From nobody at spamcop.net Mon Nov 2 00:11:13 2009 From: nobody at spamcop.net (Richard W) Date: Mon Nov 2 00:15:09 2009 Subject: [Scspamcop] Re: Yahoo abuse reports - needs fixing In-Reply-To: References: Message-ID: Jonathan Yaniv wrote: > Can you please change the contact email address for yahoo abuse reports > to network-abuse@cc.yahoo-inc.com I am finding that the reports for > Yahoo that I am sending in SpamCop are not doing anything.. We do a lot of work with Yahoo. We send reports to an address they have set up just for our reports. We won't send to a different address without their request. Richard From nobody at nowhere.not Mon Nov 2 14:32:31 2009 From: nobody at nowhere.not (Robert Blair) Date: Mon Nov 2 14:35:08 2009 Subject: [Scspamcop] attention deputies Message-ID: Both of these problems have been previously reported. truncated reporting address ----- rodolfo.rughi@mondoesa http://www.spamcop.net/sc?id=z3463206196ze56434bb5338d5e2a09ccee8b65228aaz HTML code intermingled with the text in the quick reporting response. This is only on the quick reporting reply. The web site does not have this problem. Cached whois for 222.254.105.89 : ipmanager_vtn@vnpt.com.vn ipabuse_vtn@vnpt.com.vn Using abuse net on ipabuse_vtn@vnpt.com.vn abuse net vnpt.com.vn = office@vncert.vn, abuse@vnpt.com.vn Using best contacts office@vncert.vn abuse@vnpt.com.vn error:ISP has indicated spam will cease; ISP resolved this issue sometime after Message is 6 hours old May be saved for future reference: http://www.spamcop.net/sc?id=z3463204929z9135ab2adf14fd2bbfa28fd7e9d04ecez -- Robert Blair From asterix at no_where.net Wed Nov 11 10:01:15 2009 From: asterix at no_where.net (Asterix) Date: Wed Nov 11 11:05:07 2009 Subject: [Scspamcop] Web address in Subject line not parsed Message-ID: <1j910e1.1dzggs61gzsi5fN%asterix@no_where.net> http://www.spamcop.net/sc?id=z3488173676zc119bdc041733c5046cc27fcbcf79374z The subject line i this spam contains "www.sprotiv.org" This address is not parsed by SC. Why? -- I recommend Macs to my friends, and Windows machines to those whom I don't mind billing by the hour From MikeE at ster.invalid Wed Nov 11 13:56:28 2009 From: MikeE at ster.invalid (Mike Easter) Date: Wed Nov 11 14:00:07 2009 Subject: [Scspamcop] Re: Web address in Subject line not parsed References: <1j910e1.1dzggs61gzsi5fN%asterix@no_where.net> Message-ID: Asterix wrote: > http://www.spamcop.net/sc?id=z3488173676zc119bdc041733c5046cc27fcbcf7937 4z > > The subject line i this spam contains "www.sprotiv.org" > This address is not parsed by SC. Why? SC does not parse the subject for spamvertisers, just the message body in html or plaintext, not graphic. Also, I'm not so sure about this spam's 'purpose' or payload. It looks like it might be either a joejob or a bogus joejob. That website is not anything like what the spam says; it is a .ua Ukranian news site, not kiddy porn and explosives and illegal drugs OTOH; I generally recommend against reading one's spam or trying to figure out what was in the 'mind' of the spammer/spamprocess. -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Wed Nov 11 21:16:34 2009 From: nobody at devnull.spamcop.net (Patto) Date: Wed Nov 11 21:20:08 2009 Subject: [Scspamcop] Re: Web address in Subject line not parsed In-Reply-To: References: <1j910e1.1dzggs61gzsi5fN%asterix@no_where.net> Message-ID: Mike Easter wrote: > Asterix wrote: > http://www.spamcop.net/sc?id=z3488173676zc119bdc041733c5046cc27fcbcf7937 > 4z >> The subject line i this spam contains "www.sprotiv.org" >> This address is not parsed by SC. Why? > > SC does not parse the subject for spamvertisers, just the message body > in html or plaintext, not graphic. > > Also, I'm not so sure about this spam's 'purpose' or payload. It looks > like it might be either a joejob or a bogus joejob. > > That website is not anything like what the spam says; it is a .ua > Ukranian news site, not kiddy porn and explosives and illegal drugs > > OTOH; I generally recommend against reading one's spam or trying to > figure out what was in the 'mind' of the spammer/spamprocess. Just curious: what is a "bogus joejob"...? From MikeE at ster.invalid Thu Nov 12 00:12:49 2009 From: MikeE at ster.invalid (Mike Easter) Date: Thu Nov 12 00:15:09 2009 Subject: [Scspamcop] Re: Web address in Subject line not parsed References: <1j910e1.1dzggs61gzsi5fN%asterix@no_where.net> Message-ID: Patto wrote: > Mike Easter wrote: >> Also, I'm not so sure about this spam's 'purpose' or payload. It looks >> like it might be either a joejob or a bogus joejob. >> >> That website is not anything like what the spam says; it is a .ua >> Ukranian news site, not kiddy porn and explosives and illegal drugs >> >> OTOH; I generally recommend against reading one's spam or trying to >> figure out what was in the 'mind' of the spammer/spamprocess. > > Just curious: what is a "bogus joejob"...? It is hypothetical, because one can only suspect but not prove.... ... but, I have seen situations in which a website was 'promoted' in spam which falsely portrayed the site - a webforum - as being related to all kinds of criminal activity much like this spam -- illegal drugs, kiddy porn, illegal explosives, illegal assault weapons -- which caused a great deal of 'attention' to the webforum which cried out that the spam was a joejob. However and consequently, the webforum site gained a lot of audience which it didn't have before because of all of the publicity and attention which it gained. It gained attention when spamfighters were visiting the site as being spamvertised, it gained more attention when spamfighters were discussing the (alleged) joejob, it gained more attention when bloggers discussed the spam and the site and the (alleged) joe job. A joejob is supposed to cause something 'bad' to happen to the jobbed when their provider squashes their site unfairly. Instead, if someone - some website/webforum - is clever enough to pull off a bogus joejob and get more publicity and webforum members and only good comes of what initally might /appear/ to be a joejob, then I the skeptic am inclined to think about bogus joejob perpetrated by the jobbed who benefitted. -- Mike Easter kibitzer, not SC admin From tmcgraw at spamcop.net Thu Nov 12 00:20:34 2009 From: tmcgraw at spamcop.net (Tim McGraw) Date: Thu Nov 12 00:25:09 2009 Subject: [Scspamcop] Re: Web address in Subject line not parsed In-Reply-To: References: <1j910e1.1dzggs61gzsi5fN%asterix@no_where.net> Message-ID: Mike Easter wrote: > Patto wrote: >> Just curious: what is a "bogus joejob"...? > A joejob is supposed to cause something 'bad' to happen to the jobbed > when their provider squashes their site unfairly. Instead, if someone - > some