From MikeE at ster.invalid Wed Sep 2 05:24:38 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Sep 2 05:25:08 2009
Subject: [Scspamcop] Re: Google spam
References:
Message-ID:

Larry in AZ wrote:
> Patto
>> Larry in AZ wrote:
>>> Lots of spam lately that Spamcop wants to report to abuse@google.com.
>>>
>>> IPs block is 209.85.128.0 - 209.85.255.255
>>>
>>> Is this Gmail or something else..?
>>
>> Difficult to say without a tracker...
>>
>> Anyway, abuse@google.com does not normally want SC reports.
>
> They do when coming from the above IP block...

Discussions about spam and reporting are best done with a tracker.

How to make a tracker:

1 select and obtain the complete spam
2 privatize the header&body content
3 webparse it & copy the tracking URL
4 cancel the report & paste the tracker in here

1 ... in the manner described by the SC faq
http://www.spamcop.net/fom-serve/cache/19.html How do I get my email program to reveal the full, unmodified email?

2 ... by modestly and unambiguously mungeing any private information you don't want to expose, such as your name or email address which might appear anywhere in the header or body. Avoid excessive or confusing mungeing.

3 login to the SC webparser, paste in the spam, and click Process Spam button; then copy the tracking URL from the top 'Here is your TRACKING URL' of the appearance

4 ... after parsing, the report is 'live' until the cancel button is used. After cancelling the tracker disappears; the munged spam report should be cancelled because it has been materially changed and because you don't want to leave a tracker live.

-- 
Mike Easter
kibitzer, not SC admin

From g.hyde at bigNOSPAMpond.net.au Wed Sep 2 21:16:59 2009
From: g.hyde at bigNOSPAMpond.net.au (Geoffrey Hyde)
Date: Wed Sep 2 21:20:09 2009
Subject: [Scspamcop] What's going on with hostmysite.com in this SpamCop report?
Message-ID:

I seem to be getting a lot of spam reported and the abuse at hostmysite dot com address always refuses munged reports, so is unchecked by default.

Question is, why is it listed as an abuse address for the source? Their abuse address is apparently level3 at admin dot spamcop dot net?

So what's going on with hostmysite.com in this SpamCop report?

Cheers ...

Geoffrey Hyde

From g.hyde at bigNOSPAMpond.net.au Wed Sep 2 23:33:52 2009
From: g.hyde at bigNOSPAMpond.net.au (Geoffrey Hyde)
Date: Wed Sep 2 23:35:08 2009
Subject: [Scspamcop] Re: What's going on with hostmysite.com in this SpamCop report?
References:
Message-ID:

Sorry, forgot report link:

http://www.spamcop.net/sc?id=z3282047183z5e6436a9d95774e84c55126ea11323ddz

Cheers ...

Geoffrey Hyde

"Geoffrey Hyde" wrote in message news:h7n5ep$24b$1@news.spamcop.net...
>I seem to be getting a lot of spam reported and the abuse at hostmysite dot
>com address always refuses munged reports, so is unchecked by default.
>
> Question is, why is it listed as an abuse address for the source? Their
> abuse address is apparently level3 at admin dot spamcop dot net?
>
> So what's going on with hostmysite.com in this SpamCop report?
>
>
>
> Cheers ...
>
> Geoffrey Hyde
>
>
>

From MikeE at ster.invalid Thu Sep 3 02:01:51 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Sep 3 02:05:07 2009
Subject: [Scspamcop] Re: What's going on with hostmysite.com in this SpamCop report?
References:
Message-ID:

Geoffrey Hyde wrote:

www.spamcop.net/sc?id=z3282047183z5e6436a9d95774e84c55126ea11323ddz

spamsource: 76.12.124.76 rDNS tropicana.safesecureweb.com

The source is on several blocklists but not SC's.

whois -h whois.arin.net 76.12.124.76 ...
OrgName: HostMySite
NetRange: 76.12.0.0 - 76.12.255.255
CIDR: 76.12.0.0/16
OrgAbuseEmail: abuse@hostmysite.com

whois -h whois.abuse.net hostmysite.com ...
abuse@level3.com abuse@hostmysite.com abuse@above.net abuse@gblx.net (for hostmysite.com)

-- 
Mike Easter
kibitzer, not SC admin

From bert at iphouse.com Thu Sep 3 13:36:58 2009
From: bert at iphouse.com (Bert Hyman)
Date: Thu Sep 3 13:40:07 2009
Subject: [Scspamcop] "spam@uce.gov" as a reporting address?
Message-ID:

I got this:

http://www.spamcop.net/sc?id=z3284242164z2eaa45824222d2be82d04e3d3802270az

and in the analysis is:

Tracking message source: 208.98.50.208:
Routing details for 208.98.50.208
[refresh/show] Cached whois for 208.98.50.208 : abuse@sharktech.net
Using abuse net on abuse@sharktech.net
abuse net sharktech.net = spam@uce.gov, abuse@comcast.net, abuse@sharktech.net
Using best contacts spam@uce.gov abuse@comcast.net abuse@sharktech.net

I don't think I've ever seen "spam@uce.gov" pop up like that.

-- 
Bert Hyman St. Paul, MN bert@iphouse.com

From MikeE at ster.invalid Thu Sep 3 13:59:25 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Sep 3 14:00:08 2009
Subject: [Scspamcop] Re: "spam@uce.gov" as a reporting address?
References:
Message-ID:

Bert Hyman wrote:

> Using abuse net on abuse@sharktech.net
> abuse net sharktech.net = spam@uce.gov, abuse@comcast.net,
> abuse@sharktech.net Using best contacts spam@uce.gov abuse@comcast.net
> abuse@sharktech.net
>
> I don't think I've ever seen "spam@uce.gov" pop up like that.

Anyone can contribute an address to the abuse.net database, and if abuse.net doesn't remove or change it, then it comes up when the db is queried at the abuse.net website or the whois.abuse.net server.

http://abuse.net/addnew.phtml Submitting new entries for the contact database

The FTC stores those uce.gov submissions in a db - "The FTC's spam database has served as the basis for FTC cases involving pyramid schemes, money-making chain letters, credit card scams, credit repair scams, bogus weight-loss plans, fraudulent business opportunities, and other scams that were promoted via email."
Some people like to include the uce.gov addy on everything, while others don't.

-- 
Mike Easter
kibitzer, not SC admin

From anthony.edwards at uk.easynet.net Sat Sep 5 15:29:40 2009
From: anthony.edwards at uk.easynet.net (Anthony Edwards)
Date: Sat Sep 5 15:30:08 2009
Subject: [Scspamcop] Re: Google spam
References:
Message-ID:

On Tue, 1 Sep 2009 01:08:38 +0000 (UTC), Larry in AZ wrote:

> Lots of spam lately that Spamcop wants to report to abuse@google.com.
>
> IPs block is 209.85.128.0 - 209.85.255.255
>
> Is this Gmail or something else..?

It is one of the (many) googlemail.com & gmail.com outbound mail server IP address ranges, according to the googlemail.com & gmail.com SPF records:

anthony@localhost:~$ host -t txt googlemail.com
googlemail.com descriptive text "v=spf1 redirect=_spf.google.com"
anthony@localhost:~$ host -t txt gmail.com
gmail.com descriptive text "v=spf1 redirect=_spf.google.com"
anthony@localhost:~$ host -t txt _spf.google.com
_spf.google.com descriptive text "v=spf1 ip4:216.239.32.0/19
ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18
ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20
^^^^^^^^^^^^^^^^^^^
ip4:207.126.144.0/20 ?all"

http://www.openspf.org/
http://www.openspf.org/SPF_Record_Syntax

-- 
Anthony Edwards * anthony.edwards@uk.easynet.net
Abuse Team Manager * Tel: 020 7900 4444
Easynet Ltd * DDI: 0161 888 3507
http://www.easynet.com * Fax: 0845 333 4503

From me at privacy.net Mon Sep 7 15:42:55 2009
From: me at privacy.net (Michael R N Dolbear)
Date: Mon Sep 7 15:45:09 2009
Subject: [Scspamcop] Re: Google spam
References:
Message-ID: <01ca2fed$d03b9200$LocalHost@default>

Charles wrote

> No way it was me! It was Larry in AZ !
> > What's up with the Amazon
> > thing..? Are they offering email accounts now..?

> Amazon has weird services. I know people with file/image hosting there.
> It wouldn't surprise me that they would also offer email.
They do, provided you buy a Kindle e-book reader - "Now Only $299"

{Kindle User Guide - can be downloaded free}

"Each Kindle has its own unique e-mail address"

You can e-mail Microsoft Word, TXT, HTML, or image files like JPEGs and GIFs to your dedicated Kindle e-mail address (found on the Manage Your Kindle page on Amazon.com). We will convert the document into Kindle format and wirelessly deliver it directly to your Kindle for a small fee or back to your computer for free.

==

Note that you can also buy content from non-Amazon sources, eg unprotected Mobipocket format books (.MOBI, .PRC) from Fictionwise and from Webscriptions.net

-- 
Mike D

From df at nowhere.invalid Tue Sep 8 22:26:59 2009
From: df at nowhere.invalid (David F.)
Date: Tue Sep 8 22:30:08 2009
Subject: [Scspamcop] Whitelist keywords?
Message-ID:

Hello,

Is it possible to setup particular keywords in my account to allow an email to not get moved to held mail? Say in body or subject.

Thanks.

From nobody at devnull.spamcop.net Tue Sep 8 23:31:10 2009
From: nobody at devnull.spamcop.net (Wazoo)
Date: Tue Sep 8 23:35:08 2009
Subject: [Scspamcop] Re: Whitelist keywords?
References:
Message-ID:

"David F." wrote in message news:h873pq$k5o$1@news.spamcop.net...
>
> Is it possible to setup particular keywords in my account to allow
> an email to not get moved to held mail? Say in body or subject.

Making an assumption: you are asking about a SpamCop.net/CESmail account.

Easy answer is "yes" However, the support effort for the e-mail tool is either in the basically dead spamcop.mail newsgroup or over in the Forum at http://forum.spamcop.net/ For example, there's a large Topic about dealing with Cyrillic spam that matches your query exactly.

From MikeE at ster.invalid Wed Sep 9 11:11:27 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Sep 9 11:15:07 2009
Subject: [Scspamcop] Re: Whitelist keywords?
References:
Message-ID:

Wazoo wrote:
> "David F."
>> Is it possible to setup particular keywords in my account to allow
>> an email to not get moved to held mail? Say in body or subject.
>
> Making an assumption: you are asking about a SpamCop.net/CESmail
> account.
>
> Easy answer is "yes" However, the support effort for the e-mail
> tool is either in the basically dead spamcop.mail newsgroup or over
> in the Forum at http://forum.spamcop.net/ For example, there's a
> large Topic about dealing with Cyrillic spam that matches your query
> exactly.

Are you saying that there is a forum discussion on whitelisting Cyrillic mail?

Or are you saying there is a discussion on what is wrong with the cesmail whitelisting function which went on for a few years in which there is a post mentioning Cyrillic spam which references another message/thread about *black*listing some types of mail including Cyrillic?

Blacklisting is not whitelisting.

That is, where in the forum is there a thread to help the OP with whitelisting keywords and what does that thread on whitelisting keywords have to do with Cyrillic (words)?

-- 
Mike Easter
kibitzer, not SC admin

From nobody at spamcop.net Wed Sep 9 18:35:54 2009
From: nobody at spamcop.net (Bar0)
Date: Wed Sep 9 18:40:08 2009
Subject: [Scspamcop] Re: Whitelist keywords?
References:
Message-ID:

"Mike Easter" wrote in message news:h88gim$f30$1@news.spamcop.net...
> Wazoo wrote:
>> "David F."
>
>>> Is it possible to setup particular keywords in my account to allow
>>> an email to not get moved to held mail? Say in body or subject.

;;;;;

>
> That is, where in the forum is there a thread to help the OP with
> whitelisting keywords and what does that thread on whitelisting keywords
> have to do with Cyrillic (words)?

2 words: White Russians

From me at privacy.net Wed Sep 9 19:18:58 2009
From: me at privacy.net (Michael R N Dolbear)
Date: Wed Sep 9 19:20:09 2009
Subject: [Scspamcop] Re: Whitelist keywords?
References:
Message-ID: <01ca319e$2cdc2860$LocalHost@default>

Mike Easter wrote

> Blacklisting is not whitelisting.
>
> That is, where in the forum is there a thread to help the OP with
> whitelisting keywords and what does that thread on whitelisting keywords
> have to do with Cyrillic (words)?

True but the Spamcop Mail/ Webmail personal whitelist works just like the personal blacklist and items like charset=KOI8-R can be regarded as keywords.

However the personal whitelist does not provide the feature requested.

What does are webmail's 'Filter' and 'Search' features which are only active when logged into webmail and the discussion referenced (where I appear as Michaelanglo) discusses workarounds that may help the OP.

One workaround is to display only the emails in the held folder which have SpamAssassin hits of 5 or less and thus the overwhelming number of false positives.

===
Entire message contains hits=- OR Entire message contains hits=0. hits=1. =2. =3. =4. =5. OR Entire message hits= NO Match
===

Scanning 8 items or less instead of 150 is good and since by using 'Search' the results are displayed as a virtual folder, releasing some to inbox is trivial.

Adding some Subject or Entire Message keywords to the virtual folder definition is also easy.

-- 
Mike D

From bakesph at comcast.net Thu Sep 10 02:05:31 2009
From: bakesph at comcast.net (Steve Baker)
Date: Thu Sep 10 02:10:08 2009
Subject: [Scspamcop] Question about user generated reports to ISPs
Message-ID:

In news.admin.net-abuse.email, Subject: "Comcast and port 25 blocking the wrong party", MID , a Comcast user says:

"Has anyone else experienced this? I reported a spam from a comcast IP with Spamcop the other night. This morning I got an email from Comcast telling me that they have received reports of spam coming from my modem and have blocked port 25 on the modem, not the IP but the modem...
It seems every time I report spam via Spamcop and it shows as coming from a Comcast IP a few days later I get an email telling me they have received reports of spam coming from my PC. They tell me that my system is infected and that they have blocked port 25 on my IP."

So, my question is simple, I think. Do user generated Spamcop reports show the IP address of the user? If yes, is it in the body or the header of the report?

-- 
Steve Baker

From borgholio at storymind.com Thu Sep 10 04:42:08 2009
From: borgholio at storymind.com (Borgholio)
Date: Thu Sep 10 04:45:08 2009
Subject: [Scspamcop] Re: Question about user generated reports to ISPs
In-Reply-To:
References:
Message-ID:

Steve Baker wrote:
> In news.admin.net-abuse.email, Subject: "Comcast and port 25
> blocking the wrong party", MID
> , a Comcast user says:
>
> "Has anyone else experienced this? I reported a spam from a comcast IP
> with Spamcop the other night. This morning I got an email from Comcast
> telling me that they have received reports of spam coming from my
> modem and have blocked port 25 on the modem, not the IP but the
> modem...
>
> It seems every time I report spam via Spamcop and it shows as coming
> from a Comcast IP a few days later I get an email telling me they have
> received reports of spam coming from my PC. They tell me that my
> system is infected and that they have blocked port 25 on my IP."
>
> So, my question is simple, I think. Do user generated Spamcop
> reports show the IP address of the user? If yes, is it in the body or
> the header of the report?
>

Sounds to me like you need to set up your mailhosts, as that will help prevent exactly the problem you are describing.
From MikeE at ster.invalid Thu Sep 10 12:17:51 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Sep 10 12:20:07 2009
Subject: [Scspamcop] Re: Question about user generated reports to ISPs
References:
Message-ID:

Steve Baker wrote:
> In news.admin.net-abuse.email, Subject: "Comcast and port 25
> blocking the wrong party", MID
> , a Comcast user says:

I've just read that thread. That isn't a really competent report on anything. If we were going to actually talk about a spam report, we should be using the tracker so that we could see the spam item behind the report in question.

For all I know, the Viper poster may have been reporting their own provider's IP, since they are comcast reporting a comcast IP source.

> "Has anyone else experienced this? I reported a spam from a comcast IP
> with Spamcop the other night. This morning I got an email from Comcast
> telling me that they have received reports of spam coming from my
> modem and have blocked port 25 on the modem, not the IP but the
> modem...

It is also possible that comcast admin misinterpreted the report and misinterpreted that spam was coming from Viper's comcast IP but the spam which was reported was from some other comcast

> It seems every time I report spam via Spamcop and it shows as coming
> from a Comcast IP a few days later I get an email telling me they have
> received reports of spam coming from my PC. They tell me that my
> system is infected and that they have blocked port 25 on my IP."

Viper's reporting error or Comcast's interpretation error.

> So, my question is simple, I think. Do user generated Spamcop
> reports show the IP address of the user? If yes, is it in the body or
> the header of the report?

When a spamcop reporter causes generation of a regular spamcop report, the only thing which is munged in the original spam is the algorithm's finding of the reporter's To address in the headers or body. The IP address of the reporter's mailserver is not munged.
The IP address of the reporter is not a part of the original spam and the report is submitted from the spamcop servers, not the reporter's connecting IP.

-- 
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Thu Sep 10 13:22:53 2009
From: nobody at devnull.spamcop.net (Twayne)
Date: Thu Sep 10 13:25:07 2009
Subject: [Scspamcop] Re: Question about user generated reports to ISPs
References:
Message-ID:

"Borgholio" wrote in message
news:h8ae54$sdl$1@news.spamcop.net
> Steve Baker wrote:
>> In news.admin.net-abuse.email, Subject: "Comcast and port 25
>> blocking the wrong party", MID
>> , a Comcast user says:
>>
>> "Has anyone else experienced this? I reported a spam from a comcast
>> IP with Spamcop the other night.

So it was well over 24 hours ago you reported the spam?

This morning I got an email from
>> Comcast telling me that they have received reports of spam coming
>> from my modem and have blocked port 25 on the modem, not the IP but
>> the modem...

Do they specifically mean YOUR modem? That seems pretty unlikely. They have to be talking about the port 25 you connect to at Comcast, your smtp port setting.

>>
>> It seems every time I report spam via Spamcop and it shows as coming
>> from a Comcast IP a few days later I get an email telling me they
>> have received reports of spam coming from my PC. They tell me that my
>> system is infected and that they have blocked port 25 on my IP."

THAT might make sense. ARE you infected? Have you checked? And what have you used to check? You could be sending spams without knowing it; you could even be zombied I suppose.
ARE you sending anything that could be considered spam? Did they mention getting reports against you? Have you checked blocklists to see if you're on any of them?
I find Robtex.com pretty reasonable for checking blocklists one might be on.

>>
>> So, my question is simple, I think. Do user generated Spamcop
>> reports show the IP address of the user? If yes, is it in the body or
>> the header of the report?

Yes, the IP shows in several places in the headers. The IP only identifies the ISP and not the person it was assigned to.
The IP does not identify YOU in particular unless you have and are paying for a static IP though. I get a new IP every time I turn around here on Verizon-Yahoo; I watched it for awhile, just for grins.
But then if you're a Comcast customer I suppose they could tell by the logs when you were using that IP, but it would seem like an awful lot of trouble for them to go thru. IF the mail actually came from them, and if Comcast is also your ISP.

If your machine is somehow infected or zombied though, it could be sending out almost anything. Or, you're being spammed by someone who knows you and knows you report them? Have you ever parsed those Comcast reports to see if they're forged or malformed?

Hope you'll inform the group what it turns out to be.

Twayne`

From bakesph at comcast.net Fri Sep 11 16:28:09 2009
From: bakesph at comcast.net (Steve Baker)
Date: Fri Sep 11 16:30:07 2009
Subject: [Scspamcop] Re: Question about user generated reports to ISPs
References:
Message-ID: <8dcla5h0isrbm5ljmvh4ggbqtnslosqqnv@4ax.com>

On Thu, 10 Sep 2009 09:17:51 -0700, "Mike Easter" wrote:

>It is also possible that comcast admin misinterpreted the report and
>misinterpreted that spam was coming from Viper's comcast IP but the spam
>which was reported was from some other comcast

That gets to the heart of my question. How could Comcast think that the spam came from Viper's IP address if his IP address isn't visible anywhere in the Spamcop report? They'd have to do some tricky to impossible searching of their logs/mail stores to find his IP address if it wasn't in the report.
-- 
Steve Baker

From bakesph at comcast.net Fri Sep 11 16:55:35 2009
From: bakesph at comcast.net (Steve Baker)
Date: Fri Sep 11 17:00:08 2009
Subject: [Scspamcop] Re: Question about user generated reports to ISPs
References:
Message-ID:

On Thu, 10 Sep 2009 13:22:53 -0400, "Twayne" wrote:

>"Borgholio" wrote in message
>news:h8ae54$sdl$1@news.spamcop.net
>> Steve Baker wrote:
>>> In news.admin.net-abuse.email, Subject: "Comcast and port 25
>>> blocking the wrong party", MID
>>> , a Comcast user says:
>>>
>>> "Has anyone else experienced this? I reported a spam from a comcast
>>> IP with Spamcop the other night.
>
>So it was well over 24 hours ago you reported the spam?

It wasn't me, I was quoting someone. I wanted to know if a user's IP address would be mentioned in Spamcop reports... like maybe sending an abuse report via Spamcop might be similar to forwarding. A couple points of information follow.

> This morning I got an email from
>>> Comcast telling me that they have received reports of spam coming
>>> from my modem and have blocked port 25 on the modem, not the IP but
>>> the modem...
>
>Do they specifically mean YOUR modem? That seems pretty unlikely. They
>have to be talking about the port 25 you connect to at Comcast, your
>smtp port setting.

When Comcast blocks port 25 they do it via a modem config file that they upload to the user. They upload a modem config file to all users, that's the nature of the beast, and they modify that file for "problem" users such that port 25 is blocked in both directions.

>>>
>>> It seems every time I report spam via Spamcop and it shows as coming
>>> from a Comcast IP a few days later I get an email telling me they
>>> have received reports of spam coming from my PC. They tell me that my
>>> system is infected and that they have blocked port 25 on my IP."
>
>THAT might make sense. ARE you infected? Have you checked? And what
>have you used to check? You could be sending spams without knowing it;
>you could even be zombied I suppose.

On the other hand, their policy on blocking port 25 is to "shoot first, and not bother to ask any questions at all". If a user accidentally clicks on the "this is spam" button for an email from their mother, that could result in a port 25 block on the mother.

> ARE you sending anything that could be considered spam? Did they
>mention getting reports against you? Have you checked blocklists to see
>if you're on any of them?
> I find Robtex.com pretty reasonable for checking blocklists one might
>be on.
>
>>>
>>> So, my question is simple, I think. Do user generated Spamcop
>>> reports show the IP address of the user? If yes, is it in the body or
>>> the header of the report?
>
>Yes, the IP shows in several places in the headers. The IP only
>identifies the ISP and not the person it was assigned to.

The IP address of the user who submitted the Spamcop report shows up in the Spamcop report?

> The IP does not identify YOU in particular unless you have and are
>paying for a static IP though. I get a new IP every time I turn around
>here on Verizon-Yahoo; I watched it for awhile, just for grins.

Comcast uses DHCP, which will reassign the same IP address as before every time a lease is renewed (provided the MAC address of the device connected to the modem is the same). I've had the same IP address for 4 year stretches with Comcast.

> But then if you're a Comcast customer I suppose they could tell by
>the logs when you were using that IP, but it would seem like an awful
>lot of trouble for them to go thru. IF the mail actually came from
>them, and if Comcast is also your ISP.
>
>If your machine is somehow infected or zombied though, it could be
>sending out almost anything. Or, you're being spammed by someone who
>knows you and knows you report them? Have you ever parsed those Comcast
>reports to see if they're forged or malformed?
>
>Hope you'll inform the group what it turns out to be.
I don't know, but I think, going by what Mike said (that Spamcop reports don't reveal the IP address of the Spamcop reporter), that it must be coincidence.

-- 
Steve Baker

From nobody at devnull.spamcop.net Fri Sep 11 19:23:18 2009
From: nobody at devnull.spamcop.net (Wazoo)
Date: Fri Sep 11 19:25:07 2009
Subject: [Scspamcop] Re: Question about user generated reports to ISPs
References:
Message-ID:

"Steve Baker" wrote in message news:b15ha5dmanan2dvu2gunrk9tquijsh7eiq@4ax.com...
>
> So, my question is simple, I think. Do user generated Spamcop
> reports show the IP address of the user? If yes, is it in the body
> or
> the header of the report?

Yes, the submitting IP Address is found within the outgoing SpamCop.net Report. I have spent some time trying to find Don's words on this, but I suspect the issue is his use of the X-NoArchive bit in his newsgroup postings. [Why he (or any of the Deputies) hasn't weighed in here yet would be the question.] I'm of the thought that this dates back to the days when Julian was working with the SpamAssassin folks, but ....???? All I can say is that this has been true for a number of years now.

The next parse you make, take a look at the "Preview" .. you'll see 'your' IP Address in the first Received: line of the outgoing Report. Assumedly, this is where the ISP's tech folks are stopping their reading, assumedly ignoring the Subject: line and explanation of the actual issue involved with that Report.

From nobody at devnull.spamcop.net Fri Sep 11 19:27:47 2009
From: nobody at devnull.spamcop.net (Wazoo)
Date: Fri Sep 11 19:30:08 2009
Subject: [Scspamcop] Re: Question about user generated reports to ISPs
References: <8dcla5h0isrbm5ljmvh4ggbqtnslosqqnv@4ax.com>
Message-ID:

"Steve Baker" wrote in message news:8dcla5h0isrbm5ljmvh4ggbqtnslosqqnv@4ax.com...
> On Thu, 10 Sep 2009 09:17:51 -0700, "Mike Easter"
>
> wrote:
>
>>It is also possible that comcast admin misinterpreted the report
>>and
>>misinterpreted that spam was coming from Viper's comcast IP but
>>the spam
>>which was reported was from some other comcast
>
> That gets to the heart of my question. How could Comcast think
> that
> the spam came from Viper's IP address if his IP address isn't
> visible
> anywhere in the Spamcop report? They'd have to do some tricky to
> impossible searching of their logs/mail stores to find his IP
> address
> if it wasn't in the report.

As noted in another Post in this thread, the IP Address of the submitting system is in fact showing in the first Received: line in the outgoing Report. Take a look at a 'Preview' of your next successful parse (or re-run one of your past Reports) and take a look.

From nobody at devnull.spamcop.net Fri Sep 11 19:34:41 2009
From: nobody at devnull.spamcop.net (Wazoo)
Date: Fri Sep 11 19:35:08 2009
Subject: [Scspamcop] Re: Question about user generated reports to ISPs
References:
Message-ID:

"Steve Baker" wrote in message news:bncla55i1rrg3mmrj2p4qqr7vdqkogfj7t@4ax.com...
>
> I don't know, but I think, going by what Mike said (that Spamcop
> reports don't reveal the IP address of the Spamcop reporter), that
> it
> must be coincidence.

You have no idea how much this hurts to say, but Mike Easter is wrong in this case. The IP Address of the system used to submit the spam is in fact in the outgoing Report. However, the ISP's tech/abuse folks are not handling the actual Report correctly, apparently trying to read the headers of that outgoing Report as they would any other (spam) e-mail complaint/report.
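
Added example (not part of any post in this thread, and not SpamCop's code or its actual report layout): a sketch of how an abuse desk could keep the submitter's address in a report's own Received: lines apart from the spam source recorded in the embedded message, which is the mix-up described in the posts above. The report text, host names, documentation-range IP addresses, the placement of the submitter's IP in the bottom Received: line, and the trusted-host set are all constructed assumptions.

```python
import re
from email import message_from_string, policy

# Constructed sample report: the outer headers belong to the REPORT, the
# message/rfc822 part is the spam being complained about. All names and
# addresses are made up (RFC 5737 documentation ranges).
REPORT = """\
Received: from reports.example.net (reports.example.net [198.51.100.10])
\tby abuse-mx.isp.example with ESMTP; Fri, 11 Sep 2009 19:00:05 -0500
Received: from [203.0.113.25] by reports.example.net with HTTP;
\tFri, 11 Sep 2009 19:00:01 -0500
From: reporting-service@reports.example.net
To: abuse@isp.example
Subject: Spam report: email from 203.0.113.77
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Unsolicited email was received from 203.0.113.77.
--b1
Content-Type: message/rfc822

Received: from dsl-77.isp.example (dsl-77.isp.example [203.0.113.77])
\tby mx.reporter-mail.example with SMTP; Fri, 11 Sep 2009 18:40:00 -0500
Received: from mail.bank.example ([192.0.2.200])
\tby dsl-77.isp.example; Fri, 11 Sep 2009 18:39:00 -0500
From: "Prize Desk" <x@bank.example>
Subject: You won

Claim now.
--b1--
"""

# Assumption: the reporter's own receiving mail hosts are known to the reader.
TRUSTED = {"mx.reporter-mail.example"}

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_HOST = re.compile(r"\bby\s+([^\s;]+)", re.I)


def hops(msg):
    """Return [(by_host, peer_ip)] for each Received: header, newest first."""
    out = []
    for raw in msg.get_all("Received", []):
        line = " ".join(str(raw).split())          # unfold continuation lines
        by, ip = BY_HOST.search(line), IPV4.search(line)
        out.append((by.group(1).lower() if by else None,
                    ip.group(1) if ip else None))
    return out


def envelope_submitter_ip(report):
    """IP in the oldest (bottom) Received: line of the report itself.
    This is who handed the report to the reporting service, not the spammer."""
    h = hops(report)
    return h[-1][1] if h else None


def embedded_message(report):
    """Return the attached original message, or None if there is none."""
    for part in report.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None


def spam_source_ip(spam, trusted_hosts):
    """Walk the spam's Received: lines from the top and keep the peer IP of
    the last line written by a trusted host; anything below that was written
    by the sender's side and may be forged."""
    source = None
    for by_host, ip in hops(spam):
        if by_host not in trusted_hosts:
            break
        if ip:
            source = ip
    return source


def triage(raw_report, trusted_hosts):
    report = message_from_string(raw_report, policy=policy.default)
    spam = embedded_message(report)
    return {
        "submitter_ip": envelope_submitter_ip(report),
        "source_ip": spam_source_ip(spam, trusted_hosts) if spam else None,
    }


if __name__ == "__main__":
    print(triage(REPORT, TRUSTED))
```

In this sample both addresses sit in the same provider's range, so a reader who stops at the report's outer Received: lines acts on 203.0.113.25 (the reporter) instead of 203.0.113.77 (the source).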
From bakesph at comcast.net Fri Sep 11 21:23:41 2009
From: bakesph at comcast.net (Steve Baker)
Date: Fri Sep 11 21:25:09 2009
Subject: [Scspamcop] Re: Question about user generated reports to ISPs
References:
Message-ID:

On Fri, 11 Sep 2009 18:34:41 -0500, "Wazoo" wrote:

>"Steve Baker" wrote in message
>news:bncla55i1rrg3mmrj2p4qqr7vdqkogfj7t@4ax.com...
>>
>> I don't know, but I think, going by what Mike said (that Spamcop
>> reports don't reveal the IP address of the Spamcop reporter), that
>> it
>> must be coincidence.
>
>You have no idea how much this hurts to say, but Mike Easter is
>wrong in this case. The IP Address of the system used to submit the
>spam is in fact in the outgoing Report.

Maybe I misunderstood what Mike was saying. I've done a lot of head scratching over the years trying to figure out what Mike was trying to say... even when I already perfectly understood what it was he was trying to explain! ;-)

-- 
Steve Baker

From nobody at devnull.spamcop.net Fri Sep 11 23:08:44 2009
From: nobody at devnull.spamcop.net (Wazoo)
Date: Fri Sep 11 23:10:07 2009
Subject: [Scspamcop] Re: Question about user generated reports to ISPs
References:
Message-ID:

"Steve Baker" wrote in message news:qmtla59kphetjopajai7fg4jttnr65bsk0@4ax.com...
> On Fri, 11 Sep 2009 18:34:41 -0500, "Wazoo"
> wrote:
>>
>>You have no idea how much this hurts to say, but Mike Easter is
>>wrong in this case. The IP Address of the system used to submit the
>>spam is in fact in the outgoing Report.
>
> Maybe I misunderstood what Mike was saying. I've done a lot of
> head
> scratching over the years trying to figure out what Mike was
> trying to
> say... even when I already perfectly understood what it was he was
> trying to explain! ;-)

OK, let's put Mike E. back up on high ... If we go with the phrase "IP Address that identifies the reporter" as the key, then in general, the reporter isn't actually identified.
Worst case, one would end up back in the discussion and philosophy of whether or not spammers 'track' their results. And one step further .... if the spam is submitted via the web-form, then the IP Address in question would be the reporter's system ISP/Host assigned IP Address. On the other hand, if the submittal was done via e-mail, perhaps then the IP Address in question would be that of the outgoing ISP/Host's e-mail server. That I will have to leave for someone else to check/verify. From bakesph at comcast.net Fri Sep 11 23:34:01 2009 From: bakesph at comcast.net (Steve Baker) Date: Fri Sep 11 23:35:08 2009 Subject: [Scspamcop] Re: Question about user generated reports to ISPs References: Message-ID: On Fri, 11 Sep 2009 18:23:18 -0500, "Wazoo" wrote: >The next parse you make, take a look at the "Preview" .. you'll see >'your' IP Address in the first Received: line of the outgoing >Report. I'm not a Spamcop user, can I still do what you're suggesting to get a handle on what goes on? By "first", you mean the lowest Received: line? That would certainly explain everything! >Assumedly, this is where the ISP's tech folks are stopping >their reading, assumedly ignoring the Subject: line and explanation >of the actual issue involved with that Report. Yeah!!! That suggests that *any* abuse report sent to Comcast by a Comcast user could get their port 25 blocked. Wait... does Spamcop send to a "special" abuse address at Comcast? That would make this situation even *more* ridiculous! -- Steve Baker From bakesph at comcast.net Fri Sep 11 23:38:43 2009 From: bakesph at comcast.net (Steve Baker) Date: Fri Sep 11 23:40:08 2009 Subject: [Scspamcop] Re: Question about user generated reports to ISPs References: Message-ID: On Fri, 11 Sep 2009 22:08:44 -0500, "Wazoo" wrote: >OK, let's put Mike E. back up on high ... If we go with the >phrase "IP Address that identifies the reporter" as the key, then in >general, the reporter isn't actually identified. 
Worst case, one >would end up back in the discussion and philosophy of whether or not >spammers 'track' their results. > >And one step further .... if the spam is submitted via the web-form, >then the IP Address in question would be the reporter's system >ISP/Host assigned IP Address. On the other hand, if the submittal >was done via e-mail, perhaps then the IP Address in question would >be that of the outgoing ISP/Host's e-mail server. That I will have >to leave for someone else to check/verify. Umm... you "Miked" me there, I'm scratching my head. -- Steve Baker From user at domain.invalid Sat Sep 12 00:16:51 2009 From: user at domain.invalid (Farelf) Date: Sat Sep 12 00:20:08 2009 Subject: [Scspamcop] Re: Question about user generated reports to ISPs In-Reply-To: References: Message-ID: Steve Baker wrote: > ... Wait... does Spamcop > send to a "special" abuse address at Comcast? That would make this > situation even *more* ridiculous! > Doesn't appear so - they don't send me spam anymore :-( but not hard to find a Comcast address on the SCbl at any given time (check SenderBase) and looking at http://spamcop.net/sc?track=173.8.58.41 shows: Reporting addresses: abuse@comcast.net From user at domain.invalid Sat Sep 12 00:28:14 2009 From: user at domain.invalid (Farelf) Date: Sat Sep 12 00:30:09 2009 Subject: [Scspamcop] Re: Question about user generated reports to ISPs In-Reply-To: References: Message-ID: Farelf wrote: > > ...but not hard to > find a Comcast address on the SCbl at any given time (check SenderBase) > I would have to add that not that long ago, it was even easier to find them, they would consistently be at or near the top of the "Hall of Shame" - http://spamcop.net/w3m?action=hoshame#domsum - these days they barely get a mention (though you can usually find a mention even now, they *are* a huge network). Had assumed their great 'improvement' was because they had gotten on top of their network. 
Well, maybe they have, but this discussion questions their methods. From bakesph at comcast.net Sat Sep 12 01:26:08 2009 From: bakesph at comcast.net (Steve Baker) Date: Sat Sep 12 01:30:08 2009 Subject: [Scspamcop] Re: Question about user generated reports to ISPs References: Message-ID: On Sat, 12 Sep 2009 12:28:14 +0800, Farelf wrote: >Farelf wrote: > >> >> ...but not hard to >> find a Comcast address on the SCbl at any given time (check SenderBase) >> > >I would have to add that not that long ago, it was even easier to find >them, they would consistently be at or near the top of the "Hall of >Shame" - http://spamcop.net/w3m?action=hoshame#domsum - And also listed in the Spamhaus top 3 or so as a spamsource ISP for a long time, years ago. >these days they >barely get a mention (though you can usually find a mention even now, >they *are* a huge network). Had assumed their great 'improvement' was >because they had gotten on top of their network. Well, maybe they have, >but this discussion questions their methods. I'm a Comcast customer, and I don't question the itchy trigger finger on the port 25 blocks (although I do find the apparent capriciousness somewhat annoying). I question why port 25 isn't blocked for all their residential customers. But my port 25 is open and I find it useful, so I'm not bending any ears at Comcast about how port 25 should be universally blocked for residential customers. I'm not sure if I think that Comcast doesn't block outgoing port 25 for all residential customers just because they don't want to take the support hit, or because they can't quite sort out the business customers from the residential customers in the routers. 
-- Steve Baker From user at domain.invalid Sat Sep 12 02:05:25 2009 From: user at domain.invalid (Farelf) Date: Sat Sep 12 02:10:08 2009 Subject: [Scspamcop] Re: Question about user generated reports to ISPs In-Reply-To: References: Message-ID: Steve Baker wrote: > > I'm a Comcast customer, and I don't question the itchy trigger > finger on the port 25 blocks (although I do find the apparent > capriciousness somewhat annoying). I question why port 25 isn't > blocked for all their residential customers. I think quite a few providers do that - all mail through their servers/smarthost, otherwise blocked. SMTP port 25 is a residential account-level default block with my ISP/network but it can be toggled/re-enabled by users. Quite a few use it apparently, all hell breaks loose whenever a 'network glitch' (a matter for suspicion to some) toggles them all closed again. First instituted some 5-6 years ago when a nasty worm was running rampant. Obviously the network retains contingency plans :-) > I'm not sure if I think that Comcast doesn't block outgoing port 25 > for all residential customers just because they don't want to take the > support hit, or because they can't quite sort out the business > customers from the residential customers in the routers. I would think they don't want to upset (lose) residential users who find it useful (as you do) and there's too big a price difference between their business plans with static IPs and their residential plans with dynamic IPs to be able to coax the latter group into the former just to retain access to port 25. I can imagine their beancounters revisit the cost-benefit analysis constantly. But I'm just guessing of course. From MikeE at ster.invalid Sat Sep 12 03:09:04 2009 From: MikeE at ster.invalid (Mike Easter) Date: Sat Sep 12 03:10:08 2009 Subject: [Scspamcop] Re: Question about user generated reports to ISPs References: Message-ID: Wazoo wrote: > "Steve Baker" >> So, my question is simple, I think. 
Do user generated Spamcop >> reports show the IP address of the user? If yes, is it in the body >> or >> the header of the report? > > Yes, the submitting IP Address is found within the outgoing > SpamCop.net Report. I stand/sit partially corrected. The report submission process for a regular spamcop report (but not a quick report) requires that the submitting reporter access the spamcop website to complete the report submission process. The IP address which *accesses the website* is included in the regular report. > The next parse you make, take a look at the "Preview" .. you'll see > 'your' IP Address in the first Received: line of the outgoing > Report. Assumedly, this is where the ISP's tech folks are stopping > their reading, assumedly ignoring the Subject: line and explanation > of the actual issue involved with that Report. The IP address in the Preview is not the IP address of the 'spammee' ie recipient IP where the spam was received. The IP address in the preview (and thus report) is the IP address accessing the spamcop website. A quick reporter doesn't access the website; (I think) I'm doubtful that an IP address is included in the quick report since the report process acquires the IP seen in the preview from the website access which website access never occurs for the quick reporter. The regular reporter who submits the spam via email still has to access the spamcop website to report and that website accessing IP is the IP which is seen here: Received: from [24.152.189.170] by spamcop.net with HTTP; Sat, 12 Sep 2009 05:48:23 GMT The IP above may have nothing whatsoever to do with where the spam was received nor the (current) IP address of the reporting account. 
-- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sat Sep 12 03:22:18 2009 From: MikeE at ster.invalid (Mike Easter) Date: Sat Sep 12 03:25:07 2009 Subject: [Scspamcop] Re: Question about user generated reports to ISPs References: Message-ID: Wazoo wrote: > "Steve Baker" >> I don't know, but I think, going by what Mike said (that Spamcop >> reports don't reveal the IP address of the Spamcop reporter), that >> it >> must be coincidence. > > You have no idea how much this hurts to say, but Mike Easter is > wrong in this case. The IP Address of the system used to submit the > spam is in fact in the outgoing Report. The process of approval of the report sending records the IP address of the 'approver' ie the IP interacting with the spamcop website report approval process. That IP is included in the report regardless of whether it has anything to do with the recipient of the spam. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sat Sep 12 03:23:00 2009 From: MikeE at ster.invalid (Mike Easter) Date: Sat Sep 12 03:25:08 2009 Subject: [Scspamcop] Re: Question about user generated reports to ISPs References: Message-ID: Steve Baker wrote: > "Wazoo" >> You have no idea how much this hurts to say, but Mike Easter is >> wrong in this case. > Maybe I misunderstood what Mike was saying. I've done a lot of head > scratching over the years trying to figure out what Mike was trying to > say... even when I already perfectly understood what it was he was > trying to explain! ;-) Ha! 
-- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sat Sep 12 03:30:52 2009 From: MikeE at ster.invalid (Mike Easter) Date: Sat Sep 12 03:35:08 2009 Subject: [Scspamcop] Re: Question about user generated reports to ISPs References: Message-ID: Wazoo wrote: > On the other hand, if the submittal > was done via e-mail, perhaps then the IP Address in question would > be that of the outgoing ISP/Host's e-mail server. No. 
The report approval of a regular reporter requires that (someone) access the website link. The accessing IP is what is included in the report. The reporter emails the spam to a submit address corresponding to some spamcop account. That emailing 'source' may have nothing to do with the reporter's account. Spamcop sends the report processing link to the email address registered for the account. Whoever uses that link accesses the spamcop website to approve the report, and when that access is 'handled', the accessing IP is recorded for the report. I can imagine some reasons why, for purposes of 'security' re bogus reporting, but it seems to me that the disadvantages might outweigh the advantages. If there is some kind of 'bad' reporting going on for a spamcop account, then the account should be killed. If the spamcop reporting process wants to record the IP which is approving the submitting of the report, it should not be sending that information to the recipients of the report, but maintained 'internally' by spamcop. Spamcop sends a lot of reports/notifies to 'bad guys' and to admins who screw up regularly. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sat Sep 12 03:32:30 2009 From: MikeE at ster.invalid (Mike Easter) Date: Sat Sep 12 03:35:08 2009 Subject: [Scspamcop] Re: Question about user generated reports to ISPs References: Message-ID: Steve Baker wrote: > "Wazoo" > >> The next parse you make, take a look at the "Preview" .. you'll see >> 'your' IP Address in the first Received: line of the outgoing >> Report. > > I'm not a Spamcop user, can I still do what you're suggesting to get > a handle on what goes on? By "first", you mean the lowest Received: > line? That would certainly explain everything! The IP address Wazoo is describing is the IP accessing the spamcop webpage for approval of the report which is sent, not the IP receiving the spam. 
-- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sat Sep 12 03:44:03 2009 From: MikeE at ster.invalid (Mike Easter) Date: Sat Sep 12 03:45:08 2009 Subject: [Scspamcop] Re: Question about user generated reports to ISPs References: Message-ID: Mike Easter wrote: > The IP address of > the reporter is not a part of the original spam and the report is > submitted from the spamcop servers, not the reporter's connecting IP. While the statement above is correct, it has an important omission/oversight. When the regular reporter connects to the webpage for approving the report, the regular reporter's connecting IP address is both recorded and provided to all of the recipients of the regular report. I consider this to be a flaw in the spamcop reporting process which I had overlooked, not having been a regular reporter for a long time. -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Sat Sep 12 14:15:49 2009 From: nobody at devnull.spamcop.net (Twayne) Date: Sat Sep 12 14:20:09 2009 Subject: [Scspamcop] Re: Question about user generated reports to ISPs References: Message-ID: "Farelf" wrote in message news:h8f80q$iem$1@news.spamcop.net > Farelf wrote: > >> >> ...but not hard to >> find a Comcast address on the SCbl at any given time (check >> SenderBase) > > I would have to add that not that long ago, it was even easier to find > them, they would consistently be at or near the top of the "Hall of > Shame" - http://spamcop.net/w3m?action=hoshame#domsum - these days > they barely get a mention (though you can usually find a mention even > now, they *are* a huge network). Had assumed their great > 'improvement' was because they had gotten on top of their network. > Well, maybe they have, but this discussion questions their methods. It sure does; I'll be damned if I'd let an ISP configure a modem located in/on MY machine. I'd stand for that for exactly the length of time it took me to discover it. 
I wonder what happens if you happen to have more than one ISP and only one is Comcast? Twayne` From nobody at devnull.spamcop.net Sat Sep 12 14:19:52 2009 From: nobody at devnull.spamcop.net (Twayne) Date: Sat Sep 12 14:20:09 2009 Subject: [Scspamcop] Re: Question about user generated reports to ISPs References: Message-ID: "Mike Easter" wrote in message news:h8fhef$psn$1@news.spamcop.net > Wazoo wrote: >> "Steve Baker" > >>> So, my question is simple, I think. Do user generated Spamcop >>> reports show the IP address of the user? If yes, is it in the body >>> or >>> the header of the report? >> >> Yes, the submitting IP Address is found within the outgoing >> SpamCop.net Report. > > I stand/sit partially corrected. > > The report submission process for a regular spamcop report (but not a > quick report) requires that the submitting reporter access the spamcop > website to complete the report submission process. > > The IP address which *accesses the website* is included in the regular > report. > >> The next parse you make, take a look at the "Preview" .. you'll see >> 'your' IP Address in the first Received: line of the outgoing >> Report. Assumedly, this is where the ISP's tech folks are stopping >> their reading, assumedly ignoring the Subject: line and explanation >> of the actual issue involved with that Report. > > The IP address in the Preview is not the IP address of the 'spammee' > ie recipient IP where the spam was received. > > The IP address in the preview (and thus report) is the IP address > accessing the spamcop website. > > A quick reporter doesn't access the website; (I think) I'm doubtful > that an IP address is included in the quick report since the report > process acquires the IP seen in the preview from the website access > which website access never occurs for the quick reporter. 
The regular > reporter who submits the spam via email still has to access the > spamcop website to report and that website accessing IP is the IP > which is seen here: > > Received: from [24.152.189.170] by spamcop.net > with HTTP; Sat, 12 Sep 2009 05:48:23 GMT > > The IP above may have nothing whatsoever to do with where the spam was > received nor the (current) IP address of the reporting account. To parrot someone else's suggestion, an example is worth a gazillion words for those of us who have spatial concept issues. Past Reports doesn't seem to be working for me right now so I can't pull one up to see anything useful. If it's unreasonable to do that, just ignore this post. Twayne` From MikeE at ster.invalid Sat Sep 12 15:11:42 2009 From: MikeE at ster.invalid (Mike Easter) Date: Sat Sep 12 15:15:08 2009 Subject: [Scspamcop] Re: Question about user generated reports to ISPs References: Message-ID: Twayne wrote: > "Mike Easter" >> Received: from [24.152.189.170] by spamcop.net >> with HTTP; Sat, 12 Sep 2009 05:48:23 GMT >> >> The IP above may have nothing whatsoever to do with where the spam was >> received nor the (current) IP address of the reporting account. > > To parrot someone else's suggestion, an example is worth a gazillion > words for those of us who have spatial concept issues. Past Reports > doesn't seem to be working for me right now so I can't pull one up to > see anything useful. > If it's unreasonable to do that, just ignore this post. Unfortunately past reports does not 'illustrate' the actual content of the report, it only tells the report number and who it was mailed about what. A good illustration should be to create a live tracker, then whoever accesses it can see their own IP address in the Preview section, so the tracker should not be something which would be harmful if actually submitted. 
Alternatively, if you want to see for yourself while you are waiting for me to figure out something I'm willing to use to create a live tracker, you can make your own by submitting your own real spam to the webparser while logged in at: http://www.spamcop.net/ After processing the spam, go to the Preview reports section... Send Spam Report(s) Now - Preview Reports - Cancel ... and click 'Preview Reports'. The top will say... SpamCop - your complaint has not been sent. CLICK YOUR BROWSER'S BACK BUTTON TO SEND REPORTS! ## ## (Recipient:report@address.tld Received: from [xx.xx.xx.xx] by spamcop.net with HTTP; Sat, 12 Sep 2009 05:48:23 GMT ... where xx.xx.xx.xx is your own accessing IP address. Suggesting that the ultimate report (might likely) start with Received: from xx.xx.xx.xx -- Mike Easter kibitzer, not SC admin From nobody at nowhere.not Sat Sep 12 21:05:10 2009 From: nobody at nowhere.not (Robert Blair) Date: Sat Sep 12 21:10:08 2009 Subject: [Scspamcop] Re: Question about user generated reports to ISPs References: Message-ID: On Sat, 12 Sep 2009 07:09:04 UTC, "Mike Easter" wrote: > A quick reporter doesn't access the website; (I think) I'm doubtful > that an IP address is included in the quick report since the report > process acquires the IP seen in the preview from the website access > which website access never occurs for the quick reporter. Correct. Quick reporting does not include the submitter's IP address. -- Robert Blair From bakesph at comcast.net Sun Sep 13 01:28:40 2009 From: bakesph at comcast.net (Steve Baker) Date: Sun Sep 13 01:30:08 2009 Subject: [Scspamcop] Re: Question about user generated reports to ISPs References: Message-ID: On Sat, 12 Sep 2009 12:11:42 -0700, "Mike Easter" wrote: >SpamCop - your complaint has not been sent. >CLICK YOUR BROWSER'S BACK BUTTON TO SEND REPORTS! >## ## > (Recipient:report@address.tld >Received: from [xx.xx.xx.xx] by spamcop.net >with HTTP; Sat, 12 Sep 2009 05:48:23 GMT > >... 
where xx.xx.xx.xx is your own accessing IP address. > >Suggesting that the ultimate report (might likely) start with Received: >from xx.xx.xx.xx Yup, I set up a free account and CCed myself on a report. Here's what it looked like: Return-Path: 4535591396.7ce36953@bounces.spamcop.net Received: from imta02.emeryville.ca.mail.comcast.net (LHLO IMTA02.emeryville.ca.mail.comcast.net) (76.96.30.21) by sz0038.wc.mail.comcast.net with LMTP; Sun, 13 Sep 2009 05:10:16 +0000 (UTC) Received: from sc-smtp4-bulkmx.soma.ironport.com ([204.15.82.126]) by IMTA02.emeryville.ca.mail.comcast.net with comcast id g5AD1c00u2jXcSs015AFBd; Sun, 13 Sep 2009 05:10:15 +0000 X-CAA-SPAM: N00001 X-Authority-Analysis: v=1.0 c=1 p=DE9RDr00AAAA:8 p=RnfJecR5AAAA:8 a=mxwuLqhtAmoA:10 a=ovQfigWjL67SkrKV2A8SZw==:17 a=9BvCZD0AAAAA:8 a=C_IRinGWAAAA:8 a=pWjGaSjkznrU5gmbCagA:9 a=olebkV1cL9kHqdICB8YA:7 a=3Nltp4wBnrZbcDKqWhDNFLdcLnoA:4 a=hM4tHxjDsF8A:10 a=CfeDSPUWqKoA:10 a=11eSDyc2-qAA:10 a=oIWDkQLH8BMA:10 Received: from prod-sc-www3.soma.ironport.com (HELO prod-sc-www3.spamcop.net) ([192.168.50.138]) by sc-smtp-vip.soma.ironport.com with SMTP; 12 Sep 2009 22:10:09 -0700 Received: from [] by spamcop.net with HTTP; Sun, 13 Sep 2009 05:10:09 GMT ... -- Steve Baker From bakesph at comcast.net Sun Sep 13 01:38:22 2009 From: bakesph at comcast.net (Steve Baker) Date: Sun Sep 13 01:40:08 2009 Subject: [Scspamcop] Re: Question about user generated reports to ISPs References: Message-ID: On Sat, 12 Sep 2009 14:15:49 -0400, "Twayne" wrote: >It sure does; I'll be damned if I'd let an ISP configure a modem located >in/on MY machine. I'd stand for that for exactly the length of time it >took me to discover it. No ISP provided config file, no Internet; it's necessary. Among other things, it determines your service level (upload and download speeds). >I wonder what happens if you happen to have >more than one ISP and only one is Comcast? 
Well, if the other ISP is a cable provider, you'd need a separate modem with its own coax feed. And another NIC. Your computer might get confused, although I've been hooked up via cable and dialup simultaneously and things worked OK. -- Steve Baker From user at domain.invalid Sun Sep 13 01:50:29 2009 From: user at domain.invalid (Farelf) Date: Sun Sep 13 01:55:08 2009 Subject: [Scspamcop] Re: Question about user generated reports to ISPs In-Reply-To: References: Message-ID: Twayne wrote: > > It sure does; I'll be damned if I'd let an ISP configure a modem located > in/on MY machine. I'd stand for that for exactly the length of time it > took me to discover it. I wonder what happens if you happen to have > more than one ISP and only one is Comcast? My ISP has a block set by default. It is actually a heap of ports: The following can be toggled: * Port 25 (smtp) inbound and outbound * Port 80 (http) inbound * Port 135 DCOM SCM inbound * Port 139 (netbeui/ipx) inbound * Port 443 inbound * Port 445 Microsoft Windows File sharing / NETBIOS inbound I can toggle to unblock them (all at once) anytime I want - and back again. As said elsewhere, this is account level. My router, as such, is not touched AFAICT. They can't touch it unless I allow them. As far as I know, they never want to. From MikeE at ster.invalid Sun Sep 13 03:21:20 2009 From: MikeE at ster.invalid (Mike Easter) Date: Sun Sep 13 03:25:07 2009 Subject: [Scspamcop] Re: Question about user generated reports to ISPs References: Message-ID: Steve Baker wrote: > "Mike Easter" >> ... where xx.xx.xx.xx is your own accessing IP address. >> >> Suggesting that the ultimate report (might likely) start with Received: >> from xx.xx.xx.xx > > Yup, I set up a free account and CCed myself on a report. 
Here's > what it looked like: > Received: from [] by spamcop.net > with HTTP; Sun, 13 Sep 2009 05:10:09 GMT There are several reasons that I recommend against being a regular spamcop reporter in favor of being a quick reporter: #1 and far and away the most important - being a quick reporter enables one to submit tons of spam very quickly because it avoids the tedium of approving each and every notify. Quick reporting provides the same contribution to the SCbl as regular reporting, but much much more efficiently. The disadvantages of quick reporting are that if the mailhosted system breaks down by changing, it is possible to report your own provider much more aggressively before you 'notice' the results of a bad parse by inspecting the quick report notification. A minor disadvantage of quick reporting is that you contribute nothing to the sc-surbl blocklist which is fed from the spamcop spamvertisers stats. Another advantage of quick reporting is that you avoid a weakness of the spamcop default configuration which notifies blackhat spamvertiser providers. Many spammees receive spam which is almost all blackhat and unresponsive spamvertiser providers and which notification is not only a waste of time and bandwidth, but also potentially counterproductive by giving good evidence to bad providers. Now we find yet another advantage of quick reporting is this business about the default configuration of the notify process giving the IP address which is accessing the notify webpage which is generally going to be that of the regular reporter's connectivity. -- Mike Easter kibitzer, not SC admin From g.hyde at bigNOSPAMpond.net.au Sun Sep 13 04:25:35 2009 From: g.hyde at bigNOSPAMpond.net.au (Geoffrey Hyde) Date: Sun Sep 13 04:30:08 2009 Subject: [Scspamcop] Is SpamCop finding the proper source for this email? 
Message-ID: http://www.spamcop.net/sc?id=z3312544939z6dcb731415da84e2f70b5db2f1accbd0z I've been seeing this spam a lot more regularly than the others, and always SpamCop goes for the second line and totally ignores the third line. I'm not sure, therefore, if SpamCop's finding the proper source for this email, anyone know for sure if it's finding the right source address here? Cheers ... Geoffrey Hyde From user at domain.invalid Sun Sep 13 05:28:17 2009 From: user at domain.invalid (Farelf) Date: Sun Sep 13 05:30:08 2009 Subject: [Scspamcop] Re: Is SpamCop finding the proper source for this email? In-Reply-To: References: Message-ID: Geoffrey Hyde wrote: > http://www.spamcop.net/sc?id=z3312544939z6dcb731415da84e2f70b5db2f1accbd0z > > anyone know for sure if it's finding the right source address here? > Not 'for sure' no, but the parser comes to pretty much the same conclusion *without* mailhosting: http://www.spamcop.net/sc?id=z3312626161z274ff69e72722c850bf8836c9bc94fd0z But I see what you mean. If we arbitrarily delete that wacky first BigPond "Received:" line we then get: http://www.spamcop.net/sc?id=z3312709296zfe4dc032cf0e5a825adf1c5b4abeb7caz I don't know what to make of it all, either. I should, maybe. Perhaps Mike Easter has explained (something like it) before. If so, I wasn't paying attention. From MikeE at ster.invalid Sun Sep 13 05:36:44 2009 From: MikeE at ster.invalid (Mike Easter) Date: Sun Sep 13 05:40:07 2009 Subject: [Scspamcop] Re: Is SpamCop finding the proper source for this email? References: Message-ID: Geoffrey Hyde wrote: www.spamcop.net/sc?id=z3312544939z6dcb731415da84e2f70b5db2f1accbd0z Subject: Is SpamCop finding the proper source for this email? There are 3 tracelines and 2 of them were stamped by your provider which stamps 1 funky line. The best way to interpret bigpond headers is to start out by getting rid of the top traceline. 
That leaves us with this abbreviated version: Abbreviated Received tracelines *comment from birthandbeyondokc.com ([65.66.26.193]) by nschwingx01p.mx.bigpond.com *mailserver relay line from User (genkt-048-093.t-mobile.co.uk [149.254.48.93]) by birthandbeyondokc.com *relay source SC names the relaying/MTX 65.66.26.193 rDNS birthandbeyondokc.com instead of the source IP because your account is mailhosted and the algo doesn't appear to try to chain to the next line because of that. If we submit the same headers to a nonmailhosted account, the algo is apparently confused by the unconventional top line stamped by bigpond and also parses incorrectly. Only if I forge the headers experimentally by removing the unconventional bigpond topline and submitting to a parse for a nonmailhosted account does SC name the source behind the relay: http://www.spamcop.net/sc?id=z3312704178z2606b8fd89ff4f51d09582ccc14d8828z If reported today, reports would be sent to: Re: 149.254.48.93 (Administrator of network where email originates) abuse@t-mobile.co.uk That Postfix mailserver doesn't relay promiscuously for the simple open relay tester at abuse.net, but there is a webserver and a webmailer: http://birthandbeyondokc.com/ - an OKC (Oklahoma City, OK) gynecologist website with a webmailer https://www.birthandbeyondokc.com:81/webmail/ ... which may be insecure. Traditionally the algo has been philosophically tuned to score the source IP behind a mail relay whether it is open/promiscuous or not, but the mailhosted parse is generally 'tight' and doesn't try to go beyond the IP which hands to the mailhost; whereas the nonmailhosted account parse generally works harder at chaining back beyond a relay to the source behind it. > I've been seeing this spam a lot more regularly than the others, and > always SpamCop goes for the second line and totally ignores the third > line. 
I'm not sure, therefore, if SpamCop's finding the proper source > for this email, anyone know for sure if it's finding the right source > address here? IMO the source is the mobile.co.uk behind the mailserver whose IP is in the 3rd line. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sun Sep 13 05:47:01 2009 From: MikeE at ster.invalid (Mike Easter) Date: Sun Sep 13 05:50:09 2009 Subject: [Scspamcop] Re: Is SpamCop finding the proper source for this email? References: Message-ID: Farelf wrote: > Geoffrey Hyde wrote: >> anyone know for sure if it's finding the right source address here? > Not 'for sure' no, but the parser comes to pretty much the same > conclusion *without* mailhosting: > But I see what you mean. If we arbitrarily delete that wacky first > BigPond "Received:" line we then get: > I don't know what to make of it all, either. I should, maybe. Perhaps > Mike Easter has explained (something like it) before. If so, I wasn't > paying attention. It looks to me like the new version algo doesn't even try to chain past the mailhost any more. The bigpond first traceline is very bad, so it isn't surprising that a nonmailhosted parse of its headers might put the parser in a bad mood. I agree with your strategy of snipping the top line for a test -- that's the same way I was able to get a parse that would go all the way to the mobile IP. -- Mike Easter kibitzer, not SC admin From blacklist-me at davjam.org Sun Sep 13 14:54:35 2009 From: blacklist-me at davjam.org (David Bolt) Date: Sun Sep 13 15:05:08 2009 Subject: [Scspamcop] Re: Is SpamCop finding the proper source for this email? 
References: Message-ID: <1530053.4r2XA0I09U@dev.null.davjam.org> On Sunday 13 Sep 2009 10:36, Mike Easter played with alphabet spaghetti and left this residue on the plate: > from User (genkt-048-093.t-mobile.co.uk [149.254.48.93]) by ^^^^^^^^^^^^^^ > birthandbeyondokc.com *relay source > IMO the source is the mobile.co.uk behind the mailserver whose IP is in > the 3rd line. ITYM t-mobile.co.uk Regards, David Bolt -- Team Acorn: www.distributed.net OGR-NG @ ~100Mnodes RC5-72 @ ~1Mkeys/s openSUSE 10.3 32b | openSUSE 11.0 32b | | openSUSE 10.3 64b | openSUSE 11.0 64b | openSUSE 11.1 64b | openSUSE 11.2m6 RISC OS 3.6 | RISC OS 3.11 | openSUSE 11.1 PPC | TOS 4.02 From tmcgraw at spamcop.net Sun Sep 13 22:37:23 2009 From: tmcgraw at spamcop.net (Tim McGraw) Date: Sun Sep 13 22:40:07 2009 Subject: [Scspamcop] Re: Question about user generated reports to ISPs In-Reply-To: References: Message-ID: Steve Baker wrote: > I set up a free account and CCed myself on a report. Here's > what it looked like: > > > > Received: from [] by spamcop.net > with HTTP; Sun, 13 Sep 2009 05:10:09 GMT Yabbut that's not the same IP address as your mail server, and that is typical for most ISPs. Which makes the story Steve cited in the original post about Comcast warning a user appear even more bogus. Even the most clueless Comcast tech would know there is a limited number of IP#s assigned to mail servers for their entire network, and they are not the same as the dynamic IP#s for other network usage (primarily browsing). And while I too was disturbed that a single parse could reveal a user's "browser" IP#, I have come to the conclusion very little harm is done by it. I'd also bet it is a post-Julian coding error, if even thought of as an error at all by the current programmers. 
From user at domain.invalid Sun Sep 13 22:55:24 2009 From: user at domain.invalid (Farelf) Date: Sun Sep 13 23:00:07 2009 Subject: [Scspamcop] Re: Is SpamCop finding the proper source for this email? 
In-Reply-To: References: Message-ID: Mike Easter wrote: > > It looks to me like the new version algo doesn't even try to chain past > the mailhost any more. > > The bigpond first traceline is very bad, so it isn't surprising that a > nonmailhosted parse of its headers might put the parser in a bad mood. > I agree with your strategy of snipping the top line for a test -- that's > the same way I was able to get a parse that would go all the way to the > mobile IP. > Thanks Mike. Y'know, looking at the whole thing, I'm starting to feel that 65.66.26.193 ought to get 'pinged' anyway/as well? That's working as mail.birthandbeyondokc.com but why is it forwarding stuff from genkt-048-093.t-mobile.co.uk [149.254.48.93] anyway? That's not an MX for t-mobile.co.uk. Seems like mail.birthandbeyondokc.com could be more of a problem than genkt-048-093.t-mobile.co.uk, which could even be one of those 'clever forgeries' anyway? I can't tell, though the relay tester at abuse.net says of 65.66.26.193 "All tests performed, no relays accepted." which seems to me to indicate it could be. I just don't 'get' the apparent source legitimately/actually sending through birthandbeyondokc.com/mail.birthandbeyondokc.com at all. That relay has to be hacked somehow, I think. 65.66.26.193 is starting to accumulate some blacklistings according to Robtex (apart from SC). But not as many as 149.254.48.93. I'm just not sure ... From MikeE at ster.invalid Mon Sep 14 00:11:47 2009 From: MikeE at ster.invalid (Mike Easter) Date: Mon Sep 14 00:15:07 2009 Subject: [Scspamcop] Re: Is SpamCop finding the proper source for this email? References: Message-ID: Farelf wrote: > Thanks Mike. Y'know, looking at the whole thing, I'm starting to feel > that 65.66.26.193 ought to get 'pinged' anyway/as well? Yes. It isn't a real mailserver and it is doing bad things and is listed on multiple blocklists for various things including backscatter -- it might as well get listed on a good blocklist, SCbl. 
> That's working > as mail.birthandbeyondokc.com but why is it forwarding stuff from > genkt-048-093.t-mobile.co.uk [149.254.48.93] anyway? That's not an MX > for t-mobile.co.uk. Correct. And if you dig around and find some other blocklists which provide evidence, the other IPs it is relaying for aren't appropriate. It is an insecure webmail webserver mailserver. > Seems like mail.birthandbeyondokc.com could be more of a problem than > genkt-048-093.t-mobile.co.uk, which could even be one of those 'clever > forgeries' anyway? I can't tell, though the relay tester at abuse.net > says of 65.66.26.193 "All tests performed, no relays accepted." which > seems to me to indicate it could be. The abuse.net script for relay testing isn't very powerful. My sense of this issue is that the gynecologist's toy webmailserver at birthandbeyondokc.com is insecure. > I just don't 'get' the apparent source legitimately/actually sending > through birthandbeyondokc.com/mail.birthandbeyondokc.com at all. That > relay has to be hacked somehow, I think. 65.66.26.193 is starting to > accumulate some blacklistings according to Robtex (apart from SC). But > not as many as 149.254.48.93. > > I'm just not sure ... I confess, I didn't actually look at the listings for the t-mobile.co.uk. -- Mike Easter kibitzer, not SC admin From user at domain.invalid Mon Sep 14 04:06:10 2009 From: user at domain.invalid (Farelf) Date: Mon Sep 14 04:10:08 2009 Subject: [Scspamcop] Re: Is SpamCop finding the proper source for this email? In-Reply-To: References: Message-ID: Mike Easter wrote: > Farelf wrote: > >> Thanks Mike. Y'know, looking at the whole thing, I'm starting to feel >> that 65.66.26.193 ought to get 'pinged' anyway/as well? > > Yes. It isn't a real mailserver and it is doing bad things and is > listed on multiple blocklists for various things including > backscatter -- it might as well get listed on a good blocklist, SCbl. 
> >> That's working >> as mail.birthandbeyondokc.com but why is it forwarding stuff from >> genkt-048-093.t-mobile.co.uk [149.254.48.93] anyway? That's not an MX >> for t-mobile.co.uk. > > Correct. And if you dig around and find some other blocklists which > provide evidence, the other IPs it is relaying for aren't appropriate. > It is an insecure webmail webserver mailserver. > Thanks again Mike, that last is the part I needed to do for some (re)assurance but hadn't joined the dots on my own. Having once been on the inside of a corporate 'mailserver' that was hacked I can say multiple listings would have to indicate a substantial level of abuse (ours 'only' made it to the SCbl). You were too much of a gentleman to say it but I am not - birthandbeyondokc.com could well prefix their domain name with '266daysbefore'. If their mailserver is so promiscuous it is something of a chokepoint for spam and it is actually 'better'/more efficient for it to be throttled there. From bakesph at comcast.net Mon Sep 14 06:01:05 2009 From: bakesph at comcast.net (Steve Baker) Date: Mon Sep 14 06:05:07 2009 Subject: [Scspamcop] Re: Question about user generated reports to ISPs References: Message-ID: On Sun, 13 Sep 2009 19:37:23 -0700, Tim McGraw wrote: >Steve Baker wrote: >> I set up a free account and CCed myself on a report. Here's >> what it looked like: >> >> >> >> Received: from [] by spamcop.net >> with HTTP; Sun, 13 Sep 2009 05:10:09 GMT > >Yabbut that's not the same IP address as your mail server, and that is >typical for most ISPs. What does that have to do with it? Or, more appropriately, WTF are you talking about? >Which makes the story Steve cited in the original post about Comcast >warning a user appear even more bogus. No it doesn't, it supports that story. The bottom Received: line of the Spamcop report I sent/received showed my IP address, and if I'd sent that abuse report to Comcast, they would have seen my IP address as the source of that email. 
Which it would have been. If they also interpreted that Spamcop report as spam rather than a spam report... >Even the most clueless Comcast >tech would know there is a limited number of IP#s assigned to mail servers >for their entire network, and they are not the same as the dynamic IP#s >for other network usage (primarily browsing). So? The relevant question is, would they know that a Spamcop report wasn't a spam? Your talk about the Comcast mailservers is totally irrelevant in this context. >And while I too was disturbed that a single parse could reveal a user's >"browser" IP#, I have come to the conclusion very little harm is done by it. In almost every case, a user's "browser IP#" will be the IP address he generally uses on the Internet. Spammers can be vindictive fucks, Spamcop users should know that using the free service that I used doesn't anonymize them. >I'd also bet it is a post-Julian coding error, if even thought of as an >error at all by the current programmers. I'll take that bet. You've been wrong about everything else in your post, and spouting BS ain't quite the same thing as flipping coins. -- Steve Baker From MikeE at ster.invalid Mon Sep 14 08:16:37 2009 From: MikeE at ster.invalid (Mike Easter) Date: Mon Sep 14 08:20:08 2009 Subject: [Scspamcop] Re: Question about user generated reports to ISPs References: Message-ID: Steve Baker wrote: >Tim McGraw >> Which makes the story Steve cited in the original post about Comcast >> warning a user appear even more bogus. > > No it doesn't, it supports that story. I also have a problem with the original story as 'perceived'. Where my perception is "Send a spamcop report to the comcast abuse desk about a comcast sourced spam and your notify will be interpreted as spam sourced from your own IP and thus your own port 25 blocked."
> The bottom Received: line of > the Spamcop report I sent/received showed my IP address, and if I'd > sent that abuse report to Comcast, they would have seen my IP address > as the source of that email. Which it would have been. ... while the above is now known to be correct... > If they also > interpreted that Spamcop report as spam rather than a spam report... ... that interpretation by an abuse desk is rather unbelievable. Let's leave spamcop out of it. If I am a comcast user and an antispam reporter/notifier and I receive a spam sourced by some comcast IP and I notify the comcast abuse desk/department about the comcast spam I received, should the comcast abuse desk interpret my notify as spam sourced by me? >The relevant question is, would they know that a Spamcop > report wasn't a spam? What do you think? (My question isn't sarcastic or rhetorical, I'm asking you.) Do you think that a comcast abuse desk which must have to handle thousands or even tens of thousands of emails a day, many many of which are going to be spam, should be able to 'manage' the abuse notifies competently and not be using its own abuse address as an incompetent spamtrap for purposes of blocking port 25 of its own users who are notifying? > Spamcop users should know that using the free service that I used > doesn't anonymize them. That point is pertinent. Many spamcop users are concerned that their email address may appear in the headers or body in some kind of encoded manner which is not picked up by the simplistic mungeing process of the parser. However, I haven't seen spamcop reporters ask the question of whether their connectivity IP address can be determined from the notify. Until this issue arose, I would have said "No." but I would have been wrong.
However -- even tho' the regular spamcop reporter's connectivity IP address is seen in the notify, it doesn't follow to me what the OP Viper's 'position' on the matter was (below cite marked with excisional ellipses and for brevity... I reported a spam from a comcast IP with Spamcop ... I got an email from Comcast telling me that they have received reports of spam coming from my modem and have blocked port 25 on the modem, not the IP but the modem... every time I report spam via Spamcop ... a few days later I get an email telling me they have received reports of spam coming from my PC. They tell me that my system is infected and that they have blocked port 25 on my IP. This was all interpreted as 'comcast making an error interpreting the notify'. Then, you asked "Do user generated Spamcop reports show the IP address of the user?" ... which answer now turns out to be 'Yes.' for regular reporters... ... but to which I would ask, "What should we do with that information? -- other than suggest that spamcop should either be not configured that way, or else such spamcop configuration should be 'disclosed' to the reporters." Currently the reporters are being assured that their email address is being simplistically munged and that the correspondence with the notifieds is handled via a spamcop address. "SpamCop will parse the headers of unwanted email and (if all goes well) phrase a complaint to the system administrator responsible for the spammer's internet access. This complaint will be addressed from a blind SpamCop.net email address, however any responses to that address will be routed to the email address you have provided with your SpamCop account." http://www.spamcop.net/fom-serve/cache/3.html Presumably, ideally the same paragraph should include, "However, your connectivity IP for the notify will be determinable by the notified."
-- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Mon Sep 14 08:58:29 2009 From: MikeE at ster.invalid (Mike Easter) Date: Mon Sep 14 09:00:09 2009 Subject: [Scspamcop] Re: Question about user generated reports to ISPs References: Message-ID: Mike Easter wrote: > Steve Baker wrote: >> If they also >> interpreted that Spamcop report as spam rather than a spam report... > > ... that interpretation by an abuse desk is rather unbelievable. ... or if not (totally) unbelievable, at least or perhaps plausibly believable, but totally unacceptable. -- Mike Easter kibitzer, not SC admin From tmcgraw at spamcop.net Mon Sep 14 13:59:19 2009 From: tmcgraw at spamcop.net (Tim McGraw) Date: Mon Sep 14 14:00:08 2009 Subject: [Scspamcop] Re: Question about user generated reports to ISPs In-Reply-To: References: Message-ID: Steve Baker wrote: > Tim McGraw wrote: >> Steve Baker wrote: >>> I set up a free account and CCed myself on a report. Here's >>> what it looked like: >>> >>> >>> >>> Received: from [] by spamcop.net >>> with HTTP; Sun, 13 Sep 2009 05:10:09 GMT >> Yabbut that's not the same IP address as your mail server, and that is >> typical for most ISPs. > > What does that have to do with it? Or, more appropriately, WTF are > you talking about? My IP address, as revealed by this post, would be 24.6.239.148. The nearest comcast mail server is 76.96.30.74 and is identified canonically with the city and province it services followed by ".mail.comcast.net." >> Which makes the story Steve cited in the original post about Comcast >> warning a user appear even more bogus. > > No it doesn't, it supports that story. If a comcast tech doesn't know that only authorized mail servers end in ".mail.comcast.net." then they failed orientation. When a Web page is stamped "with HTTP" from 24.6.239.148 that is not mail. If they detect mail server activity at 24.6.239.148 that would require investigation. 
> In almost every case, a user's "browser IP#" will be the IP address > he generally uses on the Internet. Spammers can be vindictive fucks, > Spamcop users should know that using the free service that I used > doesn't anonymize them. Fundamentally we are in violent agreement. I don't accept 99% of the cookies I am offered, but I decide manually on a case-by-case basis. I do get mighty prickly about people putting me on "mailing lists" without asking me. But trying to maintain total anonymity on the Internet is a fool's errand. In practice there are no guarantees on the Internet. IP#s are practically commodities. Most people don't have a clue how much information they are giving away, and their IP# is at the top of the list. As far as spammers being "vindictive fucks" I haven't had much of a problem since a couple of Sanford Wallace's "employees" cut a circuit breaker to my house (in broad daylight no less) but that was a millennium ago. Since then I get far more guff from so-called "spam fighters." >> I'd also bet it is a post-Julian coding error, if even thought of as an >> error at all by the current programmers. > > I'll take that bet. You've been wrong about everything else in your > post, and spouting BS ain't quite the same thing as flipping coins. I see. After millions upon millions of spamcop reports sent for more than a decade, you just now happened upon this strange anomaly. You are some kind of genius. From nobody at nowhere.not Mon Sep 14 14:34:14 2009 From: nobody at nowhere.not (Robert Blair) Date: Mon Sep 14 14:35:08 2009 Subject: [Scspamcop] Re: Question about user generated reports to ISPs References: Message-ID: On Mon, 14 Sep 2009 17:59:19 UTC, Tim McGraw wrote: > >> I'd also bet it is a post-Julian coding error, if even thought of as an > >> error at all by the current programmers. > > > > I'll take that bet. You've been wrong about everything else in your > > post, and spouting BS ain't quite the same thing as flipping coins. > > I see. 
After millions upon millions of spamcop reports sent for more > than a decade, you just now happened upon this strange anomaly. At one time I used an anonymous web relay to approve my spam reports so that my real IP was not in the spam report. This goes back to when Julian was still the owner of spamcop. I switched to quick reporting which does not include my IP in the spam report. -- Robert Blair From tmcgraw at spamcop.net Mon Sep 14 15:01:49 2009 From: tmcgraw at spamcop.net (Tim McGraw) Date: Mon Sep 14 15:05:08 2009 Subject: [Scspamcop] Re: Question about user generated reports to ISPs In-Reply-To: References: Message-ID: Robert Blair wrote: > Tim McGraw wrote: >> I see. After millions upon millions of spamcop reports sent for more >> than a decade, you just now happened upon this strange anomaly. > > At one time I used an anonymous web relay to approve my spam reports so that > my real IP was not in the spam report. This goes back to when Julian was > still the owner of spamcop. > > I switched to quick reporting which does not include my IP in the spam report. Yet you do not mind revealing your IP# by posting here. Actually you've revealed two IP#s in this thread. If I were a real "vindictive fuck" I just struck gold, I think that's what's being said, right? From nobody at nowhere.not Mon Sep 14 18:24:28 2009 From: nobody at nowhere.not (Robert Blair) Date: Mon Sep 14 18:25:08 2009 Subject: [Scspamcop] Re: Question about user generated reports to ISPs References: Message-ID: On Mon, 14 Sep 2009 19:01:49 UTC, Tim McGraw wrote: > Robert Blair wrote: > > Tim McGraw wrote: > >> I see. After millions upon millions of spamcop reports sent for more > >> than a decade, you just now happened upon this strange anomaly. > > > > At one time I used an anonymous web relay to approve my spam reports so that > > my real IP was not in the spam report. This goes back to when Julian was > > still the owner of spamcop. 
> > > > I switched to quick reporting which does not include my IP in the spam report. > > Yet you do not mind revealing your IP# by posting here. > > Actually you've revealed two IP#s in this thread. > > If I were a real "vindictive fuck" I just struck gold, I think that's > what's being said, right? There is a BIG difference revealing an IP on a news group and revealing an IP on a spam report. While a spammer may see my IP here he can not connect it to a spam report but if he receives a spam report with my IP it is a given where the report came from. -- Robert Blair From tmcgraw at spamcop.net Mon Sep 14 18:51:02 2009 From: tmcgraw at spamcop.net (Tim McGraw) Date: Mon Sep 14 18:55:08 2009 Subject: [Scspamcop] Re: Question about user generated reports to ISPs In-Reply-To: References: Message-ID: Robert Blair wrote: > There is a BIG difference revealing an IP on a news group and revealing an IP on > a spam report. While a spammer may see my IP here he can not connect it to a > spam report but if he receives a spam report with my IP it is a given where > the report came from. From what I have observed for more than a decade, none of the spammers I have dealt with (save one) cared enough to do something about it. But then, I've been a paid user of spamcop for 11 years, but I've sent plenty of manual LARTs. Bottom line: if you cared enough to send a manual LART to a spam source you'd be revealing the same IP#. I don't understand why the big deal. From DeathToSpam at crazyhat.net Mon Sep 14 22:14:54 2009 From: DeathToSpam at crazyhat.net (DevilsPGD) Date: Mon Sep 14 22:15:08 2009 Subject: [Scspamcop] Re: Question about user generated reports to ISPs References: Message-ID: In message Steve Baker was claimed to have wrote: > I'm a Comcast customer, and I don't question the itchy trigger >finger on the port 25 blocks (although I do find the apparent >capriciousness somewhat annoying). I question why port 25 isn't >blocked for all their residential customers.
But my port 25 is open >and I find it useful, so I'm not bending any ears at Comcast about how >port 25 should be universally blocked for residential customers. > I'm not sure if I think that Comcast doesn't block outgoing port 25 >for all residential customers just because they don't want to take the >support hit, or because they can't quite sort out the business >customers from the residential customers in the routers. Given that they have the capability to control port-25 blocking on a per-user basis, I'm a little surprised they don't block port-25 access by default for all residential users, leaving it open by default for business users, then toggling it in the appropriate direction either upon request or an abuse report. But that's just me. From nobody at nowhere.not Tue Sep 15 02:41:23 2009 From: nobody at nowhere.not (Robert Blair) Date: Tue Sep 15 02:45:08 2009 Subject: [Scspamcop] Re: Question about user generated reports to ISPs References: Message-ID: On Mon, 14 Sep 2009 22:51:02 UTC, Tim McGraw wrote: > Robert Blair wrote: > > There is a BIG difference revealing an IP on a news group and revealing an IP on > > a spam report. While a spammer may see my IP here he can not connect it to a > > spam report but if he receives a spam report with my IP it is a given where > > the report came from. > > From what I have observed for more than a decade, none of the spammers > I have dealt with (save one) cared enough to do something about it. In the past I have had problems with spammers. This made me paranoid but since they have taken over other people's computers they have changed and now most spammers don't care. But that does not change the fact that spam reports will go to a spammer if they want them. > But then, I've been a paid user of spamcop for 11 years, but I've sent > plenty of manual LARTs. > > Bottom line: if you cared enough to send a manual LART to a spam source > you'd be revealing the same IP#. I don't understand why the big deal.
When I send a manual LART I use sneakemail to conceal my identity. In the past I have used an anonymous proxy to conceal my identity. Bottom line, I may still be somewhat paranoid but I am not going to give my identity to a spammer. While most spammers don't care it is not all of them. -- Robert Blair From bakesph at comcast.net Tue Sep 15 13:39:37 2009 From: bakesph at comcast.net (Steve Baker) Date: Tue Sep 15 13:40:08 2009 Subject: [Scspamcop] Re: Question about user generated reports to ISPs References: Message-ID: On Mon, 14 Sep 2009 06:01:05 -0400, Steve Baker wrote: >On Sun, 13 Sep 2009 19:37:23 -0700, Tim McGraw ... >>I'd also bet it is a post-Julian coding error, if even thought of as an >>error at all by the current programmers. > > I'll take that bet. I win! -- Steve Baker From tmcgraw at spamcop.net Tue Sep 15 13:58:09 2009 From: tmcgraw at spamcop.net (Tim McGraw) Date: Tue Sep 15 14:00:08 2009 Subject: [Scspamcop] Re: Question about user generated reports to ISPs In-Reply-To: References: Message-ID: Steve Baker wrote: > I win! Yes, but RB must have had some kind of spam load or deal with Julian, if Julian was willing to make an exception for a free account holder. From bakesph at comcast.net Tue Sep 15 15:12:32 2009 From: bakesph at comcast.net (Steve Baker) Date: Tue Sep 15 15:15:08 2009 Subject: [Scspamcop] Re: Question about user generated reports to ISPs References: Message-ID: On Tue, 15 Sep 2009 10:58:09 -0700, Tim McGraw wrote: >Steve Baker wrote: >> I win! > >Yes, but RB must have had some kind of spam load or deal with Julian, if >Julian was willing to make an exception for a free account holder. What exception do you mean? -- Steve Baker From tmcgraw at spamcop.net Tue Sep 15 16:01:04 2009 From: tmcgraw at spamcop.net (Tim McGraw) Date: Tue Sep 15 16:05:08 2009 Subject: [Scspamcop] Re: Question about user generated reports to ISPs In-Reply-To: References: Message-ID: Steve Baker wrote: > Tim McGraw wrote: >> Steve Baker wrote: >>> I win! 
>> Yes, but RB must have had some kind of spam load or deal with Julian, if >> Julian was willing to make an exception for a free account holder. > > What exception do you mean? The IP# is revealed only on free user's reports. It's never been a factor for paid users. Why would Julian be inclined to accommodate a free user? Wouldn't he have just encouraged them to open a paid account? From bakesph at comcast.net Tue Sep 15 16:58:43 2009 From: bakesph at comcast.net (Steve Baker) Date: Tue Sep 15 17:00:07 2009 Subject: [Scspamcop] Re: Question about user generated reports to ISPs References: Message-ID: On Tue, 15 Sep 2009 13:01:04 -0700, Tim McGraw wrote: >Steve Baker wrote: >> Tim McGraw wrote: >>> Steve Baker wrote: >>>> I win! >>> Yes, but RB must have had some kind of spam load or deal with Julian, if >>> Julian was willing to make an exception for a free account holder. >> >> What exception do you mean? > >The IP# is revealed only on free user's reports. It's never been a >factor for paid users. > >Why would Julian be inclined to accommodate a free user? Wouldn't he have >just encouraged them to open a paid account? OK, then, what accommodation are you talking about? -- Steve Baker From tmcgraw at spamcop.net Tue Sep 15 17:23:57 2009 From: tmcgraw at spamcop.net (Tim McGraw) Date: Tue Sep 15 17:25:08 2009 Subject: [Scspamcop] Re: Question about user generated reports to ISPs In-Reply-To: References: Message-ID: Steve Baker wrote: > OK, then, what accommodation are you talking about? sc has always consisted of free accounts and paid accounts. reports sent from free accounts may reveal user IP#s. reports sent from paid accounts have never revealed user IP#s. Robert Blair wrote: > At one time I used an anonymous web relay to approve my spam reports so that my real IP was not in the spam report. This goes back to when Julian was still the owner of spamcop.
So I misread that comment the first (and second) time, I thought the poster was saying Julian helped him with the work-around. Robert Blair wrote: > I switched to quick reporting which does not include my IP in the spam report. There's your workaround. From tmcgraw at spamcop.net Tue Sep 15 17:25:51 2009 From: tmcgraw at spamcop.net (Tim McGraw) Date: Tue Sep 15 17:30:07 2009 Subject: [Scspamcop] Re: Question about user generated reports to ISPs In-Reply-To: References: Message-ID: Robert Blair wrote: > I switched to quick reporting which does not include my IP in the spam report. If you have a paid account no reports include your IP#, not just QR. From nobody at nowhere.not Wed Sep 16 00:25:28 2009 From: nobody at nowhere.not (Robert Blair) Date: Wed Sep 16 00:30:08 2009 Subject: [Scspamcop] Re: Question about user generated reports to ISPs References: Message-ID: On Tue, 15 Sep 2009 21:25:51 UTC, Tim McGraw wrote: > > I switched to quick reporting which does not include my IP in the spam report. > > If you have a paid account no reports include your IP#, not just QR. It is obvious that you have not been following this thread very closely. If you approve a spam report using the web page your IP will be in the email headers of the spam report, paid reporter or not. -- Robert Blair From tmcgraw at spamcop.net Wed Sep 16 03:21:46 2009 From: tmcgraw at spamcop.net (Tim McGraw) Date: Wed Sep 16 03:25:08 2009 Subject: [Scspamcop] Re: Question about user generated reports to ISPs In-Reply-To: References: Message-ID: Robert Blair wrote: > Tim McGraw wrote: >>> I switched to quick reporting which does not include my IP in the spam report. >> If you have a paid account no reports include your IP#, not just QR. > It is obvious that you have not been following this thread very closely. If > you approve a spam report using the web page your IP will be in the email > headers of the spam report, paid reporter or not. Not true. I've done several tests. 
If you are getting different results I'd ask a deputy why. If you have a paid account NO reports include your IP#. From tmcgraw at spamcop.net Wed Sep 16 03:32:43 2009 From: tmcgraw at spamcop.net (Tim McGraw) Date: Wed Sep 16 03:35:07 2009 Subject: [Scspamcop] Re: Question about user generated reports to ISPs In-Reply-To: References: Message-ID: Tim McGraw wrote: > If you have a paid account NO reports include your IP#. Okay, true enough, it's in the email headers. I'm 0 for 2 if anyone is keeping score. Yeah, I knew you were. So how can you really know that the Quick Reports don't include your IP# in the individual email headers sent to the source abuse addys? From nobody at nowhere.not Wed Sep 16 13:13:51 2009 From: nobody at nowhere.not (Robert Blair) Date: Wed Sep 16 13:15:08 2009 Subject: [Scspamcop] Re: Question about user generated reports to ISPs References: Message-ID: On Wed, 16 Sep 2009 07:32:43 UTC, Tim McGraw wrote: > So how can you really know that the Quick Reports don't include your IP# > in the individual email headers sent to the source abuse addys? The same way I found out that my IP was in the headers originally. Some ISPs acknowledge spam reports and a few of those include the entire report including the headers in their ack. -- Robert Blair From bakesph at comcast.net Wed Sep 16 18:39:54 2009 From: bakesph at comcast.net (Steve Baker) Date: Wed Sep 16 18:40:08 2009 Subject: [Scspamcop] Re: Question about user generated reports to ISPs References: Message-ID: <8u02b5pidtfacborstvrssnstmfdrgfs9h@4ax.com> On Mon, 14 Sep 2009 05:16:37 -0700, "Mike Easter" wrote: >Steve Baker wrote: >>Tim McGraw > >>> Which makes the story Steve cited in the original post about Comcast >>> warning a user appear even more bogus. >> >> No it doesn't, it supports that story. > >I also have a problem with the original story as 'perceived'. 
Where my >perception is "Send a spamcop report to the comcast abuse desk about a >comcast sourced spam and your notify will be interpreted as spam sourced >from your own IP and thus your own port 25 blocked." Sounds pretty unlikely to me, too, but my curiosity was aroused, and I came here to ask about whether or not a user's IP address shows up in a Spamcop report. If not (as I suspected), then it would be very difficult to impossible for Comcast to even figure out their user's IP address, and I would have concluded that there was no relationship between Spamcop reports and port 25 blocking. But finding out that a user's IP address can appear in a Spamcop supports his story... at least to the degree that nothing turned up that disproves it. >> The bottom Received: line of >> the Spamcop report I sent/received showed my IP address, and if I'd >> sent that abuse report to Comcast, they would have seen my IP address >> as the source of that email. Which it would have been. > >... while the above is now known to be correct... > >> If they also >> interpreted that Spamcop report as spam rather than a spam report... > >... that interpretation by an abuse desk is rather unbelievable. > >Let's leave spamcop out of it. If I am a comcast user and an antispam >reporter/notifier and I receive a spam sourced by some comcast IP and I >notify the comcast abuse desk/department about the comcast spam I >received, should the comcast abuse desk interpret my notify as spam >sourced by me? I'm not arguing that it isn't ridiculous, but it's easy to distinguish internal Comcast email from email received from the outside. Unlike internal email, outside email comes in through the MX servers; residential users can't access the MX servers. >>The relevant question is, would they know that that a Spamcop >> report wasn't a spam? > >What do you think? (My question isn't sarcastic or rhetorical, I'm >asking you.) 
Do you think that a comcast abuse desk which must have to >handle thousands or even tens of thousands of emails a day, many many of >which are going to be spam, should be able to 'manage' the abuse >notifies competently and not be using its own abuse address as an >incompetent spamtrap for purposes of blocking port 25 of its own users >who are notifying? I actually find the possibility that Viper is right about what's going on to not be totally ridiculous. I haven't really come up with any solid logic to support it, but Comcast has a very itchy trigger finger on the port 25 blocks, and they're not particularly concerned about making a mistake. I may have mentioned that I describe their policy as "shoot first, and don't bother asking any questions at all". It could be that some "spamtrap logic" was poorly implemented, maybe even being applied to the wrong addresses. I know that their spam filters are sometimes totally whacky in what they catch. Maybe they do block port 25 as a result of internally generated spam reports. My port 25 has been mysteriously blocked a couple times, and that might explain it. I'm not really presenting theories that I believe in, I'm just saying that I wouldn't be shocked if Viper is right. ... -- Steve Baker From nobody at spamcop.net Thu Sep 17 14:36:46 2009 From: nobody at spamcop.net (RandallW) Date: Thu Sep 17 14:40:08 2009 Subject: [Scspamcop] SpamCop down for maintenance Message-ID: Any ideas how long this will be? From nobody at spamcop.net Thu Sep 17 14:53:02 2009 From: nobody at spamcop.net (Richard W) Date: Thu Sep 17 14:55:07 2009 Subject: [Scspamcop] Re: SpamCop down for maintenance In-Reply-To: References: Message-ID: RandallW wrote: > Any ideas how long this will be? > > Sorry, I meant to post yesterday, then realized I didn't have the SC news server set up on my laptop. One thing led to another.... The system is down for approximately four hours beginning at 11:00am PDT (-0700) for software upgrades.
This doesn't affect SpamCop mail accounts or access. Submissions are accepted, but processing is delayed until the systems are brought back up. When the systems are back online, expect a processing delay due to backlog. I also just got word this maintenance will not fix the 'unreported spam' bug/issue. That fix is currently in QA and they expect to hot patch on Monday to fix that and a couple of other issues. Richard From nobody at spamcop.net Thu Sep 17 18:15:18 2009 From: nobody at spamcop.net (Ellen) Date: Thu Sep 17 18:20:08 2009 Subject: [Scspamcop] Re: SpamCop down for maintenance In-Reply-To: References: Message-ID: Richard W wrote: > RandallW wrote: >> Any ideas how long this will be? >> > > Sorry, I meant to post yesterday, then realized I didn't have the SC > news server set up on my laptop. One thing led to another.... > > The system is down for approximately four hours beginning at 11:00am PDT > (-0700) for software upgrades. This doesn't affect SpamCop mail > accounts or access. Submissions are accepted, but processing is delayed > until the systems are brought back up. When the systems are back > online, expect a processing delay due to backlog. > > I also just got word this maintenance will not fix the 'unreported spam' > bug/issue. That fix is currently in QA and they expect to hot patch on > Monday to fix that and a couple of other issues. > > Richard The maintenance may run longer than originally scheduled. I do not have a new ETA for completion. Ellen SpamCop From nobody at spamcop.net Thu Sep 17 19:37:51 2009 From: nobody at spamcop.net (Ellen) Date: Thu Sep 17 19:40:07 2009 Subject: [Scspamcop] Re: SpamCop down for maintenance update In-Reply-To: References: Message-ID: Ellen wrote: > > The maintenance may run longer than originally scheduled. I do not have > a new ETA for completion. > > > Ellen > SpamCop Operations estimates that we should be back up around 1700 PDT.
Ellen SpamCop From nobody at spamcop.net Fri Sep 18 10:41:34 2009 From: nobody at spamcop.net (Richard W) Date: Fri Sep 18 10:45:08 2009 Subject: [Scspamcop] Re: SpamCop down for maintenance In-Reply-To: References: Message-ID: Richard W wrote: > I also just got word this maintenance will not fix the 'unreported spam' > bug/issue. That fix is currently in QA and they expect to hot patch on > Monday to fix that and a couple of other issues. I stand corrected. Because the maintenance took longer than expected (they always forget how big our DB is and how long syncing takes), the hot patch went ahead Thursday. The 'unreported spam' issue should now be fixed. Let us know if you see otherwise. Thanks, Richard > RandallW wrote: >> Any ideas how long this will be? >> > > Sorry, I meant to post yesterday, then realized I didn't have the SC > news server set up on my laptop. One thing lead to another.... > > The system is down for approximately four hours beginning at 11:00am PDT > (-0700) for software upgrades. This doesn't affect SpamCop mail > accounts or access. Submissions are accepted, but processing is delayed > until the systems are brought back up. When the systems are back > online, expect a processing delay due to backlog. > > I also just got word this maintenance will not fix the 'unreported spam' > bug/issue. That fix is currently in QA and they expect to hot patch on > Monday to fix that and a couple of other issues. > > Richard From bakesph at comcast.net Sat Sep 19 06:02:10 2009 From: bakesph at comcast.net (Steve Baker) Date: Sat Sep 19 06:05:09 2009 Subject: [Scspamcop] Re: Question about user generated reports to ISPs References: Message-ID: On Mon, 14 Sep 2009 19:14:54 -0700, DevilsPGD wrote: >In message Steve Baker > was claimed to have wrote: > >> I'm a Comcast customer, and I don't question the itchy trigger >>finger on the port 25 blocks (although I do find the apparent >>capriciousness somewhat annoying). 
I question why port 25 isn't >>blocked for all their residential customers. But my port 25 is open >>and I find it useful, so I'm not bending any ears at Comcast about how >>port 25 should be universally blocked for residential customers. >> I'm not sure if I think that Comcast doesn't block outgoing port 25 >>for all residential customers just because they don't want to take the >>support hit, or because they can't quite sort out the business >>customers from the residential customers in the routers. > >Given that they have the capability to control port-25 blocking on a >per-user basis, I'm a little surprised they don't block port-25 access >by default for all residential users, leaving it open by default for >business users, then toggling it in the appropriate direction either >upon request or an abuse report. > >But that's just me. I misspoke/misled above. My understanding is that the modem configuration that Comcast uses to block port 25 is, per force by the DOCSIS standard, an all or nothing deal. It blocks all port 25, which means that it can't block just outgoing (from the system's point of view). So, the port 25 blocked users can't reach anything on port 25, including the SMTP servers set up for the customer's use; those blocked customers have to reconfigure their email clients to use either port 587 or 465. Considering that they're handing out port 25 blocks like candy on Halloween, that has to result in a substantial support hit. On the other hand, if they just blocked outgoing port 25 and left internal port 25 open so that users could reach the Comcast SMTP servers on port 25, almost no residential users would notice. That's what has me baffled, and speculating that they can't quite sort out the residential users from the business users in their routers. 
-- Steve Baker From nobody at spamcop.net Sat Sep 19 09:05:59 2009 From: nobody at spamcop.net (Steven Underwood) Date: Sat Sep 19 09:10:08 2009 Subject: [Scspamcop] elizabeth.underwood@tufts.edu Message-ID: Test to elizabeth.underwood@tufts.edu From nobody at spamcop.net Sat Sep 19 09:29:48 2009 From: nobody at spamcop.net (bar0) Date: Sat Sep 19 09:30:07 2009 Subject: [Scspamcop] Re: elizabeth.underwood@tufts.edu References: Message-ID: "Steven Underwood" wrote in message news:h92kvm$pto$1@news.spamcop.net... > Test to elizabeth.underwood@tufts.edu WTF? From nobody at spamcop.net Sat Sep 19 10:18:18 2009 From: nobody at spamcop.net (Steven Underwood) Date: Sat Sep 19 10:20:08 2009 Subject: [Scspamcop] Re: elizabeth.underwood@tufts.edu In-Reply-To: References: Message-ID: Sorry... meant to send test email but was in the news section of Windows Live Mail "bar0" wrote in message news:h92mch$r2e$1@news.spamcop.net... > > "Steven Underwood" wrote in message > news:h92kvm$pto$1@news.spamcop.net... >> Test to elizabeth.underwood@tufts.edu > > WTF? > From me at privacy.net Tue Sep 22 17:09:05 2009 From: me at privacy.net (Frog Prince) Date: Tue Sep 22 17:10:07 2009 Subject: [Scspamcop] Rejection of a spam post notice sent to abuse@hotmail.com Message-ID: Strange rejection. Apparently many are getting similar rejection notices from hotmail and live.com for various messages but a rejection of a message to abuse? Makes no sense. To: , Your message cannot be delivered to the following recipients: (entire rejection notice posted to spamcop.spam) From g.hyde at bigNOSPAMpond.net.au Tue Sep 22 18:45:41 2009 From: g.hyde at bigNOSPAMpond.net.au (Geoffrey Hyde) Date: Tue Sep 22 18:50:08 2009 Subject: [Scspamcop] Re: Rejection of a spam post notice sent to abuse@hotmail.com References: Message-ID: "Frog Prince" wrote in message news:h9beds$mh0$2@news.spamcop.net... > Strange rejection. 
Apparently many are getting similar rejection notices
> from hotmail and live.com for various messages but a rejection of a
> message
> to abuse?
>
> Makes no sense.
>
>
> To: ,
>
> Your message cannot be delivered to the following recipients:
>
> (entire rejection notice posted to spamcop.spam)

Was that the entire original message source, including full headers?

What I would guess you have there is the body of a message looking to the
inexperienced like a hotmail message rejection notice.

Since there are no message headers and no tracker to view the original
headers which were on that message, I would have to say you need to provide
a tracker which shows those (if indeed there are any) before anyone here
could speculate on what you have.

Further since the news post itself doesn't keep the headers of the email,
they may have been deleted from the headers of the news message you posted,
those headers - after you decide if you want to munge identifiable addresses
contained in them - should be posted in their entirety to spamcop.spam so we
can see what's in them.

Cheers ...

Geoffrey Hyde

From me at privacy.net Tue Sep 22 20:00:16 2009
From: me at privacy.net (Frog Prince)
Date: Tue Sep 22 20:05:08 2009
Subject: [Scspamcop] Re: Rejection of a spam post notice sent to abuse@hotmail.com
References:
Message-ID:

"Geoffrey Hyde" wrote in message news:h9bk32$qim$1@news.spamcop.net...
: "Frog Prince" wrote in message
: news:h9beds$mh0$2@news.spamcop.net...
: > Strange rejection. Apparently many are getting similar rejection notices
: > from hotmail and live.com for various messages but a rejection of a
: > message
: > to abuse?
: >
: > Makes no sense.
: >
: >
: > To: ,
: >
: > Your message cannot be delivered to the following recipients:
: >
: > (entire rejection notice posted to spamcop.spam)
:
: Was that the entire original message source, including full headers?
:
: What I would guess you have there is the body of a message looking to the
: inexperienced like a hotmail message rejection notice.
:
: Since there are no message headers and no tracker to view the original
: headers which were on that message, I would have to say you need to provide
: a tracker which shows those (if indeed there are any) before anyone here
: could speculate on what you have.
:
: Further since the news post itself doesn't keep the headers of the email,
: they may have been deleted from the headers of the news message you posted,
: those headers - after you decide if you want to munge identifiable addresses
: contained in them - should be posted in their entirety to spamcop.spam so we
: can see what's in them.

I did not report via spamcop and was only very mildly interested in why hotmail would reject an abuse report as spam.

From user at domain.invalid Tue Sep 22 23:14:54 2009
From: user at domain.invalid (Farelf)
Date: Tue Sep 22 23:15:08 2009
Subject: [Scspamcop] Re: Rejection of a spam post notice sent to abuse@hotmail.com
In-Reply-To:
References:
Message-ID:

Frog Prince wrote:
> Strange rejection. Apparently many are getting similar rejection notices
> from hotmail and live.com for various messages but a rejection of a message
> to abuse?

Abuse addresses get bombed a lot, I guess, especially theirs. The IP
address shown in the rejection notice (in spamcop.spam) is on several
'public' BLs, no knowing about in-house/private lists.

> Makes no sense.

Agreed, it doesn't make sense, they should use greylisting or something
instead of a hard block for the abuse address. They haven't thought it
through, notwithstanding the massed intellects and vast experience at
their disposal. Or they don't care. A murrain on their herds,
whichever. But at least it indicates they might attend to their abuse
address. Unlike many, we suspect. And you can re-send from some other IP
(somehow).
From me at privacy.net Wed Sep 23 00:39:35 2009 From: me at privacy.net (Frog Prince) Date: Wed Sep 23 00:45:08 2009 Subject: [Scspamcop] Re: Rejection of a spam post notice sent to abuse@hotmail.com References: Message-ID: "Farelf" wrote in message news:h9c3rd$5uq$1@news.spamcop.net... : Frog Prince wrote: : > Strange rejection. Apparently many are getting similar rejection notices : > from hotmail and live.com for various messages but a rejection of a message : > to abuse? : : Abuse addresses get bombed a lot, I guess, especially theirs. The IP : address shown in the rejection notice (in spamcop.spam) is on several : 'public' BLs, no knowing about in-house/private lists. : : > Makes no sense. : : Agreed, it doesn't make sense, they should use greylisting or something : instead of a hard block for the abuse address. They haven't thought it : through, notwithstanding the massed intellects and vast experience at : their disposal. Or they don't care. A murrain on their herds, : whichever. But at least it indicates they might attend to their abuse : address. Unlike many, we suspect. And you can re-send from some other IP : (somehow). Did an end run. Contact the ISP asked for a public IP release and new lease. Level 1 'no can do' went round and round and asked for next level support round and round again. Finally I asked are you going to switch me to level 2? same round and round. Repeat the question answer yes or no mentioned it was a binary function finally reached level 2. Two min conversation: buttons pushed, new IP (problem solved for the short term) From user at domain.invalid Wed Sep 23 03:15:12 2009 From: user at domain.invalid (Farelf) Date: Wed Sep 23 03:20:09 2009 Subject: [Scspamcop] Re: Rejection of a spam post notice sent to abuse@hotmail.com In-Reply-To: References: Message-ID: Frog Prince wrote: > > Did an end run. Contact the ISP asked for a public IP release and new > lease. 
Level 1 'no can do' went round and round and asked for next level > support round and round again. Finally I asked are you going to switch me > to level 2? same round and round. > > Repeat the question answer yes or no mentioned it was a binary function > finally reached level 2. > > Two min conversation: buttons pushed, new IP (problem solved for the short > term) Brilliant result, not any easy thing to achieve. From g.hyde at bigNOSPAMpond.net.au Wed Sep 23 07:25:32 2009 From: g.hyde at bigNOSPAMpond.net.au (Geoffrey Hyde) Date: Wed Sep 23 07:30:09 2009 Subject: [Scspamcop] Re: Rejection of a spam post notice sent to abuse@hotmail.com References: Message-ID: "Frog Prince" wrote in message news:h9c8tf$ic0$1@news.spamcop.net... > Did an end run. Contact the ISP asked for a public IP release and new > lease. Level 1 'no can do' went round and round and asked for next level > support round and round again. Finally I asked are you going to switch me > to level 2? same round and round. > > Repeat the question answer yes or no mentioned it was a binary function > finally reached level 2. > > Two min conversation: buttons pushed, new IP (problem solved for the short > term) If you can, next time you have to get a new IP grab his name and if possible extension number. If you're able to talk to the L2 tech without the yes/no binary L1 operator in the way, it should speed things along a bit. Cheers ... Geoffrey Hyde From nobody at spamcop.net Wed Sep 23 07:57:33 2009 From: nobody at spamcop.net (Ellen) Date: Wed Sep 23 08:05:09 2009 Subject: [Scspamcop] Leaving SpamCop Message-ID: Hi folks -- tomorrow is my last day at SpamCop. After 7 or 8 years it's going to be strange to wake up in the morning, stumble over to the computer (I telecommute) and not tell people that yes, yes they are sending spam. Thanks for the support over the years! Richard, Don and Kelly are still deps so I know I leave you in good hands! 
Ellen From me at privacy.net Wed Sep 23 12:11:35 2009 From: me at privacy.net (Frog Prince) Date: Wed Sep 23 12:15:09 2009 Subject: [Scspamcop] Re: Rejection of a spam post notice sent to abuse@hotmail.com References: Message-ID: "Farelf" wrote in message news:h9chtv$p9j$1@news.spamcop.net... : Frog Prince wrote: : : > : > Did an end run. Contact the ISP asked for a public IP release and new : > lease. Level 1 'no can do' went round and round and asked for next level : > support round and round again. Finally I asked are you going to switch me : > to level 2? same round and round. : > : > Repeat the question answer yes or no mentioned it was a binary function : > finally reached level 2. : > : > Two min conversation: buttons pushed, new IP (problem solved for the short : > term) : : Brilliant result, not any easy thing to achieve. Every once in a while the world elects me S.O.B for the day. When that happens I endeavor to make the most of the honor. From nobody at nowhere.not Wed Sep 23 13:21:09 2009 From: nobody at nowhere.not (Robert Blair) Date: Wed Sep 23 13:25:09 2009 Subject: [Scspamcop] Re: Leaving SpamCop References: Message-ID: On Wed, 23 Sep 2009 11:57:33 UTC, Ellen wrote: Good luck in your next endeavor, we will miss you. -- Robert Blair From nobody at spamcop.net Wed Sep 23 14:22:42 2009 From: nobody at spamcop.net (Ellen) Date: Wed Sep 23 14:30:08 2009 Subject: [Scspamcop] Re: Leaving SpamCop In-Reply-To: References: Message-ID: Charles wrote: > It wasn't me! It was Ellen ! > >> tomorrow is my last day at SpamCop. > > Hey. Whoa. Hey... You still going to stop by to visit from time to time? well yeah sure :-) Ellen From borgholio at storymind.com Wed Sep 23 15:58:51 2009 From: borgholio at storymind.com (Borgholio) Date: Wed Sep 23 16:00:08 2009 Subject: [Scspamcop] Re: Leaving SpamCop In-Reply-To: References: Message-ID: Ellen wrote: > Charles wrote: >> It wasn't me! It was Ellen ! >> >>> tomorrow is my last day at SpamCop. >> >> Hey. Whoa. Hey... 
You still going to stop by to visit from time to >> time? > > well yeah sure :-) > > Ellen What are you nuts? Run away as fast as you can! From anthony.edwards at uk.easynet.net Thu Sep 24 08:19:02 2009 From: anthony.edwards at uk.easynet.net (Anthony Edwards) Date: Thu Sep 24 08:20:08 2009 Subject: [Scspamcop] Re: Leaving SpamCop References: Message-ID: On Wed, 23 Sep 2009 07:57:33 -0400, Ellen wrote: > Hi folks -- tomorrow is my last day at SpamCop. After 7 or 8 years it's > going to be strange to wake up in the morning, stumble over to the > computer (I telecommute) and not tell people that yes, yes they are > sending spam. Thanks for the support over the years! Farewell, Ellen. You will be missed. -- Anthony Edwards * anthony.edwards@uk.easynet.net Abuse Team Manager * Tel: 020 7900 4444 Easynet Ltd * DDI: 0161 888 3507 http://www.easynet.com * Fax: 0845 333 4503 From MikeE at ster.invalid Thu Sep 24 12:28:11 2009 From: MikeE at ster.invalid (Mike Easter) Date: Thu Sep 24 12:30:08 2009 Subject: [Scspamcop] Re: Leaving SpamCop References: Message-ID: Ellen wrote: > Hi folks -- tomorrow is my last day at SpamCop. > Richard, Don and Kelly are still deps so I know I leave you in good > hands! Does this mean that one of the other deputies will take your place deputy-interacting in the newsgroups or does that mean something else? I have a number of other unanswered questions, such as what's next? and some others, but.... Good luck, have fun, and you will be missed. -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Thu Sep 24 13:52:05 2009 From: nobody at spamcop.net (Ellen) Date: Thu Sep 24 13:55:09 2009 Subject: [Scspamcop] Re: Leaving SpamCop In-Reply-To: References: Message-ID: Charles wrote: > It wasn't me! It was Ellen ! >> Charles wrote: > >>> Hey. Whoa. Hey... You still going to stop by to visit from time to >>> time? >> well yeah sure > > So??? Are you still here??? Or is it time for the trash talk to start > (ha)??? 
> > How does it feel to be done with it? Any difference at all? well as it's still Thurs -- ask me tomorrow :-) E From nobody at spamcop.net Thu Sep 24 13:54:09 2009 From: nobody at spamcop.net (Ellen) Date: Thu Sep 24 13:55:09 2009 Subject: [Scspamcop] Re: Leaving SpamCop In-Reply-To: References: Message-ID: Mike Easter wrote: > > Does this mean that one of the other deputies will take your place > deputy-interacting in the newsgroups or does that mean something else? well Richard and Don interact here as necessary or as time permits ... and IIRC both Don and Kelly have posted to the forum > > I have a number of other unanswered questions, such as what's next? and > some others, but.... dunno what's next ... > > Good luck, have fun, and you will be missed. > > thanks! Ellen From pssawyer at comcast.BAD.EXAMPLE.net Thu Sep 24 16:19:55 2009 From: pssawyer at comcast.BAD.EXAMPLE.net (Paul) Date: Thu Sep 24 16:20:09 2009 Subject: [Scspamcop] Re: Leaving SpamCop References: Message-ID: Ellen wrote in news:h9d2nn$4ul$1@news.spamcop.net: > Hi folks -- tomorrow is my last day at SpamCop. After 7 or 8 years > it's going to be strange to wake up in the morning, stumble over > to the computer (I telecommute) and not tell people that yes, yes > they are sending spam. Thanks for the support over the years! Thank YOU for the support. You will be missed. > Richard, Don and Kelly are still deps so I know I leave you in > good hands! -- Paul From avoozl at spamcop.net Thu Sep 24 22:02:45 2009 From: avoozl at spamcop.net (Chris F. Willoughby) Date: Thu Sep 24 22:05:08 2009 Subject: [Scspamcop] Re: Leaving SpamCop References: Message-ID: "Ellen" wrote in message news:h9d2nn$4ul$1@news.spamcop.net... > Hi folks -- tomorrow is my last day at SpamCop. After 7 or 8 years it's > going to be strange to wake up in the morning, stumble over to the > computer (I telecommute) and not tell people that yes, yes they are > sending spam. Thanks for the support over the years! 
>
> Richard, Don and Kelly are still deps so I know I leave you in good hands!
>
>
>
> Ellen
>

Good luck with whatever you choose to do next! :)

Ciao.

From andrewb at zagam.net Sun Sep 27 01:15:26 2009
From: andrewb at zagam.net (Andrew Buckeridge)
Date: Sun Sep 27 01:20:09 2009
Subject: [Scspamcop] Safe Out of Office replies?
Message-ID: <20090927131526.c0167051.andrewb@zagam.net>

Many people expect that they should be able to send "Out of Office"
replies, but don't want to or are unable to comprehend how destructive
such a reckless act is to the Internet.

The problem is that "Out of Office" replies and other bounces still
make up a significant proportion of spam and dealing with spam requires
a comprehensive approach knocking out a little bit at a time.

A more conventional approach would be to use empty "MAIL FROM:<>"
and "Return-Path: <>" in the bounce as required by the SMTP (RFC 5321
4.5.5). Sites that do not wish to receive such "notifications" can
discard email with an empty "MAIL FROM:<>" or "Return-Path: <>" from
the Internet and only accept it from within their own protected
networks.

"Out of Office" replies are sometimes sent with a non-empty
"MAIL FROM:<>" or "Return-Path: <>" in violation of the SMTP which
means that this simple filtering scheme will not work.

My idea is to have a directory "vacation" of user vacation messages
where file name is the address or the local part of the address. (As
the SMTP and DNS are case insensitive you will need to squash the email
address to lower case before searching this directory.)

RCPT TOs including those in the "vacation" directory are accepted
normally.

DATA is processed normally and after the dot '.' the email is spooled
for delivery to each RCPT, however a hard fail 550 response will be
sent if any of the RCPTs are in the "vacation" directory and contents
files found displayed as continuation lines "550-" before the final
"550 " descriptive message explaining this action.
Our site operating such an MTA would then not be producing any bounce.
Sites running correctly configured MTAs will be generating bounces only
for their own users. All that is then required for a meaningful reply is
that their MTA includes our MTA's 550 response in its own bounce.

Does such a solution exist?

From MikeE at ster.invalid Sun Sep 27 02:03:23 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Sep 27 02:05:08 2009
Subject: [Scspamcop] Re: Safe Out of Office replies?
References: <20090927131526.c0167051.andrewb@zagam.net>
Message-ID:

Andrew Buckeridge wrote:
> Many people expect that they should be able to send "Out of Office"
> replies, but don't want to or are unable to comprehend how destructive
> such a reckless act is to the Internet.

Autoresponders are bad
http://www.spamcop.net/fom-serve/cache/329.html Why are auto responders bad?

> The problem is that "Out of Office" replies and other bounces still
> make up a significant proportion of spam and dealing with spam requires
> a comprehensive approach knocking out a little bit at a time.

A 'comprehensive' approach is blocklisting backscatterers and them ceasing autoresponding backscatter.

http://www.spamcop.net/fom-serve/cache/329.html
Solution: Do not use these systems. Inform your normal correspondents of your absence before you depart. Or let a co-worker answer your email in your absence. Publish FAQ information on a web-site. If you wish to dispense information via email, it's easy to reject a message while referring the sender to a FAQ web-page.

> A more conventional approach would be to use empty "MAIL FROM:<>"
> and "Return-Path: <>" in the bounce

(Misdirected) Autoresponders are not 'bounces' in the sense of a rejected transaction (hard bounce), but instead they are a newmail. So-called soft bounce is a misnomer for newly generated mail auto-addressed to the (bogus) From.

> as required by the SMTP (RFC 5321
> 4.5.5).
RFC 5321 4.5.5 does not make autoresponders 'legal' nor mean that backscatterers don't get blocklisted. The old RFC excuse doesn't cut it anymore.

> Sites that do not wish to receive such "notifications" can
> discard email with an empty "MAIL FROM:<>" or "Return-Path: <>" from
> the Internet and only accept it from within their own protected
> networks.

Better yet. Blocklist such backscatterers and force them to stop.

> "Out of Office" replies are sometimes sent with a non-empty
> "MAIL FROM:<>" or "Return-Path: <>" in violation of the SMTP which
> means that this simple filtering scheme will not work.

Whether such new mail autogeneration of misdirected autoresponders have an empty mailfrom or not, it is spam and it will be a cause of such a server getting itself reported and blocklisted.

> My idea is to have a directory "vacation" of user vacation messages
> where file name is the address or the local part of the address. (As
> the SMTP and DNS are case insensitive you will need to squash the email
> address to lower case before searching this directory.)

See the link above for a better idea. Don't use such autoresponders but use the aforementioned solutions.

> RCPT TOs including those in the "vacation" directory are accepted
> normally.
>
> DATA is processed normally and after the dot '.' the email is spooled
> for delivery to each RCPT, however a hard fail 550 response will be
> sent if any of the RCPTs are in the "vacation" directory and contents
> files found displayed as continuation lines "550-" before the final
> "550 " descriptive message explaining this action.

I think you are describing the part at the link above called "it's easy to reject a message while referring the sender..." or otherwise giving information in a mail rejection (instead of accepting a mail for delivery and then turning around and creating a newmail addressed to the From).

> Our site operating such an MTA would then not be producing any bounce.
> Sites running correctly configured MTAs will be generating bounces only
> for their own users. All that is then required for a meaningful reply is
> that their MTA includes our MTA's 550 response in its own bounce.
>
> Does such a solution exist?

I don't think you should be using an ambiguous 'bounce' term. You can say that rejecting mail does not produce misdirected autoresponders.

The link above that has been mentioned twice refers to one such solution...

Using sendmail, this is done in the access.db table like so:

  to:oldaddress@example.com   550 Old address no longer valid, please see: http://www.example.com/NewAddressInfo.html

That link also addresses avoiding qmail and exchange misdirected bounces.

--
Mike Easter
kibitzer, not SC admin

From andrewb at zagam.net Sun Sep 27 11:34:30 2009
From: andrewb at zagam.net (Andrew Buckeridge)
Date: Sun Sep 27 11:35:08 2009
Subject: [Scspamcop] Re: Safe Out of Office replies?
In-Reply-To:
References: <20090927131526.c0167051.andrewb@zagam.net>
Message-ID: <20090927233430.400c0a56.andrewb@zagam.net>

I now have safe vacation "bounce" functionality in Exim4 thanks to
fakereject. In an Exim4 acl_smtp_rcpt ACL before you accept have:

  warn domains = +local_domains
       condition = ${lookup{$local_part}dsearch{/etc/exim4/away}\
                   {yes}{no}}
       control = fakereject/\
                 $local_part@$domain is away; please try \
                 <${readfile{/etc/exim4/away/$local_part}{}}@$domain>

The sender will get a response like:

  550 away@example.com is away; please try

However when away@example.com gets back they have the email.

Exim4 also has the verify = recipient test that can reject at RCPT TO.

From MikeE at ster.invalid Sun Sep 27 14:26:42 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Sep 27 14:30:09 2009
Subject: [Scspamcop] Re: Safe Out of Office replies?
References: <20090927131526.c0167051.andrewb@zagam.net> <20090927233430.400c0a56.andrewb@zagam.net>
Message-ID:

Andrew Buckeridge wrote:
> I now have safe vacation "bounce" functionality in Exim4 thanks to
> fakereject. In an Exim4 acl_smtp_rcpt ACL before you accept have:
>
>   warn domains = +local_domains
>        condition = ${lookup{$local_part}dsearch{/etc/exim4/away}\
>                    {yes}{no}}
>        control = fakereject/\
>                  $local_part@$domain is away; please try \
>                  <${readfile{/etc/exim4/away/$local_part}{}}@$domain>
>
> The sender will get a response like:
>
>   550 away@example.com is away; please try
>
> However when away@example.com gets back they have the email.

Ah so. Good.

> Exim4 also has the verify = recipient test that can reject at RCPT TO.

The link I've been citing has this request...

Others: If you know or find other tips for fixing this problem in other popular software, please Post it to the forum and we will be happy to add it to this FAQ.

... where 'forum' is a link to the webforum (generic location)
http://forum.spamcop.net/forums/index.php?showforum=10

But SC has always made it a little awkward to communicate 'directly' with some'one'. You can say something here in the newsgroups, but the admin types don't show up here much - Ellen who did show just left SC. There are volunteer moderators in the forums and there is a mechanism by which you can input something via a web form/process here
http://www.spamcop.net/fom-serve/cache/91.html How can I contact a real person about this?

There're a couple of deputy addresses, but since they don't seem to be posted anywhere, I never know when to give one out. I guess they are afraid it will be bombarded by disgruntled spam notifieds.

--
Mike Easter
kibitzer, not SC admin

From andrewb at zagam.net Mon Sep 28 09:24:10 2009
From: andrewb at zagam.net (Andrew Buckeridge)
Date: Mon Sep 28 09:25:08 2009
Subject: [Scspamcop] Re: Safe Out of Office replies?
References: <20090927131526.c0167051.andrewb@zagam.net> <20090927233430.400c0a56.andrewb@zagam.net>
Message-ID: <20090928212410.66370688.andrewb@zagam.net>

On Sun, 27 Sep 2009 11:26:42 -0700 "Mike Easter" wrote:
> ... where 'forum' is a link to the webforum (generic location)
> http://forum.spamcop.net/forums/index.php?showforum=10

Bad mistake. I would stay away from this if I could.
Looks like Java put my email in as username.
Could not log in with my user name only email!
How do I get rid of it?

"Name Change: << old name>> | << new name>>" will not fit PM Title.

I'll stick to NNTP thanks.

From MikeE at ster.invalid Mon Sep 28 10:18:22 2009
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Sep 28 10:20:09 2009
Subject: [Scspamcop] Re: Safe Out of Office replies?
References: <20090927131526.c0167051.andrewb@zagam.net><20090927233430.400c0a56.andrewb@zagam.net> <20090928212410.66370688.andrewb@zagam.net>
Message-ID:

Andrew Buckeridge wrote:
> "Mike Easter"
>> ... where 'forum' is a link to the webforum (generic location)
>> http://forum.spamcop.net/forums/index.php?showforum=10
>
> Bad mistake. I would stay away from this if I could.

I do. (Stay away)

> Looks like Java put my email in as username.
> Could not log in with my user name only email!
> How do I get rid of it?
>
> "Name Change: << old name>> | << new name>>" will not fit PM Title.

I don't know how to work things in the forum, but there are some forum moderator/volunteers that come in here from time to time.

> I'll stick to NNTP thanks.

me2.

--
Mike Easter
kibitzer, not SC admin

From user at domain.invalid Mon Sep 28 12:24:45 2009
From: user at domain.invalid (Farelf)
Date: Mon Sep 28 12:25:07 2009
Subject: [Scspamcop] Re: Safe Out of Office replies?
In-Reply-To: <20090928212410.66370688.andrewb@zagam.net>
References: <20090927131526.c0167051.andrewb@zagam.net> <20090927233430.400c0a56.andrewb@zagam.net> <20090928212410.66370688.andrewb@zagam.net>
Message-ID:

Andrew Buckeridge wrote:
>
> Bad mistake.
I would stay away from this if I could.
> Looks like Java put my email in as username.
> Could not log in with my user name only email!
> How do I get rid of it?
>
> "Name Change: << old name>> | << new name>>" will not fit PM Title.
>

Not to worry, just put the detail (in that format) in the body of the PM, make the PM subject simply "Name Change Request". Wazoo will handle it for you.

From wb8tyw at qsl.network Mon Sep 28 13:41:27 2009
From: wb8tyw at qsl.network (John E. Malmberg)
Date: Mon Sep 28 13:45:08 2009
Subject: [Scspamcop] Re: Safe Out of Office replies?
References: <20090927131526.c0167051.andrewb@zagam.net> <20090927233430.400c0a56.andrewb@zagam.net>
Message-ID:

In article <20090927233430.400c0a56.andrewb@zagam.net>, Andrew Buckeridge writes:
> I now have safe vacation "bounce" functionality in Exim4 thanks to
> fakereject.

It depends on what you consider safe.

Most office e-mail systems have a feature that allows someone trusted to monitor an e-mail account while someone is on vacation. That way no important business e-mails will get lost.

I would recommend blocking all out-of-office messages for external delivery, and banning voice mail systems from explaining how long and why someone will be out of the office.

Convicted criminals have been interviewed that they use out-of-office messages on voice mail to successfully steal from companies by either impersonating the person identified as out of the office or by claiming that they are operating under their authority. At least one was successful in getting pre-production prototypes and confidential technical documents shipped to him at the company's expense.

It appears that these vacation auto-responders are more useful to criminals than to anyone else.

To send an out of office message to a business partner/customer instead of using a delegate to monitor a mail could also be seen as an insult to them.

> In an Exim4 acl_smtp_rcpt ACL before you accept have:
>
> warn domains = +local_domains
>      condition = ${lookup{$local_part}dsearch{/etc/exim4/away}\
>                  {yes}{no}}
>      control = fakereject/\
>                $local_part@$domain is away; please try \
>                <${readfile{/etc/exim4/away/$local_part}{}}@$domain>
>
> The sender will get a response like:
>
> 550 away@example.com is away; please try

Test that from a gmail account, you will likely find the bounce generated by the gmail server was put in the spam folder. (Over 95% for my personal experience)

Other Mail servers are set to blackhole undelivery reports, or instead of reporting the response line, replace it with a meaningless line.

I have also found some mail servers that honor 5xx codes at the initial connect, but treat them as 4xx after they have sent the data.

-John
wb8tyw@qsl.network
Personal Opinion Only

From g.hyde at bigNOSPAMpond.net.au Mon Sep 28 19:04:23 2009
From: g.hyde at bigNOSPAMpond.net.au (Geoffrey Hyde)
Date: Mon Sep 28 19:05:08 2009
Subject: [Scspamcop] Re: Safe Out of Office replies?
References: <20090927131526.c0167051.andrewb@zagam.net>
Message-ID:

"Andrew Buckeridge" wrote in message
news:20090927131526.c0167051.andrewb@zagam.net...
> Many people expect that they should be able to send "Out of Office"
> replies, but don't want to or are unable to comprehend how destructive
> such a reckless act is to the Internet.

With what you're trying to implement on your server, what happens if the spammer fills up someone's mailbox allowance while they're on vacation?

As per a recent RFC, it is no longer required that a mailserver forward on a mail item if it can be determined that it's a likely spam mail.

If you can identify someone's spam for them via an incoming mail server filter, and direct it to someplace other than their mail inbox, or throw it away, it's likely that they'll never get their mailbox filled this way. If not, I would strongly suggest that you implement something before it becomes a problem.

Cheers ...

Geoffrey Hyde

From nobody at devnull.spamcop.net Mon Sep 28 19:51:03 2009
From: nobody at devnull.spamcop.net (Wazoo)
Date: Mon Sep 28 19:55:08 2009
Subject: [Scspamcop] Re: Safe Out of Office replies?
References: <20090927131526.c0167051.andrewb@zagam.net><20090927233430.400c0a56.andrewb@zagam.net> <20090928212410.66370688.andrewb@zagam.net>
Message-ID:

"Andrew Buckeridge" wrote in message
news:20090928212410.66370688.andrewb@zagam.net...
> On Sun, 27 Sep 2009 11:26:42 -0700
> "Mike Easter" wrote:
>
>> ... where 'forum' is a link to the webforum (generic location)
>> http://forum.spamcop.net/forums/index.php?showforum=10
>
> Bad mistake. I would stay away from this if I could.
> Looks like Java put my email in as username.

Don't follow that. Typical web-form entry mode is used, which means "you" enter in the data. User/Display name and e-mail address are two separate fields.

> Could not log in with my user name only email!
> How do I get rid of it?

Forum FAQ - SECTION 7 - Change of Username
http://forum.spamcop.net/forums/index.php?s=&showtopic=4351&view=findpost&p=29130

> "Name Change: << old name>> | << new name>>" will not fit PM
> Title.

Checked for the e-mail address used here, doesn't exist in the Forum database. Hmmm, checked the IP Address and scored a hit. An account that had my first thoughts at handling by Banning based on the use of role account data and the use of "spamtrap" as an address.

From joegill at removethis Tue Sep 29 13:34:39 2009
From: joegill at removethis (Joe Gill)
Date: Tue Sep 29 13:40:08 2009
Subject: [Scspamcop] Re: Safe Out of Office replies?
In-Reply-To: <20090927131526.c0167051.andrewb@zagam.net>
References: <20090927131526.c0167051.andrewb@zagam.net>
Message-ID:

"Andrew Buckeridge" wrote in message
news:20090927131526.c0167051.andrewb@zagam.net...
> Many people expect that they should be able to send "Out of Office"
> replies, but don't want to or are unable to comprehend how destructive
> such a reckless act is to the Internet.
>
> The problem is that "Out of Office" replies and other bounces still
> make up a significant proportion of spam and dealing with spam requires
> a comprehensive approach knocking out a little bit at a time.
>
> A more conventional approach would be to use empty "MAIL FROM:<>"
> and "Return-Path: <>" in the bounce as required by the SMTP (RFC 5321
> 4.5.5). Sites that do not wish to receive such "notifications" can
> discard email with an empty "MAIL FROM:<>" or "Return-Path: <>" from
> the Internet and only accept it from within their own protected
> networks.
>
> "Out of Office" replies are sometimes sent with a non-empty
> "MAIL FROM:<>" or "Return-Path: <>" in violation of the SMTP which
> means that this simple filtering scheme will not work.
>
> My idea is to have a directory "vacation" of user vacation messages
> where file name is the address or the local part of the address. (As
> the SMTP and DNS are case insensitive you will need to squash the email
> address to lower case before searching this directory.)
>
> RCPT TOs including those in the "vacation" directory are accepted
> normally.
>
> DATA is processed normally and after the dot '.' the email is spooled
> for delivery to each RCPT, however a hard fail 550 response will be
> sent if any of the RCPTs are in the "vacation" directory and contents
> files found displayed as continuation lines "550-" before the final
> "550 " descriptive message explaining this action.
>
> Our site operating such an MTA would then not be producing any bounce.
> Sites running correctly configured MTAs will be generating bounces only
> for their own users. All that is then required for a meaningful reply is
> that their MTA includes our MTA's 550 response in its own bounce.
>
> Does such a solution exist?
>

I guess I am one who 'goes against the grain' on this one.
I believe that 'Out of Office' replies, responsibly used are NOT spam.
The last exchange server I was connected to, only sent out ONE(1) out of
office reply for a current setting of 'out of office', for any given
recipient.
These replies responsibly used can be of great value!
Mine would usually say something like
I am currently out of the office and expect to return on xx/xx/xxxx.
In my absence please contact
In my absence, please contact:
- For AreaA person1 person1@mycompany.com xxx-xxx-xxxx
- For AreaB person2 person2@mycompany.com xxx-xxx-xxxxx
- etc, etc,
All messages requiring my assistance will be returned on xx/xx/xxxx
If you need my immediate attention, please call xxx-xxx-xxxx and leave
a voice mail, which will page me.

I really do not believe responsible use of Out of Office is SPAM.
They serve an important business function in today's world!

From wb8tyw at qsl.network Tue Sep 29 19:40:39 2009
From: wb8tyw at qsl.network (John Malmberg)
Date: Tue Sep 29 19:45:08 2009
Subject: [Scspamcop] Re: Safe Out of Office replies?
In-Reply-To:
References: <20090927131526.c0167051.andrewb@zagam.net>
Message-ID:

Joe Gill wrote:
>
>>
> I guess I am one who 'goes against the grain' on this one.
> I believe that 'Out of Office' replies, responsibly used are NOT spam.
> The last exchange server I was connected to, only sent out ONE(1) out of
> office reply for a current setting of 'out of office', for any given
> recipient.

Unfortunately I have seen too many examples of them set up incorrectly and have flooded mailing lists with a reply to each unique user on the list. Even worse, it was not possible to determine what e-mail address was actually subscribed as the From: did not match any domain that was on the list.

Can you verify that your mail server will never send an Out of Office message to a message from a properly configured mailing list? Such will have a header line to indicate that the precedence is bulk.

> These replies responsibly used can be of great value!

Yes, as has been reported on US Network TV and various press articles.
Convicted criminals have reported that vacation/out of office messages on voice-mail are one of their best tools for stealing from companies.

> Mine would usually say something like
> I am currently out of the office and expect to return on
> xx/xx/xxxx. In my absence please contact
> In my absence, please contact:
> - For AreaA person1 person1@mycompany.com xxx-xxx-xxxx
> - For AreaB person2 person2@mycompany.com xxx-xxx-xxxxx
> - etc, etc,
> All messages requiring my assistance will be returned on xx/xx/xxxx
> If you need my immediate attention, please call xxx-xxx-xxxx and
> leave a voice mail, which will page me.

Can you set up that to only be sent in response to those people that are already in your address book?

It is not much of a stretch that if professional criminals are actively using voice-mail out of office messages for identity theft, that they are not actively using out of office responders in the same way.

What the criminal wants to know is who is out of the office, and for how long they can impersonate them.

One famous criminal who now claims to be reformed, was able to get expensive prototypes and confidential documents to be sent to the alleged hotel room of the person that was out of the office.

> I really do not believe responsible use of Out of Office is SPAM.
> They serve an important business function in today's world!

Why not take the safe and secure route of using delegates so that the important message for your business gets immediately delivered to a real person?

Wouldn't that be much nicer? It gives a better impression of your company than an out of office messages, it prevents the out-of-office messages from showing up in mailing lists and news groups.

It also makes it difficult for a criminal to pretend they are you.

-John
wb8tyw@qsl.network
Personal Opinion Only

From nobody at nowhere.not Wed Sep 30 02:44:08 2009
From: nobody at nowhere.not (Robert Blair)
Date: Wed Sep 30 02:45:08 2009
Subject: [Scspamcop] Re: Safe Out of Office replies?
References: <20090927131526.c0167051.andrewb@zagam.net>
Message-ID:

On Tue, 29 Sep 2009 17:34:39 UTC, "Joe Gill" wrote:

> I guess I am one who 'goes against the grain' on this one.
> I believe that 'Out of Office' replies, responsibly used are NOT spam.

I get a lot of 'Out of Office' messages and all of them are spam.

> The last exchange server I was connected to, only sent out ONE(1) out of
> office reply for a current setting of 'out of office', for any given
> recipient.

Even if I only get one of these it is still spam because I never sent you an email in the first place.

> These replies responsibly used can be of great value!
> Mine would usually say something like
> I am currently out of the office and expect to return on xx/xx/xxxx.
> In my absence please contact
> In my absence, please contact:
> - For AreaA person1 person1@mycompany.com xxx-xxx-xxxx
> - For AreaB person2 person2@mycompany.com xxx-xxx-xxxxx
> - etc, etc,
> All messages requiring my assistance will be returned on xx/xx/xxxx
> If you need my immediate attention, please call xxx-xxx-xxxx and leave
> a voice mail, which will page me.
>
> I really do not believe responsible use of Out of Office is SPAM.
> They serve an important business function in today's world!

If someone can configure an email server to handle 'Out of Office' messages correctly, so no spam is sent, I would like to see the configuration distributed to the world.

In the meantime do not use the 'Out of Office' message because they send way too much spam.

--
Robert Blair

From ppearson at nowhere.invalid Wed Sep 30 10:21:28 2009
From: ppearson at nowhere.invalid (Peter Pearson)
Date: Wed Sep 30 10:25:08 2009
Subject: [Scspamcop] Re: Another Phishing Attempt
References:
Message-ID:

On Wed, 30 Sep 2009 06:45:21 -0500, Kenneth Loafman wrote:
> This time from Korea...
>
> http://www.spamcop.net/sc?id=z3370162987z6d17255fda03ccf7ed69439f84c658b2z

And Canada...

http://www.spamcop.net/sc?id=z3370592655z77d52ff51884b3cffa4f5f0bec4149f8z

--
To email me, substitute nowhere->spamcop, invalid->net.

From tmcgraw at spamcop.net Wed Sep 30 11:33:23 2009
From: tmcgraw at spamcop.net (Tim McGraw)
Date: Wed Sep 30 11:35:08 2009
Subject: [Scspamcop] Re: Another Phishing Attempt
In-Reply-To:
References:
Message-ID:

Peter Pearson wrote:
> On Wed, 30 Sep 2009 06:45:21 -0500, Kenneth Loafman wrote:
>> This time from Korea...
>>
>> http://www.spamcop.net/sc?id=z3370162987z6d17255fda03ccf7ed69439f84c658b2z
>
> And Canada...
>
> http://www.spamcop.net/sc?id=z3370592655z77d52ff51884b3cffa4f5f0bec4149f8z

With no link, but all REPLY TOs going back to webservices@gala.net.

Reports about phish using dropbox webservices@gala.net sent to abuse/at/gblx.net and abuse/a/ip.datagroup.ua.

From nobody at devnull.spamcop.net Wed Sep 30 14:37:02 2009
From: nobody at devnull.spamcop.net (Lou)
Date: Wed Sep 30 14:40:08 2009
Subject: [Scspamcop] Re: Safe Out of Office replies?
In-Reply-To:
References: <20090927131526.c0167051.andrewb@zagam.net>
Message-ID:

Joe Gill wrote, On 9/29/2009 11:34 AM:
>
> They serve an important business function in today's world!
>

This thread and business practices must cycle back and forth like tie width.
Back in the dark ages when I was a belt-way-bandit our firm used "out of the office phone and email messages" until a vice pres, 3 levels up got a phone call that was reported to have gone something like:
'Joe, I sent Pinhead Underling an email to modify our contract to grab $500,000.00 of end of year money that DOD had.
I understand he is in Scottsdale. The Navy's contractor was able to move on this so they got the funds for their competing project.'

When Pinhead returned, they let him complete his trip report before cleaning out his desk.

New policy became as suggested here, someone monitor phone and email messages and found the right person to respond and not with "can you wait until he gets back?" Phone messages did not change if you were out to lunch or in Arabia. That became true if a secretary answered your phone or (one of) your cubicle mate(s).

I guess some things must be learned again and again and ...

From nobody at devnull.spamcop.net Wed Sep 30 14:32:15 2009
From: nobody at devnull.spamcop.net (Twayne)
Date: Wed Sep 30 14:45:09 2009
Subject: [Scspamcop] Re: Safe Out of Office replies?
References: <20090927131526.c0167051.andrewb@zagam.net>
Message-ID:

"Joe Gill" wrote in message
news:h9tgkt$5vk$1@news.spamcop.net
> "Andrew Buckeridge" wrote in message
> news:20090927131526.c0167051.andrewb@zagam.net...
>> Many people expect that they should be able to send "Out of Office"
>> replies, but don't want to or are unable to comprehend how
>> destructive such a reckless act is to the Internet.
>>
>> The problem is that "Out of Office" replies and other bounces still
>> make up a significant proportion of spam and dealing with spam
>> requires a comprehensive approach knocking out a little bit at a
>> time. A more conventional approach would be to use empty "MAIL
>> FROM:<>"
>> and "Return-Path: <>" in the bounce as required by the SMTP (RFC 5321
>> 4.5.5). Sites that do not wish to receive such "notifications" can
>> discard email with an empty "MAIL FROM:<>" or "Return-Path: <>" from
>> the Internet and only accept it from within their own protected
>> networks.
>>
>> "Out of Office" replies are sometimes sent with a non-empty
>> "MAIL FROM:<>" or "Return-Path: <>" in violation of the SMTP which
>> means that this simple filtering scheme will not work.
>>
>> My idea is to have a directory "vacation" of user vacation messages
>> where file name is the address or the local part of the address. (As
>> the SMTP and DNS are case insensitive you will need to squash the
>> email address to lower case before searching this directory.)
>>
>> RCPT TOs including those in the "vacation" directory are accepted
>> normally.
>>
>> DATA is processed normally and after the dot '.' the email is spooled
>> for delivery to each RCPT, however a hard fail 550 response will be
>> sent if any of the RCPTs are in the "vacation" directory and contents
>> files found displayed as continuation lines "550-" before the final
>> "550 " descriptive message explaining this action.
>>
>> Our site operating such an MTA would then not be producing any
>> bounce. Sites running correctly configured MTAs will be generating
>> bounces only for their own users. All that is then required for a
>> meaningful reply is that their MTA includes our MTA's 550 response
>> in its own bounce. Does such a solution exist?
>>
> I guess I am one who 'goes against the grain' on this one.
> I believe that 'Out of Office' replies, responsibly used are NOT
> spam. The last exchange server I was connected to, only sent out
> ONE(1) out of office reply for a current setting of 'out of office',
> for any given recipient.
> These replies responsibly used can be of great value!
> Mine would usually say something like
> I am currently out of the office and expect to return on
> xx/xx/xxxx. In my absence please contact
> In my absence, please contact:
> - For AreaA person1 person1@mycompany.com xxx-xxx-xxxx
> - For AreaB person2 person2@mycompany.com xxx-xxx-xxxxx
> - etc, etc,
> All messages requiring my assistance will be returned on xx/xx/xxxx
> If you need my immediate attention, please call xxx-xxx-xxxx and
> leave a voice mail, which will page me.
>
> I really do not believe responsible use of Out of Office is SPAM.
> They serve an important business function in today's world!

It isn't YOU that makes them spam, or at least not directly. But if you respond to a spam, you've not only given the bottom feeders the impression you read spam, your address will instantly sell for a higher price. Plus, when it ends up in MY mailbox because of the forgeries, you WILL be reported for spamming. It's not your fault necessarily, but ... it's your fault if you do so knowing better and I get one that traces back to you. Remember, the content of spam is useless; I don't even read it anymore, I just report it.

From nobody at devnull.spamcop.net Wed Sep 30 14:56:22 2009
From: nobody at devnull.spamcop.net (Twayne)
Date: Wed Sep 30 15:00:08 2009
Subject: [Scspamcop] Re: Safe Out of Office replies?
References: <20090927131526.c0167051.andrewb@zagam.net>
Message-ID:

"Lou" wrote in message
news:ha08gn$s87$1@news.spamcop.net
> Joe Gill wrote, On 9/29/2009 11:34 AM:
>>
>> They serve an important business function in today's world!
>>
> This thread and business practices must cycle back and forth like tie
> width.
> Back in the dark ages when I was a belt-way-bandit our firm used "out
> of the office phone and email messages" until a vice pres, 3 levels
> up got a phone call that was reported to have gone something like:
> 'Joe, I sent Pinhead Underling an email to modify our contract to grab
> $500,000.00 of end of year money that DOD had. I understand he is in
> Scottsdale. The Navy's contractor was able to move on this so they got
> the funds for their competing project.'
>
> When Pinhead returned, they let him complete his trip report before
> cleaning out his desk.
>
> New policy became as suggested here, someone monitor phone and email
> messages and found the right person to respond and not with "can you
> wait until he gets back?" Phone messages did not change if you were
> out to lunch or in Arabia. That became true if a secretary answered
> your
> phone or (one of) your cubicle mate(s).
>
> I guess some things must be learned again and again and ...

How true. Beltway or Pirate Bay, it's the same all over too. Common sense and forethought seem to have been abandoned these days. It's a "do it & forget it" world today.

From nobody at devnull.spamcop.net Wed Sep 30 14:58:15 2009
From: nobody at devnull.spamcop.net (Twayne)
Date: Wed Sep 30 15:00:09 2009
Subject: [Scspamcop] Re: Safe Out of Office replies?
References: <20090927131526.c0167051.andrewb@zagam.net>
Message-ID:

"Geoffrey Hyde" wrote in message
news:h9rfe9$pjj$1@news.spamcop.net
> "Andrew Buckeridge" wrote in message
> news:20090927131526.c0167051.andrewb@zagam.net...
>> Many people expect that they should be able to send "Out of Office"
>> replies, but don't want to or are unable to comprehend how
>> destructive such a reckless act is to the Internet.
>
> With what you're trying to implement on your server, what happens if
> the spammer fills up someone's mailbox allowance while they're on
> vacation?
> As per a recent RFC, it is no longer required that a mailserver
> forward on a mail item if it can be determined that it's a likely
> spam mail.
> If you can identify someone's spam for them via an incoming mail
> server filter, and direct it to someplace other than their mail
> inbox, or throw it away, it's likely that they'll never get their
> mailbox filled this way. If not, I would strongly suggest that you
> implement something before it becomes a problem.
>
>
> Cheers ...
>
> Geoffrey Hyde

Not to be a party pooper, but ... Out of Office messages should be verboten completely outside the demarc. It's not that much trouble to notify your list before you leave that you'll be OOO, or assign someone, perhaps your dept secretary, to collect your mails for you or maybe respond that you're OOO or better yet, send people on to someone who CAN help them. It's just not necessary to use them, and there are too many ways to avoid the necessity.
The ONLY way I can see to do it would be to refuse anything from anyone not already in your address book; but that has some pretty bad downsides. No one is indispensable and there is always someone that can pitch hit in the interims.

Twayne`

From nobody at spamcop.net Wed Sep 30 17:01:56 2009
From: nobody at spamcop.net (Bar0)
Date: Wed Sep 30 17:05:09 2009
Subject: [Scspamcop] Re: Another Phishing Attempt
References:
Message-ID:

"Tim McGraw" wrote in message
news:h9vtoj$lnq$1@news.spamcop.net...
> Peter Pearson wrote:
>> On Wed, 30 Sep 2009 06:45:21 -0500, Kenneth Loafman
>> wrote:
>>> This time from Korea...
>>>
>>> http://www.spamcop.net/sc?id=z3370162987z6d17255fda03ccf7ed69439f84c658b2z
>>
>> And Canada...
>>
>> http://www.spamcop.net/sc?id=z3370592655z77d52ff51884b3cffa4f5f0bec4149f8z
>
> With no link, but all REPLY TOs going back to webservices@gala.net.
>
> Reports about phish using dropbox webservices@gala.net sent to
> abuse/at/gblx.net and abuse/a/ip.datagroup.ua.

I've been seeing gala.net registered in Ukraine as a phishing site and dropbox for about 1/2 a year now. I gala is setup for that function.

From nobody at devnull.spamcop.net Wed Sep 30 21:26:11 2009
From: nobody at devnull.spamcop.net (Sofa King Tyred of Lar Ting)
Date: Wed Sep 30 21:30:09 2009
Subject: [Scspamcop] Re: Leaving SpamCop
In-Reply-To:
References:
Message-ID:

Ellen wrote:
> Hi folks -- tomorrow is my last day at SpamCop.

Wow. Strange coincidence that I haven't read this group in a long time and come back to read this news. It's been good to read your posts here!
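
Added example, not part of any post above and not code from Exim, Exchange or SpamCop: the "Safe Out of Office replies?" thread asks whether a responder can be set up so it never answers list mail (the Precedence: bulk question), bounces with an empty MAIL FROM:<>, or forged spam. This Python decision function applies the checks RFC 3834 recommends for automatic responders, plus the address-book restriction suggested in the thread; the class and function names, the sample messages and the one-week interval are assumptions.

```python
from email import message_from_string
from email.message import EmailMessage
from email.utils import getaddresses

REPLY_INTERVAL = 7 * 24 * 3600  # assumption: one notice per sender per week
BULK_PRECEDENCE = {"bulk", "list", "junk"}
LIST_HEADERS = ("List-Id", "List-Unsubscribe", "List-Post")


class VacationResponder:
    """Hypothetical responder for one mailbox; not any real MTA's API."""

    def __init__(self, owner, known_senders=None):
        self.owner = owner.lower()
        # None: answer anyone; a set: answer address-book entries only.
        self.known = None if known_senders is None else {a.lower() for a in known_senders}
        self.last_reply = {}  # envelope sender -> time of last notice

    def decide(self, envelope_from, raw_message, now):
        """Return (send_notice, reason) for one delivered message."""
        msg = message_from_string(raw_message)
        sender = envelope_from.strip().strip("<>").strip().lower()
        if not sender:
            return False, "null return path"  # MAIL FROM:<> marks a bounce
        local = sender.partition("@")[0]
        if local == "mailer-daemon" or local.startswith("owner-") or local.endswith("-request"):
            return False, "daemon or list address"
        if msg.get("Auto-Submitted", "no").split(";")[0].strip().lower() != "no":
            return False, "automatic message"
        if msg.get("Precedence", "").strip().lower() in BULK_PRECEDENCE:
            return False, "bulk precedence"
        if any(name in msg for name in LIST_HEADERS):
            return False, "mailing list"
        rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
        if self.owner not in {addr.lower() for _, addr in rcpts}:
            return False, "not addressed to owner"  # Bcc'd bulk mail and spam
        if self.known is not None and sender not in self.known:
            return False, "unknown sender"
        last = self.last_reply.get(sender)
        if last is not None and now - last < REPLY_INTERVAL:
            return False, "already notified"
        self.last_reply[sender] = now
        return True, "send"


def build_notice(owner, envelope_from, raw_message, text):
    """Return (mail_from, rcpt_to, message) for the notice itself."""
    original = message_from_string(raw_message)
    notice = EmailMessage()
    notice["From"] = owner
    notice["To"] = envelope_from.strip("<>")
    notice["Subject"] = "Auto: " + " ".join(original.get("Subject", "").split())
    notice["Auto-Submitted"] = "auto-replied"  # lets other responders skip it
    if original.get("Message-ID"):
        notice["In-Reply-To"] = " ".join(original["Message-ID"].split())
    notice.set_content(text)
    return "", envelope_from.strip("<>"), notice  # "" is MAIL FROM:<>


# Constructed sample traffic for away@example.com (not taken from the thread).
OWNER = "away@example.com"
SAMPLES = {
    "customer": ("<pat@partner.example>",
                 "From: Pat <pat@partner.example>\nTo: away@example.com\n"
                 "Subject: Contract draft\nMessage-ID: <1@partner.example>\n\nHi\n"),
    "list": ("<users-bounces@lists.example>",
             "From: someone@else.example\nTo: users@lists.example\n"
             "Precedence: bulk\nList-Id: <users.lists.example>\nSubject: x\n\nHi\n"),
    "bounce": ("<>", "From: MAILER-DAEMON@mx.example\nTo: away@example.com\n"
                     "Subject: Undelivered mail\n\nfailed\n"),
    "forged": ("<victim@third.example>",
               "From: victim@third.example\nTo: away@example.com\n"
               "Subject: Cheap pills\n\nbuy\n"),
}


def run_samples(known_senders=None):
    responder = VacationResponder(OWNER, known_senders)
    return {n: responder.decide(e, raw, now=1000) for n, (e, raw) in SAMPLES.items()}
```

With no address book the forged sample still earns a notice, which is the backscatter and absence-disclosure case the thread argues about; passing `known_senders` closes it at the cost of not answering new correspondents.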