From nobody at devnull.spamcop.net Thu Jul 1 08:38:48 2004 From: nobody at devnull.spamcop.net (brewman) Date: Wed Jun 30 15:35:24 2004 Subject: [SC-Help] Re: Citibank - it's the BANK that's STUPID ;-) References: Message-ID: "Martin Edwards" wrote > See same heading in .spam. On the one hand you would have to be stupid > to fall for this, but am I alone in finding this kind of thing > despicable even if anyone is that stupid? STUPID? *I'LL* tell you who's STUPID. The banks! Have you any idea of the number of times I have gone to that site to correct and confirm my information?? And what do they do? Keep asking me to do it again and again! And as if THAT isn't enough, they keep putting through horrendous charges on MY account for the 'privilege'! Not only Citibank, but Westpac & all my other banks do it too! If this carries on, soon ALL my money will be gone on these STUPID BANKS WHO CAN'T GET IT RIGHT!!! -- Brewman Brewman.Luser@brycom.cX.nX which really ends with dot co dot nz From deadmail at snea.invalid Thu Jul 1 00:26:13 2004 From: deadmail at snea.invalid (zaax) Date: Wed Jun 30 18:30:05 2004 Subject: [SC-Help] SpamCop encountered errors Message-ID: What went wrong? SpamCop encountered errors while saving spam for processing: SpamCop could not find your spam message in this email: Return-Path: Received: from vmx1.spamcop.net (unknown [192.168.18.81]) by sc-app4.eq.ironport.com (Postfix) with ESMTP id B918950E7 for ; Wed, 30 Jun 2004 15:16:29 -0700 (PDT) Received: from sitemail3.everyone.net (HELO omta06.mta.everyone.net) (216.200.145.37) by vmx1.spamcop.net with ESMTP; 30 Jun 2004 15:16:29 -0700 Received: from imta15.mta.everyone.net (bigip34 [216.200.145.26]) by omta06.mta.everyone.net (Postfix) with ESMTP id C04957C10F for ; Wed, 30 Jun 2004 15:16:23 -0700 (PDT) Received: by imta15.mta.everyone.net (Postfix) id 274112F04D; Wed, 30 Jun 2004 15:16:22 -0700 (PDT) Delivered-To: gatsos@ukgatsos.com Received: from pmta11.mta.everyone.net (bigiplb-dsnat [172.16.0.19]) by imta15.mta.everyone.net (Postfix) with ESMTP id A48822F02C for ; Wed, 30 Jun 2004 15:16:21 -0700 (PDT) Received: from pcp01461317pcs.hershy01.pa.comcast.net (68.83.9.95 [68.83.9.95]) by pmta11.mta.everyone.net (EON-PMTA) with SMTP id CFC9697D; Wed, 30 Jun 2004 15:16:21 -0700 X-Message-Info: %RNDUCCHAR14%RNDLCCHAR13%RNDUCCHAR13%RNDDIGIT13%RNDLCCHAR13%RNDUCCHAR13%R NDLCCHAR13%RNDUCCHAR13%RNDLCCHAR13%RNDDIGIT13%RNDLCCHAR13%RNDDIGIT13%RNDU CCHAR13%RNDDIGIT13%RNDUCCHAR13%RNDLCCHAR13%RNDUCCHAR13%RNDLCCHAR13 Received: from %RNDLCCHAR19%RNDDIGIT12.charter.com (232.40.143.166) by %RNDLCCHAR13%RNDDIGIT13-%RNDLCCHAR13.charter.com with Microsoft SMTPSVC(5.0.2195.6824); Thu, 01 Jul 2004 02:23:19 +0500 Received: from %RNDWORD13%RNDLCCHAR13%RNDDIGIT13 (electrolytic40.188.64.174) by charter.com (%RNDLCCHAR26%RNDDIGIT13) with SMTP id <%RNDDIGIT515%RNDLCCHAR13%RNDDIGIT15%RNDLCCHAR13> (Authid: voncronk); Wed, 30 Jun 2004 15:26:19 -0600 From: "von cronk" To: "'Gatsos'" Subject: Fwd: Need Meds V1co\din ' Va|ium ` V|@gra ~ :X:ANAx Pntermin ' :Soma: hodqbuuzutpe Date: Wed, 30 Jun 2004 23:25:19 +0200 Message-ID: <%RNDDIGIT27%RNDLCCHAR13%RNDDIGIT13%RNDLCCHAR13%RNDDIGIT13$%RNDDIGIT13%RN DLCCHAR13%RNDDIGIT13%RNDLCCHAR13%RNDDIGIT14$%RNDDIGIT13%RNDLCCHAR13%RNDDI GIT13%RNDLCCHAR14@%RNDWORD13%RNDLCCHAR13%RNDDIGIT13%RNDDIGIT13> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="--66424844991339160" Sender: dietrich_kiana@bluerocketonline.com ----66424844991339160 Content-Type: text/html; Content-Transfer-Encoding: quoted-printable pillomatic.biz

Hi Gatsos,

We supply high qualit= y medications by mail order at very competit= ive prices a= nd provide a professional, convenient and affordable means of purchasing yo= ur prescription medicines online

Highest quality drugs we offer: ; S:o:ma - v|@gra % V+a+lium ~ Xan|a|x # P= nterm.i.n ' At|v:@n

Plus: L'3v|tra, P:r0p3cia, Acyc|0.vir, Pr0z'@c, P@xi`l, Bus.p@r, Ad|p:3x, = I0*nam|n, M'3ridia, X3n'ica|, Ambi3.n, S0na`Ta, Fl3`xeril, Ce|3br'ex, Fi0r= ic`3t, Tram@d'o|, U|t`r@m

We accept almost every form of payment.

Because you can add more to yo= ur life. shop Now. www.pillomatic.biz.

