From nobody at spamcop.net  Sun May 10 20:37:35 2009
From: nobody at spamcop.net (bar0)
Date: Sun May 10 20:40:09 2009
Subject: [Scspamcop] Hurray
Message-ID: <gu7og4$s2c$1@news.spamcop.net>

the NG is back!! thanx 


From tmcgraw at spamcop.net  Sun May 10 21:06:27 2009
From: tmcgraw at spamcop.net (Tim McGraw)
Date: Sun May 10 21:10:08 2009
Subject: [Scspamcop] Me Too!
Message-ID: <gu7q65$poh$1@news.spamcop.net>

I had to put in my $0.10 worth, and since neither of the two threads 
already begun on this topic were started by me, well... 
http://en.wikipedia.org/wiki/Me_too
From nobody at devnull.spamcop.net  Sun May 10 22:06:39 2009
From: nobody at devnull.spamcop.net (Patto)
Date: Sun May 10 22:10:08 2009
Subject: [Scspamcop] Re: Hurray
In-Reply-To: <gu7og4$s2c$1@news.spamcop.net>
References: <gu7og4$s2c$1@news.spamcop.net>
Message-ID: <gu7tmv$lkf$1@news.spamcop.net>

bar0 wrote:
> the NG is back!! thanx

What actually happened? I just got a very strange message whenever I 
tried to access the SC NG. Any explanation?
From DLipman~nospam~ at Verizon.Net  Sun May 10 22:10:40 2009
From: DLipman~nospam~ at Verizon.Net (David H. Lipman)
Date: Sun May 10 22:15:09 2009
Subject: [Scspamcop] Re: Welcome back news.spamcop.net
References: <schram-BFC135.17414310052009@news.spamcop.net>
Message-ID: <gu7tuj$rjv$1@news.spamcop.net>

From: "Chris Schram" <schram@webenet.net>

| The Off-Topic Subject sez it all. I'm just not a forums kinda guy, so
| I'm very happy that the newsserver is back up and running.

Ditto....

Welcome back !

-- 
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp 


From nobody at spamcop.net  Sun May 10 23:45:34 2009
From: nobody at spamcop.net (bar0)
Date: Sun May 10 23:50:08 2009
Subject: [Scspamcop] Re: Hurray
References: <gu7og4$s2c$1@news.spamcop.net> <gu7tmv$lkf$1@news.spamcop.net>
Message-ID: <gu83gj$b5u$1@news.spamcop.net>


"Patto" <nobody@devnull.spamcop.net> wrote in message 
news:gu7tmv$lkf$1@news.spamcop.net...
> bar0 wrote:
>> the NG is back!! thanx
>
> What actually happened? I just got a very strange message whenever I tried 
> to access the SC NG. Any explanation?

This is porbably inaccurate and oversimplified, but apparently the colo or 
site where the NG servers are, had a power failure. After power was restored 
the servers came up in a funny state, and. required manual (on-site) 
intervention by one JT. Apparently this took place sometime today. 


From user at domain.invalid  Mon May 11 00:34:35 2009
From: user at domain.invalid (Farelf)
Date: Mon May 11 00:35:08 2009
Subject: [Scspamcop] Re: Hurray
In-Reply-To: <gu83gj$b5u$1@news.spamcop.net>
References: <gu7og4$s2c$1@news.spamcop.net> <gu7tmv$lkf$1@news.spamcop.net>
	<gu83gj$b5u$1@news.spamcop.net>
Message-ID: <gu86ch$b0k$1@news.spamcop.net>

bar0 wrote:

> 
> This is porbably inaccurate and oversimplified, but apparently the colo or 
> site where the NG servers are, had a power failure. After power was restored 
> the servers came up in a funny state, and. required manual (on-site) 
> intervention by one JT. Apparently this took place sometime today. 
> 

Seems like a useful summary to me.  It can be added that the server (on 
216.154.195.61) was responsive on port 80 (http) throughout, but not on 
119 (NG) and was also unresponsive to remote reset requests.  That neat 
little GRC utility idserve.exe that Mike Easter mentioned elsewhere 
demonstrates the ports responses on separate queries 
(http://news.spamcop.net and news://news.spamcop.net).

And yes, someone evidently took time out to go to the location on the 
2nd Sunday in May - a date which will be significant to those who were 
*born* as opposed to those who were hatched or sprung fully-formed from 
the forehead of Zeus <g> - and performed the manual re-boot or whatever. 
And it worked.  What a relief.
From me at privacy.net  Mon May 11 08:44:40 2009
From: me at privacy.net (Michael R N Dolbear)
Date: Mon May 11 09:45:09 2009
Subject: [Scspamcop] Re: Hurray, Hurray
References: <gu7og4$s2c$1@news.spamcop.net> <gu7tmv$lkf$1@news.spamcop.net>
	<gu83gj$b5u$1@news.spamcop.net> <gu86ch$b0k$1@news.spamcop.net>
Message-ID: <01c9d23e$9b3f6c00$cdce403e@default>

Meee too !

-- 
Mike D


From nobody at spamcop.net  Tue May 12 12:00:08 2009
From: nobody at spamcop.net (Kev)
Date: Tue May 12 12:05:04 2009
Subject: [Scspamcop] Re: Hurray, Hurray
References: <gu7og4$s2c$1@news.spamcop.net> <gu7tmv$lkf$1@news.spamcop.net>
	<gu83gj$b5u$1@news.spamcop.net> <gu86ch$b0k$1@news.spamcop.net>
	<01c9d23e$9b3f6c00$cdce403e@default>
Message-ID: <guc6f4$68t$1@news.spamcop.net>


"Michael R N Dolbear" <me@privacy.net> wrote in message 
news:01c9d23e$9b3f6c00$cdce403e@default...
> Meee too !
>
> -- 
> Mike D
>
>

Yeh, what he said :-) 


From Kevin_newsspam01 at devnull.invalid  Tue May 12 18:28:08 2009
From: Kevin_newsspam01 at devnull.invalid (Kevin)
Date: Tue May 12 18:50:03 2009
Subject: [Scspamcop] Re: Hurray
References: <gu7og4$s2c$1@news.spamcop.net> <gu7tmv$lkf$1@news.spamcop.net>
	<gu83gj$b5u$1@news.spamcop.net> <gu86ch$b0k$1@news.spamcop.net>
Message-ID: <Dy1xQsB4ffCKFAgy@devnull.invalid>

In message <gu86ch$b0k$1@news.spamcop.net>, Farelf <user@domain.invalid> 
writes
>bar0 wrote:
>
>>  This is porbably inaccurate and oversimplified, but apparently the 
>>colo or  site where the NG servers are, had a power failure. After 
>>power was restored  the servers came up in a funny state, and. 
>>required manual (on-site)  intervention by one JT. Apparently this 
>>took place sometime today.
>
>Seems like a useful summary to me.  It can be added that the server (on 
>216.154.195.61) was responsive on port 80 (http) throughout, but not on 
>119 (NG) and was also unresponsive to remote reset requests. That neat 
>little GRC utility idserve.exe that Mike Easter mentioned elsewhere 
>demonstrates the ports responses on separate queries 
>(http://news.spamcop.net and news://news.spamcop.net).

And if anyone wants it, the utility is at
http://www.grc.com/id/IDServe.htm The Help page has instructions on how 
to check servers on different ports.

>And yes, someone evidently took time out to go to the location on the 
>2nd Sunday in May - a date which will be significant to those who were 
>*born* as opposed to those who were hatched or sprung fully-formed from 
>the forehead of Zeus <g> - and performed the manual re-boot or 
>whatever. And it worked.  What a relief.

And it's much appreciated that 'someone' was willing to do that. It's 
been pretty quiet here since then though, I suspect that a lot of people 
wandered away, at least for a while.

I also found out that I wasn't collecting all the posts since it came 
back up. Some, like the one I'm responding to, didn't come down until I 
specifically asked for them. Asking for a resend on everything in the 
last week got me two posts in Test that hadn't come through before.
-- 
Kevin
From avoozl at spamcop.net  Fri May 15 02:44:27 2009
From: avoozl at spamcop.net (Chris F. Willoughby)
Date: Fri May 15 02:45:03 2009
Subject: [Scspamcop] Quickreporting errors..
Message-ID: <guj30d$rt4$1@news.spamcop.net>

error:ISP has indicated spam will cease; ISP resolved this issue sometime 
after
<noscript>Thu May 14 00:28:59 2009 GMT </noscript><script><!--
document.write(showDate(1242260939));
//--></script>

I still see that particular error every so often.  It seems to only show up 
when ISPs have 'resolved' the issue.  It also won't show on the main page so 
linking a tracker won't help. :)

Thanks. 


From nobody at devnull.spamcop.net  Fri May 15 03:57:48 2009
From: nobody at devnull.spamcop.net (Wazoo)
Date: Fri May 15 04:00:03 2009
Subject: [Scspamcop] Re: Quickreporting errors..
References: <guj30d$rt4$1@news.spamcop.net>
Message-ID: <guj79s$bka$1@news.spamcop.net>

"Chris F. Willoughby" <avoozl@spamcop.net> wrote in message 
news:guj30d$rt4$1@news.spamcop.net...
> error:ISP has indicated spam will cease; ISP resolved this issue 
> sometime after
> <noscript>Thu May 14 00:28:59 2009 GMT </noscript><script><!--
> document.write(showDate(1242260939));
> //--></script>
>
> I still see that particular error every so often.  It seems to 
> only show up when ISPs have 'resolved' the issue.  It also won't 
> show on the main page so linking a tracker won't help. :)

History ... all of the Deputies admit to not being programmers. 
Thusly, the last time this was pointed out, the responses all 
pointed out "the explanation" of the ISP Response/Action.  I don't 
think that the issue of a "coding error" was made clear ... or at 
least wasn't acknowledged. 


From g.hyde at bigNOSPAMpond.net.au  Fri May 15 05:51:25 2009
From: g.hyde at bigNOSPAMpond.net.au (Geoffrey Hyde)
Date: Fri May 15 05:55:03 2009
Subject: [Scspamcop] Why does SpamCop print obvious remarks in reports?
Message-ID: <gujdv5$n62$1@news.spamcop.net>

http://www.spamcop.net/sc?id=z2891948467z7f793aac09f21ef3416d93425a02e68cz

For instance in this spamitem, it's obvious to a human reader that there are 
only two Received: lines that are legitimate, and therefore are parseable.

For some strange reason, though, SpamCop insists on saying "will not trust 
anything beyond this header" when it's already obvious that there quite 
literally aren't any more Received: lines for it TO trust!

Is this some artifact of old parsing algorithm text that still hangs around 
for some obscure reason which only the original programmer of SpamCop would 
know about?


Cheers ...

Geoffrey Hyde



From MikeE at ster.invalid  Fri May 15 09:24:20 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Fri May 15 09:25:03 2009
Subject: [Scspamcop] Re: Why does SpamCop print obvious remarks in reports?
References: <gujdv5$n62$1@news.spamcop.net>
Message-ID: <gujqds$s2$1@news.spamcop.net>

Geoffrey Hyde wrote:
>
http://www.spamcop.net/sc?id=z2891948467z7f793aac09f21ef3416d93425a02e68cz
>
> For instance in this spamitem, it's obvious to a human reader that
> there are only two Received: lines that are legitimate, and therefore
> are parseable.

No.  I would say that the 'common' human spam reader would only know that
there were two Received tracelines.  The interpretation of 'legitimacy' is
something that the algo does better than many human parsers and not as
well as experienced human parsers.

> For some strange reason, though, SpamCop insists on saying "will not
> trust anything beyond this header"

The reason isn't strange at all.  Imagine that you are an algo.  You don't
'see' the headers as a 'gestalt', you see the headers as a series of
strings.  You see a header field and you know how to recognize it by the
fact that it is not preceded by an empty line and that it starts in the
first column and that there are no spaces and then a colon and then an
empty space.  In the case of the particular field we are discussing, the
compound string of string colon space string sequence is 'Received: from'

The parser is going to either look for all such occurrences all the way
thru' the algorithmic interpretation of when the header starts and when
the header ends, or it might stop sooner than the end of the header.

If it stops, then it 'announces' that it stopped based on the fact that
your headers are mailhosted and that your (complex) mailhosted string was
found.

If that same spam is parsed for a nonmailhosted account, the logic is
different.  See

http://www.spamcop.net/sc?id=z2892593988zdcbffbace844f1556bbc510fd006a297z

It does not announce, 'will not trust anything beyond this header' - but
instead it analyzes the lines one by one

196.211.39.19 found
host 196.211.39.19 (getting name) no name
196.211.39.19 not listed in dnsbl.njabl.org ( 127.0.0.9 )
196.211.39.19 listed in cbl.abuseat.org ( 127.0.0.2 )
Open proxies untrusted as relays

So, then it stops based on a different logic.  The logic is *not* that it
got to the bottom of the two Received tracelines.

> when it's already obvious that there
> quite literally aren't any more Received: lines for it TO trust!

When you say 'obvious' you are not thinking like an algo;  you are
thinking like a human which eyes and brain make assumptions based on a
'picture' formed by taking in the entire headers at a glance.  Those same
human eyes and brain are also prone to look at the bottom most traceline
for 'an answer' -- albeit errantly.

> Is this some artifact of old parsing algorithm text that still hangs
> around for some obscure reason which only the original programmer of
> SpamCop would know about?

I wouldn't call those verbose words an artifact.  It is hard enough to
interpret the verbose of the parse with more words;  it would be harder
with less words.  It is better for the human for the parser to announce as
clearly as possible what it is 'thinking' -- how/why it is acting the way
it acts.




-- 
Mike Easter
kibitzer, not SC admin

From avoozl at spamcop.net  Fri May 15 14:14:39 2009
From: avoozl at spamcop.net (Chris F. Willoughby)
Date: Fri May 15 14:15:04 2009
Subject: [Scspamcop] Re: Quickreporting errors..
References: <guj30d$rt4$1@news.spamcop.net> <guj79s$bka$1@news.spamcop.net>
Message-ID: <gukbej$nvf$1@news.spamcop.net>

"Wazoo" <nobody@devnull.spamcop.net> wrote in message 
news:guj79s$bka$1@news.spamcop.net...
> History ... all of the Deputies admit to not being programmers. Thusly, 
> the last time this was pointed out, the responses all pointed out "the 
> explanation" of the ISP Response/Action.  I don't think that the issue of 
> a "coding error" was made clear ... or at least wasn't acknowledged.
>

Yeah, I guess you could say that amounts to a bug report. :) 


From g.hyde at bigNOSPAMpond.net.au  Sat May 16 07:08:33 2009
From: g.hyde at bigNOSPAMpond.net.au (Geoffrey Hyde)
Date: Sat May 16 07:10:03 2009
Subject: [Scspamcop] Re: Why does SpamCop print obvious remarks in reports?
References: <gujdv5$n62$1@news.spamcop.net> <gujqds$s2$1@news.spamcop.net>
Message-ID: <gum6rp$ekl$1@news.spamcop.net>


"Mike Easter" <MikeE@ster.invalid> wrote in message 
news:gujqds$s2$1@news.spamcop.net...
> Geoffrey Hyde wrote:
>>
> http://www.spamcop.net/sc?id=z2891948467z7f793aac09f21ef3416d93425a02e68cz
>>
>> For instance in this spamitem, it's obvious to a human reader that
>> there are only two Received: lines that are legitimate, and therefore
>> are parseable.
>
> No.  I would say that the 'common' human spam reader would only know that
> there were two Received tracelines.  The interpretation of 'legitimacy' is
> something that the algo does better than many human parsers and not as
> well as experienced human parsers.

More to the point, in the particular spamitem's case, I'd only *care* that 
there are two Received tracelines.

I don't care about what logic the parser uses to get to it's conclusions, it 
could just not print that logic to the screen if such logic matches what I'm 
seeing.

Speicifically, is there a way to make it's "verbosity" more suited to not 
needlessly stating the flippantly obvious?

This was meant to be feedback to the developers of SpamCop's algorithm, not 
a a dissertation on how SpamCop's algorithm works - I just want to know if 
it can "turn off" unncecessary verbosity like this.  It's like static on the 
radio, no matter how long you analyze it, all it's ever going to be is 
static.


Cheers ...

Geoffrey Hyde


From nobody at spamcop.net  Sat May 16 09:14:47 2009
From: nobody at spamcop.net (Steven Underwood)
Date: Sat May 16 09:15:04 2009
Subject: [Scspamcop] Re: Why does SpamCop print obvious remarks in reports?
In-Reply-To: <gum6rp$ekl$1@news.spamcop.net>
References: <gujdv5$n62$1@news.spamcop.net> <gujqds$s2$1@news.spamcop.net>
	<gum6rp$ekl$1@news.spamcop.net>
Message-ID: <gume87$l6c$1@news.spamcop.net>


"Geoffrey Hyde" <g.hyde@bigNOSPAMpond.net.au> wrote in message 
news:gum6rp$ekl$1@news.spamcop.net...
>
>
> Speicifically, is there a way to make it's "verbosity" more suited to not 
> needlessly stating the flippantly obvious?
>

Do you have the "Show technical details" checkbox marked? 

From MikeE at ster.invalid  Sat May 16 10:14:48 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Sat May 16 10:15:03 2009
Subject: [Scspamcop] Re: Why does SpamCop print obvious remarks in reports?
References: <gujdv5$n62$1@news.spamcop.net> <gujqds$s2$1@news.spamcop.net>
	<gum6rp$ekl$1@news.spamcop.net>
Message-ID: <gumhoe$439$1@news.spamcop.net>

Geoffrey Hyde wrote:
> "Mike Easter"

>> I would say that the 'common' human spam reader would only know
>> that there were two Received tracelines.  The interpretation of
>> 'legitimacy' is something that the algo does better than many human
>> parsers and not as well as experienced human parsers.

> Speicifically, is there a way to make it's "verbosity" more suited to
> not needlessly stating the flippantly obvious?

You can turn off the verbosity.

> I just want to
> know if it can "turn off" unncecessary verbosity like this.

Login/ Preferences/ Report handling options/ <item 4> Show technical
details during reporting -- click 'Simple output' instead of 'Show
technical data'



-- 
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net  Sat May 16 14:40:46 2009
From: nobody at devnull.spamcop.net (Twayne)
Date: Sat May 16 14:45:03 2009
Subject: [Scspamcop] Re: Why does SpamCop print obvious remarks in reports?
References: <gujdv5$n62$1@news.spamcop.net> <gujqds$s2$1@news.spamcop.net>
	<gum6rp$ekl$1@news.spamcop.net>
Message-ID: <gun1b7$b91$1@news.spamcop.net>

Geoffrey Hyde wrote:
> "Mike Easter" <MikeE@ster.invalid> wrote in message
> news:gujqds$s2$1@news.spamcop.net...
>> Geoffrey Hyde wrote:
>>>
>> http://www.spamcop.net/sc?id=z2891948467z7f793aac09f21ef3416d93425a02e68cz
>>>
>>> For instance in this spamitem, it's obvious to a human reader that
>>> there are only two Received: lines that are legitimate, and
>>> therefore are parseable.
>>

...

>
> This was meant to be feedback to the developers of SpamCop's
> algorithm, not a a dissertation on how SpamCop's algorithm works - I
> just want to know if it can "turn off" unncecessary verbosity like
> this.  It's like static on the radio, no matter how long you analyze
> it, all it's ever going to be is static.
>

It sounds like Mike & Steven probably covered the issue, but ... Overall 
I think it's necessary to keep in mind that output isn't meant for only 
one person, not even ME<g>!  Regardless of whether your concern is 
covered or not, I think my point of it being a one-size-has-to-fit-all 
is what's up here.  If it can be toggled on/off, great, but otherwise, 
it's a small price IMO for the services the tool provides to us.  I know 
I find it invaluable.
   I have issues with it too; nearly everyone does. I'd like to see the 
Skip to Reports still work even if it's an unreportable e-mail or ISP 
has ... and so forth, but I don't think I'm going to see anything to 
help me keep from manually scrolling down the page to see why the link 
didn't work.  e.g. I already reported it, the ISP has taken action, 
whatever.  I consider the SC code pretty much dead, or abandoned, 
whichever term you like, w/r to minor updates and changes.  It's doing 
the job they want and the fact that we can still use the tool is a 
privelege now, not the great offering it used to be or would be today 
had it remained with its originator.  Although I've found a couple other 
excellent tools for spam fighting, no one as yet assists with the 
formulation of a standardized and reasonable report, nor auto-runs and 
assembles the tool outputs for me like SC does.

In other words, I think things like you mention and that I mentioned are 
too picky for the situation at hand.

Oh yeah; I think I heard aliens on my AM portable the other day< G 
 >(wide grin). If I'm right they're due here on earth in exactly 104.65 
hours! But they said they're coming to learn to  "serve man", so ... 
lol! (Ya gotta recall the show).

Regards,

Twayne


From nobody at devnull.spamcop.net  Sat May 16 14:51:35 2009
From: nobody at devnull.spamcop.net (Twayne)
Date: Sat May 16 14:55:02 2009
Subject: [Scspamcop] Received Line & mailshost Q.
Message-ID: <gun1vg$d26$1@news.spamcop.net>

Hi,

I'm a free reporter yet and submit spams via e-mail.  I've come across 
situations like this before, specifically the " ... Supposed receiving 
system not associated with any of your mailhostsWill ... " part.

   Is it simply saying that the top received line should be my own ISP 
but isn't, so either my SC mailhosts setup is borked or it's a spam?  Or 
is it trying to tell me something else?  This is definietly spam, and I 
have no e-mail possiblities anything like what's listed there, so ... .

64.202.165.35 is godaddy.com so I quit looking any further there.  I 
still get a lot of spam that seems to include them.

The lines in question:

=========
http://www.spamcop.net/sc?id=z2897121948z665d427c22bfb4f1f3feb7330f0bd2eaz
------------------------
Parsing header:
0: Received: from smtpauth12.prod.mesa1.secureserver.net (64.202.165.35) 
by q1-in-norm.netfirms.com with SMTP; 16 May 2009 17:24:42 -0000Hostname 
verified: smtpauth12.prod.mesa1.secureserver.net
intermedia.net received mail from sending system 64.202.165.35

1: Received: from unknown (74.69.136.188) by 
smtpauth12.prod.mesa1.secureserver.net (64.202.165.35) with ESMTP; 16 
May 2009 17:24:40 -0000Hostname verified: 
cpe-74-69-136-188.stny.res.rr.com
Possible forgery. Supposed receiving system not associated with any of 
your mailhostsWill not trust anything beyond this header

===========

TIA,

Twayne`


From bcs1 at spamcop.net  Sat May 16 15:13:46 2009
From: bcs1 at spamcop.net (Bill)
Date: Sat May 16 15:15:04 2009
Subject: [Scspamcop] Re: Why does SpamCop print obvious remarks in reports?
References: <gujdv5$n62$1@news.spamcop.net> <gujqds$s2$1@news.spamcop.net>
	<gum6rp$ekl$1@news.spamcop.net> <gun1b7$b91$1@news.spamcop.net>
Message-ID: <gun39b$ifq$1@news.spamcop.net>


"Twayne" <nobody@devnull.spamcop.net> wrote in message 
news:gun1b7$b91$1@news.spamcop.net...