website/webforum - is clever enough to pull off a bogus joejob and > get more publicity and webforum members and only good comes of what > initally might /appear/ to be a joejob, then I the skeptic am inclined > to think about bogus joejob perpetrated by the jobbed who benefitted. False Flag. From asterix at no_where.net Thu Nov 12 09:47:27 2009 From: asterix at no_where.net (Asterix) Date: Thu Nov 12 10:50:09 2009 Subject: [Scspamcop] Re: Web address in Subject line not parsed References: <1j910e1.1dzggs61gzsi5fN%asterix@no_where.net> Message-ID: <1j92tue.82kaez155w4fvN%asterix@no_where.net> Mike Easter wrote: > Asterix wrote: > > > http://www.spamcop.net/sc?id=z3488173676zc119bdc041733c5046cc27fcbcf7937 > 4z > > > > The subject line i this spam contains "www.sprotiv.org" > > This address is not parsed by SC. Why? > > SC does not parse the subject for spamvertisers, just the message body > in html or plaintext, not graphic. That was my anticipated answer. > Also, I'm not so sure about this spam's 'purpose' or payload. It looks > like it might be either a joejob or a bogus joejob. > > That website is not anything like what the spam says; it is a .ua > Ukranian news site, not kiddy porn and explosives and illegal drugs > > OTOH; I generally recommend against reading one's spam or trying to > figure out what was in the 'mind' of the spammer/spamprocess. Well, you just did all of the above :-) And I didn't even mention the contents (except the subject line). I also oppose to "not reading" spam. How else can I tell it's spam? Of course, sender and subject line are mostly a giveaway. Nowadays, I only report spam that is *not* cought by my mail client's spam filter, but I frequently - say weekly - get a false positive, so I regularly check the Junk mailbox(es) in my mail client. When in doubt, of course I have to read the spam. I also read selected domestic spam to send LARTs through our Consumer Agency's web site. There you are required to specify what the spammer is trying to promote/sell. Of course you should recommend against opening any attachments in spam - unless it is done in a safe environment - i.e. not Windows or Office :-) -- I recommend Macs to my friends, and Windows machines to those whom I don't mind billing by the hour From MikeE at ster.invalid Thu Nov 12 11:24:20 2009 From: MikeE at ster.invalid (Mike Easter) Date: Thu Nov 12 11:25:07 2009 Subject: [Scspamcop] Re: Web address in Subject line not parsed References: <1j910e1.1dzggs61gzsi5fN%asterix@no_where.net> <1j92tue.82kaez155w4fvN%asterix@no_where.net> Message-ID: Asterix wrote: > Mike Easter >> OTOH; I generally recommend against reading one's spam or trying to >> figure out what was in the 'mind' of the spammer/spamprocess. > > Well, you just did all of the above :-) > And I didn't even mention the contents (except the subject line). > > I also oppose to "not reading" spam. How else can I tell it's spam? As a 'discipline', I think the process of examining spam is best accomplished by inspecting the message source, not by opening it when it is located in the Inbox as if it were goodmail. Spam is designed to try to get into your Inbox with your goodmail. Spam is similarly designed to 'attract' your attention with its subject/from and to make you think it might be goodmail. It is designed to cause you to open it for one reason or another; because it has eluded filtration and achieved your inbox, because its subject/from has misled you, because its subject/from has caused you to be curious about its body content even tho' you know it is spam. Ideally, I think virtually all of the spam should be properly identified by a powerful discriminatry spamfilter along the lines of SpamPal or SpamAssassin which uses configurable blocklists and message body regex and diverted away from the inbox into a junk folder. Your eyeball brain modulus are not as sophisticated as a blocklist or a regular expression and also function much more slowly. Such a SA/SP filter can do a much better job of inspecting the message source and headers for spammish characteristics than human eyeballs. I say that almost all spam can be identified as such from the headers without even seeing the message body in the message source. > Nowadays, I only report spam that is *not* cought by my mail client's > spam filter, but I frequently - say weekly - get a false positive, so I > regularly check the Junk mailbox(es) in my mail client. When in doubt, > of course I have to read the spam. I think it is very very bad for goodmail to get into the Junk folder; that the ideal spam filter can leak some spam as false negative, but it should not catch goodmail as spam as false positive. That is an invitation to lose goodmail, because digging thru' the spam is a nasty business that can easily overlook a goodmail just like diving in a garbage dumpster is hard to find a lost item. > I also read selected domestic spam to send LARTs through our Consumer > Agency's web site. There you are required to specify what the spammer is > trying to promote/sell. I don't understand the purpose of such a consumer agency site. What is its address? > Of course you should recommend against opening any attachments in spam - > unless it is done in a safe environment - i.e. not Windows or Office :-) Insecure mailagents and operating systems with inboxes containing goodmail, spam, and malware all mixed up together is a formula for disaster. That's one reason that I believe that the discipline of handling mail by its message source instead of opening it is a good practice. It also teaches the 'student' who uses the practice to learn about mailheaders and it motivates that student to configure to keep the spam out of the inbox. It also motivates the student to configure to keep all - 100% - of the goodmail out of the Junk folder, because the student doesn't want the 'tedium' of having to handle all of these mails which need to be inspected by doing so from the message source. -- Mike Easter kibitzer, not SC admin From me at privacy.net Thu Nov 12 13:15:41 2009 From: me at privacy.net (Michael R N Dolbear) Date: Thu Nov 12 13:20:08 2009 Subject: [Scspamcop] Re: Web address in Subject line not parsed References: <1j910e1.1dzggs61gzsi5fN%asterix@no_where.net> Message-ID: <01ca63c2$1edbb180$LocalHost@default> Asterix wrote http://www.spamcop.net/sc?id=z3488173676zc119bdc041733c5046cc27fcbcf7937 4z > > The subject line i this spam contains "www.sprotiv.org" > This address is not parsed by SC. Why? Would the parser have parsed it in the body ? ie not http://www.example.com -- Mike D From asterix at no_where.net Fri Nov 13 18:48:50 2009 From: asterix at no_where.net (Asterix) Date: Fri Nov 13 19:50:07 2009 Subject: [Scspamcop] Re: