From downunder at xyz.com Tue Jun 1 04:03:51 2004 From: downunder at xyz.com (Chelle) Date: Mon May 31 13:10:02 2004 Subject: [SpamCop-List] Re: Email Blocked References: Message-ID: yah well I guess I was right.. but gotta luv long contracts Betsy! Telstra's belief is that as I CAN send to those same recipients via webmail, the problem is mine, and a configuration I've goofed somewhere. I might be blonde, but not stupid!! Thanks folks. (oh mike? the configuration of the servers remark - does that have anything to do with them blocking port ? 25? that I think they were planning on doing a while back? - not sure if they did it) "Miss Betsy" wrote in message news:c9fk44$uqf$1@news.spamcop.net... > > "Chelle" wrote in message > news:c9f5sb$i8a$1@news.spamcop.net... > > 144.135.25.169 is one of the ips listed on the spam rejection advice. > Yes I > > did a whois on it and found it to be bigponds mail server, but sheesh > this > > is kinda frustrating. > > It is kinda frustrating to be receiving spam and to know that some > really large ISP's don't seem to care about controlling spam on the > internet. > > Apparently, Telstra does not do something very simple to make their > headers easily identified. That makes it difficult for those who want > to report spam to white hat ISP's (who will then stop the spam) or to > block the ISP's who allow spam to continue so that those who don't want > spam to block it. > > Ultimately it is the *sending* end that can control spam by not > allowing it to be sent. Therefore, the *senders* of ordinary email > need to choose ISP's who are responsible about email. I know that it > is difficult to find an alternative to Telstra in Austraila, but just > possibly if you can get a supervisor to talk to, then perhaps customer > complaints about poor email service will begin to penetrate the > bureaucracy. You are not the only Telstra customer who is having > problems. > > Good Luck > > Miss Betsy > > > From nobody at devnull.spamcop.net Tue Jun 1 09:26:29 2004 From: nobody at devnull.spamcop.net (brewman) Date: Mon May 31 16:25:13 2004 Subject: [SpamCop-List] Re: Why won't SpamCop trace a URL? I know how to do it References: Message-ID: > So what? The request returns Javscript code. That has nothing to do with > "Cannot resolve". Umm, you've commented on something that you say has nothing to do with my question. Let me reword the question .... ================================ I have spam which says: Tracking link: http://instantwinner.rli3.org/iwin.html Cannot resolve http://instantwinner.rli3.org/iwin.html Why can't SpamCop resolve this, and so notify the hosting people, both of this site, and the site that it navigates to (http://www.ace-games.com/SmartDownloadCasino.asp?affid=3)? I've been informed that this is nothing to do with Javasript ================================= From nobody at devnull.spamcop.net Tue Jun 1 10:25:03 2004 From: nobody at devnull.spamcop.net (brewman) Date: Mon May 31 17:25:05 2004 Subject: [SpamCop-List] Re: Why won't SpamCop trace a URL? I know how to do it References: Message-ID: Thank you Mike (and Spambo, too - I'll just reply once and had to make an arbitrary choice about which one to use) Both of you have clarified things for me; I kind of assumed (arrggghhh! I know ...) that the 'not resolved' was a permanent condition, & related to obfuscation. I've been with SpamCop for less than 24 hours, and still learning the ropes. Although I can solve the obfuscated redirection issue, I now see that it is pointless making it automatic. I'll think some more about it (perhaps a standalone interactive tracer is the way), and might raise it as another issue if I get anywhere. ============================== "Mike Easter" wrote in message news:c9g5th$e5p$1@news.spamcop.net... "Spambo" wrote in message ... lots of useful things From nobody at xyzzy.claranet.de Tue Jun 1 00:42:47 2004 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Mon May 31 17:45:03 2004 Subject: [SpamCop-List] Re: reporting time References: Message-ID: <40BBA6D7.6F3B@xyzzy.claranet.de> BarkerJr wrote: [deliberately misleading quote] > the older members actually have a chance to decrease the > reporting time. It works for me, it took about 4 weeks from 15 to 11 hours, and now I'm at 10. If I'm online for 6 hours per day (with an average of 1 hour to report spam), and if I report all spams received in the remaining 18 hours as soon as I'm online again, then my "ideal" reporting time would be 8.125 = (24 +1 +2 +... +18)/24. It's only a gimmick. Bye, Frank From not at home.today Tue Jun 1 00:22:06 2004 From: not at home.today (Ant) Date: Mon May 31 18:25:05 2004 Subject: [SpamCop-List] Re: OT this and that-Re: I'm leaving spamcop.... References: Message-ID: "Annie" wrote... [...] > Microsoft set their own standard thinking they were the only > standard to be set. They have a habit of doing that. > [...] Memory lane, ain't it wonderful. Don't get me started. Having cut my teeth on mainframes in the 70s, I didn't have anything to do with "Personal Computers" when they came along. To me they were things used by hobbyists and secretarys! > Now I am comfortable with IE and OE So am I. They have their faults and vulnerabilities, but I work around them. > [...] we common folk are caught in the middle. Common as muck, that's me :) Actually I'm a software developer (or programmer as they used to say), but not exclusively for PCs. [...] > I wonder if non technical users will be regular users of any usenet? > Unless it is made terribly easy and automatic. There are plenty. They install their ISP's software which sets up OE with a selection of local newsgroups. Then they post to a group asking for help, reply with top-posts and new threads where they should have been following up to the original, get flamed and confused by the regulars, and if they have thick skins eventualy learn how to conduct themselves. They may never become "technical" as such, but have learnt the ways of Usenet, and go off to explore new groups. Miss Betsy, a regular in this group, often proclaims to be technically non-fluent - but I'm sure she's learning! From nobody at devnull.spamcop.net Tue Jun 1 11:55:26 2004 From: nobody at devnull.spamcop.net (brewman) Date: Mon May 31 18:55:03 2004 Subject: [SpamCop-List] Where do I find the "SpamCop Parser", to use it without reporting? Message-ID: Where do I find the SC parsing engine to do the spade work in finding out where my Joe-Job bounced spam came from originally and who the spamvertised site is? I have genuinely searched the site, but cannot find it. I have registered my Mailhost (which deliverately stops me doing what I want to do via cut-n-paste - yes, I could register another user, but I'm sure that that would be frowned upon). I can't use what I think is the SpamCop Parser (http://www.spamcop.net/?code=mYsPeCiAlCode) , using the box below "Paste entire spam (headers, blank line, body) - or - single address (one line only): " because when I cut-n-paste the original spam it grinds to a halt after line 1 with Possible forgery. Supposed receiving system not associated with any of your mailhosts Will not trust anything beyond this header No source IP address found, cannot proceed. If someone could point at the FAQ (or isn't it frequent?) or whatever, that would be good. Sorry - I'm new around these parts. -- Brewman Brewman.SpamCop@brycom.cX.nX which really ends with dot co dot nz From nobody at spamcop.net Tue Jun 1 09:59:14 2004 From: nobody at spamcop.net (Petzl) Date: Mon May 31 19:01:43 2004 Subject: [SpamCop-List] Re: Email Blocked References: Message-ID: On Mon, 31 May 2004 21:39:35 +1000, "Chelle" wrote: >144.135.25.169 is one of the ips listed on the spam rejection advice. Yes I >did a whois on it and found it to be bigponds mail server, but sheesh this >is kinda frustrating. > > > >The mail is being blocked and my ISP doesn't seem to comprehend what I"m >telling them. Their response was that if spamcop or another similar >organisation was blocking bigpond's mailservers, then they would have been >inundated. Bigpond/Telstra have never shown me they know anything about communication and could not care **Bigpond need to include a received header string** They are not doing this thus concealing the source blacklists (They are on most) have to block their incompetency to stop being hammered by spammers. The only IP genuine IP BigPond list is theirs? *****from *Ellen SpamCop Admin**** Newsgroups: spamcop.mail Subject: Re: BIGPOND listed as Spammer - Largest ISP in Australia!!!! - 144.135.25.158 Date: Wed, 12 May 2004 14:55:04 -0400 Organization: SpamCop Lines: 29 Message-ID: But the real problem is that bigpond -- unlike just about every ISP -- does *not* include a received header in the header string with the IP address of the users sending the spam. That being the case there is no way to force the reports further down the header string. Adding a received header with the connecting user IP is not something new, most ISPs have been doing that for years and years. *****END*** **Sample of spam from google** Petzl -- SECURE YOUR COMPUTER NOW!! KEEP WINDOWS UPDATED http://v4.windowsupdate.microsoft.com/en/default.asp "AVG 6.0 Free Edition" Anti-Virus Check your computer for "Spy Bots" (free) Good firewall for windows(free version available) Block spamvertised websites (free. A must for Parents) From nobody at devnull.spamcop.net Tue Jun 1 14:26:46 2004 From: nobody at devnull.spamcop.net (brewman) Date: Mon May 31 21:25:02 2004 Subject: [SpamCop-List] ipadm@gddc.com.cn for 219.137.163.238 but returns '550-No such user' Message-ID: I'm tracking bounced Joe-job spam, and am getting notifications bounced 'cos ipadm@gddc.com.cn doesn't exist. I emailed ipuser@gddc.com.cn about this and - that doesn't exist either (okay, so I'm a slow learner; I like to give ppl the benefit of the doubt). Both are valid according to APNIC. Does SC know about this? What should I do about advising someone, or do I just sit there whilst the spam bounces back? -- Brewman Brewman.SpamCop@brycom.cX.nX which really ends with dot co dot nz From nobody at devnull.spamcop.net Tue Jun 1 15:26:40 2004 From: nobody at devnull.spamcop.net (brewman) Date: Mon May 31 22:25:03 2004 Subject: [SpamCop-List] Re: ipadm@gddc.com.cn for 219.137.163.238 but returns '550-No such user' References: Message-ID: "Mike Easter" wrote in message news:c9gngd$tmq$1@news.spamcop.net... > I think the important elements of the > 'question' belong in the body; only in the subject is 'awkward' to talk > about > agreed - sorry > 219.137.163.238 no rDNS SC notifies with ipadm@gddc.com.cn > > The way I lookup that is the apnic whois which is CHINANET Guangdong > which sez the above, > which abuse.net looksup as: > > whois -h whois.abuse.net gddc.com.cn ... > abuse@gddc.com.cn anti-spam@chinanet.cn.net > ctsummary@special.abuse.net (for gddc.com.cn) > > then I look it up in openrbl which tells me that it is spamcop listed, > also an open proxy, but that, surprisingly, it isn't spews and spamhaus > listed. That means that I don't 'open' my 'unresponsive' notify folder. Hmmm - I was hoping SC would save me that bit :-( > > > I'm tracking bounced Joe-job spam, > > Another minor nit, I only call it joejob when it is the 'original' > joe.com type of action. The other forgeries are simply forged Froms. > Which is actually a 'normal' condition of spam. I think you are simply > reporting some spams with your addy as the forged from. Not a joejob. > Let's ignore the From field. Even the To field. I have effective spam filters, but am getting HUNDREDS (it might be thousands by now, I stopped counting after a few days) of bounced emails crashing through from non-existent mailboxes around the globe which have artificial names prepended to MY domain name as the return address i.e. from RFC822 >> "Return-path" ":" route-addr ; return address (whether also the From address is irrelevant) Many even have MY domain name as the HELO/EHLO name (actual this is irrelevant, but shows the lengths that someone is going to in order to implicate me). One picked at random starts as follows: |------------------------- Failed addresses follow: ---------------------| unknown user / Teilnehmer existiert nicht 550 Mailbox quota exceeded / Mailbox voll. unknown user / Teilnehmer existiert nicht I believe that I AM the target of an "'original' joe.com type of action". If I am wrong, then shoot me down. -- Brewman Brewman.SpamCop@brycom.cX.nX which really ends with dot co dot nz From nobody at spamcop.net Tue Jun 1 15:36:38 2004 From: nobody at spamcop.net (Anony Mouse) Date: Mon May 31 22:40:02 2004 Subject: [SpamCop-List] Re: Response from Telstra (they're just as incompetent as ever) References: <40B712A9.6010405@spamcop.net> Message-ID: <40BBEBB6.6090408@spamcop.net> Redstone wrote: Just for you... The outcome of sorting Telstra out... A formal complaint to ISOC-AU did the trick. A senior Telstra representative writes.... ***** Your complaint regarding the in-action taken on your complaints to Abuse @ has been referred to me for follow up. Whilst i do not control or action that particular mailbox I do investigate and follow up the more serious escalations particularly where Bigpond is blacklisted. I have resolved the IP address referred to in your initial complaints. Customer has been contacted and service suspended until such time as the multiple infections are cleansed from her PC and suitable security is installed. This is a new user who purchased a PC, BB connection and Norton AV from a PC supermarket. Installed it and was infected probably within 15 minutes of connecting to the internet. Multiple infections have followed due to the activities of a teenage daughter in a variety of chatrooms. She has also been robbed via a keylogger trojan costing her approx $6,000 so far. An expensive lesson. The lack of action on the Abuse@ queue has been escalated to senior management for follow up. ***** Anonymouse. If proper action had been taken in the first place (nearly a month ago) the current situation would most likely be a lot different. Looks like some heads are going to roll. Need I comment any further.... From nobody at xyzzy.claranet.de Tue Jun 1 05:49:46 2004 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Mon May 31 22:55:04 2004 Subject: [SpamCop-List] Re: ipadm@gddc.com.cn for 219.137.163.238 but returns '550-No such user' References: Message-ID: <40BBEECA.7E55@xyzzy.claranet.de> brewman wrote: > One picked at random starts as follows: > |------------------------- Failed addresses follow: ---------------------| > > unknown user / Teilnehmer existiert nicht > > 550 Mailbox quota exceeded / Mailbox voll. > > unknown user / Teilnehmer existiert nicht > I believe that I AM the target of an "'original' joe.com type of action". > If I am wrong, then shoot me down. Bang. I see the same pattern, like small pieces of dictionary attacks on various mailers, in your case an attack on mailboxes starting with F @t-online.XXX For this part they (ab)used Mail From:. One thing you could try is to publish SPF records for your domain and all potential hosts (wildcard *). If user@brycom is the only form of address you ever use, and all what@ever.brycom are forged, you could simply add one record... * IN TXT "v=spf1 -all" ...please check this with the SPF wizard _and_ later test it with . For some obscure reasons I was pretty sure that what@xyzzy.claranet.de was protected by SPF. But that was wrong, at the moment only user@claranet.de is protected, the wildcard part is missing. Bye, Frank From nobody at xyzzy.claranet.de Tue Jun 1 06:03:28 2004 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Mon May 31 23:10:03 2004 Subject: [SpamCop-List] Re: ALERT: submit.xxxxxxxx.@spam.spamcop.net reporting system down? References: Message-ID: <40BBF200.1877@xyzzy.claranet.de> WazoO wrote: > http://alpha.cesmail.net/graphics/spamstats.gif doesn't seem > to show any major problems. IMHO it only shows _solved_ problems, and the last was 1400 EDT But I'm always lost with these timezones, except from my own local time and Zulu time ;-) Yes, there was a delay for about 5 hours (submitted: 2100 GMT, reports sent: 0200 GMT today). Bye, Frank From RobertTaylor at SpamCop.net Tue Jun 1 00:10:16 2004 From: RobertTaylor at SpamCop.net (Robert Taylor) Date: Mon May 31 23:15:02 2004 Subject: [SpamCop-List] Re: How to handle the spamreports that can't be send unmungled References: Message-ID: In news:c9ghs3$oks$1@news.spamcop.net, Mike Easter sent: > Robert Taylor wrote: >> Mike Easter >>> Did you know that Xenophon, student of Socrates, made a general >>> prior to any military experience, was probably the first 'horse >>> whisperer'? >> >> All but the "horse whisperer" part--though, now that you mention it I >> seem to remember reading that somewhere. (Don't we always. ;-} ) If >> I did, I had forgotten it. > > Students of Greek like to read Xenophon in Greek, maybe he is 'orderly' > in his language; Yes, so I understand. I have just enough ancient Greek to handle some of Sappho's great fragments which I've used in my work--Aeolic dialect, of course (late 7th, early 6th c. BCE), different, I suppose, from the Greek used by Xenophon in the 5th. The greatest translators (e.g., Swinburne) say that her stuff is untranslatable into English (though they have all tried it. ;-} ) But then that is poetry--different colored horse entirely. I've never seen a translation of great verse that really works in any language. > probably something like when we students of German > language scientific writing used to read the old original German > scientist stuff. The closest I've been to that flavor of German (my modern German is fluent) is my prized /Meyers Konversations-Lexikon/ (24 vols.), 1903 - 1913, ca., in the "old" script, which I bought from a little old lady in Berlin who needed money to keep her in cigars* for (she figured) about 10 years. Lots of splendid scientific articles, amazing maps color paintings", and hand-drawings of industrial and scientific stuff. Massive piece of work. Only thing I've seen to equal it is the OED. > > A translation of his 'treatise' on horsemanship [and quite a lot of his > other stuff] is available in Gutenberg. Sounds interesting. I'll try to have a look. > >> (*) ... and then there was a certain Mr. Whipsnade, whom he held in >> unusually high regard ... > > I'll bet it would have been a hoot to hangout and drink with ol' WC Apparently; that is, if you could remain standing (sitting?) long enough. :) _____ (*) ... Cuban cigars, of course .... Regards, -- Robert eMail: RobertTaylor@SpamCop.net Web-Address: http://users.rcn.com/robertt.nh.ultranet/Web-SitePg1.htm (1506 nix nix - Dizzy Gillespie, foo Mgr.) From me at nowhere.net Tue Jun 1 00:28:45 2004 From: me at nowhere.net (lt) Date: Mon May 31 23:30:03 2004 Subject: [SpamCop-List] What am I missing? Message-ID: We spend a huge amount of time with Spamcop reporting to achieve very little. For every Spamvertized site there are probably 10,000 different sources for the spam promoting them. One report I just read said there was currently 4,000,000 open proxies for the spammers to use. By simply blocking access to the spamvertized sites the problem would go away in a very short period. AOL has already started, why are they alone in this effort. Anyone wanting to do business with a site that forged their e-mail address is obviously an idiot, so blocking these sites would only help the customers of the ISP's. And, I would think that it should be fairly easy to allow customers who really want to go their to be exempted from this black listing. Comments? From nobody at devnull.spamcop.net Tue Jun 1 16:41:44 2004 From: nobody at devnull.spamcop.net (brewman) Date: Mon May 31 23:40:03 2004 Subject: [SpamCop-List] Re: ipadm@gddc.com.cn for 219.137.163.238 but returns '550-No such user' References: <40BBEECA.7E55@xyzzy.claranet.de> Message-ID: "Frank Ellermann" wrote in message news:40BBEECA.7E55@xyzzy.claranet.de... > > I believe that I AM the target of an "'original' joe.com type of action". > > If I am wrong, then shoot me down. > > Bang. I see the same pattern, like small pieces of dictionary > attacks on various mailers, in your case an attack on mailboxes > starting with F @t-online.XXX > ............... > One thing you could try is to publish SPF records for your > domain and all potential hosts (wildcard *). I don't follow your logic: "Help me, I've been hit by a bus." "Well, m'am, you see that 'do not cross' sign? No-one who's ever obeyed it has been hit by a bus. Now, if you'd obeyed it, you wouldn't have got hit. No m'am, you weren't hit by a bus." BTW I have a domain, but not a server; it's hosted by my ISP for me - I've jusy had a word with them & the techie I spoke to has never heard about SPF records (could be a problem here in this little South Pacific island ...). Anyway ... A) AFAIK the original JoeJob was that the spammer put XXX@joe.com in the return path. This is what is happening to me. Or am I wrong? B) Yes, SPF records may well stop it happening (I'm not an SysAdmin, although I have written POP/SMTP/Socket programs in C++), but just because they aren't there doesn't mean that I am not a JoeJob recipient - does it? (juste comme le français - négatifs triples) -- Brewman Brewman.SpamCop@brycom.cX.nX which really ends with dot co dot nz From nobody at devnull.spamcop.net Tue Jun 1 17:16:31 2004 From: nobody at devnull.spamcop.net (brewman) Date: Tue Jun 1 00:15:04 2004 Subject: [SpamCop-List] Re: What am I missing? References: Message-ID: > By simply > blocking access to the spamvertized sites the problem would go away in a > very short period. ... Comments? A) Well, I've come across many spamvertised sites where the site is nothing but a redirector to another 'real' site. These disposable sites (often in 3rd world places) can be thrown away, and then more set up, very easily. The 'real' site (sometimes in USA) is 'hidden' from view, and IMHO finding THAT is where the effort should be put in. B) It reminds me of the story of the guy walking along the sea shore, throwing starfish back that had been washed up by a storm. Someone asked what difference it made, seeing as there were thousands of stranded starfish. He just picked up another one, threw it back, and said, "Well, it made a difference to that one." How do you shut down 4 million proxies? One at a time. Or at least, get your ISP to Blacklist them. It's a campaign fought on many fronts; win some, lose a few, but keep up the pressure. There's no need to stop fighting on one front because someone's sees an opportunity with another one. -- Brewman Brewman.SpamCop@brycom.cX.nX which really ends with dot co dot nz From nobody at devnull.spamcop.net Tue Jun 1 17:25:11 2004 From: nobody at devnull.spamcop.net (brewman) Date: Tue Jun 1 00:25:02 2004 Subject: [SpamCop-List] And another thing Re: What am I missing? References: Message-ID: > By simply > blocking access to the spamvertized sites the problem would go away in a > very short period. ... Comments? What I do relies on sites NOT being blocked. I load up the url into BlackWidow, and download the site! The replica watch is 25MB, the pharmacy site is 35MB. Why do I do this? To hit their bandwidth! If 40,000 ppl downloaded each site, it would cost us pennies/cents each (if anything), but how much would, say, 1000GB for the site cost? I know that some caching would reduce that, but it would be quite a significant cost to them. Or am I being naive? BTW If the website crawler stops straightaway, investigate to check if it's redirecting traffic (I only download within the domain). -- Brewman Brewman.SpamCop@brycom.cX.nX which really ends with dot co dot nz From ob1db at spamcop.net Tue Jun 1 01:41:30 2004 From: ob1db at spamcop.net (David Butler) Date: Tue Jun 1 00:45:07 2004 Subject: [SpamCop-List] parser change gone overboard: only 2 links but only NS reports Message-ID: Respond in .help Return-Path: Delivered-To: x Received: (qmail 7552 invoked from network); 29 May 2004 13:47:03 -0000 Received: from unknown (192.168.1.101) by blade2.cesmail.net with QMQP; 29 May 2004 13:47:03 -0000 Received: from unix14.broadviewnet.net (HELO broadviewnet.net) (64.115.0.113) by mailgate.cesmail.net with SMTP; 29 May 2004 13:47:03 -0000 Received: (qmail 7209 invoked by uid 32008); 29 May 2004 13:47:02 -0000 Received: from unknown (HELO broadviewnet.net) (64.115.0.54) by broadviewnet.net with SMTP; 29 May 2004 13:47:02 -0000 Received: (qmail 2935 invoked by uid 32008); 29 May 2004 13:47:02 -0000 Delivered-To: broadviewnet.net-x Received: (qmail 2929 invoked by uid 32008); 29 May 2004 13:47:01 -0000 Received: from unknown (HELO mm.studio) (218.231.81.59) by broadviewnet.net with SMTP; 29 May 2004 13:47:01 -0000 Message-ID: From: "Rbotchway" Date: Sat, 29 May 2004 22:49:25 +0900 To: x, x Subject: Animal Fker Gurls !!!!. dulled badger Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset=iso-8859-1 X-Bogosity: Unsure, tests=bogofilter, spamicity=0.555064, version=0.11.1.3 X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on blade2.cesmail.net X-Spam-Level: ** X-Spam-Status: hits=2.7 tests=NASTY_GIRLS,PLING_PLING,PORN_16 version=2.63 X-SpamCop-Checked: 192.168.1.101 64.115.0.113 64.115.0.54 218.231.81.59 X-SpamCop-Disposition: Blocked xbl.spamhaus.org The dirtyist farm slutts..Who Love BARN YARD ANIMALS !! Watch Barnyard Taking on... The Whole Farm... .. http://streetboxcar.net/wiz/dm/cb/index.htm Tese nasty Girls Will Do Anything For Money and We have the Video and Pics to Prove It..... Hurry and see it before it's gone...3 days for just 1 Warning....This may not be legal in your area !!! maybe you don't want to get this sometimes http://cases.streetboxcar.net/wiz/feather/index.htm This offer was sent to you on behalf of: comebarn 1117 Queen Street West # 780 Toronto, ON M6J 1J0 From tfm3 at nospam.teleproc.com Tue Jun 1 01:15:49 2004 From: tfm3 at nospam.teleproc.com (Thomas Mooney) Date: Tue Jun 1 01:20:02 2004 Subject: [SpamCop-List] Turnaround performance problem Message-ID: There was a time (not so long ago) where the auto-responder reply would appear within minutes of submission. Sometimes it was as quick as 1-2 minutes, sometimes as long as 10-20 minutes. Today the responses I'm receiving are averaging 5 hours. Five hours! When I look at the SpamCop statistics pages, it appears things are running about normal. Does anybody have a clue why turnaround has slowed so much? Curious, -- TFM3 Note: Spam-resistant e-mail address From nobody at spamcop.net Tue Jun 1 02:25:59 2004 From: nobody at spamcop.net (Claudio Valderrama C.) Date: Tue Jun 1 01:25:03 2004 Subject: [SpamCop-List] Re: Turnaround performance problem References: Message-ID: Thomas Mooney wrote: > There was a time (not so long ago) where the auto-responder reply > would appear within minutes of submission. Sometimes it was as quick > as 1-2 minutes, sometimes as long as 10-20 minutes. > > Today the responses I'm receiving are averaging 5 hours. Five hours! > When I look at the SpamCop statistics pages, it appears things are > running about normal. Does anybody have a clue why turnaround has > slowed so much? No clue, but I have the same question. C. From nobody at xyzzy.claranet.de Tue Jun 1 08:36:54 2004 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Tue Jun 1 01:45:06 2004 Subject: [SpamCop-List] Re: ipadm@gddc.com.cn for 219.137.163.238 but returns '550-No such user' References: <40BBEECA.7E55@xyzzy.claranet.de> Message-ID: <40BC15F6.40C9@xyzzy.claranet.de> brewman wrote: > "Help me, I've been hit by a bus." > "Well, m'am, you see that 'do not cross' sign? No-one who's > ever obeyed it has been hit by a bus. Now, if you'd obeyed > it, you wouldn't have got hit. No m'am, you weren't hit by a > bus." LOL. No, that's not exactly the picture. SPF (sender policy framework) identifies the IPs allowed to send Mail From:. If any other IP claims to send Mail From:, then that's a lie. And therefore all recipients supporting SPF shouldn't bother you with useless bounces to x@y. At the moment this could result in less bounces: "No m'am, you're only hit by a beagle". But it will get better, if more recipients reject a forged x@y, then the spammers will invent other evil tricks, and eventually "we" (I have the same problem) won't get this kind of bounces anymore. > I have a domain, but not a server, it's hosted by my ISP for > me - I've jusy had a word with them & the techie I spoke to > has never heard about SPF It's rather new, see for the details. > could be a problem here in this little South Pacific island Even DynDNS supports SPF in its "custom DNS" system, and if the text shown by `nslookup -q=txt brycom.cX.nX` is your text, then you could replace it by a SPF record. For my case see `nslookup -q=txt claranet.de`, so far it's simple, but as I said, it's not the complete wildcard solution. > just because they aren't there doesn't mean that I am not a > JoeJob recipient - does it? Maybe the definition of JoeJob changed over the time. Today it's more along Mike's idea, e.g. if somebody pretends to offer drugs and child porn with an URL of your Web space. Bye, Frank From nobody at devnull.spamcop.net Tue Jun 1 02:15:09 2004 From: nobody at devnull.spamcop.net (WazoO) Date: Tue Jun 1 02:20:03 2004 Subject: [SpamCop-List] Re: parser change gone overboard: only 2 links but only NS reports References: Message-ID: "David Butler" wrote in message news:c9h1cs$63o$1@news.spamcop.net... > Respond in .help > > Return-Path: > Delivered-To: x Damn, get a clue, would you? I half-assed defended you over in .help by noting that you hadn't cross-posted your posting over there, was thinking about pointing out to another poster advising you to post your spam in .spam that you hadn't actually posted your spam there (in .help) only to see what that remark was referencing. Post your spam in .spam, post a Tracking URL else- where, put your routing issues over in .routing ... it was this way before you showed up, and things haven't changed just because you keep right on doing things wrong. From ric.gates at bigsleep.org Tue Jun 1 08:19:14 2004 From: ric.gates at bigsleep.org (Blammo) Date: Tue Jun 1 03:20:03 2004 Subject: [SpamCop-List] Re: How to handle the spamreports that can't be send unmungled References: Message-ID: On 31 May 2004 Miss Betsy entered spamcop and left news:c9gach$i0a$1@news.spamcop.net: > There is no good reason for reports to be unmunged except laziness > and the legal department. I don't see how you can make that assumption. Are you an IT tech for an ISP? -- | Ric | From ric.gates at bigsleep.org Tue Jun 1 08:51:00 2004 From: ric.gates at bigsleep.org (Blammo) Date: Tue Jun 1 03:55:02 2004 Subject: [SpamCop-List] Re: Why won't SpamCop trace a URL? I know how to do it References: Message-ID: On 31 May 2004 Spambo entered spamcop and left news:c9g5dk$dmk$1@news.spamcop.net: > 2. SpamCop doesn't follow links in spams to analyze where they > lead. For one thing that would significantly increase the amount > of processing time each spam takes since the parser couldn't know > what links redirect to elsewhere unless it follows every link it > encounters and analyzes the content of the served web document. > And it would be quite easy to fool any method SpamCop might use. -- | Ric | From MikeE at ster.invalid Tue Jun 1 02:32:34 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jun 1 04:35:03 2004 Subject: [SpamCop-List] Re: ipadm@gddc.com.cn for 219.137.163.238 but returns '550-No such user' References: Message-ID: brewman wrote: > Let's ignore the From field. Even the To field. I have effective spam > filters, but am getting HUNDREDS (it might be thousands by now, I > stopped counting after a few days) of bounced emails crashing > through from non-existent mailboxes around the globe which have > artificial names prepended to MY domain name as the return address > i.e. > from RFC822 >> "Return-path" ":" route-addr ; return address > (whether also the From address is irrelevant) > Many even have MY domain name as the HELO/EHLO name (actual this is > irrelevant, but shows the lengths that someone is going to in order to > implicate me). > One picked at random starts as follows: >> ------------------------- Failed addresses follow: >> ---------------------| > > unknown user / Teilnehmer existiert nicht > > 550 Mailbox quota exceeded / Mailbox voll. > > unknown user / Teilnehmer existiert nicht > > I believe that I AM the target of an "'original' joe.com type of > action". If I am wrong, then shoot me down. Different people have different terms for various forgeries; what you are describing sounds like what I call 'malicious From forgery'. That is, 'normal' spam is normal From forgery. Malicious [I actually sometimes call it 'mailicious'] From forgery goes way beyond normal From forgry. In the case of /your/ mailicious, the 'From' part of your example and description also happens to be much more than just From [where From is part of the DATA transmission] but also the 'envelope' Mail From of the 'opening' smtp transaction HELO - MAIL FROM - RCPT TO - DATA The 'normal' or 'random' From forgery is done simply because a spam 'needs' a From and the spammer gets it from the same kinds of sources that it gets the addies for the To: or the BCC. So, normal From 'victims' are not really much different from normal spam recipients in that sense; and usually the 'effects' of normal From forgery aren't too large or too persistent. Another type of From forgery is one in which the 'nature' or appearance of the From is part of the 'social engineering' of the spam; such as putting a girl's name on porn spams and other 'designs' in which the >From 'matches up' with what the spam is supposed to be about to make it more believable on the 'surface' - ie the spammer matches the subject and the From so that they 'fit' together. To continue with the definition process just to cover the joe job [by my definition]. BTW a fair number of people do use the term joejob to cover a lot of different kind of forgeries, as you did earlier. Some people call all forgeries joejobs. My definition is a narrow one; that a joejob is when a 'realistic' looking spam is sent promoting some website or enterprise. Typically the source isn't easily traceable but it may be made to look like the source is the promoted website. The idea of the joejob is to get the website 'in trouble' with hir provider. That is, the target victim is the spamvertised site. Just as joe.com was. This is already a rambling post, so I won't get into 'bogus' joejobs, spoofed bogus joejobs, and trick spoofed bogus joejobs; but the 'range' of whatall is done with forgery is very broad; so I think it is better to be 'restrictive' with definitions rather than broad. I'm calling your situation 'malicious from forgery' - realizing that it is much 'broader' than simply the DATA From for the header. The intention of the malicious from is to cause 'trouble' for the 'victim' or target. Generally the type of trouble it causes is mailbox trouble; where it is possible to lose good mail because of mailbox full conditions. -- Mike Easter kibitzer, not SC admin From nobody at xyzzy.claranet.de Tue Jun 1 12:12:09 2004 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Tue Jun 1 05:15:36 2004 Subject: [SpamCop-List] Re: How to handle the spamreports that can't be send unmungled References: Message-ID: <40BC4869.39B2@xyzzy.claranet.de> Blammo wrote: >> There is no good reason for reports to be unmunged except >> laziness and the legal department. > I don't see how you can make that assumption. Are you an > IT tech for an ISP? "Legal department" => if you want an ISP to terminate the account of a customer, then their legal department might want to have more than some munged SC reports as "evidence". If SC would change the default from "munged" to "unmunged" I'd simply use the new default. And I'm not at all interested how spammers wash their lists. Like Miss Betsy said, they always can do it with some obscured info in their spam. Bye, Frank From MikeE at ster.invalid Tue Jun 1 03:15:36 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jun 1 05:20:03 2004 Subject: [SpamCop-List] Re: russian spam from china and a Suggestion to SC References: Message-ID: eddie wrote: > Mike Easter >> Yes. The source IP is counted toward its listing or continued >> listing on the spamcop blocklist SCbl even if no one receives the >> reports for various reasons. > even when it's dev-nulled?? I thought that meant nothing was counted Nope. There are various reasons that reports don't get sent in a particular direction or to anyone. Spamtraps, moles, unwanted, no good addies, blackhats. They all get counted. Spamtraps even get counted extra. > For the time that every ISP associated with a piece of spam is > dev-nulled, there is no reason for me to deal with it, except to > delete it, UFN. You are misunderstanding the devnul. It counts. > As with the virus email that I never see, if it's in cyrillic > from chinese ISPs who get devnulled anyway, there is nothing I can do > about it. Maybe report the phone number to Interpol? :) I think you are just feeling frustrated because you don't realize that the devnuls count. -- Mike Easter kibitzer, not SC admin From macc at amp.us Tue Jun 1 12:35:14 2004 From: macc at amp.us (MacCampus) Date: Tue Jun 1 05:40:04 2004 Subject: [SpamCop-List] Re: How to handle the spamreports that can't be send unmungled References: Message-ID: On 2004-05-30 13:10:59 +0200, MacCampus said: > Hello , > > What do i do if i receive spam for witch spamcop wont send mungled reports ? > > What i did was i went to the homepages of their services , which was > webhosting , so i readed their pages , went to their client webpages & > after all that looked very professional i contacted their online > support which worked using icq & that enabled me to contact them > anonymous using AIM . ( But that said today is sunday & i got an > immediat responds , ofcourse they can have 7/7 online support ) . > > Should i now send them my Spamreports unmungled ? > > I'dd sure like some help . > > Thx > > Maccampus I Want to thank all you guys & girls for replying , i decided to send them the unmunged reports . I also found out what newsgroups & discussionboards are for & i must say they have prooven to be great tools & maybe i should use these channels more often , so thx again for letting me discover the usefullness of these channels Great Thx from a happy SpamCop user From kjz at despammed.com Tue Jun 1 12:35:49 2004 From: kjz at despammed.com (Karl-Josef Ziegler) Date: Tue Jun 1 05:40:07 2004 Subject: [SpamCop-List] Re: Al or Macrae? In-Reply-To: <40BAD9A3.6000101@spamcop.net> References: <40B710C7.7000708@spamcop.net> <40BAD9A3.6000101@spamcop.net> Message-ID: Anony Mouse wrote: > The real orderer, as you put it, is very much in the foreground. > > The companies name is EyeFive Inc. I don't think so. Eye 5 has all these VPRX and other 'herbal quack medicine crap' to offer. But Al or Macrae are spamming for the 'hard' stuff, i.e. prescription drugs like Viagra, Vicodin, Cialis, etc. That's not the business of Eye 5. BTW: Did you ever got anything except spam from all these 'affiliate programs'? It seems to me they're like all these MLM scams and should be forbidden as a legal business model. From nobody at devnull.spamcop.net Tue Jun 1 05:48:34 2004 From: nobody at devnull.spamcop.net (WazoO) Date: Tue Jun 1 05:50:03 2004 Subject: [SpamCop-List] Re: How to handle the spamreports that can't be send unmungled References: Message-ID: "MacCampus" wrote in message news:c9hikh$iqq$1@news.spamcop.net... > > I Want to thank all you guys & girls for replying , i decided to send > them the unmunged reports . > > I also found out what newsgroups & discussionboards are for & i must > say they have prooven to be great tools & maybe i should use these > channels more often , so thx again for letting me discover the > usefullness of these channels > > Great Thx from a happy SpamCop user It's been interesting This subject was being handled in both the newsgroups and Forums simultaneously, so he/she was getting answers from a number of folks. (Good thing that "we" were all in agreement ) From Anonym at us.com Tue Jun 1 04:21:57 2004 From: Anonym at us.com (Anonym@us.com) Date: Tue Jun 1 06:25:04 2004 Subject: [SpamCop-List] Re: Memorial Day -- or -- Christmas? References: Message-ID: "Spambo" wrote in message news:c9ffpj$qth$1@news.spamcop.net... > optinrealbig.com still isn't resolving but Snotty's spamhaus > is available using optinbig.com. Well, we've worked him down from OptInRealBig to OptInBig... now let's keep at him and work him down to OptInLittle, then OptInNonexistent. From nobody at devnull.spamcop.net Tue Jun 1 06:23:26 2004 From: nobody at devnull.spamcop.net (Cat) Date: Tue Jun 1 06:25:08 2004 Subject: [SpamCop-List] Re: parser change gone overboard: only 2 links but only NS reports In-Reply-To: References: Message-ID: David Butler wrote: > Respond in .help Um, ya knw, I might have been more inclined to think you posted spam in the wrong group accidentally the last time you did this, but you seem to make a regular habit of not bothering to pay attention to where you're posting anything. With your regular habit of posting spam in the wrong group and not posting routing requests in .routing, it almost seems like you're posting in whatever group you feel like posting at the moment with an apparent total disregard to what each group is for. I thought maybe the last spam posting in a non-spam group might have been an accident, but it seems like you're posting to the wrong groups on purpose now. If you really are that absent-minded, then maybe you need to think a little harder about what you're doing before you hit the send button and make sure you post to the right group next time or just don't post when you're half-asleep. I really hope you don't use this same half-assed attitude with spam complaints. From Anonym at us.com Tue Jun 1 04:29:42 2004 From: Anonym at us.com (Anonym@us.com) Date: Tue Jun 1 06:35:03 2004 Subject: [SpamCop-List] Re: Memorial Day -- or -- Christmas? References: Message-ID: BTW, it's been reported that CAIS Internet is the ISP who picked up Snotty Scotty, through wvfiber.com (aka ibis7.net). If you'd like to register your disapproval (or disgust) with them, the addresses are: abuse@cais.net;abuse@wvfiber.com;abuse@ibis7.net Don't be surprised if they bounce, though, seeing as how they're a spamhaus. I also posted Richter's telephone number on the SpamCop forums, but can't remember where, so you'll have to dig for it. From user\" at domain.invalid.com>" Tue Jun 1 13:38:36 2004 From: user\" at domain.invalid.com>" ( Rolf) Date: Tue Jun 1 06:40:03 2004 Subject: [SpamCop-List] Re: Why won't SpamCop trace a URL? I know how to do it In-Reply-To: References: Message-ID: Spambo wrote: > 2. SpamCop doesn't follow links in spams to analyze where they > lead. For one thing that would significantly increase the amount > of processing time each spam takes since the parser couldn't know > what links redirect to elsewhere unless it follows every link it > encounters and analyzes the content of the served web document. Wouldn't there be also the problem of confirming live email addresses through embedded identifiers, if SpamCop would actually follow each link in a spam to verify its contents and detect redirects and further linking? Rolf Kalbermatter From downunder at xyz.com Tue Jun 1 22:36:11 2004 From: downunder at xyz.com (Chelle) Date: Tue Jun 1 07:40:03 2004 Subject: [SpamCop-List] Re: Email Blocked References: Message-ID: sorry but whilst i'm aware of that, when i was posting it was late here.. and i was short of time, so apologies but individual replies to each post i just dont have the time for. "Mike Easter" wrote in message news:c9fsp9$6id$1@news.spamcop.net... > oh Chelle! > > Do you notice how your posts are 'different' from everyone else's who > replies to you? > > They are trimming. They are contextualizing. They are posting inline. > They are configuring their replies for an 'ongoing' conversation; and > so this 'dialogue' works because they are taking care of your topic for > you. > > You are not trimming. You are not contextualizing. You are not posting > inline. You are not configuring your replies for an ongoing > conversation. This dialogue only works because everyone else is > carrying your end of the load. > > This is a trimmed inline contexualized newsgroup. Not the other kind > where people toppost and push down everything underneath them. > > Here are some things to read for new newgroup participants: > > http://www.greenend.org.uk/rjk/2000/06/14/quoting Quoting Style > http://member.newsguy.com/~schramm/nquote.html Quoting Style in > Newsgroup Postings > http://www.uwasa.fi/~ts/http/quote.html Of proper quoting > > There are also some more 'general' discussions of netiquette elsewhere > to put into that context, but I'll just stay with the quoting and > trimming issue for now. > > > -- > Mike Easter > kibitzer, not SC admin > From nobody at spamcop.net Tue Jun 1 08:08:43 2004 From: nobody at spamcop.net (Miss Betsy) Date: Tue Jun 1 08:05:02 2004 Subject: [SpamCop-List] Re: What am I missing? References: Message-ID: "lt" wrote in message news:c9gt5e$2tp$1@news.spamcop.net... Anyone wanting to do business with a site that forged their > e-mail address is obviously an idiot, so blocking these sites would only > help the customers of the ISP's. And, I would think that it should be > fairly easy to allow customers who really want to go their to be > exempted from this black listing. Comments? I agree. IMHO, ISP's have missed the boat in telling the average user about blocking and its advantages. Miss Betsy From Anonym at us.com Tue Jun 1 06:13:30 2004 From: Anonym at us.com (Anonym@us.com) Date: Tue Jun 1 08:20:03 2004 Subject: [SpamCop-List] Re: I'm leaving spamcop.... References: Message-ID: > Annie wrote: > Failing to do good trimming creates all kinds of problems, whether > the replying is at the top, bottom, or inline; different problems with > different placement of the untrimmed reply. It's the lack of > trimming that is the real problem. You know what we need? A newsreader that will let you select all the relevant parts from a previous post, then inline them into a new post in the order they were selected. That way, trimming is easy, and you do inline posting automatically. From nobody at spamcop.net Tue Jun 1 08:25:03 2004 From: nobody at spamcop.net (Miss Betsy) Date: Tue Jun 1 08:25:03 2004 Subject: [SpamCop-List] Re: How to handle the spamreports that can't be send unmungled References: Message-ID: "eddie" wrote in message news:pan.2004.06.01.00.06.44.715000@eddie.web... > On Mon, 31 May 2004 17:13:04 -0500, Miss Betsy scratched out the > following: > > snip > > There is no good reason for reports to be unmunged except laziness and the > > legal department. > > I totally agree. If people use SC to "get even" with an ISP by sending > false reports, there are proper ways to deal with them other than > punishing everyone else and making them reveal their email addresses. > All my reports have my nickname on them, and I expect that abuse desks > will recognize me by it and know my reports are always valid and timely. > Unmunging won't change that. I suspect that big spamhouses request > unmunging simply to keep the reports at a lower level, knowing that many > will decide not to report to them. That puts them more on the side of the > spammer than the spammee, in my opinion. It's an old legal trick to > reverse the roles of the accused and the accuser and it sometimes works. Supposedly the legal department needs unmunged evidence for the ISP to do anything. OTOH, about accuracy, most of the more knowledgeable reporters never munge so the abuse department may, as you suggest, require unmunged reports because they are more likely to be accurate. Remember it only takes *one* accurate report to a whitehat ISP to shut down a spammer. Although, on principle, I do not want to reveal my email address to a suspected ISP plus not wanting to be listwashed, I have decided to send unmunged reports. For one reason, I think that the possibility of retaliation is no longer a problem (it was in the beginning days). For another, there are too many ways to identify a report even without the email address. It is also more unlikely that the originating ISP is going to be the one who has a spammer as a customer since the open proxies started to be popular and ISP's have wised up. And while I appreciate the efforts of those who try to get spamvertised sites shut down, for one thing it takes more expertise than I have to really know what you are doing, and for another, they can create them as fast as you shut them down. The solution, IMHO, is blocking those ISP's who do not close the 'holes' which spammers exploit. 