Best Regards,

von cronk <= nilpotent>= <=appearance> <= Gatsos> <=wangle> ----66424844991339160-- The email which triggered this auto-response had the following headers: Return-Path: Received: from vmx1.spamcop.net (unknown [192.168.18.81]) by sc-app4.eq.ironport.com (Postfix) with ESMTP id B918950E7 for ; Wed, 30 Jun 2004 15:16:29 -0700 (PDT) Received: from sitemail3.everyone.net (HELO omta06.mta.everyone.net) (216.200.145.37) by vmx1.spamcop.net with ESMTP; 30 Jun 2004 15:16:29 -0700 Received: from imta15.mta.everyone.net (bigip34 [216.200.145.26]) by omta06.mta.everyone.net (Postfix) with ESMTP id C04957C10F for ; Wed, 30 Jun 2004 15:16:23 -0700 (PDT) Received: by imta15.mta.everyone.net (Postfix) id 274112F04D; Wed, 30 Jun 2004 15:16:22 -0700 (PDT) Delivered-To: gatsos@ukgatsos.com Received: from pmta11.mta.everyone.net (bigiplb-dsnat [172.16.0.19]) by imta15.mta.everyone.net (Postfix) with ESMTP id A48822F02C for ; Wed, 30 Jun 2004 15:16:21 -0700 (PDT) Received: from pcp01461317pcs.hershy01.pa.comcast.net (68.83.9.95 [68.83.9.95]) by pmta11.mta.everyone.net (EON-PMTA) with SMTP id CFC9697D; Wed, 30 Jun 2004 15:16:21 -0700 X-Message-Info: %RNDUCCHAR14%RNDLCCHAR13%RNDUCCHAR13%RNDDIGIT13%RNDLCCHAR13%RNDUCCHAR13%R NDLCCHAR13%RNDUCCHAR13%RNDLCCHAR13%RNDDIGIT13%RNDLCCHAR13%RNDDIGIT13%RNDU CCHAR13%RNDDIGIT13%RNDUCCHAR13%RNDLCCHAR13%RNDUCCHAR13%RNDLCCHAR13 Received: from %RNDLCCHAR19%RNDDIGIT12.charter.com (232.40.143.166) by %RNDLCCHAR13%RNDDIGIT13-%RNDLCCHAR13.charter.com with Microsoft SMTPSVC(5.0.2195.6824); Thu, 01 Jul 2004 02:23:19 +0500 Received: from %RNDWORD13%RNDLCCHAR13%RNDDIGIT13 (electrolytic40.188.64.174) by charter.com (%RNDLCCHAR26%RNDDIGIT13) with SMTP id <%RNDDIGIT515%RNDLCCHAR13%RNDDIGIT15%RNDLCCHAR13> (Authid: voncronk); Wed, 30 Jun 2004 15:26:19 -0600 From: "von cronk" To: "'Gatsos'" Subject: Fwd: Need Meds V1co\din ' Va|ium ` V|@gra ~ :X:ANAx Pntermin ' :Soma: hodqbuuzutpe Date: Wed, 30 Jun 2004 23:25:19 +0200 Message-ID: <%RNDDIGIT27%RNDLCCHAR13%RNDDIGIT13%RNDLCCHAR13%RNDDIGIT13$%RNDDIGIT13%RN DLCCHAR13%RNDDIGIT13%RNDLCCHAR13%RNDDIGIT14$%RNDDIGIT13%RNDLCCHAR13%RNDDI GIT13%RNDLCCHAR14@%RNDWORD13%RNDLCCHAR13%RNDDIGIT13%RNDDIGIT13> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="--66424844991339160" Sender: dietrich_kiana@bluerocketonline.com -- Zaax http://www.ukgatsos.com From ob1db at spamcop.net Thu Jul 1 02:01:38 2004 From: ob1db at spamcop.net (David Butler) Date: Thu Jul 1 01:05:12 2004 Subject: [SC-Help] Re: Citibank - it's the BANK that's STUPID ;-) References: Message-ID: "brewman" wrote in message news:cbv4l4$rji$1@news.spamcop.net... > "Martin Edwards" wrote > > See same heading in .spam. On the one hand you would have to be > stupid > > to fall for this, but am I alone in finding this kind of thing > > despicable even if anyone is that stupid? > > STUPID? *I'LL* tell you who's STUPID. The banks! Have you any idea of > the number of times I have gone to that site to correct and confirm my > information?? And what do they do? Keep asking me to do it again and > again! And as if THAT isn't enough, they keep putting through > horrendous charges on MY account for the 'privilege'! > > Not only Citibank, but Westpac & all my other banks do it too! If this > carries on, soon ALL my money will be gone on these STUPID BANKS WHO > CAN'T GET IT RIGHT!!! > Really ? I have NEVER had a legitimate bank ask for this online nor ever paid a dime on fees for any online updates I have done on my own. And Fleet Bank is the biggest, most overcharging bunch of bankers in New England! Change banks, lad ! From nobody at spamcop.net Thu Jul 1 00:34:17 2004 From: nobody at spamcop.net (Don Wannit) Date: Thu Jul 1 02:35:03 2004 Subject: [SC-Help] Re: "no Java Script, No Report" In-Reply-To: References: Message-ID: Glenn Daniels wrote: > "Blammo" wrote in message > news:Xns9517EAFA17225blammo@216.154.195.61... > >>On 29 Jun 2004 Larry Kilgallen entered spamcop.help and left >>news:fbjUnrQlkeg1@eisner.encompasserve.org: >> >> >>>Because SpamCop is programmed to insist you lower your browser security >>>to perform certain functions. > > >>I fail to see the connection between security and basic Javascript >>functionality. I don't see how you can blame this on SpamCop. > > > > Ah... but when you set IE6 security in Internet Zone to "high", > you disable basic Javascript functionality: Then you are > supposed to put sites you trust in the "Trusted Sites > Zone" and relax the restrictions on what is allowed > using default or customized settings specific to that zone. > > Glenn Daniels That sure sounds like another reason not to use IE as a browser (as if more reasons were needed). Other browsers don't mix those unrelated concepts and create such unintended (I hope) consequences. Typically I've got Safari 1.2.2, Netscape 7.1, Firefox 0.8, and Opera 7.5.1 all running simultaneously on my Mac running OS X. The application dock at the bottom of the screen makes it super simple to switch back and forth and try a web page in various browsers. [plug, plug] Since I'm doing web site development now, I also have to fire up IE 5.2 on MacOS, and also run IE6 and other versions on Windoze, for which I use VirtualPC with quite acceptable performance on a G4. Once in a while I resort to a real PC running native Windows, but only for final verification. Not for daily use. (Linux makes better use of available CPU cycles). The only reason I ever use IE is to check for browser compatibility (c.f. other threads). It definitely is not my browser of choice, and this comment about Javascript disabled unless other trust is granted as well makes me even less likely to recommend IE to friends and customers. I need to try to make my web sites work at least acceptably with every browser, with Javascript enabled or disabled. But it's for business, and it's a shame to turn away a potential customer for any reason if it's at all avoidable. Javascript should enable additional functionality (like a "Check All" button), but the same effect should be available to the user without Javascript (checking all the boxes manually). Javascript can do client-side validation and error-checking to make it faster from the user's perspective, but should never be relied on from the server's point of view. Requiring Javascript to perform the action, and thereby presuming that Javascript performed the pre-checking, without verifying again on the server side is just plain naiive. Enough rant for now. -- Don Wannit A paid SpamCop user since 1999 From nobody at spamcop.net Thu Jul 1 00:51:21 2004 From: nobody at spamcop.net (Don Wannit) Date: Thu Jul 1 02:55:03 2004 Subject: [SC-Help] Re: Citibank In-Reply-To: References: Message-ID: [top-posting corrected for conversational flow] nobody wrote: > eddie wrote: >> Why should they? It's not their fault that some of their customers are >> idiots. And it keeps the worldwide cashflow up. It benefits the poor. >> It's >> a good liberal thing to do. > > Why should they care? There customer is only responsible for the first > $50.00 of charges. They eat the rest. These scams are costing the banks > a fortune. > No, you're quite wrong there. The credit card issuing banks are *not*, I say again, *not*, eating the rest. They have little or no loss due to fraudulent use of credit card numbers. This is their dirty little secret. It's the merchants and especially small businesses that incur those losses. The banks don't lose a thing. They control the game completely, and bill all disputed credit card charges back to the merchant, plus a "chargeback" penalty fee. The merchant gets hit with the entire loss, not the bank. And, since this becomes part of the cost of doing business, ultimately it's consumers who pay the price of the fraud. True, any individual consumer's loss is limited to $50 (subject to limits and exclusions, be careful about long trips and crossing state lines!). But eventually everyone pays the cost collectively in the form of higher prices, because that loss has to be paid somehow, just like the utility bills and employee salaries. The banks would love to have everyone believe that they are taking it on the chin, and that's why they have interest rates of 18%, 19%, 22%, plus other fees. Don't believe it for a second. The banks pass *every* *single* *loss* right back to the merchant who was unfortunate enough to believe the customer and ship goods on a credit card transaction that was approved in real-time by the bank. If the banks did in fact "eat" the loss for a transaction they approved but which later turned out to be fraudulent, then they might be justified in charging rates and fees that until recently were illegal and were called "usury". But they don't, so they should not be. Instead, they're rolling in dough, with lots of gravy. [images of chicken-and-dumplings come to mind, it's time to get something to eat!] -- Don Wannit A paid SpamCop user since 1999 From nobody at spamcop.net Thu Jul 1 01:08:50 2004 From: nobody at spamcop.net (Don Wannit) Date: Thu Jul 1 03:10:05 2004 Subject: [SC-Help] Re: Citibank In-Reply-To: References: Message-ID: David Butler wrote: > "Martin Edwards" wrote in message > news:cbutjc$lhv$2@news.spamcop.net... > >>See same heading in .spam. On the one hand you would have to be stupid >>to fall for this, but am I alone in finding this kind of thing >>despicable even if anyone is that stupid? > > > I see in Eweek there is a Congressional move on to pass legislation on this > ASAP > > But it's already illegal. I'm certainly relieved that Congress is going to make it even more illegal. *That* should cut it off straightaway. :-P From flippetyfloo at fake.com Thu Jul 1 01:39:21 2004 From: flippetyfloo at fake.com (RandallW) Date: Thu Jul 1 03:40:04 2004 Subject: [SC-Help] Re: Citibank References: Message-ID: "Martin Edwards" wrote in message news:cbutjc$lhv$2@news.spamcop.net... > See same heading in .spam. On the one hand you would have to be stupid > to fall for this, but am I alone in finding this kind of thing > despicable even if anyone is that stupid? There is an estimate that perhaps 5% of these phising mails are answered. From deadmail at snea.invalid Thu Jul 1 11:57:20 2004 From: deadmail at snea.invalid (zaax) Date: Thu Jul 1 06:05:25 2004 Subject: [SC-Help] Re: SpamCop encountered errors References: Message-ID: In article , Anon_ writes > >"zaax" wrote in message >news:AWtqddLF4z4AFwKY@ntl.com... >> What went wrong? >> >> SpamCop encountered errors while saving spam for processing: SpamCop >> could not find your spam message in this email: >> >> Return-Path: >> Received: from vmx1.spamcop.net (unknown [192.168.18.81]) >> by sc-app4.eq.ironport.com (Postfix) with ESMTP id B918950E7 >> for ; Wed, 30 Jun 2004 >> 15:16:29 -0700 (PDT) >> Received: from sitemail3.everyone.net (HELO omta06.mta.everyone.net) >> (216.200.145.37) >> by vmx1.spamcop.net with ESMTP; 30 Jun 2004 15:16:29 -0700 >> Received: from imta15.mta.everyone.net (bigip34 [216.200.145.26]) >> by omta06.mta.everyone.net (Postfix) with ESMTP id C04957C10F >> for ; Wed, 30 Jun 2004 >> 15:16:23 -0700 (PDT) >> Received: by imta15.mta.everyone.net (Postfix) >> id 274112F04D; Wed, 30 Jun 2004 15:16:22 -0700 (PDT) >> Delivered-To: gatsos@ukgatsos.com >> Received: from pmta11.mta.everyone.net (bigiplb-dsnat [172.16.0.19]) >> by imta15.mta.everyone.net (Postfix) with ESMTP id A48822F02C >> for ; Wed, 30 Jun 2004 15:16:21 -0700 (PDT) >> Received: from pcp01461317pcs.hershy01.pa.comcast.net (68.83.9.95 >> [68.83.9.95]) >> by pmta11.mta.everyone.net (EON-PMTA) with SMTP >> id CFC9697D; Wed, 30 Jun 2004 15:16:21 -0700 >> X-Message-Info: >> %RNDUCCHAR14%RNDLCCHAR13%RNDUCCHAR13%RNDDIGIT13%RNDLCCHAR13%RNDUCCHAR13%R >> NDLCCHAR13%RNDUCCHAR13%RNDLCCHAR13%RNDDIGIT13%RNDLCCHAR13%RNDDIGIT13%RNDU >> CCHAR13%RNDDIGIT13%RNDUCCHAR13%RNDLCCHAR13%RNDUCCHAR13%RNDLCCHAR13 >> Received: from %RNDLCCHAR19%RNDDIGIT12.charter.com (232.40.143.166) by >> %RNDLCCHAR13%RNDDIGIT13-%RNDLCCHAR13.charter.com with Microsoft >> SMTPSVC(5.0.2195.6824); >> Thu, 01 Jul 2004 02:23:19 +0500 >> Received: from %RNDWORD13%RNDLCCHAR13%RNDDIGIT13 >> (electrolytic40.188.64.174) >> by charter.com (%RNDLCCHAR26%RNDDIGIT13) with SMTP >> id <%RNDDIGIT515%RNDLCCHAR13%RNDDIGIT15%RNDLCCHAR13> >> (Authid: voncronk); >> Wed, 30 Jun 2004 15:26:19 -0600 >> From: "von cronk" >> To: "'Gatsos'" >> Subject: Fwd: Need Meds V1co\din ' Va|ium ` V|@gra ~ :X:ANAx Pntermin ' >> :Soma: hodqbuuzutpe >> Date: Wed, 30 Jun 2004 23:25:19 +0200 >> Message-ID: >> <%RNDDIGIT27%RNDLCCHAR13%RNDDIGIT13%RNDLCCHAR13%RNDDIGIT13$%RNDDIGIT13%RN >> DLCCHAR13%RNDDIGIT13%RNDLCCHAR13%RNDDIGIT14$%RNDDIGIT13%RNDLCCHAR13%RNDDI >> GIT13%RNDLCCHAR14@%RNDWORD13%RNDLCCHAR13%RNDDIGIT13%RNDDIGIT13> >> MIME-Version: 1.0 >> Content-Type: multipart/alternative; >> boundary="--66424844991339160" >> Sender: dietrich_kiana@bluerocketonline.com >> >> - > >> -- >> Zaax >> http://www.ukgatsos.com > >** >What part of DO NOT POST SPAM HERE do you not understand?? > What I don't understand when I ask for help a prat like you answers -- Zaax http://www.ukgatsos.com From x-code at no-spam-please.hotpop.com Thu Jul 1 17:33:17 2004 From: x-code at no-spam-please.hotpop.com (Dmitriy Lapshin) Date: Thu Jul 1 09:35:13 2004 Subject: [SC-Help] Changing registration type? Message-ID: Hi all, I initially registered with SpamCop as a mole, but now it turns out that the mole experiment've failed. Given that, how can I change my registration to the normal one? I've tried searching the FAQ but found nothing related. Is this just me? If yes - pointing me to the right FAQ page would be greatly appreciated. Thanks in advance! Dima. From aukword666 at attglobal.net Thu Jul 1 10:59:44 2004 From: aukword666 at attglobal.net (Glenn Daniels) Date: Thu Jul 1 10:00:07 2004 Subject: [SC-Help] Re: Changing registration type? References: Message-ID: "Dmitriy Lapshin" wrote in message news:cc13qv$kod$1@news.spamcop.net... > Hi all, > > I initially registered with SpamCop as a mole, but now it turns out that the > mole experiment've failed. Given that, how can I change my registration to > the normal one? Log in. Look for "Preferences" on the Login page: it takes you here... http://www.spamcop.net/mcgi?action=prefmenu umm... scroll down and uncheck the "Report as mole" box. Scroll down and "Save changes". 'Saboutit... Glenn From MikeE at ster.invalid Thu Jul 1 08:34:29 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jul 1 10:40:05 2004 Subject: [SC-Help] Re: Changing registration type? References: Message-ID: Glenn Daniels wrote: > "Dmitriy Lapshin" >> I initially registered with SpamCop as a mole, but now it turns out >> that the mole experiment've failed. Given that, how can I change my >> registration to the normal one? > > > Log in. > Look for "Preferences" on the Login page: it takes you > here... > http://www.spamcop.net/mcgi?action=prefmenu > umm... scroll down and uncheck the > "Report as mole" box. > Scroll down and "Save changes". Preferences is a function for paid people who can login, but not free reporters. If you are a free reporter, you need to 're-do' your signup authorization, and when you re-do it, uncheck report as mole. http://www.spamcop.net/anonsignup.shtml You may re-run this free authorization whenever you need to. If you do, any previous authorization information associated with your email address will be deleted. The same applies to such as having a 'bad' friendly name on the webparser page, unless there's some secret I don't know. -- Mike Easter kibitzer, not SC admin From ob1db at spamcop.net Thu Jul 1 11:39:27 2004 From: ob1db at spamcop.net (David Butler) Date: Thu Jul 1 10:40:08 2004 Subject: [SC-Help] Re: SpamCop encountered errors References: Message-ID: "Anon_" wrote in message news:cbvp45$gq0$1@news.spamcop.net... > > "zaax" wrote in message snip > > ** > What part of DO NOT POST SPAM HERE do you not understand?? > > -- What part of "you are acting like a putz with a newbie" don't YOU understand? He posted the headers, not the full spam. An intelligent response would be "it is better not to post this here, please post to .spam and put your questions here." That would be an adult response... Don't bother responding. From ob1db at spamcop.net Thu Jul 1 11:42:43 2004 From: ob1db at spamcop.net (David Butler) Date: Thu Jul 1 10:45:04 2004 Subject: [SC-Help] Re: SpamCop encountered errors References: Message-ID: "zaax" wrote in message news:AWtqddLF4z4AFwKY@ntl.com... > What went wrong? > > SpamCop encountered errors while saving spam for processing: SpamCop > could not find your spam message in this email: > Ongoing problem with the email system. Next time, two suggestions: A: search the NG for related topics, this has been discussed MANY times. B: don't post the email here at all, just post your question and place the email or spam in the .spam group If you still have the original spams, resubmit... David From eddie at eddie.web Thu Jul 1 13:05:44 2004 From: eddie at eddie.web (eddie) Date: Thu Jul 1 12:10:03 2004 Subject: [SC-Help] Re: Citibank - it's the BANK that's STUPID ;-) References: Message-ID: On Thu, 01 Jul 2004 01:01:38 -0400, David Butler scratched out the following: snip > And Fleet Bank is the biggest, most overcharging bunch of bankers in New > England! Fleet is a good name - they used to be named Fly by Night, and Fleet Street is in Old England, so it figures. They had thought of calling themselves Fleece Bank, thinking they could pull the wool over their client's eyes, but they decided on Fleet - which, BTW, is also the name of an enema company and product. From eddie at eddie.web Thu Jul 1 13:07:32 2004 From: eddie at eddie.web (eddie) Date: Thu Jul 1 12:10:05 2004 Subject: [SC-Help] Re: Citibank References: Message-ID: On Thu, 01 Jul 2004 00:08:50 -0700, Don Wannit scratched out the following: snip > > But it's already illegal. I'm certainly relieved that Congress is going > to make it even more illegal. *That* should cut it off straightaway. I keep hoping for more laws against murder for the same reason. The rule is that if one law doesn't work, make more, not less. And if money doesn't fix it, use more money, and if more doesn't fix it, use even more. It's only taxpayers money anyway, and they don't care. From eddie at eddie.web Thu Jul 1 13:12:18 2004 From: eddie at eddie.web (eddie) Date: Thu Jul 1 12:15:03 2004 Subject: [SC-Help] Re: Citibank References: Message-ID: On Wed, 30 Jun 2004 23:51:21 -0700, Don Wannit scratched out the following: > [top-posting corrected for conversational flow] > > nobody wrote: > > eddie wrote: > >> Why should they? It's not their fault that some of their customers are > >> idiots. And it keeps the worldwide cashflow up. It benefits the poor. > >> It's > >> a good liberal thing to do. > > > > Why should they care? There customer is only responsible for the first > > $50.00 of charges. They eat the rest. These scams are costing the banks > > a fortune. > > > > > > No, you're quite wrong there. The credit card issuing banks are *not*, I > say again, *not*, eating the rest. They have little or no loss due to > fraudulent use of credit card numbers. This is their dirty little secret. > > It's the merchants and especially small businesses that incur those > losses. The banks don't lose a thing. They control the game completely, > and bill all disputed credit card charges back to the merchant, plus a > "chargeback" penalty fee. The merchant gets hit with the entire loss, not > the bank. > > And, since this becomes part of the cost of doing business, ultimately > it's consumers who pay the price of the fraud. snip So I was right - it is the liberal way. The poor who can't afford it steal it and their charges get passed back to the working people as higher prices. Simple redistribution of wealth, in this case the government is not directly in the loop - - yet. They will figure a way, thought. Take from the working class - give to the poor, even if they are breaking the law. Liberalism at its best. From Martin.Edwards5 at btinternet.com Thu Jul 1 19:33:39 2004 From: Martin.Edwards5 at btinternet.com (Martin Edwards) Date: Thu Jul 1 13:30:03 2004 Subject: [SC-Help] Re: Citibank - it's the BANK that's STUPID ;-) In-Reply-To: References: Message-ID: eddie wrote: > On Thu, 01 Jul 2004 01:01:38 -0400, David Butler scratched out the > following: > > snip > >>And Fleet Bank is the biggest, most overcharging bunch of bankers in New >>England! > > > Fleet is a good name - they used to be named Fly by Night, and > Fleet Street is in Old England, so it figures. > They had thought of calling themselves Fleece Bank, thinking they could > pull the wool over their client's eyes, but they decided on Fleet - which, > BTW, is also the name of an enema company and product. Fleet Street covers the River Fleet, which was the biggest open sewer in London till it was rafted. From eddie at eddie.web Thu Jul 1 15:00:46 2004 From: eddie at eddie.web (eddie) Date: Thu Jul 1 14:05:03 2004 Subject: [SC-Help] Re: Citibank - it's the BANK that's STUPID ;-) References: Message-ID: On Thu, 01 Jul 2004 18:33:39 +0100, Martin Edwards scratched out the following: snip > Fleet Street covers the River Fleet, which was the biggest open sewer in > London till it was rafted. Perfect! :) From h9vzc2i02 at sneakemail.com Thu Jul 1 12:42:59 2004 From: h9vzc2i02 at sneakemail.com (Anon_) Date: Thu Jul 1 14:45:18 2004 Subject: [SC-Help] Re: Citibank - it's the BANK that's STUPID ;-) References: Message-ID: "eddie" wrote in message news:pan.2004.07.01.18.00.46.339000@eddie.web... > On Thu, 01 Jul 2004 18:33:39 +0100, Martin Edwards scratched out the > following: > > snip > > Fleet Street covers the River Fleet, which was the biggest open sewer in > > London till it was rafted. > > Perfect! :) ** Didn't a previous poster mention that Fleet is an enema? Now we know where THAT name came from! -- A SpamCop user and forum reader, Not Admin *** From eddie at eddie.web Thu Jul 1 16:28:22 2004 From: eddie at eddie.web (eddie) Date: Thu Jul 1 15:30:02 2004 Subject: [SC-Help] Re: Citibank - it's the BANK that's STUPID ;-) References: Message-ID: On Thu, 01 Jul 2004 11:42:59 -0700, Anon_ scratched out the following: >snip > Didn't a previous poster mention that Fleet is an enema? Now we know where > THAT name came from! that was me - eddie :) I guess they just package the water and ship it :) From flippetyfloo at fake.com Thu Jul 1 14:48:36 2004 From: flippetyfloo at fake.com (RandallW) Date: Thu Jul 1 16:50:12 2004 Subject: [SC-Help] newsgroup spam Message-ID: Anyone know of a good FAQ/instruction site on how to read/study/report newsgroup spam? From aukword666 at attglobal.net Thu Jul 1 18:13:10 2004 From: aukword666 at attglobal.net (Glenn Daniels) Date: Thu Jul 1 17:15:03 2004 Subject: [SC-Help] Re: newsgroup spam References: Message-ID: "RandallW" wrote in message news:cc1tb4$euk$1@news.spamcop.net... > Anyone know of a good FAQ/instruction site on how to read/study/report > newsgroup spam? > Refer thread "heads up!" above. This difficulty seems to have generated no interest. The .nws extension on the spam causes it to be handled differently in OE6 as compared to Netscape 7.1 Mail client. My experience: if it shows up in OE as a .nws post I know that it faults through if I submit as attachment, see note below. My options: Either websubmit using copy-paste, or submit as attachment using Netscape Mail. I found no FAQ on it, but that does not mean there isn't one. No one responded to my previous post on 19 June. Note: If you previously submitted using OE, most likely the spam has been processed and reports were sent without your intervention. You might verify this by finding the Autoresponder for it, or by checking your recent reports. hth, Glenn From nobody at devnull.spamcop.net Thu Jul 1 17:26:05 2004 From: nobody at devnull.spamcop.net (WazoO) Date: Thu Jul 1 17:30:03 2004 Subject: [SC-Help] Re: newsgroup spam References: Message-ID: "RandallW" wrote in message news:cc1tb4$euk$1@news.spamcop.net... > Anyone know of a good FAQ/instruction site on how to read/study/report > newsgroup spam? http://home.att.net/~marjie1/index.htm http://www.spamfaq.net/usenetfaqs.shtml From nobody at devnull.spamcop.net Thu Jul 1 17:42:12 2004 From: nobody at devnull.spamcop.net (Cat) Date: Thu Jul 1 17:45:02 2004 Subject: [SC-Help] Re: SpamCop encountered errors In-Reply-To: References: Message-ID: zaax wrote: > In article , Anon_ > writes >> What part of DO NOT POST SPAM HERE do you not understand?? >> > What I don't understand when I ask for help a prat like you answers The forum page states that spam should only be posted in the spamcop.spam newsgroup and discussed here in spamcop.help or in the main spamcop newsgroup. If you had read the forum page, you would have known that. When you blatantly ignore things like the "no spam posting" rule, people are less likely to want to help you, and you shouldn't be surprised when you get a response like Anon_'s. Please understand that Anon_'s frustration was due to the fact that the forum page clearely states where spam should be posted, so you don't have any excuse for not knowing that you weren't supposed to post spam here. We all get more than enough spam of our own without having to also see yours in a place where we are promised a spam free environment. -Cat SpamCop user, not an admin From nobody at devnull.spamcop.net Thu Jul 1 17:46:59 2004 From: nobody at devnull.spamcop.net (Cat) Date: Thu Jul 1 17:50:02 2004 Subject: [SC-Help] Re: newsgroup spam In-Reply-To: References: Message-ID: Glenn Daniels wrote: > Note: If you previously submitted using OE, > most likely the spam has been processed and reports > were sent without your intervention. Unless you're using quick reporting, SpamCop isn't going to automatically send reports without you checking the report page first to send it yourself. From ob1db at spamcop.net Thu Jul 1 11:44:00 2004 From: ob1db at spamcop.net (David Butler) Date: Thu Jul 1 17:50:04 2004 Subject: [SC-Help] Re: SpamCop encountered errors References: Message-ID: "David Butler" wrote in message news:cc17n8$nvb$1@news.spamcop.net... > "Anon_" wrote in message > news:cbvp45$gq0$1@news.spamcop.net... > > > > "zaax" wrote in message > > snip > > > > > ** > > What part of DO NOT POST SPAM HERE do you not understand?? > > > > -- > > What part of "you are acting like a putz with a newbie" don't YOU > understand? > > He posted the headers, not the full spam. My error on this part, the full email did not show first time. My remaining response to you is still the same. An intelligent response would be > "it is better not to post this here, please post to .spam and put your > questions here." > > That would be an adult response... > > Don't bother responding. > > From aukword666 at attglobal.net Thu Jul 1 18:50:58 2004 From: aukword666 at attglobal.net (Glenn Daniels) Date: Thu Jul 1 17:55:03 2004 Subject: [SC-Help] Re: newsgroup spam References: Message-ID: "Cat" wrote in message news:cc20oi$j63$1@news.spamcop.net... > Glenn Daniels wrote: > > > Note: If you previously submitted using OE, > > most likely the spam has been processed and reports > > were sent without your intervention. > > Unless you're using quick reporting, SpamCop isn't going to > automatically send reports without you checking the report page first to > send it yourself. > My point exactly: that was what I would have expected, not what happened! From ob1db at spamcop.net Thu Jul 1 20:23:25 2004 From: ob1db at spamcop.net (David Butler) Date: Thu Jul 1 19:25:03 2004 Subject: [SC-Help] Links not found again Message-ID: http://www.spamcop.net/sc?id=z528220788zac98fce44aabab656bd876d9429f0c10z I see no html or header error, no error message, I know the link parses, I have had 10 from these idiots this week alone... oh, maybe they shifted IPs ?? Whoisurl found them, Query : www.pillomatic.biz Offical Name = www.pillomatic.biz Aliases = Addresses = 61.186.254.92 which SC parses to same collection as earlier reports: Parsing input: 61.186.254.92 host 61.186.254.92 (getting name) no name No recent reports, no history available Routing details for 61.186.254.92 [refresh/show] Cached whois for 61.186.254.92 : abuse@cta.cq.cn Using abuse net on abuse@cta.cq.cn abuse net cta.cq.cn = spam@ctsi.com.cn, ctsummary@special.abuse.net, zhong@public.cta.cq.cn, dnsmail@public.cta.cq.cn, wangyan@public.cta.cq.cn, postmaster@cta.cq.cn, anti-spam@chinanet.cn.net, jieliang@ix.netcom.com Using best contacts spam@ctsi.com.cn zhong@public.cta.cq.cn dnsmail@public.cta.cq.cn wangyan@public.cta.cq.cn postmaster@cta.cq.cn anti-spam@chinanet.cn.net jieliang@ix.netcom.com ctsummary@special.abuse.net spam@ctsi.com.cn bounces (103 sent : 99 bounces) Using spam#ctsi.com.cn@devnull.spamcop.net for statistical tracking. zhong@public.cta.cq.cn bounces (1189171 sent : 599828 bounces) Using zhong#public.cta.cq.cn@devnull.spamcop.net for statistical tracking. dnsmail@public.cta.cq.cn bounces (1190004 sent : 600367 bounces) Using dnsmail#public.cta.cq.cn@devnull.spamcop.net for statistical tracking. wangyan@public.cta.cq.cn bounces (1189149 sent : 599896 bounces) Using wangyan#public.cta.cq.cn@devnull.spamcop.net for statistical tracking. jieliang@ix.netcom.com bounces (24937 sent : 12481 bounces) Using jieliang#ix.netcom.com@devnull.spamcop.net for statistical tracking. ctsummary@special.abuse.net redirects to ct-abuse@sprint.net ct-abuse@sprint.net refuses SpamCop reports From flippetyfloo at fake.com Thu Jul 1 18:45:19 2004 From: flippetyfloo at fake.com (RandallW) Date: Thu Jul 1 20:50:03 2004 Subject: [SC-Help] spamvertised link not detected? Message-ID: Spam will be pasted in .spam; subject is inkjets on sale From bite_me at its.fun Thu Jul 1 19:19:22 2004 From: bite_me at its.fun (salamandir) Date: Thu Jul 1 21:20:03 2004 Subject: [SC-Help] Cannot log into IMAP mailserver as Message-ID: i'm getting this error that i see every now and then when i check my held email that says "Cannot log into IMAP mailserver as" salamandir at spamcop dot net. i see it pretty irregularly, and when i "report" it, meaning when i bring it up here, it's either ignored all together, or people say "it's not happening to me," and by the time someone gets around to looking, it's fixed itself. i'm reporting it immediately this time, in the hopes that maybe whoever is responsible for such things can take a look more quickly this time, and perhaps give me an update to let me know what's happening. From nobody at spamcop.net Thu Jul 1 23:01:47 2004 From: nobody at spamcop.net (Jim) Date: Thu Jul 1 22:05:03 2004 Subject: [SC-Help] Re: Cannot log into IMAP mailserver as References: Message-ID: "salamandir" wrote in message news:pan.2004.07.02.01.19.21.850254@underwear.is.fun... > i'm getting this error that i see every now and then when i check my held > email that says "Cannot log into IMAP mailserver as" salamandir at spamcop > dot net. > > i see it pretty irregularly, and when i "report" it, meaning when i bring > it up here, it's either ignored all together, or people say "it's not > happening to me," and by the time someone gets around to looking, it's > fixed itself. > I can not get in at all now either. Before when I could not get in I would turn off zone alarm, log in and then turn zone alarm back on. Then it would be ok for awhile. Jim From eddie at eddie.web Thu Jul 1 23:05:17 2004 From: eddie at eddie.web (eddie) Date: Thu Jul 1 22:10:02 2004 Subject: [SC-Help] Re: Cannot log into IMAP mailserver as References: Message-ID: On Thu, 01 Jul 2004 18:19:22 -0700, salamandir scratched out the following: > i'm getting this error that i see every now and then when i check my held > email that says "Cannot log into IMAP mailserver as" salamandir at spamcop > dot net. > I reported it under spamcop earlier. I can report manually, but the mail/report link via "held mail" is broken. From eddie at eddie.web Thu Jul 1 23:17:10 2004 From: eddie at eddie.web (eddie) Date: Thu Jul 1 22:20:03 2004 Subject: [SC-Help] Re: spamvertised link not detected? References: Message-ID: On Thu, 01 Jul 2004 17:45:19 -0700, RandallW scratched out the following: > Spam will be pasted in .spam; subject is inkjets on sale SC has not been finding spamvertized sites all day. There are other complaints about this here and on the webpage newsgroup. The system is broken. From h9vzc2i02 at sneakemail.com Thu Jul 1 21:19:19 2004 From: h9vzc2i02 at sneakemail.com (Anon_) Date: Thu Jul 1 23:20:03 2004 Subject: [SC-Help] Re: Cannot log into IMAP mailserver as References: Message-ID: "Jim" wrote in message news:cc2fmc$5pm$1@news.spamcop.net... > > "salamandir" wrote in message > news:pan.2004.07.02.01.19.21.850254@underwear.is.fun... > > i'm getting this error that i see every now and then when i check my held > > email that says "Cannot log into IMAP mailserver as" salamandir at spamcop > > dot net. > > > > > > I can not get in at all now either. Before when I could not get in I would > turn off zone alarm, log in and then turn zone alarm back on. Then it would > be ok for awhile. > ** If you have ZA Pro there are all sorts of things you can do to make it work for you. If you have ZA free - go to the "firewall" menu and the "zones" tab - you can add whatever you want to the 'trusted" list. (Mine already had PPP and the NIC in the list and I added newsgroups to the list as it suddenly quit downloading the newsgroup information - that addition cured the problem. (It wants a name and an IP address for the listing.) That may be all that is needed (my ISP suggested turning ZA off to see if the ng download would work then - it did so I looked in ZA help and it "walked me through" the addition.) -- A SpamCop user and forum reader, Not Admin *** > Jim > > From bite_me at its.fun Thu Jul 1 23:05:43 2004 From: bite_me at its.fun (salamandir) Date: Fri Jul 2 01:05:04 2004 Subject: [SC-Help] Re: Cannot log into IMAP mailserver as References: Message-ID: On Thu, 01 Jul 2004 21:25:01 -0600, SpamCop Admin, an eminent manifestation of divinity, wrote: > Something is broken. Jeff and Julian are working on it now. I doubt that > the fix will take long, but you never know. If there is something > seriously wrong, I'll post about it again. > > As always, when you experience a failure with SpamCop, the immediate > action drill is to shut down your browser and go lie on the couch. :-) it works again... whether they did something or not i think i'll never know. From Martin.Edwards5 at btinternet.com Fri Jul 2 19:22:47 2004 From: Martin.Edwards5 at btinternet.com (Martin Edwards) Date: Fri Jul 2 13:20:07 2004 Subject: [SC-Help] Re: newsgroup spam In-Reply-To: References: Message-ID: RandallW wrote: > Anyone know of a good FAQ/instruction site on how to read/study/report > newsgroup spam? > > If you use the Spamcop Web form it's fairly simple. Tick "Show Full Headers" in your reader and put it through the parser in the usual way. I use Free Agent for groups from my ISP, but I assume it's pretty similar for most. From eddie at eddie.web Fri Jul 2 15:05:20 2004 From: eddie at eddie.web (eddie) Date: Fri Jul 2 14:10:14 2004 Subject: [SC-Help] Re: newsgroup spam References: Message-ID: On Fri, 02 Jul 2004 18:22:47 +0100, Martin Edwards scratched out the following: > RandallW wrote: >> Anyone know of a good FAQ/instruction site on how to read/study/report >> newsgroup spam? >> >> > If you use the Spamcop Web form it's fairly simple. Tick "Show Full > Headers" in your reader and put it through the parser in the usual way. > I use Free Agent for groups from my ISP, but I assume it's pretty > similar for most. Many NG allow anonymous posting; and posting through google (I believe) or any of the other similar services completely hides the headers. Most legit NG posts contain an abuse address, so if it's missing it's probably very difficult to report. Then, while I absolutely am against spam, I don't know if the current definition fits "spam" in a NG, where nobody is actually sending me stuff directly. When I go to a news group I choose to do so. Also, many newsgroups look like spam sites when they are not, what with all the flames and such. As I noted previously, I turn on my filters when I visit NGs and don't see the stuff most people complain about. From eddie at eddie.web Fri Jul 2 17:06:31 2004 From: eddie at eddie.web (eddie) Date: Fri Jul 2 16:10:04 2004 Subject: [SC-Help] strange error when clicking on spam Message-ID: I use the SC webmail/parser interface. Every once and a while, when I click on the subject of a piece of spam in "held" I am returned to the Inbox page with an error message, "error opening message" or something like that. Also, sometimes after opening the spam, I get the same bounce back to the Inbox when I click on "Message Source." I wind up on the Inbox page. Just wondering if anyone else has this problem. I got it with Mozilla 1.4, and again with 1.7 and also IE6, so I don't think it's a browser problem. I suspect the problem is not on my end. From nobody at devnull.spamcop.net Fri Jul 2 16:23:50 2004 From: nobody at devnull.spamcop.net (WazoO) Date: Fri Jul 2 16:25:05 2004 Subject: [SC-Help] Re: strange error when clicking on spam References: Message-ID: "eddie" wrote in message news:pan.2004.07.02.20.06.30.956000@eddie.web... > I use the SC webmail/parser interface. > Every once and a while, when I click on the subject of a piece of spam in > "held" I am returned to the Inbox page with an error message, "error > opening message" or something like that. > Also, sometimes after opening the spam, I get the same bounce back to the > Inbox when I click on "Message Source." I wind up on the Inbox page. > Just wondering if anyone else has this problem. > I got it with Mozilla 1.4, and again with 1.7 and also IE6, so I don't > think it's a browser problem. I suspect the problem is not on my end. As usual, here I go again. Primary support for the e-mail side of the house is over in the Forums. And, this particular issue has two, maybe three Topic / threads on this particular scenario ... stuff is so time-scattered and some "descriptions" are so "different" (yet deal with the same thing) that I've not combined them into a single item .. but what's needed is a few more folks to put their heads together over there and continue with the stringing together of data points to try to help isolate this. There are a couple of suggestions, and a few more questions, as I recall .... Check the E-Mail Forums for this issue ... From eddie at eddie.web Fri Jul 2 17:44:45 2004 From: eddie at eddie.web (eddie) Date: Fri Jul 2 16:45:03 2004 Subject: [SC-Help] Re: strange error when clicking on spam References: Message-ID: On Fri, 02 Jul 2004 15:23:50 -0500, WazoO scratched out the following: snip > There are a couple of suggestions, and a few more > questions, as I recall .... Check the E-Mail Forums for this issue ... thanks - between here and there, and this problem being an interface problem, somewhere between the email side and the spam side it would probably be good to have an interface forum or group for problems related to going between the webmail interface and the web reporting interface, as is the case with that "logon failed IMAP" error. That's why I stuck this in the help NG. I'll look over "there" thanks again. From eddie at eddie.web Sat Jul 3 13:47:26 2004 From: eddie at eddie.web (eddie) Date: Sat Jul 3 12:50:03 2004 Subject: [SC-Help] Re: strange error when clicking on spam References: Message-ID: On Fri, 02 Jul 2004 15:23:50 -0500, WazoO scratched out the following: snip >There are a couple of suggestions, and a few more > questions, as I recall .... Check the E-Mail Forums for this issue ... I saw nothing specifically related to this bug anywhere. I posted it again under spamcop since it happens when I am in the spam reporting area of the service. Today it happened 5 times, almost in a row. From xxx at xx.xcom Sat Jul 3 18:48:07 2004 From: xxx at xx.xcom (keith) Date: Sat Jul 3 12:50:06 2004 Subject: [SC-Help] spam that looks like bounces Message-ID: I'm sure this has been raised at some point, but there seems to be an increasing amount of junk mail (leaving out the netsky stuff) that looks like a bounce but with a prominent URL in it Is this a way of circumventing SpamCop's reporting system and is there a way round it, like putting a false return address in the headers and then removing it before reporting to SC? From MikeE at ster.invalid Sat Jul 3 11:23:25 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sat Jul 3 13:25:04 2004 Subject: [SC-Help] Re: spam that looks like bounces References: Message-ID: keith wrote: > I'm sure this has been raised at some point, but there seems to be an > increasing amount of junk mail (leaving out the netsky stuff) that > looks like a bounce but with a prominent URL in it Bounces can have the original spam and the spamvertisement included/attached. > Is this a way of circumventing SpamCop's reporting system and is > there a way round it, like putting a false return address in the > headers and then removing it before reporting to SC? Almost all 'bounces' are actually bounces and cannot be spamcop reported. The only 'way round' permissible is to use the parser on the original spamitem 'under' the bounce headers but to only report it /manually/, not with spamcop. That is, spamcop can only be used in that way to determine the notify addresses for your /own/ manual report - not as a spamcop report. This also applies to those items in which you have decided to 'read the mind' of the spammer and think that s/he was /thinking of/ 'bounce spamming' in the first place. Even if you /can/ read the mind of a spammer, bounce spams are not spamcop reportable. -- Mike Easter kibitzer, not SC admin From tbittner at online.mvpatwork.de Sat Jul 3 21:10:21 2004 From: tbittner at online.mvpatwork.de (Thomas K.H. Bittner) Date: Sat Jul 3 14:15:03 2004 Subject: [SC-Help] No response Message-ID: ... since two weeks or more, I get no response from the emails I send to spamcop since I did in the past. Has something changed? Regards, Thomas From nobody at devnull.spamcop.net Sat Jul 3 14:25:39 2004 From: nobody at devnull.spamcop.net (WazoO) Date: Sat Jul 3 14:30:03 2004 Subject: [SC-Help] Re: No response References: Message-ID: "Thomas K.H. Bittner" wrote in message news:cc6sqe$9h4$1@news.spamcop.net... > ... since two weeks or more, I get no response from the emails I send to > spamcop since I did in the past. Has something changed? Primary e-mail support is handled over in the web- based Forums ... http://forum.spamcop.net/forums/index.php? Your specific question is probably already answered in a Pinned item at; http://forum.spamcop.net/forums/index.php?showtopic=1848 From nobody at devnull.spamcop.net Sat Jul 3 14:33:15 2004 From: nobody at devnull.spamcop.net (WazoO) Date: Sat Jul 3 14:35:03 2004 Subject: [SC-Help] Re: strange error when clicking on spam References: Message-ID: "eddie" wrote in message news:pan.2004.07.03.16.47.26.59000@eddie.web... > On Fri, 02 Jul 2004 15:23:50 -0500, WazoO scratched out the following: > > snip > >There are a couple of suggestions, and a few more > > questions, as I recall .... Check the E-Mail Forums for this issue ... > > I saw nothing specifically related to this bug anywhere. > I posted it again under spamcop since it happens when I am in the spam > reporting area of the service. > Today it happened 5 times, almost in a row. OK, here's one post that also links to several other Topics/Threads that concern this issue .. http://forum.spamcop.net/forums/index.php?showtopic=1930 From eddie at eddie.web Sat Jul 3 16:02:33 2004 From: eddie at eddie.web (eddie) Date: Sat Jul 3 15:05:02 2004 Subject: [SC-Help] Re: strange error when clicking on spam References: Message-ID: On Sat, 03 Jul 2004 13:33:15 -0500, WazoO scratched out the following: snip > > OK, here's one post that also links to several other Topics/Threads that > concern this issue .. > http://forum.spamcop.net/forums/index.php?showtopic=1930 Great! and pardon my ignorance in not being able to find it before. Mucho appreciatato :) I tend to come here first and do my complaining because I like Pan better than a browser. I'll go over all those bugs carefully and not bother anyone anymore over here. From Roger at NoSpam.FromU.com Sat Jul 3 17:06:36 2004 From: Roger at NoSpam.FromU.com (Roger Cooper) Date: Sat Jul 3 16:10:02 2004 Subject: [SC-Help] AOL mail "....forged...Nothing to do" Message-ID: All of a sudden all of the spam forwarded from my AOL accounts is not being processed. It does not seem to matter whether I forward it directly from within the AOL client or from the web-mail system of if I input the header and body manually. SpamCop assumes that it is a forgery. SpamCop has become useless to me now. What is going on there? <> From tjtmdREMOVE_THIS at attglobal.net Sat Jul 3 21:22:52 2004 From: tjtmdREMOVE_THIS at attglobal.net (Tanya) Date: Sat Jul 3 20:45:13 2004 Subject: [SC-Help] Re: new look and nn 4.x References: <40DDB047.6D2B6524@attglobal.net> <40DE1F93.D9EF7B7F@attglobal.net> <40DF747F.B6FDDCA8@attglobal.net> <40E08058.F0B434E@attglobal.net> <40E21FDB.C6650E4B@attglobal.net> Message-ID: <40E74DDC.F744CD0B@attglobal.net> Blammo wrote: > On 29 Jun 2004 Tanya entered spamcop.help and left > news:40E21FDB.C6650E4B@attglobal.net: > > > Blammo wrote: > > > Yep, it's fixed, and it will get better ;-) > > > > if 1.7 is *better* ?more stable than 1.6 i might try it -- i really > > think the problem's nn 4.77 > > thanks for the suggestion > > > > It is faster, smaller, and renders pages faster. Also some more bugs are > squished. that settles it -- thanks > > > > > > it's odd that nn has the most problems (vs. other programs / browsers) > > with js since they created js.......... > > Actually Netscape handles *Javascript* perfectly, that is up to Javascript > version 1.3, it can't handle Javascript version 1.5 or MS VBScript / > JScript. The problem is mainly style sheets and partly some HTML like > tables. Seems to me that Netscape fell apart in the late 90's and never got > this stuff fixed (i.e. Netscape 5 was never released). Apparently all their > focus was on the Netscape Server software. i took courses comparing ie, op and nc wrt css and wrt script nc lost in every respect -- op won. > > it's actually amazing -- as though they (spamCop) read these posts > > since nn has the old look and no js error and mozilla has the new and > > improved look i repeat this out of amazement :) > > thanks Ric > > Yep, that's fixed, notice no Style selector for NC either. it's far faster -- it's 1 of the most frequent site i access SO really appreciate the fact that nc can tolerate it thank you, sincerely Tanya > > > -- > | Ric > | From tjtmdREMOVE_THIS at attglobal.net Sat Jul 3 21:54:31 2004 From: tjtmdREMOVE_THIS at attglobal.net (Tanya) Date: Sat Jul 3 21:20:10 2004 Subject: [SC-Help] uncooperative spam Message-ID: <40E75547.E479A642@attglobal.net> hello, received 2 identical spams yesterday which when trying to "forward as an attachment" for sc gave the following: 'a communications error has occurred. please try again' plus even when replying to them the recipient is blank (just as an experiment:) i thought that spammers were brainLess / brainDead so don't understand how they could create a simple looking message (2) that cannot be forwarded. fwiw: communicator 4.77; win95b and win98se thanks From aukword666 at attglobal.net Sat Jul 3 22:32:42 2004 From: aukword666 at attglobal.net (Glenn Daniels) Date: Sat Jul 3 21:35:03 2004 Subject: [SC-Help] Re: uncooperative spam References: <40E75547.E479A642@attglobal.net> Message-ID: "Tanya" wrote in message news:40E75547.E479A642@attglobal.net... > hello, > received 2 identical spams yesterday which when trying to "forward as an > attachment" for sc gave the following: 'a communications error has > occurred. please try again' > plus even when replying to them the recipient is blank (just as an > experiment:) > i thought that spammers were brainLess > / brainDead so don't understand how they could create a simple looking > message (2) that cannot be forwarded. > fwiw: communicator 4.77; win95b and win98se > thanks > Could you post an example in .spam so others might have a sense of the problem spam: most are usually errors generated by the spam forging software, not a malignant creation of creative intellect. -Glenn Daniels From tjtmdREMOVE_THIS at attglobal.net Sat Jul 3 23:21:39 2004 From: tjtmdREMOVE_THIS at attglobal.net (Tanya) Date: Sat Jul 3 22:45:04 2004 Subject: [SC-Help] Re: uncooperative spam References: <40E75547.E479A642@attglobal.net> Message-ID: <40E769B2.9C61A24@attglobal.net> Glenn Daniels wrote: > "Tanya" wrote in message > news:40E75547.E479A642@attglobal.net... > > hello, > > received 2 identical spams yesterday which when trying to "forward as an > > attachment" for sc gave the following: 'a communications error has > > occurred. please try again' > > plus even when replying to them the recipient is blank (just as an > > experiment:) > > i thought that spammers were brainLess > > / brainDead so don't understand how they could create a simple looking > > message (2) that cannot be forwarded. > > fwiw: communicator 4.77; win95b and win98se > > thanks > > > > Could you post an example in .spam so others might > have a sense of the problem spam: most are usually > errors generated by the spam forging software, not > a malignant creation of creative intellect. > > -Glenn Daniels thanks... done same subject sincerely, Tanya From aukword666 at attglobal.net Sun Jul 4 01:26:39 2004 From: aukword666 at attglobal.net (Glenn Daniels) Date: Sun Jul 4 00:30:02 2004 Subject: [SC-Help] Re: uncooperative spam References: <40E75547.E479A642@attglobal.net> <40E769B2.9C61A24@attglobal.net> Message-ID: "Tanya" wrote in message news:40E769B2.9C61A24@attglobal.net... > Glenn Daniels wrote: etc.,etc. If you posted what you received, it looks like way too much white space in too many places... I don't have any idea how it came to be that way, but doubt it was intentional, more likely an error in the spam forging software. I attempted to reconstruct the intended *like I read minds?* spam message by doing nothing more than extracting excess white space and encountered no problems whatever with the resulting .eml. I'm guessing my reconstruction is NOT what you received, but it does support my previous suggestion that the problem in the .eml was not the work of a creative spammer. I have posted the reconstruction in .spam under your post so that you may better judge whether it looks like what you received. I am suspecting the white space I removed, removed the "uncooperative" from the spam as well, like losing the baby in the bath water. Bottom line: looks like you received this spam in a damaged, "spaced out", condition which might make it difficult to forward if the headers failed to track because of the damage. No way to begin to guess where the damage occured. Query: Were you able to post/parse the spam using the websubmit copy-paste procedure? Apology: sorry, I don't have a clue what the problem might be... I can remove it, but I can't reproduce it. Possibly another .help reader has similar experience and can provide a more intelligent take on the difficulty. -Glenn, without the Mark of the Beast. From aukword666 at attglobal.net Sun Jul 4 03:51:13 2004 From: aukword666 at attglobal.net (Glenn Daniels) Date: Sun Jul 4 02:55:03 2004 Subject: [SC-Help] piloomatic spam Message-ID: Berny: Using OE6, I opened your posted "attachment", opened its "attachment" which appeared to be your original spam, maybe munged, I would not guess. Saved the open file as .eml, opened in notepad, copied and pasted to websubmit and it parsed without difficulty (sorry, I did not "send reports", not sure that's allowed as it isn't for me to OK your options)... hth, Glenn, dehexed From aukword666 at attglobal.net Sun Jul 4 04:11:39 2004 From: aukword666 at attglobal.net (Glenn Daniels) Date: Sun Jul 4 03:15:04 2004 Subject: [SC-Help] Re: piloomatic spam References: Message-ID: "Glenn Daniels" wrote in message news:cc89cq$7mm$1@news.spamcop.net... > Berny: > Saved the open file as .eml, opened in notepad, copied > and pasted to websubmit and it parsed without difficulty > (sorry, I did not "send reports", not sure that's allowed as it > isn't for me to OK your options)... Pardon me for not knowing anything, but your parse tracker is showing reports already sent, so I'm guessing you think the parse is invalid and there I have not got a clue how to respond... Escusa, Glenn From bar_n0ne at hotmail.com Sun Jul 4 12:17:15 2004 From: bar_n0ne at hotmail.com (Berny) Date: Sun Jul 4 03:20:03 2004 Subject: [SC-Help] Re: piloomatic spam did it get the body? References: Message-ID: "Glenn Daniels" wrote in message news:cc89cq$7mm$1@news.spamcop.net... > Berny: > Using OE6, I opened your posted "attachment", opened its > "attachment" which appeared to be your original spam, > maybe munged, I would not guess. > > Saved the open file as .eml, opened in notepad, copied > and pasted to websubmit and it parsed without difficulty > (sorry, I did not "send reports", not sure that's allowed as it > isn't for me to OK your options)... > > hth, > > Glenn, > dehexed Thanks, you don't mention if it parsed the body or not, the headers always parse for me also. From bar_n0ne at hotmail.com Sun Jul 4 12:18:12 2004 From: bar_n0ne at hotmail.com (Berny) Date: Sun Jul 4 03:20:07 2004 Subject: [SC-Help] Re: piloomatic spam References: Message-ID: "Glenn Daniels" wrote in message news:cc8aj5$95f$1@news.spamcop.net... > "Glenn Daniels" wrote in message > news:cc89cq$7mm$1@news.spamcop.net... > > Berny: > > Saved the open file as .eml, opened in notepad, copied > > and pasted to websubmit and it parsed without difficulty > > (sorry, I did not "send reports", not sure that's allowed as it > > isn't for me to OK your options)... > > Pardon me for not knowing anything, but your parse > tracker is showing reports already sent, so I'm guessing > you think the parse is invalid and there I have not > got a clue how to respond... > > Escusa, > Glenn They were cancelled From aukword666 at attglobal.net Sun Jul 4 04:32:35 2004 From: aukword666 at attglobal.net (Glenn Daniels) Date: Sun Jul 4 03:35:03 2004 Subject: [SC-Help] Re: piloomatic spam did it get the body? References: Message-ID: "Berny" wrote in message news:cc8att$9gi$1@news.spamcop.net... > "Glenn Daniels" wrote in message > news:cc89cq$7mm$1@news.spamcop.net... > > Berny: > > Saved the open file as .eml, opened in notepad, copied > > and pasted to websubmit and it parsed without difficulty > > (sorry, I did not "send reports", not sure that's allowed as it > > isn't for me to OK your options)... > > > > Thanks, you don't mention if it parsed the body or not, the headers always > parse for me also. > parse tracker: http://www.spamcop.net/sc?id=z532152730ze604a65bc0a0cbba99585064a6f0e444z If you mean, did it see the URL http://www.piloomatic.biz ?, I think not: maybe because it does not exist/ is misspelled/ is already shut down... ??? should SC report the invalid spamvertised link ??? -Glenn From MikeE at ster.invalid Sun Jul 4 01:52:03 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sun Jul 4 03:55:02 2004 Subject: [SC-Help] Re: piloomatic spam did it get the body? References: Message-ID: Glenn Daniels wrote: > "Berny" >> Thanks, you don't mention if it parsed the body or not, the headers >> always parse for me also. www.spamcop.net/sc?id=z532152730ze604a65bc0a0cbba99585064a6f0e444z > If you mean, did it see the URL > http://www.piloomatic.biz ?, I think not: > maybe because it does not exist/ is misspelled/ > is already shut down... On all 3 items I've looked at... - Berny's tracker1 posted in .spam - Berny's tracker 2 posted in .spam - Glenn's tracker posted in this thread ...SC found the body url in all 3, but it would not resolve. The verbose sez... Resolving link obfuscation http://www.piloomatic.biz Tracking link: http://www.piloomatic.biz No recent reports, no history available Cannot resolve http://www.piloomatic.biz Not only will piloomatic not resolve, it doesn't even show in neulevel.biz as a registered domainname. > ??? should SC report the invalid spamvertised link ??? No. SC notifies the holder of the netblock, of which there isn't one for an unresolving url. -- Mike Easter kibitzer, not SC admin From bar_n0ne at hotmail.com Sun Jul 4 12:59:55 2004 From: bar_n0ne at hotmail.com (Berny) Date: Sun Jul 4 04:00:02 2004 Subject: [SC-Help] Re: piloomatic spam Thanks Mike References: Message-ID: "Mike Easter" wrote in message news:cc8d1o$bts$1@news.spamcop.net... > Glenn Daniels wrote: > > "Berny" > >> Thanks, you don't mention if it parsed the body or not, the headers > >> always parse for me also. > > www.spamcop.net/sc?id=z532152730ze604a65bc0a0cbba99585064a6f0e444z > > > If you mean, did it see the URL > > http://www.piloomatic.biz ?, I think not: > > maybe because it does not exist/ is misspelled/ > > is already shut down... > > On all 3 items I've looked at... > > - Berny's tracker1 posted in .spam > - Berny's tracker 2 posted in .spam > - Glenn's tracker posted in this thread > > ...SC found the body url in all 3, but it would not resolve. The > verbose sez... > > Resolving link obfuscation > http://www.piloomatic.biz > Tracking link: http://www.piloomatic.biz > No recent reports, no history available > Cannot resolve http://www.piloomatic.biz > > Not only will piloomatic not resolve, it doesn't even show in > neulevel.biz as a registered domainname. > > > ??? should SC report the invalid spamvertised link ??? > > No. SC notifies the holder of the netblock, of which there isn't one > for an unresolving url. > > -- > Mike Easter > kibitzer, not SC admin > Thanks Mike, I now think some spammer is just trying to bug me, I've been getting them for weeks, and they've never resolved to a real domain it seems. I did get one today for a pillomatic.biz (double l instead of o)which resolved. From aukword666 at attglobal.net Sun Jul 4 05:12:15 2004 From: aukword666 at attglobal.net (Glenn Daniels) Date: Sun Jul 4 04:15:03 2004 Subject: [SC-Help] Re: piloomatic spam did it get the body? References: Message-ID: "Mike Easter" wrote in message news:cc8d1o$bts$1@news.spamcop.net... > Glenn Daniels wrote: > > "Berny" > >> Thanks, you don't mention if it parsed the body or not, the headers > >> always parse for me also. > > www.spamcop.net/sc?id=z532152730ze604a65bc0a0cbba99585064a6f0e444z > > > If you mean, did it see the URL > > http://www.piloomatic.biz ?, I think not: > > maybe because it does not exist/ is misspelled/ > > is already shut down... > > On all 3 items I've looked at... > > - Berny's tracker1 posted in .spam > - Berny's tracker 2 posted in .spam > - Glenn's tracker posted in this thread > > ...SC found the body url in all 3, but it would not resolve. The > verbose sez... > > Resolving link obfuscation > http://www.piloomatic.biz > Tracking link: http://www.piloomatic.biz > No recent reports, no history available > Cannot resolve http://www.piloomatic.biz > > Not only will piloomatic not resolve, it doesn't even show in > neulevel.biz as a registered domainname. > > > ??? should SC report the invalid spamvertised link ??? > > No. SC notifies the holder of the netblock, of which there isn't one > for an unresolving url. > > -- > Mike Easter > kibitzer, not SC admin > Thanks Mike: Being a bit of a newbie and a bit of an idiot, I am still "throwing sand".... Not yet clever enough to want to see the "technical data", but stupid enough to test the link and determine for myself that it did not exist... But "learned something I have" and "use it I may" and "help me it will". It is good to know that that information is there, would have been easy to check, had I any idea what to look for. Always appreciate your 2ĸ Glenn From ric.gates at bigsleep.org Sun Jul 4 09:24:13 2004 From: ric.gates at bigsleep.org (Blammo) Date: Sun Jul 4 04:25:04 2004 Subject: [SC-Help] Re: uncooperative spam References: <40E75547.E479A642@attglobal.net> <40E769B2.9C61A24@attglobal.net> Message-ID: On 03 Jul 2004 Glenn Daniels entered spamcop.help and left news:cc80tp$v8t$1@news.spamcop.net: > If you posted what you received, it looks like way too much > white space in too many places... Actually Tanya copied it incorrectly. Select the message, press CTRL + U (View Page Source) and copy it from there. -- | Ric | From MikeE at ster.invalid Sun Jul 4 02:33:22 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sun Jul 4 04:35:02 2004 Subject: [SC-Help] Re: piloomatic spam did it get the body? References: Message-ID: Glenn Daniels wrote: > Not yet clever enough to want to > see the "technical data", SC's verbose output of what it is doing and thinking is very educational. It is confusing and 'misleading' sometimes because of how it is sequenced or organized and 'phrased', but I think people would do very well to 'follow' its logic, even on items which are not problematic - to learn the SC language so as to be able to understand what's happening when things are more 'screwed up' and not going normally or as expected. When I first started parsing spamheaders for manual notifies, I submitted all of them to spamcop /after/ I had derived all of my own notifies. Then, in the comparison, if the SC notifies differed from my own, I had to understand why, which of course necessitates following its logic. In the very beginning, I was cancelling all SC reports in favor of my own manual notifies. Later I began approving SC reports for the sake of the SCbl. In the old days, SC made more parsing errors in the headers than it does now. Also, spambody parsing was 'simpler' and more straightforward then. You could say that I learned to parse headers 'with' spamcop - also 'against' spamcop. In the beginning SC was faster and sometimes better. Later I became the better, but that also includes my using more tools than SC does. SC is still faster than I, usually. -- Mike Easter kibitzer, not SC admin From Martin.Edwards5 at btinternet.com Sun Jul 4 11:57:36 2004 From: Martin.Edwards5 at btinternet.com (Martin Edwards) Date: Sun Jul 4 05:55:04 2004 Subject: [SC-Help] Re: spam that looks like bounces In-Reply-To: References: Message-ID: Mike Easter wrote: > keith wrote: > >>I'm sure this has been raised at some point, but there seems to be an >>increasing amount of junk mail (leaving out the netsky stuff) that >>looks like a bounce but with a prominent URL in it > > > Bounces can have the original spam and the spamvertisement > included/attached. > > >>Is this a way of circumventing SpamCop's reporting system and is >>there a way round it, like putting a false return address in the >>headers and then removing it before reporting to SC? > > > Almost all 'bounces' are actually bounces and cannot be spamcop > reported. The only 'way round' permissible is to use the parser on the > original spamitem 'under' the bounce headers but to only report it > /manually/, not with spamcop. That is, spamcop can only be used in that > way to determine the notify addresses for your /own/ manual report - not > as a spamcop report. > > This also applies to those items in which you have decided to 'read the > mind' of the spammer and think that s/he was /thinking of/ 'bounce > spamming' in the first place. Even if you /can/ read the mind of a > spammer, bounce spams are not spamcop reportable. > I can't agree with your first comment: I get dozens of false bounces, many of them on a Netscape account, which show clearly that they were virus-generated because they have been stripped. On days when the spam is not too heavy I do what you say: parse the header and report them manually. From nospam at nospam Sun Jul 4 15:20:17 2004 From: nospam at nospam (*-* Kingdom *-*) Date: Sun Jul 4 09:25:03 2004 Subject: [SC-Help] author code Message-ID: <40e804ab$1_3@news.athenanews.com> how can I recover my spamcop authourization code?? I need it to work with spam inspector?? -- --------------------------------------------------------------------- "Are you still wasting your time with spam?... There is a solution!" Protected by GIANT Company's Spam Inspector The most powerful anti-spam software available. http://mail.spaminspector.com From tbittner at online.mvpatwork.de Sun Jul 4 17:01:33 2004 From: tbittner at online.mvpatwork.de (Thomas K.H. Bittner) Date: Sun Jul 4 10:05:03 2004 Subject: [SC-Help] Re: No response References: Message-ID: WazoO wrote: [...] > Your specific question is probably already answered > in a Pinned item at; > http://forum.spamcop.net/forums/index.php?showtopic=1848 ... tnx! Regards, Thomas From MikeE at ster.invalid Sun Jul 4 08:06:06 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sun Jul 4 10:10:03 2004 Subject: [SC-Help] Re: spam that looks like bounces References: Message-ID: Martin Edwards wrote: > Mike Easter wrote: >> keith wrote: >>> I'm sure this has been raised at some point, but there seems to be >>> an increasing amount of junk mail (leaving out the netsky stuff) >>> that looks like a bounce but with a prominent URL in it >> Almost all 'bounces' are actually bounces and cannot be spamcop >> reported. > I can't agree with your first comment: I get dozens of false bounces, > many of them on a Netscape account, which show clearly that they were > virus-generated because they have been stripped. On days when the > spam is not too heavy I do what you say: parse the header and report > them manually. The OP restricted the discussion to *spam* items when he sed "leaving out the netsky stuff" - which I interpreted as virms in general. And, /I/ restricted the discussion to 'bounces' in quotes - in which I was trying to imply or suggest that most of the time that people post something in .spam that is a spam which spamcop interpreted as a bounce which they think is /not/ a bounce, that in fact it is. Also notice the OP's Subject - spam that /looks like/ a bounce - to address what the OP feels is both spam not virm and also he tho't /not/ a bounce. What I was trying to say is that almost all of the time that people have posted a spamitem here which they think is /not/ a bounce, it /is/ a bounce. However, we are or I am making a lot of words about what the OP was 'saying' - when in fact it would be oh so much better if we were actually talking about a particular *item* which the OP had in mind, instead of something hypothetical. Discussing hypothetical vaguely described or referred items instead of the real thing is a big waste of time, IMO. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sun Jul 4 08:15:40 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sun Jul 4 10:20:03 2004 Subject: [SC-Help] Re: author code References: <40e804ab$1_3@news.athenanews.com> Message-ID: *-* Kingdom *-* wrote: > how can I recover my spamcop authourization code?? I need it to work > with spam inspector?? Your spamcop.net [note the dot net] authorization code is found in: - the original spamcop authorization email - within the submit email addy and the website address^1 - a 16 character alphanumeric code - 16charANcodeNMBR ^1 submit.16charANcodeNMBR@spam.spamcop.net &/or http://www.spamcop.net/?code=16charANcodeNMBR OTOH - since your post was 'branded' with the Giant company's branding iron for Spam Inspector, which is associated with spamcop.com [note the dot com] it is possible that you are talking about some authorization code to use for SI. That is, do not confuse spamcop.net with spamcop.com -- Mike Easter kibitzer, not SC admin From xxx at xx.xcom Sun Jul 4 18:40:17 2004 From: xxx at xx.xcom (keith) Date: Sun Jul 4 12:45:22 2004 Subject: [SC-Help] Re: spam that looks like bounces References: Message-ID: "Mike Easter" wrote in message news:cc92v5$9di$1@news.spamcop.net... > Martin Edwards wrote: > > Mike Easter wrote: > >> keith wrote: > >>> I'm sure this has been raised at some point, but there seems to be > >>> an increasing amount of junk mail (leaving out the netsky stuff) > >>> that looks like a bounce but with a prominent URL in it > > >> Almost all 'bounces' are actually bounces and cannot be spamcop > >> reported. > > > I can't agree with your first comment: I get dozens of false bounces, > > many of them on a Netscape account, which show clearly that they were > > virus-generated because they have been stripped. On days when the > > spam is not too heavy I do what you say: parse the header and report > > them manually. > > The OP restricted the discussion to *spam* items when he sed "leaving > out the netsky stuff" - which I interpreted as virms in general. And, > /I/ restricted the discussion to 'bounces' in quotes - in which I was > trying to imply or suggest that most of the time that people post > something in .spam that is a spam which spamcop interpreted as a bounce > which they think is /not/ a bounce, that in fact it is. > > Also notice the OP's Subject - spam that /looks like/ a bounce - to > address what the OP feels is both spam not virm and also he tho't /not/ > a bounce. What I was trying to say is that almost all of the time that > people have posted a spamitem here which they think is /not/ a bounce, > it /is/ a bounce. > > However, we are or I am making a lot of words about what the OP was > 'saying' - when in fact it would be oh so much better if we were > actually talking about a particular *item* which the OP had in mind, > instead of something hypothetical. Discussing hypothetical vaguely > described or referred items instead of the real thing is a big waste of > time, IMO. > > -- > Mike Easter > kibitzer, not SC admin > what's OP? original poster? odd person? olive pear? outrageous prick? overt plucker? my name is Keith From tjtmdREMOVE_THIS at attglobal.net Sun Jul 4 13:26:26 2004 From: tjtmdREMOVE_THIS at attglobal.net (Tanya) Date: Sun Jul 4 12:50:03 2004 Subject: [SC-Help] Re: uncooperative spam References: <40E75547.E479A642@attglobal.net> <40E769B2.9C61A24@attglobal.net> Message-ID: <40E82FB2.31DF32E1@attglobal.net> Glenn Daniels wrote: > "Tanya" wrote in message > news:40E769B2.9C61A24@attglobal.net... > > Glenn Daniels wrote: > > etc.,etc. > > If you posted what you received, it looks like way too much > white space in too many places... I don't have any idea how > it came to be that way, but doubt it was intentional, more > likely an error in the spam forging software. I attempted to > reconstruct the intended *like I read minds?* spam message > by doing nothing more than extracting excess white space > and encountered no problems whatever with the resulting > .eml. I'm guessing my reconstruction is NOT what you > received, but it does support my previous suggestion that > the problem in the .eml was not the work of a creative > spammer. I have posted the reconstruction in .spam > under your post so that you may better judge whether it > looks like what you received. I am suspecting the white > space I removed, removed the "uncooperative" from > the spam as well, like losing the baby in the bath water. the 'uncooperative' was the subject for the news group. the original messages did not have white space (i guess that was due to NOT using ctrl + u) > Bottom line: looks like you received this spam in a > damaged, "spaced out", condition which might make it > difficult to forward if the headers failed to track because > of the damage. No way to begin to guess where the > damage occured. > > Query: Were you able to post/parse the spam using > the websubmit copy-paste procedure? i did and it / they were reported > Apology: sorry, I don't have a clue what the problem > might be... I can remove it, but I can't reproduce it. > Possibly another .help reader has similar experience > and can provide a more intelligent take on the difficulty. > > -Glenn, > without the Mark of the Beast. i've now posted it in .spam using ctrl + u (no white space) thanks sincerely, Tanya From aukword666 at attglobal.net Sun Jul 4 14:12:14 2004 From: aukword666 at attglobal.net (Glenn Daniels) Date: Sun Jul 4 13:15:11 2004 Subject: [SC-Help] confused References: <40e804ab$1_3@news.athenanews.com> Message-ID: "Mike Easter" wrote in message news:cc93h3$a2v$1@news.spamcop.net... > *-* Kingdom *-* wrote: > OTOH - since your post was 'branded' with the Giant company's branding > iron for Spam Inspector, which is associated with spamcop.com [note the > dot com] it is possible that you are talking about some authorization > code to use for SI. > > That is, do not confuse spamcop.net with spamcop.com > Mike: If *_* Kingdom *_* is confused, the confusion is acquired honestly. Whereas http://vww.spamcop.com (note the *vww*) is associated with SI, SI itself sports a link to http://www.spamcop.net and appears to offer to forward reports to user's SpamCop.net account. Such reports, if sent, are never acknowledged as received nor have I ever received any verification that any reports submitted by SI over a six month period have ever been received. That is how I came to begin submitting spams to SpamCop.net for myself. I have since learned that reports I believed I had submitted to nfic@internetmci.com and pyramid@ftc.gov were not likely received either as those addys are no longer valid. Similarly, I have no idea what happens to reports to uce@ftc.gov as the current addy for such complaints is spam@uce.gov. When I started with SI, I actually believed that bounced spams would find their way back to the offending spammer rather than the forged "From:" In all sincerity I believed I was doing a good thing, fighting back against spam. However, I was frustrated that 99% of bounces were unsuccessful, time wasted, and I was greatly pained to learn that I was party to the "brain dead" who bounce spams with the best of intentions and the worst of results. To make matters worse, SI opens port 110 to hackers who seem to know exactly how to attack the vulnerability. I am so thoroughly disabused of my trust in SI that I have completely abandoned using it, but as I have not yet uninstalled it, I feel that in all fairness, we ought not assume that *_* Kingdom *_* is confused by his own design, rather the confusion is integral to SI itself. I am much worse than confused: after six months of mechanically reporting thousands of spams using SI I feel as though I have been played for a fool. And I have only myself to blame for my eager willingness to believe that useful reports were actually being sent to abuse@SpamAbuse.org when in fact that addy blocks all incoming spam reports. As ever, my saving grace is my willingness to learn from my experience and modify my behavior. "Fool me once, no problem; Fool me twice, shame on you; Fool me three times, shame on me". Glenn, "I want to believe" From aukword666 at attglobal.net Sun Jul 4 16:15:23 2004 From: aukword666 at attglobal.net (Glenn Daniels) Date: Sun Jul 4 15:20:04 2004 Subject: [SC-Help] AmazingFreeWorld News Message-ID: Martin: Excuse me before I begin. I have seen your post in .spam and think netiquette would have me wait for you to post a related query in .help. My fault here is aggravated in having no relevant reponse to your post in .spam. Evenso, my rude and irrelevant response is to suggest that you manually post the problem spam to spam@uce.gov , or use the formal online reporting option at the FTC website, and specify a formal complaint such as "invalid unsubscribe offered: no subscribe was ever offered or agreed to" and/or "data mining scam targeting minors" citing "Short survey, FREE tickets, Popcorn, Soda and Candies!". Although I doubt the spammer intended to portray himself as a pedophile, and I believe children need to be protected from those who would abuse their innocence, I also believe children need to learn that we live in a world fraught with many dangers. However right or wrong it may be to scam unsuspecting adults, I am strangely offended by the apparent intent to scam children: how are they to know that this innocent looking "looks like spam", is not in fact a ploy of organized pedophiles seeking easy "marks". To further aggravate the stupidity of my remarks, I am assuming that you have blocklisted the sending IP's: Before most filters reach the blocklists, they screen in emails based on "whitelists" such as address books. No doubt you have already checked, but if you have not, check your address books and ensure that the spam is not being "Whitelisted" in before it reaches your blocking filter rule. At least in principle, if you are blocking "xs4all" in the received header it should not matter that the spam headers later encountered suggest "xs4all" is not DNSBL, although I would be very surprised if it is not. Again, please forgive the rude and irrelevant rant. Although the stupidest response is usually the first one, such a response may serve to prompt more intelligent, more considered responses. Unless, of course, the dialogue goes downhill from here. Glenn, "wish I knew" From MikeE at ster.invalid Sun Jul 4 14:05:21 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sun Jul 4 16:10:03 2004 Subject: [SC-Help] Re: spam that looks like bounces References: Message-ID: keith wrote: > what's OP? > > original poster? odd person? olive pear? outrageous prick? overt > plucker? > > my name is Keith Original poster. Here's a general acronym and abbreviation place which has a usenet section... http://www.utdallas.edu/ir/tcs/techsupp/acronyms.htm ...and the usenet O section has the definition in question also here http://mindprod.com/jgloss/op.html and here http://www.stampinscrappin.com/forums/forumfaq.aspx and here http://catb.org/~esr/jargon/html/index.html and here http://www.e-consultancy.com/knowledge/glossary/default.asp and here http://www.gaarde.org/acronyms/ and even here, for goodness sake http://www.babycenter.com/general/1145946 and many other places. So, it's not like it was an obscure abbreviation. The choice to call the original poster the OP rather than by their name, while citing them/their handle 'automatically' with the newsreader is a very common practice. Don't feel slighted because your name was only mentioned once in my post, while I used OP twice. And don't forget that it is always better to post an example of something you want to discuss than to try to characterize it keith wrote: > there seems to be an > increasing amount of junk mail (leaving out the netsky stuff) that > looks like a bounce but with a prominent URL in it After 6 posts in this thread, there is still uncertainty about just exactly what you were alluding to in the first place, as the OP. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sun Jul 4 14:20:41 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sun Jul 4 16:25:03 2004 Subject: [SC-Help] Re: spam that looks like bounces References: Message-ID: Mike Easter wrote: > Don't feel slighted because your name was only mentioned > once in my post, while I used OP twice. Oops. s/twice/four times/ I used OP 4 times. keith wrote: > my name is Keith Surely you didn't want me to say keith 4 times /after/ the original keith attribute. What's wrong with being the OP? You get to 'own' the thread that way; someone might lose sight of that fact after a few posts. Being the OP has some significance besides being a handy shorthand - it means more than just having a name which contributed in a particular thread. It means that the whole reason that a topic is being discussed in the first place is because the OP brought it up; whatever else happens as topics tend to drift. -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Sun Jul 4 16:25:24 2004 From: nobody at devnull.spamcop.net (Cat) Date: Sun Jul 4 16:30:06 2004 Subject: [SC-Help] Re: AmazingFreeWorld News In-Reply-To: References: Message-ID: Glenn Daniels wrote: > Martin: > Excuse me before I begin. I have seen your post in .spam > and think netiquette would have me wait for you to post > a related query in .help. My fault here is aggravated in > having no relevant reponse to your post in .spam. He didn't need to post about it here in .help since he posted about it in the main spamcop newsgroup (note that's spamcop without anything like .help at the end). I'm not sure why you automatically assumed he'd post the accompanying discussion post to spamcop.help instead of spamcop. You should pop over there and post your reply to him in the thread he started about this titled "kids" although he really should have kept the subject the same over there as he did in .spam since his post over there is related to the post in .spam. From MikeE at ster.invalid Sun Jul 4 15:16:02 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sun Jul 4 17:20:08 2004 Subject: [SC-Help] Re: confused References: <40e804ab$1_3@news.athenanews.com> Message-ID: Glenn Daniels wrote: > "Mike Easter" >> That is, do not confuse spamcop.net with spamcop.com > SI itself sports > a link to http://www.spamcop.net and appears to offer > to forward reports to user's SpamCop.net account. Where is that? I can't find that mentioned at the Giant website. Is that only seen from 'inside' SI? Presumably it/SI might want the SC submit addy as a notify. That /could/ work if SI didn't 'mess up' the item - ie if the headers from SI client to SC were followed immediately by the spamheaders and body, just as if it had been forwarded as an attachment. > To make matters worse, SI opens port 110 to > hackers who seem to know exactly how to attack > the vulnerability. What do you mean? 110 is your pop port. What kind of 'open' does SI do? Do you have something in some ZA Zone Alarm logs or something? -- Mike Easter kibitzer, not SC admin From ob1db at spamcop.net Sun Jul 4 22:06:41 2004 From: ob1db at spamcop.net (David Butler) Date: Sun Jul 4 21:10:04 2004 Subject: [SC-Help] Yet another "links not found" (engine failure with subdomain?) Message-ID: http://www.spamcop.net/sc?id=z533454797zadca6735d766ca87584a9faa8fd7c269z links not found: I don't see ANY reason why not! Tracking link: http://fuizuss.makingthemost.net/sddg/mxp/ No recent reports, no history available Cannot resolve http://fuizuss.makingthemost.net/sddg/mxp/ yet without the subdomain: Parsing input: makingthemost.net host 200.193.29.210 (getting name) no name No recent reports, no history available Routing details for 200.193.29.210 [refresh/show] Cached whois for 200.193.29.210 : abuse@noc.brasiltelecom.net.br mail-abuse@nic.br Using abuse net on abuse@noc.brasiltelecom.net.br abuse net brasiltelecom.net.br = abuse@noc.brasiltelecom.net.br, postmaster@brasiltelecom.net.br, netadmin@noc.brasiltelecom.net.br, mail-abuse@nic.br, antispambr@abuse.net Using abuse net on mail-abuse@nic.br abuse net nic.br = postmaster@nic.br, mail-abuse@nic.br, antispambr@abuse.net Using best contacts abuse@noc.brasiltelecom.net.br postmaster@nic.br postmaster@brasiltelecom.net.br netadmin@noc.brasiltelecom.net.br mail-abuse@nic.br antispambr@abuse.net I refuse to bother postmaster@nic.br postmaster@brasiltelecom.net.br bounces (99 sent : 99 bounces) Using postmaster#brasiltelecom.net.br@devnull.spamcop.net for statistical tracking. antispambr@abuse.net redirects to spambr@admin.spamcop.net Statistics: 200.193.29.210 not listed in bl.spamcop.net More Information.. 200.193.29.210 not listed in dnsbl.njabl.org 200.193.29.210 not listed in dnsbl.njabl.org 200.193.29.210 not listed in cbl.abuseat.org 200.193.29.210 not listed in dnsbl.sorbs.net 200.193.29.210 not listed in relays.ordb.org. Reporting addresses: abuse@noc.brasiltelecom.net.br netadmin@noc.brasiltelecom.net.br mail-abuse@nic.br From aukword666 at attglobal.net Sun Jul 4 22:11:12 2004 From: aukword666 at attglobal.net (Glenn Daniels) Date: Sun Jul 4 21:15:05 2004 Subject: [SC-Help] Re: AmazingFreeWorld News References: Message-ID: "Cat" wrote in message news:cc9p3e$7k6$3@news.spamcop.net... > He didn't need to post about it here in .help since he posted about it > in the main spamcop newsgroup (note that's spamcop without anything like > .help at the end). I'm not sure why you automatically assumed he'd post > the accompanying discussion post to spamcop.help instead of spamcop. You > should pop over there and post your reply to him in the thread he > started about this titled "kids" although he really should have kept the > subject the same over there as he did in .spam since his post over there > is related to the post in .spam. > Well, now, that explains a lot. It's like if it had been a snake it would have bitten me. Seems no matter how many times I looked at the link Help/discussion forum - let your voice be heard I never saw http://www.spamcop.net/forum.shtml. It never registered in my mind that it was a link. Seems I mistook it for a section header for the "quick newsgroup links:" under it, and it actually only registered for me that I was "missing" it because of your feedback. I had never subscribed to that forum or even seen it before just now. However humiliating for me, in all sincerity, thanks for the feedback. Evenso, I sense my entry here is a pointless rant on my part and is way off base for the direction the dialogue "over there" is going and would mostly be an uninvited intrusion, so I don't expect to repeat this mistake "over there". Glenn From MikeE at ster.invalid Sun Jul 4 19:37:39 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sun Jul 4 21:40:09 2004 Subject: [SC-Help] Re: Yet another "links not found" (engine failure with subdomain?) References: Message-ID: David Butler wrote: www.spamcop.net/sc?id=z533454797zadca6735d766ca87584a9faa8fd7c269z > > links not found: I don't see ANY reason why not! It /isn't/ links not found. It /is/ that the link doesn't resolve. Quite a difference. > Tracking link: http://fuizuss.makingthemost.net/sddg/mxp/ > No recent reports, no history available > Cannot resolve http://fuizuss.makingthemost.net/sddg/mxp/ That is exactly correct. The link doesn't resolve. There is no notify for a link which doesn't resolve. > yet without the subdomain: What is your point in resolving the subdomain? I don't get it. The spamvertised link is above. Resolving something else has nothing to do with the issue. SC found the link. It doesn't resolve. Case closed. Next case. -- Mike Easter kibitzer, not SC admin From redwolfe_98 at nospam.com Sun Jul 4 23:05:57 2004 From: redwolfe_98 at nospam.com (redwolfe_98) Date: Sun Jul 4 22:10:05 2004 Subject: [SC-Help] Cookie Problem Message-ID: there seems to be a problem with cookies at spamcop.. i cannot login.. it says, "browser did not accept cookie".. i tried every way i knew to get my browser to accept the cookie.. i did not have this problem before, until just now.. From redwolfe_98 at nospam.com Sun Jul 4 23:20:10 2004 From: redwolfe_98 at nospam.com (redwolfe_98) Date: Sun Jul 4 22:25:03 2004 Subject: [SC-Help] Re: Cookie Problem References: Message-ID: ok.. it looks like if i turn off all the "privacy" features in zone alarm (4.5), them the cookie will be recognized.. still, this only recently became an issue (sunday nite).. i wish i could figure some way to use spamcop without reconfiguring my firewall every time i use the spamcop website, using the lowest security settings (which i aready had set, i thought).. From redwolfe_98 at nospam.com Sun Jul 4 23:27:45 2004 From: redwolfe_98 at nospam.com (redwolfe_98) Date: Sun Jul 4 22:30:03 2004 Subject: [SC-Help] Re: Cookie Problem References: Message-ID: nevermind.. i think it is a bug in the firewall, in its "cookie control".. i just started using it.. i had a similar problem logging into the zone labs forums, last night.. From nobody at devnull.spamcop.net Sun Jul 4 22:36:41 2004 From: nobody at devnull.spamcop.net (WazoO) Date: Sun Jul 4 22:40:03 2004 Subject: [SC-Help] Re: Yet another "links not found" (engine failure with subdomain?) References: Message-ID: "David Butler" wrote in message news:cca9it$sv7$1@news.spamcop.net... > http://www.spamcop.net/sc?id=z533454797zadca6735d766ca87584a9faa8fd7c269z > > Tracking link: http://fuizuss.makingthemost.net/sddg/mxp/ > No recent reports, no history available Huge thread already exists on this Domain in the spamcop group. From h9vzc2i02 at sneakemail.com Sun Jul 4 21:10:14 2004 From: h9vzc2i02 at sneakemail.com (Anon_) Date: Sun Jul 4 23:15:05 2004 Subject: [SC-Help] Re: Cookie Problem References: Message-ID: "redwolfe_98" wrote in message news:ccadso$1jd$1@news.spamcop.net... > ok.. it looks like if i turn off all the "privacy" features in zone alarm > (4.5), them the cookie will be recognized.. still, this only recently became > an issue (sunday nite).. i wish i could figure some way to use spamcop > without reconfiguring my firewall every time i use the spamcop website, > using the lowest security settings (which i aready had set, i thought).. > > ** See my comment of July 1, 2004 at 8:19 pm - subject: "Re: Cannot log into IMAP mailserver as" for suggestions about ZA stopping some sites. -- A SpamCop user and forum reader, Not Admin *** From aukword666 at attglobal.net Mon Jul 5 00:18:07 2004 From: aukword666 at attglobal.net (Glenn Daniels) Date: Sun Jul 4 23:20:04 2004 Subject: [SC-Help] Re: Cookie Problem References: Message-ID: "redwolfe_98" wrote in message news:ccad23$r0$1@news.spamcop.net... > there seems to be a problem with cookies at spamcop.. i cannot login.. it > says, "browser did not accept cookie".. i tried every way i knew to get my > browser to accept the cookie.. i did not have this problem before, until > just now.. > I probably saw where you posted your "browser" in some other posting, but can't remember... Because "cookie management" is quite browser specific, I would "hang" on the query for want of more data... In NS, all cookies are string entries within a single "file" while in IE, each cookie "string" has its own "file" within the Cookies folder. Each way of managing cookies has its quirks. Although opening, writing to, and closing a file sounds straightforward enough, problems can arise for example if an open file is not closed prior to a new instruction to open it. Then debugging routines may lock the file in its opened state which effectively creates a read only attribute for the file. If the file continues in its open and locked state, that can really hang programs trying to access that file for use. And if the file is left in that state on system shutdown, the data in memory may fail to write to the drive creating an allocation error: in other words disk space is allocated for the file, the data may or may not be there, and the file was never formally closed and discrepancies can occur between the primary and backup file allocation tables. To complicate things, even if you close and reopen the browser, your OS or another disk utility may intervene and "lock" the disk as well to avoid having further errors written to the disk. Without knowing more about the nature of the problem, I would shut down the computer, wait for the RAM to go cold and reboot. Then, if it is an option, run a disk utility as Scandisk or NDD in DOS mode. Once your OS loads, the disk FATs, with any errors may be loaded to 32 bit RAM as virtual FATs (VFAT.vxd) making repairs all but unworkable using 32bit disk utilities. So, once the OS is back online, you will need to run a disk utility again to to ensure the integrity of the file system/ disk. If these procedures fail to resolve the problem, you could search (for IE) the cookies folder for files modified in the past 24 hours and try to identify and remove the SC cookie as it may be itself corrupt and as such not possible for IE to open without reproducing the difficulty repeatedly. I can't really hope to be helpful without more information. I use IE and NS (Mozilla 1.7) exclusively, and other forum participants have their own preferences. I am comfortable with these browsers because of prolonged familiarity, not because they are better for others, but because I never have problems with them I have not seen before and worked through. The bottom line is, without clarification, your query is essentially unanswerable. Glenn From h9vzc2i02 at sneakemail.com Sun Jul 4 21:19:55 2004 From: h9vzc2i02 at sneakemail.com (Anon_) Date: Sun Jul 4 23:25:03 2004 Subject: [SC-Help] Re: AmazingFreeWorld News References: Message-ID: "Glenn Daniels" wrote in message news:cca9r6$t6n$1@news.spamcop.net... > "Cat" wrote in message > news:cc9p3e$7k6$3@news.spamcop.net... > > > He didn't need to post about it here in .help since he posted about it > > in the main spamcop newsgroup (note that's spamcop without anything like > > .help at the end). I'm not sure why you automatically assumed he'd post > > the accompanying discussion post to spamcop.help instead of spamcop. You > > should pop over there and post your reply to him in the thread he > > started about this titled "kids" although he really should have kept the > > subject the same over there as he did in .spam since his post over there > > is related to the post in .spam. > > > > Well, now, that explains a lot. It's like if it had been a snake it > would have bitten me. Seems no matter how many times > I looked at the link > Help/discussion forum - let your voice be heard > I never saw > http://www.spamcop.net/forum.shtml. > It never registered in my mind that it was a link. > Seems I mistook it for a section header for the > "quick newsgroup links:" under it, and it actually > only registered for me that I was "missing" it > because of your feedback. I had never subscribed > to that forum or even seen it before just now. > > However humiliating for me, in all sincerity, > thanks for the feedback. > > Evenso, I sense my entry here is a pointless rant > on my part and is way off base for the direction > the dialogue "over there" is going and would > mostly be an uninvited intrusion, so I don't expect > to repeat this mistake "over there". > > Glenn > > ** Actually the correct link to the /actual/ forua is http://forum.spamcop.net/forums/ note the "forum" in front of the "spamcop.net". The link in the above post just gives you page with the news.spamcop.net "forua" -- A SpamCop user and forum reader, Not Admin *** From aukword666 at attglobal.net Mon Jul 5 00:31:25 2004 From: aukword666 at attglobal.net (Glenn Daniels) Date: Sun Jul 4 23:35:03 2004 Subject: [SC-Help] Re: Cookie Problem References: Message-ID: "Glenn Daniels" wrote in message news:ccah95$5l5$1@news.spamcop.net... > "redwolfe_98" wrote in message > news:ccad23$r0$1@news.spamcop.net... > > there seems to be a problem with cookies at spamcop.. i cannot login.. it > > says, "browser did not accept cookie".. i tried every way i knew to get my > > browser to accept the cookie.. i did not have this problem before, until > > just now.. After sending the above, it appears that my input has been "Overtaken by Events". I ask again, are you using IE? If so, go to "Properties", "Privacy" tab and elect to "override cookie handling for individual websites". This may permit you to have secure cookie settings in the general instance, while allowing for a greater trust at a specific site. Glenn From xxx at xx.xcom Mon Jul 5 06:15:24 2004 From: xxx at xx.xcom (keith) Date: Mon Jul 5 00:20:07 2004 Subject: [SC-Help] Re: spam that looks like bounces References: Message-ID: "Mike Easter" wrote in message news:cc9otl$7id$1@news.spamcop.net... > Mike Easter wrote: > > Don't feel slighted because your name was only mentioned > > once in my post, while I used OP twice. > > Oops. s/twice/four times/ > > I used OP 4 times. > > keith wrote: > > my name is Keith > > Surely you didn't want me to say keith 4 times /after/ the original > keith attribute. What's wrong with being the OP? You get to 'own' the > thread that way; someone might lose sight of that fact after a few > posts. Being the OP has some significance besides being a handy > shorthand - it means more than just having a name which contributed in a > particular thread. It means that the whole reason that a topic is being > discussed in the first place is because the OP brought it up; whatever > else happens as topics tend to drift. > > -- > Mike Easter > kibitzer, not SC admin > I'm teasing, Mike! did you say that there was some confusion as to what I was asking about? basically the spam I am getting seems to have moved in two directions, neither of which I can report to SC (surprise, surprise) one is the 'bounce' that has a URL in it - it seems from your replies I would have to do this manually the other type is the 'mail undelivered' of which I am getting a large amount just lately Keith From nobody at spamcop.net Sun Jul 4 22:09:14 2004 From: nobody at spamcop.net (Ellen) Date: Mon Jul 5 00:35:04 2004 Subject: [SC-Help] Re: Yet another "links not found" (engine failure with subdomain?) References: Message-ID: "David Butler" wrote in message news:cca9it$sv7$1@news.spamcop.net... > http://www.spamcop.net/sc?id=z533454797zadca6735d766ca87584a9faa8fd7c269z > > links not found: I don't see ANY reason why not! > > > Tracking link: http://fuizuss.makingthemost.net/sddg/mxp/ > No recent reports, no history available > > Cannot resolve http://fuizuss.makingthemost.net/sddg/mxp/ > > yet without the subdomain: > I believe we just had a discussion about this very situation over in spamcop yesterday. Ellen From nobody at devnull.spamcop.net Mon Jul 5 00:56:17 2004 From: nobody at devnull.spamcop.net (Cat) Date: Mon Jul 5 01:00:02 2004 Subject: [SC-Help] Re: AmazingFreeWorld News In-Reply-To: References: Message-ID: Glenn Daniels wrote: > "Cat" wrote in message > news:cc9p3e$7k6$3@news.spamcop.net... >>You >>should pop over there and post your reply to him in the thread he >>started about this titled "kids" although he really should have kept the >>subject the same over there as he did in .spam since his post over there >>is related to the post in .spam. > Well, now, that explains a lot. It's like if it had been a snake it > would have bitten me. Seems no matter how many times > I looked at the link > Help/discussion forum - let your voice be heard > I never saw > http://www.spamcop.net/forum.shtml. If you're not subscribed to everything on the news server, check your newsreader to see the other groups on the SpamCop server that you can subscribe to. I'm surprised you found the .help newsgroup on your newsreader first before the main spamcop group since .help isn't listed on the forum link page any more. I guess you must have subscribed to this one before they took down the link to it. The groups listed on the forum page are spamcop, spamcop.social, spamcop.geeks, and spamcop.spam. From aukword666 at attglobal.net Mon Jul 5 03:04:07 2004 From: aukword666 at attglobal.net (Glenn Daniels) Date: Mon Jul 5 02:05:03 2004 Subject: [SC-Help] Re: confused References: <40e804ab$1_3@news.athenanews.com> Message-ID: Mike Easter wrote: > Glenn Daniels wrote: > > SI itself sports > > a link to http://www.spamcop.net and appears to offer > > to forward reports to user's SpamCop.net account. > > Where is that? I can't find that mentioned at the Giant website. Is > that only seen from 'inside' SI? Presumably it/SI might want the SC > submit addy as a notify. That /could/ work if SI didn't 'mess up' the > item - ie if the headers from SI client to SC were followed immediately > by the spamheaders and body, just as if it had been forwarded as an > attachment. Exactly. It appears on the "Report" window as a link at first. After entering the registered SC email addy a checkbox for submitting reports to SC is added under the box for SpamAbuse.org. In trying to submit spam as attachments to the listed addy for SpamAbuse.org, all are rejected as spam because the account is Brightmail protected. No spams reported to SC through SI are acknowledged, so they are not even generating an "error encountered" or "spam received" autoresponder. So it is unclear what if anything is sent. > > To make matters worse, SI opens port 110 to > > hackers who seem to know exactly how to attack > > the vulnerability. > > What do you mean? 110 is your pop port. What kind of 'open' does SI > do? Do you have something in some ZA Zone Alarm logs or something? I mean, I may have finished sending/receiving email and during a period when nothing should be coming/going I see a steady flow of data I/O through the SI mailserver. SI "listens" on port 110 and filters the incoming email as "localhost" at 127.0.0.1 and passes the filtered mail to the email client. Even after the mail client is closed, the SI mailserver still reponds to probes on port 110. I use Sygate by way of extensive positive experience with it, and the traffic log records the unwanted activity I refer to. Before installing SI, the system tested as completely "stealthed" on all ports. After installing SI, the system tested either as stealthed on all ports except 80 an 110, which reported as "closed" but responding to probes, or, all ports from 80 or 110 and up reported as closed but responding to probes. The non-stealthed status of the firewall was not anticipated, but was revealed on testing the firewall after what I perceived was an attack through the SI mailserver client. I have restored the stealthed status of the ports by use of additional firewall rules blocking traffic at ports 80 and 110. Observing the unsolicited traffic through the SI mailserver client, I thought it might be some sort of autoupdate, but that did not bear out. Although there was no serious harm to the system, and there was no evidence of a viral intrusion, a third port used by trojans was rendered "closed" rather than stealthed. Nor McAfee, nor Ontrack, nor Norton, nor Avast! found any evidence of a viral intrusion or trojan, but an additional scan using AdAware picked up registry modifications in the shell menu entries for .reg and .scr filetypes. Rather than the default values of "Merge" and "Test", the defaults had been changed to simply "Open". These mods could make the system a bit more vulnerable to a virus received as an email attachment with those extensions. That AdAware defs picked up the mods tells me that my experience is not unique: It would appear that there is a network aware virus in the environment capable of probing ports that are not stealthed, and making changes in security of the target machine to make it more vulnerable to further intrusion. Anyway, Mike, these are just petty gripes, nothing I meant to make a big issue of. The real "slap in the face" wakeup call was finding out I had probably bounced spams not to the originating IP's but to forged "From:" addresses taken from the spam forge's mailing list to be used as the "sender" for that particular run. I seriously expected SI to ignore that shammed "From:" as SC does: "bounce" to me does not mean deflect to a target of opportunity but send it back from whence it came. SI did not make it clear that that would never happen, and that it does not is not acceptable. Besides, it goes way off the mark: You were taking exception to the OP's wanting the SC code for use with SI, suggesting he might be confused. And I am taking exception to that: the OP is not confused, SI makes it appear that reports will be sent to SC, where experience suggests things may not be as they appear to be... Glenn, confused, but learning From aukword666 at attglobal.net Mon Jul 5 04:10:52 2004 From: aukword666 at attglobal.net (Glenn Daniels) Date: Mon Jul 5 03:15:04 2004 Subject: [SC-Help] Re: AmazingFreeWorld News References: Message-ID: "Cat" wrote: > I guess you must have subscribed to > this one before they took down the link to it. The groups listed on the > forum page are spamcop, spamcop.social, spamcop.geeks, and spamcop.spam. > No, I think I clicked on "General Help" near the bottom of the SC login page... I've never "done" a newsgroup of any kind before, so it is a lot like being "lost in the woods"... but being too old to get excited, I'm not likely to come to much harm! And I have been pleased that people here have tried to be helpful however they may be shocked at my ignorance. Glenn From redwolfe_98 at nospam.com Mon Jul 5 05:52:43 2004 From: redwolfe_98 at nospam.com (redwolfe_98) Date: Mon Jul 5 04:56:03 2004 Subject: [SC-Help] Re: Cookie Problem References: Message-ID: it is still not working for me.. the only way i can log in is to turn off all the "privacy" features in zone alarm, even though i have them all custom-set to be "off" for the spamcop webpage.. From ric.gates at bigsleep.org Mon Jul 5 10:02:35 2004 From: ric.gates at bigsleep.org (Blammo) Date: Mon Jul 5 05:05:38 2004 Subject: [SC-Help] Re: Cookie Problem References: Message-ID: On 05 Jul 2004 redwolfe_98 entered spamcop.help and left news:ccb4sr$2lv$1@news.spamcop.net: > it is still not working for me.. the only way i can log in is to turn off > all the "privacy" features in zone alarm, even though i have them all > custom-set to be "off" for the spamcop webpage.. > > > In my opinion the ZoneAlarm web features are completely useless, especially if you don't use IE. -- | Ric | From MikeE at ster.invalid Mon Jul 5 03:04:09 2004 From: MikeE at ster.invalid (Mike Easter) Date: Mon Jul 5 05:10:13 2004 Subject: [SC-Help] Re: confused References: <40e804ab$1_3@news.athenanews.com> Message-ID: Glenn Daniels wrote: > Mike Easter wrote: >> That /could/ work if SI didn't 'mess up' >> the item - ie if the headers from SI client to SC were followed >> immediately by the spamheaders and body, just as if it had been >> forwarded as an attachment. > In trying to submit spam as attachments to the listed addy for > SpamAbuse.org, all are rejected as spam because the account > is Brightmail protected. No spams reported to SC through > SI are acknowledged, so they are not even generating > an "error encountered" or "spam received" autoresponder. > So it is unclear what if anything is sent. I can't investigate the old spamabuse.org site because it is currently offline. That's a giant company site as well, just like spamcop.com is a 'front' for SI/Giant. In the case of spamabuse - it is actually registered to giant, just like the giantcompany.com site is - spamcop.com is registered to interspectrum, for some reason. > I mean, I may have finished sending/receiving email and during > a period when nothing should be coming/going I see a steady > flow of data I/O through the SI mailserver. SI "listens" on > port 110 and filters the incoming email as "localhost" > at 127.0.0.1 and passes the filtered mail to the email client. > Even after the mail client is closed, the SI mailserver still > reponds to probes on port 110. I use Sygate by way > of extensive positive experience with it, and the traffic log > records the unwanted activity I refer to. Until I did some more reading, I didn't realize that SI acts as a proxy for your mua; so it changes the configurations for the mua so that the mua accesses SI and SI accesses your mailserver. I should've realized that by whatall it does. It turns out that SI has a lot more correspondence going on than just acting as proxy. Among other things it has its automatic update function.so it needs/wants to have all kinds of access past the firewall. > Observing the unsolicited > traffic through the SI mailserver client, I thought > it might be some sort of autoupdate, but that did > not bear out. Here's what SI wants the ZA firewall to let thru' [full Program Internet access]... siSpamFilterEngine.exe siBounceMailService.exe siClientUI.exe siGlobalReport.exe siMailProxyServer.exe (needs run as server access as well) siMain.exe siRemoteUpdateService.exe ... and some components > The real "slap > in the face" wakeup call was finding out I had > probably bounced spams not to the originating > IP's but to forged "From:" addresses taken > from the spam forge's mailing list to be used as > the "sender" for that particular run. The bouncing functions of SI and MW MailWasher are definitely bad news and both of them mislead the user to believe they are helpful and/or harmless. Look how many 'nefarious' things SI does - pretending to be spamcop and then also hiding under the 'vww' trick, bogus bouncing, plus branding users with promotional trailers > Besides, it goes way off the mark: Well, as far as I'm concerned we are still on the mark of whatall SI is up to. > You were taking > exception to the OP's wanting the SC code for > use with SI, suggesting he might be confused. I don't know about 'exception' - I considered that he might need the submit information /and/ that he might be confused. > And > I am taking exception to that: the OP is not confused, > SI makes it appear that reports will be sent to SC, > where experience suggests things may not be as > they appear to be... While I consider SI to be full of badness, it might be that the failure to successfully submit to SC might simply be a poor implementation. If we really wanted to help them out, which I don't, an SI user could send themselves a spam report so that we could look at its structure for acceptability to SC. I suspect they screwed that up. -- Mike Easter kibitzer, not SC admin From redwolfe_98 at nospam.com Mon Jul 5 06:13:45 2004 From: redwolfe_98 at nospam.com (redwolfe_98) Date: Mon Jul 5 05:15:18 2004 Subject: [SC-Help] Re: Cookie Problem References: Message-ID: ok, i added spamcop to "trusted zone" in zone alarm, and it is working.. (thanks anon) still, this should not be necessary in order to use spamcop, imo.. i don't have any trouble with any other websites.. From MikeE at ster.invalid Mon Jul 5 03:14:45 2004 From: MikeE at ster.invalid (Mike Easter) Date: Mon Jul 5 05:20:04 2004 Subject: [SC-Help] Re: spam that looks like bounces References: Message-ID: keith wrote: > I'm teasing, Mike! okey dokey. > did you say that there was some confusion as to what I was asking > about? Yes, I don't understand the two directions you mention below. > basically the spam I am getting seems to have moved in two directions, > neither of which I can report to SC (surprise, surprise) > > one is the 'bounce' that has a URL in it - it seems from your replies > I would have to do this manually > > the other type is the 'mail undelivered' of which I am getting a large > amount just lately If you aren't clear on what's going on, you can paste 'the whole enchilada' of each of the 'two directions' in .spam and we can talk about them here. The whole enchilada for a bounced spam typically would consist of bounce headers + little bounce body + spamheaders + spambody with spamvertised url. There may be sometimes be deficiencies of those latter components. That 'bounce' - which is a vague term to me - is a 'belated bounce' - in which the server receiving the spam accepted it for delivery. Then, after accepting the item, it decided that it didn't know what to do with it, so it decided to create a brand new mail item and mail the item to the From: or perhaps Return-Path. That is a very dumb sequence of moves for handling spam or virms based on old smtp philosophy. -- Mike Easter kibitzer, not SC admin From aukword666 at attglobal.net Mon Jul 5 06:57:23 2004 From: aukword666 at attglobal.net (Glenn Daniels) Date: Mon Jul 5 06:00:02 2004 Subject: [SC-Help] Re: confused References: <40e804ab$1_3@news.athenanews.com> Message-ID: "Mike Easter" wrote in message: > Well, as far as I'm concerned we are still on the mark of whatall SI is > up to. > > > You were taking > > exception to the OP's wanting the SC code for > > use with SI, suggesting he might be confused. > > I don't know about 'exception' - I considered that he might need the > submit information /and/ that he might be confused. > I was not taking exception to what you were saying but to what I thought you might be saying (suggesting): I accept all responsibility for the meaning I give your message. I am after all pathologically personalized and privatized in my thought process... you have nothing to do with that! > > And > > I am taking exception to that: the OP is not confused, > > SI makes it appear that reports will be sent to SC, > > where experience suggests things may not be as > > they appear to be... > > While I consider SI to be full of badness, it might be that the failure > to successfully submit to SC might simply be a poor implementation. If > we really wanted to help them out, which I don't, an SI user could send > themselves a spam report so that we could look at its structure for > acceptability to SC. I suspect they screwed that up. > Great f/ups. Thanks much for clearing me up. Now, if OP is taking in what we are sharing by way of experience he may be rewarded with much more than he sought. Or not... Have a Most Excellent day!, Glenn From nobody at spamcop.net Mon Jul 5 09:08:54 2004 From: nobody at spamcop.net (Miss Betsy) Date: Mon Jul 5 09:10:03 2004 Subject: [SC-Help] Re: AmazingFreeWorld News References: Message-ID: > And I have been pleased that people here have > tried to be helpful however they may be shocked > at my ignorance. Everyone has been a newbie sometime. Having a good sense of humor and not whining about how difficult it is have probably made you a lot of friends! I know I generally read your posts - if I have time - even when I am not interested in the topic - because I like your attitude. Miss Betsy BTW, I am 'almost new' to newsgroups - partly a reference to the huge area where I still have no clue and partly a reference to my age. 