Web address in Subject line not parsed References: <1j910e1.1dzggs61gzsi5fN%asterix@no_where.net> <01ca63c2$1edbb180$LocalHost@default> Message-ID: <1j95bkg.xkupnn16jubavN%asterix@no_where.net> Michael R N Dolbear wrote: > Asterix wrote > > http://www.spamcop.net/sc?id=z3488173676zc119bdc041733c5046cc27fcbcf7937 > 4z > > > > The subject line i this spam contains "www.sprotiv.org" > > This address is not parsed by SC. Why? > > Would the parser have parsed it in the body ? > > ie not http://www.example.com In my experience, SC would attempt to parse anything starting with "www.". Of course, this may have changed, but I don't think so. Look at Mike Easter's answer - they don't parse Subject: headers. Have a nice day -- I recommend Macs to my friends, and Windows machines to those whom I don't mind billing by the hour From asterix at no_where.net Fri Nov 13 18:48:51 2009 From: asterix at no_where.net (Asterix) Date: Fri Nov 13 19:50:07 2009 Subject: [Scspamcop] Re: Web address in Subject line not parsed References: <1j910e1.1dzggs61gzsi5fN%asterix@no_where.net> <1j92tue.82kaez155w4fvN%asterix@no_where.net> Message-ID: <1j95brq.od7cgj1qldqihN%asterix@no_where.net> Mike Easter wrote: > Asterix wrote: > > Mike Easter > > >> OTOH; I generally recommend against reading one's spam or trying to > >> figure out what was in the 'mind' of the spammer/spamprocess. > > > > Well, you just did all of the above :-) > > And I didn't even mention the contents (except the subject line). > > > > I also oppose to "not reading" spam. How else can I tell it's spam? > > As a 'discipline', I think the process of examining spam is best > accomplished by inspecting the message source, not by opening it when it > is located in the Inbox as if it were goodmail. Spam is designed to try > to get into your Inbox with your goodmail. Spam is similarly designed > to 'attract' your attention with its subject/from and to make you think > it might be goodmail. It is designed to cause you to open it for one > reason or another; because it has eluded filtration and achieved your > inbox, because its subject/from has misled you, because its subject/from > has caused you to be curious about its body content even tho' you know > it is spam. Of course, by "open", I mean, inspecting the source. But, in most mail clients, you need to open the mail one way or the other - at least in preview mode - in order to access the "View as source" option. Of course, you can disable the preview pane, but it's quite useful for goodmail. I used to have it turned off when I used Eudora, but not any more. > Ideally, I think virtually all of the spam should be properly identified > by a powerful discriminatry spamfilter along the lines of SpamPal or > SpamAssassin which uses configurable blocklists and message body regex > and diverted away from the inbox into a junk folder. Your eyeball brain > modulus are not as sophisticated as a blocklist or a regular expression > and also function much more slowly. I know about that, but I'm quite comfortable with the built-in spam filter of Apple's Mail. Anyway, around 90% of my spam is marked |SPAM] by SA on a mail server I've used for 20+ years. Most of the rest is domestic spam to a private address conneted to a elective office I hold. Those spammers are bending the spam rules by sending essentially "serious" marketing stuff to a lot more people than they should. > Such a SA/SP filter can do a much better job of inspecting the message > source and headers for spammish characteristics than human eyeballs. I > say that almost all spam can be identified as such from the headers > without even seeing the message body in the message source. As I said, I don't "open" any spam in the Junk box, as I don't report that spam any more. I only report false negatives. > > Nowadays, I only report spam that is *not* cought by my mail client's > > spam filter, but I frequently - say weekly - get a false positive, so > I > > regularly check the Junk mailbox(es) in my mail client. When in doubt, > > of course I have to read the spam. > > I think it is very very bad for goodmail to get into the Junk folder; > that the ideal spam filter can leak some spam as false negative, but it > should not catch goodmail as spam as false positive. That is an > invitation to lose goodmail, because digging thru' the spam is a nasty > business that can easily overlook a goodmail just like diving in a > garbage dumpster is hard to find a lost item. I'm still quite comfy with browsing the junk box on a daily basis, and with around 20-30 pieces of spam a day it's in no way tedious or hard. > > I also read selected domestic spam to send LARTs through our Consumer > > Agency's web site. There you are required to specify what the spammer > is > > trying to promote/sell. > > I don't understand the purpose of such a consumer agency site. What is > its address? It's a government office. It is our counterpart to FTC. http://www.konsumentverket.se/ The site is in Swedish: But I agree, It's a clunky way to report spam, but it also adds data to the office's registry so they can pursue lawsuites and other measures. > > Of course you should recommend against opening any attachments in > spam - > > unless it is done in a safe environment - i.e. not Windows or Office > :-) > > Insecure mailagents and operating systems with inboxes containing > goodmail, spam, and malware all mixed up together is a formula for > disaster. That's one reason that I believe that the discipline of > handling mail by its message source instead of opening it is a good > practice. It also teaches the 'student' who uses the practice to learn > about mailheaders and it motivates that student to configure to keep the > spam out of the inbox. It also motivates the student to configure to > keep all - 100% - of the goodmail out of the Junk folder, because the > student doesn't want the 'tedium' of having to handle all of these mails > which need to be inspected by doing so from the message source. In my experience *no* spam filter - keep 100% of the goodmail out of the Junk folder. You *will* get false positives eventually. In my view it's much better to accept that as a fact instead of losing mail because I never look in the junk box. I wouldn't trust any filter that much. I am the final judge of what is spam in my mailbox. -- I recommend Macs to my friends, and Windows machines to those whom I don't mind billing by the hour From OCXZIBYDBUTE at spammotel.com Mon Nov 16 14:04:09 2009 From: OCXZIBYDBUTE at spammotel.com (Karl-Josef Ziegler) Date: Mon Nov 16 14:05:09 2009 Subject: [Scspamcop] Re: Web address in Subject line not parsed In-Reply-To: References: <1j910e1.1dzggs61gzsi5fN%asterix@no_where.net> Message-ID: Mike Easter wrote: > Also, I'm not so sure about this spam's 'purpose' or payload. It looks > like it might be either a joejob or a bogus joejob. Surely, it's really crying joejob: [quote] Subject: Everything for terrorism on www.sprotiv.org Drugs (cocaine, heroin), missile (made in Russia), C4 explosive, children`s organs, and much more! Best child porno on the netSee Free Porno Pictures, Free Porn Videos, Hot Porno Movies in Daily Updated Porn Galleries. ... Hot Virtual Sex Game! Get a realistic pussy today [/quote] It's a critical political website in .ua so the joejob seems to be politically motivated. - Karl-Josef From asterix at no_where.net Mon Nov 16 13:48:45 2009 From: asterix at no_where.net (Asterix) Date: Mon Nov 16 14:50:08 2009 Subject: [Scspamcop] Re: Web address in Subject line not parsed References: <1j910e1.1dzggs61gzsi5fN%asterix@no_where.net> Message-ID: <1j9ak37.jy0o2ujs5yupN%asterix@no_where.net> Karl-Josef Ziegler wrote: > Mike Easter wrote: > > > Also, I'm not so sure about this spam's 'purpose' or payload. It looks > > like it might be either a joejob or a bogus joejob. > > Surely, it's really crying joejob: That is a strong argument against the "don't read your spam" advice. If you don't read the body, you can't tell, can you? Well, maybe in this case, the subject is a giveaway... Actually, I didn't read this one before reporting, so if www.sprotiv.org had been in the body it would have been reported. > > [quote] > Subject: Everything for terrorism on www.sprotiv.org > Drugs (cocaine, heroin), missile (made in Russia), C4 explosive, > children`s organs, and much more! > Best child porno on the netSee Free Porno Pictures, Free Porn Videos, > Hot Porno Movies in Daily Updated Porn Galleries. ... Hot Virtual Sex > Game! Get a realistic pussy today > [/quote] > > It's a critical political website in .ua so the joejob seems to be > politically motivated. > > - Karl-Josef -- I recommend Macs to my friends, and Windows machines to those whom I don't mind billing by the hour From MikeE at ster.invalid Mon Nov 16 15:27:14 2009 From: MikeE at ster.invalid (Mike Easter) Date: Mon Nov 16 15:30:08 2009 Subject: [Scspamcop] Re: Web address in Subject line not parsed References: <1j910e1.1dzggs61gzsi5fN%asterix@no_where.net> Message-ID: Karl-Josef Ziegler wrote: > Mike Easter wrote: > >> Also, I'm not so sure about this spam's 'purpose' or payload. It looks >> like it might be either a joejob or a bogus joejob. > > Surely, it's really crying joejob: > > [quote] > Subject: Everything for terrorism on www.sprotiv.org > Drugs (cocaine, heroin), missile (made in Russia), C4 explosive, > children`s organs, and much more! > Best child porno on the netSee Free Porno Pictures, Free Porn Videos, > Hot Porno Movies in Daily Updated Porn Galleries. ... Hot Virtual Sex > Game! Get a realistic pussy today > [/quote] > > It's a critical political website in .ua so the joejob seems to be > politically motivated. Yabbut; if the purpose of a joejob is to cause trouble for the jobbed; how is such a blatant lie/misrepresentation going to cause the site trouble with the provider? More like a joke. The provider for source or spamvertiser gets a complaint about the spam. The provider looks at the spam and finds that it can't possibly be purposed to promote the site - that it is glaringly bogus - as the discussion in .it.news.net-abuse says, 'it is too blatant'. I didn't go to the trouble to translate the rest of the .it conversation but the topic of joejob arose. How is that going to hurt the site? http://snipr.com/t9lz0 Newsgroups: it.news.net-abuse Subject: Con questi non ci si fa mancare nulla... Date: Tue, 10 Nov 2009 11:19:50 +0100 Message-ID: -- Mike Easter kibitzer, not SC admin From tmcgraw at spamcop.net Mon Nov 16 17:09:07 2009 From: tmcgraw at spamcop.net (Tim McGraw) Date: Mon Nov 16 17:15:08 2009 Subject: [Scspamcop] Re: Web address in Subject line not parsed In-Reply-To: References: <1j910e1.1dzggs61gzsi5fN%asterix@no_where.net> Message-ID: Mike Easter wrote: > Karl-Josef Ziegler wrote: >> Surely, it's really crying joejob: >> >> ... >> >> It's a critical political website in .ua so the joejob seems to be >> politically motivated. > > Yabbut; if the purpose of a joejob is to cause trouble for the jobbed; > how is such a blatant lie/misrepresentation going to cause the site > trouble with the provider? More like a joke. > > Two thoughts: One, automated listings, such as www.surbl.org. Two, you never know what people will and won't believe. If you send out one million emails with the subject "Shadowcrew has charged $149.95 to your credit card for membership fees and a '3 pack of child porn CD.'" a few hundred will respond, and I bet some of them don't even have credit cards. From nobody at spamcop.net Mon Nov 16 18:31:50 2009 From: nobody at spamcop.net (Richard W) Date: Mon Nov 16 18:35:08 2009 Subject: [Scspamcop] Planned Maintenance Window - Tuesday, November 17, 1:00pm to 4:00pm -0800 Message-ID: Scheduled server maintenance and software upgrades will be taking place starting at 1:00 p.m. PST (-0800) Tuesday, November 17, 2009. During this time the SpamCop Reporting Service will not be available for a period of up to three hours in duration. Visitors will find the site in maintenance mode. Emailed spam submissions will be accepted, but processing will be delayed until after the maintenance process. There will also most likely be a processing delay for several hours after the service is brought back online to clear the backlog. The purpose of this maintenance will be to deploy a hot patch, bringing SpamCop to version 4.6.0.030 and fixing some minor bugs in the last deployment. This will not affect the SpamCop/CESmail email service, newsgroups or forums. Richard From nobody at spamcop.net Tue Nov 17 12:23:23 2009 From: nobody at spamcop.net (Dar Sword) Date: Tue Nov 17 12:25:09 2009 Subject: [Scspamcop] No source IP address found Message-ID: No source IP address found, cannot proceed. http://www.spamcop.net/sc?id=z3505146720z4e84ef2f89803e31d87ee5c089beb1bfz When I read the headers, I see: invoked from network? Anyone? ~ Dar From bert at iphouse.com Tue Nov 17 12:41:21 2009 From: bert at iphouse.com (Bert Hyman) Date: Tue Nov 17 12:45:08 2009 Subject: [Scspamcop] Re: No source IP address found References: Message-ID: In news:hdum6f$agm$1@news.spamcop.net "Dar Sword" wrote: > No source IP address found, cannot proceed. > > http://www.spamcop.net/sc?id=z3505146720z4e84ef2f89803e31d87ee5c089beb1 > bfz > > When I read the headers, I see: invoked from network? Anyone? The addresses in this header look like they're in IPv6 format: Received: from EXVS01.secure.hosting ([fe80::4cba:1e2c:9b89:cacb]) by