4,000,000 is not that many when you think of the number of reporters and ISP's who use blocklists. It won't be long until ISP's start to do something about exploited machines or they will be permanently blocked (as china and korea are for many people). The problem is that nobody without a server can take that action and there are too many ISP's who won't do that for their customers. Miss Betsy From peter at loud-n-clear.net Tue Jun 1 14:15:00 2004 From: peter at loud-n-clear.net (Peter Scales) Date: Tue Jun 1 08:25:07 2004 Subject: [SpamCop-List] Re: ALERT: submit.xxxxxxxx.@spam.spamcop.net reporting system down? References: Message-ID: In message , E?nw? writes >Since about 5:30 EDT 31 May, I've received no acknowledgements of spam >submitted. Also, I've been seeing unusually sluggish response from the >parser for the past couple of days. Is something broken? > Same here - slow since 2004/05/31 and no responses to submissions since 06:00 UTC 2004/06/01 (six hours and counting). Pete -- Peter Scales From Anonym at us.com Tue Jun 1 06:25:42 2004 From: Anonym at us.com (Anonym@us.com) Date: Tue Jun 1 08:30:03 2004 Subject: [SpamCop-List] Re: Ping-Tim McGraw References: Message-ID: > > "Annie" wrote in message > Guess I can't use SpamCop if I am going to use Outlook. I may just delete > most of the spam until I have time to report a few. I am getting 50 or more > every time I download email which is several times a day. I am finding it > takes too long to do each separately. Actually, you CAN use Outlook and report to SpamCop (and however many other BL's you want, and the FTC, all simultaneously). I worked on Leon Mayne's VBA code for Outlook to give it many more features (error checking, a whitelist, etc.). You can get the code here: http://www.hillscapital.com/spammerslammer.zip It's got full instructions in the source code... just open the .bas file in NotePad and print it out, then follow the instructions. It's best if you know a bit of VBA, so you can tweak the code for your setup, if need be. You'll also need to download the Redemption DLL (the link to the author's site is in the instructions). I've used this for months now to report. When I first started, I was getting quite a few, and it took almost no time to report them, as it's basically a 3-click process (select however many spams you want to report, click the 'Report As Spam' button, wait for the SpamCop Autoresponder emails, click the links in those emails, click the Submit button on the SpamCop webpage). You can report multiple spams at the same time by selecting all of them before clicking the 'Report As Spam' button. If any of you VB/VBA gurus out there want to take a crack at it, you could try turning it into an installable plug-in for Outlook. I would, but I don't have the time or VB programming expertise to do so. The code is public domain (with attribution intact), so feel free. From ric.gates at bigsleep.org Tue Jun 1 14:14:39 2004 From: ric.gates at bigsleep.org (Blammo) Date: Tue Jun 1 09:15:11 2004 Subject: [SpamCop-List] Re: Email Blocked References: Message-ID: On 31 May 2004 N. Miller entered spamcop and left news:MPG.1b25b806b83679e4989708@news.spamcop.net: > OTOH, I *could* block email from SCBL listed sources by changing one > setting in my MTA. For now, though, very little spam seems to be > caught with "X- Blocked: Blocked by 'SpamCop'" in the headers. > I wrote a ruleset to do just that, which allows me to see if the source is already listed. I also use the same rule to test new block lists, that way I can see if valid mail gets blocked before using that list to reject. > (For those who care, that is just the way my MTA tags the email. If I > change it from local tagging to blocking, the reject notice only list > one of *my* points of contact; SCBL isn't mention as a cause of the > block.) > Ditto. -- | Ric From ric.gates at bigsleep.org Tue Jun 1 14:28:37 2004 From: ric.gates at bigsleep.org (Blammo) Date: Tue Jun 1 09:30:07 2004 Subject: [SpamCop-List] Re: What am I missing? References: Message-ID: On 31 May 2004 lt entered spamcop and left news:c9gt5e$2tp$1@news.spamcop.net: > By simply > blocking access to the spamvertized sites the problem would go away in a > very short period. So is the judge in this case? Who decides which sites we can and can't visit? > AOL has already started, why are they alone in this > effort. Maybe AOL is the only company that feels they need to protect idiots. > Anyone wanting to do business with a site that forged their > e-mail address is obviously an idiot, Yes, or ignorant/ uneducated. Isn't that the real problem? > so blocking these sites would only > help the customers of the ISP's. Not necessarily. -- | Ric From agent01413 at my-deja.com Tue Jun 1 08:42:05 2004 From: agent01413 at my-deja.com (Socks the white house cat) Date: Tue Jun 1 09:45:03 2004 Subject: [SpamCop-List] Re: What am I missing? References: Message-ID: Someday in the distant future, archeologists digging thru the ruins of spamcop will discover that "Miss Betsy" had this to say on 01 Jun 2004: > > "lt" wrote in message > news:c9gt5e$2tp$1@news.spamcop.net... > > Anyone wanting to do business with a site that forged their >> e-mail address is obviously an idiot, so blocking these sites > would only >> help the customers of the ISP's. And, I would think that it > should be >> fairly easy to allow customers who really want to go their to be >> exempted from this black listing. Comments? > > I agree. IMHO, ISP's have missed the boat in telling the average > user about blocking and its advantages. > As dumb as the average user is, half of them are even dumber. I'd love to market that capability. The result though will be an innundation of spam, forwarded without expanded headers, sent by well meaning users intending to assist your abuse desk with their fight. I know. I've tried it. We wrote a script to determine whether headers were expanded or not (92% not), rejected the ones without expanded headers with a link to the spamcop instructions, and saw no appreciable increase in the percentage that came in with expanded headers. Some of the users who couldn't follow the simple instructions for expanding headers then complained that our blocking efforts were a marketing ploy with no substance. We eventually implemented spamcop and trained the more competent of our users to feed the spamcop free reporting feature. On any given spam run that hits our servers, it appears that spamcop gets somewhere between 10 and 20 reports. -- Sturgeon's Law as applied to discussion lists Axiom #3: "Sturgeon's Law (90% of everything is crap) applies to discussion lists." Corollary #5: "In an unmoderated discussion, no one can agree on what constitutes the 10%." Corollary #6: "Nothing guarantees that the 10% isn't crap, too." From nobody at spamcop.net Tue Jun 1 10:49:37 2004 From: nobody at spamcop.net (jbloom) Date: Tue Jun 1 09:50:03 2004 Subject: [SpamCop-List] Re: ALERT: submit.xxxxxxxx.@spam.spamcop.net reporting system down? References: Message-ID: <40BC8971.82565CE4@spamcop.net> E?nw? wrote: > Since about 5:30 EDT 31 May, I've received no acknowledgements of spam > submitted. Also, I've been seeing unusually sluggish response from the > parser for the past couple of days. Is something broken? > > -- > E?nw? > (SpamCop subscriber, not staff/admin) Ever since they did maintenance on spamcop, it's been terrible. Yesterday the website was so slow that it seemed like I was on it all day just to report 170 spams. This morning it's slow too. Before the maintenance, it used to bounce from page to page and reporting could be done in no time. Acknowledgements are nonexistant this morning, but I can live with that if they'd just fix the website. From MikeE at ster.invalid Tue Jun 1 08:02:38 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jun 1 10:05:07 2004 Subject: [SpamCop-List] Re: Email Blocked References: Message-ID: Chelle wrote: > sorry but whilst i'm aware of that, when i was posting it was late > here.. and i was short of time, so apologies but individual replies > to each post i just dont have the time for. Nope, that doesn't get it and you aren't answering 'responsively'. I'm not talking about you 'writing' any more than you did. I'm talking about your typing exactly the same amount but just trimming and 'placing' it correctly, in the accepted configuration. Didn't you read *any* of the links I provided to explain to you how and why to do that? -- Mike Easter kibitzer, not SC admin From skiwi at spamcop.net Tue Jun 1 08:08:51 2004 From: skiwi at spamcop.net (Skiwi) Date: Tue Jun 1 10:10:03 2004 Subject: [SpamCop-List] [media] "When Software Fails to Stop Spam, It's Time to Bring In the Detectives" Message-ID: http://www.nytimes.com/2004/05/31/technology/31spam.html "Sterling McBride spends a lot of time waiting for spammers to make a mistake. They usually do. When he hunted down escaped prisoners for the United States Marshals Service, Mr. McBride learned the value of lying low until fugitives trip up, leaving small clues on their whereabouts. Now, as an investigator for Microsoft, [Walker] watches carefully for tidbits of data that link some of the two billion pieces of junk e-mail that Microsoft's Hotmail service receives each day with the people who send them...." Hehehehehe... From MikeE at ster.invalid Tue Jun 1 08:16:32 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jun 1 10:20:03 2004 Subject: [SpamCop-List] Re: Ping-Tim McGraw References: Message-ID: Anonym@us.com wrote: > Actually, you CAN use Outlook and report to SpamCop (and however many > other BL's you want, and the FTC, all simultaneously). I worked on > Leon Mayne's VBA code for Outlook to give it many more features (error > checking, a whitelist, etc.). > > You can get the code here: > http://www.hillscapital.com/spammerslammer.zip Good job! -- Mike Easter kibitzer, not SC admin From wb8tyw at qsl.network Tue Jun 1 10:25:42 2004 From: wb8tyw at qsl.network (John E. Malmberg) Date: Tue Jun 1 10:30:03 2004 Subject: [SpamCop-List] Re: What am I missing? References: Message-ID: In article Blammo writes: > On 31 May 2004 lt entered spamcop and left > news:c9gt5e$2tp$1@news.spamcop.net: > >> By simply blocking access to the spamvertized sites the problem >> would go away in a very short period. Only if universally adopted. If blocking open proxies were as universally adopted as blocking open relays were, it would also solve a lot of the spam problem. So would strict enforcement of rDNS by all recipiants. You would have to also block all public re-directors, unless all the public redirectors stopped accepting links to spam sites. > So is the judge in this case? Who decides which sites we can and can't > visit? The local BOFH of course. Generally though why would you want to exchange any packets with either a compromised computer, or with an I.P. range listed in spamhaus.org? As local whitelisting could be used, the router/firewall/proxy server ACLs have to be able to handle the number of listings. So both maintenance and system capabilities are a limiting factor. >> AOL has already started, why are they alone in this effort. > > Maybe AOL is the only company that feels they need to protect idiots. Other companies are suffering from problems caused by their employees that will not follow corporate access rules and the company does not want to, or through contractual reasons, use disiplinary actions. Some of these spamvertized sites have boot loaders for malware. In the spam I am seeing, AOL seems to have had one impact, since they no longer accept e-mails with numeric I.P. addresses in URLs, the spammers have stopped using them. At least the ones that get through to me. >> Anyone wanting to do business with a site that forged their >> e-mail address is obviously an idiot, > > Yes, or ignorant/ uneducated. Isn't that the real problem? As near as can be seen, the biggest buyer of spamvertized products is idiots buying spamming kits thinking that they will get rich, and have no idea that they are being conned. These idiots that buy the spamming kits have no way of knowing if anyone actually looks at the spam. After a spamvertised domain gets revoked, it seems to take the spammer about 72 hours to put a new URL in it. >> so blocking these sites would only help the customers of the ISP's. > > Not necessarily. It helps when the default configuration of an e-mail client is HTML enabled, set to open external links and attachments, and the typical user is running their e-mail on an account that has privilege to modify the operating system files. It also can help if the idiot that bought the spamming kit can not access the web site that they are supposed to be an affiliate for. They might realize faster that they have been conned. But as you point out, it is not a one size fits all solution. -John wb8tyw@qsl.network Personal Opinion Only From nobody at spamcop.net Tue Jun 1 11:25:58 2004 From: nobody at spamcop.net (indigo) Date: Tue Jun 1 10:30:07 2004 Subject: [SpamCop-List] Re: Renew References: <40B69DD8.30707@SpamCop.Net> <40B6AA0E.5060307@SpamCop.Net> Message-ID: Cat wrote: > Robert J. Rucinski wrote: > > > Jeff is working on the problem, THANK YOU!. > > > > Please state in TWO WORDS how you have helped. > > If you'd learn how to communicate like a rational human being Say no more. He ain't one....... From kjz at despammed.com Tue Jun 1 17:27:14 2004 From: kjz at despammed.com (Karl-Josef Ziegler) Date: Tue Jun 1 10:30:10 2004 Subject: [SpamCop-List] Today Ralsky Inc. uses: 1hbedomain.com, r1g4t2you.com; DNS: marketing88.net, nsmarkk1.net, 010mrktt.net Message-ID: most domains now registered (via RegisterFly) through Joker AKA CSL at Duesseldorf, Germany: domain: 1hbedomain.com 218.65.86.48 status: production organization: Gratt Ent. Ltd owner: Robert Grattton email: robgratton__123@hotmail.com address: 854 Liennen Street city: St-Kalix postal-code: 5954475 country: AG admin-c: robgratton__123@hotmail.com#0 tech-c: robgratton__123@hotmail.com#0 billing-c: robgratton__123@hotmail.com#0 nserver: ns1.marketing88.net 218.65.86.48 nserver: ns1.nsmarkk1.net 218.65.120.168 nserver: ns1.010mrktt.net 219.147.198.133 registrar: JORE-1 created: 2004-05-21 00:31:11 UTC JORE-1 expires: 2005-05-20 20:30:51 UTC source: joker.com Domain name: r1g4t2you.com Registrant Contact: RegisterFly.com - Ref# 11386847 Whois Protection Service - ProtectFly.com (11386847.fly@spamfly.com) +1.2122952121 Fax: +1.2122952153 230 Park Avenue Suite 864 New York, NY 10169 US domain: marketing88.net status: production organization: JS Smith ltd owner: Bernard Smith email: mills08_8@hotmail.com address: 337 W. Main city: Frankston state: Texas postal-code: 75456 country: US admin-c: mills08_8@hotmail.com#0 tech-c: mills08_8@hotmail.com#0 billing-c: mills08_8@hotmail.com#0 nserver: a.ns.joker.com 194.176.0.2 nserver: b.ns.joker.com 194.245.101.19 nserver: c.ns.joker.com 194.245.50.1 registrar: JORE-1 created: 2004-05-17 14:48:53 UTC JORE-1 expires: 2005-05-17 10:48:37 UTC source: joker.com Registration Service Provided By: RegisterFly.com Contact: support@RegisterFlysupport.com Visit: http://www.RegisterFly.com domain: nsmarkk1.net status: production organization: LLD entreprise ltd owner: Arnold Lavigueur email: ronald_0965f@hotmail.com address: 142 Hunington Chase Dr city: Madison state: AL postal-code: 35758-6908 country: US admin-c: ronald_0965f@hotmail.com#0 tech-c: ronald_0965f@hotmail.com#0 billing-c: ronald_0965f@hotmail.com#0 nserver: a.ns.joker.com 194.176.0.2 nserver: b.ns.joker.com 194.245.101.19 nserver: c.ns.joker.com 194.245.50.1 registrar: JORE-1 created: 2004-05-17 16:11:41 UTC JORE-1 expires: 2005-05-17 12:11:26 UTC source: joker.com domain: 010mrktt.net status: production organization: Madisson Inc. owner: philip salice email: ronherman_0987@hotmail.com address: 200 laurel lane city: roswell state: GA postal-code: 30076 country: US admin-c: ronherman_0987@hotmail.com#0 tech-c: ronherman_0987@hotmail.com#0 billing-c: ronherman_0987@hotmail.com#0 nserver: a.ns.joker.com 194.176.0.2 nserver: b.ns.joker.com 194.245.101.19 nserver: c.ns.joker.com 194.245.50.1 registrar: JORE-1 created: 2004-05-17 16:18:27 UTC JORE-1 expires: 2005-05-17 12:18:11 UTC source: joker.com From nobody at spamcop.net Tue Jun 1 11:26:51 2004 From: nobody at spamcop.net (indigo) Date: Tue Jun 1 10:30:12 2004 Subject: [SpamCop-List] Re: Renew References: <40B6763F.6020308@SpamCop.Net> <40B6CB2A.7070409@SpamCop.Net> Message-ID: Robert J. Rucinski wrote: > Don, > > Jeff has been successful in contacting me. > > Perhaps you might consider the root cause of this problem and block > those who utter nonsense. > But gee Bobbie, then all your posts would be filtered! From Nobody at spamcop.net Tue Jun 1 10:28:40 2004 From: Nobody at spamcop.net (Nobody) Date: Tue Jun 1 10:30:16 2004 Subject: [SpamCop-List] Re: Spammer Letter to SpamCop References: <40B69162.2C0C9DC2@spamcop.net> Message-ID: <40BC9298.D25FBBB2@spamcop.net> Merlyn wrote: > > > Do not respond to this jerk. > > Don't worry about it. > > The Admins have nothing to do with it. They just replied hoping you will > mail them back. > > Forget about it. > > Spammers Lie. > > Spammer's Standard of Discourse: Threats and intimidation trump facts and > logic. > > Just keep turning them in like you always have been. Spammers are scum. > > Who is this turd? What is his site? > > -- > > Regards, > Merlyn Hi, Merlyn, The guy's site is Koach Power Canvassing Seminars. He trains cold-call solicitors in London. I saved the spams and/or source files on each, but I didn't think to save links to the SpamCop reports themselves, which I only purged over the weekend to recover headspace on my HDD -- curses! Best I can do is post one or two of his representative products over on the other thread. Regards, Michael From nobody at spamcop.net Tue Jun 1 11:33:59 2004 From: nobody at spamcop.net (indigo) Date: Tue Jun 1 10:40:07 2004 Subject: [SpamCop-List] Re: Compromised computer(s) or Yahoo account? References: Message-ID: Rick Carlton wrote: > "indigo" wrote in message > news:c97s88$b67$1@news.spamcop.net... > > Well, I still have the question "what the hell is actually going > > on?" I'm spamming myself? > > > Could that be the Blackberry server moving things around so that > everything's in sync? No, the gal with the blackberry has a different yahoo addy of mine (mistake on my part from the start). From nobody at spamcop.net Tue Jun 1 11:34:46 2004 From: nobody at spamcop.net (indigo) Date: Tue Jun 1 10:40:20 2004 Subject: [SpamCop-List] Re: Compromised computer(s) or Yahoo account? References: Message-ID: Frog Prince wrote: > Is this problem seen only on the computer or is it also observed at > the yahoo server access? Uhn, I don't parse the question..... From Nobody at spamcop.net Tue Jun 1 10:38:45 2004 From: Nobody at spamcop.net (Nobody) Date: Tue Jun 1 10:40:23 2004 Subject: [SpamCop-List] Re: Spammer Letter to SpamCop References: <40B69162.2C0C9DC2@spamcop.net> Message-ID: <40BC94F5.8E8EAAE5@spamcop.net> WazoO wrote: > > "Nobody" wrote in message > news:40B69162.2C0C9DC2@spamcop.net... > > > > I just got passed through by SpamCop a beef letter from a spammer who is > challenging the veracity of several spam reports. > > That's the way it works. The recipient of the spam complaint can > "contact" the sender via the report number, just as you state below. > > > I suppose SpamCop admins need something from me by way of > > Again, admin had nothing to do with it, that's the way > the system works. What you do next is up to you, > just noting that in the past, a lot of complaints from ISPs > were about the no follow-up when attempted. > > > Again, your call. The catch is that the letter does seem to > indicate that a report was sent based on an e-mail address > rather than an IP. But neither you nor he make note of > the specifics. You mention company, he talks about > e-mail address. You allege "years of proof" ... Well, the e-mail address parsed out pretty well.....this outfit had been using someone to propagate their spams who liked open relays, but more recently some of the spams didn't show any in the reports, so they may have changed marketers. I'd had the impression that Koach or another company contracting with Ingham or Koach was doing the spamming. The disavowal of his interest in Koach is disingenuous at best, since they've been joined at the hip for as far back as they've been spamming me. I saved cc of the spams and/or sourcefiles going back over a year, but I didn't think to save the SpamCop reports or links to individual reports. I just cleaned a lot of stuff off my HDD last week, including emptying out the e-mail file that contained a number of SpamCop reports, since I had the original spams saved off on reusable media. I suppose I could munge a few sourcefiles and send them along. But to whom? The letter doesn't indicate who's complaining. I suppose I could send his letter for parsing (although it may be too old now) to find out who his abuse desk is. Regards, Michael From nobody at spamcop.net Tue Jun 1 11:40:09 2004 From: nobody at spamcop.net (indigo) Date: Tue Jun 1 10:45:04 2004 Subject: [SpamCop-List] Re: Compromised computer(s) or Yahoo account? References: Message-ID: Mike Easter wrote: > -- I'm going to say that some other comcast user, perhaps an > acquaintance perhaps not, is the source of the spam which has your > addy in the bogus From. Well, that's not really what I'm seeing. It's not that my addy is in the "from" line, the spam is present in my yahoo "sent mail" folder! > > Just commenting on the geography of it, besides MD; the IP you posted > with here 216.111.114.195 [a swales] is 'theoretically' located > somewhere around Beltsville MD and Beltsville is in the Wash DC > 'environs' NE 'toward' Baltimore, but much more like the 'loop' around > DC; whereas our source 68.55.224.2 which looks like an Elkridge but > 'calculates' to be more like Columbia MD, might be figgered to be > between those two. And, while that is SW of Baltimore 'toward' DC - > the two IPs do seem to be some miles apart 'theoretically'. > Gee Columbo, why dontcha post my house address while you're at it? ;-) The two servers are roughly 20 miles apart, one is Qwest, one is Comcast...lucky me, huh? Qworst and Spamcast....... > Also, it is logical that you might have an acquaintance in that > proximity and that the acquaintance might also be comcast and that the > acquaintance's 'box' [in the computer sense ;-) ] might provide a > trojanizing virm access to your eml addy. Doubtful.....I've never sent or recieved email to that yahoo addy from Comcast (or vice-versa) from anyone but myself. From nobody at spamcop.net Tue Jun 1 11:40:53 2004 From: nobody at spamcop.net (indigo) Date: Tue Jun 1 10:45:07 2004 Subject: [SpamCop-List] Re: Compromised computer(s) or Yahoo account? References: Message-ID: LioNiNoiL_a t_Y a h 0 0_d 0 T_c 0 m wrote: > > I know the type: our beautiful blonde daughter kept installing Kazaa > on my wife's computer for a couple months, giving rise to many > viruses, worms, adwares, spywares, and zombots. Sounds like this lady > did the same, and now has an e-mail zombot with your addy as a > 'sender' on its list, among many others, no doubt. Still doesn't explain how the spam shows up in *my* sent mail folder..... From Nobody at spamcop.net Tue Jun 1 10:46:20 2004 From: Nobody at spamcop.net (Nobody) Date: Tue Jun 1 10:50:04 2004 Subject: [SpamCop-List] Re: Spammer Letter to SpamCop References: <40B69162.2C0C9DC2@spamcop.net> <6jgdb0hui29hebvimaar9dsihvrk3j14a6@4ax.com> Message-ID: <40BC96BC.2D1ABDBC@spamcop.net> SpamCop Admin wrote: > > Nobody wrote: > > >-I suppose SpamCop admins need something from me by way of corroboration or a reply, which would be why they sent the spammer's beef letter on through my numbered reporting account. > > Forwarding is automatic. Nobody but you has seen the message. > > I would like a copy of the entire message for my records if you still > have it. You can add your comments if you like. > > - Don - Dear Don, See my e-mail reply. Best wishes, Michael From MikeE at ster.invalid Tue Jun 1 08:49:41 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jun 1 10:55:03 2004 Subject: [SpamCop-List] Re: I'm leaving spamcop.... References: Message-ID: Anonym@us.com wrote: >> Annie wrote: >> Failing to do good trimming creates all kinds of problems, whether >> the replying is at the top, bottom, or inline; different problems >> with different placement of the untrimmed reply. It's the lack of >> trimming that is the real problem. Annie may not be happy with that cite looking like she said that. It's actually my cite which I subsequently corrected re the toppost, which stereotypically is not trimmed. However, now that I'm 'reclaiming' that cite, I would correct the correction to keep the original, because even the stereotypical untrimmed toppost creates problems by 'bottom heavy mass' and also some wily well trained trimmers apparently do trim even when topposting. > You know what we need? A newsreader that will let you select all the > relevant parts from a previous post, then inline them into a new post > in the order they were selected. That way, trimming is easy, and you > do inline posting automatically. I doubt that I would use such a feature as stated. I think the relevant parts should remain in the same 'sequence' or order as the original so that the inline is still in the 'original' line sequence. However, I can imagine that such a feature you're describing would help with the proper reformatting of citations. Currently I have to do a little bit by hand even tho' I'm using OE QuoteFix. BTW - I saw your webpage from the link in the spammerslammer -- Mike Easter From Merlyn at Spamcop.net Tue Jun 1 12:04:19 2004 From: Merlyn at Spamcop.net (Merlyn) Date: Tue Jun 1 11:10:05 2004 Subject: [SpamCop-List] Re: Today Ralsky Inc. uses: 1hbedomain.com, r1g4t2you.com; DNS: marketing88.net, nsmarkk1.net, 010mrktt.net References: Message-ID: "Karl-Josef Ziegler" wrote in message news:c9i3o2$21c$1@news.spamcop.net... > most domains now registered (via RegisterFly) through Joker > AKA CSL at Duesseldorf, Germany: > > > domain: 1hbedomain.com > 218.65.86.48 > status: production > organization: Gratt Ent. Ltd > owner: Robert Grattton > email: robgratton__123@hotmail.com > address: 854 Liennen Street > city: St-Kalix > postal-code: 5954475 > country: AG > admin-c: robgratton__123@hotmail.com#0 > tech-c: robgratton__123@hotmail.com#0 > billing-c: robgratton__123@hotmail.com#0 > nserver: ns1.marketing88.net [snipped] Looks like 218.65.86.0/24 belongs to Peter Francis-Macrae Well known Rokso spammer. http://www.spamhaus.org/sbl/sbl.lasso?query=SBL11848 -- Regards, Merlyn A Spamcop advocate No emails this account is for newsgroups only People demand freedom of speech to make up for the freedom of thought which they avoided From ob1db at spamcop.net Tue Jun 1 12:18:03 2004 From: ob1db at spamcop.net (David Butler) Date: Tue Jun 1 11:20:05 2004 Subject: [SpamCop-List] Re: parser change gone overboard: only 2 links but only NS reports References: Message-ID: "Cat" wrote in message news:c9hleh$laa$1@news.spamcop.net... > David Butler wrote: > > > Respond in .help > > Um, ya knw, I might have been more inclined to think you posted spam in > the wrong group accidentally the last time you did this, but you seem to > make a regular habit of not bothering to pay attention to where you're > posting anything. With your regular habit of posting spam in the wrong > group and not posting routing requests in .routing, it almost seems like > you're posting in whatever group you feel like posting at the moment > with an apparent total disregard to what each group is for. I thought > maybe the last spam posting in a non-spam group might have been an > accident, but it seems like you're posting to the wrong groups on > purpose now. If you really are that absent-minded, then maybe you need > to think a little harder about what you're doing before you hit the send > button and make sure you post to the right group next time or just don't > post when you're half-asleep. I really hope you don't use this same > half-assed attitude with spam complaints. > Latenight error, sorry. As far as I know, I have been posting routing issues in routing for months: what are you referring to ? Gonna try to cancel this one... SHEESH From MikeE at ster.invalid Tue Jun 1 09:18:12 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jun 1 11:20:13 2004 Subject: [SpamCop-List] Re: Compromised computer(s) or Yahoo account? References: Message-ID: indigo wrote: > Mike Easter wrote: >> -- I'm going to say that some other comcast user, perhaps an >> acquaintance perhaps not, is the source of the spam which has your >> addy in the bogus From. > > Well, that's not really what I'm seeing. It's not that my addy is in > the "from" line, the spam is present in my yahoo "sent mail" folder! I think I don't know enough about how it works to have a yahoo account or how you are configured to use it to be at all helpful. One would have to imagine some kind of 'magic' way that a mail 'appears' in your yahoo sent folder with a Received headerline such as you posted here earlier. When I send mail from a 'normal' kind of mail useragent, ie OE to my provider's smtp server and that item goes into my Sent fail folder it doesn't have *any* Received line because it hasn't been involved in any smtp transactions yet, ie it is 'getting ready to' get its first Received trace line when it gets to the smtp server I'm sending it to. So, obviously not only does my Sent mail not have a Received line, but of course my IP doesn't appear there. Or, stated another way, my Sent mail has no tracing information because it hasn't been anywhere smtp yet. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Tue Jun 1 09:21:59 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jun 1 11:25:03 2004 Subject: [SpamCop-List] Re: Compromised computer(s) or Yahoo account? References: Message-ID: Mike Easter wrote: > One would have to imagine some kind of 'magic' way that a mail > 'appears' in your yahoo sent folder with a Received headerline such > as you posted here earlier. I guess the magic way would be if you are a trojan and create a mail with a pre-existing Received line and use your yahoo to send it. -- Mike Easter kibitzer, not SC admin From pobox.spamcop at kronatech.net Tue Jun 1 09:31:14 2004 From: pobox.spamcop at kronatech.net (KronaTech) Date: Tue Jun 1 11:35:04 2004 Subject: [SpamCop-List] Re: [media] "When Software Fails to Stop Spam, It's Time to Bring In the Detectives" References: Message-ID: "Skiwi" wrote in message news:c9i2lj$156$1@news.spamcop.net... > http://www.nytimes.com/2004/05/31/technology/31spam.html > > "Sterling McBride spends a lot of time waiting for spammers to make a > mistake. They usually do. > [...] > Hehehehehe... Immortalized for skiwi. Can't see that one without registering. http://www.kronatech.com/storage/scart.html -or- http://www.kronatech.com/storage/bring-in-the-detectives.pdf -K From tfm3 at nospam.teleproc.com Tue Jun 1 11:38:05 2004 From: tfm3 at nospam.teleproc.com (Thomas Mooney) Date: Tue Jun 1 11:40:02 2004 Subject: [SpamCop-List] Re: Turnaround performance problem References: Message-ID: Thomas Mooney wrote: > There was a time (not so long ago) where the auto-responder reply > would appear within minutes of submission. Sometimes it was as quick > as 1-2 minutes, sometimes as long as 10-20 minutes. > > Today the responses I'm receiving are averaging 5 hours. Five hours! > When I look at the SpamCop statistics pages, it appears things are > running about normal. Does anybody have a clue why turnaround has > slowed so much? > > Curious, It seems to be getting worse. My most recent submission took over 7 hours to process. 2:40 CDT - a piece of spam arrives at my server 3:17 CDT - I submit the spam to SpamCop 10:27 CDT - the AutoResponder message arrives 10:32 CDT - I process the spam and am told it is 7 hours old - no kidding! -- TFM3 Note: Spam-resistant e-mail address From Nobody at SpamCop.net Tue Jun 1 11:52:23 2004 From: Nobody at SpamCop.net (Nobody) Date: Tue Jun 1 11:55:03 2004 Subject: [SpamCop-List] Re: Blocked Emails References: <01c444ed$a6b47a00$LocalHost@default> Message-ID: <40BCA637.77C1F997@SpamCop.net> Joe wrote: > > Thanks to all who have replied, in whatever manner that the reply has been > sent. > > The situation is that I came here seeking help as to how I can overcome the > problems that we are having getting our emails to our members, and although > you say that it is not the fault of Spam cop it is interesting to note that > there are only two servers that our emails are rejected on and both of > these, although different, for instance, user@iinet.net.au and > user@tassie.net.au are both one and the same company. > > I contacted iinet and they lay the blame for the trouble squarely on the > shoulders of Spam Cop.I have checked our database and over 600 members use > 47 different mail servers, but it is interesting to see that we only have > trouble with the two abovementioned ones. > > > Believe me, I have been in touch with our ISP so they are well aware of what > is happening, including the reference to the criminal element > > To the people that complain about top posting, that is the way that I like > it as I find it more of a nuisance to scroll to the bottom of the page when > what I want to see is at the top and clearly visible. > > > -- > Regards > Joe > Tasmania Joe, It would seem to this humble user and kibitzer that your ISP knows far more than they are telling you, and that you've been dealt with less than candidly by people at various ISP's in the Telstra family. The main problem with spam is that spammers provide cash flow to hungry ISP's, which leads to ethical weakness at financially- or ethically-challenged ISP's. Some of the worst examples are here in the States, and avidity for spammers' cash is at the bottom of it, so nobody is crusading against your ISP or pointing fingers out of prejudice or animus. Spam is where spam is, and the fact that your ISP winds up on blocklists means that they're taking the money. Given that they are continuing to entertain spammers, it suddenly becomes obvious why they might be less than candid with *you* when you call up asking awkward questions, and seek to deflect your ire onto SpamCop. One, it gets you off their telephone, and two, it puts pressure on the blocklist keepers to blame them. The source of the problem really is your ISP, and they're not being straight with you. And about the posting-order issue, I've learned to post inline since that's what makes people happy. It's just the way the Net has evolved -- people don't call other people on the telephone after 11, and posters on the BBS system post inline. Nothing personal. Good luck with your mailing-list problem, "Nobody" From eddie at eddie.web Tue Jun 1 12:55:25 2004 From: eddie at eddie.web (eddie) Date: Tue Jun 1 12:00:04 2004 Subject: [SpamCop-List] Re: russian spam from china and a Suggestion to SC References: Message-ID: On Tue, 01 Jun 2004 02:15:36 -0700, Mike Easter scratched out the following: snip > I think you are just feeling frustrated because you don't realize that the > devnuls count. Yes, I didn't know that they counted, so I will continue what I have been doing. I surmised that a devnul was uncounted. Thanks From Nobody at SpamCop.net Tue Jun 1 12:03:12 2004 From: Nobody at SpamCop.net (Nobody) Date: Tue Jun 1 12:05:05 2004 Subject: [SpamCop-List] Re: Spammer Letter to SpamCop References: <40B69162.2C0C9DC2@spamcop.net> Message-ID: <40BCA8C0.4BDD330C@SpamCop.net> Thanks, everyone, for the comments and practical assistance. I appreciate it. "Nobody" From MikeE at ster.invalid Tue Jun 1 10:05:43 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jun 1 12:10:03 2004 Subject: [SpamCop-List] Re: [media] "When Software Fails to Stop Spam, It's Time to Bring In the Detectives" References: Message-ID: KronaTech wrote: > Immortalized for skiwi. Can't see that one without registering. > http://www.kronatech.com/storage/bring-in-the-detectives.pdf I know you're just 'playing' with this stuff, but I'll give some editorial feedback anyway. Realize that this 'kibitzer' has no pdf experience, but I do save a lot of things a lot of different ways. First, you didn't get the whole article, just the first 'page' as it appeared in the NYT. It would've been better to use the NYT's 'print the article' feature over on the R side to get it all onto one page first. That would've also gotten rid of all of that 'junk' at the top, bottom, and all around. Then, with it in that print 'condition' I guess you would print to pdf but I don't know much about that. If there was some intermediate step that I don't know about it would work the same way on the html of the NYT print page as it did on the html of the NYT Technology article page1. Secondly, there's the issue of the 'inefficiency' of pdf. The pdf you have is 186k which doesn't have the goodsized picture of McBride and Cranton at the map, which does add some 'color' to the article, and is also missing the 2nd page as mentioned. If I save the entire article, not just the first page, as txt it is 5K. If I add the .jpg pic as it appeared on the first page of the article it adds 25K. I could make a doc file that looks just like the original article without too much overhead if I were inclined to do it that way, which I almost never am. The main thing I would be inclined to do with a 'real' pdf tool other than Reader would be to get things out of pdf format. pdf is a great way to be able to 'pass around' something to enable it to be printed nicely; but it isn't a particularly good way to 'look at' something, ie to navigate around the article. There are other formats which do that much better, even including .doc files. Nowadays the MS doc file is so widely usable by /n/x, Mac, and other users that I'm not sure it wouldn't be just as universal as pdf and easier to work with for many purposes. Then, there are others who would prefer to use html and its variants. -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Tue Jun 1 13:06:56 2004 From: nobody at spamcop.net (indigo) Date: Tue Jun 1 12:10:08 2004 Subject: [SpamCop-List] Re: Compromised computer(s) or Yahoo account? References: Message-ID: Mike Easter wrote: > Mike Easter wrote: > > One would have to imagine some kind of 'magic' way that a mail > > 'appears' in your yahoo sent folder with a Received headerline such > > as you posted here earlier. > > I guess the magic way would be if you are a trojan and create a mail > with a pre-existing Received line and use your yahoo to send it. Possible, but I run MacAffee AV, Spybot and Ad-aware religiously........ From nobody at spamcop.net Tue Jun 1 10:18:49 2004 From: nobody at spamcop.net (TheWanderer™) Date: Tue Jun 1 12:20:02 2004 Subject: [SpamCop-List] Re: 8-bit characters in headers (was Re: Ping-Tim McGraw) References: Message-ID: Thanks "Jim Seymour" wrote in message news:c92sd3$22v$1@news.spamcop.net... > TheWanderer™ wrote: > > [...] > > Completely off-topic... > > The name you're using in your "From" line has a non-ASCII character in > it - and, as such, violates RFC2822. If you send email out like this, > there will be some mail servers (mine included) that will reject your > message. > > Just thought you'd like to know... > > -- > Jim Seymour. > I do not work for Spamcop, I did not write pflogsumm, > and I never wrote for PC Magazine. From ric.gates at bigsleep.org Tue Jun 1 18:17:28 2004 From: ric.gates at bigsleep.org (Blammo) Date: Tue Jun 1 13:20:14 2004 Subject: [SpamCop-List] Re: What am I missing? References: Message-ID: On 01 Jun 2004 John E. Malmberg entered spamcop and left news:EcAkDiknp33j@eisner.encompasserve.org: > Other companies are suffering from problems caused by their employees > that will not follow corporate access rules and the company does not > want to, or through contractual reasons, use disiplinary actions. That's a totally different issue, companies can restrict their employies all they want, just as parents can restrict their kids. Otherwise I don't agree that blocking access to sites will accomplish anything, constructive anyway. The last thing we need is "Internet Police" because that's exactly what it amounts to. Choosing to connect to an address is not nearly the same as choosing not to allow in incoming connection. -- | Ric | From no.spam at hotmail.com Tue Jun 1 20:22:54 2004 From: no.spam at hotmail.com (Volker Lauke) Date: Tue Jun 1 13:25:03 2004 Subject: [SpamCop-List] Re: Turnaround performance problem References: Message-ID: "Thomas Mooney" schrieb im Newsbeitrag news:c9h3dp$7ku$1@news.spamcop.net... > There was a time (not so long ago) where the auto-responder reply would > appear within minutes of submission. Sometimes it was as quick as 1-2 > minutes, sometimes as long as 10-20 minutes. > > Today the responses I'm receiving are averaging 5 hours. Five hours! When > I look at the SpamCop statistics pages, it appears things are running about > normal. Does anybody have a clue why turnaround has slowed so much? > > Curious, > > -- > TFM3 > > Note: Spam-resistant e-mail address Yes it is worse and unacceptable. I paid 15 US$ and have to wait sometimes 5 to 10 minutes. If this is going on I will stop reporting to SpamCop because I do not have the time. Volker From pobox.spamcop at kronatech.net Tue Jun 1 11:25:35 2004 From: pobox.spamcop at kronatech.net (KronaTech) Date: Tue Jun 1 13:30:03 2004 Subject: [SpamCop-List] Re: [media] "When Software Fails to Stop Spam, It's Time to Bring In the Detectives" References: Message-ID: "Mike Easter" wrote in message news:c9i9hn$9ps$1@news.spamcop.net... > First, you didn't get the whole article, just the first 'page' as it > appeared in the NYT. It would've been better to use the NYT's 'print Actually I didn't even notice the links for further pages. Saw the last paragraph on the page and 'assumed' that was it, since it had a footer. > If I save the entire article, not just the first page, as txt it is 5K. > If I add the .jpg pic as it appeared on the first page of the article it > adds 25K. I could make a doc file that looks just like the original > article without too much overhead if I were inclined to do it that way, > which I almost never am. The main thing I would be inclined to do with > a 'real' pdf tool other than Reader would be to get things out of pdf > format. Kind of the price we pay for cross-platform edition/viewing/printability. > pdf is a great way to be able to 'pass around' something to enable it to > be printed nicely; but it isn't a particularly good way to 'look at' > something, ie to navigate around the article. There are other formats > which do that much better, even including .doc files. Depending on which program created the .doc files, and what platform that program runs on. > Nowadays the MS > doc file is so widely usable by /n/x, Mac, and other users that I'm not > sure it wouldn't be just as universal as pdf and easier to work with for > many purposes. PDF offers security, in selecting exactly what you want to allow users to do with the document. It can be locked so that the properties cannot be changed, locked so that the content cannot be changed, locked so that content cannot be copied/pasted, it can be encrypted, default to a particular view when opened (fit width, include index), etc. etc. There's probably quite a few things you were not aware could be done with acrobat. You should give the creator a shot and see how you like it after seeing all the settings. They probably seem pretty transparent to people who use only the reader. I'll see if I can work around the other pages on that url, instead of just removing the pdf. -K From wb8tyw at qsl.network Tue Jun 1 13:27:49 2004 From: wb8tyw at qsl.network (John E. Malmberg) Date: Tue Jun 1 13:30:06 2004 Subject: [SpamCop-List] Re: Blocked Emails References: <01c444ed$a6b47a00$LocalHost@default> <40BCA637.77C1F997@SpamCop.net> Message-ID: In article <40BCA637.77C1F997@SpamCop.net>, Nobody writes: > > It would seem to this humble user and kibitzer that your ISP knows far > more than they are telling you, and that you've been dealt with less > than candidly by people at various ISP's in the Telstra family. > > The main problem with spam is that spammers provide cash flow to hungry > ISP's, which leads to ethical weakness at financially- or > ethically-challenged ISP's. Some of the worst examples are here in the > States, and avidity for spammers' cash is at the bottom of it, so nobody > is crusading against your ISP or pointing fingers out of prejudice or > animus. Spam is where spam is, and the fact that your ISP winds up on > blocklists means that they're taking the money. No, it is even more stupid than that. For a broadband ISP, permitting zombied machines to remain sending spam is a cash drain. To make up for the cash drain, they must charge more to their customers, cut back services, or make less money for their stockholders. This in addition to other networks refusing to accept e-mail from I.P. addresses that send spam. For a network sort the spam from real mail by other than the I.P. address the stuff is coming from, significantly increases the cost of operating the receiving mail server. Why should a receiving mail server incur expenses because the sending network can not keep their house in order? > > The source of the problem really is your ISP, and they're not being > straight with you. -John wb8tyw@qsl.network Personal Opinion Only From eddie at eddie.web Tue Jun 1 14:36:12 2004 From: eddie at eddie.web (eddie) Date: Tue Jun 1 13:40:03 2004 Subject: [SpamCop-List] Re: [media] "When Software Fails to Stop Spam, It's Time to Bring In the Detectives" References: Message-ID: On Tue, 01 Jun 2004 10:25:35 -0700, KronaTech scratched out the following: > snip > PDF offers security, in selecting exactly what you want to allow users to > do with the document. It can be locked so that the properties cannot be > changed, locked so that the content cannot be changed, locked so that > content cannot be copied/pasted, it can be encrypted, default to a > particular view when opened (fit width, include index), etc. etc. you can even make it non-printable, in addition to the copying and pasting. From me at privacy.net Tue Jun 1 14:34:15 2004 From: me at privacy.net (Frog Prince) Date: Tue Jun 1 13:40:11 2004 Subject: [SpamCop-List] Re: [media] "When Software Fails to Stop Spam, It's Time to Bring In the Detectives" References: Message-ID: "KronaTech" | Kind of the price we pay for cross-platform edition/viewing/printability. | | > pdf is a great way to be able to 'pass around' something to enable it to | > be printed nicely; but it isn't a particularly good way to 'look at' | > something, ie to navigate around the article. There are other formats | > which do that much better, even including .doc files. | | Depending on which program created the .doc files, and what platform that | program runs on. | | > Nowadays the MS | > doc file is so widely usable by /n/x, Mac, and other users that I'm not | > sure it wouldn't be just as universal as pdf and easier to work with for | > many purposes. | | PDF offers security, in selecting exactly what you want to allow users to do | with the document. It can be locked so that the properties cannot be | changed, locked so that the content cannot be changed, locked so that | content cannot be copied/pasted, it can be encrypted, default to a | particular view when opened (fit width, include index), etc. etc. | | There's probably quite a few things you were not aware could be done with | acrobat. You should give the creator a shot and see how you like it after | seeing all the settings. They probably seem pretty transparent to people who | use only the reader. | | I'll see if I can work around the other pages on that url, instead of just | removing the pdf. I for one HATE PDF as it is (at the very minimum) very difficult to use, is a memory hog and the files are just too big. Did I mention slow? My former company spent big bucks on a document management program based on PDF to avoid hard copy. Not only would no one use it no one could use it unless it was printed to hard copy. Took them about 6 weeks to dump the entire thing. From pobox.spamcop at kronatech.net Tue Jun 1 11:45:13 2004 From: pobox.spamcop at kronatech.net (KronaTech) Date: Tue Jun 1 13:50:02 2004 Subject: [SpamCop-List] Re: [media] "When Software Fails to Stop Spam, It's Time to Bring In the Detectives" References: Message-ID: "KronaTech" wrote in message news:c9ie6b$e58$1@news.spamcop.net... > I'll see if I can work around the other pages on that url, instead of just > removing the pdf. Fixed. Hit the refresh button if it's cached in your browser. -K From pobox.spamcop at kronatech.net Tue Jun 1 11:49:47 2004 From: pobox.spamcop at kronatech.net (KronaTech) Date: Tue Jun 1 13:50:08 2004 Subject: [SpamCop-List] Re: [media] "When Software Fails to Stop Spam, It's Time to Bring In the Detectives" References: Message-ID: "Mike Easter" wrote in message news:c9i9hn$9ps$1@news.spamcop.net... > Secondly, there's the issue of the 'inefficiency' of pdf. The pdf you > have is 186k which doesn't have the goodsized picture of McBride and > Cranton at the map, which does add some 'color' to the article, and is > also missing the 2nd page as mentioned. 