From jimwasson at spamcop.net Fri Apr 1 21:56:25 2005
From: jimwasson at spamcop.net (Jim Wasson)
Date: Sat Apr 2 01:00:02 2005
Subject: [SC-Help] Simple trick defeats lookup
Message-ID:

Ref report at:
http://www.spamcop.net/sc?id=z748311527zc9b4798951f24cf440bb4580f4aee4f0z

Spamcop was unable to resolve spammy's website link in the body:

Resolving link obfuscation
http://acquaintance.refinance-place.com./p3/ke.php?l4d=77
host acquaintance.refinance-place.com. (checking ip) ip not found ; acquaintance.refinance-place.com. discarded as fake.
Cannot resolve http://acquaintance.refinance-place.com./p3/ke.php?l4d=77

There is another dot after the .com. The registrar is joker.com and refinance-place.com seems to resolve.

Stupid "dot" trick?

From nttp.sc.s at bigsleep.org Sat Apr 2 08:29:57 2005
From: nttp.sc.s at bigsleep.org (Blammo)
Date: Sat Apr 2 03:30:24 2005
Subject: [SC-Help] Re: Spamcop Webmail Autoresponder
References:
Message-ID:

On 29 Mar 2005 Larry Kilgallen entered spamcop.help and left
news:MXc6ZHpshc0K@eisner.encompasserve.org:

> So let's see...
>
> ...where no spam was involved, but the "From" address happened to be
> wrong, you would create spam.
>
> That does not seem too bright.
>

If you close the account it will generate some bounces anyway. What you want is a "Moved Permanently" error message. I doubt Spamcop will do that, so you'd have to use the old complicated method of actually sending a notice notifying people you've moved.

--
| Ric

From nttp.sc.s.h at bigsleep.org Sat Apr 2 08:50:51 2005
From: nttp.sc.s.h at bigsleep.org (Blammo)
Date: Sat Apr 2 03:55:05 2005
Subject: [SC-Help] Re: Spamcop treats MX differently depending on where it appears in chain
References:
Message-ID:

On 30 Mar 2005 You have no need to know entered spamcop.help and left
news:pan.2005.03.30.22.25.33.270552@fl.net.invalid:

> If the MX is the first receiver it gets marked as the spam source
> rather than the original source.
> (Before someone asks, the ISP has two
> names and all MXs for one are MXs for the other. I have munged one as
> ISP.MX and the other as isp-other-name.mx)
>

Your first mistake is thinking that MX has anything to do with outgoing mail. The sending server needs to send out the actual hostname, it can't use a name whose PTR resolves to a different hostname. If it does, Spamcop has to try to make a bunch of guesses to see if any match turns up. I have an ISP that uses 2 or 3 alternating relays and Spamcop has never got it wrong.

In your first example, why doesn't isp-other-name.mx match 4dmail.co.uk?

Even the spammers are figuring this out.

--
| Ric

From anjahnoaoed at fl.net.invalid Sat Apr 2 23:46:36 2005
From: anjahnoaoed at fl.net.invalid (You have no need to know)
Date: Sat Apr 2 08:50:13 2005
Subject: [SC-Help] Re: Spamcop treats MX differently depending on where it appears in chain
References:
Message-ID:

Abandoning the right to remain silent, Blammo at Sat, 02 Apr 2005 08:50:51 +0000 said:

> On 30 Mar 2005 You have no need to know entered spamcop.help and left
> news:pan.2005.03.30.22.25.33.270552@fl.net.invalid:
>
>> If the MX is the first receiver it gets marked as the spam source
>> rather than the original source. (Before someone asks, the ISP has two
>> names and all MXs for one are MXs for the other. I have munged one as
>> ISP.MX and the other as isp-other-name.mx)
>>
>
> Your first mistake is thinking that MX has anything to do with outgoing
> mail.

At no point did I say the MX was sending mail. It *is* correctly relaying.

The spammer connected to one of the ISP's MXs. The name the MX put in the received line is a valid name for the box.

If you do the forward lookup on that name you get the same IP as one of the MXs.

If you then reverse lookup that address you get the name in the received line. This is not a name that appears in an MX record. (If there were PTR records for each A record this would not happen.)
If this MX is the first receiver SC discards it as fake and wants to report it.

If this MX is *not* the first receiver SC accepts it as valid after comparing its address with those of the MXs and finding it matches.

> The sending server needs to send out the actual hostname, it can't use a
> name whose PTR resolves to a different hostname. If it does, Spamcop has
> to try to make a bunch of guesses to see if any match turns up. I have
> an ISP that uses 2 or 3 alternating relays and Spamcop has never got it
> wrong.
> In your first example, why doesn't isp-other-name.mx match 4dmail.co.uk?

Because isp-other-name.mx is one of the MXs for the other name by which my ISP is known. I said that in one of the comments you snipped. 4dmail.co.uk was the source of that mail.

>
> Even the spammers are figuring this out.

I've gone through the SC mailhost process and got all the combinations of MXs for both ISP names listed, so we'll see whether that solves it completely.

--
Avoid reality at all costs.
$email =~ s/n(.)a(.)n(.)a(.)e(.+)invalid/$1$2$3$4$5au/;
icbm: 33.43.46S 150.59.27E

From nttp.sc.s at bigsleep.org Sat Apr 2 17:43:57 2005
From: nttp.sc.s at bigsleep.org (Blammo)
Date: Sat Apr 2 12:45:04 2005
Subject: [SC-Help] Re: Spamcop treats MX differently depending on where it appears in chain
References:
Message-ID:

On 02 Apr 2005 You have no need to know entered spamcop.help and left
news:pan.2005.04.02.13.46.35.360438@fl.net.invalid:

> The spammer connected to one of the ISP's MXs. The name the MX put in the
> received line is a valid name for the box.
>

You didn't actually supply this line...

Received: from spammer.name (spammer.PTR [spammer.IP]) bla bla by mx.name

This is the line the incoming MX writes, this is the line Spamcop has to find.

> If you do the forward lookup on that name you get the same IP as one of
> the MXs.
>

Uhm, which MX, where?

> If you then reverse lookup that address you get the name in the received
> line.
> This is not a name that appears in an MX record. (If there were PTR
> records for each A record this would not happen.)
>

No, no, no, it don't need to BE a mx record, it needs to HAVE a mx record, whose IP matches. Domains have MX records, IPs don't, that's actually part of a bigger problem.

The problem I see is that the name in the PTR record has no A record. Spamcop can't find any A or MX records for the PTR name. Depending on what they are using for DNS, it may be hard to keep the PTR and A records synched up, so this could be a temporary problem.

>> In your first example, why doesn't isp-other-name.mx match 4dmail.co.uk?
>>
> Because isp-other-name.mx is one of the MXs for the other name by which
> my ISP is known. I said that in one of the comments you snipped.
> 4dmail.co.uk was the source of that mail.

The MX name has nothing to do with it, we only see two things here, the IP and the name the server writes into the header, which doesn't match for some odd reason. Your answer doesn't explain why they don't match. You haven't explained why "by isp-other-name.mx (Postfix)" claims its name is "4dmail.co.uk", that would mean Postfix is not configured properly.

--
| Ric

From nttp.sc.s at bigsleep.org Sat Apr 2 17:56:46 2005
From: nttp.sc.s at bigsleep.org (Blammo)
Date: Sat Apr 2 13:00:02 2005
Subject: [SC-Help] Re: Spamcop treats MX differently depending on where it appears in chain
References:
Message-ID:

On 02 Apr 2005 You have no need to know entered spamcop.help and left
news:pan.2005.04.02.13.46.35.360438@fl.net.invalid:

> The spammer connected to one of the ISP's MXs. The name the MX put in the
> received line is a valid name for the box.
>

Spammers don't need to connect to an MX anyway, so this machine doesn't need to be in an MX record. However if it isn't and it's relaying from outside IPs, then it's insecure.
--
| Ric

From nttp.sc.s at bigsleep.org Sat Apr 2 18:08:37 2005
From: nttp.sc.s at bigsleep.org (Blammo)
Date: Sat Apr 2 13:10:03 2005
Subject: [SC-Help] Re: Spamcop treats MX differently depending on where it appears in chain
References:
Message-ID:

On 02 Apr 2005 Blammo entered spamcop.help and left
news:Xns962C630DEBC09blammo@216.154.195.61:

>>> In your first example, why doesn't isp-other-name.mx match
>>> 4dmail.co.uk?
>>>
>> Because isp-other-name.mx is one of the MXs for the other name by
>> which my ISP is known. I said that in one of the comments you
>> snipped. 4dmail.co.uk was the source of that mail.
>
> The MX name has nothing to do with it, we only see two things here,
> the IP and the name the server writes into the header, which doesn't
> match for some odd reason. Your answer doesn't explain why they don't
> match. You haven't explained why "by isp-other-name.mx (Postfix)"
> claims its name is "4dmail.co.uk", that would mean Postfix is not
> configured properly.
>

Oh, wait, you mean you have the headers reversed? I was thinking you had them reversed, but I don't see why you would want to confuse us like that.

--
| Ric

From anjahnoaoed at fl.net.invalid Sun Apr 3 10:31:43 2005
From: anjahnoaoed at fl.net.invalid (You have no need to know)
Date: Sat Apr 2 18:35:04 2005
Subject: [SC-Help] Re: Spamcop treats MX differently depending on where it appears in chain
References:
Message-ID:

Abandoning the right to remain silent, Blammo at Sat, 02 Apr 2005 18:08:37 +0000 said:

> Oh, wait, you mean you have the headers reversed? I was thinking you had
> them reversed, but I don't see why you would want to confuse us like that.

I think I'll go back to the original question (the one that Mike Easter made sense out of) for me to explain what was going on.

There are two examples. I have deliberately given names in differing letter case for the following reason. SC appears to be doing a case sensitive match on DNS names. This is *not* valid.
When it comes to ASCII encoded names DNS is case insensitive. (Aside: DNS names do *not* have to follow the rules for host names as given in the RFCs. The only rules are that the whole name must not exceed 255 octets, that two dots may not be consecutive, and that no more than 63 non-dot octets can appear between dots. Octets are not constrained to be 0-9, A-Z, a-z, and '_'. This means DNS can handle names in codes other than ASCII.)

=============================================

This is the first received line. Not the one closest to the top of the headers. The one that shows the connect from outside the ISP.

Received: from 4dmail.co.uk (p548FF904.dip.t-dialin.net [84.143.249.4])
    by OTHERNAME.FOR.ISP.MX (Postfix) with ESMTP id 60BB36E;
    Tue, 29 Mar 2005 05:56:46 +1000 (EST)

===

SC's analysis contains these lines relevant to that received line.

1.2.3.4 is not an MX for othername.for.isp.mx
host othername.for.isp.mx (checking ip) ip not found ; othername.for.isp.mx discarded as fake.
cannot find an mx for othername.for.isp.mx
cannot find an mx for isp.mx
....
host OTHERNAME.FOR.ISP.MX (checking ip) ip not found ; OTHERNAME.FOR.ISP.MX discarded as fake.
Chain test:OTHERNAME.FOR.ISP.MX =? 1.2.3.4
1.2.3.4 is not an MX for OTHERNAME.FOR.ISP.MX
host OTHERNAME.FOR.ISP.MX (checking ip) ip not found ; OTHERNAME.FOR.ISP.MX discarded as fake.
cannot find an mx for OTHERNAME.FOR.ISP.MX
cannot find an mx for isp.mx
Chain test failed
....
1.2.3.4 not listed in dnsbl.sorbs.net

===

SC then wants to list 1.2.3.4 as the spam source.

=============================================

These are the first two received lines. Not the ones closest to the top of the headers. The ones that show my ISP's mailhost accepting the mail from smarthost3.tiscali.dk, and the earlier internal handoff within tiscali.
Received: from smarthost3.tiscali.dk (smarthost3.tiscali.dk [62.79.79.29])
    by OTHERNAME.FOR.ISP.MX (Postfix) with ESMTP id 9B56E1E
    for ; Wed, 30 Mar 2005 10:15:40 +1000 (EST)
Received: from cpmail.dk.tiscali.com (mail.tiscali.dk [212.54.64.159])
    by smarthost3.tiscali.dk (8.13.1/8.13.1) with ESMTP id j2U0Bpuw026791;
    Wed, 30 Mar 2005 02:12:05 +0200 (CEST)

===

SC's analysis contains these lines relevant to those received lines.

Received: from smarthost3.tiscali.dk (smarthost3.tiscali.dk [62.79.79.29])
    by OTHERNAME.FOR.ISP.MX (Postfix) with ESMTP id 9B56E1E
    for ; Wed, 30 Mar 2005 10:15:40 +1000 (EST)
....
1.2.3.4 not listed in dnsbl.sorbs.net
Chain test:OTHERNAME.FOR.ISP.MX =? othername.for.isp.mx
host othername.for.isp.mx (checking ip) = 1.2.3.4
1.2.3.4 is an MX for isp.mx
1.2.3.4 is mx
OTHERNAME.FOR.ISP.MX and othername.for.isp.mx have close IP addresses - chain verified

===

SC is happy that OTHERNAME.FOR.ISP.MX is a valid MX for the email and goes on to blame tiscali.

--
Avoid reality at all costs.
$email =~ s/n(.)a(.)n(.)a(.)e(.+)invalid/$1$2$3$4$5au/;
icbm: 33.43.46S 150.59.27E

From ob1db at spamcop.net Sun Apr 3 18:33:52 2005
From: ob1db at spamcop.net (David Butler)
Date: Sun Apr 3 17:35:04 2005
Subject: [SC-Help] Microsoft Abuse Addresses defy SC parsing ??? (Deputies!!)
Message-ID:

Was tracking email to report spammy when I got this useless parse:

Parsing input: acefinanceuk-ltd.com
host acefinanceuk-ltd.com (checking ip) = 65.54.132.254
host 65.54.132.254 = yourpersonaladdress.net (cached)
No recent reports, no history available
Routing details for 65.54.132.254
[refresh/show] Cached whois for 65.54.132.254 : abuse@hotmail.com
Using abuse net on abuse@hotmail.com
abuse net hotmail.com = abuse@hotmail.com
Using best contacts abuse@hotmail.com
Using rdns to route to correct Microsoft department
host 65.54.132.254 = yourpersonaladdress.net (cached)
abuse net yourpersonaladdress.net = postmaster@yourpersonaladdress.net

Cannot find master for:acefinanceuk-ltd.com
No valid email addresses found, sorry!

Thought this was odd since abuse@hotmail.com IS valid AND Opnerbl.org shows the following:

Address: 65.54.132.254 resolved to acefinanceuk-ltd.com
AS: 65.54.128.0/19 AS12076 Hotmail Corporation
Sunnyvale/California Net 65.52-65.55 MICROSOFT-1BLK

--------------------------------------------------------------------------------

NS-Delegation for 65.54.132.*: (*.acefinanceuk-ltd.com)

132.54.65.in-addr.arpa -> ns4.msft.net
132.54.65.in-addr.arpa -> ns5.msft.net
132.54.65.in-addr.arpa -> ns1.msft.net
132.54.65.in-addr.arpa -> ns2.msft.net
132.54.65.in-addr.arpa -> ns3.msft.net

--------------------------------------------------------------------------------

Abuse-Whois msft.net: (132.54.65.in-addr.arpa; 132.54.65.in-addr.arpa; ...)
[Cached]
[whois.abuse.net]
msnhst@microsoft.com (for msft.net)
postmaster@msft.net (for msft.net)

and ALL the abuse info you could ask for:

OrgName: Microsoft Corp
OrgID: MSFT
Address: One Microsoft Way

OrgAbuseHandle: HOTMA-ARIN
OrgAbuseName: Hotmail Abuse
OrgAbusePhone: +1-425-882-8080
OrgAbuseEmail: abuse@hotmail.com

OrgAbuseHandle: MSNAB-ARIN
OrgAbuseName: MSN ABUSE
OrgAbusePhone: +1-425-882-8080
OrgAbuseEmail: abuse@msn.com

OrgAbuseHandle: ABUSE231-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-425-882-8080
OrgAbuseEmail: abuse@microsoft.com

When I try parsing the individual Microsoft sites, I get the same idiotic responses:

Parsing input: hotmail.com
host hotmail.com (checking ip) = 64.4.32.7
host 64.4.32.7 (getting name) = lc1.bay0.hotmail.com.
No recent reports, no history available
Routing details for 64.4.32.7
[refresh/show] Cached whois for 64.4.32.7 : abuse@microsoft.com
Using best contacts abuse@hotmail.com
Using rdns to route to correct Microsoft department
host 64.4.32.7 = lc1.bay0.hotmail.com (cached)
abuse net lc1.bay0.hotmail.com = abuse@hotmail.com

Cannot find master for:hotmail.com
No valid email addresses found, sorry!

Parsing input: msn.com
[report history]
Routing details for 207.68.172.246
[refresh/show] Cached whois for 207.68.172.246 : abuse@hotmail.com
Using abuse net on abuse@hotmail.com
abuse net hotmail.com = abuse@hotmail.com
Using best contacts abuse@hotmail.com
Using rdns to route to correct Microsoft department
host 207.68.172.246 = beta.msn.com (cached)
abuse net beta.msn.com = abuse@msn.com

Cannot find master for:msn.com
No valid email addresses found, sorry!

Parsing input: msft.net
host msft.net (checking ip) ip not found ; msft.net discarded as fake.
No recent reports, no history available

Cannot resolve msft.net

So, NO Microsoft, hotmail or MSN sites get reports ? What gives ? Needs a fix ASAP!
David

From 1k8l3gz02munged at sneakemail.com Sun Apr 3 22:44:35 2005
From: 1k8l3gz02munged at sneakemail.com (na)
Date: Sun Apr 3 17:45:03 2005
Subject: [SC-Help] Re: Microsoft Abuse Addresses defy SC parsing ??? (Deputies!!)
References:
Message-ID:

"David Butler" wrote in news:d2pngn$pds$1@news.spamcop.net:

> Was tracking email to report spammy when I got this useless parse:
>
> Parsing input: acefinanceuk-ltd.com
> host acefinanceuk-ltd.com (checking ip) = 65.54.132.254
> host 65.54.132.254 = yourpersonaladdress.net (cached)
> No recent reports, no history available
> Routing details for 65.54.132.254
> [refresh/show] Cached whois for 65.54.132.254 : abuse@hotmail.com
> Using abuse net on abuse@hotmail.com
> abuse net hotmail.com = abuse@hotmail.com
> Using best contacts abuse@hotmail.com
> Using rdns to route to correct Microsoft department
> host 65.54.132.254 = yourpersonaladdress.net (cached)
> abuse net yourpersonaladdress.net = postmaster@yourpersonaladdress.net
>
> Cannot find master for:acefinanceuk-ltd.com
> No valid email addresses found, sorry!
>
> Thought this was odd since abuse@hotmail.com IS valid AND Opnerbl.org
> shows the following:
>
> Address: 65.54.132.254 resolved to acefinanceuk-ltd.com
> AS: 65.54.128.0/19 AS12076 Hotmail Corporation
> Sunnyvale/California Net 65.52-65.55 MICROSOFT-1BLK
>
>
> -----------------------------------------------------------------------
> ----- ----
>
> NS-Delegation for 65.54.132.*: (*.acefinanceuk-ltd.com)
>
> 132.54.65.in-addr.arpa -> ns4.msft.net
> 132.54.65.in-addr.arpa -> ns5.msft.net
> 132.54.65.in-addr.arpa -> ns1.msft.net
> 132.54.65.in-addr.arpa -> ns2.msft.net
> 132.54.65.in-addr.arpa -> ns3.msft.net
>
>
> -----------------------------------------------------------------------
> ----- ----
>
> Abuse-Whois msft.net: (132.54.65.in-addr.arpa;
> 132.54.65.in-addr.arpa; ...)
> [Cached]
> [whois.abuse.net]
> msnhst@microsoft.com (for msft.net)
> postmaster@msft.net (for msft.net)
>
> and ALL the abuse info you could ask for:
>
> OrgName: Microsoft Corp
> OrgID: MSFT
> Address: One Microsoft Way
>
> OrgAbuseHandle: HOTMA-ARIN
> OrgAbuseName: Hotmail Abuse
> OrgAbusePhone: +1-425-882-8080
> OrgAbuseEmail: abuse@hotmail.com
>
> OrgAbuseHandle: MSNAB-ARIN
> OrgAbuseName: MSN ABUSE
> OrgAbusePhone: +1-425-882-8080
> OrgAbuseEmail: abuse@msn.com
>
> OrgAbuseHandle: ABUSE231-ARIN
> OrgAbuseName: Abuse
> OrgAbusePhone: +1-425-882-8080
> OrgAbuseEmail: abuse@microsoft.com
>
> When I try parsing the individual Microsoft sites, I get the same
> idiotic responses:
>
>
> Parsing input: hotmail.com
> host hotmail.com (checking ip) = 64.4.32.7
> host 64.4.32.7 (getting name) = lc1.bay0.hotmail.com.
> No recent reports, no history available
> Routing details for 64.4.32.7
> [refresh/show] Cached whois for 64.4.32.7 : abuse@microsoft.com
> Using best contacts abuse@hotmail.com
> Using rdns to route to correct Microsoft department
> host 64.4.32.7 = lc1.bay0.hotmail.com (cached)
> abuse net lc1.bay0.hotmail.com = abuse@hotmail.com
>
> Cannot find master for:hotmail.com
> No valid email addresses found, sorry!
>
>
> Parsing input: msn.com
> [report history]
> Routing details for 207.68.172.246
> [refresh/show] Cached whois for 207.68.172.246 : abuse@hotmail.com
> Using abuse net on abuse@hotmail.com
> abuse net hotmail.com = abuse@hotmail.com
> Using best contacts abuse@hotmail.com
> Using rdns to route to correct Microsoft department
> host 207.68.172.246 = beta.msn.com (cached)
> abuse net beta.msn.com = abuse@msn.com
>
> Cannot find master for:msn.com
> No valid email addresses found, sorry!
>
>
> Parsing input: msft.net
> host msft.net (checking ip) ip not found ; msft.net discarded as fake.
> No recent reports, no history available
>
> Cannot resolve msft.net
>
> So, NO Microsoft, hotmail or MSN sites get reports ? What gives ?
> Needs a fix ASAP!
>
> David
>
>

here something someone else posted regarding MSN Personal Address
joel rubin in news.admin.net-abuse.email. I hope this helps

>From time to time, you may need to LART info@elfraudolottery.com which has an MX server of pamx1.hotmail.com or http://www.citibankphishsite.com/ which has a whois technical contact of MSN-PA-TECH@msn.com (Note - MSN Personal Address customers only get a web redirector, NOT hosting space - so be sure to git the REAL website.) IMHO the best similar provider from the point of view of nuke'ing miscreants is Rediffmail Pro.

>Thank you for contacting MSN Personal Address.
>
>This is an auto-generated response designed to help you answer your question as quickly as possible. Please note that you will not receive a reply if you respond directly to this message.
>
>MSN Personal Address is currently in its Beta period. If you are an MSN Personal Address customer and you have a general feedback, please click on “feedback” on the MSN Personal Address web site at: http://domains.msn.com/signup.
>
>If you need help with your MSN Personal Address, complete the MSN Personal Address Customer Support request form at: http://support.msn.com/contactus.aspx?pk=PersonalAddress
>
>You will need to login with your MSN Personal Address Passport to submit a customer support request.
>
>Remember that MSN Personal Address and MSN Hotmail also have comprehensive online help available--just click "Help" in the upper right corner of those Web pages.
>
>If you wish to report an email or domain name abuse, or have a technical question, please contact pdbeta@microsoft.com.
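
[Added example, not part of any post in this archive and not SpamCop's code.] Two DNS-name points come up in the messages above: the extra dot after ".com" in Jim Wasson's report, and the case-sensitive match described in the "treats MX differently" thread. The sketch below compares names as DNS does (one trailing root dot dropped, ASCII case folded, with the length rules quoted in that thread) and shows a constructed chain test failing on a raw string lookup but passing on the normalised name. The function names, the A-record table, the MX set and the sample Received line are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

MAX_NAME_OCTETS = 255   # whole-name limit as quoted in the thread
MAX_LABEL_OCTETS = 63   # per-label limit as quoted in the thread


def dns_labels(name):
    """Return the name as a tuple of case-folded labels, or None if malformed."""
    octets = name.encode("utf-8")
    if octets.endswith(b"."):          # one trailing dot is the root label
        octets = octets[:-1]
    if not octets or len(octets) > MAX_NAME_OCTETS:
        return None                    # empty name (or bare root) / too long
    labels = octets.split(b".")
    if any(not lab or len(lab) > MAX_LABEL_OCTETS for lab in labels):
        return None                    # empty label means two consecutive dots
    # bytes.lower() folds only ASCII A-Z, which is all DNS matching folds.
    return tuple(lab.lower() for lab in labels)


def canonical(name):
    """Canonical text form used as a lookup key, or None if malformed."""
    labels = dns_labels(name)
    return None if labels is None else b".".join(labels).decode("utf-8", "replace")


def same_dns_name(a, b):
    """True when two spellings denote the same DNS name."""
    la, lb = dns_labels(a), dns_labels(b)
    return la is not None and la == lb


def lookup_name_for_url(url):
    """Host to resolve for a URL; a trailing-dot FQDN maps to the plain name."""
    host = urlsplit(url).hostname
    return None if host is None else canonical(host)


RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9.]+)\]\)"
    r"\s+by\s+(?P<by>\S+)"
)


def parse_received(line):
    """Extract HELO name, reverse-DNS name, peer IP and receiving host."""
    m = RECEIVED_RE.search(line)
    return m.groupdict() if m else None


# Constructed data (documentation address ranges, not taken from the thread).
A_RECORDS = {"othername.for.isp.example": "192.0.2.25"}
MX_IPS = {"192.0.2.25"}
SAMPLE_RECEIVED = (
    "Received: from mail.sender.example (mail.sender.example [198.51.100.7]) "
    "by OTHERNAME.FOR.ISP.EXAMPLE (Postfix) with ESMTP id 0000000; "
    "Tue, 29 Mar 2005 05:56:46 +1000 (EST)"
)


def chain_test(received_line, normalise=True):
    """Does the 'by' host resolve to one of the recipient's MX addresses?"""
    hop = parse_received(received_line)
    if hop is None:
        return False
    key = canonical(hop["by"]) if normalise else hop["by"]
    ip = A_RECORDS.get(key)
    return ip is not None and ip in MX_IPS


if __name__ == "__main__":
    # URL as it appears in the first message of this archive; parsed only.
    url = "http://acquaintance.refinance-place.com./p3/ke.php?l4d=77"
    print("resolve as:", lookup_name_for_url(url))
    print("raw lookup passes chain test:", chain_test(SAMPLE_RECEIVED, normalise=False))
    print("normalised lookup passes chain test:", chain_test(SAMPLE_RECEIVED))
```
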
From nttp.sc.s at bigsleep.org Mon Apr 4 01:53:10 2005
From: nttp.sc.s at bigsleep.org (Blammo)
Date: Sun Apr 3 20:55:03 2005
Subject: [SC-Help] Re: Spamcop treats MX differently depending on where it appears in chain
References:
Message-ID:

On 02 Apr 2005 You have no need to know entered spamcop.help and left
news:pan.2005.04.02.23.31.40.126032@fl.net.invalid:

> This is the first received line. Not the one closest to the top of the
> headers. The one that shows the connect from outside the ISP.
>
> Received: from 4dmail.co.uk (p548FF904.dip.t-dialin.net
> [84.143.249.4])
> by OTHERNAME.FOR.ISP.MX (Postfix) with ESMTP id 60BB36E; Tue, 29
> Mar 2005 05:56:46 +1000 (EST)
>
> ===
>
> SC's analysis contains these lines relevant to that received line.
>
> 1.2.3.4 is not an MX for othername.for.isp.mx
> host othername.for.isp.mx (checking ip) ip not found ;
> othername.for.isp.mx discarded as fake. cannot find an mx for
> othername.for.isp.mx cannot find an mx for isp.mx
>

I don't think SC gets to that line, it's the received line above that that fails.

Let's try [84.143.249.4] in that line as an example...

dig -x 84.143.249.4
4.249.143.84.in-addr.arpa. 86400 IN PTR p548FF904.dip.t-dialin.net.

dig a p548FF904.dip.t-dialin.net
p548FF904.dip.t-dialin.net. 86400 IN A 84.143.249.4

dig a P548FF904.DIP.T-DIALIN.NET
P548FF904.DIP.T-DIALIN.NET. 86273 IN A 84.143.249.4

host P548FF904.DIP.T-DIALIN.NET
P548FF904.DIP.T-DIALIN.NET has address 84.143.249.4

It seems "othername.for.isp.mx" does not have an A record, and I don't see that case makes any difference.

dig mx p548FF904.dip.t-dialin.net
no answer

dig mx t-dialin.net
t-dialin.net. 86400 IN MX 10 rx.t-online.de.

dig a rx.t-online.de
rx.t-online.de. 86400 IN A 194.25.134.167

IPs aren't even close
194.25.134.167 is an MX for t-dialin.net
84.143.249.4 is not an MX

Now you know your ISP's MX wrote the line "by OTHERNAME.FOR.ISP.MX", but we don't know how it got that mail because there is no A or MX record for that name, according to what the parser wrote. Otherwise, if Spamcop got this far, it could test [194.25.134.167] against "OTHERNAME.FOR.ISP.MX".

If Spamcop could figure out (reliably) what the recipient's address was, then it could verify against the MX for that. But even then, the MX server can change, and usually does with ISPs. Postfix does write "for email-address" in the Received header, but I don't think Spamcop looks at that.

Note that in your second example, "OTHERNAME.FOR.ISP.MX" has both an A and MX record (apparently). Spamcop should actually be checking to see if [62.79.79.29] is an MX for "OTHERNAME.FOR.ISP.MX". It is possible that the upper case is causing Spamcop to print " - chain verified", otherwise I'm a little lost as to why it's printing all that.

--
| Ric

From MikeE at ster.invalid Sun Apr 3 20:36:41 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Apr 3 22:35:04 2005
Subject: [SC-Help] Re: Spamcop treats MX differently depending on where it appears in chain
References:
Message-ID:

Blammo wrote:

> otherwise I'm a little
> lost as to why it's printing all that.

Whenever he chooses to post a couple of trackers we'll probably be able to figure out what's happening.

--
Mike Easter
kibitzer, not SC admin

From reader at invalid.invalid Tue Apr 5 04:28:43 2005
From: reader at invalid.invalid (Reader)
Date: Tue Apr 5 02:30:03 2005
Subject: [SC-Help] Re: EXPERTS ONLY on www.wwwatches.info
References:
Message-ID:

On Wed, 30 Mar 2005 19:51:26 +0400, Berny wrote:

>
> "Tim P." wrote in message
> news:Xns9628691118E90dwvbo91q4001sneakema@216.154.195.61...
>> The website www.wwwatches.info is getting the parser the incorrect ip (?)
>> Since this is an EXPERTS ONLY question, I need clarification.
>> The report I would like to send is not going to the proper party, or
>> is it?
>>
>> www.wwwatches.info resolves differently for different viewpoints:
>>
>> SNIP
>
> ALL of them and probably more, finding the IP by the same route a few
> minutes later will resolve differently again.

At this time I see www.wwwatches.info (66.98.145.18) has a redirect to http://www.watchwatches.info/wwwatches

* About to connect() to www.wwwatches.info port 80
* Trying 66.98.145.18... * connected
* Connected to www.wwwatches.info (66.98.145.18) port 80
> GET / HTTP/1.1
User-Agent: curl/7.12.1 (i586-mandrake-linux-gnu) libcurl/7.12.1 OpenSSL/0.9.7d zlib/1.2.1.1 libidn/0.5.4
Host: www.wwwatches.info
Pragma: no-cache
Accept: */*

< HTTP/1.1 302 Moved Temporarily
< Location: http://www.watchwatches.info/wwwatches
< Connection: close
< Date: Tue, 05 Apr 2005 06:12:03 GMT
< Server: Directi Server 1.1
* Closing connection #0

http://www.watchwatches.info/wwwatches has a 301 Moved Permanently to http://www.watchwatches.info/wwwatches/ where the spammed site lives (Same host - Apache can be pedantic about trailing slashes).

* About to connect() to www.watchwatches.info port 80
* Trying 64.40.101.63... * connected
* Connected to www.watchwatches.info (64.40.101.63) port 80
> GET /wwwatches HTTP/1.1
User-Agent: curl/7.12.1 (i586-mandrake-linux-gnu) libcurl/7.12.1 OpenSSL/0.9.7d zlib/1.2.1.1 libidn/0.5.4
Host: www.watchwatches.info
Pragma: no-cache
Accept: */*

< HTTP/1.1 301 Moved Permanently
< Date: Tue, 05 Apr 2005 06:09:45 GMT
< Server: Apache/2.0.40 (Red Hat Linux)
< Location: http://www.watchwatches.info/wwwatches/
< Content-Length: 327
< Connection: close
< Content-Type: text/html; charset=iso-8859-1

301 Moved Permanently

Moved Permanently

The document has moved here.


Apache/2.0.40 Server at www.watchwatches.info Port 80
* Closing connection #0

From reportspam at contact.net.nz Wed Apr 6 10:46:26 2005
From: reportspam at contact.net.nz (Aaron)
Date: Tue Apr 5 17:45:03 2005
Subject: [SC-Help] Gateway Timeout's
Message-ID:

Anybody else getting lots of Gateway Timeout errors when trying to report Spam?

Gateway Timeout
The proxy server did not receive a timely response from the upstream server.

Aaron

From lart-o-matic at revbeergoggles.com Wed Apr 6 20:05:32 2005
From: lart-o-matic at revbeergoggles.com (Rev Beergoggles)
Date: Wed Apr 6 20:10:33 2005
Subject: [SC-Help] sc missing a url.
Message-ID:

Probably because it's not formatted to be a link, the spammer thinks you will copy-n-paste to follow the scam.

---------------

IMPORTANT! URGENT!



Dear client,

In order for us to complete your requested action we need you to do the following:

1. Please copy and paste the link below into your web browser to complete your online bill payment.

againgotread.com/?affiliate=psd26


2. Fill out the form so we can pass it along to our customer service department for approval.

Warmest Reguards,
Jenny

From hercules at invaliddomain.com Thu Apr 7 18:51:42 2005
From: hercules at invaliddomain.com (hercules)
Date: Thu Apr 7 19:55:02 2005
Subject: [SC-Help] Thunderbird and base 64 spam
Message-ID:

I've just encountered a new form of spam with embedded base 64 coding, nothing new here you'd think.

When viewed in Thunderbird it comes across as plain text, when you attempt to view the source of the message using control 'u' it comes across as a base 64 file with headers visible, nothing else, no html viewable or similar.

Me thinks the spammers have found a bug in Thunderbird's display parser.

I'll be returning to an ascii only email program ASAP...

From not at home.today Fri Apr 8 02:39:47 2005
From: not at home.today (Ant)
Date: Thu Apr 7 20:45:07 2005
Subject: [SC-Help] Re: Thunderbird and base 64 spam
References:
Message-ID:

"hercules" wrote:

> I've just encountered a new form of spam with embedded base 64 coding, nothing
> new here you'd think.

Nope.

> When viewed in Thunderbird it comes across as plain text, when you attempt to
> view the source of the message using control 'u' it comes across as a base 64
> file with headers visible, nothing else, no html viewable or similar.

That's because it *is* plain text (not html) encoded in base 64.

> Me thinks the spammers have found a bug in Thunderbird's display parser.

Why? Tbird is decoding the b64 to plain text. When you view the source you see the undecoded b64.

> I'll be returning to an ascii only email program ASAP...

Base 64 *is* ascii, and that's what you'd see if the prog didn't decode it.

From hercules at invaliddomain.com Thu Apr 7 21:45:42 2005
From: hercules at invaliddomain.com (hercules)
Date: Thu Apr 7 22:45:04 2005
Subject: [SC-Help] Re: Thunderbird and base 64 spam
In-Reply-To:
References:
Message-ID:

Hmm, I must correct this... I don't think I've explained this well enough.

It would be better for thunderbird to export the base64 decoded text with the embedded email addresses.
It would make it easier to report the spam back... 1. Thunderbird decodes the base64 7bit ascii data and displays it as a regular text message while viewing it in the message pane. 2. When you hit the control U to view the source, Thunderbird will not allow the user to view the text or message portion of the source. The message portion of the source data is base64 and hides the text portion of the spam message. 3. Normally base64 is for binary data. Thunderbird is being used to hide the text portion of the data, in this case the text body of email and embedded email addresses. Ant wrote: > Base 64 *is* ascii, and that's what you'd see if the prog didn't > decode it. > > From nttp.sc.s at bigsleep.org Fri Apr 8 05:16:10 2005 From: nttp.sc.s at bigsleep.org (Blammo) Date: Fri Apr 8 00:20:03 2005 Subject: [SC-Help] Re: Thunderbird and base 64 spam References: Message-ID: On 07 Apr 2005 hercules entered spamcop.help and left news:d34r6p$m10$1@news.spamcop.net: > Hmm, I must correct this... I don't think I've explained this well > enough. > Explaining it any different isn't going to change the answer, which Ant correctly gave you. -- | Ric From SCNews.5.myspamgobbler at spamgourmet.com Thu Apr 7 22:35:44 2005 From: SCNews.5.myspamgobbler at spamgourmet.com (Brian (SnSR)) Date: Fri Apr 8 00:40:03 2005 Subject: [SC-Help] Re: Thunderbird and base 64 spam In-Reply-To: References: Message-ID: hercules wrote: > Hmm, I must correct this... I don't think I've explained this well enough. > > It would be better for thunderbird to export the base64 decoded text > with the embedded email addresses. > It would make it easier to report the spam back... > > 1. Thunderbird decodes the base64 7bit ascii data and displays it as a > regular text message while viewing it in the message pane. That's so we don't have to manually decode the base64 :) > 2. When you hit the control U to view the source, Thunderbird will not > allow the user to view the text or message portion of the source. 
> The message portion of the source data is base64 and hides the text portion
> of the spam message.

That's because it's showing you the source, which may be base64.

> 3. Normally base64 is for binary data. Thunderbird is being used to
> hide the text portion of the data, in this case the text body of email
> and embedded email addresses.
>

Thunderbird isn't being 'used' to hide anything. It's performing its functions properly.

I just realized what you might be trying to say. It probably has to do with a certain porn spammer that encodes email addresses in the links. I've started including the following message in my LARTs so the redirection of the links can be followed without reporting my email address back to the server.

The links include my encoded email address, which is reported back to the serverlogs at dns-forward.com - I've seen them. Please use the encoder at http://howardk.moonfall.com/encemail.html for encoding your own address and substituting it for mine if you need to follow the link. Encoding a tagged email address into this link will help you to see more of the domains used by this spam gang ;)

From usenet2 at DE.LETE.THISljvideo.com Sat Apr 9 08:43:15 2005
From: usenet2 at DE.LETE.THISljvideo.com (Larry J.)
Date: Sat Apr 9 03:45:17 2005
Subject: [SC-Help] Help with login
Message-ID:

With MSIE browser, I can get logged in to my free account.

With Firefox, I can't. I'm not sure when/why this started with Firefox, but it worked before.

Also, attempting to change my email address on Spamcop's preferences page - the confirmation email never gets sent to the address I enter.

Thanks..!

--
Larry J. - Remove spamtrap in ALLCAPS to e-mail
The United States is the greatest country in the world..! Twenty-five million illegal aliens can't be wrong.

From joes at acme.inc Mon Apr 11 00:16:50 2005
From: joes at acme.inc (Joe Schmoe)
Date: Sun Apr 10 23:20:04 2005
Subject: [SC-Help] Reporting problem???
Message-ID:

Ok I just got this on a report.
Doesn't make sense. If it's 0 hours old shouldn't the report be sent?

--- Edited text ---
Yum, this spam is fresh!
Message is 0 hours old
...
Reports regarding this spam have already been sent:
...
If reported today, reports would be sent to:
----

http://www.spamcop.net/sc?id=z751096979za7b708b787835df34c734e4f174236c8z

From MikeE at ster.invalid Sun Apr 10 22:15:00 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Apr 11 00:15:02 2005
Subject: [SC-Help] Re: Reporting problem???
References:
Message-ID:

Joe Schmoe wrote:

Joe Schmoe?

> Ok I just got this on a report. Doesn't make sense. If it's 0 hours
> old shouldn't the report be sent?

Something went wrong with what you saw.

> http://www.spamcop.net/sc?id=z751096979za7b708b787835df34c734e4f174236c8z

The tracker is telling me that reports were sent about the source and about the open relay, but not the spamvertising; ie if reported today [report addresses snipped for brevity]:

If reported today, reports would be sent to:
Re: 209.226.175.84 (Administrator of network with open relays)
Re: 209.226.175.84 (Automated open-relay testing system(s))
Re: 211.176.169.140 (Administrator of network where email originates)
Re: 211.176.169.140 (Third party interested in email source)
Re: http://fgttjm11110.dkajb.pcsa.cjyd.aa98347.us/n... (Administrator of network hosting website referenced in spam)
Re: http://nuas11208.owbgf.mtcnr.lava.aa98347.us (Administrator of network hosting website referenced in spam)

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Tue Apr 12 08:21:45 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Apr 12 10:20:05 2005
Subject: [SC-Help] Re: Spamvertised websites not being reported
References:
Message-ID:

Crossposted to .help - f/ups to .help

John Richards wrote:
> I have noticed lately that when I submit a spam to SpamCop it
> finds spamvertised URLs, but makes no attempt to find their host,
> or to report those hosts.
> Here is a recent example:
> www.spamcop.net/sc?id=z751591717zfa06fc1f8af24f8dc5f353a1671eae51z

What does 'host' mean in this context?

If reported today, reports would be sent to:
Re: http://pharmacy.hgarcaj.ws/?2q4w4a3rg7feomyhdfjkgh (Administrator of network hosting website referenced in spam)
postmaster@tautel.ru
abuse@tautel.ru
Re: http://pharmacy.hgarcaj.ws/fjkghfdjk?yk.ku4tla1... (Administrator of network hosting website referenced in spam)
postmaster@tautel.ru
abuse@tautel.ru

Those addresses are derived from DNS pharmacy.hgarcaj.ws
Resolves to 82.114.48.64
whois -h whois.ripe.net 82.114.48.64 ...
inetnum: 82.114.48.0 - 82.114.48.255
descr: Taurus Telecom interconnect block #48
SPAM issues: abuse@tautel.ru

whois -h whois.abuse.net tautel.ru ...
abuse@tautel.ru postmaster@tautel.ru (for tautel.ru)

If the nameservice is pokey, then SC can't do the DNS and so it can't go to ripe, so you might've seen something different.

Unless you are talking about something else, like looking up the domain registration of hgarcaj.ws

Domainname registration contact is not SC's 'bag'. SC notifies the RIR netblock contact.

--
Mike Easter
kibitzer, not SC admin

From jr70 at blackhole.invalid Tue Apr 12 08:44:09 2005
From: jr70 at blackhole.invalid (John Richards)
Date: Tue Apr 12 10:45:03 2005
Subject: [SC-Help] Re: Spamvertised websites not being reported
References:
Message-ID:

"Mike Easter" wrote in message news:d3glef$rc1$1@news.spamcop.net...
> Crossposted to .help - f/ups to .help
>
> John Richards wrote:
>> I have noticed lately that when I submit a spam to SpamCop it
>> finds spamvertised URLs, but makes no attempt to find their host,
>> or to report those hosts. Here is a recent example:
>>
> www.spamcop.net/sc?id=z751591717zfa06fc1f8af24f8dc5f353a1671eae51z
>
> What does 'host' mean in this context?
>
> If reported today, reports would be sent to:
> Re: http://pharmacy.hgarcaj.ws/?2q4w4a3rg7feomyhdfjkgh (Administrator of
> network hosting website referenced in spam)
> postmaster@tautel.ru
> abuse@tautel.ru
> Re: http://pharmacy.hgarcaj.ws/fjkghfdjk?yk.ku4tla1... (Administrator of
> network hosting website referenced in spam)
> postmaster@tautel.ru
> abuse@tautel.ru
>
> Those addresses are derived from DNS pharmacy.hgarcaj.ws
> Resolves to 82.114.48.64
> whois -h whois.ripe.net 82.114.48.64 ...
> inetnum: 82.114.48.0 - 82.114.48.255
> descr: Taurus Telecom interconnect block #48
> SPAM issues: abuse@tautel.ru
>
> whois -h whois.abuse.net tautel.ru ...
> abuse@tautel.ru postmaster@tautel.ru (for tautel.ru)
>
> If the nameservice is pokey, then SC can't do the DNS and so it can't go
> to ripe, so you might've seen something different.

Yeah, I saw something different (i.e. analysis failure), which is why I included the spamcop URL which documents what I saw.

If there is a problem with pokey nameservice, why doesn't spamcop's analysis say so, instead of leaving us in the blind. I don't recall this problem happening prior to a few months ago. Now it happens frequently. Something has changed.

--
Gary VanderMolen

From MikeE at ster.invalid Tue Apr 12 09:23:10 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Apr 12 11:25:06 2005
Subject: [SC-Help] Re: Spamvertised websites not being reported
References:
Message-ID:

John Richards wrote:
> "Mike Easter"

>> www.spamcop.net/sc?id=z751591717zfa06fc1f8af24f8dc5f353a1671eae51z

>> If the nameservice is pokey, then SC can't do the DNS and so it
>> can't go to ripe, so you might've seen something different.

> Yeah, I saw something different (i.e. analysis failure), which is why
> I included the spamcop URL which documents what I saw.
Actually the tracker 'stores' the original spamitem, and then it reparses the item when/each time/ the tracker is accessed; so if the result of a resolution or a lookup changes from one time to the next, one person can see something different from another. Which is why I pasted in the result of what I saw.

> If there is a problem with pokey nameservice, why doesn't spamcop's
> analysis say so, instead of leaving us in the blind.

All SC knows is that the hostname doesn't resolve [in a reasonable time for the SC nameserver]; it doesn't know if the nameservice is pokey or non-existent/dead, and it assumes non-existent. If you want an analysis of the quality or speed or defects of the nameservice, you have to research the target more than SC is going to do.

What SC sez when it doesn't have time to fool with an item already reported is:

Resolving link obfuscation
http://pharmacy.hgarcaj.ws/fjkghfdjk?yk.ku4tla1z8imsfklgjfg
http://pharmacy.hgarcaj.ws/?2q4w4a3rg7feomyhdfjkgh
Reports regarding this spam have already been sent:
Re: 220.117.34.234 (Administrator of network where email originates)
Reportid: 1400903853 To: abuse@kornet.net
Re: Forwarded Spam (User defined recipient)
Reportid: 1400903856 To: spam@uce.gov
Re: 220.117.34.234 (Third party interested in email source)
Reportid: 1400903855 To: spamcop@imaphost.com
If reported today, reports would be sent to:
Re: 220.117.34.234 (Administrator of network where email originates)
abuse@kornet.net
Re: 220.117.34.234 (Third party interested in email source)
spamcop@imaphost.com

... which indicates that it didn't report the spamvertised sites and that it didn't resolve the hostname that time when I accessed the tracker.
What you see during the parse, before the report, when it can't resolve in a timely fashion is:

Finding links in message body
Recurse multipart:
Parsing text part
Parsing HTML part
Resolving link obfuscation
http://pharmacy.hgarcaj.ws/fjkghfdjk?yk.ku4tla1z8imsfklgjfg
http://pharmacy.hgarcaj.ws/?2q4w4a3rg7feomyhdfjkgh
Please make sure this email IS spam:

or, sometimes it will say that it can't resolve the item. I don't know if the language of the verbose has changed lately.

> I don't recall this
> problem happening prior to a few months ago. Now it happens
> frequently.
> Something has changed.

Maybe it is bailing on some items sooner, right after it finds them and sez "Resolving link obfuscation".

If it is 'behind' and has its priorities assigned to not be waiting very long for spamvertiser resolution.

My opinion is that SC prioritizes source naming above spamvertiser notification; since its spamvertiser notification has no teeth and its SCbl is an important function.

--
Mike Easter
kibitzer, not SC admin

From nttp.sc.sh at bigsleep.org Wed Apr 13 08:07:42 2005
From: nttp.sc.sh at bigsleep.org (Blammo)
Date: Wed Apr 13 03:10:28 2005
Subject: [SC-Help] Re: Spamvertised websites not being reported
References:
Message-ID:

On 12 Apr 2005 Mike Easter entered spamcop.help and left news:d3gp1k$tg2$1@news.spamcop.net:

> Maybe it is bailing on some items sooner, right after it finds them and
> sez "Resolving link obfuscation".
>
> If it is 'behind' and has its priorities assigned to not be waiting very
> long for spamvertiser resolution.
>
> My opinion is that SC prioritizes source naming above spamvertiser
> notification; since its spamvertiser notification has no teeth and its
> SCbl is an important function.
>

I think you may be right about that, but I wish it would say something. If one notices this, they are puzzled; if there were an error message, more people may notice and be frustrated. I'm not sure which is worse.
--
| Ric |

From bar_n0ne at hotmail.com Wed Apr 13 12:36:31 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Wed Apr 13 03:40:04 2005
Subject: [SC-Help] Re: Spamvertised websites not being reported
References:
Message-ID:

"Blammo" wrote in message news:Xns963715D2DC69blammo@216.154.195.61...
> On 12 Apr 2005 Mike Easter entered spamcop.help and left
> news:d3gp1k$tg2$1@news.spamcop.net:
>
>SNIP
> > My opinion is that SC prioritizes source naming above spamvertiser
> > notification; since its spamvertiser notification has no teeth and its
> > SCbl is an important function.
> >
>
> I think you may be right about that, but I wish it would say something.
> If one notices this, they are puzzled; if there were an error message, more
> people may notice and be frustrated. I'm not sure which is worse.

I'm not so sure that spamvertizer notification has no teeth, given the lengths to which obfuscation, query blocking/delays, revolving servers etc. are carried out.

In terms of SC's goal of blocking sources, spamvertizers are meaningless. However, getting a site named in the stats window, and in some cases a LART sent to the hoster seems to worry the spammers a great deal.

Various block lists harvest names from the stats window, and these are used in various ways. Some ISPs/corporations simply block the relevant IP or domain at the router, or with a wider netblock block such as a /24. SpamAssassin/Sendmail apparently in one of their modes of operation can check and reject if these links or any particular text are in a mail. So the presence of that particular string of characters in the stats window is worthwhile and annoying to spammers.

Anything that annoys a spammer is a worthy activity.
From ob1db at spamcop.net Thu Apr 14 00:31:22 2005
From: ob1db at spamcop.net (David Butler)
Date: Wed Apr 13 23:35:32 2005
Subject: [SC-Help] Starnge href html in recent spam
Message-ID:

Many unresolvable href entries in spam lately, in form like this below:

href=3D"cid:filelist.xml@01C54028.F8304670

Just sloppy coding or some new trick ??

David

From lart-o-matic at revbeergoggles.com Thu Apr 14 07:20:49 2005
From: lart-o-matic at revbeergoggles.com (Rev Beergoggles)
Date: Thu Apr 14 07:25:03 2005
Subject: [SC-Help] Re: Starnge href html in recent spam
References:
Message-ID:

David Butler did pass the time by typing:
> Many unresolvable href entries in spam lately, in form like this below:
>
> href=3D"cid:filelist.xml@01C54028.F8304670

cid = content id

> Just sloppy coding or some new trick ??

Scroll further down that spam and you will see something base 64 encoded that probably looks like the following snippet.

....
Content-Transfer-Encoding: base64
Content-ID: filelist.xml@01C54028.F8304670
....

That's just an internal reference, spammy uses that for graphics and html in an attempt to hide.

I use this handy tool to decode base 64
http://www.opinionatedgeek.com/dotnet/tools/Base64Decode/

--
rbg

From ob1db at spamcop.net Thu Apr 14 10:31:54 2005
From: ob1db at spamcop.net (David Butler)
Date: Thu Apr 14 09:35:04 2005
Subject: [SC-Help] Re: Starnge href html in recent spam
References:
Message-ID:

"Rev Beergoggles" wrote in message news:d3ljme$j74$1@news.spamcop.net...
> David Butler did pass the time by typing:
> > Many unresolvable href entries in spam lately, in form like this below:
> >
> > href=3D"cid:filelist.xml@01C54028.F8304670
>
> cid = content id
>
> > Just sloppy coding or some new trick ??
>
> Scroll further down that spam and you will see something
> base 64 encoded that probably looks like the following
> snippet.
>
> ....
> Content-Transfer-Encoding: base64
> Content-ID: filelist.xml@01C54028.F8304670
> ....
>
> That's just an internal reference, spammy uses that for graphics and
> html in an attempt to hide.

Thanks

What does it accomplish ? The links don't work that I can tell.

David

From ob1db at spamcop.net Fri Apr 15 11:07:06 2005
From: ob1db at spamcop.net (David Butler)
Date: Fri Apr 15 10:10:07 2005
Subject: [SC-Help] Paypal/Ebay reporting error (deputies?)
Message-ID:

After months of correctly parsing Paypal spam to its own reporting email addresses, the Spamcop engine is suddenly parsing it back to the Ebay parent:

Re: http://www.paypal.com/ (Administrator of network hosting website referenced in spam)
To: spoof#ebay.com@devnull.spamcop.net (Notes)
To: spam@ebay.com (Notes)
To: postmaster@ebay.com (Notes)

Note that SPOOF email, the phishing email address, no longer accepts Spamcop reports.

Looking on Openrbl.org, I see the addresses formerly used by SC are still the same:

Abuse-Whois paypal.com: (paypal.com; paypal.com; paypal.com; paypal.com; paypal.com)
[Cached]
[whois.abuse.net]
accessviolation@paypal.com (for paypal.com)
postmaster@paypal.com (for paypal.com)
spoof@paypal.com (for paypal.com)

SC is parsing this as :

Parsing input: paypal.com
host paypal.com (checking ip) = 216.113.188.64
host 216.113.188.64 = www.paypal.com (cached)
No recent reports, no history available
Routing details for 216.113.188.64
[refresh/show] Cached whois for 216.113.188.64 : network@ebay.com
Using abuse net on network@ebay.com
abuse net ebay.com = spam@ebay.com, postmaster@ebay.com, spoof@ebay.com
Using best contacts spam@ebay.com postmaster@ebay.com spoof@ebay.com
spoof@ebay.com refuses SpamCop reports
Using spoof#ebay.com@devnull.spamcop.net for statistical tracking.

But the openrbl.org analysis shows this still as Paypal:

Address: 216.113.188.64 resolved to paypal.com AS: [NO_ROUTE] Net 216/8 IANA-NETBLOCK-216 ?

Given that Ebay is less responsive, shouldn't this report to Paypal ??
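The two points made in the Thunderbird and cid: threads above (a base64 body only becomes readable after decoding, and a `cid:` href points at a part inside the same message, not at a host to resolve), as an added Python sketch that is not from any poster or from SpamCop. The sample message, the `.invalid` hostnames and the function names are constructed for illustration.

```python
"""What the mail client renders vs. what 'view source' shows, for one message."""
import base64
import quopri
import re
from email import message_from_string
from urllib.parse import unquote

# Constructed sample content; hostnames under .invalid are made up.
_TEXT = "Cheap loans: http://shop.example.invalid/?id=42\n"
_HTML = ('<html><body><a href="cid:filelist.xml@01C54028.F8304670">list</a> '
         '<a href="http://shop.example.invalid/?id=42">buy</a></body></html>\n')
_XML = '<xml><o:File HRef="http://img.example.invalid/a.gif"/></xml>\n'


def build_sample() -> str:
    """Raw source as Ctrl+U would show it: base64 and quoted-printable bodies."""
    def b64(s: str) -> str:
        return base64.encodebytes(s.encode()).decode().rstrip("\n")
    qp_html = quopri.encodestring(_HTML.encode()).decode().rstrip("\n")
    return "\n".join([
        "From: sender@example.invalid",
        "Subject: constructed sample",
        "MIME-Version: 1.0",
        'Content-Type: multipart/related; boundary="b1"',
        "",
        "--b1",
        "Content-Type: text/plain; charset=us-ascii",
        "Content-Transfer-Encoding: base64",
        "",
        b64(_TEXT),
        "--b1",
        # Bogus charset on purpose: spam often lies about it.
        "Content-Type: text/html; charset=x-made-up",
        "Content-Transfer-Encoding: quoted-printable",
        "",
        qp_html,
        "--b1",
        "Content-Type: text/xml",
        "Content-Transfer-Encoding: base64",
        # Real headers carry angle brackets; the archive above stripped them.
        "Content-ID: <filelist.xml@01C54028.F8304670>",
        "",
        b64(_XML),
        "--b1--",
        "",
    ])


SAMPLE = build_sample()
LINK_RE = re.compile(r"""\b(cid:[^\s"'<>]+|https?://[^\s"'<>]+)""", re.I)


def decoded_parts(raw: str):
    """Return [(content_type, content_id, text)] for each leaf part, with the
    Content-Transfer-Encoding (base64 or quoted-printable) undone."""
    out = []
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        charset = part.get_content_charset() or "us-ascii"
        try:
            text = payload.decode(charset, errors="replace")
        except LookupError:  # unknown charset name: fall back, never crash
            text = payload.decode("latin-1")
        cid = (part.get("Content-ID") or "").strip().strip("<>")
        out.append((part.get_content_type(), cid, text))
    return out


def classify_links(raw: str):
    """Split links found in the decoded parts into
    internal: {content-id: type of the part it names, or None if dangling}
    external: ordered, de-duplicated http(s) URLs (the ones worth resolving)."""
    parts = decoded_parts(raw)
    by_cid = {cid: ctype for ctype, cid, _ in parts if cid}
    internal, external = {}, []
    for _, _, text in parts:
        for link in LINK_RE.findall(text):
            if link.lower().startswith("cid:"):
                target = unquote(link[4:])  # cid: URLs may be percent-encoded
                internal[target] = by_cid.get(target)
            elif link not in external:
                external.append(link)
    return internal, external


if __name__ == "__main__":
    print(SAMPLE)  # the undecoded source view
    for ctype, cid, text in decoded_parts(SAMPLE):
        print(f"--- {ctype} {cid or '(no Content-ID)'}\n{text}")
    print(classify_links(SAMPLE))
```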
From dkona7b02 at sneakemail.com Fri Apr 15 11:31:46 2005
From: dkona7b02 at sneakemail.com (Spam Hater)
Date: Fri Apr 15 10:32:20 2005
Subject: [SC-Help] Paypal/Ebay reporting error (deputies?)
In-Reply-To:
Message-ID: <3.0.5.32.20050415103146.00ffbd78@loki.fstrf.org>

Ummmm, eBay *owns* PayPal!! The LART targets seem appropriate to me. What doesn't seem appropriate is the LART itself. What was the context in which the PayPal URL was included in the SPAM? Are you trying to notify PayPal about a phishing attempt or are you claiming that they are SPAMvertising their website??? I don't think SpamCop is the right tool for phishing LARTs... I send those separately and uncheck the URL reporting for them.

At 10:07 AM 4/15/2005 -0400, David Butler typed:

>After months of correctly parsing Paypal spam to its own reporting email
>addresses, the Spamcop engine is suddenly parsing it back to the Ebay
>parent:
>
>Re: http://www.paypal.com/ (Administrator of network hosting website
>referenced in spam)
>To: spoof#ebay.com@devnull.spamcop.net (Notes)
>To: spam@ebay.com (Notes)
>To: postmaster@ebay.com (Notes)
>
>Note that SPOOF email, the phishing email address, no longer accepts Spamcop
>reports.
>
>Looking on Openrbl.org, I see the addresses formerly used by SC are still
>the same:
>
>Abuse-Whois paypal.com: (paypal.com; paypal.com; paypal.com; paypal.com;
>paypal.com)
>[Cached]
>[whois.abuse.net]
>accessviolation@paypal.com (for paypal.com)
>postmaster@paypal.com (for paypal.com)
>spoof@paypal.com (for paypal.com)
>SC is parsing this as :Parsing input: paypal.comhost paypal.com (checking
>ip) = 216.113.188.64host 216.113.188.64 = www.paypal.com (cached)No recent
>reports, no history availableRouting details for
>216.113.188.64[refresh/show] Cached whois for 216.113.188.64 :
>network@ebay.comUsing abuse net on network@ebay.comabuse net ebay.com =
>spam@ebay.com, postmaster@ebay.com, spoof@ebay.comUsing best contacts
>spam@ebay.com postmaster@ebay.com spoof@ebay.comspoof@ebay.com refuses
>SpamCop reportsUsing spoof#ebay.com@devnull.spamcop.net for statistical
>tracking.But the openrbl.org analysis shows this still as Paypal: Address:
>216.113.188.64 resolved to paypal.com AS: [NO_ROUTE] Net 216/8
>IANA-NETBLOCK-216 ?Given that Ebay is less responsive, shouldn't this report
>to Paypal ??

From h9vzc2i02 at sneakemail.com Sat Apr 16 15:44:09 2005
From: h9vzc2i02 at sneakemail.com (Anon_)
Date: Sat Apr 16 17:45:04 2005
Subject: [SC-Help] deputies - size of submission
Message-ID:

For the last few weeks I have been receiving many spams that are near 150kb in size.

The first few, I put in wordpad and chopped the base64 down to a reasonable size but this is too much effort when most of the spam I receive are over your 100kb limit.

Would it be possible to increase SC's submittal limit to 150 kb (or even 200 kb) because the spammers have now found ANOTHER way to prevent SC from aiding in the reports.

These, I feel (since I did not decode the base64 or render them in OE) that this is just more 'padding', the only purpose is to thwart SC.
Barring this, does anyone have an automated way of: pasting in wp truncating the spam and saving to a text file and attaching THAT to the SC e-mail?

From nobody at devnull.spamcop.net Sat Apr 16 20:47:31 2005
From: nobody at devnull.spamcop.net (Pop)
Date: Sat Apr 16 19:50:05 2005
Subject: [SC-Help] Re: deputies - size of submission
References:
Message-ID:

"Anon_" wrote in message news:d3s0pp$rbf$1@news.spamcop.net...
> For the last few weeks I have been receiving many spams that are near
> 150kb
> in size.
>
> The first few, I put in wordpad and chopped the base64 down to a
> reasonable
> size but this is too much effort when most of the spam I receive are over
> your 100kb limit.
>
> Would it be possible to increase SC's submittal limit to 150 kb (or even
> 200
> kb) because the spammers have now found ANOTHER way to prevent SC from
> aiding
> in the reports.
>
> These, I feel (since I did not decode the base64 or render them in OE)
> that
> this is just more 'padding', the only purpose is to thwart SC.
>
> Barring this, does anyone have an automated way of: pasting in wp
> truncating
> the spam and saving to a text file and attaching THAT to the SC e-mail?
>
>

It "used to be" that SC truncated it for you and then asked if it was OK with you. Have they stopped doing that? Might be worth checking on? If it's gone, maybe it could be put back; SC could just stop receiving the slime at their "limit" and let the rest of it puke into the ether?

Just my 2 c.
Pop

From h9vzc2i02 at sneakemail.com Sat Apr 16 18:18:54 2005
From: h9vzc2i02 at sneakemail.com (Anon_)
Date: Sat Apr 16 20:20:03 2005
Subject: [SC-Help] Re: deputies - size of submission
References:
Message-ID:

"Pop" wrote in message news:d3s86a$uvl$1@news.spamcop.net...
> "Anon_" wrote in message
> news:d3s0pp$rbf$1@news.spamcop.net...
> > For the last few weeks I have been receiving many spams that are near
> > 150kb
> > in size.
> >
> > The first few, I put in wordpad and chopped the base64 down to a
> > reasonable
> > size but this is too much effort when most of the spam I receive are over
> > your 100kb limit.
> >
> > Would it be possible to increase SC's submittal limit to 150 kb (or even
> > 200
> > kb) because the spammers have now found ANOTHER way to prevent SC from
> > aiding
> > in the reports.
> >
> > These, I feel (since I did not decode the base64 or render them in OE)
> > that
> > this is just more 'padding', the only purpose is to thwart SC.
> >
> > Barring this, does anyone have an automated way of: pasting in wp
> > truncating
> > the spam and saving to a text file and attaching THAT to the SC e-mail?
> >
> >
> It "used to be" that SC truncated it for you and then asked if it was OK
> with you. Have they stopped doing that? Might be worth checking on?

***
If the total size of the submittal is over 100kb, SC just bitbuckets the mail - no response of any kind.
--
A SpamCop user and forum reader, Not Admin
***

> If it's gone, maybe it could be put back; SC could just stop receiving the
> slime at their "limit" and let the rest of it puke into the ether?
>
> Just my 2 c.
> Pop
>
>

From nobody at devnull.spamcop.net Sat Apr 16 21:57:07 2005
From: nobody at devnull.spamcop.net (Glenn Daniels)
Date: Sat Apr 16 21:00:04 2005
Subject: [SC-Help] Re: deputies - size of submission
References:
Message-ID:

"Pop" wrote in message
> "Anon_" wrote in message
> > For the last few weeks I have been receiving many spams that are near 150kb in size.

... snippage ...

> It "used to be" that SC truncated it for you and then asked if it was OK
> with you. Have they stopped doing that? Might be worth checking on? If
> it's gone, maybe it could be put back; SC could just stop receiving the
> slime at their "limit" and let the rest of it puke into the ether?
>
> Just my 2 c.
> Pop

Is OK for items that may be safely truncated from the bottom up.
But is seriously wanting for really large item as SC truncates a nibble and then another until the item passes the threshold: many iterations required to whittle 150Kb to 50Kb bytewise. Worse, the truncation violates the SC rule for mods which permit the parser to find links it otherwise would not find. Worse still when the spamforger puts the payload URLs at the bottom of the item.

I am not here intending an answer to OP's issue, but noting that I don't perceive a straightforward solution to the problem but that SC might consider raising the size limit to prevent spammers from truncating vendor URLs. It might be even better to have no published limit for spamforgers to abuse. :-p

Glenn

From eddie at eddie.web Sat Apr 16 22:30:59 2005
From: eddie at eddie.web (eddie)
Date: Sat Apr 16 21:35:05 2005
Subject: [SC-Help] Re: deputies - size of submission
References:
Message-ID:

On Sat, 16 Apr 2005 19:47:31 -0400, Pop scratched out the following:

snip
> It "used to be" that SC truncated it for you and then asked if it was OK
> with you. Have they stopped doing that? Might be worth checking on? If
> it's gone, maybe it could be put back; SC could just stop receiving the
> slime at their "limit" and let the rest of it puke into the ether?
>
> Just my 2 c.
> Pop

They still ask, but I have always assumed that if you don't answer "yes" the spam doesn't get processed.

--
Once movie theaters gave out steak knives
Today they confiscate them

From buzzard554 at fastmail.co.uk Sun Apr 17 08:50:51 2005
From: buzzard554 at fastmail.co.uk (Martin Edwards)
Date: Sun Apr 17 02:50:04 2005
Subject: [SC-Help] Re: deputies - size of submission
In-Reply-To:
References:
Message-ID:

eddie wrote:
> On Sat, 16 Apr 2005 19:47:31 -0400, Pop scratched out the following:
>
> snip
>
>>It "used to be" that SC truncated it for you and then asked if it was OK
>>with you. Have they stopped doing that? Might be worth checking on?
>>If it's gone, maybe it could be put back; SC could just stop receiving the
>>slime at their "limit" and let the rest of it puke into the ether?
>>
>>Just my 2 c.
>>Pop
>
>
> They still ask, but I have always assumed that if you don't answer "yes"
> the spam doesn't get processed.
>

If the body seems rather large, I just delete a chunk in the parser textbox, except Netscape Webmail, which I have to reformat in Wordpad anyway.

From nobody at devnull.spamcop.net Sun Apr 17 08:17:15 2005
From: nobody at devnull.spamcop.net (Miss Betsy)
Date: Sun Apr 17 08:15:30 2005
Subject: [SC-Help] Re: deputies - size of submission
References:
Message-ID:

I think that Anon is talking about submitting by email which does have a limit. And IIRC, the limit was there to prevent people from submitting viruses. So there shouldn't be a problem about increasing the limit now that viruses can be submitted.

I think that I know what kind of spam Anon is referring to - they are all .gif files and come through open proxies or compromised machines (never from the same place twice). And I remember someone else asking questions about them, but don't remember which forum.

I know that this is not very helpful, but perhaps Anon has found an answer since there is no more posts from hir.

Miss Betsy

From h9vzc2i02 at sneakemail.com Sun Apr 17 09:55:34 2005
From: h9vzc2i02 at sneakemail.com (Anon_)
Date: Sun Apr 17 11:55:05 2005
Subject: [SC-Help] Re: deputies - size of submission
References:
Message-ID:

"Martin Edwards" wrote in message news:d3t0tp$a4q$1@news.spamcop.net...
> eddie wrote:
> > On Sat, 16 Apr 2005 19:47:31 -0400, Pop scratched out the following:
> >
> > snip
> >
> >>It "used to be" that SC truncated it for you and then asked if it was OK
> >>with you. Have they stopped doing that? Might be worth checking on? If
> >>it's gone, maybe it could be put back; SC could just stop receiving the
> >>slime at their "limit" and let the rest of it puke into the ether?
> >>
> >>Just my 2 c.
> >>Pop
> >
> >
> > They still ask, but I have always assumed that if you don't answer "yes"
> > the spam doesn't get processed.
> >
> If the body seems rather large, I just delete a chunk in the parser
> textbox, except Netscape Webmail, which I have to reformat in Wordpad
> anyway.

***
I tried that but when most of my spam is the "large" kind, it is taking too much time to manually chop the garbage off of the end of the base64/gif attachment.
--
A SpamCop user and forum reader, Not Admin
***

From h9vzc2i02 at sneakemail.com Sun Apr 17 09:59:02 2005
From: h9vzc2i02 at sneakemail.com (Anon_)
Date: Sun Apr 17 12:00:04 2005
Subject: [SC-Help] Re: deputies - size of submission
References:
Message-ID:

See inline comments.

"Miss Betsy" wrote in message news:d3tjr7$im6$1@news.spamcop.net...
> I think that Anon is talking about submitting by email which does
> have a limit. And IIRC, the limit was there to prevent people from
> submitting viruses. So there shouldn't be a problem about
> increasing the limit now that viruses can be submitted.
>

**
We CAN submit VIRUSES????? Since when is SC larting viruses?
***

> I think that I know what kind of spam Anon is referring to - they
> are all .gif files

***
Some are gif, some are base64 all are huge.
--
A SpamCop user and forum reader, Not Admin
***

> and come through open proxies or compromised
> machines (never from the same place twice). And I remember someone
> else asking questions about them, but don't remember which forum.
>
> I know that this is not very helpful, but perhaps Anon has found an
> answer since there is no more posts from hir.
>
> Miss Betsy
>
>
>

From h9vzc2i02 at sneakemail.com Sun Apr 17 10:11:34 2005
From: h9vzc2i02 at sneakemail.com (Anon_)
Date: Sun Apr 17 12:10:02 2005
Subject: [SC-Help] Re: deputies - size of submission
References:
Message-ID:

"Pop" wrote in message news:d3s86a$uvl$1@news.spamcop.net...
> "Anon_" wrote in message
> news:d3s0pp$rbf$1@news.spamcop.net...
> > For the last few weeks I have been receiving many spams that are near
> > 150kb
> > in size.
> >
> > The first few, I put in wordpad and chopped the base64 down to a
> > reasonable
> > size but this is too much effort when most of the spam I receive are over
> > your 100kb limit.
> >
> > Would it be possible to increase SC's submittal limit to 150 kb (or even
> > 200
> > kb) because the spammers have now found ANOTHER way to prevent SC from
> > aiding
> > in the reports.
> >
> > These, I feel (since I did not decode the base64 or render them in OE)
> > that
> > this is just more 'padding', the only purpose is to thwart SC.
> >
> > Barring this, does anyone have an automated way of: pasting in wp
> > truncating
> > the spam and saving to a text file and attaching THAT to the SC e-mail?
> >
> >
> It "used to be" that SC truncated it for you and then asked if it was OK
> with you. Have they stopped doing that? Might be worth checking on? If
> it's gone, maybe it could be put back; SC could just stop receiving the
> slime at their "limit" and let the rest of it puke into the ether?
>

**
I just sent three large spams - all about 125kb.

All of them, when attached, showed the size as about 95kb but (I always send a copy of the SC submittal to myself) two had a total size of 58kb and one a total of 125kb.

I received TWO SC responses so the other (apparently) got bitbucketed.

So SC is still not trying to truncate the submittals.

In addition, I always put reply anyway in the subject line.
--
A SpamCop user and forum reader, Not Admin
***

> Just my 2 c.
> Pop
>
>

From nobody at devnull.spamcop.net Sun Apr 17 14:46:23 2005
From: nobody at devnull.spamcop.net (Miss Betsy)
Date: Sun Apr 17 14:45:12 2005
Subject: [SC-Help] Re: deputies - size of submission
References:
Message-ID:

"Anon_" wrote in message news:d3u0ul$p8h$1@news.spamcop.net...

> **
> We CAN submit VIRUSES????? Since when is SC larting viruses?
> ***

As of January see http://www.spamcop.net/fom-serve/cache/14.html

It is at the very bottom of the page.

Miss Betsy

From ob1db at spamcop.net Sun Apr 17 15:45:34 2005
From: ob1db at spamcop.net (David Butler)
Date: Sun Apr 17 14:50:02 2005
Subject: [SC-Help] Paypal/Ebay reporting error (deputies?)
References:
Message-ID:

Yes, I am well aware Ebay owns Paypal. This was for a Paypal Phishing spam.

As I pointed out, Paypal has their own reporting email addresses separate from Ebay. They were being reported correctly until about a week ago...

David

"Spam Hater" wrote in message news:mailman.130.1113575541.4572.spamcop-help@news.spamcop.net...
> Ummmm, eBay *owns* PayPal!! The LART targets seem appropriate
> to me. What doesn't seem appropriate is the LART itself. What was the
> context in which the PayPal URL was included in the SPAM? Are you
> trying to notify PayPal about a phishing attempt or are you claiming that
> they are SPAMvertising their website??? I don't think SpamCop is the
> right tool for phishing LARTs... I send those separately and uncheck
> the URL reporting for them.
>
> At 10:07 AM 4/15/2005 -0400, David Butler typed:
>
> >After months of correctly parsing Paypal spam to its own reporting email
> >addresses, the Spamcop engine is suddenly parsing it back to the Ebay
> >parent:
> >
> >Re: http://www.paypal.com/ (Administrator of network hosting website
> >referenced in spam)
> >To: spoof#ebay.com@devnull.spamcop.net (Notes)
> >To: spam@ebay.com (Notes)
> >To: postmaster@ebay.com (Notes)
> >
> >Note that SPOOF email, the phishing email address, no longer accepts Spamcop
> >reports.
> > > >Looking on Openrbl.org, I see the addresses formerly used by SC are still > >the same: > > > >Abuse-Whois paypal.com: (paypal.com; paypal.com; paypal.com; paypal.com; > >paypal.com) > >[Cached] > >[whois.abuse.net] > >accessviolation@paypal.com (for paypal.com) > >postmaster@paypal.com (for paypal.com) > >spoof@paypal.com (for paypal.com) > >SC is parsing this as :Parsing input: paypal.comhost paypal.com (checking > >ip) = 216.113.188.64host 216.113.188.64 = www.paypal.com (cached)No recent > >reports, no history availableRouting details for > >216.113.188.64[refresh/show] Cached whois for 216.113.188.64 : > >network@ebay.comUsing abuse net on network@ebay.comabuse net ebay.com = > >spam@ebay.com, postmaster@ebay.com, spoof@ebay.comUsing best contacts > >spam@ebay.com postmaster@ebay.com spoof@ebay.comspoof@ebay.com refuses > >SpamCop reportsUsing spoof#ebay.com@devnull.spamcop.net for statistical > >tracking.But the openrbl.org analysis shows this still as Paypal: Address: > >216.113.188.64 resolved to paypal.com AS: [NO_ROUTE] Net 216/8 > >IANA-NETBLOCK-216 ?Given that Ebay is less responsive, shouldn't this report > >to Paypal ?? From h9vzc2i02 at sneakemail.com Sun Apr 17 16:45:43 2005 From: h9vzc2i02 at sneakemail.com (Anon_) Date: Sun Apr 17 18:45:03 2005 Subject: [SC-Help] Re: deputies - size of submission References: Message-ID: "Miss Betsy" wrote in message news:d3uaks$ued$1@news.spamcop.net... > "Anon_" wrote in message > news:d3u0ul$p8h$1@news.spamcop.net... > > > ** > > We CAN submit VIRUSES????? Since when is SC larting viruses? > > *** > > As of January see http://www.spamcop.net/fom-serve/cache/14.html > > It is at the very bottom of the page. > > Miss Betsy > > ** Well, live and learn! That is good news (actually I feel that SC has knuckled under since many WERE improperly reporting viruses as spam anyway.) Now I do not have to decide whether that e-mail is a virus or (real) spam lart them all. 
-- A SpamCop user and forum reader, Not Admin *** From bar_n0ne at hotmail.com Mon Apr 18 12:57:55 2005 From: bar_n0ne at hotmail.com (Berny) Date: Mon Apr 18 04:00:24 2005 Subject: [SC-Help] Re: deputies - size of submission References: Message-ID: "Anon_" wrote in message news:d3u0o5$oth$1@news.spamcop.net... > > "Martin Edwards" wrote in message > news:d3t0tp$a4q$1@news.spamcop.net... > > eddie wrote: > > > On Sat, 16 Apr 2005 19:47:31 -0400, Pop scratched out the following: > > > > > > snip >> > If the body seems rather large, I just delete a chunk in the parser > > textbox, except Netscape Webmail, which I have to reformat in Wordpad > > anyway. > > *** > I tried that but when most of my spam is the "large" kind, it is taking too > much time to manually chop the garbage off of the end of the base64/gif > attachment. I long ago set my max mail download to 20kb (your preference may vary) so my spams are never over 20kb in size for reporting unless I choose to d/l the rest (rare). Also if I have to use a dial up, I don't have to wait for large turds to pass. That is a setting available in almost every mail client except webmail clients. If you get frequent, desired large attachments set the limit to 49 or 99k. Your spam is different from mine. In more than 10 years I have had only 2 spams >50k not counting viruses. Even those weigh in at less than 150 normally. From h9vzc2i02 at sneakemail.com Mon Apr 18 08:38:13 2005 From: h9vzc2i02 at sneakemail.com (Anon_) Date: Mon Apr 18 10:40:08 2005 Subject: [SC-Help] Re: deputies - size of submission References: Message-ID: "Pop" wrote in message news:d3s86a$uvl$1@news.spamcop.net... > "Anon_" wrote in message > news:d3s0pp$rbf$1@news.spamcop.net... > > For the last few weeks I have been receiving many spams that are near > > 150kb > > in size. 
> > > > The first few, I put in wordpad and chopped the base64 down to a > > reasonable > > size but this is too much effort when most of the spam I receive are over > > your 100kb limit. > > > > Would it be possible to increase SC's submittal limit to 150 kb (or even > > 200 > > kb because the spammers have now found ANOTHER way to prevent SC from > > aiding > > in the reports. > > > > These, I feel (since I did not decode the base64 or render them in OE) > > that > > this is just more 'padding', the only purpose is to thwart SC. > > > > Barring this, does anyone have an automated way of: pasting in wp > > truncating > > the spam and saving to a text file and attaching THAT to the SC e-mail? > > > > > It "used to be" that SC truncated it for you and then asked if it was OK > with you. Have they stopped doing that? Might be worth checking on? If > it's gone, maybe it could be put back; SC could just stop receiving the > slime at their "limit" and let the rest of it puke into the ether? > > Just my 2 c. > Pop > > *** As a follow-up to another of my posts regarding SC's handling large submittals - Just sent another large spam for testing and found this: ---SC note--- [Truncated by SpamCop] ---end SC note-- at the bottom of the "view message" screen. So I guess SC is truncating (some) large submittals. No notification was sent regarding the snippage. -- A SpamCop user and forum reader, Not Admin *** From dkona7b02 at sneakemail.com Mon Apr 18 11:52:43 2005 From: dkona7b02 at sneakemail.com (Spam Hater) Date: Mon Apr 18 10:52:50 2005 Subject: [SC-Help] Paypal/Ebay reporting error (deputies?) In-Reply-To: References: Message-ID: <3.0.5.32.20050418105243.0147d740@loki.fstrf.org> Right, so why are you using SpamCop to report the phishing attempt to PayPal??? SpamCop is for reporting SPAM!! 
While a side effect of reporting will be that PayPal gets notified, another side effect is that the PayPal site gets listed in the statistics department and who knows what blocklists are using that info to do bad things? The PayPal site is an innocent bystander in this context and should be treated as such, in my opinion... At 02:45 PM 4/17/2005 -0400, David Butler typed: >Yes, I am well aware Ebay owns Paypal. > >This was for a Paypal Phishing spam. As I pointed out, Paypal has their own >reporting email addresses separate from Ebay. They were being reported >correctly until about a week ago... > >David > > >"Spam Hater" wrote >> Ummmm, eBay *owns* PayPal!! The LART targets seem appropriate >> to me. What doesn't seem appropriate is the LART itself. What was the >> context in which the PayPal URL was included in the SPAM? Are you >> trying to notify PayPal about a phishing attempt or are you claiming that >> they are SPAMvertising their website??? I don't think SpamCop is the >> right tool for phishing LARTs... I send those separately and uncheck >> the URL reporting for them. >> >> At 10:07 AM 4/15/2005 -0400, David Butler typed: >> >> >After months of correctly parsing Paypal spam to its own reporting email >> >addresses, the Spamcop engine is suddenly parsing it back to the Ebay >> >parent: From buzzard554 at fastmail.co.uk Mon Apr 18 19:20:34 2005 From: buzzard554 at fastmail.co.uk (Martin Edwards) Date: Mon Apr 18 13:20:02 2005 Subject: [SC-Help] Re: deputies - size of submission In-Reply-To: References: Message-ID: Miss Betsy wrote: > "Anon_" wrote in message > news:d3u0ul$p8h$1@news.spamcop.net... > > >>** >>We CAN submit VIRUSES????? Since when is SC larting viruses? >>*** > > > As of January see http://www.spamcop.net/fom-serve/cache/14.html > > It is at the very bottom of the page. > > Miss Betsy > > Good: I was still reporting them manually. 
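For the question raised earlier in this thread about an automated way to cut an oversized spam down before submitting it, here is an added example (not code from any poster or from SpamCop). It keeps every header line, since those carry the Received chain used for tracing, and trims the body at the last complete line under the limit; reading "100kb" as 100 KiB, the function names and the sample message are assumptions made for illustration.

```python
import base64

# Assumption: the "100kb limit" from the thread is read as 100 KiB.
LIMIT_BYTES = 100 * 1024


def split_message(raw: bytes):
    """Split a raw message into (headers incl. blank separator line, body)."""
    hits = [(raw.find(sep), len(sep)) for sep in (b"\r\n\r\n", b"\n\n")]
    hits = [(pos, size) for pos, size in hits if pos >= 0]
    if not hits:
        return raw, b""          # headers only, no body at all
    pos, size = min(hits)        # earliest separator ends the header block
    return raw[:pos + size], raw[pos + size:]


def truncate_spam(raw: bytes, limit: int = LIMIT_BYTES) -> bytes:
    """Return raw cut to at most `limit` bytes without touching the headers.

    The body is cut at a line boundary so no base64 line is left half
    written. Nothing is appended: the result is a strict prefix of the input.
    """
    if len(raw) <= limit:
        return raw
    head, body = split_message(raw)
    if len(head) > limit:
        raise ValueError("headers alone exceed the limit; refusing to cut them")
    kept = body[:limit - len(head)]
    kept = kept[:kept.rfind(b"\n") + 1]   # drop a trailing partial line
    return head + kept


def build_sample() -> bytes:
    """Constructed sample: short headers plus roughly 150 KB of base64 padding."""
    headers = (
        b"Received: from mail.example.invalid (192.0.2.10) by mx.example.invalid\n"
        b"From: sender@example.invalid\n"
        b"To: reporter@example.invalid\n"
        b"Subject: constructed sample\n"
        b"MIME-Version: 1.0\n"
        b"Content-Type: image/gif\n"
        b"Content-Transfer-Encoding: base64\n"
        b"\n"
    )
    padding = bytes(range(256)) * 430     # 110,080 bytes of filler
    return headers + base64.encodebytes(padding)


if __name__ == "__main__":
    sample = build_sample()
    cut = truncate_spam(sample)
    print(f"original {len(sample)} bytes, truncated {len(cut)} bytes")
```
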
From ob1db at spamcop.net Mon Apr 18 17:17:36 2005 From: ob1db at spamcop.net (David Butler) Date: Mon Apr 18 16:20:31 2005 Subject: [SC-Help] Paypal/Ebay reporting error (deputies?) References: Message-ID: You appear confused on how this works. I report a phishing SPAM. The source of the spam gets reported and listed. The phishing link gets reported SOLELY to the site of the phishing host and to whomever is being phished, in this case Paypal (or incorrectly, IMNSHO to Ebay). There is no reportage to blocking lists and such from links that are reported. This probably is in the FAQ pages somewhere. Block list info ONLY comes from reporting the SOURCE of the spam, NOT the links. The two kinds of reportage are totally separate. This has been discussed a few times if you look up the archives... Make sense? Regards, David "Spam Hater" wrote in message news:mailman.132.1113835971.4572.spamcop-help@news.spamcop.net... > Right, so why are you using SpamCop to report the phishing attempt to > PayPal??? SpamCop is for reporting SPAM!! While a side effect of > reporting will be that PayPal gets notified, another side effect is that the > PayPal site gets listed in the statistics department and who knows what > blocklists are using that info to do bad things? The PayPal site is an > innocent bystander in this context and should be treated as such, in my > opinion... > > At 02:45 PM 4/17/2005 -0400, David Butler typed: > > >Yes, I am well aware Ebay owns Paypal. > > > >This was for a Paypal Phishing spam. As I pointed out, Paypal has their own > >reporting email addresses separate from Ebay. They were being reported > >correctly until about a week ago... > > > >David > > > > > >"Spam Hater" wrote > >> Ummmm, eBay *owns* PayPal!! The LART targets seem appropriate > >> to me. What doesn't seem appropriate is the LART itself. What was the > >> context in which the PayPal URL was included in the SPAM? 
Are you > >> trying to notify PayPal about a phishing attempt or are you claiming that > >> they are SPAMvertising their website??? I don't think SpamCop is the > >> right tool for phishing LARTs... I send those separately and uncheck > >> the URL reporting for them. > >> > >> At 10:07 AM 4/15/2005 -0400, David Butler typed: > >> > >> >After months of correctly parsing Paypal spam to its own reporting email > >> >addresses, the Spamcop engine is suddenly parsing it back to the Ebay > >> >parent: From dkona7b02 at sneakemail.com Mon Apr 18 18:14:21 2005 From: dkona7b02 at sneakemail.com (Spam Hater) Date: Mon Apr 18 17:14:28 2005 Subject: [SC-Help] Paypal/Ebay reporting error (deputies?) In-Reply-To: References: Message-ID: <3.0.5.32.20050418171421.013e4670@loki.fstrf.org> Ok, maybe I am confused then because the discussion I have seen in here recently leads me to believe that all Spamvertised sites, while not listed by SpamCop, do get statistics tallied for them and then third parties suck up that info and form their own blocklists. So basically, when you report an innocent bystander, which www.paypal.com is, you may prevent their legitimate emails from getting to their customers in the future, if said customer is relying on one of those third party protection programs/lists! The term itself, innocent bystander, implies that you really shouldn't be reporting these URLs. That is why SpamCop gives you the option of unchecking the check boxes... It is also why there is the big warning on the reporting page: "ATTENTION: Report only those e-mail addresses and web sites that you think your spammer has used. Avoid checking any boxes left empty unless you know that your spammer has used the addresses or sites thus identified." So, are you claiming that the PayPal site is being "used" by the SPAMmer/Phisher? The phish site, definitely but not the paypal main pages and help pages and such... 
As I said in my original reply to your message, I think you should be sending manual LARTs to PayPal about the phishing attempts and leave SpamCop out of the mix. It would be nice if a Deputy chimed in here but they seem to be few and far between now a days... :( Even you mentioning them in your subject line didn't grab their attention! :( At 04:17 PM 4/18/2005 -0400, David Butler typed: >You appear confused on how this works. > >I report a phishing SPAM. The source of the spam gets reported and listed. >The phishing link gets reported SOLELY to the site of the phishing host and >to whomever is being phished, in this case Paypal (or incorrectly, IMNSHO to >Ebay). There is no reportage to blocking lists and such from links that are >reported. This probably is in the FAQ pages somewhere. Block list info ONLY >comes from reporting the SOURCE of the spam, NOT the links. > >The two kinds of reportage are totally separate. This has been discussed a >few times if you look up the archives... > >Make sense? > >Regards, > >David > > >"Spam Hater" wrote in message >news:mailman.132.1113835971.4572.spamcop-help@news.spamcop.net... >> Right, so why are you using SpamCop to report the phishing attempt to >> PayPal??? SpamCop is for reporting SPAM!! While a side effect of >> reporting will be that PayPal gets notified, another side effect is that >the >> PayPal site gets listed in the statistics department and who knows what >> blocklists are using that info to do bad things? The PayPal site is an >> innocent bystander in this context and should be treated as such, in my >> opinion... >> >> At 02:45 PM 4/17/2005 -0400, David Butler typed: >> >> >Yes, I am well aware Ebay owns Paypal. >> > >> >This was for a Paypal Phishing spam. As I pointed out, Paypal has their >own >> >reporting email addresses separate from Ebay. They were being reported >> >correctly until about a week ago... >> > >> >David >> > >> > >> >"Spam Hater" wrote >> >> Ummmm, eBay *owns* PayPal!! 
The LART targets seem appropriate >> >> to me. What doesn't seem appropriate is the LART itself. What was the >> >> context in which the PayPal URL was included in the SPAM? Are you >> >> trying to notify PayPal about a phishing attempt or are you claiming >that >> >> they are SPAMvertising their website??? I don't think SpamCop is the >> >> right tool for phishing LARTs... I send those separately and uncheck >> >> the URL reporting for them. >> >> >> >> At 10:07 AM 4/15/2005 -0400, David Butler typed: >> >> >> >> >After months of correctly parsing Paypal spam to its own reporting >email >> >> >addresses, the Spamcop engine is suddenly parsing it back to the Ebay >> >> >parent: From nttp.sc.s at bigsleep.org Mon Apr 18 22:14:41 2005 From: nttp.sc.s at bigsleep.org (Blammo) Date: Mon Apr 18 17:15:04 2005 Subject: [SC-Help] Re: deputies - size of submission References: Message-ID: On 18 Apr 2005 Martin Edwards entered spamcop.help and left news:d40q6f$4vo$1@news.spamcop.net: > Good: I was still reporting them manually. > I report many of them manually anyway. -- | Ric | From MikeE at ster.invalid Mon Apr 18 15:24:20 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon Apr 18 17:25:07 2005 Subject: [SC-Help] Paypal/Ebay reporting error (deputies?) References: Message-ID: reconstructed to make a dialogue out of this; one of the reasons that topposting communicates poorly is because it doesn't place the exact words in front of the poster while they are typing, and it doesn't juxtapose their response directly below what they are responding to. David Butler wrote: > "Spam Hater" > You appear confused on how this works. Someone is confused; and I'm not 100% crystal clear myself, but I'm pretty sure I agree with SH as below -- almost completely positive. >> Right, so why are you using SpamCop to report the phishing attempt to >> PayPal??? SpamCop is for reporting SPAM!! 
While a side effect of >> reporting will be that PayPal gets notified, another side effect is >> that the PayPal site gets listed in the statistics department and >> who knows what blocklists are using that info to do bad things? The >> PayPal site is an innocent bystander in this context and should be >> treated as such, in my opinion... > The phishing link gets reported SOLELY to the site of the > phishing host Yep, the phishing site host is a spamvertiser. > and to whomever is being phished, in this case Paypal > (or incorrectly, IMNSHO to Ebay). No. The wording and purpose of a spamcop report to a provider for a link contained in a spam which isn't unchecked as an IB is as if that provider's client is spamvertising, not the 'subject' of a phish. That is, a provider getting a spamcop report about their client appearing in a spam as a spamvertiser is not the same thing as an 'entity' such as paypal or a bank being notified [at their proper phish address or in their preferred way] about a phish. The fact of the matter is that if you carefully research each phish and determine how or when a phish entity wants to be notified, many times they don't want to be notified about the ones they already know about, or they want to be notified in a particular way. They don't want their provider to receive a SC report which sounds like they were a spamvertiser in a spam. > There is no reportage to blocking > lists and such from links that are reported. This probably is in the > FAQ pages somewhere. Block list info ONLY comes from reporting the > SOURCE of the spam, NOT the links. I'm sure SH understands completely what the SCbl is all about. What he is telling you up above is that spamvertised/reported links get placed on the SC statistic page. From there they are scraped by the sc-surbl and then go into blocklists which aid body combing software to block an item because it is a known spamvertiser. 
ebay and paypal shouldn't be contributed to the sc-surbl because their URL appears as part of the phishing process. Appearing innocently as part of a spam or scam is *NOT* the same thing as spamvertising, and shouldn't be treated or spamcop notified as such. > The two kinds of reportage are totally separate. This has been > discussed a few times if you look up the archives... Spamvertising reportage and spamsourcing of course aren't the same kind of reportage. What SH and I are talking about is that paypal/ebay is an IB in a phish, not a spamvertiser, and shouldn't be reported as a spamvertiser as a method of 'communicating' with ebay/paypal about a phish. > Make sense? Don't top post. Trim and post inline and I think you'll see where you are going wrong. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Mon Apr 18 15:31:51 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon Apr 18 17:30:12 2005 Subject: [SC-Help] Paypal/Ebay reporting error (deputies?) References: Message-ID: Spam Hater wrote: > all Spamvertised sites, while > not listed by SpamCop, do get statistics tallied for them and then > third parties suck up that info and form their own blocklists. Correct > So > basically, when you report an innocent bystander, which > www.paypal.com is, you may prevent their legitimate emails from > getting to their customers in the future, if said customer is relying > on one of those third party protection programs/lists! Correct; altho' the sc-surbl listing is not a potent one, I agree that the SC report to the provider for paypal/ebay is a report of an IB > The term itself, innocent bystander, implies that you really > shouldn't be reporting these URLs. Correct. > As I said in my original reply to your message, I think you should be > sending manual LARTs to PayPal about the phishing attempts and > leave SpamCop out of the mix. 
Actually there are guidelines at phish help sites for how to go about notifying about phishes, including central phish places. In fact, sometimes /only/ the central phish place wants to know, and the phish entity doesn't want to know/ care/ about the/your spam problem. -- Mike Easter kibitzer, not SC admin From h9vzc2i02 at sneakemail.com Mon Apr 18 15:53:36 2005 From: h9vzc2i02 at sneakemail.com (Anon_) Date: Mon Apr 18 17:55:05 2005 Subject: [SC-Help] Paypal/Ebay reporting error (deputies?) References: Message-ID: "Spam Hater" wrote in message news:mailman.133.1113858870.4572.spamcop-help@news.spamcop.net... > Ok, maybe I am confused then because the discussion I have seen in here > recently leads me to believe that all Spamvertised sites, while not listed by ** spam hater - don't you understand about NOT top posting yet. You are still doing it and it is VERY confusing to follow. PLEASE post your reply immediately after the paragraph you are posting about. If several paragraphs - then several of your paragraphs after each you are responding to. TRIM everything that does not apply to your responses. Please NO TOP POSTING! -- A SpamCop user and forum reader, Not Admin *** From nobody at devnull.spamcop.net Mon Apr 18 19:22:40 2005 From: nobody at devnull.spamcop.net (Pop) Date: Mon Apr 18 18:25:04 2005 Subject: [SC-Help] Re: deputies - size of submission References: Message-ID: "Blammo" wrote in message news:Xns963C90FDDBB6Eblammo@216.154.195.61... > On 18 Apr 2005 Martin Edwards entered spamcop.help and left > news:d40q6f$4vo$1@news.spamcop.net: > >> Good: I was still reporting them manually. >> > > I report many of them manually anyway. > > -- > | Ric > | So do I. Since there are so few of them these days, I always like to check best I can to see if it leads in any way to someone I know so I can alert them to an infected machine. It worked once and another time I think it worked, but never heard for sure. 
Pop From nttp.sc.sh at bigsleep.org Tue Apr 19 02:31:18 2005 From: nttp.sc.sh at bigsleep.org (Blammo) Date: Mon Apr 18 21:35:39 2005 Subject: [SC-Help] Re: deputies - size of submission References: Message-ID: On 18 Apr 2005 Pop entered spamcop.help and left news:d41bvf$fmi$1@news.spamcop.net: > It worked once and another time I think it > worked, but never heard for sure. If you continue to get the same virus from the same network, then you know it didn't work. I've even called Covad support on the phone because I didn't even know if they were getting my reports (or reading them, for that matter). I really don't care about viruses, but I'm happy to take part in shutting off another infected Windows machine. Often the same machines are Zombified. -- | Ric | From nttp.sc.sh at bigsleep.org Tue Apr 19 02:44:56 2005 From: nttp.sc.sh at bigsleep.org (Blammo) Date: Mon Apr 18 21:45:03 2005 Subject: [SC-Help] Paypal/Ebay reporting error (deputies?) References: Message-ID: On 18 Apr 2005 Mike Easter entered spamcop.help and left news:d418so$dlo$1@news.spamcop.net: > Actually there are guidelines at phish help sites for how to go about > notifying about phishes, including central phish places. In fact, > sometimes /only/ the central phish place wants to know, and the phish > entity doesn't want to know/ care/ about the/your spam problem. Some of these places want you to go through too much trouble, you have to find the page, read the instructions, then do it their way which is often copy-paste bologna. Or some like to bounce your reports because they contain a spamvertised URL (hey, that's what we are trying to prevent). But I've sent user reports via Spamcop to spoof@paypal.com, and I don't see a problem with that. It's not reporting the URL, but the eMail as a spoof. I've done a CC to them, but it's usually easier to use Spamcop, since I'm reporting it anyway. 
-- | Ric | From MikeE at ster.invalid Mon Apr 18 21:06:14 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon Apr 18 23:05:06 2005 Subject: [SC-Help] Paypal/Ebay reporting error (deputies?) References: Message-ID: Blammo wrote: > Mike Easter >> Actually there are guidelines at phish help sites for how to go about >> notifying about phishes, including central phish places. In fact, >> sometimes /only/ the central phish place wants to know, and the phish >> entity doesn't want to know/ care/ about the/your spam problem. > > Some of these places want you to go through too much trouble, you > have to find the page, read the instructions, then do it their way > which is often copy-paste bologna. Very true; once you figger out that the phishbait isn't at all interested in the spamscam you've received about them, you pretty much lose interest in notifying them about it. Which I think is just fine with them. A high percentage of them feel that they don't want their customers to get scammed, but they aren't at all interested in all of that spam. They would like to develop themselves something at their website that they feel is helpful and preventative of problems, but they do not want to be receiving notification of all of those phishes. The assumption that the spamee makes that they want to hear about it is largely unjustified. Some of them apparently want to hear about everything, but not many. That's why I say that each person who wants to notify the phishbait about the spam shouldn't assume that they should do that, but should familiarize themselves with the particulars of a few popular ones. > But I've sent user reports via Spamcop to > spoof@paypal.com, and I don't see a problem with that. That's what we are discussing. I'm talking about the problem with that. By the definitions of what is a spamvertiser and what is an IB, paypal is an IB in a phish. 
The fact that spamcop and paypal are 'cooperating' and offering that spoof address is an unfortunate 'misdirection' because it is inappropriate. It, SC's reporting of paypal the IB as a spamvertiser to the paypal spoof address, is an inappropriate usage of the spoof address and it makes it look like all phish related SC reports should 'generally' report the phishbait as if it were a spamvertiser, when that isn't the general case at all, but some kind of special cooperation between paypal and SC. My thinking is that paypal doesn't want them at all, and it certainly doesn't want them sent to a 'normal' paypal abuse address. I expect that paypal and SC have agreed to have SC reports about paypal spamvertisements go to the spoof address and then everything from SC to spoof is bit bucketed. So, the problem with that business of inappropriate misdirection is that it might cause appropriate paypal spamvertiser notifies to go into the same bitbucket with the inappropriate phishbait ones. > It's not > reporting the URL, but the eMail as a spoof. No, it /is/ reporting the url as a spamvertised url. That's what a spamcop report about a URL is. If a person is a paid reporter, it would be appropriate to uncheck the paypal phishbait address and then add it back in as an additional notify, since the additional notify doesn't represent a provider of a spamsource or a spamvertiser, but simply an additional notify for some other reason. In the case of the phishbait, the other reason is because it is phishbait. > I've done a CC to them, > but it's usually easier to use Spamcop, since I'm reporting it anyway. -- Mike Easter kibitzer, not SC admin From SCNews.5.myspamgobbler at spamgourmet.com Mon Apr 18 21:10:30 2005 From: SCNews.5.myspamgobbler at spamgourmet.com (Brian (SnSR)) Date: Mon Apr 18 23:15:03 2005 Subject: [SC-Help] Paypal/Ebay reporting error (deputies?) 
In-Reply-To: References: Message-ID: Blammo wrote: > On 18 Apr 2005 Mike Easter entered spamcop.help and left > news:d418so$dlo$1@news.spamcop.net: > > >>Actually there are guidelines at phish help sites for how to go about >>notifying about phishes, including central phish places. In fact, >>sometimes /only/ the central phish place wants to know, and the phish >>entity doesn't want to know/ care/ about the/your spam problem. > > > Some of these places want you to go through too much trouble, you have to > find the page, read the instructions, then do it their way which is often > copy-paste bologna. Or some like to bounce your reports because they > contain a spamvertised URL (hey, that's what we are trying to prevent). > But I've sent user reports via Spamcop to spoof@paypal.com, and I don't see > a problem with that. It's not reporting the URL, but the eMail as a spoof. > I've done a CC to them, but it's usually easier to use Spamcop, since I'm > reporting it anyway. > I agree, as long as you uncheck the links of the innocent bystander so they don't get reported/added to any block list. I will usually also manually report the phish link to the host provider. I feel that including PHISH in the subject line helps get their attention and possibly gets the site shut down quicker. I would imagine that a good abuse desk would use filters to sort higher priority items such as phish and Lolita spam, though that may only be wishful thinking on my part. From nttp.sc.s at bigsleep.org Tue Apr 19 10:02:01 2005 From: nttp.sc.s at bigsleep.org (Blammo) Date: Tue Apr 19 05:06:40 2005 Subject: [SC-Help] Paypal/Ebay reporting error (deputies?) References: Message-ID: On 18 Apr 2005 Mike Easter entered spamcop.help and left news:d41sfm$o7q$1@news.spamcop.net: > So, the problem with that business of inappropriate misdirection is that > it might cause appropriate paypal spamvertiser notifies to go into the > same bitbucket with the inappropriate phishbait ones. 
> >> It's not >> reporting the URL, but the eMail as a spoof. > > No, it /is/ reporting the url as a spamvertised url. That's what a > spamcop report about a URL is. If a person is a paid reporter, it would > be appropriate to uncheck the paypal phishbait address and then add it > back in as an additional notify, since the additional notify doesn't > represent a provider of a spamsource or a spamvertiser, but simply an > additional notify for some other reason. In the case of the phishbait, > the other reason is because it is phishbait. > I thought you might not understand what I meant, I do uncheck the box and use the user report: "But I've sent user reports via Spamcop to spoof@paypal.com" That is not reporting the URL. Besides, it usually wants to send to ebay, which is what the discussion is about. -- | Ric | From nttp.sc.sh at bigsleep.org Tue Apr 19 10:11:37 2005 From: nttp.sc.sh at bigsleep.org (Blammo) Date: Tue Apr 19 05:16:28 2005 Subject: [SC-Help] Paypal/Ebay reporting error (deputies?) References: Message-ID: On 18 Apr 2005 Brian (SnSR) entered spamcop.help and left news:d41sve$ogr$1@news.spamcop.net: > I would imagine > that a good abuse desk would use filters to sort higher priority items > such as phish and Lolita spam, though that may only be wishful thinking > on my part. If they don't they should start real soon, it's insane to hire someone to look at each individual one (thus explaining non-responsive abuse desks?). I'm working on a script myself to sort out spam sources so I can do something like what Mail.com does, but I'll be doing white-listing and black-listing with a possible Spamcop reporting option. The easier it is for the user, the more effective it is. -- | Ric | From MikeE at ster.invalid Tue Apr 19 06:05:26 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue Apr 19 08:05:22 2005 Subject: [SC-Help] Paypal/Ebay reporting error (deputies?) 
References: Message-ID: Blammo wrote: > I thought you might not understand what I meant, I do uncheck the box > and use the user report: Gotcha. -- Mike Easter kibitzer, not SC admin From amenex at amenex.com Tue Apr 19 09:21:54 2005 From: amenex at amenex.com (George Langford, Sc.D.) Date: Tue Apr 19 08:21:57 2005 Subject: [SC-Help] Paypal/Ebay reporting error (deputies?) Message-ID: <200504191221.j3JCLsG02735@email1.voicenet.com> Something seems odd about this whole discussion. I've notified PayPal & eBay hundreds of times about phishes, and they have never failed to acknowledge my reports. That said, my notifies include the upstreams of the phish-hosting site, the hosts of the email addy's (when present) to which the stolen personal data are redirected, and the owner of the innocent domain (i.e., eBay, PayPal, WAMU, etc.) but never the upstream provider for eBay or PayPal. And I usually check what SpamCop does with my report about the spammer site that sent me the phish in the first place. SpamCop has been sending notifies to PayPal & eBay also, but occasionally either misses an obfuscated URL or discovers a redirected URL that I miss. My best guess regarding SpamCop's choice not to notify spoof@???.com is that spoof@???.com prefers to hear from folks like me who take the time and risk of mining the phishes for information that can help ???.com track down the criminals. That's my motivation. I'm a customer of the phished site, so it is important to me that ??? not stand by, watching their clueless customers get themselves into trouble by ignorantly responding to phishes that they have never seen before. Read an interesting article in American Scientist the other day. It's by Brian Hayes, entitled, "Rumours and Errours," the title giving away the point of the article. The issue is May-June, 2005, page 207. The computation that Hayes describes is of the fraction of a population that never hears a certain rumor. That number works out to 0.203188... 
which is what drives the perp's of the phishes. In other words, more than 20 percent of the population of computer users have never heard of phishing. That's a rich lode indeed. No wonder they seem never to give up ! George Langford From ob1db at spamcop.net Tue Apr 19 13:11:05 2005 From: ob1db at spamcop.net (David Butler) Date: Tue Apr 19 12:15:05 2005 Subject: [SC-Help] Paypal/Ebay reporting error (deputies?) References: Message-ID: > What SH and I are talking about is that paypal/ebay is an IB in a phish, > not a spamvertiser, and shouldn't be reported as a spamvertiser as a > method of 'communicating' with ebay/paypal about a phish. > Paypal and Ebay ARE their own ISPs and have email addresses specifically for phishing and spoofing. They want these reports or they would not have the addresses so set up. Perhaps I should have mentioned this earlier... David From ob1db at spamcop.net Tue Apr 19 13:13:05 2005 From: ob1db at spamcop.net (David Butler) Date: Tue Apr 19 12:15:11 2005 Subject: [SC-Help] Paypal/Ebay reporting error (deputies?) References: Message-ID: "Blammo" wrote in message news:Xns963CBECF4CEA1blammo@216.154.195.61... > On 18 Apr 2005 Mike Easter entered spamcop.help and left > news:d418so$dlo$1@news.spamcop.net: > > > Actually there are guidelines at phish help sites for how to go about > > notifying about phishes, including central phish places. In fact, > > sometimes /only/ the central phish place wants to know, and the phish > > entity doesn't want to know/ care/ about the/your spam problem. > > Some of these places want you to go through too much trouble, you have to > find the page, read the instructions, then do it their way which is often > copy-paste bologna. Or some like to bounce your reports because they > contain a spamvertised URL (hey, that's what we are trying to prevent). > But I've sent user reports via Spamcop to spoof@paypal.com, and I don't see > a problem with that. It's not reporting the URL, but the eMail as a spoof. 
> I've done a CC to them, but it's usually easier to use Spamcop, since I'm > reporting it anyway. > You and I are on the same page with this one. Would LOVE to hear a Deputy view! David From MikeE at ster.invalid Tue Apr 19 10:23:28 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue Apr 19 12:25:03 2005 Subject: [SC-Help] Paypal/Ebay reporting error (deputies?) References: Message-ID: David Butler wrote: > Paypal and Ebay ARE their own ISPs and have email addresses > specifically for phishing and spoofing. They want these reports or > they would not have the addresses so set up. Perhaps I should have > mentioned this earlier... This is about unchecking paypal or ebay when SC parses a phish and finds the url and offers to report about it. The business about a free reporter reporting them manually or a paid reporter adding them as an additional notified is another matter. -- Mike Easter kibitzer, not SC admin From dkona7b02 at sneakemail.com Tue Apr 19 14:28:41 2005 From: dkona7b02 at sneakemail.com (Spam Hater) Date: Tue Apr 19 13:28:49 2005 Subject: [SC-Help] Paypal/Ebay reporting error (deputies?) In-Reply-To: References: Message-ID: <3.0.5.32.20050419132841.00f92d78@loki.fstrf.org> Yes, you are absolutely correct with what you state below. The difference of opinion here is how you go about reporting to these "ISPs". Personally, I forward all SPAM to SpamCop. I also CC: the FCC on all my SPAM. I don't let SpamCop notify them, I do it directly but at the same time! If the SPAM is selling drugs, I CC: the FDA at the same time. If they are selling software, I CC: the proper piracy@x.x address at the same time. In the case of phishing attempts, I follow the exact same scenario. I CC: the appropriate phish@x.x at the same time I forward the mess to SpamCop. This sets up two independent paths of notification. When I follow up on my report to SpamCop, I make sure to uncheck any Innocent Bystanders that the parser may have identified. 
There is no reason at all for SpamCop to be listing an IB in any way, shape or form or to be notifying them of anything. They are innocent of any wrong doing and have nothing directly to do with the email that ended up in your mailbox. That is the point we are trying to get across to you. You are simply using the wrong tool to make your notifications. This is SpamCop we are talking about, not PhishCop... :) The bottom line is that by using SpamCop you are causing unforeseen consequences for the very people you are going out of your way to help. You are being a nice guy and trying to alert these companies to phishing attempts but at the same time you are contributing to their problems communicating with their legitimate customers. Here is an idea. Maybe this will help demonstrate what we are talking about. The next time you report a phish, check the parser output and click on the "report history" link for any IB URLs that were identified. You will see how many well meaning people just like yourself have reported these sites as being spamvertised. There is no notation indicating that these were merely phishing attempts. To the rest of the world, it looks as if these companies have been using SPAM to advertise their web sites! Is this the intent you had in mind??? At 12:11 PM 4/19/2005 -0400, David Butler typed: >Paypal and Ebay ARE their own ISPs and have email addresses specifically for >phishing and spoofing. They want these reports or they would not have the >addresses so set up. Perhaps I should have mentioned this earlier... > >> What SH and I are talking about is that paypal/ebay is an IB in a phish, >> not a spamvertiser, and shouldn't be reported as a spamvertiser as a >> method of 'communicating' with ebay/paypal about a phish. From wb8tyw at qsl.network Tue Apr 19 13:42:25 2005 From: wb8tyw at qsl.network (John E. Malmberg) Date: Tue Apr 19 13:45:03 2005 Subject: [SC-Help] Paypal/Ebay reporting error (deputies?) 
References:
Message-ID:

In article , "David Butler" writes:
>
> Paypal and Ebay ARE their own ISPs and have email addresses specifically for
> phishing and spoofing. They want these reports or they would not have the
> addresses so set up. Perhaps I should have mentioned this earlier...

From examining how they work, the spoof@[paypal|ebay] feeds an automatic
parser like spamcop.net's.

It seems to only be able to handle something that looks closely like a
forward as attachment, which is a change from what their instructions on
their web site said to do. Previously the instructions were to forward it
inline with no quoting and preserving the header, an option that I can not
find on Mozilla.

I have not checked their web site recently to see if they changed the
instructions.

I suspect that they can not handle a spamcop.net report format.

-John
wb8tyw@qsl.network
Personal Opinion Only

From voeller_9 at yahoo.it Wed Apr 20 01:01:09 2005
From: voeller_9 at yahoo.it (voeller_9@yahoo.it)
Date: Wed Apr 20 03:05:08 2005
Subject: [SC-Help] spam
Message-ID:

How can I receive spam? I need it. (I'm not crazy..=P)
Please help me

voeller_9@yahoo.it
rizzitelli_11@yahoo.it

From bar_n0ne at hotmail.com Wed Apr 20 13:24:07 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Wed Apr 20 04:25:07 2005
Subject: [SC-Help] Re: spam
References:
Message-ID:

wrote in message
news:df276cc6.0504192301.6f90672b@posting.google.com...
> How can I receive spam? I need it. (I'm not crazy..=P)
> Please help me
>
> voeller_9@yahoo.it
> rizzitelli_11@yahoo.it

If those are your addresses, you just helped yourself.

You can also get spam from a friend and unsubscribe from it with your own
email address.

From nobody at devnull.spamcop.net Wed Apr 20 09:10:04 2005
From: nobody at devnull.spamcop.net (Glenn Daniels)
Date: Wed Apr 20 08:10:03 2005
Subject: [SC-Help] Re: spam
References:
Message-ID:

"Berny" wrote in message
news:d453j9$fkf$1@news.spamcop.net...
> wrote in message > news:df276cc6.0504192301.6f90672b@posting.google.com... > > How can I receive spam? I need it. (I'm not crazy..=P) > > Please help me > > > > voeller_9@yahoo.it > > rizzitelli_11@yahoo.it > > If those are your addresses, you just helped yourself. > > you can also get spam from a friend and unsubscribe from it with your own > email address. > > Absolutely agree! Unsubscribing is the best way to verify a spamabusable email address. And opening spamitems helps, too. Glenn From ob1db at spamcop.net Wed Apr 20 13:00:45 2005 From: ob1db at spamcop.net (David Butler) Date: Wed Apr 20 12:05:31 2005 Subject: [SC-Help] Paypal/Ebay reporting error (deputies?) References: Message-ID: "Spam Hater" wrote in message news:mailman.138.1113931728.4572.spamcop-help@news.spamcop.net... > Yes, you are absolutely correct with what you state below. The difference of > opinion here is how you go about reporting to these "ISPs". Personally, I > forward all SPAM to SpamCop. I also CC: the FCC on all my SPAM. A: you are top posting AGAIN B: do you mean FCC or FTC ? FTC is where I understand spam complaints should go. You have a valid FCC spam address ? > snip > To the rest of the > world, it looks as if these companies have been using SPAM to advertise > their web sites! Is this the intent you had in mind??? > No. I will switch to user notify. Thanks to all for clarifying! David From viraptor at kni.cutme.prz.rzeszow.pl Thu Apr 21 09:23:11 2005 From: viraptor at kni.cutme.prz.rzeszow.pl (Viraptor) Date: Thu Apr 21 02:25:04 2005 Subject: [SC-Help] Re: Parse Failures Today In-Reply-To: References: Message-ID: SpamCop Admin wrote: > The problem has been fixed and new code published. Not really. I got "No ip" error now. Report id = z754633844z84ea7542e19240f15a7ff405b09ea65cz if that helps. 
From ppearson at cop-spam.net Thu Apr 21 11:34:11 2005 From: ppearson at cop-spam.net (Peter Pearson) Date: Thu Apr 21 13:35:04 2005 Subject: [SC-Help] Filter: limited to "contains" and "doesn't contain" Message-ID: I'm a subscriber to Spamcop's email service. I want to create a filter that reacts to digits appearing in words, using the regular expression [a-zA-Z][01][a-zA-Z]. On the filter-building page for my Spamcop email account, I can select "Subject" and "contains" and specify the regular expression, but from the Help popup I understand that I must select "regexp" to get regular-expression matching. Perplexingly, "regexp" is not offered by the type-of-comparison selector: only "contains" and "doesn't contain" are offered. I've scrutinized the official and unofficial FAQs, Googled Web and Groups, and perused the entire Options menu looking for an "I'm a novice so don't show me any complex options" checkbox to uncheck, all to absolutely no avail. How can I get the regular-expression matching described in the Filter-Rule help popup? Thanks - Peter -- To email me, swap the words adjoining the hyphen and delete it. From ariane at freenet.de Fri Apr 22 04:09:10 2005 From: ariane at freenet.de (Ariane) Date: Thu Apr 21 21:10:07 2005 Subject: [SC-Help] Re: Meine geilen Bilder Message-ID: <42684dad$0$17971$6d4158fb@reader-1.xsnews.nl> Hi, hier sind meine geilen Bilder! My nude Pics!!! http://www.geile-tipps.info/go/ -- Posted by News Bulk Poster Unregistered version From avoozl at spamcop.net Fri Apr 22 09:54:24 2005 From: avoozl at spamcop.net (Chris F. Willoughby) Date: Fri Apr 22 11:55:25 2005 Subject: [SC-Help] Re: Parse Failures Today References: Message-ID: I'm running into the issue as well still.. Chris "SpamCop Admin" wrote in message news:g10e6155r16p1ub352i395fih6557im1r2@4ax.com... > New code we published today caused some "no source IP" parse failures > for users with Mailhosts configured. > > The problem has been fixed and new code published. 
>
> - Don -

From nobody at spamcop.net Fri Apr 22 18:12:37 2005
From: nobody at spamcop.net (Ellen)
Date: Fri Apr 22 17:20:04 2005
Subject: [SC-Help] System outage
Message-ID:

The system is down and we have people working on the problem.
Unfortunately I do not have an estimated time to repair.

If someone would propagate this to the forums I would appreciate it!

Ellen
SpamCop

followups to spamcop

From nobody at spamcop.net Fri Apr 22 20:19:48 2005
From: nobody at spamcop.net (Ellen)
Date: Fri Apr 22 19:25:44 2005
Subject: [SC-Help] The system is back up
Message-ID:

Thanks!

Ellen
SpamCop

From ob1db at spamcop.net Fri Apr 22 21:55:35 2005
From: ob1db at spamcop.net (David Butler)
Date: Fri Apr 22 21:00:03 2005
Subject: [SC-Help] Re: Parse Failures Today
References:
Message-ID:

"SpamCop Admin" wrote in message
news:g10e6155r16p1ub352i395fih6557im1r2@4ax.com...
> New code we published today caused some "no source IP" parse failures
> for users with Mailhosts configured.
>
> The problem has been fixed and new code published.
>

I don't even use mailhosts and half my submissions failed. WHAT HAVE YOU
DONE !???

From nobody at devnull.spamcop.net Fri Apr 22 21:52:12 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Fri Apr 22 22:00:03 2005
Subject: [SC-Help] Re: Parse Failures Today
References:
Message-ID:

"Chris F. Willoughby" wrote in message
news:d4b6n9$nfg$1@news.spamcop.net...
> I'm running into the issue as well still..
>

In response to users posting over in the web-Forum that
provided Tracking URLs, notification of continuing issues
has been sent upstream.

From ob1db at spamcop.net Sat Apr 23 13:49:50 2005
From: ob1db at spamcop.net (David Butler)
Date: Sat Apr 23 12:55:08 2005
Subject: [SC-Help] Re: Parse Failures Today
References:
Message-ID:

"WazoO" wrote in message
news:d4c9v5$b2v$1@news.spamcop.net...
> "Chris F. Willoughby" wrote in message
> news:d4b6n9$nfg$1@news.spamcop.net...
> > I'm running into the issue as well still..
> >
> In response to users posting over in the web-Forum that
> provided Tracking URLs, notification of continuing issues
> has been sent upstream.

I am not even getting trackers! Just utter parse failure and so spam found
errors. Seems to have stopped now.

From NoSpam at NoSpam.com Sat Apr 23 21:24:22 2005
From: NoSpam at NoSpam.com (Tom Ruehle)
Date: Sat Apr 23 22:25:21 2005
Subject: [SC-Help] THEHOTTESTTHINGAROUND.COM
Message-ID:

I have been getting spam from the same group for months now. The domain
names change but they are all registered to the same company
(THEHOTTESTTHINGAROUND.COM) in Canada. Without fail SpamCop is never
able to resolve any of their names and yet they are always pingable for
me. What is going on?

--------------------------------------------------------------------------------------
X-YPOPs-Folder: Inbox
X-Apparently-To: x via 216.109.117.231; Fri, 22 Apr 2005 11:41:18 -0700
X-Rocket-Spam: 69.228.162.29
X-YahooFilteredBulk: 69.228.162.29
Authentication-Results: mta141.mail.dcn.yahoo.com from=jmhgturxpwse.backpost.biz; domainkeys=neutral (no sig)
X-Originating-IP: [69.228.162.29]
Return-Path:
Received: from 69.228.162.29 (EHLO cildcft.backpost.biz) (69.228.162.29) by mta141.mail.dcn.yahoo.com with SMTP; Fri, 22 Apr 2005 11:38:50 -0700
From: "Limited Promotion"
To:
Subject: Review stores in your area
Date: Fri, 22 Apr 2005 11:41:20 -0800
MIME-Version: 1.0
Content-Type: text/html;
Content-Length: 1493
From bar_n0ne at hotmail.com Sun Apr 24 10:20:52 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Sun Apr 24 01:25:03 2005
Subject: [SC-Help] Re: THEHOTTESTTHINGAROUND.COM
References:
Message-ID:

"Tom Ruehle" wrote in message
news:d4f00m$jl7$1@news.spamcop.net...
> I have been getting spam from the same group for months now. The domain
> names change but they are all registered to the same company
> (THEHOTTESTTHINGAROUND.COM) in Canada. Without fail SpamCop is never
> able to resolve any of their names an yet they are always pingable for
> me. What is going on?
>

First, NEVER post SPAM as you did, if you feel the need you can post a
tracker (the link at the top of a parse) or post in .spam.

Now, it seems the name servers also owned by the same outfit, which by the
way has moved around Canada, from Nanaimo to Laval and still uses the name
Software Factory Solutions seem to have conspired, along with MCI to block
SpamCop queries.

I bet the registration address is a mailboxes etc or similar type POBox
which forwards the mail, or trashes it, I doubt the offender is ever near
the registered addresses, possibly never even in Canada.

They must have had a pink contract with ATMLinkInc and CalPOP for spamming
for quite a while but seem to have had to move to SBCGlobal recently which
seems to be trying to compete with kornet, tietong, cnc-noc and the
hana-fools for spammer business. I've noticed more and more spam sourced
from SBCGlobal and a few websites recently.

Anyway this jerk's crap doesn't trickle out of a zombie net, it comes from a
relatively stable netblock cycling through 1-255 of the last quartet in its
IP space, so it's a kind of "mainsleaze".

There are some threads on SBCGlobal in news.spamcop, and others relating to
this spew.
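
The "stable netblock" pattern described in the reply above can be checked from the Received lines of the reported messages. This is an added example, not part of the original posts: it parses the Received format shown in the quoted headers, collapses the random host labels to a parent domain, and groups sources by /24. The function names, the second and third sample lines, and the two-label parent-domain rule are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Two shapes of the "from" clause in a Received header:
#   from 69.228.162.29 (EHLO host.example) (69.228.162.29) by ...  (as in the post)
#   from host.example (rdns.example [192.0.2.7]) by ...
_EHLO_STYLE = re.compile(
    r"from\s+\S+\s+\((?:EHLO|HELO)\s+(?P<helo>[^\s)]+)\)\s+\((?P<ip>[0-9.]+)\)", re.I)
_BRACKET_STYLE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\([^)]*?\[(?P<ip>[0-9.]+)\]\)", re.I)


def parse_received(header):
    """Return (helo_name, source_ip) from one Received header, or None."""
    for pattern in (_EHLO_STYLE, _BRACKET_STYLE):
        m = pattern.search(header)
        if not m:
            continue
        try:
            ip = ipaddress.IPv4Address(m.group("ip"))
        except ipaddress.AddressValueError:
            return None  # looks like an address but is not a valid one
        return m.group("helo").rstrip(".").lower(), str(ip)
    return None


def parent_domain(host):
    """Collapse a host name to its last two labels, ignoring a trailing root dot.

    Assumption: two labels approximate the registered domain. A production
    tool would consult the Public Suffix List for names such as example.co.uk.
    """
    labels = [part for part in host.lower().rstrip(".").split(".") if part]
    return ".".join(labels[-2:])


def cluster_sources(headers, prefix=24):
    """Group parsed sources by netblock: {cidr: {"ips": set, "domains": set}}."""
    blocks = defaultdict(lambda: {"ips": set(), "domains": set()})
    for header in headers:
        parsed = parse_received(header)
        if parsed is None:
            continue
        helo, ip = parsed
        net = str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
        blocks[net]["ips"].add(ip)
        blocks[net]["domains"].add(parent_domain(helo))
    return dict(blocks)


def repeat_blocks(headers, min_ips=2):
    """Netblocks seen with at least min_ips distinct source addresses."""
    return {net: info for net, info in cluster_sources(headers).items()
            if len(info["ips"]) >= min_ips}


SAMPLE_HEADERS = [
    # Taken from the headers quoted in the thread.
    "Received: from 69.228.162.29 (EHLO cildcft.backpost.biz) (69.228.162.29) "
    "by mta141.mail.dcn.yahoo.com with SMTP; Fri, 22 Apr 2005 11:38:50 -0700",
    # Constructed: an address and host label from the thread combined into a
    # second message from the same netblock.
    "Received: from 69.228.162.13 (EHLO jmhgturxpwse.backpost.biz) (69.228.162.13) "
    "by mta141.mail.dcn.yahoo.com with SMTP; Fri, 22 Apr 2005 12:02:11 -0700",
    # Constructed: unrelated sender in a documentation address range.
    "Received: from mail.example.net (mail.example.net [192.0.2.7]) "
    "by mx.example.org with ESMTP; Fri, 22 Apr 2005 12:05:00 -0700",
]

if __name__ == "__main__":
    for net, info in repeat_blocks(SAMPLE_HEADERS).items():
        print(net, sorted(info["ips"]), sorted(info["domains"]))
```

A block that keeps reappearing with one parent domain behind many random host labels is a candidate for a single netblock-level filter rule or a consolidated report to the provider.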
From I_Report_Spam at webtv.net Sun Apr 24 01:15:58 2005
From: I_Report_Spam at webtv.net (DJ Mike)
Date: Sun Apr 24 03:25:25 2005
Subject: [SC-Help] Re: THEHOTTESTTHINGAROUND.COM
References:
Message-ID: <24090-426B47AE-219@storefull-3274.bay.webtv.net>

Since spamcop doesn't resolve domains on 69.228.162.13, I keep a list of
domains hosted there so I don't spend time looking them up every time:

http://eclecticdjs.com/mike/spam/spam-4-05.html#mci

Since they know mci ignores complaints they never change their IP.

From bar_n0ne at hotmail.com Sun Apr 24 12:59:30 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Sun Apr 24 04:00:05 2005
Subject: [SC-Help] Re: THEHOTTESTTHINGAROUND.COM
References: <24090-426B47AE-219@storefull-3274.bay.webtv.net>
Message-ID:

"DJ Mike" wrote in message
news:24090-426B47AE-219@storefull-3274.bay.webtv.net...
> Since spamcop doesn't resolve domains on 69.228.162.13, I keep a list of
> domains hosted there so I don't spend time looking them up every time:
>
> http://eclecticdjs.com/mike/spam/spam-4-05.html#mci
>
> Since they know mci ignores complaints they never change their IP.

Interesting my IP (always the same) is different from yours, 63.82.96.35

From null at null.com.none Sun Apr 24 15:45:53 2005
From: null at null.com.none (Martin)
Date: Sun Apr 24 09:50:04 2005
Subject: [SC-Help] Re: SpamCop Running Slowly
References:
Message-ID:

I think you would be better off just deleting the mail queue and starting
afresh, my last submissions came back 25 hours after I submitted them, it's
getting worse not better.

Since they are coming back so long after submitting I am just canceling
them, not worth reporting if they are more than 12 hours old IMO

Martin

"SpamCop Admin" wrote in message
news:mq1l61dssesvkibj5nbfbljr8n3po389me@4ax.com...
> The system is currently running at near-overload while it works its
> way through the backlog of spam submissions created by the outage
> yesterday. You can expect delays and sluggishness.
> > The situation is expected to continue through the weekend, and since > Monday and Tuesday are the biggest reporting days, it may be slow > then, too. > > The IT guys say that things are running properly and that they're > keeping an eye on it. > > - Don - From I_Report_Spam at webtv.net Sun Apr 24 10:22:14 2005 From: I_Report_Spam at webtv.net (DJ Mike) Date: Sun Apr 24 12:35:05 2005 Subject: [SC-Help] Re: THEHOTTESTTHINGAROUND.COM References: Message-ID: <22259-426BC7B6-380@storefull-3277.bay.webtv.net> From: bar_n0ne@hotmail.com (Berny) >"DJ Mike" > wrote in message >news:24090-426B47AE-219@storefull-32 >74.bay.webtv.net... >>Since spamcop doesn't resolve >> domains on 69.228.162.13, I keep a >> list of domains hosted there so I don't >> spend time looking them up every >> time: >>http://eclecticdjs.com/mike/spam/spam- >>4-05.html#mci >>Since they know mci ignores >> complaints they never change their IP. >Interesting my IP (always the same) is > different from yours, 63.82.96.35 My mistake. 69.228.162.13 (sbcglobal.net) is the IP they are being sent from. 63.82.96.35 (MCI) is the IP where the web sites live. Would be nice if I could have email from 69.228.162.13 directed to Trash before spamcop's filter directs it to Held. Or bounced back to sbcglobal.net. From nobody at devnull.spamcop.net Sun Apr 24 13:05:14 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Sun Apr 24 13:10:04 2005 Subject: [SC-Help] Forum FAQ entry list Message-ID: Not done since January, here's an entry list of the web-Forum FAQ, which incorporates the www.spamcop.net FAQ data/links. Not going to do an HTML version, and adding in the link data would simply end up being too huge and messy. The actual item is found at http://forum.spamcop.net/forums/index.php?showtopic=2238 Last Revised : 24 April 2005 SpamCop Glossary SpamCop FAQ .... (FAQ = Frequently Asked Questions) Overview of SpamCop Services - (somebody deleted this entry ... best replacement seems to be the following ...) 
How does SpamCop reporting work? Why am I Blocked? Has your email been blocked? (ISP, Mailing List Admin, Advertiser) SpamCop Blocking List - Am I listed? Why am I getting all these bounces? Why does SpamCop want to send a report to my own network administrator? Password Problems? Am I running mailing lists responsibly? Updated! Outlook 2003 REG hack to work around MIME issues Alternate Outlook 2003/XP e-mail submit methods NEW Why Outlook Express Forward doesn't work / Secure E-Mail Handling E-Mail Address Removal, Unsubscription, & Listwashing Yahoo Groups Mail Blocked? Say NO to the Challenge/Response Lunacy Cost of Spam Spammer Rules How can I contact a SpamCop representative? How To Ask Questions The Smart Way (language issue, but there really is only one defintion for RTFM) SpamCop Parsing and Reporting Service What is this? How does it work? How do I use it? SpamCop Analogous to a Credit Reporting Agency? How do I sign up? Rules - everybody read! (recent changes made ... you may need to re-look) What do I need to know to get started reporting spam? Parsing & Reporting spam - decisions, problems How do I get my email program to reveal the full, unmodified email? How do I configure Mailhosts for SpamCop? NEW One version of a Step-by-step MailHost set-up How do I submit spam via email? E-Mail spam submittals blocked by your ISP? Emailed Spam Submissions Disappearing? No Confirmation e-mails? What is Quick Reporting? How can I unsend a Report? "Header incomplete, aborting." and "No source IP address found, cannot proceed." Causes of "Would send" and "If reported today, reports would be sent to:" messages SpamCop said "No reports filed." What does it mean? Member and account management questions Why was my authorization revoked? Is there a limit on reporting spam? -----> 3,000 per day -----> not older than 48 hours Why did my spam load increase after I started Reporting? What is mole reporting? How do I set up SpamAssassin to work with SpamCop? 
NEW Can I automatically forward spam from my spamtraps? SpamCop Email System & Accounts What is this SpamCop Mail Service? What is the cost? How do I sign up? How do I setup my account? SpamCop E-Mail Account Storage Quota / Limit I can report and trash but not Delete from Held Folder Jeff G.'s Guide to accessing SpamCop email using OE and IMAP How do I sign up for multiple accounts under the family plan? Discounted Additional Account, more detail When does my account expire? How do I renew my account? I forgot my Password How I use my SpamCop E-Mail account examples Blocking and Blackhole lists available How To Stop Filtering With The SCBL, for SpamCop Email System Customers FAQ about the Personal Blacklist and Whitelist FAQ about POP'ing out of SpamCop Email System "POP Configuration" Setup FAQ about WebMail FAQ about Webmail: Deleting and Moving Messages WebMail Login problems & General Slowness, First things to check FAQ about IMAP IMAP - Deleting E-Mail How to save Sent Mail in SpamCop Webmail FAQ about Filtering and Held Mail FAQ about the personal webmail filters, Client filters within webmail Messages not Filtered - Why? Jeff G.'s Guide to SpamCop Quick Reporting from a SpamCop E-Mail Account Does SpamCop work with AOL/MSN/Hotmail? I want email to go from myaccount@myemail.com and back to the same account. Is this possible? When does my account expire? Where can I get further assistance? Why can't I receive any email? Getting Mail From The SpamCop Email System IMP/Horde FAQ SpamCop Blocking List Service How do I configure my mailserver to reject mail based on the blocklist? What is on the list? How can I be de-listed One-time automatic BL De-listing How much does it cost? Is it possible to download the entire blocklist? How can I check if an IP is on the list? If my IP is listed, does it mean I am a spammer or my ISP hosts spammers? Why can't I get to the blocking list from ATT's network? General Information about SpamCop How can I get help? 
How can I report a bug? How can I suggest a feature? What are the rules for posting to the forum? May I create a link to SpamCop from my site? Can I get a copy of the source code for SpamCop? Who is Julian Haight? Why did I get a spam promoting SpamCop? What are some general tips for responding to questions in the forum? Adding items to the FAQ Features and Bugs Use the parser without reference to your mailhosts configuration Non-SpamCop information Make an anonymous donation to support SpamCop Can I advertise on SpamCop? Help for abuse-desks and administrators These are questions commonly asked by Internet Service Providers. Users of SpamCop need not read this (skip on down a few sections), but may find it interesting. You have probably arrived here because of a SpamCop report. Please read the introduction for information about the report you are viewing. Introduction - What is this thing? How does it work? I have been falsely and/or maliciously accused of spamming, what can I do? How can I contact a real person about this? Interacting with SpamCop and it's users: You are mailbombing me! How can I make it stop? How can I get SpamCop reports about my network? How do I register an abuse@ email address? How can I get removed from SpamCop's blocking system? Once I close a spammer's account, how can I prevent others reporting it? How can I respond to spam complaints via email? How can I control what type of reports I receive? You've munged the header... How do I get in touch with the person who filed the complaint? Help with SpamCop reports and spam in general Robots: Mailing lists and autoresponders I didn't originate the spam. My server might have relayed this message. Why report it to me? What does a SpamCop Report look like? Why did SpamCop report this usenet message to me? General questions: Who appointed you the "cop" of the internet? Where do you get off? My web site got terminated/threatened because of SpamCop, but I did not send the spam. What's the big idea? 
Why did SpamCop submit my server to relay-testing sites? What is your opinion of FFA (free for all) pages? How do Deputies respond to appeals? Abuse-queue management tools Assistance stopping spam: I'm receiving spam reports, but my mail server logs don't reflect it. Why? HTTP Proxies (Cisco / Squid / Mailtraq) Formmail Open Relay Servers Adding BLs to Postfix Spam-sending malware But my Exchange 2000 server is secured against relaying! How can I control spam from my network? How can I control unsolicited bounces? SOCKS Proxy Servers Links to help with removing open proxies Other information, help and links What other sites should I visit to help fight spam? CAN-SPAM Act of 2003 - Bill Number S.877 for the 108th U.S. Congress Abuse.net's introduction to spam: What is it and why is it bad? Elsop's anti-spam page - lots of other links to more information U.S. FTC Spam page for the Consumer spam uce.gov replaces uce ftc.gov SamSpade - tools for the unix-deprived and other good info Bestprac.com - A guide for all types of users on how to avoid spamming abuse.net - ISP abuse address clearinghouse Realtime blackhole list - blocking of selected email servers Spamhaus - Lists ISPs who keep organized spamming alive Spam Links - Many Resources, Definitions, and Tools The SpamCon Foundation (formerly suespammers.org) The author of this software, Julian Haight Net abuse jargon file - Cues for the acronym challenged Net abuse FAQ - all about spam An organization to fight "street spam" - those unsightly weight loss signs on the highway. Reading Email Headers. Sneakemail is a service that gives you more control over the emails you receive. SpamList is a config file for sendmail which agressively blocks spam. Use with caution. 
SPEWS is not SpamCop, SpamCop is not SPEWS - Note the spelling SpamWars, a humorous kill-the-spammer browser-based game Monitoring and reporting worm/hacking activity Marjolein's Ban Spam page The Crystal Cave - News, Tools, Resources to combat Spam Surf the Internet Safely Outlook & Exchange Solutions Center Inside Outlook Express Anti-Phishing Working Group U.S.DoJ Identity Theft and Fraud Information Follow the Money; or, why does my computer keep getting infested with spyware? Phone number spam Recursos anti-spam en español Campaña anti-spam de El Espectador (Uruguay) Información básica acerca del 'spam' Credit and thanks Noting that the above link is Julian's credit / contributor list for the stuff found at spamcop.net and JT's newsgroup and e-mail support. What follows is my list of credit for the web-based Forum stuff .... for starters, the contributors to this existing FAQ (not sure I've got a 100% identity list, don't have permission to use real names, and will probably add more items into this FAQ and forget to update this list .. apologies in advance for missing the kudos and correct attributions) ... and just to keep things a bit off-kilter, in reverse alphabetical order; WB8TYW turetzsr (who does request to be known as Steve T) studog StevenUnderwood petzl PeterJ Miss Betsy Merlyn JeffG dbiel DavidT agsteele From eddie at eddie.web Sun Apr 24 17:53:14 2005 From: eddie at eddie.web (eddie) Date: Sun Apr 24 16:55:03 2005 Subject: [SC-Help] Re: THEHOTTESTTHINGAROUND.COM References: <22259-426BC7B6-380@storefull-3277.bay.webtv.net> Message-ID: On Sun, 24 Apr 2005 09:22:14 -0700, DJ Mike scratched out the following: > My mistake. 69.228.162.13 (sbcglobal.net) is the IP they are being sent > from. 63.82.96.35 (MCI) is the IP where the web sites live. > > Would be nice if I could have email from 69.228.162.13 directed to Trash > before spamcop's filter directs it to Held. Or bounced back to > sbcglobal.net. 
It's always good to post these IPs in the spam forums with a subject like
"I enjoy constant pinging" or some such thing. If they want visitors, let
them have them.
NG's such as *.spamtrap, *.spam, *.spamming etc are good groups in which
to enter IP addresses "of interest" to the world.

--
Once movie theaters gave out steak knives
Today they confiscate them

From bar_n0ne at hotmail.com Mon Apr 25 17:57:49 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Mon Apr 25 09:00:09 2005
Subject: [SC-Help] Re: THEHOTTESTTHINGAROUND.COM
References: <22259-426BC7B6-380@storefull-3277.bay.webtv.net>
Message-ID:

"eddie" wrote in message
news:pan.2005.04.24.20.53.14.777000@eddie.web...
> On Sun, 24 Apr 2005 09:22:14 -0700, DJ Mike scratched out the following:
>
>
> > My mistake. 69.228.162.13 (sbcglobal.net) is the IP they are being sent
> > from. 63.82.96.35 (MCI) is the IP where the web sites live.
> >
> > Would be nice if I could have email from 69.228.162.13 directed to Trash
> > before spamcop's filter directs it to Held. Or bounced back to
> > sbcglobal.net.
>
> It's always good to post these IPs in the spam forums with a subject like
> "I enjoy constant pinging" or some such thing. If they want visitors, let
> them have them.
> NG's such as *.spamtrap, *.spam, *.spamming etc are good groups in which
> to enter IP addresses "of interest" to the world.
>
> --
> Once movie theaters gave out steak knives
> Today they confiscate them

There is something very fishy with 63.82.96.35
SC always tries to parse the links, and a parse Always takes forever, often
SEVERAL minutes, and then gives up and calls the sites fake.
Tracert goes into stealth mode (returns *.*.*.*) as soon as the tracing
leaves my netspace and enters MCI
You cannot ping these sites (firewalled I imagine)
MCI is up to their necks with supporting this site.
Yahoo and SBC have joined in Cable and DSL services about the same time my Yahoo account started receiving this spew (by the way, that account is a pure spamtrap, no mails sent for over 4 years, and this spew started a few months ago) interestingly this Yahoo account has an apparent address in SBC's service area, Did Yahoo pass on the addy?

Well of course this outfit started spamming from ATMLinkinc and Calpop space so the SBC/Yahoo link is very speculative or does SBC lord over ATMLinkinc space now? I don't follow all the takeovers and ownerships.

From jr70 at blackhole.invalid Mon Apr 25 09:42:00 2005
From: jr70 at blackhole.invalid (John Richards)
Date: Mon Apr 25 11:45:17 2005
Subject: [SC-Help] Re: Parse Failures Today
References:
Message-ID:

"David Butler" wrote in message news:d4duce$33p$1@news.spamcop.net...
> "WazoO" wrote in message
> news:d4c9v5$b2v$1@news.spamcop.net...
>> "Chris F. Willoughby" wrote in message
>> news:d4b6n9$nfg$1@news.spamcop.net...
>> > I'm running into the issue as well still..
>> >
>> In response to users posting over in the web-Forum that
>> provided Tracking URLs, notification of continuing issues
>> has been sent upstream.
>
>
> I am not even getting trackers! Just utter parse failure and so spam found
> errors. Seems to have stopped now.

I'm having trouble this morning with the SC parser calling genuine sources "fake" including my own ISP. I assume it's caused by some lookup process timing out.

--
Gary VanderMolen

From MikeE at ster.invalid Mon Apr 25 14:33:09 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Apr 25 16:35:04 2005
Subject: [SC-Help] Re: Parse Failures Today
References:
Message-ID:

John Richards wrote:
> I'm having trouble this morning with the SC parser calling genuine
> sources "fake" including my own ISP. I assume it's caused by some
> lookup process timing out.

Yes -- don't take SC's language seriously. When it can't resolve something it sez that.
--
Mike Easter
kibitzer, not SC admin

From I_Report_Spam at webtv.net Mon Apr 25 20:06:52 2005
From: I_Report_Spam at webtv.net (DJ Mike)
Date: Mon Apr 25 22:20:07 2005
Subject: [SC-Help] Re: THEHOTTESTTHINGAROUND.COM
References:
Message-ID: <17000-426DA23C-545@storefull-3272.bay.webtv.net>

From: bar_n0ne@hotmail.com (Berny)

> There is something very fishy with
> 63.82.96.35
> SC always tries to parse the links, and
> a parse Always takes forever, often
> SEVERAL minutes, and then gives up
> and calls the sites fake.

Some time ago, someone posted a similar situation. In that case, there was a name server not listed in the whois. The listed name servers did nothing and you got passed on to the unlisted one. The process took so long that SC just gave up.

> Tracert goes into stealth mode (returns
> *.*.*.*) as soon as the tracing leaves my
> netspace and enters MCI

Before I made my list, I did my tracerouted them through Opus One: http://www.opus1.com/www/traceroute.html which is on MCI. I like the idea of using their bandwidth without paying for it.

I noticed that the Return-Path contains the domain name in this format: [random string][dirty domain name].com. I added a couple of them to my blocked addresses like this: [dirty domain name].com to see if they would get blocked w/o the random string.

Getting pretty fed up with them. They spam me more than almost all other sources put together.

From / at /.cn Wed Apr 27 10:07:38 2005
From: / at /.cn (Petzl)
Date: Tue Apr 26 19:10:05 2005
Subject: [SC-Help] Re: SpamCop Running Slowly
References:
Message-ID:

"Martin" wrote in message news:d4g7uh$7if$1@news.spamcop.net...
> I think you would be better off just deleting the mail queue and starting
> afresh, my last submissions came back 25 hours after I submitted them, it's
> getting worse not better.
> Since they are coming back so long after submitting I am just canceling
> them, not worth reporting if they are more than 12 hours old IMO
>
> Martin
>

probably a good idea for a temporary time reduce the load by only accepting reports that are 24 hours Until system catches up?

Petzl

From nospam at fuck-off-and-die.com Wed Apr 27 18:22:16 2005
From: nospam at fuck-off-and-die.com (Kadaitcha Man)
Date: Wed Apr 27 07:40:03 2005
Subject: [SC-Help] Re: THEHOTTESTTHINGAROUND.COM
References:
Message-ID: <6ae940cefe4b4129805ee0dc4e34dbe3@alt.binaries.erotica.up-the-duff>

Berny, , the docile, septic flatworm, and assistant to the shot firer in the pits, groaned:

> First, NEVER post SPAM

Why not?

From bar_n0ne at hotmail.com Wed Apr 27 17:38:11 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Wed Apr 27 08:40:27 2005
Subject: [SC-Help] Re: THEHOTTESTTHINGAROUND.COM
References: <6ae940cefe4b4129805ee0dc4e34dbe3@alt.binaries.erotica.up-the-duff>
Message-ID:

"Kadaitcha Man" wrote in message news:6ae940cefe4b4129805ee0dc4e34dbe3@alt.binaries.erotica.up-the-duff...
> Berny, , the docile, septic flatworm, and assistant to
> the shot firer in the pits, groaned:
>
>
> > First, NEVER post SPAM
>
> Why not?

Because, if it's left around at room temperature, out of the can, it begins to smell after a day or so.

spam of course, has its own newsgroup; .spam , where you may post spam to your heart's content.

From h9vzc2i02 at sneakemail.com Wed Apr 27 08:45:38 2005
From: h9vzc2i02 at sneakemail.com (Anon_)
Date: Wed Apr 27 10:45:05 2005
Subject: [SC-Help] Re: THEHOTTESTTHINGAROUND.COM
References: <6ae940cefe4b4129805ee0dc4e34dbe3@alt.binaries.erotica.up-the-duff>
Message-ID:

"Berny" wrote in message news:d4o13j$p2s$1@news.spamcop.net...
> "Kadaitcha Man" wrote in message
> news:6ae940cefe4b4129805ee0dc4e34dbe3@alt.binaries.erotica.up-the-duff...
> > Berny, , the docile, septic flatworm, and assistant
> to
> > the shot firer in the pits, groaned:
> >
> >
> > > First, NEVER post SPAM
> >
> > Why not?
>
> Because, if it's left around at room temperature, out of the can, it begins
> to smell after a day or so.
>
> spam of course, has its own newsgroup; .spam , where you may post spam to
> your heart's content.
>
>

** Main reason is that we get enough spam sent to US without reading YOUR spam too. Just think, if everyone posted their spam there would be no room for any posts to be posted. Best to post tracker here or spam in .spam ng.

--
A SpamCop user and forum reader, Not Admin ***

From nospam at fuck-off-and-die.com Thu Apr 28 10:42:33 2005
From: nospam at fuck-off-and-die.com (Kadaitcha Man)
Date: Thu Apr 28 00:00:05 2005
Subject: [SC-Help] Re: THEHOTTESTTHINGAROUND.COM
References: <6ae940cefe4b4129805ee0dc4e34dbe3@alt.binaries.erotica.up-the-duff>
Message-ID: <7651876dfc234ded9084d7da137209b5@soc.med.fizzing.at.the.bunghole>

Berny, , the degenerate, hidebound felcher, and mangle wringer, bickered:

> "Kadaitcha Man" wrote in message
> news:6ae940cefe4b4129805ee0dc4e34dbe3@alt.binaries.erotica.up-the-duff...
>> Berny, , the docile, septic flatworm, and
>> assistant to the shot firer in the pits, groaned:
>>
>>
>>> First, NEVER post SPAM
>>
>> Why not?
>
> Because

You failed to qualify your original exhortation. If you meant "Don't post spam in this newsgroup" then you should have said so.

Now, is there a FAQ or charter for spamcop.help? And if so, do either of them forbid spam? If so, next time be more careful with your words. If not, fuck you, you cunt.
From nobody at devnull.spamcop.net Thu Apr 28 01:53:30 2005
From: nobody at devnull.spamcop.net (Cat)
Date: Thu Apr 28 02:00:04 2005
Subject: [SC-Help] Re: THEHOTTESTTHINGAROUND.COM
In-Reply-To: <7651876dfc234ded9084d7da137209b5@soc.med.fizzing.at.the.bunghole>
References: <6ae940cefe4b4129805ee0dc4e34dbe3@alt.binaries.erotica.up-the-duff> <7651876dfc234ded9084d7da137209b5@soc.med.fizzing.at.the.bunghole>
Message-ID:

Kadaitcha Man wrote:
> Berny, , the degenerate, hidebound felcher, and mangle
> wringer, bickered:
>
>
>>"Kadaitcha Man" wrote in message
>>news:6ae940cefe4b4129805ee0dc4e34dbe3@alt.binaries.erotica.up-the-duff...
>>
>>>Berny, , the docile, septic flatworm, and
>>>assistant to the shot firer in the pits, groaned:
>>>
>>>
>>>
>>>>First, NEVER post SPAM
>>>
>>>Why not?
>>
>>Because
>
>
> You failed to qualify your original exhortation. If you meant "Don't post
> spam in this newsgroup" then you should have said so.

Go back and reread Berny's original reply, and you'll see that he did. You just chose to quote part of the original statement. To requote the full sentence:

"First, NEVER post SPAM as you did, if u feel the need you can post a tracker (the link at the top of as parse or post in .spam."

> Now, is there a FAQ or
> charter for spamcop.help? And if so, do either of them forbid spam? If so,
> next time be more careful with your words.

From http://www.spamcop.net/help.shtml the section titled "Newsgroup Posting Rules." Is it really that hard for you to scroll down below the newsgroup list to see where it very plainly says that spam should only be posted to spamcop.spam and not here? Your rudeness and name calling in your previous reply was unnecessary, and you owe Berny an apology.
From I_Report_Spam at webtv.net Thu Apr 28 00:03:24 2005
From: I_Report_Spam at webtv.net (DJ Mike)
Date: Thu Apr 28 02:20:03 2005
Subject: [SC-Help] Re: THEHOTTESTTHINGAROUND.COM
References: <7651876dfc234ded9084d7da137209b5@soc.med.fizzing.at.the.bunghole>
Message-ID: <11323-42707CAC-123@storefull-3272.bay.webtv.net>

He is back to sending from 65.182.142.2 (abuse@xo.com)

By amazing coincidence
NS1.THEHOTTESTTHINGAROUND.COM
IP: 65.182.140.151 (xo.com)
I got that a few weeks ago so they might have moved it by now.

Anyone know how to nominate MCI for a SPEWS listing? Or are they already listed?

From nospam at fuck-off-and-die.com Thu Apr 28 15:44:48 2005
From: nospam at fuck-off-and-die.com (Kadaitcha Man)
Date: Thu Apr 28 05:01:55 2005
Subject: [SC-Help] Re: THEHOTTESTTHINGAROUND.COM
References: <6ae940cefe4b4129805ee0dc4e34dbe3@alt.binaries.erotica.up-the-duff> <7651876dfc234ded9084d7da137209b5@soc.med.fizzing.at.the.bunghole>
Message-ID: <66d282fe847145e1aa5d749c458babed@rec.games.female.panties.sticky>

Cat, , the crappy, thievish bouncer, and maker of straw plaits used in making hats, blew out:

> Kadaitcha Man wrote:
>> You failed to qualify your original exhortation. If you meant "Don't
>> post spam in this newsgroup" then you should have said so.
>
> Go back and reread Berny's original reply, and you'll see that he did.
> You just chose to quote part of the original statement. To requote the
> full sentence:
>
> "First, NEVER post SPAM as you did, if u feel the need you can post a
> tracker (the link at the top of as parse or post in .spam."

One of us is really stupid and it isn't me. First you say "Go back and reread Berny's original reply" then you quote "Berny's original reply". Show me where, in your quoted statement, it indicates anything remotely approaching the notion of "in this group".

>> Now, is there a FAQ or
>> charter for spamcop.help? And if so, do either of them forbid spam?
>> If so, next time be more careful with your words.
>
> From http://www.spamcop.net/help.shtml the section titled "Newsgroup
> Posting Rules." Is it really that hard for you to scroll down below
> the newsgroup list to see where it very plainly says that spam should
> only be posted to spamcop.spam and not here?

"First, NEVER post SPAM as you did", is not the same as "spam should only be posted to spamcop.spam".

> Your rudeness and name
> calling in your previous reply was unnecessary, and you owe Berny an
> apology.

Both you and Berny can go and fuck yourselves with a hot-running, rusty-bladed chainsaw.

From bar_n0ne at hotmail.com Thu Apr 28 14:32:45 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Thu Apr 28 05:35:36 2005
Subject: [SC-Help] Re: THEHOTTESTTHINGAROUND.COM
References: <7651876dfc234ded9084d7da137209b5@soc.med.fizzing.at.the.bunghole> <11323-42707CAC-123@storefull-3272.bay.webtv.net>
Message-ID:

"DJ Mike" wrote in message news:11323-42707CAC-123@storefull-3272.bay.webtv.net...
> He is back to sending from 65.182.142.2
> (abuse@xo.com)
>
> By amazing coincidence
> NS1.THEHOTTESTTHINGAROUND.COM
> IP: 65.182.140.151 (xo.com)
> I got that a few weeks ago so they might have moved it by now.
>
> Anyone know how to nominate MCI for a SPEWS listing? Or are they already
> listed?
>

I don't know the answer to your question but s/he also seems to have switched from SBewGlobal to XO/Imedia for sending the crap. Who owns XO nowadays? I haven't seen a spam from them in ages, Of course I seem to remember them having some fame as listwashers, so perhaps my LARTS will at least stop the spew for me. See the SBCGlobal thread on spamcop.

From MikeE at ster.invalid Thu Apr 28 20:13:12 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Apr 28 22:15:05 2005
Subject: [SC-Help] Re: Help -- Am I reporting myself?
References:
Message-ID:

The .spam group is just for posting spams, discussions take place in spamcop or .help, or even in .mail if it is about a mail issue.
I'm going to crosspost this to .spam and .help and put f/ups to .help

Seahawk wrote:
Subject: Help -- Am I reporting myself?

Yes

> my ISP said they were getting a
> lot of spam complaints about my account and they provided a sample
> spamcop report (e-mail below).

This is about this spam item:

http://www.spamcop.net/sc?id=z756267518zb2feeede0a3655990a78c951d01da47dz

which has these abbreviated Received tracelines:

Abbreviated Received lines *comment
from unknown (192.168.1.103) by blade1.cesmail.net *serves you
from mout.perfora.net (217.160.230.41) by mailgate2.cesmail.net *serves you
from dsl43.rbh1.pppoe.execulink.com[66.203.183.43] by mx.perfora.net *sourceline
from (217.160.230.10) by mx9.uti.com *bogusline

and which SC currently correctly IDs the source as

If reported today, reports would be sent to:
Re: 66.203.183.43 (Administrator of network where email originates)
ipauthorityar@execulink.com

but which appears to have been badly reported because...

Reports regarding this spam have already been sent:
Re: 217.160.230.10 (Administrator of network where email originates)
Reportid: 1410230009 To: abuse@schlund.de

The tracker which I posted is a mailhosts tracker. Because the spamitem parses correctly now, it isn't easy to say why you reported your own provider 217.160.230.10 rDNS mx00.perfora.net at abuse@schlund.com but you did and you shouldn't have.

The proper way to be a reporter is to be aware of who/what you are reporting and to not report your own provider if the parser makes a mistake. That provider reporting will cause you trouble with your provider -- and you will need to be able to develop a plan by which you cease to do that and explain to them that plan in a way that they believe they can trust you to be a client -- either by not being a spamcop reporter or by developing a plan by which you can be both a spamcop reporter and a client.
Your provider is also insisting that you communicate back with them in 3 days what your plan is to cease behaving in an improper way which endangers their ability to deliver mail for all of their clients.

How is it that you would report your own provider? Do you not look at the reports which SC offers to send? Are you some kind of quick reporter? If so, you should cease to be that.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Thu Apr 28 20:25:36 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Apr 28 22:25:03 2005
Subject: [SC-Help] Re: Help -- Am I reporting myself?
References:
Message-ID:

Mike Easter wrote:
> This is about this spam item:
> www.spamcop.net/sc?id=z756267518zb2feeede0a3655990a78c951d01da47dz
>
> which has these abbreviated Received tracelines:
>
> Abbreviated Received lines *comment
> from unknown (192.168.1.103) by blade1.cesmail.net *serves you
> from mout.perfora.net (217.160.230.41) by mailgate2.cesmail.net
> *serves you
> from dsl43.rbh1.pppoe.execulink.com[66.203.183.43] by mx.perfora.net
> *sourceline
> from (217.160.230.10) by mx9.uti.com *bogusline

Incidentally; your own provider's line, #3 of 4 above, 'by mx.perfora.net' is noncompliant in that it does not contain a timestamp. The entire non-abbreviated line sez:

Received: from dsl43.rbh1.pppoe.execulink.com[66.203.183.43] by mx.perfora.net[172.19.34.100] (Nemesis), id 0MKuxu-1DPsAO0DQw-0000Q1

Besides the timestamp, it also needs a space between the 'from' field's IP [66.203.183.43] and that helo or rDNS which precedes it.

None of that has anything to do with this problem I don't think, but whenever you tell your provider's rep Maximilian Ferstl about your plan to cease reporting them as a spamsource, you could also mention these little stamp problems.
--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Fri Apr 29 00:16:30 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Fri Apr 29 00:20:47 2005
Subject: [SC-Help] Re: Help -- Am I reporting myself?
References:
Message-ID:

"Mike Easter" wrote in message news:d4s5rb$42m$1@news.spamcop.net...
>
> Besides the timestamp, it also needs a space between the 'from' field's
> IP [66.203.183.43] and that helo or rDNS which precedes it.

Interesting observation ... per Ellen, Julian just banged some code on this yesterday;
http://forum.spamcop.net/forums/index.php?showtopic=4039&view=findpost&p=27220

From MikeE at ster.invalid Thu Apr 28 22:51:06 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Apr 29 00:50:20 2005
Subject: [SC-Help] Re: Help -- Am I reporting myself?
References:
Message-ID:

WazoO wrote:
> "Mike Easter"
>> Besides the timestamp, it also needs a space between the 'from'
>> field's IP [66.203.183.43] and that helo or rDNS which precedes it.
>
> Interesting observation ... per Ellen, Julian just banged some
> code on this yesterday;
> http://forum.spamcop.net/forums/index.php?showtopic=4039&view=findpost&p=27220

Not to strain at gnats over the timing of the problem, but the date for the tracker for the item we're talking about here which was apparently misparsed was dated Apr 28 20:49 UTC.

But, if the parser was tripping over the missing space and the code wasn't corrected until some time after that, then that would be the explanation for the parser's problem.

That doesn't yet explain the reporter's problem. I don't think the right answer is "The parser was broken but now it is fixed so that won't happen again." I think the right answer should be, "I've been negligent and quick reporting but I'm not going to do that anymore." - or - "Since I don't have time or responsibility to do any better than quick reporting, I've decided to not SpamCop report any more."
If I were Maximilian Ferstl, I wouldn't be settling for any kind of palaver about something being wrong with the parser that was causing my client to be spamcop reporting my server as a spamsource.

--
Mike Easter
kibitzer, not SC admin

From tcarr at spamcop.net Fri Apr 29 23:56:00 2005
From: tcarr at spamcop.net (Seahawk)
Date: Fri Apr 29 23:00:04 2005
Subject: [SC-Help] Re: Help -- Am I reporting myself?
References:
Message-ID:

Hey Mike,

Thank you for the quick feedback -- I appreciate you taking the time to work on my problem.

Yes, I have been doing the "quick" reporting. Frankly I have been getting too many spams to report by hand as I used to (I get several hundred per day).

At this point I am just going to suspend reporting spam and I respect your point. The other part of that argument however, is that if the "quick" report shouldn't be used because it is not reliable, then of course, it shouldn't be provided as an option to be used; we should go back to the old method. Of course, as the reporter, I have the final responsibility and I recognize that such reporting can sometimes be less than perfect.

I have been resisting changing my e-mail because I don't feel like I should have to cave into the spammers, but that is probably the only alternative left.

Thanks again for your help!

"Mike Easter" wrote in message news:d4s543$3kl$1@news.spamcop.net...
> The .spam group is just for posting spams, discussions take place in
> spamcop or .help, or even in .mail if it is about a mail issue. I'm
> going to crosspost this to .spam and .help and put f/ups to .help
>
> Seahawk wrote:
> Subject: Help -- Am I reporting myself?
>
> Yes
>
>> my ISP said they were getting a
>> lot of spam complaints about my account and they provided a sample
>> spamcop report (e-mail below).
>
> This is about this spam item:
>
> http://www.spamcop.net/sc?id=z756267518zb2feeede0a3655990a78c951d01da47dz
>
> which has these abbreviated Received tracelines:
>
> Abbreviated Received lines *comment
> from unknown (192.168.1.103) by blade1.cesmail.net *serves you
> from mout.perfora.net (217.160.230.41) by mailgate2.cesmail.net
> *serves you
> from dsl43.rbh1.pppoe.execulink.com[66.203.183.43] by mx.perfora.net
> *sourceline
> from (217.160.230.10) by mx9.uti.com *bogusline
>
> and which SC currently correctly IDs the source as
>
> If reported today, reports would be sent to:
> Re: 66.203.183.43 (Administrator of network where email originates)
> ipauthorityar@execulink.com
>
> but which appears to have been badly reported because...
>
> Reports regarding this spam have already been sent:
> Re: 217.160.230.10 (Administrator of network where email originates)
> Reportid: 1410230009 To: abuse@schlund.de
>
> The tracker which I posted is a mailhosts tracker. Because the spamitem
> parses correctly now, it isn't easy to say why you reported your own
> provider 217.160.230.10 rDNS mx00.perfora.net at abuse@schlund.com
> but you did and you shouldn't have.
>
> The proper way to be a reporter is to be aware of who/what you are
> reporting and to not report your own provider if the parser makes a
> mistake. That provider reporting will cause you trouble with your
> provider -- and you will need to be able to develop a plan by which you
> cease to do that and explain to them that plan in a way that they
> believe they can trust you to be a client -- either by not being a
> spamcop reporter or by developing a plan by which you can be both a
> spamcop reporter and a client.
>
> Your provider is also insisting that you communicate back with them in 3
> days what your plan is to cease behaving in an improper way which endangers
> their ability to deliver mail for all of their clients.
>
> How is it that you would report your own provider?
> Do you not look at
> the reports which SC offers to send? Are you some kind of quick
> reporter? If so, you should cease to be that.
>
>
> --
> Mike Easter
> kibitzer, not SC admin
>

From h9vzc2i02 at sneakemail.com Sat Apr 30 13:13:29 2005
From: h9vzc2i02 at sneakemail.com (Anon_)
Date: Sat Apr 30 15:15:05 2005
Subject: [SC-Help] Re: Help -- Am I reporting myself?
References:
Message-ID:

"Seahawk" wrote in message news:d4us44$h68$1@news.spamcop.net...
> Hey Mike,
>
> Thank you for the quick feedback -- I appreciate you taking the time to work
> on my problem.
>
> Yes, I have been doing the "quick" reporting. Frankly I have been getting
> too many spams to report by hand as I used to (I get several hundred per
> day).
>
> At this point I am just going to suspend reporting spam and I respect your
> point. The other part of that argument however, is that if the "quick"
> report shouldn't be used because it is not reliable, then of course, it
> shouldn't be provided as an option to be used; we should go back to the old
> method. Of course, as the reporter, I have the final responsibility and I
> recognize that such reporting can sometimes be less than perfect.
>
> I have been resisting changing my e-mail because I don't feel like I should
> have to cave into the spammers, but that is probably the only alternative
> left.

** Quick reporting is fine as long as your isp doesn't scr***w up the headers and cause himself to be reported. It really is unfortunate that an isp scr**p puts you in the wrong light.

--
A SpamCop user and forum reader, Not Admin ***

>
> Thanks again for your help!
>
>
>
> "Mike Easter" wrote in message
> news:d4s543$3kl$1@news.spamcop.net...
> > The .spam group is just for posting spams, discussions take place in
> > spamcop or .help, or even in .mail if it is about a mail issue. I'm
> > going to crosspost this to .spam and .help and put f/ups to .help
> >
> > Seahawk wrote:
> > Subject: Help -- Am I reporting myself?
> >
> > Yes
> >
> >> my ISP said they were getting a
> >> lot of spam complaints about my account and they provided a sample
> >> spamcop report (e-mail below).
> >
> > This is about this spam item:
> >
> > http://www.spamcop.net/sc?id=z756267518zb2feeede0a3655990a78c951d01da47dz
> >
> > which has these abbreviated Received tracelines:
> >
> > Abbreviated Received lines *comment
> > from unknown (192.168.1.103) by blade1.cesmail.net *serves you
> > from mout.perfora.net (217.160.230.41) by mailgate2.cesmail.net
> > *serves you
> > from dsl43.rbh1.pppoe.execulink.com[66.203.183.43] by mx.perfora.net
> > *sourceline
> > from (217.160.230.10) by mx9.uti.com *bogusline
> >
> > and which SC currently correctly IDs the source as
> >
> > If reported today, reports would be sent to:
> > Re: 66.203.183.43 (Administrator of network where email originates)
> > ipauthorityar@execulink.com
> >
> > but which appears to have been badly reported because...
> >
> > Reports regarding this spam have already been sent:
> > Re: 217.160.230.10 (Administrator of network where email originates)
> > Reportid: 1410230009 To: abuse@schlund.de
> >
> > The tracker which I posted is a mailhosts tracker. Because the spamitem
> > parses correctly now, it isn't easy to say why you reported your own
> > provider 217.160.230.10 rDNS mx00.perfora.net at abuse@schlund.com
> > but you did and you shouldn't have.
> >
> > The proper way to be a reporter is to be aware of who/what you are
> > reporting and to not report your own provider if the parser makes a
> > mistake. That provider reporting will cause you trouble with your
> > provider -- and you will need to be able to develop a plan by which you
> > cease to do that and explain to them that plan in a way that they
> > believe they can trust you to be a client -- either by not being a
> > spamcop reporter or by developing a plan by which you can be both a
> > spamcop reporter and a client.
> >
> > Your provider is also insisting that you communicate back with them in 3
> > days what your plan is to cease behaving in an improper way which endangers
> > their ability to deliver mail for all of their clients.
> >
> > How is it that you would report your own provider? Do you not look at
> > the reports which SC offers to send? Are you some kind of quick
> > reporter? If so, you should cease to be that.
> >
> >
> > --
> > Mike Easter
> > kibitzer, not SC admin
> >
>
>
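
Added example, not part of the thread and not SpamCop's parser: a check for the two Received-line defects raised above (no timestamp, no space before the bracketed IP), plus a guard that holds a report when the chosen source is the reporter's own provider. The 217.160.230.0/24 provider range, the timestamps on three of the sample lines, the strict/skip parser model and all function names are assumptions made for the illustration.

```python
import ipaddress
import re
from email.utils import parsedate_tz

# Newest hop first. Hop 3 is the full line quoted in the thread; the other
# three are rebuilt from the abbreviated trace with constructed timestamps.
RECEIVED = [
    "from unknown (192.168.1.103) by blade1.cesmail.net; "
    "Thu, 28 Apr 2005 20:49:12 +0000",
    "from mout.perfora.net (217.160.230.41) by mailgate2.cesmail.net; "
    "Thu, 28 Apr 2005 20:49:11 +0000",
    "from dsl43.rbh1.pppoe.execulink.com[66.203.183.43] by "
    "mx.perfora.net[172.19.34.100] (Nemesis), id 0MKuxu-1DPsAO0DQw-0000Q1",
    "from (217.160.230.10) by mx9.uti.com; Thu, 28 Apr 2005 20:49:05 +0000",
]

# Assumption: the reporter's own provider relays live in this range. The
# thread names two addresses in it but does not give the real allocation.
OWN_PROVIDER_NETS = [ipaddress.ip_network("217.160.230.0/24")]

# "from <helo><optional space>[ip]" or "(ip)"; the helo may be absent.
HOP_RE = re.compile(
    r"^from\s+(?P<helo>[^\s\[(]*)(?P<gap>\s*)"
    r"[\[(](?P<ip>\d{1,3}(?:\.\d{1,3}){3})[\])]"
)

def parse_hop(line, strict=False):
    """Return the peer IP recorded in one Received line, or None.
    strict=True models a hypothetical parser that rejects a host name glued
    to the bracketed IP; it does not describe SpamCop's code."""
    m = HOP_RE.match(line)
    if not m or (strict and m["helo"] and not m["gap"]):
        return None
    try:
        return ipaddress.ip_address(m["ip"])
    except ValueError:  # octet out of range, e.g. 999.1.1.1
        return None

def lint(line):
    """List the two formatting defects raised in the thread, if present."""
    problems = []
    m = HOP_RE.match(line)
    if m and m["helo"] and not m["gap"]:
        problems.append("no space between host name and bracketed IP")
    _, semicolon, stamp = line.rpartition(";")
    if not semicolon or parsedate_tz(stamp.strip()) is None:
        problems.append("no timestamp")
    return problems

def is_own(ip):
    """True for private addresses and the reporter's own provider."""
    return ip.is_private or any(ip in net for net in OWN_PROVIDER_NETS)

def pick_source(received, strict=False, skip_unparsed=False):
    """Walk hops newest-first and return the first peer IP that is not ours.
    Each peer IP was written by a server already trusted, so descend only
    while that IP is ours too. An unreadable hop stops the walk unless
    skip_unparsed is set (the unsafe behaviour, shown for contrast)."""
    source = None
    for line in received:
        ip = parse_hop(line, strict)
        if ip is None:
            if skip_unparsed:
                continue
            return None
        source = ip
        if not is_own(ip):
            break
    return source

def decide(received, strict=False, skip_unparsed=False):
    """Turn the walk into a report/hold decision for the reporter."""
    source = pick_source(received, strict, skip_unparsed)
    if source is None:
        return "hold: a hop could not be parsed"
    if is_own(source):
        return f"hold: {source} is your own provider"
    return f"report {source}"

if __name__ == "__main__":
    for number, line in enumerate(RECEIVED, 1):
        print(number, lint(line) or "ok")
    print(decide(RECEIVED))
    print(decide(RECEIVED, strict=True, skip_unparsed=True))
```

The second decision shows why the own-provider check matters: when the malformed hop is skipped, the walk lands on 217.160.230.10, and the guard holds the report instead of sending it.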