EXHUB01.secure.hosting ([2002:74d5:223::74d5:223]) with mapi; Mon, 16 Nov 2009 21:24:47 +1100 -- Bert Hyman St. Paul, MN bert@iphouse.com From MikeE at ster.invalid Tue Nov 17 13:07:28 2009 From: MikeE at ster.invalid (Mike Easter) Date: Tue Nov 17 13:10:08 2009 Subject: [Scspamcop] Re: No source IP address found References: Message-ID: Dar Sword wrote: > No source IP address found, cannot proceed. > > http://www.spamcop.net/sc?id=z3505146720z4e84ef2f89803e31d87ee5c089beb1b fz > > When I read the headers, I see: invoked from network? Anyone? The problem is that the (possibly) 'securehosting' server which received the message failed to stamp its traceline compliantly. Received: from smtp01.ozhosting.com (HELO EXHUB01.secure.hosting) (116.213.2.35) by with (AES128-SHA encrypted) SMTP; 16 Nov 2009 02:26:06 -0800 In between 'by' and 'with' above belongs an essential element, the hostname of the server which received it -- that would be *your* mailserver which has the mailbox where you got the message. As an example, EL's server's by field is mx-bracke.atl.sa.earthlink.net That is, the message was received from 116.213.2.35 rDNS smtp01.ozhosting.com which is stamped with a bad or bogus helo EXHUB01.secure.hosting - that helo could be 'bogus' created by the sender, or, since the receiving server is misconfigured in the 'by' field, it may be misconfigured 'all over the place'. This server's received mail cannot be parsed by spamcop in its current condition. What is its name? I suspect it also stamped the messageid, or else the sender stamped everything that way, mid, helo, etc. Message-ID: <814D__9141@EXVS01.secure.hosting> -- Mike Easter kibitzer, not SC admin From CBXXX at webtv.net Tue Nov 17 22:02:42 2009 From: CBXXX at webtv.net (R P) Date: Tue Nov 17 22:10:08 2009 Subject: [Scspamcop] Does SC ever do any good Message-ID: <15292-4B0363D2-929@storefull-3172.bay.webtv.net> I have been harassed by a Gmail user and have reported it to SC everytime they email and SC supposedly sent it to Google but nothing is done?? From nobody at spamcop.net Tue Nov 17 23:19:10 2009 From: nobody at spamcop.net (Dar Sword) Date: Tue Nov 17 23:20:08 2009 Subject: [Scspamcop] Re: No source IP address found References: Message-ID: > Dar Sword wrote: >> No source IP address found, cannot proceed. >> >> > http://www.spamcop.net/sc?id=z3505146720z4e84ef2f89803e31d87ee5c089beb1b >> >> When I read the headers, I see: invoked from network? Anyone? > The problem is that the (possibly) 'securehosting' server which received > the message failed to stamp its traceline compliantly. > > Received: from smtp01.ozhosting.com (HELO EXHUB01.secure.hosting) > (116.213.2.35) by with (AES128-SHA encrypted) SMTP; 16 Nov 2009 > 02:26:06 -0800 > > In between 'by' and 'with' above belongs an essential element, the > hostname of the server which received it -- that would be *your* > mailserver which has the mailbox where you got the message. As an > example, EL's server's by field is mx-bracke.atl.sa.earthlink.net > > That is, the message was received from 116.213.2.35 rDNS > smtp01.ozhosting.com which is stamped with a bad or bogus helo > EXHUB01.secure.hosting - that helo could be 'bogus' created by the > sender, or, since the receiving server is misconfigured in the 'by' > field, it may be misconfigured 'all over the place'. > > This server's received mail cannot be parsed by spamcop in its current > condition. What is its name? I suspect it also stamped the messageid, > or else the sender stamped everything that way, mid, helo, etc. > > Message-ID: <814D__9141@EXVS01.secure.hosting> > > -- > Mike Easter > kibitzer, not SC admin > I rarely, but sometimes, receive this error message from spamcop, but if it helps to clarify, this is another spam message: http://www.spamcop.net/sc?id=z3506289201zf4e9e778413c54f708dc860ec65b5315z ~ Dar From V at nguard.LH Wed Nov 18 02:31:31 2009 From: V at nguard.LH (VanguardLH) Date: Wed Nov 18 02:35:09 2009 Subject: [Scspamcop] Re: No source IP address found References: Message-ID: Dar Sword wrote: NOTE: Restored the attribution lines for quoted content. Mike Easter wrote: > >> Dar Sword wrote: >> >>> No source IP address found, cannot proceed. >>> http://www.spamcop.net/sc?id=z3505146720z4e84ef2f89803e31d87ee5c089beb1b >> >> Received: from smtp01.ozhosting.com (HELO EXHUB01.secure.hosting) >> (116.213.2.35) by with (AES128-SHA encrypted) SMTP; 16 Nov 2009 >> 02:26:06 -0800 >> >> In between 'by' and 'with' above belongs an essential element, the >> hostname of the server which received it -- that would be *your* >> mailserver which has the mailbox where you got the message. > > I rarely, but sometimes, receive this error message from spamcop, but > if it helps to clarify, this is another spam message: > > http://www.spamcop.net/sc?id=z3506289201zf4e9e778413c54f708dc860ec65b5315z But your 2nd example did not produce the "No source IP address found, cannot proceed" error from SpamCop's parser. So it's back to your 1st example where the "by" host is blank in the Received header. The chain was broken by your mail service in tracing back through the Received headers. From DLipman~nospam~ at Verizon.Net Wed Nov 18 06:43:06 2009 From: DLipman~nospam~ at Verizon.Net (David H. Lipman) Date: Wed Nov 18 06:45:07 2009 Subject: [Scspamcop] Re: Does SC ever do any good References: <15292-4B0363D2-929@storefull-3172.bay.webtv.net> Message-ID: From: "R P" | I have been harassed by a Gmail user and have reported it to SC | everytime they email and SC supposedly sent it to Google but nothing is | done?? Why didn't YOU report it to Google Abuse ? -- Dave http://www.claymania.com/removal-trojan-adware.html Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp From V at nguard.LH Wed Nov 18 10:24:54 2009 From: V at nguard.LH (VanguardLH) Date: Wed Nov 18 10:25:08 2009 Subject: [Scspamcop] Re: Does SC ever do any good References: <15292-4B0363D2-929@storefull-3172.bay.webtv.net> Message-ID: R P wrote: > I have been harassed by a Gmail user and have reported it to SC > everytime they email and SC supposedly sent it to Google but nothing is > done?? Then obviously you abused SpamCop. You didn't report spam. You reported unwanted e-mail. Those are NOT the same. So you are not just a poor reporter but a malicious one by reporting as spam something that is not spam. Just how is SpamCop going to do anything regarding termination of accounts at someone else's service? SpamCop isn't Google. SpamCop reports spam, not on someone harassing you. Call your local police regarding harassment. Check with a lawyer on charges you can bring against the offender. Contact Google yourself to report the harrassment. SpamCop isn't responsible for your