From h9vzc2i02 at sneakemail.com Wed Jun 1 22:33:33 2005
From: h9vzc2i02 at sneakemail.com (Anon_)
Date: Thu Jun 2 00:35:02 2005
Subject: [SC-Help] Re: HTML spam, Spamcop says: No links found
References:
Message-ID:

"WazoO" wrote in message news:d7fmre$qrm$1@news.spamcop.net...
> "Frede Hansen" wrote in message
> news:Xns966682BCA8AE5cornerred@216.154.195.61...
> > I am getting a lot of HTML based spam, where Spamcop fails,
> > since there is no way to attach the HTML in the report.
>
> As the reference to the www.spamcop.net FAQ didn't seem
> to help, perhaps some data found over in the Forum may help.
> http://forum.spamcop.net/forums/ For example, the entry in
> the "How to Use ... Reporting" Forum section titled;
> " OE6 Secure handling of e-mail - Why Forward won't work"
> Whether you use OE or not, there are some concepts there
> that may help to explain what you are doing wrong.
>
> > Then of course I try simply to paste the links that the HTML is hiding,
> > but then: No links found , I am just told.
>
> And this is going to get you into trouble as this is in violation
> of rules and guidelines to the use of your SpamCop Reporting
> account. That you are having issues would seem to increase
> your chances of getting nailed on this.
>
> The act of "pasting stuff into your e-mail/spam submittal" is
> wrong, but that you are having problems is probably based
> on what you are attempting to manipulate and the way you
> are doing it. See the above URL for some background on
> e-mail construction, HTML rendering, etc.
>
> Not only do you not identify the OS and applications
> involved in your e-mail handling, but you also don't
> actually state just how you are handling your submittal.
>
>

** Another thing, you cannot 'paste' anything into an html page - you
have to look at the source code and add the info in the form of html
code in the correct place for the parser to see it. Again, messing with
the spam IS a violation of SC's rules anyhow.
--
A SpamCop user and forum reader, Not Admin
***

From lane at joeandlane.com Thu Jun 2 12:59:45 2005
From: lane at joeandlane.com (Lane)
Date: Thu Jun 2 12:53:38 2005
Subject: [SC-Help] They're varying their shields, captain!
Message-ID: <200506021159.45749.lane@joeandlane.com>

I've been getting two or three emails every day for about a month from
nrefi.net and frefi.net and some other *refi.net's using ip range
85.138.36.x but I notice that when I report these to Spam Cop they don't
get blocked.

I understand that the scoring system may prevent a spammer from ever
getting listed, but I'm curious about the SenderBase information on this
ip range. It appears here:

http://www.senderbase.org/?searchBy=ipaddress&sb=1&searchString=85.138.36.161

That this IP has had a 100% drop in email in the last 24 hours, yet it
has had a 502% increase in the last 30 days. The average magnitude is
1.2%.

So I'm wondering if these guys are just cycling through a set of ip's
just fast enough to render the senderbase information obsolete just in
time to avoid being blocked.

Maybe I'm not getting the technology, but it seems to me that these
*refi.net people are slipping through spamcop like a knife through
butter.

lane

From pete+usenet at heypete.com Thu Jun 2 11:10:44 2005
From: pete+usenet at heypete.com (Pete Stephenson)
Date: Thu Jun 2 13:15:04 2005
Subject: [SC-Help] Re: They're varying their shields, captain!
References:
Message-ID:

In article , Lane wrote:

> Maybe I'm not getting the technology, but it seems to me that these *refi.net
> people are slipping through spamcop like a knife through butter.

Easy solution: Rotate the shield harmonics!

Ok, nevermind. :)

--
Pete Stephenson
HeyPete.com

From dfm2a3l0t2 at spymac.com Thu Jun 2 17:53:58 2005
From: dfm2a3l0t2 at spymac.com (D.F. Manno)
Date: Thu Jun 2 16:55:02 2005
Subject: [SC-Help] Re: They're varying their shields, captain!
References:
Message-ID:

In article , Pete Stephenson wrote:

> Lane wrote:
>
> > Maybe I'm not getting the technology, but it seems to me that these
> > *refi.net people are slipping through spamcop like a knife through butter.
>
> Easy solution: Rotate the shield harmonics!

"But Cap'n...the dilithium crystals canna take any more!"

--
D.F. Manno
dfm2a3l0t2@spymac.com
"The work goes on, the cause endures, the hope still lives and the dream
will never die."

From eddie at eddie.web Thu Jun 2 22:45:43 2005
From: eddie at eddie.web (eddie)
Date: Thu Jun 2 21:50:03 2005
Subject: [SC-Help] Re: They're varying their shields, captain!
References:
Message-ID:

On Thu, 02 Jun 2005 16:53:58 -0400, D.F. Manno scratched out the following:

> In article ,
> Pete Stephenson wrote:
>
>> Lane wrote:
>>
>> > Maybe I'm not getting the technology, but it seems to me that these
>> > *refi.net people are slipping through spamcop like a knife through
>> > butter.
>>
>> Easy solution: Rotate the shield harmonics!
>
> "But Cap'n...the dilithium crystals canna take any more!"

MacGyver will take us through the StarGate and we will then make
repairs, swapping the dilithium crystals for naquadah generators. Then
the shields will hold up for an entire episode without warp or
antimatter drive failure.

Scotty is a natural working with MacG, whose first name is Angus

What a team!

--
Once movie theaters gave out steak knives
Today they confiscate them

From buzzard554 at fastmail.co.uk Fri Jun 3 09:19:55 2005
From: buzzard554 at fastmail.co.uk (Martin Edwards)
Date: Fri Jun 3 03:20:03 2005
Subject: [SC-Help] Re: They're varying their shields, captain!
In-Reply-To:
References:
Message-ID:

D.F. Manno wrote:
> In article ,
> Pete Stephenson wrote:
>
>
>> Lane wrote:
>>
>>
>>>Maybe I'm not getting the technology, but it seems to me that these
>>>*refi.net people are slipping through spamcop like a knife through butter.
>>
>>Easy solution: Rotate the shield harmonics!
>
>
> "But Cap'n...the dilithium crystals canna take any more!"

If you ask me, Jim, it's Scotty who can't take any more.

From lane at joeandlane.com Fri Jun 3 17:03:39 2005
From: lane at joeandlane.com (Lane)
Date: Fri Jun 3 16:57:26 2005
Subject: [SC-Help] Re: They're varying their shields, captain!
In-Reply-To:
References:
Message-ID: <200506031603.39640.lane@joeandlane.com>

On Friday 03 June 2005 02:19, Martin Edwards wrote:
> D.F. Manno wrote:
> > In article ,
> >
> > Pete Stephenson wrote:
> >> Lane wrote:
> >>>Maybe I'm not getting the technology, but it seems to me that these
> >>>*refi.net people are slipping through spamcop like a knife through
> >>> butter.
> >>
> >>Easy solution: Rotate the shield harmonics!
> >
> > "But Cap'n...the dilithium crystals canna take any more!"
>
> If you ask me, Jim, it's Scotty who can't take any more.

So anyway ... back to the *refi.net SPAMmers ....

Today I got one from ip: 205.211.197.142 claiming to be from
http://www.parefi.net/book.php

I check senderbase at
http://www.senderbase.org/?searchBy=ipaddress&sb=1&searchString=205.211.197.142

and I see that this IP volume/magnitude has changed from 1102%/1.7 in
the last thirty days to -100%/0.0 in the last day.

So is such a dramatic volume change used in the cipher to calcumalate
when an ip is a spammer?

lane

P.S. Just to keep the "Trek" dialog going, "I'd rather take the shuttle.
A man would have to be INSANE to want his particles scattered all over
the universe, like that!"

From nobody at spamcop.net Fri Jun 3 18:33:11 2005
From: nobody at spamcop.net (Ellen)
Date: Fri Jun 3 18:05:02 2005
Subject: [SC-Help] Re: They're varying their shields, captain!
References:
Message-ID:

"Lane" wrote in message
news:mailman.23.1117832246.169.spamcop-help@news.spamcop.net...
>
> Today I got one from ip: 205.211.197.142 claiming to be from
> http://www.parefi.net/book.php
>
> I check senderbase at
> http://www.senderbase.org/?searchBy=ipaddress&sb=1&searchString=205.211.197.142
>
> and I see that this IP volume/magnitude has changed from 1102%/1.7 in the last
> thirty days to -100%/0.0 in the last day.
>
> So is such a dramatic volume change used in the cipher to calcumalate when an
> ip is a spammer?
>

I just changed the report routing on that block to
inetcontact@amnetus.com let's see if that makes a difference. I suspect
they just have a bunch of compromised machines down there in Honduras.

The volume change in SenderBase can mean that someone noticed the
machine was compromised and took it offline or that the worm/trojan got
orders to go quiet for a while or lost contact with the mothership ...

And yes the IP is listed.

Ellen

From lane at joeandlane.com Fri Jun 3 19:20:20 2005
From: lane at joeandlane.com (Lane)
Date: Fri Jun 3 19:14:08 2005
Subject: [SC-Help] Re: They're varying their shields, captain!
In-Reply-To:
References:
Message-ID: <200506031820.21210.lane@joeandlane.com>

On Friday 03 June 2005 16:33, Ellen wrote:
> "Lane" wrote in message
> news:mailman.23.1117832246.169.spamcop-help@news.spamcop.net...
>
> > Today I got one from ip: 205.211.197.142 claiming to be from
> > http://www.parefi.net/book.php
> >
> > I check senderbase at
> > http://www.senderbase.org/?searchBy=ipaddress&sb=1&searchString=205.211.197
>.142
>
> > and I see that this IP volume/magnitude has changed from 1102%/1.7 in the
> > last
>
> > thirty days to -100%/0.0 in the last day.
> >
> > So is such a dramatic volume change used in the cipher to calcumalate
> > when
>
> an
>
> > ip is a spammer?
>
> I just changed the report routing on that block to inetcontact@amnetus.com
> let's see if that makes a difference. I suspect they just have a bunch of
> compromised machines down there in Honduras.
>
> The volume change in SenderBase can mean that someone noticed the machine
> was compromised and took it offline or that the worm/trojan got orders to
> go quiet for a while or lost contact with the mothership ...
>
> And yes the IP is listed.
>
> Ellen
>
>

Thanks, Ellen

lane

~"He's not really dead, Jim!"

From panoptes at iquest.net Sat Jun 4 12:41:36 2005
From: panoptes at iquest.net (Daniel W. Johnson)
Date: Sat Jun 4 12:45:02 2005
Subject: [SC-Help] Re: HTML spam, Spamcop says: No links found
References:
Message-ID: <1gxmqa7.b6e5fdvfeczeN%panoptes@iquest.net>

Mike Easter wrote:
> Any time you want to talk about a result of a parse, the best way to do
> it is to post the tracking url from the top of the page. This is true
> even if you have already submitted your report. You can resubmit the
> same spam item, copy the tracking url, then cancel the report for that
> parse, and paste the tracker in here.

As an alternative to submitting it again, it seems to be possible to get
that Parse link from the Past Reports page.

--
Daniel W. Johnson
panoptes@iquest.net
http://members.iquest.net/~panoptes/
039 53 36 N / 086 11 55 W

From hendrik_maryns at despammed.com Sun Jun 5 01:13:36 2005
From: hendrik_maryns at despammed.com (Hendrik Maryns)
Date: Sat Jun 4 18:15:04 2005
Subject: [SC-Help] cancel report
Message-ID:

Hi,

I accidentally reported a false email: I saw that just after hitting the
Report button...

What should I do to cancel/undo/whatever?

It concerns java.sun.com, so I guess they won't really bother, but just
to know when this happens again...

Cheers, H.
--
Hendrik Maryns

Interesting websites:
www.lieverleven.be (I cooperate)
www.eu04.com European Referendum Campaign
aouw.org The Art Of Urban Warfare

From nobody at devnull.spamcop.net Sat Jun 4 18:18:40 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Sat Jun 4 18:20:02 2005
Subject: [SC-Help] Re: cancel report
References:
Message-ID:

"Hendrik Maryns" wrote in message news:d7t90m$9tg$1@news.spamcop.net...
>
> I accidentally reported a false email: I saw that just after hitting the
> Report button...
>
> What should I do to cancel/undo/whatever?

How can I unsend a Report?
http://forum.spamcop.net/forums/index.php?showtopic=138

From hendrik_maryns at despammed.com Sun Jun 5 02:04:36 2005
From: hendrik_maryns at despammed.com (Hendrik Maryns)
Date: Sat Jun 4 19:05:02 2005
Subject: [SC-Help] Re: cancel report
In-Reply-To:
References:
Message-ID:

WazoO wrote the following text on 5/06/2005 0:18:
> "Hendrik Maryns" wrote in message
> news:d7t90m$9tg$1@news.spamcop.net...
>
>>I accidentally reported a false email: I saw that just after hitting the
>>Report button...
>>
>>What should I do to cancel/undo/whatever?
>
>
> How can I unsend a Report?
> http://forum.spamcop.net/forums/index.php?showtopic=138

Ok, but I can't find a report ID under the Past Reports. I found the
report and the associated addresses though. So should I just send them
an e-mail with my apologies then?

H.

--
Hendrik Maryns

Interesting websites:
www.lieverleven.be (I cooperate)
www.eu04.com European Referendum Campaign
aouw.org The Art Of Urban Warfare

From lane at joeandlane.com Sun Jun 5 16:33:56 2005
From: lane at joeandlane.com (Lane)
Date: Sun Jun 5 16:28:02 2005
Subject: [SC-Help] Re: They're varying their shields, captain!
In-Reply-To: <200506031820.21210.lane@joeandlane.com>
References: <200506031820.21210.lane@joeandlane.com>
Message-ID: <200506051533.56750.lane@joeandlane.com>

On Friday 03 June 2005 18:20, you wrote:
> On Friday 03 June 2005 16:33, Ellen wrote:
> > > "Lane" wrote in message
> > > news:mailman.23.1117832246.169.spamcop-help@news.spamcop.net...
> > >
> > > Today I got one from ip: 205.211.197.142 claiming to be from
> > > http://www.parefi.net/book.php
> > >
> > > I check senderbase at
> >
> > > http://www.senderbase.org/?searchBy=ipaddress&sb=1&searchString=205.211.1
> > >97 .142
> > >
> > > and I see that this IP volume/magnitude has changed from 1102%/1.7 in
> > > the last thirty days to -100%/0.0 in the last day.
> > >
> > > So is such a dramatic volume change used in the cipher to calcumalate
> > > when an ip is a spammer?
> >
> > I just changed the report routing on that block to
> > inetcontact@amnetus.com let's see if that makes a difference. I suspect
> > they just have a bunch of compromised machines down there in Honduras.
> >
> > The volume change in SenderBase can mean that someone noticed the machine
> > was compromised and took it offline or that the worm/trojan got orders to
> > go quiet for a while or lost contact with the mothership ...
> >
> > And yes the IP is listed.
> >
> > Ellen
>
> Thanks, Ellen
>
> lane ~"He's not really dead, Jim!"

He may not be dead, But apparently he's a zombie!

I've gotten two more from these *refi.net folks. The latest is from ip:
69.61.199.73

Senderbase,
http://www.senderbase.org/?searchBy=ipaddress&sb=1&searchString=69.61.199.73

says that magnitude is 2.4 in the last day, with a 7088% volume change
vs. average in the last day.

So I ask again, does volume change figure into the determination of
whether or not to block an ip?
This appears to be from fuse.net but Spamcop
http://www.spamcop.net/w3m?action=checkblock&ip=69.61.199.73
says he is not listed in bl.spamcop.net

just trying to get my head around how all of this works.

Thanks,
Lane

From nobody at devnull.spamcop.net Sun Jun 5 16:39:06 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Sun Jun 5 16:40:02 2005
Subject: [SC-Help] Re: They're varying their shields, captain!
References: <200506031820.21210.lane@joeandlane.com>
Message-ID:

"Lane" wrote in message
news:mailman.26.1118003284.169.spamcop-help@news.spamcop.net...
>
> So I ask again, does volume change figure into the determination of whether or
> not to block an ip?

The Forum FAQ http://forum.spamcop.net/forums/index.php?showtopic=2238
contains links that point back to an entry in the www.spamcop.net
original FAQ ... those details made public about the SpamCopDNSBL
are found at http://forum.spamcop.net/forums/index.php?showtopic=2238
which is found via the "Help" link on the www.spamcop.net web-page.
Both FAQ lists were created so that you don't have to ask, ask
again, and ask yet another time. Please avail yourself to either
(preferably both) FAQ lists, then ask your next question.

From lane at joeandlane.com Sun Jun 5 18:22:55 2005
From: lane at joeandlane.com (Lane)
Date: Sun Jun 5 18:17:03 2005
Subject: [SC-Help] Re: They're varying their shields, captain!
In-Reply-To:
References:
Message-ID: <200506051722.56432.lane@joeandlane.com>

On Sunday 05 June 2005 15:39, WazoO wrote:
> "Lane" wrote in message
> news:mailman.26.1118003284.169.spamcop-help@news.spamcop.net...
>
> > So I ask again, does volume change figure into the determination of
> > whether or
>
> > not to block an ip?
>
> The Forum FAQ http://forum.spamcop.net/forums/index.php?showtopic=2238
> contains links that point back to an entry in the www.spamcop.net
> original FAQ ...
> those details made public about the SpamCopDNSBL
> are found at http://forum.spamcop.net/forums/index.php?showtopic=2238
> which is found via the "Help" link on the www.spamcop.net web-page.
> Both FAQ lists were created so that you don't have to ask, ask
> again, and ask yet another time. Please avail yourself to either
> (preferably both) FAQ lists, then ask your next question.
>
>
> _______________________________________________
> SpamCop-Help mailing list
> SpamCop-Help@news.spamcop.net
> http://news.spamcop.net/mailman/listinfo/spamcop-help

Over here at http://www.spamcop.net/fom-serve/cache/297.html I find,

"What is the SCBL?
The SCBL is a list of IP addresses which have transmitted reported email
to SpamCop users, which in turn is used to block and filter unwanted
email. The SCBL is a fast and automatic list of sites sending reported
mail, with a number of report sources, including automated reports and
SpamCop user submissions."

So I'm led to believe that "list of IP addresses which have transmitted
reported email to SpamCop users ... fast and automatic ..." means that
when I report to SpamCop and SpamCop shows me the IP address of the
sender, then, barring some internal conflict, the ip address should be
listed. And regardless of listing or not listing, the action (or
inaction) should probably be corroborated with other RBL's

I understand that a single report doesn't warrant blocking the ip. But
when SenderBase (which SpamCop refers me to) shows a thousand or more
percent increase in traffic with magnitudes in full digits over the last
24 hours, I'm curious as to why SpamCop doesn't block the site. That's
all. Curious.

As I said, I'm trying to understand how this works so that I can help
manage this menace more effectively.

Next question: is it absolutely necessary to "talk" down to someone who
is clearly participating?

Please don't blow a gasket. Don't respond if it is going to get your
blood pressure up.
Matter of fact, I'll just unsubscribe myself so you won't be troubled by
my questions.

Thank you for participating in whatever capacity. I guess I don't really
need to know, anyway.

lane

From nobody at devnull.spamcop.net Sun Jun 5 18:54:11 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Sun Jun 5 18:55:03 2005
Subject: [SC-Help] Re: They're varying their shields, captain!
References:
Message-ID:

"Lane" wrote in message
news:mailman.27.1118009823.169.spamcop-help@news.spamcop.net...
>
> Over here at http://www.spamcop.net/fom-serve/cache/297.html I find,

As I stated, both FAQ "question lists" end up pointing to the same FAQ
entry. The point being that it could actually be found from either
entrance point.

> "What is the SCBL?
> The SCBL is a list of IP addresses which have transmitted reported email to
> SpamCop users, which in turn is used to block and filter unwanted email. The
> SCBL is a fast and automatic list of sites sending reported mail, with a
> number of report sources, including automated reports and SpamCop user
> submissions."
>
> So I'm led to believe that "list of IP addresses which have transmitted
> reported email to SpamCop users ... fast and automatic ..." means that when I
> report to SpamCop and SpamCop shows me the IP address of the sender, then,
> barring some internal conflict, the ip address should be listed.

The FAQ entry identified has a large portion of text devoted to a
mathematical model dealing with listing/de-listing. Why did you choose
to stop reading/citing at the first paragraph?

> regardless of listing or not listing, the action (or inaction) should
> probably be corroborated with other RBL's

Huh? All the zillions of other BLs have their own requirements and
specifications .. that's why there are so many of them.

> I understand that a single report doesn't warrant blocking the ip.
> But when
> SenderBase (which SpamCop refers me to) shows a thousand or more percent
> increase in traffic with magnitudes in full digits over the last 24 hours,
> I'm curious as to why SpamCop doesn't block the site. That's all. Curious.

There's a difference between "total traffic" and "traffic that gets
reported" ....

> Next question: is it absolutely necessary to "talk" down to someone who is
> clearly participating?

Talk down? Pointing out that someone has already spent the time to type
up an entry that does in fact answer the question you posed (and as you
pointed out, posed repeatedly) is hardly "talking down" to someone,
other than pointing out that there was no sign of attempted research
prior to posting and making the additional remark that you had posted
exactly the same query before ...

> Please don't blow a gasket. Don't respond if it is going to get your blood
> pressure up. Matter of fact, I'll just unsubscribe myself so you won't be
> troubled by my questions.

Rather than "subscribing" .. fire up an actual NNTP tool and point it to
news://news.spamcop.net/spamcop.help (for the newsgroup your posts are
currently showing up in)

> Thank you for participating in whatever capacity. I guess I don't
> really need to know, anyway.

I find this to be pretty confusing. As I stated, the publicly released
details on how the SpamCopDNSBL works is in fact explained in the very
FAQ you cited.

From xxxxx at xxxxx.net Mon Jun 6 17:22:40 2005
From: xxxxx at xxxxx.net (Bob Stringer)
Date: Mon Jun 6 19:25:02 2005
Subject: [SC-Help] Is this message legit re spamcop account?
Message-ID:

I received the e-mail quoted below, indicating that it was from
"webmaster@spamcop.net"

I've changed my e-mail address in the quoted portions, including in the
link that was provided, to protect the innocent. Otherwise it's
verbatim.

I never trust messages like this one, since it simply looks like
someone's trying to get account information out of me.
For reasons I'll explain shortly, however, although I wasn't going to
log in or provide any information, I clicked on the link to see what was
up. However, all I got was a "404 Not Found" page at the Spamcop web
site.

This ordinarily would have been the end of the matter for me, except
that today is June 6, precisely the date for the renewal of my account.
I in fact renewed my account through PayPal over two weeks ago, but the
fact that I've received such a message on the renewal date makes me
wonder whether it could be legitimate. I obviously don't want my account
to be closed because someone messed up the record of my payment.

So, does anyone know whether this kind of message is sent when an
account is up for renewal, or whatever? (It seems very strange that an
account would be closed within 24 hours without a response, since not
everyone is in contact with e-mail every single day of his life).

Hunting around the spamcop web site I didn't see any obvious e-mail
addresses for inquiries, and so I sent e-mail messages, saying
essentially what I've said above, to support@cesmail.net,
paypal@cesmail.net, service@cesmail.net. One of those addresses sent me
my original renewal notice on May 22, and the other two were referenced
in the PayPal message confirming my renewal payment. I didn't know where
else to send it.

If anyone knows that there's some other address for corresponding
regarding accounts, or can suggest any other address to which I should
send a message, I'd appreciate being informed. And quickly, since the
message, if it's legit, indicates my account will be suspended in 24
hours!

Thanks.

And here's the message I received:

From: webmaster@spamcop.net
To: xxxxx@xxxxx.net
Date: Monday, June 6, 2005, 1:42:41 PM
Subject: Account Alert

Dear Valued Member,

According to our site policy you will have to confirm your account by
the following link or else your account will be suspended within 24
hours for security reasons.
http://www.spamcop.net/confirm.php?email=xxxxx@xxxxx.net

Thank you for your attention to this question. We apologize for any
inconvenience.

Sincerely,Spamcop Security Department Assistant.

--
Bob Stringer

From scamper at trisk.com Mon Jun 6 18:54:29 2005
From: scamper at trisk.com (Garen Erdoisa)
Date: Mon Jun 6 19:55:03 2005
Subject: [SC-Help] Re: Is this message legit re spamcop account?
In-Reply-To:
References:
Message-ID:

Bob Stringer wrote:
> I received the e-mail quoted below, indicating that it was
> from "webmaster@spamcop.net"
>
> I've changed my e-mail address in the quoted portions,
> including in the link that was provided, to protect the
> innocent. Otherwise it's verbatim.
>
> I never trust messages like this one, since it simply looks
> like someone's trying to get account information out of me.
> For reasons I'll explain shortly, however, although I wasn't
> going to log in or provide any information, I clicked on
> the link to see what was up. However, all I got was a "404
> Not Found" page at the Spamcop web site.
>
> This ordinarily would have been the end of the matter for
> me, except that today is June 6, precisely the date for the
> renewal of my account. I in fact renewed my account through
> PayPal over two weeks ago, but the fact that I've received
> such a message on the renewal date makes me wonder whether
> it could be legitimate. I obviously don't want my account to
> be closed because someone messed up the record of my
> payment.
>
> So, does anyone know whether this kind of message is sent
> when an account is up for renewal, or whatever? (It seems
> very strange that an account would be closed within 24 hours
> without a response, since not everyone is in contact with
> e-mail every single day of his life).
>
> Hunting around the spamcop web site I didn't see any obvious
> e-mail addresses for inquiries, and so I sent e-mail
> messages, saying essentially what I've said above, to
> support@cesmail.net, paypal@cesmail.net,
> service@cesmail.net. One of those addresses sent me my
> original renewal notice on May 22, and the other two were
> referenced in the PayPal message confirming my renewal
> payment. I didn't know where else to send it.
>
> If anyone knows that there's some other address for
> corresponding regarding accounts, or can suggest any other
> address to which I should send a message, I'd appreciate
> being informed. And quickly, since the message, if it's
> legit, indicates my account will be suspended in 24 hours!
>
> Thanks.
>
> And here's the message I received:
>
> From: webmaster@spamcop.net
> To: xxxxx@xxxxx.net
> Date: Monday, June 6, 2005, 1:42:41 PM
> Subject: Account Alert
>
> Dear Valued Member,
>
> According to our site policy you will have to confirm your
> account by the following link or else your account will be
> suspended within 24 hours for security reasons.
>
> http://www.spamcop.net/confirm.php?email=xxxxx@xxxxx.net
>
> Thank you for your attention to this question. We apologize
> for any inconvenience.
>
> Sincerely,Spamcop Security Department Assistant.
>

1) Full headers are not shown in the above.
2) the message body source is not shown in the above.
3) you should post messages such as this to spamcop.spam, or better yet,
   feed it to the spamcop parser then post the spamcop tracker url here
   so the rest of us can see how spamcop parsed the message.

Other than that:
It looks to me based on the wording of the message like a phish scam
that forged headers to make it appear to you like it might be coming
from spamcop, but is in reality trying to trick you into entering your
credit card info so the scammer can steal it.
You'll need to look at the message source to reveal the hidden links
which will show where the link will really send you if you click on it.

This same sort of tactic is used to target many banks and places like
paypal and ebay to try to trick users into entering personal info.

From MikeE at ster.invalid Mon Jun 6 18:23:13 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Jun 6 20:25:02 2005
Subject: [SC-Help] Re: Is this message legit re spamcop account?
References:
Message-ID:

Bob Stringer wrote:
> I received the e-mail quoted below,

No one around here talks about mail by pasting the rendered results of
the body. We talk about mail by looking at its headers and its
unrendered body.

Submit the item to the parser properly, copy the tracking url, cancel
the reports, and paste the tracker here.

Goodness gracious, did a turnip truck just drive by here?

--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Mon Jun 6 21:27:21 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Mon Jun 6 21:30:03 2005
Subject: [SC-Help] Re: Is this message legit re spamcop account?
References:
Message-ID:

"Bob Stringer" wrote in message
news:ell9a11h9louloo12kpjljagtb3f0rld3h@4ax.com...
> I received the e-mail quoted below, indicating that it was
> from "webmaster@spamcop.net"

Your sample is a bulls*&t phish.

> Hunting around the spamcop web site I didn't see any obvious
> e-mail addresses for inquiries,

This is frustrating, just pointed out the same thing over in another
newsgroup. As the www.spamcop.net FAQ left you confused, I'll again
point to the single-page access point to a much expanded version at
http://forum.spamcop.net/forums/ You will find that the entry there
titled "How can I contact a SpamCop representative?" in fact points to a
www.spamcop.net FAQ item that you say you couldn't find.

> and so I sent e-mail
> messages, saying essentially what I've said above, to
> support@cesmail.net, paypal@cesmail.net,
> service@cesmail.net.
> One of those addresses sent me my
> original renewal notice on May 22, and the other two were

Two of those ended up in JT's InBox ... not sure where the 'paypal'
address ends up, but I'll guess that JT has all three copies of your
query (any wonder why he complains of being so overloaded?)

> If anyone knows that there's some other address for
> corresponding regarding accounts, or can suggest any other
> address to which I should send a message, I'd appreciate
> being informed. And quickly, since the message, if it's
> legit, indicates my account will be suspended in 24 hours!

It's a frigging spam ... handle it accordingly.

> And here's the message I received:
>
> From: webmaster@spamcop.net
> To: xxxxx@xxxxx.net
> Date: Monday, June 6, 2005, 1:42:41 PM
> Subject: Account Alert

Without headers, this "sample" is pretty useless other than pointing out
the obvious .. a spammer has found a gullible recipient.

From nobody at devnull.spamcop.net Mon Jun 6 21:32:25 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Mon Jun 6 21:35:02 2005
Subject: [SC-Help] Re: cancel report
References:
Message-ID:

"Hendrik Maryns" wrote in message news:d7tc0a$c39$1@news.spamcop.net...
> WazoO wrote the following text on 5/06/2005 0:18:
> >
> > How can I unsend a Report?
> > http://forum.spamcop.net/forums/index.php?showtopic=138
>
> Ok, but I can't find a report ID under the Past Reports. I found the
> report and the associated addresses though. So should I just send them
> an e-mail with my apologies then?

I plead stupid (though noting that the re-look has caused the referenced
Forum FAQ item to be updated twice since that last post) .... every
report I see in my "report history" has a Report ID. (Then again, I am a
free-report only account holder and most of my Report History items are
'cancelled'?)

I would have to suggest that if there is no Report ID, there was no
report sent out. Is it possible you're a Mole reporter?
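
[Added example, not part of any list post.] The advice given in the "Is this message legit" thread, to read the unrendered message source and see where a link really goes, can be automated. The sketch below parses a raw message, walks its HTML part, and reports every anchor whose visible text names one host while its href points at another. The sample message is constructed for the example, the hosts are reserved documentation values, and all function names are this example's own.

```python
"""Added example: find links in an e-mail's HTML source whose visible text
names one host while the href points at another."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message source (not the message discussed on the list).
# example.com / example.org and 203.0.113.7 are reserved documentation values.
SAMPLE_RAW = b"""\
From: webmaster@example.com
To: user@example.org
Subject: Account Alert
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Dear Valued Member, confirm your account by the following link:</p>
<a href="http://203.0.113.7/confirm.php?email=user@example.org">http://www.example.com/confirm.php?email=user@example.org</a>
<p><a href="http://www.example.com/help">Help pages</a></p>
<p><a href="http://example.com/faq">www.example.com/faq</a></p>
</body></html>
"""

# Visible text is treated as URL-like if it starts with a hostname or IPv4 address.
_URLISH = re.compile(
    r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,}|\d{1,3}(?:\.\d{1,3}){3})", re.I
)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a href=...> element."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")  # None if no href
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _href_host(url):
    """Lower-cased host of the href, tolerating a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def _shown_host(text):
    """Host named by the visible text, or '' if the text is not URL-like."""
    m = _URLISH.match(text)
    return m.group(1).lower() if m else ""


def _norm(host):
    """Compare hosts without a leading 'www.' so www.x and x count as equal."""
    return host[4:] if host.startswith("www.") else host


def html_bodies(raw_bytes):
    """Yield the decoded text of every text/html part of a raw message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            yield part.get_content()


def mismatched_links(raw_bytes):
    """Return (shown_host, real_host, href) for each anchor whose text
    displays a different host than the one the href leads to."""
    findings = []
    for html in html_bodies(raw_bytes):
        collector = _AnchorCollector()
        collector.feed(html)
        for href, text in collector.links:
            shown, real = _shown_host(text), _href_host(href)
            if shown and real and _norm(shown) != _norm(real):
                findings.append((shown, real, href))
    return findings


if __name__ == "__main__":
    for shown, real, href in mismatched_links(SAMPLE_RAW):
        print(f"text shows {shown} but link goes to {real}: {href}")
```

Links whose text is not URL-like ("Help pages") are skipped, since there is no displayed host to compare against.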
From nobody at spamcop.net Mon Jun 6 22:20:59 2005
From: nobody at spamcop.net (Ellen)
Date: Tue Jun 7 07:40:03 2005
Subject: [SC-Help] Re: Is this message legit re spamcop account?
References:
Message-ID:

"Bob Stringer" wrote in message
news:ell9a11h9louloo12kpjljagtb3f0rld3h@4ax.com...
> I received the e-mail quoted below, indicating that it was
> from "webmaster@spamcop.net"
>
>
> From: webmaster@spamcop.net
> To: xxxxx@xxxxx.net
> Date: Monday, June 6, 2005, 1:42:41 PM
> Subject: Account Alert
>
> Dear Valued Member,
>
> According to our site policy you will have to confirm your
> account by the following link or else your account will be
> suspended within 24 hours for security reasons.
>
> http://www.spamcop.net/confirm.php?email=xxxxx@xxxxx.net
>
> Thank you for your attention to this question. We apologize
> for any inconvenience.
>
> Sincerely,Spamcop Security Department Assistant.
>

We don't have a webmaster@ email address and we do not have a security
department and thusly no assistants :-) In any case you would find if
you analyzed the received headers that this did not come from SpamCop.

You can write to service@admin.spamcop.net or deputies@admin.spamcop.net
if you have a paid reporting account or support@spamcop.net if you have
an email account if you are ever in doubt about any mailing.

Ellen
SpamCop

From xxxxx at xxxxx.net Tue Jun 7 19:13:41 2005
From: xxxxx at xxxxx.net (Bob Stringer)
Date: Tue Jun 7 21:15:03 2005
Subject: [SC-Help] Re: Is this message legit re spamcop account?
References:
Message-ID: <9ugca1l8b26jq9bbs1q6kr6itgapn940iu@4ax.com>

On Mon, 06 Jun 2005 17:54:29 -0600, Garen Erdoisa wrote:

>[snip]

> ...
or better yet, feed it to the spamcop parser then post > the spamcop tracker url here so the rest of us can see how > spamcop parsed the message Here it is: > Other than that: > It looks to me based on the wording of the message like a > phish scam that forged headers to make it appear to you > like it might be coming from spamcop, but is in reality > trying to trick you into entering your credit card info so > the scammer can steal it. I thought so. But as mentioned, what especially made me wonder was that the message coincided with the renewal date of my account. Also, when I clicked on the link to see where it led, rather than taking me to a page that asked for information, it took me to (what appeared to be) a "404 Not Found" page at the Spamcop web site. Seemed like an odd thing for a phisher to do, but what do I know. >You'll need to look at the message source to reveal the hidden links >which will show where the link will really send you if you click on it. How do I do that? I know how to look at all the header info, but I'm not clear on what a message source is. Thanks for the help. From xxxxx at xxxxx.net Tue Jun 7 19:15:14 2005 From: xxxxx at xxxxx.net (Bob Stringer) Date: Tue Jun 7 21:20:02 2005 Subject: [SC-Help] Re: Is this message legit re spamcop account? References: Message-ID: On Mon, 6 Jun 2005 21:20:59 -0400, "Ellen" wrote: > [snip] > You can write to service@admin.spamcop.net or > deputies@admin.spamcop.net if you have a paid reporting > account or support@spamcop.net if you have an email > account if you are ever in doubt about any mailing. Thanks very much, Ellen. From anon at coks.net Tue Jun 7 19:39:23 2005 From: anon at coks.net (Jeff G.) Date: Tue Jun 7 21:40:02 2005 Subject: [SC-Help] Re: Is this message legit re spamcop account? 
In-Reply-To: <9ugca1l8b26jq9bbs1q6kr6itgapn940iu@4ax.com> References: <9ugca1l8b26jq9bbs1q6kr6itgapn940iu@4ax.com> Message-ID: On 6/7/2005 6:13 PM Bob Stringer scribbled: > On Mon, 06 Jun 2005 17:54:29 -0600, Garen Erdoisa > wrote: > > >>[snip] > > >>... or better yet, feed it to the spamcop parser then post >>the spamcop tracker url here so the rest of us can see how >>spamcop parsed the message > > > Here it is: > > > >>Other than that: > > >>It looks to me based on the wording of the message like a >>phish scam that forged headers to make it appear to you >>like it might be coming from spamcop, but is in reality >>trying to trick you into entering your credit card info so >>the scammer can steal it. > > > I thought so. But as mentioned, what especially made me > wonder was that the message coincided with the renewal date > of my account. Also, when I clicked on the link to see where > it led, rather than taking me to a page that asked for > information, it took me to (what appeared to be) a "404 Not > Found" page at the Spamcop web site. Seemed like an odd > thing for a phisher to do, but what do I know. > > >>You'll need to look at the message source to reveal the hidden links >>which will show where the link will really send you if you click on it. > > > How do I do that? I know how to look at all the header info, > but I'm not clear on what a message source is. > > Thanks for the help. Buried in all the gobbly gook in the msg. body, which you view via the source code view in your email client, you'll most likely find a HTML ref to an HTTP - starts w/ blahblah - if you don't know what you're looking at, you'll need some practice and at the end of the day, you won't be much better off with the knowledge... From xxxxx at xxxxx.net Tue Jun 7 21:02:46 2005 From: xxxxx at xxxxx.net (Bob Stringer) Date: Tue Jun 7 23:05:02 2005 Subject: [SC-Help] Re: Is this message legit re spamcop account? 
References: <9ugca1l8b26jq9bbs1q6kr6itgapn940iu@4ax.com> Message-ID: <1tnca1ppuhu2cm95krjnrvhg1n0fj7i26a@4ax.com> On Tue, 07 Jun 2005 18:39:23 -0700, "Jeff G." wrote: >Buried in all the gobbly gook in the msg. body, which you view via the >source code view in your email client, you'll most likely find a HTML >ref to an HTTP - >starts w/ blahblah - if you don't know what you're looking at, >you'll need some practice and at the end of the day, you won't be much >better off with the knowledge... Yeah. I can see you're right. Since all I really needed to know was that the message wasn't legit, so I'll leave it at that. Thanks. From h9vzc2i02 at sneakemail.com Wed Jun 8 01:25:58 2005 From: h9vzc2i02 at sneakemail.com (Anon_) Date: Wed Jun 8 03:25:03 2005 Subject: [SC-Help] Re: Is this message legit re spamcop account? References: <9ugca1l8b26jq9bbs1q6kr6itgapn940iu@4ax.com> <1tnca1ppuhu2cm95krjnrvhg1n0fj7i26a@4ax.com> Message-ID: "Bob Stringer" wrote in message news:1tnca1ppuhu2cm95krjnrvhg1n0fj7i26a@4ax.com... > On Tue, 07 Jun 2005 18:39:23 -0700, "Jeff G." > wrote: > > >Buried in all the gobbly gook in the msg. body, which you view via the > >source code view in your email client, you'll most likely find a HTML > >ref to an HTTP - > >starts w/ blahblah - if you don't know what you're looking at, > >you'll need some practice and at the end of the day, you won't be much > >better off with the knowledge... > > Yeah. I can see you're right. > ** Learning html is like learning any foreign language - same sentence structure and vocabulary problems. Unless you really want to pursue it (almost as a vocation), it really is not worth it [I studied it on my own for several months out of curiosity] and have forgotten most of it by now. -- A SpamCop user and forum reader, Not Admin *** ** > Since all I really needed to know was that the message > wasn't legit, so I'll leave it at that. > > Thanks. From anon at coks.net Wed Jun 8 16:03:09 2005 From: anon at coks.net (Jeff G.) 
Date: Wed Jun 8 18:05:02 2005 Subject: [SC-Help] spamvertisement reporting & a question... Message-ID: Using SC, a fr instance, the 2 following urls http://members.spamcop.net/mcgi?action=gettrack&reportid=1443463100 http://members.spamcop.net/mcgi?action=gettrack&reportid=1443463094 came up with the notation /No recent reports, no history available/ in the results window. Both these have come up within the past week in past spam. Any reason the No Record msg comes up, when I know for a fact its been reported before by yours truly (no, I'm not feeling neglected)? Or does that dbase only update weekly or whatever? curious... Also, given the 2 methods of choice with reporting - copying and pasting whole msg or forwarding, is there a benefit or preference to using one or the other? Tnx... From MikeE at ster.invalid Wed Jun 8 16:30:23 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jun 8 18:35:03 2005 Subject: [SC-Help] Re: spamvertisement reporting & a question... References: Message-ID: Jeff G. wrote: > Using SC, a fr instance, the 2 following urls > > http://members.spamcop.net/mcgi?action=gettrack&reportid=1443463100 > http://members.spamcop.net/mcgi?action=gettrack&reportid=1443463094 The only person who can view a report # is the person who sent it [or someone on the 'inside' like a deputy] -- so when you want to talk about something which is a report # as a spam item, you need to convert its report # into a tracker. 
If you put a report # into the slot here http://www.spamcop.net/mcgi?action=histmenu or click on a report # here http://www.spamcop.net/mcgi?action=showhistory it will show the spam item, with a link at the top called 'parse' That parse link is actually the tracker url, which has this kind of configuration, which you can see is different than what you posted http://www.spamcop.net/sc?id=z772419713zbc845968bbf41763ade3944ad8acb21fz Also, there's another problem about posting a link which starts with 'members.spamcop.net' -- for nonmembers or nonpaying viewers, any such link will have to be of the configuration 'spamcop.net' -- removing the 'members' part. > came up with the notation > > /No recent reports, no history available/ > > in the results window. But, all of that being said; 'no recent reports, no history available' doesn't mean anything. When you read SC verbose, some things/words mean something, some things/words don't mean anything, and some things/words don't mean what they seem, or they don't mean it where you are seeing it, they mean it somewhere else not too far away. This particular thing/words doesn't mean anything. Don't take it 'literally'. -- Mike Easter kibitzer, not SC admin From anon at coks.net Wed Jun 8 18:13:24 2005 From: anon at coks.net (Jeff G.) Date: Wed Jun 8 20:15:04 2005 Subject: [SC-Help] Re: spamvertisement reporting & a question... In-Reply-To: References: Message-ID: On 6/8/2005 3:30 PM Mike Easter scribbled: > But, all of that being said; 'no recent reports, no history available' > doesn't mean anything. oh... > > When you read SC verbose, some things/words mean something, some > things/words don't mean anything, and some things/words don't mean what > they seem, or they don't mean it where you are seeing it, they mean it > somewhere else not too far away. alice in wonderland... > This particular thing/words doesn't mean anything. Don't take it > 'literally'. 
> > in any case, I wasn't sure if I should just plonk those names out or not... From anon at coks.net Wed Jun 8 18:30:17 2005 From: anon at coks.net (Jeff G.) Date: Wed Jun 8 20:30:02 2005 Subject: [SC-Help] Re: spamvertisement reporting & a question... In-Reply-To: References: Message-ID: On 6/8/2005 5:13 PM Jeff G. scribbled: > On 6/8/2005 3:30 PM Mike Easter scribbled: > > > >>But, all of that being said; 'no recent reports, no history available' >>doesn't mean anything. > > > oh... > > >>When you read SC verbose, some things/words mean something, some >>things/words don't mean anything, and some things/words don't mean what >>they seem, or they don't mean it where you are seeing it, they mean it >>somewhere else not too far away. > > > alice in wonderland... > > >>This particular thing/words doesn't mean anything. Don't take it >>'literally'. >> >> > > in any case, I wasn't sure if I should just plonk those names out or not... BTW, Mike, got an answer for 2nd question on reporting method? tnx... From MikeE at ster.invalid Wed Jun 8 19:33:00 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jun 8 21:35:03 2005 Subject: [SC-Help] Re: spamvertisement reporting & a question... References: Message-ID: Jeff G. wrote: > Also, given the 2 methods of choice with reporting - copying and > pasting whole msg or forwarding, is there a benefit or preference to > using one or the other? The advantage of copying and pasting into the parser is that you get 'faster' rather quicker/sooner results. The disadvantage is that there is 'deadtime' that you need to manage constructively. If you can develop a 'rhythm' of keypresses to get to the message source and paste it into the webparser, or alternatively use a keypress macro, then 'feeding' the parser is actually very efficient, one spam at a time, per 1.5 second [hypothetical]. 
Then, you would need a strategy to manage the deadtime, one of which might be to use multiple iterations of parsers -- so your 'macro' of keypresses feeds a sequence of parsers so that the individual parser's results match up with your approval process. That can result in no deadtime and a continuous sequence of feeding one spam at a time into multiple parsers whose results and approvals match up with the speed of the parser processing. The advantage of forwarding 'masses' of spams at a time is that you avoid the above sequence of having to have an efficient series of keypresses for each spamitem and of transitioning between parsers and their report options. The disadvantage is that you have to wait for the mailforwarded items to get processed in their own sweet time. The other disadvantage is that you still have to manage the problem of accessing the numerous link/s and the report approval process however efficient or inefficient that is. Some people who 'move toward' sending masses of spams at a time get frustrated by that links portion of the report confirmation and its slowdown and decide to 'degenerate' [or accelerate] into quick reporting. Quick reporting dramatically changes the amount of time required to report some large number of spams. It has its dangers and its limitations or disadvantages, but it does feed a lot of spamsources into the SCbl without as much 'personal' time expenditure [or oversight], and there isn't much lost these days by not reporting the spamvertisers to their providers. There's always the ever-present danger of reporting your own provider if some kind of changes occur in the headerlines of your spams. -- Mike Easter kibitzer, not SC admin From anon at coks.net Wed Jun 8 19:50:58 2005 From: anon at coks.net (Jeff G.) Date: Wed Jun 8 21:50:04 2005 Subject: [SC-Help] Re: spamvertisement reporting & a question... In-Reply-To: References: Message-ID: On 6/8/2005 6:33 PM Mike Easter scribbled: > Jeff G. 
wrote: > >>Also, given the 2 methods of choice with reporting - copying and >>pasting whole msg or forwarding, is there a benefit or preference to >>using one or the other? > > > The advantage of copying and pasting into the parser is that you get > 'faster' rather quicker/sooner results. The disadvantage is that there > is 'deadtime' that you need to manage constructively. If you can > develop a 'rhythm' of keypresses to get to the message source and paste > it into the webparser, or alternatively use a keypress macro, then > 'feeding' the parser is actually very efficient, one spam at a time, per > 1.5 second [hypothetical]. > > Then, you would need a strategy to manage the deadtime, one of which > might be to use multiple iterations of parsers -- so your 'macro' of > keypresses feeds a sequence of parsers so that the individual parser's > results match up with your approval process. That can result in no > deadtime and a continuous sequence of feeding one spam at a time into > multiple parsers whose results and approvals match up with the speed of > the parser processing. > > The advantage of forwarding 'masses' of spams at a time is that you > avoid the above sequence of having to have an efficient series of > keypresses for each spamitem and of transitioning between parsers and > their report options. > > The disadvantage is that you have to wait for the mailforwarded items to > get processed in their own sweet time. The other disadvantage is that > you still have to manage the problem of accessing the numerous link/s > and the report approval process however efficient or inefficient > that is. > > Some people who 'move toward' sending masses of spams at a time get > frustrated by that links portion of the report confirmation and its > slowdown and decide to 'degenerate' [or accelerate] into quick > reporting. Quick reporting dramatically changes the amount of time > required to report some large number of spams. 
It has its dangers and > its limitations or disadvantages, but it does feed a lot of spamsources > into the SCbl without as much 'personal' time expenditure [or > oversight], and there isn't much lost these days by not reporting the > spamvertisers to their providers. There's always the ever-present > danger of reporting your own provider if some kind of changes occur in > the headerlines of your spams. > Thanks, Mike, that gives me something to mull over. FWIW, I had already gotten to the first point of coordinating the keystrokes. The rest of this missive I need to study a bit - never used said macros before, but sure am familiar with the "dead time"... From anon at coks.net Wed Jun 8 21:34:39 2005 From: anon at coks.net (Jeff G.) Date: Wed Jun 8 23:35:03 2005 Subject: [SC-Help] Re: spamvertisement reporting & a question... In-Reply-To: References: Message-ID: "...there isn't much lost these days by not reporting the > spamvertisers to their providers." Mike, could you elaborate once more why going into the body and digging out the spamadverts is a waste for most? I got 1 guy in another group who swears this is the way - you spelled it out last week, but Thunderbird isn't the best ng searcher in the world and I forget the thread name anywho. Quick & dirty - 2 lines... Tnx... From MikeE at ster.invalid Wed Jun 8 22:21:25 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jun 9 00:25:02 2005 Subject: [SC-Help] Re: spamvertisement reporting & a question... References: Message-ID: Jeff G. wrote: > > "...there isn't much lost these days by not reporting the >> spamvertisers to their providers." > > Mike, could you elaborate once more why going into the body and > digging out the spamadverts is a waste for most? I didn't say that. What I sed or implied was that SC has a standard protocol for spamvertisers. The standard protocol is that it finds the url and resolves it [unless it doesn't] and then the resolved url's provider's contacts are notified. 
SC doesn't use any tools to determine if that spamvertiser provider is unresponsive, such as checking and seeing if the IP is spews or spamhaused. The only mechanism there is for an IP to have an alternate notify than the mechanism I described above is if there has been enough routing attention that a deputy has intervened and created a special routing entry so that something else is notified instead of the protocol notify. So, very often the SC derived spamvertiser notify isn't a responsive one. In which case the notify isn't really good for anything. The only thing which is good for anything is that the reported url gets put on the spamvertiser page where sc-surbl scrapes it and it contributes to that db. I say you could do that with a lot less trouble and resource expenditure on the part of SC and the reporter if you did it another way. > I got 1 guy in another group who swears this is the way - you spelled > it out last week, but Thunderbird isn't the best ng searcher in the > world and I forget the thread name anywho. Quick & dirty - 2 lines... > Tnx... What someone may have been saying is that if the options for notifying about a spam were to result in 'squashing' the cause of the source or/vs squashing the spamvertiser, squashing the spamvertiser would be much much better than squashing the source problem. What I said in alt.spam the other day is that unfortunately, neither of those squashes takes place. Given that nothing happens as a result of the notifies, then almost the only thing that happens is that the source IP gets listed on the SCbl, which is a plus because it helps us filter spam; and the spamvertised url could possibly get put into the sc-surbl, which would also help us filter spam. The notifies aren't doing us any good [to exaggerate this point for the sake of emphasis] -- the only thing that is doing us any good is to try to help us get the spam filtered. 
-- Mike Easter kibitzer, not SC admin From anon at coks.net Thu Jun 9 08:16:25 2005 From: anon at coks.net (Jeff G.) Date: Thu Jun 9 10:20:03 2005 Subject: [SC-Help] Re: spamvertisement reporting & a question... In-Reply-To: References: Message-ID: On 6/8/2005 9:21 PM Mike Easter scribbled: >>Mike, could you elaborate once more why going into the body and >>digging out the spamadverts is a waste for most? > > > I didn't say that. What I sed or implied was that SC has a standard > protocol for spamvertisers. The standard protocol is that it finds the > url and resolves it [unless it doesn't] and then the resolved url's > provider's contacts are notified. > > SC doesn't use any tools to determine if that spamvertiser provider is > unresponsive, such as checking and seeing if the IP is spews or > spamhaused. The only mechanism there is for an IP to have an alternate > notify than the mechanism I described above is if there has been enough > routing attention that a deputy has intervened and created a special > routing entry so that something else is notified instead of the protocol > notify. > > So, very often the SC derived spamvertiser notify isn't a responsive > one. In which case the notify isn't really good for anything. The only > thing which is good for anything is that the reported url gets put on > the spamvertiser page where sc-surbl scrapes it and it contributes to > that db. > > I say you could do that with a lot less trouble and resource expenditure > on the part of SC and the reporter if you did it another way. > What someone may have been saying is that if the options for notifying > about a spam were to result in 'squashing' the cause of the source or/vs > squashing the spamvertiser, squashing the spamvertiser would be much > much better than squashing the source problem. > > What I said in alt.spam the other day is that unfortunately, neither of > those squashes takes place. 
Given that nothing happens as a result of > the notifies, then almost the only thing that happens is that the source > IP gets listed on the SCbl, which is a plus because it helps us filter > spam; and the spamvertised url could possibly get put into the > sc-surbl, which would also help us filter spam. > > The notifies aren't doing us any good [to exaggerate this point for the > sake of emphasis] -- the only thing that is doing us any good is to try > to help us get the spam filtered. > I was actually thinking of a post of a couple weeks ago where you said one shouldn't be opening spam for any reason - I may has misconscrewed something in that post - no matter now, we're all together here, farting into the wind... From MikeE at ster.invalid Thu Jun 9 11:54:18 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jun 9 13:55:02 2005 Subject: [SC-Help] Re: spamvertisement reporting & a question... References: Message-ID: Jeff G. wrote: > I was actually thinking of a post of a couple weeks ago where you said > one shouldn't be opening spam for any reason - I may has misconscrewed > something in that post - no matter now, we're all together here, > farting into the wind... There are different reasons for different people that they shouldn't be opening or reading their spam. Let's say they are an ordinary citizen non-reporter -- one of the masses. I don't want them getting spam mixed up into their goodmail in their inbox, I don't want them reading spam subjects and getting curious about what is inside, I don't want them opening spam to see if it is spam because they are confused by the subject, I don't want them 'unpledged' to never help or 'buy' a spamvertised item, I don't want them opening spam insecurely, and I definitely don't want them clicking on something they see in a spam. So, I want them configured so that all of their spam is directed away from their inbox. 
I want them securely mentally disciplined so that they can visit a Junk folder and make sure there isn't a goodmail in there while they massively delete all of the spam without opening any of it; and I want them to be able to move the occasional spam in their inbox into the Junk without opening it. I also want them pledged to be completely disinterested in whatever might be inside a spam offering to sell a brand new Crossfire convertible for $1000 because they aren't interested in any product being sold in a spam. Let's say they are a 'simple' spamcop reporter. I don't mean simple mentally. I mean someone who is interested in reporting their spam with spamcop. They aren't a highly skilled javascript deobfuscator or cgi cracker who is tracking down the payment methods or parties on some spammer's website. They are simply receiving their spam and simply reporting it, including its spamvertisers, and simply not reporting innocent bystanders. Maybe they have some additional notifies, but that is fodder for a larger subject. I want that person to be configured so that all of their spam is directed away from their inbox, let's say by spampal or by spamcop mail, and securely mentally disciplined and able to move an occasional spam. They also don't need to be opening their spam for anything. They can submit it to the parser and see its headers which have been 'policed' by spampal or spamassassin and tell that it is spam. They can see the url/s because spamcop has displayed them. They can tell what is or isn't an IB, or they can look at the raw unrendered html if they need to clarify. -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Thu Jun 9 16:17:57 2005 From: nobody at devnull.spamcop.net (Cat) Date: Thu Jun 9 16:20:03 2005 Subject: [SC-Help] Re: spamvertisement reporting & a question... 
In-Reply-To: References: Message-ID: Mike Easter wrote: > I want that person to be configured so that all of their spam is > directed away from their inbox, let's say by spampal or by spamcop mail, > and securely mentally disciplined and able to move an occasional spam. > They also don't need to be opening their spam for anything. They can > submit it to the parser and see its headers which have been 'policed' by > spampal or spamassassin and tell that it is spam. They can see the > url/s because spamcop has displayed them. They can tell what is or > isn't an IB, or they can look at the raw unrendered html if they need to > clarify. Tell that to web based e-mail sites like Yahoo and force them to redesign their site so that you can get that info without opening spam. Like I said before, until sites like Yahoo and Gmail have that ability, the only way anyone can report spam to those addresses is to open it. I don't get spam at my Gmail address, only to my Yahoo address, but I'm certainly not going to give up on spam reporting and resort to a rather wimpy "just hit delete" mode just because there's no way to get raw html without opening it. I have my settings so that images in all e-mail are blocked, so I can open it safely. Resorting to "just hit delete" lets the spammers get away with spamming. I'd much rather be able to report them if it means getting them shut down instead of sticking my head in the sand and ignoring it if it means having to open the spam. I do understand that some spam comes through foreign ISPs where complaints will just be ignored, but I'd rather be able to report the spam so that ISPs that actually disconnect spammers can do something about the situation instead of "just hit delete." Then there are also cases like I mentioned in a previous post where I would have accidentally deleted important e-mail in a few rare cases if I hadn't looked at it because a quick look at the subject and from lines looked a little spammy. 
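Added example, not part of any post in this archive: the "Is this message legit" thread asks how to read the message source to see where a link really goes, and the posts just above talk about checking the raw unrendered html and blocking images. The Python below does that on raw source without rendering it. The sample message is constructed (wording modeled on the quoted notice; user@example.net and the hidden destination 203.0.113.45 are made up), and the function names are this example's own.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample. The wording is modeled on the notice quoted in the thread;
# user@example.net and the hidden destination 203.0.113.45 are made up.
# The body is quoted-printable, as the raw source of much HTML mail is.
SAMPLE_SOURCE = """\
From: webmaster@spamcop.net
To: user@example.net
Subject: Account Alert
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html><body><p>Dear Valued Member,</p>
<p>According to our site policy you will have to confirm your account:</p>
<p><a href=3D"http://203.0.113.45/confirm.php?email=3Duser@example.net">
http://www.spamcop.net/confirm.php?email=3Duser@example.net</a></p>
<p><a href=3D"http://www.spamcop.net/">SpamCop home</a></p>
<img src=3D"http://203.0.113.45/open.gif?id=3Duser@example.net">
</body></html>
"""

WEB = ("http://", "https://")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs and remote image URLs from HTML."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.anchors = []   # (href, visible text) for each <a href="http...">
        self.images = []    # URLs a mail client would fetch when showing images
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            href = (attrs.get("href") or "").strip()
            if href.lower().startswith(WEB):
                self._href, self._text = href, []
        elif tag == "img":
            src = (attrs.get("src") or "").strip()
            if src.lower().startswith(WEB):
                self.images.append(src)

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())
            self.anchors.append((self._href, text))
            self._href = None


def host_of(url):
    """Lowercase hostname of a URL; a bare 'www.example.net/x' is read as http."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def shown_host(text):
    """Host that the visible link text claims, or '' if the text is not URL-like."""
    return host_of(text) if text and " " not in text and "." in text else ""


def analyze(raw_source):
    """Parse raw message source and report where its HTML links really point."""
    msg = message_from_string(raw_source, policy=policy.default)
    collector = LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector.feed(part.get_content())  # undoes quoted-printable/base64
    collector.close()
    mismatched = []
    for href, text in collector.anchors:
        claimed, actual = shown_host(text), host_of(href)
        if claimed and claimed != actual:
            mismatched.append({"shown": claimed, "actual": actual, "href": href})
    return {
        "link_hosts": sorted({host_of(href) for href, _ in collector.anchors}),
        "mismatched": mismatched,
        "remote_images": collector.images,
    }


if __name__ == "__main__":
    for item in analyze(SAMPLE_SOURCE)["mismatched"]:
        print("text shows", item["shown"], "but link goes to", item["actual"])
```

A link whose visible text is not itself a URL (such as "SpamCop home") cannot be flagged as a mismatch this way, so the full host list is returned as well.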
From nobody at devnull.spamcop.net Thu Jun 9 16:26:38 2005 From: nobody at devnull.spamcop.net (Cat) Date: Thu Jun 9 16:30:03 2005 Subject: [SC-Help] Re: spamvertisement reporting & a question... In-Reply-To: References: Message-ID: Cat wrote: > I do > understand that some spam comes through foreign ISPs where complaints > will just be ignored, but I'd rather be able to report the spam so that > ISPs that actually disconnect spammers can do something about the > situation instead of "just hit delete." To add to that, it certainly doesn't HELP spammers if having to open a spam to be able to forward it to report it means actually getting the spammer shut down as opposed to sticking your head in the sand and pretending it's not there just because you can't get the raw html without opening it in web-based e-mail. Aside from almost missing important e-mails because the subject and from looked spammy, if I never looked in my bulk folder to report spam there, I would also miss a few other important e-mails that occasionally hit the bulk folder by accident, although e-mail in those cases is easier to judge as legit by just looking at the subject and from. From MikeE at ster.invalid Thu Jun 9 14:47:57 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jun 9 16:50:03 2005 Subject: [SC-Help] Re: spamvertisement reporting & a question... References: Message-ID: Cat wrote: > Tell that to web based e-mail sites like Yahoo and force them to > redesign their site so that you can get that info without opening > spam. Yes, well I can't fix some things that want to force people to open a mail to properly access it for reporting. Naturally I think such systems should be redesigned. >I have my settings so that > images in all e-mail are blocked, so I can open it safely. There /are/ methods for 'safety-fying' the opening of spam, but some people are very interested in safetyfying because they /want/ to be spamreaders. 
I just attacked another poor soul today in alt.spam for being a spamreader. > Resorting > to "just hit delete" lets the spammers get away with spamming. I don't think I was promoting jhd instead of reporting. My jhd advice is directed toward people who aren't reporting who I want to delete their spam unopened rather than opening their spam. > Then there are also cases like I mentioned in a previous > post where I would have accidentally deleted important e-mail in a > few rare cases if I hadn't looked at it because a quick look at the > subject and from lines looked a little spammy. If a reporter is reporting all of their spam, the reporting process is another chance to 'catch' a goodmail which got put into Junk. When the reporter is reporting something which has headers which contain spampal or spamassassin Xlines, it is highly unlikely they are going to report a goodmail -- similarly the reporting process will be displaying url/s which look spammy or not. With that 'safety feature' a person could put a doubtful mail into Junk without opening it. Then when they parsed their Junk, its goodmail header qualities would be displayed. That 'program' assumes something like a spampal proxy. Having spampal examine your mail's headers and interior is better than you reading subjects and froms and trying to figure out what is spam and ham. Also faster. -- Mike Easter kibitzer, not SC admin From mrichter at cpl.net Fri Jun 10 12:29:57 2005 From: mrichter at cpl.net (Mike Richter) Date: Fri Jun 10 14:30:03 2005 Subject: [SC-Help] Re: Help me guys, whats going on? In-Reply-To: References: Message-ID: Kristoffer Lein wrote: > Today I received this message. I am apparently blocked in some register. > > What to do? > > Failed to deliver to '****@attglobal.net' > SMTP module(domain attglobal.net) reports: > return-path address <****@cqmail.net> rejected by mx2.prserv.net: > 550 RBL block by MX.RBL - Spammer (20050518) > Posted by a (mostly) happy SC user, not an official. 
Your outgoing mail was sent from an (unidentified) IP address which was placed on a blocklist, presumably for being used by a spammer. You are not necessarily the spammer; indeed, it might only be that your IP address is a neighbor of that of a spammer. Since the blocklist cited is not SpamCop's, there is nothing to be done here. If you will provide the IP address, those expert in such matters can give more information. (Indeed, they may be willing to track it down from the sending domain, but the address of the server is both easier to use and able to give unambiguous results.) The solution is to send e-mail from a 'clean' IP address. If you cannot persuade your ISP to do due diligence, then you may have to have recourse to a supplemental account (Yahoo!, hotmail, etc.). Mike -- mrichter@cpl.net http://www.mrichter.com/ From MikeE at ster.invalid Fri Jun 10 13:22:25 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri Jun 10 15:25:03 2005 Subject: [SC-Help] Re: Help me guys, whats going on? References: Message-ID: Mike Richter wrote: > Kristoffer Lein wrote: >> Today I received this message. I am apparently blocked in some >> register. >> >> What to do? >> >> Failed to deliver to '****@attglobal.net' >> SMTP module(domain attglobal.net) reports: >> return-path address <****@cqmail.net> rejected by mx2.prserv.net: >> 550 RBL block by MX.RBL - Spammer (20050518) Altho' we can't tell exactly what is going on, what he's talking about is a from spamcop address. cqmail.net's incoming MXes are mx.cesmail.net & mx2.cesmail.net -- I don't know what spamcop's mail's output servers are -- but the appearance of what he posted is that Kristoffer was mailing from a spamcop account thru' some unknown SC output server and the recipient MX for attglobal.net which was mx2.prserv.net rejected the transaction on the basis of some unknown blocklist. 
Unfortunately the rejection information doesn't carry the spamcop server output IP which was rejected or the name of a blocklist; but the reason Kristoffer is asking here is because this is a spamcop newsgroup. It is actually a mail question I think; and for that reason the expectation is that it be handled somewhere other than in a regular spamcop.help newsgroup.

> Your outgoing mail was sent from an (unidentified) IP address which
> was placed on a blocklist, presumably for being used by a spammer.

An unidentified *spamcop mail* IP address -- wherein the problem.

> You are not necessarily the spammer; indeed, it might only be that
> your IP address is a neighbor of that of a spammer.
>
> Since the blocklist cited is not SpamCop's, there is nothing to be
> done here.

Unless someone in charge of spamcop mail and the spamcop mail output servers gets down to the bottom of it.

> If you will provide the IP address, those expert in such
> matters can give more information. (Indeed, they may be willing to
> track it down from the sending domain, but the address of the server
> is both easier to use and able to give unambiguous results.)
>
> The solution is to send e-mail from a 'clean' IP address. If you
> cannot persuade your ISP to do due diligence, then you may have to
> have recourse to a supplemental account (Yahoo!, hotmail, etc.).

See how terrible it all sounds when your mail provider is spamcop?

--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Fri Jun 10 16:32:35 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Fri Jun 10 16:35:03 2005
Subject: [SC-Help] Re: Help me guys, whats going on?
References:
Message-ID:

"Kristoffer Lein" wrote in message
news:koffer-96217F.17264810062005@news.cesmail.net...
> Today I received this message. I am apparently blocked in some register.
>
> What to do?
>
> Failed to deliver to '****@attglobal.net'
> SMTP module(domain attglobal.net) reports:
> return-path address <****@cqmail.net> rejected by mx2.prserv.net:
> 550 RBL block by MX.RBL - Spammer (20050518)

Though the error is a bit different, it does involve some part of AT&T ... there is a bit more data in a discussion "over there"
http://forum.spamcop.net/forums/index.php?showtopic=4321

As stated in other responses, a bit more detail would have to be offered in order to try to chase this one down also. No, I've not received any feedback yet.

From anon at coks.net Fri Jun 10 18:57:10 2005
From: anon at coks.net (Jeff G.)
Date: Fri Jun 10 21:00:02 2005
Subject: [SC-Help] methods used...
Message-ID:

Following is a quote from a knowledgeable fellow from another ng - what's wrong with this theory, if anything, aside from the fact that most folks don't have the time with just 30-40 spams per day?
I mean, come on, in a week or two??

It's simple
>>Get spam.
>>Go to website in spam
>> To see if it exists
>> Do a traceroute to the site to see who hosts it
>> Report the site to the host
>>do the same for any website in the spam that provides images (may not be
>>the same host)
>>and the same for any 'sign off' website in the spam (again, may not be
>>the same host)
>>
>>The host will close the site, costing the spammer money (most webhosts
>>don't refund monies when closed for cause)
>>he may open new sites, if he spams for them, you close them as well.
>>
>>You can do this with programs that come with your computer system, or
>>you can employ such as Visual Route or NeoTrace that combine them
>>
>>It won't be automatic, you may have to do this for a week or two before
>>seeing results. Within a month, generally, you will start to see
>>reductions in spam, keep it up, and in 3 months you will usually see a
>>quite massive reduction in spam. Keep it up and in 6 months or so, you
>>(or that account) will be virtually spam free.
>>It won't stop it
>>completely, but it will reduce it to a level far more manageable. I.e.
>>200 spam per day down to 3 or 4 per week (and if you continue to do it,
>>even that will in time come down)

From MikeE at ster.invalid Fri Jun 10 19:36:13 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Jun 10 21:40:03 2005
Subject: [SC-Help] Re: methods used...
References:
Message-ID:

Jeff G. wrote:
> Following is a quote from a knowledgeable fellow from another ng -
> what's wrong with this theory, if anything, aside from the fact that
> most folks don't have the time with just 30-40 spams per day?
> I mean, come on, in a week or two??

The 'fundamentals' of notifying the spamvertiser provider are based on the concept that a whitehat provider doesn't want the client to be spamming; and when you report to the provider of the spamvertiser, the provider will shut down the website. Then, ostensibly the dejected spammer will give up spamming forever and go away.

> It's simple
>>> Get spam.
>>> Go to website in spam
>>> To see if it exists
>>> Do a traceroute to the site to see who hosts it
>>> Report the site to the host

This is a description of a rather foolish way to go about finding who the provider for the website is, because you can make that determination without actually opening the spam and letting it exercise your browser to take you to the site. You can determine the link in the spam without opening it, you can use some tool such as SamSpade's GET function or web based similars so that you determine the true location of the spamsite if it has been redirected from the 'original' as it appears in the raw unopened spam.

Spamcop does the 'straightforward' ones for you, but it doesn't determine anything but the simplest of redirectors in which the redirection is built into the original link, such as a yahoo redirector.

But, the overall point remains -- 'report the site to the host'.
>>> do the same for any website in the spam that provides images (may
>>> not be the same host)
>>> and the same for any 'sign off' website in the spam (again, may not
>>> be the same host)

Theoretically images may be hosted on another site. Spamcop's reporting doesn't report to the providers of images. Theoretically the remove may be hosted at another site. The business about notifying for a remove is a subject which I personally consider of some controversy. We will temporarily skip past the controversy and say that spamcop's reporting does routinely report to the provider of a remove site.

>>> The host will close the site, costing the spammer money (most
>>> webhosts don't refund monies when closed for cause)

This part is sadly rarely, almost never, true. If it were true more often than rarely, the reporting would be doing a lot more good than it is actually doing. What generally happens when you report the spamvertiser to the provider/host whether you do it by spamcop or manually is absolutely nothing.

>>> he may open new sites, if he spams for them, you close them as well.

That's the whole idea behind the reporting which we wish would work that way.

>>> You can do this with programs that come with your computer system,
>>> or you can employ such as Visual Route or NeoTrace that combine them

The business about how you go about determining who/how to notify, whether you use spamcop or whether you use other tools or whether you use spamcop and many other tools is part of what we talk about around here.

>>> It won't be automatic, you may have to do this for a week or two
>>> before seeing results. Within a month, generally, you will start
>>> to see reductions in spam, keep it up, and in 3 months you will
>>> usually see a quite massive reduction in spam. Keep it up and in 6
>>> months or so, you (or that account) will be virtually spam free.
>>> It won't stop it completely, but it will reduce it to a level far
>>> more manageable. I.e.
>>> 200 spam per day down to 3 or 4 per week (and
>>> if you continue to do it, even that will in time come down)

Blahblahblah. That all sounds nice, except for the part about the providers you are notifying not being whitehat, but distinctly blackhat and unresponsive.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Fri Jun 10 20:13:44 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Jun 10 22:15:02 2005
Subject: [SC-Help] Re: methods used...
References:
Message-ID:

Jeff G. wrote:
> It's simple
>>> Report the site to the host

Now that I've painted that other gloomy story; I'll tell another story.

If you turn yourself into a sufficiently effective manual notifier; in which your notifies are succinct and to the point and accurate and valid about what you are notifying about -- and include in those notifies upstreams and parents for things like listed unresponsives and why, and for no abuse.net reg'd abuse contacts, and include a fair number of contacts at each of the providers, on the chance that there might be a language barrier, say about 4 for each -- so that the blackhats are seeing whoall you are notifying and why they are being notified -- and you do this all unmunged and from the spammed address because your attitude is that you don't have anything against listwashing, because your principle function in life is to protect your inbox -- you may see some results.

What may happen is that your spammed address may get branded as an 'anti-' -- an antispam 'troublemaker' who notifies pertinent addresses which result in some feedback even to the blackhat providers that those parents or upstreams are concerned about these little troubles and they are tired of hearing about it, and is it really true that there isn't an abuse address and why don't they do something about that and is it really true that they are spews and spamhaus listed blah blah.

The blackhat sometimes doesn't like for their providers' providers to be getting notified.
Of course when upstreams are getting involved there may be several, each of which has a few legitimate contact addresses.

The consequence of becoming 'anti-' listed can result in the address getting itself listwashed and getting less spam.

Some spam reporters don't believe in 'inviting' listwashing -- other reporters are afraid that unmungeing will result in retaliation.

Some reporters write long or 'nasty' notifies. I believe that a notify should only contain the briefest of information, just enough so that there won't be any confusion about why the entity was notified -- not a lecture on why spam is bad or how many times someone has been notified or anything like that.

It only takes one word to say 'unresponsive' well, maybe 3 if you say 'unresponsive to notifies' and a couple or three more to say 'spews & spamhaus listed'. Then, a few more words about 'no abuse.net reg'd contact'. You can get that stuff on a line or so and have a little template that you just fill in. There are some examples of good notifies in the newsgroup nana-sightings.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Fri Jun 10 20:25:22 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Jun 10 22:30:04 2005
Subject: [SC-Help] Re: methods used...
References:
Message-ID:

Mike Easter wrote:
> It only takes one word to say 'unresponsive' well, maybe 3 if you say
> 'unresponsive to notifies' and a couple or three more to say 'spews &
> spamhaus listed'. Then, a few more words about 'no abuse.net reg'd
> contact'. You can get that stuff on a line or so and have a little
> template that you just fill in. There are some examples of good
> notifies in the newsgroup nana-sightings.

That may cause some confusion. I'm not talking about telling the spamvertiser provider that they are unresponsive to notifies. I'm notifying the spamvertiser provider 'simply' because they are the provider for the spamsite. That's all.
I'm 'talking to' the upstreams or parent about why I'm notifying /them/. I'm notifying these several contacts for the upstreams because their child or downstream is unresponsive to notifies and/or is spews and spamhaus listed and/or doesn't have an abuse.net reg'd contact.

Each notified entity has its own little line/section about why it is being notified. There is a good and legitimate reason for notifying each address in the To: section -- which might contain quite a few addresses for a single spam.

--
Mike Easter
kibitzer, not SC admin

From h9vzc2i02 at sneakemail.com Fri Jun 10 20:40:25 2005
From: h9vzc2i02 at sneakemail.com (Anon_)
Date: Fri Jun 10 22:40:04 2005
Subject: [SC-Help] Re: methods used...
References:
Message-ID:

"Jeff G." wrote in message
news:d8dcqq$hu7$1@news.spamcop.net...
> Following is a quote from a knowledgeable fellow from another ng - what's
> wrong with this theory, if anything, aside from the fact that most folks
> don't have the time with just 30-40 spams per day?
> I mean, come on, in a week or two??
>
>
> It's simple
> >>Get spam.
> >>Go to website in spam
> >> To see if it exists

**
Error number one - you have confirmed that YOUR e-mail address is a good, live, responsive one - which guarantees that you will get MORE spam from them and anyone whom they wish to sell, give, or furnish your address to.

--
A SpamCop user and forum reader, Not Admin
***

From anon at coks.net Fri Jun 10 20:49:07 2005
From: anon at coks.net (Jeff G.)
Date: Fri Jun 10 22:50:01 2005
Subject: [SC-Help] Re: methods used...
In-Reply-To:
References:
Message-ID:

On 6/10/2005 6:36 PM Mike Easter scribbled:
>
> Blahblahblah. That all sounds nice, except for the part about the
> providers you are notifying not being whitehat, but distinctly blackhat
> and unresponsive.
>

so basically, the guy's blowing smoke. That's my take.
OR he's spending an inordinate amount of time at nailing specific spamvertisers, which takes us back to Holden Caulfield.
My only point here is the amount of misinformation being ladled out to the masses...

From anon at coks.net Fri Jun 10 21:03:55 2005
From: anon at coks.net (Jeff G.)
Date: Fri Jun 10 23:05:03 2005
Subject: [SC-Help] Re: methods used...
In-Reply-To:
References:
Message-ID:

On 6/10/2005 7:40 PM Anon_ scribbled:
> "Jeff G." wrote in message
> news:d8dcqq$hu7$1@news.spamcop.net...
>
>>Following is a quote from a knowledgeable fellow from another ng - what's
>>wrong with this theory, if anything, aside from the fact that most folks
>>don't have the time with just 30-40 spams per day?
>>I mean, come on, in a week or two??
>>
>>
>>It's simple
>>
>>>>Get spam.
>>>>Go to website in spam
>>>> To see if it exists
>
>
> **
> Error number one - you have confirmed that YOUR e-mail address is a good,
> live, responsive one - which guarantees that you will get MORE spam from
> them and anyone whom they wish to sell, give, or furnish your address to.
>

unless they decide to steer clear of you since you cause trouble, which seems to be a possibility. But seems to be that ya gotta spend a lot of time at it, which most commonfolk don't have.
Which is why we are here...

From bar_n0ne at hotmail.com Sat Jun 11 11:08:36 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Sat Jun 11 02:10:02 2005
Subject: [SC-Help] Re: Help me guys, whats going on?
References:
Message-ID:

"Mike Richter" wrote in message
news:d8cm6u$5ct$1@news.spamcop.net...
> Kristoffer Lein wrote:
SNIP
> > return-path address <****@cqmail.net> rejected by mx2.prserv.net:
> > 550 RBL block by MX.RBL - Spammer (20050518)
SNIP
> The solution is to send e-mail from a 'clean' IP address. If you cannot
> persuade your ISP to do due diligence, then you may have to have
> recourse to a supplemental account (Yahoo!, hotmail, etc.).

until about a year ago, cq net was Alan Ralsky's playground (AFAIK), and almost all spam-vertizing and a lot of spam originated or was hosted from there.
It got on a lot of blacklists as a result that aren't necessarily updated very often, if ever.

Frankly, I think tough s**t, that ISP spammed the hell out of me for a couple of years and if it and its customers now suffer a couple of years more from now, well, it's karma and deserved.

It now looks like most big time spammers have moved to CRC (tietong) and they too will find themselves in the situation you are in, even if they clean up as cq net appears to have done.

I guess it's time to look at the router tables and local block lists again. ;)

From nobody at spamcop.net Sat Jun 11 00:50:12 2005
From: nobody at spamcop.net (N. Miller)
Date: Sat Jun 11 02:55:02 2005
Subject: [SC-Help] Re: Help me guys, whats going on?
References:
Message-ID: <1sej63jox41f0$.dlg@news.spamcop.net>

On Sat, 11 Jun 2005 10:08:36 +0400, Berny wrote:
> "Mike Richter" wrote in message
> news:d8cm6u$5ct$1@news.spamcop.net...
>> Kristoffer Lein wrote:
> SNIP
>>> return-path address <****@cqmail.net> rejected by mx2.prserv.net:
>>> 550 RBL block by MX.RBL - Spammer (20050518)
> SNIP
>> The solution is to send e-mail from a 'clean' IP address. If you cannot
>> persuade your ISP to do due diligence, then you may have to have
>> recourse to a supplemental account (Yahoo!, hotmail, etc.).
>
> until about a year ago, cq net was Alan Ralsky's playground (AFAIK), and
> almost all spam-vertizing and a lot of spam originated or was hosted from
> there. It got on a lot of blacklists as a result that aren't necessarily
> updated very often, if ever.

Just wondering what "cq net" has to do with this? I can't find a connection.

--
Norman
~Shine, bright morning light,
~now in the air the spring is coming.
~Sweet, blowing wind,
~singing down the hills and valleys.

From big_mart_98 at yahoo.com Sat Jun 11 09:24:03 2005
From: big_mart_98 at yahoo.com (Martin Edwards)
Date: Sat Jun 11 03:25:02 2005
Subject: [SC-Help] Re: methods used...
In-Reply-To:
References:
Message-ID:

Jeff G.
wrote:
> On 6/10/2005 7:40 PM Anon_ scribbled:
>
>
>>"Jeff G." wrote in message
>>news:d8dcqq$hu7$1@news.spamcop.net...
>>
>>
>>>Following is a quote from a knowledgeable fellow from another ng - what's
>>>wrong with this theory, if anything, aside from the fact that most folks
>>>don't have the time with just 30-40 spams per day?
>>>I mean, come on, in a week or two??
>>>
>>>
>>>It's simple
>>>
>>>
>>>>>Get spam.
>>>>>Go to website in spam
>>>>> To see if it exists
>>
>>
>>**
>>Error number one - you have confirmed that YOUR e-mail address is a good,
>>live, responsive one - which guarantees that you will get MORE spam from
>>them and anyone whom they wish to sell, give, or furnish your address to.
>>
>
> unless they decide to steer clear of you since you cause trouble, which
> seems to be a possibility. But seems to be that ya gotta spend a lot of
> time at it, which most commonfolk don't have.
> Which is why we are here...

Just so: an interesting thread, but I'll stick with the Web form for now.

From bar_n0ne at hotmail.com Sat Jun 11 14:26:05 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Sat Jun 11 05:30:13 2005
Subject: [SC-Help] Re: Help me guys, whats going on?
References: <1sej63jox41f0$.dlg@news.spamcop.net>
Message-ID:

"N. Miller" wrote in message
news:1sej63jox41f0$.dlg@news.spamcop.net...
> On Sat, 11 Jun 2005 10:08:36 +0400, Berny wrote:
>
> > "Mike Richter" wrote in message
> > news:d8cm6u$5ct$1@news.spamcop.net...
> >> Kristoffer Lein wrote:
> > SNIP
> >>> return-path address <****@cqmail.net> rejected by mx2.prserv.net:
> >>> 550 RBL block by MX.RBL - Spammer (20050518)
> > SNIP
> Just wondering what "cq net" has to do with this? I can't find a
> connection.

umm... apologies (mine) are maybe in order, I saw cqmail.net and connected it with cq-net

From anon at coks.net Sat Jun 11 09:15:03 2005
From: anon at coks.net (Jeff G.)
Date: Sat Jun 11 11:15:03 2005
Subject: [SC-Help] Re: methods used...
In-Reply-To:
References:
Message-ID:

On 6/11/2005 12:24 AM Martin Edwards scribbled:
> Jeff G. wrote:
>
>>On 6/10/2005 7:40 PM Anon_ scribbled:
>>
>>
>>
>>>"Jeff G." wrote in message
>>>news:d8dcqq$hu7$1@news.spamcop.net...
>>>
>>>
>>>
>>>>Following is a quote from a knowledgeable fellow from another ng - what's
>>>>wrong with this theory, if anything, aside from the fact that most folks
>>>>don't have the time with just 30-40 spams per day?
>>>>I mean, come on, in a week or two??
>>>>
>>>>
>>>>It's simple
>>>>
>>>>
>>>>
>>>>>>Get spam.
>>>>>>Go to website in spam
>>>>>> To see if it exists
>>>
>>>
>>>**
>>>Error number one - you have confirmed that YOUR e-mail address is a good,
>>>live, responsive one - which guarantees that you will get MORE spam from
>>>them and anyone whom they wish to sell, give, or furnish your address to.
>>>
>>
>>unless they decide to steer clear of you since you cause trouble, which
>>seems to be a possibility. But seems to be that ya gotta spend a lot of
>>time at it, which most commonfolk don't have.
>>Which is why we are here...
>
>
> Just so: an interesting thread, but I'll stick with the Web form for now.

As will I, since the convenience can't be matched. Lack of concrete results, however, is grating...

From MikeE at ster.invalid Sat Jun 11 11:27:10 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sat Jun 11 13:30:04 2005
Subject: [SC-Help] Re: methods used...
References:
Message-ID:

Jeff G. wrote:
> Anon_ scribbled:
>> "Jeff G."
>>>>> Get spam.
>>>>> Go to website in spam
>>>>> To see if it exists
>>
>>
>> **
>> Error number one - you have confirmed that YOUR e-mail address is a
>> good, live, responsive one - which guarantees that you will get MORE
>> spam from them and anyone whom they wish to sell, give, or furnish
>> your address to.
What Anon is talking about is that when you open a spam and click on its link, the link itself can be uniquely configured for you; besides the fact that a webbug can be configured for your identity. These unique identifiers characterize you as a spam opener and a spam believer, which makes you a spammee -- someone who needs to be on more lists.

> unless they decide to steer clear of you since you cause trouble,
> which seems to be a possibility.

There is nothing about being a spam opener and a spam believer that makes anyone steer clear of you because you are trouble, but rather makes you a spammee.

Keep in mind what is happening all the time and what isn't happening almost all the time. What is happening all of the time is spamming, and lists growing longer or bigger. What isn't happening at all is any kind of removal from any lists for any reasons, except rarely.

What is also happening occasionally is webbugging and special list creation for adding people to other lists.

> But seems to be that ya gotta spend
> a lot of time at it, which most commonfolk don't have.

The business of getting branded or labeled as an anti- is not something that happens very much at all -- and not everyone agrees with facilitating listwashing. The standard SC configuration is to munge and to separate the reporter from the report, just the opposite of notifying unmunged from the spammed address.

> Which is why we are here...

Spamcop's parsing and notifying is real fast. Manual determination of better notifies and completion of a manual notify template is considerably slower.

--
Mike Easter
kibitzer, not SC admin

From steve at prolynx.com Sat Jun 11 15:46:26 2005
From: steve at prolynx.com (Steve Sybesma)
Date: Sat Jun 11 16:50:03 2005
Subject: [SC-Help] Automation
Message-ID:

Hello all,

I use Win98SE and OE6. (By preference, not necessity.)

Looking for some way to automate the sending of spam to the 'quick' e-mail address I use for SpamCop.
I would like to selectively highlight mail that I consider spam (which is why I don't want to use a program like MailWasher, etc.), then be able to right-click and have a context menu item similar to "Forward As Attachment" which takes it the next few steps so that I don't have to select the group send that I use (SpamCop, the FTC and my ISP) and I don't have to hit 'Send' and 'Delete'.

I want to make it every bit as easy to report spam as it is to delete it.

This will be an encouragement to anyone who still uses Outlook Express 6 to do their spam reports.

Steve
Thornton, CO

From anon at coks.net Sat Jun 11 15:13:12 2005
From: anon at coks.net (Jeff G.)
Date: Sat Jun 11 17:15:03 2005
Subject: [SC-Help] Re: methods used...
In-Reply-To:
References:
Message-ID:

On 6/11/2005 10:27 AM Mike Easter scribbled:
> Jeff G. wrote:
>
>>Anon_ scribbled:
>>
>>>"Jeff G."
>
>
>>>>>>Get spam.
>>>>>>Go to website in spam
>>>>>> To see if it exists
>>>
>>>
>>>**
>>>Error number one - you have confirmed that YOUR e-mail address is a
>>>good, live, responsive one - which guarantees that you will get MORE
>>>spam from them and anyone whom they wish to sell, give, or furnish
>>>your address to.
>
>
> What Anon is talking about is that when you open a spam and click on its
> link, the link itself can be uniquely configured for you; besides the
> fact that a webbug can be configured for your identity. These unique
> identifiers characterize you as a spam opener and a spam believer, which
> makes you a spammee -- someone who needs to be on more lists.
>
>

I understood what anon was saying, Mike - don't forget I had supplied a quote from another - those are his words that anon was responding to...

>>unless they decide to steer clear of you since you cause trouble,
>>which seems to be a possibility.
>
>
> There is nothing about being a spam opener and a spam believer that
> makes anyone steer clear of you because you are trouble, but rather
> makes you a spammee.
Same other guy was claiming otherwise. I tend to agree with you that it seems unlikely to happen, since if it in fact did, more would do it...

>
> Keep in mind what is happening all the time and what isn't happening
> almost all the time. What is happening all of the time is spamming, and
> lists growing longer or bigger. What isn't happening at all is any kind
> of removal from any lists for any reasons, except rarely.
>
> What is also happening occasionally is webbugging and special list
> creation for adding people to other lists.
>
>
>> But seems to be that ya gotta spend
>>a lot of time at it, which most commonfolk don't have.
>
>
> The business of getting branded or labeled as an anti- is not something
> that happens very much at all -- and not everyone agrees with
> facilitating listwashing. The standard SC configuration is to munge and
> to separate the reporter from the report, just the opposite of notifying
> unmunged from the spammed address.
>
>
>>Which is why we are here...
>
>
> Spamcop's parsing and notifying is real fast. Manual determination of
> better notifies and completion of a manual notify template is
> considerably slower.

Thought that was what I was implying at the end.

BTW the SC server seems to drag real bad at certain times - there are probably times of the day where traffic is heaviest.
Got any useful stats on that?

From nobody at devnull.spamcop.net Sat Jun 11 17:40:52 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Sat Jun 11 17:45:03 2005
Subject: [SC-Help] Re: methods used...
References:
Message-ID:

"Jeff G." wrote in message
news:d8fk2r$p27$1@news.spamcop.net...
>
> BTW the SC server seems to drag real bad at certain times - there are
> probably times of the day where traffic is heaviest.
> Got any useful stats on that?
http://www.spamcop.net/spamgraph.shtml?spamstats
http://www.spamcop.net/spamgraph.shtml?spamweek

From MikeE at ster.invalid Sat Jun 11 15:47:43 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sat Jun 11 17:50:02 2005
Subject: [SC-Help] Re: methods used...
References:
Message-ID:

WazoO wrote:
> "Jeff G."
>>
>> BTW the SC server seems to drag real bad at certain times - there are
>> probably times of the day where traffic is heaviest.
>> Got any useful stats on that?
>
> http://www.spamcop.net/spamgraph.shtml?spamstats
> http://www.spamcop.net/spamgraph.shtml?spamweek

I was just coming in here to post the link for the week, which I think shows it better than the day one, but WazoO beat me.

--
Mike Easter
kibitzer, not SC admin

From hendrik_maryns at despammed.com Sun Jun 12 02:10:20 2005
From: hendrik_maryns at despammed.com (Hendrik Maryns)
Date: Sat Jun 11 19:10:03 2005
Subject: [SC-Help] Re: cancel report
In-Reply-To:
References:
Message-ID:

WazoO wrote the following text on 7/06/2005 3:32:
> "Hendrik Maryns" wrote in message
> news:d7tc0a$c39$1@news.spamcop.net...
>
>>WazoO wrote the following text on 5/06/2005 0:18:
>>
>>>How can I unsend a Report?
>>>http://forum.spamcop.net/forums/index.php?showtopic=138
>>
>>Ok, but I can't find a report ID under the Past Reports. I found the
>>report and the associated addresses though. So should I just send them
>>an e-mail with my apologies then?
>
>
> I plead stupid (though noting that the re-look has caused the
> referenced Forum FAQ item to be updated twice since that
> last post) .... every report I see in my "report history" has a
> Report ID. (Then again, I am a free-report only account
> holder and most of my Report History items are 'cancelled'?)
> I would have to suggest that if there is no Report ID, there
> was no report sent out. Is it possible you're a Mole reporter?
Ok, this is what I find under Sent Reports:

Submitted: Thursday, May 26, 2005 22:33:25 +0200:
Your Report (Review ID: 453954) - Minor typo in documentation of Collection

* 1433856541 ( http://java.sun.com/support/index.html ) To: abuse#above.net@devnull.spamcop.net
* 1433856535 ( http://java.sun.com/j2se/1.5.0/docs/api/java/ut... ) To: abuse#above.net@devnull.spamcop.net
* 1433856519 ( 129.147.62.1 ) To: spamcop@imaphost.com
* 1433856507 ( http://bugs.sun.com/bugdatabase/index.jsp ) To: postmaster@sun.com
* 1433856506 ( 129.147.62.1 ) To: postmaster@sun.com
* 1433856495 ( http://bugs.sun.com/bugdatabase/index.jsp ) To: abuse#sun.com@devnull.spamcop.net
* 1433856430 ( 129.147.62.1 ) To: abuse#sun.com@devnull.spamcop.net

if you can tell me what the report ID is, please tell me. BTW: the Review ID 453954 is something from sun, not from Spamcop.

Thanks for the help so far.

H.

--
Hendrik Maryns

Interesting websites:
www.lieverleven.be (I cooperate)
www.eu04.com European Referendum Campaign
aouw.org The Art Of Urban Warfare

From SCNews.5.myspamgobbler at spamgourmet.com Sat Jun 11 18:40:41 2005
From: SCNews.5.myspamgobbler at spamgourmet.com (Brian (SnSR))
Date: Sat Jun 11 20:45:03 2005
Subject: [SC-Help] Re: cancel report
In-Reply-To:
References:
Message-ID:

Hendrik Maryns wrote:
> WazoO wrote the following text on 7/06/2005 3:32:
>
>> "Hendrik Maryns" wrote in message
>> news:d7tc0a$c39$1@news.spamcop.net...
>>
>>> WazoO wrote the following text on 5/06/2005 0:18:
>>>
>>>> How can I unsend a Report?
>>>> http://forum.spamcop.net/forums/index.php?showtopic=138
>>>
>>>
>>> Ok, but I can't find a report ID under the Past Reports. I found the
>>> report and the associated addresses though. So should I just send them
>>> an e-mail with my apologies then?
>>
>>
>>
>> I plead stupid (though noting that the re-look has caused the
>> referenced Forum FAQ item to be updated twice since that
>> last post) .... every report I see in my "report history" has a
>> Report ID.
>> (Then again, I am a free-report only account
>> holder and most of my Report History items are 'cancelled'?)
>> I would have to suggest that if there is no Report ID, there
>> was no report sent out. Is it possible you're a Mole reporter?
>
>
> Ok, this is what I find under Sent Reports:
>
> Submitted: Thursday, May 26, 2005 22:33:25 +0200:
> Your Report (Review ID: 453954) - Minor typo in documentation of Collection
>
> * 1433856541 ( http://java.sun.com/support/index.html ) To:
> abuse#above.net@devnull.spamcop.net
> * 1433856535 ( http://java.sun.com/j2se/1.5.0/docs/api/java/ut... )
> To: abuse#above.net@devnull.spamcop.net
> * 1433856519 ( 129.147.62.1 ) To: spamcop@imaphost.com
> * 1433856507 ( http://bugs.sun.com/bugdatabase/index.jsp ) To:
> postmaster@sun.com
> * 1433856506 ( 129.147.62.1 ) To: postmaster@sun.com
> * 1433856495 ( http://bugs.sun.com/bugdatabase/index.jsp ) To:
> abuse#sun.com@devnull.spamcop.net
> * 1433856430 ( 129.147.62.1 ) To: abuse#sun.com@devnull.spamcop.net
>
> if you can tell me what the report ID is, please tell me. BTW: the
> Review ID 453954 is something from sun, not from Spamcop.
>
> Thanks for the help so far.
>
> H.
>

The report ID's are 1433856541 and the rest. The only report that actually got sent was to postmaster [at] sun [dot] com. Send them an apology CC'd to spamcop deputies.

From MikeE at ster.invalid Sat Jun 11 18:47:59 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sat Jun 11 20:50:03 2005
Subject: [SC-Help] Re: cancel report
References:
Message-ID:

Hendrik Maryns wrote:
> I accidentally reported a false email: I saw that just after hitting
> the Report button...
>
> What should I do to cancel/undo/whatever?
>
> It concerns java.sun.com, so I guess they won't really bother, but
> just to know when this happens again...

Hendrik Maryns wrote:
> Ok, this is what I find under Sent Reports:
>
> Submitted: Thursday, May 26, 2005 22:33:25 +0200:
> Your Report (Review ID: 453954) - Minor typo in documentation of
> Collection
>
> * 1433856541 ( http://java.sun.com/support/index.html ) To:
> abuse#above.net@devnull.spamcop.net
> * 1433856535 (
> http://java.sun.com/j2se/1.5.0/docs/api/java/ut... ) To:
> abuse#above.net@devnull.spamcop.net
> * 1433856519 ( 129.147.62.1 ) To: spamcop@imaphost.com
> * 1433856507 ( http://bugs.sun.com/bugdatabase/index.jsp ) To:
> postmaster@sun.com
> * 1433856506 ( 129.147.62.1 ) To: postmaster@sun.com
> * 1433856495 ( http://bugs.sun.com/bugdatabase/index.jsp ) To:
> abuse#sun.com@devnull.spamcop.net
> * 1433856430 ( 129.147.62.1 ) To:
> abuse#sun.com@devnull.spamcop.net
>
> if you can tell me what the report ID is, please tell me. BTW: the
> Review ID 453954 is something from sun, not from Spamcop.

If I go to my past reports at spamcop at http://www.spamcop.net/mcgi?action=showhistory -- that same link should be /your/ past reports, in a different configuration than what you posted. -- I see reportid #s like

1444596165
1442498783
1441644256

which tell me where each of those reports went.

*and also*.....

.... and also when I click on a reportid number like above, it takes me to a parse of that particular spam.

But... I can't look at the spam from your own report id, because if I feed the reportid gizmo at http://www.spamcop.net/mcgi?action=histmenu one of your report id/s, such as 1433856541 I can see a report which looks like what you posted above, but when I click on the link attached to each reportid number, it doesn't take me to the parse of the spam, because those aren't mine.

If you go to the last link I posted and feed it one of my reports such as 1444596165 -- you will see what I mean.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Sat Jun 11 18:53:47 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sat Jun 11 20:55:02 2005
Subject: [SC-Help] Re: cancel report
References:
Message-ID:

Brian (SnSR) wrote:
> The report ID's are 1433856541 and the rest. The only report that
> actually got sent was to postmaster [at] sun [dot] com. Send them an
> apology CC'd to spamcop deputies.

Brian's answer is much much better than what I said. ;-)

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Sun Jun 12 08:38:27 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Jun 12 10:40:03 2005
Subject: [SC-Help] Re: Help me guys, whats going on?
References:
Message-ID:

Kristoffer Lein wrote:
> "Mike Easter"
>> Unfortunately the rejection information doesn't carry the spamcop
>> server output IP which was rejected or the name of a blocklist; but
>> the reason Kristoffer is asking here is because this is a spamcop
>> newsgroup. It is actually a mail question I think; and for that
>> reason the expectation is that it be handled somewhere other than in
>> a regular spamcop.help newsgroup.
>
> I do have a Spamcop email-account. Should I ask questions regarding
> this in some other newsgroup?

The problem is that JT would rather support mail related issues in a webforum. Those of us who are not JT would rather do support in news like this, but we are limited in our scope and abilities. I'm not a SC mail client so I don't know some SC mail things except what I read, except in 'general' terms.

If you had to go to the forum, the mail forum is here http://forum.spamcop.net/forums/index.php?showforum=4 SpamCop Email System & Accounts

> This information, the Spamcop server output and the name of the
> blocklist, would it help if I posted the entire message including
> headers?

The best way to post a complete mail is not to post it in here, but to submit it to the webparser as if it were a spam, then after the item is parsed the parser provides a tracking url or tracker. You copy that tracker and then cancel the report, since it isn't a spam. Then you paste the tracker into the news message here. The tracker provides access to the entire mail in 'storage'.

This is a tracker and its environment

Here is your TRACKING URL - it may be saved for future reference:
http://www.spamcop.net/sc?id=z773461900z01c46ac69539f51ad885c14087bfc12az

> And also - I send many mails that don't get rejected. Should I worry
> about this problem at all?

I think we should figure out what is going on. If a spamcop mail output server is getting itself onto some kind of blocklist that is worth knowing about. If I know a mail output server's IP I can find out what published/public blocklists it is on.

--
Mike Easter
kibitzer, not SC admin

From mrichter at cpl.net Sun Jun 12 08:56:22 2005
From: mrichter at cpl.net (Mike Richter)
Date: Sun Jun 12 11:00:04 2005
Subject: [SC-Help] Re: Help me guys, whats going on?
In-Reply-To:
References:
Message-ID:

Kristoffer Lein wrote:
> In article ,
> Mike Richter wrote:
>
>
>>Your outgoing mail was sent from an (unidentified) IP address which was
>>placed on a blocklist, presumably for being used by a spammer. You are
>>not necessarily the spammer; indeed, it might only be that your IP
>>address is a neighbor of that of a spammer.
>
>
> Is this my ISP's smtp-server that is blacklisted?
>
>
>
>>Since the blocklist cited is not SpamCop's, there is nothing to be done
>>here. If you will provide the IP address, those expert in such matters
>>can give more information. (Indeed, they may be willing to track it down
>>from the sending domain, but the address of the server is both easier to
>>use and able to give unambiguous results.)
>
>
> Tell me what IP you need Mike, I will post it to you. I didn't post the
> email addresses for obvious reasons.
>
>
>
>>The solution is to send e-mail from a 'clean' IP address. If you cannot
>>persuade your ISP to do due diligence, then you may have to have
>>recourse to a supplemental account (Yahoo!, hotmail, etc.).
>
>
> Will it solve the problem if I set up a local smtp?

1. Yes, it is your ISP's SMTP server that found its way onto a blacklist.

2. The IP address needed is that which was blacklisted, usually that from which the bounced e-mail was sent. However, I repeat that there are experts on this list; I am far from that so I urge you not to suggest private dialogue. (I have in fact done a bit of the diagnostic work others here accomplish routinely. My conclusion was that they have the skills and tools; I might acquire them with dedication I lack.)

3. Unfortunately, as long as you are using a bad server address, you'll be stuck with what else is sent from it. Note that many blacklists believe in guilt by association: if you are in a block with notorious spammers, you may be listed. SpamCop used that approach only briefly and returned to 'innocent until proven guilty' - a policy to which it now adheres.

If there were a credible identification of the source below IP address, no doubt that would be used and problems such as yours would vanish. Unfortunately, the only lower-level information the protocol allows is From and Reply to - both of which are forged routinely.

Mike
--
mrichter@cpl.net
http://www.mrichter.com/

From edb2000 at spamcop.net Sun Jun 12 11:02:40 2005
From: edb2000 at spamcop.net (Don Wannit)
Date: Sun Jun 12 13:05:03 2005
Subject: [SC-Help] Re: methods used...
In-Reply-To:
References:
Message-ID:

Jeff G. wrote:
> unless they decide to steer clear of you since you cause trouble, which
> seems to be a possibility.

Not likely. Otherwise I wouldn't be getting all the spam sent to our abuse@ address. And spammers would avoid sending spam to any @spamcop.net address.

--
Don Wannit
A paid SpamCop user since 1999

From anon at coks.net Sun Jun 12 14:14:43 2005
From: anon at coks.net (Jeff G.)
Date: Sun Jun 12 16:15:02 2005
Subject: [SC-Help] cnc.noc
Message-ID:

Looks like cnc.noc.net is non-responsive - surprise.
And the volume seems to be going up...

From hendrik_maryns at despammed.com Mon Jun 13 02:04:58 2005
From: hendrik_maryns at despammed.com (Hendrik Maryns)
Date: Sun Jun 12 19:05:03 2005
Subject: [SC-Help] Re: cancel report
In-Reply-To:
References:
Message-ID:

Brian (SnSR) wrote the following text on 12/06/2005 2:40:
> Hendrik Maryns wrote:
>
>> WazoO wrote the following text on 7/06/2005 3:32:
>>
>>> "Hendrik Maryns" wrote in message
>>> news:d7tc0a$c39$1@news.spamcop.net...
>>>
>>>> WazoO wrote the following text on 5/06/2005 0:18:
>>>>
>>>>> How can I unsend a Report?
>>>>> http://forum.spamcop.net/forums/index.php?showtopic=138
>>>>
>>>>
>>>>
>>>> Ok, but I can't find a report ID under the Past Reports. I found the
>>>> report and the associated addresses though. So should I just send them
>>>> an e-mail with my apologies then?
>>>
>>>
>>>
>>>
>>> I plead stupid (though noting that the re-look has caused the
>>> referenced Forum FAQ item to be updated twice since that
>>> last post) .... every report I see in my "report history" has a
>>> Report ID. (Then again, I am a free-report only account
>>> holder and most of my Report History items are 'cancelled'?)
>>> I would have to suggest that if there is no Report ID, there
>>> was no report sent out. Is it possible you're a Mole reporter?
>>
>>
>>
>> Ok, this is what I find under Sent Reports:
>>
>> Submitted: Thursday, May 26, 2005 22:33:25 +0200:
>> Your Report (Review ID: 453954) - Minor typo in documentation of
>> Collection
>>
>> * 1433856541 ( http://java.sun.com/support/index.html ) To:
>> abuse#above.net@devnull.spamcop.net
>> * 1433856535 ( http://java.sun.com/j2se/1.5.0/docs/api/java/ut...
>> ) To: abuse#above.net@devnull.spamcop.net
>> * 1433856519 ( 129.147.62.1 ) To: spamcop@imaphost.com
>> * 1433856507 ( http://bugs.sun.com/bugdatabase/index.jsp ) To:
>> postmaster@sun.com
>> * 1433856506 ( 129.147.62.1 ) To: postmaster@sun.com
>> * 1433856495 ( http://bugs.sun.com/bugdatabase/index.jsp ) To:
>> abuse#sun.com@devnull.spamcop.net
>> * 1433856430 ( 129.147.62.1 ) To: abuse#sun.com@devnull.spamcop.net
>>
>> if you can tell me what the report ID is, please tell me. BTW: the
>> Review ID 453954 is something from sun, not from Spamcop.
>>
>> Thanks for the help so far.
>>
>> H.
>>
>
> The report ID's are 1433856541 and the rest. The only report that
> actually got sent was to postmaster [at] sun [dot] com. Send them an
> apology CC'd to spamcop deputies.

Thanks, I did that. Will remember this procedure in the future.

--
Hendrik Maryns

Interesting websites:
www.lieverleven.be (I cooperate)
www.eu04.com European Referendum Campaign
aouw.org The Art Of Urban Warfare

From pete+usenet at heypete.com Sun Jun 12 18:54:34 2005
From: pete+usenet at heypete.com (Pete Stephenson)
Date: Sun Jun 12 20:55:02 2005
Subject: [SC-Help] Re: cnc.noc
References:
Message-ID:

In article , "Jeff G." wrote:
> Looks like cnc.noc.net is non-responsive - surprise.
> And the volume seems to be going up...

Yup. In addition to spam, I get substantial amounts of various attacks, probes, unsolicited traffic, etc. from cnc-noc.net. Look for reports from "HeyPete" on MyNetWatchman.com.

*shakes head sadly*

--
Pete Stephenson
HeyPete.com

From MikeE at ster.invalid Mon Jun 13 03:08:30 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Jun 13 05:10:17 2005
Subject: [SC-Help] Re: Bad tracking of spam from x.phoenix-dns.com
References:
Message-ID:

Gene S wrote:
> Is anybody at SC actually checking the cases of bad tracking?

A deputy sed that the design is for them to check them, but that they are getting a lot and they're not getting checked properly.

> Spam from x.phoenix-dns.com keeps coming for a while now, but the SC
> doesn't parse the headers correctly. It keeps sending reports to
> admins of fake addresses and to bad_tracking, like in the case of
> "aga (178.233.90.121)" in the example below. Can anything be done
> about it?
>
> Received: from x.phoenix-dns.com (x.phoenix-dns.com [63.247.69.162])
> by X (Postfix) with SMTP id CAF5939E39
> for ; Sat, 11 Jun 2005 01:14:25 +0400 (MSD)
> Received: from aga (178.233.90.121)
> by x.phoenix-dns.com; Fri, 10 Jun 2005 17:14:23 -0400
>
> Maybe SC can add a field to the submission form to the extent "I
> believe the parser barfed, the correct source of spam is ..."?

To a human parser, I would interpret the 2nd line as bogus and I would want SC to untrust 63.247.69.162 as a server. It /is/ the mx for x.phoenix-dns.com. That would cause it to get named as a source and contribute to its being SCbl listed.

From a newsgroup housekeeping point of view, there are a couple of better ways to talk about this issue than posting partial headers in .spam.

First, it would be better to talk about it by posting the tracker for the parse of the spam [or even a tracker for a parse of the headers alone] -- that permits the discussants to actually see how SC is currently parsing the same item. The tracker stores the spam [or headers] and when the tracker link is accessed, the item is reparsed anew. For example if a deputy had fixed the problem we are talking about, we would see it.

Second, when the tracker is what is posted, it can be posted in a 'proper' discussion group, like spamcop.help or spamcop. The ng .spam was invented long ago before trackers were so good so that raw spam with complete headers could be posted here to allow discussions about an item -- because such spam postings were not allowed in the discussion groups. Nowadays a tracker is a better post for the complete item, so there's no need for anything here.
Usually when I answer a post in .spam, I 'move it' by making its/my f/ups to one of the discussion groups.

Third, pertaining to the 1st, this is what a tracker looks like and its environs at the top of a parsed result

Here is your TRACKING URL - it may be saved for future reference:
http://www.spamcop.net/sc?id=z774399296z5b586e5f15c5c54435849ba57a4386bbz

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Mon Jun 13 09:19:12 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Jun 13 11:20:03 2005
Subject: [SC-Help] Re: Help me guys, whats going on?
References:
Message-ID:

Kristoffer Lein wrote:
> 09a4z>
>
> Where to go from here?

www.spamcop.net/sc?id=z774454329zc050fed378d9ec15bf5faa41c2cf09a4z;action=display

What that item shows me is not something emailed from a spamcop account. The item shows this construction....

From swip.net mailerdaemon headers^0 over a 3 piece body
- DSN words^1
- DSN code 5.0.0
- Original mail headers^2

where the mailerdaemon headers^0 show an item sourced from swip.net to a spamcop mailbox, the DSN body describes^1 mx2.prserv.net rejecting an unstated IP based on an unknown 'mx.rbl' blocklist, and the original mail headers^2 show your From showing a source IP of 193.217.177.229 which is rDNS 217-177-229.7002.adsl.tele2.no.

So, I'm assuming you emailed someone at swip.net from the tele2.no IP which got bounced and the bounce was received at the spamcop addy -- but the bounce was based on the .no IP, not a SC IP. I can't make any sense or relationship between what the DSN body is saying^1 and what I'm seeing in the headers^2. The .no IP is listed in njabl and sorbs because it is a dynamic. Your mail shouldn't be going out a dynamic IP. If it was belatedly bounced and bounced to a different From rather than rejected that might explain how it got into the SC mailbox.

Are you familiar with this mail which got bounced? Were you replying to a Kai somebody about something Bakgir?
Can you figure out why this is coming from swip.net but sez attglobal.net/mx2.prserv.net? The prserv/att goes together but I don't get swip. Of course all of the domains involved between you and Kai are munged out.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Mon Jun 13 09:58:12 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Jun 13 12:00:03 2005
Subject: [SC-Help] Re: Help me guys, whats going on?
References:
Message-ID:

Mike Easter wrote:
> Are you familiar with this mail which got bounced? Were you replying
> to a Kai somebody about something Bakgir? Can you figure out why
> this is coming from swip.net but sez attglobal.net/mx2.prserv.net?
> The prserv/att goes together but I don't get swip. Of course all of
> the domains involved between you and Kai are munged out.

That is, I don't want any usernames or addresses; I'm just trying to understand the 'concept' - your original From domainname, which mailserver you used to send it, and the To domainname. Apparently you got the bounce in your SC mailbox.

For example, in your original mail out there's a bogus helo of 192.168.0.102 -- which is a non-routing IP usually reserved for internal networking. I don't quite understand how that got there.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Mon Jun 13 12:55:57 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Jun 13 15:00:02 2005
Subject: [SC-Help] Re: Help me guys, whats going on?
References:
Message-ID:

Kristoffer Lein wrote:
> "Mike Easter"
>> From swip.net mailerdaemon headers^0 over a 3 piece body
>> - DSN words^1
>> - DSN code 5.0.0
>> - Original mail headers^2
>>
>> where the mailerdaemon headers^0 show an item sourced from swip.net
>> to a spamcop mailbox, the DSN body describes^1 mx2.prserv.net
>> rejecting an unstated IP based on an unknown 'mx.rbl' blocklist, and
>> the original mail headers^2 show your From showing a source IP of
>> 193.217.177.229 which is rDNS 217-177-229.7002.adsl.tele2.no.
>
> This looks like my IP, DSL from Tele2.no.

Correct.

>> So, I'm assuming you emailed someone at swip.net from the tele2.no IP
>> which got bounced and the bounce was received at the spamcop addy

That assumption of mine was incorrect. More later.

> I emailed from my SC-account to an attglobal account. Swip.net has
> something to do with my ISP, but is it they who bounce me?

Correct. They inform you that the attempt to mail didn't work. More later.

>> -- but the bounce was based on the .no IP, not a SC IP. I can't
>> make any sense or relationship between what the DSN body is saying^1
>> and what I'm seeing in the headers^2. The .no IP is listed in njabl
>> and sorbs because it is a dynamic. Your mail shouldn't be going out
>> a dynamic IP. If it was belatedly bounced and bounced to a different
>> From rather than rejected that might explain how it got into the SC
>> mailbox.

I'm straightened out on this now. The mail was going from your dynamic IP to your provider's server.

> My ISP's mail server is situated in Sweden, and I have to use this
> with my SC-account - they don't supply smtp. My mail is sent fro