>
> Oh yeah; I think I heard aliens on my AM portable the other day< G
> >(wide grin). If I'm right they're due here on earth in exactly 104.65
> hours! But they said they're coming to learn to  "serve man", so ... lol! 
> (Ya gotta recall the show).
>
> Regards,
>
> Twayne
>
>

 I DO!!!

 LMAO...
 that was a big cookbook too wasn't it?


 well, now we've given away our age... LOL 


From bcs1 at spamcop.net  Sat May 16 15:28:00 2009
From: bcs1 at spamcop.net (Bill)
Date: Sat May 16 15:30:03 2009
Subject: [Scspamcop] cannot resolve?
Message-ID: <gun441$n24$1@news.spamcop.net>

Hi, I think i saw a thread on this situation a while back and I can't seem 
to find it, so if i'm being redundant I apologize in advance.

 I'm seeing many instances where reporting says :

Finding links in message body
Recurse multipart:
   Parsing text part
   Parsing HTML part

Resolving link obfuscation
   http://curtcome.com/
   Host curtcome.com (checking ip) IP not found ; curtcome.com discarded as 
fake.

Tracking link: http://curtcome.com/
No recent reports, no history available

Cannot resolve http://curtcome.com/

The fact is that the domain does resolve...

C:\Documents and Settings\User>nslookup curtcome.com
Server:  72.37.xxx.xxx.rdns.mydnsservers.com  <- obfusctaed
Address:  72.37.xxx.xxx

Non-authoritative answer:
Name:    curtcome.com
Addresses:  220.248.167.110, 220.248.184.7

 and the web page is live as of the time of posting this.
 here's the tracking URL from this particular spam.
http://www.spamcop.net/sc?id=z2897109200z586985d72f4a95053ded485bdb25866bz

any ideas?

 Thanks
Bill





From MikeE at ster.invalid  Sat May 16 15:39:07 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Sat May 16 15:40:04 2009
Subject: [Scspamcop] Re: Received Line & mailshost Q.
References: <gun1vg$d26$1@news.spamcop.net>
Message-ID: <gun4oi$pel$1@news.spamcop.net>

Twayne wrote:

www.spamcop.net/sc?id=z2897121948z665d427c22bfb4f1f3feb7330f0bd2eaz

This looks to me like a personal straightup mail written from Tim/Timothy
Lungstrom who has the domains lungstrom.com and krackedpress.com.  The
mailservers for his domains are secureserver.net.  He mailed the item to
you and CCed several other people.  The mailing address he used for you
was at twaynesdomain whose mailservice is provided by netfirms.

> I'm a free reporter yet and submit spams via e-mail.  I've come across
> situations like this before, specifically the " ... Supposed receiving
> system not associated with any of your mailhostsWill ... " part.

SC is unfamiliar with lungstrom's secureserver, so it fails to chain back
thru' the server to Tim's 'residential' IP address, a stny.res.rr.com
which is not blocklisted anywhere as a proxy, it is just known as a
dynamic IP - normal.

That email does not look like a 'spam' as it is simply social, not
promoting anything and containing no bogosity.  Perhaps it was
misaddressed to something that is served by your domainname.

>    Is it simply saying that the top received line should be my own ISP
> but isn't, so either my SC mailhosts setup is borked or it's a spam?  Or
> is it trying to tell me something else?  This is definietly spam, and I
> have no e-mail possiblities anything like what's listed there, so ... .

SC only recognized the top line as yours.  When it looked at the 'by'
field of the 2nd line, that was not in its database as belonging to your
mailhost, so it *aggressively* stopped chaining. SC's aggressiveness in
chain cessation/breaking algorithm is different from mailhosted to
nonmailhosted.

This is a tracker from the same spam parsed for a nonmailhosted account.
Notice how much harder SC tries to chain thru' the secureserver line:

http://www.spamcop.net/sc?id=z2897339951zf9a7ed3eae3dd580585a6b7df66af701z

Received:  from unknown (74.69.136.188) by
smtpauth12.prod.mesa1.secureserver.net (64.202.165.35) with ESMTP; 16 May
2009 17:24:40 -0000
Masking IP-based 'by' clause.
Received:  from unknown (74.69.136.188) by
smtpauth12.prod.mesa1.secureserver.net with ESMTP; 16 May 2009
17:24:40 -0000
74.69.136.188 found
host 74.69.136.188 = cpe-74-69-136-188.stny.res.rr.com. (cached)
cpe-74-69-136-188.stny.res.rr.com. is 74.69.136.188
64.202.165.35 not listed in dnsbl.njabl.org ( 127.0.0.9 )
64.202.165.35 not listed in cbl.abuseat.org
64.202.165.35 not listed in dnsbl.sorbs.net
64.202.165.35 is not an MX for q1-in-norm.netfirms.com
64.202.165.35 is not an MX for smtpauth12.prod.mesa1.secureserver.net
64.202.165.35 is not an MX for smtpauth12.prod.mesa1.secureserver.net
64.202.165.35 is not an MX for q1-in-norm.netfirms.com
64.202.165.35 not listed in dnsbl.njabl.org ( 127.0.0.3 )
Possible spammer: 74.69.136.188
Host smtpauth12.prod.mesa1.secureserver.net (checking ip) = 64.202.165.35
64.202.165.35 not listed in dnsbl.njabl.org ( 127.0.0.9 )
64.202.165.35 not listed in cbl.abuseat.org
64.202.165.35 not listed in dnsbl.sorbs.net
   Chain test:smtpauth12.prod.mesa1.secureserver.net =?
smtpauth12.prod.mesa1.secureserver.net
   smtpauth12.prod.mesa1.secureserver.net and
smtpauth12.prod.mesa1.secureserver.net have same hostname - chain verified
Possible relay: 64.202.165.35
64.202.165.35 has already been sent to relay testers
Received line accepted

If SC were more familiar with 64.202.165.35, it would determine it to be a
relay and not name it as a source, but the RR dynamic instead.  But at the
present time, SC 'has to' stop at the relay IP

74.69.136.188 discarded as a forgery, using 64.202.165.35
Tracking message source: 64.202.165.35:

<cancelled report>

> 64.202.165.35 is godaddy.com so I quit looking any further there.  I
> still get a lot of spam that seems to include them.

SC would rather not name that server.



-- 
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid  Sat May 16 16:06:42 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Sat May 16 16:10:04 2009
Subject: [Scspamcop] Re: cannot resolve?
References: <gun441$n24$1@news.spamcop.net>
Message-ID: <gun6c8$v5g$1@news.spamcop.net>

Bill wrote:

> Resolving link obfuscation
>    http://curtcome.com/
>    Host curtcome.com (checking ip) IP not found ; curtcome.com
> discarded as fake.

If I put the naked domainname into the parser, SC can't resolve it.

Parsing input: curtcome.com
Cannot resolve curtcome.com

My nameserver resolves it promptly.  If you subscribe to a service at
dnsstuff, you can use their tool to analyze the quality of the nameservice
for the name;  but it still doesn't matter, because the nameservers could
block resolving it for SC, or they could be too pokey for SC's tastes.

> Non-authoritative answer:
> Name:    curtcome.com
> Addresses:  220.248.167.110, 220.248.184.7

My nameservice sez

nslookup 220.248.167.110
Canonical name: curtcome.com
Addresses:
  220.248.167.110
  220.248.184.7

If I try to contact the authoritative nameservers for the name, I wait
forever;

--- 05/16/09 12:55:24 US Mountain Standard Time
--- DNS lookup for "curtcome.com", please wait...
--- contacting nameserver: 207.69.188.185 [207.69.188.185]
--- Found authoritative nameserver: ns1.smartdnshosting.com
--- contacting nameserver: ns1.smartdnshosting.com [203.93.212.239]
<many many minutes go by and nothing happens>

> any ideas?

The name has nameserver problems, but in spite of that it is able to
function.

The disadvantage of the design of the SC notification process is that -1-
it wastes time trying to resolve the names of spamsites -2- it wastes
bandwidth notifying providers sometimes derived from that process -3- it
fails to feed the spamsite's name into sc-surbl when it fails to resolve
the name

It would be better if SC did not try to resolve the name, did not try to
notify the provider, and simply fed the name to the sc-surbl based on the
fact that it was reported by a SC reporter.


-- 
Mike Easter
kibitzer, not SC admin

From bcs1 at spamcop.net  Sat May 16 16:49:48 2009
From: bcs1 at spamcop.net (Bill)
Date: Sat May 16 16:50:03 2009
Subject: [Scspamcop] Re: cannot resolve?
References: <gun441$n24$1@news.spamcop.net> <gun6c8$v5g$1@news.spamcop.net>
Message-ID: <gun8td$b15$1@news.spamcop.net>


"Mike Easter" <MikeE@ster.invalid> wrote in message 
news:gun6c8$v5g$1@news.spamcop.net...
> Bill wrote:
>
>> Resolving link obfuscation
>>    http://curtcome.com/
>>    Host curtcome.com (checking ip) IP not found ; curtcome.com
>> discarded as fake.
>
> If I put the naked domainname into the parser, SC can't resolve it.
>
> Parsing input: curtcome.com
> Cannot resolve curtcome.com
>
> My nameserver resolves it promptly.  If you subscribe to a service at
> dnsstuff, you can use their tool to analyze the quality of the nameservice
> for the name;  but it still doesn't matter, because the nameservers could
> block resolving it for SC, or they could be too pokey for SC's tastes.
>
>> Non-authoritative answer:
>> Name:    curtcome.com
>> Addresses:  220.248.167.110, 220.248.184.7
>
> My nameservice sez
>
> nslookup 220.248.167.110
> Canonical name: curtcome.com
> Addresses:
>  220.248.167.110
>  220.248.184.7
>
> If I try to contact the authoritative nameservers for the name, I wait
> forever;
>
> --- 05/16/09 12:55:24 US Mountain Standard Time
> --- DNS lookup for "curtcome.com", please wait...
> --- contacting nameserver: 207.69.188.185 [207.69.188.185]
> --- Found authoritative nameserver: ns1.smartdnshosting.com
> --- contacting nameserver: ns1.smartdnshosting.com [203.93.212.239]
> <many many minutes go by and nothing happens>
>
>> any ideas?
>
> The name has nameserver problems, but in spite of that it is able to
> function.
>
> The disadvantage of the design of the SC notification process is that -1-
> it wastes time trying to resolve the names of spamsites -2- it wastes
> bandwidth notifying providers sometimes derived from that process -3- it
> fails to feed the spamsite's name into sc-surbl when it fails to resolve
> the name
>
> It would be better if SC did not try to resolve the name, did not try to
> notify the provider, and simply fed the name to the sc-surbl based on the
> fact that it was reported by a SC reporter.
>
>
> -- 
> Mike Easter
> kibitzer, not SC admin
>

aggreed, because i'm certain i'm not the only one of us sc users who got 
this particular one and the "No recent reports, no history available" is a 
little disenheartening when it means that some way or another a spammer is 
avoiding being reported at some level.

 Thanks Mike.
Bill


From nobody at devnull.spamcop.net  Mon May 18 11:50:00 2009
From: nobody at devnull.spamcop.net (Twayne)
Date: Mon May 18 11:50:04 2009
Subject: [Scspamcop] Re: Why does SpamCop print obvious remarks in reports?
References: <gujdv5$n62$1@news.spamcop.net> <gujqds$s2$1@news.spamcop.net>
	<gum6rp$ekl$1@news.spamcop.net> <gun1b7$b91$1@news.spamcop.net>
	<gun39b$ifq$1@news.spamcop.net>
Message-ID: <gus02u$bij$1@news.spamcop.net>

Bill wrote:
> "Twayne" <nobody@devnull.spamcop.net> wrote in message
> news:gun1b7$b91$1@news.spamcop.net...
>
>>
>> Oh yeah; I think I heard aliens on my AM portable the other day< G
>>> (wide grin). If I'm right they're due here on earth in exactly
>>> 104.65
>> hours! But they said they're coming to learn to  "serve man", so ...
>> lol! (Ya gotta recall the show).
>>
>> Regards,
>>
>> Twayne
>>
>>
>
> I DO!!!
>
> LMAO...
> that was a big cookbook too wasn't it?
>
>
> well, now we've given away our age... LOL

Well, I could say my gramps recorded it for me, but ... I'd be lying<G>

lol,
Twayne` 


From nobody at devnull.spamcop.net  Mon May 18 12:11:22 2009
From: nobody at devnull.spamcop.net (Twayne)
Date: Mon May 18 12:15:03 2009
Subject: [Scspamcop] Re: Received Line & mailshost Q.
References: <gun1vg$d26$1@news.spamcop.net> <gun4oi$pel$1@news.spamcop.net>
Message-ID: <gus1b0$ff8$1@news.spamcop.net>

Mike Easter wrote:
> Twayne wrote:
>
> www.spamcop.net/sc?id=z2897121948z665d427c22bfb4f1f3feb7330f0bd2eaz
>
> This looks to me like a personal straightup mail written from
> Tim/Timothy Lungstrom who has the domains lungstrom.com and
> krackedpress.com.  The mailservers for his domains are
> secureserver.net.  He mailed the item to you and CCed several other
> people.  The mailing address he used for you was at twaynesdomain
> whose mailservice is provided by netfirms.
>
>> I'm a free reporter yet and submit spams via e-mail.  I've come
>> across situations like this before, specifically the " ... Supposed
>> receiving system not associated with any of your mailhostsWill ... "
>> part.
>

...

> SC would rather not name that server.

Boy, I don't think I'll ever get this stuff straight in my head!

I am familiar with krackedpress but never noticed it anywhere in the 
lookups; I know it from newsgroup participation.  He may have seen me on 
news.netobjects.com where you have to give up your e-mail address to 
participate, so I created that address to use there originally. But I 
got lazy and used it for other groups too, so it isn't too hard to 
connect with me if you know where I hang out.  On most of the groups I 
frequent I clearly indicate that I use a fake address and consider any 
mail from a newsgroup spam, though.

 Personally I think it's someone phishing to validate adresses becuse of 
other very similar mails I've received but all with different trace 
information.  AFAIK they haven't repeated but I only get like one a 
month so I'm not sure of that.  They're good enough I actually end up 
looking at the content too and they are never relevant to me in any way; 
and no links, drops, nothing for contact info in the body.  Maybe 
they're just secret admirers<g>!  Or, accounts & address books could 
have been hijacked I suippose.
   That's why I was curious about the Received lines.

Thanks again, Mike.

Twayne`



From MikeE at ster.invalid  Mon May 18 14:58:38 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Mon May 18 15:00:04 2009
Subject: [Scspamcop] Re: Received Line & mailshost Q.
References: <gun1vg$d26$1@news.spamcop.net> <gun4oi$pel$1@news.spamcop.net>
	<gus1b0$ff8$1@news.spamcop.net>
Message-ID: <gusb54$slg$1@news.spamcop.net>

Twayne wrote:
> Mike Easter wrote:

>> This looks to me like a personal straightup mail written from
>> Tim/Timothy Lungstrom who has the domains lungstrom.com and
>> krackedpress.com.

> I am familiar with krackedpress but never noticed it anywhere in the
> lookups; I know it from newsgroup participation.  He may have seen me on
> news.netobjects.com where you have to give up your e-mail address to
> participate, so I created that address to use there originally. But I
> got lazy and used it for other groups too, so it isn't too hard to
> connect with me if you know where I hang out.  On most of the groups I
> frequent I clearly indicate that I use a fake address and consider any
> mail from a newsgroup spam, though.

If one were so motivated, I would predict that if you emailed him and copied
his provider's abuse address the 'stern' -- "Do not email me" -- that he
would wash your domainname's address from his list.

OTOH, if your goal is not not be listwashed but to endanger his provider's
mailserver of becoming listed, then you would report just as you did, based
on the fact that you are on some kind of 'mailing list' - whether it is a
social one or not - which list you did not opt into.

Theoretically I could report some of the social spam I get from friends of
friends who scraped my addy off of email from my friend to a 'gang' of other
To.  Social spam begets social spam.

> Thanks again, Mike.

YW.

-- 
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net  Tue May 19 13:23:37 2009
From: nobody at devnull.spamcop.net (Blue Rock)
Date: Tue May 19 13:25:04 2009
Subject: [Scspamcop] How to determine Network Owner for site InfoUSA.com?
Message-ID: <guupus$fs9$1@news.spamcop.net>

http://www.spamcop.net/sc?id=z2901524526z88318267155b0f671a3fce4c4986dfebz

I received this spam message from an organization called InfoUSA.com. 
Normally, I quick report, and I don't bother to report web site links found 
in email message.  But, when a site looks like it is hosted by a legitimate 
US provider, I manually send a report.  I have managed to get some 
spamvertised sites on legitimate US hosts shut down.

This one looks like it would be a good target for such a report.  However, I 
cannot find who the network owner for the host of this web site is.

Spamcop's parser says the report address is postmaster@abii.com.  However, 
according to whois, abii.com is a domain name owned by InfoUSA, and I think 
reporting spam to the actual spammer won't do any good.  I have tried 
tracert, and several other resources, trying to find who the actual network 
owner is.

tracert simply says that the destination network is not found:

Tracing route to infousa.com [199.125.12.10]
over a maximum of 30 hops:

  ...
 10    20 ms    19 ms    18 ms  pos-1-5-0-0-cr01.mclean.va.ibone.comcast.net 
[68.86.91.233]
 11    21 ms    21 ms    25 ms  162.97.118.113
 12  Infousa.so-4-3-0.ar2.CHI1.gblx.net [208.49.135.186]  reports: 
Destination net unreachable.

Can anybody suggest a tool or method to find the responsible network owner, 
to which spam advertising InfoUSA.com should be reported?


From MikeE at ster.invalid  Tue May 19 14:25:26 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Tue May 19 14:30:03 2009
Subject: [Scspamcop] Re: How to determine Network Owner for site InfoUSA.com?
References: <guupus$fs9$1@news.spamcop.net>
Message-ID: <guutil$vdd$1@news.spamcop.net>

Blue Rock wrote:
>
http://www.spamcop.net/sc?id=z2901524526z88318267155b0f671a3fce4c4986dfeb
z
>
> I received this spam message from an organization called InfoUSA.com.
> Normally, I quick report, and I don't bother to report web site links
> found in email message.  But, when a site looks like it is hosted by a
> legitimate US provider, I manually send a report.  I have managed to
> get some spamvertised sites on legitimate US hosts shut down.

That is a straightup html if you consider that infousa is the same as
emeraldmail - where straightup means the source = the spamvertiser.

From: "infoUSA" <infoUSA@emeraldmail-usa.com>

> This one looks like it would be a good target for such a report.
> However, I cannot find who the network owner for the host of this web
> site is.

infousa is a marketing company.  They control/ provide for/ their own
large netblock.

> Spamcop's parser says the report address is postmaster@abii.com.

That address is the rtech listed in ARIN.  There have been discussions
about some disadvantages of using SC strategy for choosing notifies.

> However, according to whois, abii.com is a domain name owned by
> InfoUSA, and I think reporting spam to the actual spammer won't do any
> good.  I have tried tracert, and several other resources, trying to
> find who the actual network owner is.

infousa owns all of the domainnames in question, infousa, emeraldmail and
all of the domainnames of the nameservers and the netspace that they
occupy.

> tracert simply says that the destination network is not found:

tracert is not a good tool to be using for several purposes.  First, many
targets don't answer ICMP pings.  Second, even if you use a port 80 tcp
ping, the route simply shows how the packets traveled to and from you and
the target and which hops echoed the ping, not what 'relationship' the
hops have with the target.

It is better to use the ASN number, except in this case it isn't very
helpful.

> Can anybody suggest a tool or method to find the responsible network
> owner, to which spam advertising InfoUSA.com should be reported?

If you use asn tools you get this info:

radb sez the asn is 3908/quest which I think is in error.  cymru sez the
asn is 12154 which I believe is correct and that is just infousa again.
serversniffer sez the asn is 12154 and I'm going with that and that the
upstreams are 29973 which has no registry entry and 701 which is
uunet/mci/verizon.  That is also what cidr report sez.

So, I don't think there is a future in going after the upstreams.  I also
don't think there is a future in going after the domainname registrar or
the nameservice, all of which is infousa all over again.

I would consider notifying infousa over the alternatives, since they
aren't listed in spamhaus as the IP or as the provider, but there isn't a
reg'd abuse.net contact for them.

IMO they are a marketing company which believes in listwashing who
doesn't have a provider that is worth notifying.  I would go for the
listwash.  That will be accomplished most efficiently using the
unsubscribe which goes to emeraldmail.



-- 
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid  Tue May 19 14:35:07 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Tue May 19 14:40:03 2009
Subject: [Scspamcop] Re: How to determine Network Owner for site InfoUSA.com?
References: <guupus$fs9$1@news.spamcop.net> <guutil$vdd$1@news.spamcop.net>
Message-ID: <guuu4q$1se$1@news.spamcop.net>

Mike Easter wrote:

> IMO they are a marketing company which believes in listwashing who
> doesn't have a provider that is worth notifying.  I would go for the
> listwash.  That will be accomplished most efficiently using the
> unsubscribe which goes to emeraldmail.

... or alternatively, if either you don't believe in listwashing or if
you think the disadvantages of unsubbing to an email marketing company
far outweigh the possible advantages (disadv. being washed from one list
and added to 9 others, eg) then you would not unsub.

Quick reporting would contribute the emerald server to the scbl tally.
Regular reporting would feed the emeraldmail and infousa to the sc-surbl
lists.

Maybe the regular reporting is the best thing you can do;  the rtech for
infousa will get the SC notify.

I almost forgot;  the emeraldmail IP (mailsource and redirector) is on
shawcable, so maybe that notify might appeal to you more.