94k now (after having paid attention - skipping certain tables, ads). That okay Mike, or am I breaking your bandwidth 8) -K From nobody at spamcop.net Tue Jun 1 13:55:15 2004 From: nobody at spamcop.net (Miss Betsy) Date: Tue Jun 1 14:00:02 2004 Subject: [SpamCop-List] Re: What am I missing? References: Message-ID: "Socks the white house cat" wrote in message news:Xns94FB4E587159agent01413mydejacom@216.154.195.61... > > I agree. IMHO, ISP's have missed the boat in telling the average > > user about blocking and its advantages. > > > > As dumb as the average user is, half of them are even dumber. I am not going to disagree with that. But, because of that, a good pr campaign can get them to believe almost anything. And the small amount of educated consumers /have/ changed the way that some companies do things. > > I'd love to market that capability. The result though will be an > innundation of spam, forwarded without expanded headers, sent by well > meaning users intending to assist your abuse desk with their fight. > > I know. I've tried it. Although I would think that with all the clever filters out there, that an abuse report desk (not the same thing as the regular abuse desk) could filter all the garbage people send into usuable portions, that's not what I was proposing this time. My proposal was just the use of existing blocklists. Miss Betsy From MikeE at ster.invalid Tue Jun 1 11:57:59 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jun 1 14:00:09 2004 Subject: [SpamCop-List] Nameserver notification Message-ID: This might seem like a .routing issue, but the traditonal role of routing isn't to discuss the 'how' and 'why' of the parser's notification algorithm, so I think I'll put it into this generic ng. I'll discuss one notify from a generic point of view www.spamcop.net/sc?id=z507657224z1f27f0d98e7f5e43bb9c0c54bab5a025z The links were... Resolving link obfuscation http://ctxeswdtbtyqsr.spraut.biz host 61.183.59.113 (getting name) no name http://qwdpquqbrlgkbl.spraut.biz host 61.183.59.113 (getting name) no name http://wtsvyqcryzv.spraut.biz host 61.183.59.113 (getting name) no name http://syknyjdhgo.spraut.biz host 61.183.59.113 (getting name) no name http://gefrbbagdaa.spraut.biz host 61.183.59.113 (getting name) no name and then the strategy became... spraut.biz has multiple subdomains Name service for this domain is supplied by ns0.misteryxx.biz. ns1.bpnsman.info. ns1.misteryxx.biz. ns2.bpnsman.info. ns2.misteryxx.biz. ns0.bpnsman.info. Nameserver IPs: 61.128.198.10 200.165.177.171 194.106.198.7 61.128.198.11 194.106.198.8 61.183.59.113 BTW if you go to dnsstuff and putin spraut, you see that its DNS timing report card sez F for various reasons that have to do with how its nameservice is handled. http://www.dnsstuff.com/tools/dnstime.ch?name=spraut.biz&type=A That link is also 'nice' to look at because it gives you a nice picture of the nameservers for spraut, better and easier than it is for me to see with SSwin's dig function. In any case, if I were going to notify about the spraut problem the old fashioned way, I would start with... inetnum: 61.183.56.0 - 61.183.61.255 netname: CHINANET-HB-JZ3 descr: The Chinanet network in Jinzhou ,Hubei province trouble: send spam reports to spam_jz@jzinfo.com trouble: and abuse reports to abuse_jz@jzinfo.com trouble: send spam reports to spam_hb@public.wh.hb.cn trouble: and abuse reports to abuse_hb@public.wh.hb.cn whois -h whois.abuse.net jzinfo.com ... abuse_wh@jzinfo.com anti-spam@ns.chinanet.cn.net postmaster@jzinfo.com spam_jz@jzinfo.com (for jzinfo.com) whois -h whois.abuse.net public.wh.hb.cn ... abuse_hb@public.wh.hb.cn postmaster@dc.wh.hb.cn postmaster@public.wh.hb.cn spam_hb@public.wh.hb.cn anti-spam@ns.chinanet.cn.net postmaster@wh.hb.cn ...I'm not saying SC should be notifying all of these dudes, I'm just building a base. Then, I check in openrbl and find but senderbase sez that it is spamhaus listed, so I would go upstream. I don't want to fool with all of the AS business because openrbl's links for that aren't available just now, but we can imagine what the upstream for a chinanet looks like. Now, let's go back to the nameservice problem. I'm not sure that SC should be trying to target the provider for the nameservice on the basis of its IP netblock, which looks like it doesn't work very well, since we end up at ripe base ops twice. Also, SC's determination of the nameservice doesn't actually determine which of the nameservers are 'operational' only those which are *listed*. Their operational condition is something else again. Also, notice that SC doesn't actually target *all* the nameservers, but just an arbitrary 3 of them. In this case it picks 61.128.198.10 200.165.177.171 194.106.198.7 which is not bad representation, considering what we see at dnsstuff. Two of those are at ripe and one at .br nic-hdl-br: CGR13 person: Centro de Gerencia de Rede TELEMAR e-mail: abuse@TELEMAR.NET.BR I still don't know where SC got the addy mp@disan.net for the ripe situation [which I didn't post, it's a mess you can see in the SC tracker], I guess from some secret addy stash somewhere. disan is reg'd... whois -h whois.joker.com disan.net ... domain: disan.net status: production owner: Michael Petrusha email: michael@mental.kiev.ua address: 365 E highline Cir city: Littleton state: CO I don't really know what that is all about. .ua of course is the Ukraine. So, here we have SC deciding that these 5 spraut subdomains are too many or not the right way to be notifying about, since it is more than one, and instead deciding to notify the nameservice, which totals 10 different IP numbers with 8 different names in 3 different families. The algorithm somehow cleverly does notify all 3 different families, which is pretty smart, but that leaves me troubled about several things. I think the thing that I would like to be reassured about is whether or not the 'original' spamvertised sites are going to the statistics page at Spamvertised Websites http://www.spamcop.net/w3m?action=inprogress&type=www because that is where surbl is scraping things for its blocklist. There are a few other things which puzzle me about the philosophy of nameservice notification as it is performed by an algorithm which doesn't actually test which nameservice is operational. If SC is going to target the nameservice, shouldn't it know which one [or more] answers the call for nameservice, rather than just arbitrarily picking one or 3. Everyone know that the same spamvertisers who are 'weird' about how they put links in spam are also weird about how they handle their nameservice. -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Tue Jun 1 14:00:44 2004 From: nobody at spamcop.net (Miss Betsy) Date: Tue Jun 1 14:05:02 2004 Subject: [SpamCop-List] OT enough crimp in spammer techniques? References: Message-ID: "John E. Malmberg" wrote in message news:EcAkDiknp33j@eisner.encompasserve.org... > After a spamvertised domain gets revoked, > it seems to take the spammer about 72 hours to put a new URL in it. Funny, I got a phone call about 'reduced prices' on the very model number of the printer I use. I asked them about a website, but he said that it was 'temporarily' down. Are anti-email spam tactics driving the spammers back to telemarketing? Miss Betsy From MikeE at ster.invalid Tue Jun 1 12:03:13 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jun 1 14:05:10 2004 Subject: [SpamCop-List] Re: [media] "When Software Fails to Stop Spam, It's Time to Bring In the Detectives" References: Message-ID: eddie wrote: > KronaTech >> PDF offers security, in selecting exactly what you want to allow >> users to do with the document. It can be locked so that the >> properties cannot be changed, locked so that the content cannot be >> changed, locked so that content cannot be copied/pasted, it can be >> encrypted, default to a particular view when opened (fit width, >> include index), etc. etc. > > you can even make it non-printable, in addition to the copying and > pasting. Those are all very good points that I hadn't considered for those who desire those security features. Generally I'm trying to defeat .pdf security ;-) OK. I will accept that in many situations, the .pdf is a smart way to provide a document in which you want those security features. I've already given it some kudos for its printing qualities. -- Mike Easter kibitzer, not SC admin From dkona7b02 at sneakemail.com Tue Jun 1 15:14:49 2004 From: dkona7b02 at sneakemail.com (Spam Hater) Date: Tue Jun 1 14:14:54 2004 Subject: [SpamCop-List] Re: [media] "When Software Fails to Stop Spam, It's Time to BringIn the Detectives" In-Reply-To: References: Message-ID: <3.0.5.32.20040601141449.0153cd48@loki.fstrf.org> Actually, if the original poster had used the Print feature of the website and posted that URL instead, I think it bypasses the whole login sequence and Krona wouldn't have had to bother archiving it in the first place... :) At 10:25 AM 6/1/2004 -0700, KronaTech typed: >"Mike Easter" wrote > >> First, you didn't get the whole article, just the first 'page' as it >> appeared in the NYT. It would've been better to use the NYT's 'print > >Actually I didn't even notice the links for further pages. Saw the last >paragraph on the page and 'assumed' that was it, since it had a footer. From tmcgraw at spamcop.net Tue Jun 1 12:10:04 2004 From: tmcgraw at spamcop.net (Tim McGraw) Date: Tue Jun 1 14:15:04 2004 Subject: [SpamCop-List] Re: What am I missing? References: Message-ID: <40BCC67C.9000600@spamcop.net> Blammo wrote: > On 31 May 2004 lt entered spamcop and left > news:c9gt5e$2tp$1@news.spamcop.net: > >>AOL has already started, why are they alone in this >>effort. > > Maybe AOL is the only company that feels they need to protect idiots. s/idiots/their network From MikeE at ster.invalid Tue Jun 1 12:17:46 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jun 1 14:20:04 2004 Subject: [SpamCop-List] Re: [media] "When Software Fails to Stop Spam, It's Time to Bring In the Detectives" References: Message-ID: KronaTech wrote: > 94k now (after having paid attention - skipping certain tables, ads). > That okay Mike, or am I breaking your bandwidth 8) Ooh, you went to all the trouble of 'doc/ing' it so that you could get that pic in there. Very good. But, you know the kibitzer is still going to have something to say, right? ;-) I'm not saying this to try to get you to do it, but just to kibitz, you know. Why not copy and paste the print page, which would retain the NYT 'format' and fonts, etc and also do it 'quickly' into the MSWord doc, but would be missing the 'front' pic, and then paste the pic into the appropriate spot in that doc. Then generate or 'distill' the .pdf from the doc, and the resultant would look like the original article. That is, I /think/ the clipboard would retain the NYT condition when you pasted it. I mean, if we're copyright bending, we might as well do it up right ;-) Of course, your .pdf arguments are very sound there, in the 'copying' arena. You could 'lock it up' so as to only show it to someone who wasn't going to make noise about such as that. Of course, you could ziplock a doc, but that's not quite the same thing of course. But, in this security business, Adobe has been taken to task in the past about holes in their security. I don't know the current status of all that. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Tue Jun 1 12:21:37 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jun 1 14:25:03 2004 Subject: [SpamCop-List] Re: [media] "When Software Fails to Stop Spam, It's Time to BringIn the Detectives" References: Message-ID: Spam Hater wrote: > Actually, if the original poster had used the Print feature of the > website and posted that URL instead, I think it bypasses the whole > login > sequence and Krona wouldn't have had to bother archiving it in the > first place... :) I'm not sure about that. I think that in the past I've sent the print page link to a friend who wasn't registered and they didn't get there. But then that friend sometimes gets thrown off if the link gets wrapped, so that example doesn't really count. I'll have to test it out, but I've got the appropriate cookie on 3 different boxes here, so I would have to clean one up. -- Mike Easter kibitzer, not SC admin From dkona7b02 at sneakemail.com Tue Jun 1 15:35:55 2004 From: dkona7b02 at sneakemail.com (Spam Hater) Date: Tue Jun 1 14:36:02 2004 Subject: [SpamCop-List] Re: [media] "When Software Fails to Stop Spam, It's Time toBringIn the Detectives" In-Reply-To: References: Message-ID: <3.0.5.32.20040601143555.010481e0@loki.fstrf.org> If you can access the article, just post the print URL here and we can test to see if it works or not... :) IIRC, it has worked for me in the past. At 11:21 AM 6/1/2004 -0700, Mike Easter typed: >Spam Hater wrote: >> Actually, if the original poster had used the Print feature of the >> website and posted that URL instead, I think it bypasses the whole >> login >> sequence and Krona wouldn't have had to bother archiving it in the >> first place... :) > >I'm not sure about that. I think that in the past I've sent the print >page link to a friend who wasn't registered and they didn't get there. >But then that friend sometimes gets thrown off if the link gets wrapped, >so that example doesn't really count. > >I'll have to test it out, but I've got the appropriate cookie on 3 >different boxes here, so I would have to clean one up. From MikeE at ster.invalid Tue Jun 1 12:45:25 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jun 1 14:50:04 2004 Subject: [SpamCop-List] Re: [media] "When Software Fails to Stop Spam, It's Time toBringIn the Detectives" References: Message-ID: Spam Hater wrote: > If you can access the article, just post the print URL here and we can > test to see if it works or not... :) IIRC, it has worked for me in > the past. This is the 'regular' print one, very clean, no pic. http://www.nytimes.com/2004/05/31/technology/31spam.html?pagewanted=prin t&position= This is the 'single page' one, some NYT html junk, but it has the pic. And, it goes off into that 'page wanted' place like the print one does http://www.nytimes.com/2004/05/31/technology/31spam.html?pagewanted=all& position= And, of course, this is the original page for comparison http://www.nytimes.com/2004/05/31/technology/31spam.html -- Mike Easter kibitzer, not SC admin From wb8tyw at qsl.network Tue Jun 1 15:03:57 2004 From: wb8tyw at qsl.network (John E. Malmberg) Date: Tue Jun 1 15:05:02 2004 Subject: [SpamCop-List] Re: What am I missing? References: Message-ID: <$UCIlxakjTVd@eisner.encompasserve.org> In article , Blammo writes: > > Otherwise I don't agree that blocking access to sites will accomplish > anything, constructive anyway. Blocking sites will only protect the local networks. Two many people are opposed to the idea of preemptively blocking the spam sites for ISPs to say that they are actively doing it. These same people would probably never know if their ISP actually put the blocks in or not, except that more of the times the pictures in spam would not show up than before. > The last thing we need is "Internet Police" > because that's exactly what it amounts to. Choosing to connect to an > address is not nearly the same as choosing not to allow in incoming > connection. The local BOFH in charge of a network segment must be the Internet Police for it. An network provider must protect their network from abuse from outsiders and clueless insiders. Unfortunately in some locations, the BOFH is put in a position where they have to choose the lesser of two evils. Not block sites for the clueless because of complaints of censorship and leave the network open to attact from with in, or protect the network for the good of the company or majority of the users but not publically admit to the blocks. An residential ISP can not afford to disconnect it's clueless users just so that it can offer raw connectivity to the competent ones. -John wb8tyw@qsl.network Personal Opinion Only From nobody at spamcop.net Tue Jun 1 16:17:33 2004 From: nobody at spamcop.net (indigo) Date: Tue Jun 1 15:20:03 2004 Subject: [SpamCop-List] Re: [media] "When Software Fails to Stop Spam, It's Time to Bring In the Detectives" References: Message-ID: Frog Prince wrote: > I for one HATE PDF as it is (at the very minimum) very difficult to > use, is a memory hog and the files are just too big. Huh? I've seen 10 MB powerpoint presentations reduced by a factor of 3-4 when turned into PDFs. >Did I mention slow? Depends on the speed/RAM of the machine you're using for one.....it's incredibly slow if you're looking at a PDF on a website because it appears (to me, at least) that pages not in view don't load until you actually get to them, but right clicking, save as, then load it locally with Reader and it's a hell of a lot faster. I also like the ability to type the page number into that little box at the bottom and jump right to where you want to go --- Word can't do that. From MikeE at ster.invalid Tue Jun 1 13:35:39 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jun 1 15:40:03 2004 Subject: [SpamCop-List] Re: [media] "When Software Fails to Stop Spam, It's Time to Bring In the Detectives" References: Message-ID: indigo wrote: > Frog Prince wrote: > I've seen 10 MB powerpoint presentations reduced by a factor of > 3-4 when turned into PDFs. Yabbut .ppt files are incredibly bloated and inefficient compared to what is actually 'inside' them; whereas .pdf files use various types or degrees of compression to keep themselves from being so fat filesize-wise. >> Did I mention slow? > > Depends on the speed/RAM of the machine you're using for one..... but of course, that's because they are resource hogs, even when locally accessed If you have enough resources, the various resource pigs can eat all the slop they want to. -- Mike Easter kibitzer, not SC admin From kjz at despammed.com Tue Jun 1 22:28:37 2004 From: kjz at despammed.com (Karl-Josef Ziegler) Date: Tue Jun 1 15:40:13 2004 Subject: [SpamCop-List] Re: Today Ralsky Inc. uses: 1hbedomain.com, r1g4t2you.com; DNS: marketing88.net, nsmarkk1.net, 010mrktt.net In-Reply-To: References: Message-ID: Merlyn wrote: > Looks like 218.65.86.0/24 belongs to Peter Francis-Macrae > > Well known Rokso spammer. > > http://www.spamhaus.org/sbl/sbl.lasso?query=SBL11848 Yes, I saw it also. But please look at my posting news:. The whole spam was absolutely in Al's usual design. Maybe, that Spamhaus has some old listings or the pillz company in the background has now changed the contract from Al to Weaselboy. But then this contractor controls the email list, the design of the spams, etc. and Al or Weaselboy are only sub-contractors for the dirty part, i.e. sending it out. From dkona7b02 at sneakemail.com Tue Jun 1 16:32:43 2004 From: dkona7b02 at sneakemail.com (Spam Hater) Date: Tue Jun 1 15:41:25 2004 Subject: [SpamCop-List]Re: [media] "When Software Fails to Stop Spam, It's Time toBringInthe Detectives" In-Reply-To: References: Message-ID: <3.0.5.32.20040601153243.0103b070@loki.fstrf.org> Oh well... Either my memory is faulty or they have battened down the hatches since the last time I tried to access a story there. All of your links take me to the login page... :( Thanks for experimenting. At 11:45 AM 6/1/2004 -0700, Mike Easter typed: >Spam Hater wrote: >> If you can access the article, just post the print URL here and we can >> test to see if it works or not... :) IIRC, it has worked for me in >> the past. > >This is the 'regular' print one, very clean, no pic. >http://www.nytimes.com/2004/05/31/technology/31spam.html?pagewanted=print&position= > >This is the 'single page' one, some NYT html junk, but it has the pic. >And, it goes off into that 'page wanted' place like the print one does >http://www.nytimes.com/2004/05/31/technology/31spam.html?pagewanted=all&position= > >And, of course, this is the original page for comparison >http://www.nytimes.com/2004/05/31/technology/31spam.html From spamcop at s89170745.onlinehome.us Tue Jun 1 13:39:26 2004 From: spamcop at s89170745.onlinehome.us (Ganamede) Date: Tue Jun 1 15:45:03 2004 Subject: [SpamCop-List] Re: Spammers really don't like piracy reports, so please report all software spam to the manufactures. References: Message-ID: "Ivan Leo Puoti" wrote in message news:c9aqni$1ih$1@news.spamcop.net... > They really aren't happy about this, look at this message they sent me. So > report all software spam to the software manufactures. I've suggested this be automatic. It's bad enough their ISP will get on them about spamming but if the publisher are after them too it's even better! From me at privacy.net Tue Jun 1 16:46:23 2004 From: me at privacy.net (Frog Prince) Date: Tue Jun 1 15:50:04 2004 Subject: [SpamCop-List] Re: [media] "When Software Fails to Stop Spam, It's Time to Bring In the Detectives" References: Message-ID: "indigo" wrote in message news:c9ikqo$lol$1@news.spamcop.net... | Frog Prince wrote: | > I for one HATE PDF as it is (at the very minimum) very difficult to | > use, is a memory hog and the files are just too big. | | Huh? I've seen 10 MB powerpoint presentations reduced by a factor of 3-4 | when turned into PDFs. | | >Did I mention slow? | | Depends on the speed/RAM of the machine you're using for one.....it's | incredibly slow if you're looking at a PDF on a website because it appears | (to me, at least) that pages not in view don't load until you actually get | to them, but right clicking, save as, then load it locally with Reader and | it's a hell of a lot faster. I also like the ability to type the page number | into that little box at the bottom and jump right to where you want to | go --- Word can't do that. My personal PC is slow but my DIL's (at her shop) is 1G with 1 G of memory. My wife's Mac G4 laptop with 1G+ ? of memory. Regardless I still don't like PDF as it is a hassle to access the data. I think I've seen mold grow faster. From skiwi+newsgroups at spamcop.net Tue Jun 1 14:12:56 2004 From: skiwi+newsgroups at spamcop.net (Skiwi) Date: Tue Jun 1 16:15:02 2004 Subject: [SpamCop-List] Re: [media] "When Software Fails to Stop Spam..." [NYT access...] In-Reply-To: References: Message-ID: Skiwi wrote: > http://www.nytimes.com/2004/05/31/technology/31spam.html > > "Sterling McBride spends a lot of time waiting for spammers to make a > mistake. They usually do. > > When he hunted down escaped prisoners for the United States Marshals > Service, Mr. McBride learned the value of lying low until fugitives trip > up, leaving small clues on their whereabouts. Now, as an investigator > for Microsoft, [Walker] watches carefully for tidbits of data that link > some of the two billion pieces of junk e-mail that Microsoft's Hotmail > service receives each day with the people who send them...." > > Hehehehehe... Someone else had a 'generic' access with a username 'lumbercartel' (?) but I couldn't remember the password... Registration for the group with throwaway email below... oh, 'we' are a musician born in 1938 BTW with a household income below $16K... Username & password both 'spamcop' (no quotes of course) From nobody at spamcop.net Tue Jun 1 17:20:37 2004 From: nobody at spamcop.net (indigo) Date: Tue Jun 1 16:25:04 2004 Subject: [SpamCop-List] Re: [media] "When Software Fails to Stop Spam, It's Time to Bring In the Detectives" References: Message-ID: Mike Easter wrote: > indigo wrote: > > Frog Prince wrote: > > > I've seen 10 MB powerpoint presentations reduced by a factor of > > 3-4 when turned into PDFs. > > Yabbut .ppt files are incredibly bloated and inefficient compared to > what is actually 'inside' them; whereas .pdf files use various types > or degrees of compression to keep themselves from being so fat > filesize-wise. > > And your point is? (confirming my point on the usefulness of PDFs ? ;-) From MikeE at ster.invalid Tue Jun 1 14:47:54 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jun 1 16:50:03 2004 Subject: [SpamCop-List] Re: [media] "When Software Fails to Stop Spam, It's Time to Bring In the Detectives" References: Message-ID: indigo wrote: > Mike Easter wrote: >> indigo wrote: >>> I've seen 10 MB powerpoint presentations reduced by a factor of >>> 3-4 when turned into PDFs. >> >> Yabbut .ppt files are incredibly bloated and inefficient compared to >> what is actually 'inside' them; whereas .pdf files use various types >> or degrees of compression to keep themselves from being so fat >> filesize-wise. >> > And your point is? (confirming my point on the usefulness of PDFs ? > ;-) Well, I actually have a gripe about both of those formats, which are obviously very popular formats for their own reasons. In the case of the .ppt, I'll take a specific example of a 'joke' .ppt that was being passed around a good while back, some Xmas or another. It was simply a 'collection' of Frosty the snowman cartoons by I forget that cartoonist's name right now. That's really all that was in there. It was huge filesize-wise. If you would 'extract' or copy or whatever the little Frosty cartoon line drawings and save them individually, they had very small filesizes and in total. The moral of that story is that .ppt is/was a very inefficient way to handle that project. Next, the issue is that looking at .pdf files with Reader uses a lot of resources. I mean after all, we're just looking at some collection of text and perhaps graphics, but even if we are just looking at a text document, it is using lots and lots of resources. Adobe's 'solution' to the fact that they are using lots of resources to do a rather simple job [in some ways, difficult in others in the execution] is to use compression to try to keep the filesize down, for various good reasons. So, even though there has been compression to get the filesize down, after decompression the resource usage has 'exploded' because of several reasons. So, the moral to that story is that .pdf is a resource hog, even if it makes some kinds of filesizes smaller by compression.. For a given 'simple' or refined issue, the .pdf isn't more efficient. That is, if you take a graphic and put it into an efficient file format, lossy or not lossy, and compare it with the Adobe managment of the same graphic, lossy or not lossy, pound for pound the Adobe will be less efficient, just in filesize. That's to say nothing of resource usage. Then if you display the graphic with something like IrfanView, which gives you all kinds of ways of manipulating the graphic that Adobe doesn't, there's no comparison in what a resource hog Adobe is. Then if you want to go off on a text tangent, we have to use other examples. If you want to go off in a combined text and graphics tangent we have to use still other examples of other formats. Adobe's .pdf has its usages, which I acknowledge make it have value; but efficiency of resources, filesizes, and 'operation' - compared to something else which can do a similar operation on a similar 'type' of file in another format - isn't very good. -- Mike Easter kibitzer, not SC admin From me at privacy.net Tue Jun 1 17:52:43 2004 From: me at privacy.net (Frog Prince) Date: Tue Jun 1 16:55:04 2004 Subject: [SpamCop-List] Re: [media] "When Software Fails to Stop Spam, It's Time to Bring In the Detectives" References: Message-ID: "indigo" wrote in message news:c9ioh1$pjj$1@news.spamcop.net... | Mike Easter wrote: | > indigo wrote: | > > Frog Prince wrote: | > | > > I've seen 10 MB powerpoint presentations reduced by a factor of | > > 3-4 when turned into PDFs. | > | > Yabbut .ppt files are incredibly bloated and inefficient compared to | > what is actually 'inside' them; whereas .pdf files use various types | > or degrees of compression to keep themselves from being so fat | > filesize-wise. | > | > | And your point is? (confirming my point on the usefulness of PDFs ? ;-) A Fleet enema is useful but that does not mean that I particularly want one. From pobox.spamcop at kronatech.net Tue Jun 1 14:55:51 2004 From: pobox.spamcop at kronatech.net (KronaTech) Date: Tue Jun 1 17:00:02 2004 Subject: [SpamCop-List] Re: [media] "When Software Fails to Stop Spam, It's Time to Bring In the Detectives" References: Message-ID: "Mike Easter" wrote in message news:c9iq2q$qqc$1@news.spamcop.net... > Adobe's .pdf has its usages, which I acknowledge make it have value; > but efficiency of resources, filesizes, and 'operation' - compared to > something else which can do a similar operation on a similar 'type' of > file in another format - isn't very good. I really wanted to type my reply out and attach it as a PDF for you Mike, but I'll spare your resources this time. =8P -K From pobox.spamcop at kronatech.net Tue Jun 1 15:02:08 2004 From: pobox.spamcop at kronatech.net (KronaTech) Date: Tue Jun 1 17:05:02 2004 Subject: [SpamCop-List] Re: [media] "When Software Fails to Stop Spam, It's Time to Bring In the Detectives" References: Message-ID: "Mike Easter" wrote in message news:c9ih99$i8u$1@news.spamcop.net... > Ooh, you went to all the trouble of 'doc/ing' it so that you could get > that pic in there. Very good. Grrr. > But, you know the kibitzer is still going to have something to say, > right? ;-) As always 8P > I'm not saying this to try to get you to do it, but just to kibitz, you > know. Of course. I believe you, Mike... when thousands wouldn't. > Why not copy and paste the print page, which would retain the NYT > 'format' and fonts, etc and also do it 'quickly' into the MSWord doc, > but would be missing the 'front' pic, and then paste the pic into the > appropriate spot in that doc. Then generate or 'distill' the .pdf from > the doc, and the resultant would look like the original article. That > is, I /think/ the clipboard would retain the NYT condition when you > pasted it. Or I could just do what I did, which is copy and paste the content of the first page, take out the adv table, then copy paste page #2, saving it as a PDF... making it a 3 minute job instead of a life occupation. > I mean, if we're copyright bending, we might as well do it up right ;-) > > Of course, your .pdf arguments are very sound there, in the 'copying' > arena. You could 'lock it up' so as to only show it to someone who > wasn't going to make noise about such as that. Of course, you could > ziplock a doc, but that's not quite the same thing of course. Mmmm... well in theory at least. > But, in this security business, Adobe has been taken to task in the past > about holes in their security. I don't know the current status of all > that. Well that's because you're not actually USING it... what do I have to throw it at you? -K From pobox.spamcop at kronatech.net Tue Jun 1 15:06:27 2004 From: pobox.spamcop at kronatech.net (KronaTech) Date: Tue Jun 1 17:10:03 2004 Subject: [SpamCop-List] Re: [media] "When Software Fails to Stop Spam..." [NYT access...] References: Message-ID: "Skiwi" wrote in message news:c9io0a$p2v$1@news.spamcop.net... > oh, 'we' are a > musician born in 1938 BTW with a household income below $16K... Now I'm old and in poverty, aside from all my other problems. Thaaaaaaaannnkkkksss. =8) -K From pobox.spamcop at kronatech.net Tue Jun 1 15:07:58 2004 From: pobox.spamcop at kronatech.net (KronaTech) Date: Tue Jun 1 17:10:07 2004 Subject: [SpamCop-List] Re: [media] "When Software Fails to Stop Spam, It's Time to Bring In the Detectives" References: Message-ID: "Frog Prince" wrote in message news:c9iqdv$r6h$1@news.spamcop.net... > A Fleet enema is useful but that does not mean that I particularly want one. Er... eeew. -K From Merlyn at Spamcop.net Tue Jun 1 18:07:54 2004 From: Merlyn at Spamcop.net (Merlyn) Date: Tue Jun 1 17:10:11 2004 Subject: [SpamCop-List] Re: Today Ralsky Inc. uses: 1hbedomain.com, r1g4t2you.com; DNS: marketing88.net, nsmarkk1.net, 010mrktt.net References: Message-ID: "Karl-Josef Ziegler" wrote in message news:c9ilto$mnt$1@news.spamcop.net... > Merlyn wrote: > > > Looks like 218.65.86.0/24 belongs to Peter Francis-Macrae > > > > Well known Rokso spammer. > > > > http://www.spamhaus.org/sbl/sbl.lasso?query=SBL11848 > > Yes, I saw it also. But please look at my posting > news:. The whole > spam was absolutely in Al's usual design. Maybe, that > Spamhaus has some old listings or the pillz company > in the background has now changed the contract from > Al to Weaselboy. But then this contractor controls > the email list, the design of the spams, etc. and > Al or Weaselboy are only sub-contractors for the > dirty part, i.e. sending it out. > > I agree looks like Al Ral. Yes, maybe they are just "Partners in spam" :-) I also believe Ralsky's days are numbered. -- Regards, Merlyn A Spamcop advocate No emails this account is for newsgroups only People demand freedom of speech to make up for the freedom of thought which they avoided From MikeE at ster.invalid Tue Jun 1 15:11:06 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jun 1 17:15:02 2004 Subject: [SpamCop-List] Re: [media] "When Software Fails to Stop Spam, It's Time to Bring In the Detectives" References: Message-ID: KronaTech wrote: > I really wanted to type my reply out and attach it as a PDF for you > Mike, but I'll spare your resources this time. Ha! The other day I had the numbers in my head about what the filesizes for the trimming post were as a text file, which is of course how it started, as the .doc intermediary, and as the .pdf. I'm sure you can imagine how small the text one was and how big the pdf. The doc was more than half the size of the pdf as I recall, maybe 3/4. Part of the debate which is both push and pull if you want to use those terms in a different context than usual, is the business about 'control' - where the format 'controls' the output, which of course makes assumptions. So, if a person took the text file, which actually had *no* font designation, they could display it in whatever font they liked, which is what they do with their newsreader. If they wanted to print it on a page, they could 'massage' it into whatever size and type of font or shape of paper they wanted it on. Make it fit a page perfectly. Make it fit two pages perfectly. Whatever. Big margins, little margins, script, blah blah. But, as the .pdf, all that is over. The .pdf/er has made assumptions and taken control. The .pdf handler has to try to get it back out in its original form, if possible. And, of course, it may not be possible, which is considered to be a 'feature' of course, depending on whether you are the controller or the controlled. Who is goring whose ox and all that. But, if the .pdf/er 'reader' is inclined to accept things stamped out by the black box, then they print the .pdf and are done with it. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Tue Jun 1 15:23:06 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jun 1 17:25:05 2004 Subject: [SpamCop-List] Re: Compromised computer(s) or Yahoo account? References: Message-ID: Mike Easter wrote: > One would have to imagine some kind of 'magic' way that a mail > 'appears' in your yahoo sent folder with a Received headerline such > as you posted here earlier. When I send mail from a 'normal' kind of > mail useragent, ie OE to my provider's smtp server and that item goes > into my Sent fail folder it doesn't have *any* Received line because > it hasn't been involved in any smtp transactions yet, ie it is > 'getting ready to' get its first Received trace line when it gets to > the smtp server I'm sending it to. I'm back to thinking about this puzzle. Am I correct in assuming that the 'normal' mail in your yahoo Sent folder does /not/ have any Received headerline? Only the mystery one/s - or something different? Do you have a ZoneAlarm or its equivalent? -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Wed Jun 2 10:24:29 2004 From: nobody at spamcop.net (Anony Mouse) Date: Tue Jun 1 17:25:11 2004 Subject: [SpamCop-List] Re: Today Ralsky Inc. uses: 1hbedomain.com, r1g4t2you.com; DNS: marketing88.net, nsmarkk1.net, 010mrktt.net References: Message-ID: <40BCF40D.90509@spamcop.net> Karl-Josef Ziegler wrote: > Merlyn wrote: > >> Looks like 218.65.86.0/24 belongs to Peter Francis-Macrae >> >> Well known Rokso spammer. >> >> http://www.spamhaus.org/sbl/sbl.lasso?query=SBL11848 > > > Yes, I saw it also. But please look at my posting > news:. The whole > spam was absolutely in Al's usual design. Maybe, that > Spamhaus has some old listings or the pillz company > in the background has now changed the contract from > Al to Weaselboy. But then this contractor controls > the email list, the design of the spams, etc. and > Al or Weaselboy are only sub-contractors for the > dirty part, i.e. sending it out. > > > The leader of the gang is Webfinity. The gang includes but may not be limited to... And I may have a couple that may not be in the gang now but have been in the past. Brian Kramer. Alan Ralsky. <-- Convicted criminal Brian David Westby <-- Convicted criminal Alexey Panov <-- Links to Russian mafia Bonnie Dukarossa Not 100% sure on this one. Calvin Ho Carl Henderson Damon DeCrescenzo - Docdrugs Drew Auman / thebulkclub.com EvoClix / Larry Tasman / Greg Numark Not 100% sure. Husein Gandhi <-- Past Ralsky associate IMG Direct / Steve Hardigree / Frank Bernal Jody Smith - Power Web Enterprises Juan Garavaglia aka Super-Zonda lmihosting.com <-- Front florida gangs Mike Van Essen / Global Web Promotions <-- Charged and inactive now. Pavka / Artofitn <-- Another Russian Peter Francis-Macrae <- Ralsky associate. Robert Soloway I think he is mixed up in it. Ryan Champion / AMR Ventures <-- Currently spamming me Tim Goyetche / Bulkers.net / Bulkbarn.com You will find that with every individual named above you can find that they share hosting services somewhere in the world with Webfinity, mostly China but also providers such as above.net and wcg umong others. The four recently charged in the US... Lin, Chung and associates are also part of the gang. How come I am so sure of myself? 