From cnwykab02 at sneakemail.com Wed Dec 1 00:23:42 2004 From: cnwykab02 at sneakemail.com (Warre) Date: Tue Nov 30 18:25:04 2004 Subject: [SpamCop-List] Re: I'm glad this is not my provider... In-Reply-To: References: Message-ID: Steven Maesslein wrote: > Not that I'm defending skynet.be in any way, but you did conveniently > snip out information on *who* did not do the stuff in the remarks and > *who* will not act on complaints. > > More detailed information is: > > (snip) > > So, what this is saying is that the RIPE PoC for this netblock, > ripe/at\skynet.bet, is not the address to contact for network > problems, peering and net-abuse. noc, peering and abuse *are*. > > Please get your facts straight. > Whoops, my bad. I actually spotted this in a newsgroup and copy-pasted it, adding the link to the RIPE lookup afterwards. Sorry about this, I should have read the whole whois lookup more carefully. BTW, the newsgroup I'm talking about is named kotnet.absurd ;) From ric.gates at bigsleep.org Wed Dec 1 02:27:58 2004 From: ric.gates at bigsleep.org (Blammo) Date: Tue Nov 30 21:30:06 2004 Subject: [SpamCop-List] Re: help References: <41AC90B5.521FC1CC@darkfantastique.com> Message-ID: On 30 Nov 2004 Mike Easter entered spamcop and left news:coi70f$3an$1@news.spamcop.net: > uh oh, I see autoresponders in here: > Practically all mail servers have some type of autoresponder available, it's often as easy as checking a box and typing up a message (in sendmail it's basically just an alias pointing to a text file). I always talk people out of using it, in fact I don't even think it's installed so it doesn't even work (unless I do it). But it really isn't a problem if the account has good spam filtering, and I'd never use it on public accounts, like "sales", but for individual accounts. I guess what I'm saying is that just the fact that autoresponders are available is insignificant. -- | Ric | From ric.gates at bigsleep.org Wed Dec 1 02:56:05 2004 From: ric.gates at bigsleep.org (Blammo) Date: Tue Nov 30 22:00:04 2004 Subject: [SpamCop-List] Re: Reports to "dev/null" References: Message-ID: On 30 Nov 2004 Derek T entered spamcop and left news:coifr0$9t5$1@news.spamcop.net: > yes, it helps to feed the blocklist and so keeps the IP listed. The > reason is usually that the admin has told spamcop that it doesn't care > about spam spewing from hir servers, is not going to do anything about > it and doesn't want to be notified. the more this sort of pondscum are > blocklisted the better so keep reporting! > Not necesarily that they don't care, but that they don't need any more reports or it's not the correct abuse address. And in some cases abuse forwards reports to spammers. -- | Ric | From JEst at Xpppp.ney Wed Dec 1 00:14:22 2004 From: JEst at Xpppp.ney (JEst) Date: Wed Dec 1 00:15:05 2004 Subject: [SpamCop-List] Re: discoverhongkong.com References: Message-ID: "Tim McGraw" wrote in message news:cojinu$1bf$1@news.spamcop.net... > discoverhongkong.com appears to be a legit site registered to the Hong > Kong Tourism Board. No .sightings in Google Groups. > > I have been on board with travelocity for 3+ years and never received > anything but the price alerts I asked for. If you told them when you > signed up that you would accept email from their "partners" then it's > not spam. You might want to check your travelocity preferences. I believe it comes with a pre-existing involvement with Preview Travel. I probably got enveloped in the envelope of the Travelocity take over. Thank you for your feed back. From bar_n0ne at hotmail.com Wed Dec 1 11:19:15 2004 From: bar_n0ne at hotmail.com (Berny) Date: Wed Dec 1 02:20:19 2004 Subject: [SpamCop-List] Two tier rates in Spam country? Message-ID: looks like the hana-fools/drools, cnc-nic-net and chinanet are implementing tiered rates for bulletprrof vs just scammy/spammy sites. I'm getting a lot of cut and paste this link spam from them Of course I am happy to oblige From somewhat at odds.tld Wed Dec 1 08:18:19 2004 From: somewhat at odds.tld (Derek T) Date: Wed Dec 1 03:20:03 2004 Subject: [SpamCop-List] Re: Reports to "dev/null" In-Reply-To: References: Message-ID: Blammo wrote: > Not necesarily that they don't care, but that they don't need any more > reports or it's not the correct abuse address. And in some cases abuse > forwards reports to spammers. > none of which are excluded by my 'usually' :-) From MikeE at ster.invalid Wed Dec 1 00:43:25 2004 From: MikeE at ster.invalid (Mike Easter) Date: Wed Dec 1 03:45:03 2004 Subject: [SpamCop-List] Re: Lycos DDos Screensaver ? References: Message-ID: Mike Easter wrote: > Dar wrote: >> Lycos Offers Spam-Server Attack Program > > Lycos spamvampiring >From Slashdot: An anonymous reader writes "Lycos, shortly after producing a screen saver to fight spammers using a DoS-style attack appears to have been hacked. Attempting to download the screen saver from lycos results in this message 'Yes, attacking spammers is wrong, you know this, you shouldn't be doing it. Your ip address and request have been logged and will be reported to your ISP for further action.' Or maybe it's just a joke -- can you ever tell?" http://it.slashdot.org/it/04/12/01/0250244.shtml?tid=111&tid=218 -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Wed Dec 1 01:30:50 2004 From: nobody at devnull.spamcop.net (LioNiNoiL_a t_Y a h 0 0_d 0 t_c 0 m) Date: Wed Dec 1 04:35:03 2004 Subject: [SpamCop-List] Re: Phish For A Phisher :-) In-Reply-To: References: Message-ID: Gezgin wrote: >>>> scary stuff.. what does he plan on doing? getting people's >>>> paypal info? >>> >>> More likely making a complete fool of himself on the net. >>> Though I am a bit puzzled that the site is still up. It >>> certainly must have been reported many times already. >> >> It's hosted in Uruguay. Think they give a $hit..? > > "They" may not but I would have thought that PayPal could have > afforded to send in a Black Helicopter (TM) or two... PayPal is now owned by eBay, who certainly do *not* give a shit. Just look at what they did to Billpoint... -- "[Spammers] are the mutant spawn of a bizarre reproductive act involving a telemarketer, Larry Flynt, a tapeworm, and an executive of the Third Class Mail industry." -- Dave Barry From ric.gates at bigsleep.org Wed Dec 1 09:54:28 2004 From: ric.gates at bigsleep.org (Blammo) Date: Wed Dec 1 04:56:15 2004 Subject: [SpamCop-List] Re: Reports to "dev/null" References: Message-ID: On 01 Dec 2004 Derek T entered spamcop and left news:cojuo4$898$1@news.spamcop.net: > none of which are excluded by my 'usually' :-) > Lazy eyes, must be all that spam I've been sorting through lately ;-) -- | Ric | From dave at fastwire.co.uk Wed Dec 1 11:41:04 2004 From: dave at fastwire.co.uk (Dave Harpur) Date: Wed Dec 1 06:40:03 2004 Subject: [SpamCop-List] Re: Lycos DDos Screensaver ? References: Message-ID: "Mike Easter" wrote: ..."You don't stop a bad thing by being bad yourself," I totally agree with Mike's sentiment, and who is going to launch a dDOS on legal "Can-Spam" compliant organisations, for example. There would definitely be a lawsuit there, though to whisper that they would spam... well! This sort of gratuitous tat would, if allowed to flourish, would at-best merely shift the annoyance of spam to excessive internet traffic at the further expense of net bandwidth. Utterly stupid and ridiculous. DH From NoBody at SpamCop.net Wed Dec 1 11:52:40 2004 From: NoBody at SpamCop.net (Bodger) Date: Wed Dec 1 06:55:03 2004 Subject: [SpamCop-List] Should I aggree with my ISP? Message-ID: Received this from my ISP this morning. Dear Customer, Warning: in four days' time, you will lose the ability to send emails unless you make a simple change to your email program settings. Why do you need to do this? As part of a worldwide initiative aimed at reducing junk email (spam) and email viruses, all email providers are switching to what is known as 'authenticated SMTP'. SMTP stands for Simple Mail Transfer Protocol, which enables the sending of email. Authentication is a method of identifying the origin of emails that stops emails being sent anonymously. Most nuisance emails (spam) are sent from people on unauthenticated email. By removing the ability to send email without authentication, spam should be substantially reduced. Making this change is simple - what to do All you need to do is switch on 'SMTP authentication', usually by ticking a box called 'My server requires authentication' in your email program settings. End ====================================== Question What will be the net effect of these changes? From bar_n0ne at hotmail.com Wed Dec 1 16:17:05 2004 From: bar_n0ne at hotmail.com (Berny) Date: Wed Dec 1 07:20:02 2004 Subject: [SpamCop-List] Re: Should I aggree with my ISP? References: Message-ID: "Bodger" wrote in message news:cokb9m$f8e$1@news.spamcop.net... > Received this from my ISP this morning. > > Dear Customer, > > Warning: in four days' time, you will lose the ability to send > emails unless you make a simple change to your email program > settings. > > SNIP > > All you need to do is switch on 'SMTP authentication', usually > by ticking a box called 'My server requires authentication' in > your email program settings. > > > End > ====================================== > > > Question > What will be the net effect of these changes? The net effect for you is you may continue to send mail through their servers. The next effect is that those without mail accounts at that ISP can not use their (The ISP's) servers to send mail. Unless they know an account name and Password of course. It should be much easier also to whack a mail abuser, at the moment probably the ISP would have to do some detective work, comparing server logs, and connection logs to determine who is abusing their servers whenever it occurs. It makes it inconvenient for a buddy to bring their laptop and send mail through your connection and ISP I'm sure others will weigh in soon too Basically though, just as you "sign in" to recieve mail with an ID and password, the same will be demanded to send mail. Don;t worry, you won't notice as your mail client will probably cache and reuse the password after the first mail transaction until the next time you exit the program. From wb8tyw at qsl.network Wed Dec 1 07:58:55 2004 From: wb8tyw at qsl.network (John E. Malmberg) Date: Wed Dec 1 08:00:04 2004 Subject: [SpamCop-List] Re: Should I aggree with my ISP? In-Reply-To: References: Message-ID: <6uOdnUByrtCSXTDcRVn-vg@adelphia.com> Bodger wrote: > Received this from my ISP this morning. > As part of a worldwide initiative aimed at reducing junk email > (spam) and email viruses, all email providers are switching to > what is known as 'authenticated SMTP'. SMTP stands for Simple > Mail Transfer Protocol, which enables the sending of email. > Authentication is a method of identifying the origin of emails > that stops emails being sent anonymously. Translation: A few critical networks that your ISP's customers need to send mail to will start blocking your ISP's main mail servers at the first sign of viruses or multi-hop spam that comes through them. It then takes several hours or days to get these blocks removed while your ISP has to handle complaints from their users. > Most nuisance emails (spam) are sent from people on > unauthenticated email. By removing the ability to send email > without authentication, spam should be substantially reduced. Only a small amount of spam will be reduced by this. Most viruses will be stopped by this. > Making this change is simple - what to do > > All you need to do is switch on 'SMTP authentication', usually > by ticking a box called 'My server requires authentication' in > your email program settings. > Strong recommendation, especially if you are running a platform vulnerable to malware. Set up a default e-mail account that does not point to a reachable e-mail server. It adds an extra step that you must change the sender when sending e-mail, but that is only one extra mouse action for Mozilla or Outlook Express. Malware, and other programs, including web pages that attempt to use your e-mail program to send mail will lose their ability to do so with out your knowledge. > Question > What will be the net effect of these changes? E-mail from your ISP is less likely to be refused by some networks. Your ISP is less likely to end up on blocking lists, especially if they have also blocked port 25 outgoing for unregistered mail servers. Your ISP will have lower operating costs. Spammers and virus writers will have a harder time stealing resources from them to spam other networks. If you use an external mail server then you should make sure that it is using SMTP-AUTH on the alternate port (IIRC) 587. I have noticed reports on usenet that an increasing number of ISPs are blocking port 25 for residential broadband connections, some with out notice. So even if port 25 works now, I would strongly recommend making sure that you can use port 587 instead for mail servers other than your ISP. Based on other media reports, the implication is such blocks seem to be put in place because one of the other larger networks either stopped accepting any e-mail from their IP space or threatened to do so. And in the case that was most visible in the media, the blocked ISP complaints about how unfair it was did not do any good to get the e-mail accepted again. Only that ISP making sure that no spam came out of their I.P. space got the e-mail accepted again. -John wb8tyw@qsl.network Personal Opinion Only From bar_n0ne at hotmail.com Wed Dec 1 17:40:12 2004 From: bar_n0ne at hotmail.com (Berny) Date: Wed Dec 1 08:45:03 2004 Subject: [SpamCop-List] Re: Should I aggree with my ISP? References: <6uOdnUByrtCSXTDcRVn-vg@adelphia.com> Message-ID: "John E. Malmberg" wrote in message news:6uOdnUByrtCSXTDcRVn-vg@adelphia.com... > Bodger wrote: > > Received this from my ISP this morning. > > > > > Based on other media reports, the implication is such blocks seem to be > put in place because one of the other larger networks either