-- 
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net  Tue May 19 14:45:09 2009
From: nobody at devnull.spamcop.net (Blue Rock)
Date: Tue May 19 14:50:03 2009
Subject: [Scspamcop] Re: How to determine Network Owner for site InfoUSA.com?
References: <guupus$fs9$1@news.spamcop.net> <guutil$vdd$1@news.spamcop.net>
	<guuu4q$1se$1@news.spamcop.net>
Message-ID: <guuunp$4e4$1@news.spamcop.net>

"Mike Easter" <MikeE@ster.invalid> wrote:
> Mike Easter wrote:
>
> Maybe the regular reporting is the best thing you can do;  the rtech for
> infousa will get the SC notify.
>
> I almost forgot;  the emeraldmail IP (mailsource and redirector) is on
> shawcable, so maybe that notify might appeal to you more.
>

Shawcable was already notified through the Quick Report, because they were 
also the source of the email.


From nobody at devnull.spamcop.net  Tue May 19 14:52:07 2009
From: nobody at devnull.spamcop.net (Blue Rock)
Date: Tue May 19 14:55:03 2009
Subject: [Scspamcop] Re: How to determine Network Owner for site InfoUSA.com?
References: <guupus$fs9$1@news.spamcop.net> <guutil$vdd$1@news.spamcop.net>
Message-ID: <guuv4u$5tn$1@news.spamcop.net>

"Mike Easter" <MikeE@ster.invalid> wrote:
>
> So, I don't think there is a future in going after the upstreams.  I also
> don't think there is a future in going after the domainname registrar or
> the nameservice, all of which is infousa all over again.
>

Thanks, Mike!

Unless I am mistaken, the Registrar for the domain infousa.com is Network 
Solutions, who seems to have an anti-spam policy.  [They also happen to be 
the registrar for my own domain name.]  I have never tried to notify a 
registrar before, somewhere I read that domain registrars tend to be 
unresponsive.  Do you think it would do any good?


From MikeE at ster.invalid  Tue May 19 15:41:35 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Tue May 19 15:45:03 2009
Subject: [Scspamcop] Re: How to determine Network Owner for site InfoUSA.com?
References: <guupus$fs9$1@news.spamcop.net> <guutil$vdd$1@news.spamcop.net>
	<guuv4u$5tn$1@news.spamcop.net>
Message-ID: <guv21e$k0h$1@news.spamcop.net>

Blue Rock wrote:
> "Mike Easter"

>> So, I don't think there is a future in going after the upstreams.  I
>> also don't think there is a future in going after the domainname
>> registrar or the nameservice, all of which is infousa all over again.
>>
>
> Thanks, Mike!
>
> Unless I am mistaken, the Registrar for the domain infousa.com is
> Network Solutions, who seems to have an anti-spam policy.  [They also
> happen to be the registrar for my own domain name.]  I have never tried
> to notify a registrar before, somewhere I read that domain registrars
> tend to be unresponsive.  Do you think it would do any good?

My 'theory' is that typically there is nothing in the contract between a
domainname registrar and the registrant which would 'compel' a registrant
to be responsible to a registrar to not use the domainname user's servers
for spam sourcing or spamvertising.

The concept of notifying some kind of provider for a spamsource or a
spamvertisement is that the provider (say website or whatever) is
providing 'support' to the spamming process - support by providing
webspace or mailservice or something else.

The idea that the domain name registration is a form of support to the
spamvertising or the mailserver's existence/function seems like a reach;
but then you /could/ say that providing webspace to a spamvertiser is a
signficantly indirect form of support.

In none of those cases is the provider - website netblock or domainname
registration - actually guilty of any 'crime' or even misbehavior.  It is
the 'job' of a domainname registrar to provide registration and record
keeping.  The registrar is doing that job.  If it were so arranged, the
registrar is also in the business of 'privatizing' the registration
information.

So, if the question is "Do I (personally, me) notify domainname
registrars?"  the answer is no, but others do.

Sometimes a particular notify is done because there isn't anything
else/(better) to do.  When you think about it, that reason isn't
necessarily a very good one.


-- 
Mike Easter
kibitzer, not SC admin

From dritz at mindspring.com  Tue May 19 15:59:38 2009
From: dritz at mindspring.com (David Ritz)
Date: Tue May 19 16:00:03 2009
Subject: [Scspamcop] Re: How to determine Network Owner for site InfoUSA.com?
References: <guupus$fs9$1@news.spamcop.net>
Message-ID: <dritz-2172BA.14593819052009@news.cesmail.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In article <guupus$fs9$1@news.spamcop.net>,
 "Blue Rock" <nobody@devnull.spamcop.net> wrote:

> http://www.spamcop.net/sc?id=z2901524526z88318267155b0f671a3fce4c4986dfebz

> I received this spam message from an organization called InfoUSA.com. 
> Normally, I quick report, and I don't bother to report web site links 
> found in email message.  But, when a site looks like it is hosted by 
> a legitimate US provider, I manually send a report.  I have managed 
> to get some spamvertised sites on legitimate US hosts shut down.

> This one looks like it would be a good target for such a report.  
> However, I cannot find who the network owner for the host of this web 
> site is.

> Spamcop's parser says the report address is postmaster@abii.com.  
> However, according to whois, abii.com is a domain name owned by 
> InfoUSA, and I think reporting spam to the actual spammer won't do 
> any good.  I have tried tracert, and several other resources, trying 
> to find who the actual network owner is.

> tracert simply says that the destination network is not found:

> Tracing route to infousa.com [199.125.12.10]
> over a maximum of 30 hops:

>   ...
>  10    20 ms    19 ms    18 ms  pos-1-5-0-0-cr01.mclean.va.ibone.comcast.net [68.86.91.233]
>  11    21 ms    21 ms    25 ms  162.97.118.113
>  12  Infousa.so-4-3-0.ar2.CHI1.gblx.net [208.49.135.186]  reports: 
       ^^^^^^^                   ^^^^^^^^
> Destination net unreachable.

> Can anybody suggest a tool or method to find the responsible network 
> owner, to which spam advertising InfoUSA.com should be reported?

   I normally trim quotes.  I'm leaving your original intact, as it 
   points to a number of interesting questions.  These questions were 
   interesting, largely because they required pulling out some unusual 
   tools, in order to answer your unasked question, "If not 
   <postmaster@abii.com> and I want to bother an upstream provider, 
   whom should I contact?"

   A quick groups.google.com search indicates a smattering of 
   InfoUSA.com remarks, but enough to suggest that they're black-hat.

      <http://tinyurl.com/ouvear>

   Please note that there are references to InfoUSA.com and epending.  
   Judging from the spam, you are a victim of this practice.
<http://www.spamcop.net/sc?id=z2901524526z88318267155b0f671a3fce4c4986dfebz;action=display>

   InfoUSA.com is greylisted by uribl.com.  This may be an indication 
   of sloppiness on their part, or an indication a malice by their 
   customers and/or affiliates.

dritz:~> host -t TXT infousa.com.multi.uribl.com ; date
infousa.com.multi.uribl.com descriptive text "Greylisted, see http://lookup.uribl.com/?domain=infousa.com"
Tue May 19 18:50:57 UTC 2009

   Now, onto the issue of routes.

dritz:~> dig www.infousa.com ; date

; <<>> DiG 9.4.3-P1 <<>> www.infousa.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51252
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.infousa.com.    IN A

;; ANSWER SECTION:
www.infousa.com.  3600  IN A  199.125.10.29
                              ^^^^^^^^^^^^^
;; AUTHORITY SECTION:
infousa.com.      108335   IN NS ponca.infousadomain.com.
infousa.com.      108335   IN NS arikara.infousadomain.com.

;; ADDITIONAL SECTION:
arikara.infousadomain.com. 69091 IN A  199.125.13.1
ponca.infousadomain.com. 69091   IN A  199.125.12.1

;; Query time: 443 msec
;; SERVER: 192.168.101.1#53(192.168.101.1)
;; WHEN: Tue May 19 14:31:10 2009
;; MSG SIZE  rcvd: 137

Tue May 19 19:31:10 UTC 2009

   Routeviews.org and cymru.com indicate that their route is AS 12154.

dritz:~> host -t TXT 10.12.125.199.asn.routeviews.org
10.12.125.199.asn.routeviews.org descriptive text "12154" "199.125.12.0" "24"
dritz:~> host -t TXT 29.10.125.199.asn.routeviews.org
29.10.125.199.asn.routeviews.org descriptive text "12154" "199.125.10.0/24" "24"

dritz:~> whois -h whois.cymru.com 199.125.12.10 ; whois -h whois.cymru.com 199.125.10.29 ; date
AS      | IP               | AS Name
12154   | 199.125.10.29    | INFOUSA - InfoUSA
12154   | 199.125.12.10    | INFOUSA - InfoUSA
Tue May 19 19:36:12 UTC 2009

   whois.radb.net has no information for either the IP your traced or 
   the ASN.

dritz:~> whois.radb.net 199.125.12.10 ; whois whois.radb.net AS12154 ; date
%  No entries found for the selected source(s).
%  No entries found for the selected source(s).
Tue May 19 19:01:44 UTC 2009

   There is a listing for [199.125.10.29] (www.infousa.com), however.  
   You may find the information useful, but it may also be stale.

dritz:~> whois -h whois.radb.net 199.125.10.29 ; date
route:              199.125.10.0/24
descr:              Qwest Communications
                    950 17th Street Suite 1900
                    Denver, CO 80202
origin:             AS3908
mnt-by:             MAINT-QWEST
changed:            dgassen@qwest.com 20021116
source:             RADB
Tue May 19 19:38:45 UTC 2009

dritz:~% whois -h whois.radb.net AS3908
aut-num:    AS3908
as-name:    UNSPECIFIED
descr:      Supernet, Inc.
admin-c:    Scott Clementoni
tech-c:     Scott Clementoni
mnt-by:     MAINT-QWEST
changed:    scott.clementoni@qwest.com 20030205
source:     RADB

   It's time to pull out a Perl script, Kai Schlichting's 
   route-leecher.pl.  <http://www.spamshield.org/route-leecher.pl>.

dritz:~> route-leecher 12154
# Randomly selected router route-views2.oregon-ix.net
# router route-views2.oregon-ix.net not responding, retrying with router route-server.as5388.net
# router route-server.as5388.net not responding, retrying with router route-server.exodus.net
# router route-server.exodus.net not responding, retrying with router route-server.gblx.net
# Using router route-server.gblx.net
# Logging into router route-server.gblx.net
# using command: sh ip bg reg ^.*_12154_.*$
# Routes transiting through or originating from AS 12154 :

69.63.115.0/24 from AS: 12154 (upstreams: 29973), 
69.63.117.0/24 from AS: 12154 (upstreams: 29973), 
69.63.119.0/24 from AS: 12154 (upstreams: 29973), 
199.125.8.0/24 from AS: 12154 (upstreams: 701), 
199.125.9.0/24 from AS: 12154 (upstreams: 29973), 
199.125.10.0/24   from AS: 12154 (upstreams: 29973),     # <=
199.125.11.0/24   from AS: 12154 (upstreams: 701), 
199.125.12.0/24   from AS: 12154 (upstreams: 29973),     # <=
199.125.13.0/24   from AS: 12154 (upstreams: 29973), 
199.125.14.0/24   from AS: 12154 (upstreams: 29973), 


- ----------end of routes for AS 12154 -----------

   AS29973 is even more of a dead end, as I cannot find any routes 
   using the same set of tools.

dritz:~> whois -h whois.cymru.com AS29973 ; date
AS Name
NO_NAME
Tue May 19 19:17:21 UTC 2009

dritz:~% whois -h whois.radb.net AS29973 ; date
%  No entries found for the selected source(s).
Tue May 19 19:46:44 UTC 2009

   The only "known" routes appear to be for 199.125.8.0/24 and 
   199.125.11.0/24.

dritz:~> whois -h whois.cymru.com AS701 ; date
AS Name
UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
Tue May 19 19:09:23 UTC 2009

   If you absolutely feel that it is necessary to annoy an upstream for 
   199.125.12.0/24, your best bet will be GBLX.net.

dritz:~> whois -h whois.abuse.net gblx.net
abuse@gblx.net (for gblx.net)

HTH.

- -- 
David Ritz <dritz@mindspring.com>
 Be kind to animals; kiss a shark.

-----BEGIN PGP SIGNATURE-----
Version: 9.10.0.500
Comment: Public Keys: <http://dritz.home.mindspring.com/keys.txt>

wj8DBQFKEw7aUrwpmRoS3usRAsEHAJ0e9i5nmEolLEG06NnddwzpAQ3lUgCg9Tmd
5qz0VOc2RPdDq/NNeKcUADA=
=Y4Bq
-----END PGP SIGNATURE-----
From nobody at devnull.spamcop.net  Tue May 19 16:44:50 2009
From: nobody at devnull.spamcop.net (Blue Rock)
Date: Tue May 19 16:45:05 2009
Subject: [Scspamcop] Re: How to determine Network Owner for site InfoUSA.com?
References: <guupus$fs9$1@news.spamcop.net>
	<dritz-2172BA.14593819052009@news.cesmail.net>
Message-ID: <guv5o7$48d$1@news.spamcop.net>

"David Ritz" <dritz@mindspring.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> "Blue Rock" <nobody@devnull.spamcop.net> wrote:
>
>> http://www.spamcop.net/sc?id=z2901524526z88318267155b0f671a3fce4c4986dfebz
>

[SNIP]

>> tracert simply says that the destination network is not found:
>
>> Tracing route to infousa.com [199.125.12.10]
>> over a maximum of 30 hops:
>
>>   ...
>>  10    20 ms    19 ms    18 ms 
>> pos-1-5-0-0-cr01.mclean.va.ibone.comcast.net [68.86.91.233]
>>  11    21 ms    21 ms    25 ms  162.97.118.113
>>  12  Infousa.so-4-3-0.ar2.CHI1.gblx.net [208.49.135.186]  reports:
>       ^^^^^^^                   ^^^^^^^^
>> Destination net unreachable.
>

[SNIP]

>   Please note that there are references to InfoUSA.com and epending.
>   Judging from the spam, you are a victim of this practice.
> <http://www.spamcop.net/sc?id=z2901524526z88318267155b0f671a3fce4c4986dfebz;action=display>
>

Infousa is definitely epending!  The address this message was sent to was an 
alias I created, just to capture email from somebody who mis-spelled my name 
in my email address.  I have never given out that alias address, or used it 
for any purpose.

[SNIP]

>
>   If you absolutely feel that it is necessary to annoy an upstream for
>   199.125.12.0/24, your best bet will be GBLX.net.
>
> dritz:~> whois -h whois.abuse.net gblx.net
> abuse@gblx.net (for gblx.net)
>

Thanks for the detailed analysis.  I considered notifying gblx.net, because 
the last server that responded to my tracert was a gblx.net server. 
However, I wasn't sure that was a legitimate way to choose the next 
responsible network, especially since the trace stopped at that point. 
Also, I found a path diagram at robtex.com, that showed there were other 
routes to infousa.com - one through UUNET, and one through that unknown ASN 
(29973) that you found.

I am still not sure that gblx.net would be the correct ones to notify.  If 
they are, I have already read their (gblx.net's) Acceptable Use Policy. 
Infousa.com is definitely in violation of that policy. 


From nobody at devnull.spamcop.net  Tue May 19 17:12:32 2009
From: nobody at devnull.spamcop.net (Blue Rock)
Date: Tue May 19 17:15:03 2009
Subject: [Scspamcop] Re: How to determine Network Owner for site InfoUSA.com?
References: <guupus$fs9$1@news.spamcop.net> <guutil$vdd$1@news.spamcop.net>
	<guuv4u$5tn$1@news.spamcop.net> <guv21e$k0h$1@news.spamcop.net>
Message-ID: <guv7c4$cui$1@news.spamcop.net>

"Mike Easter" <MikeE@ster.invalid> wrote:
> Blue Rock wrote:
>> "Mike Easter"
>
>>> So, I don't think there is a future in going after the upstreams.  I
>>> also don't think there is a future in going after the domainname
>>> registrar or the nameservice, all of which is infousa all over again.
>>>
>>
>> Thanks, Mike!
>>
>> Unless I am mistaken, the Registrar for the domain infousa.com is
>> Network Solutions, who seems to have an anti-spam policy.  [They also
>> happen to be the registrar for my own domain name.]  I have never tried
>> to notify a registrar before, somewhere I read that domain registrars
>> tend to be unresponsive.  Do you think it would do any good?
>
> My 'theory' is that typically there is nothing in the contract between a
> domainname registrar and the registrant which would 'compel' a registrant
> to be responsible to a registrar to not use the domainname user's servers
> for spam sourcing or spamvertising.
>
> The concept of notifying some kind of provider for a spamsource or a
> spamvertisement is that the provider (say website or whatever) is
> providing 'support' to the spamming process - support by providing
> webspace or mailservice or something else.
>
> The idea that the domain name registration is a form of support to the
> spamvertising or the mailserver's existence/function seems like a reach;
> but then you /could/ say that providing webspace to a spamvertiser is a
> signficantly indirect form of support.
>
> In none of those cases is the provider - website netblock or domainname
> registration - actually guilty of any 'crime' or even misbehavior.  It is
> the 'job' of a domainname registrar to provide registration and record
> keeping.  The registrar is doing that job.  If it were so arranged, the
> registrar is also in the business of 'privatizing' the registration
> information.

I realize they aren't guilty of a crime.  By the same token, neither the 
spammer's web site host, nor the spammer's email provider is guilty of a 
crime.  I only manually notify any provider when I can find a clear 
Acceptable Use Policy, or Terms of Service, posted by that provider, and I 
can demonstrate that the sender is in violation of that policy.

In this case, the registrar, Network Solutions, has posted an Acceptable Use 
Policy, and made it part of any service they offer, including Domain 
Registration.  This policy (http://www.networksolutions.com/legal/aup.jsp), 
prohibits the sending of Unsolicited Bulk Email, and use of Unconfirmed 
Mailing Lists.

>
> So, if the question is "Do I (personally, me) notify domainname
> registrars?"  the answer is no, but others do.
>
> Sometimes a particular notify is done because there isn't anything
> else/(better) to do.  When you think about it, that reason isn't
> necessarily a very good one.
>

I agree.  I am not asking if I should notify the registrar because there 
isn't anything better to do.

I have found that the majority of web hosts and email providers don't 
enforce their own AUP.  They would rather just listwash me, than lose a 
paying customer.  However, I have found a few providers that have 
immediately canceled the accounts of the spammers.  One of them did, within 
an hour of my sending them a manual report.

I guess I am asking if, in your opinion (or in the opinion of anybody more 
experienced than myself) notifying the registrar that one of their customers 
was in violation of their own policy would have any effect?  More 
specifically, would notifying Network Solutions have any effect? 


From dritz at mindspring.com  Tue May 19 17:50:02 2009
From: dritz at mindspring.com (David Ritz)
Date: Tue May 19 17:50:03 2009
Subject: [Scspamcop] Re: How to determine Network Owner for site InfoUSA.com?
References: <guupus$fs9$1@news.spamcop.net>
	<dritz-2172BA.14593819052009@news.cesmail.net>
	<guv5o7$48d$1@news.spamcop.net>
Message-ID: <dritz-F4B5AB.16500219052009@news.cesmail.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tuesday, 19 May 2009 16:44 -0400, in article <guv5o7$48d$1@news.spamcop.net>, 
   Blue Rock <nobody@devnull.spamcop.net> wrote:

> > "Blue Rock" <nobody@devnull.spamcop.net> wrote:

> >> http://www.spamcop.net/sc?id=z2901524526z88318267155b0f671a3fce4c4986dfebz

> [SNIP]

> >> tracert simply says that the destination network is not found:

> >> Tracing route to infousa.com [199.125.12.10]
> >> over a maximum of 30 hops:

> >>  11    21 ms    21 ms    25 ms  162.97.118.113
> >>  12  Infousa.so-4-3-0.ar2.CHI1.gblx.net [208.49.135.186]  reports:
> >       ^^^^^^^                   ^^^^^^^^
> >> Destination net unreachable.

> [SNIP]

> > If you absolutely feel that it is necessary to annoy an upstream for
> > 199.125.12.0/24, your best bet will be GBLX.net.

> > dritz:~> whois -h whois.abuse.net gblx.net
> > abuse@gblx.net (for gblx.net)

> Thanks for the detailed analysis.  I considered notifying gblx.net, 
> because the last server that responded to my tracert was a gblx.net 
> server. However, I wasn't sure that was a legitimate way to choose 
> the next responsible network, especially since the trace stopped at 
> that point.

   The host name, Infousa.so-4-3-0.ar2.CHI1.gblx.net, rather clearly 
   indicates that InfoUSA is a customer of Global Crossing Limited 
   (GBLX.NET).  Your complaint to <abuse@gblx.net> will not be 
   misdirected.

> Also, I found a path diagram at robtex.com, that showed there were 
> other routes to infousa.com - one through UUNET, and one through 
> that unknown ASN (29973) that you found.

   I did mention the route via AS701, which you snipped.

> > dritz:~> whois -h whois.cymru.com AS701 ; date
> > AS Name
> > UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
> > Tue May 19 19:09:23 UTC 2009

    dritz:~> whois -b verizonbusiness.com
    abuse@uu.net (for verizonbusiness.com)

<aside>
   AS702 is Verizon Business in Europe.  Should you desire to get a 
   handle on the size of things, you might want to run:

      whois -h whois.radb.net AS702
</aside>

> I am still not sure that gblx.net would be the correct ones to 
> notify.  If they are, I have already read their (gblx.net's) 
> Acceptable Use Policy. Infousa.com is definitely in violation of 
> that policy.

   <abuse@gblx.net> is the single most correct address for your 
   complaint regarding InfoUSA's epending practices.

- -- 
David Ritz <dritz@mindspring.com>
 Be kind to animals; kiss a shark.

-----BEGIN PGP SIGNATURE-----
Version: 9.10.0.500
Comment: Public Keys: <http://dritz.home.mindspring.com/keys.txt>

wj4DBQFKEymGUrwpmRoS3usRAuDcAJ4osB41rnXq8BmHVIdk/XQPbypL7QCYmhTj
sEZld/xkBLa5niVFVluXUQ==
=Ruf3
-----END PGP SIGNATURE-----
From MikeE at ster.invalid  Tue May 19 17:58:30 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Tue May 19 18:00:03 2009
Subject: [Scspamcop] Re: How to determine Network Owner for site InfoUSA.com?
References: <guupus$fs9$1@news.spamcop.net> <guutil$vdd$1@news.spamcop.net>
	<guuv4u$5tn$1@news.spamcop.net> <guv21e$k0h$1@news.spamcop.net>
	<guv7c4$cui$1@news.spamcop.net>
Message-ID: <guva25$o8i$1@news.spamcop.net>

Blue Rock wrote:
> "Mike Easter"

>> My 'theory' is that typically there is nothing in the contract between
>> a domainname registrar and the registrant which would 'compel' a
>> registrant to be responsible to a registrar to not use the domainname
>> user's servers for spam sourcing or spamvertising.