personal life. SpamCop can report *spam* abuse on your behalf. However, that doesn't mean anyone has to do anything about SpamCop's reports of *spam* abuse. You can ask someone to move out of the way when you have to cut through a long line but that doesn't mean they have to. You can ask. They can refuse or ignore you. The "Cop" in SpamCop doesn't mean they have any legal authority to enforce anyone to do anything. From MikeE at ster.invalid Wed Nov 18 20:19:03 2009 From: MikeE at ster.invalid (Mike Easter) Date: Wed Nov 18 20:20:09 2009 Subject: [Scspamcop] Re: No source IP address found References: Message-ID: Dar Sword wrote: > >> Received: from smtp01.ozhosting.com (HELO EXHUB01.secure.hosting) >> (116.213.2.35) by with (AES128-SHA encrypted) SMTP; 16 Nov 2009 >> 02:26:06 -0800 >> >> In between 'by' and 'with' above belongs an essential element, the >> hostname of the server which received it -- that would be *your* >> mailserver which has the mailbox where you got the message. > if it helps to clarify, this is another spam message: www.spamcop.net/sc?id=z3506289201zf4e9e778413c54f708dc860ec65b5315z No that doesn't help clarify anything because those header traceline by your server do not appear to be anything like the traceline of the mailserver in the first tracker you posted. How come you didn't answer the question? Pasted below again. > >> This server's received mail cannot be parsed by spamcop in its current >> condition. What is its name? -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Wed Nov 18 22:17:06 2009 From: nobody at devnull.spamcop.net (Patto) Date: Wed Nov 18 22:20:08 2009 Subject: [Scspamcop] Re: Does SC ever do any good In-Reply-To: <15292-4B0363D2-929@storefull-3172.bay.webtv.net> References: <15292-4B0363D2-929@storefull-3172.bay.webtv.net> Message-ID: R P wrote: > I have been harassed by a Gmail user and have reported it to SC > everytime they email and SC supposedly sent it to Google but nothing is > done?? SpamCop desn't send anything to Google. The best way is reporting it yourself, either by the known abuse address, or via the web interface http://mail.google.com/support/bin/request.py?contact_type=abuse_spoofing From nobody at spamcop.net Thu Nov 19 10:08:19 2009 From: nobody at spamcop.net (Bar0) Date: Thu Nov 19 10:10:08 2009 Subject: [Scspamcop] Re: Does SC ever do any good References: <15292-4B0363D2-929@storefull-3172.bay.webtv.net> Message-ID: "Patto" wrote in message news:he2dbi$jua$1@news.spamcop.net... >R P wrote: >> I have been harassed by a Gmail user and have reported it to SC >> everytime they email and SC supposedly sent it to Google but nothing is >> done?? > > SpamCop desn't send anything to Google. The best way is reporting it > yourself, either by the known abuse address, or via the web interface > http://mail.google.com/support/bin/request.py?contact_type=abuse_spoofing Not entirely true. spam sent FROM Google servers is reported to google. Google related links in spam are generally NOT reported to Google. However spam sent by gmail users is normally reported to the users ISP. I think spam launched via Googles Webmail interface does not report to the users IP, but to Google. From user at domain.invalid Thu Nov 19 10:21:55 2009 From: user at domain.invalid (Farelf) Date: Thu Nov 19 10:25:08 2009 Subject: [Scspamcop] Re: Do you need steerability? In-Reply-To: References: Message-ID: Charles wrote: > These people are driving me nuts. I don't need steerability. I don't! > Arg! Make them go away! No icebergs yet then? From nobody at spamcop.net Thu Nov 19 14:20:25 2009 From: nobody at spamcop.net (Dar Sword) Date: Thu Nov 19 14:25:09 2009 Subject: [Scspamcop] Re: No source IP address found References: Message-ID: > How come you didn't answer the question? Pasted below again. > >> >>> This server's received mail cannot be parsed by spamcop in its > current >>> condition. What is its name? > > > -- > Mike Easter > kibitzer, not SC admin I'm sorry, I missed the question. I believe the answer you're looking for is server1.designbydar.net / 64.34.168.198 ~ Dar From MikeE at ster.invalid Thu Nov 19 15:13:39 2009 From: MikeE at ster.invalid (Mike Easter) Date: Thu Nov 19 15:15:09 2009 Subject: [Scspamcop] Re: No source IP address found References: Message-ID: Dar Sword wrote: >>> >>>> This server's received mail cannot be parsed by spamcop in its >>>> current condition. What is its name? > I'm sorry, I missed the question. I believe the answer you're looking > for is server1.designbydar.net / 64.34.168.198 I don't understand yet. This mail: www.spamcop.net/sc?id=z3506289201zf4e9e778413c54f708dc860ec65b5315z From: "Networking Services" Subject: **ATTACHMENT**Update Your Profile ...appears to have been received by designbydar.net. However and But, this mail: www.spamcop.net/sc?id=z3505146720z4e84ef2f89803e31d87ee5c089beb1bfz From: Queens Postcode Lottery Subject: Winner Notice ... does not have the same appearance in the important traceline as the previous. My question is and was, where was the mail for the _Winner Notice_, not the _Update Your Profile_ received? Do you personally admin designbydar? Did you very recently change its configuration significantly between the two trackers you posted? Or did you post trackers from mail received by two different servers here, the first one in the first message you posted in this thread and the other server's mail's tracker in the second message you posted here? Do you understand my question yet? -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Fri Nov 20 01:35:19 2009 From: nobody at spamcop.net (Dar Sword) Date: Fri Nov 20 01:40:07 2009 Subject: [Scspamcop] Re: No source IP address found References: Message-ID: > Dar Sword wrote: > >>>> >>>>> This server's received mail cannot be parsed by spamcop in its >>>>> current condition. What is its name? > >> I'm sorry, I missed the question. I believe the answer you're looking >> for is server1.designbydar.net / 64.34.168.198 > > I don't understand yet. > > This mail: > > www.spamcop.net/sc?id=z3506289201zf4e9e778413c54f708dc860ec65b5315z > From: "Networking Services" > Subject: **ATTACHMENT**Update Your Profile > > ...appears to have been received by designbydar.net. > > > However and But, this mail: > > www.spamcop.net/sc?id=z3505146720z4e84ef2f89803e31d87ee5c089beb1bfz > From: Queens Postcode Lottery > Subject: Winner Notice > > ... does not have the same appearance in the important traceline as the > previous. My question is and was, where was the mail for the _Winner > Notice_, not the _Update Your Profile_ received? > > Do you personally admin designbydar? Did you very recently change its > configuration significantly between the two trackers you posted? Or did > you