stopped > accepting any e-mail from their IP space or threatened to do so. > > And in the case that was most visible in the media, the blocked ISP > complaints about how unfair it was did not do any good to get the e-mail > accepted again. Only that ISP making sure that no spam came out of > their I.P. space got the e-mail accepted again. > > -John > wb8tyw@qsl.network > Personal Opinion Only John, are you speaking of the Telia/AOL thing a while back? Or something more recent? From nobody at spamcop.net Wed Dec 1 08:48:20 2004 From: nobody at spamcop.net (Pop) Date: Wed Dec 1 08:50:03 2004 Subject: [SpamCop-List] Re: Lycos DDos Screensaver ? References: Message-ID: "Dar" wrote in message news:coj00g$l4l$1@news.spamcop.net... | Yahoo News: | | Lycos Offers Spam-Server Attack Program | | http://tinyurl.com/5u469 | | Looks like Lycos will do just about anything to get onto just one more machine: I'd almost bet that most of the downloaders are spam-infested and ignorant of how to avoid it - the same ones spammers target, in fact. Only, well, it won't take long to get around that; OK, next? Pop From Windrider6 at SpamCop.net Wed Dec 1 13:56:55 2004 From: Windrider6 at SpamCop.net (Bruce A. Johnson) Date: Wed Dec 1 09:00:05 2004 Subject: [SpamCop-List] Re: Should I aggree with my ISP? References: Message-ID: "Bodger" wrote on 2004-Dec-01 in news:cokb9m$f8e$1 @news.spamcop.net: > > > All you need to do is switch on 'SMTP authentication', usually > by ticking a box called 'My server requires authentication' in > your email program settings. > I see a problem with that already with my e-mail program (Eudora). In using SpamCop mail, I have the POP server set for SpamCop, and the SMTP server is my ISP. Eudora allows only one login name. I have to use my SpamCop ID as the login name so the POP will work, but if I then set the Authentication for the SMTP, my ISP rejects the e-mail, becuase it is the wrong login name. - Bruce A. Johnson in Hardisty, Alberta, Canada - Windrider6@SpamCop.net From dkona7b02 at sneakemail.com Wed Dec 1 10:23:33 2004 From: dkona7b02 at sneakemail.com (Spam Hater) Date: Wed Dec 1 10:23:39 2004 Subject: [SpamCop-List] Re: Multiple Personalities in Eudora, was: Should I aggree with my ISP? In-Reply-To: References: Message-ID: <3.0.5.32.20041201102333.00fd4100@loki.fstrf.org> I am not quite sure what you are saying here but Eudora certainly allows more than one login name!!! I have several "personalities" that I use to pop my mail from several different sources using different usernames and passwords. It all works fine. Just hold down the key when you go to send a message or respond to one and you get a list of your personalities to choose from. The email is then routed out through whichever personality you set using that username and password. I am using this feature to send this from Eudora, as a matter of fact. This personality set my name to Spam Hater and my return address as my sneakemail one to prevent retribution... At 01:56 PM 12/1/2004 +0000, Bruce A. Johnson typed: >I see a problem with that already with my e-mail program (Eudora). > >In using SpamCop mail, I have the POP server set for SpamCop, and the SMTP >server is my ISP. Eudora allows only one login name. I have to use my >SpamCop ID as the login name so the POP will work, but if I then set the >Authentication for the SMTP, my ISP rejects the e-mail, becuase it is the >wrong login name. From kenbrody at spamcop.net Wed Dec 1 10:10:43 2004 From: kenbrody at spamcop.net (Kenneth Brody) Date: Wed Dec 1 10:25:03 2004 Subject: [SpamCop-List] Re: Should I aggree with my ISP? References: Message-ID: <41ADDEF3.72A3EDA0@spamcop.net> Berny wrote: > > "Bodger" wrote in message > news:cokb9m$f8e$1@news.spamcop.net... > > Received this from my ISP this morning. > > > > Dear Customer, [... ISP is going to require AUTH SMTP to send e-mail ...] > > Question > > What will be the net effect of these changes? > > The net effect for you is you may continue to send mail through their > servers. > > The next effect is that those without mail accounts at that ISP can not use > their (The ISP's) servers to send mail. [...] > Basically though, just as you "sign in" to recieve mail with an ID and > password, the same will be demanded to send mail. Don;t worry, you won't > notice as your mail client will probably cache and reuse the password after > the first mail transaction until the next time you exit the program. Check with your ISP as to whether or not they will expose your "real" e-mail address or username in the transmitted headers. Some SMTP servers will add a header line to the outgoing e-mail which includes the username used to authenticate yourself. (Which makes it easy for the ISP to track down a spammer, but exposes your "true" address to anyone who looks at the headers.) -- +-------------------------+--------------------+-----------------------------+ | Kenneth J. Brody | www.hvcomputer.com | | | kenbrody/at\spamcop.net | www.fptech.com | #include | +-------------------------+--------------------+-----------------------------+ Don't e-mail me at: From kenbrody at spamcop.net Wed Dec 1 10:18:20 2004 From: kenbrody at spamcop.net (Kenneth Brody) Date: Wed Dec 1 10:25:07 2004 Subject: [SpamCop-List] Re: Should I aggree with my ISP? References: <6uOdnUByrtCSXTDcRVn-vg@adelphia.com> Message-ID: <41ADE0BC.A1AFCDB0@spamcop.net> "John E. Malmberg" wrote: [...] > I have noticed reports on usenet that an increasing number of ISPs are > blocking port 25 for residential broadband connections, some with out > notice. So even if port 25 works now, I would strongly recommend making > sure that you can use port 587 instead for mail servers other than your ISP. [...] Optimum Online recently did that. (Without notice, unless you consider something on their own web page about it "notice".) I had been using (with permission) my old dialup ISP's SMTP server, using AUTH SMTP on port 25, because Optimum Online's servers were blacklisted by many places that I needed to send to. This, of course, caused me all sorts of problems as I could no longer avoid using Optimum Online's blacklisted servers. (My old dialup ISP doesn't have anything on port 587.) However, I can tell you that, since they blocked outgoing port 25 several months ago, they are no longer blocked by most of the people I need to send to. -- +-------------------------+--------------------+-----------------------------+ | Kenneth J. Brody | www.hvcomputer.com | | | kenbrody/at\spamcop.net | www.fptech.com | #include | +-------------------------+--------------------+-----------------------------+ Don't e-mail me at: From kenbrody at spamcop.net Wed Dec 1 10:22:41 2004 From: kenbrody at spamcop.net (Kenneth Brody) Date: Wed Dec 1 10:25:09 2004 Subject: [SpamCop-List] Re: Should I aggree with my ISP? References: Message-ID: <41ADE1C1.24D682E0@spamcop.net> "Bruce A. Johnson" wrote: [... AUTH SMTP ...] > I see a problem with that already with my e-mail program (Eudora). > > In using SpamCop mail, I have the POP server set for SpamCop, and the SMTP > server is my ISP. Eudora allows only one login name. I have to use my > SpamCop ID as the login name so the POP will work, but if I then set the > Authentication for the SMTP, my ISP rejects the e-mail, becuase it is the > wrong login name. See for how to get around this with Eudora 6. Note, however, that I was never able to get this to work properly on my wife's system. The point became moot when Optimum Online started blocking outgoing port 25 and I had to use their servers instead of my old dialup ISP's servers (which weren't blacklisted), so I stopped trying. -- +-------------------------+--------------------+-----------------------------+ | Kenneth J. Brody | www.hvcomputer.com | | | kenbrody/at\spamcop.net | www.fptech.com | #include | +-------------------------+--------------------+-----------------------------+ Don't e-mail me at: From porpoise1954 at yahoo.co.uk Wed Dec 1 16:20:51 2004 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Wed Dec 1 11:25:02 2004 Subject: [SpamCop-List] Re: Should I aggree with my ISP? References: Message-ID: "Berny" wrote in message news:cokco3$g2q$1@news.spamcop.net... > > "Bodger" wrote in message > news:cokb9m$f8e$1@news.spamcop.net... >> Received this from my ISP this morning. >> >> Dear Customer, >> >> Warning: in four days' time, you will lose the ability to send >> emails unless you make a simple change to your email program >> settings. >> >> SNIP >> >> All you need to do is switch on 'SMTP authentication', usually >> by ticking a box called 'My server requires authentication' in >> your email program settings. >> >> >> End >> ====================================== >> >> >> Question >> What will be the net effect of these changes? > > The net effect for you is you may continue to send mail through their > servers. > > The next effect is that those without mail accounts at that ISP can not > use > their (The ISP's) servers to send mail. > > Unless they know an account name and Password of course. <> > > Basically though, just as you "sign in" to recieve mail with an ID and > password, the same will be demanded to send mail. Don;t worry, you won't > notice as your mail client will probably cache and reuse the password > after > the first mail transaction until the next time you exit the program. Hmmm..... It's been like that here for years.... I'd have thought it was already like that most places these days. I guess I was wrong... ;-) Seems pretty fundamental though that you should have to authenticate to send as well as receive, otherwise your account is open to abuse (as has been happening obviously). I'm amazed it's taken them so long to implement such a simple measure......?? From porpoise1954 at yahoo.co.uk Wed Dec 1 16:26:05 2004 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Wed Dec 1 11:30:03 2004 Subject: [SpamCop-List] Re: Should I aggree with my ISP? References: <41ADDEF3.72A3EDA0@spamcop.net> Message-ID: "Kenneth Brody" wrote in message news:41ADDEF3.72A3EDA0@spamcop.net... > Berny wrote: > > Check with your ISP as to whether or not they will expose your "real" > e-mail address or username in the transmitted headers. Some SMTP > servers will add a header line to the outgoing e-mail which includes > the username used to authenticate yourself. (Which makes it easy for > the ISP to track down a spammer, but exposes your "true" address to > anyone who looks at the headers.) Ummm.... Isn't that the point? Why would I want to send an email to someone and them not know it was legitimately from me. I wouldn't be able to spam very easily then - which, of course is the whole point of the excercise. In the same way, I don't accept calls from people who don't allow their number to be displayed. (If you know me, there's no need for you to hide your number - if you don't know me then why are you calling me? And if it's a legitimate call, there's no need for you to hide your number; same with email). From me at privacy.net Wed Dec 1 16:55:08 2004 From: me at privacy.net (Paul Sawyer) Date: Wed Dec 1 12:00:03 2004 Subject: [SpamCop-List] Re: Lycos DDos Screensaver ? References: Message-ID: "Dave Harpur" wrote in news:cokag0$elg$1@news.spamcop.net: > > "Mike Easter" wrote: > > ..."You don't stop a bad thing by being bad yourself," > > > I totally agree with Mike's sentiment, and who is going to launch a > dDOS on legal "Can-Spam" compliant organisations, for example. There > would definitely be a lawsuit there, though to whisper that they would > spam... well! > > This sort of gratuitous tat would, if allowed to flourish, would > at-best merely shift the annoyance of spam to excessive internet > traffic at the further expense of net bandwidth. > > Utterly stupid and ridiculous. > > DH And the spammers would spin the increased hits as how effective their spamming is, so... more spam! -- From ric.gates at bigsleep.org Wed Dec 1 20:02:57 2004 From: ric.gates at bigsleep.org (Blammo) Date: Wed Dec 1 15:05:03 2004 Subject: [SpamCop-List] Re: Should I aggree with my ISP? References: <41ADDEF3.72A3EDA0@spamcop.net> Message-ID: On 01 Dec 2004 Porpoise entered spamcop and left news:cokrcg$pmf$1@news.spamcop.net: > > "Kenneth Brody" wrote in message > news:41ADDEF3.72A3EDA0@spamcop.net... >> Berny wrote: >> >> Check with your ISP as to whether or not they will expose your "real" >> e-mail address or username in the transmitted headers. Some SMTP >> servers will add a header line to the outgoing e-mail which includes >> the username used to authenticate yourself. (Which makes it easy for >> the ISP to track down a spammer, but exposes your "true" address to >> anyone who looks at the headers.) > > Ummm.... Isn't that the point? Why would I want to send an email to > someone and them not know it was legitimately from me. I wouldn't be > able to spam very easily then - which, of course is the whole point of > the excercise. In the same way, I don't accept calls from people who > don't allow their number to be displayed. (If you know me, there's no > need for you to hide your number - if you don't know me then why are > you calling me? And if it's a legitimate call, there's no need for you > to hide your number; same with email). > > > I think that everyone should have to authenticate. For one, most usernames are already in the eMail address anyway, if not it should be in the return- path so that bounces go to the actual sender (not the "From"). That's my opinion anyway, and it's easy to spot any "return-path" or X-Envelope-From header for munging. It seems the most logical way to validate outgoing mail. -- | Ric | From tdy at blackhole.invalid Wed Dec 1 12:04:26 2004 From: tdy at blackhole.invalid (N. Miller) Date: Wed Dec 1 15:05:08 2004 Subject: [SpamCop-List] Re: Should I aggree with my ISP? References: <41ADDEF3.72A3EDA0@spamcop.net> Message-ID: In article , Porpoise says... > "Kenneth Brody" wrote in message > news:41ADDEF3.72A3EDA0@spamcop.net... > > Berny wrote: > > Check with your ISP as to whether or not they will expose your "real" > > e-mail