'almost new' sounds a lot better than 'old'! From peter at loud-n-clear.net Mon Jul 5 16:37:02 2004 From: peter at loud-n-clear.net (Peter Scales) Date: Mon Jul 5 10:45:03 2004 Subject: [SC-Help] ADMINS: Bounce Error Message-ID: Hi How can this be? From the main page: "Bounce error Your email address, peters1956@spamcop.net has returned a bounce: Subject: Please ensure your email account is reliable, then click below: " How can I resolve this? The address @spamcop.net is under your control, not mine... Regards Pete -- Peter Scales From ob1db at spamcop.net Mon Jul 5 12:01:26 2004 From: ob1db at spamcop.net (David Butler) Date: Mon Jul 5 11:05:03 2004 Subject: [SC-Help] Re: Yet another "links not found" (engine failure with subdomain?) References: Message-ID: "WazoO" wrote in message news:ccaerp$2pm$1@news.spamcop.net... > "David Butler" wrote in message > news:cca9it$sv7$1@news.spamcop.net... > > http://www.spamcop.net/sc?id=z533454797zadca6735d766ca87584a9faa8fd7c269z > > > > Tracking link: http://fuizuss.makingthemost.net/sddg/mxp/ > > No recent reports, no history available > > Huge thread already exists on this Domain in the spamcop group. > Didn't see, will look now. Thanks. David From newspost at deletethispart.hypercreations.com Mon Jul 5 16:09:04 2004 From: newspost at deletethispart.hypercreations.com (D. T.) Date: Mon Jul 5 11:10:03 2004 Subject: [SC-Help] "listed" in BL, but not blocked? Message-ID: I have several SC email addresses, and in my blacklist options, I use: SpamCop Blacklist Composite Blocking List SORBS DNSbl Recently, when spams get past the BL's and SpamAssassin into my Inbox, I've been running them through the web-based SC reporting system, and some of the email sources are indeed "listed" with SORBS, and yet aren't getting routed to my Held Mail. Here's an example Tracking URL from one that I just reported: http://www.spamcop.net/sc?id=z534420013z540e8875a3d473f0f40e410ca1d2f3cez In the parsing results, you'll see this about the IP source of the spam: 219.160.69.165 listed in dnsbl.sorbs.net ( 127.0.0.10 ) If the source IP is indeed "listed in dnsbl.sorbs.net" and I've configured my SC email account to use the SORBS DNSbl, then why did this message get through (it wasn't a whitelist issue, BTW)? I posted this on the SC web forum, and someone there responded: "just that an IP is "listed" doesn't necessarily mean that there's an immediate "red alert" flag needed" When does "listed" NOT really mean that an IP is "listed"? TIA, David From ob1db at spamcop.net Mon Jul 5 12:16:32 2004 From: ob1db at spamcop.net (David Butler) Date: Mon Jul 5 11:20:03 2004 Subject: [SC-Help] spam@uce.gov has replaced uce@ftc.gov Message-ID: spam@uce.gov has replaced uce@ftc.gov. Just saw this in someone elses post. Have had the old one in my "user notify" list, no idea why it has not been listed as bouncing. Thought folks would want to know. David From notgiven at nodomain.net Mon Jul 5 12:28:06 2004 From: notgiven at nodomain.net (C. S.) Date: Mon Jul 5 11:30:03 2004 Subject: [SC-Help] Re: spam@uce.gov has replaced uce@ftc.gov References: Message-ID: Sometime around Mon, 5 Jul 2004 11:16:32 -0400, "David Butler" deemed it necessary to offer: > spam@uce.gov has replaced uce@ftc.gov. Just saw this in someone elses post. > Have had the old one in my "user notify" list, no idea why it has not been > listed as bouncing. > > Thought folks would want to know. > > David > Interesting. While there's no mention of this new address being a replacement, it's now shown at this URL: with no reference to the old uce@ftc.gov. A Google search for spam@uce.gov returns "about 44" hits. From MikeE at ster.invalid Mon Jul 5 09:27:36 2004 From: MikeE at ster.invalid (Mike Easter) Date: Mon Jul 5 11:30:07 2004 Subject: [SC-Help] Re: "listed" in BL, but not blocked? References: Message-ID: D. T. wrote: > If the source IP is indeed "listed in dnsbl.sorbs.net" and I've > configured my SC email account to use the SORBS DNSbl, then why did > this message get through (it wasn't a whitelist issue, BTW)? I don't know the answer to your question - and I suppose it is /actually/ a mail question. > When does "listed" NOT really mean that an IP is "listed"? I can answer that question, altho' it doesn't apply to this circumstance, I don't think. For example, sorbs has 10 different dnsbl.sorbs.net 'zones' - [also 3 different rhs.sorbs.net zones] and some people might use one or another or a combination of them. But, that, being sed... the 'naked' dnsbl.sorbs.net zone is the aggregate of the 9 other different specific 'dns' zones - so it should include all of them. In this specific case, the IP is listed as a dynamic or dul, in the dul.dnsbl.sorbs.net *and* dnsbl.sorbs.net the aggregate. If you are crystal clear on how you are using sorbs, then those comments have nothing to do with what you are asking. -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Mon Jul 5 11:59:07 2004 From: nobody at devnull.spamcop.net (WazoO) Date: Mon Jul 5 12:00:27 2004 Subject: [SC-Help] Re: "listed" in BL, but not blocked? References: Message-ID: "D. T." wrote in message news:Xns951D52E5DD52Enewsaddresshypercrea@216.154.195.61... > > I posted this on the SC web forum, and someone there responded: > > "just that an IP is "listed" doesn't necessarily mean that there's an > immediate "red alert" flag needed" > > When does "listed" NOT really mean that an IP is "listed"? That "someone" was me .. and just a bit out of context, I might add. My actual response; =-=-=-=- OK, that last link you provided is just what "we" are looking for, the Tracking URL ... note the sorbs "result", ending with a ".10" .... Most BLs work with a simple set of reactions, no response if the IP isn't listed, a response if it is listed ... the pretty much agreed to 'standard' of a listed item is 127.0.0.2 ... but,, as seen here, some lists have various categories involved in their listings. As stated before, just that an IP is "listed" doesn't necessarily mean that there's an immediate "red alert" flag needed. For example, I know that my IP is in several lists, though not having changed in months, it's still considered as a dynamic IP, therefore should not be seen as any kind of server. There's more that could be said, but ... I'm dealing right now with a 200+ pound white German Shepard that is not happy with some thunder mixed in with the kids down the street tossing out fireworks. =-=-=-=-=- and in yet another / later post; =-=-=-=- I went to SORBS, the ".10" says that it's within a block of dial-up assignments, just as I conjectured. No, I can't say specifically what the SpamCop filter set does with a .10 result, other than to suggest that it's not treated as a "flag" .. possibly just more of an indicator that the e-mail may be suspect, as compared to a known spam spew source. =-=-=-=-=- From nobody at devnull.spamcop.net Mon Jul 5 12:20:46 2004 From: nobody at devnull.spamcop.net (WazoO) Date: Mon Jul 5 12:25:25 2004 Subject: [SC-Help] Re: spam@uce.gov has replaced uce@ftc.gov References: Message-ID: "C. S." wrote in message news:plsie0105804kd45uvjfhuj0duh7bveekp@4ax.com... > > Interesting. > While there's no mention of this new address being a replacement, > it's now shown at this URL: > with no reference to the old uce@ftc.gov. Phone call got the "closed for the day" message, e-mail sent asking about the change, why there is no reference to the old address, what's the difference, etc. ...This new address is on several of the FTC pages, www.ftc.gov/spam and sub-links for instance ... From h9vzc2i02 at sneakemail.com Mon Jul 5 10:27:07 2004 From: h9vzc2i02 at sneakemail.com (Anon_) Date: Mon Jul 5 12:30:02 2004 Subject: [SC-Help] Re: Cookie Problem References: Message-ID: "redwolfe_98" wrote in message news:ccb649$4a4$1@news.spamcop.net... > ok, i added spamcop to "trusted zone" in zone alarm, and it is working.. > (thanks anon) still, this should not be necessary in order to use spamcop, > imo.. i don't have any trouble with any other websites.. > > ** You can always contact ZA's support for a clarification - I have had good luck with them answering questions. -- A SpamCop user and forum reader, Not Admin *** From redwolfe_98 at nospam.com Mon Jul 5 13:50:52 2004 From: redwolfe_98 at nospam.com (redwolfe_98) Date: Mon Jul 5 12:55:01 2004 Subject: [SC-Help] Re: Cookie Problem References: Message-ID: "Glenn Daniels" wrote in message I ask again, are you using IE? If so, go to "Properties", "Privacy" tab and elect to "override cookie handling for individual websites". This may permit you to have secure cookie settings in the general instance, while allowing for a greater trust at a specific site. yes, glenn, i am using ie.. i use the cookie manager in ie with both first- and third-party cookies blocked, but "allowing" selected sites like spamcop, and other sites that i use that require cookies.. thanks.. :) From MikeE at ster.invalid Mon Jul 5 10:57:16 2004 From: MikeE at ster.invalid (Mike Easter) Date: Mon Jul 5 13:00:04 2004 Subject: [SC-Help] Re: "listed" in BL, but not blocked? References: Message-ID: WazoO wrote: > I went to SORBS, the ".10" says that it's within a block of dial-up > assignments, just as I conjectured. No, I can't say specifically what > the SpamCop filter set does with a .10 result, other than to suggest > that it's not treated as a "flag" .. possibly just more of an > indicator that the e-mail may be suspect, as compared to a known spam > spew source. I would hope that when SC gives users the choice to use a particular db like sorbs which has multiple kinds of return codes, that SC will be clear about what the options are, and that SC will treat the result codes 'appropriately' for them. There are many db/s which have a variety of returns other than 127.0.0.2 Here is a little part of sorbs explanation of how it handles various results, with 2 examples, one of which is a 127.0.0.2, which has a specific and limited meaning of http at sorbs. SORBS Return Codes SORBS returns 127.0.0.x codes depending on the database the result is obtained from. In the case of the aggregate zone the same return codes are used.i eg: 4.3.2.1.socks.dnsbl.sorbs.net would return 127.0.0.3 and also 4.3.2.1.dnsbl.sorbs.net would return 127.0.0.3. In the case of multiple entries in more than one database, all codes are returned from the aggregate zone. eg: if 4.3.2.1.http.dnsbl.sorbs.net also returns 127.0.0.2 4.3.2.1.dnsbl.sorbs.net would return both 127.0.0.2 and 127.0.0.3 Return codes are: http.dnsbl.sorbs.net 127.0.0.2 socks.dnsbl.sorbs.net 127.0.0.3 misc.dnsbl.sorbs.net 127.0.0.4 smtp.dnsbl.sorbs.net 127.0.0.5 spam.dnsbl.sorbs.net 127.0.0.6 web.dnsbl.sorbs.net 127.0.0.7 block.dnsbl.sorbs.net 127.0.0.8 zombie.dnsbl.sorbs.net 127.0.0.9 dul.dnsbl.sorbs.net 127.0.0.10 badconf.rhsbl.sorbs.net 127.0.0.11 nomail.rhsbl.sorbs.net 127.0.0.12 -- Mike Easter kibitzer, not SC admin From aukword666 at attglobal.net Mon Jul 5 14:03:10 2004 From: aukword666 at attglobal.net (Glenn Daniels) Date: Mon Jul 5 13:05:03 2004 Subject: [SC-Help] Re: spam@uce.gov has replaced uce@ftc.gov References: Message-ID: "David Butler" wrote in message news:ccbrcb$rh9$1@news.spamcop.net... > spam@uce.gov has replaced uce@ftc.gov. Just saw this in someone elses post. > Have had the old one in my "user notify" list, no idea why it has not been > listed as bouncing. > > Thought folks would want to know. And I thought I was being ignored... Actually the old one still works, I only accessed the new one through a site visit on a quest for submission guidelines. I kinda sorta maybe got the impression that they would kinda sorta maybe see the submission as interesting. Like they would like for you to state a complaint, as I am certain they must see millions of spams. So, when I submitted a spam earlier, I entered: "Complaint: Child Pornography suggested. Also submitted to National Center for Missing & Exploited Children" https://secure.missingkids.com/missingkids/servlet/CybertipServlet?LanguageCountry=en_US or: "Complaint: Solicits popular drugs of abuse" IMO, one sees this stuff so many times that it dulls the senses and we begin to be accepting/ get comfortable with it by way of familiarity. Somehow, I think a "wakeup" message is needed, like why is this a problem or why now is this a problem... Or not... Glenn From nobody at devnull.spamcop.net Mon Jul 5 13:10:11 2004 From: nobody at devnull.spamcop.net (WazoO) Date: Mon Jul 5 13:15:03 2004 Subject: [SC-Help] Re: "listed" in BL, but not blocked? References: Message-ID: "Mike Easter" wrote in message news:ccc1c6$2ia$1@news.spamcop.net... > > I would hope that when SC gives users the choice to use a particular db > like sorbs which has multiple kinds of return codes, that SC will be > clear about what the options are, and that SC will treat the result > codes 'appropriately' for them. There are many db/s which have a > variety of returns other than 127.0.0.2 Like you, I have no idea .. and it's a week-end, so most of the "filter expert" folks are out enjoying life Final voice is JT, who hasn't kicked me an answer yet either > Here is a little part of sorbs explanation of how it handles various > results, with 2 examples, one of which is a 127.0.0.2, which has a > specific and limited meaning of http at sorbs. Right now, I can't remember if I posted the link to the "how to use" page, but the OP had already referenced doing his own lookups there, so figured he could follow that up himself .... From MikeE at ster.invalid Mon Jul 5 11:09:29 2004 From: MikeE at ster.invalid (Mike Easter) Date: Mon Jul 5 13:15:08 2004 Subject: [SC-Help] Re: "listed" in BL, but not blocked? References: Message-ID: WazoO wrote: > There's more that could be said, but ... I'm dealing right now with a > 200+ pound white German Shepard that is not happy with some thunder > mixed in with the kids down the street tossing out fireworks. Yowza! 200+# big guy -- very *BIG* shepherd. I hope his/her hips are doing OK. Get that poor guy some noise cancelling headsets ;-) ....and tell hir to watch hir diet and be sure and exercise when possible.:-) -- Mike Easter kibitzer, not SC admin From newspost at deletethispart.hypercreations.com Mon Jul 5 18:43:36 2004 From: newspost at deletethispart.hypercreations.com (D. T.) Date: Mon Jul 5 13:45:03 2004 Subject: [SC-Help] Re: "listed" in BL, but not blocked? References: Message-ID: "Mike Easter" wrote in news:ccc1c6$2ia$1 @news.spamcop.net: > I would hope that when SC gives users the choice to use a particular db > like sorbs which has multiple kinds of return codes, that SC will be > clear about what the options are, and that SC will treat the result > codes 'appropriately' for them. Hope springs eternal...but no, there doesn't appear to be any detailed info on the third-party blacklists and how they are used when selected in SpamCop mail Options. DT From newspost at deletethispart.hypercreations.com Mon Jul 5 20:00:04 2004 From: newspost at deletethispart.hypercreations.com (D. T.) Date: Mon Jul 5 15:05:04 2004 Subject: [SC-Help] Re: "listed" in BL, but not blocked? References: Message-ID: a brief followup....I ran my own cable broadband IP through the SC web system and came up with this: listed in dnsbl.sorbs.net ( 127.0.0.10 ) So it would be a bad thing if that particular type of SORBS hit was enough to trigger blocking on the SpamCop server. However, I'd still like to know the details of what kind of SORBS listing would actually trigger blocking, given that I've got SORBS DNSbl on my blocking list configuration for my SC mailboxes. I did a little Googling, and found various hits for the following: "listed in dnsbl.sorbs.net ( 127.0.0.6" "listed in dnsbl.sorbs.net ( 127.0.0.7" "listed in dnsbl.sorbs.net ( 127.0.0.10" All those hits are probably to SpamCop parser results. Interesting enough, one of them was to the SC web forums, on an almost identical topic to my own: http://forum.spamcop.net/forums/index.php?showtopic=872 I read through that thread, and the person's question was never fully answered, which I've found frequently to be the case with the web-based SC forums...people lose interest after a dozen or so posts. dt From ob1db at spamcop.net Mon Jul 5 16:35:36 2004 From: ob1db at spamcop.net (David Butler) Date: Mon Jul 5 15:40:02 2004 Subject: [SC-Help] SC or SA not recognizing AOL MXs ?? Message-ID: Second authentic email bounced to held today, maybe it is SpamAssassin, but I also saw an earlier message about mailhosts for AOL not recognizing: http://www.spamcop.net/sc?id=z534772903z199956da369d913f88df250e89f2c683z I think it is an SA error on closer look: X-Spam-Status: hits=6.1 tests=FAKE_HELO_AOL,FROM_ENDS_IN_NUMS,HTML_60_70, HTML_MESSAGE,NO_RDNS_DOTCOM_HELO,NO_REAL_NAME version=2.63 but SC parses source OK: Please make sure this email IS spam: From: KraZZy9202@aol.com (Re: Question for x #3733982001 - NEUMANN U87AI SET LAST TIME OLD PRICE 5 D...) View full message Report Spam to: Re: 64.12.137.4 (Administrator of network where email originates) To: abuse@aol.com (Notes) From ob1dbNOSPAM at spamcop.net Mon Jul 5 16:59:31 2004 From: ob1dbNOSPAM at spamcop.net (David Butler) Date: Mon Jul 5 16:00:03 2004 Subject: [SC-Help] Relay at 81.169.152.110 fixed by Strato.de ! (was:Think SC is trying to report wrong IP) Message-ID: someone can confirm this excellent LOOKING reply, ref: "Your server at 81.169.152.110 may be compromised" I manually LARTed as well as sending through SC to abuse@strato.de: ********** Dear ladies and gentlemen, we come back on your news from the 30.06.04. Please excuse the late answer. We have taken care of the circumstances described by you and can inform you that all other measures were introduced by us. Please, have understanding that we can give you for data security-legal reasons no other information. Many thanks and sincerely Yours STRATO Medien AG Berlin abuse@strato.de --------------------------------------- STRATO Medien AG Pascalstrasse 10 10587 Berlin From ob1db at spamcop.net Mon Jul 5 17:05:59 2004 From: ob1db at spamcop.net (David Butler) Date: Mon Jul 5 16:10:02 2004 Subject: [SC-Help] Re: piloomatic spam Thanks Mike References: Message-ID: "Berny" wrote in message news:cc8ddt$c9d$1@news.spamcop.net... > > > Thanks Mike, I now think some spammer is just trying to bug me, I've been > getting them for weeks, and they've never resolved to a real domain it > seems. I did get one today for a pillomatic.biz (double l instead of o)which > resolved. > I have been getting dozens, all from pillomatic.biz From ric.gates at bigsleep.org Mon Jul 5 21:07:49 2004 From: ric.gates at bigsleep.org (Blammo) Date: Mon Jul 5 16:10:10 2004 Subject: [SC-Help] Re: Cookie Problem References: Message-ID: On 05 Jul 2004 Anon_ entered spamcop.help and left news:ccbvhb$pi$1@news.spamcop.net: > You can always contact ZA's support for a clarification - I have had good > luck with them answering questions. I have a disapointing transcript of a conversation with them. I don't have a problem with their firewall, but why the web features can't be enabled for just one browser is beyond me. And they refuse to admit there is a bug when I clearly point it out. Look at the source of a web page with Zonealarm on, then look again with it off, and you'll see how it modifies, I think, every page. -- | Ric | From ric.gates at bigsleep.org Mon Jul 5 21:18:04 2004 From: ric.gates at bigsleep.org (Blammo) Date: Mon Jul 5 16:20:03 2004 Subject: [SC-Help] Re: uncooperative spam References: <40E75547.E479A642@attglobal.net> <40E769B2.9C61A24@attglobal.net> <40E82FB2.31DF32E1@attglobal.net> Message-ID: On 04 Jul 2004 Tanya entered spamcop.help and left news:40E82FB2.31DF32E1@attglobal.net: > i've now posted it in .spam using ctrl + u (no white space) > thanks > sincerely, > Tanya > I don't know why you were having a problem with it, but "View Full Headers" will show "fancy" headers (note how they are all lined up) and a formatted body (HTML formatted in color, etc.), while CTRL+U will show the raw message. You can close the preview pane and just select a message and press CTRL+U, that way you don't open the spam and don't download any images. This also works in Mozilla and Thunderbird. -- | Ric | From nobody at devnull.spamcop.net Mon Jul 5 16:48:48 2004 From: nobody at devnull.spamcop.net (WazoO) Date: Mon Jul 5 16:50:26 2004 Subject: [SC-Help] Re: "listed" in BL, but not blocked? References: Message-ID: "D. T." wrote in message news:Xns951D7A0FB2836newsaddresshypercrea@216.154.195.61... > a brief followup....I ran my own cable broadband IP through the SC web > system and came up with this: > > listed in dnsbl.sorbs.net ( 127.0.0.10 ) Which is exactly what I said over there, even my own IP would be listed as such, as it is not a static IP. > All those hits are probably to SpamCop parser results. Interesting enough, > one of them was to the SC web forums, on an almost identical topic to my > own: > > http://forum.spamcop.net/forums/index.php?showtopic=872 Almost exactly, the way I read it ..... a ".10" result from SORBS, the same suggestions, the same possibilities offered, the same suggestions ... > I read through that thread, and the person's question was never fully > answered, which I've found frequently to be the case with the web-based SC > forums...people lose interest after a dozen or so posts. That's a pretty strange statement, I must say, even your Topic now showing 22 replies, and factoring in that it's on a long week-end and most of the regulars haven't logged in at all. Funny that you didn't include this last paragraph in your last Forum post .... From nobody at spamcop.net Mon Jul 5 17:55:04 2004 From: nobody at spamcop.net (Ellen) Date: Mon Jul 5 17:00:02 2004 Subject: [SC-Help] Re: ADMINS: Bounce Error References: Message-ID: "Peter Scales" wrote in message news:CouXfQEOeW6AFwJD@loud-n-clear.net... > Hi > > How can this be? From the main page: > > "Bounce error > Your email address, @spamcop.net has returned a bounce: > Subject: > > Please ensure your email account is reliable, then click below: > > " > > How can I resolve this? The address @spamcop.net is under your control, > not mine... > > Regards > > Pete > It looks OK now so I assume that you pushed the resolved button? Ellen From redwolfe_98 at nospam.com Mon Jul 5 18:11:25 2004 From: redwolfe_98 at nospam.com (redwolfe_98) Date: Mon Jul 5 17:15:03 2004 Subject: [SC-Help] Re: Cookie Problem References: Message-ID: thank you all for your patience.. i would not have posted this "problem" here in the forum if i did not think that it was an issue with the spamcop webpage, since i had already tried every way i knew to get my ie browser to "accept" the spamcop cookie.. i seem to have the "problem" resolved.. :) From newspost at deletethispart.hypercreations.com Mon Jul 5 22:16:09 2004 From: newspost at deletethispart.hypercreations.com (D. T.) Date: Mon Jul 5 17:20:03 2004 Subject: [SC-Help] Re: "listed" in BL, but not blocked? References: Message-ID: "WazoO" wrote in news:cccesi$j86$1@news.spamcop.net: > That's a pretty strange statement, I must say, even your Topic now > showing 22 replies, and factoring in that it's on a long week-end > and most of the regulars haven't logged in at all. Funny that you > didn't include this last paragraph in your last Forum post .... Don't go all "black helicopters" on me....it's my own observation of the nature of the web-based SC forums...I can back it up with lots of examples if you like. I posted that comment here because I was referring about the web-based system...I don't want to discourage people who only use the web forum...I think there's still hope, especially if there could be more authoritative answers from people who fully understand the backend issues and less speculation from those of us who don't. :-) dt From nobody at devnull.spamcop.net Mon Jul 5 17:31:20 2004 From: nobody at devnull.spamcop.net (WazoO) Date: Mon Jul 5 17:35:03 2004 Subject: [SC-Help] Re: Cookie Problem References: Message-ID: "redwolfe_98" wrote in message news:cccg5s$l6u$1@news.spamcop.net... > thank you all for your patience.. i would not have posted this "problem" > here in the forum if i did not think that it was an issue with the spamcop > webpage, since i had already tried every way i knew to get my ie browser to > "accept" the spamcop cookie.. i seem to have the "problem" resolved.. :) Just so there's less confusion, you have posted into a "newsgroup" ... quite a bit different than the web-based "Forums" ... From aukword666 at attglobal.net Mon Jul 5 18:52:22 2004 From: aukword666 at attglobal.net (Glenn Daniels) Date: Mon Jul 5 17:55:03 2004 Subject: [SC-Help] Re: Cookie Problem References: Message-ID: "WazoO" wrote: > Just so there's less confusion, you have posted into a > "newsgroup" ... quite a bit different than the web-based > "Forums" ... > Besides, there are myriad things as may go badly just to open, write, and close a file... However, I see I am more oblivious than I would have guessed... I thought they were "same-same", have no idea different, how? Care to start me a new thread on this? Glenn From nobody at devnull.spamcop.net Mon Jul 5 18:24:35 2004 From: nobody at devnull.spamcop.net (WazoO) Date: Mon Jul 5 18:25:04 2004 Subject: [SC-Help] Re: Cookie Problem References: Message-ID: "Glenn Daniels" wrote in message news:cccii7$phb$1@news.spamcop.net... > "WazoO" wrote: > > Just so there's less confusion, you have posted into a > > "newsgroup" ... quite a bit different than the web-based > > "Forums" ... > > However, I see I am more oblivious than I would have > guessed... I thought they were "same-same", have no > idea different, how? Care to start me a new thread on this? I don't understand. You just posted within the last couple of days about the help links and Forums, someone else corrected your link to the Forums ... shouldn't take but a second or two to head off to the Forums and see that there shouldn't be much confusion as to the "small" differences. And to note that just a bit ago, someone posted "here" that they had posted their spam "to the list" which makes very little sense at all, as a "list" is a long way from a newsgroups and/or a web-based Forum. http://forum.spamcop.net/forums/index.php? From aukword666 at attglobal.net Mon Jul 5 21:32:46 2004 From: aukword666 at attglobal.net (Glenn Daniels) Date: Mon Jul 5 20:35:03 2004 Subject: [SC-Help] Re: Cookie Problem References: Message-ID: "WazoO" wrote: [...] Easy, easy... I "see" it now! > http://forum.spamcop.net/forums/index.php? The link was a big help, like I knew I was lost in the woods, but the link put a perspective on where I am. I just was not seeing the forest for the trees. Hopefully, not a permanent condition for me, but it could be. Now edumacate me one further: I know what a blog is. So finish this syllogism: newsgroup:forum::blog:????? Again, thanks, really! Glenn From MikeE at ster.invalid Tue Jul 6 08:49:00 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jul 6 10:55:22 2004 Subject: [SC-Help] Re: Relay at 81.169.152.110 fixed by Strato.de ! (was:Think SC is trying to report wrong IP) References: Message-ID: David Butler wrote: Subject: Relay at 81.169.152.110 fixed by Strato.de ! > someone can confirm this excellent LOOKING reply, ref: > > "Your server at 81.169.152.110 may be compromised" > > I manually LARTed as well as sending through SC to abuse@strato.de: > We have taken care of the circumstances described by you and can > inform you that all other measures were introduced by us. /Fixed/ is a severe overstatement. More like disabled. The issue was that 81.169.152.110 - the #1 mx for teh-x.de - was insecure and had an abusable port 32421 and outputting spam. It was necessary for Ellen to manually untrust it as a server - resulting in its getting SCbl listed for spam - and it was also listed in cbl and dsbl as insecure. Currently the IP is offline - shows no ping, no port 25, no port 32421 - so, in that sense it is a big improvement. The dig still shows teh-x.de as an mx, but it doesn't resolve. The other mx is mx0.serverkompetenz.de which resolves to 81.169.148.65 & .66 - both of which are online, show a port 25 and are unlisted and appear to be secure. So, from that sense the domain's mx/es appear to be secure now. Those IPs are also the mxes for kundenservices.net and call themselves mx0. & mx1.kundenservices.net in that role. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Tue Jul 6 09:17:07 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jul 6 11:20:22 2004 Subject: [SC-Help] Re: Cookie Problem References: Message-ID: Glenn Daniels wrote: > Now edumacate me one further: I know what a blog > is. So finish this syllogism: > newsgroup:forum::blog:????? That 'syllogism' isn't going to work - and it isn't a syllogism. A syllogism is a formal deductive argument involving 3 propositions; major and minor premises and a conclusion. [birds have feathers, penguins are birds, ergo penguins have feathers] You have constructed a 'relationship' or analogy question popularized in IQ tests among other places, which also won't work as constructed. It would be better to stick to 'definitions' which also won't work very well because of 'crossovers' and ambiguities. newsgroup means, mostly, nntp based discussion groups, mainly managed by software of newsservers and newsreaders - largely on usenet a highly structured anarchy, but also publicly private, such as spamcop and grc and others. newsgroups can also be accessed with a browser in their archives, such as google and others, and even by mail. forums is ambiguous - because newsgroups were once called forums - but because of the emerging popularity of webbased forums such as slashdot and myriad others, forum has come to mean browser accessed discussion groups. blog, short for web log, is a web page that serves as a personal journal for an individual, typically, and is publicly accessible. In that sense it is a 'one man' [wo/man] web based 'discussion' group. Bloggers often introduce the commentary from email correspondents as fodder for their commentary. -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Tue Jul 6 11:52:27 2004 From: nobody at devnull.spamcop.net (Cat) Date: Tue Jul 6 11:55:03 2004 Subject: [SC-Help] Re: Cookie Problem In-Reply-To: References: Message-ID: Mike Easter wrote: > That 'syllogism' isn't going to work - and it isn't a syllogism. A > syllogism is a formal deductive argument involving 3 propositions; > major and minor premises and a conclusion. [birds have feathers, > penguins are birds, ergo penguins have feathers] > blog, short for web log, is a web page that serves as a personal journal > for an individual, typically, and is publicly accessible. In that sense > it is a 'one man' [wo/man] web based 'discussion' group. Bloggers often > introduce the commentary from email correspondents as fodder for their > commentary. LiveJournal kind of works as a forum. The journal owner writes the post, and anyone can comment on it. This turns it into a forum and also sends an e-mail notify to the journal owner whenever someone replies or e-mail notifies any time someone replies to one of your posts in another journal (if you're a LiveJournal member). They also have communities where many people can join and post entries and comment to each other. Anyway, not to distract from your original blog description like most blogs do, but I just wanted to mention LiveJournal which sort of works as a forum type deal for people who comment on journal entries. From aukword666 at attglobal.net Tue Jul 6 13:49:34 2004 From: aukword666 at attglobal.net (Glenn Daniels) Date: Tue Jul 6 12:50:06 2004 Subject: [SC-Help] Re: Cookie Problem References: Message-ID: "Cat" wrote: > Mike Easter wrote: [...] Thanks! I should probably aquire a link to a glossary of such terms: anything to be commended? Glenn From MikeE at ster.invalid Tue Jul 6 10:53:57 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jul 6 13:00:02 2004 Subject: [SC-Help] Re: Cookie Problem References: Message-ID: Glenn Daniels wrote: > Thanks! I should probably aquire a link to a glossary of > such terms: anything to be commended? wikipedia and webopedia come about their mission differently, but using both is useful for these issues, including wiki for analogy and syllogism. Wiki is turning into a nice resource, which needs a definition of its own ;-) -- Mike Easter kibitzer, not SC admin From billrubin at prodigy.net Tue Jul 6 14:06:35 2004 From: billrubin at prodigy.net (Bill Rubin) Date: Tue Jul 6 13:10:03 2004 Subject: [SC-Help] Re: No data / Too much data References: Message-ID: <40EADC1B.F81E7D8F@prodigy.net> Mike Easter wrote: > > Don Doumakes wrote: > > I've got similar symptoms. When I try to report this spam > > > a689z> > > I get the "No data / Too much data" error message whether I hit Report > > or Cancel. Thus all the spam in my queue, is stuck. > > I was able to access the parse which was 'live' ie unreported and > uncancelled. I cancelled it, so if you want to report that spam you'll > have to resubmit it. > > Don't be afraid ;-) maybe it'll parse nicely this time. > > -- > Mike Easter > kibitzer, not SC admin Is this problem likely to be fixed? I've got mail with the same problem. http://www.spamcop.net/sc?id=z535114926z70169c32877897e2512c20f696519af1z I had this a few weeks ago, and eventually the problem fixed itself and I was able to process the mail by unclicking a few of the email boxes. Then I had this same problem a couple of weeks ago, and like now, even clicking on "Cancel" generates the error. I can live with not being able to report the spam, but being in a situation where even trying to cancel the submission of the spam causes the error to occur seems like a bug. Bill From billrubin at prodigy.net Tue Jul 6 14:11:09 2004 From: billrubin at prodigy.net (Bill Rubin) Date: Tue Jul 6 13:15:03 2004 Subject: [SC-Help] Please highlight the age of the spam Message-ID: <40EADD2D.DA277429@prodigy.net> It would be nice if Spamcop were to somehow highlight (like use a different color) the age of the spam when on the processing screen. I know that the "Yum, this spam is fresh" used to be in a different color, although of late it seems to be the same as the normal text. I'd really like all of the "Message is nn hours old" messages highlighted just to make it easier to see when I view the page, to decide whether I want to actually submit the spam or not (it may be that it's too old, and from a normal spam source that won't likely get addressed by reporting (like Brazil or China) and will raise my average submission time, so I'll cancel it instead). Thanks.. Bill From MikeE at ster.invalid Tue Jul 6 11:17:19 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jul 6 13:20:04 2004 Subject: [SC-Help] Re: No data / Too much data References: <40EADC1B.F81E7D8F@prodigy.net> Message-ID: Bill Rubin wrote: > Mike Easter wrote: >> I was able to access the parse which was 'live' ie unreported and >> uncancelled. I cancelled it, so if you want to report that spam >> you'll have to resubmit it. >> >> Don't be afraid ;-) maybe it'll parse nicely this time. > Is this problem likely to be fixed? I've got mail with the same > problem. www.spamcop.net/sc?id=z535114926z70169c32877897e2512c20f696519af1z I was able to access the parse, which is 'live' ie unreported and uncancelled. I didn't cancel, but left it live for a little while, say an hour. If you can click it up, do what you want with it -- if it's still there in an hour I'll cancel it. Report Spam to: Re: 200.212.63.5 (Administrator of network where email originates) To: abuse@embratel.net.br (Notes) To: mail-abuse@nic.br (Notes) To: Internal spamcop handling: (spambr) (Notes) Re: 200.212.63.5 (Third party interested in email source) To: Cyveillance spam collection (Notes) Re: http://parceiros.catho.com.br/enviaWCamigo.php (Administrator of network hosting website referenced in spam) To: Internal spamcop handling: (spambr) (Notes) To: mail-abuse@nic.br (Notes) To: abuse@embratel.net.br (Notes) Re: http://www.catho.com.br/out.phtml?e=x (Administrator of network hosting website referenced in spam) To: Internal spamcop handling: (spambr) (Notes) To: mail-abuse@nic.br (Notes) To: abuse@embratel.net.br (Notes) -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Tue Jul 6 11:22:22 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jul 6 13:25:03 2004 Subject: [SC-Help] Re: Please highlight the age of the spam References: <40EADD2D.DA277429@prodigy.net> Message-ID: Bill Rubin wrote: > my average submission time You are taking your average submission time *WAY* too seriously. IMO the 'point' of calculating average submission time was to motivate people to report spam promptly, say as opposed to 'saving it up' all day and submitting it all in one swell foop. That is, push the reporter 'just a little bit' to go to a little extra trouble to submit as timely as 'possible'. The result of people whining about what's wrong with their a.s.t. and declining to report something because it will adversely impact the a.s.t. is a result of 'unintended consequences'. I think it would be a great idea if SC completely jettisoned the a.s.t. -- Mike Easter kibitzer, not SC admin From dkona7b02 at sneakemail.com Tue Jul 6 14:34:06 2004 From: dkona7b02 at sneakemail.com (Spam Hater) Date: Tue Jul 6 13:34:14 2004 Subject: [SC-Help] Re: Please highlight the age of the spam In-Reply-To: <40EADD2D.DA277429@prodigy.net> Message-ID: <3.0.5.32.20040706133406.00fb3e30@loki.fstrf.org> You've already reported the SPAM, doesn't make sense not to submit it! Your average submission time is a meaningless artifact. I have no idea why Julian includes it, but just ignore it!!! As long as the SPAM is under 3 days old, it is submittable. If it is too old, SpamCop won't even let you submit it, so let the parser be the judge... If no one ever reports SPAM more than a few hours old just to keep their average submission time down, then these sites will all be falling off the blocklist that much sooner! :( Ideally, a bunch of people will report them immediately and that will get them listed and then others will report them just shy of the 3 day window and that will keep them on the list the maximum amount of time possible! At 01:11 PM 7/6/2004 -0400, Bill Rubin typed: >It would be nice if Spamcop were to somehow highlight (like use >a different color) the age of the spam when on the processing >screen. I know that the "Yum, this spam is fresh" used to be in >a different color, although of late it seems to be the same as >the normal text. I'd really like all of the "Message is nn hours >old" messages highlighted just to make it easier to see when I >view the page, to decide whether I want to actually submit the >spam or not (it may be that it's too old, and from a normal spam >source that won't likely get addressed by reporting (like Brazil >or China) and will raise my average submission time, so I'll >cancel it instead). From MikeE at ster.invalid Tue Jul 6 13:17:03 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jul 6 15:20:11 2004 Subject: [SC-Help] Re: No data / Too much data References: <40EADC1B.F81E7D8F@prodigy.net> Message-ID: Mike Easter wrote: > Bill Rubin wrote: www.spamcop.net/sc?id=z535114926z70169c32877897e2512c20f696519af1z > > I was able to access the parse, which is 'live' ie unreported and > uncancelled. I didn't cancel, but left it live for a little while, > say an hour. > > If you can click it up, do what you want with it -- if it's still > there in an hour I'll cancel it. Aha. It doesn't want to cancel. No data/ too much data. It has enough room in the buffer to show the whole message and do the parse - but it isn't able to preview the reports, report or cancel. That's cute. -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Tue Jul 6 16:08:23 2004 From: nobody at devnull.spamcop.net (WazoO) Date: Tue Jul 6 16:10:05 2004 Subject: [SC-Help] Re: spam@uce.gov has replaced uce@ftc.gov References: Message-ID: "WazoO" wrote in message news:ccbv4u$vt4$1@news.spamcop.net... > > Phone call got the "closed for the day" message, e-mail > sent asking about the change, why there is no reference > to the old address, what's the difference, etc. ...This new > address is on several of the FTC pages, www.ftc.gov/spam > and sub-links for instance ... OK, called the 1-877-FTC-HELP number, talked to three people that have never heard of the new address, as they also still refer folks to use the uce@ftc.gov ... Their only suggestion was for me to dial up 1-202-326-2830, something like Public Referral Office and see if they have a clue as to where the new address might have came from. Being retired U.S.Army (read that as broke) long distance isn't an option here ... anyone else want to take on the task of figuring out where the individual that has done up the web pages got his/her data? I've got three e-mails out to various addresses, one found on a page, one found as tech in the registration, and of course webmaster .. but no response from any of them either. From billrubin at prodigy.net Tue Jul 6 17:22:25 2004 From: billrubin at prodigy.net (Bill Rubin) Date: Tue Jul 6 16:25:03 2004 Subject: [SC-Help] Re: No data / Too much data References: <40EADC1B.F81E7D8F@prodigy.net> Message-ID: <40EB0A01.712EA7D1@prodigy.net> Mike Easter wrote: > > Mike Easter wrote: > > Bill Rubin wrote: > www.spamcop.net/sc?id=z535114926z70169c32877897e2512c20f696519af1z > > > > I was able to access the parse, which is 'live' ie unreported and > > uncancelled. I didn't cancel, but left it live for a little while, > > say an hour. > > > > If you can click it up, do what you want with it -- if it's still > > there in an hour I'll cancel it. > > Aha. It doesn't want to cancel. No data/ too much data. Ta da! > It has enough room in the buffer to show the whole message and do the > parse - but it isn't able to preview the reports, report or cancel. > That's cute. And really annoying.. Bill From me at privacy.net Tue Jul 6 18:16:52 2004 From: me at privacy.net (Frog Prince) Date: Tue Jul 6 17:25:02 2004 Subject: [SC-Help] Re: spam@uce.gov has replaced uce@ftc.gov References: Message-ID: "WazoO" wrote in message news:ccf0rn$7no$1@news.spamcop.net... | "WazoO" wrote in message | news:ccbv4u$vt4$1@news.spamcop.net... | > | > Phone call got the "closed for the day" message, e-mail | > sent asking about the change, why there is no reference | > to the old address, what's the difference, etc. ...This new | > address is on several of the FTC pages, www.ftc.gov/spam | > and sub-links for instance ... | | OK, called the 1-877-FTC-HELP number, talked to | three people that have never heard of the new address, | as they also still refer folks to use the uce@ftc.gov ... | Their only suggestion was for me to dial up | 1-202-326-2830, something like Public Referral | Office and see if they have a clue as to where the | new address might have came from. Being retired | U.S.Army (read that as broke) long distance isn't | an option here ... anyone else want to take on the | task of figuring out where the individual that has | done up the web pages got his/her data? | | I've got three e-mails out to various addresses, | one found on a page, one found as tech in the | registration, and of course webmaster .. but | no response from any of them either. Call your local congress critter's office let one of the staff worker bees run it down. From me at privacy.net Tue Jul 6 18:18:27 2004 From: me at privacy.net (Frog Prince) Date: Tue Jul 6 17:25:09 2004 Subject: [SC-Help] Re: Please highlight the age of the spam References: <40EADD2D.DA277429@prodigy.net> Message-ID: "Mike Easter" | You are taking your average submission time *WAY* too seriously. | | IMO the 'point' of calculating average submission time was to motivate | people to report spam promptly, say as opposed to 'saving it up' all | day and submitting it all in one swell foop. That is, push the reporter | 'just a little bit' to go to a little extra trouble to submit as timely | as 'possible'. | | The result of people whining about what's wrong with their a.s.t. and | declining to report something because it will adversely impact the | a.s.t. is a result of 'unintended consequences'. | | I think it would be a great idea if SC completely jettisoned the a.s.t. I'd vote for that. I'd be more interested in how many more reports are pending. From baloo at ursine.ca Wed Jul 7 00:01:57 2004 From: baloo at ursine.ca (Paul Johnson) Date: Wed Jul 7 02:05:34 2004 Subject: [SC-Help] Re: spam@uce.gov has replaced uce@ftc.gov References: Message-ID: <873c4473u2.fsf@ursine.ca> "WazoO" writes: > Their only suggestion was for me to dial up 1-202-326-2830, something > like Public Referral Office and see if they have a clue as to where > the new address might have came from. Being retired U.S.Army (read > that as broke) long distance isn't an option here What crappy phone company do you use that all of country code 1 isn't local? From nobody at devnull.spamcop.net Wed Jul 7 19:19:21 2004 From: nobody at devnull.spamcop.net (brewman) Date: Wed Jul 7 02:20:03 2004 Subject: [SC-Help] Re: Please highlight the age of the spam References: <40EADD2D.DA277429@prodigy.net> Message-ID: "Bill Rubin" wrote in message news:40EADD2D.DA277429@prodigy.net... > It would be nice if Spamcop were to somehow highlight (like use > a different color) the age of the spam when on the processing > screen. I know that the "Yum, this spam is fresh" used to be in > a different color, although of late it seems to be the same as > the normal text. I'd really like all of the "Message is nn hours > old" messages highlighted just to make it easier to see when I > view the page, to decide whether I want to actually submit the > spam or not (it may be that it's too old, and from a normal spam > source that won't likely get addressed by reporting (like Brazil > or China) and will raise my average submission time, so I'll > cancel it instead). AFAIK cancelling does no good. I've just been bombed with over 100 bounced spam and still counting :-( . I waited around 24 hours before starting 'processing' it through SC thru' web page (but NOT submitting!). By the time I'd finished, my 3 hour average had dropped to 4 hours. The only explanation that I can give, is that even cancelled parsing counts towards average. -- Brewman Brewman.SpamCop@brycom.cX.nX which really ends with dot co dot nz From flippetyfloo at fake.com Wed Jul 7 00:28:07 2004 From: flippetyfloo at fake.com (RandallW) Date: Wed Jul 7 02:30:03 2004 Subject: [SC-Help] Re: spam@uce.gov has replaced uce@ftc.gov References: <873c4473u2.fsf@ursine.ca> Message-ID: "Paul Johnson" wrote in message news:873c4473u2.fsf@ursine.ca... > > > What crappy phone company do you use that all of country code 1 isn't > local? > America has multiple crappy phone companies, spread through multiple time zones. Calling someone 2000 miles away isn't 'local'. From gospamming at yourdomain.invalid Wed Jul 7 08:02:40 2004 From: gospamming at yourdomain.invalid (D.Diaz) Date: Wed Jul 7 03:05:04 2004 Subject: [SC-Help] Re: No data / Too much data References: <40EADC1B.F81E7D8F@prodigy.net> <40EB0A01.712EA7D1@prodigy.net> Message-ID: Bill Rubin wrote in news:40EB0A01.712EA7D1@prodigy.net: >> Aha. It doesn't want to cancel. No data/ too much data. > > Ta da! > >> It has enough room in the buffer to show the whole message and do the >> parse - but it isn't able to preview the reports, report or cancel. >> That's cute. > > And really annoying.. > > Bill > I've come across a similar one, myself. No data / Too much data if I tried to report it, No data / Too much data if I tried to cancel it. What I did to cancel it without having to go to the "Remove all unreported spam" link was the following: * Uncheck all the checkboxes * Press the Cancel button -- Daniel Diaz My personal email: ddiazxn @ telefonica . net From nobody at spamcop.net Wed Jul 7 14:32:19 2004 From: nobody at spamcop.net (JohnL) Date: Wed Jul 7 09:35:02 2004 Subject: [SC-Help] Re: spam@uce.gov has replaced uce@ftc.gov References: <873c4473u2.fsf@ursine.ca> Message-ID: Paul Johnson scribbled in news:873c4473u2.fsf@ursine.ca: > "WazoO" writes: > >> Their only suggestion was for me to dial up 1-202-326-2830, >> something like Public Referral Office and see if they have a clue >> as to where the new address might have came from. Being retired >> U.S.Army (read that as broke) long distance isn't an option here > > What crappy phone company do you use that all of country code 1 > isn't local? > Uh, Canada (At least in Alberta), you have to use 1-(area code)- number even calling within the same area code if it is out of the local area. From me at privacy.net Wed Jul 7 11:16:58 2004 From: me at privacy.net (Frog Prince) Date: Wed Jul 7 10:40:11 2004 Subject: [SC-Help] Re: spam@uce.gov has replaced uce@ftc.gov References: <873c4473u2.fsf@ursine.ca> Message-ID: "JohnL" | > | >> Their only suggestion was for me to dial up 1-202-326-2830, | >> something like Public Referral Office and see if they have a clue | >> as to where the new address might have came from. Being retired | >> U.S.Army (read that as broke) long distance isn't an option here | > | > What crappy phone company do you use that all of country code 1 | > isn't local? | > | | Uh, Canada (At least in Alberta), you have to use 1-(area code)- number | even calling within the same area code if it is out of the local area. The 1+ requirement for all toll calls is the norm in most of the USA as well. There are exceptions when the local phone company has zoned the billing even within the local exchange to provide a 'service' where the caller is not required to dial 1+ but is billed as a metered call. I've seem cases where there is a toll call across a street where both calling party and the called party are served by the same switching office. From nobody at spamcop.net Wed Jul 7 15:44:41 2004 From: nobody at spamcop.net (JohnL) Date: Wed Jul 7 10:45:02 2004 Subject: [SC-Help] Re: spam@uce.gov has replaced uce@ftc.gov References: <873c4473u2.fsf@ursine.ca> Message-ID: "Frog Prince" scribbled in news:cch1ud$6f5$1@news.spamcop.net: > The 1+ requirement for all toll calls is the norm in most of the > USA as well. There are exceptions when the local phone company > has zoned the billing even within the local exchange to provide a > 'service' where the caller is not required to dial 1+ but is > billed as a metered call. > > I've seem cases where there is a toll call across a street where > both calling party and the called party are served by the same > switching office. I "think" I remember (age) when I was living in So. Cal. that if it was in the same area code, the toll call would go thru. I only remember using the 1+ for calling a different area code. From ob1db at spamcop.net Wed Jul 7 12:14:21 2004 From: ob1db at spamcop.net (David Butler) Date: Wed Jul 7 11:15:02 2004 Subject: [SC-Help] no reports sent, not even devnull ?? Message-ID: spot checking my quick reports, saw this: Processing spam: From: cetucyinqztn@spray.se Subject: gaul error:ISP has indicated spam will cease; ISP resolved this issue sometime after Tue Jul 6 23:01:00 2004 GMT http://www.spamcop.net/sc?id=z537763758zf960a936859ba92e1f4ffd31eb8df0ddz with no reports or devnull. (and was received early today so it ain't ceased yet!) the report was actually strangely mangled, here it is as it was in my email: Processing spam: From: cetucyinqztn@spray.se Subject: gaul error:ISP has indicated spam will cease; ISP resolved this issue sometime after Tue Jul 6 23:01:00 2004 GMThttp://www.spamcop.net/sc?id=z537763758zf960a936859ba92e1f4ffd31eb8df0ddz Processing spam: From: ggetfitm32kg03bj@hotmail.com Subject: Don't just do it!!.. ; ) /dev/null'ing report for postmaster#tm.net.my@devnull.spamcop.net /dev/null'ing report for tmcops#tm.net.my@devnull.spamcop.net Spam report id 1100430145 sent to: abuse@tm.net.my May be saved for future reference: http://www.spamcop.net/sc?id=z537763752zd7bb3b2d472aa2bc562dcb35e653dfbcz see where the GMT got attached to the first tracker? And the second report kinda mushed in ?? From me at privacy.net Wed Jul 7 12:34:35 2004 From: me at privacy.net (Frog Prince) Date: Wed Jul 7 11:35:02 2004 Subject: [SC-Help] Re: spam@uce.gov has replaced uce@ftc.gov References: <873c4473u2.fsf@ursine.ca> Message-ID: "JohnL" | | > The 1+ requirement for all toll calls is the norm in most of the | > USA as well. There are exceptions when the local phone company | > has zoned the billing even within the local exchange to provide a | > 'service' where the caller is not required to dial 1+ but is | > billed as a metered call. | > | > I've seem cases where there is a toll call across a street where | > both calling party and the called party are served by the same | > switching office. | | I "think" I remember (age) when I was living in So. Cal. that if it was | in the same area code, the toll call would go through. I only remember | using the 1+ for calling a different area code. I recall 10+ years back that that was the norm for LA but then every call in LA was a metered call. Just calling my land lord two apartments over was a metered call. From h9vzc2i02 at sneakemail.com Wed Jul 7 11:22:06 2004 From: h9vzc2i02 at sneakemail.com (Anon_) Date: Wed Jul 7 13:25:02 2004 Subject: [SC-Help] Re: spam@uce.gov has replaced uce@ftc.gov References: <873c4473u2.fsf@ursine.ca> Message-ID: "Paul Johnson" wrote in message news:873c4473u2.fsf@ursine.ca... > "WazoO" writes: > > > Their only suggestion was for me to dial up 1-202-326-2830, something > > like Public Referral Office and see if they have a clue as to where > > the new address might have came from. Being retired U.S.Army (read > > that as broke) long distance isn't an option here > > What crappy phone company do you use that all of country code 1 isn't > local? > ** Actually, more and more of the normal, usual, big telephone companies are requiring the 1+ for local calls (I think this may be an outgrowth of the "portable number" and cell phone use explosion.) -- A SpamCop user and forum reader, Not Admin *** From nobody at devnull.spamcop.net Wed Jul 7 22:01:54 2004 From: nobody at devnull.spamcop.net (Robert Slade) Date: Wed Jul 7 16:15:10 2004 Subject: [SC-Help] Something Odd Message-ID: Dear all, I have posted about this before but I am still getting spam with encripted titles. The latest is: http://www.spamcop.net/sc?id=z538085324zbc50834dee6b67ccc07321aa2d644660z The SC parser thinks that AOL is the source, but they would not be using earthlink as the relay. Athough, the paser adds earthlink as a 3rd party interested in the source, I belive that the earthlink server is at fault here and the AOL stamp is forged. I guess it is a problem with mail hosts. BTW google shows other reports of spam originating with 207.217.120.228. Rob From nobody at devnull.spamcop.net Wed Jul 7 16:24:44 2004 From: nobody at devnull.spamcop.net (WazoO) Date: Wed Jul 7 16:25:02 2004 Subject: [SC-Help] Re: Something Odd References: Message-ID: "Robert Slade" wrote in message news:cchlb6$rkq$1@news.spamcop.net... > > http://www.spamcop.net/sc?id=z538085324zbc50834dee6b67ccc07321aa2d644660z > > The SC parser thinks that AOL is the source, but they would not be using > earthlink as the relay. Athough, the paser adds earthlink as a 3rd party > interested in the source, I belive that the earthlink server is at fault > here and the AOL stamp is forged. I guess it is a problem with mail hosts. > > BTW google shows other reports of spam originating with 207.217.120.228. Suspicions would have to be that there's a database issue, perhaps the "Trusted" flag should be looked at. Seen in the parse as; (IP = 207.217.120.228) Trusted site mail.pas.earthlink.net received mail from 172.181.5.241 From aukword666 at attglobal.net Wed Jul 7 18:32:04 2004 From: aukword666 at attglobal.net (Glenn Daniels) Date: Wed Jul 7 17:35:06 2004 Subject: [SC-Help] Is this a 4-1-9 scam? Message-ID: I see so many of these "mortgage" spams go by, and I seem to blow them all off as "Data Mining Scams" as I can't imagine refinancing with a mystery party in Hong Kong, Korea, wherever. I figure they just want info that would help them target me for more spam scams, or might be seeking credit info to take advantage of. The posted spam, however, broke the "rule", however, by entering the unnecessary bit about turning a nonexistent account over to an "estate planner". The "estate planner" thing I find provocational as my octagenarian Mother gets targeted for such scam operations, even by snail mail. So it is like not enough to just blow them off, I want to tell them to crawl back under the rock from whence they came and not venture again into the light of day. Like this spam came from a lower form of vermin than the rest. Then I crossed my wires up over something I had read about the ploys used by 4-1-9 scammers, something about an alleged inheritance requiring more input and the participation of an "estate planner", like they already have plans for my estate. So I was left thinking, is this/ could this be/ a 4-1-9 scam? or am I just reading too much into it? I have not, but am seriously considering, submitting this to enforcement@sec.gov for investigation as a 4-1-9 scam. On the other hand, I am thinking, I may be simply overreating to a few misplaced words. So I ambivalated pending more considered judgements and cooler thinking as I might acquire here. In all seriousness, considered opinions regarding the post will be appreciated... TIA, Glenn From nobody at spamcop.net Wed Jul 7 20:27:46 2004 From: nobody at spamcop.net (Ellen) Date: Wed Jul 7 19:40:02 2004 Subject: [SC-Help] Re: Something Odd References: Message-ID: "Robert Slade" wrote in message news:cchlb6$rkq$1@news.spamcop.net... > Dear all, > > I have posted about this before but I am still getting spam with encripted > titles. The latest is: > > http://www.spamcop.net/sc?id=z538085324zbc50834dee6b67ccc07321aa2d644660z > > The SC parser thinks that AOL is the source, but they would not be using > earthlink as the relay. Athough, the paser adds earthlink as a 3rd party > interested in the source, I belive that the earthlink server is at fault > here and the AOL stamp is forged. I guess it is a problem with mail hosts. > I don't know -- TTBMK that is an earthlink mailserver ... I see some other spams where the IP connecting to the earthlink server is other than the AOL server ... but we are looking at it ... Ellen From nobody at devnull.spamcop.net Thu Jul 8 13:15:12 2004 From: nobody at devnull.spamcop.net (brewman) Date: Wed Jul 7 20:15:02 2004 Subject: [SC-Help] Re: Is this a 4-1-9 scam? References: Message-ID: "Glenn Daniels" wrote [about spam in SC.spam] FWIW I think that it *isn't* a 419. 419s are typically just badly typed emails and no obvious lies except what common (not that common!) sense tells you, tugging at your greed, and giving an email address rather than web page. This looks more like run-of-the-mill spam; it uses random text, html-split words & points to a web page, and they are blatantly lying (unless you really *did* send them info for a mortgage). -- Brewman Just waiting for my share of $20M to arrive. Brewman.SpamCop@brycom.cX.nX which really ends with dot co dot nz From nobody at devnull.spamcop.net Thu Jul 8 09:16:10 2004 From: nobody at devnull.spamcop.net (Robert Slade) Date: Thu Jul 8 03:25:02 2004 Subject: [SC-Help] Re: Something Odd References: Message-ID: "Ellen" wrote in message news:cci1hu$9nk$1@news.spamcop.net... > > > "Robert Slade" wrote in message > news:cchlb6$rkq$1@news.spamcop.net... > > Dear all, > > > > I have posted about this before but I am still getting spam with encripted > > titles. The latest is: > > > > http://www.spamcop.net/sc?id=z538085324zbc50834dee6b67ccc07321aa2d644660z > > > > The SC parser thinks that AOL is the source, but they would not be using > > earthlink as the relay. Athough, the paser adds earthlink as a 3rd party > > interested in the source, I belive that the earthlink server is at fault > > here and the AOL stamp is forged. I guess it is a problem with mail hosts. > > > > I don't know -- TTBMK that is an earthlink mailserver ... I see some other > spams where the IP connecting to the earthlink server is other than the AOL > server ... but we are looking at it ... > > Ellen > > Ellen, I have been getting several of these a day. They all come through the earthlink mail server which is acting as a relay. The spamvertised site is in verio space, but different URLs. The question is why is the earthlink server relaying the mail when the mail appears to originate from an ISP which should be sending direct? Rob From aukword666 at attglobal.net Thu Jul 8 04:40:28 2004 From: aukword666 at attglobal.net (Glenn Daniels) Date: Thu Jul 8 03:45:03 2004 Subject: [SC-Help] Re: Is this a 4-1-9 scam? References: Message-ID: "Bob W." wrote in message > Yabbut, that's the Securities and Exchange Commission's address, which > is where you would send stock fraud spams, not 4-1-9's. > > If you're in the U.S. 4-1-9's go to the Secret Service, at: > > 419.fcd@USSS.treas.gov > Believe it or not, you are not mistaken. And I should not have mixed myself up that way. I still haven't reconciled what mortgage refinancing has to do with turning a (nonexistent) case over to a "professional estate planner"... I am think somebody let slip something they ought not. The revealing Freudian, the idea that they are not simply "data mining" but data mining with intent to commit. The "mortgage" thing is the "acceptable" face on the scam, what they do with your data is usually better concealed. I understand my slip, having just the day before been back and forth between the SEC site and the SS site. The confusion is on my part, I just nailed the wrong addy, a reflection of my real upset with this particular spam. Is bad enough to see so many of these "biters", but to see the blatant lie lied so badly, hit a nerve. I am frustrated by the mortgage spams. I report every spam to SpamCop and spam@uce.gov. And then I sort out the next level, pinning the tail on the donkey. Software scams: post piracy@adobe.com, piracy@microsoft.com, tip@macromedia.com, spamwatch@symantec.com. Pushers: post webcomplaints@ora.fda.gov. OTC fraud: post otcfraud@cder.fda.gov. Pump'nDump: post enforcement@sec.gov. Child porn: post National Center for Missing & Exploited Children. That leaves the oddball stuff I don't really know what else I should do about: The hackware promos, and the mortgage scams. I don't get much else, and I don't freek for a few "frea speach" spams a week when they are not much "in your face" with it. So it mostly comes down to the "debt reduction" scams that are frustrating me. I've never received a 4-1-9 scam, so I have a tool I don't need. And I have a problem with the mortgage scams, and no tool. I see so freeking many of them, I do believe they have sensitized me. And I am seeing this thing, what I posted, and I am more upset by it than makes any sense. So I posted here in the interest of recouping some lost perspective. I am increasingly convinced the whole thing was just the two of us taking silly pills. I am still frustrated for want of a way to confront the daily assault of mortgage spams. But I can hold ourselves together better in the delusion that I may be asking for too much and doing the spammers quite enough damage already. I know better, but it must be believed, I simply don't know what more harm I can do them that I am not already. I do have limitations, even Dirty Harry knows that. Lucky for me that you caught the worst mistake I've ever made. ;-) Thanks for bringing us back to our senses. I can afford to "let it go", I can ill afford not to. Glenn From baloo at ursine.ca Thu Jul 8 03:11:40 2004 From: baloo at ursine.ca (Paul Johnson) Date: Thu Jul 8 05:15:04 2004 Subject: [SC-Help] Re: spam@uce.gov has replaced uce@ftc.gov References: <873c4473u2.fsf@ursine.ca> Message-ID: <87zn6ahnhv.fsf@ursine.ca> "RandallW" writes: > "Paul Johnson" wrote in message > news:873c4473u2.fsf@ursine.ca... >> > >> What crappy phone company do you use that all of country code 1 isn't >> local? >> > > America has multiple crappy phone companies, spread through multiple time > zones. Calling someone 2000 miles away isn't 'local'. Hmm, that's odd, it is on my phone... From baloo at ursine.ca Thu Jul 8 03:13:01 2004 From: baloo at ursine.ca (Paul Johnson) Date: Thu Jul 8 05:15:12 2004 Subject: [SC-Help] Re: spam@uce.gov has replaced uce@ftc.gov References: <873c4473u2.fsf@ursine.ca> Message-ID: <87vfgyhnfm.fsf@ursine.ca> "Frog Prince" writes: > "JohnL" > | > | > The 1+ requirement for all toll calls is the norm in most of the > | > USA as well. There are exceptions when the local phone company > | > has zoned the billing even within the local exchange to provide a > | > 'service' where the caller is not required to dial 1+ but is > | > billed as a metered call. > | > > | > I've seem cases where there is a toll call across a street where > | > both calling party and the called party are served by the same > | > switching office. > | > | I "think" I remember (age) when I was living in So. Cal. that if it was > | in the same area code, the toll call would go through. I only remember > | using the 1+ for calling a different area code. > > I recall 10+ years back that that was the norm for LA but then every call in > LA was a metered call. Just calling my land lord two apartments over was a > metered call. Oh, that's right, LA has lousy phone companies that kick up to long distance at 15 miles and rape you like a payphone on local... From oleg at rinet.ru Thu Jul 8 13:13:10 2004 From: oleg at rinet.ru (Oleg Bulyzhin) Date: Thu Jul 8 08:15:22 2004 Subject: [SC-Help] reports affect nothing? Message-ID: Hello. Something weird happens with my reports - seems they affect nothing. Even if i report tens of emails with same source ip it never get listed. (no signs of that ip in statistic page too). Any clues? -- Oleg. From nobody at spamcop.net Thu Jul 8 14:48:55 2004 From: nobody at spamcop.net (JohnL) Date: Thu Jul 8 09:50:04 2004 Subject: [SC-Help] Re: spam@uce.gov has replaced uce@ftc.gov References: <873c4473u2.fsf@ursine.ca> <87vfgyhnfm.fsf@ursine.ca> Message-ID: Paul Johnson scribbled in news:87vfgyhnfm.fsf@ursine.ca: > Oh, that's right, LA has lousy phone companies that kick up to long > distance at 15 miles and rape you like a payphone on local... Don't know where you get your info. Have you ever been there? And which LA are you referring to? I don't know _anywhere_ in N.A. that you don't have to use 1 before the area code and the number From maddsybil at spamcop.net Thu Jul 8 11:19:11 2004 From: maddsybil at spamcop.net (MaddSybil) Date: Thu Jul 8 10:20:17 2004 Subject: [SC-Help] Re: Is this a 4-1-9 scam? References: Message-ID: "Glenn Daniels" wrote in message news:ccitov$87i$1@news.spamcop.net... snip > > I still haven't reconciled what mortgage refinancing has > to do with turning a (nonexistent) case over to a > "professional estate planner"... I am think somebody let > slip something they ought not. > > The revealing Freudian, the idea that they are not > simply "data mining" but data mining with intent to > commit. The "mortgage" thing is the "acceptable" > face on the scam, what they do with your data is > usually better concealed. snip > > I am frustrated by the mortgage spams. I report > every spam to SpamCop and spam@uce.gov. > And then I sort out the next level, pinning the tail > on the donkey. Software scams: post piracy@adobe.com, > piracy@microsoft.com, tip@macromedia.com, > spamwatch@symantec.com. Pushers: post > webcomplaints@ora.fda.gov. OTC fraud: post > otcfraud@cder.fda.gov. Pump'nDump: post > enforcement@sec.gov. Child porn: post > National Center for Missing & Exploited Children. > > That leaves the oddball stuff I don't really know > what else I should do about: The hackware promos, > and the mortgage scams. I don't get much else, > and I don't freek for a few "frea speach" spams a week > when they are not much "in your face" with it. So > it mostly comes down to the "debt reduction" scams > that are frustrating me. I've never received a 4-1-9 > scam, so I have a tool I don't need. And I have a > problem with the mortgage scams, and no tool. > > I see so freeking many of them, I do believe they > have sensitized me. And I am seeing this thing, what > I posted, and I am more upset by it than makes any > sense. So I posted here in the interest of recouping > some lost perspective. I am increasingly convinced > the whole thing was just the two of us taking silly > pills. > > I am still frustrated for want of a way to confront > the daily assault of mortgage spams. But I can > hold ourselves together better in the delusion > that I may be asking for too much and doing the > spammers quite enough damage already. I know > better, but it must be believed, I simply don't > know what more harm I can do them that I am not > already. I do have limitations, even Dirty Harry > knows that. > > Lucky for me that you caught the worst mistake > I've ever made. ;-) > > Thanks for bringing us back to our senses. > I can afford to "let it go", I can ill afford not to. > > Glenn > > I think they just put in 'estate planner' because it sounds professional. Domain Name:GETOURHELP.INFO Created On:04-Jul-2004 07:22:50 UTC Sponsoring Registrar:R126-LRMS Status:ACTIVE Status:OK Registrant Name:Brad Holm Registrant Organization:Skala Registrant Street1:Le Jokala 32 9 Registrant City:Bordoston Registrant State/Province:FR Registrant Postal Code:23122 Registrant Country:FR Registrant Email:bradholm222@yahoo.com Name Server:NS1.APBWVPZWD.BIZ Name Server:NS2.APBWVPZWD.BIZ Registrar: R126-LRMS Invalid WHOIS- no phone number R126-LRMS eNom, Inc. kelsie@enom.com whois@enom.com abuse@enom.com Domain Name: APBWVPZWD.BIZ Sponsoring Registrar: ENOM, INC. Domain Status: clientTransferProhibited Registrant ID: A07AB308BBAADBE6 Registrant Name: Sabaka Strashnaya Registrant Organization: KONURA Registrant Address1: NII Batsa 391 Registrant City: Gorodnah Registrant State/Province: OW Registrant Postal Code: 912312 Registrant Country: China Registrant Country Code: CN Registrant Email: alena222@msn.com The following message to alena222@msn.com was undeliverable. no phone number Report invalid WHOIS data- http://wdprs.internic.net/ CHINA SPAM REPORTS spam@ccert.edu.cn From me at privacy.net Thu Jul 8 12:39:36 2004 From: me at privacy.net (Frog Prince) Date: Thu Jul 8 12:10:05 2004 Subject: [SC-Help] Re: spam@uce.gov has replaced uce@ftc.gov References: <873c4473u2.fsf@ursine.ca> <87vfgyhnfm.fsf@ursine.ca> Message-ID: "JohnL" | | > Oh, that's right, LA has lousy phone companies that kick up to long | > distance at 15 miles and rape you like a payphone on local... | | Don't know where you get your info. Have you ever been there? | And which LA are you referring to? | | I don't know _anywhere_ in N.A. that you don't have to use 1 before the | area code and the number Various parts of NC, parts of Louisiana in the DFW metroplex, and as of <'88/89 all over L.A. ( I was expanding/installing the cellular system and we had a devil of a time with that requirement). From nobody at spamcop.net Thu Jul 8 17:25:17 2004 From: nobody at spamcop.net (JohnL) Date: Thu Jul 8 12:30:03 2004 Subject: [SC-Help] Re: spam@uce.gov has replaced uce@ftc.gov References: <873c4473u2.fsf@ursine.ca> <87vfgyhnfm.fsf@ursine.ca> Message-ID: "Frog Prince" scribbled in news:ccjrje$1rn$1@news.spamcop.net: > > "JohnL" >| >| > Oh, that's right, LA has lousy phone companies that kick up to >| > long distance at 15 miles and rape you like a payphone on >| > local... >| >| Don't know where you get your info. Have you ever been there? >| And which LA are you referring to? >| >| I don't know _anywhere_ in N.A. that you don't have to use 1 >| before the area code and the number > > Various parts of NC, parts of Louisiana in the DFW metroplex, and > as of <'88/89 all over L.A. ( I was expanding/installing the > cellular system and we had a devil of a time with that > requirement). > > > Uh, FP, that wasn't directed at _you_. :) From aukword666 at attglobal.net Thu Jul 8 14:04:17 2004 From: aukword666 at attglobal.net (Glenn Daniels) Date: Thu Jul 8 13:05:04 2004 Subject: [SC-Help] Re: spam@uce.gov has replaced uce@ftc.gov References: <873c4473u2.fsf@ursine.ca> <87vfgyhnfm.fsf@ursine.ca> Message-ID: "Frog Prince" wrote in message [...] Puleeeze! Back up a little to: >> America has multiple crappy phone companies, spread through multiple time >> zones. Calling someone 2000 miles away isn't 'local'. >Hmm, that's odd, it is on my phone... Yewall have me thinking yewall think he be serious... Get serious! He be roflol about now: He be too droll, thassall! FWIW, PJ, I think they be trying to tell you not to give up your day job: some people are naturally funny, some are funny, naturally... Your "bit" gave me a chuckle, but my sense of humour is wry and dry... some call it sick... Like this one: walking a bridle path in Switzerland, where many are fluent in German, French and English, you have occasion to warn your companion not to step in the pferd merd. If he is with you he laughs, if not, you just get a stupid look, like what the heck are you talking about: until he steps in it! On the other hand, dropping your long distance carrier because you are military retired is anything but funny. And joking about that, is, I suspect, in poor taste. And it does not particularly surprise me that WazoO dropped out of the thread at that juncture, but I am not fixed in my mind on the meaning of his silence. That this thread related to spam also ended when WazoO left the room, and this may not be the right newsgroup for where it seems to be going. Can anyone put this train back on the track? Glenn From louisxiv at spamcop.net Thu Jul 8 21:33:40 2004 From: louisxiv at spamcop.net (pete) Date: Thu Jul 8 15:35:03 2004 Subject: [SC-Help] Mistaken Reports Message-ID: <1ggmguc.o29sqqay4wnkN%louisxiv@spamcop.net> Processing my held mail I carefully selected all the spam and reported it, then selected the one non-spam mail list message to send on... and reported it. Muscle memory I suppose - I just went through the usual sequence of mouse movements and clicks, only noticing the mistake after I'd hit the send button. What is the official (or practical) way of saying "Whoops, sorry, I didn't mean that!" ? From nobody at devnull.spamcop.net Thu Jul 8 15:51:39 2004 From: nobody at devnull.spamcop.net (WazoO) Date: Thu Jul 8 15:55:03 2004 Subject: [SC-Help] Re: Mistaken Reports References: <1ggmguc.o29sqqay4wnkN%louisxiv@spamcop.net> Message-ID: "pete" wrote in message news:1ggmguc.o29sqqay4wnkN%louisxiv@spamcop.net... > Processing my held mail I carefully selected all the spam and reported > it, then selected the one non-spam mail list message to send on... and > reported it. > > What is the official (or practical) way of saying "Whoops, sorry, I > didn't mean that!" ? http://forum.spamcop.net/forums/index.php?showtopic=138 From baloo at ursine.ca Thu Jul 8 14:10:41 2004 From: baloo at ursine.ca (Paul Johnson) Date: Thu Jul 8 16:15:03 2004 Subject: [SC-Help] Re: spam@uce.gov has replaced uce@ftc.gov References: <873c4473u2.fsf@ursine.ca> <87vfgyhnfm.fsf@ursine.ca> Message-ID: <87hdsi5kfy.fsf@ursine.ca> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 JohnL writes: > Paul Johnson scribbled in > news:87vfgyhnfm.fsf@ursine.ca: > >> Oh, that's right, LA has lousy phone companies that kick up to long >> distance at 15 miles and rape you like a payphone on local... > > Don't know where you get your info. Have you ever been there? I had the sad misfortune of living in that sad shithole for five years. That hole region can suck it, suck it hard, and suck it long. > And which LA are you referring to? Los Angeles. > I don't know _anywhere_ in N.A. that you don't have to use 1 before the > area code and the number Oregon. All phone numbers are 10 digits, because the Metro Region has two area codes (My roommate's phone and my phone are in 971, my other roommate's phone and my mobile is in 503, anywhere in the US or Canada is local on all those phones). -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFA7apDUzgNqloQMwcRAkHYAKDTe7cWtUhJPUt5JcbB8d1O8hDHFQCeN4PY 4FFCfHGwyXvxKuVx/TErCqc= =/gFl -----END PGP SIGNATURE----- From nobody at spamcop.net Thu Jul 8 21:17:47 2004 From: nobody at spamcop.net (JohnL) Date: Thu Jul 8 16:20:02 2004 Subject: [SC-Help] Re: spam@uce.gov has replaced uce@ftc.gov References: <873c4473u2.fsf@ursine.ca> <87vfgyhnfm.fsf@ursine.ca> <87hdsi5kfy.fsf@ursine.ca> Message-ID: Paul Johnson scribbled in news:87hdsi5kfy.fsf@ursine.ca: > Oregon. All phone numbers are 10 digits, because the Metro Region > has two area codes (My roommate's phone and my phone are in 971, > my other roommate's phone and my mobile is in 503, anywhere in the > US or Canada is local on all those phones). So you're saying that you can call for example New York info with just... 212-555-1212 ? If so, that is an unusual situation. Everywhere I've been in the U.S. (haven't been to Oregon, but passed thru once - beautiful scenery), I have _always_ needed to use the 1 in front of the area code and number. From baloo at ursine.ca Thu Jul 8 14:57:42 2004 From: baloo at ursine.ca (Paul Johnson) Date: Thu Jul 8 17:00:03 2004 Subject: [SC-Help] Re: spam@uce.gov has replaced uce@ftc.gov References: <873c4473u2.fsf@ursine.ca> <87vfgyhnfm.fsf@ursine.ca> Message-ID: <87fz8243p5.fsf@ursine.ca> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 "Glenn Daniels" writes: > "Frog Prince" wrote in message > [...] > > Puleeeze! > > Back up a little to: >>> America has multiple crappy phone companies, spread through multiple time >>> zones. Calling someone 2000 miles away isn't 'local'. > >>Hmm, that's odd, it is on my phone... > > Yewall have me thinking yewall think he be serious... > Get serious! > He be roflol about now: He be too droll, thassall! > > FWIW, PJ, I think they be trying to tell you not > to give up your day job: some people are naturally > funny, some are funny, naturally... > > Your "bit" gave me a chuckle, but my sense of > humour is wry and dry... some call it sick... I wasn't joking...it's about two years since I've picked up something other than a payphone that wasn't able to call anywhere in the US or Canada for the same rate as local, and a decade since anywhere in the state became same-as-local. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFA7bVGUzgNqloQMwcRAu68AKCXvTQcuNff8Ym2PcnWjtzVLMgbRACeIoXq g1YJHqBJ2XtAY70rwYPhwEM= =FoIr -----END PGP SIGNATURE----- From baloo at ursine.ca Thu Jul 8 14:58:12 2004 From: baloo at ursine.ca (Paul Johnson) Date: Thu Jul 8 17:00:10 2004 Subject: [SC-Help] Re: spam@uce.gov has replaced uce@ftc.gov References: <873c4473u2.fsf@ursine.ca> <87vfgyhnfm.fsf@ursine.ca> <87hdsi5kfy.fsf@ursine.ca> Message-ID: <87briq43ob.fsf@ursine.ca> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 JohnL writes: > Paul Johnson scribbled in > news:87hdsi5kfy.fsf@ursine.ca: > >> Oregon. All phone numbers are 10 digits, because the Metro Region >> has two area codes (My roommate's phone and my phone are in 971, >> my other roommate's phone and my mobile is in 503, anywhere in the >> US or Canada is local on all those phones). > > So you're saying that you can call for example New York info with > just... 212-555-1212 ? No, I still have to dial the one (even for local calls). -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFA7bVkUzgNqloQMwcRAtoRAJ0TanTT4Pg2PJ+nyvLUxDOoOge6lgCguqXU 49dY3PJI0gpnwUZVILlASgo= =78bS -----END PGP SIGNATURE----- From louisxiv at spamcop.net Fri Jul 9 01:49:53 2004 From: louisxiv at spamcop.net (pete) Date: Thu Jul 8 19:50:03 2004 Subject: [SC-Help] Re: Mistaken Reports References: <1ggmguc.o29sqqay4wnkN%louisxiv@spamcop.net> Message-ID: <1ggmsve.yn20yqynyiyoN%louisxiv@spamcop.net> WazoO wrote: > "pete" wrote in message > news:1ggmguc.o29sqqay4wnkN%louisxiv@spamcop.net... > > Processing my held mail I carefully selected all the spam and reported > > it, then selected the one non-spam mail list message to send on... and > > reported it. > > > > What is the official (or practical) way of saying "Whoops, sorry, I > > didn't mean that!" ? > > http://forum.spamcop.net/forums/index.php?showtopic=138 Thanks. I'd looked, but not spotted that. Retractions are en route. From aharper at dnai.com Thu Jul 8 23:56:47 2004 From: aharper at dnai.com (Alan Harper) Date: Fri Jul 9 02:00:03 2004 Subject: [SC-Help] ISP has already taken action against the account... Message-ID: <080720042256475242%aharper@dnai.com> What is the proper thing to do when Spamcop reports "ISP has already taken action against the account" and it is clear that they have not? I received a spam in Russian http://www.spamcop.net/sc?id=z540733551z8d9dd664eea93f06540a1acc7658776a z that refers me to a web site. I don't read Russian, but I can see that the telephone #s advertised in the spam and on the web site are the same, making me believe that someone is "shining spamcop on". Not that I think reports regarding web sites advertised in spams are worth the electrons that they are printed on, but it is the principle of the thing. Alan From mrichter at cpl.net Fri Jul 9 01:55:15 2004 From: mrichter at cpl.net (Mike Richter) Date: Fri Jul 9 04:00:03 2004 Subject: [SC-Help] Re: ISP has already taken action against the account... In-Reply-To: <080720042256475242%aharper@dnai.com> References: <080720042256475242%aharper@dnai.com> Message-ID: Alan Harper wrote: > What is the proper thing to do when Spamcop reports "ISP has already > taken action against the account" and it is clear that they have not? > > I received a spam in Russian > http://www.spamcop.net/sc?id=z540733551z8d9dd664eea93f06540a1acc7658776a > z that refers me to a web site. I don't read Russian, but I can see > that the telephone #s advertised in the spam and on the web site are > the same, making me believe that someone is "shining spamcop on". > > Not that I think reports regarding web sites advertised in spams are > worth the electrons that they are printed on, but it is the principle > of the thing. > > Alan Posted by a (mostly) happy SpamCop user, not an official: The message that the ISP has already taken action means that the ISP has asserted to SC that it has done what it will - in effect, that it's not interested in SC's reports. Therefore SC doesn't send in pointless reports. If someone tells me he won't listen, I stop talking to him. Under some circumstances, SC will return to action; otherwise, you can always send a manual LART. Mike -- mrichter@cpl.net http://www.mrichter.com/ From kjz at despammed.com Fri Jul 9 11:22:07 2004 From: kjz at despammed.com (Karl-Josef Ziegler) Date: Fri Jul 9 04:25:02 2004 Subject: [SC-Help] Re: ISP has already taken action against the account... In-Reply-To: References: <080720042256475242%aharper@dnai.com> Message-ID: Mike Richter wrote: > The message that the ISP has already taken action means that the ISP has > asserted to SC that it has done what it will - in effect, that it's not > interested in SC's reports. For me it reads like: yes, we are in bed with spammers and we're greedy and do intentionally support spammers. So please don't send us such stupid reports.... - Karl-Josef From nobody at spamcop.net Fri Jul 9 08:10:44 2004 From: nobody at spamcop.net (Miss Betsy) Date: Fri Jul 9 08:15:03 2004 Subject: [SC-Help] Re: ISP has already taken action against the account... References: <080720042256475242%aharper@dnai.com> Message-ID: "Karl-Josef Ziegler" wrote in message news:cclkjf$pf7$1@news.spamcop.net... > Mike Richter wrote: > > > The message that the ISP has already taken action means that the ISP has > > asserted to SC that it has done what it will - in effect, that it's not > > interested in SC's reports. > > For me it reads like: yes, we are in bed with spammers and we're greedy > and do intentionally support spammers. So please don't send us such > stupid reports.... Theoretically, it can also mean that the ISP has cancelled the spammer in which case more reports are superfluous. It may also mean that the ISP has issued a warning not to spam again. In reality, it seems as if most "ISP has taken action" does mean that they don't care. spamcop does not send unwanted email because that would be descending to the level of the spammer. Miss Betsy From h9vzc2i02 at sneakemail.com Fri Jul 9 09:35:47 2004 From: h9vzc2i02 at sneakemail.com (Anon_) Date: Fri Jul 9 11:40:03 2004 Subject: [SC-Help] Re: ISP has already taken action against the account... References: <080720042256475242%aharper@dnai.com> Message-ID: "Alan Harper" wrote in message news:080720042256475242%aharper@dnai.com... > What is the proper thing to do when Spamcop reports "ISP has already > taken action against the account" and it is clear that they have not? > > I received a spam in Russian > http://www.spamcop.net/sc?id=z540733551z8d9dd664eea93f06540a1acc7658776a > z that refers me to a web site. I don't read Russian, but I can see > that the telephone #s advertised in the spam and on the web site are > the same, making me believe that someone is "shining spamcop on". > ** Sounds as if you open the spams - PLEASE NEVER, NEVER open the spams as this many times tells the spammer that he has /live/ e-mail address. In order to see what the spam "looks like" go to 'message source' (in oe click on properties -> details -> message source. If you want, you can copy the message source into notepad and edit (munge) it. -- A SpamCop user and forum reader, Not Admin *** > Not that I think reports regarding web sites advertised in spams are > worth the electrons that they are printed on, but it is the principle > of the thing. > > Alan From eddie at eddie.web Fri Jul 9 12:40:52 2004 From: eddie at eddie.web (eddie) Date: Fri Jul 9 11:45:03 2004 Subject: [SC-Help] Re: ISP has already taken action against the account... References: <080720042256475242%aharper@dnai.com> Message-ID: On Fri, 09 Jul 2004 07:10:44 -0500, Miss Betsy scratched out the following: snip > Theoretically, it can also mean that the ISP has cancelled the spammer in > which case more reports are superfluous. It may also mean that the ISP > has issued a warning not to spam again. > > In reality, it seems as if most "ISP has taken action" does mean that they > don't care. spamcop does not send unwanted email because that would be > descending to the level of the spammer. > > Miss Betsy I haven't read the statement carefully, but the statement could say, "ISP says that they have taken action .." and "ISP has taken action against..." Two completely different things. From kjz at despammed.com Fri Jul 9 20:07:41 2004 From: kjz at despammed.com (Karl-Josef Ziegler) Date: Fri Jul 9 13:10:03 2004 Subject: [SC-Help] Re: ISP has already taken action against the account... In-Reply-To: <080720042256475242%aharper@dnai.com> References: <080720042256475242%aharper@dnai.com> Message-ID: Alan Harper wrote: > What is the proper thing to do when Spamcop reports "ISP has already > taken action against the account" and it is clear that they have not? Is this based on a list of domain names or on IPs? I've a notorious spammer which owns a domain for a long time, but is hopping from (rogue) ISP to ISP. So the domain name is the same, but IPs are changing. How does Spamcop handle such a situation? - Karl-Josef From ob1db at spamcop.net Fri Jul 9 15:56:27 2004 From: ob1db at spamcop.net (David Butler) Date: Fri Jul 9 15:00:02 2004 Subject: [SC-Help] Re: ISP has already taken action against the account... References: <080720042256475242%aharper@dnai.com> Message-ID: "Anon_" wrote in message news:ccme13$f42$1@news.spamcop.net... > > "Alan Harper" wrote in message > > I received a spam in Russian > > http://www.spamcop.net/sc?id=z540733551z8d9dd664eea93f06540a1acc7658776a > > z that refers me to a web site. I don't read Russian, but I can see > > that the telephone #s advertised in the spam and on the web site are > > the same, making me believe that someone is "shining spamcop on". snip > Sounds as if you open the spams - PLEASE NEVER, NEVER open the spams as this > many times tells the spammer that he has /live/ e-mail address. > > In order to see what the spam "looks like" go to 'message source' (in oe > click on properties -> details -> message source. If you want, you can copy > the message source into notepad and edit (munge) it. > Or in Eudora and Yahoo and several other mail clients you just turn off html graphics and there is no way for info to go back to spammer... David From nobody at spamcop.net Fri Jul 9 14:38:35 2004 From: nobody at spamcop.net (Ellen) Date: Fri Jul 9 15:05:02 2004 Subject: [SC-Help] Re: ISP has already taken action against the account... References: <080720042256475242%aharper@dnai.com> Message-ID: "Karl-Josef Ziegler" wrote in message news:ccmjbb$k68$1@news.spamcop.net... > Alan Harper wrote: > > > What is the proper thing to do when Spamcop reports "ISP has already > > taken action against the account" and it is clear that they have not? > > Is this based on a list of domain names or on IPs? I've a notorious > spammer which owns a domain for a long time, but is hopping from > (rogue) ISP to ISP. So the domain name is the same, but IPs are > changing. How does Spamcop handle such a situation? > For injecting IPs: ISP has taken action means the ISP has turned off reports for the IP; they reopen automagically after 24 hours; the reports still count towards the BL For spamvertized urls: ISP has taken action means that the ISP/report recipient has clicked a button saying spam will cease. Reports stop until a paid user files an appeal using the appeal popup during a parse. This is based on the url not the underlying IP. Ellen From howieh at nospam-bigfoot.com Fri Jul 9 16:12:31 2004 From: howieh at nospam-bigfoot.com (Howie) Date: Fri Jul 9 15:15:04 2004 Subject: [SC-Help] Spammer sending porno to minor Message-ID: Is there any recourse for this? I'm hesitant to report this due to the fact that the SPAM contains tracking info which, of course, would reveal the child's email address to the SPAMMER. However, I'm so PO'd - I would like to get these SOBs reamed. The porn spamvertised site is boocenter.com and the sending mail server is 218.16.121.18, BTW. Thanks, Howie From eddie at eddie.web Fri Jul 9 18:18:47 2004 From: eddie at eddie.web (eddie) Date: Fri Jul 9 17:20:03 2004 Subject: [SC-Help] Re: Spammer sending porno to minor References: Message-ID: On Fri, 09 Jul 2004 15:12:31 -0400, Howie scratched out the following: > Is there any recourse for this? I'm hesitant to report this due to the > fact that the SPAM contains tracking info which, of course, would reveal > the child's email address to the SPAMMER. > > However, I'm so PO'd - I would like to get these SOBs reamed. > > The porn spamvertised site is boocenter.com and the sending mail server is > 218.16.121.18, BTW. > > Thanks, > > Howie File an FBI report. I think the porn desk is in Chigago but if you go to fbi.gov you can fill out a form or call them. From nobody at spamcop.net Fri Jul 9 19:14:03 2004 From: nobody at spamcop.net (Miss Betsy) Date: Fri Jul 9 19:15:05 2004 Subject: [SC-Help] Re: ISP has already taken action against the account... References: <080720042256475242%aharper@dnai.com> Message-ID: "eddie" wrote in message news:pan.2004.07.09.15.40.52.263000@eddie.web... > I haven't read the statement carefully, but the statement could say, > "ISP says that they have taken action .." > and > "ISP has taken action against..." > Two completely different things. No, it is not. When the "ISP has taken action.." it doesn't say what action. It could be all the action taken was reading the spamcop report. Miss Betsy From howieh at nospam-bigfoot.com Fri Jul 9 20:19:07 2004 From: howieh at nospam-bigfoot.com (Howie) Date: Fri Jul 9 19:20:03 2004 Subject: [SC-Help] Re: Spammer sending porno to minor References: Message-ID: "eddie" wrote in message news:pan.2004.07.09.21.18.47.233000@eddie.web... > On Fri, 09 Jul 2004 15:12:31 -0400, Howie scratched out the following: > > > Is there any recourse for this? I'm hesitant to report this due to the > > fact that the SPAM contains tracking info which, of course, would reveal > > the child's email address to the SPAMMER. > > > > However, I'm so PO'd - I would like to get these SOBs reamed. > > > > The porn spamvertised site is boocenter.com and the sending mail server is > > 218.16.121.18, BTW. > > > > Thanks, > > > > Howie > File an FBI report. I think the porn desk is in Chigago but if you go to > fbi.gov you can fill out a form or call them. Thanks - I'm just being cautious because I don't want these spamming idiots to know that any reports are due to my kid's email address (like I mentioned - there's tracking stuff in the email). From eddie at eddie.web Fri Jul 9 20:36:35 2004 From: eddie at eddie.web (eddie) Date: Fri Jul 9 19:40:02 2004 Subject: [SC-Help] Re: ISP has already taken action against the account... References: <080720042256475242%aharper@dnai.com> Message-ID: On Fri, 09 Jul 2004 18:14:03 -0500, Miss Betsy scratched out the following: snip > No, it is not. When the "ISP has taken action.." it doesn't say what > action. It could be all the action taken was reading the spamcop report. > > Miss Betsy not to overbeat a dead horse, if they didn't even read the SC report, they could still say they have taken action (and be lying) as opposed to taking no action. I was simply parsing the word "say" "He said he was busy" is not the same as "He was busy" But I am just being curmudgeonly If you have ever read "Through the Looking Glass" or "Goedel, Escher and Bach," you know from where I am coming. In Alice, its the story of the "Haddocks' Eyes" But rather unimportant. From nobody at spamcop.net Fri Jul 9 21:04:14 2004 From: nobody at spamcop.net (Miss Betsy) Date: Fri Jul 9 21:05:02 2004 Subject: [SC-Help] Re: ISP has already taken action against the account... References: <080720042256475242%aharper@dnai.com> Message-ID: "eddie" wrote in message news:pan.2004.07.09.23.36.34.361000@eddie.web... > On Fri, 09 Jul 2004 18:14:03 -0500, Miss Betsy scratched out the > following: > > snip > > No, it is not. When the "ISP has taken action.." it doesn't say what > > action. It could be all the action taken was reading the spamcop report. > > > > Miss Betsy > not to overbeat a dead horse, > if they didn't even read the SC report, they could still say they have > taken action (and be lying) as opposed to taking no action. > I was simply parsing the word "say" > > "He said he was busy" is not the same as > "He was busy" > But I am just being curmudgeonly > If you have ever read "Through the Looking Glass" or "Goedel, Escher and > Bach," you know from where I am coming. > In Alice, its the story of the "Haddocks' Eyes" > But rather unimportant. I get your distinction, but it doesn't really matter what action they take, even if it is ignoring the spamcop report (which is an action). They have said that they have 'acted.' Most of the time, it is not an action that a spamcop reporter would agree with, but it is possible that it could be. It is an etiquette thing that spamcop doesn't dispute whether that action is a proper response to the spamcop report. If it turns out to be that they have simply responded without doing anything, then spamcop starts reporting again. It is a little like the Miss Manners tactic of replying to intrusive questions: 'Thank you for your interest in my personal life.' Miss Betsy From MikeE at ster.invalid Sat Jul 10 01:38:30 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sat Jul 10 03:45:21 2004 Subject: [SC-Help] Re: ISP has already taken action against the account... References: <080720042256475242%aharper@dnai.com> Message-ID: Alan Harper wrote: > What is the proper thing to do when Spamcop reports "ISP has already > taken action against the account" and it is clear that they have not? I don't think that language necessarily reflects what is going on - if you interpret it as meaning that the spamvertisers webspace access has been squashed. This instance is about this line: ISP has already taken action against the account:http://www.armadacable.ru/cables.html so we will talk about what just that means. In the faq^1 it sez to an admin that SpamCop reports include a URL that allows you to register an issue (IP/datestamp or website) as "resolved." For a website, you even have the option of registering as an "innocent bystander." In either case, anyone who tries to report the same issue through SpamCop in the future will receive a message stating what action you have taken and they will be prevented from filing a report on the same issue. This keeps your workload to a minimum and lets spam fighters know you are helping wipe out spam! ^1 http://www.spamcop.net/fom-serve/cache/117.html That means to me that the admin who receives a notification of a spamvertisement can - do nothing - claim 'resolved' meaning whatever - claim IB Here's an example of a link associated with a notify to an admin of a spamvertised site [this is about creativevenue.nl posted here recently] spamcop.net/w3m?i=z1102382077z1b1561164ffa4e80dbf371992569df6az If you follow the sublinks around to see what the admin can do about the notify, you can easily imagine that the admin who doesn't want to be hearing about that site anymore would check 'resolved' - because - it isn't an IB - they don't want to hear anymore about that link, but don't want to cancel all future spamcop reports, so they don't want to do 'nothing' "Resolved" then, is the 'best' choice for an admin who is notified about a site and has looked into it and wants to say "Okay, I've heard about that issue; I don't really need to hear about it anymore." Of course, that 'resolved' would also be used by a provider who /had/ squashed an account. SC wants to be 'cooperative' with the spamvertiser provider - especially considering that there is very little 'fallout' from a SC report of a spamvertisement ^2 - so not sending anymore reports is cooperative. Which leads us to what Ellen sez about what can change that condition of not sending any more reports. Ellen wrote: > For spamvertized urls: ISP has taken action means that the ISP/report > recipient has clicked a button saying spam will cease. Reports stop > until a paid user files an appeal using the appeal popup during a > parse. This is based on the url not the underlying IP. She sez the report recipient has sed 'spam will cease' - possibly that means = 'resolved' - clearly it isn't saying IB and it isn't doing 'nothing'. And she is also saying what has to happen for the spamvertiser provider to begin to receive reports again. The business of receiving or not receiving reports doesn't actually change anything about what 'happens' about there being a report generated - either in the case of the spamsource /or/ in the case of the spamvertiser. A spamsource still counts toward the SCbl whether or not the provider gets a report - and a spamvertiser report still 'doesn't do anything' ^2 whether or not the provider gets a notify. ^2 /doesn't do anything/ about such as the SCbl. There is some consequence to being named as spamvertiser as a result of the surbl - an 'external' list of spamvertisers fetched from the SC statistics page. There can also be other consequences to spamvertisers from listing db/s outside of SC such as spamhaus and spews. -- Mike Easter kibitzer, not SC admin From marvonospam at spamcop.net Sat Jul 10 12:04:33 2004 From: marvonospam at spamcop.net (marvo) Date: Sat Jul 10 11:05:02 2004 Subject: [SC-Help] Change email address Message-ID: Is it possible to change my email address at SC. That is if I am now joe123@spamcop.net , can I change it to george123@spamcop.net under options? Thanks in advance.... From eddie at eddie.web Sat Jul 10 13:36:11 2004 From: eddie at eddie.web (eddie) Date: Sat Jul 10 12:40:21 2004 Subject: [SC-Help] Re: Change email address References: Message-ID: On Sat, 10 Jul 2004 11:04:33 -0400, marvo scratched out the following: > Is it possible to change my email address at SC. That is if I am now > joe123@spamcop.net , can I change it to george123@spamcop.net under > options? Thanks in advance.... I suspect that it's a lot more complicated than that. I seem to recall that it's a "front office" kind of change, not one a user can make on his own. From nobody at spamcop.net Sat Jul 10 18:51:12 2004 From: nobody at spamcop.net (John McLusky) Date: Sat Jul 10 12:55:02 2004 Subject: [SC-Help] Re: Change email address References: Message-ID: eddie wrote: > On Sat, 10 Jul 2004 11:04:33 -0400, marvo scratched out the following: > >> Is it possible to change my email address at SC. That is if I am now >> joe123@spamcop.net , can I change it to george123@spamcop.net under >> options? Thanks in advance.... > > I suspect that it's a lot more complicated than that. > I seem to recall that it's a "front office" kind of change, not one a > user can make on his own. Don (service at admin.spamcop.net) may be able to help with this. From DougThegarden at hotmail.com Sat Jul 10 18:54:37 2004 From: DougThegarden at hotmail.com (Doug Thegarden) Date: Sat Jul 10 12:55:10 2004 Subject: [SC-Help] Mozilla patch Message-ID: For those here using Mozilla, Firefox or Thunderbird, there is a security flaw found on Wednesday which requires a patch. Details at http://www.mozilla.org/security/shell.html in case you haven't seen it. Doug From aukword666 at attglobal.net Sat Jul 10 17:51:38 2004 From: aukword666 at attglobal.net (Glenn Daniels) Date: Sat Jul 10 16:55:02 2004 Subject: [SC-Help] Re: Change email address References: Message-ID: "John McLusky" wrote > eddie wrote: > > On Sat, 10 Jul 2004 11:04:33 -0400, marvo scratched out the following: > > > >> Is it possible to change my email address [...] > > > > I suspect that it's a lot more complicated than that. > > I seem to recall that it's a "front office" kind of change, not one a > > user can make on his own. > > Don (service at admin.spamcop.net) may be able to help with this. > The question is unanswerable without clarification: If he means "change" his newsgroup poster alias, he may pursue tools to accounts to newsgroups to properties and modify his alias pretty much as he pleases, but I think it could be ugly to post using a known valid account for spambot bait. Glenn From mrogoff at cesmail.net Sat Jul 10 23:37:01 2004 From: mrogoff at cesmail.net (Martin Rogoff) Date: Sat Jul 10 23:40:15 2004 Subject: [SC-Help] http://webmail.spamcop.net/ down? Message-ID: I am trying to log into http://webmail.spamcop.net/, and it continuously gives me the error "Your Mail session has expired. Please login again." Anyone else seeing this? From ric.gates at bigsleep.org Sun Jul 11 04:39:40 2004 From: ric.gates at bigsleep.org (Blammo) Date: Sat Jul 10 23:40:32 2004 Subject: [SC-Help] Re: Mozilla patch References: Message-ID: On 10 Jul 2004 Doug Thegarden entered spamcop.help and left news:ccp706$oqk$1@news.spamcop.net: > For those here using Mozilla, Firefox or Thunderbird, there is a > security flaw found on Wednesday which requires a patch. Details at > http://www.mozilla.org/security/shell.html in case you haven't seen it. > > Doug > Discussed briefly in .geeks as well. And mentioned here: news:cckucv$66a$1@news.spamcop.net -- | Ric | From eddie at eddie.web Sun Jul 11 01:37:57 2004 From: eddie at eddie.web (eddie) Date: Sun Jul 11 00:40:14 2004 Subject: [SC-Help] Re: http://webmail.spamcop.net/ down? References: Message-ID: On Sat, 10 Jul 2004 22:37:01 -0500, Martin Rogoff scratched out the following: > I am trying to log into http://webmail.spamcop.net/, and it continuously > gives me the error "Your Mail session has expired. Please login again." > Anyone else seeing this? It's fine here - I suggest deleting your cache and SC-related cookies and starting a new session. From Martin.Edwards5 at btinternet.com Sun Jul 11 10:13:33 2004 From: Martin.Edwards5 at btinternet.com (Martin Edwards) Date: Sun Jul 11 04:10:19 2004 Subject: [SC-Help] Re: Mozilla patch In-Reply-To: References: Message-ID: Blammo wrote: > On 10 Jul 2004 Doug Thegarden entered spamcop.help and left > news:ccp706$oqk$1@news.spamcop.net: > > >>For those here using Mozilla, Firefox or Thunderbird, there is a >>security flaw found on Wednesday which requires a patch. Details at >>http://www.mozilla.org/security/shell.html in case you haven't seen it. >> >>Doug >> > > > Discussed briefly in .geeks as well. > And mentioned here: news:cckucv$66a$1@news.spamcop.net > Patch quick and easy. Phew! From eddie at eddie.web Sun Jul 11 12:31:39 2004 From: eddie at eddie.web (eddie) Date: Sun Jul 11 11:35:03 2004 Subject: [SC-Help] Re: Mozilla patch References: Message-ID: On Sun, 11 Jul 2004 09:13:33 +0100, Martin Edwards scratched out the following: snip >> Discussed briefly in .geeks as well. >> And mentioned here: news:cckucv$66a$1@news.spamcop.net >> > Patch quick and easy. Phew! I think it was a tad over 600 bytes and did not require a reboot. In fairness, the MS patch for IE also did not require a reboot, but I always reboot after anything MS does as a general rule. From NoBody at spamcop.net Sun Jul 11 16:31:38 2004 From: NoBody at spamcop.net (SJones) Date: Sun Jul 11 15:35:22 2004 Subject: [SC-Help] Re: spam@uce.gov has replaced uce@ftc.gov In-Reply-To: References: <873c4473u2.fsf@ursine.ca> <87vfgyhnfm.fsf@ursine.ca> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On or about 7/8/2004 09:48, JohnL penned the following: > Paul Johnson scribbled in > news:87vfgyhnfm.fsf@ursine.ca: > >> Oh, that's right, LA has lousy phone companies that kick up to >> long distance at 15 miles and rape you like a payphone on local... > > Don't know where you get your info. Have you ever been there? > And which LA are you referring to? > > I don't know _anywhere_ in N.A. that you don't have to use 1 before > the area code and the number Move to the 610 area code. All calls from a 610 number to a 610 number do NOT require a 1+ , just the area code and the 7 digit number. SJones - -- All spam & UCE are reported. -----BEGIN PGP SIGNATURE----- Version: PGP 8.0.3 - not licensed for commercial use: www.pgp.com Comment: Attachments scanned by Norton AntiVirus iQA/AwUBQPGVlJqPqrj61A04EQIYiACfTjA64gh6NtU2zZ6jfu3kqwJAq5cAnRko HwvfI4X+4YjY8vUgqb1iDm1v =tw8J -----END PGP SIGNATURE----- From ob1db at spamcop.net Sun Jul 11 17:19:15 2004 From: ob1db at spamcop.net (David Butler) Date: Sun Jul 11 16:20:03 2004 Subject: [SC-Help] Newsgroup FAQs are WHERE ?? (for ALL NG) Message-ID: I was trying to help a Korean newbie to grasp that spam goes to .spam and then the request to the other groups. He replied that an adminstrator had told him to put his in .mail with the spam (didn't mention WHO). He asked where I got my info from. To my surprise, I can find NO FAQ relating to what goes where! Am I missing someting? Were they moved?? Thanks! David From eddie at eddie.web Sun Jul 11 17:32:56 2004 From: eddie at eddie.web (eddie) Date: Sun Jul 11 16:35:03 2004 Subject: [SC-Help] Re: Newsgroup FAQs are WHERE ?? (for ALL NG) References: Message-ID: On Sun, 11 Jul 2004 16:19:15 -0400, David Butler scratched out the following: > I was trying to help a Korean newbie to grasp that spam goes to .spam and > then the request to the other groups. He replied that an adminstrator had > told him to put his in .mail with the spam (didn't mention WHO). > > He asked where I got my info from. To my surprise, I can find NO FAQ > relating to what goes where! > > Am I missing someting? > > Were they moved?? > > Thanks! > > David My newsreader lists the description of each newsgroup here are some of the relevant ones spamcop General SpamCop discussion geeks Technical discussions about non-SC help Help with spam and using SC mail spam The appropriate place to post copies of spam From MikeE at ster.invalid Sun Jul 11 16:30:29 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sun Jul 11 18:35:12 2004 Subject: [SC-Help] Re: Newsgroup FAQs are WHERE ?? (for ALL NG) References: Message-ID: David Butler wrote: > I was trying to help a Korean newbie to grasp that spam goes to .spam > and then the request to the other groups. That concept isn't spelled out exactly so on the faq page. > He replied that an > adminstrator had told him to put his in .mail with the spam (didn't > mention WHO). The faq page sez don't do that. It also sez use tracking urls. "No spam. Please do not post copies of spam or other commercials except in the spamcop.spam group specifically designated for it. SpamCop provides "tracking URL"s for posting spam samples. Please use them. " http://www.spamcop.net/forum.shtml > He asked where I got my info from. To my surprise, I can find NO FAQ > relating to what goes where! http://www.spamcop.net/forum.shtml - SpamCop (spamcop) General Discussion of spam and SpamCop - Geek talk (spamcop.geeks) Geeky issues not related to spam or SpamCop - Social room (spamcop.social) Anything that dosn't fit in the other groups - Spam lab (spamcop.spam) Posting and discussion of specific spam - often contains de-obfuscation 'workshops' There are links to that page from the sitemap which is accessible from about every page. Some help links only point to the webbased forums. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sun Jul 11 18:46:41 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sun Jul 11 20:50:02 2004 Subject: [SC-Help] Re: Is this a 4-1-9 scam? References: Message-ID: C. S. wrote: > "Jonathan Campbell" >> "Glenn Daniels" - post the spam in .spam, but discuss it somewhere else, like .help - trim and contextualize inline to make conversation - not a 419, mortgage - posted to .spam & .help, f/ups to .help -- Mike Easter kibitzer, not SC admin From aukword666 at attglobal.net Sun Jul 11 22:41:04 2004 From: aukword666 at attglobal.net (Glenn Daniels) Date: Sun Jul 11 21:45:03 2004 Subject: [SC-Help] Re: Is this a 4-1-9 scam? References: Message-ID: "Mike Easter" wrote in message [...] > > - post the spam in .spam, but discuss it somewhere else, like .help > - trim and contextualize inline to make conversation > - not a 419, mortgage > - posted to .spam & .help, f/ups to .help > Thanks Mike. I may be educable, or is that educatable. I have already appreciated that in the heat of the post, I failed to direct attention to the thread in .help. I can sincerely appreciate your feedback. I fumbled the ball, inexperience has its reward. Fortunately, I got all the help I sought and learned a few things as well, in spite of my clumsiness. I believe the question has been adequately resolved. I believe the spammer may have had something else on his mind. I was not believing it was a 419, but by invoking the "professional estate planners" clause, as outlined by USSS, it made the spam "smell funny". Funny enough to grab at least one other SC user the wrong way. I have seen several thousand similars that were written off immediately as data mining scams. I understood that I was probably trying to read too much into the bad lie, that is why I posted the query. I can accept that explanation. I also believe any misunderstanding of the meaning in the message is traceable to a faulty message. Walter Annenberg and other pioneers in the field of communications are not unclear in my mind: The meaning in any message is the sole province and responsibilty of the recipient. I did not seek endorsement of any specific interpretation, but sought to call attention to the incongruity. "Help" refinancing a mortgage simply does not jive with connecting me with an "estate planner". This spam catches spammy not only lying, but aggravating one lie with another. In my bizarre way of seeing things, it just did not make sense to try to cover a data mining scam by bringing in the clause better suited to a 419 scam. Neither did it make sense to disguise a 419 scam as a data mining scam. What does make sense is that some liars lie badly. That answer works for me. 'nuff said, Glenn From bar_n0ne at hotmail.com Mon Jul 12 10:42:57 2004 From: bar_n0ne at hotmail.com (Berny) Date: Mon Jul 12 01:45:03 2004 Subject: [SC-Help] Email submissions being lost again, kick a mailserver time? Message-ID: Yesterday most large reporting submissions (about 90k) disappeared into /dev/null it seems. smaller submissions (<10k) seem to get through, out of 6 submits 2 returns. Submissions were sent from corporate as well as hotmail and yahoo addresses with no apparent failure pattern as one of the large ones did get through. Does some mx need kicking/restarting? From DougThegarden at hotmail.com Mon Jul 12 08:33:15 2004 From: DougThegarden at hotmail.com (Doug Thegarden) Date: Mon Jul 12 02:35:03 2004 Subject: [SC-Help] Re: Mozilla patch In-Reply-To: References: Message-ID: Blammo wrote: > On 10 Jul 2004 Doug Thegarden entered spamcop.help and left > news:ccp706$oqk$1@news.spamcop.net: > > >>For those here using Mozilla, Firefox or Thunderbird, there is a >>security flaw found on Wednesday which requires a patch. Details at >>http://www.mozilla.org/security/shell.html in case you haven't seen it. >> >>Doug >> > > > Discussed briefly in .geeks as well. > And mentioned here: news:cckucv$66a$1@news.spamcop.net > Unfortunately they do not keep a record or users nor have any means of getting the word out other than by word of mouth nor have the profile to generate media interest in reporting the story. Doug From bar_n0ne at hotmail.com Mon Jul 12 12:05:16 2004 From: bar_n0ne at hotmail.com (Berny) Date: Mon Jul 12 03:10:03 2004 Subject: [SC-Help] Re: Email submissions being lost again, kick a mailserver time? References: Message-ID: Berny" wrote in message news:cct8d2$dqo$1@news.spamcop.net... > Yesterday most large reporting submissions (about 90k) disappeared into > /dev/null it seems. smaller submissions (<10k) seem to get through, out of 6 > submits 2 returns. > > Submissions were sent from corporate as well as hotmail and yahoo addresses > with no apparent failure pattern as one of the large ones did get through. > > Does some mx need kicking/restarting? 2 more "disappeared" late this evening, 90k and 45k each (total size if submissions as computed by OE which grossly overestimates) From ric.gates at bigsleep.org Mon Jul 12 08:24:01 2004 From: ric.gates at bigsleep.org (Blammo) Date: Mon Jul 12 03:25:02 2004 Subject: [SC-Help] Re: Mozilla patch References: Message-ID: On 11 Jul 2004 Doug Thegarden entered spamcop.help and left news:cctbb4$hd1$1@news.spamcop.net: > > Unfortunately they do not keep a record or users nor have any means of > getting the word out other than by word of mouth nor have the profile to > generate media interest in reporting the story. > Are you talking about Mozilla.org? If you enable update notifications it lets you know there is a new version out. -- | Ric | From a_s_y at sama.ru Mon Jul 12 13:27:16 2004 From: a_s_y at sama.ru (Serg) Date: Mon Jul 12 03:30:03 2004 Subject: [SC-Help] About SPAM report's format Message-ID: Hello. I'm system administrator of ISP. I routinely receive complains from Spamcomp, but I can't take action for every complain because I can't read initial message. This message enter into complains as is and can't decode by mail user agent (I use KMail) when consist of UTF-8, Base64 or QP codes. I can decode it manualy, bat I have not time for it. I propose to change complain's format from plain text to multipart and include initial message as message/rfc822 part. It's make possible to decode message by MUA. -- Regards, Serey. a_s_y @ sama . ru From aukword666 at attglobal.net Mon Jul 12 04:37:58 2004 From: aukword666 at attglobal.net (Glenn Daniels) Date: Mon Jul 12 03:40:03 2004 Subject: [SC-Help] Re: Mozilla patch References: Message-ID: "Blammo" wrote in message > On 11 Jul 2004 Doug Thegarden entered spamcop.help and left [...] > > Are you talking about Mozilla.org? If you enable update notifications it > lets you know there is a new version out. > Perhaps, if one is using Mozilla 1.7... Be that as it may, the patch was applied successfully in Netscape 7.1, which proferred no acknowledge of the update/patch... Mayhaps Netscape is just getting a round tuit, and I jumped the gun. Glenn, but what do we know? From ric.gates at bigsleep.org Mon Jul 12 09:08:10 2004 From: ric.gates at bigsleep.org (Blammo) Date: Mon Jul 12 04:10:03 2004 Subject: [SC-Help] Re: Mozilla patch References: Message-ID: On 12 Jul 2004 Glenn Daniels entered spamcop.help and left news:cctf4h$ltv$1@news.spamcop.net: >> >> Are you talking about Mozilla.org? If you enable update notifications it >> lets you know there is a new version out. >> > > Perhaps, if one is using Mozilla 1.7... Be that as it may, the > patch was applied successfully in Netscape 7.1, which proferred > no acknowledge of the update/patch... Mayhaps Netscape is > just getting a round tuit, and I jumped the gun. > Both I and (apparently) AOL forgot about Netscape, but the patch is a simple preference change and will work in any Mozilla 1.x version, that includes Netscape 7.x. You do have to allow software installation. Netscape won't notify you since there's isn't a new version out. But there is a rumor that AOL/Netscape will release a 7.2 version. I rarely visit their site because I'm really tired of waiting around for them. -- | Ric | From DougThegarden at hotmail.com Mon Jul 12 10:51:13 2004 From: DougThegarden at hotmail.com (Doug Thegarden) Date: Mon Jul 12 04:55:48 2004 Subject: [SC-Help] Re: Mozilla patch In-Reply-To: References: Message-ID: Blammo wrote: > On 11 Jul 2004 Doug Thegarden entered spamcop.help and left > news:cctbb4$hd1$1@news.spamcop.net: > > >>Unfortunately they do not keep a record or users nor have any means of >>getting the word out other than by word of mouth nor have the profile to >>generate media interest in reporting the story. >> > > > Are you talking about Mozilla.org? If you enable update notifications it > lets you know there is a new version out. > > I have update notifications checked but so far have not received any update notification - or maybe I have but its masked by the update notification bug that keeps popping up the notification regardless to the point that I accepted and ignored it (yes I did try the fix but the fix procedure didn't tally when I tried it - IIRC you had to look for an entry in bold in about:config and there was none in bold) Doug From aukword666 at attglobal.net Mon Jul 12 05:53:44 2004 From: aukword666 at attglobal.net (Glenn Daniels) Date: Mon Jul 12 04:56:11 2004 Subject: [SC-Help] Re: Mozilla patch References: Message-ID: "Blammo" wrote in message > On 12 Jul 2004 Glenn Daniels entered spamcop.help and left [...] > > Both I and (apparently) AOL forgot about Netscape, but the patch is a > simple preference change and will work in any Mozilla 1.x version, that > includes Netscape 7.x. You do have to allow software installation. > Netscape won't notify you since there's isn't a new version out. But there > is a rumor that AOL/Netscape will release a 7.2 version. I rarely visit > their site because I'm really tired of waiting around for them. > As Freud put it, there is something comfortable about the familiar. I go back to programming in Fortran and remember 8" floppies and DOS 2.0. I have archives of IE installers (and patches) going back to 2.0. It is that with which I am most familiar. My significant other prefers to communicate in a language I lack proficiency in, when I speak computerese. And there is a fixation there with Netscape, although it is my responsibility to "just make it happen". I am pleased to be able to "keep up" with the technology, but flexibility comes at a premium with age. It is apparent to me that I am falling behind. I sense that there are better browser options available, it's just not likely going to "happen" for us. The value of progress weighs against the cost of change to the point that exploring options is not an agreeable option. It appears that there is a better future for these "browser" things, as it has been so from the outset. But there is ever less future for us as time marches on, and we fall inexorably to the eventual grey, terminal inflexibility. You can afford to be impatient, can't afford not to "go with progress", whereas getting older is a wonderful thing when one considers the alternatives: change can wait. Glenn, what, me worry? From redwolfe_98 at nospam.com Mon Jul 12 08:33:47 2004 From: redwolfe_98 at nospam.com (redwolfe_98) Date: Mon Jul 12 07:35:03 2004 Subject: [SC-Help] Re: Email submissions being lost again, kick a mailserver time? References: Message-ID: it's working for me.. when i forward the email to spamcop, i am getting replies back, "spamcop is now ready to process your spam".. From wb8tyw at qsl.network Mon Jul 12 08:57:21 2004 From: wb8tyw at qsl.network (John E. Malmberg) Date: Mon Jul 12 08:00:03 2004 Subject: [SC-Help] Re: About SPAM report's format In-Reply-To: References: Message-ID: Serg wrote: > Hello. > > I'm system administrator of ISP. I routinely receive complains from Spamcomp, > but I can't take action for every complain because I can't read initial > message. This message enter into complains as is and can't decode by mail > user agent (I use KMail) when consist of UTF-8, Base64 or QP codes. I can > decode it manualy, bat I have not time for it. > > I propose to change complain's format from plain text to multipart and > include initial message as message/rfc822 part. It's make possible to > decode message by MUA. Many abuse and postmaster accounts at ISPs claim that they delete unread anything that has an attachment in their auto-acknowledgments. And about half the ones that abusively send virus notifications to innocent victims also will reject plain text reports of their error because they say it has a virus present. That all said, you probably need to work things out with a deputy to find out if there is someway that Spamcop could better accommodate you. deputies(at)spamcop.net. Generally though, if your network is the origin of the spam, it means that you have a seriously compromised system on your network, and the content of the spam is probably irrelevant. That compromised system is probably costing you more bandwidth charges in a day than you have budgeted it for a week or even a month. So all you really need in that case is the I.P. address of the source. If it is a website on your network, then what you need is the URL to see what the content is. That may be more tricky, as spammers can rig the web site to display different content when you look from inside the network, than when others look. And again, spammers are now hosting web sites, and even DNS servers on compromised machines. So at a minimum, you should run a security scan, such as the ones available open source from the DSBL.ORG on every one of your I.P. addresses that show up on any abuse report. That type of scan can be automated with a script by a robot that monitors the abuse address. Unless someone at your network is deliberately selling web space to spammers, the majority of spamcop.net complaints that you will be getting are likely to be about compromised systems. -John wb8tyw@qsl.network Personal Opinion Only From jose at barkerjr.net Mon Jul 12 08:23:49 2004 From: jose at barkerjr.net (BarkerJr) Date: Mon Jul 12 08:05:03 2004 Subject: [SC-Help] Re: Email submissions being lost again, kick a mailserver time? References: Message-ID: > 90k and 45k each (total size if submissions as computed by OE which grossly > overestimates) OE doesn't overestimate. From burke10 at attglobal.net Mon Jul 12 13:13:47 2004 From: burke10 at attglobal.net (bi-ker-shi) Date: Mon Jul 12 08:15:03 2004 Subject: [SC-Help] SPAMCOP NEVER SEEMS TO FIND THE SPAMVERTIZED URL'S IN DREW AUMAN'S CRAP Message-ID: Dear Spam Cop, I thought you fixed this last week? A sample follows: ======================== Received: from in2.prserv.net ([32.97.166.42]) by win2ksvr1.treetops with Microsoft SMTPSVC(5.0.2195.6713); Mon, 12 Jul 2004 11:06:24 +0000 Received: from 201009105031.user.veloxzone.com.br ([201.9.105.31]) by prserv.net (in2) with SMTP id <2004071211061510203bro05e>; Mon, 12 Jul 2004 11:06:22 +0000 X-Originating-IP: [201.9.105.31] Received: from 155.26.129.0 by 201.9.105.31 Mon, 12 Jul 2004 09:01:16 -0300 Message-ID: From: "alex Fritz" Reply-To: "alex Fritz" To: burgwyn@attglobal.net Subject: You have a new message Date: Mon, 12 Jul 2004 06:01:16 -0600 X-Mailer: thallophyte grantor waterproof-depressible: character admonition olav MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="--463100583230358058" Return-Path: Shelbybotswana@highstream.com X-OriginalArrivalTime: 12 Jul 2004 11:06:24.0801 (UTC) FILETIME=[45783110:01C46800] [ Priority: ] ----463100583230358058 Content-Type: text/html; Content-Encoding: BitBitNUM Hey, this is Tiffany! One of my friends said she knew you and we should get in contact with each other.

