessible to anyone who gets the SC report. If you really really care (as in 'paranoid') about that, SC provides the 'nonreport' type of condition called 'mole reporter'. For the simpler kind of obvious exposure of your email address, SC makes an exception to its rules about not making material changes to a spam to allow you to munge your address prior to submitting unless the recipient provider has requested no munged reports. Then, there's the issue of 'what is the significance' of your address being available to the provider who receives your report. Is that a good thing or a bad thing or a neither thing.
Do you believe that the provider recipient is going to somehow retaliate against your address if s/he has it? Do you believe that the provider recipient is going to cause your address to be listwashed? Is that listwashing good or bad for you as a reporter? Then the short answer to 'do I make things worse' is: It depends on your perspective; probably not. -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Wed Jun 3 16:14:40 2009 From: nobody at devnull.spamcop.net (Lou) Date: Wed Jun 3 16:15:03 2009 Subject: [Scspamcop] Re: my email address not being 'munged' In-Reply-To: References: Message-ID: Nic K. Mowe wrote, On 6/3/2009 4:12 AM: > > Question: Do I make things worse when I am sending these reports without > manually 'munging' my address after being processed by SC? > > Nic JMHO but I stopped munging my reports a year or so ago to no effect that I can tell. My thoughts were/are: 1. "they" already know who I am. The spammer is most likely not reading it anyway. 2. some ISPs don't want Munged reports. If they are whitehats then they get a report to use. If they are blackhats, see #1 above. 3. If they use the information to listwash my name I can then concentrate on the dumber spammers - pick the low hanging fruit as it were. The time they spend reading and removing my name slows them down. Why should I be the only one with a to do list? 4. If they do retaliate what is the result? I have lots of examples from them and all their bots to report. To mount an attack they expose themselves. 2 yrs ago I must have pissed off someone. I received 100s of identical emails a day for 2-3 days. It took a little longer to process my spam to SC. DOS no, effective no. There are bigger things to worry about. Lou From V at nguard.LH Thu Jun 4 00:00:13 2009 From: V at nguard.LH (VanguardLH) Date: Thu Jun 4 00:05:03 2009 Subject: [Scspamcop] Re: my email address not being 'munged' References: Message-ID: Nic K.
Mowe wrote: > Recently I am receiving a lot of spam with my email address being used as > the fake sender address. While in the reports I send, my email address is > x-ed out when it is mentioned in the subject, my - faked - email address in > the (SC-) reports I send remains in the clear. > > Question: Do I make things worse when I am sending these reports without > manually 'munging' my address after being processed by SC? > > Nic Why use a munged e-mail address (or why not become a mole where you don't send reports and just update the blacklist)? Think about it. If a spammer were to excite their mailing list with those recipients that have reported them to the blacklists, sending to those same recipients is guaranteed to put them back on the blacklists. However, from what I've read, spammers do not, in general, worry about blacklists. However, the main purpose of issuing the spam report is to update the blacklist, not to send out abuse reports which may not be heeded or they head into an automatic bit bucket upon delivery. If you are updating the blacklist then you should be using it. If the same spammer hits you again, they get reported again and this time the reenergized record results in a longer listing period. The spammer would end up sending spam to someone that is known, even by them (based on them finding out from the report you are worried that they can obtain), to report them to a blacklist. When they spam you again, you report them again and their listing lasts even longer this time on the blacklist. They spam you again and they're listed even longer (up to whatever maximum retention threshold is used by the blacklist). If you poked your finger into a woman's breast and got heartily slapped, and slapped twice the next time, and so on, how many times would you poke that breast again? You should consider reporting the abuse as a means of updating the blacklist. Issuing abuse reports is a side effect or secondary purpose.
If you don't want to issue any abuse reports (which can have dubious value regarding effectiveness), become a mole. I switched to being a mole for a while until I realized that I'd rather have the spammer touch me again so I could slap them again and harder next time. I don't remember how many years that I've been a reporter to SpamCop (and it often wanes for long periods because I don't get much spam to report) but I have not experienced any rise in received spam due to including everything in the abuse report sent out by SpamCop. From nobody at devnull.spamcop.net Thu Jun 4 23:24:25 2009 From: nobody at devnull.spamcop.net (Wazoo) Date: Thu Jun 4 23:25:04 2009 Subject: [Scspamcop] Re: my email address not being 'munged' References: Message-ID: "VanguardLH" wrote in message news:h07gs7$3rg$1@news.spamcop.net... > > Why use a munged e-mail address (or why not become a mole where > you > don't send reports and just update the blacklist)? What is Mole Reporting? http://forum.spamcop.net/scwik/MoleReporting Julian's own words from eons ago .."What's the use?" From jzeitlin at spamcop.net Fri Jun 5 11:50:34 2009 From: jzeitlin at spamcop.net (Eönwë) Date: Fri Jun 5 11:55:03 2009 Subject: [Scspamcop] So, the FTC is perhaps slow, but not TOTALLY ineffective... Message-ID: http://www.ftc.gov/opa/2009/06/3fn.shtm FTC Shuts Down Notorious Rogue Internet Service Provider, 3FN Service Specializes in Hosting Spam-Spewing Botnets, Phishing Web sites, Child Pornography, and Other Illegal, Malicious Web Content A rogue Internet Service Provider that recruits, knowingly hosts, and actively participates in the distribution of spam, child pornography, and other harmful electronic content has been shut down by a district court judge at the request of the Federal Trade Commission. The ISP's upstream providers and data centers have disconnected its servers from the Internet. more at the link... -- Eönwë
(SpamCop subscriber, not staff/admin) From bert at iphouse.com Fri Jun 5 13:40:43 2009 From: bert at iphouse.com (Bert Hyman) Date: Fri Jun 5 13:45:03 2009 Subject: [Scspamcop] Re: So, the FTC is perhaps slow, but not TOTALLY ineffective... References: Message-ID: In news:mffi25hom30hkduhp8954du08vvs9foad4@4ax.com Eönwë wrote: > more at the link... Now I want to know where to find "the darkest corners of the Internet." -- Bert Hyman St. Paul, MN bert@iphouse.com From bcs1 at spamcop.net Fri Jun 5 17:32:08 2009 From: bcs1 at spamcop.net (Bill) Date: Fri Jun 5 17:35:04 2009 Subject: [Scspamcop] Re: So, the FTC is perhaps slow, but not TOTALLY ineffective... References: Message-ID: "Eönwë" wrote in message news:mffi25hom30hkduhp8954du08vvs9foad4@4ax.com... > http://www.ftc.gov/opa/2009/06/3fn.shtm > > FTC Shuts Down Notorious Rogue Internet Service Provider, 3FN Service > Specializes in Hosting Spam-Spewing Botnets, Phishing Web sites, Child > Pornography, and Other Illegal, Malicious Web Content > > A rogue Internet Service Provider that recruits, knowingly hosts, > and actively participates in the distribution of spam, child > pornography, and other harmful electronic content has been shut > down by a district court judge at the request of the Federal > Trade Commission. The ISP's upstream providers and data centers > have disconnected its servers from the Internet. > > more at the link... > -- > Eönwë > (SpamCop subscriber, not staff/admin) We had that posted to our company emails today, I must admit that i was happy to see that, but, at the same time, the spammer friendly peeps have already moved some of their stuff off to other places From bcs1 at spamcop.net Fri Jun 5 17:45:38 2009 From: bcs1 at spamcop.net (Bill) Date: Fri Jun 5 17:50:02 2009 Subject: [Scspamcop] a bunch of blank spams? Message-ID: like 40+ the past day or so, all coming directly to my SC address... 
http://www.spamcop.net/sc?id=z2975517450z2c746c3e7cd0bb6e4e528423774e52b0z http://www.spamcop.net/sc?id=z2975517487z1e6eaea19b1621f18ffb9644fba6ec3dz http://www.spamcop.net/sc?id=z2975517561z5ec9977d11b1fc20fe7afd120a2293ccz http://www.spamcop.net/sc?id=z2975517651zf586e135f7f58b3bae7e3993d1aa6505z any ideas? or is it just malformed spam? From MikeE at ster.invalid Fri Jun 5 19:13:34 2009 From: MikeE at ster.invalid (Mike Easter) Date: Fri Jun 5 19:15:03 2009 Subject: [Scspamcop] Re: a bunch of blank spams? References: Message-ID: Bill wrote: Subject: a bunch of blank spams? > like 40+ the past day or so, all coming directly to my SC address... They aren't actually empty. Something somewhere on that end or this one 'smushed' the body up against the header - missing the empty line space that belongs between the two. That causes SC to interpret the body as being part of the header, so it can't see the body. > any ideas? > > or is it just malformed spam? Most likely malformed spam, but SC has come under suspicion in the past about handling some header 'variations' imperfectly. For example, SA spamassassin sez: X-Spam-Status: hits=12.6 tests=HELO_DYNAMIC_DHCP, MISSING_DATE, MISSING_HB_SEP, MISSING_HEADERS, MISSING_MID, MISSING_SUBJECT, RDNS_DYNAMIC, SARE_MONEYTERMS, URIBL_BLACK, URIBL_SBL version=3.2.4 I'm not familiar with all of those, but there isn't a missing date and missing mid and missing subject in the item that the parser was trying to parse. Those header elements were present and smushed into the body. So, SA and SC interpreted what they were seeing differently. SC saw all the headerlines but couldn't see the body as a distinct entity because the body was smushed into the headers according to what we see in the function 'View entire message' -- but SA didn't see all the headerlines for some reason which isn't clear. -- Mike Easter kibitzer, not SC admin From DLipman~nospam~ at Verizon.Net Fri Jun 5 19:53:05 2009 From: DLipman~nospam~ at Verizon.Net (David H. 
Lipman) Date: Fri Jun 5 19:55:03 2009 Subject: [Scspamcop] Re: So, the FTC is perhaps slow, but not TOTALLY ineffective... References: Message-ID: From: "Bert Hyman" | In news:mffi25hom30hkduhp8954du08vvs9foad4@4ax.com Eönwë | wrote: >> more at the link... | Now I want to know where to find "the darkest corners of the Internet." Research -- RBN -- Dave http://www.claymania.com/removal-trojan-adware.html Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp From g.hyde at bigNOSPAMpond.net.au Fri Jun 5 20:50:09 2009 From: g.hyde at bigNOSPAMpond.net.au (Geoffrey Hyde) Date: Fri Jun 5 20:55:03 2009 Subject: [Scspamcop] Re: So, the FTC is perhaps slow, but not TOTALLY ineffective... References: Message-ID: "Eönwë" wrote in message news:mffi25hom30hkduhp8954du08vvs9foad4@4ax.com... > http://www.ftc.gov/opa/2009/06/3fn.shtm > > FTC Shuts Down Notorious Rogue Internet Service Provider, 3FN Service > Specializes in Hosting Spam-Spewing Botnets, Phishing Web sites, Child > Pornography, and Other Illegal, Malicious Web Content > > A rogue Internet Service Provider that recruits, knowingly hosts, > and actively participates in the distribution of spam, child > pornography, and other harmful electronic content has been shut > down by a district court judge at the request of the Federal > Trade Commission. The ISP's upstream providers and data centers > have disconnected its servers from the Internet. Can anyone tell me what HTML the FTC broke on that page? I can't scroll down the page to view the content past the visible area on that site. They apparently used something that breaks scroll bars, and prevents them from appearing on that webpage. This means that there are only two ways for me to view the rest of the article: One is to highlight the text so that it is forced down by the highlighting code in IE. The other way is to use FireFox as it's not vulnerable to this HTML problem, and I can therefore use FF to view that webpage manually. Cheers ... 
Geoffrey Hyde

From MikeE at ster.invalid Fri Jun 5 21:27:49 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Jun 5 21:30:02 2009
Subject: [Scspamcop] Re: So, the FTC is perhaps slow, but not TOTALLY ineffective...

Geoffrey Hyde wrote:
> "Eönwë"
>> http://www.ftc.gov/opa/2009/06/3fn.shtm

> Can anyone tell me what HTML the FTC broke on that page? I can't scroll
> down the page to view the content past the visible area on that site.
> They apparently used something that breaks scroll bars, and prevents
> them from appearing on that webpage.

It is xhtml 1.0 transitional. It works OK in Opera & FF3. What is your browser?

> This means that there are only two ways for me to view the rest of the
> article: One is to highlight the text so that it is forced down by the
> highlighting code in IE.

Which IE version? I have an IE6sp1 in W98se which doesn't have a problem with the scrollbar.

> The other way is to use FireFox as it's not vulnerable to this HTML
> problem, and I can therefore use FF to view that webpage manually.

You can see all of the errors by taking the link to the w3 place http://validator.w3.org/

--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Sat Jun 6 00:40:18 2009
From: nobody at devnull.spamcop.net (Wazoo)
Date: Sat Jun 6 00:45:04 2009
Subject: [Scspamcop] Re: So, the FTC is perhaps slow, but not TOTALLY ineffective...

"Geoffrey Hyde" wrote in message news:h0cemq$f4v$1@news.spamcop.net...
>
> "Eönwë" wrote in message
> news:mffi25hom30hkduhp8954du08vvs9foad4@4ax.com...
>> http://www.ftc.gov/opa/2009/06/3fn.shtm
>>
>> FTC Shuts Down Notorious Rogue Internet Service Provider, 3FN
>> Service
>> Specializes in Hosting Spam-Spewing Botnets, Phishing Web sites,
>> Child
>> Pornography, and Other Illegal, Malicious Web Content
>
> Can anyone tell me what HTML the FTC broke on that page? I can't
> scroll down the page to view the content past the visible area on
> that site. They apparently used something that breaks scroll
> bars, and prevents them from appearing on that webpage.

Not really HTML 'directly' .. it's the .CSS involved. Specific code is found as;

.CSS files written to try to work around IE6 breakage for those trying to view with either IE6 or IE7 .. the problem is that IE8 contains yet more "fixes" that break other things. Try using the "compatibility" button.

From nobody at spamcop.net Sat Jun 6 01:19:49 2009
From: nobody at spamcop.net (Antispam Knight)
Date: Sat Jun 6 01:20:03 2009
Subject: [Scspamcop] Re: a bunch of blank spams?

"Mike Easter" wrote in message news:h0c8qn$6ik$1@news.spamcop.net...
> Bill wrote:
> Subject: a bunch of blank spams?
>> like 40+ the past day or so, all coming directly to my SC address...
>
> They aren't actually empty. Something somewhere on that end or this one
> 'smushed' the body up against the header - missing the empty line space
> that belongs between the two.
>
> That causes SC to interpret the body as being part of the header, so it
> can't see the body.
>
>> any ideas?
>>
>> or is it just malformed spam?
>
> Most likely malformed spam, but SC has come under suspicion in the past
> about handling some header 'variations' imperfectly.
>
> For example, SA spamassassin sez:
>
> X-Spam-Status: hits=12.6 tests=HELO_DYNAMIC_DHCP, MISSING_DATE,
> MISSING_HB_SEP, MISSING_HEADERS, MISSING_MID, MISSING_SUBJECT,
> RDNS_DYNAMIC, SARE_MONEYTERMS, URIBL_BLACK, URIBL_SBL version=3.2.4
>
> I'm not familiar with all of those, but there isn't a missing date and
> missing mid and missing subject in the item that the parser was trying to
> parse. Those header elements were present and smushed into the body.
>
> So, SA and SC interpreted what they were seeing differently.
> SC saw all
> the headerlines but couldn't see the body as a distinct entity because
> the body was smushed into the headers according to what we see in the
> function 'View entire message' -- but SA didn't see all the headerlines
> for some reason which isn't clear.
>
>
> --
> Mike Easter
> kibitzer, not SC admin

I am also getting beaucoup of these. This is one of those cases where it's ok to add a blank line and a note to the effect that there is no message in the spam, to get it to parse. I have probably reported 50 of these in the last few days.

The latest ones claim to be a joe job, but using the same open proxies/compromised machines to send!! It's not us using these open proxies. Really! We're being framed!

Lart 'em all. And lart abuse@nano.lv (offline, cuz spamcop won't lart 'em) if you're so inclined.

AK

From user at domain.invalid Sat Jun 6 01:27:40 2009
From: user at domain.invalid (Farelf)
Date: Sat Jun 6 01:30:03 2009
Subject: [Scspamcop] Re: a bunch of blank spams?

Mike Easter wrote:
> Bill wrote:
> Subject: a bunch of blank spams?
>> like 40+ the past day or so, all coming directly to my SC address...
>
> They aren't actually empty. Something somewhere on that end or this one
> 'smushed' the body up against the header - missing the empty line space
> that belongs between the two.
>
> That causes SC to interpret the body as being part of the header, so it
> can't see the body.
>
>> any ideas?
>>
>> or is it just malformed spam?
>
> Most likely malformed spam, but SC has come under suspicion in the past
> about handling some header 'variations' imperfectly.
>

Well, with 40+ a day you certainly wouldn't want to do this but the parser *can* handle those if you use the "Select outlook/eudora workaround form" option for webform submission:

http://www.spamcop.net/sc?id=z2976214767z45883f66cd37ee30dbda80827dd2af34z

That is certainly against the spirit of the (no) 'material changes' rule - another reason for not submitting reports derived that way, it is exactly the same as 'manually' inserting the 'missing' blank line delineator between header and body in my book since it requires reporter determination/splitting of the two parts. ...But as a diagnostic it clearly demonstrates the (never doubted) accuracy of Mike's analysis.

From user at invalid.dom Sat Jun 6 01:30:04 2009
From: user at invalid.dom (Claudio)
Date: Sat Jun 6 01:35:03 2009
Subject: [Scspamcop] Why can't SC find the abuse mailbox

Hello,

look here, please

http://members.spamcop.net/sc?action=showcmd;cmd=whois%2077.235.34.187%40whois.ripe.net

What I see in this page is:

abuse-mailbox: security@eurovps.com

However, when doing a report, I see

Tracking link: http://www.cuanto.cl/ [report history]
Resolves to 77.235.34.187
Display data:
"whois 77.235.34.187@whois.arin.net" (Getting contact from whois.arin.net )
Redirect to ripe
Display data:
"whois 77.235.34.187@whois.ripe.net" (Getting contact from whois.ripe.net)
Lookup is2102-ripe@whois.ripe.net
Display data:
"whois is2102-ripe@whois.ripe.net" (Getting contact from whois.ripe.net)
is2102-ripe =
Lookup vl1380-ripe@whois.ripe.net
Display data:
"whois vl1380-ripe@whois.ripe.net" (Getting contact from whois.ripe.net)
vl1380-ripe =
whois.ripe.net 77.235.34.187 (nothing found)
No reporting addresses found for 77.235.34.187, using devnull for tracking.

Hence I have to include the abuse mailbox by hand. Why can't SC discover the contact address?

Here's the tracking URL:

http://www.spamcop.net/sc?id=z2976196559z7109e8c256b0f888f28173db3e1c8440z

Thanks.

C.
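An added example for the "a bunch of blank spams?" thread above, written for this archive rather than taken from SpamCop, SpamAssassin or any poster: it shows the two ways a parser can split a message whose header block runs straight into the body. The strict split stops only at an empty line, which is what Mike describes SpamCop doing; the lenient split, which Python's own email parser also uses, ends the header block at the first line that is not a header field or a folded continuation and records the missing separator as a defect. The sample message is constructed, and restoring the blank line in it is exactly the "material change" Farelf's workaround amounts to.

```python
"""Added example for the 'a bunch of blank spams?' thread (not SpamCop's or
SpamAssassin's code): strict vs lenient header/body splitting of a message
that lacks the empty separator line."""
import email
import email.policy
import re

# RFC 5322 header field line ("Name: value") or folded continuation line.
HEADER_LINE = re.compile(r"^(?:[!-9;-~]+:|[ \t])")

# Constructed sample (not a real spam): the last header field is followed
# directly by body text, with no empty line in between.
SMUSHED = (
    "Received: from [192.0.2.10] by mx.example.net with SMTP;"
    " Fri, 5 Jun 2009 10:00:00 +0000\r\n"
    "From: someone@example.com\r\n"
    "Subject: hello\r\n"
    "Date: Fri, 5 Jun 2009 09:59:00 +0000\r\n"
    "Message-ID: <constructed-1@example.com>\r\n"
    "Buy cheap stuff now at http://www.example.com/\r\n"
    "regards\r\n"
)
# The same message with the separator restored (the workaround described
# in the thread amounts to inserting exactly this empty line).
WELL_FORMED = SMUSHED.replace(
    "Message-ID: <constructed-1@example.com>\r\n",
    "Message-ID: <constructed-1@example.com>\r\n\r\n",
)


def split_raw(raw):
    """Strict split: the header block ends only at the first empty line.
    Without one, every line counts as header and the body is empty, which
    is the behaviour Mike describes for SpamCop's 'View entire message'.
    Returns (header_lines, body_lines, separator_found)."""
    lines = raw.splitlines()
    for i, line in enumerate(lines):
        if line == "":
            return lines[:i], lines[i + 1:], True
    return lines, [], False


def diagnose(raw):
    """Lenient split: the header block ends at the first line that is neither
    a 'Name: value' field nor a folded continuation. A body line that happens
    to look like a field (e.g. 'Note:') would still be swallowed as a header,
    so this is a heuristic, not a repair."""
    lines = raw.splitlines()
    hdr_end, sep = len(lines), False
    for i, line in enumerate(lines):
        if line == "":
            hdr_end, sep = i, True
            break
        if not HEADER_LINE.match(line):
            hdr_end = i
            break
    names = {l.split(":", 1)[0].lower()
             for l in lines[:hdr_end] if l[:1] not in (" ", "\t")}
    return {
        "missing_hb_sep": not sep,
        "header_count": hdr_end,
        "body_line_count": len(lines) - hdr_end - (1 if sep else 0),
        "has_subject": "subject" in names,
        "has_message_id": "message-id" in names,
    }


def stdlib_defects(raw):
    """What Python's own lenient parser records for the same input: the
    missing separator is reported as a defect, the headers are still seen."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    body = msg.get_payload().splitlines()
    return {
        "defects": [type(d).__name__ for d in msg.defects],
        "subject": str(msg["subject"]),
        "first_body_line": body[0] if body else "",
    }


if __name__ == "__main__":
    for label, raw in (("smushed", SMUSHED), ("well-formed", WELL_FORMED)):
        print(label, split_raw(raw)[2], diagnose(raw), stdlib_defects(raw))
```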
From MikeE at ster.invalid Sat Jun 6 09:38:57 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Sat Jun 6 09:40:05 2009
Subject: [Scspamcop] Re: Why can't SC find the abuse mailbox

Claudio wrote:
Subject: Why can't SC find the abuse mailbox

... because SC doesn't know how to read..

abuse-mailbox: security@eurovps.com

... because SC is trained to find the admin/tech-c nic-hdl, in this case is2102-ripe &/or vl1380-ripe and then the 'e-mail:' field associated with that nic-hdl.

However, with or without the -B flag, ripe's database does not have such a field/value for either of those nic-hdl/s. It has their name, telno, address, a 'changed:' email, but no 'e-mail:' for either of them.

Also, eurovps.com failed to provide a contact address to abuse.net, but SC never gets to that part.

> What I see in this page is:
> abuse-mailbox: security@eurovps.com

But you are a human who knows how to read 'abuse-mailbox'. That is not part of SC's training.

SC also does not 'see' the line which is *not* associated with either tech/admin contact nic-hdl which sez e-mail: administration@eurovps.com

> Hence I have to include the abuse mailbox by hand. Why can't SC
> discover the contact address?
> Here's the tracking URL:
www.spamcop.net/sc?id=z2976196559z7109e8c256b0f888f28173db3e1c8440z

--
Mike Easter
kibitzer, not SC admin

From bcs1 at spamcop.net Tue Jun 9 13:19:19 2009
From: bcs1 at spamcop.net (Bill)
Date: Tue Jun 9 13:20:04 2009
Subject: [Scspamcop] Re: a bunch of blank spams?

"Farelf" wrote in message news:h0cunt$a22$1@news.spamcop.net...
> Mike Easter wrote:
>> Bill wrote:
>> Subject: a bunch of blank spams?
>>> like 40+ the past day or so, all coming directly to my SC address...
>>
>> They aren't actually empty. Something somewhere on that end or this one
>> 'smushed' the body up against the header - missing the empty line space
>> that belongs between the two.
>>
>> That causes SC to interpret the body as being part of the header, so it
>> can't see the body.
>>
>>> any ideas?
>>>
>>> or is it just malformed spam?
>>
>> Most likely malformed spam, but SC has come under suspicion in the past
>> about handling some header 'variations' imperfectly.
>>
>
> Well, with 40+ a day you certainly wouldn't want to do this but the parser
> *can* handle those if you use the "Select outlook/eudora workaround form"
> option for webform submission:
>
> http://www.spamcop.net/sc?id=z2976214767z45883f66cd37ee30dbda80827dd2af34z
>
> That is certainly against the spirit of the (no) 'material changes' rule -
> another reason for not submitting reports derived that way, it is exactly
> the same as 'manually' inserting the 'missing' blank line delineator
> between header and body in my book since it requires reporter
> determination/splitting of the two parts. ...But as a diagnostic it
> clearly demonstrates the (never doubted) accuracy of Mike's analysis.

agreed, besides, the one great thing about this is, when i look at them, the only way I see the spam at all is if i view the source, so aside from just highlighting and deleting them all at once in IMAP, the spammers have sort of shot themselves in the foot with this run... the only thing they are accomplishing here is using up traffic and box space...

just did another 50+ today...

w00t!!

Bill

From g.hyde at bigNOSPAMpond.net.au Tue Jun 9 19:46:33 2009
From: g.hyde at bigNOSPAMpond.net.au (Geoffrey Hyde)
Date: Tue Jun 9 19:50:03 2009
Subject: [Scspamcop] Is anyone else getting .jp spam which has no notify address?

http://www.spamcop.net/sc?id=z2990223542z6f8519d511b5167a949920bf36cfa38dz

SpamCop says it can't find a notify address for the source IP address in this spamitem.

Is it just me or is this some new spammer trick we're not yet aware of?

I've sent a copy of the parse along to the deputies in case they can figure out a notify address for the source.

Cheers ...
Geoffrey Hyde

From nobody at spamcop.net Tue Jun 9 21:00:22 2009
From: nobody at spamcop.net (bar0)
Date: Tue Jun 9 21:05:04 2009
Subject: [Scspamcop] Re: Is anyone else getting .jp spam which has no notify address?

"Geoffrey Hyde" wrote in message news:h0msen$nv0$1@news.spamcop.net...
> http://www.spamcop.net/sc?id=z2990223542z6f8519d511b5167a949920bf36cfa38dz
>
> SpamCop says it can't find a notify address for the source IP address in
> this spamitem.
>
> Is it just me or is this some new spammer trick we're not yet aware of?
>
> I've sent a copy of the parse along to the deputies in case they can
> figure out a notify address for the source.
>
> Cheers ...
>
> Geoffrey Hyde

No, but my favorite Korean spammer (fakes starch and pillz) has managed to get krnic to carve out an unallocated "allocation" for himself. It likewise has no reporting address.

From MikeE at ster.invalid Tue Jun 9 21:30:32 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Jun 9 21:35:03 2009
Subject: [Scspamcop] Re: Is anyone else getting .jp spam which has no notify address?

Geoffrey Hyde wrote:
www.spamcop.net/sc?id=z2990223542z6f8519d511b5167a949920bf36cfa38dz
>
> SpamCop says it can't find a notify address for the source IP address in
> this spamitem.

The nic.ad.jp db lacks colon punctuation for JP00010938 email

whois -h whois.nic.ad.jp 210.136.109.85 ...
a. [Network Number] 210.136.109.0/24
b. [Network Name] SUITE2-NET
m. [Administrative Contact] JP00010938
n. [Technical Contact] JP00010938

whois -h whois.nic.ad.jp jp00010938 ...
[E-Mail] suite@arena.ne.jp

whois -h whois.abuse.net arena.ne.jp ...
abuse@sphere.ad.jp (for arena.ne.jp)

SC doesn't like some syntax problems.

--
Mike Easter
kibitzer, not SC admin

From dritz at mindspring.com Tue Jun 9 21:54:50 2009
From: dritz at mindspring.com (David Ritz)
Date: Tue Jun 9 21:55:04 2009
Subject: [Scspamcop] Re: Is anyone else getting .jp spam which has no notify address?

On Tuesday, 09 June 2009 18:30 -0700, in article , Mike Easter wrote:

> Geoffrey Hyde wrote:
> www.spamcop.net/sc?id=z2990223542z6f8519d511b5167a949920bf36cfa38dz
> > SpamCop says it can't find a notify address for the source IP
> > address in this spamitem.
>
> The nic.ad.jp db lacks colon punctuation for JP00010938 email
> whois -h whois.nic.ad.jp 210.136.109.85 ...
> a. [Network Number] 210.136.109.0/24
> b. [Network Name] SUITE2-NET
> m. [Administrative Contact] JP00010938
> n. [Technical Contact] JP00010938
>
> whois -h whois.nic.ad.jp jp00010938 ...
> [E-Mail] suite@arena.ne.jp
>
> whois -h whois.abuse.net arena.ne.jp ...
> abuse@sphere.ad.jp (for arena.ne.jp)
>
> SC doesn't like some syntax problems.

dritz:~> whois -h whois.cyberabuse.org 210.136.109.85
% This is the CyberAbuse Whois v5.5

[ Informations about 210.136.109.85 ]

IP range : 210.136.109.0 - 210.136.109.255
Network name : SUITE2-NET
Infos : NTT PC Communications Incorporated
Country : Japan (JP)
Abuse E-mail : tech-contact@sphere.ad.jp
Source : JPNIC

% Copyright JPNIC
% See : http://jprs.jp/en/copyright.html
% The CyberAbuse Whois
% Copyright 2003-2008, Philippe Bourcier
% http://www.cyberabuse.org/whois/

dritz:~> whois -h whois.nic.ad.jp 210.136.0.0/16/e
[ JPNIC database provides information regarding IP address and ASN. Its use ]
[ is restricted to network administration purposes. For further information, ]
[ use 'whois -h whois.nic.ad.jp help'. To only display English output, ]
[ add '/e' at the end of command, e.g. 'whois -h whois.nic.ad.jp xxx/e'. ]

Network Information:
[Network Number] 210.136.0.0/16
[Network Name]
[Organization] NTT PC Communications Incorporated
[Administrative Contact] JP00041200
[Technical Contact] JP00041200
[Abuse] tech-contact@sphere.ad.jp
[Allocated Date] 1996/11/12
[Last Update] 2008/09/26 20:42:37(JST)

Less Specific Info.
----------
No match!!

More Specific Info.
----------
Too many matches. Narrower expression, please.

dritz:~> whois -b sphere.ad.jp
abuse@sphere.ad.jp (for sphere.ad.jp)

I'll note that c-67-184-7-116.hsd1.il.comcast.net [67.184.7.116] is the likely source of the spam.

--
David Ritz
Be kind to animals; kiss a shark.

From MikeE at ster.invalid Tue Jun 9 23:41:22 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Jun 9 23:45:03 2009
Subject: [Scspamcop] Re: Is anyone else getting .jp spam which has no notify address?

David Ritz wrote:

> I'll note that c-67-184-7-116.hsd1.il.comcast.net [67.184.7.116] is
> the likely source of the spam.

I agree that the .jp server apparently relayed it for the comcast. The parser is prone to 'aggressively' break chains for mailhosted accounts ie Geoffrey's.

The server doesn't relay promiscuously for the abuse.net open relay tester either at 210.136.109.85 or 210.153.15.2 both of which call themselves ps38.suite2.arena.ne.jp on their 250.

Often the parser will be able to correctly parse the same chain for a nonmailhosted account better/ less aggressive/ against breaking the chain than a mailhosted one, but not in this case.

If the same spam is parsed for a nonmailhosted account, the parser tries much harder to chain thru' the .jp server to the next line, but it can't get the job done (from the top line to the bottom line below) because the input handling name and 'by' stamp is different from the output name and rDNS IP.
The server answers and stamps with ps38.suite2.arena.ne.jp

Abbreviated Received tracelines

from tv-e.jp ([210.136.109.85]) by nschwingx06p.mx.bigpond.com
from unknown (HELO User) (67.184.7.116) by ps38.suite2.arena.ne.jp (210.136.109.85)

210.136.109.85 rDNS tv-e.jp also tv-e.jp DNS 210.136.109.85
but ps38.suite2.arena.ne.jp DNS 210.153.15.2

The human parser can work out those discrepancies.

--
Mike Easter
kibitzer, not SC admin

From user at domain.invalid Wed Jun 10 03:33:23 2009
From: user at domain.invalid (Farelf)
Date: Wed Jun 10 03:35:02 2009
Subject: [Scspamcop] Re: a bunch of blank spams?

Bill wrote:
> "Farelf" wrote in message
>
> just did another 50+ today...
> w00t!!
>
> Bill
>

Good man! I don't get spam anymore, even with my ISP's inwards filtering turned off :(. Apart from the occasional bank phish. Just as well, increasingly difficult to smuggle them past my ISP's outwards filtering, which I can't turn off. ISP apparently has no interest in exempting/whitelisting SC submissions (or bank 'hoax' addresses). I guess it's cheaper/simpler that way for him, already having spent a small fortune on some IronPort 'solution'. I must take up the cudgels again, sometime, run the gauntlet of feigned/real incomprehension. When I'm feeling strong.

From nobody at spamcop.net Wed Jun 10 13:19:50 2009
From: nobody at spamcop.net (Michael)
Date: Wed Jun 10 13:20:12 2009
Subject: [Scspamcop] Spammer Spams Spamlists; SC Urps on XLines
Message-ID: <4A2FEB36.69E65B84@spamcop.net>

http://www.spamcop.net/sc?id=z2992281932zb54eb86028fec322bd2fea2a612ab83ez

SC Parser didn't like the doublespaced X-Lines.

Spammy is spamvertising his spamlists of professionals.

Whois shows this for the contact domain:

Domain: datalistsource.com
Status: Active
DNS: ns1.contactpluscorp.com
     ns2.contactpluscorp.com
Created: 2009-04-29 03:40:40
Expires: 2010-04-29 03:40:40
Last Modified: 2009-04-29 03:22:46

Registrant Contact:
Med Sources Inc
Vern Paige (vernpaige@easy.com)
1300 Don Mills Road
North York, Ontario, ca M3B 2W6
P: +01.4163911681 F: +01.4163911681

Administrative Contact:
Med Sources Inc
Vern Paige (vernpaige@easy.com)
1300 Don Mills Road
North York, Ontario, ca M3B 2W6
P: +01.4163911681 F: +01.4163911681

Technical Contact:
Med Sources Inc
Vern Paige (vernpaige@easy.com)
1300 Don Mills Road
North York, Ontario, ca M3B 2W6
P: +01.4163911681 F: +01.4163911681

Billing Contact:
Med Sources Inc
Vern Paige (vernpaige@easy.com)
1300 Don Mills Road
North York, Ontario, ca M3B 2W6
P: +01.4163911681 F: +01.4163911681

===============
Michael

From bcs1 at spamcop.net Wed Jun 10 13:31:23 2009
From: bcs1 at spamcop.net (Bill)
Date: Wed Jun 10 13:35:12 2009
Subject: [Scspamcop] Re: Not sure why this did not process

"Mike Easter" wrote in message news:h024s4$1ot$1@news.spamcop.net...
> Gary wrote:
>
>> I'm not sure why this report was unable to be processed,
>>
> http://www.spamcop.net/sc?id=z2961204421z1bbf2a5ab5b173061a2d381b5cd717c5z.
>
> As bar0 sed, it is a mailhost problem. SC sez "Add/edit your mailhost
> configuration"
>
> Also, IMO the directmail SharkVac marketer (appears to) believe/s that
> you subscribed for their email marketing. The mail is configured like a
> legitimate mailing list item ie straightup with all kinds of unsub
> features -- definitely canspam compliant.
>
> If you don't want anymore of their mail, I predict that if you unsub it
> would stop.
>
>
> --
> Mike Easter
> kibitzer, not SC admin
>

here's one Mike,

419 scam from what I can tell...
http://www.spamcop.net/sc?id=z2992677217z66977cb0cb9253d44946feae4081344bz

came through my personal server, nothing changed, SC even lists my server in the chain, but then gives me the mailhost error...

wasn't sure whether to start a new thread or not, but since this one was already here I just added it

Bill

From nobody at devnull.spamcop.net Wed Jun 10 13:32:15 2009
From: nobody at devnull.spamcop.net (Giampaolo Tomassoni)
Date: Wed Jun 10 13:35:12 2009
Subject: [Scspamcop] Question about involvement of Italian ISP in Spam

Recently, I reported the following:

http://www.spamcop.net/sc?id=z2992553474z0f69bcfda72ff4fba7889d58c31b7bacz

According to the parser, in the cbmsrl.com domain the Aruba Italian ISP seems involved. However, I can't understand why, since neither the domain's whois record nor the whois one about that host address seems somehow to relate to Aruba.

Is there any reason?

I avoided reporting to Aruba anyway, because I suspect they're not involved.

Thanks,

Giampaolo

From tmcgraw at spamcop.net Wed Jun 10 16:14:46 2009
From: tmcgraw at spamcop.net (Tim McGraw)
Date: Wed Jun 10 16:15:04 2009
Subject: [Scspamcop] Re: Not sure why this did not process

Bill wrote:
> "Mike Easter" wrote in message
> news:h024s4$1ot$1@news.spamcop.net...
>> Gary wrote:
>>
>>> I'm not sure why this report was unable to be processed,
>>>
>> http://www.spamcop.net/sc?id=z2961204421z1bbf2a5ab5b173061a2d381b5cd717c5z.
>>
>> As bar0 sed, it is a mailhost problem. SC sez "Add/edit your mailhost
>> configuration"
>>
>> Also, IMO the directmail SharkVac marketer (appears to) believe/s that
>> you subscribed for their email marketing. The mail is configured like a
>> legitimate mailing list item ie straightup with all kinds of unsub
>> features -- definitely canspam compliant.
>>
>> If you don't want anymore of their mail, I predict that if you unsub it
>> would stop.
>
> here's one Mike,
>
> 419 scam from what I can tell...
>
> http://www.spamcop.net/sc?id=z2992677217z66977cb0cb9253d44946feae4081344bz
>
> came through my personal server, nothing changed, SC even lists my server
> in the chain, but then gives me the mailhost error...
>
> wasn't sure whether to start a new thread or not, but since this one was
> already here I just added it

It looks to me like the mail was POP'd for an address at bcs-bcs.com (69.147.228.100) which is Nobis Technology Group, your local ISP. Even though the parser says "You have failed to configure your own mail host, from which you pop mail" and that you should mailhost through wanadoo.fr, that Received line says mail was received from that server via SMTP, not POP.

One thing I've seen is that if an ISP begins with only one server, say sirius.foo.tld, and adds another server such as osirus.foo.tld, SC may not recognize it.

First I would DELETE your bcs-bcs.com mailhosting, then I would ADD it again. If that doesn't fix it then you should contact deputies.

From MikeE at ster.invalid Wed Jun 10 16:21:20 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Jun 10 16:25:03 2009
Subject: [Scspamcop] Re: Spammer Spams Spamlists; SC Urps on XLines
References: <4A2FEB36.69E65B84@spamcop.net>

Michael wrote:
www.spamcop.net/sc?id=z2992281932zb54eb86028fec322bd2fea2a612ab83ez

> SC Parser didn't like the doublespaced X-Lines.

... and how did it get to be that way? That is, how/ by what process/ did the item get into the parser?
--
Mike Easter
kibitzer, not SC admin

From tmcgraw at spamcop.net Wed Jun 10 16:30:16 2009
From: tmcgraw at spamcop.net (Tim McGraw)
Date: Wed Jun 10 16:35:04 2009
Subject: [Scspamcop] Re: Question about involvement of Italian ISP in Spam
Message-ID: <4A3017D8.4080006@spamcop.net>

Giampaolo Tomassoni wrote:
> Recently, I reported the following:
>
> http://www.spamcop.net/sc?id=z2992553474z0f69bcfda72ff4fba7889d58c31b7bacz
>
> According to the parser, in the cbmsrl.com domain the Aruba Italian ISP
> seems involved. However, I can't understand why, since neither the domain's
> whois record nor the whois one about that host address seems somehow to
> relate to Aruba.

www.cbmsrl.com is in the text part of this email so therefore was checked as a spamvertised link. According to descriptions online, C.B.M. SRL sells "new and used utensil machines and forklift trucks."

www.cbmsrl.com is hosted by wmgitalia.it. SC looks up wmgitalia.it at abuse.net:

http://www.abuse.net/lookup.phtml?domain=wmgitalia.it

abuse [at] aruba.it is on the list because it is the "owner" of ASN31034, the netblock where www.cbmsrl.com is being hosted.

There was apparently a large MS Word document attached (SC truncated it) with the filename "NEW STOCK JUNE." They also include their full address and phone number in the text portion of the mail and have a legitimate Reply-To address. This is not typical spammer behavior, and I couldn't find any evidence that cbmsrl.com engaged in spammy behavior. I would email the Reply-To "info" address and ask to be removed from their list.

From tmcgraw at spamcop.net Wed Jun 10 16:32:36 2009
From: tmcgraw at spamcop.net (Tim McGraw)
Date: Wed Jun 10 16:35:04 2009
Subject: [Scspamcop] Re: Spammer Spams Spamlists; SC Urps on XLines
In-Reply-To: <4A2FEB36.69E65B84@spamcop.net>
References: <4A2FEB36.69E65B84@spamcop.net>

Michael wrote:
> http://www.spamcop.net/sc?id=z2992281932zb54eb86028fec322bd2fea2a612ab83ez
>
> SC Parser didn't like the doublespaced X-Lines.

Not just X-Lines, ALL lines had an additional CR/LF. And those additional CR/LFs could not have been added by any email program.

From MikeE at ster.invalid Wed Jun 10 16:45:29 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Jun 10 16:50:04 2009
Subject: [Scspamcop] Re: Question about involvement of Italian ISP in Spam

Giampaolo Tomassoni wrote:
> Recently, I reported the following:
www.spamcop.net/sc?id=z2992553474z0f69bcfda72ff4fba7889d58c31b7bacz

mclink.it user > mclink.it server/mta x2 > edlui.it mailbox

parser sez the mclink server is the source, breaking the chain prematurely for your mailhosted account.

spambody consists of multipart text + html + MS word doc in b64.

> According to the parser, in the cbmsrl.com domain the Aruba Italian ISP
> seems involved.

I can't read the Italian and I'm too lazy to render the spam and Babelfish the .it contents into English. What does the intent of the spam content say about www.cbmsrl.com ? Superficially it looks like that is the spamvertiser. (to someone like me who can't read .it)

The item is sourced from mclink (an .it space) and spamvertising from widestore space, also .it space.

I don't know what you are saying about cbmsrl being Aruba. Even the domainname is registered .it

> Is there any reason?

You are referring to a lot of old cache information^1 about the numerous contacts (including an aruba) for cbmsrl which should be widestore. I refreshed that cache and it doesn't say that anymore

Now sez:
Re: http://www.cbmsrl.com/ (Administrator of network hosting website referenced in spam)

abuse@widestore.net
postmaster@widestore.net

^1 Re: http://www.cbmsrl.com/ (Administrator of network hosting website referenced in spam)

abuse@wmgitalia.it
abuse@aruba.it
abuse@widestore.net
postmaster@wmgitalia.it
friulinet@gmail.com
abuse@it.easynet.net
abuse@inwind.it
abuse.inwind#libero.it@devnull.spamcop.net
postmaster@iunet.it

--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Wed Jun 10 16:52:57 2009
From: nobody at devnull.spamcop.net (Giampaolo Tomassoni)
Date: Wed Jun 10 16:55:11 2009
Subject: [Scspamcop] Re: Question about involvement of Italian ISP in Spam
References: <4A3017D8.4080006@spamcop.net>

"Tim McGraw" wrote in message news:4A3017D8.4080006@spamcop.net...
> ...omitted
>
> abuse [at] aruba.it is on the list because it is the "owner" of ASN31034,
> the netblock where www.cbmsrl.com is being hosted.

Ah, that's it. I did look at whois and dns soa data, but didn't do it at ASNs.

> There was apparently a large MS Word document attached (SC truncated it)
> with the filename "NEW STOCK JUNE." They also include their full address
> and phone number in the text portion of the mail and have a legitimate
> Reply-To address. This is not typical spammer behavior, and I couldn't
> find any evidence that cbmsrl.com engaged in spammy behavior. I would
> email the Reply-To "info" address and ask to be removed from their list.

I have yet to identify a "typical spammer behavior", apart from the fact that more copies of the same message hit my server...

Thank you, Tim.
Giampaolo

From MikeE at ster.invalid Wed Jun 10 16:53:22 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Jun 10 16:55:11 2009
Subject: [Scspamcop] Re: Not sure why this did not process

Bill wrote:
www.spamcop.net/sc?id=z2992677217z66977cb0cb9253d44946feae4081344bz

That's a mailhosted parse and the parser is telling you that your/the mailhost isn't configured.

You don't want to be using a mailhosted account for your spam reports if any one of your mailservers isn't (currently and properly) configured. Sometimes they change and you need to start over with your mailhost configuration.

> came through my personal server, nothing changed, SC even lists my
> server in the chain, but then gives me the mailhost error...

Maybe something changed that you didn't detect.

> wasn't sure whether to start a new thread or not, but since this one
> was already here I just added it

IMO a new thread is/ would be/ better, because this 'topic'/issue is actually different.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Wed Jun 10 17:01:58 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Jun 10 17:05:04 2009
Subject: [Scspamcop] Re: Not sure why this did not process

Tim McGraw wrote:
> sirius.foo.tld, and adds another server such as osirus.foo.tld, SC may
> not recognize it.

If our foo.tld hostname examples are going to be based on Egyptian legends/myths and/or astronomy, then I'm going for the osiris spelling. :-)

--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Wed Jun 10 17:06:56 2009
From: nobody at devnull.spamcop.net (Giampaolo Tomassoni)
Date: Wed Jun 10 17:10:12 2009
Subject: [Scspamcop] Re: Question about involvement of Italian ISP in Spam

"Mike Easter" wrote in message news:h0p60t$l76$1@news.spamcop.net...
> Giampaolo Tomassoni wrote:
>> Recently, I reported the following:
>
> www.spamcop.net/sc?id=z2992553474z0f69bcfda72ff4fba7889d58c31b7bacz
>
> mclink.it user > mclink.it server/mta x2 > edlui.it mailbox
>
> parser sez the mclink server is the source, breaking the chain
> prematurely for your mailhosted account.
>
> spambody consists of multipart text + html + MS word doc in b64.
>
>> According to the parser, in the cbmsrl.com domain the Aruba Italian ISP
>> seems involved.
>
> I can't read the Italian and I'm too lazy to render the spam and
> Babelfish the .it contents into English. What does the intent of the
> spam content say about www.cbmsrl.com ? Superficially it looks like that
> is the spamvertiser. (to someone like me who can't read .it)

Right, Mike.

> The item is sourced from mclink (an .it space) and spamvertising from
> widestore space, also .it space.
>
> I don't know what you are saying about cbmsrl being Aruba. Even the
> domainname is registered .it

Oh, no, no. I probably wasn't clear enough: Aruba is a well-known ISP here in Italy. It is homed at aruba.it and it's Italian. The name comes from a slangish term which, in Arezzo (the Italian city from where the ISP operates), means more or less "sells like crazy" (apart from also being the name of a fiscal paradise).

I was meaning the SC parser was suggesting to file a copy of the report to some Aruba.IT mailbox, but I couldn't see a reason. Then Tim showed me why.

>> Is there any reason?
>
> You are referring to a lot of old cache information^1 about the numerous
> contacts (including an aruba) for cbmsrl which should be widestore. I
> refreshed that cache and it doesn't say that anymore
>
> Now sez:
> Re: http://www.cbmsrl.com/ (Administrator of network hosting website
> referenced in spam)
>
> abuse@widestore.net
> postmaster@widestore.net

Oh, fine. Thank you Mike.
Giampaolo > > > ^1 Re: http://www.cbmsrl.com/ (Administrator of network hosting website referenced in spam) > > abuse@wmgitalia.it > abuse@aruba.it > abuse@widestore.net > postmaster@wmgitalia.it > friulinet@gmail.com > abuse@it.easynet.net > abuse@inwind.it > abuse.inwind#libero.it@devnull.spamcop.net > postmaster@iunet.it > > > -- > Mike Easter > kibitzer, not SC admin > From nobody at spamcop.net Wed Jun 10 18:39:25 2009 From: nobody at spamcop.net (Bar0) Date: Wed Jun 10 18:40:12 2009 Subject: [Scspamcop] How does this phish collect it's data? Message-ID: I've had several PHISH lately where I can't divine the actual web or email destination of the phished data. All of these, aside from using PayPal and eBay images etc. refer to a http://www.swisstools.net/mailform.asp which I suspect is an abused site for formail scripts. So I imagine this quasi innocent site helps bring up a mailform generating an email from the sucker's own PC with the phished data, but where does it go? here's a tracker: http://www.spamcop.net/sc?id=z2993533705za0368a01462de0fcc2344a997920dc42z maybe someone else can grep something interesting out of the body of this turd. Swisstools has been used in spam I've seen for several weeks now, so, I imagine Aplus thinks they're innocent bystanders. From apartamento at jardim-camburi-vitoria.com Wed Jun 10 18:40:48 2009 From: apartamento at jardim-camburi-vitoria.com (apartamento jardim camburi) Date: Wed Jun 10 18:45:04 2009 Subject: [Scspamcop] Ligue agora mesmo 0xx27 3084-5709 vendo apartamento em jardim camburi , oportunidade de negocio apto 7200628181 Message-ID: 2-bedroom apartment with en-suite bathroom from 110,000. Great location. Near schools, bakeries and shops in general. 
Contact: Tel 0xx27 3084-5709 corretorimoveisjc@gmail.com corretorimoveisjc(at)gmail.com 3-bedroom apartments in Jardim Camburí; 3-bedroom apartments with en-suite in Jardim Camburí; 3-bedroom properties in Jardim Camburí; 3-bedroom apartment in Jardim Camburí; 3-bedroom house in Jardim Camburi; beachfront penthouse in Jardim Camburi; off-plan properties in Jardim Camburi. $AHjqfIdJ! From MikeE at ster.invalid Wed Jun 10 19:04:57 2009 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jun 10 19:10:03 2009 Subject: [Scspamcop] Re: How does this phish collect it's data? References: Message-ID: Bar0 wrote: > I've had several PHISH lately where I can't divine the actual web or > email destination of the phished data. > > All of these, aside from using PayPal and eBay images etc. refer to a > > http://www.swisstools.net/mailform.asp which I suspect is an abused > site for formail scripts. > > So I imagine this quasi innocent site helps bring up a mailform > generating an email from the sucker's own PC with the phished data, but > where does it go? > > here's a tracker: > www.spamcop.net/sc?id=z2993533705za0368a01462de0fcc2344a997920dc42z > > > maybe someone else can grep something interesting out of the body of > this turd. It doesn't work. The paypal phish looks like a paypal communication requesting info email, pp pass, CC info, card no, expir date, verification #, PIN and so forth. But the payload function is b0rken. The link you posted above gives an error message. If you go to the front page of the swisstools site, it is in .fr and you can use the googletranslation tools to navigate the site in .en It is too much trouble/long/ to describe the business/functions the site is in, you can start here^1 with a snurl to the googletranslator -- but it has to do with some swiss tools for your website which saves the websiteuser bandwidth for various functions. 
^1 http://snipr.com/jv5qv The site even has a mailform tool which is similar to the payload link, but with an extra directory in the path. > Swisstools has been used in spam I've seen for several weeks now, so, I > imagine Aplus thinks they're innocent bystanders. Maybe the site provider found out about the phishscam and shut down the site page's link into an error. -- Mike Easter kibitzer, not SC admin From bcs1 at spamcop.net Wed Jun 10 20:26:46 2009 From: bcs1 at spamcop.net (Bill) Date: Wed Jun 10 20:30:04 2009 Subject: [Scspamcop] Re: Not sure why this did not process References: Message-ID: "Tim McGraw" wrote in message news:h0p47q$e0j$1@news.spamcop.net... > > It looks to me like the mail was POP'd for an address at bcs-bcs.com > (69.147.228.100) which is Nobis Technology Group, your local ISP. Yes, bcs-bcs.com is correct. It's my server and Nobis (one of my employers) colos it for me in the datacenter. nslookup 69.147.228.100 ns server removed Name: nebula.bcs-bcs.com Address: 69.147.228.100 nslookup nebula.bcs-bcs.com ns server removed Non-authoritative answer: Name: nebula.bcs-bcs.com Address: 69.147.228.100 > > Even though the parser says "You have failed to configure your own mail > host, from which you pop mail" and that you should mailhost through > wanadoo.fr, that Received line says mail was received from that server via > SMTP, not POP. yeah, not sure why it would say that, and relaying through my server isn't allowed, so I'm not exactly sure why that comes up like that, fetchmail popped that from my server, the next logical course of action is for SC to see the wanado address and say "not associated with your mailhost, will not trust etc. etc." > > One thing I've seen is that if an ISP begins with only one server, say > sirius.foo.tld, and adds another server such as osirus.foo.tld, SC may not > recognize it. > > First I'd DELETE your bcs-bcs.com mailhosting, then I would ADD it again. > > If that doesn't fix it then you should contact deputies. 
Might have to do that since nothing has changed on my end... Thanks Bill From bcs1 at spamcop.net Wed Jun 10 20:41:30 2009 From: bcs1 at spamcop.net (Bill) Date: Wed Jun 10 20:45:05 2009 Subject: [Scspamcop] Re: Not sure why this did not process References: Message-ID: "Mike Easter" wrote in message news:h0p6fl$nvh$1@news.spamcop.net... > Bill wrote: > > www.spamcop.net/sc?id=z2992677217z66977cb0cb9253d44946feae4081344bz > > That's a mailhosted parse and the parser is telling you that your/the > mailhost isn't configured. You don't want to be using a mailhosted > account for your spam reports if any one of your mailservers isn't > (currently and properly) configured. Sometimes they change and you need > to start over with your mailhost configuration. > >> came through my personal server, nothing changed, SC even lists my >> server in the chain, but then gives me the mailhost error... > > Maybe something changed that you didn't detect. > >> wasn't sure whether to start a new thread or not, but since this one >> was already here I just added it > > IMO a new thread is/ would be/ better, because this 'topic'/issue is > actually different. > > > -- > Mike Easter > kibitzer, not SC admin > this test one works just fine though... http://www.spamcop.net/sc?id=z2993948135zae6f66f4e7764a8ceabf5aded5ed8dfez of course I canceled the report since it's all me LOL From nobody at devnull.spamcop.net Wed Jun 10 21:04:29 2009 From: nobody at devnull.spamcop.net (Patto) Date: Wed Jun 10 21:05:04 2009 Subject: [Scspamcop] Re: Ligue agora mesmo 0xx27 3084-5709 vendo apartamento em jardim camburi , oportunidade de negocio apto 7200628181 In-Reply-To: References: Message-ID: apartamento jardim camburi wrote: > [spam text removed] Reported to Gmail abuse desk. 
From nobody at spamcop.net Wed Jun 10 21:07:01 2009 From: nobody at spamcop.net (Steven Underwood) Date: Wed Jun 10 21:10:04 2009 Subject: [Scspamcop] Re: Spammer Spams Spamlists; SC Urps on XLines In-Reply-To: References: <4A2FEB36.69E65B84@spamcop.net> Message-ID: "Tim McGraw" wrote in message news:h0p598$h6f$2@news.spamcop.net... > Michael wrote: >> http://www.spamcop.net/sc?id=z2992281932zb54eb86028fec322bd2fea2a612ab83ez >> >> SC Parser didn't like the doublespaced X-Lines. > > Not just X-Lines, ALL lines had an additional CR/LF. > > And those additional CR/LFs could not have been added by any email > program. I had a version of Lotus Notes that did something similar when forwarding attachments. From MikeE at ster.invalid Wed Jun 10 21:17:43 2009 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jun 10 21:20:04 2009 Subject: [Scspamcop] Re: Not sure why this did not process References: Message-ID: Bill wrote: > "Mike Easter" >> Maybe something changed that you didn't detect. > this test one works just fine though... > www.spamcop.net/sc?id=z2993948135zae6f66f4e7764a8ceabf5aded5ed8dfez In that one, the cesmail stamped header isn't all junked up with garbage. This isn't the first time that I've observed the cesmail server to screw up headers. This will wrap terribly here, but this is what the first one you posted showed. 
Received: from bcs-bcs.com [69.147.228.100] by fetchmail.cesmail.net with POP3 (fetchmail-6.2.1) for x (single-drop); Wed, 10 Jun 2009 13:05:55 -0400 (EDT) * 2.3 DATE_IN_PAST_96_XX Date: is 96 hours or more before Received: date * 0.5 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL * [80.11.234.18 listed in zen.spamhaus.org] * 1.6 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address * [80.11.234.18 listed in dnsbl.sorbs.net] * 0.1 RDNS_DYNAMIC Delivered to trusted network by host with * dynamic-looking rDNS * 0.7 MSOE_MID_WRONG_CASE MSOE_MID_WRONG_CASE * 4.2 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook That crap doesn't belong in the 'by fetchmail.cesmail' stamp. It belongs somewhere else, and the parser apparently gagged on it. The parser is saying crazy things No unique hostname found for source: 80.11.234.18 SpamCop received mail from sending system 80.11.234.18 That IP 80.11.234.18 spamfilter crap is coming out of the 'by' field for cesmail and the parser is going nuts trying to digest it. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Wed Jun 10 21:28:47 2009 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jun 10 21:30:03 2009 Subject: [Scspamcop] Re: Not sure why this did not process References: Message-ID: Mike Easter wrote: > That IP 80.11.234.18 spamfilter crap is coming out of the 'by' field for > cesmail and the parser is going nuts trying to digest it. I remember back in the really old days when Julian used to lurk the newsgroups and he would be tinkering with the parser algos while we were discussing parser results. As a result the parse would change during a 'conversation'. In this case that wouldn't happen because the headers are screwed up and no parser tinkering is going to change that. Whatever went wrong (appeared to go) wrong at the cesmail intake MTA. Or, it is possible that that stamp was originally OK, and then something like the processing for SA broke the headers. 
-- Mike Easter kibitzer, not SC admin From DLipman~nospam~ at Verizon.Net Wed Jun 10 21:50:01 2009 From: DLipman~nospam~ at Verizon.Net (David H. Lipman) Date: Wed Jun 10 21:55:03 2009 Subject: [Scspamcop] Re: X-Library: Indy 9.00.10 -- spam References: Message-ID: From: "Patto" | apartamento jardim camburi wrote: >> [spam text removed] | Reported to Gmail abuse desk. Err, no... abuse@gvt.net.br -- Dave http://www.claymania.com/removal-trojan-adware.html Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp From tmcgraw at spamcop.net Wed Jun 10 21:52:01 2009 From: tmcgraw at spamcop.net (Tim McGraw) Date: Wed Jun 10 21:55:04 2009 Subject: [Scspamcop] Re: Spammer Spams Spamlists; SC Urps on XLines In-Reply-To: References: <4A2FEB36.69E65B84@spamcop.net> Message-ID: Steven Underwood wrote: > Tim McGraw wrote: >> Michael wrote: >>> SC Parser didn't like the doublespaced X-Lines. >> Not just X-Lines, ALL lines had an additional CR/LF. >> >> And those additional CR/LFs could not have been added by any email >> program. > I had a version of Lotus Notes that did something similar when > forwarding attachments. I suspect that might have been possible in the last millennium. From nobody at spamcop.net Wed Jun 10 22:35:03 2009 From: nobody at spamcop.net (Steven Underwood) Date: Wed Jun 10 22:35:04 2009 Subject: [Scspamcop] Re: Spammer Spams Spamlists; SC Urps on XLines In-Reply-To: References: <4A2FEB36.69E65B84@spamcop.net> Message-ID: "Tim McGraw" wrote in message news:h0po05$v30$1@news.spamcop.net... > Steven Underwood wrote: >> Tim McGraw wrote: >>> Michael wrote: >>>> SC Parser didn't like the doublespaced X-Lines. >>> Not just X-Lines, ALL lines had an additional CR/LF. >>> >>> And those additional CR/LFs could not have been added by any email >>> program. >> I had a version of Lotus Notes that did something similar when forwarding >> attachments. > > I suspect that might have been possible in the last millennium. This was 3 or 4 years ago. 
From user at domain.invalid Thu Jun 11 02:47:04 2009 From: user at domain.invalid (Farelf) Date: Thu Jun 11 02:50:02 2009 Subject: [Scspamcop] Re: Spammer Spams Spamlists; SC Urps on XLines In-Reply-To: References: <4A2FEB36.69E65B84@spamcop.net> Message-ID: Steven Underwood wrote: > > "Tim McGraw" wrote in message > news:h0p598$h6f$2@news.spamcop.net... >> Michael wrote: >>> http://www.spamcop.net/sc?id=z2992281932zb54eb86028fec322bd2fea2a612ab83ez >>> >>> >>> SC Parser didn't like the doublespaced X-Lines. >> >> Not just X-Lines, ALL lines had an additional CR/LF. >> >> And those additional CR/LFs could not have been added by any email >> program. > > I had a version of Lotus Notes that did something similar when > forwarding attachments. And Outlook used to do that sometimes - when the 'Outlook has removed additional line breaks' (which it apparently added in the first place) didn't work. That was with the 2003 version. From user at domain.invalid Thu Jun 11 03:29:16 2009 From: user at domain.invalid (Farelf) Date: Thu Jun 11 03:30:02 2009 Subject: [Scspamcop] Re: Spammer Spams Spamlists; SC Urps on XLines In-Reply-To: References: <4A2FEB36.69E65B84@spamcop.net> Message-ID: Farelf wrote: > > And Outlook used to do that sometimes - when the 'Outlook has removed > additional line breaks' (which it apparently added in the first place) > didn't work. That was with the 2003 version. But maybe that wasn't the headers as well (don't recall clearly enough). From Kevin_newsspam01 at devnull.invalid Thu Jun 11 04:23:59 2009 From: Kevin_newsspam01 at devnull.invalid (Kevin) Date: Thu Jun 11 04:40:03 2009 Subject: [Scspamcop] Re: X-Library: Indy 9.00.10 -- spam References: Message-ID: In message , David H. Lipman writes >From: "Patto" > >| apartamento jardim camburi wrote: >>> [spam text removed] > >| Reported to Gmail abuse desk. > >Err, no... 
> >abuse@gvt.net.br That's the [apparent] source and is worth reporting, but Gmail will [hopefully] shut down his contact address, invalidating all his efforts. -- Kevin From bcs1 at spamcop.net Thu Jun 11 07:57:34 2009 From: bcs1 at spamcop.net (Bill) Date: Thu Jun 11 08:00:04 2009 Subject: [Scspamcop] Re: Not sure why this did not process References: Message-ID: "Mike Easter" wrote in message news:h0pmkg$pum$1@news.spamcop.net... > Mike Easter wrote: > >> That IP 80.11.234.18 spamfilter crap is coming out of the 'by' field > for >> cesmail and the parser is going nuts trying to digest it. > > I remember back in the really old days when Julian used to lurk the > newsgroups and he would be tinkering with the parser algos while we were > discussing parser results. As a result the parse would change during a > 'conversation'. > > In this case that wouldn't happen because the headers are screwed up and > no parser tinkering is going to change that. Whatever went wrong > (appeared to go) wrong at the cesmail intake MTA. Or, it is possible > that that stamp was originally OK, and then something like the processing > for SA broke the headers. > HAHAHA!!! I do remember that a little... From tmcgraw at spamcop.net Thu Jun 11 11:26:15 2009 From: tmcgraw at spamcop.net (Tim McGraw) Date: Thu Jun 11 11:30:05 2009 Subject: [Scspamcop] Re: Spammer Spams Spamlists; SC Urps on XLines In-Reply-To: References: <4A2FEB36.69E65B84@spamcop.net> Message-ID: Farelf wrote: > Farelf wrote: >> And Outlook used to do that sometimes - when the 'Outlook has removed >> additional line breaks' (which it apparently added in the first place) >> didn't work. That was with the 2003 version. > But maybe that wasn't the headers as well (don't recall clearly enough). Yes... and even if S. Underwood's "version of Lotus Notes that did something similar when forwarding attachments" it wasn't clear if "something similar" was adding CR/LFs to headers. 
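The doubled-CR/LF problem this thread turns on (Tim McGraw: every line, headers included, had an extra CR/LF, and the SC parser choked on it), as an added example that is not code from SpamCop or from any poster here. It shows what an RFC 5322 parser makes of such a message, which is VanguardLH's point: the first blank line ends the header section, so everything after the first field becomes body. It then applies a conservative repair that only fires when every second line is empty. The sample message, its hostnames and addresses are constructed for the demonstration; only the standard library `email` parser is used.

```python
"""Added example (not code from SpamCop or from any poster here): what an
RFC 5322 parser makes of a message that arrived with an extra CR/LF after
every line, and a conservative repair. The sample message is constructed."""
import email


# Constructed sample, as it should have arrived (CRLF line endings).
CLEAN = (
    "Received: from mx.example.invalid [192.0.2.10] by in.example.invalid"
    " with ESMTP; Wed, 10 Jun 2009 13:05:55 -0400\r\n"
    "From: sender@example.invalid\r\n"
    "To: victim@example.invalid\r\n"
    "Subject: constructed sample\r\n"
    "X-Mailer: constructed\r\n"
    "\r\n"
    "body line one\r\n"
    "body line two\r\n"
)


def _lines(raw):
    """Split on CRLF and drop the empty element a trailing CRLF produces."""
    lines = raw.split("\r\n")
    if lines and lines[-1] == "":
        lines.pop()
    return lines


def double_space(raw):
    """Reproduce the damage: one extra CR/LF after every line, headers included."""
    return "".join(line + "\r\n\r\n" for line in _lines(raw))


def header_names(raw):
    """The header fields an RFC 5322 parser finds: it stops at the first blank line."""
    return list(email.message_from_string(raw).keys())


def body_text(raw):
    """The body an RFC 5322 parser assigns to raw (everything after the first blank line)."""
    return email.message_from_string(raw).get_payload()


def is_double_spaced(raw):
    """True only when every odd line is empty and some even line is not.
    A normal message fails this at its second header line, and a message whose
    body merely contains blank lines fails too, so the check stays conservative."""
    lines = _lines(raw)
    if len(lines) < 4 or len(lines) % 2:
        return False
    return (all(lines[i] == "" for i in range(1, len(lines), 2))
            and any(lines[i] != "" for i in range(0, len(lines), 2)))


def undouble(raw):
    """Keep the even lines, i.e. drop the blank inserted after each original line."""
    lines = _lines(raw)
    return "".join(lines[i] + "\r\n" for i in range(0, len(lines), 2))


def repair(raw):
    """Undouble only a message that is double-spaced throughout; leave anything else alone."""
    return undouble(raw) if is_double_spaced(raw) else raw


if __name__ == "__main__":
    damaged = double_space(CLEAN)
    print("as received:", header_names(damaged))   # only the first field survives
    print("after repair:", header_names(repair(damaged)))
```

The repair is deliberately all-or-nothing: a parser that silently skipped blank lines inside the header section would also accept header smuggling via the body, so the doubled layout is only undone when the whole message shows the pattern.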
From bcs1 at spamcop.net Thu Jun 11 12:05:25 2009 From: bcs1 at spamcop.net (Bill) Date: Thu Jun 11 12:10:03 2009 Subject: [Scspamcop] for the deputies i guess.. Message-ID: well, I'm confused. Posted this one in a thread named "Not sure why this didn't process" http://www.spamcop.net/sc?id=z2992677217z66977cb0cb9253d44946feae4081344bz discussed it with a couple of folks and the issue seems to have vanished, but now I got another one like that too... http://www.spamcop.net/sc?id=z2995550620z53b1edbfebf231262d74fc1287d3b715z says 2: Received: from bcs-bcs.com [69.147.228.100] by fetchmail.cesmail.net with POP3 (fetchmail-6.2.1) for x (single-drop) etc. etc., but then goes down again and says SpamCop received mail from sending system 83.8.253.139 how can fetchmail get it from bcs-bcs.com, and then SC say it got it from abxd139.neoplus.adsl.tpnet.pl at the same time? maybe I'm misreading something though Bill From tmcgraw at spamcop.net Thu Jun 11 12:10:56 2009 From: tmcgraw at spamcop.net (Tim McGraw) Date: Thu Jun 11 12:15:04 2009 Subject: [Scspamcop] Re: for the deputies i guess.. In-Reply-To: References: Message-ID: Bill wrote: > well, I'm confused. > > Posted this one in a thread named "Not sure why this didn't process" > http://www.spamcop.net/sc?id=z2992677217z66977cb0cb9253d44946feae4081344bz > > discussed it with a couple of folks and the issue seems to have vanished, > but now I got another one like that too... > > http://www.spamcop.net/sc?id=z2995550620z53b1edbfebf231262d74fc1287d3b715z > > says > 2: Received: from bcs-bcs.com [69.147.228.100] by fetchmail.cesmail.net with > POP3 (fetchmail-6.2.1) for x (single-drop) etc. etc., but then goes down > again and says > SpamCop received mail from sending system 83.8.253.139 > > how can fetchmail get it from bcs-bcs.com, and then SC say it got it from > abxd139.neoplus.adsl.tpnet.pl at the same time? > > maybe I'm misreading something though Did you try DELETING and then re-configuring your bcs-bcs.com mailhost(s)? 
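Bill's question above (fetchmail stamps "from bcs-bcs.com", yet SC names an outside IP as the sending system), as an added example that is not code from SpamCop, cesmail or any poster: a Received-chain walker run over a stamp built from the one Mike Easter quoted earlier in the "Not sure why this did not process" thread, with a subset of its SpamAssassin report lines folded into the stamp as continuation lines. The second hop, the trusted-host set, the exact placement of the SA lines and the stripping rule are assumptions for the demonstration, not a description of SpamCop's actual algorithm. Left in place, the SA lines put a second IP (80.11.234.18) inside a stamp whose from-clause names 69.147.228.100, which is exactly the kind of stamp a parser has to reject or clean before it can trust the chain.

```python
"""Added example (not code from SpamCop, cesmail or any poster here):
walk a Received: chain to find the source hop, and see what a
SpamAssassin report folded into one stamp does to that walk.
The first stamp is the one Mike Easter quoted; the second hop, the
trusted-host set and the folding of the SA lines into the stamp are
constructed assumptions for the demonstration."""
import re

# Constructed header block (CRLF line endings, folded continuation lines).
RAW = (
    "Received: from bcs-bcs.com [69.147.228.100] by fetchmail.cesmail.net with POP3\r\n"
    "\t(fetchmail-6.2.1) for x (single-drop); Wed, 10 Jun 2009 13:05:55 -0400 (EDT)\r\n"
    "\t* 2.3 DATE_IN_PAST_96_XX Date: is 96 hours or more before Received: date\r\n"
    "\t* 0.5 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL\r\n"
    "\t*      [80.11.234.18 listed in zen.spamhaus.org]\r\n"
    "\t* 1.6 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address\r\n"
    "\t*      [80.11.234.18 listed in dnsbl.sorbs.net]\r\n"
    "\t* 4.2 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook\r\n"
    "Received: from unknown [80.11.234.18] by bcs-bcs.com with ESMTP id 0123456789\r\n"
    "\tfor <x@bcs-bcs.com>; Wed, 10 Jun 2009 13:01:02 -0400 (EDT)\r\n"
    "Subject: *SPAM* constructed sample\r\n"
    "\r\n"
    "body\r\n"
)

# Hosts whose stamps the reporter vouches for (the "mailhosts"). Assumed.
TRUSTED = {"fetchmail.cesmail.net", "bcs-bcs.com"}

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# An SA report line ("* <score> <RULE> ...") or its "*   [ip listed in ...]" continuation.
SA_RULE_LINE = re.compile(r"^\s*\*\s+(?:-?\d+\.\d+\s+[A-Z][A-Z0-9_]*|\[)")


def split_headers(raw):
    """(name, [first line, folded continuation lines...]) per field, up to the blank line."""
    fields = []
    for line in raw.split("\r\n"):
        if line == "":
            break
        if line[:1] in " \t" and fields:
            fields[-1][1].append(line)
        else:
            name, _, rest = line.partition(":")
            fields.append((name.strip(), [rest.strip()]))
    return fields


def _token_after(clause, keyword):
    m = re.search(r"\b%s\s+(\S+)" % keyword, clause)
    return m.group(1) if m else None


def received_hops(raw, strip_sa_lines=True):
    """Parse each Received: field into from/by/with, the from-clause IP and every IP in the stamp."""
    hops = []
    for name, lines in split_headers(raw):
        if name.lower() != "received":
            continue
        foreign = [ln for ln in lines if SA_RULE_LINE.match(ln)]
        kept = [ln for ln in lines if ln not in foreign] if strip_sa_lines else lines
        value = " ".join(ln.strip() for ln in kept)      # unfold
        clause = value.split(";", 1)[0]                  # from/by/with/for, before the date
        from_ip = IPV4.search(clause.split(" by ", 1)[0])
        hops.append({
            "value": value,
            "from": _token_after(clause, "from"),
            "by": _token_after(clause, "by"),
            "with": _token_after(clause, "with"),
            "from_ip": from_ip.group(1) if from_ip else None,
            "ips": IPV4.findall(value),                  # loose IPs anywhere in the stamp
            "contaminated": bool(foreign),
        })
    return hops


def find_source(hops, trusted):
    """Top-down walk. The first stamp where a trusted host received from a host it does
    not run is the handoff from outside; its from-clause IP is the source. Stops with None
    at a stamp made by an untrusted 'by' host (an unconfigured mailhost breaks the chain).
    Only the from-clause IP is used, never loose IPs elsewhere in the stamp."""
    for hop in hops:
        if hop["by"] not in trusted:
            return None
        if hop["from"] not in trusted:
            return hop["from_ip"]
    return None


if __name__ == "__main__":
    for strip in (False, True):
        for h in received_hops(RAW, strip_sa_lines=strip):
            print("stripped" if strip else "as received", h["from"], "->", h["by"], h["ips"])
    print("source:", find_source(received_hops(RAW), TRUSTED))
```

Two things are worth noting. With the SA lines left in, the cesmail stamp carries three IPs, two of which have nothing to do with that hop; any extractor that takes "the last IP in the stamp" would blame 80.11.234.18 on cesmail's own receipt. And with only fetchmail.cesmail.net trusted, the walk stops at bcs-bcs.com and reports 69.147.228.100, which is the "mailhost isn't configured" outcome Mike described at the top of the other thread.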
From nobody at spamcop.net Thu Jun 11 12:18:15 2009 From: nobody at spamcop.net (Bar0) Date: Thu Jun 11 12:20:04 2009 Subject: [Scspamcop] Re: How does this phish collect it's data? References: Message-ID: "Mike Easter" wrote in message news:h0pe7k$qme$1@news.spamcop.net... > Bar0 wrote: >> I've had several PHISH lately where I can't divine the actual web or >> email destination of the phished data. . > > Maybe the site provider found out about the phishscam and shutdown > sitepage's link into an error. Thanks Mike, I had a look and the mailform has been moved into a members area, and a different subdirectory. I guess they were somewhat innocent BS's If these guys are as smart as they claim to be, they shouldn't have been leaving plainly abusable stuff around on the net.. From MikeE at ster.invalid Thu Jun 11 12:29:35 2009 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jun 11 12:30:03 2009 Subject: [Scspamcop] Re: for the deputies i guess.. References: Message-ID: Bill wrote: > well, I'm confused www.spamcop.net/sc?id=z2995550620z53b1edbfebf231262d74fc1287d3b715z I think that something you (your system or your mail provider bcs which precede cesmail/spamcop) are doing is causing the following effects on the headers of the spam mail which cesmail server receives: - something (some filter) is putting '*SPAM*' in front of the mail's subject - something (some filter) is wrongputting a whole bunch of headers which in this case look like: * 3.9 DATE_IN_FUTURE_96_XX Date: is 96 hours or more after Received: date * 2.9 MSGID_OUTLOOK_INVALID Message-Id is fake (in Outlook Express format) * 0.0 MIME_HTML_MOSTLY BODY: Multipart message mostly text/html MIME * 0.0 HTML_MESSAGE BODY: HTML included in message * 1.1 MPART_ALT_DIFF BODY: HTML and text parts are different * 1.5 HTML_IMAGE_ONLY_04 BODY: HTML: images with 0-400 bytes of words * 0.5 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL * [83.8.253.139 listed in zen.spamhaus.org] * 1.6 RCVD_IN_SORBS_DUL RBL: 
SORBS: sent directly from dynamic IP address * [83.8.253.139 listed in dnsbl.sorbs.net] ... which headers are affixed *ON TOP* of the headers which cesmail receives from your bcs-bcs.com server The result of those wrongly placed/ wrongly structured/ headers is that the cesmail server handles them wrongly. The result of the wrong handling of the wrongly placed headers is that the cesmail server integrates all that sh*t into the 'by' field which the cesmail header is stamping. The cesmail's header is supposed to (just) say: Received: from bcs-bcs.com [69.147.228.100] by fetchmail.cesmail.net with POP3 (fetchmail-6.2.1) for x (single-drop); Thu, 11 Jun 2009 06:49:15 -0400 (EDT) ... but instead it says that + all that other sh*t above. Then when the parser is processing the headers, it cannot digest all that stuff when it is simply trying to process the cesmail 'by' field -- so it barfs. -- Mike Easter kibitzer, not SC admin From bcs1 at spamcop.net Thu Jun 11 12:37:34 2009 From: bcs1 at spamcop.net (Bill) Date: Thu Jun 11 12:40:03 2009 Subject: [Scspamcop] Re: for the deputies i guess.. References: Message-ID: "Tim McGraw" wrote in message news:h0raam$t65$1@news.spamcop.net... > > Did you try DELETING and then re-configuring your bcs-bcs.com mailhost(s)? no, I did not as there have been many other emails and spams come through and parse just fine... Only these two are making SC go into spasms From bcs1 at spamcop.net Thu Jun 11 12:41:39 2009 From: bcs1 at spamcop.net (Bill) Date: Thu Jun 11 12:45:03 2009 Subject: [Scspamcop] Re: for the deputies i guess.. References: Message-ID: "Mike Easter" wrote in message news:h0rbdf$tv$1@news.spamcop.net... The cesmail's header is supposed to (just) say: > > Received: from bcs-bcs.com [69.147.228.100] by fetchmail.cesmail.net > with POP3 (fetchmail-6.2.1) for x (single-drop); Thu, 11 Jun 2009 > 06:49:15 -0400 (EDT) > > ... but instead it says that + all that other sh*t above. 
> > Then when the parser is processing the headers, it cannot digest all that > stuff when it is simply trying to process the cesmail 'by' field -- so it > barfs. > > damn, where's Julian when we need him LOL doubt he's lurking around here any more... LOL From MikeE at ster.invalid Thu Jun 11 12:57:31 2009 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jun 11 13:00:03 2009 Subject: [Scspamcop] Re: for the deputies i guess.. References: Message-ID: Mike Easter wrote: > Bill wrote: >> well, I'm confused > - something (some filter) is putting '*SPAM*' in front of the mail's > subject > - something (some filter) is wrongputting a whole bunch of headers > which in this case look like: Where is the filter which is changing the mailheaders? Is it being done by bcs? Can you turn that off? -- Mike Easter kibitzer, not SC admin From bcs1 at spamcop.net Thu Jun 11 13:10:10 2009 From: bcs1 at spamcop.net (Bill) Date: Thu Jun 11 13:15:03 2009 Subject: [Scspamcop] Re: for the deputies i guess.. References: Message-ID: "Mike Easter" wrote in message news:h0rd1r$3pd$1@news.spamcop.net... > Mike Easter wrote: >> Bill wrote: >>> well, I'm confused > >> - something (some filter) is putting '*SPAM*' in front of the mail's >> subject >> - something (some filter) is wrongputting a whole bunch of headers >> which in this case look like: > > Where is the filter which is changing the mailheaders? Is it being done > by bcs? Can you turn that off? > > > -- > Mike Easter > kibitzer, not SC admin > I can turn that off, it's SA, but i wouldn't think that it's what's causing this if it's only on 2 emails out of hundreds that have gone through the machine... it's off now.. 
Bill From nobody at spamcop.net Thu Jun 11 13:28:19 2009 From: nobody at spamcop.net (Steven Underwood) Date: Thu Jun 11 13:30:04 2009 Subject: [Scspamcop] Re: Spammer Spams Spamlists; SC Urps on XLines In-Reply-To: References: <4A2FEB36.69E65B84@spamcop.net> Message-ID: "Tim McGraw" wrote in message news:h0r7mt$mus$1@news.spamcop.net... > Farelf wrote: >> Farelf wrote: >>> And Outlook used to do that sometimes - when the 'Outlook has removed >>> additional line breaks' (which it apparently added in the first place) >>> didn't work. That was with the 2003 version. >> But maybe that wasn't the headers as well (don't recall clearly enough). > > Yes... and even if S. Underwood's "version of Lotus Notes that did > something similar when forwarding attachments" it wasn't clear if > "something similar" was adding CR/LFs to headers. What was happening is that CR/LF's were being added to every line of text (Windows notepad) documents when they were attached to outgoing messages. This was happening whether they were received by SpamCop, my own personal email account, or other mail systems. It was not noticed until I started trying to report spam received by that system. There was a server setting (MIME wrap length, I believe) that I needed to modify from the default to eliminate the issue. Basically, Notes was modifying the attachment as it was being sent through the SMTP process, but it was only being noticed in text files. From bcs1 at spamcop.net Thu Jun 11 13:28:32 2009 From: bcs1 at spamcop.net (Bill) Date: Thu Jun 11 13:30:05 2009 Subject: [Scspamcop] Re: How does this phish collect it's data? References: Message-ID: "Bar0" wrote in message news:h0pcmt$mi1$1@news.spamcop.net... > Swisstools has been used in spam I've seen for several weeks now, so, I > imagine Aplus thinks they're innocent bystanders. 
swisstools was used in a paypal spoof email too: i sent them the email fw: to spoof@ and said "here you go guys, another one" and part of the reply was "Hello BCS Computers, Thanks for forwarding that suspicious-looking email. You're right - it was a phishing attempt, and we're working on stopping the fraud. By reporting the problem, you've made a difference! " whether swisstools is really IB or not is tbd at this point I guess, but regardless, they should still have or be able to put a stop to that type usage of their services.. just mho Bill From MikeE at ster.invalid Thu Jun 11 13:30:10 2009 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jun 11 13:30:12 2009 Subject: [Scspamcop] Re: for the deputies i guess.. References: Message-ID: Bill wrote: > "Mike Easter" >> Where is the filter which is changing the mailheaders? Is it being >> done by bcs? Can you turn that off? > I can turn that off, it's SA, I'm not talking about the cesmail SA. At least I don't think I am. If cesmail's SA is screwing up its own headers there's a different problem than I'm imagining. I'm talking about some other filter that changes headers before they get to cesmail/spamcop. > but i wouldn't think that it's what's > causing this if it's only on 2 emails out of hundreds that have gone > through the machine... > > it's off now.. Can you provide a tracker to a previous spam which was so processed by both that filter - presumably on the bcs end stamping those headers (*SPAM* in subject) before cesmail gets it and which was parser processed and reported satisfactorily? -- Mike Easter kibitzer, not SC admin From V at nguard.LH Thu Jun 11 15:06:50 2009 From: V at nguard.LH (VanguardLH) Date: Thu Jun 11 15:10:04 2009 Subject: [Scspamcop] Re: Spammer Spams Spamlists; SC Urps on XLines References: <4A2FEB36.69E65B84@spamcop.net> Message-ID: Michael wrote: > http://www.spamcop.net/sc?id=z2992281932zb54eb86028fec322bd2fea2a612ab83ez > > SC Parser didn't like the doublespaced X-Lines. 
Since the first blank line is the delimiter between the header and body section, how did the spammer expect e-mail clients to handle that message? From DLipman~nospam~ at Verizon.Net Thu Jun 11 20:17:10 2009 From: DLipman~nospam~ at Verizon.Net (David H. Lipman) Date: Thu Jun 11 20:20:03 2009 Subject: [Scspamcop] Re: X-Library: Indy 9.00.10 -- spam References: Message-ID: From: "Kevin" | In message , David H. Lipman | writes >>From: "Patto" >>| apartamento jardim camburi wrote: >>>> [spam text removed] >>| Reported to Gmail abuse desk. >>Err, no... >>abuse@gvt.net.br | That the [apparent] source and is worth reporting, but Gmail will | [hopefully] shut down his contact address, invalidating all his efforts. | -- | Kevin Gmail is Google -- fat chance! -- Dave http://www.claymania.com/removal-trojan-adware.html Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp From dritz at mindspring.com Thu Jun 11 20:52:55 2009 From: dritz at mindspring.com (David Ritz) Date: Thu Jun 11 20:55:05 2009 Subject: [Scspamcop] Re: for the deputies i guess.. 
In-Reply-To: References: Message-ID:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thursday, 11 June 2009 13:10 -0400, in article <h0rdpj$6mg$1@news.spamcop.net>, Bill <bcs1@spamcop.net> wrote:

>  I can turn that off, it's SA, but i wouldn't think that it's what's 
> causing this if it's only on 2 emails out of hundreds that have gone 
> through the machine...

Bill,

I don't know what options are available to you, with respect to your 
SpamAssassin user configuration, normally located at 
~/.spamassassin/user_prefs.  Using "perldoc Mail::SpamAssassin::Conf" 
to read the documentaion, look for the BASIC MESSAGE TAGGING OPTIONS.

<perldoc Mail::SpamAssassin::Conf>
   report_safe ( 0 | 1 | 2 )     (default: 1)
       if this option is set to 1, if an incoming message is tagged as
       spam, instead of modifying the original message, SpamAssassin will
       create a new report message and attach the original message as a
       message/rfc822 MIME part (ensuring the original message is
       completely preserved, not easily opened, and easier to recover).

       If this option is set to 2, then original messages will be attached
       with a content type of text/plain instead of message/rfc822.  This
       setting may be required for safety reasons on certain broken mail
       clients that automatically load attachments without any action by
       the user.  This setting may also make it somewhat more difficult to
       extract or view the original message.

       If this option is set to 0, incoming spam is only modified by
       adding some "X−Spam−" headers and no changes will be made to the
       body.  In addition, a header named X−Spam‐Report will be added to
       spam.  You can use the remove_header option to remove that header
       after setting report_safe to 0.

       See report_safe_copy_headers if you want to copy headers from the
       original mail into tagged messages.
</perldoc Mail::SpamAssassin::Conf>

Looking at the headers at 
http://www.spamcop.net/sc?id=z2995550620z53b1edbfebf231262d74fc1287d3b715z;action=display,
it looks as though your .spamasssassin/user_prefs report_safe is set 
to 0.  This is what is adding all the extra material to your headers.

Were you to change this from 0 to 1, the original spam message would 
be retained, intact, without any additional added headers, as an 
RFC822 MIME part.  Forwarding that attachment to SC, rather the entire 
message with all of the the SA analysis and headers, is intended to be 
report_safe, ie. SpamCop friendly.

Please see 
<http:/dritz.mako.ath.cx/000d01c9eab1%24a5266e40%246400a8c0.txt>, as 
an example of a spam I processed, today.  Compare it to the version 
as it was submitted to SC, 
<http://www.spamcop.net/sc?id=z2997196596zb3bad392c5e3ad087131fdd897b274bfz;action=display>.  
Note that the submitted version is identical to the material contained 
in the "original message before SpamAssassin."

    Content-Type: message/rfc822; x-spam-type=original
    Content-Description: original message before SpamAssassin
    Content-Disposition: attachment
    Content-Transfer-Encoding: 8bit

I'll admit, I'm at something of an advantage, in that I'm running SA 
locally, in a Unix like, BSD (Darwin) environment.  I'll frequently 
submit twenty or more items to SC, as a single submission, each of 
which is an unique RFC822 part.  SC seems perfectly happy with this 
and parses the submissions without a hitch.

 From: SpamCop AutoResponder <spamcop@devnull.spamcop.net>
 To: [redacted]
 Date: Thu, 11 Jun 2009 15:21:25 GMT
 Subject: [SpamCop] has accepted 16 emails for processing
 
 SpamCop is now ready to process your spam.
 
 Use links to finish spam reporting (members use cookie-login please!):
 http://www.spamcop.net/sc?id=z2996057626z6ea205d6352607cedd194921c1087ff6z
 http://www.spamcop.net/sc?id=z2996057631zae5c84bd3e8ddb167c1da70f3a085826z
 http://www.spamcop.net/sc?id=z2996057640z1279ec79dff70e1590db0df47a23cb47z
 http://www.spamcop.net/sc?id=z2996057647z1a1be952129562d9dda38e7a7fa90e3cz
 http://www.spamcop.net/sc?id=z2996057649z3bdc76b23a94df49c6ea0294545e4245z
 http://www.spamcop.net/sc?id=z2996057651za55d59e87cf8f6076f5aa3787178f171z
 http://www.spamcop.net/sc?id=z2996057653z1ce931b48ea23939a6e0390a688ac5caz
 http://www.spamcop.net/sc?id=z2996057654z34f51957449a5fe00df2cb2d1dca8143z
 http://www.spamcop.net/sc?id=z2996057657z364c7fd92ac899ac73fb67f917f68507z
 http://www.spamcop.net/sc?id=z2996057663zaa91b9880ce354f73ec66aa881cc2800z
 http://www.spamcop.net/sc?id=z2996057669zfbde7f23478569245ef384d31331c059z
 http://www.spamcop.net/sc?id=z2996057674z6707903f638371ae461f5e6f7c759e0fz
 http://www.spamcop.net/sc?id=z2996057687ze41cf609fba145e71096b89759705235z
 http://www.spamcop.net/sc?id=z2996057696za6812f747814b3a04199df13c3f34235z
 http://www.spamcop.net/sc?id=z2996057699z47e780bcab23b92fc897b1c48defad23z
 http://www.spamcop.net/sc?id=z2996057702z6cbcdd5299350296026f7f6810af5dbdz

- -- 
David Ritz <dritz@mindspring.com>
 Be kind to animals; kiss a shark.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (Darwin)
Comment: Public Keys: <http://dritz.home.mindspring.com/keys.txt>

iEYEARECAAYFAkoxpucACgkQUrwpmRoS3utOggCgjkkU1rUjTixUVE7lv+IUNWLt
3t0AoOUWY7eR+TdrUYsSCpprsazOmw8M
=AWF6
-----END PGP SIGNATURE-----
From nobody at devnull.spamcop.net Thu Jun 11 22:59:13 2009 From: nobody at devnull.spamcop.net (Patto) Date: Thu Jun 11 23:00:04 2009 Subject: [Scspamcop] Re: X-Library: Indy 9.00.10 -- spam In-Reply-To: References: Message-ID: David H. Lipman wrote: > From: "Kevin" > > | In message , David H. Lipman > | writes >>> From: "Patto" > >>> | apartamento jardim camburi wrote: >>>>> [spam text removed] > >>> | Reported to Gmail abuse desk. > >>> Err, no... > >>> abuse@gvt.net.br > > | That's the [apparent] source and is worth reporting, but Gmail will > | [hopefully] shut down his contact address, invalidating all his efforts. 
> > | -- > | Kevin > > Gmail is Google -- fat chance! Google is not Yahoo; if properly reported, Gmail addresses are usually shut down within hours. From DLipman~nospam~ at Verizon.Net Thu Jun 11 23:14:00 2009 From: DLipman~nospam~ at Verizon.Net (David H. Lipman) Date: Thu Jun 11 23:15:03 2009 Subject: [Scspamcop] Re: X-Library: Indy 9.00.10 -- spam References: Message-ID: From: "Patto" | David H. Lipman wrote: >> From: "Kevin" >> | In message , David H. Lipman >> | writes >>>> From: "Patto" >>>> | apartamento jardim camburi wrote: >>>>>> [spam text removed] >>>> | Reported to Gmail abuse desk. >>>> Err, no... >>>> abuse@gvt.net.br >> | That the [apparent] source and is worth reporting, but Gmail will >> | [hopefully] shut down his contact address, invalidating all his efforts. >> | -- >> | Kevin >> Gmail is Google -- fat chance! | Google is not Yahoo; if properly reported, Gmail addresses are usually | shut down within hours. The problem is Google Gmail service was NOT used in the spam. It is just an address within the spam. There was no abuse that Google could deal with. However the Indy based spam was generated from a Brazilian ISP account and they can kill that account. While I agree that the Gmail account is part of the overarching issue, Google didn't have an abuse issue to take action on. I also don't see how you think Google will take actions in hours. If they take action, it takes weeks to well over a month. Even with issues where all Google accounts are used. Example, Usenet spam of a Blogger.Com Blog spot, posted via Google Groups and created with a Gmail account. 
-- Dave http://www.claymania.com/removal-trojan-adware.html Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp From nobody at spamcop.net Fri Jun 12 14:13:38 2009 From: nobody at spamcop.net (RandallW) Date: Fri Jun 12 14:15:02 2009 Subject: [Scspamcop] CC copies to me, of network admins getting an infected computer cleaned Message-ID: I sent a spamcop report, which resulted in the admin/tech people trying to track down the spam. I've gotten a few CC mails of the conversations going back and forth. Here's the first one CC'd to me. ================================== (deleted name), It looks like someone at your office may be spamming. I can not tell if this is a legitimate message or not, but we have gotten 2 SPAM complaints as a result. See below my signature for one of the reports. Thanks, -- (another deleted name) SupraNet Communications, Inc. ================================ 2nd CC mail: Hey D- Yeah one of our elderly engineers managed to get some kind of malware on his computer which added an Outlook rule that forwarded all of his emails to an account in the UK AND deleted the email in his inbox as well as his Sent Items folder, handily covering its tracks. Grrrr I am both pissed about it and impressed at how clever these guys are at finding ways around firewalls, antivirus programs, etc. I deleted the Outlook rule, but beyond that, his computer may also be spamming in general since his name shows up on the UK Lottery spam (x) I took his computer off the network until I can wipe it and reinstall the O/S, so I'm hoping that is the end of it, but I guess I'll have to wait and see if we turn up on any more black lists. Thanks for the warning! 
-K From borgholio at storymind.com Fri Jun 12 18:07:22 2009 From: borgholio at storymind.com (Borgholio) Date: Fri Jun 12 18:10:04 2009 Subject: [Scspamcop] Reports disabled, no reason given Message-ID: http://www.spamcop.net/sc?id=z3001011850zd67b4b2dc84ac73dd44203d7a35e5fd9z Reports for the spamsource and spamvertized urls are disabled, but no reason is given as to why. From dritz at mindspring.com Fri Jun 12 18:44:39 2009 From: dritz at mindspring.com (David Ritz) Date: Fri Jun 12 18:45:04 2009 Subject: [Scspamcop] Re: Reports disabled, no reason given In-Reply-To: References: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Friday, 12 June 2009 15:07 -0700, in article , Borgholio wrote: > http://www.spamcop.net/sc?id=z3001011850zd67b4b2dc84ac73dd44203d7a35e5fd9z > Reports for the spamsource and spamvertized urls are disabled, but no > reason is given as to why. I suspect that Constant Contact, a legitimate bulk mailer with a multitude of small customers, has received far too many spam complaints from individuals who use a "this is spam" button, or a SpamCop report, as an unsubscribe request. I have no way of knowing whether you subscribed to the CC list in question or not. In any case, you have a couple of choices: 1) Use the List-Unsubscribe information provided. It will be honored. 2) Send an abuse complaint to . It will be investigated. If your complaint is well founded, it will receive appropriate action. The last time I received an unsolicited mailing via CC, it came to an address variant which I've never used. It's deliverable and appears all too frequently in spam via purchased lists. This fact alone led to the immediate termination of the new customer in question. Keep in mind, Constant Contact is a legitimate mailer which caters to small clients. Most of their lists are well maintained. When a bad actor appears, they will not hesitate to terminate. - -- David Ritz Be kind to animals; kiss a shark. 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.11 (Darwin) Comment: Public Keys: iEYEARECAAYFAkoy2lgACgkQUrwpmRoS3usQyQCfXHiEOpQNNUrzv9OazZER6+zr ewcAoIy9j22dHxFrkC9LGqBb3XD66gl1 =5RiR -----END PGP SIGNATURE----- From tmcgraw at spamcop.net Fri Jun 12 18:49:19 2009 From: tmcgraw at spamcop.net (Tim McGraw) Date: Fri Jun 12 18:50:04 2009 Subject: [Scspamcop] Re: Reports disabled, no reason given In-Reply-To: References: Message-ID: Borgholio wrote: > http://www.spamcop.net/sc?id=z3001011850zd67b4b2dc84ac73dd44203d7a35e5fd9z > > Reports for the spamsource and spamvertized urls are disabled, but no > reason is given as to why. As mainstream "email marketing" list providers go, constant contact is as legit as they come. It's advertising a very legit concert in Santa Monica, "Trailer Music Live," and while that might be an excellent name for a house concert series at a trailer park, it's actually an orchestra playing the music used in movie trailers. The email was sent by Immediate Music of Santa Monica and is properly constructed for CAN-SPAM laws (which constant contact requires). Constant contact costs money, it is heavily vetted, true spammers are booted immediately. Sometimes, someone gets on a list they shouldn't be. If I were you I would unsub using the links in the email. That doesn't address your question though, and although reports are disabled it still counts against the SCBL. From borgholio at storymind.com Fri Jun 12 19:27:08 2009 From: borgholio at storymind.com (Borgholio) Date: Fri Jun 12 19:30:03 2009 Subject: [Scspamcop] Re: Reports disabled, no reason given In-Reply-To: References: Message-ID: Tim McGraw wrote: > > That doesn't address your question though, and although reports are > disabled it still counts against the SCBL. Well actually it does, thanks for all the input guys. I sent a manual report to their abuse email since I know I never signed up to their customer's list. 
From DeathToSpam at crazyhat.net Fri Jun 12 22:30:37 2009 From: DeathToSpam at crazyhat.net (DevilsPGD) Date: Fri Jun 12 22:35:02 2009 Subject: [Scspamcop] Re: Reports disabled, no reason given References: Message-ID: In message David Ritz was claimed to have wrote: >I suspect that Constant Contact, a legitimate bulk mailer with a >multitude of small customers, has received far too many spam >complaints from individuals who use a "this is spam" button, or a >SpamCop report, as an unsubscribe request. According to Constant Contact, they want the messages but SC won't send them, apparently SC wants to send them to an upstream, but fails to consider that CC is the upstream in this context (with the messages being sent by CC's customer) I don't know how true that is, but it's the story from CC's side. From tmcgraw at spamcop.net Fri Jun 12 23:44:24 2009 From: tmcgraw at spamcop.net (Tim McGraw) Date: Fri Jun 12 23:45:03 2009 Subject: [Scspamcop] Re: Reports disabled, no reason given In-Reply-To: References: Message-ID: DevilsPGD wrote: > David Ritz wrote: > >> I suspect that Constant Contact, a legitimate bulk mailer with a >> multitude of small customers, has received far too many spam >> complaints from individuals who use a "this is spam" button, or a >> SpamCop report, as an unsubscribe request. > According to Constant Contact, they want the messages but SC won't send > them, apparently SC wants to send them to an upstream, but fails to > consider that CC is the upstream in this context (with the messages > being sent by CC's customer) > > I don't know how true that is, but it's the story from CC's side. 
Spamcop sez it wants to send to them: > Reports routes for 208.75.122.11: > routeid:49937530 208.75.120.0 - 208.75.123.255 to:abuse@constantcontact.com > Administrator found from whois records http://www.spamcop.net/sc?action=showroute;ip=208.75.122.11;typecodes=17 The op's spam is the only spam to be reported from that IP# in the last 90 days, according to the "history" option. From MikeE at ster.invalid Sat Jun 13 05:01:35 2009 From: MikeE at ster.invalid (Mike Easter) Date: Sat Jun 13 05:05:03 2009 Subject: [Scspamcop] Re: Reports disabled, no reason given References: Message-ID: DevilsPGD wrote: > David Ritz >> I suspect that Constant Contact, a legitimate bulk mailer with a >> multitude of small customers, has received far too many spam >> complaints from individuals who use a "this is spam" button, or a >> SpamCop report, as an unsubscribe request. > > According to Constant Contact, they want the messages but SC won't send > them, apparently SC wants to send them to an upstream, but fails to > consider that CC is the upstream in this context (with the messages > being sent by CC's customer) > > I don't know how true that is, but it's the story from CC's side. The tracker sez the CC source IP... 208.75.123.133 listed in iadb.isipp.com ( 127.2.255.1 ) ... but that information is incomplete. ISIPP (itself) sez; 208.75.123.133 is in the IADB, and has the following entries: 127.0.0.1 - present 127.2.255.4 - Publishes rDNS 127.2.255.2 - Publishes Microsoft "Sender I.D." record 127.0.0.2 - present 127.2.255.1 - Publishes SPF record 127.3.100.7 - All mailing list mail is opt-in So, I would say that CC provides a service of mailing to the client, in this case the movie trailer music co and that ISIPP provides a mail accreditation service to CC to help them do that. 
All of that structure being geared toward separating the good guys in email marketing from the bad guys -- where the good guys are supposed to do everything right like opt-in and CANSPAM compliant and unsubbing and the structure is supposed to help them get their accredited email past some spam filters. ISIPP is an email deliverability/accreditation place that you pay to be listed and you are supposed to behave yourself. http://www.isipp.com/email-accreditation/ Which Email Accreditation or Reputation Service Should We Use? -- Mike Easter kibitzer, not SC admin From bcs1 at spamcop.net Sun Jun 14 11:18:34 2009 From: bcs1 at spamcop.net (Bill) Date: Sun Jun 14 11:20:04 2009 Subject: [Scspamcop] Re: for the deputies i guess.. References: Message-ID: "Mike Easter" wrote in message news:h0rev2$9l0$1@news.spamcop.net... > Can you provide a tracker to a previous spam which was so processed by > both that filter - presumably on the bcs end stamping those headers > (*SPAM* in subject) before cesmail gets it and which was parser processed > and reported satisfactorily? > > > -- > Mike Easter > kibitzer, not SC admin > yes, http://www.spamcop.net/sc?id=z3006864384z712f32a0b56a8dc2a1ac9c53f9a9a568z Thanks Bill From bcs1 at spamcop.net Sun Jun 14 11:24:13 2009 From: bcs1 at spamcop.net (Bill) Date: Sun Jun 14 11:25:03 2009 Subject: [Scspamcop] Re: for the deputies i guess.. References: Message-ID: "David Ritz" wrote in message news:alpine.OSX.2.00.0906111951020.86619@mako.ath.cx... > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On Thursday, 11 June 2009 13:10 -0400, in article > , Bill wrote: > >> I can turn that off, it's SA, but i wouldn't think that it's what's >> causing this if it's only on 2 emails out of hundreds that have gone >> through the machine... 
> > Bill, > > I don't know what options are available to you, with respect to your > SpamAssassin user configuration, normally located at Thanks David, I'll have to read up on that, probably the worst part of this whole issue is that i don't get the problem on every email, just "every so often" one will seem to muck up the works. I suspect it's got something to do with the way the spammers are creating their crap more so than with my system, but i might be wrong... also, in fighting spam, every bit of info one can get has to help right??? :) Bill From MikeE at ster.invalid Sun Jun 14 11:58:01 2009 From: MikeE at ster.invalid (Mike Easter) Date: Sun Jun 14 12:00:03 2009 Subject: [Scspamcop] Re: for the deputies i guess.. References: Message-ID: Bill wrote: >> Can you provide a tracker to a previous spam which was so processed by >> both that filter - presumably on the bcs end stamping those headers >> (*SPAM* in subject) before cesmail gets it and which was parser >> processed and reported satisfactorily? > yes, > www.spamcop.net/sc?id=z3006864384z712f32a0b56a8dc2a1ac9c53f9a9a568z That is still screwed up and this one definitely looks like it was the cesmail SA, rather than some SA that handled it before cesmail got it. To me, this looks like cesmail's SA piled all of those SA filter lines into the 'by' field for the cesmail MTA. In this example, that condition didn't gag the parser; maybe because there weren't quite as many filter lines. So the parser was able to gag down the 'misplaced' filter lines and proceed on to the traceline chaining business. Earlier I tho't that you had a SA on your bcs end that was causing this SA filterlines in the 'by' field problem. -- Mike Easter kibitzer, not SC admin From bcs1 at spamcop.net Mon Jun 15 08:01:39 2009 From: bcs1 at spamcop.net (Bill) Date: Mon Jun 15 08:05:03 2009 Subject: [Scspamcop] Re: for the deputies i guess.. References: Message-ID: "Mike Easter" wrote in message news:h136m6$r4c$1@news.spamcop.net... 
> > Earlier I tho't that you had a SA on your bcs end that was causing this > SA filterlines in the 'by' field problem. > well, i've shut off the SA on my box, so I guess as long as the stuff parses it'll be good I guess ;) maybe SA + SA = fail?? LOL Bill From dritz at mindspring.com Mon Jun 15 13:34:36 2009 From: dritz at mindspring.com (David Ritz) Date: Mon Jun 15 13:35:04 2009 Subject: [Scspamcop] Re: for the deputies i guess.. In-Reply-To: References: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Monday, 15 June 2009 08:01 -0400, in article , Bill wrote: > "Mike Easter" wrote in message > news:h136m6$r4c$1@news.spamcop.net... >> Earlier I tho't that you had a SA on your bcs end that was causing >> this SA filterlines in the 'by' field problem. > well, i've shut off the SA on my box, so I guess as long as the > stuff parses it'll be good I guess ;) Too bad. I find SpamAssassin to be an extremely useful tool. > maybe SA + SA = fail?? LOL Just for kicks, I changed the report_safe from 1 (yes) to 0 (no), in my ~/.spamassassin/user_prefs file. I submitted it to SC, without stripping the SA annotation: http://www.spamcop.net/sc?id=z3010865971zfca12e745e5992b11c6ed731efadffc9z While SC did not choke on the submission, the added headers brought the spam message's length from 2,488 characters, to 5,386. Whether one sets report_safe to 0, 1 or 2, you should still be able to use SpamAssassin to strip its own markup. Simply feed your raw messages, complete with the SpamAssassin X headers, through "spamassassin -d" dritz:~> spamassassin --help [...] -d, --remove-markup Remove spam reports from a message [...] - -- David Ritz Be kind to animals; kiss a shark. 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.11 (Darwin) Comment: Public Keys: iEYEARECAAYFAko2hjQACgkQUrwpmRoS3usmMQCfZKtbZonPU+3iIp9H386jnQ7N LBgAnR8etGmpWkBwib/53+Oz9IokL3T+ =QKeH -----END PGP SIGNATURE----- From MikeE at ster.invalid Mon Jun 15 14:17:03 2009 From: MikeE at ster.invalid (Mike Easter) Date: Mon Jun 15 14:20:03 2009 Subject: [Scspamcop] Re: for the deputies i guess.. References: Message-ID: David Ritz wrote: > Whether one sets report_safe to 0, 1 or 2, you should still be able to > use SpamAssassin to strip its own markup. Do you interpret this thread's Bill's trackers to indicate that it is the cesmail/spamcop SA which is stuffing the cesmail MTA 'by' field with SA filter feedback lines? I'm confused over whether the cesmail MTA or an earlier one at bcs is responsible for one or more tracker's noisy 'by' field seen here. If it is the cesmail SA, then that is a bad configuration which should be fixed by cesmail admin. -- Mike Easter kibitzer, not SC admin From dritz at mindspring.com Mon Jun 15 15:20:08 2009 From: dritz at mindspring.com (David Ritz) Date: Mon Jun 15 15:25:04 2009 Subject: [Scspamcop] Re: for the deputies i guess.. In-Reply-To: References: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Monday, 15 June 2009 11:17 -0700, in article , Mike Easter wrote: > David Ritz wrote: >> Whether one sets report_safe to 0, 1 or 2, you should still be able >> to use SpamAssassin to strip its own markup. > Do you interpret this thread's Bill's trackers to indicate that it > is the cesmail/spamcop SA which is stuffing the cesmail MTA 'by' > field with SA filter feedback lines? > I'm confused over whether the cesmail MTA or an earlier one at bcs > is responsible for one or more tracker's noisy 'by' field seen here. I'm sorry if I missed the point. I've looked at the headers in Bill's two failed submissions. 
http://www.spamcop.net/sc?id=z2992677217z66977cb0cb9253d44946feae4081344bz http://www.spamcop.net/sc?id=z2995550620z53b1edbfebf231262d74fc1287d3b715z I've compared them to the headers of my submission. http://www.spamcop.net/sc?id=z3010865971zfca12e745e5992b11c6ed731efadffc9z As you note, cesmail is including additional information in the "Received: from bcs-bcs.com" header, supposedly derived from SpamAssassin running on their fetchmail.cesmail.net box. Bill commented in : well, i've shut off the SA on my box, so I guess as long as the stuff parses it'll be good I guess ;) maybe SA + SA = fail?? LOL I'm not sure how to interpret this comment, as he appears to be saying he had been feeding his mail through a local copy of SA, after it has already been processed with SA by fetchmail.cesmail.net and an associated filter[0-9]+.cesmail.net box. He's right in suggesting that this may be the source of the problems he encounters on an occasional basis. > If it is the cesmail SA, then that is a bad configuration which > should be fixed by cesmail admin. I can't be certain, but it appears that Bill has set up his bcs-bcs.com account to forward to cesmail. Perhaps the source of the problem has to do with Bill's SC Mailhosts configuration, as both of the submissions in question state, "You have failed to configure your own mail host, from which you pop mail." Forwarded mail can lead to all kinds of unforeseen problems. If something has changed, at either of Bill's providers, this could lead SC to header parsing problems. Nonetheless, the additional information added to the Received header written by fetchmail.cesmail.net does not belong there. It belongs in a separate SA X-Spam-* header. This is, indeed, something which might best be addressed by a cesmail admin. - -- David Ritz Be kind to animals; kiss a shark. 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.11 (Darwin) Comment: Public Keys: iEYEARECAAYFAko2nugACgkQUrwpmRoS3uvaJACgvEzHj+EwB89whavDuoJO1fCK sQkAn391uxRKF8rZVLHPjK5pPCjbisgO =jQ3p -----END PGP SIGNATURE----- From nobody at nowhere.not Tue Jun 16 02:18:01 2009 From: nobody at nowhere.not (Robert Blair) Date: Tue Jun 16 02:20:04 2009 Subject: [Scspamcop] Re: for the deputies i guess.. References: Message-ID: On Mon, 15 Jun 2009 18:17:03 UTC, "Mike Easter" wrote: > Do you interpret this thread's Bill's trackers to indicate that it is the > cesmail/spamcop SA which is stuffing the cesmail MTA 'by' field with SA > filter feedback lines? The parsing of the emails works for David but not for Bill. Could this be the problem of Outlook moving header records around? Bill's message seems to have the "X-Spam-Report:" line removed. -- Robert Blair From bcs1 at spamcop.net Tue Jun 16 11:33:13 2009 From: bcs1 at spamcop.net (Bill) Date: Tue Jun 16 11:35:04 2009 Subject: [Scspamcop] Re: for the deputies i guess.. References: Message-ID: "David Ritz" wrote in message news:alpine.OSX.2.00.0906151337460.40367@mako.ath.cx... > Bill commented in : > > > well, i've shut off the SA on my box, so I guess as long as the stuff > parses it'll be good I guess ;) > > maybe SA + SA = fail?? LOL > > > I'm not sure how to interpret this comment, as he appears to be saying > he had been feeding his mail through a local copy of SA, after it has > already be processed with SA by fetchmail.cesmail.net and an > associated filter[0-9]+.cesmail.net box. He's right in suggesting > that this may be the source of the problems he encounters on an > occasional basis. > Hi David, My server has SA on it and SC "fetches" the emails from there the same as if i used my OE or outlook to pop the email down to my PC, so SA on my system does/did it's thing when the email arrived, then when SC went and got the email from my server, SC's SA evidently adds something to it as well, hence the SA + SA = fail? 
question/comment. :) I'm going to have to look at the stuff you sent me and when i get a chance i'll login to my server and see what I can break :) Bill From MikeE at ster.invalid Tue Jun 16 11:55:55 2009 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jun 16 12:00:09 2009 Subject: [Scspamcop] Re: for the deputies i guess.. References: Message-ID: Bill wrote: > My server has SA on it and SC "fetches" the emails from there the same > as if i used my OE or outlook to pop the email down to my PC, so SA on > my system does/did its thing when the email arrived, then when SC went > and got the email from my server, SC's SA evidently adds something to > it as well, hence the SA + SA = fail? question/comment. What I'm trying to figure out is which SA is responsible for putting its lines in the wrong place, the cesmail one or the bcs one. I should restate that; which SA is responsible for the lines which are getting put into the wrong place (by the cesmail server)? SA lines should not be a part of what is found in the header which contains the string 'by fetchmail.cesmail.net' -- Mike Easter kibitzer, not SC admin From bcs1 at spamcop.net Tue Jun 16 12:17:50 2009 From: bcs1 at spamcop.net (Bill) Date: Tue Jun 16 12:20:04 2009 Subject: [Scspamcop] Re: for the deputies i guess.. References: Message-ID: "Mike Easter" wrote in message news:h18fab$lb5$1@news.spamcop.net... > Bill wrote: > >> My server has SA on it and SC "fetches" the emails from there the same >> as if i used my OE or outlook to pop the email down to my PC, so SA on >> my system does/did its thing when the email arrived, then when SC went >> and got the email from my server, SC's SA evidently adds something to >> it as well, hence the SA + SA = fail? question/comment. > > What I'm trying to figure out is which SA is responsible for putting its > lines in the wrong place, the cesmail one or the bcs one. 
> I should > restate that; which SA is responsible for the lines which are getting > put into the wrong place (by the cesmail server)? > > SA lines should not be a part of what is found in the header which > contains the string 'by fetchmail.cesmail.net' > > > -- > Mike Easter > kibitzer, not SC admin > yeah, idk, I'm a bit lost on it too.. From MikeE at ster.invalid Tue Jun 16 14:16:20 2009 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jun 16 14:20:04 2009 Subject: [Scspamcop] Re: for the deputies i guess.. References: Message-ID: Bill wrote: > "Mike Easter" >> Bill wrote: >> >>> My server has SA on it and SC "fetches" the emails from there >> What I'm trying to figure out is... >> ... which SA is responsible for the lines which are getting >> put into the wrong place (by the cesmail server)? >> >> SA lines should not be a part of what is found in the header which >> contains the string 'by fetchmail.cesmail.net' > yeah, idk, I'm a bit lost on it too.. Let me elaborate some more: David Ritz: http://www.spamcop.net/sc?id=z3010865971zfca12e745e5992b11c6ed731efadffc9z This is a tracker involving SA lines which does not involve cesmail MTAs. SA (verbose) lines are found in header named X-Spam-Report: There are other xspam lines as well, but that DR tracker was not involving cesmail. Call that a DR SA. In two Bill bcs trackers: http://www.spamcop.net/sc?id=z2992677217z66977cb0cb9253d44946feae4081344bz http://www.spamcop.net/sc?id=z2995550620z53b1edbfebf231262d74fc1287d3b715z ... there can be found both/similar SA xspam lines, and also 2 X-SpamCop-* lines, one -Disposition and one -Checked. Naturally DR's headers do not contain the SC lines seen in Bill's, since the DR tracker didn't involve SC/cesmail filtering. 
Since the xspamcop lines for Bill's reflect that it was blocked based on SA, it seems/ I guess/ that we would have to assume that the SA lines were 'placed' by cesmail and further - or *BUT* - that the SA lines were placed in the cesmail line instead of properly in an xspamreport line as they should have been. Or, as is illustrated below, (perhaps) not placed in the headers at all. If I go to the forum and snoop on topics which involve mail accounts posting their trackers I see examples from 2009 Apr which show 3 xspam lines I interpret as being SA lines, and those are checkerversion, level, and status, but those 3 items have no *-report lines, which are the multiple lines reflecting which filters were used; in Bill's those -report lines are the misplaced ones in the fetchmail-cesmail 'by' field. forum samples 1-3 http://www.spamcop.net/sc?id=z2787948062zd7e0533d528c45be293eb290fbf5e15bz http://www.spamcop.net/sc?id=z2787949137z9bd6d60f0d01965db89bfda269c47c1fz http://www.spamcop.net/sc?id=z2787949407z4d41d58c552d51cbc82cd121d6e42842z Altho' I don't have enough material (yet) to draw a conclusion, based on the limited information that I have, I would say that it appears that the cesmail/SC SA does *not* stamp the numerous lines which appear in DR's SA example or in Bill's; instead the SCcesmail SA stamps a more limited summary in the -status line X-Spam-Status: hits=1.1 tests=FS_LARGE_PERCENT2,RDNS_DYNAMIC version=3.2.4 From this I have to conclude that Bill is (must be) - that is, Bill's bcs server - sending the cesmail server a bunch of SA lines, perhaps without any header at all, which the cesmail MTA is 'misinterpreting' as being part of 'something else' and so they end up by being misplaced in the fetchmail.cesmail MTA 'by' field. Bill sez that he has turned off SA on his end, but that does not appear to be the case in any trackers he has posted so far. 
-- Mike Easter kibitzer, not SC admin From dritz at mindspring.com Tue Jun 16 23:38:45 2009 From: dritz at mindspring.com (David Ritz) Date: Tue Jun 16 23:40:03 2009 Subject: [Scspamcop] Re: for the deputies i guess.. In-Reply-To: References: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Tuesday, 16 June 2009 11:16 -0700, in article , Mike Easter wrote: > From this I have to conclude that Bill is (must be) - that is, Bill's bcs > server - sending the cesmail server a bunch of SA lines, perhaps without > any header at all, which the cesmail MTA is 'misinterpreting' as being > part of 'something else' and so they end up by being misplaced in the > fetchmail.cesmail MTA 'by' field. The only instances of SpamAssassin identified in Bill's headers are running on filter[0-9]+.cesmail.net. All lines which match ^\t\* would normally be found in the X-Spam-Report header. How these specific headers have been transposed to the 'Received from bcs-bcs.com [69.147.228.100]\n\tby fetchmail.cesmail.net ...' header is a complete mystery. ======================================================================== It just doesn't add up: Looking at Bill's submission: http://www.spamcop.net/sc?id=z2995550620z53b1edbfebf231262d74fc1287d3b715z X-Spam-Status: hits=15.5 tests=DATE_IN_FUTURE_96_XX,EXTRA_MPART_TYPE, HTML_IMAGE_ONLY_04,HTML_MESSAGE,INVALID_DATE,MIME_HTML_MOSTLY,MPART_ALT_DIFF, MSGID_OUTLOOK_INVALID,MY_CID_AND_STYLE,RDNS_NONE,SUBJ_ALL_CAPS version=3.2.4 <...> X-SpamCop-Disposition: Blocked SpamAssassin=15 However, if one adds up the misplaced X-Spam-Report entries (^\t\*), they only total 11.5. While some of the tags in the X-Spam-Status match those in the misplaced X-Spam-Report entries, several are missing, apparently accounting for the scoring discrepancy. - -- David Ritz Be kind to animals; kiss a shark. 
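The check David describes above, finding ^\t\* report entries that have landed inside a Received: header and comparing their sum and rule names with X-Spam-Status, as an added Python example; this is not code from the thread or from SpamAssassin, and the sample messages, hostnames, ids, descriptions and scores are constructed (only the rule names come from Bill's X-Spam-Status):

```python
"""Check a raw message's SpamAssassin markup for the two symptoms discussed
in this thread: X-Spam-Report entries folded into a Received: header, and a
mismatch between those entries and the X-Spam-Status summary."""
import re
from email import message_from_string

# One X-Spam-Report entry looks like "\t*  1.5 RULE_NAME description".
ENTRY_RE = re.compile(r"^[ \t]*\*\s+(-?\d+(?:\.\d+)?)\s+([A-Z0-9_]+)", re.M)
# X-Spam-Status: [Yes|No,] hits=3.9 tests=A,B,C version=3.2.4
# (newer SpamAssassin releases write "score=" instead of "hits=").
STATUS_RE = re.compile(
    r"(?:hits|score)=(-?\d+(?:\.\d+)?).*?tests=(.*?)\s+version=", re.S)


def report_entries(header_value):
    """Return [(score, rule), ...] for every report entry in a header value.
    The default (compat32) parser keeps header folding, so each continuation
    line of a folded header is still its own line here."""
    return [(float(score), rule) for score, rule in ENTRY_RE.findall(header_value)]


def parse_status(status_value):
    """Parse an X-Spam-Status value into (hits, set of test names)."""
    match = STATUS_RE.search(status_value)
    if not match:
        return None, set()
    tests = re.sub(r"\s+", "", match.group(2)).split(",")
    return float(match.group(1)), {t for t in tests if t}


def analyze(raw_message):
    """Summarise where the report entries sit and whether they add up."""
    msg = message_from_string(raw_message)
    hits, tests = parse_status(msg.get("X-Spam-Status", ""))
    proper = report_entries(msg.get("X-Spam-Report", ""))
    # The symptom from Bill's trackers: "\t* ..." lines inside Received:.
    misplaced = []
    for received in msg.get_all("Received", []):
        misplaced.extend(report_entries(received))
    entries = proper + misplaced
    total = round(sum(score for score, _ in entries), 1)
    return {
        "status_hits": hits,
        "report_total": total,
        "misplaced_entries": len(misplaced),
        "missing_from_report": sorted(tests - {rule for _, rule in entries}),
        "consistent": hits is not None and abs(hits - total) < 0.05,
    }


# Constructed sample messages (not from the thread). MISPLACED_SAMPLE
# reproduces the symptom: the report lines sit inside the Received: header
# written by fetchmail.cesmail.net, and X-Spam-Status names a test
# (INVALID_DATE) that those lines do not cover, so the scores cannot add up.
MISPLACED_SAMPLE = "\n".join([
    "Received: from bcs-bcs.com [69.147.228.100]",
    "\tby fetchmail.cesmail.net with POP3 id 12345",
    "\t*  1.5 SUBJ_ALL_CAPS Subject is all capitals",
    "\t*  1.2 RDNS_NONE Delivered to trusted network by a host with no rDNS",
    "\t*  0.0 HTML_MESSAGE BODY: HTML included in message",
    "\t; Thu, 11 Jun 2009 13:10:00 -0400",
    "X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on filter8",
    "X-Spam-Level: ***",
    "X-Spam-Status: hits=3.9 tests=HTML_MESSAGE,INVALID_DATE,RDNS_NONE,",
    "\tSUBJ_ALL_CAPS version=3.2.4",
    "X-SpamCop-Disposition: Blocked SpamAssassin=3",
    "From: sender@example.invalid",
    "To: recipient@example.invalid",
    "Subject: ALL CAPS SUBJECT",
    "",
    "body",
])
# HEALTHY_SAMPLE carries the same verdict with the entries where they belong.
HEALTHY_SAMPLE = "\n".join([
    "Received: from mail.example.invalid [192.0.2.10]",
    "\tby mx.example.invalid with SMTP id 67890",
    "\t; Thu, 11 Jun 2009 13:10:00 -0400",
    "X-Spam-Status: hits=3.9 tests=HTML_MESSAGE,INVALID_DATE,RDNS_NONE,",
    "\tSUBJ_ALL_CAPS version=3.2.4",
    "X-Spam-Report:",
    "\t*  1.5 SUBJ_ALL_CAPS Subject is all capitals",
    "\t*  1.2 RDNS_NONE Delivered to trusted network by a host with no rDNS",
    "\t*  1.2 INVALID_DATE Invalid Date: header (not RFC 2822)",
    "\t*  0.0 HTML_MESSAGE BODY: HTML included in message",
    "From: sender@example.invalid",
    "To: recipient@example.invalid",
    "Subject: ALL CAPS SUBJECT",
    "",
    "body",
])

if __name__ == "__main__":
    for label, raw in (("misplaced", MISPLACED_SAMPLE), ("healthy", HEALTHY_SAMPLE)):
        print(label, analyze(raw))
```

Feed it a real submission and a non-empty misplaced_entries count, or a non-empty missing_from_report list, is the same discrepancy David found by hand in Bill's tracker.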
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (Darwin)
Comment: Public Keys:

iEYEARECAAYFAko4ZVsACgkQUrwpmRoS3usNOQCfdGCZnhysJixxyItOLeGp/gmU
gi4AoPTAnhmEZ/fHasadY5kYBJ7W4bP1
=uH5E
-----END PGP SIGNATURE-----

From MikeE at ster.invalid Wed Jun 17 07:41:33 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Jun 17 07:45:03 2009
Subject: [Scspamcop] Re: for the deputies i guess..
References:
Message-ID:

David Ritz wrote:
> Mike Easter
>> From this I have to conclude that Bill is (must be) - that is, Bill's
>> bcs server - sending the cesmail server a bunch of SA lines, perhaps
>> without any header at all, which the cesmail MTA is 'misinterpreting'
>> as being part of 'something else' and so they end up by being
>> misplaced in the fetchmail.cesmail MTA 'by' field.
>
> The only instances of SpamAssassin which are identified in Bill's headers
> are running on filter[0-9]+.cesmail.net.

It is my contention that Bill's tracker contains the following lines which are stamped by the cesmail/spamcop SA:

X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on filter8
X-Spam-Level: ***************
X-Spam-Status:
X-SpamCop-Checked:
X-SpamCop-Disposition: Blocked SpamAssassin=15

... and that Bill's tracker also contains SA lines which are not found in the SA lines in the examples I examined from the forum. Those 'discrepant' and verbose SA lines are the type which are seen in your tracker, but in your tracker those lines are held in this header:

X-Spam-Report:

The forum example of SA lines does not contain an X-Spam-Report section. Instead, all of the details of filter rules and scoring total are held in the X-Spam-Status section.

> All lines which match ^\t\* would normally be found in the
> X-Spam-Report header. How these specific headers have been transposed
> to the 'Received from bcs-bcs.com [69.147.228.100]\n\tby
> fetchmail.cesmail.net ...' header is a complete mystery.
I am hypothesizing that Bill's bcs sent them 'preloaded' in a form which caused the fetchmail to mishandle them.

> It just doesn't add up:

I agree with your scoring demonstration.

> However, if one adds up the misplaced X-Spam-Report entries (^\t\*),
> they only total 11.5. While some of the tags in the X-Spam-Status
> match those in the misplaced X-Spam-Report entries, several are
> missing, apparently accounting for the scoring discrepancy.

I believe that is caused by the fact that the X-Spam-Report-type entries did not come from the cesmail/SC SA process but came to the fetchmail MTA preloaded by Bill's bcs.

--
Mike Easter
kibitzer, not SC admin

From bcs1 at spamcop.net Wed Jun 17 10:46:24 2009
From: bcs1 at spamcop.net (Bill)
Date: Wed Jun 17 10:50:04 2009
Subject: [Scspamcop] Re: for the deputies i guess..
References:
Message-ID:

"Mike Easter" wrote in message news:h1akpd$aq4$1@news.spamcop.net...
>
> I believe that is caused by the fact that the X-Spam-Report-type entries
> did not come from the cesmail/SC SA process but came to the fetchmail MTA
> preloaded by Bill's bcs.
>
> --
> Mike Easter
> kibitzer, not SC admin
>

I'm going to let you guys hash this out because you are wayyyy over my head at the moment, but I was curious about one part of it...

"the fetchmail MTA preloaded by Bill's bcs."

Isn't fetchmail run on SC's servers?

Thanks
Bill

From MikeE at ster.invalid Wed Jun 17 11:38:45 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Jun 17 11:40:03 2009
Subject: [Scspamcop] Re: for the deputies i guess..
References:
Message-ID:

Bill wrote:
> "Mike Easter"
>> I believe that is caused by the fact that the X-Spam-Report-type
>> entries did not come from the cesmail/SC SA process but came to the
>> fetchmail MTA preloaded by Bill's bcs.

> I'm going to let you guys hash this out because you are wayyyy over my
> head at the moment, but I was curious about one part of it...
>
> "the fetchmail MTA preloaded by Bill's bcs."
>
> Isn't fetchmail run on SC's servers?

Yes.

My theory is that your bcs sticks a bunch of x-spam-report-type lines into its headers noncompliantly. When the fetchmail server sees those lines, it doesn't know how to handle them because they aren't configured with a proper headerfield such as x-spam-report. As a result, the cesmail fetchmail MTA stuffs them into its 'by' field after the normal 'by' stuff.

This is a medium to large problem, because when there are a lot of those lines/ that data/ the spamcop parser, which must digest the Received tracelines (but not SA lines), tries to digest that part of the traceline and barfs.

My theory is also that if you could stop that bcs part of the problem from happening, then the fetchmail wouldn't do that and the parser wouldn't barf.

--
Mike Easter
kibitzer, not SC admin

From bcs1 at spamcop.net Wed Jun 17 13:04:02 2009
From: bcs1 at spamcop.net (Bill)
Date: Wed Jun 17 13:05:04 2009
Subject: [Scspamcop] Re: for the deputies i guess..
References:
Message-ID:

"Mike Easter" wrote in message news:h1b2m4$80j$1@news.spamcop.net...
> Bill wrote:
>> "Mike Easter"
>
> My theory is also that if you could stop that bcs part of the problem
> from happening, then the fetchmail wouldn't do that and the parser
> wouldn't barf.
>

Well, I did turn it off in the panel, but I saw one today that came through with the tag in it. I think that the Plesk update may have re-enabled it, but I haven't gone to look yet because I'm doing my other work atm.

I did see this one though, went through ok, but has a lot of stuff in it
http://www.spamcop.net/sc?id=z3017843630zde122aa551cfe73afe37888b3dcdabaez

Bill

From bcs1 at spamcop.net Wed Jun 17 13:13:20 2009
From: bcs1 at spamcop.net (Bill)
Date: Wed Jun 17 13:15:03 2009
Subject: [Scspamcop] Re: for the deputies i guess..
References:
Message-ID:

"Mike Easter" wrote in message news:h1b2m4$80j$1@news.spamcop.net...

Here's another one too (tagged) that doesn't have all that crap..
next one in line after the one I just posted
http://www.spamcop.net/sc?id=z3017843639zff5d958a42a5963d1c8d42ee9747978az

and another
http://www.spamcop.net/sc?id=z3017843668z8fed7e3018caa904dfce7365c9c76b53z

and
http://www.spamcop.net/sc?id=z3017843678z088c383eb615102488873cb2d534169ez

all of which are tagged by SA on my system, but parsed fine

then there's this one (not tagged)
http://www.spamcop.net/sc?id=z3017843689z6391ca28f30564082dad64e8d278c34cz

so yeah IDK, I have 5 more in held mail at the moment, I'll try to see if any of them look goofy or not

well, scratch that, they are just more of the blank spams sent directly to SC
http://www.spamcop.net/sc?id=z3018284028z84dd791743a201755ad15114e4b0c67az

at least SC was able to catch part of that one..

Bill

From MikeE at ster.invalid Wed Jun 17 14:59:07 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Jun 17 15:00:03 2009
Subject: [Scspamcop] Re: for the deputies i guess..
References:
Message-ID:

Bill wrote:
> here's another one too (tagged) that doesn't have all that crap.. next
> one in line after the one I just posted

www.spamcop.net/sc?id=z3017843639zff5d958a42a5963d1c8d42ee9747978az normal
www.spamcop.net/sc?id=z3017843668z8fed7e3018caa904dfce7365c9c76b53z normal
www.spamcop.net/sc?id=z3017843678z088c383eb615102488873cb2d534169ez normal

> all of which are tagged by SA on my system, but parsed fine
> then there's this one (not tagged)

www.spamcop.net/sc?id=z3017843689z6391ca28f30564082dad64e8d278c34cz normal

> http://www.spamcop.net/sc?id=z3018284028z84dd791743a201755ad15114e4b0c67az
normal
> at least SC was able to catch part of that one..

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Wed Jun 17 14:59:15 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Jun 17 15:00:04 2009
Subject: [Scspamcop] Re: for the deputies i guess..
References:
Message-ID:

Bill wrote:
www.spamcop.net/sc?id=z3017843630zde122aa551cfe73afe37888b3dcdabaez bad

In this context 'bad' means that your bcs threw inappropriate x-spam-report SA lines at the fetchmail server, and 'normal' would mean that it did not; regardless of other features of the submission or the parse.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Wed Jun 17 16:22:53 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Jun 17 16:25:04 2009
Subject: [Scspamcop] Re: for the deputies i guess..
References:
Message-ID:

That was confusing. I'll try this again another way.

Bill wrote:
> "Mike Easter"
>> My theory is also that if you could stop that bcs part of the problem
>> from happening, then the fetchmail wouldn't do that and the parser
>> wouldn't barf.

> well I did turn it off in the panel, but I saw one today that came
> through with the tag in it, I think that the Plesk update may have
> re-enabled it, but I haven't gone to look yet because I'm doing my
> other work atm
>
> I did see this one though, went through ok, but has a lot of stuff in it

id=z3017843630zde122aa551cfe73afe37888b3dcdabaez bad

In this context 'bad' means that your bcs threw inappropriate x-spam-report SA lines at the fetchmail server, and 'normal' would mean that it did not; regardless of other features of the submission or the parse.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Wed Jun 17 16:25:56 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Jun 17 16:30:03 2009
Subject: [Scspamcop] Re: for the deputies i guess..
References:
Message-ID:

Bill wrote:
> here's another one too (tagged) that doesn't have all that crap..
> next
> one in line after the one I just posted

id=z3017843639zff5d958a42a5963d1c8d42ee9747978az
> and another
id=z3017843668z8fed7e3018caa904dfce7365c9c76b53z
> and
id=z3017843678z088c383eb615102488873cb2d534169ez
all normal

> all of which are tagged by SA on my system, but parsed fine
> then there's this one (not tagged)
id=z3017843689z6391ca28f30564082dad64e8d278c34cz normal
id=z3018284028z84dd791743a201755ad15114e4b0c67az normal
> at least SC was able to catch part of that one..

I don't understand when or why you call tagged or untagged, because it doesn't match up with my definitions of bad and normal regarding the appearance at the tracker.

--
Mike Easter
kibitzer, not SC admin

From bcs1 at spamcop.net Wed Jun 17 23:41:25 2009
From: bcs1 at spamcop.net (Bill)
Date: Wed Jun 17 23:45:03 2009
Subject: [Scspamcop] Re: for the deputies i guess..
References:
Message-ID:

"Mike Easter" wrote in message news:h1bjgj$am5$1@news.spamcop.net...
>
> I don't understand when or why you call tagged or untagged, because it
> doesn't match up with my definitions of bad and normal regarding the
> appearance at the tracker.
>

Sorry, I mean tagged as in the SA on my server added the *spam* tag to the subject line..

Bill

From MikeE at ster.invalid Thu Jun 18 00:34:13 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Jun 18 00:35:03 2009
Subject: [Scspamcop] Re: for the deputies i guess..
References:
Message-ID:

Bill wrote:
> "Mike Easter"
>> I don't understand when or why you call tagged or untagged, because it
>> doesn't match up with my definitions of bad and normal regarding the
>> appearance at the tracker.
>>
> sorry, I mean tagged as in the SA on my server added the *spam* tag to
> the subject line..

Are you saying that your own SA is on all the time and it only stamps lines some of the time and some of the time it doesn't?

I'm not talking about adding the spam subject tag. I'm talking about doing its job by making header modifications.
That is, I am accustomed to spamfilters like SpamPal and/or SpamAssassin being on or off. When they are on, they perform their job according to their configuration - which rules, how much score, which lines to stamp, etc.

As such, then all of your headers should have common traits, namely the evidence in the headers that the SA filter is 'working'. Some of your headers will be found to be spam and some not, but (it seems to me) all of them would have the same 'traits' or tracks of the workings of the SA process.

Why don't all of your submissions from the server which is performing the SA filter show the same evidence that the filter is working, even when it 'passes' a nonspam without making a subject change?

All of my SpamPal mediated headers show the same evidence that all of the items have been processed by SP.

--
Mike Easter
kibitzer, not SC admin

From bcs1 at spamcop.net Thu Jun 18 09:45:39 2009
From: bcs1 at spamcop.net (Bill)
Date: Thu Jun 18 09:50:03 2009
Subject: [Scspamcop] Re: for the deputies i guess..
References:
Message-ID:

"Mike Easter" wrote in message news:h1cg44$j6k$1@news.spamcop.net...
> Bill wrote:
>> "Mike Easter"
>
>>> I don't understand when or why you call tagged or untagged, because it
>>> doesn't match up with my definitions of bad and normal regarding the
>>> appearance at the tracker.
>>>
>> sorry, I mean tagged as in the SA on my server added the *spam* tag to
>> the subject line..
>
> Are you saying that your own SA is on all the time and it only stamps
> lines some of the time and some of the time it doesn't?
>
> I'm not talking about adding the spam subject tag. I'm talking about
> doing its job by making header modifications.
>
> That is, I am accustomed to spamfilters like SpamPal and/or SpamAssassin
> being on or off. When they are on, they perform their job according to
> their configuration - which rules, how much score, which lines to stamp,
> etc.
>
> As such, then all of your headers should have common traits, namely the
> evidence in the headers that the SA filter is 'working'. Some of your
> headers will be found to be spam and some not, but (it seems to me) all
> of them would have the same 'traits' or tracks of the workings of the SA
> process.
>
> Why don't all of your submissions from the server which is performing the
> SA filter show the same evidence that the filter is working, even when it
> 'passes' a nonspam without making a subject change?
>
> All of my SpamPal mediated headers show the same evidence that all of the
> items have been processed by SP.
>

Mine is set to not tag the email as spam unless it reaches a 7.00 score (if I understand how it's supposed to work), and seemingly the serverwide settings were still enabled, so the tags were still getting inserted along with the SA info on the ones that reached a score of 7 or higher.

As far as the other questions, I don't think I'm familiar enough with the program to say or know whether it's supposed to mod things all the time, or just the ones that meet the score level. I've always been under the assumption that it only alters something if it gets hit on for spam and leaves the ones that don't alone..

Bill

From MikeE at ster.invalid Thu Jun 18 10:24:42 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Jun 18 10:25:11 2009
Subject: [Scspamcop] Re: for the deputies i guess..
References:
Message-ID:

Bill wrote:
> "Mike Easter"
>> Are you saying that your own SA is on all the time and it only stamps
>> lines some of the time and some of the time it doesn't?
>>
>> I'm not talking about adding the spam subject tag. I'm talking about
>> doing its job by making header modifications.

> mine is set to not tag the email as spam unless it reaches a 7.00 score

You are saying that a positive spam result caused by that score causes the subject to be changed.
But I am saying that SA and others such as SP *always* make header changes whether they change the subject because of a positive result or not.

> (if I understand how it's supposed to work), and seemingly the serverwide
> settings were still enabled, so the tags were still getting inserted
> along with the SA info on the ones that reached a score of 7 or higher.

To my understanding, you have not yet made clear to me what configurations you have made to the SA which you control. Previously you said you turned it off. I don't think you should necessarily have to turn it off unless you can't configure it to not send noncompliant x-spam-report lines that confuse the fetchmail.cesmail MTA.

> as far as the other questions, I don't think I'm familiar enough with
> the program to say or know whether it's supposed to mod things all the
> time, or just the ones that meet the score level, I've always been
> under the assumption that it only alters something if it gets hit on
> for spam and leaves the ones that don't alone..

It can't know that something's subject should *not* be changed unless it runs its filter tests. If it runs its filter tests, then it is going to stamp its lines, except not the subject one. It is possible to run a filter test and have no positive results, in which case there would be no x-spam-report lines at all.

My opinion is that if you don't know how to configure it 'properly' -- so that it doesn't throw noncompliant x-spam-report lines, then you should turn it off. My further opinion is that you should know how to configure it and what its header lines look like completely separate and free from anything that SC's/cesmail's server might superimpose on its headers.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Thu Jun 18 10:56:43 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Jun 18 11:00:04 2009
Subject: [Scspamcop] Re: for the deputies i guess..
References:
Message-ID:

Mike Easter wrote:
> My opinion is that if you don't know how to configure it 'properly' --
> so that it doesn't throw noncompliant x-spam-report lines, then you
> should turn it off. My further opinion is that you should know how to
> configure it and what its header lines look like completely separate
> and free from anything that SC's/cesmail's server might superimpose on
> its headers.

In terms of 'demonstrating' headers processed by the bcs server's SA, it is not necessary to forward them or pop them into the cesmail system to illustrate. You could

-1- leave the bcs SA turned on
-2- turn off the forwarding/popping to SC/cesmail
-3- use the resultant mail in the bcs mailbox to feed into the webparser to get trackers.

Post the trackers here according to my privatize/cancel guide:

How to make a tracker:
1 select and obtain the complete spam
2 privatize the header&body content
3 webparse it & copy the tracking URL
4 cancel the report & paste the tracker in here

1 ... in the manner described by the SC faq
http://www.spamcop.net/fom-serve/cache/19.html
How do I get my email program to reveal the full, unmodified email?

2 ... by modestly and unambiguously munging any private information you don't want to expose, such as your name or email address which might appear anywhere in the header or body. Avoid excessive or confusing munging.

3 ... login to the SC webparser, paste in the spam, and click the Process Spam button; then copy the tracking URL from the top 'Here is your TRACKING URL' of the appearance
http://www.spamcop.net/sc?id=z1505491930z5db2559eebcde98291b8e783c95d61cez

4 ... after parsing, the report is 'live' until the cancel button is used. After cancelling, the tracker disappears; the munged spam report should be cancelled because it has been materially changed and because you don't want to leave a tracker live.
--
Mike Easter
kibitzer, not SC admin

From bcs1 at spamcop.net Thu Jun 18 14:30:18 2009
From: bcs1 at spamcop.net (Bill)
Date: Thu Jun 18 14:35:05 2009
Subject: [Scspamcop] Re: for the deputies i guess..
References:
Message-ID:

"Mike Easter" wrote in message news:h1dkj8$kmc$1@news.spamcop.net...
> Mike Easter wrote:

OK, I broke the fetchmail by setting an invalid password for that account and I'll re-enable SA on my server. I've also set up IMAP so I can get the emails sitting on the server and control them that way while we do this test.

My SA is a part of the Plesk CP so I only have a couple of options as to how it's configured on the server. For serverwide prefs, I have:

General
  Switch on server-wide SpamAssassin spam filtering: x
  Switch on server-wide greylisting spam protection:
  Apply individual settings to spam filtering: x
SpamAssassin Settings
  The maximum number of worker spamd processes to run (1-5) *: 5
  The score that a message must receive to qualify as spam *: 7.00
  Add the following text to the beginning of subject of each message recognized as spam: *****SPAM*****
  Leave this field blank if you do not want to add any text. Type _SCORE_ if you want to include the score in the message subject.
  * Required fields

and for that individual mailbox I show:

General
  Switch on SpamAssassin spam filtering: x
SpamAssassin Settings
  The score that a message must receive to qualify as spam *: 7.00
  Add the following text to the beginning of subject of each message recognized as spam: *SPAM*
  Leave this field blank if you do not want to add any text. Type _SCORE_ if you want to include the score in the message subject.
  Delete spam mail when it comes to mailbox:
  * Required fields

Bill

From MikeE at ster.invalid Thu Jun 18 15:47:50 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Jun 18 15:50:04 2009
Subject: [Scspamcop] Re: for the deputies i guess..
References:
Message-ID:

Bill wrote:
> I'll re-enable SA on my server, I've also set up IMAP so I
> can get the emails sitting on the server and control them that way
> while we do this test.

Okey dokey.

--
Mike Easter
kibitzer, not SC admin

From dritz at mindspring.com Thu Jun 18 17:11:25 2009
From: dritz at mindspring.com (David Ritz)
Date: Thu Jun 18 17:15:04 2009
Subject: [Scspamcop] Re: for the deputies i guess..
In-Reply-To:
References:
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thursday, 18 June 2009 14:30 -0400, in article , Bill wrote:

> ok I broke the fetchmail by setting an invalid password for that
> account and I'll re-enable SA on my server, I've also set up IMAP so
> I can get the emails sitting on the server and control them that way
> while we do this test.

> My SA is a part of the Plesk CP so I only have a couple of options
> as to how it's configured on the server. for serverwide prefs, I
> have:

"To sleep: perchance to dream: ay, there's the rub;"

https://plesk9.demo.parallels.com:8443/ settings Spam Filter Settings

> General
> Switch on server-wide SpamAssassin spam filtering x
> Switch on server-wide greylisting spam protection
> Apply individual settings to spam filtering x
> SpamAssassin Settings The maximum number of worker spamd processes to
> run (1-5) * 5
> The score that a message must receive to qualify as spam * 7.00
> Add the following text to the beginning of subject of each message
> recognized as spam *****SPAM*****
> Leave this field blank if you do not want to add any text. Type
> _SCORE_ if you want to include the score in the message subject.
> * Required fields

> and for that individual mailbox I show:

> General
> Switch on SpamAssassin spam filtering x
> SpamAssassin Settings The score that a message must receive to qualify
> as spam * 7.00
> Add the following text to the beginning of subject of each message
> recognized as spam *SPAM*
> Leave this field blank if you do not want to add any text.
> Type
> _SCORE_ if you want to include the score in the message subject.
> Delete spam mail when it comes to mailbox
> * Required fields

Bill, your options are indeed limited, if this is the only way you have of accessing your SpamAssassin configuration.

I strongly suspect that Plesk is writing a user_prefs file, which you could edit manually. I wouldn't begin to venture a guess as to where that SA user_prefs file might be hidden. If you are able to locate that file, you may be able to manually edit the user_prefs file using a text editor, to be more useful than Plesk's one size fits all premise.

Should you choose to do so, you may want to take a look at . This is an HTMLized version of the Mail::SpamAssassin::Conf perldoc I initially referenced. It includes detailed information which one may use to exclude specific headers from your local reports; ie. X-Spam-Report.

Additionally, you may want a hand in starting your own, quite basic user_prefs file. See .

So far as POPping your mail automatically to cesmail for SC reporting, you will probably be best served were you to do so without any SpamAssassin preprocessing, as it would seem that this redundancy is what is causing SC's parsing to fail^W barf.

As for myself, I attempted running spam samples through SpamAssassin multiple times, to see whether I could reproduce the errors you provided in your tracking samples, without success. (I was able to reproduce the scoring discrepancies which I now associate with passing the spam samples through SA multiple times.)

Further, I submitted a day's worth of spam passed through SA, with report_safe mode set to "0" (no), to SpamCop. While I was unable to produce any errors, I've gone back to submitting spam samples to SC with absolutely no added markup. I see little or no advantage to providing this information to spammy.

- --
David Ritz
Be kind to animals; kiss a shark.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (Darwin)
Comment: Public Keys:

iEYEARECAAYFAko6rYYACgkQUrwpmRoS3uvSAQCgwisO8e4f2pum8aL2TFi7Zzgi
2hwAnRn7uki6glZS+ByFhooYeAvhuBHe
=kSEc
-----END PGP SIGNATURE-----

From bcs1 at spamcop.net Thu Jun 18 21:57:31 2009
From: bcs1 at spamcop.net (Bill)
Date: Thu Jun 18 22:00:04 2009
Subject: [Scspamcop] Re: for the deputies i guess..
References:
Message-ID:

"Mike Easter" wrote in message news:h1e5l5$jfi$1@news.spamcop.net...
> Bill wrote:
>> I'll re-enable SA on my server, I've also set up IMAP so I
>> can get the emails sitting on the server and control them that way
>> while we do this test.
>
> Okey dokey.
>
>
> --
> Mike Easter
> kibitzer, not SC admin

Sadly, any other day I'd have 30 or 40 spam emails, but NOOOOO, not today... oh well, here's one for you
http://www.spamcop.net/sc?id=z3024420247zd166bc32c0befed075b8e9fd5c5d05a7z

I did report it because it's a legit spam... everything looks fine to me though, but I'm not a guru in this stuff... get me in a shell and I'm more comfortable...

Bill

From MikeE at ster.invalid Thu Jun 18 22:12:21 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Jun 18 22:15:03 2009
Subject: [Scspamcop] Re: for the deputies i guess..
References:
Message-ID:

Bill wrote:
www.spamcop.net/sc?id=z3024420247zd166bc32c0befed075b8e9fd5c5d05a7z

I see a normal healthy set of SA headers without the unwanted x-spam-report lines, and this SA was that of the bcs server.

In this case there wasn't a subject change because the SA score fell below that required for *spam*.

I'm very puzzled about where the spurious lines come from in a different example, because we have seen a number of headers which are like this one (except in other examples the headers have also been thru' cesmail's MTAs plus SC's SA), and only an occasional one which has the funky lines.
--
Mike Easter
kibitzer, not SC admin

From dritz at mindspring.com Thu Jun 18 23:09:17 2009
From: dritz at mindspring.com (David Ritz)
Date: Thu Jun 18 23:10:03 2009
Subject: [Scspamcop] Re: for the deputies i guess..
In-Reply-To:
References:
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thursday, 18 June 2009 21:57 -0400, in article , Bill wrote:

> sadly, any other day, I'd have 30 or 40 Spam emails, but NOOOOO, not
> today...
> oh well, here's one for you
> http://www.spamcop.net/sc?id=z3024420247zd166bc32c0befed075b8e9fd5c5d05a7z
> I did report it because it's a legit spam...

That would seem to be a paradox. It seems outright outlandish, if one actually looks at the spam in question. I'll get back to that in a moment.

> everything looks fine to me though, but I'm not a guru in this stuff...
> get me in a shell and I'm more comfortable...

I assume you are referring to a CLI, rather than a GUI shell.

OK. Now let's take a look at the submission. When I looked at the Subject line, with or without a *SPAM* tag, I recognized that the payload is malware. As long as the malware attachment appeared to be complete, I downloaded it for a little forensic examination.

With it downloaded, I passed it through SpamAssassin locally, where it scored 19.8, partially due to my personal weighting preferences.
Content analysis details:   (19.8 points, 5.0 required)

 pts rule name              description
- ---- ---------------------- --------------------------------------------------
 5.1 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.0000]
 0.6 RCVD_IN_SORBS_WEB      RBL: SORBS: sender is a abuseable web server
                            [94.245.199.65 listed in dnsbl.sorbs.net]
 2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see ]
 3.0 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [94.245.199.65 listed in zen.spamhaus.org]
 0.9 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
 5.1 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 3.1 FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook

As for the payload, it's ugly and should be handled with extreme caution.

dritz:~/infected> sha1 UPSFILE_NR79213100.zip ; date
SHA1(UPSFILE_NR79213100.zip)= f9dac41fa2a44396dee3ec0de0dcdbc6bda414c0
Fri Jun 19 02:36:46 UTC 2009

dritz:~/infected> sweep UPSFILE_NR79213100.zip ; date
>>> Virus 'Troj/Agent-KFS' found in file UPSFILE_NR79213100.zip/UPSFILE_NR79213100.exe
Could not check UPSFILE_NR79213100.zip (corrupt)
Fri Jun 19 02:29:28 UTC 2009

File UPSFILE_NR79213100.zip received on 2009.06.19 02:41:01 (UTC)
Current status: finished
Result: 7/41 (17.07%)

Antivirus          Version         Last Update  Result
a-squared          4.5.0.18        2009.06.19   -
AhnLab-V3          5.0.0.2         2009.06.18   -
AntiVir            7.9.0.191       2009.06.18   -
Antiy-AVL          2.0.3.1         2009.06.18   -
Authentium         5.1.2.4         2009.06.19   W32/Trojan3.AYY
Avast              4.8.1335.0      2009.06.18   -
AVG                8.5.0.339       2009.06.18   -
BitDefender        7.2             2009.06.19   -
CAT-QuickHeal      10.00           2009.06.18   -
ClamAV             0.94.1          2009.06.19   -
Comodo             1369            2009.06.19   -
DrWeb              5.0.0.12182     2009.06.18   -
eSafe              7.0.17.0        2009.06.18   -
eTrust-Vet         31.6.6568       2009.06.19   -
F-Prot             4.4.4.56        2009.06.19   W32/Trojan3.AYY
F-Secure           8.0.14470.0     2009.06.18   -
Fortinet           3.117.0.0       2009.06.18   -
GData              19              2009.06.19   -
Ikarus             T3.1.1.59.0     2009.06.19   Trojan-Dropper
Jiangmin           11.0.706        2009.06.18   -
K7AntiVirus        7.10.766        2009.06.17   -
Kaspersky          7.0.0.125       2009.06.19   -
McAfee             5650            2009.06.18   -
McAfee+Artemis     5650            2009.06.18   Artemis!992B02D8CECB
McAfee-GW-Edition  6.7.6           2009.06.18   -
Microsoft          1.4701          2009.06.19   VirTool:Win32/Obfuscator.FH
NOD32              4169            2009.06.19   -
Norman             6.01.09         2009.06.18   W32/Zbot.gen20
nProtect           2009.1.8.0      2009.06.19   -
Panda              10.0.0.14       2009.06.18   -
PCTools            4.4.2.0         2009.06.17   -
Prevx              3.0             2009.06.19   -
Rising             21.34.34.00     2009.06.18   -
Sophos             4.42.0          2009.06.19   Troj/Agent-KFS
Sunbelt            3.2.1858.2      2009.06.18   -
Symantec           1.4.4.12        2009.06.19   -
TheHacker          6.3.4.3.348     2009.06.19   -
TrendMicro         8.950.0.1094    2009.06.18   -
VBA32              3.12.10.7       2009.06.19   -
ViRobot            2009.6.18.1794  2009.06.18   -
VirusBuster        4.6.5.0         2009.06.18   -

Additional information
File size: 28785 bytes
MD5   : ea746becb98adb51c0daa29ed2ff8888
SHA1  : f9dac41fa2a44396dee3ec0de0dcdbc6bda414c0
SHA256: d72ebad3090f0f08594695eff124ced3d5388cdedb09fd88be2d7fe0979b3a9e
TrID  : File type identification
        ZIP compressed archive (100.0%)
ssdeep: 768:+sq1YR0n8CHly7CpIQuCR94maWUxh12DYYCFMqOvKJ:xq7n8CQ7CWCRWmaWUfdM1iJ
PEiD  : -
RDS   : NSRL Reference Data Set
        -

Just for jollies, I took a closer look at the emitter host.

dritz:~> blq -ant 94.245.199.65 ; date
94.245.199.65 : cbl.abuseat.org : BLOCKED (127.0.0.2)
  Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=94.245.199.65
94.245.199.65 : zen.spamhaus.org : BLOCKED (127.0.0.4)
  http://www.spamhaus.org/query/bl?ip=94.245.199.65
94.245.199.65 : bl.spamcop.net : BLOCKED (127.0.0.2)
  Blocked - see http://www.spamcop.net/bl.shtml?94.245.199.65
94.245.199.65 : bl.asnbl.org : BLOCKED (127.0.0.7)
  Top-spew - 94.245.199.0/24 blocked - too many spam-spewing hosts in your /24 - 19 IPs detected
94.245.199.65 : dnsbl-1.uceprotect.net : BLOCKED (127.0.0.2)
  IP 94.245.199.65 is UCEPROTECT-Level 1 listed.
  See http://www.uceprotect.net/rblcheck.php?ipr=94.245.199.65
94.245.199.65 : dnsbl-2.uceprotect.net : BLOCKED (127.0.0.2)
  Net 94.245.192.0/18 is UCEPROTECT-Level2 listed because 114 abusers are hosted by AS12635 Orange Austria Telecommunication GmbH/AS12635 there.
  See: http://www.uceprotect.net/rblcheck.php?ipr=94.245.199.65
Fri Jun 19 02:49:33 UTC 2009

At least SC didn't break.

- --
David Ritz
Be kind to animals; kiss a shark.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (Darwin)
Comment: Public Keys:

iEYEARECAAYFAko7AV0ACgkQUrwpmRoS3utL6ACgzPeh9BSCTYgAxi5dnz5GzfOt
fJwAoJWu+SS1JMpJIhFlQ/PUv8Ms0qEm
=PfYK
-----END PGP SIGNATURE-----

From tmcgraw at spamcop.net Thu Jun 18 23:36:42 2009
From: tmcgraw at spamcop.net (Tim McGraw)
Date: Thu Jun 18 23:40:04 2009
Subject: [Scspamcop] Re: for the deputies i guess..
In-Reply-To:
References:
Message-ID:

David Ritz wrote:
> 94.245.199.65 : bl.asnbl.org : BLOCKED (127.0.0.7)
> Top-spew - 94.245.199.0/24 blocked - too many spam-spewing hosts in
> your /24 - 19 IPs detected

May I inquire about bl.asnbl.org, and where I may find out more about them?

From user at domain.invalid Thu Jun 18 23:58:37 2009
From: user at domain.invalid (Farelf)
Date: Fri Jun 19 00:00:03 2009
Subject: [Scspamcop] Re: for the deputies i guess..
In-Reply-To:
References:
Message-ID:

David Ritz wrote:
...
>
> As for the payload, it's ugly and should be handled with extreme caution.
>
...
>
> File UPSFILE_NR79213100.zip received on 2009.06.19 02:41:01 (UTC)
> Current status: finished
> Result: 7/41 (17.07%)
> ...
Now that is interesting - submitted as the base64 text (just copy and paste
to file, between and including the bracketing 'NextPart's - I couldn't
extract the actual zip file from the tracker if you paid me) a slightly
different detection set is obtained:

http://www.virustotal.com/analisis/db9ca393651b3a5b7ddcc7ddbd299394ff41a236a07510eb3b052af148781920-1245383027
File virus.txt received on 2009.06.19 03:43:47 (UTC)
Current status: finished
Result: 8/41 (19.52%)

From bcs1 at spamcop.net Fri Jun 19 08:15:34 2009
From: bcs1 at spamcop.net (Bill)
Date: Fri Jun 19 08:20:04 2009
Subject: [Scspamcop] Re: for the deputies i guess..

"David Ritz" wrote in message news:alpine.OSX.2.00.0906182143370.7699@mako.ath.cx...
>
> I assume you are referring to a CLI, rather than a GUI shell.
>

Yes, you are correct :)

From bcs1 at spamcop.net Fri Jun 19 08:35:27 2009
From: bcs1 at spamcop.net (Bill)
Date: Fri Jun 19 08:40:03 2009
Subject: [Scspamcop] Re: for the deputies i guess..

"David Ritz" wrote in message news:alpine.OSX.2.00.0906181440420.1076@mako.ath.cx...
(snip)
>
> Bill, your options are indeed limited, if this is the only way you
> have of accessing your SpamAssassin configuration.
>
> I strongly suspect that Plesk is writing a user_prefs file, which you
> could edit manually. I wouldn't begin to venture a guess as to where
> that SA user_prefs file might be hidden.

Yes, that's how I read it too from the serverwide prefs settings, and I can
find those easily enough on the server in a CLI environment. (saved the
links)

>
> So far as POPping your mail automatically to cesmail for SC reporting,
> you will probably be best served were you to do so without any
> SpamAssassin preprocessing, as it would seem that this redundancy is
> what is causing SC's parsing to fail^W barf.
>

I think that falls back to my mathematical equation from earlier,
SA + SA = Fail..
LOL

The funny thing is, I normally don't run the SA on my server at all, but
John (John and his wife Ronnie, John who used to post here a lot but I
haven't seen him here recently) was getting his emails to me rejected by the
server from one of his addresses, so I enabled SA in order to whitelist his
domain on my server and be able to communicate with him. I didn't really
think about it at the time, I was simply making sure we could talk via email
and I didn't even consider that SA + SA would cause any type of problems...
*shrug...

Bill

From bcs1 at spamcop.net Fri Jun 19 09:07:14 2009
From: bcs1 at spamcop.net (Bill)
Date: Fri Jun 19 09:10:03 2009
Subject: [Scspamcop] Re: for the deputies i guess..

"Mike Easter" wrote in message news:h1es62$tto$1@news.spamcop.net...
> Bill wrote:
>> www.spamcop.net/sc?id=z3024420247zd166bc32c0befed075b8e9fd5c5d05a7z
>
> I see a normal healthy set of SA headers without the unwanted
> x-spam-report lines and which this SA was that of the bcs server.
>
> In this case there wasn't a subject change because the SA score fell
> below that required for *spam*.
>
> I'm very puzzled about where the spurious lines come from in a different
> example, because we have seen a number of headers which are like this one
> (except in other examples the headers have also been thru' cesmail's MTAs
> plus SC's SA), and only an occasional one which has the funky lines.
>
>
> --
> Mike Easter
> kibitzer, not SC admin
>

Well, I got one of those funky ones with tons of crap in it and parsed its
source directly from my server; now I'm going to let SC fetch it and see.

before SC fetch:
http://www.spamcop.net/sc?id=z3026204391zf2fb9a4be83721d0e227a4ad987dd4a1z

after SC fetch:
http://www.spamcop.net/sc?id=z3026231815z80d5c4a16c6d7fce525a2aa0408747a7z

and I think we've found the issue...
SA + SA = FAIL

LOL

From MikeE at ster.invalid Fri Jun 19 11:05:49 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Jun 19 11:10:03 2009
Subject: [Scspamcop] Re: for the deputies i guess..

Bill wrote:
> "Mike Easter"
>> I'm very puzzled about where the spurious lines come from
> well I got one of those funky ones with tons of crap in it and parsed
> it's source directly from my server, now I'm going to let SC fetch it
> and see
>
> before SC fetch: id=z3026204391zf2fb9a4be83721d0e227a4ad987dd4a1z
> after SC fetch:
> id=z3026231815z80d5c4a16c6d7fce525a2aa0408747a7z
>
> and I think we've found the issue...
>
> SA + SA = FAIL

That is very interesting to see what is happening.

First, for reasons unknown, sometimes your SA provides an X-Spam-Report:
field and values and sometimes it does not. That is a puzzle in itself. As
it turns out, it would be better if it would not. However, there is nothing
wrong that I can see with the structure of the headers at bcs when the XSR
is included. The X-Spam-Report: IS properly configured and compliant.

Then, to me, the interesting part is what happens when the cesmail MTAs
handle your submission. All of your bcs SA lines are stripped out, because
they are going to be replaced with SC/cesmail's own SA lines. And that is
where the cesmail MTA screws up.

I suppose we could say "that's because the cesmail doesn't know how to
handle the X-Spam-Report: lines because it doesn't use X-Spam-Report: lines
itself." but, it is just an algorithm and it should be programmed properly,
which it is not.

So, when the cesmail MTA handles the SA line stripping part of the
operation, it strips off the X-Spam-Report: part (along with all of the
other X-Spam-* headers and field values) -- except that it fails to strip
off the *values* of the XSR. Let's say then that "it doesn't know what to do
with" that data, so it wrongly smushes it into the 'by' field that the
cesmail fetchmail MTA stamps.
That turns into a potential for disaster. That misconfiguration caused by
the cesmail fetchmail MTA sets the stage for the parser to fail when there
is a lot of data in the bcs's XSR field.

It isn't the bcs server's fault, and I don't know why sometimes it stamps an
XSR and sometimes it doesn't, but the cesmail server's algorithm for
stripping SA lines should be fixed, and in the meantime if I were you I
would turn off your SA for submitting to SC.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Fri Jun 19 14:46:41 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Jun 19 14:50:03 2009
Subject: [Scspamcop] bl.asnbl.org

I started a new thread. The SC newsserver was gagging on the long references
line.

Tim McGraw wrote:
> David Ritz wrote:
>> 94.245.199.65 : bl.asnbl.org : BLOCKED (127.0.0.7)
>> Top-spew - 94.245.199.0/24 blocked - too many spam-spewing hosts in
>> your /24 - 19 IPs detected
>
> May I inquire about bl.asnbl.org, and where I may find out more about
> them?

I don't know what David knows, but my guess is that SpamShield of
spamshield.org makes a blocklist around/for an ASN block's IPs. Here's what
someone saw:

    Mail from 66.246.xx.xx refused due to bl.asnbl.org: asn-block:
    Blacklisted ASN at spamshield.org.

But spamshield's website doesn't mention it by name
http://www.spamshield.org/

--
Mike Easter
kibitzer, not SC admin

From dritz at mindspring.com Fri Jun 19 17:15:09 2009
From: dritz at mindspring.com (David Ritz)
Date: Fri Jun 19 17:20:03 2009
Subject: [Scspamcop] Re: for the deputies i guess..

On Thursday, 18 June 2009 20:36 -0700,
in article ,
Tim McGraw wrote:

> David Ritz wrote:
>> 94.245.199.65 : bl.asnbl.org : BLOCKED (127.0.0.7)
>> Top-spew - 94.245.199.0/24 blocked - too many spam-spewing hosts in
>> your /24 - 19 IPs detected

> May I inquire about bl.asnbl.org, and where I may find out more about them?
Under normal circumstances, I would suggest checking http://www.asnbl.org,
but that's a dead end. To make matters slightly more frustrating, neither of
my ASNBL contacts has been around, so I'll wing it.

Automatic Network Synchronization Block List

dritz:~> blq -ant asnbl 127.0.0.2 ; date
127.0.0.2 : bl.asnbl.org : BLOCKED (127.0.0.4)
    Blacklisted ASN at spamshield.org listed at bl.asnbl.org
    Top-spew: this /24 has too many spam-spewing IPs - listed at bl.asnbl.org
    Test listing for various African countries with high 419/AFF incidents .
    This code is not useful for email blocking, but to deny access to Webmail
    and VPN platforms via HTTP
    SpamShield alarm against $1 at spamshield.org
    blowback/accept&bounce DDoS MTA listed at bl.asnbl.org
    dynamic pool/generic rDNS listed at bl.asnbl.org
    spamshield.org ban due to AUP - listed at bl.asnbl.org
Fri Jun 19 20:39:26 UTC 2009

This is blq's organization of the TXT record for 2.0.0.127.bl.asnbl.org.
(Chip Rosenthal's DNSBL lookup script .)

    "host -t TXT 2.0.0.127.bl.asnbl.org"
    "dig TXT 2.0.0.127.bl.asnbl.org"
    "nslookup -type=TXT 2.0.0.127.bl.asnbl.org"

dritz:~> host -t TXT 2.0.0.127.bl.asnbl.org
;; Truncated, retrying in TCP mode.
2.0.0.127.bl.asnbl.org descriptive text "dynamic pool/generic rDNS listed at bl.asnbl.org"
2.0.0.127.bl.asnbl.org descriptive text "spamshield.org ban due to AUP - listed at bl.asnbl.org"
2.0.0.127.bl.asnbl.org descriptive text "Blacklisted ASN at spamshield.org listed at bl.asnbl.org"
2.0.0.127.bl.asnbl.org descriptive text "Top-spew: this /24 has too many spam-spewing IPs - listed at bl.asnbl.org"
2.0.0.127.bl.asnbl.org descriptive text "Test listing for various African countries with high 419/AFF incidents .
This code is not useful for email blocking, but to deny access to Webmail and VPN platforms via HTTP"
2.0.0.127.bl.asnbl.org descriptive text "SpamShield alarm against $1 at spamshield.org"
2.0.0.127.bl.asnbl.org descriptive text "blowback/accept&bounce DDoS MTA listed at bl.asnbl.org"

While I use bl.asnbl.org when adding comments to my SC reports, I do not use
it for filtering or scoring purposes. The same is true for some of the other
DNSBLs in my default blq configuration.

dritz:~> blq 127.0.0.2 ; date
127.0.0.2 : cbl.abuseat.org : BLOCKED
127.0.0.2 : zen.spamhaus.org : BLOCKED
127.0.0.2 : bl.spamcop.net : BLOCKED
127.0.0.2 : bl.asnbl.org : BLOCKED
127.0.0.2 : psbl.surriel.com : BLOCKED
127.0.0.2 : ix.dnsbl.manitu.net : BLOCKED
127.0.0.2 : dnsbl.sorbs.net : BLOCKED
127.0.0.2 : combined.njabl.org : BLOCKED
127.0.0.2 : dnsbl-1.uceprotect.net : BLOCKED
127.0.0.2 : dnsbl-2.uceprotect.net : BLOCKED
Fri Jun 19 21:04:56 UTC 2009

My rarely used 'all' configuration includes the following.

dritz:~> blq all 127.0.0.2 ; date
127.0.0.2 : cbl.abuseat.org : BLOCKED
127.0.0.2 : sbl.spamhaus.org : BLOCKED
127.0.0.2 : pbl.spamhaus.org : BLOCKED
127.0.0.2 : bl.asnbl.org : BLOCKED
127.0.0.2 : ubl.unsubscore.com : BLOCKED
127.0.0.2 : combined.njabl.org : BLOCKED
127.0.0.2 : zen.spamhaus.org : BLOCKED
127.0.0.2 : xbl.spamhaus.org : BLOCKED
127.0.0.2 : psbl.surriel.com : BLOCKED
127.0.0.2 : bl.spamcop.net : BLOCKED
127.0.0.2 : ipwhois.rfc-ignorant.org : ok
127.0.0.2 : dnsbl-1.uceprotect.net : BLOCKED
127.0.0.2 : dnsbl-2.uceprotect.net : BLOCKED
127.0.0.2 : dnsbl-3.uceprotect.net : BLOCKED
127.0.0.2 : ix.dnsbl.manitu.net : BLOCKED
127.0.0.2 : dnsbl.sorbs.net : BLOCKED
127.0.0.2 : list.bbfh.org : BLOCKED
127.0.0.2 : multi.uribl.com : BLOCKED
127.0.0.2 : multi.surbl.org : BLOCKED
Fri Jun 19 21:05:30 UTC 2009

If either of my ASNBL contacts turns up, I'll try to find out what's up with
their web-site.

--
David Ritz
Be kind to animals; kiss a shark.
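As an added example (not blq itself, not Chip Rosenthal's script, and not code from anyone in this thread), here is a small Python checker that builds the reversed-octet query names behind the lookups David Ritz shows above and reports results in blq's style. The zone list is his default blq configuration as quoted; the resolver is injectable, and the constructed answers mirror the 94.245.199.65 run quoted earlier; it goes one step beyond the thread by refusing to count any answer outside 127.0.0.0/8 as a listing, which is how a parked or retired zone that suddenly answers for everything is kept from blocking all mail.

```python
"""DNSBL lookup in the style of blq (added example, not blq's own code)."""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# David Ritz's default blq zones, as quoted in the thread.
DEFAULT_ZONES = [
    "cbl.abuseat.org",
    "zen.spamhaus.org",
    "bl.spamcop.net",
    "bl.asnbl.org",
    "psbl.surriel.com",
    "ix.dnsbl.manitu.net",
    "dnsbl.sorbs.net",
    "combined.njabl.org",
    "dnsbl-1.uceprotect.net",
    "dnsbl-2.uceprotect.net",
]

# Any answer outside this block is not a listing code and must not be trusted.
DNSBL_CODE_BLOCK = ipaddress.ip_network("127.0.0.0/8")

Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the octets and append the zone:
    94.245.199.65 + bl.asnbl.org -> 65.199.245.94.bl.asnbl.org
    Only IPv4 is handled here; anything else raises ValueError."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def socket_resolver(name: str) -> Optional[str]:
    """A-record lookup through the system resolver; None means not listed
    (NXDOMAIN). This is the only part that touches the network."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_ip(ip: str, zones: List[str] = DEFAULT_ZONES,
             resolver: Resolver = socket_resolver) -> Dict[str, Optional[str]]:
    """Map each zone to its 127.0.0.x return code, None when not listed, or
    the string 'bogus' when the zone answered with a non-loopback address."""
    results: Dict[str, Optional[str]] = {}
    for zone in zones:
        answer = resolver(dnsbl_query_name(ip, zone))
        if answer is None:
            results[zone] = None
        elif ipaddress.ip_address(answer) in DNSBL_CODE_BLOCK:
            results[zone] = answer
        else:
            results[zone] = "bogus"
    return results


def format_blq(ip: str, results: Dict[str, Optional[str]]) -> List[str]:
    """Render results one per line, as blq does."""
    lines = []
    for zone, code in results.items():
        if code is None:
            status = "ok"
        elif code == "bogus":
            status = "BOGUS ANSWER (ignored)"
        else:
            status = f"BLOCKED ({code})"
        lines.append(f"{ip} : {zone} : {status}")
    return lines


# Constructed answers that mirror the blq -ant 94.245.199.65 run above; the
# sorbs entry is invented to show a zone answering outside 127.0.0.0/8.
CONSTRUCTED_ANSWERS = {
    "65.199.245.94.cbl.abuseat.org": "127.0.0.2",
    "65.199.245.94.zen.spamhaus.org": "127.0.0.4",
    "65.199.245.94.bl.spamcop.net": "127.0.0.2",
    "65.199.245.94.bl.asnbl.org": "127.0.0.7",
    "65.199.245.94.dnsbl-1.uceprotect.net": "127.0.0.2",
    "65.199.245.94.dnsbl-2.uceprotect.net": "127.0.0.2",
    "65.199.245.94.dnsbl.sorbs.net": "198.51.100.7",
}


def fake_resolver(name: str) -> Optional[str]:
    """Offline stand-in for socket_resolver, backed by the constructed table."""
    return CONSTRUCTED_ANSWERS.get(name)


if __name__ == "__main__":
    for line in format_blq("94.245.199.65",
                           check_ip("94.245.199.65", resolver=fake_resolver)):
        print(line)
```

The TXT reasons that `host -t TXT` prints above are not fetched here, since the standard library offers no TXT lookup; swap in `socket_resolver` for a live A-record check.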
From tmcgraw at spamcop.net Fri Jun 19 18:13:36 2009
From: tmcgraw at spamcop.net (Tim McGraw)
Date: Fri Jun 19 18:15:02 2009
Subject: [Scspamcop] Re: bl.asnbl.org

Mike Easter wrote:
> I started a new thread. The SC newsserver was gagging on the long
> references line.

I'm okay with that but let's be honest here: the newsserver wasn't gagging.

> Tim McGraw wrote:
>> May I inquire about bl.asnbl.org, and where I may find out more about
>> them?
> I don't know what David knows, but my guess is that SpamShield of
> spamshield.org makes a blocklist around/for an ASN block's IPs. Here's
> what someone saw: Mail from 66.246.xx.xx refused due to bl.asnbl.org:
> asn-block: Blacklisted ASN at spamshield.org.
>
> But spamshield's website doesn't mention it by name
> http://www.spamshield.org/

But asnbl.org whois shows the "tech contact" to be Kai Schlichting,
author/owner of spamshield.org.

From dritz at mindspring.com Fri Jun 19 19:01:24 2009
From: dritz at mindspring.com (David Ritz)
Date: Fri Jun 19 19:05:04 2009
Subject: [Scspamcop] Re: for the deputies i guess..

On Friday, 19 June 2009 11:58 +0800,
in article ,
Farelf wrote:

> David Ritz wrote:
> ...
>> As for the payload, it's ugly and should be handled with extreme
>> caution.
>>
>> File UPSFILE_NR79213100.zip received on 2009.06.19 02:41:01 (UTC)
>> Current status: finished
>> Result: 7/41 (17.07%)

> Now that is interesting - submitted as the base64 text (just copy
> and paste to file, between and including the bracketing 'NextPart's
> - I couldn't extract the actual zip file from the tracker if you
> paid me) a slightly different detection set is obtained:

dritz:~/infected> unzip UPSFILE_NR79213100.zip
Archive:  UPSFILE_NR79213100.zip
  inflating: UPSFILE_NR79213100.exe

> http://www.virustotal.com/analisis/db9ca393651b3a5b7ddcc7ddbd299394ff41a236a07510eb3b052af148781920-1245383027
> File virus.txt received on 2009.06.19 03:43:47 (UTC)
> Current status: finished
> Result: 8/41 (19.52%)

It seems that the AV vendors are (slowly) updating their databases.

text submission:
http://www.virustotal.com/analisis/7d0fdd6b2bc5a23892ba84cc730294a9e63e037404db0ab16fb3b0efce340277-1245450891
File tmp received on 2009.06.19 22:34:51 (UTC)
Current status: finished
Result: 12/41 (29.27%)

zipped file:
http://www.virustotal.com/analisis/9955b1a7729c4be568ed8378d07029f7d5d2ec9032ed6727ed58e0e61ba5b866-1245450587
File UPSFILE_NR79213100.zip received on 2009.06.19 22:29:47 (UTC)
Current status: finished
Result: 20/41 (48.78%)

unzipped file:
http://www.virustotal.com/analisis/698d5c5a24ace042a8f5c5b3f9522157fca2b03c2b47e02eaa33c0393ffd3fc3-1245448432
File UPSFILE_NR79213100.exe received on 2009.06.19 21:53:52 (UTC)
Current status: finished
Result: 21/41 (51.22%)

--
David Ritz
Be kind to animals; kiss a shark.
From dritz at mindspring.com Fri Jun 19 19:29:31 2009
From: dritz at mindspring.com (David Ritz)
Date: Fri Jun 19 19:30:02 2009
Subject: [Scspamcop] Re: bl.asnbl.org

On Friday, 19 June 2009 15:13 -0700,
in article ,
Tim McGraw wrote:

> Mike Easter wrote:
>> I started a new thread. The SC newsserver was gagging on the long
>> references line.

> I'm okay with that but let's be honest here: the newsserver wasn't
> gagging.

>> Tim McGraw wrote:
>>> May I inquire about bl.asnbl.org, and where I may find out more
>>> about them?

>> I don't know what David knows, but my guess is that SpamShield of
>> spamshield.org makes a blocklist around/for an ASN block's IPs.
>> Here's what someone saw: Mail from 66.246.xx.xx refused due to
>> bl.asnbl.org: asn-block: Blacklisted ASN at spamshield.org.

>> But spamshield's website doesn't mention it by name
>> http://www.spamshield.org/

> But asnbl.org whois shows the "tech contact" to be Kai Schlichting,
> author/owner of spamshield.org.

I have no doubt that Kai's spamshield.org is providing a data feed to ASNBL,
as well as Kai's technical support. However, spamshield.org is only one of
ASNBL's data sources.

I did not think to ask Kai about the asnbl.org web-site.

--
David Ritz
Be kind to animals; kiss a shark.

From dritz at mindspring.com Fri Jun 19 19:47:34 2009
From: dritz at mindspring.com (David Ritz)
Date: Fri Jun 19 19:50:03 2009
Subject: [Scspamcop] Re: for the deputies i guess..
On Friday, 19 June 2009 08:05 -0700,
in article ,
Mike Easter wrote:

> It isn't the bcs servers fault, and I don't know why sometimes it
> stamps an XSR and sometimes it doesn't, but the cesmail server's
> algorithm for stripping SA lines should be fixed and in the meantime
> if I were you I would turn off your SA for submitting to SC.

I agree with this assessment. cesmail's servers are choking on the
X-Spam-Report headers when it retrieves the messages via POP. Were Bill
submitting them via forwarding to his SC submission address, or manually, as
he did in his example, , thus bypassing fetchmail.cesmail.net entirely, he
wouldn't be encountering these problems, as so clearly demonstrated in .

As to the question of why the X-Spam-Report is included in some, but not all
of the bcs-bcs.com processed items: SpamAssassin will only include an
X-Spam-Report header when a message exceeds the required_score. By default,
SA uses a score of 5.0. When the required_score is exceeded, the X-Spam-Flag
is printed, "YES." If there is no "X-Spam-Flag: YES" header, no
X-Spam-Report header is included.

As an example, I passed one of my e-mail messages through SA. (Note: I do
not white-list my e-mail addresses in SA.)

X-Spam-ASN: AS4355 209.86.0.0/16
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	glimmer.mako.ath.cx
X-Spam-Level:
X-Spam-Status: No, score=-0.1 required=5.0 tests=BAYES_50,DKIM_SIGNED,
	DKIM_VERIFIED,DK_POLICY_TESTING,DK_SIGNED,DK_VERIFIED,RDNS_NONE
	shortcircuit=no autolearn=ham version=3.2.5

Bill has SA configured at bcs-bcs.com required=7.0. (This is one of the few
settings to which Bill actually has access.) As such, items scoring above
the SA default of 5.0, but below his setting of 7.0, will not be tagged as
spam.

So, the problem is not caused by feeding the spam messages through SA twice;
rather by a "strip X-Spam headers" configuration error at cesmail.
--
David Ritz
Be kind to animals; kiss a shark.

From MikeE at ster.invalid Fri Jun 19 20:23:17 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Jun 19 20:25:03 2009
Subject: [Scspamcop] Re: bl.asnbl.org

Tim McGraw wrote:
> Mike Easter wrote:
>> I started a new thread. The SC newsserver was gagging on the long
>> references line.
>
> I'm okay with that but let's be honest here: the newsserver wasn't
> gagging.

Well, if you prefer, you can blame the newsreader for making the References
line too long -- or perhaps 'allowing' the References line to be too long.

My references line for your message looked like this:

References:

... all on one line.

That is probably noncompliant with something or other. OE wouldn't
successfully transact with the newsserver to send because of a line too long
when I tried to reply to your message, that is, the message was stuck in the
outbox with an alert.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Fri Jun 19 20:25:37 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Jun 19 20:30:03 2009
Subject: [Scspamcop] Re: bl.asnbl.org

Mike Easter wrote:
> Tim McGraw wrote:
>> Mike Easter wrote:
>>> I started a new thread. The SC newsserver was gagging on the long
>>> references line.
>>
>> I'm okay with that but let's be honest here: the newsserver wasn't
>> gagging.
>
> Well, if you prefer, you can blame the newsreader for making the
> References line too long -- or perhaps 'allowing' the References line to
> be too long.
>
> My references line for your message looked like this:
>
> References:
>
> ... all on one line.
>
> That is probably noncompliant with something or other.
> OE wouldn't
> successfully transact with the newsserver to send because of a line too
> long when I tried to reply to your message, that is, the message was
> stuck in the outbox with an alert.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Fri Jun 19 20:26:40 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Jun 19 20:30:04 2009
Subject: [Scspamcop] Re: bl.asnbl.org

Mike Easter wrote:

oops. That hiccup was my fault.

--
Mike Easter
kibitzer, not SC admin

From tmcgraw at spamcop.net Fri Jun 19 20:58:47 2009
From: tmcgraw at spamcop.net (Tim McGraw)
Date: Fri Jun 19 21:00:04 2009
Subject: [Scspamcop] Re: bl.asnbl.org

Mike Easter wrote:
> Tim McGraw wrote:
>> Mike Easter wrote:
>>> I started a new thread. The SC newsserver was gagging on the long
>>> references line.
>> I'm okay with that but let's be honest here: the newsserver wasn't
>> gagging.
>
> Well, if you prefer, you can blame the newsreader...
>
>
>
> OE wouldn't successfully transact with the newsserver...

From blacklist-me at davjam.org Fri Jun 19 20:55:27 2009
From: blacklist-me at davjam.org (David Bolt)
Date: Fri Jun 19 21:15:03 2009
Subject: [Scspamcop] Re: for the deputies i guess..

On Fri, 19 Jun 2009, David Ritz wrote:-

>So, the problem is not caused by feeding the spam messages through SA
>twice; rather by a "strip X-Spam headers" configuration error at
>cesmail.

I wonder if a part of that problem is caused by the actual length of the
header. AFAIK, header lines are supposed to be a maximum of 998 bytes. RFC
2822 section 2.2.3 suggests this, but does this also apply where a header is
continued over several lines? My guess is that the 998 byte limit applies to
the total length of the unfolded header. If this is so, the X-Spam-Report:
header in the last mangled example far exceeds it, as it's a total of 1476
bytes, or 1505 bytes using CRLF EOL markers.
Regards,
David Bolt

--
Team Acorn: http://www.distributed.net/  OGR-NG @ ~100Mnodes  RC5-72 @ ~1Mkeys/s
openSUSE 10.3 32b | openSUSE 11.0 32b |                   | openSUSE 10.3 64b
openSUSE 11.0 64b | openSUSE 11.1 64b | RISC OS 3.6       | RISC OS 3.11
openSUSE 11.1 PPC | TOS 4.02

From dritz at mindspring.com Fri Jun 19 22:33:01 2009
From: dritz at mindspring.com (David Ritz)
Date: Fri Jun 19 22:35:03 2009
Subject: [Scspamcop] Re: for the deputies i guess..

On Saturday, 20 June 2009 01:55 +0100,
in article ,
David Bolt wrote:

> On Fri, 19 Jun 2009, David Ritz wrote:-
>
>> So, the problem is not caused by feeding the spam messages through
>> SA twice; rather by a "strip X-Spam headers" configuration error at
>> cesmail.

> I wonder if a part of that problem is caused by the actual length of
> the header. AFAIK, header lines supposed to be a maximum of 998
> bytes. RFC 2822 section 2.2.3 suggests this, but does this also
> apply where a header is continued over several lines? My guess is
> that the 998 byte limit applies to total length of the unfolded
> header. If this is so, the X-Spam-Report: header in the last mangled
> example far exceeds it as it's a total of 1476 bytes, or 1505 bytes
> using CRLF EOL markers.

I think you're headed in the wrong direction. I believe that these are line
length limits, rather than unwrapped header length limits. Long header field
folding is specifically designed so that a header field may exceed the 998
byte line length limit.

cesmail is not recognizing the followed immediately by white space as being
part of the X-Spam-Report header. Instead, it is failing to strip these
lines and dumping them into the Received header written by
fetchmail.cesmail.net.

fetchmail.cesmail.net does not have any problems stripping the previous
multi-line X-Spam-Status header. Perhaps it's not happy with the asterisks
which follow the in the X-Spam-Report header.
Whatever the reason for the failure, it's taking place at
fetchmail.cesmail.net.

A few years ago, I ran into an article in the news-stream which was
cross-posted to a whopping 1362 newsgroups. It never appeared on any NNTP
server, but it did propagate via transit boxes. I added the line wrapping,
as the original, one line Newsgroups header was originally 43,708 characters
in length.

--
David Ritz
Be kind to animals; kiss a shark.

From dritz at mindspring.com Fri Jun 19 23:58:23 2009
From: dritz at mindspring.com (David Ritz)
Date: Sat Jun 20 00:00:03 2009
Subject: [Scspamcop] Re: bl.asnbl.org

On Friday, 19 June 2009 18:29 -0500,
in article ,
David Ritz wrote:

> On Friday, 19 June 2009 15:13 -0700,
> in article ,
> Tim McGraw wrote:
>> But asnbl.org whois shows the "tech contact" to be Kai Schlichting,
>> author/owner of spamshield.org.
<...>
> I did not think to ask Kai about the asnbl.org web-site.

Please pardon my brain-fart. Kai runs ASNBL.

--
David Ritz
"Nowadays to be intelligible is to be found out."
- Oscar Wilde (1854-1900)

From user at domain.invalid Sat Jun 20 12:48:44 2009
From: user at domain.invalid (Farelf)
Date: Sat Jun 20 12:50:03 2009
Subject: [Scspamcop] Re: for the deputies i guess..
David Ritz wrote:
>
> dritz:~/infected> unzip UPSFILE_NR79213100.zip
> Archive:  UPSFILE_NR79213100.zip
>   inflating: UPSFILE_NR79213100.exe

Thanks - it's getting the attachment from the text ('full file')
representation in the tracker I don't get. Not important (certainly not from
the POV of the thread).

>
> It seems that the AV vendors are (slowly) updating their databases.
>
> text submission:
> http://www.virustotal.com/analisis/7d0fdd6b2bc5a23892ba84cc730294a9e63e037404db0ab16fb3b0efce340277-1245450891
> File tmp received on 2009.06.19 22:34:51 (UTC)
> Current status: finished
> Result: 12/41 (29.27%)
>
> zipped file:
> http://www.virustotal.com/analisis/9955b1a7729c4be568ed8378d07029f7d5d2ec9032ed6727ed58e0e61ba5b866-1245450587
> File UPSFILE_NR79213100.zip received on 2009.06.19 22:29:47 (UTC)
> Current status: finished
> Result: 20/41 (48.78%)
>
> unzipped file:
> http://www.virustotal.com/analisis/698d5c5a24ace042a8f5c5b3f9522157fca2b03c2b47e02eaa33c0393ffd3fc3-1245448432
> File UPSFILE_NR79213100.exe received on 2009.06.19 21:53:52 (UTC)
> Current status: finished
> Result: 21/41 (51.22%)
>

Quite some difference - had thought the text version was 'comparable' in
detections, but obviously not.

Yes, they update - but much quicker through the virustotal (and similar)
services' sample sharing than through just their own labs and user
resources, which was the way it was before those services, I would have
thought. When I used to get a lot of virus emails (like that one) and submit
the files to virustotal they seemed to be almost always early in the
'detection cycle' (as few as only 4 detections at the time of receipt) but
the detection rate from the various AVs increased steadily over about a 48
hour period following receipt. A varying 'roster' of a small number of AVs
would 'never' detect any given sample.
I saw no single AV which could be relied upon for early/initial detection in
every case - that is, anyone silly/distracted enough to open attachments
would be infected quite quickly through that sort of attack, no matter what
AV they used. But I'm well off-topic.

From MikeE at ster.invalid Sat Jun 20 14:28:55 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Sat Jun 20 14:30:05 2009
Subject: [Scspamcop] Re: for the deputies i guess..

Farelf wrote:
> Thanks - it's getting the attachment from the text ('full file')
> representation in the tracker I don't get. Not important (certainly not
> from the POV of the thread).

Do you mean 'How do you do it?' get the .zip from the text -or- maybe you
meant something else.

When I do it, I do it 'manually' and turn off any kind of realtime AV that
will prevent my working with infected files. I access the tracker and copy
and paste the b64 into a text file and save it as filename.b64. I can do
that with or without retaining some lines of the delimiter that precedes the
actual b64 encoding. Then I use a b64 decoder such as IzArc or Iceows to
decode it into the .zip etc.

It can also be done with a newsreader with b64 decoding built in by saving
the mail at the tracker as an .eml or whatever is appropriate for your mua
and then opening the mail which decodes the b64 and shows the .zip as an
attachment. Naturally this should not be done with mua/s which are
configured insecurely for a virm which could be executed by rendering,
especially if your AV is turned off :-).

--
Mike Easter
kibitzer, not SC admin

From user at domain.invalid Sun Jun 21 03:11:48 2009
From: user at domain.invalid (Farelf)
Date: Sun Jun 21 03:15:03 2009
Subject: [Scspamcop] Re: for the deputies i guess..

Mike Easter wrote:
...
>
> Do you mean 'How do you do it?' get the .zip from the text
...

For context and method, see above.

Thanks Mike, that's exactly what I meant, noted.
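Returning to the X-Spam-Report stripping failure that Mike Easter and David Ritz diagnose earlier in this thread, here is an added example (not cesmail's, fetchmail's or SpamAssassin's code): a naive line-based X-Spam-* stripper beside a folding-aware one, run over a constructed message modelled on the SpamAssassin 3.2.5 headers quoted above. Hostnames and addresses are placeholders, and the Received: line is deliberately placed where a fetchmail stamp would sit, so the leftover continuation lines get absorbed into it exactly as described.

```python
"""X-Spam-* header stripping with and without RFC 2822 folding awareness
(added example; the message below is constructed, not from the thread)."""
from typing import Dict, List, Tuple

CRLF = "\r\n"

# Constructed sample: hostnames/addresses are placeholders (.invalid).
CONSTRUCTED_MESSAGE = CRLF.join([
    "Received: from mail.bcs.invalid by fetchmail.cesmail.invalid",
    "\twith POP3 (constructed); Fri, 19 Jun 2009 00:00:00 +0000",
    "X-Spam-Flag: YES",
    "X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on",
    "\tmail.bcs.invalid",
    "X-Spam-Level: *********",
    "X-Spam-Status: Yes, score=9.1 required=7.0 tests=BAYES_99,HTML_MESSAGE,",
    "\tRDNS_NONE autolearn=spam version=3.2.5",
    "X-Spam-Report: ",
    "\t*  3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%",
    "\t*      [score: 1.0000]",
    "\t*  0.0 HTML_MESSAGE BODY: HTML included in message",
    "\t*  5.6 RDNS_NONE Delivered to internal network by a host with no rDNS",
    "From: sender@example.invalid",
    "To: bill@bcs.invalid",
    "Subject: ***SPAM*** constructed sample",
    "",
    "constructed body",
])


def split_message(raw: str) -> Tuple[List[str], str]:
    """Physical header lines and the body, split at the first empty line."""
    head, _, body = raw.partition(CRLF + CRLF)
    return head.split(CRLF), body


def is_continuation(line: str) -> bool:
    """RFC 2822 section 2.2.3: a line starting with SP/HTAB continues the
    previous field."""
    return line[:1] in (" ", "\t")


def parse_fields(raw: str) -> List[Tuple[str, str]]:
    """Unfold headers as a compliant receiver does: continuation text is
    appended to the field before it."""
    fields: List[Tuple[str, str]] = []
    for line in split_message(raw)[0]:
        if is_continuation(line) and fields:
            name, value = fields[-1]
            fields[-1] = (name, (value + " " + line.strip()).strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields


def field_values(raw: str) -> Dict[str, str]:
    """Name -> unfolded value (first occurrence wins), for inspection."""
    out: Dict[str, str] = {}
    for name, value in parse_fields(raw):
        out.setdefault(name, value)
    return out


def strip_x_spam_naive(raw: str) -> str:
    """Drops a physical line only if it itself starts with X-Spam-; the
    folded continuation lines survive and attach to the preceding header.
    This models the cesmail behaviour diagnosed in the thread."""
    lines, body = split_message(raw)
    kept = [l for l in lines if not l.lower().startswith("x-spam-")]
    return CRLF.join(kept) + CRLF + CRLF + body


def strip_x_spam_folded(raw: str) -> str:
    """Remembers which field a continuation line belongs to and drops the
    whole folded field, so nothing is left to be smushed into Received:."""
    lines, body = split_message(raw)
    kept: List[str] = []
    dropping = False
    for line in lines:
        if not is_continuation(line):
            dropping = line.lower().startswith("x-spam-")
        if not dropping:
            kept.append(line)
    return CRLF.join(kept) + CRLF + CRLF + body


def longest_physical_line(raw: str) -> int:
    """The 998-octet limit applies per physical line; folding exists so an
    unfolded field may legitimately be longer than any single line."""
    return max(len(l) for l in split_message(raw)[0])


if __name__ == "__main__":
    print("naive Received:", field_values(strip_x_spam_naive(CONSTRUCTED_MESSAGE))["Received"])
    print("fixed Received:", field_values(strip_x_spam_folded(CONSTRUCTED_MESSAGE))["Received"])
```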
From bcs1 at spamcop.net Mon Jun 22 13:11:53 2009
From: bcs1 at spamcop.net (Bill)
Date: Mon Jun 22 13:15:04 2009
Subject: [Scspamcop] Re: for the deputies i guess..

Well, I just wanted to say this has certainly been an informative and useful
thread and I wanted to thank everyone who helped...

Bill

From MikeE at ster.invalid Mon Jun 22 13:37:44 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Jun 22 13:40:04 2009
Subject: [Scspamcop] Re: for the deputies i guess..

Bill wrote:
> Well, I just wanted to say this has certainly been an informative and
> useful thread and I wanted to thank everyone who helped...

We learned that the parser's SA line stripper is b0rken, I learned some
things about how SA stamps its lines, I/we found out about another
blocklist, and we saw (yet) another example of a trojan propagation which
was unrecognized by all of the most popular AV agents and almost all of the
less popular ones.

That last one should be a lesson to us about not counting on AV agents to
protect us if we handle things insecurely or recklessly.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Mon Jun 22 13:44:25 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Jun 22 13:45:02 2009
Subject: [Scspamcop] Re: for the deputies i guess..

Mike Easter wrote:
> We learned that the parser's SA line stripper is b0rken,

.. actually before the parser, the cesmail MTA.

--
Mike Easter
kibitzer, not SC admin

From user at domain.invalid Tue Jun 23 11:12:47 2009
From: user at domain.invalid (Farelf)
Date: Tue Jun 23 11:15:12 2009
Subject: [Scspamcop] Possible closure of SORBS

Picked up from Arne Saknussemm's post in g.spam - news.grc.com

http://www.au.sorbs.net/
"It comes with great sadness that I have to announce the imminent closure
of SORBS. The University of Queensland have decided not to honor their
agreement with myself and SORBS and terminate the hosting contract. ..."
Not taken lightly at
http://www.dnsbl.com/2009/06/sorbs-status-shutting-down-or-for-sale.html
"My recommendation at this time is to cease using the various SORBS DNSBLs
until and unless stable hosting is obtained by the list operator. ..."

With some further comments and qualifications.

From MikeE at ster.invalid Tue Jun 23 11:50:10 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Jun 23 11:50:11 2009
Subject: [Scspamcop] Re: Possible closure of SORBS

Farelf wrote:
> "My recommendation at this time is to cease using the various SORBS
> DNSBLs until and unless stable hosting is obtained by the list operator.
> ..."
>
> With some further comments and qualifications.

Well, that's Al Iverson, who has rec'd against SORBS... "I've strongly
recommended against using SORBS in the past, due to what I believe to be
significant false positive issues."

He also advises against using bl/s which have a potential for being 'shaky'
such as if they are heading toward being shut down
http://snipr.com/kq0n2 Monday, October 06, 2008 - Shutting Down Blacklists

Sooo... considering that he is against using sorbs anyway and he is against
using 'dying' bl/s, he would be 'aggressive' in his rec/s about sorbs.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Tue Jun 23 15:17:59 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Jun 23 15:20:03 2009
Subject: [Scspamcop] Re: Possible closure of SORBS

Farelf wrote:
> "It comes with great sadness that I have to announce the imminent
> closure of SORBS.

Matt (Matthew) Sullivan is (actually/now/currently?) -- [or has always
been] Michelle?

Michelle Sullivan
(Previously known as Matthew Sullivan)

I also found a very harshly negative anti-sorbs page with a link to a pic in
a M.Sullivan profile.
For the time being I will assume that Michelle has always been Michelle female who chose to have an online male Matt persona (because) in what has traditionally been (or has seemed to have been) a man's world, but isn't really now so much, or rather perhaps now the perception is coming closer to the reality; IT credentials are gender neutral.

-- 
Mike Easter
kibitzer, not SC admin

From blacklist-me at davjam.org Tue Jun 23 16:20:06 2009
From: blacklist-me at davjam.org (David Bolt)
Date: Tue Jun 23 16:55:03 2009
Subject: [Scspamcop] Re: Possible closure of SORBS
Message-ID: <5gkcjZU2jTQKFwG1@dev.null.davjam.org>

On Tue, 23 Jun 2009, Mike Easter wrote:-

> For the time being I will assume that Michelle has always been Michelle
> female who chose to have an online male Matt persona (because) in what
> has traditionally been (or has seemed to have been) a man's world, but
> isn't really now so much, or rather perhaps now the perception is coming
> closer to the reality;

From what's been posted on Spam-L, it appears that Michelle was the male Matthew and has most likely had the gender reassignment surgery to become Michelle, a female.

> IT credentials are gender neutral.

While that's a nice theory, and should be the same in reality, it is unfortunate that reality doesn't always seem to match the theory.

Regards,
David Bolt

-- 
Team Acorn: http://www.distributed.net/ OGR-NG @ ~100Mnodes RC5-72 @ ~1Mkeys/s
openSUSE 10.3 32b | openSUSE 11.0 32b | | openSUSE 10.3 64b | openSUSE 11.0 64b | openSUSE 11.1 64b | RISC OS 3.6 | RISC OS 3.11 | openSUSE 11.1 PPC | TOS 4.02

From nobody at devnull.spamcop.net Tue Jun 23 17:47:20 2009
From: nobody at devnull.spamcop.net (Twayne)
Date: Tue Jun 23 17:50:03 2009
Subject: [Scspamcop] Re: for the deputies i guess..
"Mike Easter" wrote in message news:h1ofh6$lpl$1@news.spamcop.net
> Bill wrote:
>> Well, I just wanted to say this has certainly been an informative and
>> useful thread and I wanted to thank everyone who helped...
>
> We learned that the parser's SA line stripper is b0rken, I learned
> some things about how SA stamps its lines, I/we found out about
> another blocklist, and we saw (yet) another example of a trojan
> propagation which was unrecognized by all of the most popular AV
> agents and almost all of the less popular ones.
>
> That last one should be a lesson to us about not counting on AV
> agents to protect us if we handle things insecurely or recklessly.

AMEN to that!! It's amazing how many people I keep coming across that figure because they have a firewall and something-AV that they're protected from all "bad" things everywhere forever. Education just isn't happening. And I still don't understand SA!

Twayne

From nobody at devnull.spamcop.net Tue Jun 23 17:53:56 2009
From: nobody at devnull.spamcop.net (Twayne)
Date: Tue Jun 23 17:55:03 2009
Subject: [Scspamcop] Just curious

Am I the only one seeing gobs and gobs of .cn and cn.net? Every spam for over a week now has included .cn somewhere in its url. Maybe Verizon/Yahoo has tweaked their spam filters again, lol.
No, I'm not using blocklists at the moment; might have to start again though. Probably Spam Assassin or Mailwasher just for its blocklists part.

Like I said, just curious whether it's the lists I'm on or if it's widespread. Not much I can do about it.

Twayne

From user at domain.invalid Tue Jun 23 22:07:19 2009
From: user at domain.invalid (Farelf)
Date: Tue Jun 23 22:10:03 2009
Subject: [Scspamcop] Re: Possible closure of SORBS

Mike Easter wrote:
...
>
> Matt (Matthew) Sullivan is (actually/now/currently?) -- [or has always
> been] Michelle?
>
>
> Michelle Sullivan
> (Previously known as Matthew Sullivan)
>
...
No, I think an actual gender change (an odd mixture of private and personal, to be expected when an existing public/visible persona is involved in such a thing). Whatever - more courage/conviction than I can readily imagine.

SORBS has long drawn vehement criticism, much of it personal as Matthew, then Michelle has long been in the habit of making robust, if incomplete defences of the SORBS policies. Incomplete because much of the criticism seems to be based on lack of comprehension that there are different lists with different policies and, in the affrays I have seen, things generally devolve to the flame stage before that is sorted out/compartmentalised. But we know list operators do not aim to be loved for their products by the general (even if vociferous) public.

Iverson's criticisms are another matter - he is more qualified to make them than am I to question them (but I would not be inclined to let that stop me if I was in the mood).

From nobody at devnull.spamcop.net Tue Jun 23 23:20:32 2009
From: nobody at devnull.spamcop.net (Patto)
Date: Tue Jun 23 23:25:04 2009
Subject: [Scspamcop] Re: Just curious

~90% of my spam for the last half year contained .cn domains (never seen cn.net). They register several thousand new domains every week, as these are usually quickly shut down. In fact, I rarely see a live one.

Twayne wrote:
> Am I the only one seeing gobs and gobs of .cn and cn.net? Every spam for
> over a week now has included .cn somewhere in its url. Maybe
> Verizon/Yahoo has tweaked their spam filters again, lol.
> No, I'm not using blocklists at the moment; might have to start again
> though. Probably Spam Assassin or Mailwasher just for its blocklists
> part.
>
> Like I said, just curious whether it's the lists I'm on or if it's
> widespread. Not much I can do about it.
>
> Twayne

From user at domain.invalid Wed Jun 24 00:23:17 2009
From: user at domain.invalid (Farelf)
Date: Wed Jun 24 00:25:03 2009
Subject: [Scspamcop] Re: Possible closure of SORBS

Farelf wrote:
> No, I think an actual gender change (an odd mixture of private and
> personal, to be expected when an existing public/visible persona is
> involved in such a thing). Whatever - more courage/conviction than I
> can readily imagine.
> ...

Ah yes, I /knew/ I had seen it somewhere -
http://people.sorbs.net/michelle/

From V at nguard.LH Wed Jun 24 02:41:15 2009
From: V at nguard.LH (VanguardLH)
Date: Wed Jun 24 02:45:04 2009
Subject: [Scspamcop] Re: Possible closure of SORBS

Farelf wrote:
> Picked up from Arne Saknussemm's post in g.spam - news.grc.com
>
> http://www.au.sorbs.net/
>
> "It comes with great sadness that I have to announce the imminent
> closure of SORBS. The University of Queensland have decided not to honor
> their agreement with myself and SORBS and terminate the hosting
> contract. ..."
>
> Not taken lightly at
> http://www.dnsbl.com/2009/06/sorbs-status-shutting-down-or-for-sale.html
>
> "My recommendation at this time is to cease using the various SORBS
> DNSBLs until and unless stable hosting is obtained by the list operator.
> ..."
>
> With some further comments and qualifications.

You actually *use* SORBS? I found some of their records to be nearly 4 months old and with no subsequent incidents to re-energize that record. They even admitted that they occasionally (but wouldn't mention the time interval other than indicating a couple months) would have to do a manual purge to remove old stale records. These weren't old because they kept getting reenergized by new reports. They were completely stale for that time (no new incidents).

SORBS is the one requiring a ransom to get delisted.
That they charged anything, even to a charity (which was still out-of-pocket money to the listed site), sure seemed underhanded and punitive (perhaps without cause). From Googling around, their ransom explanation was:

  SORBS does not like requiring a fine, however it has proved necessary in driving the message home, that you the users are responsible for what you and your machines do on the Internet. This particularly applies when your machine is infected with a virus or trojan, getting infected with a virus or trojan can enable your computer to be used in an illegal attack on other computers and networks. Many of you will complain indicating you didn't know, however if you pass a Police speed camera at more than the speed limit, try explaining to them that "you didn't know what the limit was", you will get the same response from SORBS.

  Think it's outrageous? Well we the administrators of the internet find it outrageous that 15 year old children can hold Banking institutions and major companies to ransom by using 1000's of infected machines from around the world to flood networks, just because they feel like it. We also think it is outrageous that known people are able to use infected machines to defeat controls put in place specifically to stop spam, to fill our email boxes with so much rubbish that our servers become useless for what we need them for. Even more outrageous is that they can drive around in luxury cars, maybe own a yacht, and live in exclusive multi-million dollar houses by stealing the use of these machines.

  Putting an unpatched, unfirewalled Microsoft Windows machine on the Internet is irresponsible in the highest degree, installing a proxy server and leaving it open for the world to use is both foolish and irresponsible, yet people are doing these things every day, and no one is telling them they can't or that it is wrong.
  The 'fine' is US $50.00 and is designed to be small enough so that the home user will think twice about getting listed a second time, and small enough to be a 'right royal pain in the butt' to any large company. The idea being, that whether you are a multi-national company or a single home user, you will think twice about getting relisted for any reason.

I thought SORBS had dropped the ransom due to bad publicity but they're still at it. From http://www.au.sorbs.net/overview.shtml:

  The affected IPs (the ones used to send the spam) will only be delisted when a donation is made to an acceptable charity or good cause, or when sufficient time has passed, or when SORBS determines that the netblock has been returned to the RIR; see the Spam Database FAQ for details. The charities and good causes SORBS approves will not have any connection with any SORBS administrator either past or present.

If they're dying, good riddance (says they're closing on their own web site: www.au.sorbs.net). Yay! Stale records. Having to manually purge the old stale records. Slow to remove records. And then (and still now) extorting a ransom for delisting. If delisting were applicable then don't do it. If delisting is applicable then do it but don't extort a ransom. Remember that SORBS is a blacklister that endorsed SPEWS and its scheme for rating the spamminess of domains rather than targeting the actual spam sources. I don't like spam but I won't agree with their attempted kidnapping which it became once they charged a ransom. They are an extorting blot on the anti-spam community. Perhaps it is their dirty and lazy practices which the university decided was not a fit with the morals of a university-sponsored enterprise. It would be very interesting to see just what reasons Queensland U. gave to SORBS for discontinuing their free webhosting services. It's guaranteed that SORBS won't print the reasons given for the termination.
'Tis interesting that SORBS says Queensland didn't "honor" their agreement when, in fact, SORBS is trying to get hosting services for free so they get whatever the webhoster wants to give them. That's like saying Microsoft didn't "honor" their agreement to give you free e-mail service. The university decided to no longer provide free webhosting services but, of course, SORBS wants to paint themselves as the victim.

Hmm, SORBS has been around how long? 2003, isn't it when it went public? Guess Michelle aka Matthew finally graduated or got the boot from Queensland University and no longer gets to use their IT Dept's resources. I doubt we'll ever see the real reasons given by the university for termination of their free webhosting services to SORBS.

No, I never got burned by SORBS. I don't run mail servers and don't even bulk mail. I stopped using their blacklist after finding out how inaccurate were many of their records, especially in how stale they were. Just too many false positives. When they devolved into extortionists, I definitely wouldn't use them thereafter. To be punitive to spammers, even the uneducated or slow-to-respond sources, means you keep them listed for longer or the delisting won't happen until, say, 2 weeks after it was requested (if automatic delisting doesn't happen sooner). You don't get to extort money from them even for some worthy cause whom you decide is worthy.

From g.hyde at bigNOSPAMpond.net.au Wed Jun 24 03:54:18 2009
From: g.hyde at bigNOSPAMpond.net.au (Geoffrey Hyde)
Date: Wed Jun 24 03:55:03 2009
Subject: [Scspamcop] "Sorry, failed to get reportid from database, will not send." errors.

I just tried to report a spam item, and it gave me the message in the subject line, repeated here for M.E.:

  Sorry, failed to get reportid from database, will not send.

Why should this prevent SpamCop from reporting a spamitem?
All I can hope for now is that the submitted and apparently unreported spam (which it isn't actually, because I DID click the 'submit' button to report the spamitem) is left on my reporting account to rot.

Cheers ...

Geoffrey Hyde

From not at available.com Wed Jun 24 03:55:55 2009
From: not at available.com (Leon Mayne)
Date: Wed Jun 24 04:05:02 2009
Subject: [Scspamcop] Re: "Sorry, failed to get reportid from database, will not send." errors.

"Geoffrey Hyde" wrote in message news:h1sm3r$qio$1@news.spamcop.net...
> I just tried to report a spam item, and it gave me the message in the
> subject line, repeated here for M.E.:
>
> Sorry, failed to get reportid from database, will not send.
>
> Why should this prevent SpamCop from reporting a spamitem? All I can hope
> for now is that the submitted and apparently unreported spam (which it
> isn't actually, because I DID click the 'submit' button to report the
> spamitem) is left on my reporting account to rot.

Yup, me too:

  Sorry, failed to get reportid from database, will not send.

From not at available.com Wed Jun 24 04:09:28 2009
From: not at available.com (Leon Mayne)
Date: Wed Jun 24 04:15:03 2009
Subject: [Scspamcop] Re: Just curious

"Twayne" wrote in message news:h1ritd$2sk$1@news.spamcop.net...
> Am I the only one seeing gobs and gobs of .cn and cn.net? Every spam for
> over a week now has included .cn somewhere in its url. Maybe
> Verizon/Yahoo has tweaked their spam filters again, lol.
> No, I'm not using blocklists at the moment; might have to start again
> though. Probably Spam Assassin or Mailwasher just for its blocklists
> part.

I ended up just dumping emails with a .cn tld into my spambox.
No false positives thus far, but considering I don't buy anything from Chinese websites it's hardly surprising.

From user at domain.invalid Wed Jun 24 06:47:33 2009
From: user at domain.invalid (Farelf)
Date: Wed Jun 24 06:50:06 2009
Subject: [Scspamcop] Re: Possible closure of SORBS

VanguardLH wrote:
> Farelf wrote:
> ...as above
>
> You actually *use* SORBS?

Not me, no, but the parser apparently does.

...as above
>
> I thought SORBS had dropped the ransom due to bad publicity but they're
> still at it. From http://www.au.sorbs.net/overview.shtml:
> ...as above

Well, I've delisted a server without paying ransom (not my server actually but the owner was in a bit of a catch-22 since the list he was on was denying him access to the delisting tools). Bad me - could get me banned there. Maybe the ransom thing was on another of their lists, don't know, don't care.

That link serves the following 404 or whatever from their server whose name, I suspect, is Marvin:

  "File Not Found: /overview.shtml: The reqtested documenent is totally fake. /overview.shtml: Not found here. Even tried multi. Nothing helped. Nothing will help. I'm really depressed about this. You see, I'm just a web server... ... here I am, brain the size of the universe,_ trying to serve you a simple web page, and then it doesn't even exist! Where does that leave me? I mean, don't even know you. How should I know what you war.ted from me? You honestly think I can. *guess*...? what someone I don't even *know* wants to find here? "

And much, much more in similar vein.

From user at domain.invalid Wed Jun 24 07:15:59 2009
From: user at domain.invalid (Farelf)
Date: Wed Jun 24 07:20:02 2009
Subject: [Scspamcop] Re: "Sorry, failed to get reportid from database, will not send." errors.
Geoffrey Hyde wrote:
> I just tried to report a spam item, and it gave me the message in the
> subject line, repeated here for M.E.:
>
> Sorry, failed to get reportid from database, will not send.
>
> Why should this prevent SpamCop from reporting a spamitem? All I can hope
> for now is that the submitted and apparently unreported spam (which it isn't
> actually, because I DID click the 'submit' button to report the spamitem) is
> left on my reporting account to rot.
>
> Cheers ...
>
> Geoffrey Hyde

Ellen has raised a ticket, hopefully this will be resolved real soon:
http://forum.spamcop.net/forums/index.php?s=&showtopic=10454&view=findpost&p=71941

From user at domain.invalid Wed Jun 24 07:57:23 2009
From: user at domain.invalid (Farelf)
Date: Wed Jun 24 08:00:04 2009
Subject: [Scspamcop] Re: Possible closure of SORBS

Farelf wrote:
> VanguardLH wrote:
>> I thought SORBS had dropped the ransom due to bad publicity but they're
>> still at it. From http://www.au.sorbs.net/overview.shtml:
> That link serves the following 404 or whatever
> from their server whose name, I suspect, is Marvin:

Ah, that was the colon at the end doing the damage - link is
http://www.au.sorbs.net/overview.shtml

"References to the SORBS fine are ONLY meant in the context of the database of spam received by SORBS spamtraps or administrators."

Now some people read that without reading it... They assume it applies to all the dnsbl.sorbs.net blocklists/zones. Which would be a, er, *BS* assumption. There are many zones, of greater and lesser utility to any given application. But there are very many netizens, more than prepared to fulminate mightily on the basis of their misconceptions, secondhand "knowledge", pack attack fighting frenzy and general irascibility.
Unlike me

From dritz at mindspring.com Wed Jun 24 09:31:20 2009
From: dritz at mindspring.com (David Ritz)
Date: Wed Jun 24 09:35:04 2009
Subject: [Scspamcop] Re: Just curious

On Tuesday, 23 June 2009 17:53 -0400, in article , Twayne wrote:

> Am I the only one seeing gobs and gobs of .cn and cn.net? Every spam
> for over a week now has included .cn somewhere in its url. Maybe
> Verizon/Yahoo has tweaked their spam filters again, lol.

I've seen plenty of .cn URIs, and even the occasional .net.cn URI, but I cannot recall ever seeing any .cn.net URIs in spam. (No, seeing as an e-mail address for reporting spam in a SC analysis doesn't qualify.) The vast bulk of these point to what Spamhaus identifies as the "Canadian Pharmacy" spam operation.

> No, I'm not using blocklists at the moment; might have to start
> again though. Probably Spam Assassin or Mailwasher just for its
> blocklists part.

Blocklists can be helpful, although SA does far more than DNSBL lookups.

Notice that this boils down to only three sets of destination IP addresses.
Even redirects point to the same junk -- in this case, on the same IP.

  dritz:~> wget -t1 \*.dhigulor.cn ; date
  --2009-06-23 22:02:07-- http://*.dhigulor.cn/
  Resolving *.dhigulor.cn... 112.137.162.136
  Connecting to *.dhigulor.cn|112.137.162.136|:80... connected.
  HTTP request sent, awaiting response... 302 Moved Temporarily
  Location: http://www.vip-pharms.com/ [following]
  --2009-06-23 22:02:08-- http://www.vip-pharms.com/
  Resolving www.vip-pharms.com... 112.137.162.136
  Reusing existing connection to *.dhigulor.cn:80.
  HTTP request sent, awaiting response... No data received.
  Giving up.
  Wed Jun 24 03:02:09 UTC 2009

> Like I said, just curious whether it's the lists I'm on or if it's
> widespread. Not much I can do about it.

In a recent discussion elsewhere, it was suggested that dropping anything with a "\.cn" appearing in the headers or body could be considered lossless data compression. I'm certain this would not work in every situation. For most users outside of CN, it seems quite reasonable. Do note, however, that the Canadian Pharmacy URIs are not limited to the .cn TLD. There are plenty of .com URIs pointing at the same destinations. Unfortunately, SC will only report the first IP it resolves, for URIs with multiple hosts. Making matters worse, some of the spammers' DNS is quite effective at blocking SC queries.
For example, I can tell that SC will be unable to resolve the following URIs, without bothering to run them through the SC engine:

  http://iadpirue.cn
  http://ixvyvrue.cn
  http://izrsztue.cn

I know this from experience, which suggests that no URI which points to [220.248.167.110] and [220.248.184.7] will be resolved by SC.

-- 
David Ritz
Be kind to animals; kiss a shark.

From rob at sput.nl Wed Jun 24 09:58:55 2009
From: rob at sput.nl (Rob van der Putten)
Date: Wed Jun 24 10:00:02 2009
Subject: [Scspamcop] Re: Possible closure of SORBS

Hi there

Farelf wrote:
> Picked up from Arne Saknussemm's post in g.spam - news.grc.com
>
> http://www.au.sorbs.net/
>
> "It comes with great sadness that I have to announce the imminent
> closure of SORBS. The University of Queensland have decided not to honor
> their agreement with myself and SORBS and terminate the hosting
> contract. ..."
>
> Not taken lightly at
> http://www.dnsbl.com/2009/06/sorbs-status-shutting-down-or-for-sale.html
>
> "My recommendation at this time is to cease using the various SORBS
> DNSBLs until and unless stable hosting is obtained by the list operator.
> ..."
>
> With some further comments and qualifications.

In my experience, SORBS lists static IP addresses as dynamic. So I didn't use them anyway.

Regards,
Rob

From nobody at devnull.spamcop.net Wed Jun 24 11:52:03 2009
From: nobody at devnull.spamcop.net (Twayne)
Date: Wed Jun 24 11:55:03 2009
Subject: [Scspamcop] Re: Just curious

Thanks, David, that was a pretty good rundown!
I've been a faithful "spam reporter" for years but the stuff just doesn't sink in enough to call myself an actual fighter. I pulled your post over into my Inbox so I can play with some of that info later; thanks again.

Twayne

From user at domain.invalid Wed Jun 24 12:45:12 2009
From: user at domain.invalid (Farelf)
Date: Wed Jun 24 12:45:03 2009
Subject: [Scspamcop] Re: Possible closure of SORBS

Rob van der Putten wrote:
> Hi there
>
> In my experience, SORBS lists static IP addresses as dynamic. So I didn't
> use them anyway.
>

Yep, it was just some such craziness that had me help out a server admin as I mentioned in an earlier post. There were pros and cons of course but at the end of the day a couple of static addresses had been deemed dynamic until some TTL figures were changed.

From MikeE at ster.invalid Wed Jun 24 12:50:26 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Jun 24 12:55:02 2009
Subject: [Scspamcop] Re: Possible closure of SORBS

Farelf wrote:
>> No, I think an actual gender change (an odd mixture of private and
>> personal, to be expected when an existing public/visible persona is
>> involved in such a thing). Whatever - more courage/conviction than I
>> can readily imagine.
>>
> ...
>
> Ah yes, I /knew/ I had seen it somewhere -
> http://people.sorbs.net/michelle/

There's certainly a lot in there. And on top of everything else, now Ally has left. For those who haven't been delving into this complicated story, Ally is the woman who married Matt the man almost 10 years ago, and who it appears to me the Matt/Michelle persona is most devoted to and dependent upon.

I certainly hope there is a competent shrink involved in this transition/evolution. I can see this confused person becoming suicidal whether it comes out in the blog or not.
I think he should have stuck to being a crossdresser, but of course that wouldn't get it for a true transgender person and Michelle certainly had no use for the drag queens at the ball.

I'm 'bemused' at how intolerant many non-heterosexuals are of some other identity; homosexuals vs bisexuals, transgenders vs crossdressers and so forth.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Wed Jun 24 13:03:22 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Jun 24 13:05:03 2009
Subject: [Scspamcop] Re: Possible closure of SORBS
References:
Message-ID:

Farelf wrote:
> Rob van der Putten wrote:
>> In my experience, SORBS lists static IP addresses as dynamic. So I didn't use them anyway.
>>
>
> Yep, it was just some such craziness that had me help out a server admin as I mentioned in an earlier post. There were pros and cons of course but at the end of the day a couple of static addresses had been deemed dynamic until some TTL figures were changed.

There have definitely been some vigorous arguments in nanae about why some blocks get called dynamic. Those who list blocks as dynamic by a 'formula' and insist that if you don't want your block/s to be called dynamic then you should play by formulary rules certainly upset some people.

To my understanding, there is only a ransom/fine for spam related listings, not for delisting some other listings, but such other listings may not get delisted in a timely manner. Or at all.

--
Mike Easter
kibitzer, not SC admin

From nobody at nowhere.not Wed Jun 24 13:27:02 2009
From: nobody at nowhere.not (Robert Blair)
Date: Wed Jun 24 13:30:05 2009
Subject: [Scspamcop] Re: Possible closure of SORBS
References:
Message-ID:

On Wed, 24 Jun 2009 13:58:55 UTC, Rob van der Putten wrote:
> In my experience, SORBS lists static IP addresses as dynamic. So I didn't use them anyway.

My old ISP listed home user static IPs as dynamic. I know because I had a static IP and it was listed as dynamic.
I had no problem with that because I always relayed my email through their email server.

--
Robert Blair

From bcs1 at spamcop.net Wed Jun 24 13:30:16 2009
From: bcs1 at spamcop.net (Bill)
Date: Wed Jun 24 13:35:06 2009
Subject: [Scspamcop] Re: for the deputies i guess..
References:
Message-ID:

"Twayne" wrote in message news:h1rih1$1jg$1@news.spamcop.net...
> "Mike Easter" wrote in message news:h1ofh6$lpl$1@news.spamcop.net
>> Bill wrote:
>>> Well, I just wanted to say this has certainly been an informative and useful thread and I wanted to thank everyone who helped...
>>
>> We learned that the parser's SA line stripper is b0rken, I learned some things about how SA stamps its lines, I/we found out about another blocklist, and we saw (yet) another example of a trojan propagation which was unrecognized by all of the most popular AV agents and almost all of the less popular ones.
>>
>> That last one should be a lesson to us about not counting on AV agents to protect us if we handle things insecurely or recklessly.
>
> AMEN to that!! It's amazing how many people I keep coming across that figure because they have a firewall and something-AV that they're protected from all "bad" things everywhere forever. Education just isn't happening. And I still don't understand SA!
>
> Twayne
>

> And I still don't understand SA!

HAHA, you're not alone my friend LOL

From bcs1 at spamcop.net Wed Jun 24 13:31:10 2009
From: bcs1 at spamcop.net (Bill)
Date: Wed Jun 24 13:35:06 2009
Subject: [Scspamcop] Re: for the deputies i guess..
References:
Message-ID:

"Mike Easter" wrote in message news:h1ofh6$lpl$1@news.spamcop.net...
> Bill wrote:
>> Well, I just wanted to say this has certainly been an informative and useful thread and I wanted to thank everyone who helped...
>
> We learned that the parser's SA line stripper is b0rken, I learned some things about how SA stamps its lines, I/we found out about another blocklist, and we saw (yet) another example of a trojan propagation which was unrecognized by all of the most popular AV agents and almost all of the less popular ones.
>
> That last one should be a lesson to us about not counting on AV agents to protect us if we handle things insecurely or recklessly.
>
>
> --
> Mike Easter
> kibitzer, not SC admin
>

agreed...

From V at nguard.LH Wed Jun 24 20:21:32 2009
From: V at nguard.LH (VanguardLH)
Date: Wed Jun 24 20:25:03 2009
Subject: [Scspamcop] Re: Possible closure of SORBS
References:
Message-ID:

Farelf wrote:
> Farelf wrote:
>> VanguardLH wrote:
>
>>> I thought SORBS had dropped the ransom due to bad publicity but they're still at it. From http://www.au.sorbs.net/overview.shtml:
>
>> That link serves the following 404 or whatever from their server whose name, I suspect, is Marvin:
>>
>
> Ah, that was the colon at the end doing the damage - link is
>
> http://www.au.sorbs.net/overview.shtml
>
> "References to the SORBS fine are ONLY meant in the context of the database of spam received by SORBS spamtraps or administrators."
>
> Now some people read that without reading it... They assume it applies to all the dnsbl.sorbs.net blocklists/zones. Which would be a, er, *BS* assumption. There are many zones, of greater and lesser utility to any given application. But there are very many netizens, more than prepared to fulminate mightily on the basis of their misconceptions, secondhand "knowledge", pack attack fighting frenzy and general irascibility. Unlike me

The spam database is where the complainants wanted to get delisted. From what I read, the fine was only applied if there were a block of IP addresses involved, not for a single IP address. I don't run mail servers so I also don't run a farm of them which might constitute a block of IP addresses.
The act of fining for ANY delisting from ANY blacklist is detestable. That's not how you punish spammers. That's not how you treat the industry. I stick with my applause that SORBS is going dead (and will be disappointed if another university is more lenient than Queensland and lets SORBS use their free webhosting services).

From MikeE at ster.invalid Wed Jun 24 20:36:22 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Jun 24 20:40:02 2009
Subject: [Scspamcop] Re: Possible closure of SORBS
References:
Message-ID:

VanguardLH wrote:
> I stick with my applause that SORBS is going dead (and will be disappointed if another university is more lenient than Queensland and lets SORBS use their free webhosting services).

I'm pretty amazed at the traffic on the sorbs nameservers. 30 billion DNS queries a day sounds like some sorbs list is useful to someone, or rather quite a few someones.

I don't know how they are using which lists for scoring or whatever, but the usage if correctly stated and understood makes it sound that it has value.

A list doesn't have value or significance or importance unless people are using it; but if they are, then it carries some weight. Of course, that also makes any problems with a list more problematic.

--
Mike Easter
kibitzer, not SC admin

From V at nguard.LH Wed Jun 24 21:22:51 2009
From: V at nguard.LH (VanguardLH)
Date: Wed Jun 24 21:25:03 2009
Subject: [Scspamcop] Re: Possible closure of SORBS
References:
Message-ID:

Mike Easter wrote:
> VanguardLH wrote:
>
>> I stick with my applause that SORBS is going dead (and will be disappointed if another university is more lenient than Queensland and lets SORBS use their free webhosting services).
>
> I'm pretty amazed at the traffic on the sorbs nameservers. 30 billion DNS queries a day sounds like some sorbs list is useful to someone, or rather quite a few someones.
>
> I don't know how they are using which lists for scoring or whatever, but the usage if correctly stated and understood makes it sound that it has value.
>
> A list doesn't have value or significance or importance unless people are using it; but if they are, then it carries some weight. Of course, that also makes any problems with a list more problematic.

And there were web pages once set up that when you visited them (not by clicking anywhere but just by visiting them) they would send e-mails to every abuse address they listed. This was a vain attempt to deluge the abuse desks because someone got pissed at getting some spam. In effect, it was trying to DOS the abuse desks. The promoter went around trying to spew the URL into newsgroups and forums or anywhere else he could, sometimes hiding what was the intent of his URL and sometimes not. Lots of folks jumped on the bandwagon to abet in the DOS attack. That lots of users wanted to employ such vigilante tactics didn't make them helpful or useful to the anti-spam effort.

How many boobs are using the challenge-response scheme to toss their spam turds into someone else's yard? Does them finding value in C-R obviate that it is an irresponsible anti-spam scheme?

30 billion DNS queries per day means over 347 thousand of them per second. No wonder Queensland U. wanted to get rid of SORBS. It sure seems like abusive use of their free webhosting services. I doubt the U would ever have tolerated that level of stress on their DNS server so it is highly suspect that SORBS inflated their value yet again. I suppose the U could've used a load-balanced farm of DNS servers but 30 billion queries per day still sounds high for a college environment.
From user at domain.invalid Wed Jun 24 22:31:20 2009
From: user at domain.invalid (Farelf)
Date: Wed Jun 24 22:35:03 2009
Subject: [Scspamcop] Re: Possible closure of SORBS
In-Reply-To:
References:
Message-ID:

Mike Easter wrote:
> Farelf wrote:
>> Rob van der Putten wrote:
>
>>> In my experience, SORBS lists static IP addresses as dynamic. So I didn't use them anyway.
>>>
>> Yep, it was just some such craziness that had me help out a server admin as I mentioned in an earlier post. There were pros and cons of course but at the end of the day a couple of static addresses had been deemed dynamic until some TTL figures were changed.
>
> There have definitely been some vigorous arguments in nanae about why some blocks get called dynamic. Those who list blocks as dynamic by a 'formula' and insist that if you don't want your block/s to be called dynamic then you should play by formulary rules certainly upset some people.
>
> To my understanding, there is only a ransom/fine for spam related listings, not for delisting some other listings, but such other listings may not get delisted in a timely manner. Or at all.
>
>

Yes, I think you have put your finger on it Mike - it was when actually static addresses, used that way, didn't conform to the formulae and some 'server naming conventions' (also controversial) and were listed (sometimes in large blocks and suddenly after years of uncontested operation), regardless of other 'evidence', and then list users would block those IPs against significant mail traffic ... that caused much chagrin. An unlikely chain of events if SORBS did not have a certain strength of following/use.

The other side of the coin is Robert Blair's parallel post where actual dynamically-allocated IPs were listed/called by the owner 'static' (which might have some revenue or marketing value).
And those IP addresses may or may not have been listed on one of the SORBS lists appropriately but, even if listed, typically would cause a user like Robert absolutely no problem (even if permanently listed) because he only used those addresses properly as dynamic addresses. It is easy to see where SORBS might be coming from if they listed such and if some other lists of dynamic addresses did not list them.

From user at domain.invalid Thu Jun 25 00:07:54 2009
From: user at domain.invalid (Farelf)
Date: Thu Jun 25 00:10:04 2009
Subject: [Scspamcop] Re: "Sorry, failed to get reportid from database, will not send." errors.
In-Reply-To:
References:
Message-ID:

Geoffrey Hyde wrote:
> I just tried to report a spam item, and it gave me the message in the subject line, repeated here for M.E.:
>
> Sorry, failed to get reportid from database, will not send.
>
> Why should this prevent SpamCop from reporting a spamitem? All I can hope for now is that the submitted and apparently unreported spam (which it isn't actually, because I DID click the 'submit' button to report the spamitem) is left on my reporting account to rot.
>
>
> Cheers ...
>
> Geoffrey Hyde
>
>

It appears we're back in business. Processing status again showing/indicated at http://www.spamcop.net/spamgraph.shtml?spamstats [Reminder, when this .spamcop.net page is unavailable the independent one(s) at .forum.spamcop.net can be checked in the event of purely local/user effects.]

Ellen posted in the forums that the system is out of maintenance mode/backlog processing. She earlier posted in:
http://forum.spamcop.net/forums/index.php?s=&showtopic=10461&view=findpost&p=71979

"...Regarding any spams that you may have submitted prior to the system going into maintenance mode -- if you submitted by email and have the return email with the links go ahead and try the links.
However remember that any spams that you received today during the day will be stale by tomorrow so I would just delete them and not worry about it. It is more important to submit the new spams than the older ones .... This will be my last update for today. After the system comes up if you notice any major problems please write to deputies admin.spamcop.net with as much information as possible -- the tracking url if there is one, what exactly you were doing, how you submitted the spam, a small copy/paste snippet of the error message from the website (if there is one) etc. And many thanks for your patience during this long outage!"

From user at domain.invalid Thu Jun 25 00:12:02 2009
From: user at domain.invalid (Farelf)
Date: Thu Jun 25 00:15:03 2009
Subject: [Scspamcop] Re: "Sorry, failed to get reportid from database, will not send." errors.
In-Reply-To:
References:
Message-ID:

Farelf wrote:
...
>
> It appears we're back in business. Processing status again showing/indicated at http://www.spamcop.net/spamgraph.shtml?spamstats [Reminder, when this .spamcop.net page is unavailable the independent one(s) at .forum.spamcop.net can be checked in the event of purely local/user effects.]
>
> Ellen posted in the forums that the system is out of maintenance mode/backlog processing. She earlier posted in:
> http://forum.spamcop.net/forums/index.php?s=&showtopic=10461&view=findpost&p=71979
> ...

Though I admit some concern over the downward trend in the spamgraph over the past minutes.

From nobody at spamcop.net Thu Jun 25 02:12:28 2009
From: nobody at spamcop.net (RW)
Date: Thu Jun 25 02:15:03 2009
Subject: [Scspamcop] Re: "Sorry, failed to get reportid from database, will not send." errors.
In-Reply-To:
References:
Message-ID:

Farelf wrote:
> Farelf wrote:
> ...
>>
>> It appears we're back in business.
>> Processing status again showing/indicated at http://www.spamcop.net/spamgraph.shtml?spamstats [Reminder, when this .spamcop.net page is unavailable the independent one(s) at .forum.spamcop.net can be checked in the event of purely local/user effects.]
>>
>> Ellen posted in the forums that the system is out of maintenance mode/backlog processing. She earlier posted in:
>> http://forum.spamcop.net/forums/index.php?s=&showtopic=10461&view=findpost&p=71979
>>
> ...
> Though I admit some concern over the downward trend in the spamgraph over the past minutes.

If you look at the history though, the drop is within normal range for this time of day. Unlike other outages, there was no backlog to contend with. Submissions through the day, including traps, were lost, not delayed.

The problem and solution were fairly simple, but it did require engineering to spend quite a bit of time today writing new code, rebuilding databases, etc. The bottom line is SpamCop reached its limit as programmed.

SpamCop is a collection of perl scripts with the reportid field being a 32-bit integer data type. When SpamCop reached report number 4294967295, it couldn't count any higher. That was its limit.

The solution was to rewrite the code to allow BIGINT in 64-bit, but that meant rebuilding the databases, tables, etc. That's what took all the time, but well under the 24 hour estimate.

Richard

From DeathToSpam at crazyhat.net Thu Jun 25 04:13:57 2009
From: DeathToSpam at crazyhat.net (DevilsPGD)
Date: Thu Jun 25 04:15:04 2009
Subject: [Scspamcop] Re: Possible closure of SORBS
References:
Message-ID:

In message VanguardLH was claimed to have wrote:

>You actually *use* SORBS?

I did. I never had any technical problems with it, but a combination of Matthew's claim that the sample configurations were not the recommended configuration along with a refusal to change said sample configurations soured my taste for SORBS' management.
Progressing further, the willful mislabeling of static addresses as dynamic was a deal breaker for me, again despite not actually having any technical issues. Rather, it was simply a case of myself not being willing to delegate important network management decisions (such as what mail to accept/reject) when I wasn't confident about the clearheadedness and communication skills of the individual I was choosing to put in charge of rejecting mail to my users.

If the DUL was described as a list of addresses with short TTLs, or dynamic type rDNS, then I wouldn't have had any issues, but labeling it as "dialup user list" or "dynamic user list" meant that every listed static IP was a false positive.

So as a result I would tend to side with Al Iverson in terms of not recommending SORBS for blocking under any circumstances, and instead using SORBS on a scoring basis only, if you feel you must.

That being said, we need as many quality DNSBLs as possible, all DNSBLs must eventually die and the more options there are, the lower the barrier to entry for new participants, and the stronger the community as a whole, so in that respect, I sincerely hope that SORBS finds new hosting, and/or accepts a buy-out offer.

From MikeE at ster.invalid Thu Jun 25 11:06:10 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Jun 25 11:10:03 2009
Subject: [Scspamcop] Re: Possible closure of SORBS
References:
Message-ID:

DevilsPGD wrote:
> If the DUL was described as a list of addresses with short TTLs, or dynamic type rDNS, then I wouldn't have had any issues, but labeling it as "dialup user list" or "dynamic user list" meant that every listed static IP was a false positive.

The sorbs lists could be improved significantly by some changes in the philosophies of the listings and the delistings. Such an improvement could come about by a change or revision in the attitudes or philosophy of the list's admin.
Considering the powerful factors influencing the attitudes and feelings of the admin Michelle, it would seem to me that there is great potential for change in her administrative behaviors - sorbs list rules. She is more changed hormonally/chemically than some judicial processes do to some of the worst criminal offenders to influence and mitigate their bad behaviors.

--
Mike Easter
kibitzer, not SC admin

From blacklist-me at davjam.org Thu Jun 25 07:56:44 2009
From: blacklist-me at davjam.org (David Bolt)
Date: Thu Jun 25 11:35:03 2009
Subject: [Scspamcop] Re: Possible closure of SORBS
References:
Message-ID:

On Wed, 24 Jun 2009, VanguardLH wrote:-

>30 billion DNS queries per day means over 347 thousand of them per second.

Yes, it's a lot of queries per day, but those are spread out over multiple DNS servers[0] and not just aimed at the server hosted by the University of Queensland. From the traffic graph it seems like the load there is averaging around 10-11 thousand connections per second which, if you take the return packet to be 120 bytes, works out at around 11Mb/s.

[0] A quick check shows there are 18 DNS servers listed for dnsbl.sorbs.net. 30 billion queries per day, spread out evenly across them all would be a little under 20,000 queries per second, or marginally more than 19Mb/s with a 120 byte return packet.

Regards,
David Bolt

--
Team Acorn: http://www.distributed.net/ OGR-NG @ ~100Mnodes RC5-72 @ ~1Mkeys/s
openSUSE 10.3 32b | openSUSE 11.0 32b | | openSUSE 10.3 64b | openSUSE 11.0 64b | openSUSE 11.1 64b | RISC OS 3.6 | RISC OS 3.11 | openSUSE 11.1 PPC | TOS 4.02

From tmcgraw at spamcop.net Thu Jun 25 12:13:39 2009
From: tmcgraw at spamcop.net (Tim McGraw)
Date: Thu Jun 25 12:15:04 2009
Subject: [Scspamcop] Re: "Sorry, failed to get reportid from database, will not send." errors.
In-Reply-To:
References:
Message-ID:

RW wrote:
> SpamCop is a collection of perl scripts with the reportid field being a 32-bit integer data type.
> When SpamCop reached report number 4294967295, it couldn't count any higher. That was its limit.
>
> The solution was to rewrite the code to allow BIGINT in 64-bit, but that meant rebuilding the databases, tables, etc. That's what took all the time, but well under the 24 hour estimate.

An awesome feat for which I express my gratitude.

Not being a programmer, I assume BIGINT would be an exponential improvement but ponder whether there will be a similar wall hit at some future date.

And if so, is there an office pool for such date?

From user at domain.invalid Thu Jun 25 12:17:03 2009
From: user at domain.invalid (Farelf)
Date: Thu Jun 25 12:20:03 2009
Subject: [Scspamcop] Re: "Sorry, failed to get reportid from database, will not send." errors.
In-Reply-To:
References:
Message-ID:

RW wrote:
> Farelf wrote:
>> ...
>> Though I admit some concern over the downward trend in the spamgraph over the past minutes.
>
> If you look at the history though, the drop is within normal range for this time of day. Unlike other outages, there was no backlog to contend with. Submissions through the day, including traps, were lost, not delayed.
>
> The problem and solution were fairly simple, but it did require engineering to spend quite a bit of time today writing new code, rebuilding databases, etc. The bottom line is SpamCop reached its limit as programmed.
>
> SpamCop is a collection of perl scripts with the reportid field being a 32-bit integer data type. When SpamCop reached report number 4294967295, it couldn't count any higher. That was its limit.
>
> The solution was to rewrite the code to allow BIGINT in 64-bit, but that meant rebuilding the databases, tables, etc. That's what took all the time, but well under the 24 hour estimate.
>
> Richard

Thanks for the background Richard - much appreciated.
Sort of reminds me of one of my favorite recent xkcds - http://xkcd.com/571/

Steve

From nobody at nowhere.not Thu Jun 25 14:14:32 2009
From: nobody at nowhere.not (Robert Blair)
Date: Thu Jun 25 14:15:03 2009
Subject: [Scspamcop] stupid government agencies
Message-ID:

I have received a "Delivery Failure" notice from Florida (see same subject in spamcop.spam). Looking at the original report it was sent to postmaster@state.fl.us and ag.mccollum@myfloridalegal.com.

Why do these idiots add reporting addresses for spam and then bounce the messages sent to them?

Original spam report.
http://www.spamcop.net/sc?id=z3046868037zef5de3e5ad0924a22a143d2885c5809cz

--
Robert Blair

From bcs1 at spamcop.net Thu Jun 25 14:22:25 2009
From: bcs1 at spamcop.net (Bill)
Date: Thu Jun 25 14:25:02 2009
Subject: [Scspamcop] Outlook users beware..
Message-ID:

seems like there's a new rash of scams/viruses trying to target M$ outlook/outlook express users, so I thought I'd give everyone a heads up.

the url in the link leads one to
http://update.microsoft.com/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=365135324228445314309798078394717634043362
http://www.spamcop.net/sc?id=z3046962774z8623d7be635be2737520410dc60bf47az
and
http://www.spamcop.net/sc?id=z3046963022zdcabb62836a41050eca2123c6d53baeaz

Bill

From tmcgraw at spamcop.net Thu Jun 25 16:23:13 2009
From: tmcgraw at spamcop.net (Tim McGraw)
Date: Thu Jun 25 16:25:04 2009
Subject: [Scspamcop] Re: stupid government agencies
In-Reply-To:
References:
Message-ID:

Robert Blair wrote:
> I have received a "Delivery Failure" notice from Florida (see same subject in spamcop.spam).

I would forward that email, headers and all, to the webmaster address that appears on the home page at www.abuse.net, with a new or pre-pended subject line that indicates an abuse.net recommended email bounces.

> Original spam report.
> http://www.spamcop.net/sc?id=z3046868037zef5de3e5ad0924a22a143d2885c5809cz

From dritz at mindspring.com Thu Jun 25 17:24:20 2009
From: dritz at mindspring.com (David Ritz)
Date: Thu Jun 25 17:25:02 2009
Subject: [Scspamcop] Re: Outlook users beware..
In-Reply-To:
References:
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thursday, 25 June 2009 14:22 -0400, in article , Bill wrote:

> seems like there's a new rash of scams/viruses trying to target M$ outlook/outlook express users, so I thought I'd give everyone a heads up.
> the url in the link leads one to
> [...]\*.iiljlk.com/microsoftofficeupdate/isapdl/default.aspx[...]
> http://www.spamcop.net/sc?id=z3046962774z8623d7be635be2737520410dc60bf47az
> and
> http://www.spamcop.net/sc?id=z3046963022zdcabb62836a41050eca2123c6d53baeaz
[...]\*.hhillj.com/microsoftofficeupdate/isapdl/default.aspx[...]

Neither of these domains is resolving.

I got a couple of these last night. One was dead by the time I looked at it. The other required following a link on the page, to get to the malware payload. I don't know how much, if any of it, would take place automatically, as Lynx is too "dumb" to fall for such tricks.
The one live host I checked resolved to around sixteen IP addresses, all of which appeared to be compromised hosts. I was able to drag down the malware target payload.

sh-3.2$ sweep -archive -ss officexp-KB910721-FullFile-ENU.exe ; md5 officexp-KB910721-FullFile-ENU.exe ; date
>>> Virus 'Mal/Zbot-O' found in file officexp-KB910721-FullFile-ENU.exe
MD5 (officexp-KB910721-FullFile-ENU.exe) = abadbbb846c07f71d4fb16dbde1cb561
Thu Jun 25 16:12:32 CDT 2009

- --
David Ritz
Be kind to animals; kiss a shark.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (Darwin)
Comment: Public Keys:

iEYEARECAAYFAkpD6w8ACgkQUrwpmRoS3us+2wCfdysjioU7sV+AtMuoV1zTriAi
MfUAn2hXeBIJ74NqjBbfmUCDD16J1Mqe
=KJ8B
-----END PGP SIGNATURE-----

From nobody at spamcop.net Thu Jun 25 20:35:31 2009
From: nobody at spamcop.net (RW)
Date: Thu Jun 25 20:40:03 2009
Subject: [Scspamcop] Re: "Sorry, failed to get reportid from database, will not send." errors.
In-Reply-To:
References:
Message-ID:

Tim McGraw wrote:
> RW wrote:
>> SpamCop is a collection of perl scripts with the reportid field being a 32-bit integer data type. When SpamCop reached report number 4294967295, it couldn't count any higher. That was its limit.
>>
>> The solution was to rewrite the code to allow BIGINT in 64-bit, but that meant rebuilding the databases, tables, etc. That's what took all the time, but well under the 24 hour estimate.
>
> An awesome feat for which I express my gratitude.
>
> Not being a programmer, I assume BIGINT would be an exponential improvement but ponder whether there will be a similar wall hit at some future date.
>
> And if so, is there an office pool for such date?

Not being a programmer or a mathematician, my understanding is the difference is 64-bit versus 32-bit, which is 2^64 vs 2^32 and will take us to report number 18,446,744,073,709,551,616 before choking again.
Even with today's spam rate growth, we should be safe for at least six months ;-/

From not at home.today Thu Jun 25 21:26:32 2009
From: not at home.today (Ant)
Date: Thu Jun 25 21:30:03 2009
Subject: [Scspamcop] Re: Outlook users beware..
References:
Message-ID:

"David Ritz" wrote:

> >>> Virus 'Mal/Zbot-O' found in file officexp-KB910721-FullFile-ENU.exe

Zeus banking trojans targeting many online banks, Ebay and Paypal. The bot controller is at labormi.com (91.206.201.6).

From dritz at mindspring.com Fri Jun 26 17:46:35 2009
From: dritz at mindspring.com (David Ritz)
Date: Fri Jun 26 17:50:03 2009
Subject: [Scspamcop] Re: Outlook users beware..
In-Reply-To:
References:
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Friday, 26 June 2009 02:26 +0100, in article , Ant wrote:

> "David Ritz" wrote:
>> >>> Virus 'Mal/Zbot-O' found in file officexp-KB910721-FullFile-ENU.exe
> Zeus banking trojans targeting many online banks, Ebay and Paypal.
> The bot controller is at labormi.com (91.206.201.6).

I'm still seeing the MS Office update versions.

[ malware URIs broken intentionally ]

http://update.microsoft.com.kiffil'com'mx/microsoftofficeupdate/isapdl/default.aspx
REFRESH(7 sec): http://update.microsoft.com.kiffil'com'mx/microsoftofficeupdate/isapdl/default.aspx/index2.php

References in http://update.microsoft.com.kiffil'com'mx/microsoftofficeupdate/isapdl/default.aspx/index2.php

1. http://gizliilimlerhazinesi.com/images/index.php
2. http://update.microsoft.com.kiffil'com'mx/microsoftofficeupdate/isapdl/default.aspx/officexp-KB910721-FullFile-ENU.exe
3. http://go.microsoft.com/?linkid=2028325
4. http://support.microsoft.com/contactus/?ws=mscom
5. http://go.microsoft.com/?linkid=4412892
6. http://go.microsoft.com/?linkid=4412893
7. http://go.microsoft.com/?linkid=4412894

dritz:~> sbl gizliilimlerhazinesi.com
84.51.21.87 gizliilimlerhazinesi.com : sbl.spamhaus.org : BLOCKED (127.0.0.2) http://www.spamhaus.org/SBL/sbl.lasso?query=SBL76600

dritz:~/infected> wget -t1 \*.kiffil'com'mx/microsoftofficeupdate/isapdl/default.aspx/officexp-KB910721-FullFile-ENU.exe ; md5 officexp-KB910721-FullFile-ENU.exe ; sha1 officexp-KB910721-FullFile-ENU.exe ; sweep officexp-KB910721-FullFile-ENU.exe ; date
- --2009-06-26 16:41:51-- http://*.kiffil'com'mx/microsoftofficeupdate/isapdl/default.aspx/officexp-KB910721-FullFile-ENU.exe
Resolving *.kiffil'com'mx... 79.113.51.231, 79.165.91.210, 81.203.83.69, ...
Connecting to *.kiffil'com'mx|79.113.51.231|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 82944 (81K) [application/octet-stream]
Saving to: `officexp-KB910721-FullFile-ENU.exe'

100%[======================================>] 82,944 67.7K/s in 1.2s

2009-06-26 16:41:54 (67.7 KB/s) - `officexp-KB910721-FullFile-ENU.exe' saved [82944/82944]

MD5 (officexp-KB910721-FullFile-ENU.exe) = 0862871440e8c9cda1d02bd8c9ab5867
SHA1(officexp-KB910721-FullFile-ENU.exe)= 23ef6a04f66346f6043ca272268ac921e8ccbf9e
>>> Virus 'Mal/Zbot-O' found in file officexp-KB910721-FullFile-ENU.exe
Fri Jun 26 21:42:02 UTC 2009

dritz:~> uri kiffil'com'mx ; dig \*.kiffil'com'mx ; date
kiffil'com'mx.multi.uribl.com descriptive text "Blacklisted, see http://lookup.uribl.com/?domain=kiffil'com'mx"

; <<>> DiG 9.4.3-P1 <<>> *.kiffil'com'mx
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62110
;; flags: qr rd ra; QUERY: 1, ANSWER: 15, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;*.kiffil'com'mx. IN A

;; ANSWER SECTION:
*.kiffil'com'mx. 1800 IN A 79.113.51.231
*.kiffil'com'mx. 1800 IN A 79.165.91.210
*.kiffil'com'mx. 1800 IN A 81.203.83.69
*.kiffil'com'mx. 1800 IN A 84.124.147.235
*.kiffil'com'mx. 1800 IN A 84.126.129.173
*.kiffil'com'mx. 1800 IN A 88.65.96.216
*.kiffil'com'mx. 1800 IN A 89.78.195.12
*.kiffil'com'mx. 1800 IN A 92.249.248.36
*.kiffil'com'mx. 1800 IN A 94.52.123.19
*.kiffil'com'mx. 1800 IN A 95.76.14.96
*.kiffil'com'mx. 1800 IN A 200.77.204.131
*.kiffil'com'mx. 1800 IN A 77.222.224.108
*.kiffil'com'mx. 1800 IN A 78.157.82.12
*.kiffil'com'mx. 1800 IN A 79.108.45.9
*.kiffil'com'mx. 1800 IN A 79.109.144.180

;; AUTHORITY SECTION:
kiffil'com'mx. 1800 IN NS ns2.sobra-ns.com.
kiffil'com'mx. 1800 IN NS ns2.hiringstaffing.com.
kiffil'com'mx. 1800 IN NS ns1.hiringstaffing.com.
kiffil'com'mx. 1800 IN NS ns1.sobra-ns.com.

;; ADDITIONAL SECTION:
ns2.hiringstaffing.com. 8764 IN A 44.169.45.161
ns1.sobra-ns.com. 8764 IN A 91.199.50.168
ns1.hiringstaffing.com. 8764 IN A 91.199.50.168
ns2.sobra-ns.com. 8764 IN A 53.217.51.38

;; Query time: 264 msec
;; SERVER: 192.168.101.1#53(192.168.101.1)
;; WHEN: Fri Jun 26 16:29:06 2009
;; MSG SIZE rcvd: 436

Fri Jun 26 21:29:06 UTC 2009

- --
David Ritz
Be kind to animals; kiss a shark.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (Darwin)
Comment: Public Keys:

iEYEARECAAYFAkpFQccACgkQUrwpmRoS3useMQCcDvHf9q/AkwPjMdQRrICPHVik
iMoAoKv9gcVzIJje/qYv5pQPdsSA/Rl5
=46YI
-----END PGP SIGNATURE-----

From mr206 at spamtrackers.eu Sat Jun 27 19:38:00 2009
From: mr206 at spamtrackers.eu (mr206)
Date: Sat Jun 27 19:40:03 2009
Subject: [Scspamcop] Re: stupid government agencies
In-Reply-To:
References:
Message-ID:

Tim McGraw wrote:
> Robert Blair wrote:
>> I have received a "Delivery Failure" notice from Florida (see same subject in spamcop.spam).
>
> I would forward that email, headers and all, to the webmaster address that appears on the home page at www.abuse.net, with a new or pre-pended subject line that indicates an abuse.net recommended email bounces.
>
>> Original spam report.
>> http://www.spamcop.net/sc?id=z3046868037zef5de3e5ad0924a22a143d2885c5809cz
>>

Also, the tech for that IP/agency seems to be: ronnie_small@dcf.state.fl.us

Maybe notify him?
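David Ritz's dig session above shows the pattern worth recognising on the defending side: one hostname answering with fifteen addresses scattered across unrelated networks, a short TTL, and the domain already listed at URIBL. The script below is an added example and not anything from the thread or from the tools in his session; it parses a dig-style answer section, scores the fast-flux indicators (record count, distinct /16 prefixes, TTL), and builds the query names a DNSBL lookup would send, reversed octets for an IP-keyed list such as sbl.spamhaus.org and the bare domain for a domain-keyed list such as multi.uribl.com. The sample answer set uses RFC 5737 documentation addresses and a made-up hostname, and the thresholds are constructed for illustration; the zone names are the two that appear in the thread.

```python
"""Triage heuristics for a many-address, short-TTL DNS answer.

Added example, not from the original posts. Sample data is constructed
from RFC 5737 documentation ranges; only the DNSBL zone names are taken
from the thread above. No network traffic is generated.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in dig's answer-section layout: name ttl class type rdata.
SAMPLE_ANSWER = """\
update.example.test.  1800  IN  A  192.0.2.17
update.example.test.  1800  IN  A  198.51.100.4
update.example.test.  1800  IN  A  203.0.113.77
update.example.test.  1800  IN  A  192.0.2.240
update.example.test.  1800  IN  A  198.51.100.199
update.example.test.  1800  IN  A  203.0.113.9
"""

RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")


@dataclass
class ARecord:
    name: str
    ttl: int
    address: ipaddress.IPv4Address


def parse_answer(text: str) -> list:
    """Pull A records out of a dig answer section; non-matching lines are skipped."""
    records = []
    for line in text.splitlines():
        m = RR_LINE.match(line.strip())
        if m:
            records.append(ARecord(m.group(1), int(m.group(2)),
                                   ipaddress.IPv4Address(m.group(3))))
    return records


def flux_indicators(records, max_ttl=3600, min_hosts=5, min_prefixes=3):
    """Return the indicators that fire for this answer set.

    Thresholds are constructed for illustration. A legitimate CDN can also
    answer with many addresses, so treat the result as a triage signal,
    not a verdict.
    """
    hits = []
    if len(records) >= min_hosts:
        hits.append(f"{len(records)} A records for one name")
    prefixes = Counter(str(ipaddress.ip_network(f"{r.address}/16", strict=False))
                       for r in records)
    if len(prefixes) >= min_prefixes:
        hits.append(f"{len(prefixes)} distinct /16 prefixes")
    if records and max(r.ttl for r in records) <= max_ttl:
        hits.append(f"TTL <= {max_ttl}s")
    return hits


def dnsbl_query_name(address: ipaddress.IPv4Address, zone: str) -> str:
    """IP-keyed lists are queried with the octets reversed under the zone,
    so 127.0.0.2 in sbl.spamhaus.org becomes 2.0.0.127.sbl.spamhaus.org."""
    return ".".join(reversed(address.exploded.split("."))) + "." + zone


def uribl_query_name(domain: str, zone: str = "multi.uribl.com") -> str:
    """Domain-keyed lists are queried with the bare domain prefixed to the zone."""
    return domain.rstrip(".") + "." + zone


def triage(text: str) -> dict:
    """Parse one pasted answer section and assemble the lookup plan for it."""
    records = parse_answer(text)
    name = records[0].name.rstrip(".") if records else ""
    return {
        "name": name,
        "hosts": [str(r.address) for r in records],
        "indicators": flux_indicators(records),
        "ip_lookups": [dnsbl_query_name(r.address, "sbl.spamhaus.org") for r in records],
        "domain_lookup": uribl_query_name(name),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_ANSWER)
    print(result["name"], result["indicators"])
    for query in result["ip_lookups"]:
        print("would query", query)
    print("would query", result["domain_lookup"])
```

The query names are built but never sent; wiring them to a resolver is a one-line change, and keeping the lookup separate from the scoring makes the heuristic testable offline. The /16 grouping is a crude proxy for "unrelated networks"; an ASN lookup would be the better signal where one is available.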
From not at available.com Sun Jun 28 17:09:50 2009
From: not at available.com (Leon Mayne)
Date: Sun Jun 28 17:10:04 2009
Subject: [Scspamcop] Linked newsgroup spam
Message-ID: 

Linky: http://www.spamcop.net/sc?id=z3058081388z44c21f2ed2df90311ee97edd733387c5z

So the spammer posts a newsgroup message with their crap on (which spamcop doesn't report) and then sends UBE out linking to Google groups / Yahoo to hide the website address. Surely sites like Yahoo can block web access to the message if they believe it to be spam? Therefore why does Spamcop not send a report to Yahoo in this case?

From MikeE at ster.invalid Sun Jun 28 18:09:50 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Jun 28 18:10:03 2009
Subject: [Scspamcop] Re: Linked newsgroup spam
References: 
Message-ID: 

Leon Mayne wrote:
> Linky: www.spamcop.net/sc?id=z3058081388z44c21f2ed2df90311ee97edd733387c5z

non mailhosted account - SC offers to notify the .md Moldova xoip source for a hotmail sourced spam.

Structure: hotmail source, payload a yahoo groups spam message with a tax-free-tobacco.com payload at the yahoo group html message

SC offers to notify the xoip source for the hotmail (a .md Moldova provider) and MS for hotmail. On that tracker, SC finds the live hotmail ad trailer and the yahoo groups payload, but does not offer to notify them.

I reran the same spam to see if it would be handled the same way. SC deob/ed the yahoo but did not offer to notify; SC deob/ed the MS and determined that MS didn't want to be notified about their ad trailer on hotmail.

It might be that the parser doesn't want to notify yahoo about yahoo groups content.

> So the spammer posts a newsgroup message

I don't call yahoo groups a 'newsgroup' message. Yahoo groups is yahoo groups. Google-specific groups is Google-specific groups.

> with their crap on (which
> spamcop doesn't report) and then sends UBE out linking to Google groups
> / Yahoo to hide the website address.

Yes.

> Surely sites like Yahoo can block
> web access to the message if they believe it to be spam? Therefore why
> does Spamcop not send a report to Yahoo in this case?

I don't know for absolute sure that if we ran the same spam 100 times that it would always deobfuscate the yahoo group link but never offer to notify.

This is an example of how a free spamcop reporter would do a manual notify on their own and a paid spamcop reporter would do an additional notify via SC.

taxfreetobacco has a very vigorous affiliates program. The yahoo groups message tickles the affiliate's number.

The IP for taxfreetobacco isn't blocklisted anywhere such as spamhaus. If a reporter were doing additional notifies or manuals, they could notify for the IP 173.45.80.83 rDNS 53.50.2d.static.xlhost.com but the reporter would have to convince the provider that this indirect pathway to find out about the tobacco site constitutes email spam.

-- 
Mike Easter
kibitzer, not SC admin

From bcs1 at spamcop.net Mon Jun 29 08:38:04 2009
From: bcs1 at spamcop.net (Bill)
Date: Mon Jun 29 08:40:03 2009
Subject: [Scspamcop] Re: Possible closure of SORBS
References: 
Message-ID: 

"Farelf" wrote in message news:h1t4ag$cpi$1@news.spamcop.net...
> Farelf wrote:
>> VanguardLH wrote:
>
>>> I thought SORBS had dropped the ransom due to bad publicity but they're
>>> still at it. From http://www.au.sorbs.net/overview.shtml:
>
>> That link serves the following 404 or whatever from their server whose
>> name, I suspect, is Marvin:
>>
>
> Ah, that was the colon at the end doing the damage - link is
>
> http://www.au.sorbs.net/overview.shtml
> but the link with the 404 message is so much more entertaining to read...

I LOL'd

From nobody at spamcop.net Tue Jun 30 16:33:31 2009
From: nobody at spamcop.net (RandallW)
Date: Tue Jun 30 16:35:03 2009
Subject: [Scspamcop] parser not working
Message-ID: 

The parser is not working.

I am able to paste in, but using the report button results in this page showing:

Gateway Timeout
The proxy server did not receive a timely response from the upstream server.
Reference #1.2ddaf180.1246393889.30a1825

From nobody at spamcop.net Tue Jun 30 16:34:44 2009
From: nobody at spamcop.net (Spamcop)
Date: Tue Jun 30 16:35:03 2009
Subject: [Scspamcop] Is Spamcop down?
Message-ID: 

An error occurred while processing your request.
Reference #97.3f8a1645.1246393976.3ec9891

From nobody at spamcop.net Tue Jun 30 16:35:46 2009
From: nobody at spamcop.net (Ellen)
Date: Tue Jun 30 16:40:04 2009
Subject: [Scspamcop] Re: Is Spamcop down?
In-Reply-To: 
References: 
Message-ID: 

Spamcop wrote:
> An error occurred while processing your request. Reference
> #97.3f8a1645.1246393976.3ec9891

hrmmm interesting question and I think the answer is yes :-( Just failed for me too

Ellen
SpamCop

From nobody at spamcop.net Tue Jun 30 16:39:09 2009
From: nobody at spamcop.net (Ellen)
Date: Tue Jun 30 16:40:04 2009
Subject: [Scspamcop] Re: Is Spamcop down?
In-Reply-To: 
References: 
Message-ID: 

Ellen wrote:
> Spamcop wrote:
>> An error occurred while processing your request. Reference
>> #97.3f8a1645.1246393976.3ec9891
>
> hrmmm interesting question and I think the answer is yes :-( Just failed
> for me too
>
>
> Ellen
> SpamCop

Replying to myself: System Operations is working on the issue.

Ellen
SpamCop

From nobody at spamcop.net Tue Jun 30 16:41:00 2009
From: nobody at spamcop.net (John-A)
Date: Tue Jun 30 16:45:03 2009
Subject: [Scspamcop] Re: parser not working
In-Reply-To: 
References: 
Message-ID: 

Ok, just wondered. Changed my handle to my first name and initial

John-A

From tmcgraw at spamcop.net Tue Jun 30 17:00:08 2009
From: tmcgraw at spamcop.net (Tim McGraw)
Date: Tue Jun 30 17:05:03 2009
Subject: [Scspamcop] Re: Is Spamcop down?
In-Reply-To: 
References: 
Message-ID: 

Ellen wrote:
> System Operations is working on the issue.

It seems to be back up. That was fast.

From nobody at spamcop.net Tue Jun 30 17:02:42 2009
From: nobody at spamcop.net (Ellen)
Date: Tue Jun 30 17:05:03 2009
Subject: [Scspamcop] Re: Is Spamcop down?
In-Reply-To: 
References: 
Message-ID: 

Tim McGraw wrote:
> Ellen wrote:
>> System Operations is working on the issue.
>
> It seems to be back up. That was fast.

Well yes and no -- it's actually an intermittent issue and they are still working on it. So I would expect that the possibility of the site going down again is still there ...

Ellen
SpamCop