address or username in the transmitted headers. Some SMTP > > servers will add a header line to the outgoing e-mail which includes > > the username used to authenticate yourself. (Which makes it easy for > > the ISP to track down a spammer, but exposes your "true" address to > > anyone who looks at the headers.) > Ummm.... Isn't that the point? Why would I want to send an email to someone > and them not know it was legitimately from me. I wouldn't be able to spam > very easily then - which, of course is the whole point of the excercise. In > the same way, I don't accept calls from people who don't allow their number > to be displayed. (If you know me, there's no need for you to hide your > number - if you don't know me then why are you calling me? And if it's a > legitimate call, there's no need for you to hide your number; same with > email). Not exactly the point. It is entirely possible to authenticate to an SMTP server without that server displaying your email address. As an SBC Yahoo! DSL Service customer I have a choice of SMTP AUTH servers. I don't use the normal "smtp.pacbell.yahoo.com" server precisely because it reveals my username. I use "smtpauth.flash.net" instead. The relevant header line looks like this: > Received: from aosake.net (dialup-4.246.21.159.Dial1.SanJose1.Level3.net [4.246.21.159]) > (authenticated bits=0) > by ylpvm25.prodigy.net (8.12.10 auth mps linux/8.12.10) with ESMTP id iB1JgprC029681; > Wed, 1 Dec 2004 14:42:54 -0500 -- Norman ~Win dain a lotica, En vai tu ri, Si lo ta ~Fin dein a loluca, En dragu a sei lain ~Vi fa-ru les shutai am, En riga-lint From hee.haw at jack.ass Wed Dec 1 16:31:06 2004 From: hee.haw at jack.ass (Dwayne Conyers) Date: Wed Dec 1 16:35:03 2004 Subject: [SpamCop-List] Re: One way to deal with the spam problem... References: Message-ID: "WazoO" wrote in message news:cntoqj$j87$1@news.spamcop.net... > "Dwayne Conyers" wrote in message > news:cntjqs$fgi$1@news.spamcop.net... >> I opened an account on mail.com and it got flooded with so many spams >> that >> my 6mb storage filled up faster than I could empty it. >> >> I started reporting spam using their "this is spam" option that reports > the >> spam (after forcing you to view five advertisements). >> >> I guess I reported so many spam their solution was to unceremoniously > delete >> my account without even a "fare thee well." >> >> Those free mail accounts are worth every penny, aren't they? > > Don't know the "rest of the story" .... having spam show up on > day one does carry the suggestion that the "name" for that > account wasn't particularly chosen for spam-resistance. Prolly not... but then again when I got a cable modem at home the day my account was assigned there were 80 spams sitting there waiting to be deleted. > > "reporting" (?) to the tune of 6Meg a day also carries some > possibilities of some mistakes being made .... Well, considering that the mails were for drugs rhyming with "Niagara" and "See Alice" and for explicit NC-17 or XXX content... all of which writhe with misspellings... hidden text (in font size 1 or white color font on white background) and web bugs... I would say there were no mistakes in the items reported. -- I Shave With Occams Razor http://www.dwacon.com From hee.haw at jack.ass Wed Dec 1 16:33:12 2004 From: hee.haw at jack.ass (Dwayne Conyers) Date: Wed Dec 1 16:35:06 2004 Subject: [SpamCop-List] Re: One way to deal with the spam problem... References: Message-ID: "Blammo" wrote in message news:Xns95A9B99107335blammo@216.154.195.61... > On 22 Nov 2004 Dwayne Conyers entered spamcop and left > news:cntjqs$fgi$1@news.spamcop.net: > >> I started reporting spam using their "this is spam" option that >> reports the spam (after forcing you to view five advertisements). >> > > I had an account there before they had the pop-unders, they used to have > free forwarding. they were acquired (I forget who by), started charging > for > forwarding, and on top of that added the pop-under advertising. The > advertising didn't bother me so much (other than the fact that everytime > you hit delete an ad pops up), but I complained about them being > pop-UNDERS > which I really hate, but they didn't seem to understand that I wasn't > complaining about the ads but the fact that they are hidden. They said I > could pay to get rid of the ads or they could cancel my account. Hah, I > never did cancel it. I have two pop-up blockers running simultaneously plus ad killing thanks to ZoneAlarm so I had a relatively ad-free experience. I had to eventually turn off the pop-up blocker sound effects. I'd go into the site and it would sound like the soundtrack to a Warner Bros cartoon "ping... ping... pi-pi-pi-piiing..." ------ If you were to realize how powerful your thoughts are you would never have a negative thought again www.dwacon.com From hee.haw at jack.ass Wed Dec 1 16:35:31 2004 From: hee.haw at jack.ass (Dwayne Conyers) Date: Wed Dec 1 16:35:07 2004 Subject: [SpamCop-List] Re: One way to deal with the spam problem... References: Message-ID: "Pop" wrote in message news:co01m0$42a$1@news.spamcop.net... > The OP probably picked a username that was recently agandoned; > because it was being spammed so heavily - happens all the time > when you dn't pick a spam safe name. I didn't think magma.lava *at* volcanomail *dot* com would be very obvious to spammers -- but I suppose I have been proven wrong. I now use a 30-character name with lots of dots, dashes and underscores for my free blocking account. -- During the Passion of the Christ A Naked Boy was running around http://www.cafeshops.com/powerpress From porpoise1954 at yahoo.co.uk Wed Dec 1 22:47:05 2004 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Wed Dec 1 17:50:02 2004 Subject: [SpamCop-List] Re: Should I aggree with my ISP? References: <41ADDEF3.72A3EDA0@spamcop.net> Message-ID: "N. Miller" wrote in message news:MPG.1c17c3a7d5adcdf7989779@news.spamcop.net... > In article , Porpoise says... > >> "Kenneth Brody" wrote in message >> news:41ADDEF3.72A3EDA0@spamcop.net... >> > Berny wrote: > > > Not exactly the point. It is entirely possible to authenticate to an SMTP > server without that server displaying your email address. As an SBC Yahoo! > DSL Service customer I have a choice of SMTP AUTH servers. I don't use the > normal "smtp.pacbell.yahoo.com" server precisely because it reveals my > username. I use "smtpauth.flash.net" instead. The relevant header line > looks > like this: > >> Received: from aosake.net (dialup-4.246.21.159.Dial1.SanJose1.Level3.net >> [4.246.21.159]) >> (authenticated bits=0) >> by ylpvm25.prodigy.net (8.12.10 auth mps linux/8.12.10) with ESMTP id >> iB1JgprC029681; >> Wed, 1 Dec 2004 14:42:54 -0500 So, if (for some reason) you were to send me an email, are you saying I wouldn't be able to determine who it was from? If that were the case, I wouldn't accept it - which brings me back to my previous point: I (and I suspect *most* people) want to *know* who an email is from before I'm going to accept/read it. The whole *point* of it is to prevent people from using aliases.... or other people just using the server even though they're not legitimate users. From dfm2a3l0t2 at spymac.com Wed Dec 1 18:38:26 2004 From: dfm2a3l0t2 at spymac.com (D.F. Manno) Date: Wed Dec 1 18:40:03 2004 Subject: [SpamCop-List] Re: Lycos DDos Screensaver ? References: Message-ID: In article , "Mike Easter" wrote: > From Slashdot: > > An anonymous reader writes "Lycos, shortly after producing a screen > saver to fight spammers using a DoS-style attack appears to have been > hacked. Attempting to download the screen saver from lycos results in > this message 'Yes, attacking spammers is wrong, you know this, you > shouldn't be doing it. Your ip address and request have been logged and > will be reported to your ISP for further action.' Or maybe it's just a > joke -- can you ever tell?" > http://it.slashdot.org/it/04/12/01/0250244.shtml?tid=111&tid=218 I downloaded it before the hacking. If anybody wants it and doesn't want to take the chance with the Lycos site, e-mail me. -- D.F. Manno dfm2a3l0t2@spymac.com "The work goes on, the cause endures, the hope still lives and the dream will never die." From David1 at suescornerweb.com Wed Dec 1 18:50:30 2004 From: David1 at suescornerweb.com (David 1) Date: Wed Dec 1 18:55:03 2004 Subject: [SpamCop-List] Re: spamcop@imaphost.com In-Reply-To: References: Message-ID: Mike Easter wrote: > Jay Marble (394041) wrote: > >>Who is this third party and where can I find information on them. > > > imaphost = cyveillance > > I don't know if Graeme Leith is here right now, so I'll try to stand in > for him. His sig sez: > > > Evidence shows Cyveillance abuse internet resources. > I recommend unchecking their box in SpamCop reports. > Cyveillance are part of the problem. > They are not part of the solution. > > > As a consequence of that sig, the question frequently arises about why > he sez that. In response to that question, he has answered: > > > Cyveillance have a robot that trawls through web sites looking for > stolen intellectual property. The robot ignores the robots.txt > exclusion protocol, originates from IP addresses that don't reverse > lookup to Cyveillance and tries to look like an ordinary user by > spoofing its user agent. > > The robots.txt (defacto) standard is used amongst other purposes to stop > robots getting stuck in dynamic pages and to stop robots generating > costs for people who pay for their web services by the amount of data > they transfer. By ignoring it, Cyveillance are seeking to make a profit > by exploiting resources that other people pay for, much like spammers > do. > > Cyveillance could avoid abusing peoples servers by sending people to > look at pages that robots are banned from. Of course this would > increase their costs, just like spammers costs would increase by using > ethical mailing practices. Cyveillance, like spammers, choose to ignore > peoples wishes in order to make their money. > > If you run a web site, you may want to grep your logs for visits from > 63. 148.99.224/27 & 65.118.41.192/27. You may also want to firewall > those addresses if you find that they have been abusing your resources > for their profit. > > If you look back to the June and July 2003 archives for the main SpamCop > newsgroup, you'll see quite a bit of discussion on the matter. > http://news.spamcop.net/pipermail/spamcop-list/ > > There are more ethical companies that perform the same service, such as > NameProtect, who identify their bot and obey the robots.txt protocol. > Their robot is perfectly welcome on my sites. Cyveillance are > firewalled whenever I find them. > > Julian (as is his right) has decided that Cyveillance are a good thing. > Quite a few people think otherwise and there is no warning on the > SpamCop site as to the abuses Cyveillance get up to. So I just leave > the sig there in an attempt to warn any newbies who drop by the > newsgroups. > > >>I'm interested to know why they collect the spam information from >>SpamCop.net. > > > Cyveillance is in the business of figuring out ways to profit from > information they get wherever they get it. They must feel that it is in > the best interests of them and their clients to be sniffing in the tons > of spam which SC reporters report and permit them to 3rd party. > > Cyveillance and Julian have been 'challenged' or questioned on the > issue, and many do not think that the imaphost is a good 3rd party to be > checking, and those people may elect to configure to leave 3rd parties > unchecked by default instead of checked. > > Cyveillance didn't do a good job here of responding to the questions > which they were asked. > Thank you for sending this, I just this minute changed my settings, actually I had kind of quit using SC, didn't see the point but I guess I'm back to using it again. Heck I got 20 megs I paid for David 1 From Merlyn at Spamcop.net Wed Dec 1 18:50:54 2004 From: Merlyn at Spamcop.net (Merlyn) Date: Wed Dec 1 18:55:06 2004 Subject: [SpamCop-List] Re: Lycos DDos Screensaver ? References: Message-ID: "Mike Easter" wrote in message news:cok066$93h$1@news.spamcop.net... > Mike Easter wrote: >> Dar wrote: >>> Lycos Offers Spam-Server Attack Program >> >> Lycos spamvampiring > > From Slashdot: > > An anonymous reader writes "Lycos, shortly after producing a screen > saver to fight spammers using a DoS-style attack appears to have been > hacked. Attempting to download the screen saver from lycos results in > this message 'Yes, attacking spammers is wrong, you know this, you > shouldn't be doing it. Your ip address and request have been logged and > will be reported to your ISP for further action.' Or maybe it's just a > joke -- can you ever tell?" > http://it.slashdot.org/it/04/12/01/0250244.shtml?tid=111&tid=218 > > -- Why does everyone think this is a Lycos site??? A whois gives: canonical name makelovenotspam.com. addresses 213.115.182.123 Starring Ltd AB Kungsgatan 6 Stockholm, 111 43 SE Is this Lycos???? 