2 years of hunting down the gang and the recent seeding of my email address into the system by one upset spammer. My email address went in at a Webfinity associated site. Webfinity spam quickly stopped when I taunted them that I had uncovered the association and how but by that time they had distributed my email address and it took them a few weeks to wash it from the gang. From tmcgraw at spamcop.net Tue Jun 1 15:26:55 2004 From: tmcgraw at spamcop.net (Tim McGraw) Date: Tue Jun 1 17:30:03 2004 Subject: [SpamCop-List] Re: [media] "When Software Fails to Stop Spam..." [NYT access...] References: Message-ID: <40BCF49F.10201@spamcop.net> Skiwi wrote: > > Someone else had a 'generic' access with a username 'lumbercartel' (?) > but I couldn't remember the password... user: tinlc pwd: tinlc From Merlyn at Spamcop.net Tue Jun 1 18:32:13 2004 From: Merlyn at Spamcop.net (Merlyn) Date: Tue Jun 1 17:35:02 2004 Subject: [SpamCop-List] Re: Today Ralsky Inc. uses: 1hbedomain.com, r1g4t2you.com; DNS: marketing88.net, nsmarkk1.net, 010mrktt.net References: <40BCF40D.90509@spamcop.net> Message-ID: "Anony Mouse" wrote in message news:40BCF40D.90509@spamcop.net... > > The leader of the gang is Webfinity. > > The gang includes but may not be limited to... > And I may have a couple that may not be in the gang now but have been in > the past. [long list of pondscum snipped] > 2 years of hunting down the gang and the recent seeding of my email > address into the system by one upset spammer. My email address went in > at a Webfinity associated site. Webfinity spam quickly stopped when I > taunted them that I had uncovered the association and how but by that > time they had distributed my email address and it took them a few weeks > to wash it from the gang. Way to go Mouse :-) -- Regards, Merlyn A Spamcop advocate No emails this account is for newsgroups only People demand freedom of speech to make up for the freedom of thought which they avoided From pobox.spamcop at kronatech.net Tue Jun 1 15:34:27 2004 From: pobox.spamcop at kronatech.net (KronaTech) Date: Tue Jun 1 17:35:05 2004 Subject: [SpamCop-List] Re: [media] "When Software Fails to Stop Spam, It's Time to Bring In the Detectives" References: Message-ID: "Mike Easter" wrote in message news:c9ire9$sgp$1@news.spamcop.net... > But, if the .pdf/er 'reader' is inclined to accept things stamped out by > the black box, then they print the .pdf and are done with it. My reader can beat up your reader. -K From MissAnnie at nospam.invalid Tue Jun 1 18:44:13 2004 From: MissAnnie at nospam.invalid (Annie) Date: Tue Jun 1 17:45:03 2004 Subject: [SpamCop-List] Re: Ping-Tim McGraw References: Message-ID: wrote in message news:c9hsmv$rcb$1@news.spamcop.net... > Actually, you CAN use Outlook and report to SpamCop (and however many > other BL's you want, and the FTC, all simultaneously). I worked on > Leon Mayne's VBA code for Outlook to give it many more features (error > checking, a whitelist, etc.). > Code is over my head but I can follow instructions. Ill take a look at it. -- ```````````````` MissAnnie From skiwi+newsgroups at spamcop.net Tue Jun 1 15:51:20 2004 From: skiwi+newsgroups at spamcop.net (Skiwi) Date: Tue Jun 1 17:55:01 2004 Subject: [SpamCop-List] Re: [media] [document management] In-Reply-To: References: Message-ID: Frog Prince wrote: > "KronaTech" > > [snip] > I for one HATE PDF as it is (at the very minimum) very difficult to use, is > a memory hog and the files are just too big. Did I mention slow? My former > company spent big bucks on a document management program based on PDF to > avoid hard copy. Not only would no one use it no one could use it unless it > was printed to hard copy. Took them about 6 weeks to dump the entire thing. For one of my clients, I use Lizardtech's DjVu and associated document management system - and have been very happy with it... hooked to GIS and database software, etc From MikeE at ster.invalid Tue Jun 1 16:26:20 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jun 1 18:30:03 2004 Subject: [SpamCop-List] Re: [media] "When Software Fails to Stop Spam, It's Time to Bring In the Detectives" References: Message-ID: KronaTech wrote: > My reader can beat up your reader. No doubt and to be sure. Clearly the clever Adobe strategy by enabling all of those little free Reader folks is the sale of Adobe software, which is both very good, as a general rule, and very powerful, as a general rule, and very expensive, as a general rule. That way they [a real Adobe user] can handle all of those .pdf files more flexibly that get such wide distribution because the free Adobe reader is so accessible. I say all that as a sideline observer who reads opinions about these things rather than as an actual 'real' Adobe user. I have a lot of respect for a lot of things that Adobe has done, so I get to beef about my annoyances. Microsoft also makes all kinds of free tools and readers and printers and converters for the various formats of the Office products, Word, PowerPoint, Works. Not to be touting MS too much, who I'm usually bad-mouthing. -- Mike Easter kibitzer, not SC admin From eddie at eddie.web Tue Jun 1 19:35:45 2004 From: eddie at eddie.web (eddie) Date: Tue Jun 1 18:40:02 2004 Subject: [SpamCop-List] Re: [media] "When Software Fails to Stop Spam, It's Time to BringIn the Detectives" References: Message-ID: On Tue, 01 Jun 2004 11:21:37 -0700, Mike Easter scratched out the following: snip > I'm not sure about that. I think that in the past I've sent the print > page link to a friend who wasn't registered and they didn't get there. But > then that friend sometimes gets thrown off if the link gets wrapped, so > that example doesn't really count. > > I'll have to test it out, but I've got the appropriate cookie on 3 > different boxes here, so I would have to clean one up. I registered there years ago and my account is still good, but I notice that sometimes news.google.com has a link to the NYTimes that has the account "guest" and when I use that on my Mozilla browser which isn't registered there, I can access the story. I looked just now but didn't see any guest links on google, so maybe the Times eliminated it. I no longer register for any of the online papers, but I'll keep the ones I have as long as they work. From MikeE at ster.invalid Tue Jun 1 16:46:47 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jun 1 18:50:03 2004 Subject: [SpamCop-List] Re: [media] "When Software Fails to Stop Spam, It's Time to BringIn the Detectives" References: Message-ID: eddie wrote: > I registered there years ago and my account is still good, but I > notice that sometimes news.google.com has a link to the NYTimes that > has the account "guest" and when I use that on my Mozilla browser > which isn't registered there, I can access the story. I looked just > now but > didn't see any guest links on google, so maybe the Times eliminated > it. I no longer register for any of the online papers, but I'll keep > the ones I have as long as they work. A lot of the newspapers let googlers in to read a story, but if you try to go very far or do very much they want you to register. Like a teaser or sample. I think that is pretty smart about exposing their paper to googlers. I understand where the newspapers are coming from about registration. However, there is a world of difference in the 'deal' the reader makes with the different newspapers. Notwithstanding any 'lies' or 'forgeries' the reader may choose to implement... The deal with the NYT and some others is that you give them your email addy and the NYT agrees to respect your privacy and not spam you or let any of their associates or anyone else of theirs spam you. The deal with the WashPost and many others is that you give them your eml and a ton of demographics and then they don't agree to respect your privacy at all. Nor their associates nor their associates' associates. They make that very clear in their non-privacy agreement which they euphemistically call a privacy agreement. So, as a consequence I play fair with the newspapers who offer me a fair deal and I don't play so 'fair' with the ones who don't. -- Mike Easter kibitzer, not SC admin From me at privacy.net Tue Jun 1 21:13:02 2004 From: me at privacy.net (Frog Prince) Date: Tue Jun 1 20:15:16 2004 Subject: [SpamCop-List] Re: [media] "When Software Fails to Stop Spam, It's Time to BringIn the Detectives" References: Message-ID: "Mike Easter" | | So, as a consequence I play fair with the newspapers who offer me a fair | deal and I don't play so 'fair' with the ones who don't. Even the ones who play fair in the front often change the rules after the fact and frequently without notice or recourse. Privacy is like tooth paste once out of the tube... From nobody at spamcop.net Wed Jun 2 11:40:55 2004 From: nobody at spamcop.net (Petzl) Date: Tue Jun 1 20:45:03 2004 Subject: [SpamCop-List] Re: Response from Telstra (they're just as incompetent as ever) References: <40B712A9.6010405@spamcop.net> <40BBEBB6.6090408@spamcop.net> Message-ID: <8p7qb0prqfpfbn4cl4rnj6hkus5jhha1p0@4ax.com> On Tue, 01 Jun 2004 14:36:38 +1200, Anony Mouse wrote: > >She has also been robbed via a keylogger trojan costing her approx >$6,000 so far. An expensive lesson. IMO a good reason to use a password program This is free for 20 passwords http://www.password-depot.com/description.htm I operate it from a USB device (for shared computers) "Password Depot" uses 1.5 meg on USB "pendrive" Also check my signature to help keep your computer clean & secure Petzl -- SECURE YOUR COMPUTER NOW!! KEEP WINDOWS UPDATED http://v4.windowsupdate.microsoft.com/en/default.asp "AVG 6.0 Free Edition" Anti-Virus Check your computer for "Spy Bots" (free) & Good firewall for windows(free version available) Block spamvertised websites (free. A must for Parents) From nobody at spamcop.net Wed Jun 2 12:02:37 2004 From: nobody at spamcop.net (Petzl) Date: Tue Jun 1 21:05:03 2004 Subject: [SpamCop-List] Re: OT enough crimp in spammer techniques? References: Message-ID: On Tue, 1 Jun 2004 13:00:44 -0500, "Miss Betsy" wrote: > >"John E. Malmberg" wrote in message >news:EcAkDiknp33j@eisner.encompasserve.org... >> After a spamvertised domain gets revoked, >> it seems to take the spammer about 72 hours to put a new URL in it. > >Funny, I got a phone call about 'reduced prices' on the very model >number of the printer I use. I asked them about a website, but he said >that it was 'temporarily' down. > >Are anti-email spam tactics driving the spammers back to telemarketing? > >Miss Betsy > > Telemarketing seems to be the "rage' in Sydney Annoying features like 10 calls during dinner time They use software to dial 20 phone numbers per operator/telemarketer at the same time (a guess here may be more or less depending on time of day) Once a poor sod has picked up phone the other 19 phones keep ringing till they ring out or one answers. Once answered the line appears dead! Australia we do have a not to be called list but most "telemarketers" ignore this (opt out) list They also seem to prefer annon so you cannot get their "call screening" number http://www.adma.com.au/asp/index.asp?pgid=1999 I contact the company that these "telemarketers" promote nd cancel all business dealings with them, If they are holding a "meeting" I suggest they have good police protection and not to call me again The anti spam laws in Australia seem to have sent my phone quiet as I tell them after getting details that they are liable for AU$1.2 million dollar a day fines (not 100% sure though?) Petzl -- SECURE YOUR COMPUTER NOW!! KEEP WINDOWS UPDATED http://v4.windowsupdate.microsoft.com/en/default.asp "AVG 6.0 Free Edition" Anti-Virus Check your computer for "Spy Bots" (free) & Good firewall for windows(free version available) Block spamvertised websites (free. A must for Parents) From rmu93awSPAMB02 at sneakemail.com Tue Jun 1 22:23:34 2004 From: rmu93awSPAMB02 at sneakemail.com (Spambo) Date: Tue Jun 1 22:25:05 2004 Subject: [SpamCop-List] FAA listed? Message-ID: Is someone, perhaps, seeding the spamtraps? http://www.spamcop.net/w3m?action=blcheck&ip=204.108.10.7 Query bl.spamcop.net - 204.108.10.7 204.108.10.7 listed in bl.spamcop.net (127.0.0.2) Causes of listing System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop) -- Just a SpamCop newsgroup participant, not an admin or employee of SpamCop or related domains. From MikeE at ster.invalid Tue Jun 1 20:48:38 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jun 1 22:50:02 2004 Subject: [SpamCop-List] Re: FAA listed? References: Message-ID: Spambo wrote: > Is someone, perhaps, seeding the spamtraps? > 204.108.10.7 listed in bl.spamcop.net (127.0.0.2) Oh, that's cute, both of these FAA relays are listed: 204.108.10.6 rDNS relay1.faa.gov 204.108.10.7 rDNS relay2.faa.gov tsk tsk. Presumably some kind of out of office for the weekend autoreplied to a spam, or something, and then the spamtrap got some and then parsed it badly and named the output server instead of the source IP. That's the hazards of giving a lot of power to an algorithm untouched by human hands. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Tue Jun 1 20:57:37 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jun 1 23:00:03 2004 Subject: [SpamCop-List] Re: FAA listed? References: Message-ID: Mike Easter wrote: > tsk tsk. Presumably some kind of out of office for the weekend > autoreplied to a spam, or something, and then the spamtrap got some > and then parsed it badly and named the output server instead of the > source IP. http://snipurl.com/6t0p sightings Received: from relay1.faa.gov Subject: Elizabeth Louie/AWP/FAA is out of the office. Date: Fri, 14 May 2004 That isn't the same thing, but similar to what I'm thinking. -- Mike Easter kibitzer, not SC admin From rmu93awSPAMB02 at sneakemail.com Tue Jun 1 23:03:27 2004 From: rmu93awSPAMB02 at sneakemail.com (Spambo) Date: Tue Jun 1 23:05:02 2004 Subject: [SpamCop-List] Re: FAA listed? In-Reply-To: References: Message-ID: Mike Easter wrote: > [snip] > > tsk tsk. Presumably some kind of out of office for the weekend > autoreplied to a spam, or something, and then the spamtrap got some and > then parsed it badly and named the output server instead of the source > IP. Although Occam's Razor suggests your presumption is probably more accurate than mine I'm beginning to think there is something more nefarious going on. If I had my druthers I'd say that emails to spamtrap addresses should be ignored -- unless there are also *humans* reporting spams from the same source. > [snip] -- Just a SpamCop newsgroup participant, not an admin or employee of SpamCop or related domains. From eddie at eddie.web Wed Jun 2 00:26:25 2004 From: eddie at eddie.web (eddie) Date: Tue Jun 1 23:30:02 2004 Subject: [SpamCop-List] Re: FAA listed? References: Message-ID: On Tue, 01 Jun 2004 19:57:37 -0700, Mike Easter scratched out the following: snip > http://snipurl.com/6t0p sightings > Received: from relay1.faa.gov > Subject: Elizabeth Louie/AWP/FAA is out of the office. Date: Fri, 14 May > 2004 > > That isn't the same thing, but similar to what I'm thinking. It's all Nixon's fault From maddsybil at spamcop.net Wed Jun 2 00:38:42 2004 From: maddsybil at spamcop.net (MaddSybil) Date: Tue Jun 1 23:40:02 2004 Subject: [SpamCop-List] Richter was on The Daily Show Message-ID: Did anyone else see it? It was pretty funny. They splashed his email address all over the screen heeee From MikeE at ster.invalid Tue Jun 1 22:00:34 2004 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jun 2 00:05:04 2004 Subject: [SpamCop-List] Re: FAA listed? References: Message-ID: Spambo wrote: > If I had my druthers I'd say that emails to > spamtrap addresses should be ignored -- unless there are also > *humans* reporting spams from the same source. There is indeed a very nasty monster which can jump out of the dark when there's no human oversight. The problem is that a report is just a report, by the millions. The various mistakes don't really matter because there's safety in numbers which the algorithm is full of. It only becomes /really/ important when something gets listed. Things are getting listed and unlisted in inhuman numbers as well. The spamtrap report is but a tiny cog in such a great big crushing wheel and everything in the equation is made out of plusses, there are no minuses. The spamtrap reports are large multiplied or squared plusses. Maybe the algorithm should do a 'division' as a 'spare' number. That is divide the spamtrap score by the non-spamtrap score. This calculation is triggered by a listing. If the result or quotient of that calculation is some very large number [if there were no non-spamtrap reports the quotient would be infinite] then the listing should cause a deputy alert -- because something or other just got listed because of spamtraps and no one has looked at any of those reports yet. There's another problem too. That is the problem of the moles and the problem of the quick reporters. The spamtrap has all of the elements of both; that is, the spamtrap is not overseen by a human *and* there is no report to cause some improper report to get someone's attention. The moles cause tallies on the SCbl, but at least they are overseen by human, so that's not so bad even if there isn't a report. The quick reporters are worse, because they aren't overseeing inaccurate results *and* they are typically generating 'more than their share' of reports. Some quick reporters are probably generating huge numbers of hits that have never been seen. -- Mike Easter kibitzer, not SC admin From agent01413 at my-deja.com Tue Jun 1 23:25:25 2004 From: agent01413 at my-deja.com (Socks the white house cat) Date: Wed Jun 2 00:25:03 2004 Subject: [SpamCop-List] Richter and Church Message-ID: In case the motion to toss the late affadavits fails, note there is some discussion of whether Church is an employee of whitehat, or an outside director. Outside directors tend not to have access to the same level of information on a regular basis that inside employee/directors have, making the level of info that REC can swear to open to question and debate. -- Sturgeon's Law as applied to discussion lists Axiom #3: "Sturgeon's Law (90% of everything is crap) applies to discussion lists." Corollary #5: "In an unmoderated discussion, no one can agree on what constitutes the 10%." Corollary #6: "Nothing guarantees that the 10% isn't crap, too." From sills at webtv.net Wed Jun 2 01:17:13 2004 From: sills at webtv.net (sills@webtv.net) Date: Wed Jun 2 00:30:03 2004 Subject: [SpamCop-List] Re: Turnaround performance problem References: Message-ID: <9651-40BD54C9-179@storefull-3255.bay.webtv.net> I hate doing a "me too, me too' type thing (but not enough not to do it) but for 12 days now, I have had the turnaround problem with the longest wait being close to 11 hours. Has Ellen or ??? addressed the problem anywhere and I missed it? Best John From tmcgraw at spamcop.net Tue Jun 1 22:26:50 2004 From: tmcgraw at spamcop.net (Tim McGraw) Date: Wed Jun 2 00:30:18 2004 Subject: [SpamCop-List] Re: FAA listed? References: Message-ID: <40BD570A.3060701@spamcop.net> Mike Easter wrote: > Spambo wrote: > >>Is someone, perhaps, seeding the spamtraps? >> 204.108.10.7 listed in bl.spamcop.net (127.0.0.2) > > Oh, that's cute, both of these FAA relays are listed: > > 204.108.10.6 rDNS relay1.faa.gov > 204.108.10.7 rDNS relay2.faa.gov > > tsk tsk. Presumably some kind of out of office for the weekend > autoreplied to a spam, or something, and then the spamtrap got some and > then parsed it badly and named the output server instead of the source > IP. .mil servers get zombied, why can't FAA servers? From tmcgraw at spamcop.net Tue Jun 1 22:28:30 2004 From: tmcgraw at spamcop.net (Tim McGraw) Date: Wed Jun 2 00:30:21 2004 Subject: [SpamCop-List] Re: FAA listed? References: Message-ID: <40BD576E.1090100@spamcop.net> eddie wrote: > On Tue, 01 Jun 2004 19:57:37 -0700, Mike Easter scratched out the > following: > snip > >>That isn't the same thing, but similar to what I'm thinking. > > It's all Nixon's fault ITYM Reagan? From ldattilo at spamcop.net Wed Jun 2 00:19:40 2004 From: ldattilo at spamcop.net (Leonard Q Public) Date: Wed Jun 2 01:20:03 2004 Subject: [SpamCop-List] Re: Windows garden? References: Message-ID: wrote in message news:nobody-3B64EC.14114831052004@news.cesmail.net... > What is a Windows 2000 Advanced Server garden? The spammer says that I > can pay less for a garden. Does a garden work better than a farm? Answered in spamcop.geeks. F/ups set to geeks. - Leonard From nobody at devnull.spamcop.net Tue Jun 1 23:57:53 2004 From: nobody at devnull.spamcop.net (LioNiNoiL_a t_Y a h 0 0_d 0 T_c 0 m) Date: Wed Jun 2 02:00:03 2004 Subject: [SpamCop-List] Re: [media] "When Software Fails to Stop Spam, It's Time to Bring In the Detectives" In-Reply-To: References: Message-ID: >> I for one HATE PDF as it is (at the very minimum) >> very difficult to use, is a memory hog >> and the files are just too big. > > Huh? I've seen 10 MB powerpoint presentations reduced > by a factor of 3-4 when turned into PDFs. So a memory brontosaurus makes a memory hog look smaller by comparison. From nobody at devnull.spamcop.net Wed Jun 2 19:17:11 2004 From: nobody at devnull.spamcop.net (brewman) Date: Wed Jun 2 02:15:02 2004 Subject: [SpamCop-List] Re: FAA listed? References: <40BD570A.3060701@spamcop.net> Message-ID: "Tim McGraw" wrote > .mil servers get zombied, why can't FAA servers? Not just zombied, either. I think that they ARE are the spammers ;-) .. check http://www.chinfo.navy.mil/navpalib/questions/spam.html It says .. "If you provide us that header, we'll look up the IP address .. Send your e-mail to comments@chinfo.navy.mil" I got spam with their IP - I did as they suggested - and it bounced! I then went to webmaster - THAT bounced. yeah ... right ... go tell the marines ... -- Brewman Brewman.SpamCop@brycom.cX.nX which really ends with dot co dot nz From skiwi at spamcop.net Wed Jun 2 00:14:13 2004 From: skiwi at spamcop.net (Skiwi) Date: Wed Jun 2 02:15:06 2004 Subject: [SpamCop-List] Re: FAA listed? In-Reply-To: References: Message-ID: Mike Easter wrote: > Spambo wrote: > >>Is someone, perhaps, seeding the spamtraps? >> 204.108.10.7 listed in bl.spamcop.net (127.0.0.2) > > > Oh, that's cute, both of these FAA relays are listed: > > 204.108.10.6 rDNS relay1.faa.gov > 204.108.10.7 rDNS relay2.faa.gov > > tsk tsk. Presumably some kind of out of office for the weekend > autoreplied to a spam, or something, and then the spamtrap got some and > then parsed it badly and named the output server instead of the source > IP. > > That's the hazards of giving a lot of power to an algorithm untouched by > human hands. The same sort of algorithm that sends spam to a separate folder, unseen, unread, and generally unexamined? :-P From baloo at ursine.ca Wed Jun 2 00:16:25 2004 From: baloo at ursine.ca (Paul Johnson) Date: Wed Jun 2 02:35:03 2004 Subject: [SpamCop-List] Re: [media] "When Software Fails to Stop Spam, It's Time to Bring In the Detectives" References: Message-ID: <87k6yq5vt2.fsf@ursine.ca> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 "Frog Prince" writes: > I for one HATE PDF as it is (at the very minimum) very difficult to use, is > a memory hog and the files are just too big. Did I mention slow? Hmm, must be on your end. kpdf Just Works, and works quickly and works well. Not sure what Acrobat Reader's problem is, I hate it and resent having to use it at work. There's nothing wrong with PDF the format, but Acrobat sucks. > My former company spent big bucks on a document management program > based on PDF to avoid hard copy. Not only would no one use it no > one could use it unless it was printed to hard copy. Took them > about 6 weeks to dump the entire thing. So you hate a pretty handy file format for management stupidity... - -- Paul Johnson Linux. You can find a worse OS, but it costs more. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFAvXC8UzgNqloQMwcRAu5oAKCHULGQ2/ZkndAgt9DBuEN0O8DyEwCgmrqh tCaB6MG4uSFYMJ/L2bLFXCM= =rmRS -----END PGP SIGNATURE----- From baloo at ursine.ca Wed Jun 2 00:17:38 2004 From: baloo at ursine.ca (Paul Johnson) Date: Wed Jun 2 02:35:17 2004 Subject: [SpamCop-List] Re: [media] "When Software Fails to Stop Spam, It's Time to Bring In the Detectives" References: Message-ID: <87ekoy5vr1.fsf@ursine.ca> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 "indigo" writes: > Frog Prince wrote: >> I for one HATE PDF as it is (at the very minimum) very difficult to >> use, is a memory hog and the files are just too big. > > Huh? I've seen 10 MB powerpoint presentations reduced by a factor of 3-4 > when turned into PDFs. And a factor of three or four is how many more platforms can handle PDF well than can handle PowerPoint. - -- Paul Johnson Linux. You can find a worse OS, but it costs more. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFAvXEFUzgNqloQMwcRAnzLAKClbpDduJS44krOvlm14tbuwZc1jACgozkq OqaAnlV+iB/sKpyfktcaCHc= =244V -----END PGP SIGNATURE----- From baloo at ursine.ca Wed Jun 2 00:23:29 2004 From: baloo at ursine.ca (Paul Johnson) Date: Wed Jun 2 02:35:23 2004 Subject: [SpamCop-List] Re: [media] "When Software Fails to Stop Spam, It's Time to Bring In the Detectives" References: Message-ID: <877juq5vha.fsf@ursine.ca> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 "Mike Easter" writes: > indigo wrote: >> Frog Prince wrote: > >> I've seen 10 MB powerpoint presentations reduced by a factor of >> 3-4 when turned into PDFs. > > Yabbut .ppt files are incredibly bloated and inefficient compared to > what is actually 'inside' them; whereas .pdf files use various types or > degrees of compression to keep themselves from being so fat > filesize-wise. And everybody and their dog can read a PDF. - -- Paul Johnson Linux. You can find a worse OS, but it costs more. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFAvXJiUzgNqloQMwcRAg2VAJ430z9c+0qs13O7112FnHEA1nRTTQCfQfRT lwULA4/B/tLqRvhjAe+LJ70= =2G6C -----END PGP SIGNATURE----- From nobody at devnull.spamcop.net Wed Jun 2 00:48:28 2004 From: nobody at devnull.spamcop.net (LioNiNoiL_a t_Y a h 0 0_d 0 T_c 0 m) Date: Wed Jun 2 02:50:03 2004 Subject: [SpamCop-List] Re: Today Ralsky Inc. uses: 1hbedomain.com, r1g4t2you.com; DNS: marketing88.net, nsmarkk1.net, 010mrktt.net In-Reply-To: References: Message-ID: Isn't it great that Hotmail is now cracking down on spam?! > domain: 1hbedomain.com > email: robgratton__123@hotmail.com > admin-c: robgratton__123@hotmail.com#0 > tech-c: robgratton__123@hotmail.com#0 > billing-c: robgratton__123@hotmail.com#0 > > domain: marketing88.net > email: mills08_8@hotmail.com > admin-c: mills08_8@hotmail.com#0 > tech-c: mills08_8@hotmail.com#0 > billing-c: mills08_8@hotmail.com#0 > > domain: nsmarkk1.net > email: ronald_0965f@hotmail.com > admin-c: ronald_0965f@hotmail.com#0 > tech-c: ronald_0965f@hotmail.com#0 > billing-c: ronald_0965f@hotmail.com#0 > > domain: 010mrktt.net > email: ronherman_0987@hotmail.com > admin-c: ronherman_0987@hotmail.com#0 > tech-c: ronherman_0987@hotmail.com#0 > billing-c: ronherman_0987@hotmail.com#0 From nobody at devnull.spamcop.net Wed Jun 2 01:00:50 2004 From: nobody at devnull.spamcop.net (LioNiNoiL_a t_Y a h 0 0_d 0 T_c 0 m) Date: Wed Jun 2 03:05:04 2004 Subject: [SpamCop-List] Re: Compromised computer(s) or Yahoo account? In-Reply-To: References: Message-ID: >> I know the type: our beautiful blonde daughter kept installing >> Kazaa on my wife's computer for a couple months, giving rise >> to many viruses, worms, adwares, spywares, and zombots. Sounds >> like this lady did the same, and now has an e-mail zombot with >> your addy as a 'sender' on its list, among many others, no doubt. > > Still doesn't explain how the spam shows up in *my* sent mail folder..... That may be Yahoo's mailer getting fooled by the zombot. From pobox.spamcop at kronatech.net Wed Jun 2 01:24:26 2004 From: pobox.spamcop at kronatech.net (KronaTech) Date: Wed Jun 2 03:25:03 2004 Subject: [SpamCop-List] Re: [media] "When Software Fails to Stop Spam, It's Time to Bring In the Detectives" References: Message-ID: "Mike Easter" wrote in message news:c9ivrb$1cc$1@news.spamcop.net... > I say all that as a sideline observer who reads opinions about these > things rather than as an actual 'real' Adobe user. Email me to say hello. Something tells me the 'ster.invalid' domain will bounce. 8) -K From kjz at despammed.com Wed Jun 2 10:28:46 2004 From: kjz at despammed.com (Karl-Josef Ziegler) Date: Wed Jun 2 03:30:03 2004 Subject: [SpamCop-List] Re: Today Ralsky Inc. uses: 1hbedomain.com, r1g4t2you.com; DNS: marketing88.net, nsmarkk1.net, 010mrktt.net In-Reply-To: <40BCF40D.90509@spamcop.net> References: <40BCF40D.90509@spamcop.net> Message-ID: Anony Mouse wrote: > The leader of the gang is Webfinity. The only connection I can see is that these guys are sharing their address database: > Alan Ralsky. <-- Convicted criminal > Alexey Panov <-- Links to Russian mafia > Calvin Ho > Drew Auman / thebulkclub.com > Juan Garavaglia aka Super-Zonda > lmihosting.com <-- Front florida gangs > Mike Van Essen / Global Web Promotions <-- Charged and inactive now. > Pavka / Artofitn <-- Another Russian > Peter Francis-Macrae <- Ralsky associate. > Tim Goyetche / Bulkers.net / Bulkbarn.com These are the spammers I got mails from on a regular basis. And most of my spams only(!) from these guys. So it seems to be a 'closed bulk club'. From pobox.spamcop at kronatech.net Wed Jun 2 01:37:28 2004 From: pobox.spamcop at kronatech.net (KronaTech) Date: Wed Jun 2 03:40:02 2004 Subject: [SpamCop-List] Re: [media] "When Software Fails to Stop Spam, It's Time to BringIn the Detectives" References: Message-ID: "Mike Easter" wrote in message news:c9j11m$2ce$1@news.spamcop.net... > The deal with the NYT and some others is that you give them your email > addy and the NYT agrees to respect your privacy and not spam you or let > any of their associates or anyone else of theirs spam you. > > The deal with the WashPost and many others is that you give them your > eml and a ton of demographics and then they don't agree to respect your > privacy at all. Nor their associates nor their associates' associates. > They make that very clear in their non-privacy agreement which they > euphemistically call a privacy agreement. As soon as I saw the registration 'details' I immortalized it, knowing full well that most people would never see skiwi's dig. The Times is obviously digging for spammer material... none of that stuff has anything to do with reading their articles. Perhaps they should try the honest approach by making those details optional (and clearly marked as such). -K From postmaster at uniway.ru Wed Jun 2 12:42:16 2004 From: postmaster at uniway.ru (Capelan) Date: Wed Jun 2 03:45:03 2004 Subject: [SpamCop-List] Anybody can help me out from spamcop list??? Message-ID: Can't out from spamcop.... tryed put MDaemon betwen INET and my Exchange server..... Install Antivirsus to everyusers.... block antivirus route message back to sender... Anyway spamcop let me know that i'm in list.. Heeeelp! From pobox.spamcop at kronatech.net Wed Jun 2 01:56:11 2004 From: pobox.spamcop at kronatech.net (KronaTech) Date: Wed Jun 2 04:00:03 2004 Subject: [SpamCop-List] Re: Anybody can help me out from spamcop list??? References: Message-ID: "Capelan" wrote in message news:c9k0d6$prc$1@news.spamcop.net... > Can't out from spamcop.... tryed put MDaemon betwen INET and my Exchange > server..... > Install Antivirsus to everyusers.... block antivirus route message back to > sender... > > Anyway spamcop let me know that i'm in list.. > > Heeeelp! Perhaps you could be a little more clear? I'm not getting... A) "MDaemon betwen INET and my Exchange server." (you put a mail server between Internet and your other mail server). 2) "Install Antivirsus to everyusers" (not sure what that has to do with the SC list). D) "spamcop let me know that i'm in list" (?). I'm sure someone can help if we/they can understand the question a little better. Sounds at first like you just want off the list, but all that other stuff kind of confuses the issue. -K From postmaster at uniway.ru Wed Jun 2 13:35:04 2004 From: postmaster at uniway.ru (Capelan) Date: Wed Jun 2 04:40:04 2004 Subject: [SpamCop-List] Re: Anybody can help me out from spamcop list??? References: Message-ID: "KronaTech" ÓÏÏÂÝÉÌ/ÓÏÏÂÝÉÌÁ × ÎÏ×ÏÓÔÑÈ ÓÌÅÄÕÀÝÅÅ: news:c9k16j$qhf$1@news.spamcop.net... > > "Capelan" wrote in message > news:c9k0d6$prc$1@news.spamcop.net... > > > Can't out from spamcop.... tryed put MDaemon betwen INET and my Exchange > > server..... > > Install Antivirsus to everyusers.... block antivirus route message back to > > sender... > > > > Anyway spamcop let me know that i'm in list.. > > > > Heeeelp! > > Perhaps you could be a little more clear? I'm not getting... > > A) "MDaemon betwen INET and my Exchange server." (you put a mail server > between Internet and your other mail server). > 2) "Install Antivirsus to everyusers" (not sure what that has to do with the > SC list). > D) "spamcop let me know that i'm in list" (?). > > I'm sure someone can help if we/they can understand the question a little > better. Sounds at first like you just want off the list, but all that other > stuff kind of confuses the issue. > > -K > > > Sometimes ago i was that mail schema: Internet -> Exchange mail server You know that exchange can support any auto spam filter... and... Possible that spamcop put me to block list because somedays ago i was infected by mailworms.. and this worms send from me millions mails to everybody... Now i clean all computers from any viruses and worsm.... and made new mail schema for better spam security: Internet -> MDaemon -> Exchange mail server Mdaemon for blocking spam for me.. and from me! =))) and give me for detailed information about all mails... But... 30 hours left.... anyway.... my IP in blocklist... =(((( What you must know for help me??? From gospamming at yourdomain.invalid Wed Jun 2 09:44:26 2004 From: gospamming at yourdomain.invalid (D.Diaz) Date: Wed Jun 2 04:46:00 2004 Subject: [SpamCop-List] Re: Anybody can help me out from spamcop list??? References: Message-ID: "Capelan" wrote in news:c9k3g5$sjr$1@news.spamcop.net: > Now i clean all computers from any viruses and worsm.... and made new > mail schema for better spam security: > Internet -> MDaemon -> Exchange mail server > Mdaemon for blocking spam for me.. and from me! =))) and give me for > detailed information about all mails... > > But... 30 hours left.... anyway.... my IP in blocklist... =(((( > What you must know for help me??? > You forgot to say what is the IP address listed... I'll assume it's the MTA for uniway.ru uniway.ru MX preference = 5, mail exchanger = mail.uniway.ru mail.uniway.ru internet address = 81.211.20.150 No sightings in NANAS. No comments in NANAE. No other listings. 81.211.20.150 listed in bl.spamcop.net (127.0.0.2) Causes of listing System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop) Additional potential problems (these factors do not directly result in spamcop listing) DNS error: 81.211.20.150 has no reverse dns Listing History In the past 6.5 days, it has been listed 2 times for a total of 5.9 days Well, your problem is that your server seems to be sending mail to spamtraps. You also say that you are running MDaemon (that's very good) and you disabled the antivirus setting to send notifications to forged return addresses. If you were listed after a worm infection and now your systems are clean, you can expect to be automatically delisted in a maximum of 48 hours after the last spamtrap hit. If after 48 hours your IP address remains on the blocklist, you can mail deputies admin.spamcop.net asking for more details. Don't forget to include the IP address of the listed server. The deputies can look into the Spamcop database and give you more details about the kind of messages found in the spamtraps, helping you to solve this issue. -- Daniel Diaz My personal email: ddiazxn @ telefonica . net From nobody at nowhere.invalid Wed Jun 2 11:45:30 2004 From: nobody at nowhere.invalid (=?iso-8859-1?q?Steven_M=E4=DFlein?=) Date: Wed Jun 2 04:50:11 2004 Subject: [SpamCop-List] Re: Spammer Letter to SpamCop References: <40B69162.2C0C9DC2@spamcop.net> <40BC9298.D25FBBB2@spamcop.net> Message-ID: On Tue, 01 Jun 2004 09:28:40 -0500, Nobody wrote: > [snip line 3 screens wide] Please read this: http://linux.sgms-centre.com/misc/netiquette.php and pay particular attention to point #5. TIA, -- Steve From eddyrichards2000 at yahoo.com Wed Jun 2 10:48:14 2004 From: eddyrichards2000 at yahoo.com (TechEd) Date: Wed Jun 2 04:50:29 2004 Subject: [SpamCop-List] Spammer's masking ip addresses Message-ID: Hi there everyone, Recently I have noticed that I am receiving spam that is masked. So it not only looks like it is coming from myself but it also looks like it is coming from my isp ip address. So basically since our ISP handles our mail server if I reported the spam I would be reporting my own isp. Can anything be done about this?? Like finding out the real ip address of this spam email? From nobody at nowhere.invalid Wed Jun 2 11:54:25 2004 From: nobody at nowhere.invalid (=?iso-8859-1?q?Steven_M=E4=DFlein?=) Date: Wed Jun 2 04:55:12 2004 Subject: [SpamCop-List] Re: How to handle the spamreports that can't be send unmungled References: <40BC4869.39B2@xyzzy.claranet.de> Message-ID: On Tue, 01 Jun 2004 11:12:09 +0200, Frank Ellermann wrote: > And I'm not at all interested how > spammers wash their lists. Nor am I, but I sure as hell *am* intersted in doing what I can to avoid revenge attacks from spammers who have neen handed an unmunged report by their black-hat ISP! -- Steve From nobody at nowhere.invalid Wed Jun 2 11:59:29 2004 From: nobody at nowhere.invalid (=?iso-8859-1?q?Steven_M=E4=DFlein?=) Date: Wed Jun 2 05:00:16 2004 Subject: [SpamCop-List] Re: Memorial Day -- or -- Christmas? References: Message-ID: On Tue, 01 Jun 2004 03:29:42 -0700, wrote: > BTW, it's been reported that CAIS Internet is the ISP who picked up > Snotty Scotty, through wvfiber.com (aka ibis7.net). Just a thought here, but do *you* own the "us.com" domain? I'm sure the owner is *really* pleased about the piles of junk being hurled at anonym@us.com because of someone using it as an e-mail address in a newsgroup... -- Steve From gospamming at yourdomain.invalid Wed Jun 2 10:04:09 2004 From: gospamming at yourdomain.invalid (D.Diaz) Date: Wed Jun 2 05:05:11 2004 Subject: [SpamCop-List] Re: Spammer's masking ip addresses References: Message-ID: "TechEd" wrote in news:c9k4aq$ths$1@news.spamcop.net: > Hi there everyone, > > Recently I have noticed that I am receiving spam that is masked. So it > not only looks like it is coming from myself but it also looks like it > is coming from my isp ip address. That's unlikely, unless that server was compromised. > > So basically since our ISP handles our mail server if I reported the > spam I would be reporting my own isp. > > Can anything be done about this?? > > Like finding out the real ip address of this spam email? > Please post a SCLink to a sample of the parsing, so the discussion can take place over something factual. It's impossible to discuss/give advice about something not seen. You can cancel the report to avoid problems; the SCLink will work nevertheless. -- Daniel Diaz My personal email: ddiazxn @ telefonica . net From Anonym at us.com Wed Jun 2 03:38:09 2004 From: Anonym at us.com (Anonym@us.com) Date: Wed Jun 2 05:40:14 2004 Subject: [SpamCop-List] Re: Spammer Letter to SpamCop References: <40B69162.2C0C9DC2@spamcop.net> <40BC9298.D25FBBB2@spamcop.net> Message-ID: "Steven Mäßlein" wrote in message news:pan.2004.06.02.08.45.30.282322@[127.0.0.1]... > On Tue, 01 Jun 2004 09:28:40 -0500, Nobody wrote: > > > [snip line 3 screens wide] Perhaps your newsreader is messed up, Steven. I don't see any line that's 3 screens wide. Netiquette also suggests that you not blame others for problems that are your own. From pobox.spamcop at kronatech.net Wed Jun 2 03:57:14 2004 From: pobox.spamcop at kronatech.net (KronaTech) Date: Wed Jun 2 06:00:04 2004 Subject: [SpamCop-List] Re: Anybody can help me out from spamcop list??? References: Message-ID: "D.Diaz" wrote in message news:Xns94FC6D4B23900xnddmxn@216.154.195.61... > [etc, etc] > Well, your problem is that your server seems to be sending mail to > spamtraps. You also say that you are running MDaemon (that's very good) > and you disabled the antivirus setting to send notifications to forged > return addresses. > [etc, etc] > Daniel Diaz Thanks D. (Chuckle) I had no idea what the poor guy was talking about. Hopefully when I'm old and gray, I'll be able to decode those kinds of posts. I was about to ask him about that configuration (Net > MDaemon > Exchange) as I've never heard of that before. I can understand Net > MDaemon <> IIS(smtp)... but Exchange -via- MDaemon? I'm not seeing alot of sense behind that... maybe you know something about that? ;) -K From pobox.spamcop at kronatech.net Wed Jun 2 03:59:26 2004 From: pobox.spamcop at kronatech.net (KronaTech) Date: Wed Jun 2 06:00:09 2004 Subject: [SpamCop-List] Re: Anybody can help me out from spamcop list??? References: Message-ID: "KronaTech" wrote in message news:c9k89h$f0$1@news.spamcop.net... PS: Are you running all the toys on yours (groupware, av, relayfax)? -K From gospamming at yourdomain.invalid Wed Jun 2 11:10:13 2004 From: gospamming at yourdomain.invalid (D.Diaz) Date: Wed Jun 2 06:15:03 2004 Subject: [SpamCop-List] Re: Spammer Letter to SpamCop References: <40B69162.2C0C9DC2@spamcop.net> <40BC9298.D25FBBB2@spamcop.net> Message-ID: wrote in news:c9k77n$vk4$1@news.spamcop.net: > Perhaps your newsreader is messed up, Steven. I don't see any line > that's 3 screens wide. Netiquette also suggests that you not blame > others for problems that are your own. > His newsreader is just fine, only not configured to automatically wrap text that is 3 screens wide ;-) My newsreader also displays that posting as a 3 screens wide line. I have to press 'w' to have it nicely wrapped. You know, USENET news posts are supposed to finish each and every line with a LF (or was it a CR/LF?)... -- Daniel Diaz My personal email: ddiazxn @ telefonica . net From baloo at ursine.ca Wed Jun 2 04:11:53 2004 From: baloo at ursine.ca (Paul Johnson) Date: Wed Jun 2 06:20:03 2004 Subject: [SpamCop-List] Re: Anybody can help me out from spamcop list??? References: Message-ID: <87d64i1d7a.fsf@ursine.ca> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 "Capelan" writes: > Can't out from spamcop.... tryed put MDaemon betwen INET and my Exchange > server..... > Install Antivirsus to everyusers.... block antivirus route message back to > sender... > > Anyway spamcop let me know that i'm in list.. When will people learn to read the website? - -- Paul Johnson Linux. You can find a worse OS, but it costs more. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFAvafuUzgNqloQMwcRAojnAJ9D0R8YJyKYTtx49rLGbKLXqKI84gCeP80d nSXV6TwFEXOxeiO8zDeZ8CI= =k/DR -----END PGP SIGNATURE----- From gospamming at yourdomain.invalid Wed Jun 2 11:23:19 2004 From: gospamming at yourdomain.invalid (D.Diaz) Date: Wed Jun 2 06:25:02 2004 Subject: [SpamCop-List] Re: Anybody can help me out from spamcop list??? References: Message-ID: "KronaTech" wrote in news:c9k89h$f0$1@news.spamcop.net: > posts. I was about to ask him about that configuration (Net > MDaemon > > Exchange) as I've never heard of that before. I can understand Net > > MDaemon <> IIS(smtp)... but Exchange -via- MDaemon? I'm not seeing > alot of sense behind that... maybe you know something about that? > Yes, I know. I have a similar setup in our office, with MDaemon connecting to the Internet as smarthost for our local Exchange Server. -- Daniel Diaz My personal email: ddiazxn @ telefonica . net From gospamming at yourdomain.invalid Wed Jun 2 11:32:55 2004 From: gospamming at yourdomain.invalid (D.Diaz) Date: Wed Jun 2 06:35:03 2004 Subject: [SpamCop-List] Re: Anybody can help me out from spamcop list??? References: Message-ID: "KronaTech" wrote in news:c9k8dl$kg$1 @news.spamcop.net: > > "KronaTech" wrote in message > news:c9k89h$f0$1@news.spamcop.net... > > PS: Are you running all the toys on yours (groupware, av, relayfax)? > > -K > No, just the plain vanilla MDaemon Pro 6.7.9 licensed for six accounts :P In our office we have set up a MS Win2000 Small Business Server for our LAN domain. Local mail is managed by its MS Exchange Server suckware. We have several 'real' mail accounts on two domains hosted by our ISP, so I have set up MDaemon between Internet and Exchange Server in order to fetch all the mail from those accounts (via DomainPOP), sort it out, tag and separate it with SpamAssassin, then send the surviving messages to the proper local mail accounts managed by Exchange Server. It also manages outgoing mail (we actually do not relay to our ISP mailserver, we do direct-to-MX mail). MDaemon receives the outgoing messages from Exchange Server, does header translation (stripping the non-routable domain names of the local accounts and substituting them for the real addies) and delivers them. Bayesian filtering wasn't available on v6.7.9 (it came with MDaemon 7), so I run a standalone Perl interpreted SpamAssassin from within the Content Filtering rules of MDaemon. -- Daniel Diaz My personal email: ddiazxn @ telefonica . net From nobody at nowhere.invalid Wed Jun 2 13:59:01 2004 From: nobody at nowhere.invalid (=?iso-8859-1?q?Steven_M=E4=DFlein?=) Date: Wed Jun 2 07:00:02 2004 Subject: [SpamCop-List] Re: Spammer Letter to SpamCop References: <40B69162.2C0C9DC2@spamcop.net> <40BC9298.D25FBBB2@spamcop.net> Message-ID: On Wed, 02 Jun 2004 10:10:13 +0000, "D.Diaz" wrote: > You know, USENET news posts are supposed to finish each and every line with > a LF (or was it a CR/LF?)