> In this case, the registrar, Network Solutions, has posted an
> Acceptable Use Policy, and made it part of any service they offer,
> including Domain Registration.  This policy
> (http://www.networksolutions.com/legal/aup.jsp), prohibits the sending
> of Unsolicited Bulk Email, and use of Unconfirmed Mailing Lists.

I can read what that sez, but it isn't clear to me whether that AUP
'operationally' pertains to those to whom netsol provides webspace or
mailservers^1 - or if in reality netsol 'cares' (where cares means that
netsol would threaten a client with something or other based on a
reporter's complaint of netsol being the registrar for a domainname that
the reporter alleges sent an unsolicited bulk commercial email)

^1 netsol sells domainnames, websites and hosting, online emarketing,
email services, SSL certificates, website security, credit card services

> I have found that the majority of web hosts and email providers don't
> enforce their own AUP.

An AUP is there for the one who 'requires' the agreement to the AUP to be
able to use as that entity wants it to be used;  the AUP isn't there for
your/ the spam reporter's personal use and interpretation.

> They would rather just listwash me, than lose a
> paying customer.  However, I have found a few providers that have
> immediately canceled the accounts of the spammers.  One of them did,
> within an hour of my sending them a manual report.

There are providers for such as webhosting who feel strongly that they
don't want their website clients to be spamming or scamming or being of
immoral character.  When you notify them, the action they take isn't
because you notified them, the action they take is based on what they
determine about their client.  Your notification may lead them to
determine something they didn't know.

> I guess I am asking if, in your opinion (or in the opinion of anybody
> more experienced than myself) notifying the registrar that one of their
> customers was in violation of their own policy would have any effect?
> More specifically, would notifying Network Solutions have any effect?

I'm saying that such a notification would only have an effect if netsol
were so inclined to care whether or not someone they sold a domainname
registration to had spammed, and if they did care, if they netsol thought
that the nature of their contract with the client were written in such a
way that they could terminate their domainname registration (or refuse to
renew it).

I cannot imagine a domainname registrar being able to 'immediately' cnx
the name registration -- the important part of which is actually the
nameservice.



-- 
Mike Easter
kibitzer, not SC admin

From nobody at spamcop.net  Tue May 19 21:19:49 2009
From: nobody at spamcop.net (RandallW)
Date: Tue May 19 21:20:03 2009
Subject: [Scspamcop] parser not working
Message-ID: <guvlrl$4hv$1@news.spamcop.net>

I attempted to sort some spam through the parser less than 2 minutes ago. 
One of the messages that appears:
Failed to load spam header: 2909482933 / 8b9e9dfae3598e57cd8b5c912203ac4c 



From dmitton at comcast.net  Tue May 19 21:40:30 2009
From: dmitton at comcast.net (Dave Mitton)
Date: Tue May 19 21:45:03 2009
Subject: [Scspamcop] Re: parser not working
References: <guvlrl$4hv$1@news.spamcop.net>
Message-ID: <hrn615dle986uftev05oju03lmkionr1ic@4ax.com>

I got the same myself on several attempts.

"RandallW" <nobody@spamcop.net> wrote:

>I attempted to sort some spam through the parser less than 2 minutes ago. 
>One of the messages that appears:
>Failed to load spam header: 2909482933 / 8b9e9dfae3598e57cd8b5c912203ac4c 
>
>
From nobody at devnull.spamcop.net  Tue May 19 22:38:27 2009
From: nobody at devnull.spamcop.net (Patto)
Date: Tue May 19 22:40:03 2009
Subject: [Scspamcop] Re: parser not working
In-Reply-To: <guvlrl$4hv$1@news.spamcop.net>
References: <guvlrl$4hv$1@news.spamcop.net>
Message-ID: <guvqf6$ls0$1@news.spamcop.net>

RandallW wrote:
> I attempted to sort some spam through the parser less than 2 minutes ago. 
> One of the messages that appears:
> Failed to load spam header: 2909482933 / 8b9e9dfae3598e57cd8b5c912203ac4c

I am finding myself in a loop - after reporting one spam, the same one 
comes up again and again.

I can only report one-by-one - send one, report it, remove all 
unreported spam, send the next, report it...
From user at domain.invalid  Tue May 19 23:07:18 2009
From: user at domain.invalid (Farelf)
Date: Tue May 19 23:10:03 2009
Subject: [Scspamcop] Re: parser not working
In-Reply-To: <guvqf6$ls0$1@news.spamcop.net>
References: <guvlrl$4hv$1@news.spamcop.net> <guvqf6$ls0$1@news.spamcop.net>
Message-ID: <guvs53$stn$1@news.spamcop.net>

Patto wrote:
> RandallW wrote:
>> I attempted to sort some spam through the parser less than 2 minutes 
>> ago. One of the messages that appears:
>> Failed to load spam header: 2909482933 / 8b9e9dfae3598e57cd8b5c912203ac4c
> 
> I am finding myself in a loop - after reporting one spam, the same one 
> comes up again and again.
> 
> I can only report one-by-one - send one, report it, remove all 
> unreported spam, send the next, report it...

Don has seen it - 
http://forum.spamcop.net/forums/index.php?s=&showtopic=10384&view=findpost&p=71538

... but this looks a little more serious than the "lie down on the couch 
for a while" prescription?  But I just submitted a spam and verified 
reports with no difficulty.  Just the one (that's all they give me these 
days).
From user at domain.invalid  Wed May 20 00:05:00 2009
From: user at domain.invalid (Farelf)
Date: Wed May 20 00:05:03 2009
Subject: [Scspamcop] Re: parser not working
In-Reply-To: <guvs53$stn$1@news.spamcop.net>
References: <guvlrl$4hv$1@news.spamcop.net> <guvqf6$ls0$1@news.spamcop.net>
	<guvs53$stn$1@news.spamcop.net>
Message-ID: <guvvh9$59a$1@news.spamcop.net>

Farelf wrote:
> Patto wrote:
<snip>
>>
>> I am finding myself in a loop - after reporting one spam, the same one 
>> comes up again and again.
>>
>> I can only report one-by-one - send one, report it, remove all 
>> unreported spam, send the next, report it...
> 
> Don has seen it - 
> http://forum.spamcop.net/forums/index.php?s=&showtopic=10384&view=findpost&p=71538 
> 
> 
> ... but this looks a little more serious than the "lie down on the couch 
> for a while" prescription?  But I just submitted a spam and verified 
> reports with no difficulty.  Just the one (that's all they give me these 
> days).

Come to think of it, the 'Unreported spam saved' link persisted after I 
had reported.  I just followed it, saw "Reports have already been sent" 
and it was no longer there.  Maybe it's not a 'loop' but a 'stutter'? 
Bad enough, but not AS bad, if so.
From nobody at spamcop.net  Wed May 20 00:19:09 2009
From: nobody at spamcop.net (RW)
Date: Wed May 20 00:20:02 2009
Subject: [Scspamcop] Re: parser not working
In-Reply-To: <guvs53$stn$1@news.spamcop.net>
References: <guvlrl$4hv$1@news.spamcop.net> <guvqf6$ls0$1@news.spamcop.net>
	<guvs53$stn$1@news.spamcop.net>
Message-ID: <gv00bp$6ke$1@news.spamcop.net>

Farelf wrote:
> Patto wrote:
>> RandallW wrote:
>>> I attempted to sort some spam through the parser less than 2 minutes 
>>> ago. One of the messages that appears:
>>> Failed to load spam header: 2909482933 / 
>>> 8b9e9dfae3598e57cd8b5c912203ac4c
>>
>> I am finding myself in a loop - after reporting one spam, the same one 
>> comes up again and again.
>>
>> I can only report one-by-one - send one, report it, remove all 
>> unreported spam, send the next, report it...
> 
> Don has seen it - 
> http://forum.spamcop.net/forums/index.php?s=&showtopic=10384&view=findpost&p=71538 
> 
> 
> ... but this looks a little more serious than the "lie down on the couch 
> for a while" prescription?  But I just submitted a spam and verified 
> reports with no difficulty.  Just the one (that's all they give me these 
> days).

There's some hot-patching going on today to fix some critical issues, 
one server at a time.  This could be you getting bounced around from 
server to server, which may not be exactly in sync, creating some errors.

If we see problems persist into Wednesday, we'll file a bug.  In the 
meantime, I'm going to bypass the couch and go straight to bed  ;-)

Richard
From Pearson_H_J at yahoo.com  Wed May 20 06:45:00 2009
From: Pearson_H_J at yahoo.com (Jim)
Date: Wed May 20 06:50:04 2009
Subject: [Scspamcop] Re: parser not working
In-Reply-To: <guvvh9$59a$1@news.spamcop.net>
References: <guvlrl$4hv$1@news.spamcop.net> <guvqf6$ls0$1@news.spamcop.net>
	<guvs53$stn$1@news.spamcop.net> <guvvh9$59a$1@news.spamcop.net>
Message-ID: <gv0mvk$uou$1@news.spamcop.net>

I find this only happens when there is a URL in the spam and Spamcop decides not to send a 
report on it.  If I put anything in the "User Notication" field" it seems I am not getting a 
repeat.
From nobody at devnull.spamcop.net  Wed May 20 10:11:59 2009
From: nobody at devnull.spamcop.net (Blue Rock)
Date: Wed May 20 10:15:04 2009
Subject: [Scspamcop] Re: How to determine Network Owner for site InfoUSA.com?
References: <guupus$fs9$1@news.spamcop.net> <guutil$vdd$1@news.spamcop.net>
	<guuv4u$5tn$1@news.spamcop.net> <guv21e$k0h$1@news.spamcop.net>
	<guv7c4$cui$1@news.spamcop.net> <guva25$o8i$1@news.spamcop.net>
Message-ID: <gv133e$qre$1@news.spamcop.net>

"Mike Easter" wrote:
> Blue Rock wrote:
>> "Mike Easter"
>
>>> My 'theory' is that typically there is nothing in the contract between
>>> a domainname registrar and the registrant which would 'compel' a
>>> registrant to be responsible to a registrar to not use the domainname
>>> user's servers for spam sourcing or spamvertising.
>
>> In this case, the registrar, Network Solutions, has posted an
>> Acceptable Use Policy, and made it part of any service they offer,
>> including Domain Registration.  This policy
>> (http://www.networksolutions.com/legal/aup.jsp), prohibits the sending
>> of Unsolicited Bulk Email, and use of Unconfirmed Mailing Lists.
>
> I can read what that sez, but it isn't clear to me whether that AUP
> 'operationally' pertains to those to whom netsol provides webspace or
> mailservers^1 - or if in reality netsol 'cares' (where cares means that
> netsol would threaten a client with something or other based on a
> reporter's complaint of netsol being the registrar for a domainname that
> the reporter alleges sent an unsolicited bulk commercial email)
>
> ^1 netsol sells domainnames, websites and hosting, online emarketing,
> email services, SSL certificates, website security, credit card services
>

I only posted a link to the AUP.  The Terms of Service is here:

http://www.networksolutions.com/legal/static-service-agreement.jsp

Under GENERAL PROVISION, it says:

"All services are governed by the general terms and conditions that are 
listed below along with the terms in the applicable schedule(s) for the 
specific services that are purchased."

Under GENERAL PROVISIONS, section 10 TERMINATION, it says:

"b. [Termination] By Us. We may terminate this Agreement or any part of the 
Network Solutions services at any time ... if we determine in our sole 
discretion that you have violated the Network Solutions Acceptable Use 
Policy, which is located on our Web site at 
http://www.networksolutions.com/legal/aup.jsp and is incorporated herein and 
made part of this Agreement by reference..."


>> I have found that the majority of web hosts and email providers don't
>> enforce their own AUP.
>
> An AUP is there for the one who 'requires' the agreement to the AUP to be
> able to use as that entity wants it to be used;  the AUP isn't there for
> your/ the spam reporter's personal use and interpretation.

The AUP is generally posted on a public web site, so that anybody can read 
and understand the policies of that company.  Whenever I decide to manually 
notify, it is after I have read the policies of the Web Host, Email 
Provider, or ISP.  My manual notification is always something to the effect 
of:

"This user has sent an email to me, in violation of your Terms of 
Service...", and then I quote the policy that has been violated.

I understand that the AUP or TOS is not for me, a third party in this 
relationship.  However, they are normally part of a legal contract between 
the provider and their customer.  I feel that I am justified in notifying a 
provider that one of their customers has violated that contract!

>
>> They would rather just listwash me, than lose a
>> paying customer.  However, I have found a few providers that have
>> immediately canceled the accounts of the spammers.  One of them did,
>> within an hour of my sending them a manual report.
>
> There are providers for such as webhosting who feel strongly that they
> don't want their website clients to be spamming or scamming or being of
> immoral character.  When you notify them, the action they take isn't
> because you notified them, the action they take is based on what they
> determine about their client.  Your notification may lead them to
> determine something they didn't know.

That is exactly my intention - to call attention to the fact that they have 
a customer violating their contract.  If the provider does not respond, I 
usually take no further action (other than to report continuing spam to 
SpamCop).  However, I have more respect for those providers that do respond, 
and that don't just listwash me.  I have noted their names, and would use 
their services in the future, or recommend them to others!

>
>> I guess I am asking if, in your opinion (or in the opinion of anybody
>> more experienced than myself) notifying the registrar that one of their
>> customers was in violation of their own policy would have any effect?
>> More specifically, would notifying Network Solutions have any effect?
>
> I'm saying that such a notification would only have an effect if netsol
> were so inclined to care whether or not someone they sold a domainname
> registration to had spammed, and if they did care, if they netsol thought
> that the nature of their contract with the client were written in such a
> way that they could terminate their domainname registration (or refuse to
> renew it).
>
> I cannot imagine a domainname registrar being able to 'immediately' cnx
> the name registration -- the important part of which is actually the
> nameservice.
>

OK, thanks!  In another thread of this post, David Ritz has pointed out that 
it would be legitimate to notify gblx.net (Global Crossing), because they 
are a supplier of service to InfoUSA.  I have read Global Crossing's Terms 
of Service - they also have an anti-spam policy.


From nobody at devnull.spamcop.net  Wed May 20 10:17:41 2009
From: nobody at devnull.spamcop.net (Blue Rock)
Date: Wed May 20 10:20:02 2009
Subject: [Scspamcop] Re: How to determine Network Owner for site InfoUSA.com?
References: <guupus$fs9$1@news.spamcop.net>
	<dritz-2172BA.14593819052009@news.cesmail.net>
	<guv5o7$48d$1@news.spamcop.net>
	<dritz-F4B5AB.16500219052009@news.cesmail.net>
Message-ID: <gv13e4$sr2$1@news.spamcop.net>

"David Ritz" wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Tuesday, 19 May 2009 16:44 -0400, in article 
> <guv5o7$48d$1@news.spamcop.net>,
>   Blue Rock <nobody@devnull.spamcop.net> wrote:
>
>> > "Blue Rock" <nobody@devnull.spamcop.net> wrote:
>
>> >> http://www.spamcop.net/sc?id=z2901524526z88318267155b0f671a3fce4c4986dfebz
>
>> [SNIP]
>
>> >> tracert simply says that the destination network is not found:
>
>> >> Tracing route to infousa.com [199.125.12.10]
>> >> over a maximum of 30 hops:
>
>> >>  11    21 ms    21 ms    25 ms  162.97.118.113
>> >>  12  Infousa.so-4-3-0.ar2.CHI1.gblx.net [208.49.135.186]  reports:
>> >       ^^^^^^^                   ^^^^^^^^
>> >> Destination net unreachable.
>
>> [SNIP]
>
>> > If you absolutely feel that it is necessary to annoy an upstream for
>> > 199.125.12.0/24, your best bet will be GBLX.net.
>
>> > dritz:~> whois -h whois.abuse.net gblx.net
>> > abuse@gblx.net (for gblx.net)
>
>> Thanks for the detailed analysis.  I considered notifying gblx.net,
>> because the last server that responded to my tracert was a gblx.net
>> server. However, I wasn't sure that was a legitimate way to choose
>> the next responsible network, especially since the trace stopped at
>> that point.
>
>   The host name, Infousa.so-4-3-0.ar2.CHI1.gblx.net, rather clearly
>   indicates that InfoUSA is a customer of Global Crossing Limited
>   (GBLX.NET).  Your complaint to <abuse@gblx.net> will not be
>   misdirected.
>
>> Also, I found a path diagram at robtex.com, that showed there were
>> other routes to infousa.com - one through UUNET, and one through
>> that unknown ASN (29973) that you found.
>
>   I did mention the route via AS701, which you snipped.
>

You are right, you did mention that route, and I overlooked it.  My 
apologies.

...

>> I am still not sure that gblx.net would be the correct ones to
>> notify.  If they are, I have already read their (gblx.net's)
>> Acceptable Use Policy. Infousa.com is definitely in violation of
>> that policy.
>
>   <abuse@gblx.net> is the single most correct address for your
>   complaint regarding InfoUSA's epending practices.
>

OK, I will notify them, thanks!


From bcs1 at spamcop.net  Wed May 20 11:51:43 2009
From: bcs1 at spamcop.net (Bill)
Date: Wed May 20 11:55:03 2009
Subject: [Scspamcop] Re: Why does SpamCop print obvious remarks in reports?
References: <gujdv5$n62$1@news.spamcop.net> <gujqds$s2$1@news.spamcop.net>
	<gum6rp$ekl$1@news.spamcop.net> <gun1b7$b91$1@news.spamcop.net>
	<gun39b$ifq$1@news.spamcop.net> <gus02u$bij$1@news.spamcop.net>
Message-ID: <gv18uf$lhc$1@news.spamcop.net>


"Twayne" <nobody@devnull.spamcop.net> wrote in message 
news:gus02u$bij$1@news.spamcop.net...

>> I DO!!!
>>
>> LMAO...
>> that was a big cookbook too wasn't it?
>>
>>
>> well, now we've given away our age... LOL
>
> Well, I could say my gramps recorded it for me, but ... I'd be lying<G>
>
> lol,
> Twayne`
>

 HAHA, me too.... 


From nobody at spamcop.net  Wed May 20 12:36:19 2009
From: nobody at spamcop.net (Newsman)
Date: Wed May 20 12:40:03 2009
Subject: [Scspamcop] Phishing VS 419
Message-ID: <pan.2009.05.20.16.36.18@spamcop.net>

Question:
Are 419 scams a variant of phishing or are phishing attempts variants of 
419 scams? Should I report phishing scams to the Secret Service's 419 
reporting address? Should I report 419 scams to CERT.GOV (note, they have 
their own phishing reporting email address to which they *request* you 
send them copies of phishing emails)???

Looking for a little guidance here. I know I've been reporting spam for a 
LONG time, but I know there are still some who are more experienced spam 
reporters than I.

Thanks!
From nobody at spamcop.net  Wed May 20 12:40:15 2009
From: nobody at spamcop.net (Newsman)
Date: Wed May 20 12:45:03 2009
Subject: [Scspamcop] Re: ConstantContact
References: <pan.2009.04.23.15.13.03@spamcop.net>
	<gsqb1r$lpi$1@news.spamcop.net> <pan.2009.04.23.18.57.57@spamcop.net>
	<gss704$dc7$1@news.spamcop.net>
Message-ID: <pan.2009.05.20.16.40.15@spamcop.net>

On Fri, 24 Apr 2009 06:47:13 -0400, Ellen wrote:
> 
> Let's not get carried away, John :-) I think their abuse peeps are good
> about herding their customers but there *are* spam complaints for CC IPs
> and they do not require COI TTBMK but they do whap spamming customers
> upside the head and do terminate. Obviously, I would be happier if COI
> were required.
> 
Well, I did say "as close to a glowing recommendation as I'm going to 
get." :D

It sounds like CC is probably about as good as you're going to get from a 
mailing-list management company. Light-grey hat, shall we say? :-)

Anyway, I've told the sales manager that we're not likely to get in too 
much trouble if we let our sales folks use CC.

From nobody at devnull.spamcop.net  Wed May 20 13:02:23 2009
From: nobody at devnull.spamcop.net (Blue Rock)
Date: Wed May 20 13:05:03 2009
Subject: [Scspamcop] Re: Phishing VS 419
References: <pan.2009.05.20.16.36.18@spamcop.net>
Message-ID: <gv1d3a$73u$1@news.spamcop.net>

"Newsman" <nobody@spamcop.net> wrote in message 
news:pan.2009.05.20.16.36.18@spamcop.net...
> Question:
> Are 419 scams a variant of phishing or are phishing attempts variants of
> 419 scams? Should I report phishing scams to the Secret Service's 419
> reporting address? Should I report 419 scams to CERT.GOV (note, they have
> their own phishing reporting email address to which they *request* you
> send them copies of phishing emails)???
>
> Looking for a little guidance here. I know I've been reporting spam for a
> LONG time, but I know there are still some who are more experienced spam
> reporters than I.
>
> Thanks!

Phishing is attempting to make you believe that a message came from a 
legitimate business (usually a bank or credit card company), in order to 
capture your password, account number, or other personal information.

419 scams are attempts to get you to belive that you will earn some reward, 
if you follow a complex script that often involves giving your account 
number to the scammer.  Many people believe that the end game for these 
scammers is to get your account number, at which point they will drain it. 
However, some 419 scams have a much more nefarious purpose, and if you give 
them your account number, they will not steal money from you.  Due to the 
general belief that the purpose of the scammer is to steal money from your 
account, the victim often trusts the scammer (when the scammer does not 
steal from him) - and this leads to even worse consequences!

See this site for more information:

http://www.fbi.gov/majcases/fraud/fraudschemes.htm

In short, phishing and 419 scams are two very different things.  I would not 
report a phishing email as if it was a 419, or vice versa. 


From nobody at spamcop.net  Wed May 20 13:22:46 2009
From: nobody at spamcop.net (Newsman)
Date: Wed May 20 13:25:02 2009
Subject: [Scspamcop] Re: Phishing VS 419
References: <pan.2009.05.20.16.36.18@spamcop.net>
	<gv1d3a$73u$1@news.spamcop.net>
Message-ID: <pan.2009.05.20.17.22.46@spamcop.net>

On Wed, 20 May 2009 13:02:23 -0400, Blue Rock wrote:

> Phishing is attempting to make you believe that a message came from a
> legitimate business (usually a bank or credit card company), in order to
> capture your password, account number, or other personal information.
> 
> 419 scams are attempts to get you to belive that you will earn some
> reward, if you follow a complex script that often involves giving your
> account number to the scammer.  Many people believe that the end game
> for these scammers is to get your account number, at which point they
> will drain it. However, some 419 scams have a much more nefarious
> purpose, and if you give them your account number, they will not steal
> money from you.  Due to the general belief that the purpose of the
> scammer is to steal money from your account, the victim often trusts the
> scammer (when the scammer does not steal from him) - and this leads to
> even worse consequences!
> 
Ok. So they operate in similar ways (i.e. both are attempting to get your 
bank/personal info for various nefarious purposes) but they are different 
things. So, I'll only report true 419 scams to the Secret Service's 419 
reporting address. I'll report just about everything else to cert.gov.