213.115.182.123: inetnum: 213.115.182.64 - 213.115.182.127 netname: BB-CUST-STARRING descr: advertising company Is this Lycos???? Is this another Trojan now on hundreds of thousands of computers???? Call me paranoid but something smells fishy here. -- Regards, Merlyn A Spamcop advocate No emails this account is for newsgroups only People demand freedom of speech to make up for the freedom of thought which they avoided From spamcop at oitc.com Wed Dec 1 19:05:24 2004 From: spamcop at oitc.com (spamcop) Date: Wed Dec 1 19:10:03 2004 Subject: [SpamCop-List] baseurl references Message-ID: RE http://www.spamcop.net/sc?id=z698305946zc5b0a9a430bb0914a4d5119d0b637908z SC misses baseurl references From nobody at spamcop.net Thu Dec 2 00:50:56 2004 From: nobody at spamcop.net (me-no-no) Date: Wed Dec 1 19:55:02 2004 Subject: [SpamCop-List] Re: Lycos DDos Screensaver ? References: Message-ID: "Merlyn" wrote in message news:collcu$blh$1@news.spamcop.net... > "Mike Easter" wrote in message > news:cok066$93h$1@news.spamcop.net... >> Mike Easter wrote: >> joke -- can you ever tell?" http://it.slashdot.org/it/04/12/01/0250244.shtml?tid=111&tid=218 > Why does everyone think this is a Lycos site??? > > A whois gives: > canonical name makelovenotspam.com. > addresses 213.115.182.123 > > Starring Ltd AB > Kungsgatan 6 > Stockholm, 111 43 > SE > Is this Lycos???? > > 213.115.182.123: > inetnum: 213.115.182.64 - 213.115.182.127 > netname: BB-CUST-STARRING > descr: advertising company > > Is this Lycos???? > > Is this another Trojan now on hundreds of thousands of computers???? > > Call me paranoid but something smells fishy here. I would say working "on behalf of" Lycos i.e.corporate.starring.se [213.115.182.70] http://corporate.starring.se/content/about.jsp They seem to have deceived quite a lot of official news sites, if that's not the case :-) http://news.google.co.uk/news?hl=en&lr=&scoring=d&tab=gn&ie=UTF-8&q=Lycos+Screensaver&btnG=Search+News or http://tinyurl.com/5nfet No official condemnation over the past few days from Lycos either - To the contrary according to many news reports. Ciao Meno From nobody at spamcop.net Thu Dec 2 01:07:20 2004 From: nobody at spamcop.net (me-no-no) Date: Wed Dec 1 20:10:02 2004 Subject: [SpamCop-List] "Money Mule" twist Message-ID: Yet another Phisher MM twist :-) http://221.2.162.21:9121/bannerdrive/viewHome.html Even got the audacity to use the Lincoln Hospital, Bronx NY as their "Registered Office: 234 East 149th Street Bronx, NY 10451 USA Customer Call Center:UK: +1-603-719-1355 9am - 6pm UK time Fax:UK: +1-603-719-1355" Hi! bannerDrive is an online payment services provider. Using e-wallet technology and access to a global banking and payment network. bannerDrive enables online Shoppers and Merchants to make and receive secure, economical and efficient payments for goods and services via a variety of payment methods. We plan to push up sales therefore we search for a sales representatives in USA and United Kingdom. Why you should try this work: 1. You don't need any special knowledge in the field of finance or sales 2. No special membership are incurred 3. This work will take about two hour per day and is not tiresome 4. This is an in-house job 5. You can make good money with us, $2000-4000 per month. Ref: Money Mule info:- http://www.banksafeonline.org.uk/what_mule.html Ciao Meno From Merlyn at Spamcop.net Wed Dec 1 20:41:07 2004 From: Merlyn at Spamcop.net (Merlyn) Date: Wed Dec 1 20:45:03 2004 Subject: [SpamCop-List] Re: Lycos DDos Screensaver ? References: Message-ID: "me-no-no" wrote in message news:colot6$e10$1@news.spamcop.net... > "Merlyn" wrote in message > news:collcu$blh$1@news.spamcop.net... >> "Mike Easter" wrote in message >> news:cok066$93h$1@news.spamcop.net... >>> Mike Easter wrote: >>> joke -- can you ever tell?" > http://it.slashdot.org/it/04/12/01/0250244.shtml?tid=111&tid=218 > >> Why does everyone think this is a Lycos site??? >> >> A whois gives: >> canonical name makelovenotspam.com. >> addresses 213.115.182.123 >> >> Starring Ltd AB >> Kungsgatan 6 >> Stockholm, 111 43 >> SE > >> Is this Lycos???? [snipped] >> Call me paranoid but something smells fishy here. > > I would say working "on behalf of" Lycos i.e.corporate.starring.se > [213.115.182.70] > http://corporate.starring.se/content/about.jsp > > They seem to have deceived quite a lot of official news sites, if that's > not the case :-) > http://news.google.co.uk/news?hl=en&lr=&scoring=d&tab=gn&ie=UTF-8&q=Lycos+Screensaver&btnG=Search+News > or > http://tinyurl.com/5nfet > > No official condemnation over the past few days from Lycos either - To the > contrary according to many news reports. > I agree, one of my sites has links to a boatload of news articles about it. I would just think that if Lycos is the actual owner it would show in the Whois instead of an advertising company. -- Regards, Merlyn A Spamcop advocate No emails this account is for newsgroups only People demand freedom of speech to make up for the freedom of thought which they avoided From nobody at spamcop.net Thu Dec 2 01:58:59 2004 From: nobody at spamcop.net (me-no-no) Date: Wed Dec 1 21:00:02 2004 Subject: [SpamCop-List] Re: Lycos DDos Screensaver ? References: Message-ID: "Merlyn" wrote in message news:colrrj$g66$1@news.spamcop.net... > "me-no-no" wrote in message >>> Why does everyone think this is a Lycos site??? >>> A whois gives: >>> canonical name makelovenotspam.com. >>> addresses 213.115.182.123 >>> Starring Ltd AB >>> Kungsgatan 6 >>> Stockholm, 111 43 >>> SE >> >>> Is this Lycos???? > > [snipped] > >>> Call me paranoid but something smells fishy here. >> >> I would say working "on behalf of" Lycos i.e.corporate.starring.se >> [213.115.182.70] >> http://corporate.starring.se/content/about.jsp >> >> They seem to have deceived quite a lot of official news sites, if that's >> not the case :-) >> http://news.google.co.uk/news?hl=en&lr=&scoring=d&tab=gn&ie=UTF-8&q=Lycos+Screensaver&btnG=Search+News >> or >> http://tinyurl.com/5nfet >> >> No official condemnation over the past few days from Lycos either - To >> the contrary according to many news reports. >> > I agree, one of my sites has links to a boatload of news articles about > it. > > I would just think that if Lycos is the actual owner it would show in the > Whois instead of an advertising company. It looks like they outsourced this "Pandora`s Box" to starring.se - in order to keep it well away from their (Lycos) corporate servers - in the event of it all backfiring on them :-) Ciao Meno From nobody at spamcop.net Wed Dec 1 18:06:58 2004 From: nobody at spamcop.net (Dar) Date: Wed Dec 1 21:10:03 2004 Subject: [SpamCop-List] Re: Lycos DDos Screensaver ? References: Message-ID: > >> Call me paranoid but something smells fishy here. > > > > I would say working "on behalf of" Lycos i.e.corporate.starring.se > > [213.115.182.70] > > http://corporate.starring.se/content/about.jsp > > > > They seem to have deceived quite a lot of official news sites, if that's > > not the case :-) > > http://news.google.co.uk/news?hl=en&lr=&scoring=d&tab=gn&ie=UTF-8&q=Lycos+Screensaver&btnG=Search+News > > or > > http://tinyurl.com/5nfet > > > > No official condemnation over the past few days from Lycos either - To the > > contrary according to many news reports. > > > > > I agree, one of my sites has links to a boatload of news articles about it. > > I would just think that if Lycos is the actual owner it would show in the > Whois instead of an advertising company. > > -- > > Regards, > Merlyn > > A Spamcop advocate > No emails this account is for newsgroups only > People demand freedom of speech to make up for the freedom of thought which > they avoided For whatever it's worth, the link *is* advertised on the main site: http://www.lycos.de/ The link is to: http://www.lycos.de/makelovenotspam/ but clicking on the link from there, you get a Flash popup. Dar From nospam at nospam.org Thu Dec 2 03:40:28 2004 From: nospam at nospam.org (geo_splash_12) Date: Wed Dec 1 21:45:04 2004 Subject: [SpamCop-List] Re: I'm glad this is not my provider... In-Reply-To: References: Message-ID: Warre wrote: > Whois lookup for one of Belgium's largest broadband providers: Correction: this is only a part of skynet.be, which is really spans a much larger range in the ip space. Evidence: http://www.senderbase.org/search?searchString=skynet.be > > % This is the RIPE Whois tertiary server. > % The objects are in RPSL format. > % > % Rights restricted by copyright. > % See http://www.ripe.net/db/copyright.html > > inetnum: 194.78.149.0 - 194.78.149.255 > netname: SKY-2277522 > descr: SKY-1175721 > country: BE > admin-c: AC4927-RIPE > tech-c: SN2068-RIPE > rev-srv: ns1.skynet.be > ... > remarks: ------------------------------------------- > remarks: Network problems to: noc@skynet.be > remarks: Peering requests to: peering@skynet.be > remarks: Abuse notifications to: abuse@skynet.be > remarks: - I did *not* hack your computer > remarks: - I did *not* send you SPAM or virus > remarks: - I will *not* read your abuse complaints > remarks: ------------------------------------------- > > Guess which is the only SBL-listed ISP in Belgium... > > If you want to see for yourself: > http://tinyurl.com/55zce -- And your Chinese exchange student asks: what does it mean "I'm busy". Location 51 57'N 4 28'E From ric.gates at bigsleep.org Thu Dec 2 03:20:48 2004 From: ric.gates at bigsleep.org (Blammo) Date: Wed Dec 1 22:25:04 2004 Subject: [SpamCop-List] Re: One way to deal with the spam problem... References: Message-ID: On 01 Dec 2004 Dwayne Conyers entered spamcop and left news:cold5k$5t8$1@news.spamcop.net: > Prolly not... but then again when I got a cable modem at home the day my > account was assigned there were 80 spams sitting there waiting to be > deleted. > Your account was born pregnant! Before it was activated it was aborting them. -- | Ric | From ric.gates at bigsleep.org Thu Dec 2 03:27:16 2004 From: ric.gates at bigsleep.org (Blammo) Date: Wed Dec 1 22:30:02 2004 Subject: [SpamCop-List] Re: One way to deal with the spam problem... References: Message-ID: On 01 Dec 2004 Dwayne Conyers entered spamcop and left news:cold9i$5vc$1@news.spamcop.net: > I have two pop-up blockers running simultaneously plus ad killing > thanks to ZoneAlarm so I had a relatively ad-free experience. > > I had to eventually turn off the pop-up blocker sound effects. I'd go > into the site and it would sound like the soundtrack to a Warner Bros > cartoon "ping... ping... pi-pi-pi-piiing..." > You know I saw that crap that ZoneAlarm was doing, and it really pissed me off. Mozilla and Firefox don't need any of that, and the web-bug blocker really screws up some sites. But there's no way to enable it for only IE, which is about the only browser that needs it (well maybe Communicator). I discussed the web-bug-bug with support but they were completely oblivious, I'm not impressed at all. Using Mozilla for some time now and I no longer notice pop-ups at all, unless they are actually needed for some reason. -- | Ric | From nobody at xyzzy.claranet.de Thu Dec 2 06:34:19 2004 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Thu Dec 2 00:35:04 2004 Subject: [SpamCop-List] Re: baseurl references References: Message-ID: <41AEA95B.64DF@xyzzy.claranet.de> spamcop wrote: > http://www.spamcop.net/sc?id=z698305946zc5b0a9a430bb0914a4d5119d0b637908z > SC misses baseurl references Not when I look at it, it found gatheringproducttesters.info Bye, Frank From nobody at xyzzy.claranet.de Thu Dec 2 06:55:41 2004 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Thu Dec 2 01:05:02 2004 Subject: [SpamCop-List] Re: Should I aggree with my ISP? References: Message-ID: <41AEAE5D.46F1@xyzzy.claranet.de> Bodger wrote: > Question > What will be the net effect of these changes? Minimal to zero. SMTP AUTH has nothing to do with "enforced submission rights", if you're authenticated you can still forge your MAIL FROM. SMTP AUTH PLAIN or LOGIN over a normal connection (no SSL / TLS) is not much better than SMTP-after- POP, and worse than SMTP-after-APOP. SMTP AUTH in addition to RADIUS may help to confuse trojaned boxes if they try to spam using the official relay of the ISP. You really need it for roaming users _or_ "enforced submission rights". In the case of _and_ SMTP AUTH works also, but then SMTP-after-POP would be not much worse. I've just lost an account with SMTP-after-POP _and_ "enforced submission rights". Bad for me, because my old MUA does not support SMTP AUTH. Bad for the world at large, because I'm now using another account with another MUA with SMTP AUTH but _without_ "enforced submission rights": Of course I screwed up and sent MAIL FROM: via this provider. They accepted it, but it was forged, my real address at this provider is different. With the old account that was impossible, they rejected it. In other words, SMTP AUTH alone is almost useless. Bye, Frank From skiwi at spamcop.net Wed Dec 1 22:39:50 2004 From: skiwi at spamcop.net (sk1w1) Date: Thu Dec 2 01:40:03 2004 Subject: [SpamCop-List] Re: Lycos DDos Screensaver ? In-Reply-To: References: Message-ID: me-no-no wrote: > Is this for real ?? (courtesy heise.de) 26.11.2004 16:43 > > Lycos users are to attack spammers > In its campaign "Make Love, Not Spam", Lycos Europe is now sending a very > special screen saver to its users. This program for Windows or MacOS > constantly visits websites for which spam has been sent. "The more users > download and use the screen saver, the lower the performance of the sites > sending out the spam, and the greater the costs for the operators," Lycos > explained..............http://www.heise.de/english/newsticker/news/53697 > Ciao > Meno Hitting the mass media... e.g., today's www.smh.com.au reprinted from the Guardian - which is presumably why they list http://www.lycos.co.uk as the 'download site'... Refinement of Spam Vampire concept I guess (http://www.hillscapital.com/antispam/) Wonder how many users after signing up will get there service threatened / cut by their own ISP for 'denial of service' reasons... and/or ISPs start charging for 'excessive' download volumes... ---- My prediction of next piece of malware - hijacking of the Lycos et al software to 'attack' other sites such as Spamcop, Spamhaus, etc! ---- Mind you, if I asked 'nice', do you think Lycos UK would direct all attempts for a few days at cears.com, etc over there in BR? :-) From devnull at devnull.devnull Thu Dec 2 10:38:21 2004 From: devnull at devnull.devnull (Anty Spam) Date: Thu Dec 2 03:50:08 2004 Subject: [SpamCop-List] Re: Phish For A Phisher :-) References: Message-ID: "me-no-no" wrote in message news:coanji$k61$1@news.spamcop.net... > Interesting - Phisher forgot to chmode to stop peaking :-) > http://146.83.5.15/.paypal/ > > Ciao > Meno > Hmm : Uruguay Maybe an engineering student is taking "SPAM & SCAM 101" for bonus credits. Especially with all the activities of this kind from South Amercian countries ...:-) Cheers From porpoise1954 at yahoo.co.uk Thu Dec 2 09:57:28 2004 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Thu Dec 2 05:00:54 2004 Subject: [SpamCop-List] Re: Lycos DDos Screensaver ? References: Message-ID: "Merlyn" wrote in message news:collcu$blh$1@news.spamcop.net... > "Mike Easter" wrote in message > news:cok066$93h$1@news.spamcop.net... >>>> http://it.slashdot.org/it/04/12/01/0250244.shtml?tid=111&tid=218 >> >> -- > > Why does everyone think this is a Lycos site??? > > A whois gives: > canonical name makelovenotspam.com. > addresses 213.115.182.123 > > Starring Ltd AB > Kungsgatan 6 > Stockholm, 111 43 > SE > > Is this Lycos???? > > 213.115.182.123: > inetnum: 213.115.182.64 - 213.115.182.127 > netname: BB-CUST-STARRING > descr: advertising company > > Is this Lycos???? > > Is this another Trojan now on hundreds of thousands of computers???? > > Call me paranoid but something smells fishy here. Now, it's funny you should say that because I was starting towards a similar conclusion........ I've gone all over the Lycos site, and there's no reference to this screensaver whatsoever. AFAICS. From David1 at suescornerweb.com Thu Dec 2 05:18:48 2004 From: David1 at suescornerweb.com (David 1) Date: Thu Dec 2 05:20:13 2004 Subject: [SpamCop-List] Re: One way to deal with the spam problem... In-Reply-To: References: Message-ID: Blammo wrote: > On 01 Dec 2004 Dwayne Conyers entered spamcop and left > news:cold9i$5vc$1@news.spamcop.net: > > >>I have two pop-up blockers running simultaneously plus ad killing >>thanks to ZoneAlarm so I had a relatively ad-free experience. >> >>I had to eventually turn off the pop-up blocker sound effects. I'd go >>into the site and it would sound like the soundtrack to a Warner Bros >>cartoon "ping... ping... pi-pi-pi-piiing..." >> > > > You know I saw that crap that ZoneAlarm was doing, and it really pissed me > off. Mozilla and Firefox don't need any of that, and the web-bug blocker > really screws up some sites. But there's no way to enable it for only IE, > which is about the only browser that needs it (well maybe Communicator). > I discussed the web-bug-bug with support but they were completely > oblivious, I'm not impressed at all. > > Using Mozilla for some time now and I no longer notice pop-ups at all, > unless they are actually needed for some reason. I do have to say since I switched to FireFox about a month or so ago I've been really happy, there have only been 2 sites I've had to open & both of those were financial. You get this little line on top of your screen that tells you it blocked & a link to allow it. I don't know if sound is optional or not but I never hear nothing & that suits me just fine. David 1 From porpoise1954 at yahoo.co.uk Thu Dec 2 12:22:09 2004 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Thu Dec 2 07:25:03 2004 Subject: [SpamCop-List] Re: Should I aggree with my ISP? References: <41AEAE5D.46F1@xyzzy.claranet.de> Message-ID: "Frank Ellermann" wrote in message news:41AEAE5D.46F1@xyzzy.claranet.de... > Bodger wrote: > >> Question >> What will be the net effect of these changes? > > Of course I screwed up and sent MAIL FROM: via > this provider. They accepted it, but it was forged, my real > address at this provider is different. With the old account > that was impossible, they rejected it. > > In other words, SMTP AUTH alone is almost useless. Bye, Frank > Maybe I'm missing something here, but I think your missing the point of *auth.smtp*. It's primary purpose is so that you have to login to the smtp server to send mail, in the same way that you have to login to the pop server to retrieve your incoming mail, thereby, stopping unauthorised use of the smtp server by people who don't actually have an account. As long as you have a valid username and password to login, it shouldn't make any difference what email you give as the return address. (As long as it's a valid one of course). Without that, anyone would be able to send mail from that server (this is how most of the forged From: stuff is actually sent - which is why the slow ISPs/hosts are now getting their act together with this. There is also the distinction to be made between ISP and hosting. Our ISP has nothing to do with our hosting company - and, therefore, nothing to do with our email. So, our logins for the two are entirely seperate issues (Even with always-on broadband there *is* still a login). This is one of the issues related to forms on webpages; you have to be careful that the script is external to the page so that someone cannot exploit any information relating to the processing of the form data (such as the login details for the email account - if the form data is emailed somewhere). From porpoise1954 at yahoo.co.uk Thu Dec 2 12:26:54 2004 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Thu Dec 2 07:30:03 2004 Subject: [SpamCop-List] Re: Should I aggree with my ISP? References: <41AEAE5D.46F1@xyzzy.claranet.de> Message-ID: "Porpoise" wrote in message news:con1f8$6q1$2@news.spamcop.net... > > > Maybe I'm missing something here, but I think your missing the point of Sh*t! yes! I did it your honour! I plead guilty as charged! It should have been "you're". ;-) Half asleep. From dkona7b02 at sneakemail.com Thu Dec 2 10:43:31 2004 From: dkona7b02 at sneakemail.com (Spam Hater) Date: Thu Dec 2 10:43:35 2004 Subject: [SpamCop-List] Re: Lycos DDos Screensaver ? In-Reply-To: References: Message-ID: <3.0.5.32.20041202104331.00f81a20@loki.fstrf.org> What I am wondering is which sites are on the attack list?? The article I read mentioned SpamCop as the source, but SpamCop only lists email injection sites, not SPAMvertisers... So, does that mean the screen saver is going after all the zombie boxes that are spewing out the SPAM itself or do they have access to some hidden list of SPAMvertisers that we report? At 10:39 PM 12/1/2004 -0800, sk1w1 typed: >snip< >Wonder how many users after signing up will get there service threatened >/ cut by their own ISP for 'denial of service' reasons... and/or ISPs >start charging for 'excessive' download volumes... From ric.gates at bigsleep.org Thu Dec 2 16:37:50 2004 From: ric.gates at bigsleep.org (Blammo) Date: Thu Dec 2 11:40:02 2004 Subject: [SpamCop-List] Re: One way to deal with the spam problem... References: Message-ID: On 02 Dec 2004 David 1 entered spamcop and left news:comq54$2o7$1@news.spamcop.net: > I don't know if > sound is optional or not but I never hear nothing & that suits me just > fine. I'm pretty sure it is, I actually use an old plugin called Yamaha MIDPLUG for XG. You need one or all of Macromedia Shockwave Flash, Quicktime (which will play audio as well), and optionally Windows Media Player Plug-in. Type about:plugins into location to see the list. Actually many sites use the MS tag BGSOUND which only works in MSIE as far as I know. Some sites use Flash sound, and you can get an extension that will disable Flash until you click it, which is nice since Flash doesn't give you any audio controls. MidPlug is a little awkward, but I like it because it's very similar to the old LiveAudio plugin. If anyone wants it I'll post a link. -- | Ric | From beanta at slu.edu Thu Dec 2 10:38:39 2004 From: beanta at slu.edu (Thomas Bean) Date: Thu Dec 2 11:55:07 2004 Subject: [SpamCop-List] SC Parser misses URLs w/ bogus embedded HTML tags Message-ID: I have been encountering spam e-mails lately that have bogus HTML tags embedded throughout the text/html section. The spammer has evidently discovered that this will confuse the SpamCop parser. This is a recent example (from reportid 1304805196): http://211.158.15.61/vb/ The actual spamvertised URL is http://211.158.15.61/vb/ In my e-mail client, the bogus tags do not show up as displayable text in the URL; however, the resulting URL is non-clickable (the spammer precedes the URL with instructions to copy and paste the URL into a browser). Is this a common spammer trick? Is there any way to get SC to report these sites without munging the message text (which is against SC rules)? Is there any formal process in place to submit suggestions for improvements to the parser? From MikeE at ster.invalid Thu Dec 2 08:53:44 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Dec 2 11:55:13 2004 Subject: [SpamCop-List] Re: Lycos DDos Screensaver ? References: Message-ID: Spam Hater wrote: > What I am wondering is which sites are on the attack list?? The > article I read mentioned SpamCop as the source, but SpamCop only > lists email injection sites, not SPAMvertisers... SC 'publishes' spamvertisers on the stats page^1, which is helpful to scrapers such as surbl^2 which list them in their own blocklist. > So, does that mean > the screen saver is going after all the zombie boxes that are spewing > out the SPAM itself No. > or do they have access to some hidden list of > SPAMvertisers that we report? Not hidden, see below. Maybe they use some subset of the surbl. They also claim to actually check for themselves if their targetted sites are 'really' spamvertiser sites. ^1 frontpage http://www.spamcop.net/spamstats.shtml Spamvertised Web Sites http://www.spamcop.net/w3m?action=inprogress;type=www ^2 SURBL - Spam URI Realtime Blocklists sc.surbl.org - SpamCop message-body URI domains "Scripts which power the database and SURBL creation grab data from SpamCop's "Spamvertised Web Sites" web page every couple minutes or so, then merge new entries and expire the data so that it's never more than 4 days old." -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Thu Dec 2 08:58:17 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Dec 2 12:00:03 2004 Subject: [SpamCop-List] Re: SC Parser misses URLs w/ bogus embedded HTML tags References: Message-ID: Thomas Bean wrote: > This is a recent example (from reportid 1304805196): The best way to post a demonstration of a spamcop parse for discussion is to parse the item, copy the tracking url from the top section, and then send or cancel the parse. The context is like this: Here is your TRACKING URL - it may be saved for future reference: spamcop.net/sc?id=z698550180za357f3a3dcfb7167cafed942287fbf56z -- Mike Easter kibitzer, not SC admin From ric.gates at bigsleep.org Thu Dec 2 17:32:10 2004 From: ric.gates at bigsleep.org (Blammo) Date: Thu Dec 2 12:35:04 2004 Subject: [SpamCop-List] Re: SC Parser misses URLs w/ bogus embedded HTML tags References: Message-ID: On 02 Dec 2004 Thomas Bean entered spamcop and left news:conh46$fvl$1@news.spamcop.net: > Is there any way to get SC to report these > sites without munging the message text (which is against SC rules)? If you open a second SpamCop window so you can get the Submit Spam form you can paste the URL in and parse it. This will give you an eMail address to ad to the user notification. I'm pretty sure you need a paid account to get the User Notify option. -- | Ric | From nobody at spamcop.net Thu Dec 2 11:43:45 2004 From: nobody at spamcop.net (Ellen) Date: Thu Dec 2 12:40:02 2004 Subject: [SpamCop-List] Re: Lycos DDos Screensaver ? References: Message-ID: "Spam Hater" wrote in message news:mailman.23.1102002215.4572.spamcop-list@news.spamcop.net... > What I am wondering is which sites are on the attack list?? The article I > read mentioned SpamCop as the source, but SpamCop only lists email > injection sites, not SPAMvertisers... So, does that mean the screen saver > is going after all the zombie boxes that are spewing out the SPAM itself > or do they have access to some hidden list of SPAMvertisers that we > report? > They have no access to any hidden lists -- there are no hidden lists :-) There is the listing on the stats page of urls that are currently being reported from spam reports. http://www.spamcop.net/w3m?action=inprogress;type=www That page, and all the stats pages, are publicly available resources. I do not know if they (whoever they are) are using that page or not. Let me add that the first we heard about this tool/screensaver thing was reading anti-spam lists/forums the same as everyone else. Ellen From dkona7b02 at sneakemail.com Thu Dec 2 12:52:44 2004 From: dkona7b02 at sneakemail.com (Spam Hater) Date: Thu Dec 2 12:53:38 2004 Subject: [SpamCop-List] Re: SC Parser misses URLs w/ bogus embedded HTML tags In-Reply-To: References: Message-ID: <3.0.5.32.20041202125244.00f80f40@loki.fstrf.org> Where did you see a rule that says munging the message text is forbidden?? AFAIK, you can munge anything you wish in order to hide references to yourself in a SPAM item. If the SPAMmer includes a bogus URL of the form www.yourdomain.com I personally don't think there is anything wrong with simply removing the entire reference. That would be a case of under reporting which shouldn't upset the apple cart at all. It is the same as simply unclicking the checkmark next to the report for that website after the parse. The only time munging is not an option is when an ISP specifically refuses munged reports. Are you sure you are not confusing this with the "no material changes" rule? That only applies to cases where changing a header item might cause SpamCop to misidentify the sender... On 02 Dec 2004 Thomas Bean wrote: > Is there any way to get SC to report these > sites without munging the message text (which is against SC rules)? From beanta at slu.edu Thu Dec 2 11:50:00 2004 From: beanta at slu.edu (Thomas Bean) Date: Thu Dec 2 12:55:03 2004 Subject: [SpamCop-List] Re: SC Parser misses URLs w/ bogus embedded HTML tags References: Message-ID: Sorry, here is the tracking URL: http://www.spamcop.net/sc?id=z698535436z3e5e148442ca867247174028607d3131z --Thomas "Mike Easter" wrote in message news:conhi1$geo$1@news.spamcop.net... > Thomas Bean wrote: > > This is a recent example (from reportid 1304805196): > > The best way to post a demonstration of a spamcop parse for discussion > is to parse the item, copy the tracking url from the top section, and > then send or cancel the parse. > > The context is like this: > > Here is your TRACKING URL - it may be saved for future reference: > spamcop.net/sc?id=z698550180za357f3a3dcfb7167cafed942287fbf56z > > > -- > Mike Easter > kibitzer, not SC admin > From beanta at slu.edu Thu Dec 2 11:51:12 2004 From: beanta at slu.edu (Thomas Bean) Date: Thu Dec 2 12:55:08 2004 Subject: [SpamCop-List] Re: SC Parser misses URLs w/ bogus embedded HTML tags References: Message-ID: Good idea. I do have a paid account, so I will try that. "Blammo" wrote in message news:Xns95B3611921B4Eblammo@216.154.195.61... > On 02 Dec 2004 Thomas Bean entered spamcop and left > news:conh46$fvl$1@news.spamcop.net: > > > Is there any way to get SC to report these > > sites without munging the message text (which is against SC rules)? > > If you open a second SpamCop window so you can get the Submit Spam form you > can paste the URL in and parse it. This will give you an eMail address to > ad to the user notification. > I'm pretty sure you need a paid account to get the User Notify option. > > -- > | Ric > | From cnwykab02 at sneakemail.com Thu Dec 2 18:57:08 2004 From: cnwykab02 at sneakemail.com (Warre) Date: Thu Dec 2 13:00:04 2004 Subject: [SpamCop-List] Re: I'm glad this is not my provider... In-Reply-To: References: Message-ID: geo_splash_12 wrote: > Warre wrote: > >> Whois lookup for one of Belgium's largest broadband providers: > > > Correction: this is only a part of skynet.be, which is really spans a > much larger range in the ip space. Evidence: > > http://www.senderbase.org/search?searchString=skynet.be > I know. My mistake. See my previous post... From SpamNScamsReporter# at gmail#.com# Thu Dec 2 10:09:35 2004 From: SpamNScamsReporter# at gmail#.com# (Spam N Scams Reporter) Date: Thu Dec 2 13:10:03 2004 Subject: [SpamCop-List] Re: Lycos DDos Screensaver ? In-Reply-To: References: Message-ID: sk1w1 wrote: > me-no-no wrote: > >> Is this for real ?? (courtesy heise.de) 26.11.2004 16:43 >> > > Wonder how many users after signing up will get there service threatened > / cut by their own ISP for 'denial of service' reasons... and/or ISPs > start charging for 'excessive' download volumes... > > ---- > > My prediction of next piece of malware - hijacking of the Lycos et al > software to 'attack' other sites such as Spamcop, Spamhaus, etc! > > ---- > > Mind you, if I asked 'nice', do you think Lycos UK would direct all > attempts for a few days at cears.com, etc over there in BR? :-) Here's a forwarded message to list. Long, but with a SpamCop reference. Is this what might be slowing down SpamCop's servers? It also shows targets of the screen saver. ----- Forwarded message from "Hannigan, Martin" ----- > From: "Hannigan, Martin" > To: nanog list > Subject: RE: How many backbones here are filtering the makelovenotspam screensaver site? > Date: Thu, 2 Dec 2004 10:28:26 -0500 > > > > -----Original Message----- > > From: Lionel [mailto:nop@alt.net] > > Sent: Thursday, December 02, 2004 8:40 AM > > To: Hannigan, Martin > > Cc: nanog list > > Subject: Re: How many backbones here are filtering the makelovenotspam screensaver site? > > > > > > On Thu, 2 Dec 2004 08:27:38 -0500 , "Hannigan, Martin" > > wrote: > > > > >> > Hosted on a cablemodem? Tch, tch, how the mighty have fallen > > > > > > > > >The blocks are widespread. > > > > > >The reports of hackers are incorrect. The blackholes are > > what is stopping > > >them. > > > > What amazing efficiency. I can't help but wonder if these > > same providers > > are as quick at blackholing spamsite hosts, or blocking the zombies on > > their user networks from spewing spam on port 25? > > If you tied all the spammers into a few controllers, you see it happen > immediately. > > I've been following the news reports on this. Here's a quick summary > of "what I know" without making any judgement or opinion: > > > - The lycos screensaver campaign activated Tuesday > - Major networks began activating blocks > - When the controllers can't be reached, the clients die off > - If screensaver is active when controllers die, it runs > off the current target list. > - If screensaver deactivates, then activates, it can't > contact the servers and tells the user it's "off the internet" > (I can't verify the veracity of the update process i.e. if it > will die while active) > - Blocks started going up early Wednesday morning > - The press began reporting hackers due to an apparentdefacement > being seen by many users. What they actually saw was the banner of > an ISP that had blackholed the traffic and redirected port > 80 to a notice. > - Lycos moved their application to a hosting facility with bigger pipes > - Target sites began using redirects sending the traffic back > to Lycos > - Press reports are coming out today regarding the blackholes > - SpamCop is the source of the target list via a page that is public > off of the SpamCop site (SpamCop is does not appear to have complicity) > - The effectiveness of the blackholes is rising > - There are a reported 100K clients downloaded. Less than you would > expect due to the voluminous press coverage. Probably a result of > the blackhole activity as well. > > I'm really not sure if Lycos knows about the blackholes at > this point as the press has been reporting "hackers" all the while. > If you think it's hacked, check the route. > > Here's some operational data captured via ethereal > > The target list generated by the botnet controller: > > GET > /xml/69426058014054/94772079193788/35264029467456/12122010129438/CONFIG_2865 > 2023942308.xml HTTP/1.1 > Referer: > http://backend.makelovenotspam.com/xml/69426058014054/94772079193788/3526402 > 9467456/12122010129438/CONFIG_28652023942308.xml > x-flash-version: 7,0,19,0 > User-Agent: Shockwave Flash > Host: backend.makelovenotspam.com > Cache-Control: no-cache > > HTTP/1.1 200 OK > Server: Resin/2.1.14 > Content-Type: text/xml; charset=UTF-8 > Content-Length: 2889 > Connection: close > Date: Thu, 02 Dec 2004 15:22:00 GMT > > > domain="myshopinternetcompany.com" > url="http://myshopinternetcompany.com/?e=aa5100" bytes="357460680" > hits="2572309" percentage="100" responsetime01="498" responsetime02="0" > location="BR" /> url="http://grlswaiting4u.com/" bytes="206765667" hits="1488797" > percentage="100" responsetime01="11866" responsetime02="0" location="US" > /> url="http://1stwebsitetheyourshop.com/?e=aa5100" bytes="317867325" > hits="2288427" percentage="100" responsetime01="507" responsetime02="0" > location="BR" /> url="http://cheap-r-x.com/" bytes="355920802" hits="2565612" > percentage="100" responsetime01="787" responsetime02="0" location="CN" > /> url="http://www.hlplmanhds.biz/" bytes="317590861" hits="2269503" > percentage="100" responsetime01="785" responsetime02="0" location="CN" > /> url="http://r.vtm.homewo.com/" bytes="367630639" hits="2248424" > percentage="100" responsetime01="5542" responsetime02="0" location="CN" > /> url="http://www.incentiverewardcenter.com/xg_reg.htm?SID=ab9ee352c3402bdc858 > e5540b887d28a--landing_page=1--show=zip--=--p=92375--c=5411-toys250_720_emc- > -catalog_id=14--a=--affil=5408--subid=1" bytes="1028999994" hits="6992693" > percentage="-144200" responsetime01="1442" responsetime02="-1" location="US" > /> url="http://www.macromed.ws/" bytes="742958780" hits="5063804" > percentage="100" responsetime01="1212" responsetime02="0" location="RU" > /> url="http://www.curdom.com/" bytes="734756904" hits="4831221" > percentage="46" responsetime01="2134" responsetime02="4541" location="CN" > /> url="http://www.bacbwefds.info/" bytes="422036604" hits="2463679" > percentage="100" responsetime01="3375" responsetime02="0" location="CN" > /> value="http://backend.makelovenotspam.com/xml" /> name="interval-diagram" value="10000" /> value="10000" /> name="refresh-xml" value="1200000" /> /> value="http://backend.makelovenotspam.com/report" /> name="average-percentage" value="100.0" /> value="143003829363" /> name="downloads" value="103803" /> /> > > > Here's what they appear to receiving a lot as a result: > > IN`TS > . > > 501 Method Not Implemented > >

Method Not Implemented

>

<makeLOVEnotSPAM>IN`TS</makeLOVEnotSPAM> to /index.html not > supported.
>

> > > > ----- End forwarded message ----- From beanta at slu.edu Thu Dec 2 12:10:05 2004 From: beanta at slu.edu (Thomas Bean) Date: Thu Dec 2 13:15:04 2004 Subject: [SpamCop-List] Re: SC Parser misses URLs w/ bogus embedded HTML tags References: Message-ID: Not according to the FAQ (http://www.spamcop.net/fom-serve/cache/283.html): SpamCop FAQ : SpamCop Parsing and Reporting Service : Rules - everybody read! : Material changes to spam "SpamCop does what it does and doesn't do for a reason. Do not make any material changes to spam before submitting or parsing which may cause SpamCop to find a link, address or URL it normally would not, by design, find." I don't see any mention of this only applying in cases that might cause a misidentification of the sender. Am I interpreting this too strictly/literally? In my case, the spammer was not using a bogus URL, there were simply bogus HTML tags inserted between characters in the URL that prevented the SC parser from recognizing it. "Spam Hater" wrote in message news:mailman.24.1102010019.4572.spamcop-list@news.spamcop.net... > Where did you see a rule that says munging the message text is > forbidden?? AFAIK, you can munge anything you wish in order to hide > references to yourself in a SPAM item. If the SPAMmer includes a > bogus URL of the form www.yourdomain.com I personally don't think > there is anything wrong with simply removing the entire reference. > That would be a case of under reporting which shouldn't upset the > apple cart at all. It is the same as simply unclicking the checkmark > next to the report for that website after the parse. The only time > munging is not an option is when an ISP specifically refuses munged > reports. > > Are you sure you are not confusing this with the "no material > changes" rule? That only applies to cases where changing a > header item might cause SpamCop to misidentify the sender... > > On 02 Dec 2004 Thomas Bean wrote: > > > Is there any way to get SC to report these > > sites without munging the message text (which is against SC rules)? > From SpamNScamsReporter# at gmail#.com# Thu Dec 2 10:12:31 2004 From: SpamNScamsReporter# at gmail#.com# (Spam N Scams Reporter) Date: Thu Dec 2 13:15:06 2004 Subject: [SpamCop-List] Re: Lycos DDos Screensaver ? In-Reply-To: References: Message-ID: Spam Hater wrote: > What I am wondering is which sites are on the attack list?? The article I > read mentioned SpamCop as the source, but SpamCop only lists email > injection sites, not SPAMvertisers... So, does that mean the screen saver > is going after all the zombie boxes that are spewing out the SPAM itself > or do they have access to some hidden list of SPAMvertisers that we > report? > > At 10:39 PM 12/1/2004 -0800, sk1w1 typed: > > >>snip< >>Wonder how many users after signing up will get there service threatened >>/ cut by their own ISP for 'denial of service' reasons... and/or ISPs >>start charging for 'excessive' download volumes... Here is what seems to be the target list. > Here's some operational data captured via ethereal > > The target list generated by the botnet controller: > > GET > /xml/69426058014054/94772079193788/35264029467456/12122010129438/CONFIG_2865 > 2023942308.xml HTTP/1.1 > Referer: > http://backend.makelovenotspam.com/xml/69426058014054/94772079193788/3526402 > 9467456/12122010129438/CONFIG_28652023942308.xml > x-flash-version: 7,0,19,0 > User-Agent: Shockwave Flash > Host: backend.makelovenotspam.com > Cache-Control: no-cache > > HTTP/1.1 200 OK > Server: Resin/2.1.14 > Content-Type: text/xml; charset=UTF-8 > Content-Length: 2889 > Connection: close > Date: Thu, 02 Dec 2004 15:22:00 GMT > > > domain="myshopinternetcompany.com" > url="http://myshopinternetcompany.com/?e=aa5100" bytes="357460680" > hits="2572309" percentage="100" responsetime01="498" responsetime02="0" > location="BR" /> url="http://grlswaiting4u.com/" bytes="206765667" hits="1488797" > percentage="100" responsetime01="11866" responsetime02="0" location="US" > /> url="http://1stwebsitetheyourshop.com/?e=aa5100" bytes="317867325" > hits="2288427" percentage="100" responsetime01="507" responsetime02="0" > location="BR" /> url="http://cheap-r-x.com/" bytes="355920802" hits="2565612" > percentage="100" responsetime01="787" responsetime02="0" location="CN" > /> url="http://www.hlplmanhds.biz/" bytes="317590861" hits="2269503" > percentage="100" responsetime01="785" responsetime02="0" location="CN" > /> url="http://r.vtm.homewo.com/" bytes="367630639" hits="2248424" > percentage="100" responsetime01="5542" responsetime02="0" location="CN" > /> url="http://www.incentiverewardcenter.com/xg_reg.htm?SID=ab9ee352c3402bdc858 > e5540b887d28a--landing_page=1--show=zip--=--p=92375--c=5411-toys250_720_emc- > -catalog_id=14--a=--affil=5408--subid=1" bytes="1028999994" hits="6992693" > percentage="-144200" responsetime01="1442" responsetime02="-1" location="US" > /> url="http://www.macromed.ws/" bytes="742958780" hits="5063804" > percentage="100" responsetime01="1212" responsetime02="0" location="RU" > /> url="http://www.curdom.com/" bytes="734756904" hits="4831221" > percentage="46" responsetime01="2134" responsetime02="4541" location="CN" > /> url="http://www.bacbwefds.info/" bytes="422036604" hits="2463679" > percentage="100" responsetime01="3375" responsetime02="0" location="CN" > /> value="http://backend.makelovenotspam.com/xml" /> name="interval-diagram" value="10000" /> value="10000" /> name="refresh-xml" value="1200000" /> /> value="http://backend.makelovenotspam.com/report" /> name="average-percentage" value="100.0" /> value="143003829363" /> name="downloads" value="103803" /> /> > > From nobody at devnull.spamcop.net Thu Dec 2 12:31:01 2004 From: nobody at devnull.spamcop.net (Cat) Date: Thu Dec 2 13:35:03 2004 Subject: [SpamCop-List] Re: SC Parser misses URLs w/ bogus embedded HTML tags In-Reply-To: References: Message-ID: (Top posting fixed) Thomas Bean wrote: > "Mike Easter" wrote in message > news:conhi1$geo$1@news.spamcop.net... >>The context is like this: >> >>Here is your TRACKING URL - it may be saved for future reference: >>spamcop.net/sc?id=z698550180za357f3a3dcfb7167cafed942287fbf56z > Sorry, here is the tracking URL: > > http://www.spamcop.net/sc?id=z698535436z3e5e148442ca867247174028607d3131z Please don't top post. It gets the conversation out of order and makes it harder to understand the context of your posts because people have to scroll up and down to understand what you're saying or replying to. Notice how Mike Easter replied inline below each quoted point and snipped out the rest. Inline posting keeps the conversation in a logical order. See #6 at http://linux.sgms-centre.com/misc/netiquette.php and #1 and #2 at http://www.river.com/users/share/etiquette/ for more snipping and inline posting netiquette. -Cat SpamCop user, not an admin From MikeE at ster.invalid Thu Dec 2 10:46:08 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Dec 2 13:50:03 2004 Subject: [SpamCop-List] Re: SC Parser misses URLs w/ bogus embedded HTML tags References: Message-ID: Thomas Bean wrote: > Sorry, here is the tracking URL: spamcop.net/sc?id=z698535436z3e5e148442ca867247174028607d3131z In this example, not only does SC fail to find the spamvertised payload because of the construction, but the 'evidence' of the body content only has 'value' when rendered. One of the values of manual reporting is to be able to handle particular items 'easily' when the SC method doesn't suffice. The way I would report that with my 'standard' manual template, which has the entire original complete headers + unrendered spambody, would be to also include the rendered version just above that section. I would also pay attention to where that notify would be going. 