... CR/LF during the NNTP transmission phase. And each line is not meant to exceed 80 characters, CR/LF included. By the time it gets into your newsreader the line termination has been changed to whatever your system uses: DOS/Doze CR/LF Unix LF Mac CR >From RFC2822 (Internet Message Format): 2.1.1. Line Length Limits There are two limits that this standard places on the number of characters in a line. Each line of characters MUST be no more than 998 characters, and SHOULD be no more than 78 characters, excluding the CRLF. -- Steve From michael.spamcop at michaellefevre.com Wed Jun 2 12:17:44 2004 From: michael.spamcop at michaellefevre.com (Michael Lefevre) Date: Wed Jun 2 07:20:03 2004 Subject: [SpamCop-List] Re: FAA listed? References: Message-ID: Mike Easter wrote: > Mike Easter wrote: >> tsk tsk. Presumably some kind of out of office for the weekend >> autoreplied to a spam, or something, and then the spamtrap got some >> and then parsed it badly and named the output server instead of the >> source IP. > > http://snipurl.com/6t0p sightings > Received: from relay1.faa.gov > Subject: Elizabeth Louie/AWP/FAA is out of the office. > Date: Fri, 14 May 2004 > > That isn't the same thing, but similar to what I'm thinking. Actually most of the spam trap hits are closer to what you were thinking. Seems the FAA has some kind of *nix server or firewall which accepts any and all email, and then a Domino server behind it which rejects stuff for unknown users, causing the first server to generate the bounce emails. Either a spammer or a virus (I'm guessing a virus) has been sending them a load of email to non-existant addresses, forging the address of a spam trap. Their bounces (not a small number) hit the traps, and they got listed. -- Michael From gospamming at yourdomain.invalid Wed Jun 2 12:21:00 2004 From: gospamming at yourdomain.invalid (D.Diaz) Date: Wed Jun 2 07:25:03 2004 Subject: [SpamCop-List] Re: Spammer Letter to SpamCop References: <40B69162.2C0C9DC2@spamcop.net> <40BC9298.D25FBBB2@spamcop.net> Message-ID: Steven Mäßlein wrote in news:pan.2004.06.02.10.59.00.925709@[127.0.0.1]: > From RFC2822 (Internet Message Format): > Aha! When composing my previous posting I was wandering over the NNTP RFCs looking for that... > 2.1.1. Line Length Limits > > There are two limits that this standard places on the number of > characters in a line. Each line of characters MUST be no more than > 998 characters, and SHOULD be no more than 78 characters, excluding > the CRLF. > So this 'SHOULD' on the RFC is the actual culprit. Now we (tinw) cannot blame Mozilla for not conforming to RFC standards -- Daniel Diaz My personal email: ddiazxn @ telefonica . net From pobox.spamcop at kronatech.net Wed Jun 2 05:32:21 2004 From: pobox.spamcop at kronatech.net (KronaTech) Date: Wed Jun 2 07:35:03 2004 Subject: [SpamCop-List] Re: Anybody can help me out from spamcop list??? References: Message-ID: "D.Diaz" wrote in message news:Xns94FC7FAFFD1D9xnddmxn@216.154.195.61... > No, just the plain vanilla MDaemon Pro 6.7.9 licensed for six accounts :P > [etc] > Bayesian filtering wasn't available on v6.7.9 (it came with MDaemon 7), > so I run a standalone Perl interpreted SpamAssassin from within the > Content Filtering rules of MDaemon. I don't know if you're aware of this, but 6.8.5 has Bayesian and is an upgrade you are entitled to. You can get archived back editions from the archives server at files.altn.com (via FTP), including 6.8.5 (that is the last edition before v7). I am using 6.8.5 myself, as v7 was just way too much of a suck on it's users (I tend to resent it when authors suddenly add a ton of annoying registration steps which really only effect the end-users - not the pirates). I wonder why you would use a (seems to me) complicated configuration like you described, rather than just letting MDaemon handle everything (ie; scrap Exchange completely)? -K From MikeE at ster.invalid Wed Jun 2 05:49:26 2004 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jun 2 07:50:03 2004 Subject: [SpamCop-List] Re: How to handle the spamreports that can't be send unmungled References: <40BC4869.39B2@xyzzy.claranet.de> Message-ID: Steven M??lein wrote: > Frank Ellermann >> And I'm not at all interested how >> spammers wash their lists. > > Nor am I, but I sure as hell *am* intersted in doing what I can to > avoid revenge attacks from spammers who have neen handed an unmunged > report by their black-hat ISP! If you are worried about revenge attacks, you should submit your reports as a mole. It is not possible to adequately munge every possible type of concealed unique information from the header and body of a spm. -- Mike Easter kibitzer, not SC admin From michael.spamcop at michaellefevre.com Wed Jun 2 12:56:03 2004 From: michael.spamcop at michaellefevre.com (Michael Lefevre) Date: Wed Jun 2 08:00:03 2004 Subject: [SpamCop-List] Re: Spammer Letter to SpamCop References: <40B69162.2C0C9DC2@spamcop.net> <40BC9298.D25FBBB2@spamcop.net> Message-ID: D.Diaz wrote: > Steven M??lein wrote in > news:pan.2004.06.02.10.59.00.925709@[127.0.0.1]: > >> From RFC2822 (Internet Message Format): [snip] >> characters in a line. Each line of characters MUST be no more than >> 998 characters, and SHOULD be no more than 78 characters, excluding >> the CRLF. > > So this 'SHOULD' on the RFC is the actual culprit. Now we (tinw) cannot > blame Mozilla for not conforming to RFC standards Indeed, although it would be clearer to call it "Netscape", seeing as it seems to be a 4.x version, rather than something from the mozilla.org project. "SHOULD" things in RFCs are supposed to be followed unless there's a good reason not to. Good reasons in this case might include posting some program code, or a long URL, or several levels of quoting, which should not be wrapped because that would screw things up (some popular clients wrap those things and we know the results...). -- Michael From a at all.addresses.on.cdrom.are.invalid.aaa Wed Jun 2 09:14:06 2004 From: a at all.addresses.on.cdrom.are.invalid.aaa (John Malmberg) Date: Wed Jun 2 08:15:01 2004 Subject: [SpamCop-List] Re: Spammer Letter to SpamCop In-Reply-To: References: <40B69162.2C0C9DC2@spamcop.net> <40BC9298.D25FBBB2@spamcop.net> Message-ID: D.Diaz wrote: > Steven M??lein wrote in > news:pan.2004.06.02.10.59.00.925709@[127.0.0.1]: > >>From RFC2822 (Internet Message Format): > >>2.1.1. Line Length Limits >> >> There are two limits that this standard places on the number of >> characters in a line. Each line of characters MUST be no more than >> 998 characters, and SHOULD be no more than 78 characters, excluding >> the CRLF. >> > So this 'SHOULD' on the RFC is the actual culprit. Now we (tinw) cannot > blame Mozilla for not conforming to RFC standards Mozilla defaults to 78 characters on sending. Unfortunately it also always sets a "format-flowed" tag on the output unless you have hacked it (last checked by me at 1.5 release). If your newsreader understands format-flowed, it will expand the lines to as wide as your current screen is, which hits a different bug in Mozilla. So a sender using Mozilla does not have any idea on how their plain-text message will be displayed on a news/mail client that understands format-flowed. And it took a lot of comments in the bug report to get the developers to understand the problems that result from that. Mozilla will resize the screen in the preview plane to match the width of the title bar. Mozilla has not yet gotten quoting of plain text messages to work in all cases. The behavior has changed with each release, lately more for the better. Many times I need to use the rewrap function and manual edits to get the quoted text correctly. Based on the comments in the bug reports, the people working on the code would prefer to eliminate plain text mode completely and force everyone to HTML, and do not understand why anyone is still using plain-text. -John wb8tyw@qsl.network Personal Opinion Only From gospamming at yourdomain.invalid Wed Jun 2 13:15:58 2004 From: gospamming at yourdomain.invalid (D.Diaz) Date: Wed Jun 2 08:20:03 2004 Subject: [SpamCop-List] Re: Anybody can help me out from spamcop list??? References: Message-ID: "KronaTech" wrote in news:c9kdrs$55f$1@news.spamcop.net: > I don't know if you're aware of this, but 6.8.5 has Bayesian and is an > upgrade you are entitled to. Oh, so it was 6.8.5 then? I knew it was some time after 6.7.9, but I didn't remember which one did it first came with. I'm not so sure about being entitled to that upgrade. IIRC, the 'software upgrade protection', as they call it, is linked to the purchase date, not the purchased version. > You can get archived back editions from the archives server at > files.altn.com (via FTP), including 6.8.5 (that is the last edition > before v7). I am using 6.8.5 myself, as v7 was just way too much of a > suck on it's users (I tend to resent it when authors suddenly add a > ton of annoying registration steps which really only effect the > end-users - not the pirates). > > I wonder why you would use a (seems to me) complicated configuration > like you described, rather than just letting MDaemon handle everything > (ie; scrap Exchange completely)? > Well, handling everything in MDaemon would mean setting up the local mail accounts on it; we'll need a more expensive license than the cheap 6-account one to do that. MS Exchange Server came bundled in MS Win2000 SBS with no account creation restrictions, so... Besides that, I found more suited to my particular needs to have MDaemon acting as gateway for my internal domain. I did test several setups with MDaemon alone, involving accounts only and also accounts + mailing lists as distribution groups. -- Daniel Diaz My personal email: ddiazxn @ telefonica . net From rmu93awSPAMB02 at sneakemail.com Wed Jun 2 08:18:57 2004 From: rmu93awSPAMB02 at sneakemail.com (Spambo) Date: Wed Jun 2 08:20:09 2004 Subject: [SpamCop-List] Re: Richter was on The Daily Show In-Reply-To: References: Message-ID: MaddSybil wrote: > Did anyone else see it? > It was pretty funny. They splashed his email address all over the screen > heeee Old news. TTBOMK the segment originally aired March 30, 2004. -- Just a SpamCop newsgroup participant, not an admin or employee of SpamCop or related domains. From rmu93awSPAMB02 at sneakemail.com Wed Jun 2 08:23:55 2004 From: rmu93awSPAMB02 at sneakemail.com (Spambo) Date: Wed Jun 2 08:25:02 2004 Subject: [SpamCop-List] Re: Spammer's masking ip addresses In-Reply-To: References: Message-ID: TechEd wrote: > Hi there everyone, > > Recently I have noticed that I am receiving spam that is masked. So it not > only looks like it is coming from myself but it also looks like it is coming > from my isp ip address. > > So basically since our ISP handles our mail server if I reported the spam I > would be reporting my own isp. > > Can anything be done about this?? > > Like finding out the real ip address of this spam email? Post some sample headers or a tracking URL. -- Just a SpamCop newsgroup participant, not an admin or employee of SpamCop or related domains. From pobox.spamcop at kronatech.net Wed Jun 2 06:52:04 2004 From: pobox.spamcop at kronatech.net (KronaTech) Date: Wed Jun 2 08:55:04 2004 Subject: [SpamCop-List] Re: Anybody can help me out from spamcop list??? References: Message-ID: "D.Diaz" wrote in message news:Xns94FC9128E5EE2xnddmxn@216.154.195.61... > Oh, so it was 6.8.5 then? I knew it was some time after 6.7.9, but I > didn't remember which one did it first came with. I'm not so sure about > being entitled to that upgrade. IIRC, the 'software upgrade > protection', as they call it, is linked to the purchase date, not the > purchased version. Ah. Sorry - I thought you meant your 6 months was still active, but I can see how stupid that assumption was when I consider that you're using 6.7.9 - so you're upgrade limit has expired then? -K From michael.spamcop at michaellefevre.com Wed Jun 2 14:00:02 2004 From: michael.spamcop at michaellefevre.com (Michael Lefevre) Date: Wed Jun 2 09:05:02 2004 Subject: [SpamCop-List] Re: Spammer Letter to SpamCop References: <40B69162.2C0C9DC2@spamcop.net> <40BC9298.D25FBBB2@spamcop.net> Message-ID: John Malmberg wrote: [snip] > > Based on the comments in the bug reports, the people working on the code > would prefer to eliminate plain text mode completely and force everyone > to HTML, and do not understand why anyone is still using plain-text. The rest of your post was fine, but that's a silly generalisation. It's true to some extent that plain text is a pain to handle - the user wants to see the message at the right width for their setup, and with the quoting displayed correctly - given the range of quoting and formatting out there, trying to parse plain text posts into paragraphs and tie the paragraphs up with the right level of quoting is awkward. There may well be some people who work or have worked on the code that think forcing HTML is the way to go, but that certainly doesn't apply to everyone working on the code, nor is it likely to happen. You could equally well say "based on comments in the forum, people that use Spamcop..." and end the sentence however you wanted... [followups set to .geeks] -- Michael From MikeE at ster.invalid Wed Jun 2 07:04:34 2004 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jun 2 09:10:02 2004 Subject: [SpamCop-List] Re: Spammer Letter to SpamCop References: <40B69162.2C0C9DC2@spamcop.net> <40BC9298.D25FBBB2@spamcop.net> Message-ID: John Malmberg wrote: > Based on the comments in the bug reports, the people working on the > code would prefer to eliminate plain text mode completely and force > everyone to HTML, and do not understand why anyone is still using > plain-text. When I used to visit netscape newsgroups where netscapers were talking to netscapers, they were 'always' posting in netscape html, because of the plaintext handling problems and deficiencies. I remember at the time being so amazed about that that I actually did a search to find quite a number of discussions on the subject. Skilled netscape users knew workarounds so that they could handle plaintext properly, but less experienced ones had to fall back to html to keep problems from arising. I think I visited the netscape groups on the newsserver news.mozilla.org, which I can see an old account for, but it might've had a netscape name. -- Mike Easter kibitzer, not SC admin From ric.gates at bigsleep.org Wed Jun 2 14:12:14 2004 From: ric.gates at bigsleep.org (Blammo) Date: Wed Jun 2 09:15:02 2004 Subject: [SpamCop-List] Re: What am I missing? References: <40BCC67C.9000600@spamcop.net> Message-ID: On 01 Jun 2004 Tim McGraw entered spamcop and left news:40BCC67C.9000600@spamcop.net: > Blammo wrote: >> On 31 May 2004 lt entered spamcop and left >> news:c9gt5e$2tp$1@news.spamcop.net: >> >>>AOL has already started, why are they alone in this >>>effort. >> >> Maybe AOL is the only company that feels they need to protect idiots. > > s/idiots/their network > > I fail to understand how that would protect their network. -- | Ric | From rmu93awSPAMB02 at sneakemail.com Wed Jun 2 09:15:18 2004 From: rmu93awSPAMB02 at sneakemail.com (Spambo) Date: Wed Jun 2 09:20:04 2004 Subject: [SpamCop-List] Re: Spammer Letter to SpamCop In-Reply-To: References: <40B69162.2C0C9DC2@spamcop.net> <40BC9298.D25FBBB2@spamcop.net> Message-ID: Mike Easter wrote: > [snip] > > I think I visited the netscape groups on the newsserver > news.mozilla.org, which I can see an old account for, but it might've > had a netscape name. Coulda been secnews.netscape.com -- Just a SpamCop newsgroup participant, not an admin or employee of SpamCop or related domains. From nobody at spamcop.net Wed Jun 2 10:14:23 2004 From: nobody at spamcop.net (indigo) Date: Wed Jun 2 09:20:12 2004 Subject: [SpamCop-List] Re: Compromised computer(s) or Yahoo account? References: Message-ID: Mike Easter wrote: > > I'm back to thinking about this puzzle. > > Am I correct in assuming that the 'normal' mail in your yahoo Sent > folder does /not/ have any Received headerline? Only the mystery > one/s - or something different? No, all email sent from work from thru yahoo has my work IP in the received from line. > > Do you have a ZoneAlarm or its equivalent? AtGuard at home, some kind of firewall at work on the servers. From nobody at xyzzy.claranet.de Wed Jun 2 16:19:45 2004 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Wed Jun 2 09:25:03 2004 Subject: [SpamCop-List] Re: Spammer Letter to SpamCop References: <40B69162.2C0C9DC2@spamcop.net> <40BC9298.D25FBBB2@spamcop.net> Message-ID: <40BDD3F1.5333@xyzzy.claranet.de> D.Diaz wrote: > My newsreader also displays that posting as a 3 screens > wide line. I have to press 'w' to have it nicely wrapped. Me too, but my newsreader is old and stupid. There was no format=flowed in the Content-Type: of Michael's article, so maybe that caused your problems (?) Bye, Frank From MikeE at ster.invalid Wed Jun 2 07:20:43 2004 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jun 2 09:25:11 2004 Subject: [SpamCop-List] Re: Spammer Letter to SpamCop References: <40B69162.2C0C9DC2@spamcop.net> <40BC9298.D25FBBB2@spamcop.net> Message-ID: Spambo wrote: > Coulda been secnews.netscape.com Yeah, that's it. I must've deleted the account. I don't know why; I'm sitting here with 13 different newsserver accounts right now from not 'tidying up' places I've visited or used for one thing or another. -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Thu Jun 3 02:28:28 2004 From: nobody at spamcop.net (Anony Mouse) Date: Wed Jun 2 09:30:03 2004 Subject: [SpamCop-List] Re: Today Ralsky Inc. uses: 1hbedomain.com, r1g4t2you.com; DNS: marketing88.net, nsmarkk1.net, 010mrktt.net References: <40BCF40D.90509@spamcop.net> Message-ID: <40BDD5FC.4010603@spamcop.net> Karl-Josef Ziegler wrote: > Anony Mouse wrote: > >> The leader of the gang is Webfinity. > > > The only connection I can see is that these > guys are sharing their address database: > And modus operandi... (lists of exploitable machines.) A typical scan of a spam relay as used by the gang. 4444/tcp open krb524 <-- exploit 5000/tcp open fics <-- proxy 12345/tcp open NetBus <-- control And companies feeding them money. EyeFive being the most notable as far as I am concerned. USA Lenders I think they are called is another. Canadian Pharmacuaticals yet another. The Webfinity porn operation which stretches across continents and how Webfinity got so good at what they do. The latest one... Extended vehicle insurance. There are no doubt more. >> Alan Ralsky. <-- Convicted criminal >> Alexey Panov <-- Links to Russian mafia >> Calvin Ho >> Drew Auman / thebulkclub.com >> Juan Garavaglia aka Super-Zonda >> lmihosting.com <-- Front florida gangs >> Mike Van Essen / Global Web Promotions <-- Charged and inactive now. >> Pavka / Artofitn <-- Another Russian >> Peter Francis-Macrae <- Ralsky associate. >> Tim Goyetche / Bulkers.net / Bulkbarn.com > > > These are the spammers I got mails from on a regular basis. > And most of my spams only(!) from these guys. So it seems > to be a 'closed bulk club'. You are privilaged to be spammed by such an illustrious group of optin business mogels :) I wonder how they will use their entrepreneurial skills in jail... Maybe they will be able to keep Bubba at bay :) But then again I hear Bubba is not easily satisfied and can be rather insistant. I look forward to the coming months. From dommanno at netscape.net Wed Jun 2 10:30:41 2004 From: dommanno at netscape.net (D.F. Manno) Date: Wed Jun 2 09:35:02 2004 Subject: [SpamCop-List] Re: [media] "When Software Fails to Stop Spam, It's Time to BringIn the Detectives" References: Message-ID: In article , "Mike Easter" wrote: > The deal with the WashPost and many others is that you give them your > eml and a ton of demographics and then they don't agree to respect your > privacy at all. Nor their associates nor their associates' associates. > They make that very clear in their non-privacy agreement which they > euphemistically call a privacy agreement. As far as the Wash. Post knows, I'm an 83-year-old woman from Gambia. And the e-mail address I gave them was a throwaway. So what did they achieve? -- D.F. Manno dommanno@netscape.net "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." (Benjamin Franklin) From gospamming at yourdomain.invalid Wed Jun 2 14:50:29 2004 From: gospamming at yourdomain.invalid (D.Diaz) Date: Wed Jun 2 09:55:04 2004 Subject: [SpamCop-List] Re: Anybody can help me out from spamcop list??? References: Message-ID: "KronaTech" wrote in news:c9kihc$8o2$1@news.spamcop.net: > Ah. Sorry - I thought you meant your 6 months was still active, but I > can see how stupid that assumption was when I consider that you're > using 6.7.9 - so you're upgrade limit has expired then? > Yes, it has. v6.7.9 was the last free upgrade covered by the 'upgrade protection'. -- Daniel Diaz My Personal email: ddiazxn @ telefonica . net From bomarc_com at spam.hotmail.nospam.com.use.spamcop.net Wed Jun 2 08:01:40 2004 From: bomarc_com at spam.hotmail.nospam.com.use.spamcop.net (Dan French) Date: Wed Jun 2 10:05:02 2004 Subject: [SpamCop-List] Stuck in a "No userid found" Message-ID: At work I was trying to report spam... but I kept receiving "no userid found"... making {home email account: Hotmail.com} reporting difficult. So, while at work I re-registered... and while at work the {my home email} ID is ok. I come home, and try to continue reporting spam... ... "No userid found" I tried to manually delete cookies {one hidden somewhere?} there is no visible way to clear spamcop cookies, to try and get things going again. Right now reporting is a tedious and painful process (especially with hotmail and their @$#$ link that times out) Ideas? Dan French From nobody at spamcop.net Wed Jun 2 11:08:42 2004 From: nobody at spamcop.net (Spam Pop) Date: Wed Jun 2 10:10:04 2004 Subject: [SpamCop-List] Maybe OT: Spyhunter/Lavasoft Message-ID: Hi, If this's old news, I apologize in advance; a quick search didn't turn anything up. Lavasoft has added Spyhunter to its database, interestingly enough, for what appears to me to be very valid reasons, especially the way it sends in your OS ID, which is, IMO, a serious breech or trust since it's covert and completely hidden operation. You can read more here: http://news.com.com/2100-1032-5153485.html?tag=nl Here's a short snip from the newsletter: Anyone wants to see the whole thing can let me know - a considerable amount of detail is included: -------------- "what's not disclosed is the hidden transmission of the Microsoft Windows Product ID to their servers every time their software checks for an update. They also uniquely identify their users by use of a unique ID for each installation. This unique ID is also sent to their servers undisclosed. This is something we at Lavasoft find highly questionable and unethical. Enigma Software Group also uses questionable methods to market their software SpyHunter. Their pop-up ads resemble virus alerts from well-known anti-virus programs, and DOS windows displaying fake scan results. The pop-up ads can be found here: http://www2.enigmasoftwaregroup.com/TMP/1.htm http://www2.enigmasoftwaregroup.com/TMP/2.htm http://www2.enigmasoftwaregroup.com/TMP/3.htm http://www2.enigmasoftwaregroup.com/TMP/4.htm" ------------- Regards, Pop From nobody at spamcop.net Wed Jun 2 11:19:24 2004 From: nobody at spamcop.net (Firewoman) Date: Wed Jun 2 10:15:03 2004 Subject: [SpamCop-List] Re: Marjolein's current travel blog References: Message-ID: "Mike Easter" wrote in message news:c9ctco$p6j$1@news.spamcop.net... > Currently Friday http://iamback.com/blog/ > > Some dup/s from Turkey, apparently some trouble getting thru' from Iran. > Her itinerary sez she'll be Iran for about 2½ 2.5 weeks 'til nearly > mid Jun > > -- > Mike Easter > kibitzer, not SC admin Wow, what a wonderful vacation! Here's to hoping the rest of her trip is safe and fun. Marco! From MikeE at ster.invalid Wed Jun 2 08:17:23 2004 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jun 2 10:20:03 2004 Subject: [SpamCop-List] Re: Compromised computer(s) or Yahoo account? References: Message-ID: indigo wrote: > Mike Easter wrote: >> I'm back to thinking about this puzzle. > No, all email sent from work from thru yahoo has my work IP in the > received from line. Then, do you/we agree that the headers you posted suggest that our current evidence should be interpreted as saying that a comcast dialup account, perhaps with the geographic traits I described earlier, accessed your yahoo webmail back in 2003 Dec using your yahoo username and your yahoo password and your yahoo human name and sent, perhaps forwarded, the spam to your comcast addy? Received: from [68.55.224.2] by web40601.mail.yahoo.com via HTTP; Sat, 13 Dec 2003 11:12:54 PST Date: Sat, 13 Dec 2003 11:12:53 -0800 (PST) From: "my-yahoo-human-name" Add to Address Book Subject: Fwd: You play - We pay, get 200 dollars from Casino-on-Net To: my-comcast-addy@comcast.net -- Mike Easter kibitzer, not SC admin From jvm_cop at spamcop.net Wed Jun 2 11:31:15 2004 From: jvm_cop at spamcop.net (J. Merrill) Date: Wed Jun 2 10:30:04 2004 Subject: [SpamCop-List] Inconsistent parsing (due to different software on different servers?) Message-ID: I reported a held message as spam. When it was parsed, the result included the message "no links found" when there seemed to be many of them. I goofed and clicked Cancel. I went to "recent reports" and clicked on the link for the message, and clicked the "parse" link at the top. This time, many links were found. (However, I could not report based on the contents shown there, as all To: and Cc: email addresses had been replaced by x.) [end of first story] Just now, I reported a different held message as spam. When it was parsed, again "no links found" was displayed. I clicked on the "report spam" link at the top of the page, and clicked the "Report Now" link after the "Unreported Spam Saved:" message. This time when it was parsed, many links were found. I understand why parsing the same message at different times can produce a different set of reports, due to DNS changes and changes to the contents of the various block lists. But I don't understand why two parses (within a few minutes) should find different links within the HTML content -- unless there are multiple servers running the web site and they don't all have the same software running. Along the same lines, I'm seeing some of the parses displayed with the "Parsing header:" and the lines from that point on indented, while other parses are not indented. Am I crazy? From gospamming at yourdomain.invalid Wed Jun 2 15:32:04 2004 From: gospamming at yourdomain.invalid (D.Diaz) Date: Wed Jun 2 10:35:03 2004 Subject: [SpamCop-List] Re: Inconsistent parsing (due to different software on different servers?) References: Message-ID: "J. Merrill" wrote in news:c9ko27$e6o $1@news.spamcop.net: > I understand why parsing the same message at different times can > produce a different set of reports, due to DNS changes and > changes to the contents of the various block lists. But I don't > understand why two parses (within a few minutes) should find > different links within the HTML content -- unless there are > multiple servers running the web site and they don't all have the > same software running. > > Along the same lines, I'm seeing some of the parses displayed > with the "Parsing header:" and the lines from that point on > indented, while other parses are not indented. > > Am I crazy? > No, you aren't. That has already been brought to the attention of Deputies/JH, but they cannot reproduce this strange behaviour. It seems to be some obscure issue with timings, totally unrelated to DNS. Maybe it's all about the delays introduced by traversing the akamai servers... You can force a reparse by clicking on "View full message", then coming back; the links will be found the second time. -- Daniel Diaz My Personal email: ddiazxn @ telefonica . net From MikeE at ster.invalid Wed Jun 2 08:34:58 2004 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jun 2 10:40:04 2004 Subject: [SpamCop-List] Re: Marjolein's current travel blog References: Message-ID: Firewoman wrote: > "Mike Easter" >> apparently some trouble getting thru' from >> Iran. Her itinerary sez she'll be Iran for about 2? 2.5 weeks 'til >> nearly mid Jun > Wow, what a wonderful vacation! Nothing new since Friday. Today she gets to Yazd. Maybe she'll have better luck transmitting there. I didn't get any hits on concurrent /yazd 'cafe net'/ -- Mike Easter kibitzer, not SC admin From me at privacy.net Wed Jun 2 11:10:57 2004 From: me at privacy.net (Frog Prince) Date: Wed Jun 2 10:40:09 2004 Subject: [SpamCop-List] Re: [media] "When Software Fails to Stop Spam, It's Time to BringIn the Detectives" References: Message-ID: "D.F. Manno" | > The deal with the WashPost and many others is that you give them your | > eml and a ton of demographics and then they don't agree to respect your | > privacy at all. Nor their associates nor their associates' associates. | > They make that very clear in their non-privacy agreement which they | > euphemistically call a privacy agreement. | | As far as the Wash. Post knows, I'm an 83-year-old woman from Gambia. | And the e-mail address I gave them was a throwaway. So what did they | achieve? A bit of GIGO data to fool their advertisers into paying more for the premium contact privileges. From me at privacy.net Wed Jun 2 11:35:44 2004 From: me at privacy.net (Frog Prince) Date: Wed Jun 2 10:40:21 2004 Subject: [SpamCop-List] Re: [media] "When Software Fails to Stop Spam, It's Time to Bring In the Detectives" References: <87k6yq5vt2.fsf@ursine.ca> Message-ID: "Paul Johnson" | > I for one HATE PDF as it is (at the very minimum) very difficult to use, is | > a memory hog and the files are just too big. Did I mention slow? | | Hmm, must be on your end. kpdf Just Works, and works quickly and | works well. Not sure what Acrobat Reader's problem is, I hate it and | resent having to use it at work. There's nothing wrong with PDF the | format, but Acrobat sucks. | | > My former company spent big bucks on a document management program | > based on PDF to avoid hard copy. Not only would no one use it no | > one could use it unless it was printed to hard copy. Took them | > about 6 weeks to dump the entire thing. | | So you hate a pretty handy file format for management stupidity... Only one example. And the problem *IS* on my end. I've never seen a document system using PDF that worked as sold. A lot of companies go to PDF as it is the 'standard' without knowing what they are getting into or it's effects on their customers. End users (especially technical types) 'live with it' because they don't have effective alternatives and zero input into the process. I've taken more than one marketing &/or engineering director into the field, handed them tools with either a hard copy of the print out or a lap top display and the impetuous 'go fix' using this data. Only then do they come to the realization that the data presented is effectively unusable. You mention kpdf Just Works. What is this and were can I go to check it out? From me at privacy.net Wed Jun 2 11:38:25 2004 From: me at privacy.net (Frog Prince) Date: Wed Jun 2 10:40:29 2004 Subject: [SpamCop-List] Re: [media] "When Software Fails to Stop Spam, It's Time to Bring In the Detectives" References: <877juq5vha.fsf@ursine.ca> Message-ID: "Paul Johnson" | >> I've seen 10 MB powerpoint presentations reduced by a factor of | >> 3-4 when turned into PDFs. | > | > Yabbut .ppt files are incredibly bloated and inefficient compared to | > what is actually 'inside' them; whereas .pdf files use various types or | > degrees of compression to keep themselves from being so fat | > filesize-wise. | | And everybody and their dog can read a PDF. Every body and the dog can open a PDF file, reading, souring and using the data contained effectively is another mater. From MikeE at ster.invalid Wed Jun 2 08:38:58 2004 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jun 2 10:40:35 2004 Subject: [SpamCop-List] Re: Marjolein's current travel blog References: Message-ID: Mike Easter wrote: > I didn't get any hits on concurrent /yazd 'cafe net'/ Well that's what Marjolein was saying 'they' called them 'We' call them internet cafes when we talk about them so that's a better search and "Next to the 12th-century mosque, there's a lively Internet cafe," - so presumably we'll get another post soon from Yazd. -- Mike Easter kibitzer, not SC admin From me at privacy.net Wed Jun 2 12:01:19 2004 From: me at privacy.net (Frog Prince) Date: Wed Jun 2 11:05:03 2004 Subject: [SpamCop-List] Re: Stuck in a "No userid found" References: Message-ID: "Dan French" wrote in message news:c9kmnq$ctq$1@news.spamcop.net... | At work I was trying to report spam... but I kept receiving "no userid | found"... making {home email account: Hotmail.com} reporting difficult. | | So, while at work I re-registered... and while at work the {my home email} | ID is ok. | | I come home, and try to continue reporting spam... | ... "No userid found" | | I tried to manually delete cookies {one hidden somewhere?} there is no | visible way to clear spamcop cookies, to try and get things going again. | | Right now reporting is a tedious and painful process (especially with | hotmail and their @$#$ link that times out) | | Ideas? First I'm a dummy about this so judge the usefulness of my input. I've had a similar problem on this end except the problem was at home v at work. End result was I disabled the firewall (in this case both were ZoneAlarm) made one report then reactivated the ZA and the system worked for a few days. Once the problem returned I again disabled the firewall, did a few reports (not using the forward as attachment) and the system would work for another few days. Don't know why this happens. Have no clue how to fix it but since the work around works I'm content. FP From me at privacy.net Wed Jun 2 12:02:20 2004 From: me at privacy.net (Frog Prince) Date: Wed Jun 2 11:05:08 2004 Subject: [SpamCop-List] Re: Maybe OT: Spyhunter/Lavasoft References: Message-ID: "Spam Pop" wrote in message news:c9kn1a$dau$1@news.spamcop.net... | Hi, | If this's old news, I apologize in advance; a quick search | didn't turn anything up. | | | Here's a short snip from the newsletter: Anyone wants to | see the whole thing can let me know - a considerable amount | of detail is included: I'd like to see more. TIA FP brother_rabbit @ hotmail.com From not at home.today Wed Jun 2 17:41:52 2004 From: not at home.today (Ant) Date: Wed Jun 2 11:45:06 2004 Subject: [SpamCop-List] Links found, but no reports Message-ID: Spam in .spam with parser output appended. Links parsed, many null or bogus links, links to images, and two clickable links. All links were found. Despite refreshing a few times, viewing the full message and going back, no reports were generated for any links. http://www.spamcop.net/sc?id=z509221240z0f67ddffdd4e60acdd5401aa7d26c5cbz From tmcgraw at spamcop.net Wed Jun 2 09:47:47 2004 From: tmcgraw at spamcop.net (Tim McGraw) Date: Wed Jun 2 11:50:03 2004 Subject: [SpamCop-List] Re: What am I missing? References: <40BCC67C.9000600@spamcop.net> Message-ID: <40BDF6A3.3030805@spamcop.net> Blammo wrote: > On 01 Jun 2004 Tim McGraw entered spamcop and left > news:40BCC67C.9000600@spamcop.net: >>Blammo wrote: >>>On 31 May 2004 lt entered spamcop and left >>>news:c9gt5e$2tp$1@news.spamcop.net: >>> >>>>AOL has already started, why are they alone in this >>>>effort. >>> >>>Maybe AOL is the only company that feels they need to protect idiots. >> >>s/idiots/their network > > I fail to understand how that would protect their network. spammers are criminals. Exchange packets with them and they will look for, and frequently find, exploits in your network. spammers may not get their bounces due to forgeries, but you can bet they look at their logs. From eddie at eddie.web Wed Jun 2 12:50:45 2004 From: eddie at eddie.web (eddie) Date: Wed Jun 2 11:55:04 2004 Subject: [SpamCop-List] Re: FAA listed? References: <40BD576E.1090100@spamcop.net> Message-ID: On Tue, 01 Jun 2004 21:28:30 -0700, Tim McGraw scratched out the following: snip > ITYM Reagan? nah, he's still alive, though barely - Nixon - he's the one. Everything is his fault ;) From nobody at xyzzy.claranet.de Wed Jun 2 18:55:08 2004 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Wed Jun 2 12:00:03 2004 Subject: [SpamCop-List] Re: Links found, but no reports References: Message-ID: <40BDF85C.353@xyzzy.claranet.de> Ant wrote: > two clickable links [...] > viewing the full message and going back That's apparently necessary. One of the two links shows no IP, so there's nothing SC can do. Maybe the other link (unsubscribe) is an innocent bystander (?) Bye, Frank From gospamming at yourdomain.invalid Wed Jun 2 16:56:15 2004 From: gospamming at yourdomain.invalid (D.Diaz) Date: Wed Jun 2 12:00:07 2004 Subject: [SpamCop-List] Re: Links found, but no reports References: Message-ID: "Ant" wrote in news:c9ksh4$ivr$1@news.spamcop.net: > Spam in .spam with parser output appended. > > Links parsed, many null or bogus links, links to images, and two > clickable links. All links were found. > > Despite refreshing a few times, viewing the full message and > going back, no reports were generated for any links. > > http://www.spamcop.net/sc?id=z509221240z0f67ddffdd4e60acdd5401aa7d26c5cbz > The parser algorithm for multiple links failed with this particular spam. It just could not tell the difference between the bogus links and the good ones. -- Daniel Diaz My personal email: ddiazxn @ telefonica . net From nobody at spamcop.net Wed Jun 2 13:27:13 2004 From: nobody at spamcop.net (Spam Pop) Date: Wed Jun 2 12:30:03 2004 Subject: [SpamCop-List] Posted In .spam same subject Re: Maybe OT: Spyhunter/Lavasoft References: Message-ID: Posted in .spam in Text format. A lot of links & sidebars went away of course when I clicked it into Text Only but the meat of the article is still there. FWIW, Lavasoft apparently doesn't offer an on-site place to look at the newsletter. I saw info there that's in the newsletter, but no link to the newsletter. If you should find one, pls let me know. And yes, I DID verify the authenticity of the newsletter with a Spamcop Parse plus a personal look-thru at the headers - all looked perfectly fine. YWN -------- "Frog Prince" wrote in message news:c9kq60$gkr$1@news.spamcop.net... > > "Spam Pop" wrote in message > news:c9kn1a$dau$1@news.spamcop.net... > | Hi, > | If this's old news, I apologize in advance; a quick search > | didn't turn anything up. > | > | > | Here's a short snip from the newsletter: Anyone wants to > | see the whole thing can let me know - a considerable amount > | of detail is included: > > > > I'd like to see more. > > TIA > > FP > brother_rabbit @ hotmail.com > > > From not at home.today Wed Jun 2 19:20:00 2004 From: not at home.today (Ant) Date: Wed Jun 2 13:25:02 2004 Subject: [SpamCop-List] Re: Links found, but no reports References: <40BDF85C.353@xyzzy.claranet.de> Message-ID: "Frank Ellermann" wrote... > One of the two links shows no IP, so there's nothing SC can do. Yes, I can't find any whois info on logging2594drug.biz > Maybe the other link (unsubscribe) is an innocent bystander (?) The domain overbading3764drug.biz is registered in Latvia. Looks spammy to me, and it's never stopped Spamcop reporting before. From not at home.today Wed Jun 2 19:21:21 2004 From: not at home.today (Ant) Date: Wed Jun 2 13:25:11 2004 Subject: [SpamCop-List] Re: Links found, but no reports References: Message-ID: "D.Diaz" wrote... > The parser algorithm for multiple links failed with this particular spam. > It just could not tell the difference between the bogus links and the good > ones. That surprises me. I've had serveral very similar spams before and the correct links were found. I don't know why the parser even looks at null links, since they are not visible or clickable in the rendered spam (there is no text between the and the tags). I can understand why it ignores the links, as they might be loading images from an IB site. In this case the images are from the same domain as the "remove" link (overbading3764drug.biz) which is registered in Latvia. There is no whois info on logging2594drug.biz (the "click for info" link), so that explains the failure there. From pobox.spamcop at kronatech.net Wed Jun 2 11:45:38 2004 From: pobox.spamcop at kronatech.net (KronaTech) Date: Wed Jun 2 13:50:03 2004 Subject: [SpamCop-List] Re: Anybody can help me out from spamcop list??? References: Message-ID: "D.Diaz" wrote in message news:Xns94FCA125C4E7Bxnddmxn@216.154.195.61... > > Yes, it has. v6.7.9 was the last free upgrade covered by the 'upgrade > protection'. > I email'd you earlier to say hello. -K From nobody at spamcop.net Wed Jun 2 14:57:13 2004 From: nobody at spamcop.net (Firewoman) Date: Wed Jun 2 13:55:03 2004 Subject: [SpamCop-List] Faked header, but somehow appropriate..... Message-ID: Return-Path: Received: from [193.77.104.68] (HELO inboundmail.lobsterpot.net.uk) by fe3..net (CommuniGate Pro SMTP 4.1.8) with SMTP id 14447461 for administrator@.com; Wed, 02 Jun 2004 08:46:57 -0500 Received: from dgs (unknown [207.201.82.14]) by inboundmail.lobsterpot.net.uk (8.8.7/8.8.7) with ESMTP id J87Gz048835504 for .com>; Tue, 1 Jun 2004 22:16:12 +0000 (GMT) Message-Id: <324600499044.3RFg575349G9i7@frogshit.com> From: "Richard Knapp" To: administrator@.com Subject: Misc software - very low prices Date: Tue, 1 Jun 2004 22:16:12 +0000 (GMT) From nobody at spamcop.net Wed Jun 2 13:51:51 2004 From: nobody at spamcop.net (Miss Betsy) Date: Wed Jun 2 13:55:11 2004 Subject: [SpamCop-List] Re: Spammer's masking ip addresses References: Message-ID: Compromised computer(s) or Yahoo account? thread started by indigo seems to have a similar situation where indigo seems to be receiving spam from himself. Don't know whether the problem is related or not, but thought I would mention it. Miss Betsy From gospamming at yourdomain.invalid Wed Jun 2 18:55:16 2004 From: gospamming at yourdomain.invalid (D.Diaz) Date: Wed Jun 2 14:00:04 2004 Subject: [SpamCop-List] Re: Links found, but no reports References: Message-ID: "Ant" wrote in news:c9l2da$o0q$2@news.spamcop.net: > That surprises me. I've had serveral very similar spams before and the > correct links were found. > Me too :-) > I don't know why the parser even looks at null links, since they are > not visible or clickable in the rendered spam (there is no text > between the and the tags). > > I can understand why it ignores the links, as they might > be loading images from an IB site. In this case the images are from > the same domain as the "remove" link (overbading3764drug.biz) which is > registered in Latvia. > Yes, it has been the policy for Spamcop since a long time to ignore image source links. > There is no whois info on logging2594drug.biz (the "click for info" > link), so that explains the failure there. > The problem lies there in part... Bear in mind that this algorithm is brand new, and it has to be polished to address these issues. I could explain why this spam defeated the algorithm because I saw parsings in 'verbose mode' during the very first hour it entered service, but that would be considered Useful Information for spammers ;-) Richard W. did state it two days ago: RW wrote in news:40BADC82.25B859@spamcop.net: > We adopted a policy some time ago to not comment at length on new > things SpamCop is doing, because spammers obviously read these forums > and use the info to defeat the new coding. You will also notice less > "work" shown on the parsing page. > > This is something SpamCop's new coder is working on, to get around the > multiple 'IB' domains found in a lot of spam. There is also some new > code to catch dns tricks. -- Daniel Diaz My personal email: ddiazxn @ telefonica . net From baloo at ursine.ca Wed Jun 2 11:48:47 2004 From: baloo at ursine.ca (Paul Johnson) Date: Wed Jun 2 14:05:02 2004 Subject: [SpamCop-List] Re: [media] "When Software Fails to Stop Spam, It's Time to Bring In the Detectives" References: <87k6yq5vt2.fsf@ursine.ca> Message-ID: <874qptrgu8.fsf@ursine.ca> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 "Frog Prince" writes: > I've never seen a document system using PDF that worked as sold. I've never seen a document management system, reguardless of preferred file format, work as advertized, so we're even. 8:o) > A lot of companies go to PDF as it is the 'standard' without knowing > what they are getting into or it's effects on their customers. End > users (especially technical types) 'live with it' because they don't > have effective alternatives and zero input into the process. But I *like* PDF. It's encapsulated postscript actually done right. > You mention kpdf Just Works. What is this and were can I go to check > it out? kpdf is not available for Windows. kpdf is the default PDF viewer in KDE (so it's available to pretty much everyone but windows users). - -- Paul Johnson Linux. You can find a worse OS, but it costs more. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFAvhMBUzgNqloQMwcRAgLWAJ0ZDZXkHpWQnIFpxuiNUESgtNhSPgCcD2yt pXTdIIEsBSwNltjmyH8kqKE= =GDb8 -----END PGP SIGNATURE----- From ric.gates at bigsleep.org Wed Jun 2 19:18:40 2004 From: ric.gates at bigsleep.org (Blammo) Date: Wed Jun 2 14:20:03 2004 Subject: [SpamCop-List] Re: What am I missing? References: <40BCC67C.9000600@spamcop.net> <40BDF6A3.3030805@spamcop.net> Message-ID: On 02 Jun 2004 Tim McGraw entered spamcop and left news:40BDF6A3.3030805@spamcop.net: >>>s/idiots/their network >> >> I fail to understand how that would protect their network. > > spammers are criminals. Exchange packets with them and they will look > for, and frequently find, exploits in your network. That still doesn't explain how blocking http access to particular domains protects the AOL network. Spamming isn't a crime. I think some of you people here take it all a little too seriously. If the Interent went down tomorrow, believe me, life would go on. -- | Ric From gospamming at yourdomain.invalid Wed Jun 2 19:36:43 2004 From: gospamming at yourdomain.invalid (D.Diaz) Date: Wed Jun 2 14:40:04 2004 Subject: [SpamCop-List] Re: Anybody can help me out from spamcop list??? References: Message-ID: "KronaTech" wrote in news:c9l3no$p4f$1 @news.spamcop.net: > I email'd you earlier to say hello. > I'm just about to leave from the office... I'll answer it at home. -- Daniel Diaz My personal email: ddiazxn @ telefonica . net From skiwi+newsgroups at spamcop.net Wed Jun 2 12:52:19 2004 From: skiwi+newsgroups at spamcop.net (Skiwi) Date: Wed Jun 2 14:55:03 2004 Subject: [SpamCop-List] Re: Maybe OT: Spyhunter/Lavasoft [a small test] In-Reply-To: References: Message-ID: Spam Pop wrote: > Hi, > If this's old news, I apologize in advance; a quick search > didn't turn anything up. > > Lavasoft has added Spyhunter to its database, interestingly > enough, for what appears to me to be very valid reasons, > especially the way it sends in your OS ID, which is, IMO, a > serious breech or trust since it's covert and completely > hidden operation. > > You can read more here: > http://news.com.com/2100-1032-5153485.html?tag=nl > > Here's a short snip from the newsletter: Anyone wants to > see the whole thing can let me know - a considerable amount > of detail is included: > -------------- > "what's not disclosed is the hidden transmission of the > Microsoft Windows Product ID to their servers every time > their software checks for an update. They also uniquely > identify their users by use of a unique ID for each > installation. This unique ID is also sent to their servers > undisclosed. This is something we at Lavasoft find highly > questionable and unethical. Also to paraphrase the newsletter, their software will let you scan your PC for free but it costs to remove - presumably the "omigod" sales technique.... I wondered if what it 'finds' is actually there - so I updated as needed and ran both SpyBot and AdAware (who I trust), and then installed ran their "free scanner"... It found 12 registry 'problems' (all 'severe') and 1 'problem' cookie ('medium.') Note that my workstation is also a GIS file server, so I didn't want to wait for it to scan 170Gb or so of files...) Hmmmm.... The most interesting item? "Adware Browser Helper Object. Parent company is Avenue Media. May masquerade as an Internet Optimizer program. Some variants may hijack browser error pages." !!! Its war folks! :-) ASIDE - interestingly, their long EULA has no privacy section From user\" at domain.invalid.com>" Wed Jun 2 21:59:44 2004 From: user\" at domain.invalid.com>" ( Rolf) Date: Wed Jun 2 15:00:02 2004 Subject: [SpamCop-List] Re: What am I missing? In-Reply-To: References: <40BCC67C.9000600@spamcop.net> <40BDF6A3.3030805@spamcop.net> Message-ID: Blammo wrote: > That still doesn't explain how blocking http access to particular domains > protects the AOL network. It also saves bandwith and protects some clueless users from Java script exploits etc. as well as password and credit card scams. > Spamming isn't a crime. I think it should be one :-) > I think some of you people here take it all a > little too seriously. If the Interent went down tomorrow, believe me, life > would go on. Yep, just about as much as if cars suddenly wouldn't go anymore ;-) Humanity could survive but it will be VERY though in the beginning. Imagine all the logistics networked through internet. All the communication going through it. All the people working through, with and for internet services. A lot of reasons for arising social conflicts. Happy you if you live in the country and can get your own food, but city people will be in a very tight spot in such a situation. Rolf Kalbermatter From not at home.today Wed Jun 2 21:13:40 2004 From: not at home.today (Ant) Date: Wed Jun 2 15:15:04 2004 Subject: [SpamCop-List] Re: Links found, but no reports References: Message-ID: "D.Diaz" wrote... > "Ant": [snip issues] >> There is no whois info on logging2594drug.biz (the "click for info" >> link), so that explains the failure there. > > The problem lies there in part... > Bear in mind that this algorithm is brand new, and it has to be polished > to address these issues. Understood. I notice the Spamcop version number has been increasing rather quickly recently. The purpose of my post was to bring the problem to the attention those with influence, as much as wondering about the reasons. > I could explain why this spam defeated the > algorithm because I saw parsings in 'verbose mode' during the very first > hour it entered service, but that would be considered Useful Information > for spammers ;-) That's a good enough answer for me. As long as it's a known issue then all's well (hopefully). > Richard W. did state it two days ago: Yes, I saw that. Thanks for your response - I consider my curiosity satisfied! > RW wrote in news:40BADC82.25B859@spamcop.net: >> We adopted a policy some time ago to not comment at length on new >> things SpamCop is doing, because spammers obviously read these forums >> and use the info to defeat the new coding. You will also notice less >> "work" shown on the parsing page. >> >> This is something SpamCop's new coder is working on, to get around the >> multiple 'IB' domains found in a lot of spam. There is also some new >> code to catch dns tricks. I'll leave this in as a reminder. From nobody at spamcop.net Wed Jun 2 13:29:24 2004 From: nobody at spamcop.net (K. Crocker) Date: Wed Jun 2 15:30:03 2004 Subject: [SpamCop-List] Re: FAA listed? In-Reply-To: References: <40BD576E.1090100@spamcop.net> Message-ID: Nah, I'd blame Al Gore. He invented the damn thing! eddie wrote: > On Tue, 01 Jun 2004 21:28:30 -0700, Tim McGraw scratched out the > following: > > snip > >>ITYM Reagan? > > > nah, he's still alive, though barely - Nixon - he's the one. Everything is > his fault ;) From MikeE at ster.invalid Wed Jun 2 13:34:14 2004 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jun 2 15:35:03 2004 Subject: [SpamCop-List] Re: How to handle the spamreports that can't be send unmungled References: <40BC4869.39B2@xyzzy.claranet.de> Message-ID: Monty wrote: > "Mike