That clears it up a bit... still a bit hazy as to where the line is drawn, 
but that's OK. I think I got the main idea.
From nobody at devnull.spamcop.net  Wed May 20 14:06:53 2009
From: nobody at devnull.spamcop.net (Blue Rock)
Date: Wed May 20 14:10:04 2009
Subject: [Scspamcop] Re: Phishing VS 419
References: <pan.2009.05.20.16.36.18@spamcop.net><gv1d3a$73u$1@news.spamcop.net>
	<pan.2009.05.20.17.22.46@spamcop.net>
Message-ID: <gv1gs3$mcc$1@news.spamcop.net>


"Newsman" <nobody@spamcop.net> wrote in message 
news:pan.2009.05.20.17.22.46@spamcop.net...
> On Wed, 20 May 2009 13:02:23 -0400, Blue Rock wrote:
>
>> Phishing is attempting to make you believe that a message came from a
>> legitimate business (usually a bank or credit card company), in order to
>> capture your password, account number, or other personal information.
>>
>> 419 scams are attempts to get you to belive that you will earn some
>> reward, if you follow a complex script that often involves giving your
>> account number to the scammer.  Many people believe that the end game
>> for these scammers is to get your account number, at which point they
>> will drain it. However, some 419 scams have a much more nefarious
>> purpose, and if you give them your account number, they will not steal
>> money from you.  Due to the general belief that the purpose of the
>> scammer is to steal money from your account, the victim often trusts the
>> scammer (when the scammer does not steal from him) - and this leads to
>> even worse consequences!
>>
> Ok. So they operate in similar ways (i.e. both are attempting to get your
> bank/personal info for various nefarious purposes) but they are different
> things. So, I'll only report true 419 scams to the Secret Service's 419
> reporting address. I'll report just about everything else to cert.gov.
>
> That clears it up a bit... still a bit hazy as to where the line is drawn,
> but that's OK. I think I got the main idea.

I am sorry my answer wasn't clear.

They (419 and Phish) are both trying to steal from you.  They are both 
trying to fool you to gain your trust.  They both use email to initiate 
communications with the victim.  So, yes, from that point of view they are 
the same.  But I could say the same for some other forms of spam, as well. 
Pump and Dump, and fake pills spam both fool you into losing money.  So 
where do you draw the line between 419 and Pump and Dump?

In this case, here are a couple of places where a line can be drawn:



Email looks like it comes from a legitimate bank, credit card company, or 
other business within your own country.
(PHISH)

-------LINE-------------------

(419)
Email apparently comes from a rich grieving widow, ex-government employee, 
former president of an oil company, or other wealthy person, usually from a 
foreign country - Nigeria, promising you financial gain if you contact them, 
to help them in some way.


-OR-


Purpose is to deceptively obtain your password, or account access 
information so they can steal from your account, or steal your identity.
(PHISH)

-------LINE-------------------

(419)
Purpose is to personlly gain your confidence, so that you trust the person 
enough that you give them a bank account number, or possibly even visit 
their country to collect your money (at which pont, you are in real 
trouble).


From nobody at devnull.spamcop.net  Wed May 20 19:31:26 2009
From: nobody at devnull.spamcop.net (Twayne)
Date: Wed May 20 19:35:04 2009
Subject: [Scspamcop] Re: Phishing VS 419
References: <pan.2009.05.20.16.36.18@spamcop.net><gv1d3a$73u$1@news.spamcop.net>
	<pan.2009.05.20.17.22.46@spamcop.net>
	<gv1gs3$mcc$1@news.spamcop.net>
Message-ID: <gv23sc$fq9$1@news.spamcop.net>

Blue Rock wrote:
> "Newsman" <nobody@spamcop.net> wrote in message
> news:pan.2009.05.20.17.22.46@spamcop.net...
>> On Wed, 20 May 2009 13:02:23 -0400, Blue Rock wrote:
>>
>>> Phishing is attempting to make you believe that a message came from
>>> a legitimate business (usually a bank or credit card company), in
>>> order to capture your password, account number, or other personal
>>> information. 419 scams are attempts to get you to belive that you 
>>> will earn some
>>> reward, if you follow a complex script that often involves giving
>>> your account number to the scammer.  Many people believe that the
>>> end game for these scammers is to get your account number, at which
>>> point they will drain it. However, some 419 scams have a much more
>>> nefarious purpose, and if you give them your account number, they
>>> will not steal money from you.  Due to the general belief that the
>>> purpose of the scammer is to steal money from your account, the
>>> victim often trusts the scammer (when the scammer does not steal
>>> from him) - and this leads to even worse consequences!
>>>
>> Ok. So they operate in similar ways (i.e. both are attempting to get
>> your bank/personal info for various nefarious purposes) but they are
>> different things. So, I'll only report true 419 scams to the Secret
>> Service's 419 reporting address. I'll report just about everything
>> else to cert.gov. That clears it up a bit... still a bit hazy as to 
>> where the line is
>> drawn, but that's OK. I think I got the main idea.
>
> I am sorry my answer wasn't clear.
>
> They (419 and Phish) are both trying to steal from you.  They are both
> trying to fool you to gain your trust.  They both use email to
> initiate communications with the victim.  So, yes, from that point of
> view they are the same.  But I could say the same for some other
> forms of spam, as well. Pump and Dump, and fake pills spam both fool
> you into losing money.  So where do you draw the line between 419 and
> Pump and Dump?
> In this case, here are a couple of places where a line can be drawn:
>
>
>
> Email looks like it comes from a legitimate bank, credit card
> company, or other business within your own country.
> (PHISH)
>
> -------LINE-------------------
>
> (419)
> Email apparently comes from a rich grieving widow, ex-government
> employee, former president of an oil company, or other wealthy
> person, usually from a foreign country - Nigeria, promising you
> financial gain if you contact them, to help them in some way.
>
>
> -OR-
>
>
> Purpose is to deceptively obtain your password, or account access
> information so they can steal from your account, or steal your
> identity. (PHISH)
>
> -------LINE-------------------
>
> (419)
> Purpose is to personlly gain your confidence, so that you trust the
> person enough that you give them a bank account number, or possibly
> even visit their country to collect your money (at which pont, you
> are in real trouble).

419s usually involve somehow getting you to spend a thousand of five 
thousand to get thigns set up right with the promist of placing many 
millions into that account once everything is in place.  Sometimes 
they're referred to as "advanced fee" schemes; spend a thousand, get a 
million.  Phishing is usually after information; 419 goes directly for 
the money.

Originally they were called Nigerian scams and the the 419 scams and 
then 419 Nigerian scams, and were delivered originally by post, and then 
moved into e-mails.  Here's a link that will give you tons of reading 
information about the scam:
http://usasearch.gov/search?v%3Aproject=firstgov-web&query=nigerian+scam

and this one is a search for 419 scams, but it's all the same kind of 
information as the above:
http://usasearch.gov/search?input-form=simple-firstgov&v%3Aproject=firstgov-web&query=419+scam&x=37&y=14

The promise of millions for thousands has tricked a LOT of intelligent 
and well to do people, not just the desparate, almost broke types.  If 
you've never seen a 419 scam, these are good eye openers.  And you'll 
how they're a lot different than phishing, too.  You can do a search for 
phishing to come up with lots of articles about that end of the frauds.
HTH,

Twayne`






From nobody at spamcop.net  Wed May 20 20:03:34 2009
From: nobody at spamcop.net (RW)
Date: Wed May 20 20:05:02 2009
Subject: [Scspamcop] Re: parser not working
In-Reply-To: <gv00bp$6ke$1@news.spamcop.net>
References: <guvlrl$4hv$1@news.spamcop.net> <guvqf6$ls0$1@news.spamcop.net>
	<guvs53$stn$1@news.spamcop.net> <gv00bp$6ke$1@news.spamcop.net>
Message-ID: <gv25ol$n8p$1@news.spamcop.net>

RW wrote:

> There's some hot-patching going on today to fix some critical issues, 
> one server at a time.  This could be you getting bounced around from 
> server to server, which may not be exactly in sync, creating some errors.
> 
> If we see problems persist into Wednesday, we'll file a bug.  In the 
> meantime, I'm going to bypass the couch and go straight to bed  ;-)

This did have to do with the hot patching that occurred Tuesday and the 
servers being left not pointing at the master DB.  We're told this has 
been fixed today.

Richard
From DLipman~nospam~ at Verizon.Net  Fri May 22 06:39:11 2009
From: DLipman~nospam~ at Verizon.Net (David H. Lipman)
Date: Fri May 22 06:40:03 2009
Subject: [Scspamcop] Re: Phishing VS 419
References: <pan.2009.05.20.16.36.18@spamcop.net><gv1d3a$73u$1@news.spamcop.net>
	<pan.2009.05.20.17.22.46@spamcop.net>
	<gv1gs3$mcc$1@news.spamcop.net>
Message-ID: <gv5vcj$7up$1@news.spamcop.net>

From: "Blue Rock" <nobody@devnull.spamcop.net>


| "Newsman" <nobody@spamcop.net> wrote in message
| news:pan.2009.05.20.17.22.46@spamcop.net...
>> On Wed, 20 May 2009 13:02:23 -0400, Blue Rock wrote:

>>> Phishing is attempting to make you believe that a message came from a
>>> legitimate business (usually a bank or credit card company), in order to
>>> capture your password, account number, or other personal information.

>>> 419 scams are attempts to get you to belive that you will earn some
>>> reward, if you follow a complex script that often involves giving your
>>> account number to the scammer.  Many people believe that the end game
>>> for these scammers is to get your account number, at which point they
>>> will drain it. However, some 419 scams have a much more nefarious
>>> purpose, and if you give them your account number, they will not steal
>>> money from you.  Due to the general belief that the purpose of the
>>> scammer is to steal money from your account, the victim often trusts the
>>> scammer (when the scammer does not steal from him) - and this leads to
>>> even worse consequences!

>> Ok. So they operate in similar ways (i.e. both are attempting to get your
>> bank/personal info for various nefarious purposes) but they are different
>> things. So, I'll only report true 419 scams to the Secret Service's 419
>> reporting address. I'll report just about everything else to cert.gov.

>> That clears it up a bit... still a bit hazy as to where the line is drawn,
>> but that's OK. I think I got the main idea.

| I am sorry my answer wasn't clear.

| They (419 and Phish) are both trying to steal from you.  They are both
| trying to fool you to gain your trust.  They both use email to initiate
| communications with the victim.  So, yes, from that point of view they are
| the same.  But I could say the same for some other forms of spam, as well.
| Pump and Dump, and fake pills spam both fool you into losing money.  So
| where do you draw the line between 419 and Pump and Dump?

| In this case, here are a couple of places where a line can be drawn:



| Email looks like it comes from a legitimate bank, credit card company, or
| other business within your own country.
| (PHISH)

| -------LINE-------------------

| (419)
| Email apparently comes from a rich grieving widow, ex-government employee,
| former president of an oil company, or other wealthy person, usually from a
| foreign country - Nigeria, promising you financial gain if you contact them,
| to help them in some way.


| -OR-


| Purpose is to deceptively obtain your password, or account access
| information so they can steal from your account, or steal your identity.
| (PHISH)

| -------LINE-------------------

| (419)
| Purpose is to personlly gain your confidence, so that you trust the person
| enough that you give them a bank account number, or possibly even visit
| their country to collect your money (at which pont, you are in real
| trouble).


And if a 419 scam asks for personal information, those lines are blurred and becomes 
phishing.

-- 
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp 


From nobody at devnull.spamcop.net  Fri May 22 10:50:08 2009
From: nobody at devnull.spamcop.net (Blue Rock)
Date: Fri May 22 10:55:02 2009
Subject: [Scspamcop] Re: Phishing VS 419
References: <pan.2009.05.20.16.36.18@spamcop.net><gv1d3a$73u$1@news.spamcop.net>
	<pan.2009.05.20.17.22.46@spamcop.net>
	<gv1gs3$mcc$1@news.spamcop.net> <gv5vcj$7up$1@news.spamcop.net>
Message-ID: <gv6e33$aqd$1@news.spamcop.net>


"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message 
news:gv5vcj$7up$1@news.spamcop.net...
> From: "Blue Rock" <nobody@devnull.spamcop.net>
>
>
> | "Newsman" <nobody@spamcop.net> wrote in message
> | news:pan.2009.05.20.17.22.46@spamcop.net...
>>> On Wed, 20 May 2009 13:02:23 -0400, Blue Rock wrote:
>
>
>
> | Email looks like it comes from a legitimate bank, credit card company, 
> or
> | other business within your own country.
> | (PHISH)
>
> | -------LINE-------------------
>
> | (419)
> | Email apparently comes from a rich grieving widow, ex-government 
> employee,
> | former president of an oil company, or other wealthy person, usually 
> from a
> | foreign country - Nigeria, promising you financial gain if you contact 
> them,
> | to help them in some way.
>
>
> | -OR-
>
>
> | Purpose is to deceptively obtain your password, or account access
> | information so they can steal from your account, or steal your identity.
> | (PHISH)
>
> | -------LINE-------------------
>
> | (419)
> | Purpose is to personlly gain your confidence, so that you trust the 
> person
> | enough that you give them a bank account number, or possibly even visit
> | their country to collect your money (at which pont, you are in real
> | trouble).
>
>
> And if a 419 scam asks for personal information, those lines are blurred 
> and becomes
> phishing.
>

I don't think so, because a 419 is still not a message that is disguised 
such that it appears to come from a legitimate bank, credit card company, or 
other business.

I think we are just arguing semantics here.  Do you, or does anybody, have 
an example of a spam email message, where it is not clear whether it is a 
phish, or a 419?  If so, please post a tracker link to it.


From nobody at devnull.spamcop.net  Fri May 22 13:14:26 2009
From: nobody at devnull.spamcop.net (Twayne)
Date: Fri May 22 13:15:03 2009
Subject: [Scspamcop] Re: Phishing VS 419
References: <pan.2009.05.20.16.36.18@spamcop.net><gv1d3a$73u$1@news.spamcop.net>
	<pan.2009.05.20.17.22.46@spamcop.net>
	<gv1gs3$mcc$1@news.spamcop.net> <gv5vcj$7up$1@news.spamcop.net>
	<gv6e33$aqd$1@news.spamcop.net>
Message-ID: <gv6mhd$q6b$1@news.spamcop.net>

Blue Rock wrote:
> "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
> news:gv5vcj$7up$1@news.spamcop.net...
>> From: "Blue Rock" <nobody@devnull.spamcop.net>
>>
>>
>>> "Newsman" <nobody@spamcop.net> wrote in message
>>> news:pan.2009.05.20.17.22.46@spamcop.net...
>>>> On Wed, 20 May 2009 13:02:23 -0400, Blue Rock wrote:
>>
>>
>>
>>> Email looks like it comes from a legitimate bank, credit card
>>> company, or other business within your own country.
>>> (PHISH)
>>
>>> -------LINE-------------------
>>
>>> (419)
>>> Email apparently comes from a rich grieving widow, ex-government
>>> employee, former president of an oil company, or other wealthy
>>> person, usually from a foreign country - Nigeria, promising you
>>> financial gain if you contact them, to help them in some way.
>>
>>
>>> -OR-
>>
>>
>>> Purpose is to deceptively obtain your password, or account access
>>> information so they can steal from your account, or steal your
>>> identity. (PHISH)
>>
>>> -------LINE-------------------
>>
>>> (419)
>>> Purpose is to personlly gain your confidence, so that you trust the
>>> person enough that you give them a bank account number, or possibly
>>> even visit their country to collect your money (at which pont, you
>>> are in real trouble).
>>
>>
>> And if a 419 scam asks for personal information, those lines are
>> blurred and becomes
>> phishing.
>>
>
> I don't think so, because a 419 is still not a message that is
> disguised such that it appears to come from a legitimate bank, credit
> card company, or other business.
>
> I think we are just arguing semantics here.  Do you, or does anybody,
> have an example of a spam email message, where it is not clear
> whether it is a phish, or a 419?  If so, please post a tracker link
> to it.

There probably aren't any Blue, but I'm not sure it matters at all. 
I'll bet there have been some 419 scams that are more directed to the 
recipients, just to bring it more authenticity, though.  If someone sent 
me $5000 up front money for a regular scam I might take the time to 
spend a thousand of it to have someone go out and find the public info 
to give it more of a social phish appearance than a regular 419.  It 
would though, still be wanting the advance fees before I got my money, 
so ... the aspects of both, except the part about phising not asking for 
anything illegal sounding of course, would still be there.
   It's something that those who haven't seen plenty of each will have 
differeing opinions on and there isn't a lot one can say, really, about 
it not happening.  I can see why some may feel as T. did, and can fully 
understand why.  At least it shows there is a working brain behind it, 
unlike some who post here<g>.

Just for the sake of anyone reading, Nigerian 419 scams seldom come from 
Nigeria anymore.  I've seen one from France, a couple with unnamed 
countries, other countries in South Africa, South America  and probably 
others I've forgotten.  I've heard there are even still a few going via 
the Post, the original medium for sending them; never seen one of those.
   They are ALWAYS advance fee frauds, though; thus the changing names 
over time.  A lot of money and even a few lives have been lost to those 
criminals, if  you can believe some sources.

Cheers,

Twayne` 


From nobody at spamcop.net  Fri May 22 20:06:44 2009
From: nobody at spamcop.net (bar0)
Date: Fri May 22 20:10:02 2009
Subject: [Scspamcop] Re: Phishing VS 419
References: <pan.2009.05.20.16.36.18@spamcop.net><gv1d3a$73u$1@news.spamcop.net>
	<pan.2009.05.20.17.22.46@spamcop.net>
	<gv1gs3$mcc$1@news.spamcop.net> <gv5vcj$7up$1@news.spamcop.net>
	<gv6e33$aqd$1@news.spamcop.net>
Message-ID: <gv7emo$pjp$1@news.spamcop.net>


"Blue Rock" <nobody@devnull.spamcop.net> wrote in message 
news:gv6e33$aqd$1@news.spamcop.net...
>
......
>>
>> And if a 419 scam asks for personal information, those lines are blurred 
>> and becomes
>> phishing.
>>
>
> I don't think so, because a 419 is still not a message that is disguised 
> such that it appears to come from a legitimate bank, credit card company, 
> or other business.
>
> I think we are just arguing semantics here.  Do you, or does anybody, have 
> an example of a spam email message, where it is not clear whether it is a 
> phish, or a 419?  If so, please post a tracker link to it.


The definition depends on the person using it, Hotmail, for example requests 
users mark as phish any mail asking for personal information.

That includes almost all 419, and other (like lotto) advance fee spams I 
have ever seen. I suppose this could be stretched to include pecker and 
other spams which ultimately want a credit card number and (nominally) a 
delivery address. 


From nobody at devnull.spamcop.net  Sat May 23 08:21:20 2009
From: nobody at devnull.spamcop.net (Miss Betsy)
Date: Sat May 23 08:25:03 2009
Subject: [Scspamcop] Re: Phishing VS 419
In-Reply-To: <gv5vcj$7up$1@news.spamcop.net>
References: <pan.2009.05.20.16.36.18@spamcop.net><gv1d3a$73u$1@news.spamcop.net>
	<pan.2009.05.20.17.22.46@spamcop.net>
	<gv1gs3$mcc$1@news.spamcop.net> <gv5vcj$7up$1@news.spamcop.net>
Message-ID: <gv8pn5$41f$1@news.spamcop.net>



"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message 
news:gv5vcj$7up$1@news.spamcop.net...
<snip>
> | In this case, here are a couple of places where a line can be drawn:
>
> | Email looks like it comes from a legitimate bank, credit card company, 
> or
> | other business within your own country.
> | (PHISH)
>
> | -------LINE-------------------
>
> | (419)
> | Email apparently comes from a rich grieving widow, ex-government 
> employee,
> | former president of an oil company, or other wealthy person, usually 
> from a
> | foreign country - Nigeria, promising you financial gain if you contact 
> them,
> | to help them in some way.
>
>
> | -OR-
>
>
> | Purpose is to deceptively obtain your password, or account access
> | information so they can steal from your account, or steal your identity.
> | (PHISH)
>
> | -------LINE-------------------
>
> | (419)
> | Purpose is to personlly gain your confidence, so that you trust the 
> person
> | enough that you give them a bank account number, or possibly even visit
> | their country to collect your money (at which pont, you are in real
> | trouble).
>
>
> And if a 419 scam asks for personal information, those lines are blurred 
> and becomes
> phishing.

Any scam that intends to separate you from your money is a felony.  It is 
the manner in which they go about it that distinguishes one scam from 
another.

PHISH = a scammer posing as a legitimate business (online this is done by 
making websites that look exactly like the legitimate business - usually 
banks or credit card companies) in order to trick you into giving him your 
personal account numbers, etc. so that then they may use them to act as you. 
They may clean out your account, charge things to your credit card, apply 
for loans, etc.  The victim is unsuspecting and does not realize that his 
personal information is being stolen.

419 = a scammer who promises you  a lot more money if you pay him money for 
various reasons that he says will expedite the payment to you.  It is also 
called 'advance fee'   If they can convince you to give them your account 
number, they may then clean out all your money.  However, some advance fee 
scams just disappear after you advance them the money.  The victim is fully 
aware that he is participating in a slightly illegal transaction, but is 
willing to take the risk to get a great deal of money.  There are lots of 
variations that are not from Nigeria.  There was one where a supposed 
soldier in Iraq had found money and needed help getting it back to the US.

Other advance fee scams, like 'lottery winner', are technically not 419 
scams which specifically involve an official or other person who has an 
insider position offering you a cut if you help him/her get the money out of 
the country saying that money for bribes, etc. are needed to do this and 
that you will be paid back when the money is deposited to your account.  In 
some 'advance fee' schemes like the lottery, the victim does not know that 
the offer is bogus; in others, like the 419, the victim participates knowing 
that it is not an above board transaction.

Phish refers specifically to emails that are designed to look, read, and 
contain links that look like real links, but go to a bogus website that 
looks like the real thing and all of this is done to gain personal 
information to use to get money or be able to charge things.  Offline, it is 
more difficult to impersonate a legitimate business, however it has been 
done.  Sometimes phone calls can seem 'real' and also letters.  Usually, 
however, the offline impersonations have not been to get personal 
information to use to gain money, but to get the victim to give them money 
thinking that the bank or business has that kind of fee.  So the style of 
Phishes is peculiar to the internet.