211.158.15.61 no rDNS whois.apnic.net inetnum: 211.158.0.0 - 211.158.31.255 descr: Chongqing BoardBand Networks Co.,Ltd. which is listed in multiple db/s including sbl as the /17 and spews as 1, 211.158.0.0 - 211.158.31.255, cqnet.com.cn (extremexxxfootage.com) those are both huge blocks, indicating total unresponsiveness; so simply reporting to the unresponisve .cn provider isn't going to do anygood at all. So, now that we've gone to the trouble of figuring that SC can't notify, we would also have to go to additional trouble to assess the upstream adjacencies of the unresponsive provider; which is likely to turn out very glum. The ASN is AS17774 Upstream Adjacent AS list AS9817 ETNSBBNETWORK Guangdong Belton Telecommunications Technology Development Co.,Ltd. support@etns.net abuse@gblx.net postmaster@elephanttalk.com postmaster@etns.net (for etns.net) AS9929 CNCNET-CN China Netcom Corp. tech-group@china-netcom.com daihy@china-netcom.com postmaster@china-netcom.com cncsummary@special.abuse.net (for china-netcom.com) So, it isn't a very happy picture, but at least you would have done a thorough job of notifying the 'appropriate' upstreams. You would tell them about the unresponsiveness of the provider vis the spews and spamhaus listings in about 1 line. -- Mike Easter kibitzer, not SC admin From dkona7b02 at sneakemail.com Thu Dec 2 14:00:19 2004 From: dkona7b02 at sneakemail.com (Spam Hater) Date: Thu Dec 2 14:00:26 2004 Subject: [SpamCop-List] Re: SC Parser misses URLs w/ bogus embedded HTML tags In-Reply-To: References: Message-ID: <3.0.5.32.20041202140019.01606620@loki.fstrf.org> Yes, I believe you are being too strict in your interpretation... Material changes, as defined, are only those that will cause the parser to change its mind about who to report. Taking out spurious noise in the SPAM body shouldn't cause any change in the parsers processing along those lines so it shouldn't be considered a "material" change in my opinion... At 12:10 PM 12/2/2004 -0600, Thomas Bean typed: >Not according to the FAQ (http://www.spamcop.net/fom-serve/cache/283.html): > > SpamCop FAQ : SpamCop Parsing and Reporting Service : Rules - everybody >read! : Material changes to spam > > "SpamCop does what it does and doesn't do for a reason. Do not make any >material changes to spam before submitting or parsing which may cause >SpamCop to find a link, address or URL it normally would not, by design, >find." > >I don't see any mention of this only applying in cases that might cause a >misidentification of the sender. Am I interpreting this too >strictly/literally? > >In my case, the spammer was not using a bogus URL, there were simply bogus >HTML tags inserted between characters in the URL that prevented the SC >parser from recognizing it. > >"Spam Hater" wrote >> Where did you see a rule that says munging the message text is >> forbidden?? AFAIK, you can munge anything you wish in order to hide >> references to yourself in a SPAM item. If the SPAMmer includes a >> bogus URL of the form www.yourdomain.com I personally don't think >> there is anything wrong with simply removing the entire reference. >> That would be a case of under reporting which shouldn't upset the >> apple cart at all. It is the same as simply unclicking the checkmark >> next to the report for that website after the parse. The only time >> munging is not an option is when an ISP specifically refuses munged >> reports. >> >> Are you sure you are not confusing this with the "no material >> changes" rule? That only applies to cases where changing a >> header item might cause SpamCop to misidentify the sender... >> >> On 02 Dec 2004 Thomas Bean wrote: >> >> > Is there any way to get SC to report these >> > sites without munging the message text (which is against SC rules)? From PossumTrot at dont.spam.me Thu Dec 2 10:56:22 2004 From: PossumTrot at dont.spam.me (Possum Trot) Date: Thu Dec 2 14:05:03 2004 Subject: [SpamCop-List] FTC Endorses Bounty for Spammers Message-ID: The U.S. Federal Trade Commission has given its endorsement to a plan that would reward insiders for information leading to the arrest and conviction of people or companies that produce spam. http://tinyurl.com/4qytq From MikeE at ster.invalid Thu Dec 2 11:06:24 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Dec 2 14:10:04 2004 Subject: [SpamCop-List] Re: SC Parser misses URLs w/ bogus embedded HTML tags References: Message-ID: oops, I left out the notifies for AS17774 Mike Easter wrote: > 211.158.15.61 no rDNS > whois.apnic.net > inetnum: 211.158.0.0 - 211.158.31.255 > descr: Chongqing BoardBand Networks Co.,Ltd. whois -h whois.abuse.net cqnet.com.cn ... postmaster@cqnet.com.cn abuse@cnc-noc.net (for cqnet.com.cn) I believe in including the unresponsive provider in the same notify that I'm copying to its upstream adjacencies. Sometimes it is motivating. The fact that cnc-noc is in the abuse.net reg is a 'good sign' [not really great, but something 'postive' amidst the gloom]. > The ASN is AS17774 > Upstream Adjacent AS list -- Mike Easter kibitzer, not SC admin From please_reply_to_newsgroup at something.com Thu Dec 2 19:10:03 2004 From: please_reply_to_newsgroup at something.com (Paul D) Date: Thu Dec 2 14:10:06 2004 Subject: [SpamCop-List] Re: SpamCop Painfully Slow References: Message-ID: Hi Everyone I'm afraid the problem hasn't become any better. Is anyone able to make any progress with this, or will I have to stop using the service? This would eb a shame. Thanks Paul From SpamNScamsReporter# at gmail#.com# Thu Dec 2 11:50:59 2004 From: SpamNScamsReporter# at gmail#.com# (Spam N Scams Reporter) Date: Thu Dec 2 14:55:03 2004 Subject: [SpamCop-List] Re: Phish For A Phisher :-) In-Reply-To: References: Message-ID: Gezgin wrote: > "Taurolyon" <---------------------------@spamcop.net> wrote > >>> Interesting - Phisher forgot to chmode to stop peaking :-) >>> http://146.83.5.15/.paypal/ > > >> scary stuff.. what does he plan on doing? getting people's paypal info? > > > More likely making a complete fool of himself on the net. Though I am a > bit puzzled that the site is still up. It certainly must have been > reported many times already. > The site no longer resolves for me. From Merlyn at Spamcop.net Thu Dec 2 14:58:52 2004 From: Merlyn at Spamcop.net (Merlyn) Date: Thu Dec 2 15:00:03 2004 Subject: [SpamCop-List] Re: FTC Endorses Bounty for Spammers References: Message-ID: "Possum Trot" wrote in message news:cononi$mdp$1@news.spamcop.net... > The U.S. Federal Trade Commission has given its endorsement to a plan that > would reward insiders for information leading to the arrest and conviction > of people or companies that produce spam. > > http://tinyurl.com/4qytq Old News: September 17, 2004 -- Regards, Merlyn A Spamcop advocate No emails this account is for newsgroups only People demand freedom of speech to make up for the freedom of thought which they avoided From MikeE at ster.invalid Thu Dec 2 12:34:39 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Dec 2 15:35:03 2004 Subject: [SpamCop-List] Re: SC Parser misses URLs w/ bogus embedded HTML tags References: Message-ID: Thomas Bean wrote: > The actual spamvertised URL is http://211.158.15.61/vb/ > Is there any way to get SC to report > these sites No. If you are a free reporter you can manually notify. If you are a paid reporter you can add additional notify addresses to a spamcop report. But, you can't materially change the spamitem to cause SC to find something it wouldn't. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Thu Dec 2 12:38:17 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Dec 2 15:40:03 2004 Subject: [SpamCop-List] Re: SC Parser misses URLs w/ bogus embedded HTML tags References: Message-ID: Blammo wrote: > Thomas Bean >> Is there any way to get SC to report these >> sites without munging the message text (which is against SC rules)? > > If you open a second SpamCop window so you can get the Submit Spam > form you can paste the URL in and parse it. This will give you an > eMail address to ad to the user notification. > I'm pretty sure you need a paid account to get the User Notify option. What Ric is describing there is how to get SC to provide you with the notify address/es so that a paid reporter can add those to the notifies. He isn't talking about making a 'surreptitious' spamchange to get SC to notify something it didn't find. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Thu Dec 2 12:42:32 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Dec 2 15:45:03 2004 Subject: [SpamCop-List] Re: SC Parser misses URLs w/ bogus embedded HTML tags References: Message-ID: Restructuring this to counteract two topposters. >Thomas Bean wrote: >> Is there any way to get SC to report these >> sites without munging the message text (which is against SC rules)? Spam Hater wrote: > Where did you see a rule that says munging the message text is > forbidden?? Helping SC find something is a material change. > AFAIK, you can munge anything you wish in order to hide > references to yourself in a SPAM item. If the SPAMmer includes a > bogus URL of the form www.yourdomain.com I personally don't think > there is anything wrong with simply removing the entire reference. Removing references to yourself isn't the same thing as helping SC find something. > Are you sure you are not confusing this with the "no material > changes" rule? That only applies to cases where changing a > header item might cause SpamCop to misidentify the sender... Body changes are a problem as well - when they cause SC to find something it wouldn't have. There isn't an appropriate body change to help SC find this item we are talking about. Making a body change to exclude your own address is OK. Making a body change such as putting in an url isn't OK. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Thu Dec 2 12:44:52 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Dec 2 15:45:08 2004 Subject: [SpamCop-List] Re: SC Parser misses URLs w/ bogus embedded HTML tags References: Message-ID: Spam Hater wrote: > Yes, I believe you are being too strict in your interpretation... > Material changes, as defined, are only those that will cause the > parser to change its mind about > who to report. Taking out spurious noise in the SPAM body shouldn't > cause any change in the parsers processing along those lines so it > shouldn't be considered a "material" change in my opinion... What you are arguing about, namely removing your name or address from the body isn't 'germane' to this discussion. We are talking about a condition in which the parser doesn't find the url which the reporter knows about and wants to notify for. You aren't talking about what /we/ are talking about. -- Mike Easter kibitzer, not SC admin From dkona7b02 at sneakemail.com Thu Dec 2 16:12:39 2004 From: dkona7b02 at sneakemail.com (Spam Hater) Date: Thu Dec 2 16:12:44 2004 Subject: [SpamCop-List] Re: SC Parser misses URLs w/ bogus embedded HTML tags In-Reply-To: References: Message-ID: <3.0.5.32.20041202161239.01688008@loki.fstrf.org> First up, where do you see an argument??? The point I was making, in this ongoing discussion, is about munging. The usual use of munging is to remove or alter identifying references to yourself. According to the rules, this is perfectly acceptable. Taken a step further, I believe it can apply to any extra bits of nonsense the SPAMmer may have filled the SPAM with to try to confuse the reader (or the parser). As we constantly tell people, just about anything can be used to identify you, so why not extra HTML tags? I have seen SPAM with all sorts of extra bogus tags. When viewed normally, they just don't show up. If you try to look at the raw source, i.e.. if you are trying to track down the SPAMmer, then all the extra gibberish just confuses things and helps hide his tracks. I haven't seen SPAM like that since my company started filtering our mail, but back when I did, I ran a script on it to automagically remove all the nonsense before ever even submitting it. I wasn't doing so in an effort to force the parser to find something it shouldn't, just to make the SPAM legible so those getting the report would be better able to parse it themselves. I never once received a complaint from anyone that I had altered the original or that the parser had misidentified the culprits... At 12:44 PM 12/2/2004 -0800, Mike Easter typed: >What you are arguing about, namely removing your name or address from >the body isn't 'germane' to this discussion. We are talking about a >condition in which the