Easter" >> If you are worried about revenge attacks, you should submit your >> reports as a mole. > > That's not a "report" at all. It's merely a way of collecting > statistics. Disclaimer: I am /not/ a mole reporter and I /am/ concerned about some features of mole reporting. Mungeing 'beliefs': I also have a long history of manual reporting completely unmunged from the spammed address. ....but, that being sed.... ..the results of mole reporting are *not* 'merely a way of collecting statistics'. The result of mole reporting are exactly the same with respect to the spamcop blocklist as is normal reporting. The normal reporter who is free submits a spam which is parsed and overseen for its results, whereupon the spamcop reporting system sends reports to the spamcop derived reporting addresses for the source and some representation of the spamvertised sites, usually. SC munges that report by obscuring the email addresses in the headers, and 'anonymizes' the reporter by sending the report 'in the name of' a report number. The source IP of the report counts toward the SC blocklist. There is no other 'list' regarding the spamvertised sites. The mole reporter submits a spam which is parsed and overseen for its results. The source IP of the report counts toward the SC blocklist. There is no reporting done. If the 'power' of spamcop reporting lies in the effect of the blocklist, the power of the mole reporter and that of the 'normal' reporter are exactly the same. The two differ only in who is being notified and who is being provided a copy of the original spam, with spamcop mungeing. If a person 'believes in' mungeing because they don't want to transmit any unique identity which may enclosed or encrypted within the spamheaders or body to the recipients of the spamcop reports; they cannot possibly be adequately satisfied with 'routine' spamcop mungeing. -- Mike Easter kibitzer, not SC admin From nobody at xyzzy.claranet.de Wed Jun 2 22:40:22 2004 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Wed Jun 2 15:45:03 2004 Subject: [SpamCop-List] Re: Links found, but no reports References: <40BDF85C.353@xyzzy.claranet.de> Message-ID: <40BE2D26.28CA@xyzzy.claranet.de> Ant wrote: > Looks spammy to me Sorry, I've only checked the results shown by SC, maybe it's also relevant _which_ IP is returned for a spamvertized URL. Or SC forgets to check the 2nd link if the 1st is down (that would be a bug). Bye, Frank From nobody at spamcop.net Wed Jun 2 17:04:48 2004 From: nobody at spamcop.net (Spam Pop) Date: Wed Jun 2 16:05:03 2004 Subject: [SpamCop-List] Re: Maybe OT: Spyhunter/Lavasoft [a small test] References: Message-ID: "Skiwi" wrote in message news:c9l7l3$src$1@news.spamcop.net... > Spam Pop wrote: > > Hi, > > If this's old news, I apologize in advance; a quick search > > didn't turn anything up. > > > > Lavasoft has added Spyhunter to its database, interestingly > > enough, for what appears to me to be very valid reasons, > > especially the way it sends in your OS ID, which is, IMO, a > > serious breech or trust since it's covert and completely > > hidden operation. > > ... > Hmmmm.... > > The most interesting item? "Adware Browser Helper Object. Parent company > is Avenue Media. May masquerade as an Internet Optimizer program. Some > variants may hijack browser error pages." !!! Its war folks! :-) > > ASIDE - interestingly, their long EULA has no privacy section > Hmmmm is right: I missed that Avenue Media mention: I DID have a session of constant attempts to download Avenue A, Inc, unsolicited of course, AND had my browser page hijacked, even though I had a "lock" on it! I had to Restore to get rid of it. Glad you pointed that out - I hadn't made the connection when it was happening. Turns out there's a LOT of Avenue-somethings out there too. Pop From tmcgraw at spamcop.net Wed Jun 2 14:09:26 2004 From: tmcgraw at spamcop.net (Tim McGraw) Date: Wed Jun 2 16:10:07 2004 Subject: [SpamCop-List] Re: What am I missing? References: <40BCC67C.9000600@spamcop.net> <40BDF6A3.3030805@spamcop.net> Message-ID: <40BE33F6.907@spamcop.net> Blammo wrote: > On 02 Jun 2004 Tim McGraw entered spamcop and left > news:40BDF6A3.3030805@spamcop.net: > >>spammers are criminals. Exchange packets with them and they will look >>for, and frequently find, exploits in your network. > > That still doesn't explain how blocking http access to particular domains > protects the AOL network. Does the word 'scam' mean anything to you? > Spamming isn't a crime. Whether it is or isn't can be argued but that leads nowhere. Nothing good comes from spammers. Therefore, no good can become of visitng their web sites. From skiwi+newsgroups at spamcop.net Wed Jun 2 14:15:20 2004 From: skiwi+newsgroups at spamcop.net (Skiwi) Date: Wed Jun 2 16:20:03 2004 Subject: [SpamCop-List] Re: Maybe OT: Spyhunter/Lavasoft [a small test] In-Reply-To: References: Message-ID: Spam Pop wrote: [snip] > Hmmmm is right: I missed that Avenue Media mention: I DID > have a session of constant attempts to download Avenue A, > Inc, unsolicited of course, AND had my browser page > hijacked, even though I had a "lock" on it! I had to > Restore to get rid of it. [snip] Mozilla and SpyBot Imunize helps! :-) From spamcop at 1bigthink.com Wed Jun 2 17:23:12 2004 From: spamcop at 1bigthink.com (spamcop) Date: Wed Jun 2 16:22:50 2004 Subject: [SpamCop-List] Re: FAA listed? In-Reply-To: References: <40BD576E.1090100@spamcop.net> Message-ID: <6.1.0.6.0.20040602162207.05df2300@mx.1bigthink.com> At 03:29 PM 6/2/2004, you wrote: >Nah, I'd blame Al Gore. He invented the damn thing! He's just a winy-baby! Now, Tricky Dick, that guy had one hell of an arsenal of a**holes in his cabinet! >eddie wrote: > >>On Tue, 01 Jun 2004 21:28:30 -0700, Tim McGraw scratched out the >>following: >>snip >> >>>ITYM Reagan? >> >>nah, he's still alive, though barely - Nixon - he's the one. Everything is >>his fault ;) >_______________________________________________ >SpamCop-List mailing list >SpamCop-List@news.spamcop.net >http://news.spamcop.net/mailman/listinfo/spamcop-list > >-- >This message has been scanned for viruses and >dangerous content by MailScanner, and is >believed to be clean. >http://www.sng.ecs.soton.ac.uk/mailscanner/ >Configuration by Glenn Parsons dnsadmin-at-1bigthink.com -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. http://www.sng.ecs.soton.ac.uk/mailscanner/ Configuration by Glenn Parsons dnsadmin-at-1bigthink.com From d_shakhmundes at yahoo.ca Wed Jun 2 17:27:14 2004 From: d_shakhmundes at yahoo.ca (Daniel S.) Date: Wed Jun 2 16:30:03 2004 Subject: [SpamCop-List] Links in spam not traced Message-ID: Hello, I just submitted a spam and the links were not checked - spamcop said it found no links in the body. However, there were some links. Any ideas on how this can be looked into? DS From nobody at spamcop.net Wed Jun 2 16:29:11 2004 From: nobody at spamcop.net (Miss Betsy) Date: Wed Jun 2 16:30:08 2004 Subject: [SpamCop-List] Re: What am I missing? References: <40BCC67C.9000600@spamcop.net> <40BDF6A3.3030805@spamcop.net> <40BE33F6.907@spamcop.net> Message-ID: "Tim McGraw" wrote in message news:40BE33F6.907@spamcop.net... > Blammo wrote: > > On 02 Jun 2004 Tim McGraw entered spamcop and left > > news:40BDF6A3.3030805@spamcop.net: > > > >>spammers are criminals. Exchange packets with them and they will look > >>for, and frequently find, exploits in your network. > > > > That still doesn't explain how blocking http access to particular domains > > protects the AOL network. > > Does the word 'scam' mean anything to you? > > > Spamming isn't a crime. > > Whether it is or isn't can be argued but that leads nowhere. > > Nothing good comes from spammers. Therefore, no good can become of > visitng their web sites. > If thinking that spamming is a criminal activity bothers you, why not look at like 'no shirt, no shoes, no service'? If the email that advertises a website is classified as spam because of its forgeries, then it has no shirt and no shoes. People are deeply upset by spam because it violates a basic principle of freedom that, unless it is a serious matter, no one can be allowed to force you to do anything you don't want. Spam is not serious and there is no reason why anyone should be allowed to force it upon me through my inbox. It is a matter of personal privacy rights. And that doesn't even get into the area of disturbing the critical flow of information over the internet or that most online merchants no longer send unsolicited email so that the spam that is received almost always is just barely legal, if not an outright criminal activity like identity theft. Miss Betsy From eddie at eddie.web Wed Jun 2 17:50:57 2004 From: eddie at eddie.web (eddie) Date: Wed Jun 2 16:55:02 2004 Subject: [SpamCop-List] Re: Links in spam not traced References: Message-ID: On Wed, 02 Jun 2004 16:27:14 -0400, Daniel S. scratched out the following: > Hello, > > I just submitted a spam and the links were not checked - spamcop said it > found no links in the body. However, there were some links. Any ideas on > how this can be looked into? > > DS That's usually because the format type is incorrect, either by spammy's crapware or on purpose. From me at nowhere.net Wed Jun 2 17:52:32 2004 From: me at nowhere.net (lt) Date: Wed Jun 2 16:55:09 2004 Subject: [SpamCop-List] Re: What am I missing? In-Reply-To: References: <40BCC67C.9000600@spamcop.net> <40BDF6A3.3030805@spamcop.net> <40BE33F6.907@spamcop.net> Message-ID: >>>Spamming isn't a crime. In the U.S., if it comes with a forged header it is a crime. I can't remember the last time I got spam that didn't have a forged header. From nobody at devnull.spamcop.net Thu Jun 3 10:04:01 2004 From: nobody at devnull.spamcop.net (brewman) Date: Wed Jun 2 17:05:03 2004 Subject: [SpamCop-List] Me too Re: Spammer's masking ip addresses References: Message-ID: "Spambo" wrote in message news:c9kgsp$7aq$2@news.spamcop.net... > TechEd wrote: > > > Recently I have noticed that I am receiving spam that is masked. So it not > > only looks like it is coming from myself but it also looks like it is coming > > from my isp ip address. > > ... > Post some sample headers or a tracking URL. Yup, me too. As email is normally 'triple handled'(?) by ISP, it's quite obvious that SOMETHING strange is happening when it's only half a header set. Is it a compromised in-house server? BTW I did report it - let someone else delve into it, but maybe someone here knows/understands/can explain? Here's SPAM (I presume - it was empty)... ======================== Return-Path: Delivered-To: XX@backend.pop.ihug.co.nz Received: (qmail 29688 invoked from network); 2 Jun 2004 14:25:00 -0000 Received: from scanner7.ihug.co.nz (203.109.252.40) by mail7.ihug.co.nz with SMTP; 2 Jun 2004 14:25:00 -0000 Received: from localhost ([127.0.0.1] helo=grunt13.ihug.co.nz) by scanner7.ihug.co.nz with esmtp (Exim 3.35 #1 (Debian)) id 1BVWfq-0003MI-00 for ; Thu, 03 Jun 2004 02:24:58 +1200 Message-Id: From: deborah@XXX.net Bcc: Date: Thu, 03 Jun 2004 02:24:58 +1200 __________ NOD32 1.778 (20040601) Information __________ This message was checked by NOD32 Antivirus System. http://www.nod32.com =============================== and here's a normal one ... ============================ Return-Path: Delivered-To: bryXXX@backend.pop.ihug.co.nz Received: (qmail 18288 invoked from network); 2 Jun 2004 19:34:07 -0000 Received: from scanner6.ihug.co.nz (203.109.252.39) by mail3.ihug.co.nz with SMTP; 2 Jun 2004 19:34:07 -0000 Received: from localhost ([127.0.0.1] helo=grunt15.ihug.co.nz) by scanner6.ihug.co.nz with esmtp (Exim 3.35 #1 (Debian)) id 1BVbV1-0006zN-00 for ; Thu, 03 Jun 2004 07:34:07 +1200 Received: from tig-nz-akl-ns-42.ihug.net (grunt15.ihug.co.nz) [203.109.252.42] by grunt15.ihug.co.nz with esmtp (Exim 3.35 #1 (Debian)) id 1BVbUz-0008KX-00; Thu, 03 Jun 2004 07:34:05 +1200 Received: from smtp1-jm1.XXX.com.au [210.50.5.33] by grunt15.ihug.co.nz with esmtp (Exim 3.35 #1 (Debian)) id 1BVbUz-0008K3-00; Thu, 03 Jun 2004 07:34:05 +1200 Received: from mail pickup service by smtp1-jm1.XXX.com.au with Microsoft SMTPSVC; Thu, 3 Jun 2004 05:33:04 +1000 Message-ID: <052745030620041147438@XXX.com.au> X-EM-Version: 5, 0, 0, 14 X-EM-Registration: #01A0530D10680C000E00 X-SEEK-JML-Key: From: "SEEK IT Service" To: "XXX" Subject: Job Mail Date: Thu, 03 Jun 2004 05:27:45 +1100 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII X-OriginalArrivalTime: 02 Jun 2004 19:33:04.0095 (UTC) FILETIME=[6C5656F0:01C448D8] X-Rcpt-To: bXXX@XXX.co.nz X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on grunt15.ihug.co.nz X-Spam-Status: No, hits=-6.9 required=12.0 tests=BAYES_00, IHUG_RCVD_AU_CLUECENTRAL autolearn=ham version=2.60 X-IHUG-iSpy: Doesn't appear to be Spam BLAH BLAH BLAH ============================ From nobody at spamcop.net Wed Jun 2 18:26:28 2004 From: nobody at spamcop.net (indigo) Date: Wed Jun 2 17:30:13 2004 Subject: [SpamCop-List] Re: [media] "When Software Fails to Stop Spam, It's Time to Bring In the Detectives" References: Message-ID: Mike Easter wrote: > > The moral of that story is that .ppt is/was a very inefficient way to > handle that project. > I know, but practically everyone with a work PC has the MS Office Suite installed, so .ppt files are easily exchangeable, and everyone has Adobe Reader these days too -- at least in my field, where protection of data and technical info is a requirement. Powerpoint and Adobe are the largest common demoninator whether they're best at what they do or not. I mean, you're like tilting at windmills (I'm not saying you are wrong, mind you). From nobody at devnull.spamcop.net Thu Jun 3 10:31:56 2004 From: nobody at devnull.spamcop.net (brewman) Date: Wed Jun 2 17:30:35 2004 Subject: [SpamCop-List] How about the ability to add extra URLs to be reported? Message-ID: When reporting spam, SC (usually) finds the embedded URL and reports it; e.g. (actual recent reported example) http://www.alltechinfo.biz/jqf348dk/a_jam13_/index.html Now this is nothing but a disposable facade, navigating to http://netrxsale.com/?AF=255LTU4bE It would be REALLY GOOD to be able to (manually) add this ACTUAL URL to the list of sites for SC to report. You can take down as many cardboard cutout websites as you like, but until the REAL site is hit, life will go on for them. (yes, I do know that both sites mentioned are 'south of the border'). I could do it manually, but isn't SC supposed to do the grunt work for us? -- Brewman Brewman.SpamCop@brycom.cX.nX which really ends with dot co dot nz From nobody at devnull.spamcop.net Wed Jun 2 17:36:56 2004 From: nobody at devnull.spamcop.net (WazoO) Date: Wed Jun 2 17:40:02 2004 Subject: [SpamCop-List] Re: How to handle the spamreports that can't be send unmungled References: <40BC4869.39B2@xyzzy.claranet.de> Message-ID: "Mike Easter" wrote in message news:c9la4j$v9p$1@news.spamcop.net... > > ..the results of mole reporting are *not* 'merely a way of collecting > statistics'. > > The result of mole reporting are exactly the same with respect to the > spamcop blocklist as is normal reporting. Sorry Mike (and Lord knows I hate the thought of disagreeing with you ) but .. changes have been made. The FAQ-o-Matic doesn't show dates, so I can't tell you when it happened, but ... http://www.spamcop.net/fom-serve/cache/373.html Mole reporting was an experiment that presented many problems in the operations and integrity of SpamCop, so is mostly being disabled. Reports from users who choose to be mole reporters will count only in the statistics and aggregate counts. Reports are not sent and can only be viewed by SpamCop administrators. Mole reports do not count in the stats used to determine listing and delisting of IP addresses in the SpamCop Blocking List. It was only looking this up to make a response to some poster about some subject that I saw this rather massive change, and I can't recall it actually being noted anywhere else. So I'd have to guess that most current mole reporters don't know this either (maybe there was an e-mail to all mole reporters advising of the change?) From nobody at spamcop.net Wed Jun 2 18:51:37 2004 From: nobody at spamcop.net (indigo) Date: Wed Jun 2 17:55:02 2004 Subject: [SpamCop-List] Re: Compromised computer(s) or Yahoo account? References: Message-ID: Mike Easter wrote: > Then, do you/we agree that the headers you posted suggest that our > current evidence should be interpreted as saying that a comcast dialup > account, perhaps with the geographic traits I described earlier, > accessed your yahoo webmail back in 2003 Dec using your yahoo username > and your yahoo password and your yahoo human name and sent, perhaps > forwarded, the spam to your comcast addy? > That's possible, of course......but the weird thing is only my home comcast addy and my yahoo addy are visible (of course I can't see if there were BCC's). There were two others from this May besides that one from December, but that's all -- total of 3, all "forwards" from/to myself. From nobody at spamcop.net Wed Jun 2 18:57:44 2004 From: nobody at spamcop.net (indigo) Date: Wed Jun 2 18:00:02 2004 Subject: [SpamCop-List] Re: Maybe OT: Spyhunter/Lavasoft [a small test] References: Message-ID: Spam Pop wrote: > Hmmmm is right: I missed that Avenue Media mention: I DID > have a session of constant attempts to download Avenue A, > Inc, unsolicited of course, Goddamn Yahoo drives me nuts with that Avenue A crap, and setting Spybot realtime checking to ignore that thing doesn't seem to work. AND had my browser page > hijacked, even though I had a "lock" on it! Ever try SpamGuard? It's stopped every hijack attempt since I installed it. From MikeE at ster.invalid Wed Jun 2 16:08:09 2004 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jun 2 18:10:03 2004 Subject: [SpamCop-List] Re: Links in spam not traced References: Message-ID: Daniel S. wrote: > I just submitted a spam and the links were not checked - spamcop said > it found no links in the body. However, there were some links. Any > ideas on how this can be looked into? At the top of the parse is a tracker link. If you paste that here, we can look at the spam and its parse. Do not paste spam here, it can only be pasted in the newsgroup .spam. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Wed Jun 2 16:21:51 2004 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jun 2 18:25:03 2004 Subject: [SpamCop-List] Re: Compromised computer(s) or Yahoo account? References: Message-ID: indigo wrote: > Mike Easter wrote: >> Then, do you/we agree that the headers you posted suggest that our >> current evidence should be interpreted as saying that a comcast >> dialup account, perhaps with the geographic traits I described >> earlier, accessed your yahoo webmail back in 2003 Dec using your >> yahoo username and your yahoo password and your yahoo human name and >> sent, perhaps forwarded, the spam to your comcast addy? >> > > That's possible, of course......but the weird thing is only my home > comcast addy and my yahoo addy are visible (of course I can't see if > there were BCC's). There were two others from this May besides that > one from December, but that's all -- total of 3, all "forwards" > from/to myself. Well, I don't think it is very important what a From or a To say. I only think it matters if you received it somewhere and what's the analysis of 'how' it was sent. In this case you are saying you have or had a copy of having received it [I presume] and you are saying that you also have a copy of it in your yahoo Sent folder; that is, you have 2 copies of it, one of which you received, which would have some more headers, and one of which was sent from your yahoo account, apparently. The headers we are talking about. It isn't 'normal' trojan behavior to 'play like' it is you by accessing the yahoo account with all of that yahoo overhead, and besides that I don't really think that is your IP as the source, but I would have to see some mail originating from your comcast account to know that very well, because we are in the same 'general' geographic vicinity. It's just that I think of one as more like Wash DC and the other as more like Baltimore, even tho' both are in MD. It is possible for someone to have or use your yahoo account information; human and username and pw. For example, if you setup a yahoo account on some comcast user's computer, like a girlfriend, then they could access the account and forward you a mail to your comcast account with your yahoo account. Or, maybe you forwarded something by accident, and the IP /is/ yours. Dec /was/ a long time ago, ya' know. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Wed Jun 2 16:26:58 2004 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jun 2 18:30:02 2004 Subject: [SpamCop-List] Re: How to handle the spamreports that can't be send unmungled References: <40BC4869.39B2@xyzzy.claranet.de> Message-ID: WazoO wrote: > http://www.spamcop.net/fom-serve/cache/373.html > Mole reporting was an experiment that presented many problems in the > operations and integrity of SpamCop, so is mostly being disabled. > Reports from users who choose to be mole reporters will count only in > the statistics and aggregate counts. > > Reports are not sent and can only be viewed by SpamCop > administrators. Mole reports do not count in the stats used to > determine listing and delisting of IP addresses in the SpamCop > Blocking List. Well, I'll be doggone. I didn't know that! I sit corrected. That's OK with me, there were some things I didn't like about mole reporting anyway. The only thing that was good about it was that it was a nuclear improvement to the 'toy' spamcop munge, for those who want mungeing. The problem with its absence is that those who aren't satisfied with toy mungeing are going to have to do what I call ubermungeing, which I think is bad. -- Mike Easter kibitzer, not SC admin From eddie at eddie.web Wed Jun 2 19:38:41 2004 From: eddie at eddie.web (eddie) Date: Wed Jun 2 18:40:03 2004 Subject: [SpamCop-List] Re: How about the ability to add extra URLs to be reported? References: Message-ID: On Thu, 03 Jun 2004 09:31:56 +1200, brewman scratched out the following: snip > > You can take down as many cardboard cutout websites as you like, but until > the REAL site is hit, life will go on for them. (yes, I do know that both > sites mentioned are 'south of the border'). > > I could do it manually, but isn't SC supposed to do the grunt work for us? I think that's an excellent idea. Like adding additional reporting addresses but going one step further. I have the same problem, and sometimes have to cancel a post when SC doesn't find the offending URL, parse it myself and then resubmit the spam, adding the newly found abuse address. Being able to insert additional URLs (as many as needed) before reporting is a great idea and would be a major improvement. From MikeE at ster.invalid Wed Jun 2 16:39:12 2004 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jun 2 18:40:13 2004 Subject: [SpamCop-List] Re: [media] "When Software Fails to Stop Spam, It's Time to Bring In the Detectives" References: Message-ID: indigo wrote: > Mike Easter wrote: >> >> The moral of that story is that .ppt is/was a very inefficient way to >> handle that project. >> > > I know, but practically everyone with a work PC has the MS Office > Suite installed, so .ppt files are easily exchangeable, and everyone > has Adobe Reader these days too -- at least in my field, where > protection of data and technical info is a requirement. Powerpoint > and Adobe are the largest common demoninator whether they're best at > what they do or not. I mean, you're like tilting at windmills (I'm > not saying you are wrong, mind you). People, whether they are at work or play or whether they are equipped with MS Office Pro or a megabucks Adobe suite often make very 'clumsy' decisions about how to 'handle' a particular project, and pay absolutely no attention to 'efficiency' in what they do. Most of the time they also are sending these 'missives' in a way that may be very incompatible with whoever they are sending them to. Actually, most people/recipients don't even have a free .ppt viewer, I would say. In the example of the Frosty the snowman email of the .ppt of the cartoons; it would've worked just as well to use a plaintext eml with a series of cartoons attached as a string of .gif/s or similar graphics. All that happened when you opened the massive .ppt was the series of the cartoons, nothing else. The cartoons must've been in there as bitmaps or something really bloaty. And then their bloat was exaggerated by 'encasing' them as a .ppt presentation. -- Mike Easter kibitzer, not SC admin From windsorfoxNOSPAM at cox.net Wed Jun 2 18:48:19 2004 From: windsorfoxNOSPAM at cox.net (WindsorFox[SS]) Date: Wed Jun 2 18:45:03 2004 Subject: [SpamCop-List] Re: Anybody can help me out from spamcop list??? In-Reply-To: References: Message-ID: Capelan wrote: > Can't out from spamcop.... tryed put MDaemon betwen INET and my Exchange > server..... > Install Antivirsus to everyusers.... block antivirus route message back to > sender... > > Anyway spamcop let me know that i'm in list.. > > Heeeelp! > > "Can't out from Spamcop." It's definately English, but it does not make sense. From MikeE at ster.invalid Wed Jun 2 16:43:03 2004 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jun 2 18:45:12 2004 Subject: [SpamCop-List] Re: How about the ability to add extra URLs to be reported? References: Message-ID: brewman wrote: > I could do it manually, but isn't SC supposed to do the grunt work > for us? The only kind of grunt work SC does is that kind which its algorithm lends itself to. It mostly works 'within' itself, not 'reaching out' with any kind of GET function. It does have to reach out a little bit to the RIR whois functions, as well as DNS functions, but that's as far as it goes. That is, it doesn't do any website 'probing' whatsoever. -- Mike Easter kibitzer, not SC admin From eddie at eddie.web Wed Jun 2 19:49:43 2004 From: eddie at eddie.web (eddie) Date: Wed Jun 2 18:50:03 2004 Subject: [SpamCop-List] Re: How about the ability to add extra URLs to be reported? References: Message-ID: On Wed, 02 Jun 2004 15:43:03 -0700, Mike Easter scratched out the following: > brewman wrote: >> I could do it manually, but isn't SC supposed to do the grunt work for >> us? > > The only kind of grunt work SC does is that kind which its algorithm lends > itself to. It mostly works 'within' itself, not 'reaching out' with any > kind of GET function. It does have to reach out a little bit to the RIR > whois functions, as well as DNS functions, but that's as far as it goes. > That is, it doesn't do any website 'probing' whatsoever. Mike I understood brewman as saying that he would simply like an addition line to add a URL in the report form, hit a button and add the abuse addresses for the inserted URL. Maybe I didn't understand brewer, but that's what I would like to see. I can do the sleuthing, but I have to back the browser up, do it, then go back, etc. To do it in the same page as the report and have SC simply add the newly found abuse addresses would be helpful. From MikeE at ster.invalid Wed Jun 2 17:03:31 2004 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jun 2 19:05:03 2004 Subject: [SpamCop-List] Re: How about the ability to add extra URLs to be reported? References: Message-ID: eddie wrote: > Mike I understood brewman as saying that he would simply like an > addition line to add a URL in the report form, hit a button and add > the abuse addresses for the inserted URL. As I re-read his original post, you may be right, because he did say manually, but I was thinking differently. I was focusing on this part of what he sed: brewman wrote: > You can take down as many cardboard cutout websites > as you like, but until the REAL site is hit, life will go on for them. > (yes, I do know that both sites mentioned are 'south of the border'). > > I could do it manually, but isn't SC supposed to do the grunt work > for us? So, I was thinking he meant that the grunt work of tracking down the real site was something he wished SC would do. /You/ are focusing on this part of what he sed: brewman wrote: > It would be REALLY GOOD to be able to (manually) add this > ACTUAL URL to the list of sites for SC to report. ... but I sorta disregarded that part, because there is already a 'similar' function for paying reporters, in which you can add additional addresses: http://www.spamcop.net/fom-serve/cache/288.html - Upgrade to a premium member account -- The ability to send a copy of report to additional addresses that you add; and, of course, there would be no way that SC would be able to give the notify addresses /in the original parse/ - but SC could give the additonal addresses as a separate parse of the chased down url. So, while I was mentally disregarding the first part of what he sed, I was focusing on the second part I described above. > Maybe I didn't understand brewer, but that's what I would like to see. > I can do the sleuthing, but I have to back the browser up, do it, > then go back, etc. To do it in the same page as the report and have > SC simply add the newly found abuse addresses would be helpful. But think about it. How can you 'add' a different website notify into the SC report without both doing manual tracking of the redirect, being a pay subscriber, and performing some gyrations. -- Mike Easter kibitzer, not SC admin From not at home.today Thu Jun 3 01:11:36 2004 From: not at home.today (Ant) Date: Wed Jun 2 19:15:02 2004 Subject: [SpamCop-List] Re: Links in spam not traced References: Message-ID: "eddie" wrote... > On Wed, 02 Jun 2004 16:27:14 -0400, Daniel S. scratched out the following: >> I just submitted a spam and the links were not checked - spamcop said it >> found no links in the body. However, there were some links. Any ideas on >> how this can be looked into? > That's usually because the format type is incorrect, either by spammy's > crapware or on purpose. Sometimes refreshing the page (i.e. a re-parse) finds them. I've had to do more of this lately. From MissAnnie at nospam.invalid Wed Jun 2 20:35:06 2004 From: MissAnnie at nospam.invalid (Annie) Date: Wed Jun 2 19:40:02 2004 Subject: [SpamCop-List] Re: Maybe OT: Spyhunter/Lavasoft [a small test] References: Message-ID: "indigo" wrote in message news:c9lij3$979$1@news.spamcop.net... > AND had my browser page > > hijacked, even though I had a "lock" on it! > > Ever try SpamGuard? It's stopped every hijack attempt since I installed it. What is the SpamGuard? -- ```````````````` MissAnnie From nobody at devnull.spamcop.net Thu Jun 3 12:39:43 2004 From: nobody at devnull.spamcop.net (brewman) Date: Wed Jun 2 19:40:09 2004 Subject: [SpamCop-List] Re: How about the ability to add extra URLs to be reported? References: Message-ID: "Mike Easter" wrote > ... because there is already a > 'similar' function for paying reporters, in which you can add additional > addresses: > > http://www.spamcop.net/fom-serve/cache/288.html - Upgrade to a premium > member account -- The ability to send a copy of report to additional > addresses that you add; Yes, this is HALF the problem, but consider - - I receive SPAM, realise that the URL is a facade, and do the 'intelligent' navigation (automating this was an earlier topic I raised, but now realise the futility/difficulty of it) - I now have the 'real' URL to complain about (as well as facade), but I don't know who to complain to about it! - Being able to add the real URL (as some sort of appendix?) to the email means that I could use the SC engine to track down abuse@, rather than me doing the donkey work. Make it part of the paid service? Okay, but somehow I want to be able to: - manually sleuth the real URL (cannot be automated) and add to SC report - use SC engine to track down responsible(!) owner of site's IP. -- Brewman Brewman.SpamCop@brycom.cX.nX which really ends with dot co dot nz From nobody at devnull.spamcop.net Thu Jun 3 12:47:16 2004 From: nobody at devnull.spamcop.net (brewman) Date: Wed Jun 2 19:45:05 2004 Subject: [SpamCop-List] Re: Compromised computer(s) or Yahoo account? References: Message-ID: > It is possible for someone to have or use your yahoo account > information; human and username and pw. For example, if you setup a > yahoo account on some comcast user's computer, like a girlfriend, then > they could access the account and forward you a mail to your comcast > account with your yahoo account. > > Or, maybe you forwarded something by accident, and the IP /is/ yours. > Dec /was/ a long time ago, ya' know. I've been half-reading this thread, and suddenly had a thought - is it possible (he says, walking down street with blindfold on and open manhole in front of him) that you just dragged some spam from your 'inbox' by mistake and dropped it in the 'sent' box? I know that I have often come across misfiled emails (not related to spam). -- Brewman Brewman.SpamCop@brycom.cX.nX which really ends with dot co dot nz From not at home.today Thu Jun 3 01:47:14 2004 From: not at home.today (Ant) Date: Wed Jun 2 19:50:03 2004 Subject: [SpamCop-List] Re: [media] "When Software Fails to Stop Spam, It's Time to Bring In the Detectives" References: Message-ID: "Mike Easter" wrote... > People, whether they are at work or play or whether they are equipped > with MS Office Pro or a megabucks Adobe suite often make very 'clumsy' > decisions about how to 'handle' a particular project, and pay absolutely > no attention to 'efficiency' in what they do. [...] That is so true. Recently a company-wide (1000+ people) email was sent by one of the PHBs. It was a one page Word documemt containing a few of what appeared to be small images. The size of the document was several megabytes, and caused over-quota problems for many mailboxes. It turned out that the embeded jpegs and gifs were huge, but had been scaled down to *appear* small within the document. I extracted the images, resized them outside Word, and re-made the document. The new size was now measured in kb rather than mb. I sent the new doc to the PHB, and he was most grateful. He just didn't know how to do it. Another problem with MS Office docs is that they can retain all editing changes. This is particularly bad with Excel 97 spreadsheets with embedded objects and macros which undergo frequent modification. Even saving as a new file does not remove the deleted items. From MikeE at ster.invalid Wed Jun 2 17:48:31 2004 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jun 2 19:50:16 2004 Subject: [SpamCop-List] Re: How about the ability to add extra URLs to be reported? References: Message-ID: brewman wrote: > - Being able to add the real URL (as some sort of appendix?) to the > email means that I could use the SC engine to track down abuse@, > rather than me doing the donkey work. You can feed a url to the empty parser and it will give you the notify addies for it. That doesn't put it in the report of course, you would have to do that as an extra addressee, which a paid can do. > Make it part of the paid service? Okay, but somehow I want to be able to - manually sleuth the real URL (cannot be automated) and add to SC report - use SC engine to track down responsible(!) owner of site's IP. 'sleuth' isn't clear to me. The 'finding' of the real url you will have to do yourself. SC can tell you how to notify for it. Of course, some of us think we can notify /better/ than SC, but that's another subject. If you feed SC an url, it will use its standard operation to determine the notify; currently the operation is to DNS the url's IP, rDNS the IP, RIR whois the IP netblock holder, identify the admin/tech's domainname or use its abuse.net reg'd addies. SC doesn't do anything with domain registration information; nor investigate unresponsiveness, except when deputies do it for hand made routing adjustments; nor lookup ASN upstream adjacencies, except when a deputy has adjusted a routing. -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Thu Jun 3 13:06:04 2004 From: nobody at devnull.spamcop.net (brewman) Date: Wed Jun 2 20:05:02 2004 Subject: [SpamCop-List] Re: How about the ability to add extra URLs to be reported? References: Message-ID: (I think I've been putting too much information into my posts) I want to be able to: - paste entire spam into box, - type extra URLs into another (new) box - click 'Process Spam' - get SC to automatically report on the extra URLs in a similar manner to URLs that SC finds in the original spam. TTBOMK the premium service does not do this. -- Brewman Brewman.SpamCop@brycom.cX.nX which really ends with dot co dot nz From nobody at devnull.spamcop.net Wed Jun 2 20:02:55 2004 From: nobody at devnull.spamcop.net (WazoO) Date: Wed Jun 2 20:05:08 2004 Subject: [SpamCop-List] Re: Maybe OT: Spyhunter/Lavasoft [a small test] References: Message-ID: "Annie" wrote in message news:c9lo7k$e8n$1@news.spamcop.net... > "indigo" wrote in message > news:c9lij3$979$1@news.spamcop.net... > > AND had my browser page > > > hijacked, even though I had a "lock" on it! > > > > Ever try SpamGuard? It's stopped every hijack attempt since I installed > it. > > What is the SpamGuard? Something a bit like Google, but different From MikeE at ster.invalid Wed Jun 2 18:26:05 2004 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jun 2 20:30:03 2004 Subject: [SpamCop-List] Re: How about the ability to add extra URLs to be reported? References: Message-ID: brewman wrote: > (I think I've been putting too much information into my posts) > I want to be able to: > - paste entire spam into box, > - type extra URLs into another (new) box > - click 'Process Spam' > - get SC to automatically report on the extra URLs in a similar manner > to URLs that SC finds in the original spam. > > TTBOMK the premium service does not do this. You are correct, it does not. The problem with your 'concept' is that SC sorta thinks of a spam as a piece of evidence - where it is going to make a report to various notifieds of a particular item and the content of /that/ item. Think of it on the one hand as a 'spamcop report'. Spamcop doesn't much want to call something a spamcop report which is 'different' from the original item, ergo it doesn't like material changes. What you are proposing is to get the 'benefit' of a material change [pretend: such as pasting your urls into the body of the spam], but not actually /doing/ that - by segregating your additional material - while 'presuming' that this extra material /should/ be part of the /spamcop/ report. OTOH Think of the report on the other hand as 'your report' - because you are responsible for it and spamcop is simply a tool to aid you in the lookups and the 'addressing' and mailing phase. So, as a paid reporter, you are 'entitled' to add some addresses to the report. That is 'easy' to accomplish with the addressing mailing part of the gizmo. But, what you are asking for is for the parsing engine to 'reach out' to another field. The parsing engine is /not/ a simple part to be asking to do some new duties. This new duty business of the nameservice is a pretty big chunk of operation to be digesting. I doubt if Julian wants to be reaching out for additional fields which might contain multiple urls. It seems that he wants to decrease the number of urls he is notifying, not increase. -- Mike Easter kibitzer, not SC admin From me at privacy.net Wed Jun 2 21:55:49 2004 From: me at privacy.net (Frog Prince) Date: Wed Jun 2 21:05:08 2004 Subject: [SpamCop-List] Re: [media] "When Software Fails to Stop Spam, It's Time to Bring In the Detectives" References: <87k6yq5vt2.fsf@ursine.ca> <874qptrgu8.fsf@ursine.ca> Message-ID: "Paul Johnson" | > I've never seen a document system using PDF that worked as sold. | | I've never seen a document management system, regardless of preferred | file format, work as advertised, so we're even. 8:o) Perhaps I should has stated it more succinctly. I've never seen a doc management system based on PDF that worked, period. | | > A lot of companies go to PDF as it is the 'standard' without knowing | > what they are getting into or it's effects on their customers. End | > users (especially technical types) 'live with it' because they don't | > have effective alternatives and zero input into the process. | | But I *like* PDF. It's encapsulated postscript actually done right. I don't know what you do or how you use PDF but for the level and complexity of the documents I use regularly PDF is not a desirable selection. | > You mention kpdf Just Works. What is this and were can I go to check | > it out? | | kpdf is not available for Windows. kpdf is the default PDF viewer in | KDE (so it's available to pretty much everyone but windows users). Unfortunately the vast majority of what I deal with are windows based user systems. I was hoping I'd found a magic bullet solution. From nobody at devnull.spamcop.net Thu Jun 3 14:26:21 2004 From: nobody at devnull.spamcop.net (brewman) Date: Wed Jun 2 21:25:02 2004 Subject: [SpamCop-List] Re: How about the ability to add extra URLs to be reported? References: Message-ID: "Mike Easter" wrote > The problem with your 'concept' is that SC sorta thinks of a spam as a > piece of evidence If I was mischievous/unethical enough, I could just paste the URL into the spam email anyway. I won't, but I wonder if anybody would/does? This *could* be used to get the info wanted and then not report it thru SC, but is a bit of a hassle scraping each email address. > But, what you are asking for is for the parsing engine to 'reach out' to > another field. The parsing engine is /not/ a simple part to be asking > to do some new duties. This new duty business of the nameservice is a > pretty big chunk of operation to be digesting. I doubt if Julian wants > to be reaching out for additional fields which might contain multiple > urls. I expect that the parsing engine does not change one bit; merely the 'feeder' of the engine (I've written these things). I expect that the scanning of extra URLs would be *easier* than scanning emails, with its HTML and phoney tricks trying to hide embedded URLs. I expect that the initial parser splits header and body, and then passes each bit separately to its own parser. All that needs to change is that the body parser is called twice. > It seems that he wants to decrease the number of urls he is > notifying, not increase. This is *exactly* what the spammers want! It's *why* they use throwaway facades to advertise but hide the *real* websites, which remain unreported and survive! Those of us who *can* work our way through the mire of obfuscation (well, me, anyway) don't then want the donkey work of a few iterations of cut-n-paste to do the reporting. I've never seen a SC report (oops - "still using the free service, eh?"), but I expect that they are build from templates. The extra one needed might be worded along the lines of: "Sorry to bother you, but one of our users seems to think that this email eventually links to this site We're not able to verify it, but should it be so, could you be kind enough to yank out his plug?" Alternatively, perhaps somebody @ SC *could* verify the link first (only happens once per facade). Or maybe users who successfully reveals links then receives a 'reliability' rating? Maybe rather than submitting just the final URL, we have to justify it by quoting the URL chain? Hey, maybe we can shut down *several* bridging sites at once! -- Brewman Brewman.SpamCop@brycom.cX.nX which really ends with dot co dot nz From tmcgraw at spamcop.net Wed Jun 2 19:36:34 2004 From: tmcgraw at spamcop.net (Tim McGraw) Date: Wed Jun 2 21:40:02 2004 Subject: [SpamCop-List] Re: Turnaround performance problem References: <9651-40BD54C9-179@storefull-3255.bay.webtv.net> Message-ID: <40BE80A2.9080207@spamcop.net> sills@webtv.net wrote: > I hate doing a "me too, me too' type thing (but not enough not to do it) > but for 12 days now, I have had the turnaround problem with the longest > wait being close to 11 hours. Has Ellen or ??? addressed the problem > anywhere and I missed it? Somebody addressed it. Submission acknowledgements are now coming back with rocket speed. Thanks, somebody! From nobody at devnull.spamcop.net Thu Jun 3 11:43:10 2004 From: nobody at devnull.spamcop.net (Patto) Date: Wed Jun 2 21:45:03 2004 Subject: [SpamCop-List] Re: Maybe OT: Spyhunter/Lavasoft References: Message-ID: "Frog Prince" wrote in message news:c9kq60$gkr$1@news.spamcop.net... > > "Spam Pop" wrote in message > news:c9kn1a$dau$1@news.spamcop.net... > | Hi, > | If this's old news, I apologize in advance; a quick search > | didn't turn anything up. > | > | > | Here's a short snip from the newsletter: Anyone wants to > | see the whole thing can let me know - a considerable amount > | of detail is included: > > > > I'd like to see more. http://www.lavasoftnews.com/ From eek at barkerjr.net Wed Jun 2 22:39:33 2004 From: eek at barkerjr.net (BarkerJr) Date: Wed Jun 2 22:05:03 2004 Subject: [SpamCop-List] Re: Spammer's masking ip addresses References: Message-ID: > So basically since our ISP handles our mail server if I reported the spam I > would be reporting my own isp. If the spam came from someone on your ISP, why's this bad? From nobody at devnull.spamcop.net Thu Jun 3 12:21:32 2004 From: nobody at devnull.spamcop.net (Patto) Date: Wed Jun 2 22:25:02 2004 Subject: [SpamCop-List] Ignoring more than 4 user-notify addresses Message-ID: Reporting hidden URLs (that SpamCop cannot detect) and its redirect URLs can sometimes result in more than the max allowed 4 user-notify addresses. OK, we know it, but sometimes we put in more than 4 - be it by accident, mis-counting, or copy-and-paste. In this case, message "Ignoring more than 4 user-notify addresses" is issued, and NO report is sent. Suggestion: couldn't SpamCop just send the first 4, then just ignore the excessive one(s)? From me at privacy.net Wed Jun 2 23:10:00 2004 From: me at privacy.net (Frog Prince) Date: Wed Jun 2 22:35:03 2004 Subject: [SpamCop-List] Re: Maybe OT: Spyhunter/Lavasoft References: Message-ID: "Patto" | > | Hi, | > | If this's old news, I apologize in advance; a quick search | > | didn't turn anything up. | > | | > | | > | Here's a short snip from the newsletter: Anyone wants to | > | see the whole thing can let me know - a considerable amount | > | of detail is included: | > | > | > | > I'd like to see more. | | http://www.lavasoftnews.com/ Thanks FP From nobody at spamcop.net Wed Jun 2 23:52:52 2004 From: nobody at spamcop.net (Ellen) Date: Wed Jun 2 23:05:03 2004 Subject: [SpamCop-List] Re: How about the ability to add extra URLs to be reported? References: Message-ID: "brewman" wrote in message news:c9luhh$jgs$1@news.spamcop.net... > "Mike Easter" wrote > > The problem with your 'concept' is that SC sorta thinks of a spam as a > > piece of evidence > If I was mischievous/unethical enough, I could just