I just got my videocamera working so we can talk as long as you want at my website and it doesn't cost you anything if you wanna watch/see me!

Just Copy and Paste the URL below in your Broswer

www.TIFFHUH.com/tiffany.html

I hope you visit soon... I'll be waiting for you ;-)

bye bye, Tiff















kerry leather comprehensive sincere torrance davy teheran official
nepenthe skit cultivate irreclaimable broke koch platypus transmittable
regretted someone'll approximate lemonade arid albuquerque measle amperage 2 ----463100583230358058-- From JohnJBurnessAT at ieeDOT.orgNOSPAM Mon Jul 12 14:54:50 2004 From: JohnJBurnessAT at ieeDOT.orgNOSPAM (John J. Burness) Date: Mon Jul 12 08:55:09 2004 Subject: [SC-Help] Re: SPAMCOP NEVER SEEMS TO FIND THE SPAMVERTIZED URL'S IN DREW AUMAN'S CRAP In-Reply-To: References: Message-ID: bi-ker-shi wrote: > Dear Spam Cop, I thought you fixed this last week? > > A sample follows: > > ======================== > > Received: from in2.prserv.net ([32.97.166.42]) by win2ksvr1.treetops with > Microsoft SMTPSVC(5.0.2195.6713); > Mon, 12 Jul 2004 11:06:24 +0000 > Received: from 201009105031.user.veloxzone.com.br ([201.9.105.31]) > by prserv.net (in2) with SMTP > id <2004071211061510203bro05e>; Mon, 12 Jul 2004 11:06:22 +0000 > X-Originating-IP: [201.9.105.31] > Received: from 155.26.129.0 by 201.9.105.31 Mon, 12 Jul 2004 09:01:16 -0300 > Message-ID: > From: "alex Fritz" > Reply-To: "alex Fritz" > To: burgwyn@attglobal.net > Subject: You have a new message > Date: Mon, 12 Jul 2004 06:01:16 -0600 > X-Mailer: thallophyte grantor > waterproof-depressible: character admonition olav > MIME-Version: 1.0 > Content-Type: multipart/alternative; > boundary="--463100583230358058" > Return-Path: Shelbybotswana@highstream.com > X-OriginalArrivalTime: 12 Jul 2004 11:06:24.0801 (UTC) > FILETIME=[45783110:01C46800] > > [ Priority: > ] > > ----463100583230358058 > Content-Type: text/html; > Content-Encoding: BitBitNUM > > > Hey, this is Tiffany! One of my friends said she knew > you and we should get in contact with each other. >

> I just got my videocamera working so we can talk as long > as you want at my website and it doesn't cost you anything > if you wanna watch/see me! >