post trackers from mail received by two different servers here, the > first one in the first message you posted in this thread and the other > server's mail's tracker in the second message you posted here? > > Do you understand my question yet? > > > -- > Mike Easter > kibitzer, not SC admin I do understand, I promise, and yes they were both received by the same server. That's why I submitted both for viewing. They were not both sent to the same email address, but both were sent to an email address on the same, shared server. Again, the "invoked from network" part on the first one was, I thought, significant, but I guess not. ~ Dar From bakesph at comcast.net Sat Nov 21 00:28:38 2009 From: bakesph at comcast.net (Steve Baker) Date: Sat Nov 21 00:30:08 2009 Subject: [Scspamcop] Re: No source IP address found References: Message-ID: On Thu, 19 Nov 2009 22:35:19 -0800, "Dar Sword" wrote: >I do understand, I promise, and yes they were both received by the same >server. Hmm. The headers indicate that one receiving server was using Qmail and that the other was using MailEnable. I wouldn't think that was possible unless the server had more than one IP address. >That's why I submitted both for viewing. They were not both sent >to the same email address, but both were sent to an email address on the >same, shared server. Were they sent to the same email domain? What was the email domain(s) those emails were sent to? >Again, the "invoked from network" part on the first one was, I thought, >significant, but I guess not. I don't think it's significant, but I don't really know what Qmail is saying with that. Qmail is quirky server software. -- Steve Baker From MikeE at ster.invalid Sat Nov 21 10:20:50 2009 From: MikeE at ster.invalid (Mike Easter) Date: Sat Nov 21 10:25:08 2009 Subject: [Scspamcop] Re: No source IP address found References: Message-ID: Dar Sword wrote: X-Newsreader: Microsoft Outlook Express 6.00.2900.5843 > I'm sorry, I missed the question. That's because the way you use your newsreader to reply interferes with your ability to comprehend what was said before and to reply responsively to what was said. Here's what you apparently do when you reply. Sometime while you are reading the message, a thought comes into your head that you feel you must express immediately. So, you hit the Reply button and scoot your cursor down to the bottom of the reply message and start typing. You do nothing about trimming or contextualizing. That is called (untrimmed uncontextualized) bottom posting, and it is just about as bad as untrimmed uncontextualized top posting in terms of how the communication doesn't work. Here's how you could/should use your newsreader to reply, which has the impairment of not autotrimming the sig. When you hit reply, your cursor is at the top of the message. That is good, because that is very close to where you should start trimming. You will /not/ immediately begin to start typing, so that is a habit which you will have to break. The trimming has a very very important influence on what you have to say/type. You should be trimming away every single line which is in the attributed quotating to which you aren't going to directly reply, which is almost every line. Naturally you should also be trimming away the signature, because there is nothing in there that you re directly replying. Generally speaking, I expect that in many conversations, you will only have to leave one attribution line and one or two quotation lines, and everything else will be removed. That style makes your replies more 'comprehending' because the very words to which you are going to reply are right in front of your eyeballs while you are trimming around them and isolating them. That style also makes your replies more 'responsive' to the very words, because when you are looking at the words and you are typing your reply, your reply becomes 'framed' or 'pointed' directly at the exact words to which you are replying. None of that happens when you toppost or bottompost (untrimmed and uncontextualized). -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Sat Nov 21 16:11:21 2009 From: nobody at spamcop.net (Dar Sword) Date: Sat Nov 21 16:15:08 2009 Subject: [Scspamcop] Re: No source IP address found References: Message-ID: >> I'm sorry, I missed the question. > > That's because the way you use your newsreader to reply interferes with > your ability to comprehend what was said before and to reply > responsively to what was said. I stand sufficiently admonished. ~ Dar From MikeE at ster.invalid Sat Nov 21 17:52:37 2009 From: MikeE at ster.invalid (Mike Easter) Date: Sat Nov 21 17:55:09 2009 Subject: [Scspamcop] Re: No source IP address found References: Message-ID: Dar Sword wrote: > I stand sufficiently admonished. Thanks for trimming. -- Mike Easter kibitzer, not SC admin From borgholio at storymind.com Mon Nov 23 16:38:54 2009 From: borgholio at storymind.com (Borgholio) Date: Mon Nov 23 16:40:08 2009 Subject: [Scspamcop] Joe job of the year Message-ID: While I occasionally get a joe job where someone claims to have child porn and such, then links to a seemingly innocent news website, this one is actually made me chuckle a bit. Well, the part about the troopers anyways. I left the links in because they appear to be legit...at least on the surface. Anybody speak russian? Heil to the great Germany! We represent young facist organization "die volle Wahrheit". We prepared a nice surprise for you, at the moment, our troopers have arrived to the Budapest and deployed a quarters over there. Yesterday we caught a child and cut off his tongue and ears, now you can find the video, that shows how we purge our planet from cursed races at http://dirkino.su. We will do the same every day, record and upload such vids, untill EU won't notice that our streets are BLACK from god damn niggers, indies, judas and else garbage. Welcome to http://dirkino.su, access only for 10$, you can find torture video after registering inside the closed part of the site. If you are willing to help us with financing "die volle Wahrheit", register at http://dircash.ru and earn good profit, helping us to share the vids. Heil Hitler! From pssawyer at comcast.BAD.EXAMPLE.net Wed Nov 25 13:06:10 2009 From: pssawyer at comcast.BAD.EXAMPLE.net (Paul) Date: Wed Nov 25 13:10:08 2009 Subject: [Scspamcop] VISA Phish Message-ID: My VISA provider seems to want people to learn to be phished. They sent me a warning, complete with the "click here to ..." link. Lower down, it said something like "If you think this is possibly a fake, click here." I clicked nothing, and called the number on the card (which was different than the one on the e-mail), and confirmed the e-mail was