419 or advance fee scams have been around a long time by letter and fax - in 
fact, they still show up.  There is no difference in the approach by letter, 
fax, or email.

In both kinds of scams, I understand that law enforcement does not act 
unless the receiver is actually a victim and has lost a significant amount 
of money.  At this time, IMHO, it is unnecessary to report either phishes or 
419 scams to law enforcement.  I am sure that they have spam traps to get 
all the evidence that they need.  The value of reporting phishes and scams 
is to get the IP addresses where they come from on blocklists so that nobody 
gets their email, to alert ISPs to abuse (the stakes are so high that 
scammers can work around the controls set for high volume spam), and to 
alert companies who are affected so they can warn their customers.

Reporting to 'junk' in those email services that have such a thing is also a 
good idea so that better content filters can be devised.

Miss Betsy
an almost new internet user










 

From kopfj at worldnet.att.net  Sat May 23 13:34:36 2009
From: kopfj at worldnet.att.net (John O. Kopf)
Date: Sat May 23 13:35:04 2009
Subject: [Scspamcop] Re: Phishing VS 419
In-Reply-To: <gv8pn5$41f$1@news.spamcop.net>
References: <pan.2009.05.20.16.36.18@spamcop.net><gv1d3a$73u$1@news.spamcop.net>
	<pan.2009.05.20.17.22.46@spamcop.net>
	<gv1gs3$mcc$1@news.spamcop.net> <gv5vcj$7up$1@news.spamcop.net>
	<gv8pn5$41f$1@news.spamcop.net>
Message-ID: <gv9bve$3i8$1@news.spamcop.net>

Miss Betsy wrote:
> 
SNIP
> 
> In both kinds of scams, I understand that law enforcement does not act 
> unless the receiver is actually a victim and has lost a significant 
> amount of money.  At this time, IMHO, it is unnecessary to report either 
> phishes or 419 scams to law enforcement.  I am sure that they have spam 
> traps to get all the evidence that they need.  The value of reporting 
> phishes and scams is to get the IP addresses where they come from on 
> blocklists so that nobody gets their email, to alert ISPs to abuse (the 
> stakes are so high that scammers can work around the controls set for 
> high volume spam), and to alert companies who are affected so they can 
> warn their customers.
> 
> Reporting to 'junk' in those email services that have such a thing is 
> also a good idea so that better content filters can be devised.
> 
> Miss Betsy
> an almost new internet user

It depends on which "law enforcement" you report it to.  I have not been 
a victim, but report *all* 419's to "419scam@ultrascan.nl", which is an 
agency in Holland that also covers Spain.

Occasionally they send me a press release (this one dated 6/16/2007 1:53 
PM):


Today 111 419 advance fee scammers arrested in Amsterdam

The amsterdam police arrested 111 mainly Nigerian fraudsters in a
nightclub where they celebrated their weekly victories, scamming
gullible victims from all over the world.

Most will be processed as illegal and send back to Nigeria, 8 will be
processed in The Netherlands because they carried false passports.

Regards

419Unit


John Kopf
From nobody at devnull.spamcop.net  Sat May 23 16:26:44 2009
From: nobody at devnull.spamcop.net (Miss Betsy)
Date: Sat May 23 16:30:04 2009
Subject: [Scspamcop] Re: Phishing VS 419
In-Reply-To: <gv9bve$3i8$1@news.spamcop.net>
References: <pan.2009.05.20.16.36.18@spamcop.net><gv1d3a$73u$1@news.spamcop.net>
	<pan.2009.05.20.17.22.46@spamcop.net>
	<gv1gs3$mcc$1@news.spamcop.net> <gv5vcj$7up$1@news.spamcop.net>
	<gv8pn5$41f$1@news.spamcop.net> <gv9bve$3i8$1@news.spamcop.net>
Message-ID: <gv9m58$n3u$1@news.spamcop.net>



"John O. Kopf" <kopfj@worldnet.att.net> wrote in message 
news:gv9bve$3i8$1@news.spamcop.net...
> Miss Betsy wrote:
>>
> SNIP
>>
> It depends on which "law enforcement" you report it to.  I have not been a 
> victim, but report *all* 419's to "419scam@ultrascan.nl", which is an 
> agency in Holland that also covers Spain.
>
> Occasionally they send me a press release (this one dated 6/16/2007 1:53 
> PM):
>
>
> Today 111 419 advance fee scammers arrested in Amsterdam
>
> The amsterdam police arrested 111 mainly Nigerian fraudsters in a
> nightclub where they celebrated their weekly victories, scamming
> gullible victims from all over the world.
>
> Most will be processed as illegal and send back to Nigeria, 8 will be
> processed in The Netherlands because they carried false passports.
>

Well, since the scammers  were celebrating their 'victories' perhaps there 
/were/ victims who lost money.  I would think that just writing and sending 
the email would qualify for arrest so that gullible people do not lose their 
money, but I don't think it is so.  It might help law enforcement to find 
the scammer to receive forwarded copies of the spam, but, again, I would 
think that law enforcement would rely on their own spam traps just to avoid 
possible 'reporter errors' so they don't waste time on a false lead.

Miss Betsy
an almost new internet user

 

From me at privacy.net  Sat May 23 19:09:48 2009
From: me at privacy.net (Michael R N Dolbear)
Date: Sat May 23 19:10:03 2009
Subject: [Scspamcop] Re: Phishing VS 419
References: <pan.2009.05.20.16.36.18@spamcop.net><gv1d3a$73u$1@news.spamcop.net>
	<pan.2009.05.20.17.22.46@spamcop.net>
	<gv1gs3$mcc$1@news.spamcop.net> <gv5vcj$7up$1@news.spamcop.net>
	<gv8pn5$41f$1@news.spamcop.net>
Message-ID: <01c9dbe7$4d23f420$LocalHost@default>

Miss Betsy <nobody@devnull.spamcop.net> wrote 

> Any scam that intends to separate you from your money is a felony. 
It is 
> the manner in which they go about it that distinguishes one scam from

> another.

Either a tautology or not true.

Thus "recognized UniversityDegree based on work or life experience from
University within 10 days" is a scam because 'recognised' is
fraudulently stated. but probably not a felony and certainly not if
'recognised' is changed to 'genuine'.

(Just had four of these leak through my SC mail filters, apparently
SpamAssassin can't stop them and the Brazil DSNBL needs updating.)

Here is your TRACKING URL - 3 hrs 20:50 23May09 
http://www.spamcop.net/sc?id=z2924541613z4bc773c8bbe352827a11cc381620136
4z

-- 
Mike D


From me at privacy.net  Sun May 24 10:51:57 2009
From: me at privacy.net (Frog Prince)
Date: Sun May 24 10:55:03 2009
Subject: [Scspamcop] Re: Phishing VS 419
References: <pan.2009.05.20.16.36.18@spamcop.net><gv1d3a$73u$1@news.spamcop.net>
	<pan.2009.05.20.17.22.46@spamcop.net>
	<gv1gs3$mcc$1@news.spamcop.net> <gv5vcj$7up$1@news.spamcop.net>
	<gv8pn5$41f$1@news.spamcop.net> <gv9bve$3i8$1@news.spamcop.net>
Message-ID: <gvbmvv$ua0$1@news.spamcop.net>



"John O. Kopf" <kopfj@worldnet.att.net> wrote in message 
news:gv9bve$3i8$1@news.spamcop.net...
: Miss Betsy wrote:
: >
: SNIP
: >
: > In both kinds of scams, I understand that law enforcement does not act
: > unless the receiver is actually a victim and has lost a significant
: > amount of money.  At this time, IMHO, it is unnecessary to report either
: > phishes or 419 scams to law enforcement.  I am sure that they have spam
: > traps to get all the evidence that they need.  The value of reporting
: > phishes and scams is to get the IP addresses where they come from on
: > blocklists so that nobody gets their email, to alert ISPs to abuse (the
: > stakes are so high that scammers can work around the controls set for
: > high volume spam), and to alert companies who are affected so they can
: > warn their customers.
: >
: > Reporting to 'junk' in those email services that have such a thing is
: > also a good idea so that better content filters can be devised.
: >
: > Miss Betsy
: > an almost new internet user
:
: It depends on which "law enforcement" you report it to.  I have not been
: a victim, but report *all* 419's to "419scam@ultrascan.nl", which is an
: agency in Holland that also covers Spain.
:
: Occasionally they send me a press release (this one dated 6/16/2007 1:53
: PM):
:
:
: Today 111 419 advance fee scammers arrested in Amsterdam
:
: The amsterdam police arrested 111 mainly Nigerian fraudsters in a
: nightclub where they celebrated their weekly victories, scamming
: gullible victims from all over the world.
:
: Most will be processed as illegal and send back to Nigeria, 8 will be
: processed in The Netherlands because they carried false passports.

Houston (TX) had a nest of Nigerian scammers.  Their email activities came 
to light because they were also scamming people who were part of the 
legitimate Nigerian Houston community. 


From nobody at devnull.spamcop.net  Sun May 24 12:47:56 2009
From: nobody at devnull.spamcop.net (Twayne)
Date: Sun May 24 12:55:04 2009
Subject: [Scspamcop] Re: Phishing VS 419
References: <pan.2009.05.20.16.36.18@spamcop.net><gv1d3a$73u$1@news.spamcop.net>
	<pan.2009.05.20.17.22.46@spamcop.net>
	<gv1gs3$mcc$1@news.spamcop.net> <gv5vcj$7up$1@news.spamcop.net>
	<gv6e33$aqd$1@news.spamcop.net> <gv7emo$pjp$1@news.spamcop.net>
Message-ID: <gvbtsl$smu$1@news.spamcop.net>

bar0 wrote:
> "Blue Rock" <nobody@devnull.spamcop.net> wrote in message
> news:gv6e33$aqd$1@news.spamcop.net...
>>
> ......
>>>
>>> And if a 419 scam asks for personal information, those lines are
>>> blurred and becomes
>>> phishing.
>>>
>>
>> I don't think so, because a 419 is still not a message that is
>> disguised such that it appears to come from a legitimate bank,
>> credit card company, or other business.
>>
>> I think we are just arguing semantics here.  Do you, or does
>> anybody, have an example of a spam email message, where it is not
>> clear whether it is a phish, or a 419?  If so, please post a tracker
>> link to it.
>
>
> The definition depends on the person using it, Hotmail, for example
> requests users mark as phish any mail asking for personal information.
>
> That includes almost all 419, and other (like lotto) advance fee
> spams I have ever seen. I suppose this could be stretched to include
> pecker and other spams which ultimately want a credit card number and
> (nominally) a delivery address.

Actually, internet 419's don't ask for any information at all to start 
with. All they ask is you reply to them somehow indicating you will 
"help" them out (in fleecing you).  I've read some of the case histories 
of people who played with them and it's several mails later, when the 
bank accounts need to be created, before it's asked for. They'll even 
correspond with sneakemail accounts!   Then it gets pretty strange<g>. 
At least in the ones I looked at, it was the third contact, 
consistantly, where they started talking about banks etc..
   OTOH, there are a LOT of spin-offs and copycats that DO ask for 
personal info, but those aren't the actual criminals; they are the 
current spammer/scammer bottom feeders just playing copycat.  I suspect 
that's why there are such gray areas today about what's what with these 
things.  I do get a certain amount of satisfaction from reporting them 
to the FBI, IRS and other relevant gvt agencies, not that it does any 
good I'm sure.
   Apparently they're listwashers, too because I haven't received a 419 
at any address but my publicly exposed addresses in quite awhile now; I 
use them as honeypots now.  I imagine my ISP stops a bunch of them too 
for the addresses I actually use now.

Cheers,

Twayne


From nobody at devnull.spamcop.net  Sun May 24 12:50:37 2009
From: nobody at devnull.spamcop.net (Twayne)
Date: Sun May 24 12:55:04 2009
Subject: [Scspamcop] Re: Phishing VS 419
References: <pan.2009.05.20.16.36.18@spamcop.net><gv1d3a$73u$1@news.spamcop.net>
	<pan.2009.05.20.17.22.46@spamcop.net>
	<gv1gs3$mcc$1@news.spamcop.net> <gv5vcj$7up$1@news.spamcop.net>
	<gv8pn5$41f$1@news.spamcop.net>
Message-ID: <gvbtsm$smu$2@news.spamcop.net>

Miss Betsy wrote:
> "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
> news:gv5vcj$7up$1@news.spamcop.net...
> <snip>
>>> In this case, here are a couple of places where a line can be drawn:
>>
>>> Email looks like it comes from a legitimate bank, credit card
>>> company, or other business within your own country.
>>> (PHISH)
>>
>>> -------LINE-------------------
>>
>>> (419)
>>> Email apparently comes from a rich grieving widow, ex-government
>>> employee, former president of an oil company, or other wealthy
>>> person, usually from a foreign country - Nigeria, promising you
>>> financial gain if you contact them, to help them in some way.
>>
>>
>>> -OR-
>>
>>
>>> Purpose is to deceptively obtain your password, or account access
>>> information so they can steal from your account, or steal your
>>> identity. (PHISH)
>>
>>> -------LINE-------------------
>>
>>> (419)
>>> Purpose is to personlly gain your confidence, so that you trust the
>>> person enough that you give them a bank account number, or possibly
>>> even visit their country to collect your money (at which pont, you
>>> are in real trouble).
>>
>>
>> And if a 419 scam asks for personal information, those lines are
>> blurred and becomes
>> phishing.
>
> Any scam that intends to separate you from your money is a felony. It 
> is the manner in which they go about it that distinguishes one
> scam from another.
>
> PHISH = a scammer posing as a legitimate business (online this is
> done by making websites that look exactly like the legitimate
> business - usually banks or credit card companies) in order to trick
> you into giving him your personal account numbers, etc. so that then
> they may use them to act as you. They may clean out your account,
> charge things to your credit card, apply for loans, etc.  The victim
> is unsuspecting and does not realize that his personal information is
> being stolen.
> 419 = a scammer who promises you  a lot more money if you pay him
> money for various reasons that he says will expedite the payment to
> you.  It is also called 'advance fee'   If they can convince you to
> give them your account number, they may then clean out all your
> money.  However, some advance fee scams just disappear after you
> advance them the money.  The victim is fully aware that he is
> participating in a slightly illegal transaction, but is willing to
> take the risk to get a great deal of money.  There are lots of
> variations that are not from Nigeria.  There was one where a supposed
> soldier in Iraq had found money and needed help getting it back to
> the US.
> Other advance fee scams, like 'lottery winner', are technically not
> 419 scams which specifically involve an official or other person who
> has an insider position offering you a cut if you help him/her get
> the money out of the country saying that money for bribes, etc. are
> needed to do this and that you will be paid back when the money is
> deposited to your account.  In some 'advance fee' schemes like the
> lottery, the victim does not know that the offer is bogus; in others,
> like the 419, the victim participates knowing that it is not an above
> board transaction.
> Phish refers specifically to emails that are designed to look, read,
> and contain links that look like real links, but go to a bogus
> website that looks like the real thing and all of this is done to
> gain personal information to use to get money or be able to charge
> things.  Offline, it is more difficult to impersonate a legitimate
> business, however it has been done.  Sometimes phone calls can seem
> 'real' and also letters.  Usually, however, the offline
> impersonations have not been to get personal information to use to
> gain money, but to get the victim to give them money thinking that
> the bank or business has that kind of fee.  So the style of Phishes
> is peculiar to the internet.
> 419 or advance fee scams have been around a long time by letter and
> fax - in fact, they still show up.  There is no difference in the
> approach by letter, fax, or email.
>
> In both kinds of scams, I understand that law enforcement does not act
> unless the receiver is actually a victim and has lost a significant
> amount of money.  At this time, IMHO, it is unnecessary to report
> either phishes or 419 scams to law enforcement.  I am sure that they
> have spam traps to get all the evidence that they need.  The value of
> reporting phishes and scams is to get the IP addresses where they
> come from on blocklists so that nobody gets their email, to alert
> ISPs to abuse (the stakes are so high that scammers can work around
> the controls set for high volume spam), and to alert companies who
> are affected so they can warn their customers.
> Reporting to 'junk' in those email services that have such a thing is
> also a good idea so that better content filters can be devised.
>
> Miss Betsy
> an almost new internet user

Miss Betsy, you'll get the hang of this internet thing, just keep on 
trying!  < very, very wide grim >
   Good collection of data.
Twayne` 


From kopfj at worldnet.att.net  Sun May 24 13:47:12 2009
From: kopfj at worldnet.att.net (John O. Kopf)
Date: Sun May 24 13:45:03 2009
Subject: [Scspamcop] Re: Phishing VS 419
In-Reply-To: <gvbtsm$smu$2@news.spamcop.net>
References: <pan.2009.05.20.16.36.18@spamcop.net><gv1d3a$73u$1@news.spamcop.net>
	<pan.2009.05.20.17.22.46@spamcop.net>
	<gv1gs3$mcc$1@news.spamcop.net> <gv5vcj$7up$1@news.spamcop.net>
	<gv8pn5$41f$1@news.spamcop.net> <gvbtsm$smu$2@news.spamcop.net>
Message-ID: <gvc12u$98t$1@news.spamcop.net>

Twayne wrote:
> SNIP

>> Phish refers specifically to emails that are designed to look, read,
>> and contain links that look like real links, but go to a bogus
>> website that looks like the real thing ...SNIP
> 
> Miss Betsy, you'll get the hang of this internet thing, just keep on 
> trying!  < very, very wide grim >
>    Good collection of data.
> Twayne` 
> 
> 

HINT - Most browsers/Email readers will display the URL to be used when 
you move your cursor over a "URL" shown in the text.  If the URL shown 
is not the same as the URL the program displays, it's certain to be a 
scam of some sort!

John Kopf
From nobody at devnull.spamcop.net  Sun May 24 19:50:14 2009
From: nobody at devnull.spamcop.net (Miss Betsy)
Date: Sun May 24 19:50:03 2009
Subject: [Scspamcop] Re: Phishing VS 419
In-Reply-To: <01c9dbe7$4d23f420$LocalHost@default>
References: <pan.2009.05.20.16.36.18@spamcop.net><gv1d3a$73u$1@news.spamcop.net>
	<pan.2009.05.20.17.22.46@spamcop.net>
	<gv1gs3$mcc$1@news.spamcop.net> <gv5vcj$7up$1@news.spamcop.net>
	<gv8pn5$41f$1@news.spamcop.net>
	<01c9dbe7$4d23f420$LocalHost@default>
Message-ID: <gvcmen$gs5$1@news.spamcop.net>



"Michael R N Dolbear" <me@privacy.net> wrote in message 
news:01c9dbe7$4d23f420$LocalHost@default...
> Miss Betsy <nobody@devnull.spamcop.net> wrote
>
>> Any scam that intends to separate you from your money is a felony.
> It is
>> the manner in which they go about it that distinguishes one scam from
>
>> another.
>
> Either a tautology or not true.

Yes, there are scams that are 'legal' - the Sheets 'scam' for instance.  The 
getrichquick idea is legitimate - buy fixer-uppers at low prices and fix 
them up and sell them.  However, it requires real work and expertise - 
knowing the market, having the ability to fix, etc.  Sheets makes his money 
from selling the program as an 'easy' way to make a lot of money which most 
people buy and never read or give up because they realize they don't have 
the expertise.

There are others where the words are carefully chosen so that the buyer 
can't complain.  Others like the YellowPages 'invoice' that isn't an 
invoice, but it says so.  People who don't read the fine print may bite.  In 
fact, I know someone who did.

I was using 'scam' as a scam which is illegal.  There are others.  Sheets 
even can pay for infomercials.  And that's something else.  Web hosts can 
certainly can the same 'immunity' from conspiracy as newspapers and TV 
stations do for contracting with these unethical, but legal scams.  My 
newspaper now carries an 'ad' that warns against being too trusting - don't 
know whether that's a result of regulation.  But it is unreasonable to 
expect newspapers or TV stations to investigate every advertiser.

Miss Betsy



 

From nobody at devnull.spamcop.net  Sun May 24 20:02:38 2009
From: nobody at devnull.spamcop.net (Miss Betsy)
Date: Sun May 24 20:05:02 2009
Subject: [Scspamcop] Re: Phishing VS 419
In-Reply-To: <gvc12u$98t$1@news.spamcop.net>
References: <pan.2009.05.20.16.36.18@spamcop.net><gv1d3a$73u$1@news.spamcop.net>
	<pan.2009.05.20.17.22.46@spamcop.net>
	<gv1gs3$mcc$1@news.spamcop.net> <gv5vcj$7up$1@news.spamcop.net>
	<gv8pn5$41f$1@news.spamcop.net> <gvbtsm$smu$2@news.spamcop.net>
	<gvc12u$98t$1@news.spamcop.net>
Message-ID: <gvcn5v$jq0$1@news.spamcop.net>



"John O. Kopf" <kopfj@worldnet.att.net> wrote in message 
news:gvc12u$98t$1@news.spamcop.net...
> Twayne wrote:
>> SNIP
>
>>> Phish refers specifically to emails that are designed to look, read,
>>> and contain links that look like real links, but go to a bogus
>>> website that looks like the real thing ...SNIP
>>
>> Miss Betsy, you'll get the hang of this internet thing, just keep on 
>> trying!  < very, very wide grim >
>>    Good collection of data.
>> Twayne`
>
> HINT - Most browsers/Email readers will display the URL to be used when 
> you move your cursor over a "URL" shown in the text.  If the URL shown is 
> not the same as the URL the program displays, it's certain to be a scam of 
> some sort!
>
> John Kopf

That's good advice!  Problem is I have my email set to plain text and hardly 
ever open anything suspicious except in Message Source so I haven't seen 
that.

Part of my signature designates my age - as well as the fact that, like the 
URL advice above, there are huge gaps in my knowledge.  (I think Twayne 
remembers me - that's why the <very, very wide grin> - but I haven't 
frequented the ngs lately).

Miss Betsy
an almost new internet user

 

From nobody at devnull.spamcop.net  Sun May 24 20:09:50 2009
From: nobody at devnull.spamcop.net (Miss Betsy)
Date: Sun May 24 20:10:03 2009
Subject: [Scspamcop] Re: Phishing VS 419
In-Reply-To: <gvbtsl$smu$1@news.spamcop.net>
References: <pan.2009.05.20.16.36.18@spamcop.net><gv1d3a$73u$1@news.spamcop.net>
	<pan.2009.05.20.17.22.46@spamcop.net>
	<gv1gs3$mcc$1@news.spamcop.net> <gv5vcj$7up$1@news.spamcop.net>
	<gv6e33$aqd$1@news.spamcop.net> <gv7emo$pjp$1@news.spamcop.net>
	<gvbtsl$smu$1@news.spamcop.net>
Message-ID: <gvcnje$m1l$1@news.spamcop.net>



"Twayne" <nobody@devnull.spamcop.net> wrote in message 
news:gvbtsl$smu$1@news.spamcop.net...
> bar0 wrote:
<snip> I've read some of the case histories
> of people who played with them and it's several mails later, when the bank 
> accounts need to be created, before it's asked for. <snip>

Hi Twayne, glad to see you are still here!