> Just Copy and Paste the URL below in your Broswer >

> www.TIFFHUH.com/tiffany.html >

> I hope you visit soon... I'll be waiting for you ;-) >

> bye bye, Tiff >

>

>

>

>

>

>

>
> >
kerry leather comprehensive sincere torrance davy teheran official >
nepenthe skit cultivate irreclaimable broke koch platypus transmittable >
regretted someone'll approximate lemonade arid albuquerque measle > amperage > 2 > > ----463100583230358058-- > > > > > I get literally hundreds of these (or their variations)!! The problem is that spamcop has forgotten the goldern rule:- "Never trust what a spammer tells you"!! The spammer has stated that the message is in HTML, which spamcop is believing, & then deliberately puts the URL in plain text!! I personally think that it is about time that spamcop reviewed this bit of coding & reported on URL links REGARDLESS of whether they are in plain or HTML!! Regards, John From nobody at devnull.spamcop.net Mon Jul 12 08:54:16 2004 From: nobody at devnull.spamcop.net (Cat) Date: Mon Jul 12 08:55:22 2004 Subject: [SC-Help] Re: SPAMCOP NEVER SEEMS TO FIND THE SPAMVERTIZED URL'S IN DREW AUMAN'S CRAP In-Reply-To: References: Message-ID: bi-ker-shi wrote: > Dear Spam Cop, I thought you fixed this last week? > > A sample follows: Please follow the "no spam posting" rule at http://spamcop.net/forum.shtml and post spam only in spamcop.spam then post discussion about it here in spamcop.help or the main spamcop newsgroup. The people who read and post here get enough spam of their own without having to see yours in a place where they are promised a spam free environment. From me at privacy.net Mon Jul 12 09:34:01 2004 From: me at privacy.net (Frog Prince) Date: Mon Jul 12 08:55:29 2004 Subject: [SC-Help] Re: Email submissions being lost again, kick a mailserver time? References: Message-ID: "redwolfe_98" wrote in message news:cctsus$2cq$1@news.spamcop.net... | it's working for me.. when i forward the email to spamcop, i am getting | replies back, "spamcop is now ready to process your spam".. Most of mine show up in a few minutes some take considerable time. I'm not keeping a log so I have no idea if any are disappearing. From nobody at devnull.spamcop.net Mon Jul 12 08:59:16 2004 From: nobody at devnull.spamcop.net (Cat) Date: Mon Jul 12 09:00:03 2004 Subject: [SC-Help] Re: SPAMCOP NEVER SEEMS TO FIND THE SPAMVERTIZED URL'S IN DREW AUMAN'S CRAP In-Reply-To: References: Message-ID: John J. Burness wrote: > bi-ker-shi wrote: > >> Dear Spam Cop, I thought you fixed this last week? > The problem is that spamcop has forgotten the goldern rule:- "Never > trust what a spammer tells you"!! Looks like you forgot another golden rule: "If someone post spam somewhere other than spamcop.spam, don't quote the spam in your reply to that person." ;-P Sorry to comment on that, but I was just trying to set an example in my other reply in this thread for bi-ker-shi to keep spam posts in the newsgroup where they belong. From a_s_y at sama.ru Mon Jul 12 20:14:11 2004 From: a_s_y at sama.ru (Serg) Date: Mon Jul 12 10:15:04 2004 Subject: [SC-Help] Re: About SPAM report's format References: Message-ID: John E. Malmberg wrote: >> I propose to change complain's format from plain text to multipart and >> include initial message as message/rfc822 part. It's make possible to >> decode message by MUA. > > Many abuse and postmaster accounts at ISPs claim that they delete unread > anything that has an attachment in their auto-acknowledgments. I'm understand... Is may possible configure it for ISP profile ? > That all said, you probably need to work things out with a deputy to > find out if there is someway that Spamcop could better accommodate you. > > deputies(at)spamcop.net. Thanks, I will be attempt. > Generally though, if your network is the origin of the spam, it means > that you have a seriously compromised system on your network, and the We have some tens thousands abonents. :-) Yes, some times (very frequently) some hosts stand compromised. > content of the spam is probably irrelevant. That compromised system is > probably costing you more bandwidth charges in a day than you have > budgeted it for a week or even a month. I known. I'm to stop abonent's access to network when receive good complain, but I need of several reasons including readable initial message for accordance to abonent. -- Regards, Serey. a_s_y @ sama . ru From nobody at spamcop.net Mon Jul 12 11:50:27 2004 From: nobody at spamcop.net (Miss Betsy) Date: Mon Jul 12 11:55:19 2004 Subject: [SC-Help] Ironport filtering for chinese abuse desk? Message-ID: I made a manual lart to a chinese abuse desk. It was returned as being undeliverable - mail box full. However, the original email caught my eye. Should I report them to the bonded sender program? Or do you think Ironport automatically knows? Received: from ironport1.jsmail.com.cn([10.100.0.29]) by js.cn(AIMC 2.9.5.2) with SMTP id jm1240eed380; Sat, 10 Jul 2004 00:37:21 +0800 Received: from sccimhc91.asp.att.net (63.240.76.165) by ironport1.jsmail.com.cn with ESMTP; 10 Jul 2004 01:00:08 +0800 full headers in .spam From nobody at spamcop.net Mon Jul 12 13:55:57 2004 From: nobody at spamcop.net (Ellen) Date: Mon Jul 12 13:00:04 2004 Subject: [SC-Help] Re: Ironport filtering for chinese abuse desk? References: Message-ID: "Miss Betsy" wrote in message news:ccubvs$i5c$1@news.spamcop.net... > I made a manual lart to a chinese abuse desk. It was returned as being > undeliverable - mail box full. However, the original email caught my > eye. Should I report them to the bonded sender program? Or do you > think Ironport automatically knows? > > Received: from ironport1.jsmail.com.cn([10.100.0.29]) by js.cn(AIMC > 2.9.5.2) > with SMTP id jm1240eed380; Sat, 10 Jul 2004 00:37:21 +0800 > Received: from sccimhc91.asp.att.net (63.240.76.165) > by ironport1.jsmail.com.cn with ESMTP; 10 Jul 2004 01:00:08 +0800 > > full headers in .spam > Having Ironport hardware does not automatically mean that the entity is part of bonded sender. It just looks like these folks have bought a server to handle their email. Ellen From Kilgallen at SpamCop.net Mon Jul 12 13:15:04 2004 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Mon Jul 12 13:20:02 2004 Subject: [SC-Help] Re: Ironport filtering for chinese abuse desk? References: Message-ID: In article , "Ellen" writes: > > "Miss Betsy" wrote in message > news:ccubvs$i5c$1@news.spamcop.net... >> I made a manual lart to a chinese abuse desk. It was returned as being >> undeliverable - mail box full. However, the original email caught my >> eye. Should I report them to the bonded sender program? Or do you >> think Ironport automatically knows? >> >> Received: from ironport1.jsmail.com.cn([10.100.0.29]) by js.cn(AIMC >> 2.9.5.2) >> with SMTP id jm1240eed380; Sat, 10 Jul 2004 00:37:21 +0800 >> Received: from sccimhc91.asp.att.net (63.240.76.165) >> by ironport1.jsmail.com.cn with ESMTP; 10 Jul 2004 01:00:08 +0800 >> >> full headers in .spam >> > > Having Ironport hardware does not automatically mean that the entity is part > of bonded sender. It just looks like these folks have bought a server to > handle their email. I doubt that the Ironport company has any control over people using the string "ironport" in their subdomain names. It might not even be using their hardware. From ric.gates at bigsleep.org Mon Jul 12 21:20:19 2004 From: ric.gates at bigsleep.org (Blammo) Date: Mon Jul 12 16:25:24 2004 Subject: [SC-Help] Re: Mozilla patch References: Message-ID: On 12 Jul 2004 Glenn Daniels entered spamcop.help and left news:cctjij$pt4$1@news.spamcop.net: > As Freud put it, there is something comfortable about the > familiar. Nothing wrong with that, but I won't wait around for bug fixes and new features I want when I can switch to something that's more up-to-date. -- | Ric | From ob1db at spamcop.net Mon Jul 12 17:30:18 2004 From: ob1db at spamcop.net (David Butler) Date: Mon Jul 12 16:35:04 2004 Subject: [SC-Help] No links found in Yahoo spam Message-ID: http://www.spamcop.net/sc?id=z545959959z35eb021041d562731a2ff36af324a788z cannot see why, link is there and valid From ob1db at spamcop.net Mon Jul 12 17:31:54 2004 From: ob1db at spamcop.net (David Butler) Date: Mon Jul 12 16:35:11 2004 Subject: [SC-Help] Re: No links found in Yahoo spam References: Message-ID: "David Butler" wrote in message news:ccuscl$55u$1@news.spamcop.net... > http://www.spamcop.net/sc?id=z545959959z35eb021041d562731a2ff36af324a788z > > cannot see why, link is there and valid > NM: Duh, "multipart, etc..." Sorry Not enough sleep From skiwi+newsgroups at spamcop.net Mon Jul 12 14:41:04 2004 From: skiwi+newsgroups at spamcop.net (Skiwi) Date: Mon Jul 12 16:45:04 2004 Subject: [SC-Help] Re: Mozilla patch In-Reply-To: References: Message-ID: Doug Thegarden wrote: > For those here using Mozilla, Firefox or Thunderbird, there is a > security flaw found on Wednesday which requires a patch. Details at > http://www.mozilla.org/security/shell.html in case you haven't seen it. *seemed* to install OK in Mozilla 1.8a1, but when I went to 'about:config' and filtered for 'shell' no sign of anything - suggestions? TIA - Greg... From ob1db at spamcop.net Mon Jul 12 17:42:09 2004 From: ob1db at spamcop.net (David Butler) Date: Mon Jul 12 16:45:11 2004 Subject: [SC-Help] Re: SPAMCOP NEVER SEEMS TO FIND THE SPAMVERTIZED URL'S IN DREW AUMAN'S CRAP References: Message-ID: "bi-ker-shi" wrote in message news:cctv9t$4ru$1@news.spamcop.net... > Dear Spam Cop, I thought you fixed this last week? > next time post the tracker, not the spam. Then we can see what went wrong. here: http://www.spamcop.net/sc?id=z545969741za0fe1900ea75c016c5b42d865b48a366z Don't know if some of this was your news client program or the original, but you had a folded line and a wrong "type" Needs to be white space at the beginning of each additional line of a header, line 2 has none: Received: from in2.prserv.net ([32.97.166.42]) by win2ksvr1.treetops with Microsoft SMTPSVC(5.0.2195.6713); Mon, 12 Jul 2004 11:06:24 +0000 if you look at my link, it should be Received: from in2.prserv.net ([32.97.166.42]) by win2ksvr1.treetops with Microsoft SMTPSVC(5.0.2195.6713); Mon, 12 Jul 2004 11:06:24 +0000 and in the body: Content-Type: text/html; Content-Encoding: BitBitNUM should be Content-Type: text/plain; Content-Encoding: BitBitNUM I also deleted the broken line(s): FILETIME=[45783110:01C46800] [ Priority: ] that parses fine . You can resubmit if you didn't send any reports and manually report the link as I show... From ric.gates at bigsleep.org Tue Jul 13 00:35:48 2004 From: ric.gates at bigsleep.org (Blammo) Date: Mon Jul 12 19:40:19 2004 Subject: [SC-Help] Re: Mozilla patch References: Message-ID: On 12 Jul 2004 Skiwi entered spamcop.help and left news:ccut10$5so$1@news.spamcop.net: > Doug Thegarden wrote: > >> For those here using Mozilla, Firefox or Thunderbird, there is a >> security flaw found on Wednesday which requires a patch. Details at >> http://www.mozilla.org/security/shell.html in case you haven't seen >> it. > > *seemed* to install OK in Mozilla 1.8a1, but when I went to > 'about:config' and filtered for 'shell' no sign of anything - > suggestions? > The nightlies will have it built-in now, it won't show up in config. Try this page... http://www.mccanless.us/mozilla/mozilla_bugs.htm -- | Ric | From ric.gates at bigsleep.org Tue Jul 13 01:05:47 2004 From: ric.gates at bigsleep.org (Blammo) Date: Mon Jul 12 20:10:02 2004 Subject: [SC-Help] Re: Mozilla patch References: Message-ID: > On 12 Jul 2004 Skiwi entered spamcop.help and left > news:ccut10$5so$1@news.spamcop.net: > >> >> *seemed* to install OK in Mozilla 1.8a1, but when I went to >> 'about:config' and filtered for 'shell' no sign of anything - >> suggestions? >> Actually you do need to apply the security patch to 1.8 alpha 1. I suspect that you did not completely quit Mozilla. -- | Ric | From eddie at eddie.web Tue Jul 13 01:32:33 2004 From: eddie at eddie.web (eddie) Date: Tue Jul 13 00:35:03 2004 Subject: [SC-Help] Re: SPAMCOP NEVER SEEMS TO FIND THE SPAMVERTIZED URL'S IN DREW AUMAN'S CRAP References: Message-ID: On Mon, 12 Jul 2004 13:54:50 +0100, John J. Burness scratched out the following: >snip > I get literally hundreds of these (or their variations)!! > > The problem is that spamcop has forgotten the goldern rule:- "Never trust > what a spammer tells you"!! > > The spammer has stated that the message is in HTML, which spamcop is > believing, & then deliberately puts the URL in plain text!! > > I personally think that it is about time that spamcop reviewed this bit of > coding & reported on URL links REGARDLESS of whether they are in plain or > HTML!! For some reason SC continues to use old tactics against the latest spam techniques, which are getting very sophisticated. I mentioned elsewhere, we are stupid if we think we are smarter than the top echelon spam community. Never underestimate your enemy - that's exactly what they want you to do. From burke10 at attglobal.net Tue Jul 13 10:49:53 2004 From: burke10 at attglobal.net (bi-ker-shi) Date: Tue Jul 13 05:50:18 2004 Subject: [SC-Help] Re: SPAMCOP NEVER SEEMS TO FIND THE SPAMVERTIZED URL'S IN DREW AUMAN'S CRAP References: Message-ID: "Cat" wrote in message news:ccu1li$8ar$1@news.spamcop.net... > http://spamcop.net/forum.shtml and post spam only in spamcop.spam then ... will do. From burke10 at attglobal.net Tue Jul 13 11:39:31 2004 From: burke10 at attglobal.net (bi-ker-shi) Date: Tue Jul 13 06:40:04 2004 Subject: [SC-Help] Re: SPAMCOP NEVER SEEMS TO FIND THE SPAMVERTIZED URL'S IN DREW AUMAN'S CRAP References: Message-ID: "David Butler" wrote in message news:ccut2u$6d5$1@news.spamcop.net... > "bi-ker-shi" wrote in message > news:cctv9t$4ru$1@news.spamcop.net... > > Dear Spam Cop, I thought you fixed this last week? > > > > next time post the tracker, not the spam. Then we can see what went wrong. > > here: > > http://www.spamcop.net/sc?id=z545969741za0fe1900ea75c016c5b42d865b48a366z > > Don't know if some of this was your news client program or the original, but > you had a folded line and a wrong "type" > Hi, I received 3 almost identical items today and spamcop failed to find the link. The tracker is: http://www.spamcop.net/sc?id=z546847090zb157d188a1461c1721cd219eb9b9d704z To post the mail, I have mapped exchange to an m: drive and copy the eml file using notepad. I believe that the content is close to being as it was received TCP/IP. I make quite a few reports and mostly spamcop finds the links. Your reply seemed to indicate that if I reformatted the message before posting, spamcop would find the link? From skiwi+newsgroups at spamcop.net Tue Jul 13 11:31:11 2004 From: skiwi+newsgroups at spamcop.net (Skiwi) Date: Tue Jul 13 13:35:07 2004 Subject: [SC-Help] Re: Mozilla patch [1.8a1] In-Reply-To: References: Message-ID: Blammo wrote: >>On 12 Jul 2004 Skiwi entered spamcop.help and left >>news:ccut10$5so$1@news.spamcop.net: >> >> >>>*seemed* to install OK in Mozilla 1.8a1, but when I went to >>>'about:config' and filtered for 'shell' no sign of anything - >>>suggestions? >>> > > > Actually you do need to apply the security patch to 1.8 alpha 1. > I suspect that you did not completely quit Mozilla. Yep - quick start! :-) Finds it perfect now, so I guess after the next log-off or reboot it would have worked just fine... Cheers! Now I just got to get a workaround for crashes if you try to add notes in inline quoted replies to email... :-) From null at null.com Tue Jul 13 22:46:58 2004 From: null at null.com (Martin) Date: Tue Jul 13 16:45:03 2004 Subject: [SC-Help] Mailhost error Message-ID: I have just made two atempts to add my mailhost, first one said something about invalid code refering to my reporting address, the second time I got Sorry, SpamCop has encountered errors: Headers not found. But the headers were pasted into the headers box, re-did it but still no joy. Where do we go from here, forwarded email by post but had no acknowledment to that, can I still carry on reporting? or do I need to re-register and carry on using the old method, since the system seems all screwed up. Wished I had never bothered now. Martin From null at null.com Tue Jul 13 22:53:44 2004 From: null at null.com (Martin) Date: Tue Jul 13 16:55:04 2004 Subject: [SC-Help] Re: Mailhost error References: Message-ID: Tried a third time, got the same as first time, says confirmation codes dont match, then lists from address, from header and from body, all three addresses match, so what gives? From ob1db at spamcop.net Tue Jul 13 18:33:40 2004 From: ob1db at spamcop.net (David Butler) Date: Tue Jul 13 17:35:03 2004 Subject: [SC-Help] Re: SPAMCOP NEVER SEEMS TO FIND THE SPAMVERTIZED URL'S IN DREW AUMAN'S CRAP References: Message-ID: "bi-ker-shi" wrote in message news:cd0e54$id6$1@news.spamcop.net... > > > > > here: > > > > http://www.spamcop.net/sc?id=z545969741za0fe1900ea75c016c5b42d865b48a366z > > > > Don't know if some of this was your news client program or the original, > but > > you had a folded line and a wrong "type" > > > Hi, I received 3 almost identical items today and spamcop failed to find the > link. The tracker is: > > http://www.spamcop.net/sc?id=z546847090zb157d188a1461c1721cd219eb9b9d704z > > To post the mail, I have mapped exchange to an m: drive and copy the eml > file using notepad. I believe that the content is close to being as it was > received TCP/IP. I make quite a few reports and mostly spamcop finds the > links. I don't know what you mean by this "mapped exchange to an m: drive ", all I know is the folds were there in your posting. Could be Exchange, could be the pasting. What news client do you use? > > Your reply seemed to indicate that if I reformatted the message before > posting, spamcop would find the link? > The ONLY changes (besides munging) that SC allows would be "correcting" erroneous content-type: The headers appear intact this time, but it shows Content-Type: text/html when it is NOT html, so type would be Content-Type: text/plain or occasionally Content-Type: text/Plaintext. The FAQ on this says ONLY to do if you are sure. ----841906055892078 Content-Type: text/html; Content-Encoding: BitbitNUM http://www.internationalsexmovies.com/killerbees/index.html ----841906055892078-- which parses with Content-Type: text/plain as: Re: http://www.internationalsexmovies.com/killerbee... (Administrator of network hosting website referenced in spam) To: postmaster#chinanet.cn.net@devnull.spamcop.net (Notes) To: anti-spam@chinanet.cn.net (Notes) To: yzxu#publicf.bta.net.cn@devnull.spamcop.net (Notes) (you can manually notify abuse@chinanet.cn.net as well, I still don't know why SC does not offer that...) If you have another spam with folded lines, you can only use the SC engine to determine who to manually notify, as "corrections" of this type are considered material changes which are forbidden by SC rules... Some of us feel this is overly strict, but it is the rule... Did I make this clear? David From ric.gates at bigsleep.org Tue Jul 13 23:51:32 2004 From: ric.gates at bigsleep.org (Blammo) Date: Tue Jul 13 18:55:04 2004 Subject: [SC-Help] Re: Mozilla patch [1.8a1] References: Message-ID: On 13 Jul 2004 Skiwi entered spamcop.help and left news:cd168v$a6s$1@news.spamcop.net: > Now I just got to get a workaround for crashes if you try to add notes > in inline quoted replies to email... :-) > Possibly related to? http://bugzilla.mozilla.org/show_bug.cgi?id=195104#c10 Though I do this all the time and it's never crashed on me, but I never use preview releases because I currently have little time to report bugs. I do vote for bugs and sometimes comment. -- | Ric | From nobody at devnull.spamcop.net Wed Jul 14 12:57:11 2004 From: nobody at devnull.spamcop.net (brewman) Date: Tue Jul 13 19:55:03 2004 Subject: [SC-Help] Re: Mailhost error References: Message-ID: "Martin" wrote in message news:cd1hka$li2$1@news.spamcop.net... > I have just made two atempts to add my mailhost I have just changed mine a few minutes ago (new ISP for domain). I had to redo email reporting address (? or something - no actual change but it said it was blank?) to advance thru' the new signon/password stuff, but once that was done, everything went fine. Parsed my first spam and submitted it okay. -- Brewman Brewman.SpamCop@brycom.cX.nX which really ends with dot co dot nz From nobody at spamcop.net Tue Jul 13 22:11:03 2004 From: nobody at spamcop.net (Ellen) Date: Tue Jul 13 21:15:02 2004 Subject: [SC-Help] Re: Mailhost error References: Message-ID: "Martin" wrote in message news:cd1i11$lvj$1@news.spamcop.net... > Tried a third time, got the same as first time, says confirmation codes > dont match, then lists from address, from header and from body, all three > addresses match, so what gives? > > Send your registered SC email address to me and a copy of one of the probes -- it sounds like your email app is wrapping the header lines oddly. deputies spamcop.net Ellen From amenex at amenex.com Wed Jul 14 10:05:56 2004 From: amenex at amenex.com (George Langford, Sc.D.) Date: Wed Jul 14 09:06:14 2004 Subject: [SC-Help] Held Mail folder has become inaccessible; others, too Message-ID: <200407141305.i6ED5u709560@email1.voicenet.com> Mebbe this has happened 'cuz I'm near the end of my paid SpamCop subscription ... but the only folder that I can open in webmail.spamcop.net is my Inbox. If I go to the drop-down menu at the upper right hand corner of my Inbox screen and select "Held Mail" nothing happens. If I select with a right click and tell Mozilla to open _any_ folder in that drop- down menu in a new browser window, all I get is my Inbox again. Is this a new feature or is it CESMail's way of telling me to "Pay Up, Schmuck" ? Along the same vein, when I just tried to use PayPal to ante up for another year, all that CESMail charged was $30 instead of $31 as promised, and I suspect that there is no connection whatsoever between the information I had to enter to satisfy PayPal versus the information by which SpamCop knows me. My questions are: What phone number is there by which I can straighten out the payment issue; and Has SpamCop introduced a new "Feature" without placing any access to that "Feature" on the Inbox screen ? amenex From MikeE at ster.invalid Wed Jul 14 08:40:16 2004 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jul 14 10:45:34 2004 Subject: [SC-Help] Re: not parsing IP address correctly References: Message-ID: posted to .spam & .help; f/ups to .help Michael Vilain I've gotten 2 spams with headers that didn't parse fully. The > following example doesn't go to the 2nd header (charter-stl.com). > But if I strip out the full name > "southcity-24.107.186.159.charter-stl.com ", it parses correctly. > > Could this be because the string is on the next line? That's a > parsing bug. A newsreader posted spam isn't as good as a tracker url for discussing this kind of issue. What is posted in .spam has a wrapped Received traceline. Those lines when folded properly rather than wrapped should have leading whitespace. See this configuration of your spam's headers www.spamcop.net/sc?id=z548791610z857d9295897110ba4855ec0c9223a7e8z and this faq http://www.spamcop.net/fom-serve/cache/368.html "One common pitfall that still seems to be prevalent is erroneous wrapping of long email header lines being submitted to SpamCop. If this type of problem is present in submitted spam, SpamCop will refuse to scan the message body for links, instead producing an error." -- Mike Easter kibitzer, not SC admin From null at null.com Wed Jul 14 18:42:35 2004 From: null at null.com (Martin) Date: Wed Jul 14 12:45:02 2004 Subject: [SC-Help] Re: Mailhost error References: Message-ID: "Ellen" wrote in message news:cd21a6$2e8$1@news.spamcop.net... > > > Send your registered SC email address to me and a copy of one of the > probes -- it sounds like your email app is wrapping the header lines oddly. > deputies spamcop.net > > Ellen > Have sent you a copy of the return email, cant send you the error message though. Using outlook 2003 From masfjorden at spamcop.net Wed Jul 14 21:51:37 2004 From: masfjorden at spamcop.net (helge) Date: Wed Jul 14 14:55:07 2004 Subject: [SC-Help] no links found (again Message-ID: I have never bothered to study the 'links not found' problem, but this one made me curious. Tracker: http://www.spamcop.net/sc?id=z549063042z58c2b8aabdc77694c29e726b4ef292c3z In the plain(?) text I find: www.hardandhealth.com Is SpamCop's problem that the body is plain text but claims to be text/html ? Is there any hope that SpamCop will learn to see through this simple trick? What does the b, resp /b in brackets mean? Sorry about my ignorance helge From MikeE at ster.invalid Wed Jul 14 13:11:16 2004 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jul 14 15:15:07 2004 Subject: [SC-Help] Re: no links found (again References: Message-ID: helge wrote: > I have never bothered to study the 'links not found' problem, but this > one made me curious. > Tracker: > www.spamcop.net/sc?id=z549063042z58c2b8aabdc77694c29e726b4ef292c3z It appears that things have changed again and a tracker is no good for demonstrating a spam. > In the plain(?) text I find: > www.hardandhealth.com > > Is SpamCop's problem that the body is plain text but claims to be > text/html ? Altho' I can't see the spam, it sounds like the problem of the link not being in html link format, but the content type of the header saying that the body is text/html. SC doesn't like that. > Is there any hope that SpamCop will learn to see through > this simple trick? > What does the b, resp /b in brackets mean? That's an html style tag for bold. Turning it on and off. -- Mike Easter kibitzer, not SC admin From dkona7b02 at sneakemail.com Wed Jul 14 16:26:12 2004 From: dkona7b02 at sneakemail.com (Spam Hater) Date: Wed Jul 14 15:26:16 2004 Subject: [SC-Help] no links found (again In-Reply-To: Message-ID: <3.0.5.32.20040714152612.013b77e0@loki.fstrf.org> See my responses inline... At 08:51 PM 7/14/2004 +0200, helge typed: >I have never bothered to study the 'links not found' problem, but this >one made me curious. >Tracker: > >http://www.spamcop.net/sc?id=z549063042z58c2b8aabdc77694c29e726b4ef292c3z > >In the plain(?) text I find: > www.hardandhealth.com > >Is SpamCop's problem that the body is plain text but claims to be >text/html ? Yes and no... :) The "body" *is* html, but that link itself is not properly encoded for html interpretation. Some web browsers and email clients may still treat it as a live link, but according to the rules, they shouldn't. It would need an tag to be considered a proper link. >Is there any hope that SpamCop will learn to see through this simple trick? Not likely... If the parser were to "guess" that this was a live link, it would then be easy to trick it into reporting all sorts of innocent bystanders... The parser might be trained to treat these differently, maybe look them up and offer to report them but leave that box unchecked and let the reporter decide if it is innocent or not, BUT past trials have shown that most reporters can't be bothered to actually verify anything and just send LARTs anywhere and everywhere they can. This is the very same reason reporting email addresses in SPAM was discontinued. :( >What does the b, resp /b in brackets mean? Those are the html codes to turn bolding on and off. From ob1db at spamcop.net Wed Jul 14 16:34:23 2004 From: ob1db at spamcop.net (David Butler) Date: Wed Jul 14 15:35:03 2004 Subject: [SC-Help] Re: no links found (again References: Message-ID: "Mike Easter" wrote in message news:cd40jl$mal$1@news.spamcop.net... > helge wrote: > > I have never bothered to study the 'links not found' problem, but this > > one made me curious. > > Tracker: > > > www.spamcop.net/sc?id=z549063042z58c2b8aabdc77694c29e726b4ef292c3z > > It appears that things have changed again and a tracker is no good for > demonstrating a spam. > > > In the plain(?) text I find: > > www.hardandhealth.com > > > > Is SpamCop's problem that the body is plain text but claims to be > > text/html ? > > Altho' I can't see the spam, it sounds like the problem of the link not > being in html link format, but the content type of the header saying > that the body is text/html. SC doesn't like that. > yep body has: ----6362683546963342 Content-Type: text/html; Content-Encoding: bitbitNUM change to text/plain and it will parse. Had a bunch of these lately... From dkona7b02 at sneakemail.com Wed Jul 14 16:38:51 2004 From: dkona7b02 at sneakemail.com (Spam Hater) Date: Wed Jul 14 15:38:56 2004 Subject: [SC-Help] Re: no links found (again In-Reply-To: References: Message-ID: <3.0.5.32.20040714153851.013b7928@loki.fstrf.org> Worked for me... I just clicked on the "View entire message" link to see the original... At 12:11 PM 7/14/2004 -0700, Mike Easter typed: >helge wrote: >> >www.spamcop.net/sc?id=z549063042z58c2b8aabdc77694c29e726b4ef292c3z > >It appears that things have changed again and a tracker is no good for >demonstrating a spam. From masfjorden at spamcop.net Wed Jul 14 22:47:18 2004 From: masfjorden at spamcop.net (helge) Date: Wed Jul 14 15:50:03 2004 Subject: [SC-Help] Re: no links found (again In-Reply-To: References: Message-ID: Thanks to Mike, Spam Hater and David. David Butler wrote: (snip) > yep body has: > > ----6362683546963342 > Content-Type: text/html; Mine had that too. > Content-Encoding: bitbitNUM > > change to text/plain and it will parse. Had a bunch of these lately... The spam was in my held mail, and I submitted it from there When the spam has been submitted, I can't change the content-type, can I? I have to go back to the trash bin and copy/paste from there. helge From MikeE at ster.invalid Wed Jul 14 13:48:28 2004 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jul 14 15:55:03 2004 Subject: [SC-Help] Re: no links found (again References: Message-ID: Spam Hater wrote: > Mike Easter typed: >> helge wrote: www.spamcop.net/sc?id=z549063042z58c2b8aabdc77694c29e726b4ef292c3z >> >> It appears that things have changed again and a tracker is no good >> for demonstrating a spam. > Worked for me... I just clicked on the "View entire message" link to > see the original... That link does not [now amended to 'did not'] show me anything but the body parse of a mailhosts submitter - it doesn't show me the headers, it doesn't show me a view entire message, but it does give the report number: But, I was logged in at the time. When I logged out, the link now gives me the 'normal' view I expect - headers, view entire message, mailhosts parse, concluded by 'If reported today, reports would be sent to:' and /doesn't/ give the report number. Very strange. I don't think it is supposed to be working that way. -- Mike Easter kibitzer, not SC admin From ob1db at spamcop.net Wed Jul 14 16:50:46 2004 From: ob1db at spamcop.net (David Butler) Date: Wed Jul 14 15:55:11 2004 Subject: [SC-Help] Re: no links found (again References: Message-ID: "helge" wrote in message news:cd42jq$ojo$1@news.spamcop.net... > Thanks to Mike, Spam Hater and David. > > David Butler wrote: > (snip) > > yep body has: > > > > ----6362683546963342 > > Content-Type: text/html; > > Mine had that too. > > Content-Encoding: bitbitNUM > > > > change to text/plain and it will parse. Had a bunch of these lately... > > The spam was in my held mail, and I submitted it from there > When the spam has been submitted, I can't change the content-type, can > I? I have to go back to the trash bin and copy/paste from there. > when a link does not parse, I hit "view entire message" in another Mozilla pane (Mozilla ROCKS, folks). If I see the html is ok, I go back, hit "show reports" then back up OR reload, the engine parses it. If I see a "type" error, I copy the whole email, hit cancel, and re-enter with the content-type cleaned up. David From MikeE at ster.invalid Wed Jul 14 13:55:23 2004 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jul 14 16:00:04 2004 Subject: [SC-Help] Re: no links found (again References: Message-ID: helge wrote: > When the spam has been submitted, I can't change the content-type, can > I? I have to go back to the trash bin and copy/paste from there. In order to play by the rules, you have to spamcop report that 'as is' which will miss the body link, but get the spamsource. In order to notify the spamvertiser provider you have to do that 'separately' somehow - either by manually reporting or by doing an additional user added notify since you are a spamcop subscriber. If you want SC to do the 'grunt work' for you of finding the link and giving you the notify addresses, you have to either feed SC the link as a separate operation, which would be quickest for this one, or modify the headers to 'force' a 'correct' body parse which you would than have to cancel. The latter 'gaming' might be quicker if we were talking about a spam with a lot of links which needed to be reported but the body parse failed because of a header discrepancy like this one. -- Mike Easter kibitzer, not SC admin From masfjorden at spamcop.net Wed Jul 14 23:14:38 2004 From: masfjorden at spamcop.net (helge) Date: Wed Jul 14 16:15:05 2004 Subject: [SC-Help] Re: no links found (again In-Reply-To: References: Message-ID: Mike Easter wrote: > helge wrote: > >>When the spam has been submitted, I can't change the content-type, can >>I? I have to go back to the trash bin and copy/paste from there. > > > In order to play by the rules, you have to spamcop report that 'as is' > which will miss the body link, but get the spamsource. I prefer to go by the rules. David's method looks somewhat complicated (even in Mozilla), and I could never be sure that a home-made content-type change is correct, anyway. So the spamvertizer will not be reported by me. > In order to notify the spamvertiser provider you have to do that > 'separately' somehow - either by manually reporting or by doing an > additional user added notify since you are a spamcop subscriber. If you > want SC to do the 'grunt work' for you of finding the link and giving > you the notify addresses, you have to either feed SC the link as a > separate operation, which would be quickest for this one, or modify the > headers to 'force' a 'correct' body parse which you would than have to > cancel. (snip) Being kibitzer myself: for /than/ read /then/ Thanks, Mike helge From eddie at eddie.web Wed Jul 14 17:43:28 2004 From: eddie at eddie.web (eddie) Date: Wed Jul 14 16:45:04 2004 Subject: [SC-Help] Re: no links found (again References: Message-ID: On Wed, 14 Jul 2004 12:48:28 -0700, Mike Easter scratched out the following: snip > When I logged out, the link now gives me the 'normal' view I expect - > headers, view entire message, mailhosts parse, concluded by 'If reported > today, reports would be sent to:' and /doesn't/ give the report number. > > Very strange. I don't think it is supposed to be working that way. Send me your tracker and I will have Sherlock diagnose it :) There are many strange things that happen when using SC - you have just discovered one more. From eddie at eddie.web Wed Jul 14 17:46:12 2004 From: eddie at eddie.web (eddie) Date: Wed Jul 14 16:50:04 2004 Subject: [SC-Help] Re: no links found (again References: Message-ID: On Wed, 14 Jul 2004 21:47:18 +0200, helge scratched out the following: snip > The spam was in my held mail, and I submitted it from there When the spam > has been submitted, I can't change the content-type, can I? I have to go > back to the trash bin and copy/paste from there. > Yes, unfortunately you have to recover the original, view the source, copy, paste, edit, copy, paste and then, most importantly, when you resubmit it, UNCHECK the boxes that were previously checked to avoid the sin of double-reporting. Only report the newly found links to their ISPs. It's a lot of work, and sometimes, on a busy day, not worth it, IMHO. From mauril3 at hoymail.com Wed Jul 14 21:46:15 2004 From: mauril3 at hoymail.com (MAURICIO) Date: Wed Jul 14 16:50:11 2004 Subject: [SC-Help] MAKE MONEY NOW ( IT WORKS JUST READ) Message-ID: Make money PLEASE do not pass this up now!! WHAT IF I share with you a way to make some cash, using a copy of this letter and the best Internet Payment System around? You have most likely seen or heard about "The Money Letter" program that was recently televised in several shows, and an article published in the Wall Street Journal . If not, here it is!! HOW IT WORKS: This program relies on the honesty and integrity of the people involved we are in a WIN WIN situation , basically what we are doing is helping each other get enough money to afford those basic things we desperately want , with a lot more extra. Suppose you sent 300 letters asking for $2 and you get 5 replies to begin with. Each of the 5 persons sent you $2.00($10 gain). These 5 people now send the letter, and 5 persons respond to each of the original 5, that is another $50.00 for you, now those 25 each send the lette r and only 5 replies each, this will bring in an additional$250,then $1250.00 and you can see it just goes on and on and on. PLEASE NOTE: Follow these directions EXACTLY GETTING STARTED: If you're not already a user, the very first thing you need to do is go to E-gold(ww.e-gold.com) and SIGN UP here (https://www.e-gold.com/newacct/newaccount.asp?cid=1469578 ,copy and paste in your web browser). Its free and 100% financial risk free.Note:by signing through that link you become my progeny. Then...... MAKE a $2 worth of gold. payment from your e-gold account (yo will need a independent exchange market maker,e-gold provides you with links)to the each account number in this letter along with a note saying "Please add me to your mailing list."(this keeps the program legal) (refer to US Lottery Laws, Title 18, Section 1302 and 1341, or Title 18, Section 3005 in the US code, also in the code of Federal Regulations, Volume 16, Sections 255 and 436, which states a product or service must be exchanged for money received). Erase number one of the list ,add your name at No.4 position having moved up the remaining three (4 becomes 3,3 becomes2 and 2 becomes 1) Now replace the last 6 numbers of the SIGN UP link for your account number. You'll make money until your account number pops out of the list. Now you are ready to send the letter. You need to mail as many copies as possible,you wont get much unless you mail like crazy Start right away, as soon as you pay the 4 email addresses below! 1. 1469584 2. 1469580 3. 1467515 4. 1469578 ************************************* TIPS:get a mass mailer program with a built-in email server(otherwise your internet service provider is likely to ban your email account).Bulk Email is a good one. Do a google search,there are lots ,or get it for free using emule peer-to-peer file sharing program (www.emule-project.net) You also need a mailing list,again use google or emule,there are inmense ones(i´m talking about millions of addresses!) You may also need a easy HTML program to edit this letter,get one at www.download.com for free. Another good option is posting in newsgroups,there are mass posters out there. From eddie at eddie.web Wed Jul 14 17:47:36 2004 From: eddie at eddie.web (eddie) Date: Wed Jul 14 16:50:19 2004 Subject: [SC-Help] Re: no links found (again References: Message-ID: On Wed, 14 Jul 2004 15:50:46 -0400, David Butler scratched out the following: snip > when a link does not parse, I hit "view entire message" in another Mozilla > pane (Mozilla ROCKS, folks). If I see the html is ok, I go back, hit "show > reports" then back up OR reload, the engine parses it. If I see a "type" > error, I copy the whole email, hit cancel, and re-enter with the > content-type cleaned up. > > David That's probably the smartest way to do it. If you have already submitted the report you have to be sure not to resubmit to the links it did find - only the new links. From dkona7b02 at sneakemail.com Wed Jul 14 18:12:51 2004 From: dkona7b02 at sneakemail.com (Spam Hater) Date: Wed Jul 14 17:13:29 2004 Subject: [SC-Help] Re: MAKE MONEY NOW ( IT WORKS JUST READ) In-Reply-To: Message-ID: <3.0.5.32.20040714171251.013a2cf0@loki.fstrf.org> Has anyone come up with a reporting address to replace pyramid@ftc.gov which seems to be defunct?? How come you need to be registered to be able to email to this group but any idiot with a newsreader can post crap like this here??? Isn't there any way to protect us from this abuse? Seems kind of ridiculous that SpamCop allows itself to be SPAMmed! :( At 08:46 PM 7/14/2004 +0000, MAURICIO SPAMmed: >Make money >PLEASE do not pass this up now!! From Merlyn at Spamcop.net Wed Jul 14 18:26:18 2004 From: Merlyn at Spamcop.net (Merlyn) Date: Wed Jul 14 17:30:03 2004 Subject: [SC-Help] Re: MAKE MONEY NOW ( IT WORKS JUST READ) References: Message-ID: "MAURICIO" wrote in message news:cd462m$se5$6@news.spamcop.net... > Make money > PLEASE do not pass this up now!! > > WHAT IF I share with you a way to make some cash, using > a copy of this letter and the best Internet Payment System around? Just another reason to block 200/8 -- Regards, Merlyn A Spamcop advocate No emails this account is for newsgroups only People demand freedom of speech to make up for the freedom of thought which they avoided From MikeE at ster.invalid Wed Jul 14 15:25:29 2004 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jul 14 17:30:09 2004 Subject: [SC-Help] Re: no links found (again References: Message-ID: eddie wrote: > Mike Easter >> When I logged out, the link now gives me the 'normal' view I expect - >> headers, view entire message, mailhosts parse, concluded by 'If >> reported today, reports would be sent to:' and /doesn't/ give the >> report number. >> >> Very strange. I don't think it is supposed to be working that way. > > > Send me your tracker and I will have Sherlock diagnose it :) > There are many strange things that happen when using SC - you have > just discovered one more. It is reproducible for me. I can log out and see one thing, log back in and see another, log back out and get the first one again -- indefinitely. Presumably it will work with any tracker. Here's the one I've been playing with from this thread. www.spamcop.net/sc?id=z549063042z58c2b8aabdc77694c29e726b4ef292c3z -- Mike Easter kibitzer, not SC admin From null at null.com Thu Jul 15 00:23:57 2004 From: null at null.com (Martin) Date: Wed Jul 14 18:25:03 2004 Subject: [SC-Help] Re: Mailhost error References: Message-ID: "Ellen" wrote in message news:cd21a6$2e8$1@news.spamcop.net... > > > "Martin" wrote in message > news:cd1i11$lvj$1@news.spamcop.net... > > Tried a third time, got the same as first time, says confirmation codes > > dont match, then lists from address, from header and from body, all three > > addresses match, so what gives? > > > > > > Send your registered SC email address to me and a copy of one of the > probes -- it sounds like your email app is wrapping the header lines oddly. > deputies spamcop.net > I have noticed your submit box is causing the text the wrap even though its not wrapped in the email headers before I paste it, the box needs to be made bigger so the text dosent wrap. From null at null.com Thu Jul 15 00:40:04 2004 From: null at null.com (Martin) Date: Wed Jul 14 18:40:02 2004 Subject: [SC-Help] Re: Mailhost error References: Message-ID: Sorted the problem, had to copy the header into notepad and edit all the spaces out after the confirmation code "X-SpamCop-Conf:" then it was accepted, this really needs sorting so that it disregards spaces. Martin From eddie at eddie.web Wed Jul 14 21:08:37 2004 From: eddie at eddie.web (eddie) Date: Wed Jul 14 20:10:13 2004 Subject: [SC-Help] Re: no links found (again References: Message-ID: On Wed, 14 Jul 2004 14:25:29 -0700, Mike Easter scratched out the following: snip > It is reproducible for me. I can log out and see one thing, log back in > and see another, log back out and get the first one again -- indefinitely. > Presumably it will work with any tracker. Here's the one I've been > playing with from this thread. > > www.spamcop.net/sc?id=z549063042z58c2b8aabdc77694c29e726b4ef292c3z OK, but should it depend on your being logged in or not? That may explain some of my confusion reading trackers - I am almost always logged in. When I turn the box on I log in as one of my first tasks. However, I see the same data logged in and not logged in. I should hedge that a bit. I am logged in with Mozilla and using a separate instance for viewing the logged-in version. I am using IE6 to view the not-logged-in version The second instance of Mozilla is definitely logged in, since going to webmail.spamcop.net brings me to the inbox page, same as the first instance with no additional login required. So I don't see this difference you see. Both my browsers seem to show a complete tracker page starting with Spam Header and ending with "If reported today..." and so on. Curiouser and curiouser it gets. From burke10 at attglobal.net Thu Jul 15 11:51:55 2004 From: burke10 at attglobal.net (bi-ker-shi) Date: Thu Jul 15 06:55:21 2004 Subject: [SC-Help] Re: SPAMCOP NEVER SEEMS TO FIND THE SPAMVERTIZED URL'S IN DREW AUMAN'S CRAP References: Message-ID: "David Butler" wrote in message news:cd1kfk$o6o$1@news.spamcop.net... > > If you have another spam with folded lines, you can only use the SC engine > to determine who to manually notify, as "corrections" of this type are > considered material changes which are forbidden by SC rules... > > Some of us feel this is overly strict, but it is the rule... > > Did I make this clear? > > David > > > Thanks David. I believe in following the rules in general, but I have copped a speeding ticked now and then. In this case I would prefer Spamcop to do something about the no links found issue. I use a SPAM Filtering system that relies on the SURBL list of Spamvertized URL's that is independently generated from Spam Cop live reporting. Since I started using this filter, I started getting an increasing number of these no-links found items. For a URL to get into SURLBL there has to be 10 recent abuse reports to Spam Cop and the reason why there are an increasing number of these no links found items is because Drew Auman and more recently others are evading the system. If Spam Cop fails to make changes you can expect to find an expontential growth in this type of SPAM. When I get one of these I always check the IP address with DNS then check this IP address with Spamhaus and Drew Auman kept comming up over and over. Lately however these are others catching on. I noted recently that Ralsky was pumping out Spam that had a lot of false URL's all over the place causing the Spam Cop robot to send off LARTS to innocent parties. When you looked at the rendered HTML however, the URL's did not look like URL's due to tricky presentation, so that the reader could see the real URL's to click and not the false ones. I responded to this by writing my own filter that recognized this form of deception. The point here is that Spamcop can just as easily be tricked into sending off LARTS to the wrong people when the URL's are in the tags. I understand why Spamcop are reluctant to respond to URL's that are not HTML tags, but it is possible to create a set of rules that can work through the above deceptions. Drew Auman for example sends out stuff about webcam or videocam. I have a number of filters in place that catch a lot of his crap simply by recognising the form of the message. From steve.wright at ukasbestosclaims.biz Thu Jul 15 05:36:30 2004 From: steve.wright at ukasbestosclaims.biz (steve.wright@ukasbestosclaims.biz) Date: Thu Jul 15 08:10:04 2004 Subject: [SC-Help] Logg file Message-ID: ................. From mike_20878 at nospam.hotmail.com Thu Jul 15 12:20:47 2004 From: mike_20878 at nospam.hotmail.com (Michael S. Rosen) Date: Thu Jul 15 11:25:02 2004 Subject: [SC-Help] Cannot obtain password Message-ID: When I submit my spam reports now I'm presented with a link that reads "Security upgrade - please obtain a password." However, clicking on that link results in the error, "No valid email address entered:" How do I set up my password? Thanks, Mike From MikeE at ster.invalid Thu Jul 15 10:41:19 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jul 15 12:45:11 2004 Subject: [SC-Help] Re: Cannot obtain password References: Message-ID: Michael S. Rosen wrote: > When I submit my spam reports now I'm presented with a link that reads > "Security upgrade - please obtain a password." However, clicking on > that link results in the error, "No valid email address entered:" > > How do I set up my password? Put in a valid eml addy. The pw will be mailed to that addy as an item whose Subject is SpamCop authorization.and whose From is SpamCop Authorization System. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Thu Jul 15 11:16:23 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jul 15 13:20:03 2004 Subject: [SC-Help] Re: Parsing problem with 'new-style' References: Message-ID: Posted to .spam & .help; f/ups to .help Joris Dobbelsteen wrote: > I'm using the new way where spamcop is aware of my mailhosts... > And here it does find the correct spammer... >>> 208.201.17.33 not listed in relays.ordb.org. Joris, post a spam in .spam, but discuss it in .help or spamcop. Better yet, don't even post the spam at all, but post the tracker only - in .help or spamcop. Since your post in .spam only showed the header, the parse of that is reflected here www.spamcop.net/sc?id=z550575109z653d8cde70ad3d1896d334d14ee755d9z die spammer, putting a question mark at the top of Joris's entire untrimmed cite is 'wasteful' or something else non-contributory Abbreviated Received lines *comment from (wng-03.evisp.enertel.nl) ([213.218.77.203]) by smtp06.freeler.nl *serves you from(charm.il.fontys.nl [145.85.127.2])by wng-03.evisp.enertel.nl *serves you from (localhost [127.0.0.1]) by mail.il.fontys.nl *serves you from (localhost [127.0.0.1]) by mail.il.fontys.nl *serves you from (spf6.us4.outblaze.com [205.158.62.33]) by mail.il.fontys.nl *serves you from [192.168.11.11] (Lp1.cbreinvestors.com [208.201.17.33]) by spf6.us4.outblaze.com *chain breaks, possible misconfigured output server from xng-invla-2.cbreinvestors.com by [192.168.11.11] *misconfigured, possible sourceline from fws-invla-11.cbreinvestors.com ([192.168.13.11]) by xng-invla-2.cbreinvestors.com *possible bogusline from [222.183.16.209] by fws-invla-11.cbreinvestors.com *possible bogusline In the parse you pasted, SC named 208.201.17.33, which I agree with, since the chain breaks there, and 'legitimate' parsing can go no further and the IP /should/ be named as source. But, it might also be a misconfigured output server, serving as a relay for the source. In the parse SC did for me, the tracker for which is pasted above, SC 'wrongly' chained all the way to the bottom 222.183.16.209, but didn't show me any logic for getting past the cbreinvestors server. There is a server at 208.201.17.33 which is calling itself '192.168.11.10' as is the mx similarly calling itself something like that - and altho' both of them are 'manipulable', I couldn't get them to relay for me promiscuously. But, perhaps the spammer injected at a user IP behind the output server, and the misconfigured output server hid the actual source IP. It will be good if the output server gets itself listed in the SCbl, because of its poor condition. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Thu Jul 15 12:18:39 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jul 15 14:25:04 2004 Subject: [SC-Help] Re: no links found (again References: Message-ID: Mike Easter wrote: > eddie wrote: >> Mike Easter >>> When I logged out, the link now gives me the 'normal' view I expect >>> - headers, view entire message, mailhosts parse, concluded by 'If >>> reported today, reports would be sent to:' and /doesn't/ give the >>> report number. >>> >>> Very strange. I don't think it is supposed to be working that way. >> >> >> Send me your tracker and I will have Sherlock diagnose it :) >> There are many strange things that happen when using SC - you have >> just discovered one more. > > It is reproducible for me. I can log out and see one thing, log back > in and see another, log back out and get the first one again -- > indefinitely. Presumably it will work with any tracker. Here's the > one I've been playing with from this thread. > > www.spamcop.net/sc?id=z549063042z58c2b8aabdc77694c29e726b4ef292c3z Aha! My understanding of this 'condition' grows. Somehow my logged in Preferences was set to not show me the verbose or technical details. As a result, my view of someone's tracker gave me an 'inadequate' result. Now that my Preferences is amended to show the technical details, even when logged in I get the view I want. Very tricky. -- Mike Easter kibitzer, not SC admin From eddie at eddie.web Thu Jul 15 15:38:54 2004 From: eddie at eddie.web (eddie) Date: Thu Jul 15 14:40:03 2004 Subject: [SC-Help] Re: no links found (again References: Message-ID: On Thu, 15 Jul 2004 11:18:39 -0700, Mike Easter scratched out the following: snip > Aha! My understanding of this 'condition' grows. Somehow my logged in > Preferences was set to not show me the verbose or technical details. As a > result, my view of someone's tracker gave me an 'inadequate' result. Now > that my Preferences is amended to show the technical details, even when > logged in I get the view I want. > > Very tricky. Good Sherlocking. Apparently the preferences are session sensitive, probably cookie-based, and in the unlogged instance, you had the default preferences which are not cookie-based, or at least not in the same cookie as your logged-in cookie. That's actually reasonable. How could SC know your preferences when you are not logged in? From MikeE at ster.invalid Thu Jul 15 12:58:03 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jul 15 15:00:10 2004 Subject: [SC-Help] Re: no links found (again References: Message-ID: eddie wrote: > Mike Easter scratched out the > following: > > snip >> Aha! My understanding of this 'condition' grows. Somehow my logged >> in Preferences was set to not show me the verbose or technical >> details. As a result, my view of someone's tracker gave me an >> 'inadequate' result. Now that my Preferences is amended to show the >> technical details, even when logged in I get the view I want. >> >> Very tricky. > > Good Sherlocking. Apparently the preferences are session sensitive, > probably cookie-based, and in the unlogged instance, you had the > default preferences which are not cookie-based, or at least not in > the same cookie as your logged-in cookie. > That's actually reasonable. How could SC know your preferences when > you are not logged in? Logging in is new to me and somewhat undesirable so far. I preferred the 'old style' weblink based on my code, but clearly the current condition of preferences has more flexibility. I presume that someone decided that dividing free and paid in the old way was less desirable than 'lumping' them together. -- Mike Easter kibitzer, not SC admin From eddie at eddie.web Thu Jul 15 16:06:26 2004 From: eddie at eddie.web (eddie) Date: Thu Jul 15 15:10:03 2004 Subject: [SC-Help] Re: no links found (again References: Message-ID: On Thu, 15 Jul 2004 11:58:03 -0700, Mike Easter scratched out the following: snip > Logging in is new to me and somewhat undesirable so far. I preferred the > 'old style' weblink based on my code, but clearly the current condition of > preferences has more flexibility. I presume that someone decided that > dividing free and paid in the old way was less desirable than 'lumping' > them together. Some call it progress :) I suspect that making the free and paid services more compatible may, in the long run, make debugging easier and resolve some of the problems we have just seen. Problems is probably the wrong word; discrepancy is closer. It also makes support and software upgrades simpler. On the darker side, it may signal the beginning of the end of free reporting??? Will old Ironsides support freebies? Who knows? From nobody at devnull.spamcop.net Thu Jul 15 16:58:34 2004 From: nobody at devnull.spamcop.net (Cat) Date: Thu Jul 15 17:00:02 2004 Subject: [SC-Help] Re: Cannot obtain password In-Reply-To: References: Message-ID: Mike Easter wrote: > Michael S. Rosen wrote: > >>When I submit my spam reports now I'm presented with a link that reads >>"Security upgrade - please obtain a password." However, clicking on >>that link results in the error, "No valid email address entered:" >> >>How do I set up my password? > > Put in a valid eml addy. The pw will be mailed to that addy as an item > whose Subject is SpamCop authorization.and whose From is SpamCop > Authorization System. And you have to go to some separate link from the "no valid email address" screen. I can't remember what I finally clicked to get the space so I could put in my address to get the password. From schwa at nospam.com Thu Jul 15 22:11:17 2004 From: schwa at nospam.com (Joshua Wachs) Date: Thu Jul 15 21:15:12 2004 Subject: [SC-Help] All of a sudden, too much blocking... Message-ID: <0001HW.BD1CA37500B15963F02845B0@news.spamcop.net> Oddly enough, at some point yesterday and today, spamcop starting blocking a bunch of mail (that's not spam) that's been going through fine for years. Examples: [69197] newsalerts-noreply@google.com (Google News Alert - fast food Preview ) Wed, 14 Jul 2004 00:04:35 -0700 (PDT) (Blocked bl.spamcop.net ) [69198] art@namechangedhere.com (Cool List Digest Wed Jul 14 03:00:02 EDT 2004 Preview ) Wed, 14 Jul 2004 03:00:03 -0400 (Blocked bl.spamcop.net ) there are literally dozens of my emails that are now getting blocked - I was wondering where everything was going. Any ideas how I can track this down? Thanks. -- Schwa From schwa at nospam.com Thu Jul 15 22:28:05 2004 From: schwa at nospam.com (Joshua Wachs) Date: Thu Jul 15 21:30:04 2004 Subject: [SC-Help] Re: All of a sudden, too much blocking... References: <0001HW.BD1CA37500B15963F02845B0@news.spamcop.net> Message-ID: <0001HW.BD1CA76500B245ACF02845B0@news.spamcop.net> Just a little more info... I confirmed that there are 35+ emails that have been held up in the last 24hrs. All on the bl.spamcop.net list. I am quite confident I may have mussed something up in the past, but I am not really sure where to begin to look. Currently my mail is routed as follows: myMainEmailAddress@myAddress.com gets forwarded to mySpamcopEmail@spamcop.net and then the non-spam email gets forwarded to: mySpamFreeAccount@myAddress.com It's been working wonderfully for years. Any help would be greatly appreciated. -- Joshua On Thu, 15 Jul 2004 21:11:17 -0400, Joshua Wachs wrote (in message <0001HW.BD1CA37500B15963F02845B0@news.spamcop.net>): > Oddly enough, at some point yesterday and today, spamcop starting blocking a > bunch of mail (that's not spam) that's been going through fine for years. > Examples: > > > > [69197] newsalerts-noreply@google.com (Google News Alert - fast food > Preview >> > Wed, 14 Jul 2004 00:04:35 -0700 (PDT) (Blocked bl.spamcop.net ) > > [69198] art@namechangedhere.com (Cool List Digest Wed Jul 14 03:00:02 EDT > 2004 Preview ) > Wed, 14 Jul 2004 03:00:03 -0400 (Blocked bl.spamcop.net ) > > there are literally dozens of my emails that are now getting blocked - I was > wondering where everything was going. > > Any ideas how I can track this down? > > Thanks. > > -- Schwa > From MikeE at ster.invalid Thu Jul 15 19:39:11 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jul 15 21:45:03 2004 Subject: [SC-Help] Re: All of a sudden, too much blocking... References: <0001HW.BD1CA37500B15963F02845B0@news.spamcop.net> <0001HW.BD1CA76500B245ACF02845B0@news.spamcop.net> Message-ID: Joshua Wachs wrote: > Just a little more info... I confirmed that there are 35+ emails that > have been held up in the last 24hrs. All on the bl.spamcop.net list. You're not exposing any blocked items for anyone to see what is going on. Mentioning a scant bit of information of the From, Date, and Subject isn't a sufficient view. You need to thoroughly expose one or perhaps several of the blocked items for 'our' perusal, most certainly the entire headers. You could either... - submit one/some to the parser, capture/copy the tracker url/s and then cancel the report, and paste the tracker/s here or... - paste one/some into the newsgroup .spam, *NOT* here, including the whole item, or at the very least the complete headers, slightly munged as needed. Then, maybe someone can figure out why they are getting blocked/held. If you are concerned about the exposure of your address, you will have to figure out how to munge just the right amount to keep yourself happy, while not mungeing so much as to interfere with the diagnosis of what is happening. -- Mike Easter kibitzer, not SC admin From schwa at nospam.com Thu Jul 15 22:50:16 2004 From: schwa at nospam.com (Joshua Wachs) Date: Thu Jul 15 21:55:03 2004 Subject: [SC-Help] Re: All of a sudden, too much blocking... References: <0001HW.BD1CA37500B15963F02845B0@news.spamcop.net> <0001HW.BD1CA76500B245ACF02845B0@news.spamcop.net> Message-ID: <0001HW.BD1CAC9800B37D98F02845B0@news.spamcop.net> Ok, that's helpful. I will do that w/ the next one to get nabbed. Thanks! On Thu, 15 Jul 2004 21:39:11 -0400, Mike Easter wrote (in message ): > Joshua Wachs wrote: >> Just a little more info... I confirmed that there are 35+ emails that >> have been held up in the last 24hrs. All on the bl.spamcop.net list. > > You're not exposing any blocked items for anyone to see what is going > on. Mentioning a scant bit of information of the From, Date, and > Subject isn't a sufficient view. You need to thoroughly expose one or > perhaps several of the blocked items for 'our' perusal, most certainly > the entire headers. > > You could either... > > - submit one/some to the parser, capture/copy the tracker url/s and > then cancel the report, and paste the tracker/s here or... > - paste one/some into the newsgroup .spam, *NOT* here, including the > whole item, or at the very least the complete headers, slightly munged > as needed. > > Then, maybe someone can figure out why they are getting blocked/held. > If you are concerned about the exposure of your address, you will have > to figure out how to munge just the right amount to keep yourself happy, > while not mungeing so much as to interfere with the diagnosis of what is > happening. > > > From nobody at devnull.spamcop.net Fri Jul 16 15:23:51 2004 From: nobody at devnull.spamcop.net (brewman) Date: Thu Jul 15 22:20:03 2004 Subject: [SC-Help] Re: SPAMCOP NEVER SEEMS TO FIND THE SPAMVERTIZED URL'S IN DREW AUMAN'S CRAP References: Message-ID: "bi-ker-shi" wrote > In this case I would prefer Spamcop to do something about the no links found > issue. I use a SPAM Filtering system that relies on the SURBL list of > Spamvertized URL's that is independently generated from Spam Cop live > reporting. Since I started using this filter, I started getting an > increasing number of these no-links found items. For a URL to get into > SURLBL there has to be 10 recent abuse reports to Spam Cop and the reason > why there are an increasing number of these no links found items is because > Drew Auman and more recently others are evading the system. If Spam Cop > fails to make changes you can expect to find an expontential growth in this > type of SPAM. > [...] > I understand why Spamcop are reluctant to respond to URL's that are not > HTML tags, but it is possible to create a set of rules that can work > through the above deceptions. Drew Auman for example sends out stuff about > webcam or videocam. I have a number of filters in place that catch a lot of > his crap simply by recognising the form of the message. I have suggested adding a 'grep mask' field to 'aid' SC in finding URLs, but it seems to have fallen on deaf ears. This is *not* the same as submitting a URL for SC to report; just to 'guide' SC to a URL that it's ignoring because, say, too many URLs or it's not in an A tag. I'd also like to see a process that allows a humanly-derived URL-chain to report more than just the facade site, but the 'real' site behind it (but I do realise that that is 'hard work'). Whilst it may be hard to find an algorithm for a machine to find what I want to report, it is nowhere nearly as hard for a machine to validate either a URL or URL-chain than has been manually derived - a bit like verifying the reverse engineering of a one-way function. -- Brewman Brewman.SpamCop@brycom.cX.nX which really ends with dot co dot nz From reith at racores.com Fri Jul 16 08:04:37 2004 From: reith at racores.com (Jim Reith) Date: Fri Jul 16 07:10:19 2004 Subject: [SC-Help] Re: Email submissions being lost again, kick a mailserver time? In-Reply-To: References: Message-ID: I've been reporting spams for a long time and I've noticed over the last month or so that about 75% of the ones I report never come back. I probably report 20-30 per day and actually get replies to about 5-10. I have noticed that it seems to be the large graphical ones that don't make it. I actually just came into the forum for this specific issue. And when I do my morning manual submissions, i will g3et some but not all of them back. I've noticed this with both email submissions and those done through Spamfire (which probably become email submissions) Berny wrote: > Berny" wrote in message > news:cct8d2$dqo$1@news.spamcop.net... > >>Yesterday most large reporting submissions (about 90k) disappeared into >>/dev/null it seems. smaller submissions (<10k) seem to get through, out of > > 6 > >>submits 2 returns. >> >>Submissions were sent from corporate as well as hotmail and yahoo > > addresses > >>with no apparent failure pattern as one of the large ones did get through. >> >>Does some mx need kicking/restarting? > > > 2 more "disappeared" late this evening, > > 90k and 45k each (total size if submissions as computed by OE which grossly > overestimates) > > From nobody at spamcop.net Fri Jul 16 17:43:25 2004 From: nobody at spamcop.net (Doug) Date: Fri Jul 16 12:45:19 2004 Subject: [SC-Help] Connection closed... Message-ID: Over the past few weeks [about the time the new format reporting page was launched] I been getting the following error message: "Connection closed by remote server" "http//members.spamcop.net/sc" while processing messages. I report spam using the web page only, copying message to the page, processing, reviewing and then reporting. Over the course of reporting a variable number of messages, I get this error message at least once during the session. When I clear the error message, and hit the report button again, I get the message from spamcop that "reports have already been sent", which doesn't make any sense since the connection had been closed, seemingly prior to making the first "report spam" request. The only way I've been able to actually report a spam in this instance is to back up a page and reprocess the spam, and then report it. My browser is Opera [7.5x] and as I mentioned, I only use the web page. Is there some browser setting that I should be tweaking? Is this a SC problem? TIA -- Doug Goodwin YMMV The thing about the cold is that you can never tell how cold it is from looking out a kitchen window. You have to dress up, get out training and when you come back, you then know how cold it is. --Sean Kelly From ob1db at spamcop.net Fri Jul 16 14:15:42 2004 From: ob1db at spamcop.net (David Butler) Date: Fri Jul 16 13:20:03 2004 Subject: [SC-Help] Discoverynetworks.net: reports going to spammer again! Message-ID: recent parses: a.. 1116809259 ( http://xwykistjkqxhs.www.hodevahemulationjerahm... ) To: abuse@discoverynetworks.net a.. 1116784150 ( http://oodoqtnihqs.remove.145885630_18.www.pres... ) To: abuse@discoverynetworks.net But I see over in routing that discoverynetworks.net IS the spammer. This appears to have happened a couple of times, perhaps they are migrating again? I see their site is actually down "for migration" as well right now! 209.50.48.0/20 shows over in the RADB: route: 209.50.48.0/20 descr: Electric Lightwave Inc (ARIN OrgID: ELIX) origin: AS5650 remarks: remarks: -- Operational Contacts -- remarks: Abuse / UCE: abuse@eli.net remarks: NOC / Maint: support@eli.net remarks: BGP Routing: bgp4@eli.net remarks: remarks: proxy-registered route object mnt-by: MAINT-AS5650 changed: mreimer@eli.net 20040525 source: SAVVIS route: 209.50.48.0/20 descr: Kobalt Network, LLC descr: Puregig BGP Customer origin: AS30342 mnt-by: MAINT-AS11588 changed: shawn@eldosales.com 20040528 source: SAVVIS route: 209.50.48.0/20 descr: LLNW cust origin: AS30342 mnt-by: MAINT-LLNW changed: web@limelightnetworks.com 20040528 source: ALTDB route: 209.50.48.0/20 descr: PH CBS TRANSIT origin: AS22773 remarks: Change Ticket# 24220 notify: thebackbone@cox.com notify: CCIATL-NOCEnginee@cox.com mnt-by: CCINET-2-MNT changed: david.burns@cox.com 20040619 source: LEVEL3So maybe they should go to abuse@support.eli.net, abuse@cox.net and thebackbone@cox.com?I see a bunch of blocks belonging to these idiots as well:AS30342: DNI-3 Discovery Networks International Inc. Prefix (AS Path) Aggregation Action 12.44.152.0/22 4637 5650 30342 63.110.22.0/23 4637 5650 30342 66.194.10.0/23 4637 5650 30342 66.249.100.0/22 4637 5650 30342 209.50.48.0/20 4637 5650 30342 209.63.65.0/24 4637 5650 30342 And I see from tracert pn dnsstuff that it appears to go via ATT.net the whole way.Block 12.44.152.0 IS ATT as well. Block 63.110.22.0 is uunet/mci.com. Block 66.194.10.0 is twtelecom.net. 66.249.100.0 is nwig.net. 209.63.65.0 takes us back to eli.net.I'd like to put something in .routing but I would like to make a better case...Thanks,David From ob1db at spamcop.net Fri Jul 16 14:32:31 2004 From: ob1db at spamcop.net (David Butler) Date: Fri Jul 16 13:35:03 2004 Subject: [SC-Help] RE: 66.117.0.0/19 aka supercoolstuff.net, nhicolo.net is "Third party interested in email source" ? Message-ID: http://www.spamcop.net/sc?id=z551511263z70a865d08c75f4b0b5c636691376f94bz I see this regularly for this ISP: Re: 66.117.29.68 (Administrator of network where email originates) To: abuse@he.net (Notes) To: abuse@above.net (refuses munged reports) (Notes) Re: 66.117.29.68 (Third party interested in email source) To: abuse@nhicolo.net (Notes) but researching via openrbl.org, I get: Address: 66.117.29.67 resolved to www.supercoolstuff.net AS: 66.117.29.0/24 AS7385 UNKNOWN Hood River/Oregon Net 66/8 NET66 Chantilly, Virginia IP-Whois 66.117.29.67: (ARIN/NET66) [Querying whois.arin.net] [whois.arin.net] OrgName: New Horizon Collocations OrgID: NHC-34 Address: 603 Wilshire Address: Suite 911 City: Los Angeles StateProv: CA PostalCode: 90017 Country: US ReferralServer: rwhois://rwhois.nhicolo.com:4321 NetRange: 66.117.0.0 - 66.117.31.255 CIDR: 66.117.0.0/19 NetName: NHI-COLO NetHandle: NET-66-117-0-0-1 Parent: NET-66-0-0-0-0 NetType: Direct Allocation NameServer: DNS3.NHICOLO.COM NameServer: DNS1.NHICOLO.COM NameServer: DNS4.NHICOLO.COM NameServer: DNS2.NHICOLO.COM Comment: RegDate: 2002-09-30 Updated: 2003-12-22 AbuseHandle: ABUSE238-ARIN AbuseName: ABUSE AbusePhone: +1-877-322-5188 AbuseEmail: abuse@nhicolo.com Which would make nhicolo.com the primary, not third party! If I look in the RADB link, I see he.net: route: 66.117.29.0/24 descr: Hurricane Electric 55 South Market St San Jose, CA origin: AS30033 notify: noc-dist@he.net mnt-by: HE-NOC changed: mtindle@he.net 20040521 source: RADB route: 66.117.29.0/24 descr: NHI- ARIN origin: AS7385 notify: noc@nhicolo.com mnt-by: MAINT-NHICOLO changed: jamsu@nhicolo.com 20021226 source: VERIO route: 66.117.29.0/24 descr: NHI- ARIN origin: AS30085 notify: noc@nhicolo.com mnt-by: MAINT-NHICOLO changed: jamsu@nhicolo.com 20021226 source: VERIO route: 66.117.16.0/20 descr: NHI ROUTE origin: AS30085 mnt-by: NHI-MNT changed: noc@nhicolo.com 20031106 source: LEVEL3 but nowhere do I find above.net ! Even the tracert shows none.Again, would like to post meaningful info in .routing but I am puzzled on this one...David begin 666 us.gif M1TE&.#EA#@`.`,(``!L;I(F"R/X7&6)/K&,@?/[1S_Y96_Z,C2'^#DUA9&4@ M=VET:"!'24U0`"P`````#@`.```#. BJ)/YNJ5&JK1(T^#*]5D88AD":AG<4 CQ]H>(BD;AQ'<^*OO?-W.0""KXB(:2Z:D`UD".2V Message-ID: On Fri, 16 Jul 2004 16:43:25 +0000, Doug scratched out the following: > Over the past few weeks [about the time the new format reporting page was > launched] I been getting the following error message: "Connection closed > by remote server" "http//members.spamcop.net/sc" while processing > messages. > I have been getting that on other URLs lately, not just SC. I get it on Mozilla - I don't know what the IE error is - it may be the same. It could just be the result of a bad or corrupted request by the client - but it is a recent phenomena, AFAIAC. I also notice that once and a while, SC requests a second login to the mail page. I have Norton set to report any personal data which includes my password, and the Norton window pops up twice which would indicate SC has ignored or rejected my first password. And yes, I type it in correctly or Norton would not pop up at all. I tested that, too. From aukword666 at attglobal.net Fri Jul 16 20:36:19 2004 From: aukword666 at attglobal.net (Glenn Daniels) Date: Fri Jul 16 19:40:03 2004 Subject: [SC-Help] Re: Connection closed... References: Message-ID: "eddie" wrote in message > Doug scratched out the following: > [...] > > > I have been getting that on other URLs lately, not just SC. I get it on > Mozilla - I don't know what the IE error is - it may be the same. It could > just be the result of a bad or corrupted request by the client - but it is > a recent phenomena, AFAIAC. > I also notice that once and a while, SC requests a second login to the > mail page. I have Norton set to report any personal data which includes my > password, and the Norton window pops up twice which would indicate SC has > ignored or rejected my first password. And yes, I type it in correctly or > Norton would not pop up at all. I tested that, too. > Not an answer, but a question: When I had similar difficulties about a month back, I *assumed* it was due to not securing my transactions with sites I was attempting to connect to. I *assumed* it was related to CodeRed attacks my firewall was logging when I was logging on to sites such as SC and Yahoo. Because about 95% of the attacks originated in my provider's IP block, I configured a firewall rule to block all transactions to/from that block for all ports and all apps, figuring I could make exceptions to the rule to allow transactions to/from my ISP. Oddly, no exceptions were necessary and my traffic log shows continuing transactions to/from my IP and others in the block when solicited from my machine, but my machine has "gone off the radar" for the DDoS attacks. One further attack did occur shortly after the firewall rule went into effect, and in my annoyance at my lack of secure connections, I migrated to the WindowsUpdate site where I remembered seeing the 1-2-3 security advisory. I implemented the 1-2-3 recommendations and have had no further CodeRed interference for the last month or so. The downside is having to move new sites to the "Trusted" zone all the time, the upside is I no longer get "bumped" from sites where I am *logged in*, and I feel more "secure". The question then is, are you both saying that you are still having this difficulty in spite of implementing the heightened security guidelines? Or do you have options to increase the security of your transactions? Glenn From eddie at eddie.web Fri Jul 16 21:50:12 2004 From: eddie at eddie.web (eddie) Date: Fri Jul 16 20:55:02 2004 Subject: [SC-Help] Re: Connection closed... References: Message-ID: On Fri, 16 Jul 2004 19:36:19 -0400, Glenn Daniels scratched out the following: > "eddie" wrote in message blah >> Doug scratched out the following: snip > The question then is, are you both saying that you are still having this > difficulty in spite of implementing the heightened security guidelines? Or > do you have options to increase the security of your transactions? > > Glenn I rarely have that error, but it is new to me. I first attributed it to the fact that I am using Mozilla nearly all the time, and it was related to Mozilla, with a similar message from IE, perhaps a timeout. I get the same error message on my G5 Safari, which is Netscape-based, but again, very rarely. I have a standard cable modem followed by a router/switcher with NAT and have never seen an attack, unless it's someone pinging my IP "loudly" which is a possibility. Norton hasn't complained, so I am assuming that it's related to network congestion or packet loss resulting in a bad request which the server doesn't understand and therefore closes the connection, perhaps "thinking" it's an attack. If it gets worse, I will make an additional note of it here. From ric.gates at bigsleep.org Sat Jul 17 02:31:50 2004 From: ric.gates at bigsleep.org (Blammo) Date: Fri Jul 16 21:35:02 2004 Subject: [SC-Help] Re: Connection closed... References: Message-ID: On 16 Jul 2004 eddie entered spamcop.help and left news:pan.2004.07.17.00.50.11.223000@eddie.web: > I rarely have that error, but it is new to me. I first attributed it > to the fact that I am using Mozilla nearly all the time, and it was > related to Mozilla, with a similar message from IE, perhaps a timeout. > I get the same error message on my G5 Safari, which is Netscape-based, > but again, very rarely. > The network timeout is probably too low, I don't know how to remedy that. But on dial-up SC sometimes takes a very long time to parse an eMail, but I don't recall ever getting a time-out (other than when the DUN connection fails). You are right that it can be network congestion, just let msblast install and see how it mucks things up ;-) -- | Ric | From h9vzc2i02 at sneakemail.com Sat Jul 17 16:00:03 2004 From: h9vzc2i02 at sneakemail.com (Anon_) Date: Sat Jul 17 18:05:03 2004 Subject: [SC-Help] is help down? Message-ID: Is spamcop.help down? I see no postings later than 7/16/04 10:32 AM this is now 7/18/04 2:57 pm (US) PDT. (Tried several times to download more headers but nothing downloaded in THIS ng - others seem to have current postings.) -- A SpamCop user and forum reader, Not Admin *** From aukword666 at attglobal.net Sat Jul 17 19:23:57 2004 From: aukword666 at attglobal.net (Glenn Daniels) Date: Sat Jul 17 18:25:08 2004 Subject: [SC-Help] Re: is help down? References: Message-ID: "Anon_" wrote in message > Is spamcop.help down? > > I see no postings later than 7/16/04 10:32 AM this is now 7/18/04 2:57 pm > (US) PDT. > Some of us can't *be* helped... Glenn From MikeE at ster.invalid Sat Jul 17 16:33:41 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sat Jul 17 18:40:02 2004 Subject: [SC-Help] Re: is help down? References: Message-ID: Glenn Daniels wrote: > "Anon_" wrote in message >> Is spamcop.help down? >> >> I see no postings later than 7/16/04 10:32 AM this is now 7/18/04 >> 2:57 pm (US) PDT. > > Some of us can't *be* helped... I hate it when that Twilight Zone time machine thing comes down and scoops up people and moves them around into different zones. -- Mike Easter speaking from Earth, 21st century, 2004 Jul 17 3:31 PM Pacific Daylight Time, UTC -0700 From jimwasson at spamcop.net Sat Jul 17 22:37:28 2004 From: jimwasson at spamcop.net (Jim Wasson) Date: Sun Jul 18 00:40:03 2004 Subject: [SC-Help] My old, deleted mail keep reappearing. Message-ID: I posted this a few weeks ago but now the problem has come back. Periodically large numbers of old mail keeps reappearing in my spamcop webmail and when I pop it, I get hundreds of old emails -- mail from years ago. For clarity, I manually delete all of the mail and empty the trash folder. Today it happened twice. This morning I got 305 old emails back. I signed on, deleted them all and emptied the trash. Tonight, I popped my mail and got over 130 old emails. I just deleted them again and emptied the trash. Any suggestions? -- Using Opera's revolutionary e-mail client: http://www.opera.com/m2/ From aukword666 at attglobal.net Sun Jul 18 07:09:32 2004 From: aukword666 at attglobal.net (Glenn Daniels) Date: Sun Jul 18 06:10:20 2004 Subject: [SC-Help] Re: Stupid Charter acks References: Message-ID: "Blammo" wrote in message news:Xns95117F8732A24blammo@216.154.195.61... > On 22 Jun 2004 Robert Slade entered spamcop.help and left > news:cbb52k$9bi$1@news.spamcop.net: > > > I've had that, I think that it is a robot reply and it happens when the > > charter address is an open proxy. The robot ignores that and blames the > > previous line which is probably fake. > > > > Yea, I was wondering if they are reading forged headers. Of course they're > forged, who in their right mind would knowingly relay mail through a cable > modem? > I am thinking you are sending spam as attachment to abuse@charter.net maybe. From my experience with their websubmit form it looks like they need you to show them their IP: a seperate entry on the form. They seem to need it fed to them as date, time, etc, like they can't see those in your headers either. Websubmit only allows 2000 characters which may suffice for small spams, I have only positive returns submitting virm headers to go on, but sense they could "see" your spam if you "read" it for them. The websubmit also forces your ID, which is fine if you trust them. I do, as I doubt they have intent to be found guilty of facilitation in transmitting felonious solicitations to drug deals, kiddie porn, stock scams, and money laundering mortgage refinancing schema. If you aren't using the websubmit, you may get lost on them. The websubmit *sends* its output to abuse@charter.net formatted in their language (like robo-talk). This may help: Charter Communications Abuse Report Form: http://abuse.charter.net/ Glenn From aukword666 at attglobal.net Sun Jul 18 07:19:20 2004 From: aukword666 at attglobal.net (Glenn Daniels) Date: Sun Jul 18 06:20:03 2004 Subject: [SC-Help] Re: Stupid Charter acks References: Message-ID: "Glenn Daniels" wrote in message [...] Ooops! Forgot to mention that the websubmit form works fine in IE6 but won't take keyboard entries in NS7 (but you can use paste operations and *make* it usable). Glenn From aukword666 at attglobal.net Sun Jul 18 09:25:44 2004 From: aukword666 at attglobal.net (Glenn Daniels) Date: Sun Jul 18 08:30:15 2004 Subject: [SC-Help] Re: My old, deleted mail keep reappearing. References: Message-ID: "Jim Wasson" wrote in message > I posted this a few weeks ago but now the problem has come back. > Periodically large numbers of old mail keeps reappearing in my spamcop > webmail and when I pop it, I get hundreds of old emails -- mail from years > ago. For clarity, I manually delete all of the mail and empty the trash > folder. Today it happened twice. This morning I got 305 old emails back. I > signed on, deleted them all and emptied the trash. Tonight, I popped my > mail and got over 130 old emails. I just deleted them again and emptied > the trash. > > Any suggestions? > > -- > Using Opera's revolutionary e-mail client: http://www.opera.com/m2/ I don't use Opera's email client, so I can't point you to the setting. In other clients there is typically a checkbox that permits you to "Leave copy on server", or not. There may be sub-options to "Delete from server when deleted from Trash" and/or "delete after ## days" which may be configurable as well. Sounds like you need to find your settings, usually along a path like "Accounts" ... "Mail" ... "Server settings" ... "Advanced settings". Hopefully another Opera user can reveal the location of the settings as the path may be counter-intuitive. Usually, when you uncheck the "Leave copy on server" box, the spool on the server unwinds and deletes everything stored there. Glenn From h9vzc2i02 at sneakemail.com Sun Jul 18 08:40:16 2004 From: h9vzc2i02 at sneakemail.com (Anon_) Date: Sun Jul 18 10:45:04 2004 Subject: [SC-Help] Re: My old, deleted mail keep reappearing. References: Message-ID: "Glenn Daniels" wrote in message news:cddq8b$odt$1@news.spamcop.net... > "Jim Wasson" wrote in message > > I posted this a few weeks ago but now the problem has come back. > > Periodically large numbers of old mail keeps reappearing in my spamcop > > webmail and when I pop it, I get hundreds of old emails -- mail from years > > ago. For clarity, I manually delete all of the mail and empty the trash > > folder. Today it happened twice. This morning I got 305 old emails back. I > > signed on, deleted them all and emptied the trash. Tonight, I popped my > > mail and got over 130 old emails. I just deleted them again and emptied > > the trash. > > > > Any suggestions? > > > > -- > > Using Opera's revolutionary e-mail client: http://www.opera.com/m2/ > > I don't use Opera's email client, so I can't point you to > the setting. In other clients there is typically a checkbox > that permits you to "Leave copy on server", or not. There > may be sub-options to "Delete from server when deleted > from Trash" and/or "delete after ## days" which may be > configurable as well. Sounds like you need to find your > settings, usually along a path like "Accounts" ... "Mail" > ... "Server settings" ... "Advanced settings". Hopefully > another Opera user can reveal the location of the settings > as the path may be counter-intuitive. > > Usually, when you uncheck the "Leave copy on server" > box, the spool on the server unwinds and deletes everything > stored there. > > Glenn > > ** In addition, just to make sure the server is clean, delete everything you do not ever want that is in your "deleted mail" folder. I was having a problem with my mail showing up twice (identical entries) in my (not spamcop) inbox and my ISP suggested keeping the server's mailbox empty (it had mails that were six months old on it) - this appeared to cure the problem. I now have the settings at delete from server after 5 days - I usually download my mail each day so the 5 days is more than adequate (if you only download your mail on a weekly basis, set the save to, maybe, 10 days to make sure nothing is deleted before you download it.) -- A SpamCop user and forum reader, Not Admin *** From jimwasson at spamcop.net Sun Jul 18 09:38:50 2004 From: jimwasson at spamcop.net (Jim Wasson) Date: Sun Jul 18 11:40:25 2004 Subject: [SC-Help] Re: My old, deleted mail keep reappearing. References: Message-ID: On Sun, 18 Jul 2004 08:25:44 -0400, Glenn Daniels wrote: > "Jim Wasson" wrote in message > > I posted this a few weeks ago but now the problem has come back. >> Periodically large numbers of old mail keeps reappearing in my spamcop >> webmail and when I pop it, I get hundreds of old emails -- mail from >> years >> ago. For clarity, I manually delete all of the mail and empty the trash >> folder. Today it happened twice. This morning I got 305 old emails >> back. I >> signed on, deleted them all and emptied the trash. Tonight, I popped my >> mail and got over 130 old emails. I just deleted them again and emptied >> the trash. >> >> Any suggestions? >> >> -- >> Using Opera's revolutionary e-mail client: http://www.opera.com/m2/ > > I don't use Opera's email client, so I can't point you to > the setting. In other clients there is typically a checkbox > that permits you to "Leave copy on server", or not. There > may be sub-options to "Delete from server when deleted > from Trash" and/or "delete after ## days" which may be > configurable as well. Sounds like you need to find your > settings, usually along a path like "Accounts" ... "Mail" > ... "Server settings" ... "Advanced settings". Hopefully > another Opera user can reveal the location of the settings > as the path may be counter-intuitive. > > Usually, when you uncheck the "Leave copy on server" > box, the spool on the server unwinds and deletes everything > stored there. > > Glenn > > Glenn: The same thing happens both with my Opera e-mail client and with Outlook. My usual technique is to pop with Opera (leaving the messages on the server) and later to pop with Outlook (removing the messages from the server.) To be clear, I have manually deleted all of these messages time and time again from the Spamcop webmail interface. Each time I have also deleted everything out of the trash. I only have an Inbox folder, I've never created any other folders. -- Using Opera's revolutionary e-mail client: http://www.opera.com/m2/ From aukword666 at attglobal.net Sun Jul 18 13:08:54 2004 From: aukword666 at attglobal.net (Glenn Daniels) Date: Sun Jul 18 12:10:08 2004 Subject: [SC-Help] Re: My old, deleted mail keep reappearing. References: Message-ID: "Jim Wasson" wrote in message > Glenn Daniels wrote: > > > "Jim Wasson" wrote in message > Glenn: The same thing happens both with my Opera e-mail client and with > Outlook. > My usual technique is to pop with Opera (leaving the messages on the > server) and > later to pop with Outlook (removing the messages from the server.) > > To be clear, I have manually deleted all of these messages time and time > again from the Spamcop webmail interface. Each time I have also deleted > everything out of the trash. I only have an Inbox folder, I've never > created > any other folders. > > > -- > Using Opera's revolutionary e-mail client: http://www.opera.com/m2/ Jim: Just guessing here, trying to be helpful, but at least one other possibility comes to mind: The mail client is failing to communicate back to the server that you have deleted the mail. This may happen, for instance, if your client is set up for a one way trip: you may pop your mail off the server, but if your smtp is not configured for the account, the data about your "deletes" fails to get transmitted back. Of course, it may not be a problem at your end, as the mail server may receive your data and being busy with other things for the moment, fail to complete the transaction. Sometimes it may take minutes to delete hundreds of files, and if you terminate on your end thinking "that's done", yet it may not be. My only other consideration would be to suppose that your Opera email client is correctly configured, and may be reading back to the server correct information about your deletions. In any case, would it hurt to set that client to not leave messages on server until you are certain they have all been offloaded from the spooler and then restore your current configuration? If the problem persists, you might need to look to tech-support for your ISP for a solution from their end... You may be deleting messages from your SpamCop Inbox while the originals are still sitting on the spooler for your ISP's mail server. Glenn From eddie at eddie.web Sun Jul 18 13:13:40 2004 From: eddie at eddie.web (eddie) Date: Sun Jul 18 12:15:02 2004 Subject: [SC-Help] Re: My old, deleted mail keep reappearing. References: Message-ID: On Sun, 18 Jul 2004 08:25:44 -0400, Glenn Daniels scratched out the following: snip > Usually, when you uncheck the "Leave copy on server" box, the spool on the > server unwinds and deletes everything stored there. > > Glenn How exactly, does that work? I have used the "leave a copy..." on all but one of my clients so that I can read the mail from anywhere, but only retrieve it from my main client. Obviously there must be some ID that the client stores in order to not retrieve copies every time it goes to the server, after the first time, but other clients on the same machine will see the email as "new" the first time they go to the server. I often wondered how that worked, and if there was either a time limit on a client not "seeing" the mail the second time or if it was forever. Perhaps some update to the client, a security patch or something, could retrigger the download of mail already seen. I assume it has something to do with the initial handshake between the client and the server, but I do not know the actual mechanism. From aukword666 at attglobal.net Sun Jul 18 14:08:50 2004 From: aukword666 at attglobal.net (Glenn Daniels) Date: Sun Jul 18 13:10:05 2004 Subject: [SC-Help] Re: My old, deleted mail keep reappearing. References: Message-ID: "eddie" wrote in message > Glenn Daniels scratched out the > following: > > snip > > How exactly, does that work? I have used the "leave a copy..." on all but > one of my clients so that I can read the mail from anywhere, but only > retrieve it from my main client. > Obviously there must be some ID that the client stores in order to not > retrieve copies every time it goes to the server, after the first time, > but other clients on the same machine will see the email as "new" the > first time they go to the server. > I often wondered how that worked, and if there was either a time limit on > a client not "seeing" the mail the second time or if it was forever. > Perhaps some update to the client, a security patch or something, could > retrigger the download of mail already seen. > I assume it has something to do with the initial handshake between the > client and the server, but I do not know the actual mechanism. That has been my experience as well, until you pass the message to the server that you mean to remove the mail, it stays there indefinitely. The more mail you have on the spool, the longer it takes any given client to sort the thread and retrieve the data not previously seen. I'm not clear on a specific client where the data is stored, but in the old NS Mail client it was in the file Inbox.dbf, in the folder with Inbox. When the Inbox became corrupt, it was easy enough to cut both files and store them elsewhere. The Inbox file could be renamed and at least some data could be recovered in Notepad, but the .dbf or .dbx file was all binary data mapping the begin/end points, a directory, for each email in the Inbox file. When next the client would load, it would automatically create a new, clean, Inbox and empty Inbox.dbf. My surmise as to the "handshake" is that the mail gets "popped" off the stack with your pop server, while the return trip is an SMTP transaction. If you pop mail off the spool to another machine, it will still be on the spool unless that machine is itself set up to SMTP back to the spool. So long as the SMTP data to delete the spool entries does not connect to the server, the mail stays on the spool even until you use up your allocation on the spool, usually about 6Mb. To my advantage, I can access my inbox online through my ISP's website: although I can't "see" what is in it, I can "see" how much is in it. And if I choose, I can clear the spool without knowing what is in the thread. With that option, when I believe I have unspooled all the messages on the server, I can verify online that there is in fact no data on the spooler for my Inbox. My sense of OP's difficulty is that he may be handshaking with his ISP with one client, or not, then handshaking with SC, or not, and SC may be handshaking with the ISP, or not, so that his genuine frustration may take a bit of investigation to figure out what may be going on, or not. I am not in a position to examine each connection to ascertain what may be not working, my purpose is to encourage his investigation, not provide an answer, as I have no experience with either SC mail or the Opera client. Glenn From nobody at devnull.spamcop.net Sun Jul 18 13:19:14 2004 From: nobody at devnull.spamcop.net (WazoO) Date: Sun Jul 18 13:20:03 2004 Subject: [SC-Help] Re: My old, deleted mail keep reappearing. References: Message-ID: "Jim Wasson" wrote in message news:opsbca201zy45bd9@archimedes... > > To be clear, I have manually deleted all of these messages time and time > again from the Spamcop webmail interface. Each time I have also deleted > everything out of the trash. I only have an Inbox folder, I've never > created any other folders. I may be way out in left field, but is it possible that a Pinned item http://forum.spamcop.net/forums/index.php?showtopic=128 might be of any value? On one hand you say you "clear trash" but then state that you only have an InBox, but you should have a Held ... so, just adding to the confusion perhaps? From eddie at eddie.web Sun Jul 18 14:46:58 2004 From: eddie at eddie.web (eddie) Date: Sun Jul 18 13:50:03 2004 Subject: [SC-Help] Re: My old, deleted mail keep reappearing. References: Message-ID: On Sun, 18 Jul 2004 13:08:50 -0400, Glenn Daniels scratched out the following: stuff snip > Glenn Thanks for the explanation. I get most of my email via SC and I use SC's website to do all my presorting and reporting; only downloading what I want - reporting and/or deleting the rest. There is an option on Outlook XP that allows me to delete email on on SC (or any other server), after I delete in in Outlook. It works. It has to be deleted from the "Deleted Items" folder on Outlook, not just deleted from the Inbox. If I delete a piece of email I have downloaded, the next send/receive to SC deletes the item on the SC server. It does not go to trash, as I recall, it goes directly to devnull, but I haven't done it lately, so I am not sure what happens, but it does get deleted on SC. That info is in the handshake. The exact options I have checked on Outlook are Leave a copy on the server Remove from server after 5 days Delete from server when deleted from "Deleted Items" I assume that this is all part of some grand handshake :) From aukword666 at attglobal.net Sun Jul 18 15:13:31 2004 From: aukword666 at attglobal.net (Glenn Daniels) Date: Sun Jul 18 14:15:03 2004 Subject: [SC-Help] Re: My old, deleted mail keep reappearing. References: Message-ID: "eddie" wrote in message > to SC deletes the item on the SC server. It does not go to trash, as I > recall, it goes directly to devnull, but I haven't done it lately, so I am > not sure what happens, but it does get deleted on SC. That info is in the > handshake. > The exact options I have checked on Outlook are Leave a copy on the server > Remove from server after 5 days > Delete from server when deleted from "Deleted Items" > I assume that this is all part of some grand handshake :) > Sounds about right, as you are looking at your transactions with the SC spool. If it works, it is fair to assume SC has the smtp configuration for the ISP and is not leaving copies of everything on the ISP's spool. And you could verify that by accessing the ISP mailserver using your account settings there, to be certain the spool is "clean" there. I am just not so sure that OP's SC account is clearing his ISP's spool, like its smtp engine may not communicate to the ISP's mail server to "not leave a copy" on the spool. As he is saying, he repeatedly downloads his messages to SC Mail, like they are still on the spool at his ISP and maybe SC needs to know his smtp server to talk back to his ISP. Glenn From alexh at oxymoron.org Sun Jul 18 16:30:21 2004 From: alexh at oxymoron.org (AlexH) Date: Sun Jul 18 15:35:04 2004 Subject: [SC-Help] Very Silly Question Message-ID: Hi. Can anybody tell me why, time after time, I report the same spammers, and they still come back and send more stuff. No, I don't respond to them to unsub me; I use SPAMCOP as (I think) I'm supposed to. A couple of these are THEUSEFUL and MARKETING4PROS, and so many more. They don't seem to even pause; just keep sending that stuff. Just curious ... Thanks, AlexH From alexh at oxymoron.org Sun Jul 18 16:33:46 2004 From: alexh at oxymoron.org (AlexH) Date: Sun Jul 18 15:35:10 2004 Subject: [SC-Help] One more thing Message-ID: Oh yes, this is a non-working email address, as many here have done. I use it to post here, but it will not get any email to me. Very sorry, if you're trying to email me; I'll check for posts here. AlexH From nobody at devnull.spamcop.net Sun Jul 18 15:46:00 2004 From: nobody at devnull.spamcop.net (WazoO) Date: Sun Jul 18 15:50:05 2004 Subject: [SC-Help] Re: One more thing References: Message-ID: "AlexH" wrote in message news:cdejaq$c89$1@news.spamcop.net... > Oh yes, this is a non-working email address, as many here have done. Most have followed the requested action of using the address of nobody@devnull.spamcop.net to do this. I'm not going to check, but have you permission from the domain owner you're allegedly forging your address with to do this? While you're making changes in your OE account, please set it to "send as plain text only" .. HTML is not appreciated here. > Very sorry, if you're trying to email me; I'll check for posts here. This is a newsgroup. Normally, you post something here, someone responds here. From nobody at spamcop.net Sun Jul 18 14:02:14 2004 From: nobody at spamcop.net (Don Wannit) Date: Sun Jul 18 16:05:03 2004 Subject: [SC-Help] Re: Very Silly Question In-Reply-To: References: Message-ID: AlexH wrote: > Hi. > > Can anybody tell me why, time after time, I report the same spammers, > and they still come back and send more stuff. > > No, I don't respond to them to unsub me; I use SPAMCOP as (I think) > I'm supposed to. > > A couple of these are THEUSEFUL and MARKETING4PROS, and so many more. > They don't seem to even pause; just keep sending that stuff. > > Just curious ... > > Thanks, AlexH Well, the short answer is that your reporting spam has no immediate and direct impact to prevent same spammer sending you more. If other recipients also report the same IP address (not necessarily the same spam message), then your report and the others together can have some effect. Unfortuately, one report is pretty much just like spitting into the wind. But don't let that discourage you! With some ISPs, a single report to the abuse address *might* have some impact. However, most ISPs don't have such a hair-trigger response, and many don't respond at all (the "Black Hats"). And hair-triggers have been known to get fired accidentally... Longer answer: the effects of reports sent to/via SpamCop are cumulative, and for improved accuracy depend on "the power of numbers". Multiple reports naming a particular injection IP, and coming from multiple different reporters, will get that IP address listed on the SpamCop blocklist based on an automatic algorithm. There are two ways your spam reports can reduce the spam coming into your inbox: 1 - the spammer's ISP terminates their accounts, or the ISPs of the zombies/proxies being exploited by the spammer take action against those irresponsible PC owners. This is the desired outcome, with global benefits for everyone. 2 - use the SpamCop blocklist to divert email coming from IP addresses reported by you and others as originating spam. Your own ISP may make it easy to do this, or might already have it in place. If you administer your own email host, you can set it up yourself. You can also use add-ons like SpamAssassin to check your email against the SpamCop and other blocklists even if your sysadmin doesn't do it systemwide. This has quicker, but more localized benefits. It doesn't materially reduce the bandwidth wasted by spam (unless you block instead of divert), and only users of the blocklist benefit. I highly recommend using the SpamCop email service. You can set it up to filter your incoming email, and divert possible spam to a "Held Mail" folder for you to look at for false positives, and report the rest with SpamCop. You can have SpamCop POP your email from your server, or you can have SpamCop forward the filtered email to your local email host. Nice interface for an IMAP-capable email client. It's $30 a year for unlimited email. I've been a happy user for several years. Hey, I said it was long! -- Don Wannit A paid SpamCop user since 1999 From nobody at spamcop.net Sun Jul 18 14:04:44 2004 From: nobody at spamcop.net (Don Wannit) Date: Sun Jul 18 16:05:11 2004 Subject: [SC-Help] Re: One more thing In-Reply-To: References: Message-ID: WazoO wrote: > "AlexH" wrote in message > news:cdejaq$c89$1@news.spamcop.net... > >>Oh yes, this is a non-working email address, as many here have done. > > > Most have followed the requested action of using the address of > nobody@devnull.spamcop.net to do this. I'm not going to > check, but have you permission from the domain owner you're > allegedly forging your address with to do this? > > While you're making changes in your OE account, please set > it to "send as plain text only" .. HTML is not appreciated here. > > >>Very sorry, if you're trying to email me; I'll check for posts here. > > > This is a newsgroup. Normally, you post something here, > someone responds here. > > WazoO: I checked the whois information for that domain, and the contacts are all alex_howard. So our friend AlexH either is reasonably authorized to use that domain, or happened to pick a newsgroup realname that matched. -- Don Wannit A paid SpamCop user since 1999 From ahab at hiwaay.net Sun Jul 18 16:20:28 2004 From: ahab at hiwaay.net (Hoyt Weathers) Date: Sun Jul 18 16:20:03 2004 Subject: [SC-Help] SpamAssassin for Macs? Message-ID: <40FADB8C.FEE21706@hiwaay.net> [the address above is correct.] I am running a Mac G3, MOS 9.2.2, and Netscape 4.79 and I am a paying customer of SpamCop. I apologize if this is not the proper place to ask this question. Is there a version of SpamAssassin which will work on my Mac? If so, I wish to download it. I have looked into the Apache site and there is no mention of operating systems. It appears that everything is for MS DOS systems. Thank you for any assistance in this matter. Hoyt W. From eddie at eddie.web Sun Jul 18 17:23:26 2004 From: eddie at eddie.web (eddie) Date: Sun Jul 18 16:25:03 2004 Subject: [SC-Help] Re: One more thing References: Message-ID: On Sun, 18 Jul 2004 15:33:46 -0400, AlexH scratched out the following: snip Is your name Columbo, as in Lt. Columbo by any chance? From eddie at eddie.web Sun Jul 18 17:27:03 2004 From: eddie at eddie.web (eddie) Date: Sun Jul 18 16:30:03 2004 Subject: [SC-Help] Re: Very Silly Question References: Message-ID: On Sun, 18 Jul 2004 15:30:21 -0400, AlexH scratched out the following: > Hi. > > Can anybody tell me why, time after time, I report the same spammers, and > they still come back and send more stuff. snip At the very least, reporting a spammer should result in his spam arriving in your held box, if it isn't already getting there. The rest is part of a huge equation that nobody really understands, but even if the level of spam increases, I am sure that it is increasing more slowly because of reporting. The big unknowns are gray and blackhat ISPs, who abet the spammers, and ignorant ISPs who abet the spammers. There are so many zombies out there, that reporting a single one, even if it gets shut down, like those broomsticks in Mickey Mouse's section of Fantasia, they just keep popping up as fast as they get shut down. From nobody at devnull.spamcop.net Sun Jul 18 16:27:35 2004 From: nobody at devnull.spamcop.net (Cat) Date: Sun Jul 18 16:30:13 2004 Subject: [SC-Help] Re: SpamAssassin for Macs? In-Reply-To: <40FADB8C.FEE21706@hiwaay.net> References: <40FADB8C.FEE21706@hiwaay.net> Message-ID: Hoyt Weathers wrote: > I am running a Mac G3, MOS 9.2.2, and Netscape 4.79 and I am a paying customer of > SpamCop. My first suggestion is to get a newer browser than version 4.79. > I apologize if this is not the proper place to ask this question. Shouldn't you write to the SpamAssassin web site to ask them about this instead of here? From MikeE at ster.invalid Sun Jul 18 14:54:32 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sun Jul 18 17:00:03 2004 Subject: [SC-Help] Re: SpamAssassin for Macs? References: <40FADB8C.FEE21706@hiwaay.net> Message-ID: Hoyt Weathers wrote: > I am running a Mac G3, MOS 9.2.2, > Is there a version of SpamAssassin which will work on my Mac? Not that I know of. This site explains how to install SA for OS X - http://www.stupidfool.org/docs/sa.html - This document describes the process of installing SpamAssassin on OS X You're going to have a harder time back at 9.2 than you would at X. You could use some Eudora filters and addons. > I have looked into the Apache site and there > is no mention of operating systems. This is where the Apache site refers to the above http://spamassassin.apache.org/downloads.html - MacOS X users: Ben Trott of MovableType has written a good how-to on installing SpamAssassin on OSX. > It appears that everything is for > MS DOS systems. No - ./n/x users. -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Sun Jul 18 15:56:06 2004 From: nobody at spamcop.net (Don Wannit) Date: Sun Jul 18 18:00:05 2004 Subject: [SC-Help] Re: Very Silly Question In-Reply-To: References: Message-ID: eddie wrote: > On Sun, 18 Jul 2004 15:30:21 -0400, AlexH scratched out the following: > > >>Hi. >> >>Can anybody tell me why, time after time, I report the same spammers, and >>they still come back and send more stuff. > > snip > At the very least, reporting a spammer should result in his spam arriving > in your held box, if it isn't already getting there. No, that's not necessarily true. If you are the only report for that IP, then it won't be on the SpamCop blocklist. And presumably it is already getting past the SpamAssassin or other filtering/tagging you have in place, and just reporting it won't change that. Also, only SpamCop email customers have a Held Mail folder, reporting only users are dependent on someone else to filter or divert their email based on whatever criteria. The SpamCop blocklist might be one criterion. SpamAssassin might be another. Eudora/Mozilla/whatever junk filtering are yet more possibilities. But simply reporting a spam does not mean that you don't get more spam from that same injection point, or identical spams sent from other IP addresses. Since sender addresses are almost always forged, you can't even blacklist or filter based on that. Often the forged sender address is someone you might want to receive legitimate email from. Especially in the face of virmen that send address book information back to the spammer. More social engineering to make it more likely that you'll open a message from someone you had corresponded with in the past. -- Don Wannit A paid SpamCop user since 1999 From ric.gates at bigsleep.org Sun Jul 18 23:39:27 2004 From: ric.gates at bigsleep.org (Blammo) Date: Sun Jul 18 18:40:02 2004 Subject: [SC-Help] Re: Stupid Charter acks References: Message-ID: On 18 Jul 2004 Glenn Daniels entered spamcop.help and left news:cddira$jsd$1@news.spamcop.net: > Ooops! Forgot to mention that the websubmit form works > fine in IE6 but won't take keyboard entries in NS7 (but you > can use paste operations and *make* it usable). > I don't know what you mean, it works fine, tab/paste/cut work. If you're talking about the Javascript validation, it's pure junk, they don't know what they are doing and it just happens to work in IE. Error: unterminated character class 0 Source Code: ValidField(/[0-9/]/,this); Which is not the correct way to pass a RegEx to a function (NN4 also gives this error). And they probably aren't capturing events correctly either, but I don't care, it seems to work just the same. > I am thinking you are sending spam as attachment to > abuse@charter.net maybe. From my experience with their > websubmit form it looks like they need you to show them > their IP: a seperate entry on the form. They seem to need it > fed to them as date, time, etc, like they can't see those in > your headers either. I was talking about reports sent by SpamCop, not manual reports. The form may be useful if I have some problem sending a manual lart, but I believe they are capable of parsing eMail headers sent inline. I think the form just makes sure that the necessary information is supplied. Like it was mentioned before, I think the problem is forged headers. According to http://www.charter.com/service/abuse_IPAdd.asp "For Spam and Threats and Harassment, you will find the offender’s IP address as the lowest FROM line in the e-mail full Internet header." Then further below (smart quotes removed)... "There can be several Received entries. If they are not forged, they will show the path back to the sender in reverse sequence. While it is possible to forge intermediate paths, the very first one at the top of the message header will be accurate. With respect to spam, that is the one address you can be sure is NOT forged. Fortunately, however, those who harass you by email rarely go to the trouble of forging the path." I haven't got any auto-acks back since I started this thread, so maybe they got smart (watch, I'll get one now). -- | Ric | From pete at heypete.com Sun Jul 18 16:48:22 2004 From: pete at heypete.com (Pete Stephenson) Date: Sun Jul 18 18:50:03 2004 Subject: [SC-Help] Re: SpamAssassin for Macs? References: <40FADB8C.FEE21706@hiwaay.net> Message-ID: In article <40FADB8C.FEE21706@hiwaay.net>, Hoyt Weathers wrote: > I am running a Mac G3, MOS 9.2.2, and Netscape 4.79 and I am a paying > customer of SpamCop. Ah, I remember the 4.7x days fondly. First off, I'd suggest getting Mac OS X -- it'll run on your PowerMac G3, and it's far better supported by modern software. > Is there a version of SpamAssassin which will work on my Mac? See http://www.spamnix.com/ -- it works for Eudora for Mac OS X. Eudora is one of the finer mail clients around, far better than Netscape's mail interface. Eudora also supports Bayesian filtering in the recent clients in Sponsored or Paid mode. Definitely a most welcome feature. -- Pete Stephenson HeyPete.com From sam at logan1.loganet.net Sun Jul 18 20:54:37 2004 From: sam at logan1.loganet.net (Sam) Date: Sun Jul 18 20:11:06 2004 Subject: [SC-Help] Porno subject lines - Getting a ton of them lately In-Reply-To: Message-ID: Have any of you been getting deluged with spam with subect lines such as these: (Alert - some of these are somewhat graphic. Stop reading now if that offends you) ----------------------------------------------------- Cum Hungry Chicks lvoe to eat out inertnal creampies Fserh Big Sized Dnowloadable Video Cum Hungry Wohre getting their pussies fileld with cum Levoly Cum Worhe squirt hot creamy loads out their asess The Hteostt Chicks Triplpe Anal ----------------------------------------------------- You get the idea. The Subject line is always filled with mispelled words like these. They come from a plethora of different mailservers. Is there a common tag or item to filter on, such as with the German hate spam that surfaced recently? Thanks Everyone! Sam From nobody at devnull.spamcop.net Sun Jul 18 21:44:31 2004 From: nobody at devnull.spamcop.net (Glenn Daniels) Date: Sun Jul 18 20:45:03 2004 Subject: [SC-Help] Re: Porno subject lines - Getting a ton of them lately References: Message-ID: "Sam" wrote in message > Have any of you been getting deluged with spam with subect lines such as > these: > > > (Alert - some of these are somewhat graphic. Stop reading now if that > offends you) > > Is there a common tag or item to filter on, such as with the German hate > spam that surfaced recently? > Only this, they all point in the spam body to http://www.easydatingoffers.com so if you are willing to filter for "easydating" or "datingoffers" in the spam body you take out all of them. My sense of these "Subject:" lines is that they are intended to provoke a reaction: for the naive, there is the disgust which presses the "unsubscribe" button at a visceral level. That is probably the intent, to verify a "hot lead", a belief that is reinforced by the fact that it purports to be an online dating service provided by a marketing service out of Hong Kong. I believe that dating services in general are all con: the bait is a match made in heaven, the hook is you give away your identity. If you choke up at the bait, and push it back, you give up your identity. It is win-win for the scamming spammer, unless you feign death and they listwash you as a "cold lead" (in your dreams!) Glenn From ob1db at spamcop.net Mon Jul 19 01:30:45 2004 From: ob1db at spamcop.net (David Butler) Date: Mon Jul 19 00:35:02 2004 Subject: [SC-Help] Re: Porno subject lines - Getting a ton of them lately References: Message-ID: "Sam" wrote in message news:mailman.188.1090195867.9607.spamcop-help@news.spamcop.net... > Have any of you been getting deluged with spam with subect lines such as > these: > > The Subject line is always filled with mispelled words like these. They > come from a plethora of different mailservers. > > Is there a common tag or item to filter on, such as with the German hate > spam that surfaced recently? > I am getting worse ones and they point to real porn, which is obvious IN the email. I am ....ed the filtering is not catching these. From MikeE at ster.invalid Mon Jul 19 00:51:13 2004 From: MikeE at ster.invalid (Mike Easter) Date: Mon Jul 19 02:55:03 2004 Subject: [SC-Help] Re: Porno subject lines - Getting a ton of them lately References: Message-ID: Glenn Daniels wrote: > "Sam" >> (Alert - some of these are somewhat graphic. Stop reading now if that >> offends you) > My sense of these "Subject:" lines is that they are intended to > provoke a reaction: Exactly. I continue to argue that 'reading' spamitems - all other things being 'equal' - scores one for the spammer. That is, we should all consider ourselves to be 'at war' with those who spam. The more things we do 'their way' the higher /they/ score. The more things we do 'our way' the higher /we/ score. As a general rule, opening and reading a spam is doing it 'their way' - and the score is in the spammer's favor. As a general rule, simply reporting a spam doesn't do much of anything. So, opening and reading a spam which is subsequently reported scores for the spammer. I can elaborate on the details of scoring more as necessary to describe how to get ahead of the spammer; but the 'simplest' way to get ahead of the spammer would be to stay even by never opening or reading a spam and simply deleting it; or /better/ to report a spam without ever opening and/or reading it. Of course, there are numerous other options for spamfighters, which also includes even 'visiting' or GETing the website -- but there is more complexity in scoring in 'advanced' spamfighting. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Mon Jul 19 01:05:21 2004 From: MikeE at ster.invalid (Mike Easter) Date: Mon Jul 19 03:10:07 2004 Subject: [SC-Help] Re: Porno subject lines - Getting a ton of them lately References: Message-ID: Mike Easter wrote: > opening and > reading a spam which is subsequently reported scores for the spammer. According to those calculations, the spamreading 'simple' spamcop reporter would be behind the pledged 'just hit deleter'. The advanced spamfighter can make up for spamreading only by being 'particularly' effective at spamfighting. The 'incompetent' spamfighter who reads spam is worse than the pledged deleter on my scorecard. -- Mike Easter kibitzer, not SC admin From wb8tyw at qsl.network Mon Jul 19 08:55:57 2004 From: wb8tyw at qsl.network (John E. Malmberg) Date: Mon Jul 19 08:00:44 2004 Subject: [SC-Help] Re: Porno subject lines - Getting a ton of them lately In-Reply-To: References: Message-ID: <_oOdnXBJK-BQK2bdRVn-sA@adelphia.com> If you are getting a significant amount of spam, it means that your mail server is needlessly accepting e-mail from known spam sources such as open proxies or domains owned by spammers. This is likely raising the cash operating costs of the mail server and the network owner that it is on. If you are using the spamcop.net filtering service, make sure that it is checking the following DNSbls in addition to the bl.spamcop.net: sbl-xbl.spamhaus.org (includes opm.blitzed.org - Confirmed recent open proxies, cbl.abuseat.org - Confirmed spam or virus sources, sbl.spamhaus.org - IP addresses controlled by spammers) list.dsbl.org (Open relays, Open Proxies, and insecure systems) dnsbl.njabl.org (Open relays, Open Proxies, Some DHCP pools) This is a baseline of what many postmasters including Steve Linford use to keep spam out. Steve Linford is reporting on usenet, zero false positives at UXN.COM on these, and that these three lists alone are removing 80 to 85 percent of the spam. Once a spam source gets on one of the three lists above, many reporters no longer see the spam to report. Some then use the more aggressive dul.dnsbl.sorbs.net which is a list of I.P. addresses that are either known or suspected to be dynamically assigned. And finally SpamAssasin 3.0b (still beta?) can be used by some mail servers to identify the I.P. address that the links in spam resolve to and check them against the sbl-xbl.spamhaus.org for reliable detection of more spam. I do not know if the SpamAssasin with the spamcop.net mail service has that feature, you will need to take that up with the person that maintains it. They claim to monitor the web forum for mail issues. -John wb8tyw@qsl.network Personal Opinion Only From jimwasson at spamcop.net Mon Jul 19 07:08:58 2004 From: jimwasson at spamcop.net (Jim Wasson) Date: Mon Jul 19 09:10:22 2004 Subject: [SC-Help] Re: My old, deleted mail keep reappearing. References: Message-ID: On Sun, 18 Jul 2004 12:08:54 -0400, Glenn Daniels wrote: > "Jim Wasson" wrote in message >> Glenn Daniels wrote: >> >> > "Jim Wasson" wrote in message > >> Glenn: The same thing happens both with my Opera e-mail client and with >> Outlook. >> My usual technique is to pop with Opera (leaving the messages on the >> server) and >> later to pop with Outlook (removing the messages from the server.) >> >> To be clear, I have manually deleted all of these messages time and time >> again from the Spamcop webmail interface. Each time I have also deleted >> everything out of the trash. I only have an Inbox folder, I've never >> created >> any other folders. >> >> >> -- >> Using Opera's revolutionary e-mail client: http://www.opera.com/m2/ > > Jim: > Just guessing here, trying to be helpful, but at least one other > possibility > comes to mind: The mail client is failing to communicate back to the > server that you have deleted the mail. This may happen, for instance, if > your client is set up for a one way trip: you may pop your mail off the > server, but if your smtp is not configured for the account, the data > about > your "deletes" fails to get transmitted back. Of course, it may not be > a problem at your end, as the mail server may receive your data and > being busy with other things for the moment, fail to complete the > transaction. Sometimes it may take minutes to delete hundreds of files, > and if you terminate on your end thinking "that's done", yet it may not > be. > > My only other consideration would be to suppose that your Opera > email client is correctly configured, and may be reading back to > the server correct information about your deletions. In any case, > would it hurt to set that client to not leave messages on server until > you are certain they have all been offloaded from the spooler and > then restore your current configuration? > > If the problem persists, you might need to look to tech-support for > your ISP for a solution from their end... You may be deleting messages > from your SpamCop Inbox while the originals are still sitting on the > spooler for your ISP's mail server. > > Glenn > > That could be possible. It's particularly perplexing because these appear to be some of the "oldsst" messages that there could be in there, I mean back from 2000. Very odd, though. I believe that this began happening about 3 or 4 months ago. I do check the held mail and deal with it, either releasing it or reporting it. I don't think that very many held e-mails are in this group. I usually pop the mail (leaving a copy on the server) with Opera and later pop it with Outlook (this time not leaving a copy on the server). When I later log into SC WebMail, the mail is gone. They just "reappears" sometime later, both in the popped mail and in SC's webmail. When they do reappear, I have to go to the SC WebMail and delete them there. They then don't seem to get removed when I pop them. in SC's server, not the ISP's spool. -- Using Opera's revolutionary e-mail client: http://www.opera.com/m2/ From eddie at eddie.web Mon Jul 19 13:38:48 2004 From: eddie at eddie.web (eddie) Date: Mon Jul 19 12:40:28 2004 Subject: [SC-Help] Re: My old, deleted mail keep reappearing. References: Message-ID: On Mon, 19 Jul 2004 06:08:58 -0700, Jim Wasson scratched out the following: snip >They just "reappears" > sometime later, both in the popped mail and in SC's webmail. When they do > reappear, I have to go to the SC WebMail and delete them there. They then > don't seem to > get removed when I pop them. > in SC's server, not the ISP's spool. Could it be some other, intermediate server popping them up out of storage from somewhere on the net? Can you trace the headers to see anything strange? From MikeE at ster.invalid Mon Jul 19 10:50:12 2004 From: MikeE at ster.invalid (Mike Easter) Date: Mon Jul 19 12:55:26 2004 Subject: [SC-Help] Re: spammers using my domain name, any suggestions? References: Message-ID: posted to .spam & .help - f/ups to .help The ng .spam is 'strictly' for posting spam, not discussing issues, since we don't post any spam in the other ng/s. Evan wrote: > Some spammers have started using my domain name (eustace.net) in the > falsified from addresses in the spam they are sending. The end result > is that I am getting a lot of bounced mail (I receive all mail to the > domain addressed to unknown address e.g. abcd@eustace.net) I have a > feeling that there is nothing I can do about this, but if anyone can > suggest any course of action I would appreciate it. I am worried about > my domain name being blacklisted because of this. Don't worry about adverse effects of your addy appearing in bogus spam Froms. No 'legitimate' blocklisting db pays any attention to spam Froms. The only adverse effect which could come from such would be the foolish users who are sometimes inclined to 'block sender' whenever they receive a spam. Your various usernames + domainname would thus be blocked by those individual silly geese. > The original sending locations of the spam seem to be varied, e.g.: > dsl-152-108.utaonline.at [62.218.152.108] > lon1-mail-2.visp.demon.net [193.195.70.5] > > and the falsified from fields are randomized: wptvhu@eustace.net, > gustul@eustace.net, yekqdiernf@eustace.net > > Please let me know if you have any suggestions on what, if anything, I > can do. There's not much you can do -- bounces can't be spamcop reported, and the original spams can't be spamcop reported. You can 'dissect' the spam part from the bounce, use the SC parser on it to tell you the source, and then cancel the SC report and manually notify the particular source providers. Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Mon Jul 19 18:42:58 2004 From: nobody at devnull.spamcop.net (Robert Slade) Date: Mon Jul 19 12:55:52 2004 Subject: [SC-Help] Re: spammers using my domain name, any suggestions? References: Message-ID: "Evan" wrote in message news:cdgqbm$1l2$1@news.spamcop.net... > Hi, > Some spammers have started using my domain name (eustace.net) in the > falsified from addresses in the spam they are sending. The end result is > that I am getting a lot of bounced mail (I receive all mail to the > domain addressed to unknown address e.g. abcd@eustace.net) I have a > feeling that there is nothing I can do about this, but if anyone can > suggest any course of action I would appreciate it. I am worried about > my domain name being blacklisted because of this. > The original sending locations of the spam seem to be varied, e.g.: > dsl-152-108.utaonline.at [62.218.152.108] > lon1-mail-2.visp.demon.net [193.195.70.5] > > and the falsified from fields are randomized: wptvhu@eustace.net, > gustul@eustace.net, yekqdiernf@eustace.net > > Please let me know if you have any suggestions on what, if anything, I > can do. > > Thanks, > evan Evan, First of all this newsgroup is for posting samples of spam, so I have set follow-ups to Spamcop.help. Forging someone else's domain name is a common Spammer's technique to get around ,ail servers that verify domain names before accepting mail. It happens to most of us, it is happening to me at the moment. Unfortunately, it is your turn too. You will not get onto any backlist though as these operate by IP address as this cannot be forged. There is little you can do apart from waiting for the spammer to move onto someone else. I have had some success by complaining to the ISP responsible for the originating IP address. Some of the bounce messages will have the full message, including the full header attached and you could identify the actual source ISP from those and complain to the ISP concerned. I have a little worry regarding the apparent sending locations, one of them you quote is my ISPs main mail server. Knowing them (Demon) and how though they are on spam, I suspect that line maybe forged too, but without the full header it is difficult to tell. Unfortunately you cannot report bounces via spamcop, nor can you report the bounced mail as this was not sent to you. If you would like help to identify the actual source, please post the full bounced message in the spamcop.spam newsgroup and refer to it in a post in spamcop.help. As Spammers use newsgroups to collect e-mail addresses, you may want to delete your e-mail address. Rob From nobody at devnull.spamcop.net Mon Jul 19 18:45:11 2004 From: nobody at devnull.spamcop.net (Robert Slade) Date: Mon Jul 19 12:55:57 2004 Subject: [SC-Help] Re: spammers using my domain name, any suggestions? References: Message-ID: "Mike Easter" wrote in message news:cdgu7d$56u$1@news.spamcop.net... > posted to .spam & .help - f/ups to .help > > The ng .spam is 'strictly' for posting spam, not discussing issues, > since we don't post any spam in the other ng/s. > > Evan wrote: > > Some spammers have started using my domain name (eustace.net) in the > > falsified from addresses in the spam they are sending. The end result > > is that I am getting a lot of bounced mail (I receive all mail to the > > domain addressed to unknown address e.g. abcd@eustace.net) I have a > > feeling that there is nothing I can do about this, but if anyone can > > suggest any course of action I would appreciate it. I am worried about > > my domain name being blacklisted because of this. > > Don't worry about adverse effects of your addy appearing in bogus spam > Froms. No 'legitimate' blocklisting db pays any attention to spam > Froms. The only adverse effect which could come from such would be the > foolish users who are sometimes inclined to 'block sender' whenever they > receive a spam. > > Your various usernames + domainname would thus be blocked by those > individual silly geese. > > > The original sending locations of the spam seem to be varied, e.g.: > > dsl-152-108.utaonline.at [62.218.152.108] > > lon1-mail-2.visp.demon.net [193.195.70.5] > > > > and the falsified from fields are randomized: wptvhu@eustace.net, > > gustul@eustace.net, yekqdiernf@eustace.net > > > > Please let me know if you have any suggestions on what, if anything, I > > can do. > > There's not much you can do -- bounces can't be spamcop reported, and > the original spams can't be spamcop reported. You can 'dissect' the > spam part from the bounce, use the SC parser on it to tell you the > source, and then cancel the SC report and manually notify the particular > source providers. > > > Mike Easter > kibitzer, not SC admin > Snap :-) Rob From nobody at devnull.spamcop.net Mon Jul 19 13:58:58 2004 From: nobody at devnull.spamcop.net (Glenn Daniels) Date: Mon Jul 19 13:00:06 2004 Subject: [SC-Help] Re: My old, deleted mail keep reappearing. References: Message-ID: "Jim Wasson" wrote in message > Glenn Daniels wrote: > > etc. > > > >> >> > >> Using Opera's revolutionary e-mail client: http://www.opera.com/m2/ > > That could be possible. It's particularly perplexing because these appear > to > be some of the "oldsst" messages that there could be in there, I mean > back from 2000. Very odd, though. I believe that this began happening about > 3 or 4 months ago. I do check the held mail and deal with it, either > releasing > it or reporting it. I don't think that very many held e-mails are in this > group. I usually pop the mail (leaving a copy on the server) with Opera and > later pop it with Outlook (this time not leaving a copy on the server). > When I > later log into SC WebMail, the mail is gone. They just "reappears" sometime > later, both in the popped mail and in SC's webmail. When they do reappear, > I have to go to the SC WebMail and delete them there. They then don't seem > to > get removed when I pop them. > in SC's server, not the ISP's spool. > -- > Using Opera's revolutionary e-mail client: http://www.opera.com/m2/ At least a bit of detective work might be productive: 1). Convince yourself that the files do not exist on SC's spooler. You may already know that they don't, but just to be sure... Set up your SC account in OE (you can always delete the account later) and see what comes off the SC spool into the new account's Inbox. I will repeat this for myself as necessary to my mental process: What I see in the Inbox exists (at least) only on my computer, and may or may not exist elsewhere. 2). In the very unlikely but remotely possible event that the mystery emails do unwind from SC's spool you have at least this much certain information: they do exist on SC's spool and need to come off. How to do that can wait, first just find out if they are even there. 3). Given at this point that the unwanted emails that mysteriously materialize are not on the ISP's spool, and they are not on SC's spool, then they must be occult to you on your computer. The magic of the rabbit out of the hat is lost when you agree that it must have been been there all along, just hidden to you. There are at least two ways for this to happen that come to mind. 3a). The inbox folder and/or its directory are corrupt. The mail client re-creates the emails as well as it can from retained data but never fully clears the data because it is damaged. In my experience the only way I have seen that works, is to "lose" the inbox altogether. The "inbox" usually exists as two files in a folder unique to your email client - as you are using Opera, I can't help you locate it, but to note that it is probably hidden in "Application Data" or "Local Settings" or "Identities" behind a "hexadecimal key" like {#A#####A-A###-#A##-AAA#-####A##A###A}which is bound to a registry entry which gives the folder special properties. Assuming you locate the Opera mail folder, there is at least a fair chance you will find two files one "Inbox.???" and one "Inbox.db?" The first usually contains a "spool" of received email bodies recorded head to tail to head as they come in. The second contains the email headers and a data record of the byte points in the first file that a given record begins and ends. The mail client builds the Inbox you see from these two records: it really is not a DOS/Windows folder, but a facsimile. If the email client is showing an "empty" Inbox, but the two files you have found contain more than a few kb of data, the records are quite possibly corrupt: sometimes a single illegal character can throw an exception flag in the client, causing further processing to fail, while the client shows only the apparently empty Inbox. 3b). Similar to 3a, except that the bad data tripping up the client consists of a virm or partial virm attachment to an email. Netsky.D or Netsky.P, and Beagle can do this. I have seen it happen: The client shows the folder as "empty" but the data files show a very different picture. 4). Without regard for how the Inbox may be "corrupt", do not delete one component (file) and leave the other as that may really "mess with" the client and result in data overflow errors and crash the program and/or the system. Because the files are probably "protected" behind the hex key noted above, there is a good chance you can't delete them where they stand. However, a cut-paste operation can move them to the desktop or elsewhere and you may study or delete them there (a reboot may be necessary). Next time you run the client, it will usually automatically create new, clean data records for "Inbox", as it is built into clients to do so. Repeating myself as necessary to my mental process: What I see in the Inbox exists (at least) only on my computer, and may or may not exist elsewhere: three and four above are moot if the mystery emails really are on SC's server, but I doubt there is much chance of that. The above is clearly not an answer to your question, but may offer an approach to resolving the problem the question poses. The answer to your question is more likely nobody has the answer, so be patient with me for being obtuse. It is unintentional and probably relates to a long standing impairment. Best of luck working this out. Glenn From gmenini at spamhole.org Mon Jul 19 15:49:33 2004 From: gmenini at spamhole.org (Gabriel Menini) Date: Mon Jul 19 13:55:12 2004 Subject: [SC-Help] Reporting spammers email addresses Message-ID: Hello, there I've been working reporting spam entire messages and email addresses for the las three weeks and I really feel like a /Spam Fighter/ ;-) Now, I have a question: My ISP blocks my email account and every night send me a list of blocked spammers (email addresses, sometimes forged, sometimes real). I want to know if there's a possiblity to report those addresses in a bunch, perhaps one per line in some kind of HTML form at spamcop.net When tried that, the system told me that it was erroneous. So, I had to report 20+ spammer addresses one by one .. :-\ How can I report a list of spammer addresses as a batch? T.I.A. Greetings from Uruguay. -- Gabriel Menini ||| replace domain spamhole.com with sg-guarani.org ||| IT Support Guarani Aquifer System Project From spam at eustace.net Mon Jul 19 15:50:38 2004 From: spam at eustace.net (Evan) Date: Mon Jul 19 14:55:03 2004 Subject: [SC-Help] Re: spammers using my domain name, any suggestions? In-Reply-To: References: Message-ID: Thanks for the responses, and pardon my error in posting to the wrong group. Robert Slade wrote: > "Evan" wrote in message > news:cdgqbm$1l2$1@news.spamcop.net... > >>Hi, >> Some spammers have started using my domain name (eustace.net) in the >>falsified from addresses in the spam they are sending. The end result is >>that I am getting a lot of bounced mail (I receive all mail to the >>domain addressed to unknown address e.g. abcd@eustace.net) I have a >>feeling that there is nothing I can do about this, but if anyone can >>suggest any course of action I would appreciate it. I am worried about >>my domain name being blacklisted because of this. >> The original sending locations of the spam seem to be varied, e.g.: >>dsl-152-108.utaonline.at [62.218.152.108] >>lon1-mail-2.visp.demon.net [193.195.70.5] >> >>and the falsified from fields are randomized: wptvhu@eustace.net, >>gustul@eustace.net, yekqdiernf@eustace.net >> >>Please let me know if you have any suggestions on what, if anything, I >>can do. >> >>Thanks, >>evan > > > Evan, > > First of all this newsgroup is for posting samples of spam, so I have set > follow-ups to Spamcop.help. > > Forging someone else's domain name is a common Spammer's technique to get > around ,ail servers that verify domain names before accepting mail. It > happens to most of us, it is happening to me at the moment. Unfortunately, > it is your turn too. > > You will not get onto any backlist though as these operate by IP address as > this cannot be forged. > > There is little you can do apart from waiting for the spammer to move onto > someone else. I have had some success by complaining to the ISP responsible > for the originating IP address. Some of the bounce messages will have the > full message, including the full header attached and you could identify the > actual source ISP from those and complain to the ISP concerned. > > I have a little worry regarding the apparent sending locations, one of them > you quote is my ISPs main mail server. Knowing them (Demon) and how though > they are on spam, I suspect that line maybe forged too, but without the full > header it is difficult to tell. > > Unfortunately you cannot report bounces via spamcop, nor can you report the > bounced mail as this was not sent to you. If you would like help to identify > the actual source, please post the full bounced message in the spamcop.spam > newsgroup and refer to it in a post in spamcop.help. As Spammers use > newsgroups to collect e-mail addresses, you may want to delete your e-mail > address. > > Rob > > > From nobody at devnull.spamcop.net Mon Jul 19 14:58:33 2004 From: nobody at devnull.spamcop.net (Cat) Date: Mon Jul 19 15:00:03 2004 Subject: [SC-Help] Re: spammers using my domain name, any suggestions? In-Reply-To: References: Message-ID: (Top posting fixed) Evan wrote: > Robert Slade wrote: > >> Evan, >> >> First of all this newsgroup is for posting samples of spam, so I have set >> follow-ups to Spamcop.help. > Thanks for the responses, and pardon my error in posting to the wrong > group. Now if we could just get you to post your own comments inline below the quoted part you're replying to and snip out the rest. Top posting and not snipping is particularly frowned upon in most newsgroups because it gets the conversation out of order and forces your readers to have to spend extra unneeded time to understand the context of your posts. See #6 at http://linux.sgms-centre.com/misc/netiquette.php and #1 and #2 at http://www.river.com/users/share/etiquette/ for more snipping and inline posting netiquette. -Cat SpamCop user, not an admin From ob1db at spamcop.net Mon Jul 19 18:59:05 2004 From: ob1db at spamcop.net (David Butler) Date: Mon Jul 19 18:00:22 2004 Subject: [SC-Help] Curious why possible relay not reported Message-ID: http://www.spamcop.net/sc?id=z557593125z5dea320fc3b8904bbc8fb95e0bb3bfd2z I am probably reading this wrong, Received: from 202.82.33.199 (HELO 64.156.215.7) (202.82.33.199) by mta246.mail.scd.yahoo.com with SMTP; Mon, 19 Jul 2004 07:30:19 -0700 Bogus IP in HELO removed: Received: from 202.82.33.199 ( HELO [x.x.x.x] ) (202.82.33.199) by mta246.mail.scd.yahoo.com with SMTP; Mon, 19 Jul 2004 07:30:19 -0700 202.82.33.199 found host 202.82.33.199 (getting name) no name Possible spammer: 202.82.33.199 Received line accepted Received: from a-73-7-790-670.YWYLBM7.mxkcez@msn.com ([166.140.54.243]) by tz7-jmfy9.USHDDGKZDIHEA@msn.com with Microsoft SMTPSVC(5.0.7107.4388); Mon, 19 Jul 2004 20:31:28 +0500 166.140.54.243 found host 166.140.54.243 = 243.sub-166-140-54.myvzw.com (cached) host 243.sub-166-140-54.myvzw.com (checking ip) = 166.140.54.243 202.82.33.199 not listed in dnsbl.njabl.org 202.82.33.199 listed in cbl.abuseat.org ( 127.0.0.2 ) Open proxies untrusted as relays shouldn't 166.140.54.243 get reported as a possible relay? Or is it just a fake based on the IP not being valid for the alleged source and not showing the handoff to 202.82.33.199? Thanks David From ob1db at spamcop.net Mon Jul 19 19:38:55 2004 From: ob1db at spamcop.net (David Butler) Date: Mon Jul 19 18:40:03 2004 Subject: [SC-Help] Re: Reporting spammers email addresses References: Message-ID: "Gabriel Menini" wrote in message news:cdh1mu$86k$1@news.spamcop.net... > Hello, there > > I've been working reporting spam entire messages and email addresses for > the las three weeks and I really feel like a /Spam Fighter/ ;-) > > Now, I have a question: > > My ISP blocks my email account and every night send me a list of blocked > spammers (email addresses, sometimes forged, sometimes real). > > I want to know if there's a possiblity to report those addresses in a > bunch, perhaps one per line in some kind of HTML form at spamcop.net > > When tried that, the system told me that it was erroneous. > So, I had to report 20+ spammer addresses one by one .. :-\ > > How can I report a list of spammer addresses as a batch? > > You can't do this way, almost ALL spam has forged return addresses. Unless they can send you the full headers to parse, there really is no accurate way to report them. And no way to bulk report here, sorry, except by having SPamcop filter your mail first and using QuickReport option. See SPamcop mail service description for more explanation. Welcome! David From MikeE at ster.invalid Mon Jul 19 17:11:02 2004 From: MikeE at ster.invalid (Mike Easter) Date: Mon Jul 19 19:15:03 2004 Subject: [SC-Help] Re: Curious why possible relay not reported References: Message-ID: David Butler wrote: www.spamcop.net/sc?id=z557593125z5dea320fc3b8904bbc8fb95e0bb3bfd2z > > I am probably reading this wrong, > > Received: from 202.82.33.199 (HELO 64.156.215.7) (202.82.33.199) Sourceline, listed proxy, chain breaks, helo bogosity, end of line. >From the parser's point of view, it will not chain past a listed open proxy whether it can 'see' the helo bogosity or not. > 202.82.33.199 listed in cbl.abuseat.org ( 127.0.0.2 ) > Open proxies untrusted as relays > > shouldn't 166.140.54.243 get reported as a possible relay? No. I find 'open proxies untrusted as relays' to not be a good way to say what is going on, except SC is 'saying' "I'm not going any further than this regardless of whether the next 'by' field down looks like it belongs to this IP or not." That is, even if the next line were somehow constructed to 'look good' as a relay's domainstamp, SC isn't going to regard it. > Or is it just a fake based on the IP not being valid for the alleged > source and not showing the handoff to 202.82.33.199? The next line down isn't even a properly constructed trace line; it wouldn't fool SC even if SC tried to look at it, which it doesn't. Altho' it appears that SC 'starts' to look at the next line down by looking at the IP in the 'from' field, it never 'bothers' to look at the 'by' field - it just 'drops' the examination of the last traceline because it is 'locked' on the '202.82.33.199 listed in cbl.abuseat.org ( 127.0.0.2 )' -- Mike Easter kibitzer, not SC admin From gmenini at spamhole.org Mon Jul 19 21:15:59 2004 From: gmenini at spamhole.org (Gabriel Menini) Date: Mon Jul 19 19:20:02 2004 Subject: [SC-Help] Re: Reporting spammers email addresses In-Reply-To: References: Message-ID: David Butler wrote: > "Gabriel Menini" wrote in message > news:cdh1mu$86k$1@news.spamcop.net... > >>Hello, there >> >>I've been working reporting spam entire messages and email addresses for >>the las three weeks and I really feel like a /Spam Fighter/ ;-) >> >>Now, I have a question: >> >>My ISP blocks my email account and every night send me a list of blocked >>spammers (email addresses, sometimes forged, sometimes real). >> >>I want to know if there's a possiblity to report those addresses in a >>bunch, perhaps one per line in some kind of HTML form at spamcop.net >> >>When tried that, the system told me that it was erroneous. >>So, I had to report 20+ spammer addresses one by one .. :-\ >> >>How can I report a list of spammer addresses as a batch? >> >> > > > You can't do this way, almost ALL spam has forged return addresses. > > Unless they can send you the full headers to parse, there really is no > accurate way to report them. > > And no way to bulk report here, sorry, except by having SPamcop filter your > mail first and using QuickReport option. > > See SPamcop mail service description for more explanation. > > Welcome! > > David > > Thanks, David -- Gabriel Menini ||| replace domain spamhole.com with sg-guarani.org ||| IT Support Guarani Aquifer System Project From no_one at noplace.org Mon Jul 19 17:26:24 2004 From: no_one at noplace.org (Perky Not) Date: Mon Jul 19 19:30:02 2004 Subject: [SC-Help] A Bounce to 9 Recipients Message-ID: Message posted in .spam Can this be reported to spamcop? I appears to be a bounce but to 9 recipients? I guess we all sent the same spam to the same person. -- Perky Not From wb8tyw at qsl.network Mon Jul 19 22:52:11 2004 From: wb8tyw at qsl.network (John E. Malmberg) Date: Mon Jul 19 21:55:11 2004 Subject: [SC-Help] Re: A Bounce to 9 Recipients In-Reply-To: References: Message-ID: <8JidnTtFBMNW52HdRVn-qg@adelphia.com> Perky Not wrote: > Message posted in .spam > > Can this be reported to spamcop? That would take a deputy to determine. > I appears to be a bounce but to 9 > recipients? I guess we all sent the same spam to the same person. That sure does not look like a bounce to me. Does the spamcop.net parser think it is a bounce? -John wb8tyw@qsl.network Personal Opinion Only From jimwasson at spamcop.net Mon Jul 19 20:39:06 2004 From: jimwasson at spamcop.net (Jim Wasson) Date: Mon Jul 19 22:40:03 2004 Subject: [SC-Help] Re: My old, deleted mail keep reappearing. References: Message-ID: On Mon, 19 Jul 2004 12:58:58 -0400, Glenn Daniels wrote: > "Jim Wasson" wrote in message >> Glenn Daniels wrote: >> > etc. >> > >> >> >> >> >> Using Opera's revolutionary e-mail client: http://www.opera.com/m2/ > >> >> That could be possible. It's particularly perplexing because these >> appear >> to >> be some of the "oldsst" messages that there could be in there, I mean >> back from 2000. Very odd, though. I believe that this began happening > about >> 3 or 4 months ago. I do check the held mail and deal with it, either >> releasing >> it or reporting it. I don't think that very many held e-mails are in >> this >> group. I usually pop the mail (leaving a copy on the server) with Opera > and >> later pop it with Outlook (this time not leaving a copy on the server). >> When I >> later log into SC WebMail, the mail is gone. They just "reappears" > sometime >> later, both in the popped mail and in SC's webmail. When they do >> reappear, >> I have to go to the SC WebMail and delete them there. They then don't >> seem >> to >> get removed when I pop them. >> in SC's server, not the ISP's spool. >> -- >> Using Opera's revolutionary e-mail client: http://www.opera.com/m2/ > > At least a bit of detective work might be productive: > > 1). Convince yourself that the files do not exist on SC's spooler. > You may already know that they don't, but just to be sure... > Set up your SC account in OE (you can always delete the account later) > and see what comes off the SC spool into the new account's Inbox. > I will repeat this for myself as necessary to my mental process: What > I see in the Inbox exists (at least) only on my computer, and may or may > not exist elsewhere. > > 2). In the very unlikely but remotely possible event that the mystery > emails do unwind from SC's spool you have at least this much certain > information: they do exist on SC's spool and need to come off. How > to do that can wait, first just find out if they are even there. > > 3). Given at this point that the unwanted emails that mysteriously > materialize are not on the ISP's spool, and they are not on SC's > spool, then they must be occult to you on your computer. The magic > of the rabbit out of the hat is lost when you agree that it must have > been > been there all along, just hidden to you. There are at least two ways > for this to happen that come to mind. > 3a). The inbox folder and/or its directory are corrupt. The mail > client re-creates the emails as well as it can from retained data but > never fully clears the data because it is damaged. In my experience > the only way I have seen that works, is to "lose" the inbox altogether. > The "inbox" usually exists as two files in a folder unique to your email > client - as you are using Opera, I can't help you locate it, but to note > that it is probably hidden in "Application Data" or "Local Settings" > or "Identities" behind a "hexadecimal key" like > {#A#####A-A###-#A##-AAA#-####A##A###A}which is > bound to a registry entry which gives the folder special properties. > Assuming you locate the Opera mail folder, there is at least a fair > chance you will find two files one "Inbox.???" and one "Inbox.db?" > The first usually contains a "spool" of received email bodies recorded > head > to tail to head as they come in. The second contains the email headers > and a data record of the byte points in the first file that a given > record > begins and ends. The mail client builds the Inbox you see from these > two records: it really is not a DOS/Windows folder, but a facsimile. > If the email client is showing an "empty" Inbox, but the two files you > have found contain more than a few kb of data, the records are > quite possibly corrupt: sometimes a single illegal character can throw > an exception flag in the client, causing further processing to fail, > while > the client shows only the apparently empty Inbox. > 3b). Similar to 3a, except that the bad data tripping up the > client consists of a virm or partial virm attachment to an email. > Netsky.D > or Netsky.P, and Beagle can do this. I have seen it happen: The client > shows the folder as "empty" but the data files show a very different > picture. > > 4). Without regard for how the Inbox may be "corrupt", do not delete > one component (file) and leave the other as that may really "mess with" > the > client and result in data overflow errors and crash the program and/or > the system. Because the files are probably "protected" behind the hex > key noted above, there is a good chance you can't delete them where > they stand. However, a cut-paste operation can move them to the desktop > or elsewhere and you may study or delete them there (a reboot may be > necessary). Next time you run the client, it will usually automatically > create new, clean data records for "Inbox", as it is built into clients > to > do so. > > Repeating myself as necessary to my mental process: What I see in > the Inbox exists (at least) only on my computer, and may or may > not exist elsewhere: three and four above are moot if the mystery > emails really are on SC's server, but I doubt there is much chance of > that. > > The above is clearly not an answer to your question, but may offer an > approach to resolving the problem the question poses. The answer to > your question is more likely nobody has the answer, so be patient with > me for being obtuse. It is unintentional and probably relates to a > long standing impairment. Best of luck working this out. > > Glenn > > Sorry about late replies. I can't get to lists during the day because of my employer's firewall. This is intriguing, although I am unsure how both Opera and Outlook files would be damaged in exactly the same way. I will follow up on this. I will also try a completely different machine to see if the problem reoccurs there as well. I have a clean XP machine that has never been used for e-mail. -- Using Opera's revolutionary e-mail client: http://www.opera.com/m2/ From nobody at devnull.spamcop.net Mon Jul 19 23:47:52 2004 From: nobody at devnull.spamcop.net (Glenn Daniels) Date: Mon Jul 19 22:50:02 2004 Subject: [SC-Help] Re: A Bounce to 9 Recipients References: <8JidnTtFBMNW52HdRVn-qg@adelphia.com> Message-ID: "John E. Malmberg" wrote in message > Perky Not wrote: > > Message posted in .spam > > > > Can this be reported to spamcop? > > That sure does not look like a bounce to me. > > Does the spamcop.net parser think it is a bounce? > Agreed. It is most unlike Mailer-Daemon to bounce to a list. In setting up filters it has been my practice to filter in the important communications from Mailer-Daemon as necessary if evil, he's a good daemon if indeed a daemon at all. Looks to me like spammy figured it for a good sender to forge as the from, but Spammy has his fingerprints on the mailing list. I would report as spam AND manually alert Yahoo! to this new abuse of their valued and trusted trademark. I'd not like to be in Spammy's shoes if Yahoo! tracks him down and sues for damages! Glenn From jimwasson at spamcop.net Mon Jul 19 20:50:01 2004 From: jimwasson at spamcop.net (Jim Wasson) Date: Mon Jul 19 22:50:10 2004 Subject: [SC-Help] Re: My old, deleted mail keep reappearing. References: Message-ID: On Mon, 19 Jul 2004 12:38:48 -0400, eddie wrote: > On Mon, 19 Jul 2004 06:08:58 -0700, Jim Wasson scratched out the > following: > > snip >> They just "reappears" >> sometime later, both in the popped mail and in SC's webmail. When they >> do >> reappear, I have to go to the SC WebMail and delete them there. They >> then >> don't seem to >> get removed when I pop them. >> in SC's server, not the ISP's spool. > > Could it be some other, intermediate server popping them up out of > storage from somewhere on the net? Can you trace the headers to see > anything strange? I guess it's possible. I use Earthlink broadband in San Diego (same physical plant as Road Runner). My next step is to use my fresh XP box to see if the problem shows up there, too. I will use a completely different pop3 client there, too. Here is a sample header from one of the messages I culled from Opera, originally received in 2001 and received again on 10 Jul 2004: Return-Path: Delivered-To: spamcop-net-jimwasson@spamcop.net Received: (qmail 28503 invoked from network); 10 Jul 2004 10:39:35 -0000 Received: from unknown (HELO c60.cesmail.net) (192.168.1.105) by blade4.cesmail.net with SMTP; 10 Jul 2004 10:39:35 -0000 Received: from mailgate.cesmail.net (216.154.195.36) by c60.cesmail.net with SMTP; 10 Jul 2004 06:39:18 -0400 X-Ironport-AV: i="3.81R,160,1083556800"; d="scan'208"; a="86769620:sNHT27875896" Received: (qmail 20714 invoked from network); 10 Jul 2004 10:39:18 -0000 Received: from unknown (HELO mailgate.cesmail.net) (192.168.1.101) by mailgate.cesmail.net with SMTP; 10 Jul 2004 10:39:18 -0000 X-RocketMail: 00000001;----S-----------;1764 X-RocketMIF: 986757115;3047;122a928d529de2c59f083c6200a03a96 X-RocketRCL: 2306;1;2743017508 X-RocketUID: 0000000075 X-Apparently-To: jimwasson1@yahoo.com via web12801.mail.yahoo.com Received: from popgate.cesmail.net [192.168.1.201] by mailgate.cesmail.net with POP3 (fetchmail-6.2.1) for jimwasson@spamcop.net (single-drop); Sat, 10 Jul 2004 06:39:18 -0400 (EDT) Received: from smtppassport2.microsoft.com (207.46.198.49) by mta108.mail.yahoo.com with SMTP; 08 Apr 2001 12:11:55 -0700 (PDT) Received: from mail pickup service by smtppassport2.microsoft.com with Microsoft SMTPSVC; Sun, 8 Apr 2001 12:11:49 -0700 From: Passport Member Services To: jimwasson1@yahoo.com Subject: Welcome to Microsoft Passport--Making the Web Easier, Faster, and More Secure Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Message-ID: <008024911190841CPPPWBUTLB05@smtppassport2.microsoft.com> Date: 8 Apr 2001 12:11:49 -0700 Content-Length: 1110 X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on blade4 X-Spam-Level: X-Spam-Status: hits=0.0 tests=none version=2.63 X-SpamCop-Checked: 192.168.1.105 216.154.195.36 192.168.1.101 192.168.1.201 207.46.198.49 -- Using Opera's revolutionary e-mail client: http://www.opera.com/m2/ From eddie at eddie.web Tue Jul 20 00:21:45 2004 From: eddie at eddie.web (eddie) Date: Mon Jul 19 23:25:13 2004 Subject: [SC-Help] Re: My old, deleted mail keep reappearing. References: Message-ID: On Mon, 19 Jul 2004 19:50:01 -0700, Jim Wasson scratched out the following: snip > Here is a sample header from one of the messages I culled from Opera, > originally received in 2001 and received again on 10 Jul 2004: > Return-Path: Delivered-To: could be a MS server problem. Do you have the headers from the 2001 transaction? From eddie at eddie.web Tue Jul 20 00:24:08 2004 From: eddie at eddie.web (eddie) Date: Mon Jul 19 23:25:27 2004 Subject: [SC-Help] Re: My old, deleted mail keep reappearing. References: Message-ID: On Sat, 17 Jul 2004 21:37:28 -0700, Jim Wasson scratched out the following: > I posted this a few weeks ago but now the problem has come back. > Periodically large numbers of old mail keeps reappearing in my spamcop > webmail and when I pop it, I get hundreds of old emails -- mail from years > ago. snip Slightly off-topic - I read a while ago that with the internet, nothing ever goes away. Every email, website, newsgroup posting, - it's all there forever, even when you think you have deleted it. Much like in hologram, in which any small part can be used to regenerate the whole. With your strange email problem, you are definitely proving it. :) From no_one at noplace.org Mon Jul 19 21:29:24 2004 From: no_one at noplace.org (Perky Not) Date: Mon Jul 19 23:30:02 2004 Subject: [SC-Help] Re: A Bounce to 9 Recipients References: <8JidnTtFBMNW52HdRVn-qg@adelphia.com> Message-ID: "Glenn Daniels" wrote in message news:cdi14h$288$1@news.spamcop.net... > "John E. Malmberg" wrote in message > > Perky Not wrote: > > > Message posted in .spam > > > > > > Can this be reported to spamcop? > > > > That sure does not look like a bounce to me. > > > > Does the spamcop.net parser think it is a bounce? > > > > Agreed. It is most unlike Mailer-Daemon to bounce to a list. > In setting up filters it has been my practice to filter in the important > communications from Mailer-Daemon as necessary if evil, he's > a good daemon if indeed a daemon at all. Looks to me like > spammy figured it for a good sender to forge as the from, but > Spammy has his fingerprints on the mailing list. I would > report as spam AND manually alert Yahoo! to this new abuse > of their valued and trusted trademark. I'd not like to be in > Spammy's shoes if Yahoo! tracks him down and sues for > damages! > > Glenn > > Thanks for the feedback. I did manually submit to the parser and it was accepted. If you care the link is: http://www.spamcop.net/sc?id=z558056561zb4cdd3abe3f5469ca6f4a38864bd0a4dz -- Perky Not From nobody at devnull.spamcop.net Tue Jul 20 00:39:47 2004 From: nobody at devnull.spamcop.net (Glenn Daniels) Date: Mon Jul 19 23:40:02 2004 Subject: [SC-Help] Re: My old, deleted mail keep reappearing. References: Message-ID: "Jim Wasson" wrote in message > Glenn Daniels wrote: > [...], etc. > > > > Sorry about late replies. I can't get to lists during the day because > of my employer's firewall. > > This is intriguing, although I am unsure how both Opera and Outlook > files would be damaged in exactly the same way. I will follow > up on this. I will also try a completely different machine to see if > the problem reoccurs there as well. I have a clean XP machine that has > never been used for e-mail. > I see that I have misperceived the difficulty. I was thinking you were having the difficulty with Opera only as used with the SC account, and that you were not having the problem with OE as used with the ISP account. In any case the first step to unraveling a magician's trick is to accept that it is a trick: the rabbit does not materialize, but does come out of hiding. You need only find the hiding place to learn the trick. Is there any way to access the ISP account online and manage to clear the spool from there? I am guessing that the thread on the ISP's spooler is corrupt, sometimes you access the whole thread and sometimes you don't, but the thread never comes completely off the spool because the thread is broken at one (or more) places, from several years back. There may be merit in trying to unwind the spool from another machine on your end, but if that fails, you may need to access the account from the server through the ISP's online interface. You know that the rabbit is hidden from you, and there is no magic in the trick when once you find the rabbit. Glenn From ob1db at spamcop.net Tue Jul 20 00:49:22 2004 From: ob1db at spamcop.net (David Butler) Date: Mon Jul 19 23:50:03 2004 Subject: [SC-Help] Re: Curious why possible relay not reported References: Message-ID: "Mike Easter" wrote in message news:cdhkhe$obt$1@news.spamcop.net... > David Butler wrote: > www.spamcop.net/sc?id=z557593125z5dea320fc3b8904bbc8fb95e0bb3bfd2z > > > > I am probably reading this wrong, > > > > Received: from 202.82.33.199 (HELO 64.156.215.7) (202.82.33.199) > > Sourceline, listed proxy, chain breaks, helo bogosity, end of line. > From the parser's point of view, it will not chain past a listed open > proxy whether it can 'see' the helo bogosity or not. > > > 202.82.33.199 listed in cbl.abuseat.org ( 127.0.0.2 ) > > Open proxies untrusted as relays > > > > shouldn't 166.140.54.243 get reported as a possible relay? > > No. > > I find 'open proxies untrusted as relays' to not be a good way to say > what is going on, except SC is 'saying' "I'm not going any further than > this regardless of whether the next 'by' field down looks like it > belongs to this IP or not." That is, even if the next line were somehow > constructed to 'look good' as a relay's domainstamp, SC isn't going to > regard it. > > > Or is it just a fake based on the IP not being valid for the alleged > > source and not showing the handoff to 202.82.33.199? > > The next line down isn't even a properly constructed trace line; it > wouldn't fool SC even if SC tried to look at it, which it doesn't. > Altho' it appears that SC 'starts' to look at the next line down by > looking at the IP in the 'from' field, it never 'bothers' to look at the > 'by' field - it just 'drops' the examination of the last traceline > because it is 'locked' on the '202.82.33.199 listed in cbl.abuseat.org > ( 127.0.0.2 )' > Thanks, Maestro! David From nobody at devnull.spamcop.net Tue Jul 20 01:12:15 2004 From: nobody at devnull.spamcop.net (Glenn Daniels) Date: Tue Jul 20 00:15:03 2004 Subject: [SC-Help] Re: A Bounce to 9 Recipients References: <8JidnTtFBMNW52HdRVn-qg@adelphia.com> Message-ID: "Perky Not" wrote in message > "Glenn Daniels" wrote in message > > "John E. Malmberg" wrote in message > > > Perky Not wrote: > > > > Message posted in .spam > > > > Can this be reported to spamcop? > > > That sure does not look like a bounce to me. > > > Does the spamcop.net parser think it is a bounce? > > Agreed. It is most unlike Mailer-Daemon to bounce to a list. > > Spammy has his fingerprints on the mailing list. I would > > report as spam AND manually alert Yahoo! to this new abuse > > of their valued and trusted trademark. > Thanks for the feedback. I did manually submit to the parser and it was > accepted. If you care the link is: > > http://www.spamcop.net/sc?id=z558056561zb4cdd3abe3f5469ca6f4a38864bd0a4dz > Small comfort for me that the algorithm agrees with three humans: If it did not, we would simply accept that it could be in error, and seek to correct the algorithm. Any hope of prodding you to manually report the abuser to Yahoo!? I understand that their foremost concern is for keeping spammers out of their space. But being big means being an easy target, and as a loyal Yahoo! fan I am offended as much by the abuse of their trademark as I am by the violation of all the whitelists that filter in "Mailer-Daemon" without respect to which ISP he speaks for at the moment. I would like to see spammy grappling with a meaningful consequence as would discourage any other spammer from taking his lead. As a Yahoo! client I coud report spam I receive in my Yahoo! account, but that I've never gotten any. I don't know exactly how to apprise Yahoo! of the abuse of their trademark, but would try to access the path to the right abuse desk if you could see fit to report your spam to them. There must be a way to communicate to them that it is not to complain of an in-house Yahoo! abuser but about an out-house Yahoo! abuser, so that admin at Yahoo! might have a kind word with admin at Spammy's ISP so that this does not happen in the future. Glenn From no_one at noplace.org Mon Jul 19 23:04:30 2004 From: no_one at noplace.org (Perky Not) Date: Tue Jul 20 01:05:24 2004 Subject: [SC-Help] Re: A Bounce to 9 Recipients References: <8JidnTtFBMNW52HdRVn-qg@adelphia.com> Message-ID: "Glenn Daniels" wrote in message news:cdi62o$6fe$1@news.spamcop.net... > "Perky Not" wrote in message > > "Glenn Daniels" wrote in message > > > "John E. Malmberg" wrote in message > > > > Perky Not wrote: > > > > > Message posted in .spam > > > > > Can this be reported to spamcop? > > > > > That sure does not look like a bounce to me. > > > > Does the spamcop.net parser think it is a bounce? > > > > Agreed. It is most unlike Mailer-Daemon to bounce to a list. > > > Spammy has his fingerprints on the mailing list. I would > > > report as spam AND manually alert Yahoo! to this new abuse > > > of their valued and trusted trademark. > > > Thanks for the feedback. I did manually submit to the parser and it was > > accepted. If you care the link is: > > > > http://www.spamcop.net/sc?id=z558056561zb4cdd3abe3f5469ca6f4a38864bd0a4dz > > > > Small comfort for me that the algorithm agrees with three humans: > If it did not, we would simply accept that it could be in error, and > seek to correct the algorithm. > > Any hope of prodding you to manually report the abuser to Yahoo!? > I understand that their foremost concern is for keeping spammers out > of their space. But being big means being an easy target, and as a > loyal Yahoo! fan I am offended as much by the abuse of their trademark > as I am by the violation of all the whitelists that filter in > "Mailer-Daemon" > without respect to which ISP he speaks for at the moment. I would > like to see spammy grappling with a meaningful consequence as would > discourage any other spammer from taking his lead. As a Yahoo! client > I coud report spam I receive in my Yahoo! account, but that I've never > gotten any. I don't know exactly how to apprise Yahoo! of the abuse > of their trademark, but would try to access the path to the right abuse > desk if you could see fit to report your spam to them. > > There must be a way to communicate to them that it is not to complain > of an in-house Yahoo! abuser but about an out-house Yahoo! abuser, > so that admin at Yahoo! might have a kind word with admin at Spammy's > ISP so that this does not happen in the future. > > Glenn > > Done -- Perky Not From nobody at devnull.spamcop.net Tue Jul 20 02:14:03 2004 From: nobody at devnull.spamcop.net (Glenn Daniels) Date: Tue Jul 20 01:15:03 2004 Subject: [SC-Help] Re: A Bounce to 9 Recipients References: <8JidnTtFBMNW52HdRVn-qg@adelphia.com> Message-ID: "Perky Not" wrote in message [...] > > Done > > -- > > Perky Not > > Thank you, really, thank you a lot! Glenn From flippetyfloo at fake.com Tue Jul 20 00:20:12 2004 From: flippetyfloo at fake.com (RandallW) Date: Tue Jul 20 02:25:03 2004 Subject: [SC-Help] change of topic, now about reading/viewing spam References: Message-ID: "Mike Easter" wrote in message news:cdfr4b$cbr$1@news.spamcop.net... > As a general rule, opening and reading a spam is doing it 'their way' - > and the score is in the spammer's favor. As a general rule, simply > reporting a spam doesn't do much of anything. So, opening and reading a > spam which is subsequently reported scores for the spammer. > > I can elaborate on the details of scoring more as necessary to describe > how to get ahead of the spammer; but the 'simplest' way to get ahead of > the spammer would be to stay even by never opening or reading a spam and > simply deleting it; or /better/ to report a spam without ever opening > and/or reading it. > > Of course, there are numerous other options for spamfighters, which also > includes even 'visiting' or GETing the website -- but there is more > complexity in scoring in 'advanced' spamfighting. > I have my preview pane in Outlook Express off, and I 'read' the mail by looking at the Properties/Details; this doesn't 'open' the mail, does it? From nobody at devnull.spamcop.net Tue Jul 20 04:08:58 2004 From: nobody at devnull.spamcop.net (Glenn Daniels) Date: Tue Jul 20 03:10:22 2004 Subject: [SC-Help] Re: change of topic, now about reading/viewing spam References: Message-ID: "RandallW" wrote in message > "Mike Easter" wrote > > As a general rule, opening and reading a spam is doing it 'their way' - > > and the score is in the spammer's favor. As a general rule, simply > > reporting a spam doesn't do much of anything. So, opening and reading a > > spam which is subsequently reported scores for the spammer. > > [...] > > > > Of course, there are numerous other options for spamfighters, which also > > includes even 'visiting' or GETing the website -- but there is more > > complexity in scoring in 'advanced' spamfighting. > > > > I have my preview pane in Outlook Express off, and I 'read' the mail by > looking at the Properties/Details; this doesn't 'open' the mail, does it? > I think it may be a problem verb or a proverbial verbal problem. It is not that you have 'opened' the file, and are reading it in a plain text editor, but that you are not 'opening' it in an email client with html support and javascript support which may permit security compromises that allow data to be returned to the spammer that the email was even received, even when you may have specifically opted not to respond to notifications of receipt to be returned. Although M$FT may have provided patches for known java exploits, people have come, from experience, to mistrust spammers, and it is the undiscovered exploits that raise the bar to "seeing" spam. After you see a few of the "tricks" like hiding a link to a porn site behind an unsubscribe link, you just don't want to see any more. Spammy makes it his business to get a reaction, and even a negative reaction validates your addy as a "hot lead" that can be sold and resold at auction, while a "cold lead" has less marketability. I can't find the right verb. But the desired effect is to "see" the spam without "seeing" it, and depriving Spammy of a score for your "not seeing it": if you can make sense of the angulation. Glenn From infinite at nospam-totalink.net Tue Jul 20 04:44:39 2004 From: infinite at nospam-totalink.net (Wayne P.) Date: Tue Jul 20 03:45:02 2004 Subject: [SC-Help] SDK / Integration Docs? Message-ID: I am writing an application and I would like to include SpamCop lookup funtionality, but I cannot seem to find links to such documentation on the website. Could someone point me to such docs? Thanks! Wayne P. From nobody at devnull.spamcop.net Tue Jul 20 04:03:01 2004 From: nobody at devnull.spamcop.net (WazoO) Date: Tue Jul 20 04:05:03 2004 Subject: [SC-Help] Re: SDK / Integration Docs? References: Message-ID: "Wayne P." wrote in message news:cdiigq$g31$1@news.spamcop.net... > I am writing an application and I would like to include SpamCop lookup > funtionality, but I cannot seem to find links to such documentation on the > website. > > Could someone point me to such docs? http://www.spamcop.net/fom-serve/cache/3.html SpamCop uses a combination of Unix utilities (dig, nslookup, finger) to cross-check all the information in an email header and find the email address of the administrator on the network where the email originated. Noting that there's just a bit more to it, thus the lack of any real competitor in the same league as Julian's tool set. From MikeE at ster.invalid Tue Jul 20 03:41:57 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jul 20 05:45:23 2004 Subject: [SC-Help] Re: change of topic, now about reading/viewing spam References: Message-ID: RandallW wrote: > I have my preview pane in Outlook Express off, and I 'read' the mail > by looking at the Properties/Details; this doesn't 'open' the mail, > does it? No. According to my scoring system you are 'inspecting' the spam on the way to the reporting process. That 'style' of examination could be used by a 'primitive' and security vulnerable unpatched Outlook Express on a spam while working online and thus avoiding rendering the html and activating any webbugs. It could also be used on a virm to isolate and 'capture' the executable portion of the propagation even if the 'handler' didn't have an AV agent working. Examination of the interior of a spam doesn't count as spamreading. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Tue Jul 20 03:50:50 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jul 20 05:55:03 2004 Subject: [SC-Help] Re: My old, deleted mail keep reappearing. References: Message-ID: Jim Wasson wrote: > Here is a sample header from one of the messages I culled from Opera, > originally received in 2001 and received again on 10 Jul 2004: > X-Apparently-To: jimwasson1@yahoo.com via web12801.mail.yahoo.com > Received: from smtppassport2.microsoft.com (207.46.198.49) by > mta108.mail.yahoo.com with SMTP; 08 Apr 2001 12:11:55 -0700 (PDT) There's the spool where that one is 'stuck'. That yahoo webmail gizmo. -- Mike Easter kibitzer, not SC admin From burke10 at attglobal.net Tue Jul 20 11:32:17 2004 From: burke10 at attglobal.net (bi-ker-shi) Date: Tue Jul 20 06:35:02 2004 Subject: [SC-Help] Re: spammers using my domain name, any suggestions? References: Message-ID: > "Evan" wrote in message > news:cdgqbm$1l2$1@news.spamcop.net... > Hi, > Some spammers have started using my domain name (eustace.net) in the > falsified from addresses in the spam they are sending. The end result is > that I am getting a lot of bounced mail (I receive all mail to the > domain addressed to unknown address e.g. abcd@eustace.net) I have a > feeling that there is nothing I can do about this, but if anyone can > suggest any course of action I would appreciate it. I am worried about > my domain name being blacklisted because of this. > The original sending locations of the spam seem to be varied, e.g.: > dsl-152-108.utaonline.at [62.218.152.108] > lon1-mail-2.visp.demon.net [193.195.70.5] > > and the falsified from fields are randomized: wptvhu@eustace.net, > gustul@eustace.net, yekqdiernf@eustace.net > > Please let me know if you have any suggestions on what, if anything, I > can do. > > Thanks, > evan > Evan, If you have the time and energy to fight this thing, here are some suggestions: 1. Reporting The Proxies / Zombies. Since it is a criminal offence to forge email headers like this, the spammers are careful to cover their tracks. They use open proxies and zombie robots to relay the spam. If you have a large number of bounces, you can run grep over them and pull out the originating IP address as reported by the bouncing MTA. This will be a line that has your domain name in it plus an IP address. You can report these to Spamcop as single line IP addresses. Spamcop replies with some details of the ISP involved if you want to send off a complaint. I believe that Spamcop will also take your report on the IP address into account when blacklisting the IP. Almost everytime I have tried this however, Spamcop had already blacklisted the IP address. 2. You can send copies of the Spam to BrightMail and ask them to analyse it for incorporation into their filters. The address I use is spammail@attglobal.net since I have an at&t account. I mark it for the attention of Brightmail.Brightmail provide a very widely used spam filtering service, used by at&t and by IronPort the parent company of SpamCop in their email filtering systems. Interestingly I have never received a bounce from AT&T, but I get them from others like AOL. 3. If the Spam contains a URL, it is possible to follow the money and create a lot of trouble for the spammer. The URL may be hosted in China, but you can usually track down the real identities of those behind the crimes by consulting the spamhaus roxo data base. You can then quote these identities in complaints to both the bouncers and the relayers. Also such URL's need some way for the targets to make contact, e.g. they may list a phone number where drugs are prescribed, this becomes another weak point as these numbers can be traced back by various means. Some types of Spam are not easily traceable. There has been a Speight of Pump and Dump penny stock scams going around lately. They buy a large block of stock, send out spam promoting it and hope to sell at a profit. Report all such events to enforcement@sec.gov. I am planning to start my own NG for victims of this sort of Spam. If enough of us get together we could make very strong demands against some ISP's who's lax policies allow this sort of crime to continue. From rvaessen at spamcop.net Tue Jul 20 07:33:57 2004 From: rvaessen at spamcop.net (Robert L. Vaessen) Date: Tue Jul 20 08:34:22 2004 Subject: [SC-Help] Reporting spammers email addresses In-Reply-To: References: Message-ID: <11F720DC-DA49-11D8-AE90-000A95B66266@spamcop.net> Gabriel - Please don't report email addresses. Most are forged (upwards of 90%), many are hijacked email addresses. My email address (multiple domains) has been hijacked several times. Reporting the email addresses from spam only makes things worse. Imagine if your email address were forged onto the From: or Reply-To: address of a million spam messages! Now imagine explaining to your ISP, system administrators, and irate individuals that you are not a spammer! I wouldn't be surprised If you've seen a few spam messages with your email address in the From: or Reply-To: field. It's an increasingly used tactic by spammers. Most people white list/accept email messages from themselves, without regard to content. Spammers often forge the addresses of known anti-spammers just to make our life more like theirs. Full of hate, deceit and confusion. - Robert On Jul 19, 2004, at 11:49, Gabriel Menini wrote: > Hello, there > > I've been working reporting spam entire messages and email addresses > for the las three weeks and I really feel like a /Spam Fighter/ ;-) > > Now, I have a question: > > My ISP blocks my email account and every night send me a list of > blocked spammers (email addresses, sometimes forged, sometimes real). > > I want to know if there's a possiblity to report those addresses in a > bunch, perhaps one per line in some kind of HTML form at spamcop.net > > When tried that, the system told me that it was erroneous. > So, I had to report 20+ spammer addresses one by one .. :-\ > > How can I report a list of spammer addresses as a batch? > > > T.I.A. > > Greetings from Uruguay. > -- > Gabriel Menini > > ||| replace domain spamhole.com with sg-guarani.org ||| > > IT Support > Guarani Aquifer System Project ------------------ "I don't do .INI, .BAT, .DLL, or .SYS files. I don't assign apps to files. I don't configure peripherals or networks before using them. I have a computer to do all that. I have a Macintosh, not a hobby." -- Fritz Anderson ------------------ From jimwasson at spamcop.net Tue Jul 20 06:43:09 2004 From: jimwasson at spamcop.net (Jim Wasson) Date: Tue Jul 20 08:45:03 2004 Subject: [SC-Help] Re: My old, deleted mail keep reappearing. References: Message-ID: On Mon, 19 Jul 2004 23:21:45 -0400, eddie wrote: > On Mon, 19 Jul 2004 19:50:01 -0700, Jim Wasson scratched out the > following: > > snip >> Here is a sample header from one of the messages I culled from Opera, >> originally received in 2001 and received again on 10 Jul 2004: >> > Return-Path: Delivered-To: > > could be a MS server problem. > Do you have the headers from the 2001 transaction? What I posted seems to be the entire header. It's from my Opera client. I had already deleted the copies from Outlook. -- Using Opera's revolutionary e-mail client: http://www.opera.com/m2/ From jimwasson at spamcop.net Tue Jul 20 06:44:27 2004 From: jimwasson at spamcop.net (Jim Wasson) Date: Tue Jul 20 08:45:13 2004 Subject: [SC-Help] Re: My old, deleted mail keep reappearing. References: Message-ID: On Tue, 20 Jul 2004 02:50:50 -0700, Mike Easter wrote: > Jim Wasson wrote: >> Here is a sample header from one of the messages I culled from Opera, >> originally received in 2001 and received again on 10 Jul 2004: > >> X-Apparently-To: jimwasson1@yahoo.com via web12801.mail.yahoo.com > >> Received: from smtppassport2.microsoft.com (207.46.198.49) by >> mta108.mail.yahoo.com with SMTP; 08 Apr 2001 12:11:55 -0700 (PDT) > > There's the spool where that one is 'stuck'. That yahoo webmail gizmo. > I think that is from the original message from April 2001. The mail was taken by Spamcop from my Yahoo account. -- Using Opera's revolutionary e-mail client: http://www.opera.com/m2/ From nobody at spamcop.net Tue Jul 20 07:52:49 2004 From: nobody at spamcop.net (Ellen) Date: Tue Jul 20 08:55:04 2004 Subject: [SC-Help] Re: A Bounce to 9 Recipients References: <8JidnTtFBMNW52HdRVn-qg@adelphia.com> Message-ID: > "Glenn Daniels" wrote in message > news:cdi14h$288$1@news.spamcop.net... > > "John E. Malmberg" wrote in message > > > Perky Not wrote: > > > > Message posted in .spam > > > > > > > > Can this be reported to spamcop? > > > > > > That sure does not look like a bounce to me. > > > > > > Does the spamcop.net parser think it is a bounce? > > > > > > > Thanks for the feedback. I did manually submit to the parser and it was > accepted. If you care the link is: > > http://www.spamcop.net/sc?id=z558056561zb4cdd3abe3f5469ca6f4a38864bd0a4dz > Looks me like these are the only legit items in the header: Received: from 165.254.adsl.sltnet.lk ([220.247.254.165](misconfigured sender)) by worldnet.att.net (mtiwmxc14) with SMTP id <2004071921551501400igj1se>; Mon, 19 Jul 2004 21:55:32 +0000 X-Originating-IP: [220.247.254.165] The rest is probably forged I would suspect or at least highly unreliable. There is nothing that indicates to me that the yahoo/egroups headers are legit but perhaps they are. I have seen similar forged sets of yahoo/egroups headers on other spams in the past. Personally I think yahoo had nothing to do with this but I may be wrong about that. Ellen From MikeE at ster.invalid Tue Jul 20 08:44:32 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jul 20 10:50:20 2004 Subject: [SC-Help] Re: My old, deleted mail keep reappearing. References: Message-ID: Jim Wasson wrote: > Mike Easter >> Jim Wasson wrote: >>> Here is a sample header from one of the messages I culled from >>> Opera, originally received in 2001 and received again on 10 Jul >>> 2004: >> >>> X-Apparently-To: jimwasson1@yahoo.com via web12801.mail.yahoo.com >> >>> Received: from smtppassport2.microsoft.com (207.46.198.49) by >>> mta108.mail.yahoo.com with SMTP; 08 Apr 2001 12:11:55 -0700 (PDT) >> >> There's the spool where that one is 'stuck'. That yahoo webmail >> gizmo. > > I think that is from the original message from April 2001. The mail > was taken by Spamcop from my Yahoo account. I understand perfectly. Here is the whole route: Abbreviated Recvd lines *comment from (192.168.1.105) by blade4.cesmail.net from mailgate.cesmail.net (216.154.195.36) by c60.cesmail.net from (192.168.1.101) by mailgate.cesmail.net from popgate.cesmail.net [192.168.1.201] by mailgate.cesmail.net from smtppassport2.microsoft.com (207.46.198.49) by mta108.mail.yahoo.com *timeshift from mail pickup service by smtppassport2.microsoft.com If the yahoo gets 'stuck' it will feed oldstuff to the spamcop. -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Tue Jul 20 11:54:58 2004 From: nobody at devnull.spamcop.net (Glenn Daniels) Date: Tue Jul 20 10:55:03 2004 Subject: [SC-Help] Re: My old, deleted mail keep reappearing. References: Message-ID: "Mike Easter" wrote in message > Jim Wasson wrote: > > Here is a sample header from one of the messages I culled from Opera, > > originally received in 2001 and received again on 10 Jul 2004: > > > X-Apparently-To: jimwasson1@yahoo.com via web12801.mail.yahoo.com > > There's the spool where that one is 'stuck'. That yahoo webmail gizmo. > Mike: That was my "read" of the line, but I kind of took it as a possible forgery. You *are* the scherpa here, but I thought I might have covered that base by suggesting that he access the account through the ISP's online interface and deleting the unwanted holdouts from there. If indeed you are correct as I suspect, that may be not only his best bet, but may well be his only option. As a user of a "free" Yahoo! account, I have no POP access to the account. POP access is only available to paid Yahoo! mail accounts. Jim must be using a paid Yahoo! account if SC is able to read that spool at all. I am thinking in my confused way that he may have originally opened a "free" account and, later, deciding that he liked it, converted to a paid account. SC might then be able to "see" the older thread on the spool, but not have permission to "touch" it as the files may not "belong" to a POP thread and can't be manipulated through the POP/SMTP protocols. SC may make the right transactions to delete the old files, but can't using its protocols, and neither can Jim using his mail client from his own machine because they may be a "forbidden fruit": look, but don't touch, these emails are not the property of your POP thread. If I am right, he has no choice but to log in to his Yahoo! mail account from their online interface, and manipulate the emails to his satisfaction from there. Once those emails are removed from Yahoo!'s spool, they ought not be visible from anywhere. As a side note, Yahoo! is not the right ISP for Spammy to be spamming, because they are overtly not spam friendly. I have been with them for at least five years and I have yet to receive spam on that account. If I did, they provide a workable set of tools for sorting out and discarding bulk emails and reporting spam as well, so at least in theory, Jim need not be seeing much spam. If he is getting much spam, he may do well to let Yahoo! filter out the obvious, blocklisted spams, for him, and focus his SC efforts on reporting only the spams that are not already blocklisted and manage to slip by their filters. Glenn, but what would I know? From MikeE at ster.invalid Tue Jul 20 09:25:08 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jul 20 11:30:02 2004 Subject: [SC-Help] Re: My old, deleted mail keep reappearing. References: Message-ID: Glenn Daniels wrote: > "Mike Easter" >> There's the spool where that one is 'stuck'. That yahoo webmail >> gizmo. > That was my "read" of the line, but I kind of took it as a possible > forgery. The headers he posted are a 'straightup' MS Passport 'spam' - no forgery involved. Subject: Welcome to Microsoft Passport--Making the Web Easier, Faster, and More Secure The item was sent from a MS server with a MS msgid promoting a MS product sourced from a MS IP with a MS From. While it is true that many of those could be forged, and we don't see the actual body, you can find one in sightings from 2001 Nov http://snipurl.com/7vwx [snurled googlegroups] Newsgroups: news.admin.net-abuse.sightings Subject: [email] Welcome to Microsoft .NET Passport! Date: Sat, 3 Nov 2001 02:22:37 +0000 (UTC) Message-ID: <20011103032230.B14310@spin.it> The 'message' in that '01 Nov item is welcoming the individual who signed up for MS Passport NET. and its header looks like the item here until it gets to yahoo and beyond. > If I am > right, he has no choice but to log in to his Yahoo! mail account > from their online interface, and manipulate the emails to his > satisfaction from there. That sounds like a plan, Stan. -- Mike Easter kibitzer, not SC admin From eddie at eddie.web Tue Jul 20 13:05:08 2004 From: eddie at eddie.web (eddie) Date: Tue Jul 20 12:10:03 2004 Subject: [SC-Help] Re: My old, deleted mail keep reappearing. References: Message-ID: On Tue, 20 Jul 2004 02:50:50 -0700, Mike Easter scratched out the following: snip >> Received: from smtppassport2.microsoft.com (207.46.198.49) by >> mta108.mail.yahoo.com with SMTP; 08 Apr 2001 12:11:55 -0700 (PDT) > > There's the spool where that one is 'stuck'. That yahoo webmail gizmo. I wonder if that's the result of a Y2K+ glitch ? :) With Yahoo, all things are possible. And, of course, with Yahoo, who do you call? From eddie at eddie.web Tue Jul 20 13:07:17 2004 From: eddie at eddie.web (eddie) Date: Tue Jul 20 12:10:14 2004 Subject: [SC-Help] Re: My old, deleted mail keep reappearing. References: Message-ID: On Tue, 20 Jul 2004 05:43:09 -0700, Jim Wasson scratched out the following: snip > What I posted seems to be the entire header. It's from my Opera client. I > had already deleted the copies from Outlook. I missed it the first time around, but it seems as if we now understand the problem. A stuck needle on Yahoo's record player. From gmenini at spamhole.org Tue Jul 20 16:34:05 2004 From: gmenini at spamhole.org (Gabriel Menini) Date: Tue Jul 20 14:40:02 2004 Subject: [SC-Help] Reporting spammers email addresses In-Reply-To: References: Message-ID: Robert L. Vaessen wrote: > Gabriel - > > Please don't report email addresses. Most are forged (upwards of 90%), > many are hijacked email addresses. My email address (multiple domains) > has been hijacked several times. Thanks for the advice. > > Reporting the email addresses from spam only makes things worse. Imagine > if your email address were forged onto the From: or Reply-To: address of > a million spam messages! Now imagine explaining to your ISP, system > administrators, and irate individuals that you are not a spammer! Yes, I agree with you. Sometimes I get reports regarding my email address was used to spread some kind of virus/spam. That's because some fu?#~?#in' spammer forged my email address. > > I wouldn't be surprised If you've seen a few spam messages with your > email address in the From: or Reply-To: field. It's an increasingly used > tactic by spammers. Most people white list/accept email messages from > themselves, without regard to content. I wouldn't be surprised, too. ;-) > > Spammers often forge the addresses of known anti-spammers just to make > our life more like theirs. Full of hate, deceit and confusion. On the other hand, fighting the spam is a good choice. Go ahead, let's keep on working to reverse this nasty situation! > > - Robert Best regards, Gabriel > > > On Jul 19, 2004, at 11:49, Gabriel Menini wrote: > >> Hello, there >> >> I've been working reporting spam entire messages and email addresses >> for the las three weeks and I really feel like a /Spam Fighter/ ;-) >> >> Now, I have a question: >> >> My ISP blocks my email account and every night send me a list of >> blocked spammers (email addresses, sometimes forged, sometimes real). >> >> I want to know if there's a possiblity to report those addresses in a >> bunch, perhaps one per line in some kind of HTML form at spamcop.net >> >> When tried that, the system told me that it was erroneous. >> So, I had to report 20+ spammer addresses one by one .. :-\ >> >> How can I report a list of spammer addresses as a batch? >> >> >> T.I.A. >> >> Greetings from Uruguay. >> -- >> Gabriel Menini >> >> ||| replace domain spamhole.com with sg-guarani.org ||| >> >> IT Support >> Guarani Aquifer System Project > > > > ------------------ > "I don't do .INI, .BAT, .DLL, or .SYS files. I don't assign apps to > files. I don't configure peripherals or networks before using them. I > have a computer to do all that. I have a Macintosh, not a hobby." -- > Fritz Anderson > ------------------ > -- Gabriel Menini ||| replace domain spamhole.com with sg-guarani.org ||| IT Support Guarani Aquifer System Project From no_one at noplace.org Tue Jul 20 14:10:12 2004 From: no_one at noplace.org (Perky Not) Date: Tue Jul 20 16:15:03 2004 Subject: [SC-Help] Re: A Bounce to 9 Recipients References: <8JidnTtFBMNW52HdRVn-qg@adelphia.com> Message-ID: "Ellen" wrote in message news:cdj4fp$u47$1@news.spamcop.net... > > > > "Glenn Daniels" wrote in message > > news:cdi14h$288$1@news.spamcop.net... > > > "John E. Malmberg" wrote in message > > > > Perky Not wrote: > > > > > Message posted in .spam > > > > > > > > > > Can this be reported to spamcop? > > > > > > > > That sure does not look like a bounce to me. > > > > > > > > Does the spamcop.net parser think it is a bounce? > > > > > > > > > > > Thanks for the feedback. I did manually submit to the parser and it was > > accepted. If you care the link is: > > > > http://www.spamcop.net/sc?id=z558056561zb4cdd3abe3f5469ca6f4a38864bd0a4dz > > > > > Looks me like these are the only legit items in the header: > > Received: from 165.254.adsl.sltnet.lk ([220.247.254.165](misconfigured > sender)) > by worldnet.att.net (mtiwmxc14) with SMTP > id <2004071921551501400igj1se>; Mon, 19 Jul 2004 21:55:32 +0000 > X-Originating-IP: [220.247.254.165] > > The rest is probably forged I would suspect or at least highly unreliable. > There is nothing that indicates to me that the yahoo/egroups headers are > legit but perhaps they are. I have seen similar forged sets of yahoo/egroups > headers on other spams in the past. Personally I think yahoo had nothing to > do with this but I may be wrong about that. > > Ellen > > Ellen, When I sent the spam (as and attachment) to Yahoo I advised them that I was not reporting this as spam from Yahoo. I stated that I had sent it to SpamCop and was just notifying them that someone was spoofing their name. Thought they might be interested. -- Perky Not From nobody at devnull.spamcop.net Tue Jul 20 16:39:58 2004 From: nobody at devnull.spamcop.net (Cat) Date: Tue Jul 20 16:40:03 2004 Subject: [SC-Help] Reporting spammers email addresses In-Reply-To: References: Message-ID: (Top posting fixed) Robert L. Vaessen wrote: > On Jul 19, 2004, at 11:49, Gabriel Menini wrote: >> I want to know if there's a possiblity to report those addresses in a >> bunch, perhaps one per line in some kind of HTML form at spamcop.net >> >> When tried that, the system told me that it was erroneous. >> So, I had to report 20+ spammer addresses one by one .. :-\ >> >> How can I report a list of spammer addresses as a batch? > Gabriel - > > Please don't report email addresses. Most are forged (upwards of 90%), > many are hijacked email addresses. My email address (multiple domains) > has been hijacked several times. > > Reporting the email addresses from spam only makes things worse. Imagine > if your email address were forged onto the From: or Reply-To: address of > a million spam messages! Now imagine explaining to your ISP, system > administrators, and irate individuals that you are not a spammer! You're right that reporting e-mail addresses since they're often forged. If his address is ever forged and someone else reports him to his own ISP because that person doesn't understand about e-mail header forgery, then his ISP abuse admins should be smart enough to disregard such complaints. I think the other replies here pretty much covered everything to educate Gabriel that reporting forged e-mail addresses is useless. Also, when you reply to other people, please do not top post since that gets the conversation out of order. You'll notice by paying attention to most of the other posts in this newsgroup that the preferred method of netiquette is to snip any quoting you aren't replying to and add your own comments below each quoted point. See #6 at http://linux.sgms-centre.com/misc/netiquette.php and #1 and #2 at http://www.river.com/users/share/etiquette/ for more snipping and inline posting netiquette. -Cat SpamCop user, not an admin From jimwasson at spamcop.net Tue Jul 20 18:58:05 2004 From: jimwasson at spamcop.net (Jim Wasson) Date: Tue Jul 20 21:00:03 2004 Subject: [SC-Help] Re: My old, deleted mail keep reappearing. References: Message-ID: On Tue, 20 Jul 2004 12:07:17 -0400, eddie wrote: > On Tue, 20 Jul 2004 05:43:09 -0700, Jim Wasson scratched out the > following: > > snip >> What I posted seems to be the entire header. It's from my Opera client. >> I >> had already deleted the copies from Outlook. > > I missed it the first time around, but it seems as if we now understand > the problem. > A stuck needle on Yahoo's record player. Hmmmmm. I guess I need to study the mails further. I did do a number of things. All of these had been deleted from my Yahoo account using their on-line webmail interface. I only have a free Yahoo account, no paid access. I don't directly pop mail from that account. Spamcop accesses it for me and I subsequently pop the messages from there. I also deleted these from my Spamcop account using the webmail interface (numerous times). Maybe I should contact Yahoo's tech support. -- Using Opera's revolutionary e-mail client: http://www.opera.com/m2/ From MikeE at ster.invalid Tue Jul 20 21:07:38 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jul 20 23:10:03 2004 Subject: [SC-Help] Re: My old, deleted mail keep reappearing. References: Message-ID: Jim Wasson wrote: > Maybe I should contact Yahoo's tech support. Be sure to include some items with headers like the one you posted in this thread to show them what you are talking about. -- Mike Easter kibitzer, not SC admin From jimwasson at spamcop.net Tue Jul 20 22:57:00 2004 From: jimwasson at spamcop.net (Jim Wasson) Date: Wed Jul 21 01:00:03 2004 Subject: [SC-Help] Re: My old, deleted mail keep reappearing. References: Message-ID: On Mon, 19 Jul 2004 23:39:47 -0400, Glenn Daniels wrote: > "Jim Wasson" wrote in message >> Glenn Daniels wrote: >> [...], etc. >> > >> >> Sorry about late replies. I can't get to lists during the day because >> of my employer's firewall. >> >> This is intriguing, although I am unsure how both Opera and Outlook >> files would be damaged in exactly the same way. I will follow >> up on this. I will also try a completely different machine to see if >> the problem reoccurs there as well. I have a clean XP machine that has >> never been used for e-mail. >> > > I see that I have misperceived the difficulty. I was thinking you were > having the difficulty with Opera only as used with the SC account, and > that you were not having the problem with OE as used with the ISP > account. In any case the first step to unraveling a magician's trick > is to accept that it is a trick: the rabbit does not materialize, but > does > come out of hiding. You need only find the hiding place to learn the > trick. > > Is there any way to access the ISP account online and manage to clear > the spool from there? I am guessing that the thread on the ISP's spooler > is corrupt, sometimes you access the whole thread and sometimes you > don't, but the thread never comes completely off the spool because the > thread is broken at one (or more) places, from several years back. > > There may be merit in trying to unwind the spool from another machine > on your end, but if that fails, you may need to access the account from > the server through the ISP's online interface. You know that the rabbit > is hidden from you, and there is no magic in the trick when once you > find the rabbit. > > Glenn > > Well, the account from which these come is Yahoo. I have accessed it via their web browser interface and deleted these messages. They may still have some crazy glitch somewhere, though. -- Using Opera's revolutionary e-mail client: http://www.opera.com/m2/ From nobody at devnull.spamcop.net Wed Jul 21 02:56:11 2004 From: nobody at devnull.spamcop.net (Glenn Daniels) Date: Wed Jul 21 02:00:03 2004 Subject: [SC-Help] Re: My old, deleted mail keep reappearing. References: Message-ID: "Jim Wasson" wrote in message > Glenn Daniels wrote > > and so on... > > > > [...], etc. > Well, the account from which these come is Yahoo. I have accessed > it via their web browser interface and deleted these messages. They > may still have some crazy glitch somewhere, though. > Well, like you are way out of my league if you can access your free Yahoo! account from a POP client. I have gone to the other side of the hill, my journey being mostly downhill from where I am. And, with time, memory deteriorates. I have used Yahoo! Mail for what, maybe seven or eight years? I had always accepted it at face value, I could use the online ad supported interface for free, but I would need to convert to a paid account for POP services. I have never even tried to access the account through a mail client, and I'm a little surprised, no make that quite surprised, that you can make that work at all for a free account. I seem to remember access to POP services as one of the sell points for upgrading to a paid account. I honestly have no idea how you are doing what you are doing, but more power to you. If you can't get it to work the way you want it to work, now that sounds about right to me, as it has been my long term understanding that it ought not work at all! Be all that as it may, I do wish you the best of luck in resolving the case of the mysteriously materializing emails. Your magic skills are clearly far more advanced than my own. Glenn From infinite at nospam-totalink.net Wed Jul 21 03:23:14 2004 From: infinite at nospam-totalink.net (Wayne P.) Date: Wed Jul 21 02:25:02 2004 Subject: [SC-Help] Confused - different results Message-ID: I was playing around with the SpamCop Blacklist, via the web interface and the command line, but I got different results. >From the SpamCop stats page, I grabbed IP 62.50.9.18 to do lookups on. Via the web, it tells me the ip is listed in the blacklist. Via command line: nslookup 62.50.9.18.bl.spamcop.net Server: devserv.dtndev.data-trak.net Address: 192.168.0.1 *** devserv.dtndev.data-trak.net can't find 62.50.9.18.bl.spamcop.net: Non-existent domain According to the docs, I would assume that this ip is NOT in the blacklist. What am I doing wrong? TIA! Wayne P. From ric.gates at bigsleep.org Wed Jul 21 07:34:52 2004 From: ric.gates at bigsleep.org (Blammo) Date: Wed Jul 21 02:35:03 2004 Subject: [SC-Help] Re: change of topic, now about reading/viewing spam References: Message-ID: On 20 Jul 2004 Glenn Daniels entered spamcop.help and left news:cdige2$ebj$1@news.spamcop.net: > I can't find the right verb. But the desired effect is to "see" the > spam without "seeing" it, and depriving Spammy of a score for > your "not seeing it": if you can make sense of the angulation. > Quite simply, you should be viewing the source and not rendering the HTML. Technically, the program *could* still be "pre-rendering" the code and pre- fetching content, in the background, but I don't believe it does. -- | Ric | From infinite at nospam-totalink.net Wed Jul 21 03:41:37 2004 From: infinite at nospam-totalink.net (Wayne P.) Date: Wed Jul 21 02:45:03 2004 Subject: [SC-Help] Re: Confused - different results References: Message-ID: I just figured it out. I was not reversing the IP address (for 1.2.3.4, I needed 4.3.2.1.bl.spamcop.net). Been a long night - didn't read straight. Must be time for bed.... Sorry to bug the group. "Wayne P." wrote in message news:cdl24l$k2u$1@news.spamcop.net... > I was playing around with the SpamCop Blacklist, via the web interface and > the command line, but I got different results. > > From the SpamCop stats page, I grabbed IP 62.50.9.18 to do lookups on. Via > the web, it tells me the ip is listed in the blacklist. > > Via command line: > nslookup 62.50.9.18.bl.spamcop.net > Server: devserv.dtndev.data-trak.net > Address: 192.168.0.1 > > *** devserv.dtndev.data-trak.net can't find 62.50.9.18.bl.spamcop.net: > Non-existent domain > > According to the docs, I would assume that this ip is NOT in the blacklist. > > What am I doing wrong? > > TIA! > > Wayne P. > > From MikeE at ster.invalid Wed Jul 21 01:47:01 2004 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jul 21 03:50:03 2004 Subject: [SC-Help] Re: Confused - different results References: Message-ID: Wayne P. wrote: > "Wayne P." >> I was playing around with the SpamCop Blacklist, via the web >> interface and the command line, but I got different results. >> >> From the SpamCop stats page, I grabbed IP 62.50.9.18 to do lookups >> on. Via the web, it tells me the ip is listed in the blacklist. > I just figured it out. I was not reversing the IP address (for > 1.2.3.4, I needed 4.3.2.1.bl.spamcop.net). Been a long night - > didn't read straight. Must be time for bed.... However, it /is/ sometimes possible to temporarily get different results from the website function than from the 4.3.2.1.bl.spamcop.net dnsbl lookup. At the time of checking that particular IP, it was listed 'consistently' both ways [timestamp PDT -0700 UTC] 07/21/04 00:43:29 dns 18.9.50.62.bl.spamcop.net Canonical name: 18.9.50.62.bl.spamcop.net Addresses: 127.0.0.2 Query bl.spamcop.net - 62.50.9.18 62.50.9.18 listed in bl.spamcop.net (127.0.0.2) -- Mike Easter kibitzer, not SC admin From bseymour at spamcop.net Wed Jul 21 09:52:14 2004 From: bseymour at spamcop.net (Barry Seymour) Date: Wed Jul 21 11:55:03 2004 Subject: [SC-Help] Can't Whitelist Sender Message-ID: I have a friend who uses WebTV. His quite legitimate emails to me get held every time. I repeatedly check the email and click "forward (and whitelist sender)" but it seems to have no effect. His next email gets held again. Anyone know why this is? Thanks in advance... Barry Seymour Manhattan Beach CA bseymour@spamcop.net From nobody at devnull.spamcop.net Wed Jul 21 12:40:44 2004 From: nobody at devnull.spamcop.net (WazoO) Date: Wed Jul 21 12:45:03 2004 Subject: [SC-Help] Re: Can't Whitelist Sender References: Message-ID: "Barry Seymour" wrote in message news:cdm3dn$fl7$2@news.spamcop.net... > I have a friend who uses WebTV. His quite legitimate emails to me get held > every time. I repeatedly check the email and click "forward (and whitelist > sender)" but it seems to have no effect. His next email gets held again. > > Anyone know why this is? Thanks in advance... Well, you've asked in spamcop, now re-posting in spamcop.help ... you're asking for help on a filtered e-mail account question, so wondering why you've not posted in spamcop.mail or followed any of the links dealing with help on e-mail accounts that all point to the web-based Forums at http://forum.spamcop.net/forums/index.php? where you'd find this question asked / answered and in a FAQ-in- progress ..... From nobody at spamcop.net Wed Jul 21 11:18:58 2004 From: nobody at spamcop.net (Eric) Date: Wed Jul 21 13:20:03 2004 Subject: [SC-Help] Forums down since 7/20? (Deputies) Message-ID: Is it just me, or has anyone else noticed that the forums have been unavailble since yesterday afternoon? I keep getting the popular "connection refused by forum.spamcop.net" error. But then, many (most?) people here don't go over there... Maybe Spammy is hammering the SpamCop web server so hard that it's buckling under the load? Somebody running a DDoS against the SpamCop forum web server? We already know spammers lurk here, and there has been lots of discussion about Fried Spam and other ways to hit back at spammers' web sites. Eric From Merlyn at Spamcop.net Wed Jul 21 14:26:08 2004 From: Merlyn at Spamcop.net (Merlyn) Date: Wed Jul 21 13:30:03 2004 Subject: [SC-Help] Re: Forums down since 7/20? (Deputies) References: Message-ID: "Eric" wrote in message news:cdm8i4$jue$1@news.spamcop.net... > Is it just me, or has anyone else noticed that the forums have been > unavailble since yesterday afternoon? I keep getting the popular > "connection refused by forum.spamcop.net" error. > > But then, many (most?) people here don't go over there... > > Maybe Spammy is hammering the SpamCop web server so hard that it's > buckling under the load? Somebody running a DDoS against the SpamCop > forum web server? We already know spammers lurk here, and there has > been lots of discussion about Fried Spam and other ways to hit back at > spammers' web sites. > Everything is fine. It's up and I have posted. -- Regards, Merlyn A Spamcop advocate No emails this account is for newsgroups only People demand freedom of speech to make up for the freedom of thought which they avoided From nobody at devnull.spamcop.net Wed Jul 21 13:46:20 2004 From: nobody at devnull.spamcop.net (WazoO) Date: Wed Jul 21 13:50:03 2004 Subject: [SC-Help] Re: Forums down since 7/20? (Deputies) References: Message-ID: "Eric" wrote in message news:cdm8i4$jue$1@news.spamcop.net... > Is it just me, or has anyone else noticed that the forums have been > unavailble since yesterday afternoon? I keep getting the popular > "connection refused by forum.spamcop.net" error. Must be you, is the first thought, but do have to admit that the number of posts there has been next to nil. On the other hand, JT upgraded the software, new cookies are needed ... maybe there's a connection there? From nobody at spamcop.net Wed Jul 21 12:36:48 2004 From: nobody at spamcop.net (Eric) Date: Wed Jul 21 14:40:25 2004 Subject: [SC-Help] Re: Forums down since 7/20? (Deputies) In-Reply-To: References: Message-ID: WazoO wrote: > "Eric" wrote in message > news:cdm8i4$jue$1@news.spamcop.net... > >>Is it just me, or has anyone else noticed that the forums have been >>unavailble since yesterday afternoon? I keep getting the popular >>"connection refused by forum.spamcop.net" error. > > > Must be you, is the first thought, but do have to admit > that the number of posts there has been next to nil. On > the other hand, JT upgraded the software, new cookies > are needed ... maybe there's a connection there? > > I'm trying different browsers, different machines, even different ISP's (home broadband, work T1, even Earthlink dialup). Here's an interesting test: eric$ telnet forum.spamcop.net 80 Trying 216.154.195.60... Connected to forum.spamcop.net. Escape character is '^]'. GET / Connection closed by foreign host. eric$ Kind of rules out cookies. Maybe it's a routing problem localized to California? From eddie at eddie.web Wed Jul 21 16:36:09 2004 From: eddie at eddie.web (eddie) Date: Wed Jul 21 15:40:03 2004 Subject: [SC-Help] Re: Forums down since 7/20? (Deputies) References: Message-ID: On Wed, 21 Jul 2004 11:36:48 -0700, Eric scratched out the following: snip > > Connection closed by foreign host. > eric$ > Kind of rules out cookies. Maybe it's a routing problem localized to > California? Durn xenophobic furners :) From maddsybil at spamcop.net Wed Jul 21 20:02:26 2004 From: maddsybil at spamcop.net (MaddSybil) Date: Wed Jul 21 19:05:03 2004 Subject: [SC-Help] Re: Forums down since 7/20? (Deputies) References: Message-ID: "Eric" wrote in message news:cdmd41$nfa$1@news.spamcop.net... > WazoO wrote: > > > "Eric" wrote in message > > news:cdm8i4$jue$1@news.spamcop.net... > > > >>Is it just me, or has anyone else noticed that the forums have been > >>unavailble since yesterday afternoon? I keep getting the popular > >>"connection refused by forum.spamcop.net" error. > > > > > > Must be you, is the first thought, but do have to admit > > that the number of posts there has been next to nil. On > > the other hand, JT upgraded the software, new cookies > > are needed ... maybe there's a connection there? > > > > > > I'm trying different browsers, different machines, even different > ISP's (home broadband, work T1, even Earthlink dialup). Here's > an interesting test: > > eric$ telnet forum.spamcop.net 80 > Trying 216.154.195.60... > Connected to forum.spamcop.net. > Escape character is '^]'. > GET / > > Connection closed by foreign host. > eric$ > > > Kind of rules out cookies. Maybe it's a routing problem localized > to California? > I had to re-bookmark. The URL changed!?!?! Try http://forum.spamcop.net/forums/index.php?showforum=3 It used to be something else. From 79ytka802 at sneakemail.com Thu Jul 22 01:14:40 2004 From: 79ytka802 at sneakemail.com (Aviatrix) Date: Wed Jul 21 19:20:11 2004 Subject: [SC-Help] How to send spam and get away with it Message-ID: I know this topic has come up before... but I have seen a marked increase in spammers disguising their spam as bounce message - and Spamcop still hasn't latched on to it! It seems that spammers can get away with spamming if they put something like "Undelivered Mail" in the subject line as Spamcop will not report anything with bounce-type subject lines even when it's not a bounce. Example posted to .spam From nobody at devnull.spamcop.net Wed Jul 21 19:15:52 2004 From: nobody at devnull.spamcop.net (WazoO) Date: Wed Jul 21 19:20:26 2004 Subject: [SC-Help] Re: Forums down since 7/20? (Deputies) References: Message-ID: "MaddSybil" wrote in message news:cdmsm3$59q$1@news.spamcop.net... > > I had to re-bookmark. The URL changed!?!?! > > Try > http://forum.spamcop.net/forums/index.php?showforum=3 The catch is that this URL takes you directly into the Help Forum, vice where one would really like to end up, which would be http://forum.spamcop.net/forums/index.php? as there are other Forums ... as a matter of fact, I'd just sent JT and Deputies an e-mail yesterday, once again asking that the FAQ links be changed to come into those Forums at the "top" level, so as the Announcements section could/would be seen upon arrival there. From nobody at spamcop.net Wed Jul 21 17:31:34 2004 From: nobody at spamcop.net (Eric) Date: Wed Jul 21 19:35:03 2004 Subject: [SC-Help] Re: Forums down since 7/20? (Deputies) In-Reply-To: References: Message-ID: MaddSybil wrote: > > I had to re-bookmark. The URL changed!?!?! > > Try > http://forum.spamcop.net/forums/index.php?showforum=3 > > It used to be something else. > That's the URL I'm using. In fact, I'm getting to that URL by clicking on the link found at http://www.spamcop.net/help.shtml No go. This is puzzling! I can telnet to the forums web server, it connects, but when I do the GET the server end hangs up on the connection, without a status message coming back: eric$ telnet forum.spamcop.net 80 Trying 216.154.195.60... Connected to forum.spamcop.net. Escape character is '^]'. GET /forums/index.php Connection closed by foreign host. eric$ From nobody at spamcop.net Wed Jul 21 19:03:27 2004 From: nobody at spamcop.net (Eric) Date: Wed Jul 21 21:05:04 2004 Subject: [SC-Help] Re: Forums down since 7/20? (Deputies) In-Reply-To: References: Message-ID: Eric wrote: > MaddSybil wrote: > >> >> I had to re-bookmark. The URL changed!?!?! >> >> Try >> http://forum.spamcop.net/forums/index.php?showforum=3 >> >> It used to be something else. >> > > > That's the URL I'm using. In fact, I'm getting to that URL > by clicking on the link found at http://www.spamcop.net/help.shtml > > No go. This is puzzling! I can telnet to the forums web > server, it connects, but when I do the GET the server end > hangs up on the connection, without a status message coming > back: > > eric$ telnet forum.spamcop.net 80 > Trying 216.154.195.60... > Connected to forum.spamcop.net. > Escape character is '^]'. > GET /forums/index.php > Connection closed by foreign host. > eric$ > > Now it's working for me. No change that I can determine other than the passing of time. I hate it when that happens. Although it's more often associated with going to the car repair shop or to the doctor, than with web surfing! "Fascinating." -Mr. Spock From newandrew at rump.dk Thu Jul 22 08:38:49 2004 From: newandrew at rump.dk (Andrew Engels Rump (formerly Leif Andrew Rump)) Date: Thu Jul 22 03:40:03 2004 Subject: [SC-Help] Style selection has gone missing!?! Message-ID: The SpamCop stylesheet selectionbox has gone and I cannot get it back!?! My screen looks something like this: <@spamcop.net-logo> Help Site Map Statistics Mailhosts Report Spam | Check Mail Held Email Past Reports Preferences ----------------------------------------------- SpamCop v 1.360 (c) SpamCop.net, Inc. 1998-2004 All Rights Reserved ... But the style selectionbox is nowhere to be found and I have even deleted my @mailsc.spamcop-cookie, closed the browser and locked in again!?! Andrew -- *** The opinions expressed are not necessarily those of my employer. *** * Software Engineer Andrew Engels Rump * BLIK og ROERarbejderforbundet * * Immerkaer 42, 2650 Hvidovre * Tlf: +45 3638 3638, Fax: +45 3638 3639 * Home: N55?41'38.9" E12?29'08.6" (WGS 84) Work: N55?39'50.9" E12?27'47.4" E-mail: mailto:newandrew@rump.dk WWW http://www.rump.dk/homepage/andrew/ From infinite at nospam-totalink.net Thu Jul 22 06:21:04 2004 From: infinite at nospam-totalink.net (Wayne P.) Date: Thu Jul 22 05:25:23 2004 Subject: [SC-Help] Header Help Message-ID: Would someone direct me where I may learn in grave detail (apart from the RFC's) about email headers? I'm curious to learn where the best place in the header to look for domain/ip info of the sender (for x-reference to bl.spamcop.net). TIA! Wayne From joseph_k at invalid.com Thu Jul 22 03:52:43 2004 From: joseph_k at invalid.com (Joseph_K) Date: Thu Jul 22 05:55:02 2004 Subject: [SC-Help] Re: How to send spam and get away with it References: Message-ID: On Thu, 22 Jul 2004 00:14:40 +0100, Aviatrix <79ytka802@sneakemail.com> wrote: > I know this topic has come up before... but I have seen a marked > increase in spammers disguising their spam as bounce message - and > Spamcop still hasn't latched on to it! It seems that spammers can get > away with spamming if they put something like "Undelivered Mail" in the > subject line as Spamcop will not report anything with bounce-type > subject lines even when it's not a bounce. > > Example posted to .spam Assuming the .spam posting is complete, it is definitely not a real bounce. From MikeE at ster.invalid Thu Jul 22 04:07:47 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jul 22 06:10:02 2004 Subject: [SC-Help] Re: Header Help References: Message-ID: Wayne P. wrote: > Would someone direct me where I may learn in grave detail (apart from > the RFC's) about email headers? I'm curious to learn where the best > place in the header to look for domain/ip info of the sender (for > x-reference to bl.spamcop.net). This one is old and popular http://www.stopspam.org/email/headers.html There's a giant collection of spam tracing links at spamlinks http://spamlinks.openrbl.org/trace.htm You can actually learn a lot from observing SpamCop's 'style' if you can interpret the verbose output which shows how the parser chains backward thru' the 'from' and 'by' elements of the Received trace lines toward the 'bottom' or the first sign of bogosity, whichever comes first. -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Thu Jul 22 07:54:55 2004 From: nobody at devnull.spamcop.net (Glenn Daniels) Date: Thu Jul 22 06:55:03 2004 Subject: [SC-Help] Enlighten me on this. Message-ID: On one of my email accounts I receive only spam that starts out with: Received: from pmta06.mta.everyone.net (bigiplb-dsnat [172.16.0.19]) by imta27.mta.everyone.net (Postfix) with ESMTP id B51185161B; Mon, 19 Jul 2004 14:06:48 -0700 (PDT) This tracker reflects SC's parser's handling of the header in question in every instance: http://www.spamcop.net/sc?id=z562176966zbe13010c1888189774749dfc52c9b293z In every case, SC seems to ignore the header. WHOIS returns IANA as the owner of the IP but SC appears never to return a name. I receive no legitimate email with this header on this account. I receive no spam without it on this account. Although SC says the spam is sent from around the world, I can easily blocklist all spam for the account using simply 172.16.0.19. Because few of these items are even addressed "To:" my addy, I am loath to report any of them because I don't want to confirm receiving them. Besides which, SC never offers to report any of them to the owner of the IP, only to the many ISP's designated as the spam sourcers. It appears to me that the IP in question is being abused as the apparent front runner in the headers in a way that for the unenlightened (moi) would have it appear to be the source of all spam for that account. I am mystified. Is this consistent but invalid header a forgery? How do they do that? Why do they do that? What is going on with 172.16.0.19? Will someone please enlighten me here? TIA, Glenn, clueless in the bewilderness. From MikeE at ster.invalid Thu Jul 22 05:08:40 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jul 22 07:15:05 2004 Subject: [SC-Help] Re: Enlighten me on this. References: Message-ID: Glenn Daniels wrote: www.spamcop.net/sc?id=z562176966zbe13010c1888189774749dfc52c9b293z from pmta06.mta.everyone.net (bigiplb-dsnat [172.16.0.19]) by imta27.mta.everyone.net from 200-158-41-48.dsl.telesp.net.br (200.158.41.48 [200.158.41.48]) by pmta06.mta.everyone.net pmta06.mta.everyone.net DNS 216.200.145.35 216.200.145.35 rDNS sitemail.everyone.net 172.16.0.0 - 172.31.255.255 and others are 'reserved' and are non-routing IPs, often used for internal networks and such. So, the everyone mta is choosing to use a non-routing IP for its internal handling. When the item isn't 'going anywhere else' that non-routing usage is OK -- SC uses non-routing IPs in its internal mta handling as well. It would also be all right if the everyone mta used 216.200.145.35 or one of its other mx/es. > I am mystified. Is this consistent but invalid header a forgery? No, it belongs to your provider. > How do they do that? Why do they do that? What is going on > with 172.16.0.19? That mta is 'calling itself' by that IP internally; which is OK. -- Mike Easter kibitzer, not SC admin From eddie at eddie.web Thu Jul 22 12:39:12 2004 From: eddie at eddie.web (eddie) Date: Thu Jul 22 11:40:05 2004 Subject: [SC-Help] Re: Style selection has gone missing!?! References: Message-ID: On Thu, 22 Jul 2004 07:38:49 +0000, Andrew Engels Rump (formerly Leif Andrew Rump) scratched out the following: > The SpamCop stylesheet selectionbox has gone and I cannot get it back!?! snip > But the style selectionbox is nowhere to be found and I have even deleted > my @mailsc.spamcop-cookie, closed the browser and locked in again!?! > > Andrew On my reporting page, which uses the "clean" style, the dropdown box is on the extreme right of the line which says "Welcome, xxxxxxxxx. The very next line is Your average reporting time ..... Then a blank and then the line Forward you spam to:... I know that IE displays "white on white" text at times, so perhaps the dropdown box is simply invisible. Try wiping your cursor over the top area and see if it appears. From eddie at eddie.web Thu Jul 22 12:43:22 2004 From: eddie at eddie.web (eddie) Date: Thu Jul 22 11:45:04 2004 Subject: [SC-Help] Re: How to send spam and get away with it References: Message-ID: On Thu, 22 Jul 2004 00:14:40 +0100, Aviatrix scratched out the following: > I know this topic has come up before... but I have seen a marked increase > in spammers disguising their spam as bounce message - and Spamcop still > hasn't latched on to it! snip There are lots of new tricks spammers are using that SC has fallen behind in catching. You mention just one, but there are also the well-known, "too many links" and "no links found" bugs which are not real but simply the result of defect in the SC parser. SC had asked for samples of these types of failures several months ago, but nothing has been done to fix them. The still require manual labor to process. As spamming becomes even more lucrative, they will hire better programmers to figure ways to get their spam around the various systems. I think that they are well-funded and willing to spend the bucks to avoid blocks. From MikeE at ster.invalid Thu Jul 22 09:51:30 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jul 22 11:55:24 2004 Subject: [SC-Help] Re: Style selection has gone missing!?! References: Message-ID: eddie wrote: > Andrew >> The SpamCop stylesheet selectionbox has gone > On my reporting page, which uses the "clean" style, the dropdown box > is on the extreme right of the line which says "Welcome, xxxxxxxxx. > The very next line is Your average reporting time ..... > Then a blank > and then the line > Forward you spam to:... I agree with Andrew that it is not there for me. I can see the 'parts' of site style if I view source, but they are not present on my view. I also can't see site search, 'powered by google', and perhaps some other stuff on the right side of the screen. I'm driving an 800x600 screensize. -- Mike Easter kibitzer, not SC admin From dkona7b02 at sneakemail.com Thu Jul 22 13:03:50 2004 From: dkona7b02 at sneakemail.com (Spam Hater) Date: Thu Jul 22 12:07:47 2004 Subject: [SC-Help] Re: How to send spam and get away with it In-Reply-To: References: Message-ID: <3.0.5.32.20040722120350.019edf40@loki.fstrf.org> Why do you keep whining about alleged defects in the SpamCop parser without any facts to back up your ridiculous statements??? I've tried to explain to you several times that just because you as a human can easily spot the problems in the parse, there simply is no way to modify the parser to handle ALL possible permutations of SPAM without breaking it and making it totally useless. The parser isn't broken, it is non-compliant mail clients and web browsers that are causing most of these issues. The parser is tweaked to deal with some of them, but some will always get stuck because there is no way for a machine to make a judgement call like a human can!!!! If you were a programmer you would understand this simple statement. Yes, there are some cases where the parser fails. Deal with it! Either report those manually or Just Hit Delete! There is no need to whine each and every time you hit the same shortcomings of the parser. If you think you can do a better job than Julian, what are you waiting for? At 11:43 AM 7/22/2004 -0400, eddie whined: >On Thu, 22 Jul 2004 00:14:40 +0100, Aviatrix scratched out the following: > >> I know this topic has come up before... but I have seen a marked increase >> in spammers disguising their spam as bounce message - and Spamcop still >> hasn't latched on to it! >snip >There are lots of new tricks spammers are using that SC has fallen behind >in catching. >You mention just one, but there are also the well-known, "too many links" >and "no links found" bugs which are not real but simply the result of >defect in the SC parser. SC had asked for samples of these types of >failures several months ago, but nothing has been done to fix them. The >still require manual labor to process. As spamming becomes even more >lucrative, they will hire better programmers to figure ways to get their >spam around the various systems. I think that they are well-funded and >willing to spend the bucks to avoid blocks. From MikeE at ster.invalid Thu Jul 22 10:03:28 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jul 22 12:10:03 2004 Subject: [SC-Help] Re: Style selection has gone missing!?! References: Message-ID: Mike Easter wrote: > I agree with Andrew that it is not there for me. I can see the > 'parts' of site style if I view source, but they are not present on > my view. I also can't see site search, 'powered by google', and > perhaps some other stuff on the right side of the screen. I'm > driving an 800x600 screensize. With my configuration of IE 5.5 I also can't see it at 1024x768 - so I don't think the resolution is the factor. I can see it [the site style, site search, powered by google & more] in the left column with my IE6 rig, which also shows some buttons for help, sitemap, etc. -- Mike Easter kibitzer, not SC admin From eddie at eddie.web Thu Jul 22 13:35:39 2004 From: eddie at eddie.web (eddie) Date: Thu Jul 22 12:40:02 2004 Subject: [SC-Help] Re: How to send spam and get away with it References: Message-ID: On Thu, 22 Jul 2004 12:03:50 -0400, Spam Hater scratched out the following: snip > Yes, there are some cases where the parser fails. Deal with it! Either > report those manually or Just Hit Delete! There is no need to whine each > and every time you hit the same shortcomings of the parser. > > If you think you can do a better job than Julian, what are you waiting > for? > > At 11:43 AM 7/22/2004 -0400, eddie whined: First, please do not top post. It shows a complete and utter lack of courtesy. If I see another top post by you, I shall have to "plonk" you. You make all the rest of the posts impossible to follow, unless someone else straightens out your message. You also seem to confuse stating a problem with "whining," which is your problem, not mine. Clearly you are not in the software business or in a business that looks for feedback. You simply take comments as "whining." Nagging, perhaps, whining? I do not think so. I have mentioned in previous posts that I do either delete or manually parse the spam SC cannot parse properly. And your obvious and simplistic generalization that SC cannot parse everything is an inane tautology. Who ever thought they could? I am simply referring to the fact that SC themselves *asked* for these misparsed spams and other bugs months ago, and so far, has done nothing about the problem. Did you miss that comment? Or did it not fit your purpose? From Martin.Edwards5 at btinternet.com Thu Jul 22 19:27:09 2004 From: Martin.Edwards5 at btinternet.com (Martin Edwards) Date: Thu Jul 22 13:25:03 2004 Subject: [SC-Help] Re: How to send spam and get away with it In-Reply-To: References: Message-ID: eddie wrote: > On Thu, 22 Jul 2004 12:03:50 -0400, Spam Hater scratched out the > following: > snip > >>Yes, there are some cases where the parser fails. Deal with it! Either >>report those manually or Just Hit Delete! There is no need to whine each >>and every time you hit the same shortcomings of the parser. >> >>If you think you can do a better job than Julian, what are you waiting >>for? >> >>At 11:43 AM 7/22/2004 -0400, eddie whined: > > > First, please do not top post. It shows a complete and utter lack of > courtesy. If I see another top post by you, I shall have to "plonk" you. > You make all the rest of the posts impossible to follow, unless someone > else straightens out your message. > > You also seem to confuse stating a problem with "whining," which is your > problem, not mine. Clearly you are not in the software business or in a > business that looks for feedback. You simply take comments as "whining." > Nagging, perhaps, whining? I do not think so. > > I have mentioned in previous posts that I do either delete > or manually parse the spam SC cannot parse properly. > And your obvious and simplistic generalization that SC cannot parse > everything is an inane tautology. Who ever thought they could? > I am simply referring to the fact that SC themselves *asked* for these > misparsed spams and other bugs months ago, and so far, has done nothing > about the problem. Did you miss that comment? Or did it not fit your > purpose? > If I get a false bounce, I parse the header only, which the parser will usually do, and manually report it as a false bounce. Same thing, mutatis mutandis, with viruses. Other failures are often caused by no blank line between header and body. I try to check that before sending. There are other weird methods that I cannot yet understand. Even Maigret failed sometimes. From 79ytka802 at sneakemail.com Thu Jul 22 20:46:55 2004 From: 79ytka802 at sneakemail.com (Aviatrix) Date: Thu Jul 22 14:50:03 2004 Subject: [SC-Help] Re: How to send spam and get away with it In-Reply-To: References: Message-ID: Martin Edwards wrote: > If I get a false bounce, I parse the header only, which the parser will > usually do, and manually report it as a false bounce. Same thing, > mutatis mutandis, with viruses. Other failures are often caused by no > blank line between header and body. I try to check that before sending. > There are other weird methods that I cannot yet understand. Even > Maigret failed sometimes. Yes, there are ways round SC's shortcomings (for way of a better word), but they are time-consuming and most people don't have a lot of time, so a lot of spam gets unreported because people choose to hit "delete" rather than use a manual method. I gave up some of my (scarce) time to post a bug report to this newsgroup, and most (all bar one!) of the responses have been constructive. The response from SpamHater was totally out of order, and can only serve to discourage users from posting bug reports and feedback. I hope that, in due course, the bug that I reported will get fixed - and I hope that this will now be sooner rather than later because it's clearly something spammers are now exploiting. From nobody at spamcop.net Thu Jul 22 16:06:31 2004 From: nobody at spamcop.net (Spam Pop) Date: Thu Jul 22 15:10:09 2004 Subject: [SC-Help] Re: Style selection has gone missing!?! References: Message-ID: "Mike Easter" wrote in message news:cdoojv$a4t$1@news.spamcop.net... > Mike Easter wrote: > > I agree with Andrew that it is not there for me. I can see the > > 'parts' of site style if I view source, but they are not present on > > my view. I also can't see site search, 'powered by google', and > > perhaps some other stuff on the right side of the screen. I'm > > driving an 800x600 screensize. > > With my configuration of IE 5.5 I also can't see it at 1024x768 - so I > don't think the resolution is the factor. > > I can see it [the site style, site search, powered by google & more] in > the left column with my IE6 rig, which also shows some buttons for help, > sitemap, etc. > > -- > Mike Easter > kibitzer, not SC admin > I can see it OK, but it doesn't seem to do anything all of a sudden, and that first missing column of text is there again, permanently it seems. Musta been a few "fixes" tried out. Patience and Perseverence, I guess. Pop From nobody at spamcop.net Thu Jul 22 16:09:33 2004 From: nobody at spamcop.net (Spam Pop) Date: Thu Jul 22 15:10:25 2004 Subject: [SC-Help] Re: How to send spam and get away with it References: Message-ID: "eddie" wrote in message news:pan.2004.07.22.15.43.21.706000@eddie.web... > On Thu, 22 Jul 2004 00:14:40 +0100, Aviatrix scratched out the following: > > > I know this topic has come up before... but I have seen a marked increase > > in spammers disguising their spam as bounce message - and Spamcop still > > hasn't latched on to it! > snip > There are lots of new tricks spammers are using that SC has fallen behind > in catching. > You mention just one, but there are also the well-known, "too many links" > and "no links found" bugs which are not real but simply the result of > defect in the SC parser. SC had asked for samples of these types of > failures several months ago, but nothing has been done to fix them. The > still require manual labor to process. As spamming becomes even more > lucrative, they will hire better programmers to figure ways to get their > spam around the various systems. I think that they are well-funded and > willing to spend the bucks to avoid blocks. Yeah, I feel that the little guys are being forced aside and being left in the dust, but the real biggies are picking up all the slack and then some. In a way, it's OK: The bigger they get, the more spam will get trashed when they finally fall. And the bigger they get, the more they stand out in the crowd. And fall they will, just not tomorrow. Pop From dkona7b02 at sneakemail.com Thu Jul 22 16:10:27 2004 From: dkona7b02 at sneakemail.com (Spam Hater) Date: Thu Jul 22 15:12:52 2004 Subject: [SC-Help] Re: How to send spam and get away with it In-Reply-To: References: Message-ID: <3.0.5.32.20040722151027.019eab70@loki.fstrf.org> See my responses in line... At 07:46 PM 7/22/2004 +0100, Aviatrix typed: >I gave up some of my (scarce) time to post a bug report to this >newsgroup, and most (all bar one!) of the responses have been >constructive. The response from SpamHater was totally out of order, and >can only serve to discourage users from posting bug reports and feedback. It was not my intent to discourage valid bug reports at all, merely to get Eddie to stop whining about the same problems over and over again and lamenting that the SPAMmers are winning because of SpamCop's shortcomings. His response to every bug report is "see, I told you the parser is broken" when, in fact, the parser is not broken but constrained from a proper parse due to other issues. >I hope that, in due course, the bug that I reported will get fixed - and >I hope that this will now be sooner rather than later because it's >clearly something spammers are now exploiting. If it is a true bug, then, as I said before, Julian will do whatever he can to fix it. If it is an issue that requires human intervention, then only a human will do. The parser can't make intuitive leaps of faith like a human can! Only some SPAMmers are exploiting these "issues" and they are still getting reported by those who have the time and energy to use SpamCop as only one tool of many in their SPAM fighting arsenals. The rest can JHD and do what they can with the rest of their SPAM that SpamCop does handle without a problem. The bottom line is that there are some issues the parser may never be able to handle automatically. This is a plain and simple fact. Julian could alter the parser to make "guesses" and leave it up to the human reporter to verify the guess and report accordingly, but as has been proven time and again, this won't work because most humans are too lazy/incompetent to actually review their parses like they are supposed to. This is the very reason why email drop boxes are no longer reported! Even if the parser left the report box unchecked by default and left it up to the human to select it, the silly human either never selects it cause he didn't look at it in the first place or they always select it, innocent bystander or not, simply out of spite and a need for revenge. This is also the reason for the new mailhosts feature! How many people whined that they reported themselves and blamed it all on the parser?? So, Julian added new code to stop you from shooting yourself in the foot but still people whine, now because they can't parse things like bounces. A perfect example of how one fix can break/interfere with something else. From nobody at devnull.spamcop.net Thu Jul 22 16:11:33 2004 From: nobody at devnull.spamcop.net (Glenn Daniels) Date: Thu Jul 22 15:15:03 2004 Subject: [SC-Help] Re: Enlighten me on this. References: Message-ID: "Mike Easter" wrote in message > Glenn Daniels wrote: [...] > from pmta06.mta.everyone.net (bigiplb-dsnat [172.16.0.19]) by > imta27.mta.everyone.net [...] > pmta06.mta.everyone.net DNS 216.200.145.35 > 216.200.145.35 rDNS sitemail.everyone.net > Lost me... whither comes 216.200.145.35? > 172.16.0.0 - 172.31.255.255 and others are 'reserved' and are > non-routing IPs, often used for internal networks and such. Understood. My "read" of the ARIN WHOIS as well. All the machines on my LAN have Blackhole addresses, too, due to ICS. > So, the everyone mta is choosing to use a non-routing IP for its > internal handling. When the item isn't 'going anywhere else' that > non-routing usage is OK -- SC uses non-routing IPs in its internal mta > handling as well. > > It would also be all right if the everyone mta used 216.200.145.35 or > one of its other mx/es. As above, where did you find 216.200.145.35? > > I am mystified. Is this consistent but invalid header a forgery? > > No, it belongs to your provider. Agreed, but how did you determine that? Guessing here: The prepended "Received:" is added to the spam by MyISP as part of the mail servers' internal handling routines. > > How do they do that? Why do they do that? What is going on > > with 172.16.0.19? > > That mta is 'calling itself' by that IP internally; which is OK. > > -- > Mike Easter > scherpa extraordinaire [ed], not SC admin > Understood (I think), sounds reasonable and acceptable. Is it safe to believe that Spammy's spam is not validated as "received" at the sending end of the message? It sorts directly to "Trash" on my end. My instincts tell me to delete it, unopened. I don't wish to report it lest I validate the delivery: Score nul for Spammy, one for me. Looks like it is MyISP's choice to take the little hit on bandwidth, to blocking this spam, that is all characteristically coming from IP's not previously known to be spammers when parsed by SC. I also note that they are from spam friendly ISP's, and my sense is that if turning a deaf ear to them is good enough for SC, it is good enough for me. The account has received about 40 such spams in the last month and I have been in a quandary over noticing a problem versus ignoring it. As they appeared to be coming from Blackhole IANA, I have elected to send them forward to my own Blackhole (devnull). Although the email account "belongs" to my wife, the ISP is mine. It is her choice to use an easily guessed janedoe@anyISP.dufus address and when she has asked "Why are they sending me spam when only my friends have my addy?", she has accepted by way of explanation that so long as she insists on keeping the janedoe@handle.dufus addy, she should expect spam. That it is all filtered to a covert folder out of her awareness, she considers it "problem solved". She does her very best to stay computer ignorant: it is "my job" to "take out" the garbage, and that includes the spam, the virmen, and the vermin the cats drag in! Thank you so much for your efforts to enlighten me... but a little elaboration on the process toward your conclusions might not be totally lost on me. I really am trying to get a handle on what I am up against in my ongoing spambusting strategies: "know your enemy" is critical to the strategic game plan. Thanks again, Glenn From eddie at eddie.web Thu Jul 22 16:43:31 2004 From: eddie at eddie.web (eddie) Date: Thu Jul 22 15:45:02 2004 Subject: [SC-Help] Re: How to send spam and get away with it References: Message-ID: On Thu, 22 Jul 2004 15:10:27 -0400, Spam Hater scratched out the following: > See my responses in line... > >whine Is whine the only word you know? I think you are whining more than most. You seem to think every complaint is a "whine" but I suspect you are projecting or something. This is a public forum and your whines are as annoying as mine are. At least my "whines" are on topic - yours are just whines about people complaining about things. Just "plonk" me and be done with it. It's no big deal. From eddie at eddie.web Thu Jul 22 16:52:02 2004 From: eddie at eddie.web (eddie) Date: Thu Jul 22 15:55:03 2004 Subject: [SC-Help] Re: How to send spam and get away with it References: Message-ID: On Thu, 22 Jul 2004 15:10:27 -0400, Spam Hater scratched out the following: > See my responses in line... >snip I assume you are also a paying user of SC's service, as I am. I also think that I have a right to nag about things since I am helping foot the bill. If a freebie user is complaining, that's a different story. I have been using SC since it was C/R and am one of the first paying users of their system. I have been supporting them for a long time. From bseymour at spamcop.net Thu Jul 22 13:54:06 2004 From: bseymour at spamcop.net (Barry Seymour) Date: Thu Jul 22 15:55:14 2004 Subject: [SC-Help] Re: Can't Whitelist Sender References: Message-ID: Since you did all that research maybe you could have posted a link to the URL with the answer, or the FAQ in progress, rather than flaming me because I didn't spend as much time as you did poking around all the forums and newsgroups looking for the specific answer. I have a life to lead, you know. Thanks for the help, such as it was. "WazoO" wrote in message news:cdm6ac$i74$1@news.spamcop.net... "Barry Seymour" wrote in message news:cdm3dn$fl7$2@news.spamcop.net... > I have a friend who uses WebTV. His quite legitimate emails to me get held > every time. I repeatedly check the email and click "forward (and whitelist > sender)" but it seems to have no effect. His next email gets held again. > > Anyone know why this is? Thanks in advance... Well, you've asked in spamcop, now re-posting in spamcop.help ... you're asking for help on a filtered e-mail account question, so wondering why you've not posted in spamcop.mail or followed any of the links dealing with help on e-mail accounts that all point to the web-based Forums at http://forum.spamcop.net/forums/index.php? where you'd find this question asked / answered and in a FAQ-in- progress ..... From newandrew at rump.dk Thu Jul 22 21:15:45 2004 From: newandrew at rump.dk (Andrew Engels Rump (formerly Leif Andrew Rump)) Date: Thu Jul 22 16:20:27 2004 Subject: [SC-Help] Re: Style selection has gone missing!?! References: Message-ID: After drinking 3 Pan Galactic Gargle Blasters, "Spam Pop" mumbled in news:cdp37n$ppa$1@news.spamcop.net: > "Mike Easter" wrote in message > news:cdoojv$a4t$1@news.spamcop.net... >> Mike Easter wrote: >>> I agree with Andrew that it is not there for me. I can see the >>> 'parts' of site style if I view source, but they are not >>> present on my view. I also can't see site search, 'powered by >>> google', and perhaps some other stuff on the right side of the >>> screen. I'm driving an 800x600 screensize. >> With my configuration of IE 5.5 I also can't see it at 1024x768 - >> so I don't think the resolution is the factor. >> I can see it [the site style, site search, powered by google & >> more] in the left column with my IE6 rig, which also shows some >> buttons for help, sitemap, etc. > I can see it OK, but it doesn't seem to do anything all of a > sudden, and that first missing column of text is there > again, permanently it seems. Musta been a few "fixes" tried > out. Patience and Perseverence, I guess. I choose the "old style" to get Google etc. away from the left side of the windows and suddenly the selectionbox was gone one day and newer returned!?! Andrew -- *** The opinions expressed are not necessarily those of my employer. *** * Software Engineer Andrew Engels Rump * BLIK og ROERarbejderforbundet * * Immerkaer 42, 2650 Hvidovre * Tlf: +45 3638 3638, Fax: +45 3638 3639 * Home: N55?41'38.9" E12?29'08.6" (WGS 84) Work: N55?39'50.9" E12?27'47.4" E-mail: mailto:newandrew@rump.dk WWW http://www.rump.dk/homepage/andrew/ From nobody at devnull.spamcop.net Thu Jul 22 16:22:11 2004 From: nobody at devnull.spamcop.net (WazoO) Date: Thu Jul 22 16:25:08 2004 Subject: [SC-Help] Re: Can't Whitelist Sender References: Message-ID: "Barry Seymour" wrote in message news:cdp61b$v13$1@news.spamcop.net... > Since you did all that research maybe you could have posted a link to the > URL with the answer, or the FAQ in progress, rather than flaming me because > I didn't spend as much time as you did poking around all the forums and > newsgroups looking for the specific answer. I have a life to lead, you know. > > Thanks for the help, such as it was. Don't recall a flame anywhere, just pointing out the obvious. Sure maybe I could post a link, but there is such a thing as doing your own research. You've waited what, three of four days now, for someone to spoon-feed you something that (I repeat) already exists multiple times at the URL I did offer up? And now bitch that your life has been impacted because I didn't do all the work for you? Please excuse me! From bseymour at spamcop.net Thu Jul 22 14:35:37 2004 From: bseymour at spamcop.net (Barry Seymour) Date: Thu Jul 22 16:35:29 2004 Subject: [SC-Help] Re: Can't Whitelist Sender References: Message-ID: A few days have passed since I posted my question, true. I have also done some research and have found nothing regarding any 'bug' in the 'forward and whitelist sender' option. I have reviewed my whitelist, and the email address in question is there. I have reviewed the usenet forums with no luck. I have also registered with the web-based forum and searched there. I have not had luck there although I have found some advice and information. I have double checked my whitelist entries to be sure they're all lower case. I have followed some of the discussions about leaving out the '@' but I couldn't really figure out what the end recommendation was, so I have left my whitelist entries complete. It appears that SC converts email addys to lower case before checking against the whitelist; perhaps it should also be converting all whitelist entries to lower case as well; sometimes it's easier to prevent or fix a user error at the source than it is to explain to the user what his/her error was. Perhaps 'flame' is too strong a word. However, I'm not complaining that you didn't "do my work for me." It just seems like you already knew where/what the answer was, but chose to scold me for perceived laziness rather than just provide the answer. I don't need you to shape my character, I just need information. Back to the original topic, then. Is this a bug? Should I be doing something different? Or both? Barry "WazoO" wrote in message news:cdp7lj$5c4$1@news.spamcop.net... "Barry Seymour" wrote in message news:cdp61b$v13$1@news.spamcop.net... > Since you did all that research maybe you could have posted a link to the > URL with the answer, or the FAQ in progress, rather than flaming me because > I didn't spend as much time as you did poking around all the forums and > newsgroups looking for the specific answer. I have a life to lead, you know. > > Thanks for the help, such as it was. Don't recall a flame anywhere, just pointing out the obvious. Sure maybe I could post a link, but there is such a thing as doing your own research. You've waited what, three of four days now, for someone to spoon-feed you something that (I repeat) already exists multiple times at the URL I did offer up? And now bitch that your life has been impacted because I didn't do all the work for you? Please excuse me! From dkona7b02 at sneakemail.com Thu Jul 22 14:57:18 2004 From: dkona7b02 at sneakemail.com (Spam Hater) Date: Thu Jul 22 16:36:03 2004 Subject: [SC-Help] Re: How to send spam and get away with it In-Reply-To: References: Message-ID: <3.0.5.32.20040722135718.019edf40@loki.fstrf.org> See responses in line, although I don't see why I bother replying at all... At 12:35 PM 7/22/2004 -0400, eddie blathered: >First, please do not top post. It shows a complete and utter lack of >courtesy. If I see another top post by you, I shall have to "plonk" you. >You make all the rest of the posts impossible to follow, unless someone >else straightens out your message. Blah, blah, blah... Get over it already. If I am replying to one specific issue I'll top post because that makes the most sense. Everyone has already seen what the OP wrote, so why make them wade through it again? If I am answering point by point, as I am now, I'll post in line, again, because it makes sense. I'll never bottom post because it makes absolutely no sense at all in any situation. If you can't follow a thread from post to post and keep it all sorted out, that is your problem, not mine. >You also seem to confuse stating a problem with "whining," which is your >problem, not mine. Stating a problem happens once. When you harp on it over and over again ad infinitum, then you are whining! >Clearly you are not in the software business or in a >business that looks for feedback. Hahaha I am a computer programmer!! D'uh! I speak from experience not just from deluded expectations of software miracles. >You simply take comments as "whining." >Nagging, perhaps, whining? I do not think so. Nagging and whining go hand in hand with you. You whine that the parser isn't good enough and then you nag that someone fix it even though it is clearly working as expected. >I have mentioned in previous posts that I do either delete >or manually parse the spam SC cannot parse properly. Well, that's great! So why do you have to keep harping about all the problems then? JHD and get on with your life... >And your obvious and simplistic generalization that SC cannot parse >everything is an inane tautology. Who ever thought they could? You seem to imply that the parser should be fixed to cover all of these instances where it can't complete a parse up to your expectations. You obviously live in a dream world where all problems can be managed with a few code tweaks. It just doesn't work that way. In the real world, there are other issues to deal with that preclude watering down the parser just so it can handle a few extreme situations at the expense of accuracy. >I am simply referring to the fact that SC themselves *asked* for these >misparsed spams and other bugs months ago, and so far, has done nothing >about the problem. Did you miss that comment? Or did it not fit your >purpose? Yes, they asked for examples. Yes, you provided them. NO, they did not say they would jump right on them and "fix" them!!! If they looked at your example and found an actual problem, then Julian would probably not rest until he had it worked out. In the cases that you are whining about, there is no parsing error, just a parsing issue that simply can't be gotten around. You'll have to learn to live with that. >On Thu, 22 Jul 2004 12:03:50 -0400, Spam Hater scratched out the >following: >snip >> Yes, there are some cases where the parser fails. Deal with it! Either >> report those manually or Just Hit Delete! There is no need to whine each >> and every time you hit the same shortcomings of the parser. >> >> If you think you can do a better job than Julian, what are you waiting >> for? >> At 11:43 AM 7/22/2004 -0400, eddie whined: From nobody at devnull.spamcop.net Thu Jul 22 16:59:53 2004 From: nobody at devnull.spamcop.net (Cat) Date: Thu Jul 22 17:00:09 2004 Subject: [SC-Help] Re: Can't Whitelist Sender In-Reply-To: References: Message-ID: Barry Seymour wrote: > Perhaps 'flame' is too strong a word. However, I'm not complaining that you > didn't "do my work for me." It just seems like you already knew where/what > the answer was, but chose to scold me for perceived laziness rather than > just provide the answer. I don't need you to shape my character, I just need > information. Could you please at least reshape your posting style and stop top posting. When you top post and don't snip, that makes it harder to read your replies and understand their context. If you pay attention to other posts in this newsgroup, you'll notice that the preferred method of posting is to snip whatever you aren't replying to and post your own comments BELOW each quoted point you're replying to, NOT ABOVE. See #6 at http://linux.sgms-centre.com/misc/netiquette.php and #1 and #2 at http://www.river.com/users/share/etiquette/ for more snipping and inline posting netiquette. From bseymour at spamcop.net Thu Jul 22 15:04:34 2004 From: bseymour at spamcop.net (Barry Seymour) Date: Thu Jul 22 17:05:12 2004 Subject: [SC-Help] Re: Can't Whitelist Sender References: Message-ID: "Cat" wrote in message news:cdp9s9$lof$1@news.spamcop.net... Barry Seymour wrote: > Perhaps 'flame' is too strong a word. However, I'm not complaining that you > didn't "do my work for me." It just seems like you already knew where/what > the answer was, but chose to scold me for perceived laziness rather than > just provide the answer. I don't need you to shape my character, I just need > information. Could you please at least reshape your posting style and stop top posting. When you top post and don't snip, that makes it harder to read your replies and understand their context. If you pay attention to other posts in this newsgroup, you'll notice that the preferred method of posting is to snip whatever you aren't replying to and post your own comments BELOW each quoted point you're replying to, NOT ABOVE. See #6 at http://linux.sgms-centre.com/misc/netiquette.php and #1 and #2 at http://www.river.com/users/share/etiquette/ for more snipping and inline posting netiquette. Okay, done. Makes perfect sense. Thanks for the information. Barry From nobody at devnull.spamcop.net Thu Jul 22 17:05:06 2004 From: nobody at devnull.spamcop.net (Cat) Date: Thu Jul 22 17:10:04 2004 Subject: [SC-Help] Re: How to send spam and get away with it In-Reply-To: References: Message-ID: eddie wrote: > Is whine the only word you know? I think you are whining more than most. > You seem to think every complaint is a "whine" but I suspect you are > projecting or something. > This is a public forum and your whines are as annoying as mine are. At > least my "whines" are on topic - yours are just whines about people > complaining about things. > Just "plonk" me and be done with it. It's no big deal. I think the fact that Spam Hater freaks out over the simple idea of showing respect and posting in a logical readable format shows serious mental issues on his part. It's incredibly childish of him to continue to top post and scream the word spam then throw a temper tantrum if someone makes the smallest request for him to stop. I wonder why he thinks it's ok for him to whine about being asked to stop being obnoxious. His mommy must have ignored him a lot as a child. From dkona7b02 at sneakemail.com Thu Jul 22 16:10:27 2004 From: dkona7b02 at sneakemail.com (Spam Hater) Date: Thu Jul 22 18:10:37 2004 Subject: [SC-Help] Re: How to send spam and get away with it In-Reply-To: References: Message-ID: <3.0.5.32.20040722151027.019eab70@loki.fstrf.org> See my responses in line... At 07:46 PM 7/22/2004 +0100, Aviatrix typed: >I gave up some of my (scarce) time to post a bug report to this >newsgroup, and most (all bar one!) of the responses have been >constructive. The response from SpamHater was totally out of order, and >can only serve to discourage users from posting bug reports and feedback. It was not my intent to discourage valid bug reports at all, merely to get Eddie to stop whining about the same problems over and over again and lamenting that the SPAMmers are winning because of SpamCop's shortcomings. His response to every bug report is "see, I told you the parser is broken" when, in fact, the parser is not broken but constrained from a proper parse due to other issues. >I hope that, in due course, the bug that I reported will get fixed - and >I hope that this will now be sooner rather than later because it's >clearly something spammers are now exploiting. If it is a true bug, then, as I said before, Julian will do whatever he can to fix it. If it is an issue that requires human intervention, then only a human will do. The parser can't make intuitive leaps of faith like a human can! Only some SPAMmers are exploiting these "issues" and they are still getting reported by those who have the time and energy to use SpamCop as only one tool of many in their SPAM fighting arsenals. The rest can JHD and do what they can with the rest of their SPAM that SpamCop does handle without a problem. The bottom line is that there are some issues the parser may never be able to handle automatically. This is a plain and simple fact. Julian could alter the parser to make "guesses" and leave it up to the human reporter to verify the guess and report accordingly, but as has been proven time and again, this won't work because most humans are too lazy/incompetent to actually review their parses like they are supposed to. This is the very reason why email drop boxes are no longer reported! Even if the parser left the report box unchecked by default and left it up to the human to select it, the silly human either never selects it cause he didn't look at it in the first place or they always select it, innocent bystander or not, simply out of spite and a need for revenge. This is also the reason for the new mailhosts feature! How many people whined that they reported themselves and blamed it all on the parser?? So, Julian added new code to stop you from shooting yourself in the foot but still people whine, now because they can't parse things like bounces. A perfect example of how one fix can break/interfere with something else. From eddie at eddie.web Thu Jul 22 23:28:18 2004 From: eddie at eddie.web (eddie) Date: Thu Jul 22 22:30:24 2004 Subject: [SC-Help] Re: How to send spam and get away with it References: Message-ID: On Thu, 22 Jul 2004 16:05:06 -0500, Cat scratched out the following: snip > > I think the fact that Spam Hater freaks out over the simple idea of > showing respect and posting in a logical readable format shows serious > mental issues on his part. It's incredibly childish of him to continue to > top post and scream the word spam then throw a temper tantrum if someone > makes the smallest request for him to stop. I wonder why he thinks it's ok > for him to whine about being asked to stop being obnoxious. His mommy must > have ignored him a lot as a child. Very perceptive - that's exactly what I meant by "projecting" There are a lot of posts in this group and they tend to get buried quickly. I am willing to take the "heat" to keep reminding people that SC is not perfect, and that improvements are needed to keep up with the advances that spammers seem to be making. In most companies, it's called feedback and welcomed, even if repititious. With the confusion and reduncancy between this NG and the webboard, it's a wonder anything is noticed :) From ric.gates at bigsleep.org Fri Jul 23 09:41:26 2004 From: ric.gates at bigsleep.org (Blammo) Date: Fri Jul 23 04:45:54 2004 Subject: [SC-Help] Re: Style selection has gone missing!?! References: Message-ID: On 22 Jul 2004 Andrew Engels Rump (formerly Leif Andrew Rump) entered spamcop.help and left news:Xns952EE277B1556newandrewrumpdk@216.154.195.61: > I choose the "old style" to get Google etc. away from the left > side of the windows and suddenly the selectionbox was gone one > day and newer returned!?! > I don't know if you are using IE, but IE may push it off screen and you won't be able to scroll over to it. If you delete the SpamCop cookie it should go back to Default. I really feel this is an option that should be set in Preferences. Browsers such as Mozilla and Opera have a menu option to select styles, and I never have a need to change it, once I pick a style. But for some reason he changed the JavaScript code and if I use the Mozilla menu to change the style it no longer resets the cookie. Now only the picker resets the cookie. -- | Ric | From newandrew at rump.dk Fri Jul 23 10:23:20 2004 From: newandrew at rump.dk (Andrew Engels Rump (formerly Leif Andrew Rump)) Date: Fri Jul 23 05:25:05 2004 Subject: [SC-Help] Re: Style selection has gone missing!?! References: Message-ID: After drinking 3 Pan Galactic Gargle Blasters, Blammo mumbled in news:Xns952F1133AE709blammo@216.154.195.61: > On 22 Jul 2004 Andrew Engels Rump (formerly Leif Andrew Rump) entered > spamcop.help and left > news:Xns952EE277B1556newandrewrumpdk@216.154.195.61: >> I choose the "old style" to get Google etc. away from the left >> side of the windows and suddenly the selectionbox was gone one >> day and newer returned!?! > I don't know if you are using IE, but IE may push it off screen > and you won't be able to scroll over to it. > If you delete the SpamCop cookie it should go back to Default. I have deleted the cookie but nothings changed!?! Andrew -- *** The opinions expressed are not necessarily those of my employer. *** * Software Engineer Andrew Engels Rump * BLIK og ROERarbejderforbundet * * Immerkaer 42, 2650 Hvidovre * Tlf: +45 3638 3638, Fax: +45 3638 3639 * Home: N55?41'38.9" E12?29'08.6" (WGS 84) Work: N55?39'50.9" E12?27'47.4" E-mail: mailto:newandrew@rump.dk WWW http://www.rump.dk/homepage/andrew/ From ric.gates at bigsleep.org Fri Jul 23 11:04:22 2004 From: ric.gates at bigsleep.org (Blammo) Date: Fri Jul 23 06:05:03 2004 Subject: [SC-Help] Re: Style selection has gone missing!?! References: Message-ID: On 23 Jul 2004 Andrew Engels Rump (formerly Leif Andrew Rump) entered spamcop.help and left news:Xns952F73DAF7CBFnewandrewrumpdk@216.154.195.61: > After drinking 3 Pan Galactic Gargle Blasters, Blammo > mumbled in > news:Xns952F1133AE709blammo@216.154.195.61: >> On 22 Jul 2004 Andrew Engels Rump (formerly Leif Andrew Rump) entered >> spamcop.help and left >> news:Xns952EE277B1556newandrewrumpdk@216.154.195.61: >>> I choose the "old style" to get Google etc. away from the left >>> side of the windows and suddenly the selectionbox was gone one >>> day and newer returned!?! >> I don't know if you are using IE, but IE may push it off screen >> and you won't be able to scroll over to it. >> If you delete the SpamCop cookie it should go back to Default. > > I have deleted the cookie but nothings changed!?! > I kinda hate to reply because I can't at the moment start up IE and check it, and I'm sure that IE 5.x still gets a different page. But in addition to deleting cookies you may have to clear the temporary internet files as well (actually you can do both at the same time? Though you may not want to). IE has a really nasty habit of hanging on to local cached copies, every version seems to have a slightly different behavior. I had a dynamically generated page that changed on the first of the month, and some IE users reported that the page didn't change. I checked the page and even though I was updating the headers, I was also sending the last modified date, which actually never changed. Changing that (not sending last modified) fixed the problem, and of course so would deleting your local copies. -- | Ric | From MikeE at ster.invalid Fri Jul 23 04:34:41 2004 From: MikeE at ster.invalid (Mike Easter) Date: Fri Jul 23 06:40:03 2004 Subject: [SC-Help] Re: Enlighten me on this. References: Message-ID: Glenn Daniels wrote: > "Mike Easter" >> Glenn Daniels wrote: > [...] >> from pmta06.mta.everyone.net (bigiplb-dsnat [172.16.0.19]) by >> imta27.mta.everyone.net > [...] >> pmta06.mta.everyone.net DNS 216.200.145.35 >> 216.200.145.35 rDNS sitemail.everyone.net > > Lost me... whither comes 216.200.145.35? Ultimately dns servers, but let's work our way around to that. We are talking about everyone.net's headers which I'll abbreviate even more than before: from [172.16.0.19] by imta27.mta.everyone.net from [200.158.41.48] by pmta06.mta.everyone.net Those headers are added from bottom to top, so the item went from the .br spamsource 200.158.41.48 to pmta06 to imta27. That is, the bottom line sez that 200.etc gave it to pmta06 and then the top line sez that pmta06 [calling itself 172.etc] gave it to imta27. Or, saying it a completely 'conceptional' way, the spamsource aimed the item at an address handled by the everyone mx, and the records for everyone are maintained by dns servers. So, I can lookup what the MXes for everyone are, and I can also check and see if pmta06 has an IP address, which it did. >> So, the everyone mta is choosing to use a non-routing IP for its >> internal handling. When the item isn't 'going anywhere else' that >> non-routing usage is OK -- SC uses non-routing IPs in its internal >> mta handling as well. >> >> It would also be all right if the everyone mta used 216.200.145.35 or >> one of its other mx/es. > > As above, where did you find 216.200.145.35? The actual 'where' I found by using a lookup tool, SamSpade's DNS function on the name pmta06.mta.everyone.net and by checking the dig for everyone.net's MXes. Sometimes the pmta06 name being used might not be exactly what the name of the mx is. The 'variation' in the name of the mx and the way the server stamped the line and the way the forward DNS and the reverse DNS work are beyond where we want to go with the discussion just now; but that's what you cited me saying at the top. That is, SamSpade's 'handy' DNS works like this: dns everyone.net Mail for everyone.net is handled by sitemail.everyone.net sitemail2.everyone.net and I can get the IPs for both of those: Canonical name: sitemail.everyone.net Addresses: 216.200.145.35 216.200.145.51 Canonical name: sitemail2.everyone.net Addresses: 216.200.145.36 I can also 'go the other way' and feed it a name to get an IP: dns pmta06.mta.everyone.net Mail for pmta06.mta.everyone.net is handled by sitemail.everyone.net Canonical name: pmta06.mta.everyone.net Addresses: 216.200.145.35 So, you can see that sitemail and pmta06 are 'the same' functionally. So, if a mailer wanted to mail something to an address handled by everyone.net, let's say jane@everyone.net, then the mailserver would find out how to 'aim' the mail at the everyone.net mx, and then the everyone mx would receive it and begin stamping the lines we're talking about. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Fri Jul 23 04:57:47 2004 From: MikeE at ster.invalid (Mike Easter) Date: Fri Jul 23 07:00:02 2004 Subject: [SC-Help] Re: Enlighten me on this. References: Message-ID: Glenn Daniels wrote: > Is it safe to believe that Spammy's spam is not validated as > "received" at the sending end of the message? I'm not clear on what that means. If you mean, "When I get a mail, does the spammer know it?" - the answer /should/ be "No." ^1 > It sorts directly > to "Trash" on my end. My instincts tell me to delete it, unopened. > I don't wish to report it lest I validate the delivery: Score nul > for Spammy, one for me. Overall, I would say ideally it is better to report a spam 'properly' than to delete it unopened.^2 ^1 If a spam were handled carelessly or insecurely, it could help the spammer to confirm a recipient address, or to tell the spammer a recipient address opens spam, or to tell the spammer a recipient 'believes' spam and hits removes, or to tell the spammer a recipient opens spam and clicks on spamlinks. ^2 If spam is handled or reported carelessly or insecurely, and/or reported 'badly' - it would be better to delete all spam unopened and unpreviewed. -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Fri Jul 23 09:34:32 2004 From: nobody at devnull.spamcop.net (Glenn Daniels) Date: Fri Jul 23 08:35:03 2004 Subject: [SC-Help] Re: Enlighten me on this. References: Message-ID: "Mike Easter" wrote in message [...] > The actual 'where' I found by using a lookup tool, SamSpade's DNS > function on the name pmta06.mta.everyone.net and by checking the dig > for everyone.net's MXes. Sometimes the pmta06 name being used might not > be exactly what the name of the mx is. > > The 'variation' in the name of the mx and the way the server stamped the > line and the way the forward DNS and the reverse DNS work are beyond > where we want to go with the discussion just now; but that's what you > cited me saying at the top. > > That is, SamSpade's 'handy' DNS works like this: > > dns everyone.net > Mail for everyone.net is handled by sitemail.everyone.net > sitemail2.everyone.net > > and I can get the IPs for both of those: > > Canonical name: sitemail.everyone.net > Addresses: > 216.200.145.35 > 216.200.145.51 > > Canonical name: sitemail2.everyone.net > Addresses: > 216.200.145.36 > > I can also 'go the other way' and feed it a name to get an IP: > > dns pmta06.mta.everyone.net > Mail for pmta06.mta.everyone.net is handled by sitemail.everyone.net > Canonical name: pmta06.mta.everyone.net > Addresses: > 216.200.145.35 > > So, you can see that sitemail and pmta06 are 'the same' functionally. > > So, if a mailer wanted to mail something to an address handled by > everyone.net, let's say jane@everyone.net, then the mailserver would > find out how to 'aim' the mail at the everyone.net mx, and then the > everyone mx would receive it and begin stamping the lines we're talking > about. > Most Excellent! by way of elaboration. FWIW I have added Sam's site to my "Wanted" folder. Although I am thinking I may have known that pmta06.etc "belonged" to my provider, I did not know for how you accomplished the "lookup". Thanks! Glenn From newandrew at rump.dk Fri Jul 23 14:21:01 2004 From: newandrew at rump.dk (Andrew Engels Rump (formerly Leif Andrew Rump)) Date: Fri Jul 23 09:25:20 2004 Subject: [SC-Help] Re: Style selection has gone missing!?! References: Message-ID: After drinking 3 Pan Galactic Gargle Blasters, Blammo mumbled in news:Xns952F1F42A797Dblammo@216.154.195.61: > On 23 Jul 2004 Andrew Engels Rump (formerly Leif Andrew Rump) entered > spamcop.help and left > news:Xns952F73DAF7CBFnewandrewrumpdk@216.154.195.61: >> After drinking 3 Pan Galactic Gargle Blasters, Blammo >> mumbled in >> news:Xns952F1133AE709blammo@216.154.195.61: >>> On 22 Jul 2004 Andrew Engels Rump (formerly Leif Andrew Rump) >>> entered spamcop.help and left >>> news:Xns952EE277B1556newandrewrumpdk@216.154.195.61: >>>> I choose the "old style" to get Google etc. away from the left >>>> side of the windows and suddenly the selectionbox was gone one >>>> day and newer returned!?! >>> I don't know if you are using IE, but IE may push it off screen >>> and you won't be able to scroll over to it. >>> If you delete the SpamCop cookie it should go back to Default. >> I have deleted the cookie but nothings changed!?! > I kinda hate to reply because I can't at the moment start up IE > and check it, and I'm sure that IE 5.x still gets a different > page. But in addition to deleting cookies you may have to clear > the temporary internet files as well (actually you can do both > at the same time? Though you may not want to). Still no change! :-( Andrew -- *** The opinions expressed are not necessarily those of my employer. *** * Software Engineer Andrew Engels Rump * BLIK og ROERarbejderforbundet * * Immerkaer 42, 2650 Hvidovre * Tlf: +45 3638 3638, Fax: +45 3638 3639 * Home: N55?41'38.9" E12?29'08.6" (WGS 84) Work: N55?39'50.9" E12?27'47.4" E-mail: mailto:newandrew@rump.dk WWW http://www.rump.dk/homepage/andrew/ From nobody at devnull.spamcop.net Fri Jul 23 11:21:39 2004 From: nobody at devnull.spamcop.net (Glenn Daniels) Date: Fri Jul 23 10:25:02 2004 Subject: [SC-Help] Re: Enlighten me on this. References: Message-ID: "Mike Easter" wrote: > Glenn Daniels wrote: > > Is it safe to believe that Spammy's spam is not validated as > > "received" at the sending end of the message? > > I'm not clear on what that means. If you mean, "When I get a mail, does > the spammer know it?" - the answer /should/ be "No." ^1 > You have clearly gotten my meaning in spite of my being obtuse. For all Spammy knows, his spam was delivered to Dave Null by the mail server. > > It sorts directly to "Trash" on my end. My instincts tell me > > to delete it, unopened. I don't wish to report it lest I > > validate the delivery: Score nul for Spammy, one for me. > > Overall, I would say ideally it is better to report a spam 'properly' > than to delete it unopened.^2 > I absolutely agree, and under ideal circumstances, would make it my business to report them. But the situation is adverse. For starters, I consider it to be what I think is called "dictionary" spam. It's like the spam forges are set up to run "JaneDoe" against "@anyISP". I see the spam as a predictable consequence of my wife's refusal to opt for a less obvious handle: she keeps the door open and calls me when the cats drag a critter into the house. AFAIAC, she could close the door if she does not want to deal with the vermin, and the spam is just one more "honey-do". I am otherwise occupied with reporting as many as 120 spams a day on her other "JaneDoe" account "@another.isp", and can't quite bring myself to doing battle with the spammers on a second front. Also, there being very few spams involved, I fear that in reporting these to the spammer friendly ISP's involved I am just courting trouble. No matter how munged the spam going back to the spammer may be, Spammy will have scored a "hot lead". For now, they filter to a covert folder where she won't be opening them and trying to "unsubscribe" to them, as is her flustered response whenever she sees them. > ^1 If a spam were handled carelessly or insecurely, it could help the > spammer to confirm a recipient address, or to tell the spammer a > recipient address opens spam, or to tell the spammer a recipient > 'believes' spam and hits removes, or to tell the spammer a recipient > opens spam and clicks on spamlinks. > She won't give up the "preview" pane, and she will hit removes. I have no choice but to keep them completely out of her awareness. > ^2 If spam is handled or reported carelessly or insecurely, and/or > reported 'badly' - it would be better to delete all spam unopened and > unpreviewed. > Until I am convinced that they can be reported securely, they will continue to be forwarded to my trusted friend, Dave Null. Perhaps at some point, I may opt to "report as mole" for this account, but that is not clearly a cost effective use of my resources for now. I respect that this is not the ideal way of doing things, but I also see it as the next best thing until I may be able to do better. Once again, I am greatly in your debt for clarifying my confused mental process. Validation in spite of my disordered and disorganized mental process is a wonderful thing! I am also again owing you for your time and efforts to process my muddled efforts to communicate. Much thanks! Have a Most Excellent day! Glenn, :-) From MikeE at ster.invalid Fri Jul 23 09:13:14 2004 From: MikeE at ster.invalid (Mike Easter) Date: Fri Jul 23 11:15:03 2004 Subject: [SC-Help] Re: Failed to find the link in this spam References: Message-ID: Posted to .help & .spam, f/ups to .help Phil Scadden wrote: > Hopefully I am doing this right this time. The tracker for the > message was: > www.spamcop.net/sc?id=z563028026z57aea45d59d8193dd3c714641816a1d8z > > Failed to find the link (it didnt have the http:// in front of it). As we continue to 'finetune' how well you are doing this ;-) .... Actually, when you are posting the wonderful tracker as you did, posting in .spam is the 'wrong' place. The .spam ng is strictly for posting the actual spamitem, created at a time when the tracker didn't actually store the 'whole enchilada' the way it does now. Back in those days the .spam ng was very important for posting the actual spam item, as it was the only thing 'we' tinw had for trying to look at a spam. But, now that the tracker is so complete, posting an actual spam instead of a tracker isn't nearly as useful; except in some rare circumstance that I can't even think of just now. But, we don't discuss things in .spam, because there's nothing in there but nasty old spam. We discuss everything in the other ng/s; so, when you are posting something as 'nice' as a tracker, you should just post it in the appropriate discussion ng, which could be .help, .mail, or spamcop, depending. There's no real difference in .help or spamcop functionally at this time. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Fri Jul 23 09:46:08 2004 From: MikeE at ster.invalid (Mike Easter) Date: Fri Jul 23 11:50:03 2004 Subject: [SC-Help] Re: Enlighten me on this. References: Message-ID: Glenn Daniels wrote: > I am otherwise occupied with > reporting as many as 120 spams a day on her other "JaneDoe" > account "@another.isp", and can't quite bring myself to doing > battle with the spammers on a second front. I have no problem with deleting all spams unopened and unpreviewed as an alternative to reporting them. > For now, they filter > to a covert folder where she won't be opening them and trying to > "unsubscribe" to them, as is her flustered response whenever she > sees them. Yes. I think it is a good strategy to hide spams from those who would be potentially spamcurious or spamreaders or spamconfused by implementing good filtering methods, and to oversee what is being hidden to finetune the filters. Also, it would be good to get feedback on what is being missed by the filter as well as what's being hidden. She could move the spams into a Junk folder where you could examine them. Unfortunately they've been previewed, but maybe she could use the 'exercise' to learn the discipline of moving spamitems without opening them to 'read' or respond to. > She won't give up the "preview" pane, and she will hit removes. I have > no choice but to keep them completely out of her awareness. Yes. That strategy works. > Until I am convinced that they can be reported securely, they will > continue to be forwarded to my trusted friend, Dave Null. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Fri Jul 23 10:13:13 2004 From: MikeE at ster.invalid (Mike Easter) Date: Fri Jul 23 12:15:02 2004 Subject: [SC-Help] Re: Enlighten me on this. References: Message-ID: Mike Easter wrote: > Yes. I think it is a good strategy to hide spams from those who would > be potentially spamcurious or spamreaders or spamconfused by > implementing good filtering methods, and to oversee what is being > hidden to finetune the filters. Or, another strategy would be to create a Junk and a Suspect, both hidden from her and separate from her Inbox. The Junk would be based on some good spamfiltering system. Her Inbox would be only whitelisteds. The Suspect would be non-whitelisted non-junk. That way, you are in control of what isn't whitelisted, and thus she should actually receive zero spam. You would use the Suspect to finetune instead of her receiving any spam at all, that way she doesn't have to move any spam from her Inbox to a Junk folder as I described below, and therefore she needs to develop no discipline. > Also, it would be good to get > feedback on what is being missed by the filter as well as what's > being hidden. She could move the spams into a Junk folder where you > could examine them. Unfortunately they've been previewed, but maybe > she could use the 'exercise' to learn the discipline of moving > spamitems without opening them to 'read' or respond to. -- Mike Easter kibitzer, not SC admin From h9vzc2i02 at sneakemail.com Fri Jul 23 10:12:33 2004 From: h9vzc2i02 at sneakemail.com (Anon_) Date: Fri Jul 23 12:20:02 2004 Subject: [SC-Help] Re: Enlighten me on this. References: Message-ID: "Glenn Daniels" wrote in message news:cdr6su$vas$1@news.spamcop.net... > > She won't give up the "preview" pane, and she will hit removes. I have > no choice but to keep them completely out of her awareness. > > > ^2 If spam is handled or reported carelessly or insecurely, and/or > > reported 'badly' - it would be better to delete all spam unopened and > > unpreviewed. > > > > Until I am convinced that they can be reported securely, they will > continue to be forwarded to my trusted friend, Dave Null. Perhaps > at some point, I may opt to "report as mole" for this account, ** Unfortunately, mole does not add to the SCBL, so is less effective than reporting (maybe using quick if you are sure you won't report yourself.) -- A SpamCop user and forum reader, Not Admin *** From h9vzc2i02 at sneakemail.com Fri Jul 23 11:04:37 2004 From: h9vzc2i02 at sneakemail.com (Anon_) Date: Fri Jul 23 13:05:05 2004 Subject: [SC-Help] Re: Enlighten me on this. References: Message-ID: "Mike Easter" wrote in message news:cdrdi4$88q$1@news.spamcop.net... > Mike Easter wrote: > > Yes. I think it is a good strategy to hide spams from those who would > > be potentially spamcurious or spamreaders or spamconfused by > > implementing good filtering methods, and to oversee what is being > > hidden to finetune the filters. > > Or, another strategy would be to create a Junk and a Suspect, both > hidden from her and separate from her Inbox. ** In oe this is very easy to do. Click on view -> layout and for the "folder list" checkbox: put a check mark in the box (click apply) and the folder list appears where you can add your "junk folders) leave it unchecked (click apply to switch views) for your wife (this hides all the extra folders you create). That way you can control the spam your filters put in your special folders so she does not get to fool with them. -- A SpamCop user and forum reader, Not Admin *** From nobody at devnull.spamcop.net Fri Jul 23 14:13:35 2004 From: nobody at devnull.spamcop.net (Glenn Daniels) Date: Fri Jul 23 13:15:03 2004 Subject: [SC-Help] Re: Enlighten me on this. References: Message-ID: "Mike Easter" wrote in message: > Or, another strategy would be to create a Junk and a Suspect, both > hidden from her and separate from her Inbox. > > The Junk would be based on some good spamfiltering system. Her Inbox > would be only whitelisteds. The Suspect would be non-whitelisted > non-junk. That way, you are in control of what isn't whitelisted, and > thus she should actually receive zero spam. You would use the Suspect > to finetune instead of her receiving any spam at all, that way she > doesn't have to move any spam from her Inbox to a Junk folder as I > described below, and therefore she needs to develop no discipline. > Curious that you describe exactly how I have her mail client filters set up. Whitelisted items only sort to the Inbox, spamitems sort to covert Spam, items with viral signatures sort to covert folder "Trash", and the rest sorts to another covert folder "Pending Review". FWIW, she is fluent in at least six languages that come to mind, but computerese is not among them. If I have anything to say as relates to her computer, she responds in something other than English to remind me that she simply does not want to hear it. Thus we understand one another perfectly!, and therefore she needs to develop no discipline (to borrow a phrase) as far as spam is concerned. Glenn, ;) From MikeE at ster.invalid Fri Jul 23 13:55:06 2004 From: MikeE at ster.invalid (Mike Easter) Date: Fri Jul 23 16:00:08 2004 Subject: [SC-Help] Re: "Possible forgery. Supposed receiving system..." Message References: Message-ID: posted to .help & .spam; f/ups to .help .spam is the wrong place to discuss a parsing problem; instead a tracking url and your question should be posted in .help or spamcop slynch wrote: > It seems that I am not able to post a lot of spam reports because > spammers are now using "code names" if front of the email address in > the headers and this is confusing the SPAMCOP reporting system into > thinking the "to:" section is a forgery. Here is an example: Your analysis of the 'why' for the problem isn't correct. Describing a problem with snippets of the verbose output isn't nearly as useful as posting a tracking url of a parse of the actual item in question. We can discuss the actual message here by your posting what is called the tracking url, which is a link at the top of the parse in this context: This page may be saved for future reference: www.spamcop.net/sc?id=z564730866za65e8a7660ebd447f4770d0c8cdb6ed2z You can copy that tracking url for the item you are discussing by resubmitting and reparsing it, copying the tracker, cancelling the reparse report, and pasting the tracker in here. That tracker lets us look at the actual item in question. Discussing 'mistakes' the parser makes helps contribute to resolving those mistakes; preventing their recurrence in the future. Discussing descriptions of spam and problems parsing is largely a waste of time; the only thing that matters is the actual entire item as it is available in the form of a tracking url. -- Mike Easter kibitzer, not SC admin From h9vzc2i02 at sneakemail.com Fri Jul 23 16:33:11 2004 From: h9vzc2i02 at sneakemail.com (Anon_) Date: Fri Jul 23 18:35:03 2004 Subject: [SC-Help] Re: Enlighten me on this. References: Message-ID: "Glenn Daniels" wrote in message news:cdrgv9$c4n$1@news.spamcop.net... > "Mike Easter" wrote in message: > > Or, another strategy would be to create a Junk and a Suspect, both > > hidden from her and separate from her Inbox. > > > > The Junk would be based on some good spamfiltering system. Her Inbox > > would be only whitelisteds. The Suspect would be non-whitelisted > > non-junk. That way, you are in control of what isn't whitelisted, and > > thus she should actually receive zero spam. You would use the Suspect > > to finetune instead of her receiving any spam at all, that way she > > doesn't have to move any spam from her Inbox to a Junk folder as I > > described below, and therefore she needs to develop no discipline. > > > > Curious that you describe exactly how I have her mail client filters > set up. Whitelisted items only sort to the Inbox, spamitems sort to > covert Spam, items with viral signatures sort to covert folder "Trash", > and the rest sorts to another covert folder "Pending Review". > > FWIW, she is fluent in at least six languages that come to mind, but > computerese is not among them. If I have anything to say as relates > to her computer, she responds in something other than English to > remind me that she simply does not want to hear it. Thus we > understand one another perfectly!, and therefore she needs to > develop no discipline (to borrow a phrase) as far as spam is > concerned. > > Glenn, ;) > > ** If you divert the spam into the hidden folders as described in my other post - you can avoid all the interplay between you and your wife. I know of what you speak - MY wife sounds just like your wife in regard to computers and spam. (Fortunately, /her/ e-mail address is not a dictionary type name so she gets very very few spams.) -- A SpamCop user and forum reader, Not Admin *** From Martin.Edwards5 at btinternet.com Sat Jul 24 15:57:39 2004 From: Martin.Edwards5 at btinternet.com (Martin Edwards) Date: Sat Jul 24 09:55:03 2004 Subject: [SC-Help] Netscape Webmail Message-ID: It was a few weeks ago, but thanks to whoever pointed out the following. The full headers you get from the above do not copy and paste in usable form: they are fragged. Now I paste them into Wordpad, reformat them and copy and paste into the brower. I follow strict procedure: ie with false bounces, empty posts and viruses I prse the headers only and report manually. From tvenhola at cc.hut.fi Sun Jul 25 19:20:50 2004 From: tvenhola at cc.hut.fi (Tuomas Venhola) Date: Sun Jul 25 14:25:04 2004 Subject: [SC-Help] Problem obtaining a password. Message-ID: As I seem to be unable to submit spam via form anymore and I should register my address thru "Security upgrade - please obtain a password" link, but following that link just gets me to a page with "No valid email address entered:" text. What should I do? -- Tuomas "Jykke" Venhola Please don't tell my mother I'm a programmer - she thinks I play piano at the local bordello. From MikeE at ster.invalid Sun Jul 25 12:48:46 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sun Jul 25 14:55:03 2004 Subject: [SC-Help] Re: Problem obtaining a password. References: Message-ID: Tuomas Venhola wrote: > As I seem to be unable to submit spam via form anymore and I should > register my address thru "Security upgrade - please obtain a password" > link, but following that link just gets me to a page with "No valid > email address entered:" text. > > What should I do? Enter a valid email address in the 'slot' -- if it doesn't work, try try again. That address will get a pw mailed to it. -- Mike Easter kibitzer, not SC admin From sherrard at zipcon.net Sun Jul 25 17:49:09 2004 From: sherrard at zipcon.net (Jean R. Sherrard) Date: Sun Jul 25 19:50:04 2004 Subject: [SC-Help] Weird problem - ATT: SPAMCOP ADMIN Message-ID: Hi all, I'm just wondering if anyone's seen this before: since yesterday afternoon, all my email, spam or not, has arrived without subject information. Further, the headers all dumped into the body of the message. Also, binary attachments are now dumped into the body of the message. I've checked my other email accounts, and only the one that filters through spamcop has been affected in this way. And the situation is the same when I view message through webmail. I don't believe I've altered settings over the last couple days in any way. Any ideas? Best--Jean (Have accessed account through both Mac and PC with same results - and my isp says it's not on their end. Only difference is spamcop) From MikeE at ster.invalid Sun Jul 25 19:16:00 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sun Jul 25 21:20:03 2004 Subject: [SC-Help] Re: what does the following mean (on 'report to'...) References: <41044FF4.57B2E953@attglobal.net> Message-ID: posted to .spam & .help -- f/ups to .help Tanya wrote: > Report Spam to: > > Re: 213.122.234.130 (Administrator of network where email originates) > To: Internal spamcop handling: (bt) (Notes) > > the part i don't understand is the "Internal spamcop handling: > (bt)"......... > > incidentally this was following reporting overt porn -- becoming the > norm these days :( > thanks in advance! Housekeeping first.... The ng .spam is only for posting spam, but that's not the best way to communicate about a spam item. It is better to post the tracker url for the item in a normal ng, thus the entire spam and the logic can be expressed with a single linking url. So, better would have been to post your question in spamcop or .help with the tracker and not posted anything in .spam at all. No one usually reads anything in .spam because there is [supposed to be] only spam there. Answering second... There were links in the verbose which explained the (bt) situation. btinternet's spamcop items are handled 'specially': Report routing for 213.122.234.130: abuse@btinternet.com abuse@btinternet.com redirects to bt@admin.spamcop.net So, you are seeing the shorthand for bt@admin.spamcop.net -- Mike Easter kibitzer, not SC admin From Kilgallen at SpamCop.net Sun Jul 25 21:31:56 2004 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Sun Jul 25 21:35:03 2004 Subject: [SC-Help] Re: Weird problem - ATT: SPAMCOP ADMIN References: Message-ID: In article , "Jean R. Sherrard" writes: > Hi all, > I'm just wondering if anyone's seen this before: Then the "ATT: SPAMCOP ADMIN" to ward off ordinary users seems wrong. From sherrard at zipcon.net Sun Jul 25 19:35:13 2004 From: sherrard at zipcon.net (Jean R. Sherrard) Date: Sun Jul 25 21:40:03 2004 Subject: [SC-Help] Re: Weird problem - ATT: SPAMCOP ADMIN References: Message-ID: "Larry Kilgallen" wrote in message news:TN+s3C843$Yp@eisner.encompasserve.org... > In article , "Jean R. Sherrard" writes: > > Hi all, > > I'm just wondering if anyone's seen this before: > > Then the "ATT: SPAMCOP ADMIN" to ward off ordinary users seems wrong. Hey, Larry, I'm in trouble here. No one replied to my original post so I tagged it. No one replied to this one except Larry to complain that my header doesn't match my text. Thanks a bunch! From wb8tyw at qsl.network Sun Jul 25 23:06:16 2004 From: wb8tyw at qsl.network (John E. Malmberg) Date: Sun Jul 25 22:10:05 2004 Subject: [SC-Help] Re: Weird problem - ATT: SPAMCOP ADMIN In-Reply-To: References: Message-ID: Jean R. Sherrard wrote: > > No one replied to this one except Larry to complain that my header doesn't > match my text. > > Thanks a bunch! There have been 6 posts today at the time I am composing this, two of them yours. > No one replied to my original post so I tagged it. A quick scan backwards do not reveal a previous post with that title with out the ATT: SPAMCOP ADMIN with in in the past few days. Nor does any other posts with your name show up in that period. > since yesterday afternoon, all my email, spam or not, has arrived without > subject information. > > Further, the headers all dumped into the body of the message. Also, binary > attachments are now dumped into the body of the message. > > I've checked my other email accounts, and only the one that filters through > spamcop has been affected in this way. And the situation is the same when I > view message through webmail. > > I don't believe I've altered settings over the last couple days in any way. > > Any ideas? It appears that you have an issue with the spamcop.net mail system. Formerly the person maintaining that system was only committing to monitoring the spamcop.mail newsgroup. However earlier this year, support for the spamcop.net mail system moved to the a web based forum, along with the primary help. At the time it was posted that the spamcop.help and spamcop.mail newsgroups were eventually going to be shut down. This has resulted in a greatly reduced number of people that are watching this forum for posts. And normally the volume of posts on the weekend has always been very low. Now it is almost non-existent. I do not use the spamcop.net mail system, so I do not have any ideas on how it works. -John wb8tyw@qsl.network Personal Opinion Only From nobody at devnull.spamcop.net Sun Jul 25 22:49:14 2004 From: nobody at devnull.spamcop.net (WazoO) Date: Sun Jul 25 22:50:10 2004 Subject: [SC-Help] Re: Weird problem - ATT: SPAMCOP ADMIN References: Message-ID: "Jean R. Sherrard" wrote in message news:ce1gtm$tgh$1@news.spamcop.net... > > since yesterday afternoon, all my email, spam or not, has arrived without > subject information. > > Further, the headers all dumped into the body of the message. Also, binary > attachments are now dumped into the body of the message. Well, now that you're all upset, I'll just reinforce the support elsewhere thing ... JT's decision was that the Filtered E-mail account support would be done over in the web-based Forums. As far as your issue of the last few days, I can only tell you that there is no one over there making the same complaint. So you can point out that SpamCop is the only thing in common, but the large numbers of other users kind of suggests that it isn't a SpamCop thing ... not saying that your particular account and Folder set might not be hosed ... it just doesn't sound like that this is the prime cause ... Please see http://forum.spamcop.net/forums/index.php? From sherrard at zipcon.net Sun Jul 25 22:16:55 2004 From: sherrard at zipcon.net (Jean R. Sherrard) Date: Mon Jul 26 00:20:25 2004 Subject: [SC-Help] Re: Weird problem - ATT: SPAMCOP ADMIN References: Message-ID: "WazoO" wrote in message news:ce1rfb$gnb$1@news.spamcop.net... > "Jean R. Sherrard" wrote in message > news:ce1gtm$tgh$1@news.spamcop.net... > > > > since yesterday afternoon, all my email, spam or not, has arrived without > > subject information. > > > > Further, the headers all dumped into the body of the message. Also, > binary > > attachments are now dumped into the body of the message. > > Well, now that you're all upset, I'll just reinforce the > support elsewhere thing ... JT's decision was that > the Filtered E-mail account support would be done > over in the web-based Forums. As far as your > issue of the last few days, I can only tell you that > there is no one over there making the same > complaint. So you can point out that SpamCop is > the only thing in common, but the large numbers of > other users kind of suggests that it isn't a SpamCop > thing ... not saying that your particular account and > Folder set might not be hosed ... it just doesn't > sound like that this is the prime cause ... > > Please see http://forum.spamcop.net/forums/index.php? > Thanks, Wazo0, I'll try the forums. Previously, when I've needed help over the last several years I've used the newsgroups, and in fact, www.spamcop.net still directs users to spamcop.help for "general help". If I've offended, pardon me. I *had* posted my plea without garnering responses in two other likely ng spots (spamcop.mail and spamcop) under the title Weird problem. Thanks, Jean From tvenhola at cc.hut.fi Mon Jul 26 10:13:15 2004 From: tvenhola at cc.hut.fi (Tuomas Venhola) Date: Mon Jul 26 05:15:33 2004 Subject: [SC-Help] Re: Problem obtaining a password. References: Message-ID: "Mike Easter" wrote in news:ce0vdq$uuf$1 @news.spamcop.net: > Tuomas Venhola wrote: >> As I seem to be unable to submit spam via form anymore and I should >> register my address thru "Security upgrade - please obtain a >> password" link, but following that link just gets me to a page with >> "No valid email address entered:" text. >> >> What should I do? > > Enter a valid email address in the 'slot' -- if it doesn't work, try > try again. That address will get a pw mailed to it. The problem is that there is no slot to write my email address to: see http://www.niksula.cs.hut.fi/u/tvenhola/spamcop.png following the link "Security upgrade..." I get http://www.niksula.cs.hut.fi/u/tvenhola/spamcop2.png -- Tuomas "Jykke" Venhola Please don't tell my mother I'm a programmer - she thinks I play piano at the local bordello. From b.prazak at btinternet.com Mon Jul 26 14:11:24 2004 From: b.prazak at btinternet.com (Bazzer) Date: Mon Jul 26 08:15:27 2004 Subject: [SC-Help] Password Messages Not Being Received Message-ID: <77t9g0ldujkoc3mjk97phhscnil80idm0e@4ax.com> Twice today I have attempted to get a log-in password. Both times, the web page has informed me that a message is being sent to me but, several hours later, nothing has arrived. Come to think of it - in the past few days - my spam reports have not received any responses. Any ideas? Bazzer From MikeE at ster.invalid Mon Jul 26 08:23:32 2004 From: MikeE at ster.invalid (Mike Easter) Date: Mon Jul 26 10:30:17 2004 Subject: [SC-Help] Re: Problem obtaining a password. References: Message-ID: Tuomas Venhola wrote: > "Mike Easter" >> Enter a valid email address in the 'slot' -- if it doesn't work, try >> try again. That address will get a pw mailed to it. > > The problem is that there is no slot to write my email address to: see > http://www.niksula.cs.hut.fi/u/tvenhola/spamcop.png > following the link "Security upgrade..." I get > http://www.niksula.cs.hut.fi/u/tvenhola/spamcop2.png Hmm. Maybe you should start at the other front door: http://www.spamcop.net/anonsignup.shtml if you are free. If you are paid you may need to correspond your problem by email [but I don't know the addy]. Also, from the first graphic I see you were logged in at the time of the screenshot. Maybe logoff and start again. -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Mon Jul 26 10:30:11 2004 From: nobody at devnull.spamcop.net (WazoO) Date: Mon Jul 26 10:35:03 2004 Subject: [SC-Help] Re: Problem obtaining a password. References: Message-ID: "Tuomas Venhola" wrote in message news:Xns95327C5F297CBtvenholacchutfi@216.154.195.61... > "Mike Easter" wrote in news:ce0vdq$uuf$1 > @news.spamcop.net: > > The problem is that there is no slot to write my email address to: see > http://www.niksula.cs.hut.fi/u/tvenhola/spamcop.png > following the link "Security upgrade..." I get > http://www.niksula.cs.hut.fi/u/tvenhola/spamcop2.png Go to and hit the Preferences button ... one of the options is to "change password" ... do this ... From nobody at spamcop.net Mon Jul 26 11:59:13 2004 From: nobody at spamcop.net (Ellen) Date: Mon Jul 26 11:10:03 2004 Subject: [SC-Help] Spam originating or spamvertizing AU sites Message-ID: We received the following request; you may want to bookmark the site if you are interested in assisting anti-spam efforts in AU "If you notice any spam advertising australian products or compnaies, or ones that have definitely originated in australia please use the Australian Communications Auhtority complaint form, and we will look into this. Information about what were looking at as a priority at this time is here: http://www.aca.gov.au/consumer_info/spam/reportingcomplaintsenquiries.ht m The URL for the complaints/reporting form is: https://www.aca.gov.au/secure/complaint_form.htm " If someone would propagate this to the appropriate forum I would appareciate it. Perhaps it should be pinned? or are there too many pinned items already? Ellen -- From nobody at spamcop.net Mon Jul 26 12:05:27 2004 From: nobody at spamcop.net (Ellen) Date: Mon Jul 26 11:10:16 2004 Subject: [SC-Help] Re: Password Messages Not Being Received References: <77t9g0ldujkoc3mjk97phhscnil80idm0e@4ax.com> Message-ID: "Bazzer" wrote in message news:77t9g0ldujkoc3mjk97phhscnil80idm0e@4ax.com... > Twice today I have attempted to get a log-in password. > > Both times, the web page has informed me that a message is being sent > to me but, several hours later, nothing has arrived. > > Come to think of it - in the past few days - my spam reports have not > received any responses. > > Any ideas? > > Bazzer I looked at your user record and your signin page and the sign in page says " You now have a new password" so it appears that the system knows you set up a new password. Try logging in with the new password. If that fails write to service@admin.spamcop.net and Don will get it straightened out. Ellen From nobody at devnull.spamcop.net Mon Jul 26 12:20:36 2004 From: nobody at devnull.spamcop.net (Cat) Date: Mon Jul 26 12:25:04 2004 Subject: [SC-Help] Re: PUMP AND DUMP ANTI SPAM - GET A FEW LAUGHS OUT OF THIS! In-Reply-To: References: Message-ID: bi-ker-shi wrote: > WARNING DID YOU RECENTLY RECEIVE SOME SECURITIES RELATED SPAM FROM THIS > CRIMINAL? Weren't you asked once before to stop posting html and attachments here? From nobody at devnull.spamcop.net Mon Jul 26 12:27:00 2004 From: nobody at devnull.spamcop.net (Cat) Date: Mon Jul 26 12:30:03 2004 Subject: [SC-Help] Re: Problem obtaining a password. In-Reply-To: References: Message-ID: Mike Easter wrote: > Tuomas Venhola wrote: >>The problem is that there is no slot to write my email address to: see >>http://www.niksula.cs.hut.fi/u/tvenhola/spamcop.png >>following the link "Security upgrade..." I get >>http://www.niksula.cs.hut.fi/u/tvenhola/spamcop2.png > > > Hmm. Maybe you should start at the other front door: > http://www.spamcop.net/anonsignup.shtml if you are free. If you are > paid you may need to correspond your problem by email [but I don't know > the addy]. > > Also, from the first graphic I see you were logged in at the time of the > screenshot. Maybe logoff and start again. I mentioned this once before, but Tuomas is right that there's no space to type in the address. Like Wazo0 said, you have to click the "change password" link instead. From eddie at eddie.web Mon Jul 26 13:35:32 2004 From: eddie at eddie.web (eddie) Date: Mon Jul 26 12:40:03 2004 Subject: [SC-Help] Re: PUMP AND DUMP ANTI SPAM - GET A FEW LAUGHS OUT OF THIS! References: Message-ID: On Mon, 26 Jul 2004 11:20:36 -0500, Cat scratched out the following: > bi-ker-shi wrote: > >> WARNING DID YOU RECENTLY RECEIVE SOME SECURITIES RELATED SPAM FROM THIS >> CRIMINAL? > > > > Weren't you asked once before to stop posting html and attachments here? That's the Harley crowd for you - a society unto their own :>) The stuck capkey is bad enough. Biker shouts and doesn't listen. Deaf, maybe? One more like this and I *PLONK* biker From MikeE at ster.invalid Mon Jul 26 10:34:02 2004 From: MikeE at ster.invalid (Mike Easter) Date: Mon Jul 26 12:40:14 2004 Subject: [SC-Help] Re: PUMP AND DUMP ANTI SPAM - GET A FEW LAUGHS OUT OF THIS! References: Message-ID: Cat wrote: > bi-ker-shi wrote: > >> WARNING DID YOU RECENTLY RECEIVE SOME SECURITIES RELATED SPAM FROM >> THIS CRIMINAL? > > > > Weren't you asked once before to stop posting html and attachments > here? http://news.spamcop.net/pipermail/spamcop-help/2004-July/062388.html Re: SPAMCOP NEVER SEEMS TO FIND THE SPAMVERTIZED URL'S IN DREW AUMAN'S CRAP Mon Jul 12 08:54:16 EDT 2004 Cat bi-ker-shi wrote: > Dear Spam Cop, I thought you fixed this last week? > > A sample follows: Please follow the "no spam posting" rule at http://spamcop.net/forum.shtml and post spam only in spamcop.spam then post discussion about it here in spamcop.help or the main spamcop newsgroup. The people who read and post here get enough spam of their own without having to see yours in a place where they are promised a spam free environment. - no one is ever entertained much by reading someone's spam which the spamreader found amusing or stupid or whatever which they shouldn't have even been reading in the first place - if the item had been actually worth reading or seeing, there is more 'latitude' with posting something like that html item in .spam than in a normal ng - bi-ker-shi also needs to learn how to turn of hir CAPS LOCK -- Mike Easter kibitzer, not SC admin From eddie at eddie.web Mon Jul 26 14:06:31 2004 From: eddie at eddie.web (eddie) Date: Mon Jul 26 13:10:04 2004 Subject: [SC-Help] Re: PUMP AND DUMP ANTI SPAM - GET A FEW LAUGHS OUT OF THIS! References: Message-ID: On Mon, 26 Jul 2004 09:34:02 -0700, Mike Easter scratched out the following: >snip > - bi-ker-shi also needs to learn how to turn of hir CAPS LOCK Those old Hog 45 Teletypes didn't have a capslock or unlock. It was one size fits all. :) From nobody at spamcop.net Mon Jul 26 13:59:14 2004 From: nobody at spamcop.net (Ellen) Date: Mon Jul 26 13:10:20 2004 Subject: [SC-Help] speaking of bogus bounces Message-ID: Appears there is a new virus/worm on the loose -- not being caught by any of the AV's yet. Looks like a bounce message with a zip attachment. Retsrain yourselves from opening the attachment :-) I almost opened the attachment as we do have people write to deputies who send attachments ... also showing up with no text at all and garbage text. The one with the bogus bounce text is most troublesome. -- Ellen From b.prazak at btinternet.com Mon Jul 26 19:13:22 2004 From: b.prazak at btinternet.com (Bazzer) Date: Mon Jul 26 13:15:06 2004 Subject: [SC-Help] Re: Password Messages Not Being Received References: <77t9g0ldujkoc3mjk97phhscnil80idm0e@4ax.com> Message-ID: On Mon, 26 Jul 2004 11:05:27 -0400, "Ellen" wrote: > I looked at your user record and your signin page and the sign in page says >" You now have a new password" so it appears that the system knows you set >up a new password. Try logging in with the new password. If that fails write >to service@admin.spamcop.net and Don will get it straightened out. > >Ellen > The problem is that I don't have a password to try - I've never received a message containing a password. From tjtmdREMOVE_THIS at attglobal.net Mon Jul 26 13:52:50 2004 From: tjtmdREMOVE_THIS at attglobal.net (Tanya) Date: Mon Jul 26 13:15:19 2004 Subject: [SC-Help] Re: what does the following mean (on 'report to'...) References: <41044FF4.57B2E953@attglobal.net> Message-ID: <410536E2.46ED68A3@attglobal.net> Mike Easter wrote: > posted to .spam & .help -- f/ups to .help > > Tanya wrote: > > Report Spam to: > > > > Re: 213.122.234.130 (Administrator of network where email originates) > > To: Internal spamcop handling: (bt) (Notes) > > > > the part i don't understand is the "Internal spamcop handling: > > (bt)"......... > > > > incidentally this was following reporting overt porn -- becoming the > > norm these days :( > > thanks in advance! > > Housekeeping first.... > > The ng .spam is only for posting spam, but that's not the best way to > communicate about a spam item. It is better to post the tracker url for > the item in a normal ng, thus the entire spam and the logic can be > expressed with a single linking url. So, better would have been to post > your question in spamcop or .help with the tracker and not posted > anything in .spam at all. > > No one usually reads anything in .spam because there is [supposed to be] > only spam there. > > Answering second... > > There were links in the verbose which explained the (bt) situation. > > btinternet's spamcop items are handled 'specially': > > Report routing for 213.122.234.130: abuse@btinternet.com > abuse@btinternet.com redirects to bt@admin.spamcop.net > > So, you are seeing the shorthand for bt@admin.spamcop.net > > -- > Mike Easter > kibitzer, not SC admin i'm bound to get it right someday -- likely when there is NO MORE SPAM thanks for the info (where to post) and the interpretation. i'd thought that even spamcop got shocked by the content LOL thanks sincerely Tanya From nobody at spamcop.net Mon Jul 26 14:29:28 2004 From: nobody at spamcop.net (Ellen) Date: Mon Jul 26 13:30:09 2004 Subject: [SC-Help] Re: Password Messages Not Being Received References: <77t9g0ldujkoc3mjk97phhscnil80idm0e@4ax.com> Message-ID: "Bazzer" wrote in message news:qpeag0l9d094tek7o31cvd2kvgb0oc6bnq@4ax.com... > On Mon, 26 Jul 2004 11:05:27 -0400, "Ellen" > wrote: > > > I looked at your user record and your signin page and the sign in page says > >" You now have a new password" so it appears that the system knows you set > >up a new password. Try logging in with the new password. If that fails write > >to service@admin.spamcop.net and Don will get it straightened out. > > > >Ellen > > > > The problem is that I don't have a password to try - I've never > received a message containing a password. Ah -- OK I have sent this on to Don to handle with you in email Ellen From postmaster at fafnir.saar.de Tue Jul 27 00:16:01 2004 From: postmaster at fafnir.saar.de (Michael) Date: Mon Jul 26 17:20:28 2004 Subject: [SC-Help] Spamcop vs. Spamassassin Message-ID: I just received my spamcop password by mail and my provider's spamassassin classified this very mail as spam (score 5.97). What bothers me is the 2.7 score of the FORGED_MUA_MOZILLA and the many blocking lists scores :-((( Would someone at Spamcop please check what's going on here? Regards, Michael (postmaster@fafnir.saar.de) ======================================================================== Return-Path: Received: from ip-comserv.saar.de (IP-comserv.saar.de [192.109.53.24]) by bellona.wg.saar.de (8.10.2-20030922/8.10.2) with ESMTP id i6QKtLA21194 for ; Mon, 26 Jul 2004 22:55:22 +0200 Received: from vmx1.spamcop.net (vmx1.spamcop.net [64.74.133.248]) by ip-comserv.saar.de (8.12.10/8.12.10/SuSE Linux 0.7) with ESMTP id i6QKt6PR015849 for ; Mon, 26 Jul 2004 22:55:07 +0200 Received: from unknown (HELO spamcop.net) (192.168.19.204) by vmx1.spamcop.net with SMTP; 26 Jul 2004 13:55:05 -0700 Received: from [80.131.123.16] by spamcop.net with HTTP; Mon, 26 Jul 2004 20:55:04 GMT From: SpamCop Authorization System To: postmaster@fafnir.saar.de Subject: [SPAM? Score 05.97] SpamCop authorization Precedence: list Message-ID: Date: Mon, 26 Jul 2004 20:55:04 GMT X-Mailer: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Opera 7.50 [en] via http://www.spamcop.net/ v1.362 X-Spam-Status: Yes, hits=6.0 required=5.0 tests=FORGED_MUA_MOZILLA, RCVD_IN_DYNABLOCK,RCVD_IN_NJABL,RCVD_IN_NJABL_DIALUP,RCVD_IN_SORBS autolearn=no version=2.63-ipev_mail_04.04.2004 X-Spam-Level: ***** X-Spam-Checker-Version: SpamAssassin 2.63-ipev_mail_04.04.2004 (2004-01-11) on ip-comserv.saar.de X-Spam-Report: * 0.1 RCVD_IN_SORBS RBL: SORBS: sender is listed in SORBS * [80.131.123.16 listed in dnsbl.sorbs.net] * 0.5 RCVD_IN_NJABL_DIALUP RBL: NJABL: dialup sender did non-local SMTP * [80.131.123.16 listed in dnsbl.njabl.org] * 2.5 RCVD_IN_DYNABLOCK RBL: Sent directly from dynamic IP address * [80.131.123.16 listed in dnsbl.sorbs.net] * 0.1 RCVD_IN_NJABL RBL: Received via a relay in dnsbl.njabl.org * [80.131.123.16 listed in dnsbl.njabl.org] * 2.7 FORGED_MUA_MOZILLA Forged mail pretending to be from Mozilla X-Spam-Flag: YES Received-SPF: pass (ip-comserv.saar.de: domain of spamcop@devnull.spamcop.net designates 64.74.133.248 as permitted sender) Status: O Someone (probably you) has requested that SpamCop email you a password. Do not share your password with anyone. If you forget your password, you may have it emailed to you. Please ensure you keep your email address current. *snip* ====================================================================== -- Using Opera's revolutionary e-mail client: http://www.opera.com/m2/ From glnews030922 at highspot.net Tue Jul 27 00:20:58 2004 From: glnews030922 at highspot.net (Graeme Leith) Date: Mon Jul 26 18:25:03 2004 Subject: [SC-Help] Re: Spamcop vs. Spamassassin In-Reply-To: References: Message-ID: Michael wrote: > I just received my spamcop password by mail and my provider's > spamassassin classified this very mail as spam (score 5.97). What > bothers me is the 2.7 score of the FORGED_MUA_MOZILLA and the many > blocking lists scores :-((( > > Would someone at Spamcop please check what's going on here? > All of the dnsbl checks are there because the mail originated from your browsers connection to the SpamCop server. Your IP address is/was 80.131.123.16, it is a dynamic address and thus listed in many dialup/dynamic lists. The forged Mozilla is there because again the mail came from your browser, not a regular MUA and so it looks to SpamAssassin like somebody is trying to forge the MUA. Though Opera 7.50 is probably seen a lot as a browser in web server logs, it's not often seen as an MUA in email. -- Evidence shows Cyveillance abuse internet resources. I recommend unchecking their box in SpamCop reports. Cyveillance are part of the problem. They are not part of the solution. From ric.gates at bigsleep.org Mon Jul 26 23:59:47 2004 From: ric.gates at bigsleep.org (Blammo) Date: Mon Jul 26 19:00:04 2004 Subject: [SC-Help] Re: Spamcop vs. Spamassassin References: Message-ID: On 26 Jul 2004 Graeme Leith entered spamcop.help and left news:ce402q$8l3$1@news.spamcop.net: > Michael wrote: >> I just received my spamcop password by mail and my provider's >> spamassassin classified this very mail as spam (score 5.97). What >> bothers me is the 2.7 score of the FORGED_MUA_MOZILLA and the many >> blocking lists scores :-((( >> >> Would someone at Spamcop please check what's going on here? >> > > All of the dnsbl checks are there because the mail originated from your > browsers connection to the SpamCop server. Your IP address is/was > 80.131.123.16, it is a dynamic address and thus listed in many > dialup/dynamic lists. > 2.5 RCVD_IN_DYNABLOCK RBL: Sent directly from dynamic IP address * [80.131.123.16 listed in dnsbl.sorbs.net] I would consider that an error since it was sent via http -- | Ric | From glnews030922 at highspot.net Tue Jul 27 01:43:26 2004 From: glnews030922 at highspot.net (Graeme Leith) Date: Mon Jul 26 19:45:19 2004 Subject: [SC-Help] Re: Spamcop vs. Spamassassin In-Reply-To: References: Message-ID: Blammo wrote: > On 26 Jul 2004 Graeme Leith entered spamcop.help and left > news:ce402q$8l3$1@news.spamcop.net: > > >>Michael wrote: >> >>>I just received my spamcop password by mail and my provider's >>>spamassassin classified this very mail as spam (score 5.97). What >>>bothers me is the 2.7 score of the FORGED_MUA_MOZILLA and the many >>>blocking lists scores :-((( >>> >>>Would someone at Spamcop please check what's going on here? >>> >> >>All of the dnsbl checks are there because the mail originated from your >>browsers connection to the SpamCop server. Your IP address is/was >>80.131.123.16, it is a dynamic address and thus listed in many >>dialup/dynamic lists. >> > > > 2.5 RCVD_IN_DYNABLOCK RBL: Sent directly from dynamic IP address > * [80.131.123.16 listed in dnsbl.sorbs.net] > > I would consider that an error since it was sent via http Blame compromised web form mailers for it. It's a valid test. That said, if I was writing the SC system, I would have the web form post the record to a database and then another job pull the db records and send the mail. That would remove the possibility of any dynamic hosts in the headers of the mail and the forged MUA problems. -- Evidence shows Cyveillance abuse internet resources. I recommend unchecking their box in SpamCop reports. Cyveillance are part of the problem. They are not part of the solution. From burke10 at attglobal.net Tue Jul 27 10:51:25 2004 From: burke10 at attglobal.net (bi-ker-shi) Date: Tue Jul 27 05:55:24 2004 Subject: [SC-Help] Re: PUMP AND DUMP ANTI SPAM - GET A FEW LAUGHS OUT OF THIS! References: Message-ID: Hi all, I did read all of your responses and took them all on board. As I said before, I have been known to cop the odd speeding ticket now and then, sorry about that. Firstly let me point out that what I posted was not SPAM, it was written by me and as yet has not been emailed to anyone or posted in any other NG, hardly what you would call SPAM. Secondly I do know that some of you have newsreaders that cannot cope with mime type text/html (or is there some other reason for you concern). In any case if I decide that I want to include a gif in the presentation then it's got to be text/html and it's my problem that this reduces the potential audience, a choice I would like to make on a message by message basis. So you might ask, what was the purpose of this post? Quite simply, there are many vistors to these pages myself included who have registered domains and have been troubled by the growing problem of Spammers using their domains, i.e. Joe Jobs. I guess you lot don't run a domain and don't know what I am talking about? The Pump and Dump spammer is the worst of these and recent statistics show that while other kinds of Spam are declining this kind is on the increase. Furthermore Pump and Dump Joe Jobs are very hard to fight. When the spammers are say selling drugs, you can at least follow the spamvertized url that typically lists a local phone number. Then you can place an order and find out where they want you to post the money. If you have time you can wait outside the post box to see who it is who collects the money. So how do we fight this thing? The authorities have all but given up, it is just too expensive to try and catch these criminals. So I thought, if this were a marketing campaign or a political campaign how would we do it? The answer is really quite simple. If you are a victim of such a joe job, locate the details of who has bounced this Spam to you. Next write them a polite letter and ask them to email all of their clients with a message similar to the one I posted. Point out that it will be a very effective and inexpensive way to neutralise the power of this kind of Spam. Did I make you laugh, or was this a case of not so much slapstick as slipslop? Ah forget it. From me at privacy.net Tue Jul 27 07:56:45 2004 From: me at privacy.net (Frog Prince) Date: Tue Jul 27 07:25:02 2004 Subject: [SC-Help] Re: PUMP AND DUMP ANTI SPAM - GET A FEW LAUGHS OUT OF THIS! References: Message-ID: "bi-ker-shi" wrote in message news:ce58iv$iua$1@news.spamcop.net... Secondly I do know that some of you have newsreaders that cannot cope with mime type text/html (or is there some other reason for you concern). In any case if I decide that I want to include a gif in the presentation then it's got to be text/html and it's my problem that this reduces the potential audience, a choice I would like to make on a message by message basis. Might consider that folk who don't care for HTML block ALL post from those who use it regardless of the frequency. So by the application of HTML you permanently restrict your potential audience. YMMV but not by much in this ng. From nobody at spamcop.net Tue Jul 27 07:22:08 2004 From: nobody at spamcop.net (Miss Betsy) Date: Tue Jul 27 07:25:14 2004 Subject: [SC-Help] Re: PUMP AND DUMP ANTI SPAM - GET A FEW LAUGHS OUT OF THIS! References: Message-ID: "eddie" wrote in message news:pan.2004.07.26.16.35.32.89000@eddie.web... > One more like this and I *PLONK* biker I don't ever *PLONK* people, but I don't read the original post until after I have read Cat's or Mike's. In this case, I will remember not to read hir posts. Miss Betsy From MikeE at ster.invalid Tue Jul 27 06:10:42 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jul 27 08:15:04 2004 Subject: [SC-Help] Re: PUMP AND DUMP ANTI SPAM - GET A FEW LAUGHS OUT OF THIS! References: Message-ID: bi-ker-shi wrote: Content-Type: text/html; > I did read all of your responses and took them all on board. But, you are still posting in html > mime type text/html (or is there some other reason for you > concern). Yes. > Did I make you laugh, or was this a case of not so much slapstick as > slipslop? You are still posting in html, I guess to make a point that you can do that if you want. But it isn't appropriate for various reasons. The discussions in this thread concern conforming to newsgroup guidelines or netiquette. The issue of not posting spam anywhere but the newsgroup .spam came up in another thread when you posted a spam back in June. That is a 'local' spamcop guideline. The /general/ newsgroup guidelines of avoiding 'prolonged' capslock and no html are explained in many different pointers for newsgroup newbies in various places which also instruct how to turn off html for newsgroup posting. Your newsreaaer is OE and you turn off html at Tools/ Options/ Send tab/ News sending format section -check plaintext. The points which are being emphasiszed here under your second capslocked subject thread besides capslock are that: - you should post to newsgroups in plaintext, not html - when posting spam, it should be posted in the newsgroup spamcop.spam - if it is necessary to post something 'unusual' - such as a graphic or html - good sense should tell you to not post something which is not plaintext into a plaintext newsgroup. It is more forgivable to use the .spam newsgroup for such an item in these newsgroups, and point to the non-plaintext item there with one in plaintext here. Your explanation of why it was necessary to construct an html message to make your point or joke about the initial post in this thread doesn't make the argument against those points. Your insistence on continuing to use html doesn't either. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Tue Jul 27 07:09:31 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jul 27 09:15:03 2004 Subject: [SC-Help] Re: PUMP AND DUMP ANTI SPAM - GET A FEW LAUGHS OUT OF THIS! References: Message-ID: Mike Easter wrote: > The /general/ newsgroup guidelines of avoiding 'prolonged' capslock > and no html are explained in many different pointers for newsgroup > newbies in various places The seven don'ts of Usenet http://www.cs.tut.fi/~jkorpela/usenet/dont.html - 2. Don't post anything but plain text to Usenet, except to groups where other formats are explicitly allowed. No HTML, no vCards, no GIFs or other binaries. news.newusers.questions http://member.newsguy.com/~schramm/nhtml.html - Posting News Using HTML - Please don't. HTML-formatted postings are not welcomed in newsgroups. Newsgroup Newbie Tips http://rock13.com/webhelp/usenet/newbie.txt - 2. Post ONLY plain text. No HTML, images, or other binaries. Place these on the web and post a URL. Posting HTML is fine, posting _in_ HTML is not. Basically, it makes you look foolish. -- Mike Easter kibitzer, not SC admin From eddie at eddie.web Tue Jul 27 12:25:31 2004 From: eddie at eddie.web (eddie) Date: Tue Jul 27 11:30:04 2004 Subject: [SC-Help] Re: PUMP AND DUMP ANTI SPAM - GET A FEW LAUGHS OUT OF THIS! References: Message-ID: On Tue, 27 Jul 2004 05:10:42 -0700, Mike Easter scratched out the following: > bi-ker-shi wrote: > Content-Type: text/html; > >> I did read all of your responses and took them all on board. > > But, you are still posting in html > >> mime type text/html (or is there some other reason for you concern). > > You are still posting in html, I guess to make a point that you can do > that if you want. But it isn't appropriate for various reasons. snip > Your explanation of why it was necessary to construct an html message to > make your point or joke about the initial post in this thread doesn't make > the argument against those points. Your insistence on continuing to use > html doesn't either. Many of us do not have our newsreaders set to read HTML. All I see is the source code which is nothing but clutter at the bottom of the text. And so I insert a 30-day PLONK to hir for ignoring common sense. From tjtmdREMOVE_THIS at attglobal.net Tue Jul 27 12:57:15 2004 From: tjtmdREMOVE_THIS at attglobal.net (Tanya) Date: Tue Jul 27 12:20:15 2004 Subject: [SC-Help] Cyveillance abuse internet resources ????????????? Message-ID: <41067B5B.646C1E66@attglobal.net> hi, i saw this on someone's sig file (to uncheck the box when reporting) is this a fact? thanks From eddie at eddie.web Tue Jul 27 13:39:52 2004 From: eddie at eddie.web (eddie) Date: Tue Jul 27 12:40:03 2004 Subject: [SC-Help] Re: Cyveillance abuse internet resources ????????????? References: <41067B5B.646C1E66@attglobal.net> Message-ID: On Tue, 27 Jul 2004 11:57:15 -0400, Tanya scratched out the following: > hi, > i saw this on someone's sig file > (to uncheck the box when reporting) > is this a fact? > thanks I believe it's an opinion. It was argued very hotly herein some time ago. I leave the box checked. I also ignore sigs (Bumperstickers) with political and other message since I usually disagree with them and prefer to ignore the clutter. Besides, if the sig never changes, it's really redundant once you have seen it the first dozen times or so. From MikeE at ster.invalid Tue Jul 27 10:42:17 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jul 27 12:45:04 2004 Subject: [SC-Help] Re: Cyveillance abuse internet resources ????????????? References: <41067B5B.646C1E66@attglobal.net> Message-ID: Tanya wrote: > i saw this on someone's sig file > (to uncheck the box when reporting) > is this a fact? > thanks One way to research this is to use google advanced web and search for 'cyveillance' limited to 'spamcop.net' domain. That gives you these 787 hits http://www.google.com/search?as_q=cyveillance&num=10&hl=en&ie=UTF-8&c2co ff=1&btnG=Google+Search&as_epq=&as_oq=&as_eq=&lr=&as_ft=i&as_filetype=&a s_qdr=all&as_nlo=&as_nhi=&as_occt=any&as_dt=i&as_sitesearch=spamcop.net& safe=images and then pick selected items from those, such as this one from Marjolein Katsma to Scott C. Scott C. > Thanks. Your signature is interesting...I stopped sending my reports to Cyveillance several months ago...just bad vibes. What do you know about them and their activities ?? Cyveillance wants copies of *all* spam it turns up as "interested" for every spam you report. In return, they contribute to Julian for the cost of the bandwidth involved (but reportedly Julian does not actually make money on the deal). It's not clear what exactly Cyveillance wants with all that spam, but they have customers --who pay them a lot of money-- for whom they trace and investigate infringements of copyright and trademarks. While that * might* help fighting a small number of spammers, it's unclear what they want *all* spam. Even so, they make money on the basis of our spam reports (if we do send them to Cyveillance). Still, it seems Julian considers them "the enemy of our enemy" and thus sort of a friend. Meanwhile, Cyveillance also spiders a lot of websites; but not only do they completely ignore the robots standard, they also hammer sites repeatedly and fast. But many people who have limited bandwidth with their hosting, or pay for bandwidth - and thus have set their robots files (or meta tags) to tell the robots to stay away. Since Cyveillance ignores this completely, and spiders the site anyway, this has led to people actually losing their sites or facing a hefty extra fee for the extra bandwidth Cyveillance is using (for thewir own profit). Apart from that, Cyveillance's bot disguises itself as a "normal" browser, and hides itself further by having no reverse DNS on the IP numbers their bot is using. (Polite bots state who they are, and respect the robots rules). Thus, in my opinion, Cyveillance is my enemy, too - not a friend. So the advice is to UNcheck the checkbox for reports going to them (or if you're a paying reporter, set your settings so that by default no reports are going to third parties). They don't deserve our help to make their money. If you come across spam that involves any kind of copyright infringement, you can send reports yourself to the companies involved (see 'Spam reporting addresses' in my sig). -- Mike Easter kibitzer, not SC admin From glnews030922 at highspot.net Tue Jul 27 18:59:31 2004 From: glnews030922 at highspot.net (Graeme Leith) Date: Tue Jul 27 13:00:14 2004 Subject: [SC-Help] Re: Cyveillance abuse internet resources ????????????? In-Reply-To: <41067B5B.646C1E66@attglobal.net> References: <41067B5B.646C1E66@attglobal.net> Message-ID: Tanya wrote: > hi, > i saw this on someone's sig file > (to uncheck the box when reporting) > is this a fact? > thanks That would be me. I even have a canned response for queries about my sig. ;-) Cyveillance have a robot that trawls through web sites looking for stolen intellectual property. The robot ignores the robots.txt exclusion protocol, originates from IP addresses that don't reverse lookup to Cyveillance and tries to look like an ordinary user by spoofing its user agent. The robots.txt (defacto) standard is used amongst other purposes to stop robots getting stuck in dynamic pages and to stop robots generating costs for people who pay for their web services by the amount of data they transfer. By ignoring it, Cyveillance are seeking to make a profit by exploiting resources that other people pay for, much like spammers do. Cyveillance could avoid abusing peoples servers by sending people to look at pages that robots are banned from. Of course this would increase their costs, just like spammers costs would increase by using ethical mailing practices. Cyveillance, like spammers, choose to ignore peoples wishes in order to make their money. If you run a web site, you may want to grep your logs for visits from 63.148.99.224/27 & 65.118.41.192/27. You may also want to firewall those addresses if you find that they have been abusing your resources for their profit. If you look back to the June and July 2003 archives for the main SpamCop newsgroup, you'll see quite a bit of discussion on the matter. Specific responses from Julian & Cyveillance: http://news.spamcop.net/pipermail/spamcop-list/2003-June/044984.html http://news.spamcop.net/pipermail/spamcop-list/2003-June/045279.html General archive: http://news.spamcop.net/pipermail/spamcop-list/ There are more ethical companies that perform the same service, such as NameProtect, who identify their bot and obey the robots.txt protocol. Their robot is perfectly welcome on my sites. Cyveillance are firewalled whenever I find them. Julian (as is his right) has decided that Cyveillance are a good thing. Quite a few people think otherwise and there is no warning on the SpamCop site as to the abuses Cyveillance get up to. So I just leave the sig there in an attempt to warn any newbies who drop by the newsgroups. -- Evidence shows Cyveillance abuse internet resources. I recommend unchecking their box in SpamCop reports. Cyveillance are part of the problem. They are not part of the solution. From Merlyn at Spamcop.net Tue Jul 27 14:03:09 2004 From: Merlyn at Spamcop.net (Merlyn) Date: Tue Jul 27 13:05:03 2004 Subject: [SC-Help] Re: Cyveillance abuse internet resources ????????????? References: <41067B5B.646C1E66@attglobal.net> Message-ID: "eddie" wrote in message news:pan.2004.07.27.16.39.51.839000@eddie.web... > On Tue, 27 Jul 2004 11:57:15 -0400, Tanya scratched out the following: > > > hi, > > i saw this on someone's sig file > > (to uncheck the box when reporting) > > is this a fact? > > thanks > > I believe it's an opinion. It was argued very hotly herein some time ago. > I leave the box checked. > I also ignore sigs (Bumperstickers) with political and other message since > I usually disagree with them and prefer to ignore the clutter. > Besides, if the sig never changes, it's really redundant once you have > seen it the first dozen times or so. You wouldn't ignore them if they pounded your server to death with false identification. If that car did a hit and run on you and all you saw was the bumper sticker you wouldn't forget it. nuff said. -- Regards, Merlyn A Spamcop advocate No emails this account is for newsgroups only People demand freedom of speech to make up for the freedom of thought which they avoided From tvenhola at cc.hut.fi Tue Jul 27 18:06:26 2004 From: tvenhola at cc.hut.fi (Tuomas Venhola) Date: Tue Jul 27 13:10:03 2004 Subject: [SC-Help] Re: Problem obtaining a password. References: Message-ID: "WazoO" wrote in news:ce34hj$k2m$1 @news.spamcop.net: > Go to and hit the Preferences button ... one of the options > is to "change password" ... do this ... Thanks, this was the solution to my problem. :) -- Tuomas "Jykke" Venhola Please don't tell my mother I'm a programmer - she thinks I play piano at the local bordello. From dkona7b02 at sneakemail.com Tue Jul 27 14:09:41 2004 From: dkona7b02 at sneakemail.com (Spam Hater) Date: Tue Jul 27 13:10:42 2004 Subject: [SC-Help] Mirrored Newsgroups, was Re: Cyveillance abuse internet resources ????????????? In-Reply-To: References: <41067B5B.646C1E66@attglobal.net> Message-ID: <3.0.5.32.20040727130941.00fcf3c8@loki.fstrf.org> Why does Google list anything from the spamcop.net domain??? Why are their bots allowed to snatch our posts and archive them for searching when this is supposed to be a private news server??? That puts us all at greater risk for receiving even more SPAM, especially now that the latest virus variants are using Google to search for more targets! http://www.macworld.co.uk/news/index.cfm?NewsID=9250&Page=1&pagePos=3 At 09:42 AM 7/27/2004 -0700, Mike Easter typed: >One way to research this is to use google advanced web and search for >'cyveillance' limited to 'spamcop.net' domain. That gives you these 787 >hits >http://www.google.com/search?as_q=cyveillance&num=10&hl=en&ie=UTF-8&c2co >ff=1&btnG=Google+Search&as_epq=&as_oq=&as_eq=&lr=&as_ft=i&as_filetype=&a >s_qdr=all&as_nlo=&as_nhi=&as_occt=any&as_dt=i&as_sitesearch=spamcop.net& >safe=images and then >pick selected items from those, such as this one from Marjolein Katsma >to Scott C. From MikeE at ster.invalid Tue Jul 27 11:33:53 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jul 27 13:40:03 2004 Subject: [SC-Help] Re: Mirrored Newsgroups, was Re: Cyveillance abuse internet resources ????????????? References: <41067B5B.646C1E66@attglobal.net> Message-ID: Spam Hater wrote: > Why does Google list anything from the spamcop.net domain??? Why are > their bots allowed to snatch our posts and archive them for searching > when this is supposed to be a private news server??? I'm not 'defending' the practice, just explaining it a little. Google doesn't [really] access the newsserver, altho' there are a few google groups posts from news.spamcop.net from spamcop.help http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&c2coff=1&group=spamco p.help the most recent July 25, total about 3000. Where google is scraping from is from the web archives of the mailing list which reflects the newsgroups. That is, mailman works the newsgroups into and out of a mailing list. Pipermail archives those mailing list items as http://news.spamcop.net/pipermail/spamcop-help/ and http://news.spamcop.net/pipermail/spamcop-geeks/ and http://news.spamcop.net/pipermail/spamcop-digest/ and http://news.spamcop.net/pipermail/spamcop-social/ and http://news.spamcop.net/pipermail/spamcop-mail/ thru' '03 Nov. > That puts us all at greater risk for receiving even more SPAM, > especially now that the latest virus variants are using Google to > search for more targets! Mailing lists are a fairly nasty form of unsafe cyberhex. Many people who protect their addies in usenet ng/s may have to expose them for mailing list activities. Then, various services like google or gmane^1 may access the mailing lists one way or another and expose newsgroup activities unexpectedly. Gmane's ability to archive is huge. So is google's but it doesn't have much. I have converted over some mailing lists I was on to gmane nntp. ^1 gmane provides access to spamcop ng posts as both nntp and http as well as email. gmane.mail.spam.spamcop.announce (nntp, http) Occasional news and announcements about SpamCop (read-only) gmane.mail.spam.spamcop.email (nntp, http) A mailing list to discuss the SpamCop Email System gmane.mail.spam.spamcop.geeks (nntp, http) Technical discussions about non-spam matters gmane.mail.spam.spamcop.help (nntp, http) Help about SpamCop and spam gmane.mail.spam.spamcop.social (nntp, http) Social and off-topic discussions gmane.mail.spam.spamcop.user (nntp, http) Mailing list to mirror the spamcop newsgroup -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Tue Jul 27 11:49:13 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jul 27 13:55:04 2004 Subject: [SC-Help] Re: Mirrored Newsgroups, was Re: Cyveillance abuse internet resources ????????????? References: <41067B5B.646C1E66@attglobal.net> Message-ID: Mike Easter wrote: > Gmane's ability to archive is > huge. So is google's but it doesn't have much. I meant google groups doesn't have much. Google web has a lot more. But gmane has about 80000 posts just from the spamcop group alone, and those posts are accessible by nntp or webforum. Altho' gmane provides the option to encrypt the email addresses, they currently are not. -- Mike Easter kibitzer, not SC admin From eddie at eddie.web Tue Jul 27 15:00:10 2004 From: eddie at eddie.web (eddie) Date: Tue Jul 27 14:05:04 2004 Subject: [SC-Help] Re: Cyveillance abuse internet resources ????????????? References: <41067B5B.646C1E66@attglobal.net> Message-ID: On Tue, 27 Jul 2004 13:03:09 -0400, Merlyn scratched out the following: snip > You wouldn't ignore them if they pounded your server to death with false > identification. No I wouldn't. But they don't. And checking a box on SC or not wouldn't help, would it? I would lodge a complaint against them. > If that car did a hit and run on you and all you saw was the bumper > sticker you wouldn't forget it. I would write down the license plate number and/or shoot out the tires, especially if the bumpersticker said my kid is in the top 99% of his class, or some such thing. From dkona7b02 at sneakemail.com Tue Jul 27 15:10:02 2004 From: dkona7b02 at sneakemail.com (Spam Hater) Date: Tue Jul 27 14:10:10 2004 Subject: [SC-Help]Re: Mirrored Newsgroups, was Re: Cyveillance abuse internetresources ????????????? In-Reply-To: References: <41067B5B.646C1E66@attglobal.net> Message-ID: <3.0.5.32.20040727141002.00fcddf8@loki.fstrf.org> So, is there no way to prevent these so called "services" from doing what they do?? Don't they ask anyone's permission before they start archiving things that are supposed to be kept private? Not only are we all more at risk for receiving SPAM, but this also explains how the SPAMmers keep one step ahead of the parser. They don't even need to access the list directly, they can just do a Google search on "SpamCop is broken" to find all the reported flaws... :( At 10:33 AM 7/27/2004 -0700, Mike Easter typed: >Mailing lists are a fairly nasty form of unsafe cyberhex. Many people >who protect their addies in usenet ng/s may have to expose them for >mailing list activities. Then, various services like google or gmane^1 >may access the mailing lists one way or another and expose newsgroup >activities unexpectedly. Gmane's ability to archive is huge. So is >google's but it doesn't have much. From Merlyn at Spamcop.net Tue Jul 27 15:34:45 2004 From: Merlyn at Spamcop.net (Merlyn) Date: Tue Jul 27 14:35:03 2004 Subject: [SC-Help] Re: Cyveillance abuse internet resources ????????????? References: <41067B5B.646C1E66@attglobal.net> Message-ID: "eddie" wrote in message news:pan.2004.07.27.18.00.10.246000@eddie.web... > On Tue, 27 Jul 2004 13:03:09 -0400, Merlyn scratched out the following: > > snip > > You wouldn't ignore them if they pounded your server to death with false > > identification. > > No I wouldn't. But they don't. According to my logs they do! -- Regards, Merlyn A Spamcop advocate No emails this account is for newsgroups only People demand freedom of speech to make up for the freedom of thought which they avoided From MikeE at ster.invalid Tue Jul 27 13:07:13 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jul 27 15:10:04 2004 Subject: [SC-Help]Re: Mirrored Newsgroups, was Re: Cyveillance abuse internetresources ????????????? References: <41067B5B.646C1E66@attglobal.net> Message-ID: Spam Hater wrote: > Mike Easter typed: >> Mailing lists are a fairly nasty form of unsafe cyberhex. Many >> people who protect their addies in usenet ng/s may have to expose >> them for mailing list activities. > So, is there no way to prevent these so called "services" from doing > what they do?? In your situation, we are talking about the problem of mailing lists. You want to access a ng with/from/to a mailing list. That creates problems right there. IMO, you would be much better off accessing a newsgroup with a newsreader and using a bogus From. Since a mailing list goes out to 'whoever' wants to be mailed the list, it doesn't have the same kind of 'feed' relationships as a newsserver does. The public newsserver is 'private'. The mailing list is 'broadcast'. So, anything which gets the mailing list, including you, can 'store' those mails in whatever form you like, which is what gmane does. It doesn't get any nntp feeds; it gets the same thing which you get mailed to you and then it archives and provides access as nntp, webforum, or a 'different' mailing list than the one you use. Many people are also disadvantaged by mailing lists and the limitations of their mailuser agent. Depending upon the mua and the mail provider, you may not be able to email to a mailing list unless you use a 'real' email address. Some people wouldn't even be able to use a sneakemail addy with some other provider > Don't they ask anyone's permission before they > start archiving things that are supposed to be kept private? Not exactly. And, it is not exactly private if it is a both a public 'private' newsserver and a mailing list which is 'open' to anyone or anything who signs up. > Not only > are we all more at risk for receiving SPAM, but this also explains how > the SPAMmers keep one step ahead of the parser. My email address here in the spamcop newsgroups is just like the one I use on the big wild and wooly usenet, an .invalid one. I'm not worried about it getting spammed. Why don't you use a newsreader to access a newsgroup instead of a mua accessing a mailing list? -- Mike Easter kibitzer, not SC admin From mouselike at gmail.com Tue Jul 27 21:55:26 2004 From: mouselike at gmail.com (mouselike) Date: Tue Jul 27 15:55:04 2004 Subject: [SC-Help] sending to freeserve problem? Message-ID: when sending to freeserve addresses from my spamcop webmail i get The following message to .freeserve.co.uk> was undeliverable. The reason for the problem: 5.1.0 - Unknown address error 554-': Client host rejected: Access denied' Final-Recipient: rfc822;pete@.freeserve.co.uk Action: failed Status: 5.0.0 (permanent failure) Diagnostic-Code: smtp; 5.1.0 - Unknown address error 554-': Client host rejected: Access denied' (delivery attempts: 0) Reporting-MTA: dns; c60.cesmail.net Have freeserve blocked spamcops server? or what is the problem - sending from my gmail account doesnt seem to return an error. Anyone got any help? Thanks in advance! Tom - www.mouselike.org From nobody at devnull.spamcop.net Tue Jul 27 16:02:55 2004 From: nobody at devnull.spamcop.net (Cat) Date: Tue Jul 27 16:05:04 2004 Subject: [SC-Help] Re: PUMP AND DUMP ANTI SPAM - GET A FEW LAUGHS OUT OF THIS! In-Reply-To: References: Message-ID: bi-ker-shi wrote: > Hi all, > > I did read all of your responses and took them all on board. As I said > before, I have been known to cop the odd speeding ticket now and then, > sorry about that. > > Firstly let me point out that what I posted was not SPAM, it was written > by me and as yet has not been emailed to anyone or posted in any other > NG, hardly what you would call SPAM. Of course it wasn't SPAM. SPAM in all caps is a yucky tasting meat and does not refer to the lower case e-mail version spam. Hormel is very ticky about people not using their trademarked all caps SPAM to refer to their product. > Secondly I do know that some of you have newsreaders that cannot cope > with mime type text/html (or is there some other reason for you > concern). In any case if I decide that I want to include a gif in the > presentation then it's got to be text/html and it's my problem that this > reduces the potential audience, a choice I would like to make on a > message by message basis. Just because you "feel like" posting in html sometimes, that does not make it acceptable for you to do it. Like others have said, posting html in newsgroups is considered rude. Also, this newsgroup used to include the "no html posting" rule on the forum page. The rule is no longer listed there, but that does not mean that you are allowed to do it anyway. The "no html posting" rule still stands here although it is no longer listed on the forum page. > So you might ask, what was the purpose of this post? To annoy your fellow newsgroup readers? Since you have started posting to this newsgroup, you have done nothing but post spam to the wrong group or post html. There isn't much useful about anything you have posted here. I wonder why you seem to think newsgroup rules and general netiquette rules don't apply to you. From dkona7b02 at sneakemail.com Tue Jul 27 17:07:42 2004 From: dkona7b02 at sneakemail.com (Spam Hater) Date: Tue Jul 27 16:07:48 2004 Subject: [SC-Help] Re: Mirrored Newsgroups: ATTN: Deputies In-Reply-To: References: <41067B5B.646C1E66@attglobal.net> Message-ID: <3.0.5.32.20040727160742.0133fe20@loki.fstrf.org> See my responses inline... At 12:07 PM 7/27/2004 -0700, Mike Easter typed: >Spam Hater wrote: >> Mike Easter typed: >>> Mailing lists are a fairly nasty form of unsafe cyberhex. Many >>> people who protect their addies in usenet ng/s may have to expose >>> them for mailing list activities. > >> So, is there no way to prevent these so called "services" from doing >> what they do?? > >In your situation, we are talking about the problem of mailing lists. >You want to access a ng with/from/to a mailing list. That creates >problems right there. IMO, you would be much better off accessing a >newsgroup with a newsreader and using a bogus From. Since a mailing >list goes out to 'whoever' wants to be mailed the list, it doesn't have >the same kind of 'feed' relationships as a newsserver does. The public >newsserver is 'private'. The mailing list is 'broadcast'. Depends on your perspective, I guess... To me, you are accessing a mailing list from/to a news group... :) >So, anything which gets the mailing list, including you, can 'store' >those mails in whatever form you like, which is what gmane does. It >doesn't get any nntp feeds; it gets the same thing which you get mailed >to you and then it archives and provides access as nntp, webforum, or a >'different' mailing list than the one you use. So, someone or something signed up gmane to start receiving the email feed... Who would do that? To stop it, wouldn't it be a simple matter to unsubscribe the gmane feeder and block it from signing up again? That also doesn't explain how Google is getting ahold of our posts! >Many people are also disadvantaged by mailing lists and the limitations >of their mailuser agent. Depending upon the mua and the mail provider, >you may not be able to email to a mailing list unless you use a 'real' >email address. Some people wouldn't even be able to use a sneakemail >addy with some other provider I can send with any name I like, but unlike the newsgroups, you have to sign up for email access so I have to use a live address. :( Sneakemail was my only alternative. >> Don't they ask anyone's permission before they >> start archiving things that are supposed to be kept private? > >Not exactly. And, it is not exactly private if it is a both a public >'private' newsserver and a mailing list which is 'open' to anyone or >anything who signs up. But again, someone signed it up! Someone that wanted the flexibility of using one news feed for all their browsing decided their needs out weighed the privacy needs of everyone else... :( >> Not only >> are we all more at risk for receiving SPAM, but this also explains how >> the SPAMmers keep one step ahead of the parser. > >My email address here in the spamcop newsgroups is just like the one I >use on the big wild and wooly usenet, an .invalid one. I'm not worried >about it getting spammed. So, as long as you don't have to worry about your address being scraped from here, everything is fine?? >Why don't you use a newsreader to access a newsgroup instead of a mua >accessing a mailing list? Newsgroups are so 1980's... I can't believe anyone uses them any longer. With all of the SPAM they attract, they have been pretty much useless for years now! I find email much easier to manage and have less problems with formatting issues like most of the whiny newsgroup crowd! :) From me at privacy.net Tue Jul 27 17:39:51 2004 From: me at privacy.net (Frog Prince) Date: Tue Jul 27 16:50:03 2004 Subject: [SC-Help] Re: PUMP AND DUMP ANTI SPAM - GET A FEW LAUGHS OUT OF THIS! References: Message-ID: "Cat" | | To annoy your fellow newsgroup readers? Since you have started posting | to this newsgroup, you have done nothing but post spam to the wrong | group or post html. There isn't much useful about anything you have | posted here. I wonder why you seem to think newsgroup rules and general | netiquette rules don't apply to you. Remember the adage that 95% of the world's population suffers from hemorrhoids... the other 5% are perfects A** H***s. From nobody at devnull.spamcop.net Tue Jul 27 16:53:30 2004 From: nobody at devnull.spamcop.net (WazoO) Date: Tue Jul 27 16:55:02 2004 Subject: [SC-Help] Re: sending to freeserve problem? References: Message-ID: "mouselike" wrote in message news:ce6brd$g9k$1@news.spamcop.net... > > Have freeserve blocked spamcops server? or what is the problem - sending > from my gmail account doesnt seem to return an error. please see http://forum.spamcop.net/forums/index.php?showtopic=2193 and http://forum.spamcop.net/forums/index.php?showtopic=2057 From mouselike at gmail.com Tue Jul 27 23:52:31 2004 From: mouselike at gmail.com (mouselike) Date: Tue Jul 27 17:55:04 2004 Subject: [SC-Help] Re: sending to freeserve problem? References: Message-ID: Thankyou! Freeserve suck :o) - how can blocking spamcop mail benefit their users!? Tom - www.mouselike.org "WazoO" wrote in message news:ce6fca$mo8$1@news.spamcop.net... > "mouselike" wrote in message > news:ce6brd$g9k$1@news.spamcop.net... > > > > Have freeserve blocked spamcops server? or what is the problem - sending > > from my gmail account doesnt seem to return an error. > > please see http://forum.spamcop.net/forums/index.php?showtopic=2193 > and http://forum.spamcop.net/forums/index.php?showtopic=2057 > > From mouselike at gmail.com Wed Jul 28 00:06:06 2004 From: mouselike at gmail.com (mouselike) Date: Tue Jul 27 18:05:02 2004 Subject: [SC-Help] Re: sending to freeserve problem? References: Message-ID: Posted a message to their support (After a month of using stupid web forms and having to use internet explorer as its not firefox compatible!) Shal see what they say and report back here :> (if they bother replying with a personal reply *waits for the copy/pasted generic help on how to press the power button on the computer*) Tom - www.mouselike.org "mouselike" wrote in message news:ce6in4$u30$1@news.spamcop.net... > Thankyou! > > Freeserve suck :o) - how can blocking spamcop mail benefit their users!? > > Tom - www.mouselike.org > > "WazoO" wrote in message > news:ce6fca$mo8$1@news.spamcop.net... > > "mouselike" wrote in message > > news:ce6brd$g9k$1@news.spamcop.net... > > > > > > Have freeserve blocked spamcops server? or what is the problem - sending > > > from my gmail account doesnt seem to return an error. > > > > please see http://forum.spamcop.net/forums/index.php?showtopic=2193 > > and http://forum.spamcop.net/forums/index.php?showtopic=2057 > > > > > > From ric.gates at bigsleep.org Wed Jul 28 00:15:01 2004 From: ric.gates at bigsleep.org (Blammo) Date: Tue Jul 27 19:15:35 2004 Subject: [SC-Help] Re: Spamcop vs. Spamassassin References: Message-ID: On 26 Jul 2004 Graeme Leith entered spamcop.help and left news:ce44sr$i67$1@news.spamcop.net: >> 2.5 RCVD_IN_DYNABLOCK RBL: Sent directly from dynamic IP address >> * [80.131.123.16 listed in dnsbl.sorbs.net] >> >> I would consider that an error since it was sent via http > > > Blame compromised web form mailers for it. It's a valid test. > I think the score is too high. When the Received header contains "with HTTP" it's added by a script, not "Sent directly from". > That said, if I was writing the SC system, I would have the web form > post the record to a database and then another job pull the db records > and send the mail. That would remove the possibility of any dynamic > hosts in the headers of the mail and the forged MUA problems. No need to use a database, you simply pick a different header to stick the IP and UserAgent in. Besides, if he sent mail to himself he'd get a 0.7 score, so that's another issue. -- | Ric | From tjtmdREMOVE_THIS at attglobal.net Tue Jul 27 20:36:19 2004 From: tjtmdREMOVE_THIS at attglobal.net (Tanya) Date: Tue Jul 27 20:00:05 2004 Subject: [SC-Help] problem whether a message islegit (with a url) Message-ID: <4106E6F3.357E3C83@attglobal.net> hello, have been querying various facilities last few days and tonight received a message which i do not know if it is spam "You recently submitted a question/comment, please click on the link below to view your reply. [...link...] thanks, Dr. Ho" i ran it through sc and it came up with abuse@an isp.whatever etc. don't know how to check past reports with certainty but clicked on the routing details for [isp's ip numbers] and don't know how to interpret. i would really hate to miss some potentially important into please advise thanks! From tjtmdREMOVE_THIS at attglobal.net Tue Jul 27 20:37:42 2004 From: tjtmdREMOVE_THIS at attglobal.net (Tanya) Date: Tue Jul 27 20:00:16 2004 Subject: [SC-Help] Re: Cyveillance abuse internet resources ????????????? References: <41067B5B.646C1E66@attglobal.net> Message-ID: <4106E746.9E06957B@attglobal.net> eddie wrote: > On Tue, 27 Jul 2004 11:57:15 -0400, Tanya scratched out the following: > > > hi, > > i saw this on someone's sig file > > (to uncheck the box when reporting) > > is this a fact? > > thanks > > I believe it's an opinion. It was argued very hotly herein some time ago. > I leave the box checked. thanks From tjtmdREMOVE_THIS at attglobal.net Tue Jul 27 20:55:10 2004 From: tjtmdREMOVE_THIS at attglobal.net (Tanya) Date: Tue Jul 27 20:20:03 2004 Subject: [SC-Help] Re: Cyveillance abuse internet resources ????????????? References: <41067B5B.646C1E66@attglobal.net> Message-ID: <4106EB5E.D086013A@attglobal.net> > > Thanks. Your signature is interesting...I stopped sending my reports > to Cyveillance several months ago...just bad vibes. What do you know > about them and their activities ?? > > Cyveillance wants copies of *all* spam it turns up as "interested" for > every spam you report. In return, they contribute to Julian for the > cost of the bandwidth involved (but reportedly Julian does not actually > make money on the deal). > > It's not clear what exactly Cyveillance wants with all that spam, but > they have customers --who pay them a lot of money-- for whom they trace > and investigate infringements of copyright and trademarks. While that * > might* help fighting a small number of spammers, it's unclear what they > want *all* spam. Even so, they make money on the basis of our spam > reports (if we do send them to Cyveillance). Still, it seems Julian > considers them "the enemy of our enemy" and thus sort of a friend. > > Meanwhile, Cyveillance also spiders a lot of websites; but not only do > they completely ignore the robots standard, they also hammer sites > repeatedly and fast. But many people who have limited bandwidth with > their hosting, or pay for bandwidth - and thus have set their robots > files (or meta tags) to tell the robots to stay away. Since Cyveillance > ignores this completely, and spiders the site anyway, this has led to > people actually losing their sites or facing a hefty extra fee for the > extra bandwidth Cyveillance is using (for thewir own profit). Apart > from that, Cyveillance's bot disguises itself as a "normal" browser, and > hides itself further by having no reverse DNS on the IP numbers their > bot is using. (Polite bots state who they are, and respect the robots > rules). > > Thus, in my opinion, Cyveillance is my enemy, too - not a friend. > > So the advice is to UNcheck the checkbox for reports going to them (or > if you're a paying reporter, set your settings so that by default no > reports are going to third parties). They don't deserve our help to > make their money. > > If you come across spam that involves any kind of copyright > infringement, you can send reports yourself to the companies involved > (see 'Spam reporting addresses' in my sig). > > > -- > Mike Easter > kibitzer, not SC admin thank you for the *url* and info wonder whether this has anything to do with the fact that the more i report the more i get I APOLOGIZE FOR OFFENDING ANYONE really guess i'll experiment and uncheck it for a while sincerely Tanya From tjtmdREMOVE_THIS at attglobal.net Tue Jul 27 21:01:44 2004 From: tjtmdREMOVE_THIS at attglobal.net (Tanya) Date: Tue Jul 27 20:25:05 2004 Subject: [SC-Help] Re: Cyveillance abuse internet resources ????????????? References: <41067B5B.646C1E66@attglobal.net> Message-ID: <4106ECE8.D975BA4C@attglobal.net> Graeme Leith wrote: > > That would be me. I even have a canned response for queries about my > sig. ;-) yes :) > Cyveillance have a robot that trawls through web sites looking for > stolen intellectual property. The robot ignores the robots.txt exclusion > protocol, originates from IP addresses that don't reverse lookup to > Cyveillance and tries to look like an ordinary user by spoofing its user > agent. > > The robots.txt (defacto) standard is used amongst other purposes to stop > robots getting stuck in dynamic pages and to stop robots generating > costs for people who pay for their web services by the amount of data > they transfer. By ignoring it, Cyveillance are seeking to make a profit > by exploiting resources that other people pay for, much like spammers > do. Cyveillance could avoid abusing peoples servers by sending people to > look at pages that robots are banned from. Of course this would increase > their costs, just like spammers costs would increase by using ethical > mailing practices. Cyveillance, like spammers, choose to ignore peoples > wishes in order to make their money. > > If you run a web site, you may want to grep your logs for visits from > 63.148.99.224/27 & 65.118.41.192/27. You may also want to firewall those > addresses if you find that they have been abusing your resources for > their profit. > > If you look back to the June and July 2003 archives for the main SpamCop > newsgroup, you'll see quite a bit of discussion on the matter. > > Specific responses from Julian & Cyveillance: > http://news.spamcop.net/pipermail/spamcop-list/2003-June/044984.html > http://news.spamcop.net/pipermail/spamcop-list/2003-June/045279.html > > General archive: > http://news.spamcop.net/pipermail/spamcop-list/ > > There are more ethical companies that perform the same service, such as > NameProtect, who identify their bot and obey the robots.txt protocol. > Their robot is perfectly welcome on my sites. Cyveillance are firewalled > whenever I find them. > > Julian (as is his right) has decided that Cyveillance are a good thing. > Quite a few people think otherwise and there is no warning on the > SpamCop site as to the abuses Cyveillance get up to. So I just leave the > sig there in an attempt to warn any newbies who drop by the newsgroups. > > -- > Evidence shows Cyveillance abuse internet resources. > I recommend unchecking their box in SpamCop reports. > Cyveillance are part of the problem. > They are not part of the solution. thanks for the information and for the links (and the sig file since there still seems to be a debate btwn checking or unchecking) sincerely Tanya From tjtmdREMOVE_THIS at attglobal.net Tue Jul 27 21:56:05 2004 From: tjtmdREMOVE_THIS at attglobal.net (Tanya) Date: Tue Jul 27 21:20:05 2004 Subject: [SC-Help] please disregard Re: problem whether a message islegit (with a url) References: <4106E6F3.357E3C83@attglobal.net> Message-ID: <4106F9A5.83403BD1@attglobal.net> Tanya wrote: > hello, > have been querying various facilities last few days and tonight received > a message which i do not know if it is spam > "You recently submitted a question/comment, > please click on the link below to view your reply. > [...link...] > thanks, > Dr. Ho" > i ran it through sc and it came up with abuse@an isp.whatever etc. don't > know how to check past reports with certainty but clicked on the routing > details for [isp's ip numbers] and don't know how to interpret. > i would really hate to miss some potentially important into > please advise > thanks! please disregard From yuser at yandex.ru Wed Jul 28 11:04:20 2004 From: yuser at yandex.ru (e) Date: Wed Jul 28 02:05:21 2004 Subject: [SC-Help] Need advice on how to fight DoS Message-ID: Our web server is currently under attack very similar to the one that's been happenning to SpamCop last year. I remember that Julian has managed to keep the server running even under these attacks. So, I would be grateful for any advice on how to stop it. Reply to newsgroup or personally - email address is a working one. Brief desciption of a problem: We get numerous connections from zombie machines all over the world to port 80. They send between 5 and 6 Kbytes of arbitrary data (a single line of lowercase letters), but do not make any http request, thus just holding the connection. When connection terminates by timeout, it is replaced by another one. Here's a tail of an apache log: 68.1.76.129 - - [28/Jul/2004:09:36:46 +0400] "-" 408 - ref:"-" 68.49.145.67 - - [28/Jul/2004:09:36:46 +0400] "-" 408 - ref:"-" 81.227.26.195 - - [28/Jul/2004:09:36:47 +0400] "-" 408 - ref:"-" 24.16.236.13 - - [28/Jul/2004:09:36:48 +0400] "-" 408 - ref:"-" 24.130.62.204 - - [28/Jul/2004:09:36:48 +0400] "-" 408 - ref:"-" 68.39.39.68 - - [28/Jul/2004:09:36:48 +0400] "-" 408 - ref:"-" 83.226.140.227 - - [28/Jul/2004:09:36:49 +0400] "-" 408 - ref:"-" 83.226.140.227 - - [28/Jul/2004:09:36:49 +0400] "-" 408 - ref:"-" 81.227.26.195 - - [28/Jul/2004:09:37:08 +0400] "-" 408 - ref:"-" 81.227.26.195 - - [28/Jul/2004:09:37:12 +0400] "-" 408 - ref:"-" From nobody at devnull.spamcop.net Wed Jul 28 02:16:54 2004 From: nobody at devnull.spamcop.net (WazoO) Date: Wed Jul 28 02:30:03 2004 Subject: [SC-Help] Re: Need advice on how to fight DoS References: Message-ID: "e" wrote in message news:pan.2004.07.28.06.04.18.206277@yandex.ru... > Our web server is currently under attack very similar to the one that's > been happenning to SpamCop last year. > I remember that Julian has managed to keep the server running even under > these attacks. > So, I would be grateful for any advice on how to stop it. > Reply to newsgroup or personally - email address is a working one. Julian's ultimate solution turns out to be a rather expensive hook-up with Akamai, which primarily removes the "one-doorway" mode. Suspicions are that you aren't flush enough to absorb these costs (else you'd have a staff of 'experts' already working the issue) For a work-through from someone else that has gone through what you're asking about, http://www.grc.com/dos/drdos.htm On one hand, Stave had a helpful upstream, but you'll note that help from other quarters has still been pretty lackluster. From nobody at spamcop.net Wed Jul 28 12:00:42 2004 From: nobody at spamcop.net (Howard Phillips) Date: Wed Jul 28 06:05:21 2004 Subject: [SC-Help] Who's been eating my spam? Message-ID: When I log on I see that I have no spam to report. This is strange as I always have one or two to report. The last spam on record that I have submitted: Quote: Submitted: Thu Jul 22 11:35:28 2004 GMT 22 July 2004 12:35:28 +0100: What's happened to my spam submitted after this time? My mail hosts are correct / what else could be wrong? From nobody at spamcop.net Wed Jul 28 09:33:23 2004 From: nobody at spamcop.net (Ellen) Date: Wed Jul 28 08:40:25 2004 Subject: [SC-Help] Re: Need advice on how to fight DoS References: Message-ID: "e" wrote in message news:pan.2004.07.28.06.04.18.206277@yandex.ru... > Our web server is currently under attack very similar to the one that's > been happenning to SpamCop last year. > I remember that Julian has managed to keep the server running even under > these attacks. > So, I would be grateful for any advice on how to stop it. > Reply to newsgroup or personally - email address is a working one. > > Brief desciption of a problem: > We get numerous connections from zombie machines all over the world to > port 80. They send between 5 and 6 Kbytes of arbitrary data (a single line > of lowercase letters), but do not make any http request, thus just holding > the connection. When connection terminates by timeout, it is replaced by > another one. > > Here's a tail of an apache log: > 68.1.76.129 - - [28/Jul/2004:09:36:46 +0400] "-" 408 - ref:"-" > 68.49.145.67 - - [28/Jul/2004:09:36:46 +0400] "-" 408 - ref:"-" > 81.227.26.195 - - [28/Jul/2004:09:36:47 +0400] "-" 408 - ref:"-" > 24.16.236.13 - - [28/Jul/2004:09:36:48 +0400] "-" 408 - ref:"-" > 24.130.62.204 - - [28/Jul/2004:09:36:48 +0400] "-" 408 - ref:"-" > 68.39.39.68 - - [28/Jul/2004:09:36:48 +0400] "-" 408 - ref:"-" > 83.226.140.227 - - [28/Jul/2004:09:36:49 +0400] "-" 408 - ref:"-" > 83.226.140.227 - - [28/Jul/2004:09:36:49 +0400] "-" 408 - ref:"-" > 81.227.26.195 - - [28/Jul/2004:09:37:08 +0400] "-" 408 - ref:"-" > 81.227.26.195 - - [28/Jul/2004:09:37:12 +0400] "-" 408 - ref:"-" > > I asked a friend of mine about this -- he says "put pound or a squid reverse-proxy in front of the webserver" -- and asks " does the data being sent contain the pattern "-nb GET" at all?" As this discussion is rapidly getting to the far edge of my understanding and as I suspect it belongs in geeks not in help I have set followups to geeks ... Ellen From nobody at devnull.spamcop.net Wed Jul 28 10:05:24 2004 From: nobody at devnull.spamcop.net (Glenn Daniels) Date: Wed Jul 28 09:10:03 2004 Subject: [SC-Help] To send, or not to send... Message-ID: Complaint: Spam without a spamvertiser is alleged. Don't bother to look if kiddie porn upsets you. It is not about that anyway. Reference tracker: http://www.spamcop.net/sc?id=z572775815z4fbbfa58c3cb91aef078d8045a2d77d9z Spam apparently sources to hanaro.com. My "read" says forged "From:" header. My "read" says same forged "From:" is repeated in spambody as alleged purveyor of kiddie porn. On the one hand, the "read" is "this is spam, report." On the other hand, I believe the "Subject:" and spambody are pure fiction intended to damage the reputation and the name of the forged "From:". I want this spammer shut down as I expect you and I could as easily be targeted for this sort of loathesome attack. It would not be a first to see spam forging my addy as the "From:". I want to avoid being pushed to the top of his "hit list", so I am reluctant to report him to the spammer friendly ISP. Mr. Spade does not seem to trace Spammy's IP through APNIC too well. Any thoughts/suggestions how to proceed? TIA, Glenn From postmaster at fafnir.saar.de Wed Jul 28 16:51:11 2004 From: postmaster at fafnir.saar.de (Michael) Date: Wed Jul 28 09:55:03 2004 Subject: [SC-Help] Re: Spamcop vs. Spamassassin References: Message-ID: On Mon, 26 Jul 2004 23:20:58 +0100, Graeme Leith wrote: > Michael wrote: >> I just received my spamcop password by mail and my provider's >> spamassassin classified this very mail as spam (score 5.97). What >> bothers me is the 2.7 score of the FORGED_MUA_MOZILLA and the many >> blocking lists scores :-((( >> Would someone at Spamcop please check what's going on here? >> > > All of the dnsbl checks are there because the mail originated from your > browsers connection to the SpamCop server. Your IP address is/was > 80.131.123.16, it is a dynamic address and thus listed in many > dialup/dynamic lists. > > The forged Mozilla is there because again the mail came from your > browser, not a regular MUA and so it looks to SpamAssassin like somebody > is trying to forge the MUA. Though Opera 7.50 is probably seen a lot as > a browser in web server logs, it's not often seen as an MUA in email. > Thanks for clarification, I did'nt notice, the webmailer was picking my IP address and UA to construct the initial headers. Regards, Michael -- Using Opera's revolutionary e-mail client: http://www.opera.com/m2/ From MikeE at ster.invalid Wed Jul 28 09:41:27 2004 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jul 28 11:45:02 2004 Subject: [SC-Help] Re: To send, or not to send... References: Message-ID: Glenn Daniels wrote: www.spamcop.net/sc?id=z572775815z4fbbfa58c3cb91aef078d8045a2d77d9z That is a spam purporting to provide access to kiddie porn if you contact the email addy which appears in the body and the From. The source IP is listed in numerous spam db/s. It could be a joejob or it could be real or it could be a sting. You wouldn't be able to figure that out unless you wanted to 'get involved' -- which I would strongly recommend against. > Any thoughts/suggestions how to proceed? I would feed the spam to spamcop to tick the SCbl and I would notify the provider for the spamvertised eml addy [which is also the From]. You /could/ opt to only to a SC notify on the source The email domain utcom.ru has mail handled by sovintel.ru and its IP is under sovintel and sovintel isn't listed anywhere like spamhaus or spews as being unresponsive and they could determine what to do about the spam item's spamvertised eml addy. That way the provider could figure out how to investigate the item. They are in a better position to figure out a sting, joejob, or real porn connection. -- Mike Easter kibitzer, not SC admin From P.scadden at ^no-spam^remove.gns.cri.nz Thu Jul 29 09:32:00 2004 From: P.scadden at ^no-spam^remove.gns.cri.nz (Phil Scadden) Date: Wed Jul 28 16:35:03 2004 Subject: [SC-Help] Is no http:// enough to stop Spamcop finding links in email message? Message-ID: Noticed is recent reports that if the spam references sites with no http:// in front of it, then spamcop doesnt find the link. Eg this one - http://www.spamcop.net/sc?id=z573363849z4e49929cc1d150c2d737715c59289d59z Is this by design? From nobody at devnull.spamcop.net Wed Jul 28 17:12:31 2004 From: nobody at devnull.spamcop.net (WazoO) Date: Wed Jul 28 17:15:04 2004 Subject: [SC-Help] Re: Is no http:// enough to stop Spamcop finding links in email message? References: Message-ID: "Phil Scadden" wrote in message news:ce92g2$i3a$1@news.spamcop.net... > Noticed is recent reports that if the spam references sites with no http:// > in front of it, then > spamcop doesnt find the link. Eg this one - > http://www.spamcop.net/sc?id=z573363849z4e49929cc1d150c2d737715c59289d59z > > Is this by design? By design of the spammer, yes. From dkona7b02 at sneakemail.com Wed Jul 28 18:20:46 2004 From: dkona7b02 at sneakemail.com (Spam Hater) Date: Wed Jul 28 17:20:50 2004 Subject: [SC-Help]Is no http:// enough to stop Spamcop finding links in email message? In-Reply-To: Message-ID: <3.0.5.32.20040728172046.017a4e48@loki.fstrf.org> Yes, unfortunately, it is by design... The content type for that part of the SPAM was text/html so the parser in constrained to looking for valid HTML code. The link, as written, is merely bolded text, not a clickable URL at all, so the parser skips past it. Since it is supposed to be HTML and since it isn't written correctly, your browser or email client shouldn't make it a clickable link for you, but for "convenience" some do just that! They take anything that looks like it might possibly be an URL and treat it as such. The parser can't take risks like that so it errs on the side of correctness. At 08:32 AM 7/29/2004 +1200, Phil Scadden typed: >Noticed is recent reports that if the spam references sites with no http:// >in front of it, then >spamcop doesnt find the link. Eg this one - >http://www.spamcop.net/sc?id=z573363849z4e49929cc1d150c2d737715c59289d59z > >Is this by design? From notgiven at nodomain.net Wed Jul 28 18:20:21 2004 From: notgiven at nodomain.net (C. S.) Date: Wed Jul 28 17:25:05 2004 Subject: [SC-Help] Re: Is no http:// enough to stop Spamcop finding links in email message? References: Message-ID: Sometime around Thu, 29 Jul 2004 08:32:00 +1200, "Phil Scadden" deemed it necessary to offer: > Noticed is recent reports that if the spam references sites with no http:// > in front of it, then > spamcop doesnt find the link. Eg this one - > http://www.spamcop.net/sc?id=z573363849z4e49929cc1d150c2d737715c59289d59z > > Is this by design? > ===>Content-Type: multipart/alternative; boundary="--5034677413566296955" It's actually 'Text/HTML' This'll trip up the parser for all sorts of things, however, that particular bit of spam tripe is purposely done up so that the URL is not an 'active' link. This is a known limitation of the SC parser, which is why it's being exploited. This isn't seen as a valid 'active' HTML URL:

