From wb8tyw at qsl.network Thu Oct 1 09:17:19 2009
From: wb8tyw at qsl.network (John Malmberg)
Date: Thu Oct 1 09:20:08 2009
Subject: [Scspamcop] Re: Another Phishing Attempt
In-Reply-To:
References:
Message-ID:

Current versions of Thunderbird have a feature where links in spam can be reported to Google, and apparently Google and other services can use those links to mark it unsafe.

What I do not know is if Google is smart enough to blacklist the resulting IP address or is only blacklisting the complete URL, which seems to typically have a lifespan of 72 hours.

I also do not know if there is some way for spamcop.net to feed the links that it finds to them to make it easier for us.

-John
wb8tyw@qsl.network
Personal Opinion Only

From nobody at devnull.spamcop.net Sat Oct 3 03:08:38 2009
From: nobody at devnull.spamcop.net (Wazoo)
Date: Sat Oct 3 03:10:08 2009
Subject: [Scspamcop] news server status
Message-ID:

I believe it's back up now. Test post to verify.

From nobody at devnull.spamcop.net Sat Oct 3 03:24:52 2009
From: nobody at devnull.spamcop.net (Wazoo)
Date: Sat Oct 3 03:25:11 2009
Subject: [Scspamcop] Re: news server status
References:
Message-ID:

"Wazoo" wrote in message news:ha6t9f$bq$1@news.spamcop.net...
>I believe it's back up now. Test post to verify.

Up and running fine now. Didn't take but a few seconds for the hacking crap to start again. Unreal.

From g.hyde at bigNOSPAMpond.net.au Sun Oct 4 07:34:35 2009
From: g.hyde at bigNOSPAMpond.net.au (Geoffrey Hyde)
Date: Sun Oct 4 07:35:08 2009
Subject: [Scspamcop] Re: news server status
References:
Message-ID:

"Wazoo" wrote in message news:ha6u7t$bj$1@news.spamcop.net...
> "Wazoo" wrote in message
> news:ha6t9f$bq$1@news.spamcop.net...
>>I believe it's back up now. Test post to verify.
>
> Up and running fine now. Didn't take but a few seconds for the hacking
> crap to start again. Unreal.

What are you able to get permission from the SpamCop admins to do about the hacking attempts?
If I was a server admin, first thing I'd do is find out who's upstream of the news server and block incoming hacking attempts there. YMMV.

Cheers ... Geoffrey Hyde

From nobody at devnull.spamcop.net Sun Oct 4 14:16:19 2009
From: nobody at devnull.spamcop.net (Wazoo)
Date: Sun Oct 4 14:20:08 2009
Subject: [Scspamcop] Re: news server status
References:
Message-ID:

"Geoffrey Hyde" wrote in message news:haa197$4tj$1@news.spamcop.net...
>
>> "Wazoo" wrote in message
>> news:ha6t9f$bq$1@news.spamcop.net...
>>
>> Up and running fine now. Didn't take but a few seconds for the
>> hacking crap to start again. Unreal.
>
> What are you able to get permission from the SpamCop admins to do
> about the hacking attempts?

Technically, it's the Forum server that I have been given the power to 'control' and maintain. I was given access to the news server way back when for the sole purpose of moving (actually copying) the Archive files over to the restarted MailList/Archiving tools I installed on the Forum server. Technically, I "got permission" (and that access) after the fact. Had I known it would have worked out, I wouldn't have waited so long to make that call.

In this case, I logged in, checked the log files, solved the issues found, and re-started the system. (Noting that the last time it got hosed, it wouldn't even respond to a shutdown/reboot command as the file system was so screwed .. so it needed an actual hands-on visit.)

Jist so there's no confusion, the server was not hacked .. it was that a log file simply got too huge, such that it could no longer be written to, and therefore posting to the (news)server was refused to everybody.

> If I was a server admin, first thing I'd do is find out who's
> upstream of the news server and block incoming hacking attempts
> there.

Running any kind of server involves being a target. Yes, some folks can limit many avenues of access by trying to match their interests to their target audience, i.e., locales, companies, etc.
Support for the SpamCop.net tools and data however needs to remain open as much as possible, as one never knows where the next problem/query might come from.

From nobody at devnull.spamcop.net Sun Oct 4 21:53:22 2009
From: nobody at devnull.spamcop.net (Patto)
Date: Sun Oct 4 21:55:07 2009
Subject: [Scspamcop] Spammers should learn proper HTML
Message-ID:

http://www.spamcop.net/sc?id=z3385590399z4819b66caaa6e568af57b6ee68517d7cz
http://www.spamcop.net/sc?id=z3385590402z07dd6d5d31d5baacfe6239771dc0e7f6z
http://www.spamcop.net/sc?id=z3385590406z395c5a8399ba73b403ae3dbf8121426dz
http://www.spamcop.net/sc?id=z3385590411z970b66aa8f595add09f5e492bc348472z
and many, many others over the last few weeks...

Cannot resolve http://www.stoodknew.com

I think that spammers should use proper HTML code, so that Spamcop can correctly identify and report their spamvertized hyperlinks!

Well, that is probably the most stupid comment ever posted on this newsgroup...

How about if the SC parser would learn that HTML tags are not part of an URL, even if it is not surrounded by proper tags?

From g.hyde at bigNOSPAMpond.net.au Mon Oct 5 22:28:18 2009
From: g.hyde at bigNOSPAMpond.net.au (Geoffrey Hyde)
Date: Mon Oct 5 22:30:08 2009
Subject: [Scspamcop] Re: Spammers should learn proper HTML
References:
Message-ID:

"Patto" wrote in message news:habjij$mio$1@news.spamcop.net...
> http://www.spamcop.net/sc?id=z3385590399z4819b66caaa6e568af57b6ee68517d7cz
> http://www.spamcop.net/sc?id=z3385590402z07dd6d5d31d5baacfe6239771dc0e7f6z
> http://www.spamcop.net/sc?id=z3385590406z395c5a8399ba73b403ae3dbf8121426dz
> http://www.spamcop.net/sc?id=z3385590411z970b66aa8f595add09f5e492bc348472z
> and many, many others over the last few weeks...
>
>
> Cannot resolve http://www.stoodknew.com
...
> Cannot resolve http://www.twentyfirm.com
...
>
>
> I think that spammers should use proper HTML code, so that Spamcop can
> correctly identify and report their spamvertized hyperlinks!
>
> Well, that is probably the most stupid comment ever posted on this
> newsgroup...
>
> How about if the SC parser would learn that HTML tags are not part of an
> URL, even if it is not surrounded by proper tags?

How about if the spammers even cared about what they break? The spammers will try any and every trick to keep their links from being reported, and SpamCop doesn't want to waste time trying to parse its way through link munging like this. I could write a 500-page thesis on the subject but I don't have time for that. :P

Maybe you should worry more about reporting the broken links manually, you seem to have plenty of time on your hands for that!

Cheers ... Geoffrey Hyde

From usenet-imp at exp09.spam.woody.ch Tue Oct 6 07:04:15 2009
From: usenet-imp at exp09.spam.woody.ch (Benoit Panizzon)
Date: Tue Oct 6 07:05:08 2009
Subject: [Scspamcop] Bonded Sender reporting deadlock?
Message-ID:

Hello

There seems to be a deadlock preventing getting to further reports if an ip is in one of the bonded senders list...

http://www.spamcop.net/sc?id=z3389540662z080e0c7f792f11369e1b81f1d35a0983z

193.164.158.74 not listed in dnsbl.njabl.org ( 127.0.0.8 )
193.164.158.74 not listed in dnsbl.njabl.org ( 127.0.0.9 )
193.164.158.74 not listed in cbl.abuseat.org
193.164.158.74 not listed in dnsbl.sorbs.net
193.164.158.74 listed in accredit.habeas.com ( 127.0.0.30 )
Habeas confirmed opt-in only
193.164.158.74 listed in plus.bondedsender.org ( 127.0.0.10 )
BondedSender+ confirmed opt-in only
193.164.158.74 not listed in iadb.isipp.com

Well, I'm absolutely sure the email was sent to a non opted-in email address (our support address).
Report Spam to:

Re: 193.164.158.74 (Third party interested in email source)
To: Internal spamcop handling: (bondedsender)

=> Send Spam Report Now <=

Reports disabled for bondedsender@admin.spamcop.net
Reports disabled for bondedsender@admin.spamcop.net

Then clicking on:
Unreported Spam Saved: Report Now

Gets me back to the same report again and again which does not go away because those reports seem to be disabled.

Any hint?
-Benoit-

From nobody at spamcop.net Mon Oct 12 01:16:36 2009
From: nobody at spamcop.net (Richard W)
Date: Mon Oct 12 01:20:08 2009
Subject: [Scspamcop] Re: Bonded Sender reporting deadlock?
In-Reply-To:
References:
Message-ID:

Bonded Sender is a former sister company to SpamCop, both owned by Ironport. Bonded Sender was sold to Returnpath and now operates under the name SenderScore. Returnpath asked us to stop sending these reports two years ago.

All routes for bondedsender@admin.spamcop.net have now been removed, so this problem shouldn't come up anymore.

Richard

Benoit Panizzon wrote:
> Hello
>
> There seems to be a deadlock preventing getting to further reports if an ip
> is in one of the bonded senders list...
>
> http://www.spamcop.net/sc?id=z3389540662z080e0c7f792f11369e1b81f1d35a0983z
>
> 193.164.158.74 not listed in dnsbl.njabl.org ( 127.0.0.8 )
> 193.164.158.74 not listed in dnsbl.njabl.org ( 127.0.0.9 )
> 193.164.158.74 not listed in cbl.abuseat.org
> 193.164.158.74 not listed in dnsbl.sorbs.net
> 193.164.158.74 listed in accredit.habeas.com ( 127.0.0.30 )
> Habeas confirmed opt-in only
> 193.164.158.74 listed in plus.bondedsender.org ( 127.0.0.10 )
> BondedSender+ confirmed opt-in only
> 193.164.158.74 not listed in iadb.isipp.com
>
> Well, I'm absolutely sure the email was sent to a non opted-in email address
> (our support address).
>
> Report Spam to:
>
> Re: 193.164.158.74 (Third party interested in email source)
> To: Internal spamcop handling: (bondedsender)
>
> => Send Spam Report Now <=
>
> Reports disabled for bondedsender@admin.spamcop.net
> Reports disabled for bondedsender@admin.spamcop.net
>
> Then clicking on:
> Unreported Spam Saved: Report Now
>
> Gets me back to the same report again and again which does not go away
> because those reports seem to be disabled.
>
> Any hint?
> -Benoit-

From nobody at spamcop.net Mon Oct 12 01:22:07 2009
From: nobody at spamcop.net (Richard W)
Date: Mon Oct 12 01:25:08 2009
Subject: [Scspamcop] Re: Leaving SpamCop
In-Reply-To:
References:
Message-ID:

Ellen wrote:
> Mike Easter wrote:
>
>>
>> Does this mean that one of the other deputies will take your place
>> deputy-interacting in the newsgroups or does that mean something else?
>
> well Richard and Don interact here as necessary or as time permits ...
> and IIRC both Don and Kelly have posted to the forum

I know Don gets through here a little more often than I do, though I do try to at least glance at posts every few days. We haven't had an increase in hours and we've absorbed most of Ellen's work, so time will only tell how often you hear from us.

As for the forums, I hate forums. I don't even remember my login details... my last login was like three computers ago.

Richard

>>
>> I have a number of other unanswered questions, such as what's next? and
>> some others, but....
>
> dunno what's next ...
>
>
>>
>> Good luck, have fun, and you will be missed.
>>
>>
>
> thanks!
>
>
> Ellen
>

From nobody at spamcop.net Mon Oct 12 10:47:29 2009
From: nobody at spamcop.net (Steven Underwood)
Date: Mon Oct 12 10:50:08 2009
Subject: [Scspamcop] Re: Leaving SpamCop
In-Reply-To:
References:
Message-ID:

"Richard W" wrote in message news:hauedp$k24$1@news.spamcop.net...
>> Mike Easter wrote:
>>
>>>
>>> Does this mean that one of the other deputies will take your place
>>> deputy-interacting in the newsgroups or does that mean something else?
>>
>> well Richard and Don interact here as necessary or as time permits ...
>> and IIRC both Don and Kelly have posted to the forum
>
> I know Don gets through here a little more often than I do, though I do
> try to at least glance at posts every few days. We haven't had an
> increase in hours and we've absorbed most of Ellen's work, so time will
> only tell how often you hear from us.
>
> As for the forums, I hate forums. I don't even remember my login
> details... my last login was like three computers ago.
>
> Richard

Don has been seen in the forums quite a bit and Ellen rarely went there anymore so no real change there.

Steve

From bcs1 at spamcop.net Thu Oct 15 07:49:47 2009
From: bcs1 at spamcop.net (Bill)
Date: Thu Oct 15 07:50:08 2009
Subject: [Scspamcop] fake link spam trying to send reports to my provider
Message-ID:

morning,
in
http://www.spamcop.net/sc?id=z3413070978z8ed2be1d9e23534e1af674f48faf4001z
the parser is trying to send reports to my colo host.
the thing is that the link in the email is obfuscated so that what is really:
http://bcs-bcs.com.nerrasssp.eu/owa/service_directory/settings.php?email=x&from=bcs-bcs.com&fromname=bill
looks in the email as though it's:
http://bcs-bcs.com/owa/service_directory/settings.php?email=bill@bcs-bcs.com&from=bcs-bcs.com&fromname=bill

why is the parser trying to send a notice to my provider on this?

Thanks
Bill

From V at nguard.LH Thu Oct 15 08:40:24 2009
From: V at nguard.LH (VanguardLH)
Date: Thu Oct 15 08:45:08 2009
Subject: [Scspamcop] Re: fake link spam trying to send reports to my provider
References:
Message-ID:

Bill wrote:
> morning,
> in
> http://www.spamcop.net/sc?id=z3413070978z8ed2be1d9e23534e1af674f48faf4001z
> the parser is trying to send reports to my colo host.
> the thing is that the link in the email is obfuscated so that what is
> really:
> http://bcs-bcs.com.nerrasssp.eu/owa/service_directory/settings.php?email=x&from=bcs-bcs.com&fromname=bill
> looks in the email as though it's:
> http://bcs-bcs.com/owa/service_directory/settings.php?email=bill@bcs-bcs.com&from=bcs-bcs.com&fromname=bill
>
> why is the parser trying to send a notice to my provider on this?
>
> Thanks
> Bill

The only "obfuscation" (which this is not) is that the text showing the URL isn't the same as the href for the tag in the HTML. Taking out the font tags and the encoding for the quoted-printable format, and removing all the parameters (shown as "..." but which aren't relevant to the location for the target host), the hyperlink is:

http://bcs-bcs.com/...

So which is your colocation host? nerrasssp.eu (that actual URL) or bcs-bcs.com (which is just the comment)? Notice in the parsing info from SpamCop that it says:

Finding links in message body
Recurse multipart:
   Parsing text part
   Parsing HTML part

It is analyzing BOTH the href value in the tag (the actual URL) and the comment string (what you see but what isn't the actual URL but is what the user sees in the rendered HTML). The parser tries to do a lookup on nerrasssp.eu but can't find it. That domain doesn't exist. It does find a lookup on the bcs-bcs.com but that was from the displayed text, not the actual URL.

While I can see your point that the actual URL is inside the tag and points to the intended target for the link, also remember that spammers and phishpers send their crap to users that use e-mail client that do not handle HTML or have been configured to "read as plain text". That means those users will not see HTML so what's inside the tags is not what they will have for the available link.

You and I can read the message to see that it is a phishing attempt. That's why the href and comment don't match since they want to mislead the user.
SpamCop's parser won't have that level of intelligence to know it is a phishing e-mail. It knows that some readers will render the HTML and the link will go to the href value. It knows some readers don't render HTML and will see the comment value (since, in plain text, that is the only URL string available).

Look at the full source of the e-mail again. Notice there are text/plain and text/html MIME parts in that e-mail. The text/plain portion has the bcs-bcs.com URL in it. That will be the link that non-HTML users will see. How is the parser supposed to know that a URL string in the text isn't the one the phisher wants the user to use? How does the parser know it is a phishing e-mail? Hence the point of showing you the detailed parsing report so YOU use your brain to decide if what the parser found is what should be used.

From bcs1 at spamcop.net Thu Oct 15 09:34:02 2009
From: bcs1 at spamcop.net (Bill)
Date: Thu Oct 15 09:35:08 2009
Subject: [Scspamcop] Re: fake link spam trying to send reports to my provider
References:
Message-ID:

"VanguardLH" wrote in message news:hb7579$693$1@news.spamcop.net...
> Bill wrote:
>
>> morning,
>> in
>> http://www.spamcop.net/sc?id=z3413070978z8ed2be1d9e23534e1af674f48faf4001z
>> the parser is trying to send reports to my colo host.
>> the thing is that the link in the email is obfuscated so that what is
>> really:
>> http://bcs-bcs.com.nerrasssp.eu/owa/service_directory/settings.php?email=x&from=bcs-bcs.com&fromname=bill
>> looks in the email as though it's:
>> http://bcs-bcs.com/owa/service_directory/settings.php?email=bill@bcs-bcs.com&from=bcs-bcs.com&fromname=bill
>>
>> why is the parser trying to send a notice to my provider on this?
>>
>> Thanks
>> Bill
>
> The only "obfuscation" (which this is not) is that the text showing the
> URL isn't the same as the href for the tag in the HTML. Taking out
> the font tags and the encoding for the quoted-printable format, and
> removing all the parameters (shown as "..." but which aren't relevant to
> the location for the target host), the hyperlink is:
>
>
> http://bcs-bcs.com/...
>
>
> So which is your colocation host? nerrasssp.eu (that actual URL) or
> bcs-bcs.com (which is just the comment)? Notice in the parsing info
> from SpamCop that it says:
>
> Finding links in message body
> Recurse multipart:
>    Parsing text part
>    Parsing HTML part
>
> It is analyzing BOTH the href value in the tag (the actual URL) and
> the comment string (what you see but what isn't the actual URL but is
> what the user sees in the rendered HTML). The parser tries to do a
> lookup on nerrasssp.eu but can't find it. That domain doesn't exist.
> It does find a lookup on the bcs-bcs.com but that was from the displayed
> text, not the actual URL.
>
> While I can see your point that the actual URL is inside the tag and
> points to the intended target for the link, also remember that spammers
> and phishpers send their crap to users that use e-mail client that do
> not handle HTML or have been configured to "read as plain text". That
> means those users will not see HTML so what's inside the tags is not
> what they will have for the available link.
>
> You and I can read the message to see that it is a phishing attempt.
> That's why the href and comment don't match since they want to mislead
> the user. SpamCop's parser won't have that level of intelligence to
> know it is a phishing e-mail. It knows that some readers will render
> the HTML and the link will go to the href value. It knows some readers
> don't render HTML and will see the comment value (since, in plain text,
> that is the only URL string available).
>
> Look at the full source of the e-mail again. Notice there are
> text/plain and text/html MIME parts in that e-mail. The text/plain
> portion has the bcs-bcs.com URL in it. That will be the link that
> non-HTML users will see. How is the parser supposed to know that a URL
> string in the text isn't the one the phisher wants the user to use? How
> does the parser know it is a phishing e-mail? Hence the point of
> showing you the detailed parsing report so YOU use your brain to decide
> if what the parser found is what should be used.

I understand that part of the thing, but i'm curious about it trying to send the spam report since it locates both parts, the href link and the text that's displayed.

maybe i shouldn't have phrased it as obfuscated, but it still remains that in this case bcs-bcs.com is an IB as are the others I've gotten. my colo host is the nobistech address listed in the reporting section, and the bcs-bcs.com address isn't the only one that's receiving these type spams, I have them from one/two of our other domains as well, different system different info, etc etc...

granted that parsing these manually does let you or I see the info, but running them through the QR will send a spam report to nobistech (whom i also work for) and will add to the reports for our domain(s) when it shouldn't...

I deal with probably 500 or more spam emails a day between the various domains and servers that i work for/with, many of them i manually run through just to try to avoid issues like this, but i can't take the time to go through every single one, that's why i use the spamcop paid services to pop my emails directly from my personal server(s)

I guess maybe i need to get ahold of one of the deputies to get the affected domains marked as IB for this run of spam so that i can continue to report these spammers without reporting my/our own systems in the process..

otherwise, I'm forced to let the spammers have their way, and that sort of defeats the whole purpose of having the service at all if all a spammer has to do is hide a link inside an href tag...
From nobody at nowhere.not Thu Oct 15 13:50:53 2009
From: nobody at nowhere.not (Robert Blair)
Date: Thu Oct 15 13:55:09 2009
Subject: [Scspamcop] Re: fake link spam trying to send reports to my provider
References:
Message-ID:

On Thu, 15 Oct 2009 13:34:02 UTC, "Bill" wrote:

> granted that parsing these manually does let you or I see the info, but
> running them through the QR will send a spam report to nobistech (whom i
> also work for) and will add to the reports for our domain(s) when it
> shouldn't...

Quick reporting does not send reports for links in the spam. QR spam reports are only sent to the ISP of the originating IP.

--
Robert Blair

From bcs1 at spamcop.net Thu Oct 15 13:57:52 2009
From: bcs1 at spamcop.net (Bill)
Date: Thu Oct 15 14:00:07 2009
Subject: [Scspamcop] Re: fake link spam trying to send reports to my provider
References:
Message-ID:

"Robert Blair" wrote in message news:TECQXhvKj0FX-pn2-Y1nIeO8XePfK@Saturn.home...
> On Thu, 15 Oct 2009 13:34:02 UTC, "Bill" wrote:
>
>> granted that parsing these manually does let you or I see the info, but
>> running them through the QR will send a spam report to nobistech (whom i
>> also work for) and will add to the reports for our domain(s) when it
>> shouldn't...
>
> Quick reporting does not send reports for links in the spam. QR spam
> reports
> are only sent to the ISP of the originating IP.
>
>
> --
> Robert Blair

Thanks Robert..
as long as I've been here, I did not know that LOL...

Bill

From bakesph at comcast.net Thu Oct 15 16:05:14 2009
From: bakesph at comcast.net (Steve Baker)
Date: Thu Oct 15 16:05:09 2009
Subject: [Scspamcop] Re: fake link spam trying to send reports to my provider
References:
Message-ID:

On Thu, 15 Oct 2009 07:40:24 -0500, VanguardLH wrote:

>Bill wrote:
>
>> morning,
>> in
>> http://www.spamcop.net/sc?id=z3413070978z8ed2be1d9e23534e1af674f48faf4001z
>> the parser is trying to send reports to my colo host.
>> the thing is that the link in the email is obfuscated so that what is
>> really:
>> http://bcs-bcs.com.nerrasssp.eu/owa/service_directory/settings.php?email=x&from=bcs-bcs.com&fromname=bill
>> looks in the email as though it's:
>> http://bcs-bcs.com/owa/service_directory/settings.php?email=bill@bcs-bcs.com&from=bcs-bcs.com&fromname=bill
>>
>> why is the parser trying to send a notice to my provider on this?
>>
>> Thanks
>> Bill
>
>The only "obfuscation" (which this is not) is that the text showing the
>URL isn't the same as the href for the tag in the HTML. Taking out
>the font tags and the encoding for the quoted-printable format, and
>removing all the parameters (shown as "..." but which aren't relevant to
>the location for the target host), the hyperlink is:
>
>
>http://bcs-bcs.com/...
>
>
>So which is your colocation host? nerrasssp.eu (that actual URL) or
>bcs-bcs.com (which is just the comment)? Notice in the parsing info
>from SpamCop that it says:
>
>Finding links in message body
>Recurse multipart:
>   Parsing text part
>   Parsing HTML part
>
>It is analyzing BOTH the href value in the tag (the actual URL) and
>the comment string (what you see but what isn't the actual URL but is
>what the user sees in the rendered HTML).

No, it isn't. It doesn't pay any attention to the http://bcs-bcs.com/... part in the text/html section.

>The parser tries to do a
>lookup on nerrasssp.eu but can't find it. That domain doesn't exist.

Right, and at that point the parser is done with the text/html section.

>It does find a lookup on the bcs-bcs.com but that was from the displayed
>text, not the actual URL.

No, it doesn't. It doesn't do that lookup until it gets to parsing the text/plain section.

>While I can see your point that the actual URL is inside the tag and
>points to the intended target for the link, also remember that spammers
>and phishpers send their crap to users that use e-mail client that do
>not handle HTML or have been configured to "read as plain text". That
>means those users will not see HTML so what's inside the tags is not
>what they will have for the available link.
>
>You and I can read the message to see that it is a phishing attempt.
>That's why the href and comment don't match since they want to mislead
>the user. SpamCop's parser won't have that level of intelligence to
>know it is a phishing e-mail. It knows that some readers will render
>the HTML and the link will go to the href value. It knows some readers
>don't render HTML and will see the comment value (since, in plain text,
>that is the only URL string available).

That's wrong. If a client doesn't render HTML and isn't MIME aware, everything in the email will be displayed as text. If it is MIME aware but doesn't render HTML, only the text/plain section will be displayed. The text section isn't little bits of text from the text/html section, it's the text/plain section of the email as delineated in the MIME parts.

>Look at the full source of the e-mail again. Notice there are
>text/plain and text/html MIME parts in that e-mail. The text/plain
>portion has the bcs-bcs.com URL in it.

Right. That is the heart of the matter, that Spamcop parsed the text/plain section and found the bcs-bcs.com URL. Did you forget what you had just previously written? Everything you wrote previously is BS.

>That will be the link that
>non-HTML users will see. How is the parser supposed to know that a URL
>string in the text isn't the one the phisher wants the user to use? How
>does the parser know it is a phishing e-mail? Hence the point of
>showing you the detailed parsing report so YOU use your brain to decide
>if what the parser found is what should be used.

Heh. That's kinda funny.
;-)

--
Steve Baker

From nobody at devnull.spamcop.net Fri Oct 16 04:08:14 2009
From: nobody at devnull.spamcop.net (Wazoo)
Date: Fri Oct 16 04:10:09 2009
Subject: [Scspamcop] Re: fake link spam trying to send reports to my provider
References:
Message-ID:

"Bill" wrote in message news:hb7nr1$dam$1@news.spamcop.net...
>
> "Robert Blair" wrote in message
> news:TECQXhvKj0FX-pn2-Y1nIeO8XePfK@Saturn.home...
>>
>> Quick reporting does not send reports for links in the spam. QR
>> spam reports
>> are only sent to the ISP of the originating IP.
>
> Thanks Robert..
> as long as I've been here, I did not know that LOL...

QuickReporting Wiki Page
http://forum.spamcop.net/scwik/QuickReporting
explanations, warnings, etc.

From nobody at devnull.spamcop.net Sat Oct 17 15:37:54 2009
From: nobody at devnull.spamcop.net (Twayne)
Date: Sat Oct 17 15:40:07 2009
Subject: [Scspamcop] Re: fake link spam trying to send reports to my provider
References:
Message-ID:

"Bill" wrote in message news:hb728r$585$1@news.spamcop.net
> morning,
> in
> http://www.spamcop.net/sc?id=z3413070978z8ed2be1d9e23534e1af674f48faf4001z
> the parser is trying to send reports to my colo host.
> the thing is that the link in the email is obfuscated so that what is
> really:
> http://bcs-bcs.com.nerrasssp.eu/owa/service_directory/settings.php?email=x&from=bcs-bcs.com&fromname=bill
> looks in the email as though it's:
> http://bcs-bcs.com/owa/service_directory/settings.php?email=bill@bcs-bcs.com&from=bcs-bcs.com&fromname=bill
>
> why is the parser trying to send a notice to my provider on this?
>
> Thanks
> Bill

FWIW, I've had two spams like that in the past week. It not only wanted to notify my provider, it wanted to use one of my websites as a source of advertising. None of the paths it gave ever existed and a check of the site verified I hadn't been hacked, so ... I'm assuming it's a malcontent I kicked off the site for vulgarities; most likely college kids since we're close to a college/university town.
There was an unusually high number of failed form accesses though, but all from different IPs with a couple proxies thrown in.

Cheers,

Twayne`

From nobody at devnull.spamcop.net Sat Oct 17 15:44:19 2009
From: nobody at devnull.spamcop.net (Twayne)
Date: Sat Oct 17 15:45:08 2009
Subject: [Scspamcop] Re: fake link spam trying to send reports to my provider
References:
Message-ID:

"Bill" wrote in message news:hb728r$585$1@news.spamcop.net
> morning,
> in
> http://www.spamcop.net/sc?id=z3413070978z8ed2be1d9e23534e1af674f48faf4001z
> the parser is trying to send reports to my colo host.
> the thing is that the link in the email is obfuscated so that what is
> really:
> http://bcs-bcs.com.nerrasssp.eu/owa/service_directory/settings.php?email=x&from=bcs-bcs.com&fromname=bill
> looks in the email as though it's:
> http://bcs-bcs.com/owa/service_directory/settings.php?email=bill@bcs-bcs.com&from=bcs-bcs.com&fromname=bill
>
> why is the parser trying to send a notice to my provider on this?
>
> Thanks
> Bill

Well, to say because that's how the spammer/phisher designed it to be is a little flip, but true. This is a great example of why SC says to LOOK at the reporting addresses and uncheck any that are not applicable. After all, it's only a "tool" and works with highly forged information and IMO does an excellent job. SC may have some competition but I haven't found anything to meet or beat it yet.

And BTW, I have reported my own ISP in the past as long as I was sure nothing pointed to ME. If in doubt, I unchecked the box.

Regards,

Twayne`

From me at privacy.net Sat Oct 17 19:59:27 2009
From: me at privacy.net (anon)
Date: Sat Oct 17 20:00:08 2009
Subject: [Scspamcop] Re: fake link spam trying to send reports to my provider
References:
Message-ID:

"Bill" wrote in message news:hb728r$585$1@news.spamcop.net...
> morning,
> in
> http://www.spamcop.net/sc?id=z3413070978z8ed2be1d9e23534e1af674f48faf4001z
> the parser is trying to send reports to my colo host.
> the thing is that the link in the email is obfuscated so that what is
> really:
> http://bcs-bcs.com.nerrasssp.eu/owa/service_directory/settings.php?email=x&from=bcs-bcs.com&fromname=bill
> looks in the email as though it's:
> http://bcs-bcs.com/owa/service_directory/settings.php?email=bill@bcs-bcs.com&from=bcs-bcs.com&fromname=bill
>
> why is the parser trying to send a notice to my provider on this?
>

If this is true, then YOU have not told SC the correct info to prevent this.

You have been requested multiple times by SC to properly configure your account so you do not report yourself.

> Thanks
> Bill
>
>

From snowbat at geocities.com Sat Oct 17 21:32:43 2009
From: snowbat at geocities.com (Snowbat)
Date: Sat Oct 17 21:35:09 2009
Subject: [Scspamcop] Re: fake link spam trying to send reports to my provider
References:
Message-ID:

On Sat, 17 Oct 2009 16:59:27 -0700, anon wrote:

> "Bill" wrote in message
> news:hb728r$585$1@news.spamcop.net...
>> http://bcs-bcs.com/owa/service_directory/settings.php?email=bill@bcs-bcs.com&from=bcs-bcs.com&fromname=bill
>>
>> why is the parser trying to send a notice to my provider on this?
>>
>>
> If this is true, then YOU have not told SC the correct info to prevent
> this.
>
> You have been requested multiple times by SC to properly configure your
> account so you do not report yourself.

Mailhosts protection does not apply to spamvertised websites found in the body.

From bcs1 at spamcop.net Mon Oct 19 12:34:21 2009
From: bcs1 at spamcop.net (Bill)
Date: Mon Oct 19 12:35:09 2009
Subject: [Scspamcop] Re: fake link spam trying to send reports to my provider
References:
Message-ID:

"anon" wrote in message news:hbdlpa$pmt$1@news.spamcop.net...
>>
>> why is the parser trying to send a notice to my provider on this?
>>
>
> If this is true, then YOU have not told SC the correct info to prevent
> this.
>
> You have been requested multiple times by SC to properly configure your
> account so you do not report yourself.
> that's incorrect my friend, I have set up my mailhosts properly, my mailhosts aren't the issue here... however snowbat replied to you about this already, so I won't bother repeating it again... From bcs1 at spamcop.net Mon Oct 19 12:37:10 2009 From: bcs1 at spamcop.net (Bill) Date: Mon Oct 19 12:40:08 2009 Subject: [Scspamcop] Re: fake link spam trying to send reports to my provider References: Message-ID: "Twayne" wrote in message news:hbd6qf$jso$1@news.spamcop.net... > > Well, to say because that's how the spammer/phisher designed it to be is a > little flip, but true. This is a great example of why SC says to LOOK at > the reporting addresses and uncheck any that are not applicable. After > all, it's only a "tool" and works with highly forged information and IMO > does an excellent job. SC may have some competition but I haven't found > anything to meet or beat it yet. > > And BTW, I have reported my own ISP in the past as long as I was sure > nothing pointed to ME. If in doubt, I unchecked the box. > > Regards, > > Twayne` I agree wholeheartedly, SC is the only way to go as far as I'm concerned too, it just caught me off guard a bit when I saw these.. also, I got like 5 or 6 more over the weekend in my personal email account, and I created a regexp in one of the other domain's Kayako to simply ignore those type emails, and there were about 10 sent to there over the weekend that weren't even processed as tickets /Dev>null'd so to speak. From emfril at gmail.com Tue Oct 20 11:37:24 2009 From: emfril at gmail.com (Eustace) Date: Tue Oct 20 11:40:08 2009 Subject: [Scspamcop] Message body missing Message-ID: I received a message saying the delivery failed, however it was a spam that had my email at the From field. It contained only the header of the spam. I submitted the header to SpamCop but it was not accepted. Should I add a line like "Message body missing" under the headers and resubmit it? emf -- It ain't THAT, babe!
- A radical reinterpretation https://files.nyu.edu/emf202/public/itaintmebabe/itaintme.html From MikeE at ster.invalid Tue Oct 20 13:13:05 2009 From: MikeE at ster.invalid (Mike Easter) Date: Tue Oct 20 13:15:08 2009 Subject: [Scspamcop] Re: Message body missing References: Message-ID: Eustace wrote: > I received a message saying the delivery failed, however it was a spam > that had my email at the From field. It contained only the header of the > spam. I submitted the header to SpamCop but it was not accepted. Should > I add a line like "Message body missing" under the headers and resubmit > it? Yes. -- Mike Easter kibitzer, not SC admin From usenet-imp at exp09.spam.woody.ch Wed Oct 21 06:03:28 2009 From: usenet-imp at exp09.spam.woody.ch (Benoit Panizzon) Date: Wed Oct 21 06:05:07 2009 Subject: [Scspamcop] How to send spam reports to abuse departments? Message-ID: Hi all As I operate my own spamtraps and blacklist, I started hacking together some scripts to parse email header and whois replies to notify the owners of the ip ranges about their spamming customers. I attach the full header and the first 100 lines of the body into the notification to the abuse mailbox. I experienced, that this caused a lot of those emails to be blocked, because they are spam... So I removed the body, and just added a pointer to a website displaying the body saved into my spamtrap database. This caused other abuse contacts to complain, that they need to get the full email body by email to process my notifications. How does Spamcop solve that issue? I also noticed that a great number of abuse-mailbox: or other 'anti-spam' contacts found in whois entries point to invalid email addresses or full mailboxes and that these are mostly from those networks which send most of the spam to my spamtraps. This renders spam abuse fighting a bit useless...
-Benoit- From MikeE at ster.invalid Wed Oct 21 10:56:07 2009 From: MikeE at ster.invalid (Mike Easter) Date: Wed Oct 21 11:00:08 2009 Subject: [Scspamcop] Re: How to send spam reports to abuse departments? References: Message-ID: Benoit Panizzon wrote: > As I operate my own spamtraps and blacklist, I started hacking together > some scripts to parse email header and whois replies to notify the > owners of the > ip ranges about their spamming customers. When I was doing manual notifies, I pasted the spam into the body, inline after a very very brief introductory line to each notified about what their role was, source provider, spamvertiser provider, open relay (back in those days). If it was big and fat, I truncated the body. > I attach the full header and the first 100 lines of the body into the > notification to the abuse mailbox. > > I experienced, that this caused a lot of those emails to be blocked, > because they are spam... Abuse addresses shouldn't be blocking spam. Are you talking about your provider blocking? > So I removed the body, and just added a pointer to a website displaying > the body saved into my spamtrap database. That wouldn't be satisfactory for many abuse desks. > This caused other abuse contacts to complain, that they need to get the > full email body by email to process my notifications. Exactly. > How does Spamcop solve that issue? SC provides the spam and a link to its logic in processing. > I also noticed that a great number of abuse-mailbox: or other > 'anti-spam' contacts found in whois entries point to invalid email > addresses > or full mailboxes and that these are mostly from those networks which > send > most of the spam to my spamtraps. This renders spam abuse fighting a > bit useless... As a general rule, I believe that the goodguys/whitehats who want to know about spam are the only people who should be notified; that the badguys/blackhats should not be notified.
Sometimes you could be notifying an upstream or parent that the downstream or child is nonresponsive to spam reports -- or has bad abuse contact information. -- Mike Easter kibitzer, not SC admin From ppearson at nowhere.invalid Wed Oct 21 18:32:55 2009 From: ppearson at nowhere.invalid (Peter Pearson) Date: Wed Oct 21 18:35:07 2009 Subject: [Scspamcop] Re: How to send spam reports to abuse departments? References: Message-ID: On Wed, 21 Oct 2009 07:56:07 -0700, Mike Easter wrote: > Benoit Panizzon wrote: [snip] >> I attach the full header and the first 100 lines of the >> body into the notification to the abuse mailbox. >> >> I experienced, that this caused a lot of those emails to >> be blocked, because they are spam... > > Abuse addresses shouldn't be blocking spam. Are you > talking about your provider blocking? Since it might help the original poster locate the problem, let me point out that my Internet Service Provider, Charter Communications, has usually discarded my spam reports (to other parties) without even notifying me that it was doing so. -- To email me, substitute nowhere->spamcop, invalid->net. From usenet-imp at exp09.spam.woody.ch Thu Oct 22 02:55:05 2009 From: usenet-imp at exp09.spam.woody.ch (Benoit Panizzon) Date: Thu Oct 22 02:55:08 2009 Subject: [Scspamcop] Re: How to send spam reports to abuse departments? References: Message-ID: > Abuse addresses shouldn't be blocking spam. Are you talking about your > provider blocking? No, I work at an ISP and we don't block spam to abuse. We have to sort those emails manually. I talk about the many other abuse contacts my spam reporting script sends reports to. I get quite a lot of bounces telling me, that the email was blocked because it was identified as spam. (Well I'm forwarding spam of course). > As a general rule, I believe that the goodguys/whitehats who want to > know about spam are the only people who should be notified; that the > badguys/blackhats should not be notified.
> > Sometimes you could be notifying an upstream or parent that the > downstream or child is nonresponsive to spam reports -- or has bad abuse > contact information. Well that gets a bit complicated to implement with a script then. It's already quite tricky to parse the whois reply of the different RIR (and follow referrals in the case of ARIN) and try to automatically find the best matching abuse contact. At the moment I have this simple set of rules: If there is a contact 'e-mail:' line use that. If there is an email address containing the string 'abuse' use that instead. If there is a contact 'abuse-mailbox:' use that instead. If there is an email containing the string 'spam' use that instead. Don't use an address found in a 'notify:' line. -Benoit- From nobody at spamcop.net Mon Oct 26 00:57:37 2009 From: nobody at spamcop.net (Richard W) Date: Mon Oct 26 01:00:08 2009 Subject: [Scspamcop] Re: How to send spam reports to abuse departments? In-Reply-To: References: Message-ID: Benoit Panizzon wrote: > Hi all > > As I operate my own spamtraps and blacklist, I started hacking together some > scripts to parse email header and whois replies to notify the owners of the > ip ranges about their spamming customers. > > I attach the full header and the first 100 lines of the body into the > notification to the abuse mailbox. > > I experienced, that this caused a lot of those emails to be blocked, because > they are spam... > > So I removed the body, and just added a pointer to a website displaying the > body saved into my spamtrap database. > > This caused other abuse contacts to complain, that they need to get the > full email body by email to process my notifications. > > How does Spamcop solve that issue? To be honest, we've been around 11 years now, so we have a working relationship with most ISPs and many have made exceptions in their filters for our reports. We also give them the option of receiving reports in ARF format, which quite a few have opted for.
It wasn't always a rosy picture. There was a lot of dissension when Julian started the service, not that there is 100% acceptance even now. Richard > > I also noticed that a great number of abuse-mailbox: or other > 'anti-spam' contacts found in whois entries point to invalid email addresses > or full mailboxes and that these are mostly from those networks which send > most of the spam to my spamtraps. This renders spam abuse fighting a bit useless... > > -Benoit- From jy at live.ca Mon Oct 26 15:36:56 2009 From: jy at live.ca (Jonathan Yaniv) Date: Mon Oct 26 15:40:08 2009 Subject: [Scspamcop] Yahoo abuse reports - needs fixing Message-ID: Can you please change the contact email address for yahoo abuse reports to network-abuse@cc.yahoo-inc.com I am finding that the reports for Yahoo that I am sending in SpamCop are not doing anything..
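The contact-selection rules Benoit Panizzon lists in the "How to send spam reports to abuse departments?" thread, written out as an added example; it is not any poster's script or SpamCop's code. It assumes the rules form an ascending precedence (each "use that instead" overrides the rule before it), and the function names and the whois reply are constructed for illustration.

```python
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed whois reply (documentation range and domain), not real data.
SAMPLE_WHOIS = """\
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
notify:         spam-notify@example.net
e-mail:         hostmaster@example.net
remarks:        complaints to abuse-desk@example.net
abuse-mailbox:  cert@example.net
"""


def rank(key, addr):
    """Precedence of one address; assumes each later rule in the post wins."""
    if "spam" in addr:
        return 4
    if key == "abuse-mailbox":
        return 3
    if "abuse" in addr:
        return 2
    if key == "e-mail":
        return 1
    return 0  # matches no rule: never selected


def pick_abuse_contact(whois_text):
    """Return the highest-ranked contact in a whois reply, or None."""
    best_rank, best_addr = 0, None
    for line in whois_text.splitlines():
        key, sep, value = line.strip().partition(":")
        key = key.strip().lower() if sep else ""
        if key == "notify":
            continue  # last rule: notify: addresses are never used
        for addr in EMAIL_RE.findall(value if sep else line):
            addr = addr.lower()
            r = rank(key, addr)
            if r > best_rank:  # ties keep the first address seen
                best_rank, best_addr = r, addr
    return best_addr


if __name__ == "__main__":
    print(pick_abuse_contact(SAMPLE_WHOIS))
```

Because the 'spam' rule is a plain substring match, an address such as `nospam@example.net` would outrank a real `abuse-mailbox:` entry; the code follows the rules as posted rather than tightening them.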