My favorite 419 correspondence was the guy who actually got the scammer to 
send him a $3.15 money order!  He was a pro.  'I read your email to my wife 
and she said, "HELP THEM NOW!"  she was so UPSET...but there is a little 
problem, I am not sure that I can....'

Miss Betsy
an almost new internet user 

From user at domain.invalid  Mon May 25 00:40:38 2009
From: user at domain.invalid (Farelf)
Date: Mon May 25 00:45:03 2009
Subject: [Scspamcop] Re: Phishing VS 419
In-Reply-To: <gvcn5v$jq0$1@news.spamcop.net>
References: <pan.2009.05.20.16.36.18@spamcop.net><gv1d3a$73u$1@news.spamcop.net>
	<pan.2009.05.20.17.22.46@spamcop.net>
	<gv1gs3$mcc$1@news.spamcop.net> <gv5vcj$7up$1@news.spamcop.net>
	<gv8pn5$41f$1@news.spamcop.net> <gvbtsm$smu$2@news.spamcop.net>
	<gvc12u$98t$1@news.spamcop.net> <gvcn5v$jq0$1@news.spamcop.net>
Message-ID: <gvd7g5$14h$1@news.spamcop.net>

Miss Betsy wrote:
> 
> 
> "John O. Kopf" <kopfj@worldnet.att.net> wrote in message 
> news:gvc12u$98t$1@news.spamcop.net...
>> Twayne wrote:
>>> SNIP
>>
<snip>
>>
>> HINT - Most browsers/Email readers will display the URL to be used 
>> when you move your cursor over a "URL" shown in the text.  If the URL 
>> shown is not the same as the URL the program displays, it's certain to 
>> be a scam of some sort!
>>
>> John Kopf
> 
> That's good advice!  Problem is I have my email set to plain text and 
> hardly ever open anything suspicious except in Message Source so I 
> haven't seen that.
> 
<snip>
> Miss Betsy
> an almost new internet user
> 

(Stay with me now <g>) The message source always shows when that trick 
is in place (*caution, actual phishing site taken down last time I 
looked but other exploits/annoyances may be present*)  - like

<A href="http://www3netcommbank.byethost15.com/netbank-bankmain/">
https://www3.netbank.commbank.com.au/netbank/bankmain/</A>

In an HTML mail (which, sadly, most use because it is the common default 
foisted on the thrill-seeking public to "maximize" their experience - as 
it surely does <g>) that would show as a link to 
https://www3.netbank.commbank.com.au/netbank/bankmain/ (which does not 
exist but "looks" very legitimate) but *actually* links to the 
byethost15.com domain where the phishing site lives/lived - which is 
clearly nothing to do with the bank and would worry most if it were more 
apparent.  The href is where it goes but the bit between the inner 
brackets (> ...<) is where the user is meant to think it goes.  The 
'alias' address is a very useful feature in HTML but a real godsend to 
phishers.

Often 'they' will try to further obscure things - as in the original of 
the above - by adding additional formatting code (font, color, size) for 
the alias, which might also make it look more impressive/authoritative 
when viewed in HTML.  But the basic structure is unchanged.  The actual 
target (which may be a redirector to yet other sites, ending up at the 
'real' phishing site but that's beside the point) is in the bit <a 
href="...">.
From nobody at devnull.spamcop.net  Mon May 25 10:24:10 2009
From: nobody at devnull.spamcop.net (Miss Betsy)
Date: Mon May 25 10:25:04 2009
Subject: [Scspamcop] Re: Phishing VS 419
In-Reply-To: <gvd7g5$14h$1@news.spamcop.net>
References: <pan.2009.05.20.16.36.18@spamcop.net><gv1d3a$73u$1@news.spamcop.net>
	<pan.2009.05.20.17.22.46@spamcop.net>
	<gv1gs3$mcc$1@news.spamcop.net> <gv5vcj$7up$1@news.spamcop.net>
	<gv8pn5$41f$1@news.spamcop.net> <gvbtsm$smu$2@news.spamcop.net>
	<gvc12u$98t$1@news.spamcop.net> <gvcn5v$jq0$1@news.spamcop.net>
	<gvd7g5$14h$1@news.spamcop.net>
Message-ID: <gve9l9$ik3$1@news.spamcop.net>

"Farelf" <user@domain.invalid> wrote in message 
news:gvd7g5$14h$1@news.spamcop.net...
> Miss Betsy wrote:
>>
>>
>> "John O. Kopf" <kopfj@worldnet.att.net> wrote in message 
>> news:gvc12u$98t$1@news.spamcop.net...
>>> Twayne wrote:
>>>> SNIP
>>>
> <snip>
>>>
>>> HINT - Most browsers/Email readers will display the URL to be used when 
>>> you move your cursor over a "URL" shown in the text.  If the URL shown 
>>> is not the same as the URL the program displays, it's certain to be a 
>>> scam of some sort!
>>>
>>> John Kopf
>>
>> That's good advice!  Problem is I have my email set to plain text and 
>> hardly ever open anything suspicious except in Message Source so I 
>> haven't seen that.
>>
> <snip>
>> Miss Betsy
>> an almost new internet user
>>
>
> (Stay with me now <g>) The message source always shows when that trick is 
> in place (*caution, actual phishing site taken down last time I looked but 
> other exploits/annoyances may be present*)  - like
>
> <A href="http://www3netcommbank.byethost15.com/netbank-bankmain/">
> https://www3.netbank.commbank.com.au/netbank/bankmain/</A>
>
> In an HTML mail (which, sadly, most use because it is the common default 
> foisted on the thrill-seeking public to "maximize" their experience - as 
> it surely does <g>) that would show as a link to 
> https://www3.netbank.commbank.com.au/netbank/bankmain/ (which does not 
> exist but "looks" very legitimate) but *actually* links to the 
> byethost15.com domain where the phishing site lives/lived - which is 
> clearly nothing to do with the bank and would worry most if it were more 
> apparent.  The href is where it goes but the bit between the inner 
> brackets (> ...<) is where the user is meant to think it goes.  The 
> 'alias' address is a very useful feature in HTML but a real godsend to 
> phishers.
>
> Often 'they' will try to further obscure things - as in the original of 
> the above - by adding additional formatting code (font, color, size) for 
> the alias, which might also make it look more impressive/authoritative 
> when viewed in HTML.  But the basic structure is unchanged.  The actual 
> target (which may be a redirector to yet other sites, ending up at the 
> 'real' phishing site but that's beside the point) is in the bit <a 
> href="...">.

And, even though I don't really know HTML code, I do know that!  I might 
even be able to reproduce it (though not in an email maybe - only if I could 
find out how to edit code in an email).  I didn't learn it in a ng, but I 
have learned a lot of other things here.  I hope someone else will take 
advantage of your explanation so they can identify the /real/ source in the 
Message Source.

Miss Betsy
an almost new internet user

 

From nobody at devnull.spamcop.net  Mon May 25 13:27:41 2009
From: nobody at devnull.spamcop.net (Twayne)
Date: Mon May 25 13:30:03 2009
Subject: [Scspamcop] Re: Phishing VS 419
References: <pan.2009.05.20.16.36.18@spamcop.net><gv1d3a$73u$1@news.spamcop.net>
	<pan.2009.05.20.17.22.46@spamcop.net>
	<gv1gs3$mcc$1@news.spamcop.net> <gv5vcj$7up$1@news.spamcop.net>
	<gv6e33$aqd$1@news.spamcop.net> <gv7emo$pjp$1@news.spamcop.net>
	<gvbtsl$smu$1@news.spamcop.net> <gvcnje$m1l$1@news.spamcop.net>
Message-ID: <gveke3$f1n$1@news.spamcop.net>

Miss Betsy wrote:
> "Twayne" <nobody@devnull.spamcop.net> wrote in message
> news:gvbtsl$smu$1@news.spamcop.net...
>> bar0 wrote:
> <snip> I've read some of the case histories
>> of people who played with them and it's several mails later, when
>> the bank accounts need to be created, before it's asked for. <snip>
>
> Hi Twayne, glad to see you are still here!
>
> My favorite 419 correspondence was the guy who actually got the
> scammer to send him a $3.15 money order!  He was a pro.  'I read your
> email to my wife and she said, "HELP THEM NOW!"  she was so
> UPSET...but there is a little problem, I am not sure that I can....'
>
> Miss Betsy
> an almost new internet user

Yeah, there are some interesting stories out there.  The FTC pages used 
to have a lot of them right up front but they're not so obvious or easy 
to find anymore.  They're interesting on so many different levels, each 
one very hard to imagine the person falling for.   Takes all kinds, I 
guess.  Must be rough on newbies just discovering the wonders of the 
internet & e-mail!

Cheers,

Twayne


From tmcgraw at spamcop.net  Mon May 25 15:11:21 2009
From: tmcgraw at spamcop.net (Tim McGraw)
Date: Mon May 25 15:15:04 2009
Subject: [Scspamcop] Re: Phishing VS 419
In-Reply-To: <01c9dbe7$4d23f420$LocalHost@default>
References: <pan.2009.05.20.16.36.18@spamcop.net><gv1d3a$73u$1@news.spamcop.net>
	<pan.2009.05.20.17.22.46@spamcop.net>
	<gv1gs3$mcc$1@news.spamcop.net> <gv5vcj$7up$1@news.spamcop.net>
	<gv8pn5$41f$1@news.spamcop.net>
	<01c9dbe7$4d23f420$LocalHost@default>
Message-ID: <gveqgp$g4g$1@news.spamcop.net>

Michael R N Dolbear wrote:
> Miss Betsy wrote 
>> Any scam that intends to separate you from your money is a felony. It is 
>> the manner in which they go about it that distinguishes one scam from
>> another.
> Either a tautology or not true.
> 
> Thus "recognized UniversityDegree based on work or life experience from
> University within 10 days" is a scam because 'recognised' is
> fraudulently stated. but probably not a felony and certainly not if
> 'recognised' is changed to 'genuine'.

What I think Miss B was trying to express was "Any scam that intends to 
separate you from your money *with only a promise of something in 
return* is a felony."

I have never ordered a degree from a "recognized university" but it is 
my understanding that you will receive a fancy piece of paper for your 
money.

As far as "recognised" being fraudulently stated, that would be subject 
to local laws regarding advertising, and to be practical an actual 
conviction would require the scammer and the scammee "reside" in the 
same country.

Of course, with the Internet being a worldwide phenom much of this 
discussion over what can be prosecuted and what is felonious is rather moot.
From nobody at devnull.spamcop.net  Mon May 25 18:33:50 2009
From: nobody at devnull.spamcop.net (Miss Betsy)
Date: Mon May 25 18:35:03 2009
Subject: [Scspamcop] Re: Phishing VS 419
In-Reply-To: <gveqgp$g4g$1@news.spamcop.net>
References: <pan.2009.05.20.16.36.18@spamcop.net><gv1d3a$73u$1@news.spamcop.net>
	<pan.2009.05.20.17.22.46@spamcop.net>
	<gv1gs3$mcc$1@news.spamcop.net> <gv5vcj$7up$1@news.spamcop.net>
	<gv8pn5$41f$1@news.spamcop.net>
	<01c9dbe7$4d23f420$LocalHost@default>
	<gveqgp$g4g$1@news.spamcop.net>
Message-ID: <gvf6bb$h02$1@news.spamcop.net>



"Tim McGraw" <tmcgraw@spamcop.net> wrote in message 
news:gveqgp$g4g$1@news.spamcop.net...
<snip>
> As far as "recognised" being fraudulently stated, that would be subject to 
> local laws regarding advertising, and to be practical an actual conviction 
> would require the scammer and the scammee "reside" in the same country.
>
> Of course, with the Internet being a worldwide phenom much of this 
> discussion over what can be prosecuted and what is felonious is rather 
> moot.

So, why is it important to report these scams to the proper agency?

Miss Betsy
an almost new internet user 

From tmcgraw at spamcop.net  Tue May 26 17:23:29 2009
From: tmcgraw at spamcop.net (Tim McGraw)
Date: Tue May 26 17:25:03 2009
Subject: [Scspamcop] Re: Phishing VS 419
In-Reply-To: <gvf6bb$h02$1@news.spamcop.net>
References: <pan.2009.05.20.16.36.18@spamcop.net><gv1d3a$73u$1@news.spamcop.net>
	<pan.2009.05.20.17.22.46@spamcop.net>
	<gv1gs3$mcc$1@news.spamcop.net> <gv5vcj$7up$1@news.spamcop.net>
	<gv8pn5$41f$1@news.spamcop.net>
	<01c9dbe7$4d23f420$LocalHost@default>
	<gveqgp$g4g$1@news.spamcop.net> <gvf6bb$h02$1@news.spamcop.net>
Message-ID: <gvhmkh$qvm$1@news.spamcop.net>

Miss Betsy wrote:
> Tim McGraw wrote:
> <snip>
>> As far as "recognised" being fraudulently stated, that would be 
>> subject to local laws regarding advertising, and to be practical an 
>> actual conviction would require the scammer and the scammee "reside" 
>> in the same country.
>>
>> Of course, with the Internet being a worldwide phenom much of this 
>> discussion over what can be prosecuted and what is felonious is rather 
>> moot.
> 
> So, why is it important to report these scams to the proper agency?

It's not.

As you said earlier in this thread, it is unnecessary to report either 
phishes or 419 scams to law enforcement.
From g.hyde at bigNOSPAMpond.net.au  Wed May 27 05:13:58 2009
From: g.hyde at bigNOSPAMpond.net.au (Geoffrey Hyde)
Date: Wed May 27 05:15:04 2009
Subject: [Scspamcop] Re: Phishing VS 419
References: <pan.2009.05.20.16.36.18@spamcop.net><gv1d3a$73u$1@news.spamcop.net>
	<pan.2009.05.20.17.22.46@spamcop.net>
	<gv1gs3$mcc$1@news.spamcop.net> <gv5vcj$7up$1@news.spamcop.net>
	<gv8pn5$41f$1@news.spamcop.net>
	<01c9dbe7$4d23f420$LocalHost@default>
	<gveqgp$g4g$1@news.spamcop.net> <gvf6bb$h02$1@news.spamcop.net>
	<gvhmkh$qvm$1@news.spamcop.net>
Message-ID: <gvj09f$vt0$1@news.spamcop.net>


"Tim McGraw" <tmcgraw@spamcop.net> wrote in message 
news:gvhmkh$qvm$1@news.spamcop.net...
> Miss Betsy wrote:
>> So, why is it important to report these scams to the proper agency?
>
> It's not.
>
> As you said earlier in this thread, it is unnecessary to report either 
> phishes or 419 scams to law enforcement.

As far as the letter of the law goes, that's true.

Morally speaking, some people feel obliged to report every phish and 419 
scam to the law enforcement.  This is rarely done in practice, however.  If 
people did report them more often, the law enforcement agencies could be a 
lot more interested in cracking down on these scammers and phishers and 
themr scam/spam zombiefied PC armies.


Cheers ...

Geoffrey Hyde


From MikeE at ster.invalid  Wed May 27 16:45:18 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Wed May 27 16:50:04 2009
Subject: [Scspamcop] Re: Grouse, grouse, grouse
References: <Xns9C18866CE3FECTheShrubIsAnAss@216.154.195.61>
Message-ID: <gvk8ou$ouc$1@news.spamcop.net>

Charles wrote:
Subject: Grouse, grouse, grouse

We have sooty grouse around here, but not really so very many.
http://snipr.com/iw7kl

> Hi!  I got spammed today!

But, spam -- we have plenty of spam.

-- 
Mike Easter
kibitzer, not SC admin

From me at privacy.net  Thu May 28 08:32:35 2009
From: me at privacy.net (Michael R N Dolbear)
Date: Thu May 28 08:35:04 2009
Subject: [Scspamcop] Re: Phishing VS 419
References: <pan.2009.05.20.16.36.18@spamcop.net><gv1d3a$73u$1@news.spamcop.net>
	<pan.2009.05.20.17.22.46@spamcop.net>
	<gv1gs3$mcc$1@news.spamcop.net> <gv5vcj$7up$1@news.spamcop.net>
	<gv8pn5$41f$1@news.spamcop.net>
	<01c9dbe7$4d23f420$LocalHost@default>
	<gveqgp$g4g$1@news.spamcop.net> <gvf6bb$h02$1@news.spamcop.net>
	<gvhmkh$qvm$1@news.spamcop.net> <gvj09f$vt0$1@news.spamcop.net>
Message-ID: <01c9df21$bbb536a0$LocalHost@default>

Geoffrey Hyde <g.hyde@bigNOSPAMpond.net.au> wrote 

> Morally speaking, some people feel obliged to report every phish and
419 
> scam to the law enforcement.  This is rarely done in practice,
however.  If 
> people did report them more often, the law enforcement agencies could
be a 
> lot more interested in cracking down on these scammers and phishers
and 
> themr scam/spam zombiefied PC armies.

Why should they be "a lot more interested" ?

They would have to spend a lot of money on data analysis to extract
email drop boxes and phone numbers for 419 scams and maybe a whole
network to get phish web sites taken down or blocked as rapidly as
possible. Would this be cost effective as against the current
"investigate only if > $BIG has been lost" ?

Would the ISPs like to pay for policing redirects ?
 an anti-botnet campaign ?

Would the money be better spent otherwise, eg a required option for
ISPs to block "bullet-proof hosting" IP ranges for their clients if
they so request ? 

-- 
Mike D


From tmcgraw at spamcop.net  Thu May 28 13:02:07 2009
From: tmcgraw at spamcop.net (Tim McGraw)
Date: Thu May 28 13:05:04 2009
Subject: [Scspamcop] Re: Phishing VS 419
In-Reply-To: <gvj09f$vt0$1@news.spamcop.net>
References: <pan.2009.05.20.16.36.18@spamcop.net><gv1d3a$73u$1@news.spamcop.net>
	<pan.2009.05.20.17.22.46@spamcop.net>
	<gv1gs3$mcc$1@news.spamcop.net> <gv5vcj$7up$1@news.spamcop.net>
	<gv8pn5$41f$1@news.spamcop.net>
	<01c9dbe7$4d23f420$LocalHost@default>
	<gveqgp$g4g$1@news.spamcop.net> <gvf6bb$h02$1@news.spamcop.net>
	<gvhmkh$qvm$1@news.spamcop.net> <gvj09f$vt0$1@news.spamcop.net>
Message-ID: <gvmg2i$vbf$1@news.spamcop.net>

Geoffrey Hyde wrote:
> Tim McGraw wrote:
>> Miss Betsy wrote:
>>> So, why is it important to report these scams to the proper agency?
>> It's not.
>>
>> As you said earlier in this thread, it is unnecessary to report either 
>> phishes or 419 scams to law enforcement.
> As far as the letter of the law goes, that's true.
> 
> Morally speaking, some people feel obliged to report every phish and 419 
> scam to the law enforcement.  This is rarely done in practice, however.  If 
> people did report them more often, the law enforcement agencies could be a 
> lot more interested in cracking down on these scammers and phishers and 
> themr scam/spam zombiefied PC armies.

There is not a law enforcement agency with the authority to prosecute a 
phish sent from a server in Brazil by a Nigerian in Belgium to a 
recipient in the U.S. If there were, I would prefer that they 
concentrate on more important matters, like international terrorism.

If people reported phish attempts more often, the "lucky" law 
enforcement agency that received them would merely be overwhelmed. As it 
is, I suspect most of these "reported phish attempts" go to the agency's 
bit bucket.
From MikeE at ster.invalid  Thu May 28 20:08:31 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Thu May 28 20:10:03 2009
Subject: [Scspamcop] Re: Phishing VS 419
References: <pan.2009.05.20.16.36.18@spamcop.net><gv1d3a$73u$1@news.spamcop.net>
	<pan.2009.05.20.17.22.46@spamcop.net>
	<gv1gs3$mcc$1@news.spamcop.net> <gv5vcj$7up$1@news.spamcop.net>
	<gv8pn5$41f$1@news.spamcop.net>
	<01c9dbe7$4d23f420$LocalHost@default>
	<gveqgp$g4g$1@news.spamcop.net> <gvf6bb$h02$1@news.spamcop.net>
	<gvhmkh$qvm$1@news.spamcop.net> <gvj09f$vt0$1@news.spamcop.net>
	<gvmg2i$vbf$1@news.spamcop.net>
Message-ID: <gvn91n$5he$1@news.spamcop.net>

Tim McGraw wrote:
> Geoffrey Hyde wrote:

>> if people did report them more often, the law enforcement
>> agencies could be a lot more interested

> As it
> is, I suspect most of these "reported phish attempts" go to the
agency's
> bit bucket.

That's what I think happens, in general.

I think that many/most spam reporters think that reports/notifies are
opened and read and (they thus think) it would seem to follow that the
more reports there are (sent), the more likely that something or other
positive antispam would happen.

I think that almost zero notifies are opened or read -- some extremely
tiny really insignificant number/percentage.

In the provider area, we can say that we can consider all providers to
belong to some spectrum from blackhat to greyhat to whitehat to clueless
hat.  Almost none of those are going to be opening/reading reports.  The
blackhats -none unless they are using the report somehow to their
advantage - so their reports are either bitbucketed or somehow used
against some antispam process.

The grey and clueless hats might 'amass' notifies in some way, much as I
amass the spam I receive which is diverted from my inbox into a Junk
folder.  The amassing might result in 'weighing' its bulk, like counting
or something.

The whitehats are only going to open one report on an issue they don't
know about yet, but they probably already know, so they aren't even going
ot open one.  They might have a process to autoack it without a human
having to touch it.  So all the reports to whitehats are also
useless/pointless.

Such nonproviders such as bureaucracies are only going to sort, amass and
weigh, not open any.  There's no point in opening them;  it isn't like
they are going to be doing anything differently based on emailed
notifies.

All these notifies are pretty much like so much 'spam' in a spam
reporter's Junk folders - considering both their intent and their
result - namely that while the spammers' purpose was to accomplish
something profitable with the email, s/he didn't;  hir spam was
harmlessly diverted.

Similarly all those bazillions of notifies are functionlessly diverted
and bitbucketed, (or) sorted and amassed and weighed.  Not opened or
read.  Spam reporters read more spam curiously than provider abuse desks
and bureaucracies read their notifies.