real (yet for a misdiagnosed problem). Sheesh. -- Paul From g.hyde at bigNOSPAMpond.net.au Thu Nov 26 05:07:50 2009 From: g.hyde at bigNOSPAMpond.net.au (Geoffrey Hyde) Date: Thu Nov 26 05:10:08 2009 Subject: [Scspamcop] Re: VISA Phish References: Message-ID: "Paul" wrote in message news:Xns9CCE854A03A7ESenex@216.154.195.61... > My VISA provider seems to want people to learn to be phished. They > sent me a warning, complete with the "click here to ..." link. > Lower down, it said something like "If you think this is possibly a > fake, click here." > > I clicked nothing, and called the number on the card (which was > different than the one on the e-mail), and confirmed the e-mail was > real (yet for a misdiagnosed problem). Let me see if I have this straight: You're saying a credit card provider you're already with SENT you a phishing email? If that is true, what does that make them as far as SpamCop admins are concerned? You did not provide a link to the email you presumably parsed through SpamCop first. You did parse it through SpamCop first, right? If you had done this you might have noticed that SpamCop should chain back to whomever is the actual hosting company for the credit card's email provider. I've checked some genuine emails (different subject matter), and whenever it does actually chain back to what could be the hosting provider, I cancel the tracker resulting from the parse. Cheers ... Geoffrey Hyde From DeathToSpam at crazyhat.net Thu Nov 26 15:15:25 2009 From: DeathToSpam at crazyhat.net (DevilsPGD) Date: Thu Nov 26 15:20:08 2009 Subject: [Scspamcop] Re: VISA Phish References: Message-ID: In message "Geoffrey Hyde" was claimed to have wrote: > >"Paul" wrote in message >news:Xns9CCE854A03A7ESenex@216.154.195.61... >> My VISA provider seems to want people to learn to be phished. They >> sent me a warning, complete with the "click here to ..." link. >> Lower down, it said something like "If you think this is possibly a >> fake, click here." >> >> I clicked nothing, and called the number on the card (which was >> different than the one on the e-mail), and confirmed the e-mail was >> real (yet for a misdiagnosed problem). > >Let me see if I have this straight: You're saying a credit card provider >you're already with SENT you a phishing email? No. He's saying his credit card provider sent a legitimate email with various hallmarks of phishers, training users by encouraging bad behaviour. Amex is similar, you get emails that sometimes pass DKIM/SPF, sometimes not. You get instructed to click links and provide your username/password for more information, and to make it better, the links look like this: www.americanexpress.com (and yes, the emails are legit transactional emails that I both requested and want) From pssawyer at comcast.BAD.EXAMPLE.net Thu Nov 26 17:02:57 2009 From: pssawyer at comcast.BAD.EXAMPLE.net (Paul) Date: Thu Nov 26 17:05:08 2009 Subject: [Scspamcop] Re: VISA Phish References: Message-ID: DevilsPGD wrote in news:tuntg5t7vk72ehe9amjonh9l8p9av78vfg@4ax.com: > In message "Geoffrey Hyde" > was claimed to have wrote: > >> >>"Paul" wrote in message >>news:Xns9CCE854A03A7ESenex@216.154.195.61... >>> My VISA provider seems to want people to learn to be phished. >>> They sent me a warning, complete with the "click here to ..." >>> link. Lower down, it said something like "If you think this is >>> possibly a fake, click here." >>> >>> I clicked nothing, and called the number on the card (which was >>> different than the one on the e-mail), and confirmed the e-mail >>> was real (yet for a misdiagnosed problem). >> >>Let me see if I have this straight: You're saying a credit card >>provider you're already with SENT you a phishing email? > > No. He's saying his credit card provider sent a legitimate email > with various hallmarks of phishers, training users by encouraging > bad behaviour. Exactly. > Amex is similar, you get emails that sometimes pass DKIM/SPF, > sometimes not. You get instructed to click links and provide your > username/password for more information, and to make it better, the > links look like this: > > www.americanexpress.com > > (and yes, the emails are legit transactional emails that I both > requested and want) I get similar mails from such as alumni associations, and I have given up trying to educate them. It frosts me to know that companies with supposedly good reputations are paying someone to design this crap! -- Paul From DeathToSpam at crazyhat.net Sat Nov 28 04:27:09 2009 From: DeathToSpam at crazyhat.net (DevilsPGD) Date: Sat Nov 28 04:30:07 2009 Subject: [Scspamcop] Re: VISA Phish References: Message-ID: In message Paul was claimed to have wrote: >DevilsPGD wrote in >news:tuntg5t7vk72ehe9amjonh9l8p9av78vfg@4ax.com: > >> Amex is similar, you get emails that sometimes pass DKIM/SPF, >> sometimes not. You get instructed to click links and provide your >> username/password for more information, and to make it better, the >> links look like this: >> >> www.americanexpress.com >> >> (and yes, the emails are legit transactional emails that I both >> requested and want) > >I get similar mails from such as alumni associations, and I have given >up trying to educate them. It frosts me to know that companies with >supposedly good reputations are paying someone to design this crap! Forget reputations, companies that should have a vested interest in making social attacks more difficult seem to go out of their way to mimic phishing behaviour. Citibank is another one, their fraud call center that is responsible for verifying suspicious transactions shares an outbound number with their outbound telemarketing, so I've already got them routed directly to voicemail (after an extra long time listening to my line ringing) Citibank leaves a voicemail asking me to call back to a tollfree number that isn't the one on the back of the card, when I do, they refuse to talk to me unless I provide my card number and various other personal information. I call the number on the card and they have no record of the call from fraud, and can't transfer me to anyone that does, nor can they even confirm the number, their suggestion is to "call the number left on my voicemail" And yes, I do hope some phisher is reading this and starts calling people and using this loophole. While I feel bad for those that get burned, only their time will be wasted since Citibank will (eventually) cover their loss, the resulting class action lawsuit might be all it takes to finally drive Citibank under. (For the record, the transaction was legit, and so was the verification call, they tried again the following day and I spoke to someone who needed no information from me, and was able to confirm account details.)