parser doesn't find the url which the reporter >knows about and wants to notify for. > >You aren't talking about what /we/ are talking about. > >Spam Hater wrote: >> Yes, I believe you are being too strict in your interpretation... >> Material changes, as defined, are only those that will cause the >> parser to change its mind about >> who to report. Taking out spurious noise in the SPAM body shouldn't >> cause any change in the parsers processing along those lines so it >> shouldn't be considered a "material" change in my opinion... From nobody at spamcop.net Thu Dec 2 16:19:31 2004 From: nobody at spamcop.net (Pop) Date: Thu Dec 2 16:20:02 2004 Subject: [SpamCop-List] Re: Lycos DDos Screensaver ? References: Message-ID: ... | | For whatever it's worth, the link *is* advertised on the main site: | http://www.lycos.de/ The link is to: http://www.lycos.de/makelovenotspam/ | but clicking on the link from there, you get a Flash popup. | | Dar | | WHERE? I searched the Main Site page's code, plus turned a crawler loose and neither turned up anything even close to that URL. Clicking on the URL gets nothing. I submit you're either trojanized, trolling, or lying or passing on info you haven't verified? What you see in the explorer bar isn't necessarily the actual site you are at, you know. Regards, Pop From A_No_Spam_Haumer at gmx.net Thu Dec 2 22:42:01 2004 From: A_No_Spam_Haumer at gmx.net (Anton Haumer) Date: Thu Dec 2 16:45:04 2004 Subject: [SpamCop-List] SC's Website Message-ID: <41AF8C29.791C9B94@gmx.net> What the hell is going on with www.spamcop.net ? Since today : my login (expires in one week) is forgotten after some submissions my preferred text size is forgotten from one visit to the next Problems with the website/system? Toni From pete at heypete.com Thu Dec 2 13:41:51 2004 From: pete at heypete.com (Pete Stephenson) Date: Thu Dec 2 16:45:08 2004 Subject: [SpamCop-List] Re: FTC Endorses Bounty for Spammers References: Message-ID: In article , "Merlyn" wrote: > Old News: ...but still good news. :) -- Pete Stephenson HeyPete.com From Merlyn at Spamcop.net Thu Dec 2 16:45:37 2004 From: Merlyn at Spamcop.net (Merlyn) Date: Thu Dec 2 16:50:03 2004 Subject: [SpamCop-List] Re: FTC Endorses Bounty for Spammers References: Message-ID: "Pete Stephenson" wrote in message news:pete-7DE4D9.13415102122004@news.cesmail.net... > In article , > "Merlyn" wrote: > >> Old News: > > ...but still good news. :) > I agree Pete :-) Pete, I have some interesting info for ya!!!!!!!!! Should I use the support email or something else? -- Regards, Merlyn A Spamcop advocate No emails this account is for newsgroups only People demand freedom of speech to make up for the freedom of thought which they avoided From pete at heypete.com Thu Dec 2 13:47:49 2004 From: pete at heypete.com (Pete Stephenson) Date: Thu Dec 2 16:50:07 2004 Subject: [SpamCop-List] Re: Lycos DDos Screensaver ? References: Message-ID: In article , "Pop" wrote: > WHERE? I searched the Main Site page's code, plus turned a > crawler loose and neither turned up anything even close to that > URL. http://www.lycos.co.uk/ mentions it, though the makelovenotspam.com website appears to be down. -- Pete Stephenson HeyPete.com From MikeE at ster.invalid Thu Dec 2 13:48:42 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Dec 2 16:50:15 2004 Subject: [SpamCop-List] Re: SC Parser misses URLs w/ bogus embedded HTML tags References: Message-ID: Spam Hater wrote: > First up, where do you see an argument??? 'We' were explaining to Thomas that there wasn't a way that he could change the spam's body content so that in the item being discussed, namely spamcop.net/sc?id=z698535436z3e5e148442ca867247174028607d3131z that the 'missing' link which he knows about from rendering, namely http://211.158.15.61/vb/ could be 'spamcop reported' in response to his original question: Thomas Bean wrote: > Is there any way to get SC to report > these sites without munging the message text (which is against SC > rules)? The very /first/ thing you said in a topposted reply to that above post of his was this: Spam Hater wrote: > Where did you see a rule that says munging the message text is > forbidden?? Which definitely looks like a discussion or disagreement with what he said. You are now trying to say that you weren't rebutting what he said, but starting a different subthread within the original thread in which your subthread is /really/ about mungeing or removing references to your own name or address. If you would post inline so that your remarks are directly underneath exactly what you are talking about, neither you nor the other posters who try to engage in a conversation with your and others will be confused. I think you got confused earlier because a thought came into your head and then you wanted to type it, and what you were typing and talking about wasn't the same thing as the rest of us were talking about. That is a very common problem with topposting and not trimming and contextualizing. If you want to say that I'm confused and you aren't, that's all right with me too; but in either case, topposting is contributing to the confusion condition. -- Mike Easter kibitzer, not SC admin From me at privacy.net Thu Dec 2 21:49:22 2004 From: me at privacy.net (Michael R N Dolbear) Date: Thu Dec 2 16:50:20 2004 Subject: [SpamCop-List] Easynet.co.uk null route a Trojaned DSL customer Message-ID: <01c4d8b7$6c15cf80$LocalHost@default> In reply to a spamcop complaint that dsl-212-135-217-67.dsl.easynet.co.uk (212.135.217.67) is an open proxy (Sat, Nov 27, 2004 at 03:52:46AM) Easynet Abuse Team replied 02 December 2004 00:49 This incident arose as a result of a machine on our customer's network having become compromised by a Trojan horse program, which then allowed unscrupulous bulk emailers to install an insecure open proxy server on the machine in question, without our customer's knowledge, authorisation or permission. ... All attempts to contact our customer concerning this incident having failed, we have now raised an Operations ticket with a request to null route the IP address concerned in order to disconnect it from the Internet and to put an end to the abuse. This will be actioned within the next few hours. The null route will not be removed until such time as our customer is able to assure us that the vulnerability has been secured. -- Mike D From michael.spamcop at michaellefevre.com Thu Dec 2 21:51:28 2004 From: michael.spamcop at michaellefevre.com (Michael Lefevre) Date: Thu Dec 2 16:55:02 2004 Subject: [SpamCop-List] Re: Why do people spam? References: Message-ID: Stewart Gordon wrote: > Michael Lefevre wrote: > >> I don't see how it's of benefit to everyone. Letting the spam through the >> first stage and then bouncing it means you're generating a large number of >> messages (which isn't nice for the receiving machine), and then sending >> them to forged addresses, which certainly isn't a benefit for the owners >> of the forged addresses. > > > It would address the bounce using an algorithm that tracks down the real > sender, rather than the standard 'just use the From header' approach. As far as I know, there isn't an algorithm that can find a working email address for the human being that was responsible for sending the spam. Spamcop is about as good as you can get in that direction, which is finding an address for someone responsible for the network which the real sender used - that's not the same thing, and it's not accurate enough to trust automatically in most cases. > I guess an alternative would be a system whereby the SMTP server calls > the police and then returns an error code after a while (or maybe even > leaves the operation to time out). I don't imagine any police would appreciate a computer phoning them up and giving an automated report of unauthorised computer access. It's a pretty hard task to get any police interested in far more serious computer crimes. -- Michael From SpamNScamsReporter# at gmail#.com# Thu Dec 2 14:06:04 2004 From: SpamNScamsReporter# at gmail#.com# (Spam N Scams Reporter) Date: Thu Dec 2 17:10:02 2004 Subject: [SpamCop-List] Re: SC's Website In-Reply-To: <41AF8C29.791C9B94@gmx.net> References: <41AF8C29.791C9B94@gmx.net> Message-ID: Anton Haumer wrote: > What the hell is going on with www.spamcop.net ? > > Since today : > my login (expires in one week) is forgotten after some submissions > my preferred text size is forgotten from one visit to the next > > Problems with the website/system? > > Toni Check to see if you're accepting cookies from SC. Brian From dkona7b02 at sneakemail.com Thu Dec 2 17:10:41 2004 From: dkona7b02 at sneakemail.com (Spam Hater) Date: Thu Dec 2 17:10:47 2004 Subject: [SpamCop-List] Re: Easynet.co.uk null route a Trojaned DSL customer In-Reply-To: <01c4d8b7$6c15cf80$LocalHost@default> Message-ID: <3.0.5.32.20041202171041.0166ded0@loki.fstrf.org> It is always nice to see a responsible ISP in action... Something strikes me as a bit odd though. In the first paragraph they claim a Trojan horse took over the machine and did so "without our customer's knowledge, authorisation or permission." Yet first thing they admit in the second paragraph is that they have not been able to contact said customer... How can they claim the customer had no knowledge if they haven't even talked with them about it? Kudos to them if they actually follow through with the null routing! At 09:49 PM 12/2/2004 +0000, Michael R N Dolbear typed: >In reply to a spamcop complaint that >dsl-212-135-217-67.dsl.easynet.co.uk (212.135.217.67) is an open proxy >(Sat, Nov 27, 2004 at 03:52:46AM) > >Easynet Abuse Team replied 02 December 2004 00:49 > >This incident arose as a result of a machine on our customer's network >having become compromised by a Trojan horse program, which then allowed >unscrupulous bulk emailers to install an insecure open proxy server on >the machine in question, without our customer's knowledge, >authorisation or permission. >... >All attempts to contact our customer concerning this incident having >failed, we have now raised an Operations ticket with a request to >null route the IP address concerned in order to disconnect it from >the Internet and to put an end to the abuse. This will be actioned >within the next few hours. The null route will not be removed until >such time as our customer is able to assure us that the vulnerability >has been secured. From A_No_Spam_Haumer at gmx.net Thu Dec 2 23:23:09 2004 From: A_No_Spam_Haumer at gmx.net (Anton Haumer) Date: Thu Dec 2 17:25:04 2004 Subject: [SpamCop-List] Re: SC's Website References: <41AF8C29.791C9B94@gmx.net> Message-ID: <41AF95CD.D2DF94E9@gmx.net> Spam N Scams Reporter wrote: > > Anton Haumer wrote: > > What the hell is going on with www.spamcop.net ? > > > > Since today : > > my login (expires in one week) is forgotten after some submissions > > my preferred text size is forgotten from one visit to the next > > > > Problems with the website/system? > > > > Toni > > Check to see if you're accepting cookies from SC. > > Brian Yes I do accept cookies from SC, of course. Yesterday everthing worked fine. I didn't change anything. Today - strange behaviour ... Toni From pete at heypete.com Thu Dec 2 14:48:28 2004 From: pete at heypete.com (Pete Stephenson) Date: Thu Dec 2 17:50:03 2004 Subject: [SpamCop-List] Re: FTC Endorses Bounty for Spammers References: Message-ID: In article , "Merlyn" wrote: > I agree Pete :-) > > Pete, I have some interesting info for ya!!!!!!!!! Oooh. :) > Should I use the support email or something else? pete@heypete.com has been, is, and likely will remain (as long as technically possible) valid. support@ and all the other @heypete.com address all forward to me. :-P -- Pete Stephenson HeyPete.com From nobody at spamcop.net Thu Dec 2 17:43:59 2004 From: nobody at spamcop.net (Ellen) Date: Thu Dec 2 18:05:02 2004 Subject: [SpamCop-List] Re: SC's Website References: <41AF8C29.791C9B94@gmx.net> <41AF95CD.D2DF94E9@gmx.net> Message-ID: -- "Anton Haumer" wrote in message news:41AF95CD.D2DF94E9@gmx.net... > > Yes I do accept cookies from SC, of course. > Yesterday everthing worked fine. > I didn't change anything. > Today - strange behaviour ... > > Toni Try deleting the cookie, closing the browser and then opening it and logging back in again. Ellen From Merlyn at Spamcop.net Thu Dec 2 18:14:15 2004 From: Merlyn at Spamcop.net (Merlyn) Date: Thu Dec 2 18:15:02 2004 Subject: [SpamCop-List] Re: FTC Endorses Bounty for Spammers References: Message-ID: Just sent! -- Regards, Merlyn A Spamcop advocate No emails this account is for newsgroups only People demand freedom of speech to make up for the freedom of thought which they avoided From mfkmek820 at yahoo.com Thu Dec 2 16:09:53 2004 From: mfkmek820 at yahoo.com (Fred K) Date: Thu Dec 2 20:15:03 2004 Subject: [SpamCop-List] Re: SC Parser misses URLs w/ bogus embedded HTML tags References: Message-ID: "Spam Hater" wrote in message news:mailman.26.1102021965.4572.spamcop-list@news.spamcop.net... > First up, where do you see an argument??? > > The point I was making, in this ongoing discussion, is about munging. The > usual use of munging is to remove or alter identifying references to > yourself. > According to the rules, this is perfectly acceptable. Taken a step > further, > I believe it can apply to any extra bits of nonsense the SPAMmer may > have filled the SPAM with to try to confuse the reader (or the parser). As > we constantly tell people, just about anything can be used to identify > you, > so why not extra HTML tags? I have seen SPAM with all sorts of extra > bogus tags. When viewed normally, they just don't show up. If you try to > look at the raw source, i.e.. if you are trying to track down the SPAMmer, > then all the extra gibberish just confuses things and helps hide his > tracks. > I haven't seen SPAM like that since my company started filtering our mail, > but back when I did, I ran a script on it to automagically remove all the > nonsense before ever even submitting it. I wasn't doing so in an effort > to > force the parser to f