My profile www.spammercrap.com

But this is; notice the difference?

My profile

I've been receiving a bunch of these lately; they're all redirecting to hootyhoo.com or similar. From JohnJBurnessAT at ieeDOT.orgNOSPAM Thu Jul 29 00:10:57 2004 From: JohnJBurnessAT at ieeDOT.orgNOSPAM (John J. Burness) Date: Wed Jul 28 18:15:05 2004 Subject: [SC-Help]Is no http:// enough to stop Spamcop finding links in email message? In-Reply-To: References: Message-ID: Spam Hater wrote: > Yes, unfortunately, it is by design... The content type for that part of the SPAM > was text/html so the parser in constrained to looking for valid HTML code. The link, > as written, is merely bolded text, not a clickable URL at all, so the parser skips past > it. Since it is supposed to be HTML and since it isn't written correctly, your browser > or email client shouldn't make it a clickable link for you, but for "convenience" some do > just that! They take anything that looks like it might possibly be an URL and treat it > as such. The parser can't take risks like that so it errs on the side of correctness. > > At 08:32 AM 7/29/2004 +1200, Phil Scadden typed: > > >>Noticed is recent reports that if the spam references sites with no http:// >>in front of it, then >>spamcop doesnt find the link. Eg this one - >>http://www.spamcop.net/sc?id=z573363849z4e49929cc1d150c2d737715c59289d59z >> >>Is this by design? Unfortunately, this has been mentioned many, many times before!! The spammer "deliberately" calls his coding HTML & sc believes him!!! (thereby contravening No 1 Rule of "Never believe a spammer") I get at least 12 of these a day, hence I wish that sc would start ignoring what has been told by the spammer & parse the actual URLs that are in the spam!! Just my 2 pence worth!! Regards, John From eddie at eddie.web Wed Jul 28 20:50:59 2004 From: eddie at eddie.web (eddie) Date: Wed Jul 28 19:55:04 2004 Subject: [SC-Help]Is no http:// enough to stop Spamcop finding links in email message? References: Message-ID: On Wed, 28 Jul 2004 23:10:57 +0100, John J. Burness scratched out the following: snip > The spammer "deliberately" calls his coding HTML & sc believes him!!! > (thereby contravening No 1 Rule of "Never believe a spammer") > > I get at least 12 of these a day, hence I wish that sc would start > ignoring what has been told by the spammer & parse the actual URLs that > are in the spam!! > > Just my 2 pence worth!! What SC could do and still be cautious, is to parse and setup the reporting links, as you suggest; but leave the links unchecked by default, putting the onus on the reporter to be sure they are indeed, reportable links. A cautionary warning could be placed next to each link, "Do not check these links unless you are sure that they are spamvertized sites," or some such notice. From MikeE at ster.invalid Wed Jul 28 18:02:15 2004 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jul 28 20:05:03 2004 Subject: [SC-Help]Is no http:// enough to stop Spamcop finding links in email message? References: Message-ID: eddie wrote: > What SC could do and still be cautious, is to parse and setup the > reporting links, as you suggest; but leave the links unchecked by > default, putting the onus on the reporter to be sure they are indeed, > reportable links. A cautionary warning could be placed next to each > link, "Do not check these links unless you are sure that they are > spamvertized sites," or some such notice. You are addressing a philosophy issue. The conventional wisdom, based on past experience, is that spamcop reporters are not competent to make such decisions. That conventional wisdom results in very strict rules and is biased toward spamcop underreporting rather than entrusting users to 'compensate' for spamcop misinterpretations of spammer tricks with rulebusting browsers. Another different philosophy could be based on the fact that spamcop doesn't need any more reporters and in fact could do well with considerably less of them who could also be trusted to report 'wisely'. In that philosophy, the parser would give more latitude to the reporter; and perform 'heavier' discipline on reporters who screwup -- say barring them from reporting for 1 week with the first screwup, 4 weeks for the next, 12 weeks for the third, etc with an expiry of some weeks of no errors to cancel out earlier errors or somesuch. The parser could also 'display' the html, perhaps 'errantly' - similar to the way the MAPS database of spam now displays html spam items as rendered html - to aid the reporter in reporting all of the links 'observed' in in the item. Thus shifting more responsibility to responsible reporters and barring irresponsible ones, temporarily, but progressively expanding the temporary. -- Mike Easter kibitzer, not SC admin From eddie at eddie.web Wed Jul 28 22:42:40 2004 From: eddie at eddie.web (eddie) Date: Wed Jul 28 21:45:03 2004 Subject: [SC-Help]Is no http:// enough to stop Spamcop finding links in email message? References: Message-ID: On Wed, 28 Jul 2004 17:02:15 -0700, Mike Easter scratched out the following: snip > The parser could also 'display' the html, perhaps 'errantly' - similar to > the way the MAPS database of spam now displays html spam items as rendered > html - to aid the reporter in reporting all of the links 'observed' in in > the item. Thus shifting more responsibility to responsible reporters and > barring irresponsible ones, temporarily, but progressively expanding the > temporary. OK, how about this? Have a selected subset of SC reporters who could turn on the check box on such reports? To everyone else it would be grayed out. If one of the selected reporters makes a mistake - he is history as a select, and simply back to the rank and file. No one would even know who the selected reporters were. From eddie at eddie.web Thu Jul 29 03:06:15 2004 From: eddie at eddie.web (eddie) Date: Thu Jul 29 02:10:21 2004 Subject: [SC-Help]Is no http:// enough to stop Spamcop finding links in email message? References: Message-ID: On Wed, 28 Jul 2004 17:02:15 -0700, Mike Easter scratched out the following: snip > The parser could also 'display' the html, perhaps 'errantly' - similar to > the way the MAPS database of spam now displays html spam items as rendered > html - to aid the reporter in reporting all of the links 'observed' in in > the item. Thus shifting more responsibility to responsible reporters and > barring irresponsible ones, temporarily, but progressively expanding the > temporary. For now, my rule is to give any spammer who is smart enough to get around the system a pass. I no longer bother manually reporting. Whatever SC gives me, that's it. I will no longer bother even mentioning it. At this point, I really no longer care. If SC cannot find a spamvertized site in the spam, then it goes unreported. AFAIAC the case is closed From MikeE at ster.invalid Thu Jul 29 00:52:16 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jul 29 02:55:10 2004 Subject: [SC-Help]Is no http:// enough to stop Spamcop finding links in email message? References: Message-ID: eddie wrote: > For now, my rule is to give any spammer who is smart enough to get > around the system a pass. I no longer bother manually reporting. > Whatever SC gives me, that's it. I will no longer bother even > mentioning it. At this point, I really no longer care. If SC cannot > find a spamvertized site in the spam, then it goes unreported. AFAIAC > the case is closed You could upgrade that one notch and copy and save the tracking url at the time of the parse, then once a day or so make a post here with the tracking urls of the items which failed body finds. Others who were doing the same thing would thus provide a nice little 'thread' here of tracking urls which missed spamvertisers for deputies or even Julian to look over, and anyone who wanted to comment on an item could. -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Thu Jul 29 04:54:30 2004 From: nobody at devnull.spamcop.net (Glenn Daniels) Date: Thu Jul 29 03:55:03 2004 Subject: [SC-Help]Is no http:// enough to stop Spamcop finding links in email message? References: Message-ID: "Mike Easter" wrote in message > eddie wrote: [...] > You could upgrade that one notch and copy and save the tracking url at > the time of the parse, then once a day or so make a post here with the > tracking urls of the items which failed body finds. > > Others who were doing the same thing would thus provide a nice little > 'thread' here of tracking urls which missed spamvertisers for deputies > or even Julian to look over, and anyone who wanted to comment on an item > could. > Aside to Mike: Although my mental process is not straightforward, linear, and logical, I agree with your conclusion. By dictates of life experience I believe people adapt to and adopt problem solving approaches unique to their circumstances. I have learned from experience that solutions to problems are often "in your face" obvious if the problem is "worked backwards" away from rather than towards the answer. In this instance, the answer is "What is something SC could work on." As in the game show Jeopardy, the clue is "This is getting people to report their negative experiences with the parser?" Until now, I have been only seeing the posts about "missed URL's" and accepted the parse as "hey, if I were a programmed piece of machinery, I would miss that myself". I sense now that people are approaching this thing saying, in effect, they want the parser to adapt to "new things we are seeing in the spam", asking that the program adapt to a changing playing field, a sort of "Deep Blue" response in a chess game where the opposition cheats, but the program is blind to the cheat. If we wish the program to "see" the cheat, we must first throw a flag on the bad play: but that we throw the flag first, the program will never see the cheat. Did I hear something about a chicken and an egg? naaah! Glenn, what, me worry? From JohnJBurnessAT at ieeDOT.orgNOSPAM Thu Jul 29 10:08:10 2004 From: JohnJBurnessAT at ieeDOT.orgNOSPAM (John J. Burness) Date: Thu Jul 29 04:10:03 2004 Subject: [SC-Help]Is no http:// enough to stop Spamcop finding links in email message? In-Reply-To: References: Message-ID: Glenn Daniels wrote: ----------------------snip----------------- > If we wish the program to "see" > the cheat, we must first throw a flag on the bad play: but that we > throw the flag first, the program will never see the cheat. > > Did I hear something about a chicken and an egg? naaah! > > Glenn, > what, me worry? > > > However, in this case, there have been lots & lots of examples posted & described but, for some reason that I do not understand, the program is still not learning the "cheat". It is well documented that spammers are annoyed with sc & will try various ways to get around being reported by sc. In the past sc has usually managed to keep up with the spammer's tricks. Why it is not doing so this time is not clear!! Regards, John From nobody at devnull.spamcop.net Thu Jul 29 05:17:06 2004 From: nobody at devnull.spamcop.net (Glenn Daniels) Date: Thu Jul 29 04:20:03 2004 Subject: [SC-Help]Is no http:// enough to stop Spamcop finding links in email message? References: Message-ID: "John J. Burness" wrote in message > Glenn Daniels wrote: > > ----------------------snip----------------- > > > If we wish the program to "see" > > the cheat, we must first throw a flag on the bad play: but that we > > throw the flag first, the program will never see the cheat. > > > > Did I hear something about a chicken and an egg? naaah! > > > > Glenn, > > what, me worry? > > > > > > > > However, in this case, there have been lots & lots of examples posted & > described but, for some reason that I do not understand, the program is > still not learning the "cheat". > > It is well documented that spammers are annoyed with sc & will try > various ways to get around being reported by sc. In the past sc has > usually managed to keep up with the spammer's tricks. Why it is not > doing so this time is not clear!! > > > Regards, > John The Answer is: What is Julian overextended with working out the bugs in the new interface and the changes in the site security mechanics? And the move? Glenn, beware the Time Police. From MikeE at ster.invalid Thu Jul 29 02:28:55 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jul 29 04:35:03 2004 Subject: [SC-Help]Is no http:// enough to stop Spamcop finding links in email message? References: Message-ID: John J. Burness wrote: > However, in this case, there have been lots & lots of examples posted > & described but, for some reason that I do not understand, the > program is still not learning the "cheat". > > It is well documented that spammers are annoyed with sc & will try > various ways to get around being reported by sc. In the past sc has > usually managed to keep up with the spammer's tricks. Why it is not > doing so this time is not clear!! I think the reporting process could be looked upon as a dual one, in which one priority is accurately identifying the source, because that feeds the SCbl, which is an important role and which has 'teeth' -- whereas finding the spamvertised links to notify is a 'toothless' process. If a provider does something about a spamvertised site - fine - but, if not, nothing happens. So, the motivation to go to 'nasty' trouble to 'read' bad or misconfigured html to report to providers who often don't care much about the report isn't very inspiring. -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Thu Jul 29 06:31:45 2004 From: nobody at devnull.spamcop.net (Glenn Daniels) Date: Thu Jul 29 05:35:24 2004 Subject: [SC-Help] Re: To send, or not to send... References: Message-ID: "Mike Easter" wrote > Glenn Daniels wrote: > www.spamcop.net/sc?id=z572775815z4fbbfa58c3cb91aef078d8045a2d77d9z > > That is a spam purporting to provide access to kiddie porn if you > contact the email addy which appears in the body and the From. The > source IP is listed in numerous spam db/s. > > It could be a joejob or it could be real or it could be a sting. You > wouldn't be able to figure that out unless you wanted to 'get > involved' -- which I would strongly recommend against. > > > Any thoughts/suggestions how to proceed? > > I would feed the spam to spamcop to tick the SCbl and I would notify the > provider for the spamvertised eml addy [which is also the From]. You > /could/ opt to only to a SC notify on the source > > The email domain utcom.ru has mail handled by sovintel.ru and its IP is > under sovintel and sovintel isn't listed anywhere like spamhaus or spews > as being unresponsive and they could determine what to do about the spam > item's spamvertised eml addy. That way the provider could figure out > how to investigate the item. They are in a better position to figure > out a sting, joejob, or real porn connection. > Wonderful! I ran with the standard SC reports, along with a separate post to abuse at sovintel dot ru, spam@uca.gov and spammail@attglobal.net. Guessing here: You fed utcom.ru to Mr. Spade and identified that the IP belongs to sovintel.ru? My loose translation is Soviet Intelligence (their CIA). Not a good ISP to be spamvertising an IP for if you ask me! Anyway, they know I don't much care for spam, despise spammers, and don't need spam de spies. Maybe they will take my wife off the mailing list. IANAL, but she is: She would have had a purple fit on that gem. Like she still asks why they spam her, "I've never bought anything from any of them." Comforts me in a way that sovintel is responsible for the spamvertised address. I'm sure they have that lad right where they want him now. FWIW, they seem to do spam differently there. I received a couple of "Russian" spamitems a couple of weeks back from an IP under mungecast. Given limited reading skills, I determined that the spam was received here in error, like who might have guessed that. Anyway, the spamvertised site turns out is a joint venture between their Chamber of Commerce and our Embassy there: a venture encouraging Russians to learn English, either business or slang versions, complete with a map to their location in Moscow. Apparently not all spam emails in Russia are scams as ours are. I added a scathing comment in remarks to mungecast complaining that the operator of the zombified spam forge at that IP had to be brain dead to be spamming us with spam only Russians could read, inviting them to learn our language. I enjoined mungecast to pull the plug on the hardware as no harm could come to anything human as a result of doing so. In the "notes" to the spamvertised site I included something to do with trying to get their money back for the advertising here as it was overtly wasted on the audience which is acculturated to experience all spam as de facto scam. Surprise: no more Russian spam! Anyway, thanks much for the assist. In the face of the problem it did not occur to me to query the addy. That really made a big difference for me. Glenn From MikeE at ster.invalid Thu Jul 29 07:16:47 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jul 29 09:20:30 2004 Subject: [SC-Help] Re: To send, or not to send... References: Message-ID: Glenn Daniels wrote: > "Mike Easter" wrote >> The email domain utcom.ru has mail handled by sovintel.ru and its IP >> is under sovintel and sovintel isn't listed anywhere like spamhaus >> or spews as being unresponsive and they could determine what to do >> about the spam item's spamvertised eml addy. > Wonderful! I ran with the standard SC reports, along with a separate > post to abuse at sovintel dot ru, spam@uca.gov and > spammail@attglobal.net. Guessing here: You fed utcom.ru to Mr. Spade > and identified that the > IP belongs to sovintel.ru? dns utcom.ru Mail for utcom.ru is handled by ns2.sovintel.ru mail.sovintel.ru Canonical name: utcom.ru Addresses: 212.44.131.7 dns mail.sovintel.ru Canonical name: cgp.sovintel.ru Aliases: mail.sovintel.ru Addresses: 195.68.135.65 212.44.130.13 212.44.130.39 inetnum: 212.44.131.0 - 212.44.131.255 netname: SOVINTEL-BACKBONE-NET descr: SOVINTEL Backbone Interface address route: 212.44.131.0/24 descr: Sovintel St.Petersburg e-mail: techsupport-spb@sovintel.ru whois -h whois.abuse.net sovintel.ru ... abuse@sovintel.ru postmaster@sovintel.ru (for sovintel.ru) > My loose translation is Soviet Intelligence > (their CIA). I don't think so. www.sovintel.ru redirects to www.sovintel.com whose English v. sez "Sovintel was founded in 1990 as a Soviet-American joint venture company and has shown to be the leading commercial provider of the fixed telecommunications services in Russia." Altho' sovintel sounds like Soviet Intelligence - it's just a telecom. -- Mike Easter kibitzer, not SC admin From eddie at eddie.web Thu Jul 29 12:16:27 2004 From: eddie at eddie.web (eddie) Date: Thu Jul 29 11:20:37 2004 Subject: [SC-Help]Is no http:// enough to stop Spamcop finding links in email message? References: Message-ID: On Wed, 28 Jul 2004 23:52:16 -0700, Mike Easter scratched out the following: snip > You could upgrade that one notch and copy and save the tracking url at the > time of the parse, then once a day or so make a post here with the > tracking urls of the items which failed body finds. > > Others who were doing the same thing would thus provide a nice little > 'thread' here of tracking urls which missed spamvertisers for deputies or > even Julian to look over, and anyone who wanted to comment on an item > could. snapple Good idea. I trust nobody will call me a "whiner" for doing such :) It's just that with my business picking up I simply do not have a lot of time to manually parse stuff. Is .help the best place to place the trackers for these parses? From eddie at eddie.web Thu Jul 29 12:18:43 2004 From: eddie at eddie.web (eddie) Date: Thu Jul 29 11:20:57 2004 Subject: [SC-Help]Is no http:// enough to stop Spamcop finding links in email message? References: Message-ID: On Thu, 29 Jul 2004 09:08:10 +0100, John J. Burness scratched out the following: ship > It is well documented that spammers are annoyed with sc & will try various > ways to get around being reported by sc. In the past sc has usually > managed to keep up with the spammer's tricks. Why it is not doing so this > time is not clear!! > snip Could it be tied in with the sale to IronPort? Or is that merely coincidence? Perhaps some incentive to keep the program up to date has been diminshed by the sale? Just a thought. From MikeE at ster.invalid Thu Jul 29 09:46:49 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jul 29 11:50:04 2004 Subject: [SC-Help]Is no http:// enough to stop Spamcop finding links in email message? References: Message-ID: eddie wrote: > Is .help the best place to place the trackers for these parses? I don't think it matters. Spamcop comes to mind first, but seems like .help would be just fine too. Sometimes I elect to use .help to bring a question out of .spam to keep .help alive. .help seems more like a question kinda place, whereas spamcop seems like a 'remarks' or observations kinda place. -- Mike Easter kibitzer, not SC admin From newspost at deletethispart.hypercreations.com Thu Jul 29 16:54:32 2004 From: newspost at deletethispart.hypercreations.com (D. T.) Date: Thu Jul 29 11:55:06 2004 Subject: [SC-Help]Is no http:// enough to stop Spamcop finding links in email message? References: Message-ID: Spam Hater wrote in news:mailman.205.1091049652.9607.spamcop-help@news.spamcop.net: > Yes, unfortunately, it is by design... The content type for that part > of the SPAM was text/html so the parser in constrained to looking for > valid HTML code. There's an item in the SC FAQ related to this. It's found in the "Material changes to spam" item in the "Rules - everybody read!" subsection of the "SpamCop Parsing and Reporting Service" section found here: http://www.spamcop.net/fom-serve/cache/283.html I quote: "If you know what you are doing, it is okay to change the Content Type: line from "text/html;" to "text/plain;" where it is obvious the mailing program has incorrectly identified the body content, and you are sure you have the true source code of the message." So, if the spam you're reporting isn't really HTML, you're allowed to make a change to the Content Type. However, there's also this prohibition: "Do not make any material changes to spam before submitting or parsing which may cause SpamCop to find a link, address or URL it normally would not, by design, find." and this exception: "If a report is going to an abuse desk that does not accept munged reports, you must not make even these minor changes to the spam." Hmmmm....perhaps the second quote above contradicts the first? I just did some testing on one of the many "Hi, my name is Kandy!" type spams I've received (they contain URLs that are bold, but not anchors), making various changes and running it through the parser and then cancelling before any reporting took place. In order for the parser to catch it, you would have to change the Content-Type from "multipart/alternative" alternative to "text/plain" *and* also add an "http://" before the URL, if not already present. I think that would violate the prohibition mentioned above. At least the sources of the emails are being reported as things currently exist. It would be nice if the website hosts were also being notified, but maybe that's not going to happen in the near future. DT From nobody at devnull.spamcop.net Thu Jul 29 13:14:43 2004 From: nobody at devnull.spamcop.net (Glenn Daniels) Date: Thu Jul 29 12:15:03 2004 Subject: [SC-Help] Re: To send, or not to send... References: Message-ID: "Mike Easter" wrote in message > dns utcom.ru > Mail for utcom.ru is handled by ns2.sovintel.ru mail.sovintel.ru > Canonical name: utcom.ru > Addresses: > 212.44.131.7 > > dns mail.sovintel.ru > Canonical name: cgp.sovintel.ru > Aliases: > mail.sovintel.ru > Addresses: > 195.68.135.65 > 212.44.130.13 > 212.44.130.39 > > inetnum: 212.44.131.0 - 212.44.131.255 > netname: SOVINTEL-BACKBONE-NET > descr: SOVINTEL Backbone Interface address > > route: 212.44.131.0/24 > descr: Sovintel St.Petersburg > e-mail: techsupport-spb@sovintel.ru > > whois -h whois.abuse.net sovintel.ru ... > abuse@sovintel.ru postmaster@sovintel.ru (for sovintel.ru) > > > My loose translation is Soviet Intelligence > > (their CIA). > > I don't think so. www.sovintel.ru redirects to www.sovintel.com whose > English v. sez "Sovintel was founded in 1990 as a Soviet-American joint > venture company and has shown to be the leading commercial provider of > the fixed telecommunications services in Russia." > > Altho' sovintel sounds like Soviet Intelligence - it's just a telecom. > That is just as well. They now are at least advised that not only is it considered a crime here to possess and/or distribute child pornography, it is also a crime to communicate the intent to do so. The responsibility to investigate the matter further or not is well out of my range, and well into their hands at this point. Perhaps if afforded the same opportunity again, I might also post Interpol. Somehow, I am not so sure the opportunity will present itself again. As it goes, porn related spam is in the 0.1% range for spamitem frequency on the account for which I am reporting, so it always takes me by surprise when I get one. But I don't recollect previously seeing anything that left me feeling as uncomfortable as this one did: The hackles still rise for the completely unfamiliar and instincts override more carefully considered judgement calls. This "thing" has no business being in my Inbox: It will be out of my Inbox already, or I will have a piece of its hide for a souvenir reminder of the "visit". Ennyhoo, another big thanks for the assist. I have independently established the value of Mr. Spade's tools in a virm related matter. With increasing familiarity with the tool I sense I will be doing a lot more digging and a lot less begging for help. Glenn From nobody at devnull.spamcop.net Thu Jul 29 13:27:23 2004 From: nobody at devnull.spamcop.net (Glenn Daniels) Date: Thu Jul 29 12:30:04 2004 Subject: [SC-Help]Is no http:// enough to stop Spamcop finding links in email message? References: Message-ID: "eddie" wrote in message > Is .help the best place to place the trackers for these parses? I follow your lead, here or there. Glenn From munged at nomorespamithurts.smeg Thu Jul 29 18:35:58 2004 From: munged at nomorespamithurts.smeg (KD) Date: Thu Jul 29 12:40:03 2004 Subject: [SC-Help] No mail today ? Message-ID: First day in years there's no spam. Unfortunately there is also a distinct lack of normal mail. Is it just me or is there a problem ? Thanks, Keith P.S. I've had a quick look on the spamcop site for progress reports etc. but I've seen nothing. From JohnJBurnessAT at ieeDOT.orgNOSPAM Thu Jul 29 21:30:16 2004 From: JohnJBurnessAT at ieeDOT.orgNOSPAM (John J. Burness) Date: Thu Jul 29 15:35:03 2004 Subject: [SC-Help] Re: No mail today ? In-Reply-To: References: Message-ID: KD wrote: > First day in years there's no spam. Unfortunately there is also a distinct > lack of normal mail. Is it just me or is there a problem ? > > > Thanks, > Keith > > P.S. I've had a quick look on the spamcop site for progress reports etc. > but I've seen nothing. > > I've had a distinct lack of spam all day (UK time of 20:30), even woke up this morning to find NONE over-night - would usually expect at least 20!! Regards, John From castrate at allthespammers.mil Thu Jul 29 14:00:06 2004 From: castrate at allthespammers.mil (Jim) Date: Thu Jul 29 15:55:14 2004 Subject: [SC-Help] Submitting Norton Antivirus quarantined spam ? Message-ID: I have been receiving some email spams infected with the W32.netsky.p@mm!enc worm. Norton Antivirus does its thing and quarantines the emails. So how can I submit these to Spamcop ? Yes I know that this worm emails itself, but the only email address getting hit is an old one that friends & family have removed from their address books. So it looks like a spammer is infected . And I don't think that this spammer should get off the hook, just because his computer is infected. Thanks for any help, Jim From MikeE at ster.invalid Thu Jul 29 14:35:57 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jul 29 16:40:48 2004 Subject: [SC-Help] Re: Submitting Norton Antivirus quarantined spam ? References: Message-ID: Jim wrote: > I have been receiving some email spams infected with the > W32.netsky.p@mm!enc worm. Norton Antivirus does its thing and > quarantines the emails. It is not clear to me exactly what you are saying. It is important to distinguish a 'simple' spam which incidentally has a mime structure which is 'like' a potential exploit - but is not actually a viral propagation -- and to distinguish that from a viral propagation which might have some 'spammy' characteristics as a part of its social engineering. A spam with an oddball container is 'just' a spam. A viral propagation which looks a little spammy is 'just' a viral propagation. I think it is unlikely that you are handling a 'spam infected with a virus' - but rather that you are misinterpreting one of the above two things - one a spam - the other a virus propagation. Not at all likely to be 'both'. > So how can I submit these to Spamcop ? You can't submit a viral propagation to spamcop -- thus the importance of knowing what you are talking about. Here's a description of the container problem flagged by AV programs -- What is an .enc detection? - http://securityresponse.symantec.com/avcenter/venc/data/enc.detection.ht ml Here's a description at symantec "When a file is detected as W32.Netsky.P@mm!enc, this indicates that it is a MIME-encoded file containing the W32.Netsky.P@mm worm." If a viral propagation which sounds a little spammy, like some of those netsky subjects: "Free porn" "Sex pictures" or such - those are not spam - they are viral propagations and can't be reported. -- Mike Easter kibitzer, not SC admin From eddie at eddie.web Thu Jul 29 22:46:37 2004 From: eddie at eddie.web (eddie) Date: Thu Jul 29 21:50:04 2004 Subject: [SC-Help] Re: Submitting Norton Antivirus quarantined spam ? References: Message-ID: On Thu, 29 Jul 2004 13:00:06 -0700, Jim scratched out the following: > I have been receiving some email spams infected with the > W32.netsky.p@mm!enc worm. Norton Antivirus does its thing and quarantines > the emails. > > So how can I submit these to Spamcop ? Norton is only interested in new, unknown viruses. That it caught your virus and quaranteened it means Norton is no longer interested in it, it's already in their database. From areREMOVE at a4.no Fri Jul 30 04:51:00 2004 From: areREMOVE at a4.no (Are) Date: Thu Jul 29 21:55:04 2004 Subject: [SC-Help] Example header Message-ID: Hi I wonder if anyone can help me with this. I recieve many thousands emails a day, and I do not have any open relays. However, emails like this is beeing stoped in exim mail que, and never leaves it: The @a4.no domain is mine, the same is ip 194.63.250.67. For the rest, I do not know where come from. p.s. I do not have an account named Bobioludf@a4.no. Why does the email have sevearl Recieved from headers? Is it fake from ? --- Below this line is a copy of the message. Return-Path: Received: (qmail 12916 invoked from network); 29 Jul 2004 06:12:23 -0000 Received: from unknown ([10.20.1.207]) (envelope-sender <>) by mailserver-70.ig.com.br (qmail-ldap-1.03) with QMQP for <>; 29 Jul 2004 06:12:23 -0000 Delivered-To: CLUSTERHOST email-90.ig.com.br c.john@ig.com.br Received: (qmail 11487 invoked from network); 29 Jul 2004 06:12:23 -0000 Received: from unknown (HELO revert.com) ([61.53.44.74]) (envelope-sender ) by email-90.ig.com.br (qmail-ldap-1.03) with SMTP for ; 29 Jul 2004 06:12:20 -0000 Received: from a4.no (a4.no [194.63.250.67]) by revert.com (Postfix) with ESMTP id 99939F00C9 for ; Wed, 28 Jul 2004 23:30:00 -0700 From: Chriami Jusa To: C Subject: Dick sucking teen girls Date: Wed, 28 Jul 2004 23:30:00 -0700 Message-ID: <100101c47535$d973fcad$2a840f9d@a4.no> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary=3D3D"----=3D3D_NextPart_000_0003_F839563E.A4D31032" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.4510 Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1081 X-AntiVirus: scanned for viruses by AMaViS 0.2.1 (http://amavis.org/) X-iGspam-global: Yes, spamicity=3D3D1.000000 - pe=3D3D1.00e+00 - pf=3D3D1.0= 00000 =3D - pg=3D3D1 This is a multi-part message in MIME format. ------=3D3D_NextPart_000_0003_F839563E.A4D31032 Content-Type: text/plain Content-Transfer-Encoding: 7bit hi there, From castrate at allthespammers.mil Thu Jul 29 20:38:23 2004 From: castrate at allthespammers.mil (Jim) Date: Thu Jul 29 22:35:04 2004 Subject: [SC-Help] Re: Submitting Norton Antivirus quarantined spam ? References: Message-ID: I'm not trying to submit the spams to Norton. I just want to send the spams to Spamcop. The problem is that NAV "locks-up" the infected spams in quarantine and I can't find out how to 'unquarantine' the spams so I can forward them to Spamcop. I did a Google search before asking here. Just thought someone might know how to recover the infected spam email from NAV. TIA, Jim On Thu, 29 Jul 2004 21:46:37 -0400, eddie wrote: >On Thu, 29 Jul 2004 13:00:06 -0700, Jim scratched out the following: > >> I have been receiving some email spams infected with the >> W32.netsky.p@mm!enc worm. Norton Antivirus does its thing and quarantines >> the emails. >> >> So how can I submit these to Spamcop ? > >Norton is only interested in new, unknown viruses. That it caught your >virus and quaranteened it means Norton is no longer interested in it, it's >already in their database. From castrate at allthespammers.mil Thu Jul 29 20:54:20 2004 From: castrate at allthespammers.mil (Jim) Date: Thu Jul 29 22:50:02 2004 Subject: [SC-Help] Re: Submitting Norton Antivirus quarantined spam ? References: Message-ID: On Thu, 29 Jul 2004 13:35:57 -0700, "Mike Easter" wrote: >I think it is unlikely that you are handling a 'spam infected with a >virus' - but rather that you are misinterpreting one of the above two >things - one a spam - the other a virus propagation. Not at all likely >to be 'both'. True. But its a very old email address that I don't use anymore. I only get spam from this address (I'll cancel that address soon). It looks like a spammer has this address in his database and the worm is just using it. If the sender is someone that shouldn't have my email address I'd like to send reports to SpamCop. If it should be someone I know, I'd like to send a report to SpamCop so I can find out who it is and let them know that their computer is infected. But first I have to recover the quarantined email from NAV. I have not found out how to do that. Sorry if I wasn't clear enough. Thanks for the reply, Jim From nobody at devnull.spamcop.net Thu Jul 29 23:57:17 2004 From: nobody at devnull.spamcop.net (Glenn Daniels) Date: Thu Jul 29 23:00:03 2004 Subject: [SC-Help] Re: Submitting Norton Antivirus quarantined spam ? References: Message-ID: "Jim" wrote in message > I'm not trying to submit the spams to Norton. I just want to send the > spams to Spamcop. > > The problem is that NAV "locks-up" the infected spams in quarantine > and I can't find out how to 'unquarantine' the spams so I can forward > them to Spamcop. I did a Google search before asking here. Just > thought someone might know how to recover the infected spam email from > NAV. > Jim: If Norton's says it is a virus, then it is a virus. The whole email containing the virus may be also called a virm. It is not appropriate to call it a spam. It is not a spam, it is a virus. >From Norton's quarantine you may delete or restore the virm, but you may not report a virm using SpamCop. For one thing, we seem never to receive virms from spamsourcers. And you can be sure you will never receive a spam from a virmsourcer. I don't have the wherewithal right now to go into reporting virmsourcers to their ISP's. For today, it may suffice to say that you need to unmeld this idea that virm and spam, "it's unwanted, unsolicited, blah-blah", are all the same. Sure, dogs and trees are living things, but there are recognizable differences to deal with. In general, although a spam may carry an infection or malicious code along with it, spam is not likely to "infect" your computer with malicious code as a virus will. Glenn From nobody at devnull.spamcop.net Fri Jul 30 00:08:26 2004 From: nobody at devnull.spamcop.net (Glenn Daniels) Date: Thu Jul 29 23:10:03 2004 Subject: [SC-Help] Re: Submitting Norton Antivirus quarantined spam ? References: Message-ID: "Jim" wrote in message > "Mike Easter" wrote: > > >I think it is unlikely that you are handling a 'spam infected with a > >virus' - but rather that you are misinterpreting one of the above two > >things - one a spam - the other a virus propagation. Not at all likely > >to be 'both'. > > True. But its a very old email address that I don't use anymore. I > only get spam from this address (I'll cancel that address soon). > > It looks like a spammer has this address in his database and the worm > is just using it. > > If the sender is someone that shouldn't have my email address I'd like > to send reports to SpamCop. If it should be someone I know, I'd like > to send a report to SpamCop so I can find out who it is and let them > know that their computer is infected. > > But first I have to recover the quarantined email from NAV. I have > not found out how to do that. > > Sorry if I wasn't clear enough. > Jim: Sorry for the confusion, but don't even mention spam and virm in the same breath, as I have just done. You cannot report the virm to SpamCop, but if you are wanting the virm to expose the full headers so that you may extract the source IP so you may dig up the responsible ISP and appropriate abuse desk for the ISP, that is agreeable. Open NAV. Click on "Reports". Click on "View Report". Select the item you wish to restore. Click on "Restore Item". HTH, Glenn From h9vzc2i02 at sneakemail.com Thu Jul 29 21:08:49 2004 From: h9vzc2i02 at sneakemail.com (Anon_) Date: Thu Jul 29 23:10:19 2004 Subject: [SC-Help] Re: Submitting Norton Antivirus quarantined spam ? References: Message-ID: "Jim" wrote in message news:m7djg0l323mdd43ka4pq58st4fflop5jsb@4ax.com... > On Thu, 29 Jul 2004 13:35:57 -0700, "Mike Easter" > wrote: > > >I think it is unlikely that you are handling a 'spam infected with a > >virus' - but rather that you are misinterpreting one of the above two > >things - one a spam - the other a virus propagation. Not at all likely > >to be 'both'. > > True. But its a very old email address that I don't use anymore. I > only get spam from this address (I'll cancel that address soon). > > It looks like a spammer has this address in his database and the worm > is just using it. ** No, one of your OLD friends has your old address in his address book and his computer is infected. The vim just pulls all the addresses out of the book and sends the stuff out. The mail is infected - it does not matter whether it "looks" like spam (and why are you reading suspected spam anyway?) or looks legitimate, it is still ONLY virus infected mail and is not reportable by SC. (If you persist and DO use SC to report it, your account with SC will be terminated, pronto.) -- A SpamCop user and forum reader, Not Admin *** From MikeE at ster.invalid Thu Jul 29 22:10:04 2004 From: MikeE at ster.invalid (Mike Easter) Date: Fri Jul 30 00:15:02 2004 Subject: [SC-Help] Re: Example header References: Message-ID: Are wrote: > I wonder if anyone can help me with this. I recieve many thousands > emails a day, and I do not have any open relays. However, emails like > this is beeing stoped in exim mail que, and never leaves it: The > @a4.no domain is mine, the same is ip 194.63.250.67. For the rest, I > do not know where come from. p.s. I do not have an account named > Bobioludf@a4.no. > > Why does the email have sevearl Recieved from headers? Is it fake > from ? Abbreviated Received lines *comment from unknown ([10.20.1.207]) by mailserver-70.ig.com.br *serves recipient from unknown (HELO revert.com) ([61.53.44.74]) by email-90.ig.com.br *sourceline from (a4.no [194.63.250.67]) by revert.com *bogusline That appears to me to be a spam from the spamsource 61.53.44.74 no rDNS of CNCGROUP Henan province .cn which is listed in numerous db/s as a spamsource. The recipient was an ig.com.br user. Most of the headerlines which can be bogus are, the From, the msgid, in addition to the bottommost recvd line. Your IP and your domainnames a4.no and webspesialisten.no also appear in other bogusline spams in sightings. Some of them appear to be a similar mode of operation to this one. -- Mike Easter kibitzer, not SC admin From eddie at eddie.web Fri Jul 30 01:43:03 2004 From: eddie at eddie.web (eddie) Date: Fri Jul 30 00:45:03 2004 Subject: [SC-Help] Re: Submitting Norton Antivirus quarantined spam ? References: Message-ID: On Thu, 29 Jul 2004 22:57:17 -0400, Glenn Daniels scratched out the following: >snip > I don't have the wherewithal right now to go into reporting virmsourcers > to their ISP's. For today, it may suffice to say that you need to unmeld > this idea that virm and spam, "it's unwanted, unsolicited, blah-blah", are > all the same. Sure, dogs and trees are living things, but there are > recognizable differences to deal with. In general, although a spam may > carry an infection or malicious code along with it, spam is not likely to > "infect" your computer with malicious code as a virus will. > > Glenn Yes, but if you wish to manulally LART the ISP of the person sending the virm, then I understand the problem. It is one of being able to submit the email to SC's parser to uncover the abuse address. I think this is done by double clicking on the quaranteened virus in the Norton folder. If not, I would suggest checking out Norton's knowledge base and finding out how to recover the infected package. I use the SC webmail interface, and, when one of these vermin pop up, I submit it to SC, note the abuse addresses and do a manual LART. I never even get close to letting these monsters get into my local machine. From eddie at eddie.web Fri Jul 30 01:49:26 2004 From: eddie at eddie.web (eddie) Date: Fri Jul 30 00:50:02 2004 Subject: [SC-Help] No Link tracker Message-ID: Here is a tracker for a "no links found" parse The problem is the content type which, if changed to "text" would parse perfectly. The spamvertized site is www.easydatingoffers.com The tracker is: http://www.spamcop.net/sc?id=z575470935z3551f2e51ebb7eb6faaa4b5008fd4c88z When posting trackers, it is very advisable to test them in a different browser that is not logged into SC to be sure it's a tracker, and not a link. If you get a logon screen, it's not a tracker. From MikeE at ster.invalid Thu Jul 29 23:05:41 2004 From: MikeE at ster.invalid (Mike Easter) Date: Fri Jul 30 01:10:03 2004 Subject: [SC-Help] Re: No Link tracker References: Message-ID: eddie wrote: > Here is a tracker for a "no links found" parse > The problem is the content type which, if changed to "text" would > parse perfectly. Well, yeah, but... The idea of what is wrong is how the content-type doesn't match up with the body. In this case the problem with the content type is that it isn't multipart alternative and it doesn't have a boundary. It is actually text/html. Actually the problem is that there are two differennt sets of content-type lines, and the body is a 'mixture' which actually includes a mime epilogue but no prologue. Pretty zany. Some spammers are nuts. www.spamcop.net/sc?id=z575470935z3551f2e51ebb7eb6faaa4b5008fd4c88z There are a lot of different things you can do to 'force' a parse to get the information for how to notify, so I guess it isn't important /what/ you do, since it isn't going to be SC reported anyway. -- Mike Easter kibitzer, not SC admin From eddie at eddie.web Fri Jul 30 02:43:41 2004 From: eddie at eddie.web (eddie) Date: Fri Jul 30 01:45:03 2004 Subject: [SC-Help] Re: No Link tracker References: Message-ID: On Thu, 29 Jul 2004 22:05:41 -0700, Mike Easter scratched out the following: snip > Pretty zany. Some spammers are nuts. You mean crazy like a fox, not nuts. I do not believe that they are making a serendipitious mistake here; rather, they know the SC limits and are simply working around them, as any good counter intelligence agent would do. To keep thinking spammers are stupid is to give then an edge. We are lucky only because more spammers haven't yet caught on to this technique. It would appear to me that some browsers read this spew properly and so the sale is made and we have only reported the source, not the money man. Well, perhaps, per your suggestion, I might add, if we keep posting trackers of failed parses, something good will happen. Then, maybe the spammers who lurk here will get the idea. It works both ways. From ric.gates at bigsleep.org Fri Jul 30 08:35:00 2004 From: ric.gates at bigsleep.org (Blammo) Date: Fri Jul 30 03:35:06 2004 Subject: [SC-Help] Re: Submitting Norton Antivirus quarantined spam ? References: Message-ID: On 29 Jul 2004 Anon_ entered spamcop.help and left news:cece4f$6kr$1@news.spamcop.net: > No, one of your OLD friends has your old address in his address book > and his computer is infected. > > The vim just pulls all the addresses out of the book and sends the > stuff out. > > The mail is infected - it does not matter whether it "looks" like spam > (and why are you reading suspected spam anyway?) or looks legitimate, > it is still ONLY virus infected mail and is not reportable by SC. (If > you persist and DO use SC to report it, your account with SC will be > terminated, pronto.) > You are not wrong, but the viruses I get are always from spammers, or possibly zombies. -- | Ric | From nobody at devnull.spamcop.net Fri Jul 30 05:47:31 2004 From: nobody at devnull.spamcop.net (Glenn Daniels) Date: Fri Jul 30 04:51:14 2004 Subject: [SC-Help] Re: Submitting Norton Antivirus quarantined spam ? References: Message-ID: "eddie" wrote in message > Glenn Daniels scratched out the following: > > >snip > > I don't have the wherewithal right now to go into reporting virmsourcers > > to their ISP's. For today, it may suffice to say that you need to unmeld > > this idea that virm and spam, "it's unwanted, unsolicited, blah-blah", are > > all the same. Sure, dogs and trees are living things, but there are > > recognizable differences to deal with. In general, although a spam may > > carry an infection or malicious code along with it, spam is not likely to > > "infect" your computer with malicious code as a virus will. > > > > Glenn > > Yes, but if you wish to manulally LART the ISP of the person sending the > virm, then I understand the problem. It is one of being able to submit the > email to SC's parser to uncover the abuse address. > I think this is done by double clicking on the quaranteened virus in the > Norton folder. If not, I would suggest checking out Norton's knowledge > base and finding out how to recover the infected package. > I use the SC webmail interface, and, when one of these vermin pop up, I > submit it to SC, note the abuse addresses and do a manual LART. > I never even get close to letting these monsters get into my local machine. Eddie: Sadly, nothing I do is recommended to anyone. I am comfortable with what I do by way of familiarity. I have personally built each of the five computers I use at home that are part of a LAN. I personally built the four systems in use in my Wife's law office. I am also responsible for her laptop. I am responsible when things work, and when they don't. I a responsible for setting up and configuring an maintaining an excessively redundant system because I "take in" sick computers for friends, and make them "whole" again. Almost anything I do is duplicated at least once, so that my risk of losing anything of consequence is trivialized. I have NAV 2004 Pro on two machines, Trend Micro on two, McAfee on two, and Avast! on two more. I can host a sick guest and scan it using all four sets of malware definitions. I have a long history of "handling" virms, so there is no great discomfort there. My greater discomfort is with the compromise of the security and privacy of my email address, which I elect to treat as I would a key to my home. For me, getting a virm is like getting a key to my home in the mail. I go aggressive, I want to know where this key came from, and I want it stopped yesterday. Fortune is that my email addy's have never been anything but secure. The Wife, however, exposes her addy unnecessarily then wonders how she ends up being targeted for virms and spams. Historically, it has been necessary to accept the abuses, and then "clean up" by trashing the unwanted virms and spams. The one time I submitted a virm to SC was unintentional. I had not "looked" at it and did not know it was a virm or I probably would not have sent it. But it got me thinking, why not just parse the headers and identify the appropriate abuse desk and LART manually. Having done so a few times I have since abandoned the practice entirely. For my purposes it simply is not the expedient way to go. Given a rudimentary understanding of the parse, I see that the virm is a fairly straightforward message. It leaves the host machine and arrives it the ISP's mailserver where the first of two "Received" headers is prepended to the message. It next arrives at my ISP's mailserver where a second "Received:" header is prepended to the package that I receive. There are no "funky" bogus IP's to deal with as there are with spamitems, no untrusted compromised intermediaries to disguise the trail back to the source. The parse is visual and the return immediate: I skip the IP belonging to my ISP and retrieve the IP for the virmsourcing machine. I plug the IP into SamSpade.org Tools, retrieve the virmsourcing ISP and the abuse desk, and have no "reports" to cancel. I next explore the ISP's online interface for an webform for reporting abuse. If available, that provides the framework for compiling an abuse complaint that won't result in a bounced LART. When no form is available I can create my own terse complaint. Usually they want the full virm headers included as I am thinking they want compelling evidence that the complaint is not a fraudulent creation on my part before they lean on their client to lose the virmsourcing software. Most often, but not always, I get same day response and no more virms from that IP, but I am prepared to apply the LART as many times as necessary to get results. Anecdotally, the abuse desk for one Israeli ISP would only accept the LART if I returned the virm "as attachment" to the complaint which had to include full headers. That kind of seemed like a strange exercise because their AV package removed the attachment before they examined it, but that was their call. I gave them what they asked for, I got what I wanted. Anyway, yes, submitting headers to SC is an option, but not an option I choose to exercise. If you don't know what you are doing, handling malicious may not be right for you. But so long as the virmsourcer stays in business, the key to my home is being broadcast to the internet as the forged "From:" header going out to who knows whom. Your addy may be on that mailing list, too, so I am doing you a good deed as well. More importantly, I am doing the owner of the virmsourcing machine a good deed by alerting him to the sad reality that all of his personal contacts have been compromised by the infection on his computer that can't wait to propagate itself to a new host. To be sure the issues are straightforward as compared to spams that some people at least seem to want. The effort expended is much less, and the payoff altogether rewarding on all counts. And the risk, at least for myself, is altogether trivial. For me it is just a matter of doing the "right thing". Unfortunately, Jim's melding of virm and spam, and his unfamiliarity with the SC interface, and his unfamiliarity with his antivirus software, and his lack of familiarity with "safe" handling of virms... well, the whole of it taken together just "feels" like a lack of understanding of what he is about, a lack of a clear sense of his motivation, and a lack of a clear sense of his objectives, and a lack of a clear sense of the means to achieve them, the lack of risk assessment, the sense of urgency and impatience... I find it all a bit offputting. On the other hand, given my pathological patience, that could all be some kind of projection on my part... I just don't know a right way to respond without coming off disagreeable, and I am not going there, regardless. Glenn, =^..^= From ric.gates at bigsleep.org Fri Jul 30 10:56:06 2004 From: ric.gates at bigsleep.org (Blammo) Date: Fri Jul 30 06:00:28 2004 Subject: [SC-Help] Re: Submitting Norton Antivirus quarantined spam ? References: Message-ID: On 30 Jul 2004 Glenn Daniels entered spamcop.help and left news:ced20m$peu$1@news.spamcop.net: > For my purposes it simply is not the expedient way to go. > Given a rudimentary understanding of the parse, I see that > the virm is a fairly straightforward message. It leaves the > host machine and arrives it the ISP's mailserver where > the first of two "Received" headers is prepended to the > message. It next arrives at my ISP's mailserver where a > second "Received:" header is prepended to the package > that I receive. There are no "funky" bogus IP's to deal with > as there are with spamitems, no untrusted compromised > intermediaries to disguise the trail back to the source. > The parse is visual and the return immediate: I skip the > IP belonging to my ISP and retrieve the IP for the > virmsourcing machine. > > What virus uses the ISPs SMTP server? -- | Ric | From ric.gates at bigsleep.org Fri Jul 30 12:39:02 2004 From: ric.gates at bigsleep.org (Blammo) Date: Fri Jul 30 07:40:15 2004 Subject: [SC-Help] Re: No Link tracker References: Message-ID: On 29 Jul 2004 eddie entered spamcop.help and left news:pan.2004.07.30.05.43.39.935000@eddie.web: > It would appear to me that some browsers read this spew properly The word should be "improperly". -- | Ric | From nobody at spamcop.net Fri Jul 30 11:06:21 2004 From: nobody at spamcop.net (Firewoman) Date: Fri Jul 30 10:10:04 2004 Subject: [SC-Help] Re: No mail today ? References: Message-ID: "KD" wrote in message news:ceb91a$i9s$1@news.spamcop.net... > First day in years there's no spam. Unfortunately there is also a distinct > lack of normal mail. Is it just me or is there a problem ? This could be a contributing reason :) http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK3914 Frozen assets and all From nobody at devnull.spamcop.net Fri Jul 30 12:08:16 2004 From: nobody at devnull.spamcop.net (Glenn Daniels) Date: Fri Jul 30 11:10:03 2004 Subject: [SC-Help] Re: Submitting Norton Antivirus quarantined spam ? References: Message-ID: "Blammo" wrote in message > Glenn Daniels entered spamcop.help and left > > > For my purposes it simply is not the expedient way to go. > > Given a rudimentary understanding of the parse, I see that > > the virm is a fairly straightforward message. It leaves the > > host machine and arrives it the ISP's mailserver where > > the first of two "Received" headers is prepended to the > > message. It next arrives at my ISP's mailserver where a > > second "Received:" header is prepended to the package > > that I receive. There are no "funky" bogus IP's to deal with > > as there are with spamitems, no untrusted compromised > > intermediaries to disguise the trail back to the source. > > The parse is visual and the return immediate: I skip the > > IP belonging to my ISP and retrieve the IP for the > > virmsourcing machine. > > > > > > What virus uses the ISPs SMTP server? > Ric: The virus stamps the frogged "Received:" line using its own particular combination naming one ISP coupled with the hosts IP address. It usually ends up wrong anyway, setting it to something like: munged2.com (munged1IP[munged1IP]) The send goes out directly from the host machine as the virus uses its owm SMTP engine as I understand it. I think somehow I knew it was wrong when I wrote it, but it was really late and I was getting a tad too tired to care much about being correct. Like who thinks clearly at 4:47 AM? I really am sorry for offering bad information, the wrong thinking if you will, I think the point was, that the "found" IP that SC discovers is always that one, as the first "Received:" header always belongs to myISP.com (myIP[myIP]). Most sad that it pleases me that anyone bothers to read my posts as I struggle to manage to get by with a majorly severe diagnosible thinking disorder. And most of the time that is about as good as it gets, I just get by. So it really is a big help when anyone troubles themselves to correct my disordered thinking. My sincere thanks for the feedback. Glenn, what, both of me worry? From MikeV99 at privacy.net Fri Jul 30 11:47:16 2004 From: MikeV99 at privacy.net (Mike Vanecek) Date: Fri Jul 30 11:50:02 2004 Subject: [SC-Help] spam@uce.gov not remembered Message-ID: <457qt1-2sd.ln1@news.invalid.99computer> I have my preferences set to send a copy to spam@uce.gov. However, whenever I submit a spam and then go to the page to report it, the user reporting box does not remember my preference. As I remember, some time in the past, the box would be filled in with my choice. Anyway to get it to fill in my choice again rather than being empty? -- Thanks, Mike. From eddie at eddie.web Fri Jul 30 13:07:43 2004 From: eddie at eddie.web (eddie) Date: Fri Jul 30 12:10:03 2004 Subject: [SC-Help] Re: No Link tracker References: Message-ID: On Fri, 30 Jul 2004 11:39:02 +0000, Blammo scratched out the following: > On 29 Jul 2004 eddie entered spamcop.help and left > news:pan.2004.07.30.05.43.39.935000@eddie.web: > >> It would appear to me that some browsers read this spew properly > > The word should be "improperly". Yes, but then it wouldn't make sense. It should have really been "improperly read it, turning it into proper text." But we knew that. From eddie at eddie.web Fri Jul 30 13:17:28 2004 From: eddie at eddie.web (eddie) Date: Fri Jul 30 12:20:03 2004 Subject: [SC-Help] Re: Submitting Norton Antivirus quarantined spam ? References: Message-ID: On Fri, 30 Jul 2004 04:47:31 -0400, Glenn Daniels scratched out the following: > "eddie" wrote in message >> Glenn Daniels scratched out the following: >> big snip Regarding just the email address - unfortunately, recently many websites use or require it as your user ID in lieu of letting you create your own. This makes the email address more valuable than it used to be and I agree, it's like a key to your house. But only part of the key. A hacker still has to guess at the password, but part of the job is done for him. This makes it more necessary to create hard-to-break passwords. I have one email address that I never use - it's the main one for my ISP and cannot be changed. It's also the logon ID for my account. I then create sub passwords which I can change and toss as needed. My SC email address is the one I defend and use as a primary public address. So far, the spew I get remains under control, but it could get out of hand if I didn't check my email for several weeks or so. There are no simple answers - which is why I no longer take the attititude of staying on the "high road" when dealing with vermin. I don't mind trench warfare, espionage and counter-espionage if it results in ridding the world of vermin. You don't win a way by dropping bombs from 50,000 feet. From mouselike at gmail.com Fri Jul 30 18:18:45 2004 From: mouselike at gmail.com (mouselike) Date: Fri Jul 30 12:20:15 2004 Subject: [SC-Help] Re: sending to freeserve problem? References: Message-ID: After first trying to blame it on cesmail servers - they are now asking me for mail headers. I have provided these along with clear explanations of what the error means and where it has come from (wannadoo / freeserves servers). Wish me luck :D Tom - www.mouselike.org "mouselike" wrote in message news:ce6jgc$vd3$1@news.spamcop.net... > Posted a message to their support (After a month of using stupid web forms > and having to use internet explorer as its not firefox compatible!) > > Shal see what they say and report back here :> (if they bother replying with > a personal reply *waits for the copy/pasted generic help on how to press the > power button on the computer*) > > Tom - www.mouselike.org > > "mouselike" wrote in message > news:ce6in4$u30$1@news.spamcop.net... > > Thankyou! > > > > Freeserve suck :o) - how can blocking spamcop mail benefit their users!? > > > > Tom - www.mouselike.org > > > > "WazoO" wrote in message > > news:ce6fca$mo8$1@news.spamcop.net... > > > "mouselike" wrote in message > > > news:ce6brd$g9k$1@news.spamcop.net... > > > > > > > > Have freeserve blocked spamcops server? or what is the problem - > sending > > > > from my gmail account doesnt seem to return an error. > > > > > > please see http://forum.spamcop.net/forums/index.php?showtopic=2193 > > > and http://forum.spamcop.net/forums/index.php?showtopic=2057 > > > > > > > > > > > > From nobody at devnull.spamcop.net Fri Jul 30 14:16:07 2004 From: nobody at devnull.spamcop.net (Glenn Daniels) Date: Fri Jul 30 13:20:05 2004 Subject: [SC-Help] Re: Submitting Norton Antivirus quarantined spam ? References: Message-ID: "eddie" wrote in message > Glenn Daniels scratched out the following: > > > "eddie" wrote in message > >> Glenn Daniels scratched out the following: > >> > big snip > > Regarding just the email address - unfortunately, recently many websites > use or require it as your user ID in lieu of letting you create your own. > This makes the email address more valuable than it used to be and I agree, > it's like a key to your house. But only part of the key. A hacker still > has to guess at the password, but part of the job is done for him. > This makes it more necessary to create hard-to-break passwords. > > I have one email address that I never use - it's the main one for my > ISP and cannot be changed. It's also the logon ID for my account. > I then create sub passwords which I can change and toss as needed. > My SC email address is the one I defend and use as a primary public > address. So far, the spew I get remains under control, but it could get > out of hand if I didn't check my email for several weeks or so. > > There are no simple answers - which is why I no longer take the attititude > of staying on the "high road" when dealing with vermin. I don't mind > trench warfare, espionage and counter-espionage if it results in ridding > the world of vermin. You don't win a way by dropping bombs from 50,000 > feet. > eddie: Whether you call it risk/benefit ratio or cost effectiveness, you make a prudent risk assessment as it applies to you. If you have weighed your risks, assessed your objective, recognize the pitfalls along the way, and then do what must be done, I think your chances of success are better than break even. One loses if one does nothing, so I takes my chances doing something. I like the trench warfare conceptualization. The virmen have one knife in your back, you don't need to know that, but when you do, you may choose to act. As I think I said, however, I can't recommend what I do to anyone just because it works for me. I think it all comes down to a case by case personal choice: it is fine whatever you choose provided it is an "eyes open" informed decision. If it works for you, that is great. There may have been worthy indications for your actions or inactions, there are valid risks involved in every direction: whatever your approach, you pay a price and take your chances. I understand that I am gambling on my faith in the decency of my fellow human beings, their willingness to do the "right thing" by me. I understand and accept the risk and can afford to take my chances: but I won't be changing the locks every time I get a key in the mail. I have no problem with the lock, my problem is with the "key in the mail" and I am not waiting around hoping someone will fix the problem for me, I'm "in the trenches" tracking down and stopping the problem where it is coming from as well as I am able. But whatever we may do, we can't recommend it to anyone: others will need to think for themselves. OTOH, someone more enterprising might see a window of opportunity here, a kind of OrkinŽ for the internet: open up a service for hire, you pay and you set them in pursuit of the virmen, affording an alternative to "getting in the trenches" and going after them yourself. What next? Glenn From eddie at eddie.web Fri Jul 30 18:23:49 2004 From: eddie at eddie.web (eddie) Date: Fri Jul 30 17:25:03 2004 Subject: [SC-Help] Re: Submitting Norton Antivirus quarantined spam ? References: Message-ID: On Fri, 30 Jul 2004 13:16:07 -0400, Glenn Daniels scratched out the following: snip > But whatever we may do, we can't recommend it to anyone: others will need > to think for themselves. OTOH, someone more enterprising might see a > window of opportunity here, a kind of Orkin? for the internet: open up a > service for hire, you pay and you set them in pursuit of the virmen, > affording an alternative to "getting in the trenches" and going after them > yourself. What next? > > Glenn I could envision someone hiring or opening a specialized private investigation service to deal with these kind of problems. If not for the satisfaction, it could be a cost-effective alternative way to deal with the stuff. Not too long ago, there was an instance where one well-known person pointed a webcam at the apartment window of someone he didn't like and the courts ruled it was legal for him to do so. It is an interesting concept - like ghostbusters, only for real. In effect, Microsoft and others, by offering a large bounty for the "heads" of spammers, are doing this or at least abetting this kind of activity. If it gets much worse, I suspect people will start taking things into their own hands - if only offering up private bounties to stop the stuff - no questions asked. If you run a small business and start getting hammered, you just don't call 911. From Kilgallen at SpamCop.net Fri Jul 30 17:30:28 2004 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Fri Jul 30 17:35:03 2004 Subject: [SC-Help] Re: No mail today ? References: Message-ID: In article , "Firewoman" writes: > "KD" wrote in message > news:ceb91a$i9s$1@news.spamcop.net... >> First day in years there's no spam. Unfortunately there is also a > distinct >> lack of normal mail. Is it just me or is there a problem ? > > This could be a contributing reason :) > > http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK3914 > > Frozen assets and all It would be polite if you would give a warning before proposing people visit a URL that requires cookies. It would be even more polite if you (the daring sort) would summarize the information available there. From eddie at eddie.web Fri Jul 30 20:32:25 2004 From: eddie at eddie.web (eddie) Date: Fri Jul 30 19:35:14 2004 Subject: [SC-Help] 'too many links' example tracker Message-ID: Each and every link is a subnet of the software pirates but we give them a free pass. I suspect that all the subwebs have the same abuse address. Also, as noted elsewhere, the munging of the subject - the "x" has replaced the word, "Office" just in front of the words, "XP Professional" So we munge the subject word, "Office," and ignore the spamvertized URLs. OK. It doesn't make sence to me, but those are the facts. Tracker: http://www.spamcop.net/sc?id=z576641821z891946e41184a20788216e07e4931a97z From nobody at devnull.spamcop.net Fri Jul 30 20:55:52 2004 From: nobody at devnull.spamcop.net (Glenn Daniels) Date: Fri Jul 30 20:00:05 2004 Subject: [SC-Help] Re: No Link tracker References: Message-ID: "eddie" wrote in message > Here is a tracker for a "no links found" parse > The problem is the content type which, if changed to "text" would parse > perfectly. > The spamvertized site is www.easydatingoffers.com > The tracker is: > http://www.spamcop.net/sc?id=z575470935z3551f2e51ebb7eb6faaa4b5008fd4c88z > > When posting trackers, it is very advisable to test them in a different > browser that is not logged into SC to be sure it's a tracker, and not a > link. > If you get a logon screen, it's not a tracker. For comparison, same site, parser found links: http://www.spamcop.net/sc?id=z576639379z1e07b9f9afd7faac721335d3b9c9de35z No complaint here (this round). Glenn From MikeE at ster.invalid Fri Jul 30 17:54:03 2004 From: MikeE at ster.invalid (Mike Easter) Date: Fri Jul 30 20:00:19 2004 Subject: [SC-Help] Re: 'too many links' example tracker References: Message-ID: eddie wrote: www.spamcop.net/sc?id=z576641821z891946e41184a20788216e07e4931a97z That's kinda weird. SC punted because of 'too many' - but there were only 7 in there, all subdomains. If you take just one out; you get a body parse. www.spamcop.net/sc?id=z576668694z034a9de1633bf8b86f3b6ad27e72cf7ez -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Fri Jul 30 20:04:05 2004 From: nobody at devnull.spamcop.net (Cat) Date: Fri Jul 30 20:10:03 2004 Subject: [SC-Help] Re: sending to freeserve problem? In-Reply-To: References: Message-ID: mouselike wrote: > After first trying to blame it on cesmail servers - they are now asking me > for mail headers. > I have provided these along with clear explanations of what the error means > and where it has come from (wannadoo / freeserves servers). Could you please not top post? It makes your posts harder to read, especially when you don't snip out the unneeded parts of the previous posts you're quoting. If you pay attention to other posts in the newsgroup, you'll notice that the preferred method of posting is to post your comments BELOW each quoted point and snip out the rest. See #6 at http://linux.sgms-centre.com/misc/netiquette.php and #1 and #2 at http://www.river.com/users/share/etiquette/ for more snipping and inline posting netiquette. From nobody at devnull.spamcop.net Fri Jul 30 21:23:14 2004 From: nobody at devnull.spamcop.net (Glenn Daniels) Date: Fri Jul 30 20:25:03 2004 Subject: [SC-Help] Re: 'too many links' example tracker References: Message-ID: "Mike Easter" wrote in message > eddie wrote: > www.spamcop.net/sc?id=z576641821z891946e41184a20788216e07e4931a97z > > That's kinda weird. SC punted because of 'too many' - but there were > only 7 in there, all subdomains. If you take just one out; you get a > body parse. > > www.spamcop.net/sc?id=z576668694z034a9de1633bf8b86f3b6ad27e72cf7ez > > Mike: Any sense of "why six?" is the cutoff. I've seen plenty of legitimate subscription adverts with many more links than six. Did someone decide that more than six, well maybe this is legitimate subcribed commercial newsletter, better not call it spam? On a different topic, does anyone know why only part of the message ID is munged: even the unmunged portion added to the date/time stamp could reveal a significant handle to the spam reporter's email identity? Glenn From ric.gates at bigsleep.org Sat Jul 31 01:55:04 2004 From: ric.gates at bigsleep.org (Blammo) Date: Fri Jul 30 21:00:04 2004 Subject: [SC-Help] Re: Submitting Norton Antivirus quarantined spam ? References: Message-ID: On 30 Jul 2004 Glenn Daniels entered spamcop.help and left news:cedo8p$nee$1@news.spamcop.net: > "Blammo" wrote in message >> >> What virus uses the ISPs SMTP server? >> > > Ric: > > The virus stamps the frogged "Received:" line using its > own particular combination naming one ISP coupled > with the hosts IP address. It usually ends up wrong > anyway, setting it to something like: > munged2.com (munged1IP[munged1IP]) > I've heard that there are viruses that send through the ISP's SMTP, just don't ever remember seeing one. The virus actually fakes the SMTP HELO... Connect: (sender's IP) HELO: (server name) MAIL FROM: (sender address) RCPT TO: (recipient address) DATA: (headers and body) The connect IP cannot be forged, and it is added to the Recieved header by the receiving SMTP. The others can be forged (or sent by your MUA). I've never seen a virus create a Received header, though there's no reason why it couldn't. > The send goes out directly from the host machine > as the virus uses its owm SMTP engine as I > understand it. I think somehow I knew it was wrong > when I wrote it, but it was really late and I was > getting a tad too tired to care much about being > correct. Like who thinks clearly at 4:47 AM? > I see. > I really am sorry for offering bad information, the wrong thinking > if you will, I think the point was, that the "found" IP that SC > discovers is always that one, as the first "Received:" > header always belongs to myISP.com (myIP[myIP]). > Right, and relays should add a header as well, some ISPs and mail servers my have two or three relays. I just wanted to know what virus uses the local ISP to send mail out, if any, and how they would figure that out. -- | Ric | From ric.gates at bigsleep.org Sat Jul 31 02:31:26 2004 From: ric.gates at bigsleep.org (Blammo) Date: Fri Jul 30 21:35:03 2004 Subject: [SC-Help] Re: No Link tracker References: Message-ID: On 30 Jul 2004 eddie entered spamcop.help and left news:pan.2004.07.30.16.07.42.919000@eddie.web: > On Fri, 30 Jul 2004 11:39:02 +0000, Blammo scratched out the following: > >> On 29 Jul 2004 eddie entered spamcop.help and left >> news:pan.2004.07.30.05.43.39.935000@eddie.web: >> >>> It would appear to me that some browsers read this spew properly >> >> The word should be "improperly". > > Yes, but then it wouldn't make sense. > It should have really been "improperly read it, turning it into proper > text." > But we knew that. But you don't really know what the intention was, you're just making a guess at the spammer's intention, and the browser or mail reader makes a "guess" at what the intention was. This exposes bugs and is improper. I actually don't like "smart links" at all. Bullitin boards, and most mail agents create "smartlinks", and even Mozilla sometimes messes up and creates a link out of this:that , I like the way XNews and Textpad handles it, they don't underline links but add an item to the context menu. And if you actually want to send HTML code without it being rendered, the mail reader shouldn't "automagically" render (HTML) text that is meant to be displayed as text, even if it does look like HTML code. -- | Ric | From ric.gates at bigsleep.org Sat Jul 31 02:40:34 2004 From: ric.gates at bigsleep.org (Blammo) Date: Fri Jul 30 21:45:03 2004 Subject: [SC-Help] Re: spam@uce.gov not remembered References: <457qt1-2sd.ln1@news.invalid.99computer> Message-ID: On 30 Jul 2004 Mike Vanecek entered spamcop.help and left news:457qt1-2sd.ln1@news.invalid.99computer: > I have my preferences set to send a copy to spam@uce.gov. However, > whenever I submit a spam and then go to the page to report it, the > user reporting box does not remember my preference. As I remember, > some time in the past, the box would be filled in with my choice. > Anyway to get it to fill in my choice again rather than being empty? > There should be a checkbox added, not a text box. The textbox should be empty. Re: Forwarded Spam (User defined recipient) [] To: spam@uce.gov (Notes) -- | Ric | From eddie at eddie.web Fri Jul 30 23:24:01 2004 From: eddie at eddie.web (eddie) Date: Fri Jul 30 22:25:02 2004 Subject: [SC-Help] Re: 'too many links' example tracker References: Message-ID: On Fri, 30 Jul 2004 16:54:03 -0700, Mike Easter scratched out the following: > > That's kinda weird. SC punted because of 'too many' - but there were only > 7 in there, all subdomains. If you take just one out; you get a body > parse. > Beginner's luck? Coincidence? Or perhaps, good orchestration. From nobody at devnull.spamcop.net Sat Jul 31 09:40:51 2004 From: nobody at devnull.spamcop.net (Glenn Daniels) Date: Sat Jul 31 08:45:05 2004 Subject: [SC-Help] No link tracker Message-ID: Parse tracker: http://www.spamcop.net/sc?id=z577355515z9cef145777beb38de837cb7e7129ae6ez This one is a doozy. It troubles me not the least that the parser can't find the site. I don't want to look at the site to know it is a fake bank "front" nor do they really deserve to be told that they are being investigated. I do know that similar links do work although by no stretch of my imagination should they nor would I want the parser to see through it better than I do. It is "just one of those things": the parser correctly sees what it is, but can't resolve the URL. The key is in the tail of it: ?affiliate_id=3D233733&campaign_id=3D701 The site won't exist for my browser without the keys to the fake bank front. I have been getting a lot like this one: I report all of them to spam@uca.gov for what I sincerely believe them to be. I doubt they are running under a legitimate ISP, but they could be operating out of my neighbor's shed. I give every one of them my read: 1). Credit/usury/loansharking scam alleged: Mortgage refinancing highly unlikely. 3). Money laundering scheme is considered. 4). Spamvertised website appears not to exist and/or is alleged to be a fraudulent banking front. 5). Criminal spamming is alleged. 6). Data mining scam (identity theft) is alleged. 7). Invalid or no unsubscribe is alleged: don't subscribe, not subscribed. when submitting my complaint. That they make it their business to conceal and obfuscate their location and make themselves untraceable is their business. I am responsible for what that message means to me: for me it provides compelling evidence in support of my allegations. If they choose to not know that they have been reported, that is their choice. I personally would prefer to not have the parser read this kind of screwed up garbage: yes it works in my browser. Should the parser render it? No way: they want to be "in the dark"? let'em. I don't want to tip them that they can be traced: if anyone with impairment as severe as mine can snag the IP from the firewall transaction log, they can run, but they can't hide. Please do NOT fix the parser to identify this URL. TIA, Glenn From nobody at devnull.spamcop.net Sat Jul 31 16:39:58 2004 From: nobody at devnull.spamcop.net (Robert Slade) Date: Sat Jul 31 10:55:04 2004 Subject: [SC-Help] Something Odd Message-ID: Hiya, I have posted about this before and I have just put the header of the most recent message in .spam. The tracker link is: http://spamcop.net/sc?id=z577493111z30e266829b981a1ca2fbd4b21873ecf7z I think that the earthlink server is at fault here (compromised open proxy?) and the wanado.fr stamp forged., but it is a very good one though. What bothers me is that I can see no way that earthlink would be relaying for wanado.fr. Any thoughts? I'm geeting 2-3 of these a day. I'll collect a few to see if there is a patern. Rob From MikeE at ster.invalid Sat Jul 31 09:08:26 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sat Jul 31 11:15:03 2004 Subject: [SC-Help] Re: No link tracker References: Message-ID: Glenn Daniels wrote: > Parse tracker: www.spamcop.net/sc?id=z577355515z9cef145777beb38de837cb7e7129ae6ez That one is a spammer screwup. The spammer was supposed to put the mortgage domainname into the place of this string: .%MORTGAGE_DOMAIN which has the affiliate stuff attached later. If you want to see more similar spams which have been constructed properly with various names, check sightings on the subject 'Notification of a Pending Account' at http://snipurl.com/85ey -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Sat Jul 31 13:20:54 2004 From: nobody at devnull.spamcop.net (Glenn Daniels) Date: Sat Jul 31 12:25:04 2004 Subject: [SC-Help] Re: Submitting Norton Antivirus quarantined spam ? References: Message-ID: "Blammo" wrote in message > On 30 Jul 2004 Glenn Daniels entered spamcop.help and left > > > "Blammo" wrote in message > >> > >> What virus uses the ISPs SMTP server? > >> > > > > Ric: > > > > The virus stamps the frogged "Received:" line using its > > own particular combination naming one ISP coupled > > with the hosts IP address. It usually ends up wrong > > anyway, setting it to something like: > > munged2.com (munged1IP[munged1IP]) > > > > I've heard that there are viruses that send through the ISP's SMTP, just > don't ever remember seeing one. > The virus actually fakes the SMTP HELO... > > Connect: (sender's IP) > HELO: (server name) > MAIL FROM: (sender address) > RCPT TO: (recipient address) > DATA: (headers and body) > > The connect IP cannot be forged, and it is added to the Recieved header by > the receiving SMTP. The others can be forged (or sent by your MUA). > I've never seen a virus create a Received header, though there's no reason > why it couldn't. > > > The send goes out directly from the host machine > > as the virus uses its owm SMTP engine as I > > understand it. I think somehow I knew it was wrong > > when I wrote it, but it was really late and I was > > getting a tad too tired to care much about being > > correct. Like who thinks clearly at 4:47 AM? > > > > I see. > > > I really am sorry for offering bad information, the wrong thinking > > if you will, I think the point was, that the "found" IP that SC > > discovers is always that one, as the first "Received:" > > header always belongs to myISP.com (myIP[myIP]). > > > > Right, and relays should add a header as well, some ISPs and mail servers > my have two or three relays. > I just wanted to know what virus uses the local ISP to send mail out, if > any, and how they would figure that out. > Again, I was in zombie mode, thinking erratically, trying unsuccessfully to make sense of what I was seeing, sensing that it did not make sense but not ready to pretend to seeing nothing at all that made sense. Although I have abandoned the use of the parser for reporting investigating virm headers, I post now this parse tracker: http://www.spamcop.net/sc?id=z577521034zf72a3f96ea35e1daaaca485ed0998a89z The tracker is representative for all W32.NetSky.P@mm virus samples submitted to my addy for study and determination of most effective means of terminating the virm thread on the virmsourcing host machine. In this particular case, by reason of "respondeat superior" (the brown substance flows uphill), mungecast is overtly liable for damages suffered by anyone that results as a consequence of their failure to terminate the virm thread on the virmsourcing hardware. I believe they are fully cognizant of the potential for a major class action liability judgement and will make it their business to terminate the viral thread expeditiously. They have done so in other instances, I see no reason they would not do so in this case. If unfortunately, it happens also to be a "protected" zombified spamforge, well, now, so be it. For the time being it is spewing virms, and that may not be the most cost effective way to scam anyone. In the event that mungecast fails to terminate the viral thread on their IP's virmsourcing hardware, I plan to make it worth their while. I am collecting an archive of the database of email addresses on the host machine toward the evidence of damage they are causing directly, or indirectly through inaction, to be done, both to myself and everyone else in that database. As I have repeatedly apprised them of the problem and repeatedly been thanked for doing so, I fail to see a valid cause for allowing it to continue. It seriously is not in their interest, nor in the interest of their client at that address, to persist in sending me virms. Anyway, Ric, the froggy forged second "Received:" header as I see it could only be seen as the fabrication of the virm thread. I believe, correctly or otherwise, that the only valid thing in that header is the IP. Since mungecast is responsible for the IP, mungecast is responsible for creating a remedy for the wrong they are causing, either directly, or indirectly through inaction. I am not afraid of virms any moreso than I am of chainsaws and ballistics. I respect them, yes. And handle them with the respect that is due them. What I fear is the damage being done to the privacy and security of the trademark email address that is being abused. I am similarly concerned for the privacy and security of all the other email addresses stored on the virmsourcing hardware. So long as everyone panics and goes for delete at the sight of a virm, those at mungecast who are responsible for the damage are kept in the dark about the dirty little deed and their is no record of the facts available at which to point. I am hopeful that I am not alone in harvesting such virm submissions. They are, after all, my credible evidence of a wrong being worked by or on behalf of mungecast. I cannot and do not endorse virm collection. I cannot and do not endorse gun collection, either. By nature, people do as they please. Either way everything being collected is handled with full respect. I have no real fear of potential harm from the virms I collect. I do fear the persistent damage that mungecast is doing to the privacy and security of my email address. If I can hook up with just a few other virm collectors, I smell blood in the water, and it is not my blood. I'm afraid, yes, I'm afraid for mungecast. Hopefully they can stop the bleeding before the sharks close in. Even a leviathan has cause to take heed when the sharks start circling. FWIW, I note that the IP is previously dnsbl.sorbs.net listed, they know or ought to know they have a serious problem with that IP. IANAL, but I'm not sure ignorance is a workable defense. Glenn Disclaimer: IANAL. As such the above is considered as having no particular meaning in and of itself. No particular endorsement is intended or denied. Any meaning to be found in this message is the sole province and responsibility of the recipient. No recipient is specified or denied. All priveleges as may be afforded as "plausible deniability" are hereby claimed and invoked. From MikeE at ster.invalid Sat Jul 31 10:19:06 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sat Jul 31 12:25:16 2004 Subject: [SC-Help] Re: Something Odd References: Message-ID: Robert Slade wrote: www.spamcop.net/sc?id=z577493111z30e266829b981a1ca2fbd4b21873ecf7z > Any thoughts? That item has the appearance of something which was relayed from a wanadoo user thru' EL's mta to you. I don't think any of the lines look bogus to me; what you don't know is why the EL server should be doing that. Perhaps there is such a thing as a wanadoo user with an EL account and that wanadoo machine is compromised. Or a 'real' source. When I get spams with 'inappropriate' relays which aren't listed as being open, I notify the apparent source, wanadoo in this instance, and the apparent relay, EL in this instance, briefly describing their roles in the spam I also submit the inappropriate relay to relay testers, which will probably turn out negative. SpamCop doesn't exactly do it that way, but simply 'accepts' a known relay to be 'trusted' - which is why it is simply a dumb algorithm and you are a human, and demonstrates one of the many deficiencies of standard spamcop reporting. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sat Jul 31 10:31:55 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sat Jul 31 12:35:03 2004 Subject: [SC-Help] Re: Submitting Norton Antivirus quarantined spam ? References: Message-ID: Glenn Daniels wrote: www.spamcop.net/sc?id=z577521034zf72a3f96ea35e1daaaca485ed0998a89z source = 68.186.163.158 no rDNS = abuse@charter.net > mungecast is > overtly liable mungecast? -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Sat Jul 31 13:55:12 2004 From: nobody at devnull.spamcop.net (Glenn Daniels) Date: Sat Jul 31 13:00:03 2004 Subject: [SC-Help] Re: No link tracker References: Message-ID: "Mike Easter" wrote in message > Glenn Daniels wrote: > > Parse tracker: > www.spamcop.net/sc?id=z577355515z9cef145777beb38de837cb7e7129ae6ez > > That one is a spammer screwup. The spammer was supposed to put the > mortgage domainname into the place of this string: .%MORTGAGE_DOMAIN > which has the affiliate stuff attached later. > > If you want to see more similar spams which have been constructed > properly with various names, check sightings on the subject > 'Notification of a Pending Account' at http://snipurl.com/85ey > No problem. If that is the best they can do for being straightforward about who they are and what they are about, I yet do not believe they are owed the courtesy of an alert that their website is being scamvertized. My beliefs that these sites are as I have alleged they are are not dismissed because one spamitem "got it wrong": even when they "get it right" it still looks like an obfuscation to me. If the parser can read it correctly, it is not because they had clear intent to cause that to be so. The parser is simply seeing more than I can see, and more than I hold it responsible for seeing. I am loathe to retrieve the number of similar spamitems I have reported to them from my archives of thousands of spamitems. So long as they choose to do nothing about the criminal spamming of their site, I will persist in the belief that through action or inaction on their part, they are responsible for that. If, indeed, they are responsible for such a loathesome wrong, why would anyone choose to believe that they are not also committing other wrongs as I have alleged? And thanks, but no, I think I have seen more than enough examples of when they "got it right". For myself, their "getting it right" is still wrong. I am for my own part simply going to stop alerting the spamvertizer to the fact that hir spamvertizing is being reported and may be attracting untoward attention in hir direction. I would seriously prefer that the parser not deobfuscate the URL. If they insist on being clue repellent, I weary of trying to help them. They dig their own hole: who am I to find fault in that? Glenn From nobody at devnull.spamcop.net Sat Jul 31 14:28:40 2004 From: nobody at devnull.spamcop.net (Glenn Daniels) Date: Sat Jul 31 13:30:03 2004 Subject: [SC-Help] Re: Submitting Norton Antivirus quarantined spam ? References: Message-ID: "Mike Easter" wrote in message > Glenn Daniels wrote: > www.spamcop.net/sc?id=z577521034zf72a3f96ea35e1daaaca485ed0998a89z > > source = 68.186.163.158 no rDNS = abuse@charter.net > > > mungecast is > > overtly liable > > mungecast? > Yup! It works for me, I like the way it sounds, and it avoids saying what I mean without stopping me from meaning what I say. What? You got a problem with mungecast? I know perfectly well where the reports went and so do they. I provided an ample disclaimer. Looks to me like you followed the link and saw what you wanted to see. Someone else looks and says, oh, look, he forged the IP. I know what I have in my virm bank, and it looks to me like you know. What I need are other virm bankers who are armed with virms and ready and willing to take on yourcallISP. If the ISP's can't be held accountable for the harm they do, who else is there? Yes, I rather like mungecast. It is that or virmizen. But charter? Nah!, don't go there, I really don't like the sound of that. Besides, they have never let me down on these things before. Mungecast, yes, mungecast is good. Especially when they are clearly responsible for an ample portion of my daily injection of spam. Definitely. You think it was Freudian? Not this time. What does it mean? You decide. Glenn From mouselike at gmail.com Sat Jul 31 20:44:25 2004 From: mouselike at gmail.com (mouselike) Date: Sat Jul 31 14:45:22 2004 Subject: [SC-Help] Re: sending to freeserve problem? References: Message-ID: > Could you please not top post? It makes your posts harder to read, > especially when you don't snip out the unneeded parts of the previous > posts you're quoting. If you pay attention to other posts in the > newsgroup, you'll notice that the preferred method of posting is to post > your comments BELOW each quoted point and snip out the rest. > > See #6 at http://linux.sgms-centre.com/misc/netiquette.php and #1 and #2 > at http://www.river.com/users/share/etiquette/ for more snipping and > inline posting netiquette. Appologies - Im more a forum man (hardly ever load newsgroups) and just used the default action of MS Outlook (the easiest newsgroup software I could find to hand). Shal change my ways :o) Tom - www.mouselike.org From eddie at eddie.web Sat Jul 31 16:42:39 2004 From: eddie at eddie.web (eddie) Date: Sat Jul 31 15:45:11 2004 Subject: [SC-Help] "No links found" tracker Message-ID: Here's another one. http://www.spamcop.net/sc?id=z577792024zd8775248aa5765f432c9da1b03116535z From nobody at devnull.spamcop.net Sat Jul 31 23:10:50 2004 From: nobody at devnull.spamcop.net (~*~ Simone ~*~) Date: Sat Jul 31 16:15:04 2004 Subject: [SC-Help] tracing abuse Message-ID: Hello, I own a small website, with only two mail adresses in use, and both in use by me. Even so, today I received mail delivery error mail by spamcop, sayin that my i.p was blocked because of spam. The bounced mail was just a confirmation mail to someone that is member on a yahoo list I own. The yahoo list has restircteda ccess, and a non viewable member list. What I want to know is: Is it possible for me to find the mail(s) that got my server blocked, so I can eventualy trace where it is coming from? and if that adress is different from mine, how can I prevent from getting blocked again? I am aware that if there are no new reports within the next 48 hours, my ip will be unblocked again, but is there a way to get myself unblocked sooner? Greetz Simone From MikeE at ster.invalid Sat Jul 31 14:49:15 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sat Jul 31 16:55:04 2004 Subject: [SC-Help] Re: "No links found" tracker References: Message-ID: eddie wrote: > Here's another one. www.spamcop.net/sc?id=z577792024zd8775248aa5765f432c9da1b03116535z Two sets of content type again. You have to get rid of the set that sez multipart alternative and boundary. The actual body is text/html and the only 'boundary' is the epilogue at the end. www.spamcop.net/sc?id=z577847435z79c25fcd123e36b47618bd9541e36147z I think SC should offer a service, only for pay, not for free, that offers some modified reporting 'method' which is more liberal in its interpretation of 'material changes' - so that people who are pay can feed 'slightly' modified or 'corrected' spamitems for which they 'declare' the modification ['forged and misleading content type headerline removed' in this example] -- they could even check 'material change' if necessary. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sat Jul 31 14:56:12 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sat Jul 31 17:00:03 2004 Subject: [SC-Help] Re: tracing abuse References: Message-ID: Simone wrote: > today I received mail delivery error mail by > spamcop, sayin that my i.p was blocked because of spam. If you really want to talk about a blocked IP address, you should name it, not talk around it. If you want to look it up, put it in the space at http://www.spamcop.net/bl.shtml But, you'll probably learn more by 'saying it out loud'. The IP you are posting to this newsgroup from 81.69.120.113 rDNS hks-15a71.adsl.wanadoo.nl is not listed, nor are the incoming MXes for wanadoo.nl, but perhaps an output is; or perhaps the mail item to which you refer came from some other server's IP. -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Sat Jul 31 23:00:07 2004 From: nobody at devnull.spamcop.net (Robert Slade) Date: Sat Jul 31 17:15:03 2004 Subject: [SC-Help] Re: tracing abuse References: Message-ID: "~*~ Simone ~*~" wrote in message news:cegucm$fij$1@news.spamcop.net... > Hello, > > I own a small website, with only two mail adresses in use, and both in use > by me. Even so, today I received mail delivery error mail by spamcop, sayin > that my i.p was blocked because of spam. The bounced mail was just a > confirmation mail to someone that is member on a yahoo list I own. The yahoo > list has restircteda ccess, and a non viewable member list. > What I want to know is: Is it possible for me to find the mail(s) that got > my server blocked, so I can eventualy trace where it is coming from? and if > that adress is different from mine, how can I prevent from getting blocked > again? > I am aware that if there are no new reports within the next 48 hours, my ip > will be unblocked again, but is there a way to get myself unblocked sooner? > > Greetz Simone Hiya, To get help we will need the IP address that was blocked to work out what is happening. It should be on mail delivery error message. There are several possible causes: If you are running your own mail server, that may be compromised or allowing mail to be relayed through it. You have a Trojan or virus on your system that is sending out mail. If you are using your ISP's mail server and another user of that ISP is sending out spam through that server and hence the ISP's server is listed. In most cases, Spamcop will report to the abuse address registered for the server that is the cause of the problem. probably your ISP. You could try talking to them. One minor point, Spamcop does not block mail, it provides a list of known spam sources, in this case it is Yahoo that has blocked your mail based on the Spamcop list. Rob A SC member, not Admin From nobody at devnull.spamcop.net Sat Jul 31 18:15:12 2004 From: nobody at devnull.spamcop.net (Glenn Daniels) Date: Sat Jul 31 17:20:04 2004 Subject: [SC-Help] Re: "No links found" tracker References: Message-ID: Mike Easter wrote in message > eddie wrote: > > Here's another one. > www.spamcop.net/sc?id=z577792024zd8775248aa5765f432c9da1b03116535z > > Two sets of content type again. You have to get rid of the set that sez > multipart alternative and boundary. The actual body is text/html and > the only 'boundary' is the epilogue at the end. > > www.spamcop.net/sc?id=z577847435z79c25fcd123e36b47618bd9541e36147z > > I think SC should offer a service, only for pay, not for free, that > offers some modified reporting 'method' which is more liberal in its > interpretation of 'material changes' - so that people who are pay can > feed 'slightly' modified or 'corrected' spamitems for which they > 'declare' the modification ['forged and misleading content type > headerline removed' in this example] -- they could even check 'material > change' if necessary. > You make sense, and I think it is a worthy proposal. As it stands, you could "cheat", risk being "exposed" and get "spanked". In a way, you would still be "paying" for breaking the rules. For myself, cheating is not something I have ever been able to bring myself to do. In this case, I'm still trying to get a sense of the playing field. I'm devoid of interest in a "Gold Pass" to do what I believe you probably should be permitted to do with your level of expertise. But for one small issue, I believe I strongly agree with your proposal: I don't believe you should be asked to pay for the priveleges you ask, I believe you have worked hard for them and that they should be granted on the basis of demonstrated proficiency to do the "right thing", kind of like a merit badge or diploma to be conferred, with "all the rights and priveleges pertaining thereto", something that ethically ought not come with a price tag. If it goes "on the block" for a price, that like totally degrades the whole concept of achievement, merit, and proficiency as perquisites to the honor. I shut up now and go to my room. I do so despise myself for being disagreeable. Maybe I need a nap. -laters, Glenn From nobody at devnull.spamcop.net Sat Jul 31 23:07:15 2004 From: nobody at devnull.spamcop.net (Robert Slade) Date: Sat Jul 31 17:20:17 2004 Subject: [SC-Help] Re: Something Odd References: Message-ID: "Mike Easter" wrote in message news:ceggtg$npb$1@news.spamcop.net... > Robert Slade wrote: > www.spamcop.net/sc?id=z577493111z30e266829b981a1ca2fbd4b21873ecf7z > > > Any thoughts? > > That item has the appearance of something which was relayed from a > wanadoo user thru' EL's mta to you. > > I don't think any of the lines look bogus to me; what you don't know is > why the EL server should be doing that. Perhaps there is such a thing > as a wanadoo user with an EL account and that wanadoo machine is > compromised. Or a 'real' source. In this case yes, but I have had others with different 'source's eg Comcast but in all cases the website is hosted by verio.net with different domain names.It looks like someone is using a double relay here or that the El mta is compromised. > > When I get spams with 'inappropriate' relays which aren't listed as > being open, I notify the apparent source, wanadoo in this instance, and > the apparent relay, EL in this instance, briefly describing their roles > in the spam > > I also submit the inappropriate relay to relay testers, which will > probably turn out negative. > > SpamCop doesn't exactly do it that way, but simply 'accepts' a known > relay to be 'trusted' - which is why it is simply a dumb algorithm and > you are a human, and demonstrates one of the many deficiencies of > standard spamcop reporting. > Thanks Mike, Rob From mrichter at cpl.net Sat Jul 31 15:19:16 2004 From: mrichter at cpl.net (Mike Richter) Date: Sat Jul 31 17:20:24 2004 Subject: [SC-Help] Re: tracing abuse In-Reply-To: References: Message-ID: ~*~ Simone ~*~ wrote: > Hello, > > I own a small website, with only two mail adresses in use, and both in use > by me. Even so, today I received mail delivery error mail by spamcop, sayin > that my i.p was blocked because of spam. The bounced mail was just a > confirmation mail to someone that is member on a yahoo list I own. The yahoo > list has restircteda ccess, and a non viewable member list. > What I want to know is: Is it possible for me to find the mail(s) that got > my server blocked, so I can eventualy trace where it is coming from? and if > that adress is different from mine, how can I prevent from getting blocked > again? > I am aware that if there are no new reports within the next 48 hours, my ip > will be unblocked again, but is there a way to get myself unblocked sooner? Posted by a (mostly) happy SpamCop user, not an official. It is possible that the report was wrong; in that case, SpamCop whould be told the details in order to inform the reporter. For that reason, you should respond to the report you received, forwarding it to bl@spamcop.net (per http://www.spamcop.net/fom-serve/cache/298.html) with whatever collateral information you believe appropriate. A single report from a person will not cause you to be blocked and, as another has said, SpamCop does not itself block anyone. If the message is the one you believe it to be and it caused your IP address to be on the bl, then somehow it may have been sent to a spamtrap. In any event, action is with the deputies. Mike -- mrichter@cpl.net http://www.mrichter.com/ From nobody at devnull.spamcop.net Sat Jul 31 23:17:39 2004 From: nobody at devnull.spamcop.net (Robert Slade) Date: Sat Jul 31 17:30:04 2004 Subject: [SC-Help] Re: Something Odd References: Message-ID: "Robert Slade" wrote in message news:ceh29f$mb9$1@news.spamcop.net... > > "Mike Easter" wrote in message > news:ceggtg$npb$1@news.spamcop.net... > > Robert Slade wrote: > > www.spamcop.net/sc?id=z577493111z30e266829b981a1ca2fbd4b21873ecf7z > > > > > Any thoughts? > > > > That item has the appearance of something which was relayed from a > > wanadoo user thru' EL's mta to you. > > > > I don't think any of the lines look bogus to me; what you don't know is > > why the EL server should be doing that. Perhaps there is such a thing > > as a wanadoo user with an EL account and that wanadoo machine is > > compromised. Or a 'real' source. > > In this case yes, but I have had others with different 'source's eg Comcast > but in all cases the website is hosted by verio.net with different domain > names.It looks like someone is using a double relay here or that the El mta > is compromised. > Just got another one: http://spamcop.net/sc?id=z577855383z273a3db7b397b4b8972311967ee9ccc3z This time the apparent source is hgcbroadband.com, same EL mta - 207.217.120.227. Rob From MikeE at ster.invalid Sat Jul 31 15:26:10 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sat Jul 31 17:30:16 2004 Subject: [SC-Help] Re: "No links found" tracker References: Message-ID: Glenn Daniels wrote: > Mike Easter >> I think SC should offer a service, only for pay, not for free, that >> offers some modified reporting 'method' which is more liberal in its >> interpretation of 'material changes' > As it stands, > you could "cheat", I don't recommend that at all. In fact, I'm a strong advocate of manual reporting because of the inadequacies of standard SC reporting. > I don't believe you should be asked to pay for > the priveleges you ask, The principle purposes of SC are to provide and 'balance' a free and paid parsing and reporting system, to maintain a SCbl dnsbl blocklist, and to 'sell' a mail filtering service. The value and 'weight' of the SCbl and the 'meaningfulness' of SC notifications is based on the integrity or quality of the spamcop report. Reporters, given excessive liberties, can destroy that value by diluting its integrity. They need much supervision, oversight, and 'threat' of discipline to keep them in line and behaving as advised. Humans do those oversights, and if you want more of them or more 'functionality' in that sphere you can't expect to find it by a devoted cadre of unpaid volunteers to oversee and discipline misbehaving reporters. Ergo $$ in the equation. -- Mike Easter kibitzer, not SC admin From eddie at eddie.web Sat Jul 31 18:32:06 2004 From: eddie at eddie.web (eddie) Date: Sat Jul 31 17:35:04 2004 Subject: [SC-Help] Re: "No links found" tracker References: Message-ID: On Sat, 31 Jul 2004 13:49:15 -0700, Mike Easter scratched out the following: snapple > I think SC should offer a service, only for pay, not for free, that offers > some modified reporting 'method' which is more liberal in its > interpretation of 'material changes' - so that people who are pay can feed > 'slightly' modified or 'corrected' spamitems for which they 'declare' the > modification ['forged and misleading content type headerline removed' in > this example] -- they could even check 'material change' if necessary. I completely agree, being one of those paying customers. I mentioned elsewhere a similar suggestion in which it becomes the LARTers responsibility to be accurate and non-abusive but to have a little more control over the reporting mechanism. Could be a one or two strikes and you're out rule, too. One problem even now, is the 4 extra reporting addresses max. I have to pick 4 when I get a software pirate, even though they are pushing many more company's wares illegally. I don't wish to resubmit several times in order to include all the necessary contacts, 4 at a time. From MikeE at ster.invalid Sat Jul 31 15:43:23 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sat Jul 31 17:50:03 2004 Subject: [SC-Help] Re: Something Odd References: Message-ID: Robert Slade wrote: > Just got another one: spamcop.net/sc?id=z577855383z273a3db7b397b4b8972311967ee9ccc3z > > This time the apparent source is hgcbroadband.com, same EL mta - > 207.217.120.227. This one adds something to the mix. The modus operandi re subject and other characteristics appears identical, along with the usage of the EL mta, but in this case the source IP is listed in cbl, which gives us a clue to the mechanism. CBL lists on the basis of proxy/trojan 'condition'. "The CBL takes its source data from very large spamtraps, and only lists IPs exhibiting characteristics which are specific to open proxies of various sorts (HTTP, socks, AnalogX, wingate etc) which have been abused to send spam, worms/viruses that do their own direct mail transmission, or some types of trojan-horse or "stealth" spamware, without doing open proxy tests of any kind." So, I would derive that the spammer methodology is to use an abusable box, on the basis of trojan or proxy, and point the smtp injection at the EL server, for which the spammer has a username password, and effect the injection via a combination of abused proxy/trojan and 'legal' EL relaying. I think the EL traceline may be legitimate, and it is possible that EL, if motivated, could actually do something about the account which is being used to effect the relay - from the traceline, the logs at the mta, or whatever. However, the perennially understaffed and outsourced EL may not be up to the task. EL has two different types of smtp servers. 'regular' smtp and smtpauth. The smtpauth servers require the input of username account and matching pw, but will also conduct business from 'anywhere' -- whereas I think the 'regular' smtp servers will only conduct their business from the appropriate IP or domain ranges. -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Sat Jul 31 19:02:13 2004 From: nobody at devnull.spamcop.net (Glenn Daniels) Date: Sat Jul 31 18:05:03 2004 Subject: [SC-Help] Re: "No links found" tracker References: Message-ID: "Mike Easter" wrote in message > Glenn Daniels wrote: > > Mike Easter > >> I think SC should offer a service, only for pay, not for free, that > >> offers some modified reporting 'method' which is more liberal in its > >> interpretation of 'material changes' > > > As it stands, > > you could "cheat", > > I don't recommend that at all. In fact, I'm a strong advocate of manual > reporting because of the inadequacies of standard SC reporting. > > > I don't believe you should be asked to pay for > > the priveleges you ask, > > The principle purposes of SC are to provide and 'balance' a free and > paid parsing and reporting system, to maintain a SCbl dnsbl blocklist, > and to 'sell' a mail filtering service. > > The value and 'weight' of the SCbl and the 'meaningfulness' of SC > notifications is based on the integrity or quality of the spamcop > report. > > Reporters, given excessive liberties, can destroy that value by diluting > its integrity. They need much supervision, oversight, and 'threat' of > discipline to keep them in line and behaving as advised. > > Humans do those oversights, and if you want more of them or more > 'functionality' in that sphere you can't expect to find it by a devoted > cadre of unpaid volunteers to oversee and discipline misbehaving > reporters. Ergo $$ in the equation. > Sorry, I seem to have completely misunderstood where you were coming from. What you seem to have meant I still can't extract from what you said. I doubt you meant to be ambiguous, but for me it was clearly going in the reverse of your clarification. The clarify is perfectly agreeable. Especially if it means that SC realizes a more real time semi-human interface, what is a tech support team? Ummm, yes, absolutely, yes! Great idea, you looking for work? ;) Glenn From eddie at eddie.web Sat Jul 31 23:33:04 2004 From: eddie at eddie.web (eddie) Date: Sat Jul 31 22:35:03 2004 Subject: [SC-Help] "no links found" tracker example 2 Message-ID: http://www.spamcop.net/sc?id=z578208671zb13e541f08cffdbd8dcab9e5f2ab650fz