-- 
Mike Easter
kibitzer, not SC admin

From g.hyde at bigNOSPAMpond.net.au  Fri May 29 00:58:36 2009
From: g.hyde at bigNOSPAMpond.net.au (Geoffrey Hyde)
Date: Fri May 29 01:00:03 2009
Subject: [Scspamcop] Is this really from optusnet or is it another spammer
	trick?
Message-ID: <gvnq24$aue$1@news.spamcop.net>

http://www.spamcop.net/sc?id=z2946458899z053122ccfbf97572921bc1ed4f704115z

Spamcop's never seen optusnet send spam before, but something told it to 
trust that it was forwarding spam when my bigpond mail account receives it.

I'm suspicious, why does SpamCop suddenly trust that my bigpond host is 
receiving mail from optusnet when it doesn't even trust mail sent from other 
domains to bigpond?

Or is it really the case that optusnet suddenly has an open relay on their 
network?

I also wonder if my mailhosts setup needs to be reset?  Perhaps one of the 
SC admins can investigate further and let me know.

Cheers ...

Geoffrey Hyde



From MikeE at ster.invalid  Fri May 29 05:48:34 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Fri May 29 05:50:04 2009
Subject: [Scspamcop] Re: Is this really from optusnet or is it another
	spammer trick?
References: <gvnq24$aue$1@news.spamcop.net>
Message-ID: <gvob19$svk$1@news.spamcop.net>

Geoffrey Hyde wrote:
www.spamcop.net/sc?id=z2946458899z053122ccfbf97572921bc1ed4f704115z

Subject: Is this really from optusnet or is it another spammer trick?

This is really sourced from a optusnet user via optusnet mailservers.

  Abbreviated Received tracelines *comment
  from nskntingx04p.mx.bigpond.com ([211.29.132.10]) by
nskntmtas05p.mx.bigpond.com *zany bigpond
  from fallbackmx08.syd.optusnet.com.au ([211.29.132.10]) by
nskntingx04p.mx.bigpond.com
  from (mail16.syd.optusnet.com.au [211.29.132.197]) by
fallbackmx08.syd.optusnet.com.au *timestamp 2h
  from User (58.108.192.80.optusnet.com.au [58.108.192.80] by
mail16.syd.optusnet.com.au

optusnet user > 2 optusnet mailservers > bigpond

The body contains a Commonwealth Bank phish whose payload is at an EL
earthlink/mindspring user IP.  SC offers to notify optusnet for the
relaying (optusnet request) and the sourcing and EL for the spamvertised
payload.

The spamvertised/phish link 'redirects' from one name to another, but
they are both (currently) the same EL cableuser IP, probably geo NYC, NY.

> Spamcop's never seen optusnet send spam before, but something told it
to
> trust that it was forwarding spam when my bigpond mail account receives
> it.

Correct.  SC chained back thru' the mailserver to the source IP.

> I'm suspicious, why does SpamCop suddenly trust that my bigpond host is
> receiving mail from optusnet when it doesn't even trust mail sent from
> other domains to bigpond?

SC is familiar with the optusnet servers.

> Or is it really the case that optusnet suddenly has an open relay on
> their network?

A server doing its normal job isn't an open relay.  It is just a
mailserver(s) doing its job like your bigpond mailservers do their job.

> I also wonder if my mailhosts setup needs to be reset?  Perhaps one of
> the SC admins can investigate further and let me know.

I'm not a SC admin.  (And/But)  There isn't anything about this item that
would cause me to be concerned that anything needs to be fixed about your
mailhost.


-- 
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid  Fri May 29 05:57:13 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Fri May 29 06:00:03 2009
Subject: [Scspamcop] Re: Is this really from optusnet or is it another
	spammer trick?
References: <gvnq24$aue$1@news.spamcop.net>
Message-ID: <gvobhg$ua4$1@news.spamcop.net>

Geoffrey Hyde wrote:
Subject: Is this really from optusnet or is it another spammer trick?

PS:  Don't start a message question by typing in the subject field.

Create a proper messagebody^1 first.  Then give it a good subject^2.

If you start your typing in the subject, you will end up with both a
flawed/suboptimal message body as well as subject.


^1 a message body provides sufficient unambiguous background and is made
of complete sentences and asks the intended question
^2 a message subject is a very brief title for the message body and is
not a complete sentence


-- 
Mike Easter
kibitzer, not SC admin

From g.hyde at bigNOSPAMpond.net.au  Fri May 29 06:30:16 2009
From: g.hyde at bigNOSPAMpond.net.au (Geoffrey Hyde)
Date: Fri May 29 06:35:03 2009
Subject: [Scspamcop] Re: Is this really from optusnet or is it another
	spammer trick?
References: <gvnq24$aue$1@news.spamcop.net> <gvobhg$ua4$1@news.spamcop.net>
Message-ID: <gvodfu$6jv$1@news.spamcop.net>


"Mike Easter" <MikeE@ster.invalid> wrote in message 
news:gvobhg$ua4$1@news.spamcop.net...
> Geoffrey Hyde wrote:
> Subject: Is this really from optusnet or is it another spammer trick?
>
> PS:  Don't start a message question by typing in the subject field.

Don't start an irrelevant discussion about how I construct my posts and/or 
subject lines.

A final note on the whole "ettiquette" thing:  Don't go there again, I'm 
just going to ignore messages like these that have no relevance to what I'm 
asking about, in future.  You might want to try telling me how I can set up 
OE to do this (in private email please) but if you can't do that (or won't, 
as the case may be) then kindly shut off this faucet of yours.


Cheers ...

Geoffrey Hyde



From nobody at devnull.spamcop.net  Fri May 29 06:45:41 2009
From: nobody at devnull.spamcop.net (Miss Betsy)
Date: Fri May 29 06:50:02 2009
Subject: [Scspamcop] Re: Phishing VS 419
In-Reply-To: <01c9df21$bbb536a0$LocalHost@default>
References: <pan.2009.05.20.16.36.18@spamcop.net><gv1d3a$73u$1@news.spamcop.net>
	<pan.2009.05.20.17.22.46@spamcop.net>
	<gv1gs3$mcc$1@news.spamcop.net> <gv5vcj$7up$1@news.spamcop.net>
	<gv8pn5$41f$1@news.spamcop.net>
	<01c9dbe7$4d23f420$LocalHost@default>
	<gveqgp$g4g$1@news.spamcop.net> <gvf6bb$h02$1@news.spamcop.net>
	<gvhmkh$qvm$1@news.spamcop.net> <gvj09f$vt0$1@news.spamcop.net>
	<01c9df21$bbb536a0$LocalHost@default>
Message-ID: <gvoecg$91n$1@news.spamcop.net>



"Michael R N Dolbear" <me@privacy.net> wrote in message 
news:01c9df21$bbb536a0$LocalHost@default...
<snip>
> They would have to spend a lot of money on data analysis to extract
> email drop boxes and phone numbers for 419 scams and maybe a whole
> network to get phish web sites taken down or blocked as rapidly as
> possible. Would this be cost effective as against the current
> "investigate only if > $BIG has been lost" ?

I was thinking about why law enforcement agencies are not interested in 
<$BIG.  For one thing, it probably is not against any law to send an email 
suggesting the possibility of the recipient receiving a lot of money.  In 
the US, it is against the law, I believe, to send that kind of solicitation 
through the US Mail.  For another, just sending an offer would not carry as 
big a jail sentence as actually defrauding a victim above a certain $ 
amount.   Law enforcement agencies have budgets too.  Why not put away a 
criminal for a number of years rather than a few months?  It surely is more 
cost effective.  If no one takes the bait, then the scammer is going to 
starve anyway.

In the beginning, when spamcop was first formed, there were not that many 
reporters and there may have been a good chance that an end user 
notification would be the first to alert a law enforcement agency that a 
scam was operating.  However, now that anti-spam practices have become more 
sophisticated, law enforcement almost certainly never looks at any 
unsolicited reports.  Why should they, when they can collect a specimen to 
one of their spamtraps, untouched by human hands except the perpetuator?

In addition, the possibility of an end user being there with the first 
report is very, very slim because of the number of reporters.  Only once 
have I ever been the first to report a spam (I don't remember all the 
details, but it couldn't be a spamcop report).  Since I was not a technical 
person - and it being the first report - the server admin did not believe 
me.  However, a few minutes later, I got an email that the server admin had 
gotten several more emails about the problem (open proxy, IIRC) and I had 
been correct.  I think it was in an exchange in the ngs that I got the 
impression that  server admins let other server admins know about problems - 
sort of like a neighbor calling to let you know that your car lights are on. 
That's when I realized that, as an end user, my spamcop reports were really 
only useful to beef up the scbl and that notifying law enforcement was 
absolutely a waste of time.

The chances are probably also  slim about being first to report drop boxes, 
but numbers might make a difference there.  I can't remember now, but IIRC, 
I once got a differently worded reply from yahoo that indicated that no 
action had been taken yet so I could infer that mine was the first report 
or, at least, among the first.

There is a certain satisfaction in reporting spam, though!  As long as the 
law enforcement agencies are willing to accept the reports, it does no harm.

Miss Betsy
an almost new internet user


 

From MikeE at ster.invalid  Fri May 29 09:16:12 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Fri May 29 09:20:05 2009
Subject: [Scspamcop] Re: Is this really from optusnet or is it another
	spammer trick?
References: <gvnq24$aue$1@news.spamcop.net> <gvobhg$ua4$1@news.spamcop.net>
	<gvodfu$6jv$1@news.spamcop.net>
Message-ID: <gvon6i$8dh$1@news.spamcop.net>

Geoffrey Hyde wrote:
> "Mike Easter"

>> PS:  Don't start a message question by typing in the subject field.
>
> Don't start an irrelevant discussion about how I construct my posts
> and/or subject lines.

Its relevant.

> You might want to try telling me how I
> can set up OE to do this

It has nothing to do with your newsagent.  It is the factor BKAC -
between keyboard and chair - namely you the person creating a new message
thread.

> (in private email please)

How you construct your email is up to you, but I'm not interested in
getting any of it.



-- 
Mike Easter
kibitzer, not SC admin

From tmcgraw at spamcop.net  Fri May 29 12:15:27 2009
From: tmcgraw at spamcop.net (Tim McGraw)
Date: Fri May 29 12:20:03 2009
Subject: [Scspamcop] Re: Is this really from optusnet or is it another
	spammer trick?
In-Reply-To: <gvodfu$6jv$1@news.spamcop.net>
References: <gvnq24$aue$1@news.spamcop.net> <gvobhg$ua4$1@news.spamcop.net>
	<gvodfu$6jv$1@news.spamcop.net>
Message-ID: <gvp1n4$qci$1@news.spamcop.net>

Geoffrey Hyde wrote:
> Mike Easter wrote:
>> Geoffrey Hyde wrote:
>> Subject: Is this really from optusnet or is it another spammer trick?
>>
>> PS:  Don't start a message question by typing in the subject field.
> Don't start an irrelevant discussion about how I construct my posts and/or 
> subject lines.
> 
> A final note on the whole "ettiquette" thing:  Don't go there again, I'm 
> just going to ignore messages like these that have no relevance to what I'm 
> asking about, in future.  You might want to try telling me how I can set up 
> OE to do this (in private email please) but if you can't do that (or won't, 
> as the case may be) then kindly shut off this faucet of yours.

If you don't like them, don't read ME's posts.

Unless you're really into trying to make people bend to your will.
From nobody at devnull.spamcop.net  Fri May 29 21:10:28 2009
From: nobody at devnull.spamcop.net (Twayne)
Date: Fri May 29 21:15:03 2009
Subject: [Scspamcop] OT Re: Is this really from optusnet or is it another
	spammer trick?
References: <gvnq24$aue$1@news.spamcop.net> <gvobhg$ua4$1@news.spamcop.net>
	<gvodfu$6jv$1@news.spamcop.net> <gvp1n4$qci$1@news.spamcop.net>
Message-ID: <gvq123$tjm$1@news.spamcop.net>

Tim McGraw wrote:
> Geoffrey Hyde wrote:
>> Mike Easter wrote:
>>> Geoffrey Hyde wrote:
>>> Subject: Is this really from optusnet or is it another spammer
>>> trick? PS:  Don't start a message question by typing in the subject 
>>> field.
>> Don't start an irrelevant discussion about how I construct my posts
>> and/or subject lines.
>>
>> A final note on the whole "ettiquette" thing:  Don't go there again,
>> I'm just going to ignore messages like these that have no relevance
>> to what I'm asking about, in future.  You might want to try telling
>> me how I can set up OE to do this (in private email please) but if
>> you can't do that (or won't, as the case may be) then kindly shut
>> off this faucet of yours.
>
> If you don't like them, don't read ME's posts.
>
> Unless you're really into trying to make people bend to your will.

Well, that thread certainly went atopically. An OT here & there would 
help people know that there isn't anything left worth reading on the 
OP's side, folks.  When one has nothing to say in support of the OP's 
questions and comments, then that's exactly what they should say - 
nothing.  Or at least start a new post about being off topic or go to 
geeks, or better yet, .social; I never bother to read that one.
   I CAN get x-No Archive to work, but why bother? OT should be enough 
to say that this post had nothing of any use to the OP.

Twayne 


From MikeE at ster.invalid  Fri May 29 22:37:23 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Fri May 29 22:40:03 2009
Subject: [Scspamcop] Re: OT Re: Is this really from optusnet or is it
	another spammer trick?
References: <gvnq24$aue$1@news.spamcop.net> <gvobhg$ua4$1@news.spamcop.net>
	<gvodfu$6jv$1@news.spamcop.net> <gvp1n4$qci$1@news.spamcop.net>
	<gvq123$tjm$1@news.spamcop.net>
Message-ID: <gvq64o$gaa$1@news.spamcop.net>

Twayne wrote:

>   OT should be enough
> to say that this post had nothing of any use to the OP.

Some people like to change the Subject field of a thread which is still
strung together by its References line, depending upon how a person likes
to sort their message view, by chronological subject or by references.

Some people don't - aren't partial to subject changing.  I'm not
(inclined to subject change).  I just let the content drift where it
will, since I consider the content of the message body to be what is
currently going on in a particular thread not what its subject *used to
be* as created by the OP.  Any OP in this case, not just GH.

This 'subthread' is all about the subject field handling - first the
original, now its evolution.  If we wanted, everyone could change the
References thread subject for every post in a thread to reflect the
direction that the original References thread has wandered from the OP.

I could change this Subject: to 'Subject field' or something.



-- 
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net  Sat May 30 15:40:55 2009
From: nobody at devnull.spamcop.net (Twayne)
Date: Sat May 30 15:45:04 2009
Subject: [Scspamcop] Re: OT Re: Is this really from optusnet or is it
	another spammer trick?
References: <gvnq24$aue$1@news.spamcop.net> <gvobhg$ua4$1@news.spamcop.net>
	<gvodfu$6jv$1@news.spamcop.net> <gvp1n4$qci$1@news.spamcop.net>
	<gvq123$tjm$1@news.spamcop.net> <gvq64o$gaa$1@news.spamcop.net>
Message-ID: <gvs244$m31$1@news.spamcop.net>

Mike Easter wrote:

>
> I could change this Subject: to 'Subject field' or something.

You could, but that would be silly.  I know you're aware of it so you 
may wish to reread the RFC section on Subjects in newgroups.  All that 
would do is confuse the issue for anyone looking for relevant Subjects. 
You're often about netiquette; I'm surprised you wouldn't wish to follow 
it.

Twayne`


From tmcgraw at spamcop.net  Sat May 30 16:51:09 2009
From: tmcgraw at spamcop.net (Tim McGraw)
Date: Sat May 30 16:55:03 2009
Subject: [Scspamcop] Re: OT Re: Is this really from optusnet or is it
 another spammer trick?
In-Reply-To: <gvs244$m31$1@news.spamcop.net>
References: <gvnq24$aue$1@news.spamcop.net> <gvobhg$ua4$1@news.spamcop.net>
	<gvodfu$6jv$1@news.spamcop.net> <gvp1n4$qci$1@news.spamcop.net>
	<gvq123$tjm$1@news.spamcop.net> <gvq64o$gaa$1@news.spamcop.net>
	<gvs244$m31$1@news.spamcop.net>
Message-ID: <4A219C3D.9020302@spamcop.net>

Twayne wrote:
> Mike Easter wrote:
> 
>> I could change this Subject: to 'Subject field' or something.
> 
> You could, but that would be silly.  I know you're aware of it so you 
> may wish to reread the RFC section on Subjects in newgroups.

Funny that you should mention that, since the RFC that applies only 
states that if the message is submitted in response to another message, 
the default subject should begin with "Re:".

> You're often about netiquette; I'm surprised you wouldn't wish to follow 
> it.

By the context it was clear enough ME was speaking hypothetically, 
though it might have been clearer had he said, "I could change the 
Subject: to 'Foo'."
From jay at spam-block.net  Sat May 30 17:10:21 2009
From: jay at spam-block.net (Jay Teutenberg)
Date: Sat May 30 17:15:03 2009
Subject: [Scspamcop] Re: spamcop thinks my ips from 5 years ago are still
	mine
References: <gs4kgc$9aq$1@news.spamcop.net> <gs4p3o$q8t$1@news.spamcop.net>
	<gs9ubo$2vf$1@news.spamcop.net> <gsa3b8$nb2$1@news.spamcop.net>
	<gsse0i$j89$1@news.spamcop.net> <gssj5o$bee$1@news.spamcop.net>
	<gsski6$lh1$1@news.spamcop.net>
Message-ID: <gvs7bs$g6t$1@news.spamcop.net>

Sorry if I wasnt clear in my communication,
spamcop sends to me still, even today,
and my email address is not jwbewster@ptci.com,
thats why I sent headers, so that maybe spamcop
can drill down on the problem.

Jay


"Mike Easter" <MikeE@ster.invalid> wrote in message 
news:gsski6$lh1$1@news.spamcop.net...
> Mike Easter wrote:
>
>> I'm not Ellen or any other SC admin, but I can see where SC got the ARIN
>> contact information.
>>
>> Someone needs to fix the arin data.  Here is a link to what arin wants
>> done to fix the contact information:
>
> Disregard the above.
>
> I'm not understanding the Jay Teutenberg communication.  All I know is
> that SC and arin think that jwbrewster@ptci.com is the contact for
> 216.176.160.0/20 based on arin reg'd comments
>
> http://www.spamcop.net/sc?track=216.176.161.237
>
>
>
> -- 
> Mike Easter
> kibitzer, not SC admin
> 


From MikeE at ster.invalid  Sat May 30 17:56:11 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Sat May 30 18:00:03 2009
Subject: [Scspamcop] Re: spamcop thinks my ips from 5 years ago are still
	mine
References: <gs4kgc$9aq$1@news.spamcop.net> <gs4p3o$q8t$1@news.spamcop.net>
	<gs9ubo$2vf$1@news.spamcop.net> <gsa3b8$nb2$1@news.spamcop.net>
	<gsse0i$j89$1@news.spamcop.net> <gssj5o$bee$1@news.spamcop.net>
	<gsski6$lh1$1@news.spamcop.net> <gvs7bs$g6t$1@news.spamcop.net>
Message-ID: <gvsa1t$q5p$1@news.spamcop.net>

Jay Teutenberg wrote:
> Sorry if I wasnt clear in my communication,
> spamcop sends to me still, even today,
> and my email address is not jwbewster@ptci.com,
> thats why I sent headers, so that maybe spamcop
> can drill down on the problem.

 -1- Don't top post
 -2- If you want to talk to spamcop admin, email deputies at
admin.spamcop.net if you can't accomplish your aims with this section
http://www.spamcop.net/fom-serve/cache/266.html  How can I control what
type of reports I receive?
 -3- Not that it is important for me to understand anything you are
trying to say, but I still don't know what you are talking about, while I
do know that SC is currently^1 (after I refreshed the cache) using the
default RIR/ARIN algo for notifies for the following blocks, not showing
any routing information from a SC deputy.

12.174.25.0/24 = abuse@att.net
207.230.56.0/23 = jay@dam.net
216.178.0.0/19 = dan@dextermo.net


^1 based on the lookup on the individual IP, not based on a spam parse


-- 
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid  Sat May 30 18:11:59 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Sat May 30 18:15:03 2009
Subject: [Scspamcop] Re: OT Re: Is this really from optusnet or is it
	another spammer trick?
References: <gvnq24$aue$1@news.spamcop.net> <gvobhg$ua4$1@news.spamcop.net>
	<gvodfu$6jv$1@news.spamcop.net> <gvp1n4$qci$1@news.spamcop.net>
	<gvq123$tjm$1@news.spamcop.net> <gvq64o$gaa$1@news.spamcop.net>
	<gvs244$m31$1@news.spamcop.net>
Message-ID: <gvsavh$srs$1@news.spamcop.net>

Twayne wrote:
> Mike Easter wrote:

>> I could change this Subject: to 'Subject field' or something.
>
> You could, but that would be silly.

No it wouldn't be silly at all.  The subject, which in this case is a bad
one created by GH and which has been altered 'inappropriately' (not
according to guidelines) by you, is not the topic we are discussing down
here in the body.

What would be more appropriate would be if -1- GH had made a proper
subject in the first place and then -2- if you were going to change it,
that you change it in the manner of 'newsubject' was: 'oldsubject' and
then -3- if I were going to change it again to what we are really talking
about, I would change it again and do it in the described fashion of
'was' again.

> I know you're aware of it so you
> may wish to reread the RFC section on Subjects in newgroups.

No.  I'm not aware of the rfc section on subjects.  What is it that you
want to say it sez?

> All that
> would do is confuse the issue for anyone looking for relevant Subjects.

I don't know what you mean by that.  Confuse what issue for anyone doing
what with subjects?  IMO, you cannot find a discussion about something in
a newsgroup (or in the pipermail archives) by searching on the subjects.
You have to search for your terms in the whole body of the message.  I
don't find newsgroup subjects to be a very useful tool for searching at
all, whether I'm using googleweb on pipermail or GG on usenet.

> You're often about netiquette; I'm surprised you wouldn't wish to
follow
> it.

You've completely lost me.  Are you saying that you think it is against
the netiquette to change subjects in the manner I described?  Or are you
thinking that it is against the netiquette to change subjects in some
manner as yet undescribed?

I'm not talking about some kind of 'bad' subject changing in which
someone starts a new topic by replying to a message and deletes all of
the message body and deletes all of the subject and replaces the old
subject with a new subject and creates an entirely new body not based on
a reply.

Under those circumstances, everything about the message looks like a new
thread except the message has a References line reflecting its
association with the pre-existing thread.


-- 
Mike Easter
kibitzer, not SC admin