paste the > URL into the spam email anyway. I won't, but I wonder if > anybody would/does? This *could* be used to get the info wanted > and then not report it thru SC, but is a bit of a hassle scraping each > email address. Those who do tend to get caught and then they get terminated. Ellen SpamCop From Anonym at us.comm Wed Jun 2 21:04:12 2004 From: Anonym at us.comm (Anonym@us.comm) Date: Wed Jun 2 23:10:03 2004 Subject: [SpamCop-List] Re: How about the ability to add extra URLs to be reported? References: Message-ID: > "Mike Easter" wrote > > The problem with your 'concept' is that SC sorta thinks of a spam as a piece of evidence... I know Sam Spade has scripting ability... would it be possible to create a script that allows a person to gather additional evidence (i.e.: the redirect chain of spamvertised websites and their associated contact info), then send that to SpamCop, along with some sort of way to tie it into the original report that was sent to SpamCop in response to the spam being received? That way, the original report data about the spam and it's embedded URLs remains unchanged, but there is an 'addendum' to that original report showing the redirect chain and additional contact info. The way I do it now is to use Sam Spade to follow the redirect chain, and I've got a pre-made email template that makes it easy and fast to just drop the info from Sam Spade into the template. This lets me dig out redirected sites at a pretty fast rate (it only takes a couple minutes per site to get all the info, paste it into the email template, and send the LART report). The most redirects I've ever had was 8, all obfuscated with JavaScript into ISO-Latin-1. It took me 21 minutes to get all the information and send the LART. Most go out in under 5 minutes. But, it sure would be nice to be able to also send the data I've dug up to SpamCop as additional evidence against the spammer. From eddie at eddie.web Thu Jun 3 00:10:21 2004 From: eddie at eddie.web (eddie) Date: Wed Jun 2 23:15:05 2004 Subject: [SpamCop-List] Re: How about the ability to add extra URLs to be reported? References: Message-ID: On Wed, 02 Jun 2004 16:03:31 -0700, Mike Easter scratched out the following: snip > But think about it. How can you 'add' a different website notify into the > SC report without both doing manual tracking of the redirect, being a pay > subscriber, and performing some gyrations. I was only thinking about being able to parse the original spam manually and then on the report page add the additional URLs I found and have them all parsed and their abuse addresses added to the page, as opposed to doing that first and then only being able to add 4 abuse addresses with a common note, which may not be suitable for every abuse address. I am a paying SC subscriber, BTW. From eddie at eddie.web Thu Jun 3 00:12:31 2004 From: eddie at eddie.web (eddie) Date: Wed Jun 2 23:15:15 2004 Subject: [SpamCop-List] Re: How about the ability to add extra URLs to be reported? References: Message-ID: On Thu, 03 Jun 2004 12:06:04 +1200, brewman scratched out the following: > (I think I've been putting too much information into my posts) I want to > be able to: > - paste entire spam into box, > - type extra URLs into another (new) box - click 'Process Spam' > - get SC to automatically report on the extra URLs in a similar manner to > URLs that SC finds in the original spam. > > TTBOMK the premium service does not do this. That's pretty much what I though you were looking for, and I agree, an extra bit of processing available on the report to locate the abuse addresses for extra URLs pasted in, and a separate "note" section for each new abuse address that is discovered. From eddie at eddie.web Thu Jun 3 00:18:32 2004 From: eddie at eddie.web (eddie) Date: Wed Jun 2 23:20:04 2004 Subject: [SpamCop-List] Re: How about the ability to add extra URLs to be reported? References: Message-ID: On Thu, 03 Jun 2004 13:26:21 +1200, brewman scratched out the following: snip > Alternatively, perhaps somebody @ SC *could* verify the link first (only > happens once per facade). Or maybe users who successfully reveals links > then receives a 'reliability' rating? > > Maybe rather than submitting just the final URL, we have to justify it by > quoting the URL chain? Hey, maybe we can shut down *several* bridging > sites at once! If adding additional links on the web reporting page for pre-processing were added, those additional reporting boxes could be left unchecked by default and require a user comment stating the relationship to the original spam, putting the onus on the reporter to be accurate and honest. From MikeE at ster.invalid Wed Jun 2 21:33:11 2004 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jun 2 23:35:03 2004 Subject: [SpamCop-List] Re: How about the ability to add extra URLs to be reported? References: Message-ID: Anonym@us.comm wrote: > The way I do it now is to use Sam Spade to follow the redirect chain, > and I've got a pre-made email template that makes it easy and fast to > just drop the info from Sam Spade into the template. You are looking at that fundamentally the same way I do; altho' your mechanics are a little different; but we both are using SS to follow the redirects and a manual mail template with the result. Very very very rarely I might have to let a spam exercise my browser; ugh! I guess my attitude is that I never expected SC to do some of these things. When I first started 'using' SC, I wasn't even reporting with it. I parsed my spam manually for my manual notify; and I used SC to see how it would notify. When we differed, I wanted to know why. But the entire purpose was the manual notify, no spamcop. Later, I continued to manually notify *and* SC notify, so I would feed the SCbl. These concepts and others are all things that people would like to expand SC's role, which is fine to 'imagine'. I guess I never did think much about wanting SC to expand its role, because I was doing the other 'work'. -- Mike Easter kibitzer, not SC admin From Anonym at us.comm Wed Jun 2 21:54:42 2004 From: Anonym at us.comm (Anonym@us.comm) Date: Thu Jun 3 00:00:03 2004 Subject: [SpamCop-List] Re: How about the ability to add extra URLs to be reported? References: Message-ID: "Mike Easter" wrote in message news:c9m66m$pjj$1@news.spamcop.net... > Very very very rarely I might have to let a spam exercise my browser; ugh! I regularly visit spamvertised websites with my browser... to see if they're still up after I've hit them for a couple dozen GB of data using FriedSpam.net. But, I run my Internet Zone locked down (I surf with Java, Javascript, ActiveX and everything else disabled), and visit the spamvertised website via anonymous proxies. If it's down, I add it to my 'kill' list... which I check once a week. If a website comes back to life, I visit it again to be sure the domain wasn't sold and a different website set up on it. If it's the same spamvertised website, it goes right back into the FriedSpam list. I've noticed lately that the spammers will take their websites down until they start another spam run, then carefully watch their visitor stats. Once the stats start dropping, they close down the website to prevent people who are of a like mind with myself from performing extensive 'data draining' of that site. So, I hit them as hard as I can while I can. From nobody at spamcop.net Wed Jun 2 22:13:23 2004 From: nobody at spamcop.net (Don Wannit) Date: Thu Jun 3 00:15:03 2004 Subject: [SpamCop-List] ISP or spammer reply to reporting address: puzzling HTML non-message Message-ID: I got a reply sent to SpamCop and forwarded to my SpamCop email address in response to a report. Just like ISP's are supposed to be able to do. Or spammers, if the ISP's hat is dark and they pass the report on to the spammer. But this one didn't say anything. Went to the trouble of having an HTML email body, but no meat in the body, only skeleton. Here's the tracker for the [cancelled] SpamCop analysis of the message: http://www.spamcop.net/sc?id=z509612814z90e3e7451e28e81554ead4777b423ad6z You can see the munged headers, and should be able to see the full (such as it is) message. Seems kind of strange. It's not an empty SMTP body, which we've seen many times. Just nothing but
 
in the HTML body. Pretty verbose way to send a blank. Makes me wonder why they bothered. Am I just being paranoid in mistrusting incoming email, especially email that might be from a spammer I reported? From MikeE at ster.invalid Wed Jun 2 22:55:23 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jun 3 01:00:03 2004 Subject: [SpamCop-List] Re: ISP or spammer reply to reporting address: puzzling HTML non-message References: Message-ID: Don Wannit wrote: > I got a reply sent to SpamCop and forwarded to my SpamCop email > address in response to a report. www.spamcop.net/sc?id=z509612814z90e3e7451e28e81554ead4777b423ad6z > Seems kind of strange. Maybe he tho't he'd get something with the returned receipt: Return-Receipt-To: "Nik Muhammed Muhyyiddin - TJSBHQ" -- Mike Easter kibitzer, not SC admin From tfm3 at nospam.teleproc.com Thu Jun 3 01:11:52 2004 From: tfm3 at nospam.teleproc.com (Thomas Mooney) Date: Thu Jun 3 01:15:04 2004 Subject: [SpamCop-List] Re: Turnaround performance problem References: <9651-40BD54C9-179@storefull-3255.bay.webtv.net> <40BE80A2.9080207@spamcop.net> Message-ID: Tim McGraw wrote: > sills@webtv.net wrote: >> I hate doing a "me too, me too' type thing (but not enough not to do >> it) but for 12 days now, I have had the turnaround problem with the >> longest wait being close to 11 hours. Has Ellen or ??? addressed >> the problem anywhere and I missed it? > > Somebody addressed it. > > Submission acknowledgements are now coming back with rocket speed. > > Thanks, somebody! I agree things have improved mightily. And I am thankful for that. But SpamCop's customary lack of communication continues to be a source of significant frustration. Some acknowledgement that a problem was discovered and resolved would be welcome and comforting. I wish that "the powers that be" would spend more time stabilizing "the product" and communicating with the user base. I know I have been a customer for much less time than many here, but my experience is that it is one problem after another with virtually no communication about what's being/been done to improve the situation. Like I said: frustrating. And it's the sort of frustration that make me question whether it's worth the bother. And my occasional reading of this newsgroup leads me to believe that I'm not alone in that regard. It's a pity. -- TFM3 Note: Spam-resistant e-mail address From baloo at ursine.ca Thu Jun 3 00:17:12 2004 From: baloo at ursine.ca (Paul Johnson) Date: Thu Jun 3 02:35:23 2004 Subject: [SpamCop-List] Re: [media] "When Software Fails to Stop Spam, It's Time to Bring In the Detectives" References: <87k6yq5vt2.fsf@ursine.ca> <874qptrgu8.fsf@ursine.ca> Message-ID: <87aczl6u8n.fsf@ursine.ca> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 "Frog Prince" writes: > "Paul Johnson" > | > I've never seen a document system using PDF that worked as sold. > | > | I've never seen a document management system, regardless of preferred > | file format, work as advertised, so we're even. 8:o) > > Perhaps I should has stated it more succinctly. I've never seen a doc > management system based on PDF that worked, period. That's besides the point, though. You're still faulting the file format for something it has no control over. Just because some moron thought it would be a good idea to use that file format in his broken document management system is by no means the file format's fault (unless it was created exclusively for said obnoxious software, but PDF is just encapsulated postscript...probably the only truly software agnostic page description format we have. > | > A lot of companies go to PDF as it is the 'standard' without knowing > | > what they are getting into or it's effects on their customers. End > | > users (especially technical types) 'live with it' because they don't > | > have effective alternatives and zero input into the process. > | > | But I *like* PDF. It's encapsulated postscript actually done right. > > I don't know what you do or how you use PDF but for the level and > complexity of the documents I use regularly PDF is not a desirable > selection. Better than some proprietary office suite format when you have to give someone something and you want it to know how it's going to print on their end before you send it. Generally, presentability is something I care about when it comes to my work. PDF gives me that, and that's not something any other format offers with any real regularity. PDF Just Works. > | > You mention kpdf Just Works. What is this and were can I go to > | > check it out? > | > | kpdf is not available for Windows. kpdf is the default PDF viewer in > | KDE (so it's available to pretty much everyone but windows users). > > Unfortunately the vast majority of what I deal with are windows based user > systems. I was hoping I'd found a magic bullet solution. You did. You can find a worse solution, you just have to spend more money to paint yourself into that corner. - -- Paul Johnson Linux. You can find a worse OS, but it costs more. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFAvsJrUzgNqloQMwcRAiweAJwKO5aAZp3rvhn7wqqtWbYgZcpgGwCgwdTN lufK5KiGtMrgpn0YvShQcKg= =ftn+ -----END PGP SIGNATURE----- From baloo at ursine.ca Thu Jun 3 00:21:45 2004 From: baloo at ursine.ca (Paul Johnson) Date: Thu Jun 3 02:35:51 2004 Subject: [SpamCop-List] Re: [media] "When Software Fails to Stop Spam, It's Time to Bring In the Detectives" References: Message-ID: <8765a96u12.fsf@ursine.ca> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 "indigo" writes: > Mike Easter wrote: >> >> The moral of that story is that .ppt is/was a very inefficient way to >> handle that project. >> > > I know, but practically everyone with a work PC has the MS Office Suite > installed, Believe it or not, my work doesn't have Office. I consider this a blessing. The only thing we're missing out on at our site are the stupid "Hooray for us" type newsletters, meaningless, out of context slideshows and a whole hell of a lot of security holes. > so .ppt files are easily exchangeable, Assuming someone is using the same version of Office on the same platform, yes. But in reality, thats not what is out there. > and everyone has Adobe Reader these days too -- at least in my > field, where protection of data and technical info is a > requirement. Which is strange. I never thought it should be the job of the file format to maintain security. That's why we have OpenPGP. > Powerpoint and Adobe are the largest common demoninator whether > they're best at what they do or not. I mean, you're like tilting at > windmills (I'm not saying you are wrong, mind you). I'm not sure Powerpoint or Adobe are (PowerPoint is proprietary, Adobe is a company that just happens to make the most common PDF reader for Windows). - -- Paul Johnson Linux. You can find a worse OS, but it costs more. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFAvsN7UzgNqloQMwcRAlUOAJ4kwp6jhoY6KDfsGoJNF6xSPY0kNACfes6N 2HmqCt5zbtIZSTEIYqetPhM= =UpTQ -----END PGP SIGNATURE----- From eddyrichards2000 at yahoo.com Thu Jun 3 10:28:36 2004 From: eddyrichards2000 at yahoo.com (Eddy) Date: Thu Jun 3 04:30:04 2004 Subject: [SpamCop-List] Reports- Where do they go? Message-ID: Hi there, I am trying to track down a spam cop report. It looks like someone has opted to report one of our partner emails as SPAM rather than hit the unsubscribe button. Would this report be sent to my ISP? To the Reply Address? Or to the From address? Any help would be greatly appreciated Eddy From nobody at devnull.spamcop.net Thu Jun 3 10:51:23 2004 From: nobody at devnull.spamcop.net (Robert Slade) Date: Thu Jun 3 05:00:58 2004 Subject: [SpamCop-List] Re: Reports- Where do they go? References: Message-ID: "Eddy" wrote in message news:c9mni0$6pm$1@news.spamcop.net... > Hi there, > > I am trying to track down a spam cop report. It looks like someone has opted > to report one of our partner emails as SPAM rather than hit the unsubscribe > button. > > Would this report be sent to my ISP? > > To the Reply Address? Or to the From address? > > Any help would be greatly appreciated > > Eddy > > Eddy, Reports goto the abuse address registered with abuse.net for whoever is responsible for the offending originating IP address. (Usually the ISP). Failing that the report goes to postmaster@. BTW in the UK as far as I see it, although you may have permission to send commercial e-mails to someone this does not mean that your partners do. If they do not have explicit permission that are breaking the law on spamming and have been rightly reported. I would have reported the e-mail as spam rather than unsubscribe as I did not subscribe in the first place. Rob From eddyrichards2000 at yahoo.com Thu Jun 3 11:32:39 2004 From: eddyrichards2000 at yahoo.com (Eddy) Date: Thu Jun 3 05:35:02 2004 Subject: [SpamCop-List] Re: Reports- Where do they go? References: Message-ID: Hi Rob, Thanks for your quick response. Rest assured the only way you could have gotten onto this list is to subscribe to go to 'partner' seminars around the world. When I say Partner I mean to say our clients partners these are companies that sell our clients specialised products and so have to be a partner to do so. This email tells them about dates, time and locations of seminars. I will get in contact with our ISP and see if they have recieved any reports. eddy "Robert Slade" wrote in message news:c9mp48$7q9$1@news.spamcop.net... > > "Eddy" wrote in message > news:c9mni0$6pm$1@news.spamcop.net... > > Hi there, > > > > I am trying to track down a spam cop report. It looks like someone has > opted > > to report one of our partner emails as SPAM rather than hit the > unsubscribe > > button. > > > > Would this report be sent to my ISP? > > > > To the Reply Address? Or to the From address? > > > > Any help would be greatly appreciated > > > > Eddy > > > > > > Eddy, > > Reports goto the abuse address registered with abuse.net for whoever is > responsible for the offending originating IP address. (Usually the ISP). > Failing that the report goes to postmaster@. > > BTW in the UK as far as I see it, although you may have permission to send > commercial e-mails to someone this does not mean that your partners do. If > they do not have explicit permission that are breaking the law on spamming > and have been rightly reported. I would have reported the e-mail as spam > rather than unsubscribe as I did not subscribe in the first place. > > Rob > > > From nobody at devnull.spamcop.net Thu Jun 3 23:15:32 2004 From: nobody at devnull.spamcop.net (brewman) Date: Thu Jun 3 06:15:13 2004 Subject: [SpamCop-List] How long does it take a white hat ISP to shut someone down? Message-ID: I reported a bounced spam (my domain as return addr) to illinois.net (not via SC - not allowed to ). 22 hours later the spammer was *still* sending stuff. I sent another report (rather more strongly worded than the first). Then I suppose that either the spammer finished, or was finished. I had included complete emails (they had forged everything except spamvertised URL), extracted IP address & even spammer's town. When I sent the second one I also cc:ed (hostmaster@arin.net, noc@arin.net). This raises a few questions: How should it take a white hat ISP to shut down a spammer (once notified)? Is over 22 hours quick/slow/usual? What should be done about escalation? How much effort tracking down white/black ISPs? When should I go 'up' an ARIN level? Any advice would be handy. I used to ignore spam, but once they started forging returns with my domain, I decided to do something more active. I came to SC on the advice of a friendly abuse@, only to find that SC doesn't actually handle my situation; 98% of spam passing my filters now is actually second-hand bounced stuff. Not that SC doesn't help - I still use it for some of the lookup spade work. Thanks -- Brewman Brewman.SpamCop@brycom.cX.nX which really ends with dot co dot nz From MissAnnie at nospam.invalid Thu Jun 3 07:36:50 2004 From: MissAnnie at nospam.invalid (Annie) Date: Thu Jun 3 06:40:03 2004 Subject: [SpamCop-List] any feedback to SpamCop to from FTC reporting? Message-ID: Does anyone at SpamCop know if the FTC is accepting SpamCop reporting to uce@ftc.gov? I am Ccing all spamcop reports to the FTC. I don't know if the SpamCop reports sent have the necessary information that the FTC wants. I have unmunged my email address as the sender. [The reason being the pop3 address I use is a email addy that I allow my ISP to filter]. -- ```````````````` MissAnnie From MissAnnie at nospam.invalid Thu Jun 3 07:43:41 2004 From: MissAnnie at nospam.invalid (Annie) Date: Thu Jun 3 06:45:04 2004 Subject: [SpamCop-List] Re: letting my isp deal with the load References: Message-ID: "Technomage" wrote in message news:pan.2004.06.03.10.18.16.758225@127.0.0.1... > well guys, > after some extensive testing, I am letting my ISP spam filter do its work. > I can no longer handle the load of dealing with spam 2 hours out of each > day (thats 14 hours per week I could be doing something more constructive). > > Technomage Hawke > I am feeling the same frustration. Is it worth my time, does it make a difference if I as the end email user report spam through spamcop? If I thought that personally calling each spammer and chewing them out or reporting them to the FTC would do it, I would spend more hours doing it when I can. But this endless reporting with little relief is getting old. Do you know if your ISP reports abuses to the FTC? I know the Can Spam law has few teeth to make much of a dent in the total spam load, but putting some sting into being a low life spammer is a step in the right direction. -- ```````````````` MissAnnie From MikeE at ster.invalid Thu Jun 3 04:46:40 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jun 3 06:50:03 2004 Subject: [SpamCop-List] Re: How long does it take a white hat ISP to shut someone down? References: Message-ID: brewman wrote: > I reported a bounced spam (my domain as return addr) to illinois.net > (not via SC - not allowed to ). 22 hours later the spammer > was *still* sending stuff. I'll assume that you are describing a bounce in which the source IP belonged to illinois.net or the spamvertised site belonged to illinois and you reported one or the other of those IPs to abuse@illinois.net I'll further assume that the source IP was most likely an abused or proxied one, and not the actual spammer's account with illinois. > I sent another report (rather more strongly > worded than the first). The wording of a report should be very brief, only enough to facilitate an abuse desk understanding why you think you should be notifying them about an item; ie that they are the source [or proxy source] or a spamvertiser or an open relay. Strong or elaborate wording is a complete waste of time. The whitehats don't want or need to read it and the blackhats don't. > I had included complete emails (they had forged everything except > spamvertised URL), extracted IP address & even spammer's town. Now I'm presuming you are addressing the subject of information in the domain registration which is the only place which a snail mail address would appear. That makes me wonder how you are doing your notifying. > When I sent the second one I also cc:ed > (hostmaster@arin.net, noc@arin.net). Arin and ripe and similar RIRs definitely don't want to hear about spam. See http://www.arin.net/abuse.html > How should it take a white hat ISP to shut down a spammer (once > notified)? Is over 22 hours quick/slow/usual? These days it is highly unlikely the provider is going to terminate the account of their client who isn't knowingly spamming, but instead has become trojanized and an unwitting pawn for the concealed spammer. The unwitting dupe would have to secure their computer, which may be beyond their technical expertise and the provider doesn't want to lose the business of the 'non-spammer'. Spammers also 'spread around' their trojan abuse so as to not make it too heavy for the provider to support. The old days of the simple matter of the provider shutting down the account of the actual spammer are over. > What should be done about escalation? The first thing to do is to make sure the correct notify was done in the first place. I don't like the sound of that arin stuff nor the snail mail addy of the 'spammer'. Those are negative target clues. > How much effort tracking down white/black ISPs? Multiple database listing services such as openrbl are helpful to determine how unresponsive the provider for an IP is - by such as their spews and/or spamhaus listings. > When should I go 'up' an ARIN level? I don't think you are understanding something there, unless you are talking about what I call a parent/child relationship. > I used to ignore spam, but once they started forging returns > with my domain, I decided to do something more active. > I came to SC on the advice of a friendly abuse@, > only to find that SC doesn't actually handle my situation; 98% of spam > passing > my filters now is actually second-hand bounced stuff. Not that SC > doesn't help - > I still use it for some of the lookup spade work. Yes. SC can be a useful tool even when you aren't using its reporting letter, but cancelling the report. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Thu Jun 3 04:57:01 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jun 3 07:00:02 2004 Subject: [SpamCop-List] Re: any feedback to SpamCop to from FTC reporting? References: Message-ID: Annie wrote: > Does anyone at SpamCop know if the FTC is accepting SpamCop reporting > to uce@ftc.gov? That addy is still good, accepts spam with complete headers as the SC system provides, and allegedly stores it in a database which is used to pursue law enforcement against people who send deceptive email according to the ftc http://www.ftc.gov/bcp/conline/pubs/online/inbox.htm -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Thu Jun 3 05:03:56 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jun 3 07:05:02 2004 Subject: [SpamCop-List] Re: How long does it take a white hat ISP to shut someone down? References: Message-ID: brewman wrote: > I reported a bounced spam We can talk about the notifies for a specific spam. If you will put it in the SC parser and have SC parse it, then copy the tracker from the top of the page, then cancel the item, and post the tracker here, we can 'critique' the SC notifies as well as the presumed responsiveness of the providers who would be so notified. -- Mike Easter kibitzer, not SC admin From sally at nowhere.net Thu Jun 3 08:11:53 2004 From: sally at nowhere.net (sally) Date: Thu Jun 3 07:10:04 2004 Subject: [SpamCop-List] E-MAIL BROADCASTING SIMPLE: Message-ID: For anyone who collects telephone numbers, etc. of spammers who send spam advertising their spamming service, I have posted such a spam in SPAMCOP.SPAM with this same subject. --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.692 / Virus Database: 453 - Release Date: 5/28/04 From MissAnnie at nospam.invalid Thu Jun 3 08:12:19 2004 From: MissAnnie at nospam.invalid (Annie) Date: Thu Jun 3 07:15:03 2004 Subject: [SpamCop-List] Re: puzzling HTML non-message References: Message-ID: "Don Wannit" wrote in message news:c9m8h3$rfc$1@news.spamcop.net... > But this one didn't say anything. Went to the trouble of having > an HTML email body, but no meat in the body, only skeleton. > I have also been getting email with nothing but headers. It has been increasing over the past two months. Those empty spam have been the topic of some disucssion in spam newsgroups for a few weeks. Not much is being said for sure about them. Speculation has been they area virus or a spammer who is looking for a live email address. I am now filtering spam using Mail Washer Pro and sending it to Spam Cop. The empty spam email is tagged as "Origin blacklisted by SpamCop" so I assume it is from a known spammer and not from some innocent person infected with a virus. I am beginning to think they are mal formed spam and/or a test email to see if the known good address [my address and yours] is still alive. -- ```````````````` MissAnnie From nobody at devnull.spamcop.net Fri Jun 4 00:21:46 2004 From: nobody at devnull.spamcop.net (brewman) Date: Thu Jun 3 07:20:03 2004 Subject: [SpamCop-List] Re: How long does it take a white hat ISP to shut someone down? References: Message-ID: Thanks, Mike, for all that information. It will help me to make fewer mistakes in future. Just a couple of comments: "Mike Easter" wrote > > I had included complete emails (they had forged everything except > > spamvertised URL), extracted IP address & even spammer's town. > > Now I'm presuming you are addressing the subject of information in the > domain registration which is the only place which a snail mail address > would appear. That makes me wonder how you are doing your notifying. I do not use ISP snail mail address (often just head office) or registration database (meaningless for server location). I use www.ip2location.com (good) and www.geobytes.com (not as good; once gave a location of Netherlands instead of Spain, and often gives up). I tracked a few known computers before trusting them, and I often cross check with ARIN/LACNIC/RIPE/APNIC/nic.br for reasonableness. > These days it is highly unlikely the provider is going to terminate the > account of their client who isn't knowingly spamming I'm not asking them to immediately terminate the account. Shutting off port 25 would be a good enough start. When your boat's sprung a leak you stop the flooding first and then work out who's to blame. -- Brewman Brewman.SpamCop@brycom.cX.nX which really ends with dot co dot nz From nobody at devnull.spamcop.net Fri Jun 4 00:36:47 2004 From: nobody at devnull.spamcop.net (brewman) Date: Thu Jun 3 07:35:02 2004 Subject: [SpamCop-List] Re: How long does it take a white hat ISP to shut someone down? References: Message-ID: "Mike Easter" wrote > We can talk about the notifies for a specific spam. If you will put it > in the SC parser and have SC parse it, then copy the tracker from the > top of the page, then cancel the item, and post the tracker here, we can > 'critique' the SC notifies as well as the presumed responsiveness of the > providers who would be so notified. Contents of first bounced message headers are at http://www.spamcop.net/sc?id=z509785468zc232e3e4c469032b0542149d7222fe45z NB Date fabricated to allow parsing (more than 72 hours old) My manual diagnosis (before I knew of SC!) email to: abuse@illinois.net re: IP 207.63.98.2 - Kenosha, WI -- Brewman Brewman.SpamCop@brycom.cX.nX which really ends with dot co dot nz From eek at barkerjr.net Thu Jun 3 08:44:05 2004 From: eek at barkerjr.net (BarkerJr) Date: Thu Jun 3 08:05:17 2004 Subject: [SpamCop-List] Re: any feedback to SpamCop to from FTC reporting? References: Message-ID: <2if3p1-rrk.ln1@gecko.LAN> > > Does anyone at SpamCop know if the FTC is accepting SpamCop reporting > > to uce@ftc.gov? > > That addy is still good, accepts spam with complete headers as the SC > system provides, and allegedly stores it in a database which is used to > pursue law enforcement against people who send deceptive email according > to the ftc http://www.ftc.gov/bcp/conline/pubs/online/inbox.htm I hope they also watch for CAN-Spam abusers (spams with no postal address). From MikeE at ster.invalid Thu Jun 3 06:22:57 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jun 3 08:25:02 2004 Subject: [SpamCop-List] Re: How long does it take a white hat ISP to shut someone down? References: Message-ID: brewman wrote: www.spamcop.net/sc?id=z509785468zc232e3e4c469032b0542149d7222fe45z > email to: abuse@illinois.net > re: IP 207.63.98.2 - Kenosha, WI I can see by how you parsed it, with the body trimmed off, that it was your intention to target the source, not the spamvertiser. Here's how I would approach that. The source IP is 207.63.98.2 rDNS st-207-63-98-2.dist118.lake.k12.il.us which tells us something right there. More on that later. First, we'll get the 'straightforward' done: whois -h whois.arin.net 206.166.96.66 ... OrgName: Illinois Century Network OrgAbuseEmail: abuse@illinois.net then, I check in openrbl to see what's up and find the IP listed in CBL & SORBS as insecure open proxy/trojan. My notify will mention that condtion. When I know the exact insecurity, I also tell that, but I don't know exactly on this one; but I'm going to attack my /target/ differently, at the school system. st-207-63-98-2.dist118.lake.k12.il.us is under the aegis of Lake County IL Regional Office of Education 800 Lancer Lane, Suite E-128 Grayslake, IL 60030 Phone: (847) 543-7833 Fax: (847) 543-7832 which has a website at http://www.lake.k12.il.us/ where there are tons and tons more contacts So, we would work on our contacts at the school to get the insecure box secured. If we work at it, we are very likely to eventually get someone notified who can fix it. -- Mike Easter kibitzer, not SC admin From MissAnnie at nospam.invalid Thu Jun 3 09:26:03 2004 From: MissAnnie at nospam.invalid (Annie) Date: Thu Jun 3 08:30:04 2004 Subject: [SpamCop-List] Re: any feedback to SpamCop to from FTC reporting? References: <2if3p1-rrk.ln1@gecko.LAN> Message-ID: "BarkerJr" wrote in message news:2if3p1-rrk.ln1@gecko.LAN... > > > Does anyone at SpamCop know if the FTC is accepting SpamCop reporting > > > to uce@ftc.gov? > > > > That addy is still good, accepts spam with complete headers as the SC > > system provides, and allegedly stores it in a database which is used to > > pursue law enforcement against people who send deceptive email according > > to the ftc http://www.ftc.gov/bcp/conline/pubs/online/inbox.htm > > I hope they also watch for CAN-Spam abusers (spams with no postal address). > That is what I am wondering, if the SpamCop information has the required abuses spelled out in what is reported to the FTC by SpamCop reports. I would like to see SpamCop flag abuses such as faked headers and no real remove link, and no full real address in the body of the email. If from what is in the spamcop report we just see spam, that is not good enough for the Can Spam law. I see a whole new market for Spam Cop if they do help the user report actionable illegal spam according to the Can Spam law, to the FTC. If Spam Cop has teeth in helping us doing something about the spam issue, I will be sure to re-subscribe as a paying customer when my current paid subscription expires. If not, I am looking for some place that does help report the necessary information to the right places. Not saying in any way that SpamCop doesn't help against spam. Just saying it would be very nice to know we are actually helping the FTC go after the spammers. -- ```````````````` MissAnnie From MikeE at ster.invalid Thu Jun 3 06:28:30 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jun 3 08:30:13 2004 Subject: [SpamCop-List] Re: any feedback to SpamCop to from FTC reporting? References: <2if3p1-rrk.ln1@gecko.LAN> Message-ID: BarkerJr wrote: >> That addy is still good, accepts spam with complete headers as the SC >> system provides, and allegedly stores it in a database which is used >> to pursue law enforcement against people who send deceptive email >> according to the ftc >> http://www.ftc.gov/bcp/conline/pubs/online/inbox.htm > > I hope they also watch for CAN-Spam abusers (spams with no postal > address). I personally think that the FTC doesn't do much of anything about that but accumulate the db which it makes available in the ways described at the website blurb. The business of the enforcement of laws is somebody else's bailiwick and the FTC bureaucracy leaves enforcement to others. Here's how they describe that and also the business about their online complaint form: "Let the FTC know if a "remove me" request is not honored. If you want to complain about a removal link that doesn't work or not being able to unsubcribe from a list, you can fill out the FTC's online complaint form at www.ftc.gov. Your complaint will be added to the FTC's Consumer Sentinel database and made available to hundreds of law enforcement and consumer protection agencies." -- Mike Easter kibitzer, not SC admin From MissAnnie at nospam.invalid Thu Jun 3 09:30:06 2004 From: MissAnnie at nospam.invalid (Annie) Date: Thu Jun 3 08:35:07 2004 Subject: [SpamCop-List] Re: Ignoring more than 4 user-notify addresses References: Message-ID: "Patto" wrote in message news:c9m1vb$m5b$1@news.spamcop.net... > Reporting hidden URLs (that SpamCop cannot detect) and its redirect URLs can > sometimes result in more than the max allowed 4 user-notify addresses. OK, > we know it, but sometimes we put in more than 4 - be it by accident, > mis-counting, or copy-and-paste. > > In this case, message "Ignoring more than 4 user-notify addresses" is > issued, and NO report is sent. > > Suggestion: couldn't SpamCop just send the first 4, then just ignore the > excessive one(s)? > I don't even know about this, can you explain further? I just parse the header using spam cop and hit the report button. -- ```````````````` MissAnnie > From MikeE at ster.invalid Thu Jun 3 06:48:11 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jun 3 08:50:03 2004 Subject: [SpamCop-List] Re: How long does it take a white hat ISP to shut someone down? References: Message-ID: Mike Easter wrote: > which has a website at http://www.lake.k12.il.us/ where there are > tons and tons more contacts There's a .pdf at the regional's site which has the particulars on each of the districts. Our district 118 sez Dr John F Barbini Administrator 555 N Main St Address Wauconda Comm Unit S Dist 118 Building Wauconda, Il 60084-1299 847-526-7690 phone 847-526-1019 fax and there's a district 118 website which has all of its own contacts: http://www.cusd118.lake.k12.il.us/ also, it has a specific .pdf about internet usage policy and such http://www.cusd118.lake.k12.il.us/district/internet_policy.pdf which intensely spells out all of the rules and such but not the best contact for their little security problem -- Mike Easter kibitzer, not SC admin From Kilgallen at SpamCop.net Thu Jun 3 08:55:09 2004 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Thu Jun 3 09:00:04 2004 Subject: [SpamCop-List] Re: Reports- Where do they go? References: Message-ID: In article , "Eddy" writes: > Rest assured the only way you could have gotten onto this list is to > subscribe to go to 'partner' seminars around the world. When I say Partner I What assurance exists that one cannot be forge-subscribed ? What assurance do we have that "unsubscribe" requests were not ignored ? > mean to say our clients partners these are companies that sell our clients > specialised products and so have to be a partner to do so. This email tells > them about dates, time and locations of seminars. From nobody at spamcop.net Thu Jun 3 10:16:22 2004 From: nobody at spamcop.net (Firewoman) Date: Thu Jun 3 09:15:02 2004 Subject: [SpamCop-List] Re: Marjolein's current travel blog References: Message-ID: "Mike Easter" wrote in message news:c9koqv$f5c$1@news.spamcop.net... > Mike Easter wrote: > > I didn't get any hits on concurrent /yazd 'cafe net'/ > > Well that's what Marjolein was saying 'they' called them 'We' call > them internet cafes when we talk about them so that's a better search > and "Next to the 12th-century mosque, there's a lively Internet cafe," - > so presumably we'll get another post soon from Yazd. > > -- > Mike Easter > kibitzer, not SC admin http://www.ucomics.com/foxtrot/2004/06/02/ /subtle, not sure if you'll get it :) From MikeE at ster.invalid Thu Jun 3 07:34:11 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jun 3 09:35:02 2004 Subject: [SpamCop-List] Re: Marjolein's current travel blog References: Message-ID: Firewoman wrote: > http://www.ucomics.com/foxtrot/2004/06/02/ > > > /subtle, not sure if you'll get it :) There could be a lot of reasons I don't get it; - I don't think I've ever bought a Ralph Lauren/ Polo/ product in my life - in the marketing/ name recognition/ game, the situation with Ralph Lauren & Polo may be 'confusing', but I don't know or agree that it is comic strip material, but then I don't follow FoxTrot so I don't know where those little characters are 'coming from' - witness the Polo Ralph Lauren confusion by how 'they' Polo - RL - handle their websites' names; they don't know if they are Polo or Ralph Lauren - there's some kind of 'joke' about dissecting jokes or humor that probably comes to bear here - could be this Marco Polo - Ralph Lauren cartoon is right on topic, because Marjolein's trip will be following in the footsteps of Marco Polo -- Mike Easter kibitzer, not SC admin From korhojy at POISSPAMMIThotmail.com Thu Jun 3 17:41:31 2004 From: korhojy at POISSPAMMIThotmail.com (Jyri Korhonen) Date: Thu Jun 3 09:45:03 2004 Subject: [SpamCop-List] Re: Turnaround performance problem References: <9651-40BD54C9-179@storefull-3255.bay.webtv.net> <40BE80A2.9080207@spamcop.net> Message-ID: "Thomas Mooney" wrote: > But SpamCop's customary lack of communication continues to be a source > of significant frustration. Some acknowledgement that a problem was > discovered and resolved would be welcome and comforting. I wish that > "the powers that be" would spend more time stabilizing "the product" > and communicating with the user base. I know I have been a customer > for much less time than many here, but my experience is that it is one > problem after another with virtually no communication about what's > being/been done to improve the situation. You're not the first person hoping for more information, but I have used SpamCop over three years now and I can tell that during this time SpamCop has been practically the same. So I don't think that you are going to see any changes in the near future. There was a time when you could see system problems by looking at the statistics pages, but now the statistics have become a roller coaster and don't offer much info. Luckily nobody is forcing you to use or how to use SpamCop. There are at least three ways to use SpamCop (email user, spam reporting and blocklist using) and you can select the ways you want. Unfortunately all of those include problems and meager information. I believe that I have never seen SpamCop running a whole month without problems. Well, I'm a free rider so naturally the problems don't bother me as much as I was a paying customer. However the efficiency of SpamCop blocklist has lately dropped so low that I'm considering stopping spam reporting. I'll probably still use SCBL among other lists, but without too high expectations. From rmu93awSPAMB02 at sneakemail.com Thu Jun 3 09:58:44 2004 From: rmu93awSPAMB02 at sneakemail.com (Spambo) Date: Thu Jun 3 10:00:03 2004 Subject: [SpamCop-List] Re: Marjolein's current travel blog In-Reply-To: References: Message-ID: Mike Easter wrote: > Firewoman wrote: > >> http://www.ucomics.com/foxtrot/2004/06/02/ >> >> /subtle, not sure if you'll get it :) > > There could be a lot of reasons I don't get it; > > - I don't think I've ever bought a Ralph Lauren/ Polo/ product in my > life > - in the marketing/ name recognition/ game, the situation with Ralph > Lauren & Polo may be 'confusing', but I don't know or agree that it is > comic strip material, but then I don't follow FoxTrot so I don't know > where those little characters are 'coming from' > - witness the Polo Ralph Lauren confusion by how 'they' Polo - RL - > handle their websites' names; they don't know if they are Polo or Ralph > Lauren > - there's some kind of 'joke' about dissecting jokes or humor that > probably comes to bear here > - could be this Marco Polo - Ralph Lauren cartoon is right on topic, > because Marjolein's trip will be following in the footsteps of Marco > Polo - "Marco Polo" is a game that (generally) youngsters play in a swimming pool. "Marco Ralph Lauren" is not. -- Just a SpamCop newsgroup participant, not an admin or employee of SpamCop or related domains. From nobody at spamcop.net Thu Jun 3 08:04:33 2004 From: nobody at spamcop.net (Don Wannit) Date: Thu Jun 3 10:05:03 2004 Subject: [SpamCop-List] Re: ISP or spammer reply to reporting address: puzzling HTML non-message In-Reply-To: References: Message-ID: Mike Easter wrote: > Don Wannit wrote: > > >>Seems kind of strange. > > > Maybe he tho't he'd get something with the returned receipt: > > Return-Receipt-To: "Nik Muhammed Muhyyiddin - TJSBHQ" > > Not from me, he woujldn't. But that's probably it. This is another way to test for a "live" address, and to map from the SpamCop report to an email address for listwashing, CD inclusion, or even revenge. If someone has their email reader configured to send those return receipts. Or their host's MTA (worse). Of course, there's no reason to believe that the email address revealed in a return receipt, were one to be sent, has anything to do with the address that received the original spam. Thanks! From MikeE at ster.invalid Thu Jun 3 08:13:48 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jun 3 10:15:09 2004 Subject: [SpamCop-List] Re: Marjolein's current travel blog References: Message-ID: Spambo wrote: > - "Marco Polo" is a game that (generally) youngsters play in a > swimming pool. "Marco Ralph Lauren" is not. Yes yes, but the joke hinges on the reader being familiar with the Polo - Ralph Lauren 'relationship'; an assumption not at all valid. That is, familiarity with the swimming pool game and familiarity with the label situation are entirely different things. Also, the 'timing' of the joke is all wrong. And I think timing in a joke is the 'essence' or soul of a joke. You either 'get' [or rather 'appreciate'] the joke in the first cel - or that is, you 'understand' the joke but don't find it amusing - or, you don't. Normally or ideally a joke sequence leads the 'appreciator' to the 'punch line'. Here, the punch line, "What's the difference?" doesn't really bring the joke reader to an understanding of how the answer to 'Marco' isn't 'Ralph Lauren' - but more to a view of the difference in personalities of the two characters, presumably. One is playing a game, the other is 'fashion conscious' - or something. Like I say, maybe you would have to have known both of the characters a lot better than I do to appreciate the humor. Like I said earlier, dissecting a joke is something or other that I forget. I'll go look that up. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Thu Jun 3 08:19:54 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jun 3 10:25:02 2004 Subject: [SpamCop-List] Re: Marjolein's current travel blog References: Message-ID: Mike Easter wrote: > Like I said earlier, dissecting a joke is something or other that I > forget. I'll go look that up. Oh, yeah. "Dissecting a joke is much like dissecting a frog. One may figure out what makes the subject tick, but the end result is inevitably a dead frog." -- Mike Easter kibitzer, not SC admin From debase at rut.org Thu Jun 3 11:32:56 2004 From: debase at rut.org (Robert C Henney) Date: Thu Jun 3 10:35:03 2004 Subject: [SpamCop-List] strange change of abuse report destination Message-ID: Having an odd bit of difficultly following spamcop's parsing on this particular report. First, some details.. 199.125.85.17 is our primary mail server here, with 199.125.85.40 providing secondary. http://www.spamcop.net/sc?id=z509861301z2996e9ffe0837d7b0c2f771df017560cz I follow spamcop's parsing in the report all the way down through 62.219.142.197 (the apparent spam source), and spamcop appears to find abuse@bezeqint.net as the desired abuse address. all seems good, except for the next part; where the reports go out to. For whatever reason, spamcop decides to forget about the abuse address for 62.219.142.197 and instead send to the abuse address for our secondary mail server, even though the chain appears to have been verified. What doublely confuses me is that below that section If reported today, reports would be sent to: Re: 62.219.142.197 (Administrator of network where email originates) abuse@bezeqint.net which doesn't reflect the action spamcop took. -- robh From MikeE at ster.invalid Thu Jun 3 08:37:20 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jun 3 10:40:03 2004 Subject: [SpamCop-List] Re: Marjolein's current travel blog References: Message-ID: Mike Easter wrote: > "Dissecting a joke is much like dissecting a frog. One may > figure out what makes the subject tick, but the end result is > inevitably a dead frog." Variants: is like dissecting a cat, neither one is much good when you're done is like attending an operation gone bad. Nobody has a good time, and the patient dies. -- Mike Easter kibitzer, not SC admin From ric.gates at bigsleep.org Thu Jun 3 15:40:54 2004 From: ric.gates at bigsleep.org (Blammo) Date: Thu Jun 3 10:45:02 2004 Subject: [SpamCop-List] Re: What am I missing? References: <40BCC67C.9000600@spamcop.net> <40BDF6A3.3030805@spamcop.net> <40BE33F6.907@spamcop.net> Message-ID: On 02 Jun 2004 lt entered spamcop and left news:c9leme$4ed$1@news.spamcop.net: > >>>>Spamming isn't a crime. > > In the U.S., if it comes with a forged header it is a crime. I can't > remember the last time > I got spam that didn't have a forged header. > Oh, that's perfect logic, that makes all junk mail spam, all junk mailers spammers, all spammers criminals, all links in junk mail illegal sites that noone should be allowed to visit. I'm so pleased to have people like you making laws to protect me from myself. -- | Ric | From MikeE at ster.invalid Thu Jun 3 08:48:32 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jun 3 10:50:02 2004 Subject: [SpamCop-List] Re: strange change of abuse report destination References: Message-ID: Robert C Henney wrote: > Having an odd bit of difficultly following spamcop's parsing on this > particular report. The location of the important logic is displaced slightly from the line where it happens. http://www.spamcop.net/sc?id=z509861301z2996e9ffe0837d7b0c2f771df017560c z Abbreviated summary of Received: lines *comment from mercury.mv.net (199.125.85.40) by iridium.mv.net *serves you from (HELO bzq-219-142-197.red.bezeqint.net) (62.219.142.197) by mercury.mv.net *sourceline from 37.62.129.160 by 62.219.142.197 *bogusline If reported today, reports would be sent to: Re: 62.219.142.197 abuse@bezeqint.net > which doesn't reflect the action spamcop took. When I look at the tracker which you posted it reflects how SC would parse it now. What you are describing is a different parse result from now, in which SC named mercury. Here's the section where SC is /now/ deciding to /not/ name mercury: This is the section where SC is trying to chain from the topline 'from' field above to the 2nd line 'by' field above in my abbreviated headerlines. 199.125.85.40 not listed in dnsbl.njabl.org 199.125.85.40 not listed in cbl.abuseat.org 199.125.85.40 not listed in dnsbl.sorbs.net 199.125.85.40 is an MX for iridium.mv.net Possible spammer: 62.219.142.197 host mercury.mv.net (checking ip) = 199.125.85.40 199.125.85.40 not listed in dnsbl.njabl.org 199.125.85.40 not listed in cbl.abuseat.org 199.125.85.40 not listed in dnsbl.sorbs.net Chain test:mercury.mv.net =? mercury.mv.net mercury.mv.net and mercury.mv.net have same hostname - chain verified Possible relay: 199.125.85.40 199.125.85.40 not listed in relays.ordb.org. 199.125.85.40 has already been sent to relay testers Received line accepted ...so, what ends up happening there is that SC makes the chain happen because it was able to trust mercury to be a server. SC is performing what I call the 'mx step' there. It is comparing the IP to the domain name and the domainname's MX situation and whether or not it is 'familiar' with that server, ie whether it has sent it to relay testers and such. It has problems with a brand new relay and some other factors sometimes. Here, it has concluded that mercury is in fact relaying for the line below it, and so it proceeds onward. That line is the last one it can chain to, because the next one is bogus. -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Thu Jun 3 12:06:38 2004 From: nobody at spamcop.net (Firewoman) Date: Thu Jun 3 11:05:02 2004 Subject: [SpamCop-List] Re: Marjolein's current travel blog References: Message-ID: "Mike Easter" wrote in message news:c9nd40$plr$1@news.spamcop.net... > Mike Easter wrote: > > "Dissecting a joke is much like dissecting a frog. One may > > figure out what makes the subject tick, but the end result is > > inevitably a dead frog." > > Variants: > > is like dissecting a cat, neither one is much good when you're done > > is like attending an operation gone bad. Nobody has a good time, and the > patient dies. > > -- > Mike Easter > kibitzer, not SC admin Ok so my stand-up comic career died before it began..... Looking back up to my OP yesterday, I had noticed Marjolein was travelling Marco Polo's route. I guess too many summers at the pool growing up instilled the urge to yell "MARCO!" and sit around waiting for someone to yell back. I saw that cartoon last night in the paper and giggled. Unfortunately, with my lame sense of humor, I was the only one who got it. ... back to doing something I can do well ... time to report some spam :) From johnl at spamcop.net Thu Jun 3 16:04:18 2004 From: johnl at spamcop.net (JohnL) Date: Thu Jun 3 11:05:11 2004 Subject: [SpamCop-List] Re: Marjolein's current travel blog References: Message-ID: "Firewoman" scribbled in news:c9neh3$r1c$1@news.spamcop.net: > Unfortunately, with my lame sense of humor, I was the only one > who got it. I had read that post and really was going to respond POLO, but with my eyes closed, I couldn't see the keyboard. ;-) From Anonym at us.comm Thu Jun 3 09:03:54 2004 From: Anonym at us.comm (Anonym@us.comm) Date: Thu Jun 3 11:10:03 2004 Subject: [SpamCop-List] Re: any feedback to SpamCop to from FTC reporting? References: <2if3p1-rrk.ln1@gecko.LAN> Message-ID: "Mike Easter" wrote in message news:c9n5id$i7i$1@news.spamcop.net... > I personally think that the FTC doesn't do much of anything about that > but accumulate the db which it makes available in the ways described at > the website blurb. The business of the enforcement of laws is somebody > else's bailiwick and the FTC bureaucracy leaves enforcement to others. I forward all my SpamCop reports to uce@ftc.gov right from my mail client (I'm using MS Outlook 2000, and the SpammerSlammer VBA code located at http://www.hillscapital.com/spammerslammer.zip). The VBA code formats the spam reports such that they meet SpamCop's requirements, and the FTC's requirements, as well as the requirements of several other spam-reporting entities. When I click the 'Report As Spam' button, the reports get sent to all of these spam-reporting entities at once. I know the FTC uses those reports, because I'm currently working with them to bring down a Florida spammer. I've conversed many times with them as they pulled the information I've sent them from their database, and I've printed out the reports on my end and Fed-Ex'd them to the FTC so they've got hard copies from the actual reporter. So, yes, reports formatted to meet SpamCop's requirements work just fine with the FTC's database, and they are using them for bringing down spammers. From Anonym at us.comm Thu Jun 3 09:22:16 2004 From: Anonym at us.comm (Anonym@us.comm) Date: Thu Jun 3 11:25:02 2004 Subject: [SpamCop-List] Re: How long does it take a white hat ISP to shut someone down? References: Message-ID: I've sent reports like this to white-hat ISPs, and gotten back a reply in as little as 1/2 hour, telling me the technical details (compromised machine, spammer actually on that machine, etc.). The spew stopped immediately after. It shouldn't take long for a white-hat ISP who gives a damn and is knowledgeable to figure out what is going on with one of their customers and either block specific ports for that customer or shut them off completely. They have the ability to monitor exactly what any of their customers is doing at any time (this includes if the customer is jumping around on IP addresses (for dynamic IP address customers) by connecting/disconnecting on a frequent basis) so they can send spam without being 'discovered'. The trick is, you have to send the report to them quickly enough that they can associate an IP address with the customer who's currently abusing that IP address (i.e.: before they hop to another IP address). Once the ISP's got that, they can track what that customer is doing easily, even if that customer switches IP addresses. That's why I always strive to get spam reports out in the same minute that the spam is received (I've got it all automated so reports go out with only one click). From pobox.spamcop at kronatech.net Thu Jun 3 09:26:00 2004 From: pobox.spamcop at kronatech.net (KronaTech) Date: Thu Jun 3 11:30:02 2004 Subject: [SpamCop-List] Re: letting my isp deal with the load References: Message-ID: "Annie" wrote in message news:c9mvee$ct9$1@news.spamcop.net... > I am feeling the same frustration. Is it worth my time, does it make a > difference if I as the end email user report spam through spamcop? If I > thought that personally calling each spammer and chewing them out or > reporting them to the FTC would do it, I would spend more hours doing it > when I can. But this endless reporting with little relief is getting old. > > Do you know if your ISP reports abuses to the FTC? I know the Can Spam law > has few teeth to make much of a dent in the total spam load, but putting > some sting into being a low life spammer is a step in the right direction. For people who are not seeing the impact of the BL, I imagine it must be very frustrating, simply reporting because it's the right thing to do and rarely seeing any results. If your ISPs or mail servers were to incorporate the BL into their engines your spam would be reduced by a huge percentage. I have always used the BL and it's what brought me to spamcop (it was already in use by default on the mail servers I installed), so its difficult for me to understand what it's like to be receiving spam in quite that magnitude. The most spam I see reach my mailbox in a day is measured in dozens (and always via my hotmail accounts). I don't know what it's like to be completely overwhelmed with it as some of you are. It's unfortunate that so many of your ISPs are not using the BL (spamcop or others). -K From Nobody at devnull.spamcop.net Thu Jun 3 11:28:08 2004 From: Nobody at devnull.spamcop.net (Nobody) Date: Thu Jun 3 11:30:10 2004 Subject: [SpamCop-List] Re: Spammer Letter to SpamCop References: <40B69162.2C0C9DC2@spamcop.net> <40BC9298.D25FBBB2@spamcop.net> Message-ID: <40BF4388.E7365972@devnull.spamcop.net> Steven M??lein wrote: > > On Tue, 01 Jun 2004 09:28:40 -0500, Nobody wrote: > > > [snip line 3 screens wide] > > Please read this: > > http://linux.sgms-centre.com/misc/netiquette.php > > and pay particular attention to point #5. > > TIA, > > -- > Steve Steve, Thought I'd fixed that, wrapping at 72 char. Tks, Michael From eddie at eddie.web Thu Jun 3 12:42:23 2004 From: eddie at eddie.web (eddie) Date: Thu Jun 3 11:45:02 2004 Subject: [SpamCop-List] Re: Ignoring more than 4 user-notify addresses References: Message-ID: On Thu, 03 Jun 2004 11:21:32 +0900, Patto scratched out the following: snip > > Suggestion: couldn't SpamCop just send the first 4, then just ignore the > excessive one(s)? Yes, and better, why not change the default number to 6 or 8? It's not as if we are abusing something. A typical report regarding pirated software takes over 4 additional reports if you copy siia.net and bsa.org. But it's still ridiculous (and a bit childish :) ) to punish us for putting more than 4, by deleting all of them. From Nobody at devnull.spamcop.net Thu Jun 3 11:42:49 2004 From: Nobody at devnull.spamcop.net (Nobody) Date: Thu Jun 3 11:45:10 2004 Subject: [SpamCop-List] Re: Spammer Letter to SpamCop References: <40B69162.2C0C9DC2@spamcop.net> <40BC9298.D25FBBB2@spamcop.net> <40BDD3F1.5333@xyzzy.claranet.de> Message-ID: <40BF46F9.DA103D0A@devnull.spamcop.net> Frank Ellermann wrote: > > D.Diaz wrote: > > > My newsreader also displays that posting as a 3 screens > > wide line. I have to press 'w' to have it nicely wrapped. > > Me too, but my newsreader is old and stupid. There was no > format=flowed in the Content-Type: of Michael's article, so > maybe that caused your problems (?) > > Bye, Frank I left my line length at 900 char for a while because wrapping at 72 was playing hob with other people's readers -- their reader would wrap, and then my 72-char line would wrap again, giving me hard returns in odd places and chopping up the text badly. When people quoted back to me it looked pretty awful. I restored the 72-char wrap when someone first complained above. Any suggestions about the extra returns? My reader client is, yes, Netscape 4.75. I won't go to 7.x because I'd heard about the bloat factor and scumware. I've cleared off enough headspace on my small HDD that now I can think about loading Firefox, Opera, or Mozilla as a stand-alone browser, archive my e-mail, and uninstall Netscape completely. I don't need the fifth e-mail client anyway. (I also have Eudora Lite, Outlook [uninstalled], OE, and StarOffice 5.1, with Netscape the default mailer which I use for newsgroups.) Regards, Michael From tmcgraw at spamcop.net Thu Jun 3 09:53:17 2004 From: tmcgraw at spamcop.net (Tim McGraw) Date: Thu Jun 3 11:55:04 2004 Subject: [SpamCop-List] Re: What am I missing? References: <40BCC67C.9000600@spamcop.net> <40BDF6A3.3030805@spamcop.net> <40BE33F6.907@spamcop.net> Message-ID: <40BF496D.7010104@spamcop.net> Blammo wrote: > On 02 Jun 2004 lt entered spamcop and left > news:c9leme$4ed$1@news.spamcop.net: > >>>>>Spamming isn't a crime. >>>> >>In the U.S., if it comes with a forged header it is a crime. I can't >>remember the last time >>I got spam that didn't have a forged header. > > Oh, that's perfect logic, that makes all junk mail spam, all junk mailers > spammers, all spammers criminals, all links in junk mail illegal sites that > noone should be allowed to visit. I'm so pleased to have people like you > making laws to protect me from myself. Someone has to as apparently you are too great an idiot to protect yourself. BTW, tinply. From Nobody at devnull.spamcop.net Thu Jun 3 11:59:10 2004 From: Nobody at devnull.spamcop.net (Nobody) Date: Thu Jun 3 12:00:03 2004 Subject: [SpamCop-List] Re: Spammer Letter to SpamCop References: <40B69162.2C0C9DC2@spamcop.net> <6jgdb0hui29hebvimaar9dsihvrk3j14a6@4ax.com> Message-ID: <40BF4ACE.4129D391@devnull.spamcop.net> "John J. Burness" wrote: > > SpamCop Admin wrote: > > > Nobody wrote: > Just to add to the O.P. comments:- > > www.gaviningham.net appears to be owned by a company called "GAVIN > INGHAM LTD". Presumably, this is the same "Gavin" who responded to the > O.P.!! > The ONLY addy links to "www.topica.email-publisher.com", which is under > maintenance at the present. However, it wouldn't take a geniusto figure > out what their interests are!! > > HTH > > Regards, > John John, Thank you very much for the information, it proved helpful. I've already rec'd another spam from Koach and am including some links & info in the comments section, which will serve as a reply to the spammer's note to SpamCop contesting my reports. (And possibly others', I've no way of knowing whether he's hit other SpamCop spamtraps.) Tks mucho, Michael From Nobody at devnull.spamcop.net Thu Jun 3 12:20:26 2004 From: Nobody at devnull.spamcop.net (Nobody) Date: Thu Jun 3 12:25:15 2004 Subject: [SpamCop-List] Re: [media] "When Software Fails to Stop Spam, It's Time to BringIn the Detectives" References: Message-ID: <40BF4FCA.EB0096AB@devnull.spamcop.net> Ant wrote: > > "Mike Easter" wrote... > I sent the new doc to the PHB, and he was most grateful. He just didn't > know how to do it. > What is a PHB? TIA, Michael From Anonym at us.comm Thu Jun 3 10:31:32 2004 From: Anonym at us.comm (Anonym@us.comm) Date: Thu Jun 3 12:35:03 2004 Subject: [SpamCop-List] Re: Marjolein's current travel blog References: Message-ID: Is there jail time for murdering a joke? From wb8tyw at qsl.network Thu Jun 3 12:33:51 2004 From: wb8tyw at qsl.network (John E. Malmberg) Date: Thu Jun 3 12:35:15 2004 Subject: [SpamCop-List] Re: Marjolein's current travel blog References: Message-ID: In article , "Mike Easter" writes: > Spambo wrote: >> - "Marco Polo" is a game that (generally) youngsters play in a >> swimming pool. "Marco Ralph Lauren" is not. > > Yes yes, but the joke hinges on the reader being familiar with the > Polo - Ralph Lauren 'relationship'; an assumption not at all valid. > That is, familiarity with the swimming pool game and familiarity with > the label situation are entirely different things. > > Also, the 'timing' of the joke is all wrong. And I think timing in a What you are missing from the context is that the owner of the Trademark "Polo" was in the news back then for actions that they felt needed to protecting their trademark rights. The joke was that the any generic use of the word "Polo" could be construed to be a trademark violation so had to be changed. As to the merits of the trademark case, I never cared to look at it in the first place. -John wb8tyw@qsl.network Personal Opinion Only From MikeE at ster.invalid Thu Jun 3 10:47:46 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jun 3 12:50:07 2004 Subject: [SpamCop-List] Re: Marjolein's current travel blog References: Message-ID: John E. Malmberg wrote: > What you are missing from the context is that the owner of the > Trademark "Polo" was in the news back then for actions that they felt > needed to protecting their trademark rights. > > The joke was that the any generic use of the word "Polo" could be > construed to be a trademark violation so had to be changed. > > As to the merits of the trademark case, I never cared to look at it > in the first place. Ah, so! /Now/ I get it! I didn't know about /that/ Polo situation. I found a newsgroup post written in 2001 August: There's always Ralph Lauren... he's suing the US Polo Association for using the word "Polo" in violation of the trademark he has on it (he makes Polo brand shirts, etc) And that's true. I would have to go digging some more, perhaps the poster didn't get it quite right, but the general context /would/ make the cartoon funnier. Not very *timely* - but much funnier. Unless the Ralph Lauren suit situation is just now getting itself resolved or something. -- Mike Easter kibitzer, not SC admin From michael.spamcop at michaellefevre.com Thu Jun 3 17:48:31 2004 From: michael.spamcop at michaellefevre.com (Michael Lefevre) Date: Thu Jun 3 12:50:32 2004 Subject: [SpamCop-List] Re: [media] "When Software Fails to Stop Spam, It's Time to Bring In the Detectives" References: <40BF4FCA.EB0096AB@devnull.spamcop.net> Message-ID: Nobody wrote: [snip] > What is a PHB? http://catb.org/~esr/jargon/html/P/PHB.html -- Michael From MikeE at ster.invalid Thu Jun 3 10:48:28 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jun 3 12:50:43 2004 Subject: [SpamCop-List] Re: Marjolein's current travel blog References: Message-ID: Anonym@us.comm wrote: > Is there jail time for murdering a joke? Ha! See the other post. It is possible we may *now* be getting down to the real joke. -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Thu Jun 3 14:02:12 2004 From: nobody at spamcop.net (Firewoman) Date: Thu Jun 3 13:00:02 2004 Subject: [SpamCop-List] Re: Marjolein's current travel blog References: Message-ID: "Mike Easter" wrote in message news:c9nkoi$1jb$1@news.spamcop.net... > John E. Malmberg wrote: > > What you are missing from the context is that the owner of the > > Trademark "Polo" was in the news back then for actions that they felt > > needed to protecting their trademark rights. > > > > The joke was that the any generic use of the word "Polo" could be > > construed to be a trademark violation so had to be changed. > > > > As to the merits of the trademark case, I never cared to look at it > > in the first place. > > Ah, so! /Now/ I get it! > > I didn't know about /that/ Polo situation. > > I found a newsgroup post written in 2001 August: > > > There's always Ralph Lauren... > he's suing the US Polo Association for using the word "Polo" in > violation of the trademark he has on it (he makes Polo brand shirts, > etc) > And that's true. > > > I would have to go digging some more, perhaps the poster didn't get it > quite right, but the general context /would/ make the cartoon funnier. > Not very *timely* - but much funnier. Unless the Ralph Lauren suit > situation is just now getting itself resolved or something. > > -- > Mike Easter > kibitzer, not SC admin Agh.... I give up! The joke's subtlety was surpassed by its lameness, and now I'm even forgetting what the original joke was. Next time I promise to make it more obvious :) POLO! From MikeE at ster.invalid Thu Jun 3 11:01:47 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jun 3 13:05:07 2004 Subject: [SpamCop-List] Re: Marjolein's current travel blog References: Message-ID: Mike Easter wrote: > I would have to go digging some more, perhaps the poster didn't get it > quite right, Polo Ralph Lauren L.P. v. Schuman, 46 USPQ 2d 1046, 1048 (S.D. Texas 1998) (granting permanent injunction prohibiting the tarnishing use of 'The Polo Club' and 'Polo Executive Retreat' for an adult entertainment establishment). http://snipurl.com/6u92 2002 Sep - US Court of Appeals Fifth Circuit Affirms Decision Barring Polo Magazine From Using 'Polo' Trademark Without Prominent Disclaimer So, now we're at least in the 'newsworthy' timeframe of something under 2 years ago. -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Thu Jun 3 11:04:08 2004 From: nobody at spamcop.net (Eric) Date: Thu Jun 3 13:05:19 2004 Subject: [SpamCop-List] Re: How about the ability to add extra URLs to be reported? In-Reply-To: References: Message-ID: Ellen wrote: > "brewman" wrote in message > news:c9luhh$jgs$1@news.spamcop.net... > >>If I was mischievous/unethical enough, I could just paste the >>URL into the spam email anyway. I won't, but I wonder if >>anybody would/does? This *could* be used to get the info wanted >>and then not report it thru SC, but is a bit of a hassle scraping each >>email address. > > > Those who do tend to get caught and then they get terminated. > > > > Ellen > SpamCop > > Hasta la vista, Baby! - our "Governor", in whose name political spam has been sent -- "I keep on getting Spam. Particularly about penis enlargement. I responded to every single one. I now have a nine foot penis. I also get Spams about refinancing my home. And if there's one thing that will shrivel your dick up it's thinking about your mortgage. Which means I need more penis enlargement pills, and more viagra to fill it up again!" --Eric Idle From MikeE at ster.invalid Thu Jun 3 11:11:24 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jun 3 13:15:02 2004 Subject: [SpamCop-List] Re: Marjolein's current travel blog References: Message-ID: Firewoman wrote: > Agh.... I give up! The joke's subtlety was surpassed by its > lameness, and now I'm even forgetting what the original joke was. > Next time I promise to make it more obvious :) > > POLO! No, now I like it a *lot* better! Setting: swimming pool, Jason 10 hands covering eyes, Paige 15 nearby Jason: Marco! Paige: Ralph Lauren Jason: Marco! Paige: Ralph Lauren Jason: You're supposed to say 'Polo' Paige: What's the difference? -- Mike Easter kibitzer, not SC admin From puoiti at inwind.it Thu Jun 3 20:35:43 2004 From: puoiti at inwind.it (Ivan Leo Puoti) Date: Thu Jun 3 13:40:03 2004 Subject: [SpamCop-List] Re: Spammers really don't like piracy reports, so please report all software spam to the manufactures. In-Reply-To: References: Message-ID: > I've suggested this be automatic. It's bad enough their ISP will get on > them about spamming but if the publisher are after them too it's even > better! I agree, software vendors can prosecute world-wide thanks to strong copyright laws, they have a big interest in doing so, and lots of resources, and they have much higher chances of success than ISPs, as copyright laws are so strong respect to anti-spam laws. But for some reason the idea of automatic reporting to vendors incorporated in spamcop but the deputies didn't think it was a good idea. Ivan. From nobody at spamcop.net Thu Jun 3 15:10:56 2004 From: nobody at spamcop.net (Firewoman) Date: Thu Jun 3 14:10:03 2004 Subject: [SpamCop-List] Re: Marjolein's current travel blog References: Message-ID: "Mike Easter" wrote in message news:c9nm4t$384$1@news.spamcop.net... > No, now I like it a *lot* better! > > Setting: swimming pool, Jason 10 hands covering eyes, Paige 15 nearby > > Jason: Marco! > Paige: Ralph Lauren > Jason: Marco! > Paige: Ralph Lauren > Jason: You're supposed to say 'Polo' > Paige: What's the difference? > > > > -- > Mike Easter > kibitzer, not SC admin I was just trying to get ya to say "polo" (or Ralph Lauren) ;) From MikeE at ster.invalid Thu Jun 3 12:34:58 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jun 3 14:40:07 2004 Subject: [SpamCop-List] Re: Marjolein's current travel blog References: Message-ID: Firewoman wrote: > I was just trying to get ya to say "polo" (or Ralph Lauren) ;) Yabbut, now that I /like/ the joke/cartoon, I wanted to tell it! Of course, that cartoon tells you a little bit about where Bill Amend's 'mind is at' - the joke now strikes me as a satire on copyright/trademark issues - and Paige, queen of the mall, is perhaps jaded a bit beyond her tender 15 years. Amend assumes that we all know or agree that trademark/copyright issues are way overboard and a complete disaster, and that we've been keeping up with them and haven't forgotten Polo Ralph Lauren's aggressive stance over the years. [Ralph Lauren started making Polo ties back in 1967.] Amend, 42, was an Eagle Scout, president of his hs math club, honors graduate in physics from Amherst, and founder of an Amherst weekly alternative campus newspaper. Of course he's had a lot of publications of his cartoons. Pic http://images.amuniversal.com/ups/features/foxtrot/amend_bill_180.jpg -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Fri Jun 4 08:32:33 2004 From: nobody at devnull.spamcop.net (brewman) Date: Thu Jun 3 15:30:02 2004 Subject: [SpamCop-List] Re: What am I missing? References: <40BCC67C.9000600@spamcop.net> <40BDF6A3.3030805@spamcop.net> <40BE33F6.907@spamcop.net> Message-ID: "Blammo" wrote in message > >>>>Spamming isn't a crime. > > > > In the U.S., if it comes with a forged header it is a crime. I can't > > remember the last time > > I got spam that didn't have a forged header. > > > > Oh, that's perfect logic, that makes all junk mail spam, all junk mailers > spammers, all spammers criminals, all links in junk mail illegal sites that > noone should be allowed to visit. I'm so pleased to have people like you > making laws to protect me from myself. Ummmm. I don't follow your logic. It seems to me too that most of my spam has forged headers. For the last few weeks, around 98% of the spam I see has forged headers. In fact, the spam wasn't addressed to me directly; it is bouncing back from the intended recipients to ME because the spammer FORGED MY DOMAIN IN THE REPLY FIELD . Now, am I WRONG to want SOMEONE to do SOMETHING about THESE PEOPLE USING MY DOMAIN NAME WITHOUT MY PERMISSION? If all the spam with forged headers was stopped, I for one would be very happy. Is there such a thing as 'legitimate' spam? I'm too busy fighting the 'illegitimate' (I think there's a word for that ) spam to care. -- Brewman Brewman.SpamCop@brycom.cX.nX which really ends with dot co dot nz From mrichter at cpl.net Thu Jun 3 13:36:14 2004 From: mrichter at cpl.net (Mike Richter) Date: Thu Jun 3 15:40:02 2004 Subject: [SpamCop-List] Re: Ignoring more than 4 user-notify addresses In-Reply-To: References: Message-ID: eddie wrote: > On Thu, 03 Jun 2004 11:21:32 +0900, Patto scratched out the following: > > snip > >>Suggestion: couldn't SpamCop just send the first 4, then just ignore the >>excessive one(s)? > > > Yes, and better, why not change the default number to 6 or 8? > It's not as if we are abusing something. A typical report regarding > pirated software takes over 4 additional reports if you copy siia.net and > bsa.org. > But it's still ridiculous (and a bit childish :) ) to punish us for > putting more than 4, by deleting all of them. This was discussed in several threads in the past week. The limit was imposed because of all the false links the spammers are throwing in. Something needs to be done, but any number will be insufficient. The consensus on the earlier threads was that the logic should stay the same, but if one exceeds the limit, the first four will be reported. As a corollary, there should never be more than four reporting addresses returned for a single-line query. Mike -- mrichter@cpl.net http://www.mrichter.com/ From nobody at spamcop.net Thu Jun 3 15:37:06 2004 From: nobody at spamcop.net (Miss Betsy) Date: Thu Jun 3 15:40:12 2004 Subject: [SpamCop-List] Re: What am I missing? References: <40BCC67C.9000600@spamcop.net> <40BDF6A3.3030805@spamcop.net> <40BE33F6.907@spamcop.net> Message-ID: "Blammo" wrote in message news:Xns94FD4E34B6D6Fblammo@216.154.195.61... > > Oh, that's perfect logic, that makes all junk mail spam, all junk mailers > spammers, all spammers criminals, all links in junk mail illegal sites that > noone should be allowed to visit. I'm so pleased to have people like you > making laws to protect me from myself. Nobody says that you can't visit those sites. It may become a problem like not being able to get a taxi driver to take you to a certain section of town, but right now if you want to visit those sites and buy the herbal remedies and look at the pictures of enlarged body members or whatever, you are perfectly free to do so. You can even get all the emails you want from those sites if you sign up with an ISP who doesn't use spamfilters. However, many people are tricked into going to those sites by inadvertently opening a spam. Many more people don't want any email from junk emailers whether or not they would be interested in those sites if they found them through a search engine. Those people want spam filtering and spamvertized site blocking. It has nothing to do with whether the sites themselves are selling illegal products using marginally legal methods (or openly illegal methods) or any combination you want to choose. Generally forging (or misrepresenting yourself) is considered a crime. Those who want to be anonymous are not misrepresenting themselves as being someone they are not. And while we still wear masks on Halloween and Mardi Gras and think it is just fun, the wearing of masks has to be in a certain context, in order to be considered 'harmless.' As my mother used to say, "name three forgeries that are not considered crimes or unethical practice even if allowed by law" If the purveyors of those spamvertized sites allowed me my rights to not be forced to deal with their ads, then they could exist without any attempt on my part to block access to them. It is not criminal behavior, but it is the kind of behavior that leads to the need to restrict the offending party. The fact that mostly criminals or unethical people are still sending spam may not make the actual act 'criminal,' but it certainly puts spam outside the boundaries where most people want to go. Miss Betsy From nobody at devnull.spamcop.net Fri Jun 4 10:36:52 2004 From: nobody at devnull.spamcop.net (brewman) Date: Thu Jun 3 17:35:03 2004 Subject: [SpamCop-List] www.spamcop.net/mky-proxies.html has broken link Message-ID: FYI Just been reading a report for a bit of light reading, and notice that http://www.spamcop.net/mky-proxies.html , link "spam trojan" = http://www.spamcop.net/fom-serve/cache/proxy.htm#trojans gives 404. Tried a few times; no go. -- Brewman Brewman.SpamCop@brycom.cX.nX which really ends with dot co dot nz From nobody at spamcop.net Thu Jun 3 18:46:07 2004 From: nobody at spamcop.net (indigo) Date: Thu Jun 3 17:50:10 2004 Subject: [SpamCop-List] Re: Compromised computer(s) or Yahoo account? References: Message-ID: Mike Easter wrote: > > That's possible, of course......but the weird thing is only my home > > comcast addy and my yahoo addy are visible (of course I can't see if > > there were BCC's). There were two others from this May besides that > > one from December, but that's all -- total of 3, all "forwards" > > from/to myself. > > Well, I don't think it is very important what a From or a To say. I > only think it matters if you received it somewhere and what's the > analysis of 'how' it was sent. In this case you are saying you have > or had a copy of having received it [I presume] Nope. I forgot to mention that (or did I?). I searched my spampal folder and those spams were not there (and they weren't in my inbox or deleted mail folders). Of course Comcast may have filtered them before they got to my home account, but who knows. From the amount of spam I get at home I doubt they're doing much filtering. May I confuse you any further? ;-) From nobody at spamcop.net Thu Jun 3 18:47:03 2004 From: nobody at spamcop.net (indigo) Date: Thu Jun 3 17:50:37 2004 Subject: [SpamCop-List] Re: Compromised computer(s) or Yahoo account? References: Message-ID: brewman wrote: > > I've been half-reading this thread, and suddenly had a thought - > is it possible (he says, walking down street with blindfold on > and open manhole in front of him) that you just dragged some spam > from your 'inbox' by mistake and dropped it in the 'sent' box? > But it wouldn't show up as a forward then, would it? From MikeE at ster.invalid Thu Jun 3 15:48:44 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jun 3 17:50:43 2004 Subject: [SpamCop-List] Re: www.spamcop.net/mky-proxies.html has broken link References: Message-ID: "brewman" > Just been reading a report for a bit of light reading, and notice that > http://www.spamcop.net/mky-proxies.html , link "spam trojan" = > http://www.spamcop.net/fom-serve/cache/proxy.htm#trojans > gives 404. Tried a few times; no go. At the top of that page it sez: "This is a copy of a page once found on a now-defunct site, spamlinks.net. SpamLinks RIP." and I think some of the links are/were redirectors to spamlinks pages, altho' that one might not have been. However, the good news is, that I learned in alt.spam a little over a week ago, is that spamlinks *LIVES* in its mirrors, which can be found at Mark G wrote: > http://spamlinks.openrbl.org/spamlinks.htm still works. dyn-o-mite! I also see there're these add'l mirrors: Spam Links mirrors @ OpenRBL, DNSLife, Westdam, CerealKiller, NTek, Sysadmin.info http://spamlinks.dnslife.com/ http://westdam.com/spamlinks/ http://spamlinks.cerealkiller.org/ http://spamlinks.ntek.tk/ http://sysadmin.info/spamlinks/ ...and the section on spam trojans at spamlinks can be found here http://spamlinks.openrbl.org/proxy.htm#trojans -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Thu Jun 3 15:51:53 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jun 3 17:55:03 2004 Subject: [SpamCop-List] Re: Compromised computer(s) or Yahoo account? References: Message-ID: indigo wrote: > brewman wrote: >> dragged some spam >> from your 'inbox' by mistake and dropped it in the 'sent' box? > > But it wouldn't show up as a forward then, would it? It would if it were so configured from the gitgo. -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Thu Jun 3 18:51:23 2004 From: nobody at spamcop.net (indigo) Date: Thu Jun 3 17:55:16 2004 Subject: [SpamCop-List] Re: [media] "When Software Fails to Stop Spam, It's Time to Bring In the Detectives" References: Message-ID: Mike Easter wrote: Actually, most > people/recipients don't even have a free .ppt viewer, I would say. > Speaking only of business email (I can't recall ever getting a .ppt file from a friend except for those Xmas thingies you mentioned) everyone I work with (all the companies) are MS Office based because that's what NASA (and probably the entire US government) uses and demands. From nobody at spamcop.net Thu Jun 3 18:53:44 2004 From: nobody at spamcop.net (indigo) Date: Thu Jun 3 17:55:23 2004 Subject: [SpamCop-List] Re: [media] "When Software Fails to Stop Spam, It's Time to Bring In the Detectives" References: Message-ID: Ant wrote: > Another problem with MS Office docs is that they can retain all > editing changes. This is particularly bad with Excel 97 spreadsheets > with embedded objects and macros which undergo frequent modification. > Even saving as a new file does not remove the deleted items. Ah, the dreaded "quick save" effect.....learned about that years ago when a document several of us were working on kept growing in size by leaps and bounds as images were added and (we thought) deleted during the editing process. From nobody at spamcop.net Thu Jun 3 19:00:20 2004 From: nobody at spamcop.net (indigo) Date: Thu Jun 3 18:05:08 2004 Subject: [SpamCop-List] Re: Maybe OT: Spyhunter/Lavasoft [a small test] References: Message-ID: WazoO wrote: > "Annie" wrote in message > news:c9lo7k$e8n$1@news.spamcop.net... > > "indigo" wrote in message > > news:c9lij3$979$1@news.spamcop.net... > > > AND had my browser page > > > > hijacked, even though I had a "lock" on it! > > > > > > Ever try SpamGuard? It's stopped every hijack attempt since I > > > installed it. > > > > What is the SpamGuard? > > Something a bit like Google, but different And it smells like baked beans ;-) Annie, hint: Google "Spamguard" and look for....oh, why don't I just be nice....oopsie....it's called SpywareGuard, not SpamGuard! (brain fart, my bad) http://www.javacoolsoftware.com/spywareguard.html You might want to take a look at SpywareBlaster while you're at it. I use both. From nobody at spamcop.net Thu Jun 3 19:31:07 2004 From: nobody at spamcop.net (Maxx Excaliber) Date: Thu Jun 3 18:35:03 2004 Subject: [SpamCop-List] Re: "SpamCop encountered errors" References: Message-ID: On Sat, 29 May 2004 16:41:40 -0400, Maxx Excaliber wrote: > On Sat, 29 May 2004 13:00:39 -0500, WazoO wrote: > > >> Minor detail, but JT is the guy for the e-mail side of the >> house, and his wishes are that e-mail issues be supported over in the >> Forums ... I don't see a post there from you. >> > True. I've reported this problem before and Don has all but said that it > was a reporting-side issue, so I didn't see the sense in posting it to the > fora. :-) >> >> Errors could be from the reporting side, could be from the spams >> themselves, and without something to go on, and the lack of so many >> others currently hoisting the flag of "everything sucks" ... not sure >> what I'm supposed to advise JT of specifically. Perhaps pop a sample of >> one of the "issue" spams over in .spam to offer an example of what won't >> parse? >> > Two problems -- First, I was reporting over 1300 spams and really have no > idea which ones it didn't like. Second, I use quick-reporting which is > really "report and delete." I, for one, don't feel like going through and > trying to figure out which of the trashed spam messages were the "bad" > ones and which were "good." > > I'll post one of the "spamcop encountered errors" messages there though. Forgot to post a sample "error" message... here it is now: Return-Path: <"spamid."@bounces.spamcop.net> Delivered-To: spamcop-net-mrmaxx@spamcop.net Received: (qmail 6420 invoked from network); 2 Jun 2004 18:40:20 -0000 Received: from unknown (192.168.1.101) by blade2.cesmail.net with QMQP; 2 Jun 2004 18:40:20 -0000 Received: from vmx2.spamcop.net (206.14.107.117) by mailgate.cesmail.net with SMTP; 2 Jun 2004 18:40:20 -0000 Received: from sc-app1.verio.ironport.com (HELO spamcop.net) (192.168.11.201) by vmx2.spamcop.net with SMTP; 02 Jun 2004 11:43:20 -0700 From: SpamCop AutoResponder To: mrmaxx@spamcop.net Subject: SpamCop encountered errors Date: Wed, 02 Jun 2004 18:40:19 GMT Message-ID: Content-type: text/plain In-Reply-To: <20040602143851.0ku7okw8wck408wo@webmail.spamcop.net> References: <20040602143851.0ku7okw8wck408wo@webmail.spamcop.net> X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on blade2.cesmail.net X-Spam-Level: X-Spam-Status: hits=-100.0 tests=USER_IN_WHITELIST version=2.63 X-SpamCop-Checked: 192.168.1.101 206.14.107.117 192.168.11.201 Status: R X-Status: N X-KMail-EncryptionState: X-KMail-SignatureState: SpamCop encountered errors while saving spam for processing: SpamCop could not find your spam message in this email: Received: from vmx2.spamcop.net (sc-smtp2.verio.ironport.com [192.168.12.80]) by sc-app1.verio.ironport.com (Postfix) with ESMTP id 7DF14A674DF for ; Wed, 2 Jun 2004 11:38:54 -0700 (PDT) Received: from c60.cesmail.net (216.154.195.49) by vmx2.spamcop.net with ESMTP; 02 Jun 2004 11:41:54 -0700 Received: from unknown (192.168.1.30) by c60.cesmail.net with QMQP; 02 Jun 2004 14:38:51 -0400 Message-ID: <20040602143851.0ku7okw8wck408wo@webmail.spamcop.net> Date: Wed, 2 Jun 2004 14:38:51 -0400 To: ver.mrmaxx+spamcop.net-1086201531-24449287dcd9432a4389e498ba232ba9@spam.spamcop.net From: Maxx Excaliber Subject: Spam Report from mrmaxx@spamcop.net MIME-Version: 1.0 Content-Type: message/rfc822 User-Agent: Internet Messaging Program (IMP) 4.0-cvs The email which triggered this auto-response had the following headers: Received: from vmx2.spamcop.net (sc-smtp2.verio.ironport.com [192.168.12.80]) by sc-app1.verio.ironport.com (Postfix) with ESMTP id 7DF14A674DF for ; Wed, 2 Jun 2004 11:38:54 -0700 (PDT) Received: from c60.cesmail.net (216.154.195.49) by vmx2.spamcop.net with ESMTP; 02 Jun 2004 11:41:54 -0700 Received: from unknown (192.168.1.30) by c60.cesmail.net with QMQP; 02 Jun 2004 14:38:51 -0400 Message-ID: <20040602143851.0ku7okw8wck408wo@webmail.spamcop.net> Date: Wed, 2 Jun 2004 14:38:51 -0400 To: ver.mrmaxx+spamcop.net-1086201531-24449287dcd9432a4389e498ba232ba9@spam.spamcop.net From: Maxx Excaliber Subject: Spam Report from mrmaxx@spamcop.net MIME-Version: 1.0 Content-Type: message/rfc822 User-Agent: Internet Messaging Program (IMP) 4.0-cvs -- Maxx Excaliber mrmaxx@spamcop.net Just a user, NOT an Admin/Deputy From nobody at devnull.spamcop.net Thu Jun 3 18:51:39 2004 From: nobody at devnull.spamcop.net (WazoO) Date: Thu Jun 3 18:55:03 2004 Subject: [SpamCop-List] Re: [media] "When Software Fails to Stop Spam, It's Time to Bring In the Detectives" References: Message-ID: "indigo" wrote in message news:c9o6j7$ifq$1@news.spamcop.net... > > Speaking only of business email (I can't recall ever getting a .ppt file > from a friend except for those Xmas thingies you mentioned) everyone I work > with (all the companies) are MS Office based because that's what NASA (and > probably the entire US government) uses and demands. Along that line, I think the last one I received was from an old Army buddy, working as a contractor down there. He'd sent out a presentation showing divers doing a recovery of some of the booster rockets. Quite impressive, but as he got so many complaints and "what the hell is this" queries that he didn't do that again From nobody at spamcop.net Thu Jun 3 19:54:07 2004 From: nobody at spamcop.net (indigo) Date: Thu Jun 3 19:00:04 2004 Subject: [SpamCop-List] Re: [media] "When Software Fails to Stop Spam, It's Time to Bring In the Detectives" References: Message-ID: WazoO wrote: > > Along that line, I think the last one I received was from an > old Army buddy, working as a contractor down there. He'd > sent out a presentation showing divers doing a recovery of > some of the booster rockets. Quite impressive, but as he > got so many complaints and "what the hell is this" queries > that he didn't do that again Heh. Now that you remind me I still have something like that stashed around here somewhere.....a female model nude golf calender-thingie slideshow ;-) From nobody at devnull.spamcop.net Fri Jun 4 11:59:47 2004 From: nobody at devnull.spamcop.net (brewman) Date: Thu Jun 3 19:00:16 2004 Subject: [SpamCop-List] Re: Compromised computer(s) or Yahoo account? References: Message-ID: "Mike Easter" > It would if it were so configured from the gitgo. "gitgo"? That's a word I've never come across before, and I have a large vocabulary (yes, I tried out some of those spamvertised pills - you'd be amazed what you can enlarge ;-) My initial thought was some acronym equivalent to 'program options'. I then started looking and my search came up with 3 'areas' - Carpet cleaning (Gunk, Ink, Tar, Grease, Oil) - A word that I deduce from its usage is synonymous with 'start' - An association with vocabulary that my delicate ears would rather not hear (Flat Stanley album). Applying my IMNSHO astonishing powers of deduction, I presume, from the lack of reference to sexual behaviour and (or maybe on?) carpets, that the middle one applies? -- Brewman Brewman.SpamCop@brycom.cX.nX which really ends with dot co dot nz From MikeE at ster.invalid Thu Jun 3 17:09:53 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jun 3 19:15:02 2004 Subject: [SpamCop-List] Re: Compromised computer(s) or Yahoo account? References: Message-ID: brewman wrote: > "Mike Easter" >> It would if it were so configured from the gitgo. > - A word that I deduce from its usage is synonymous with 'start' > that the middle one applies? Correcto-mundo. My dictionary and google perusal tells me that it appears as spelled in that context in some sites found by googling; but that the dictionaries Encarta, MW, & InfoPlease want to change it, first from gitgo to getgo and then to get-go. Encarta/MW/InfoPlease resp. below get-go or get?go / noun / beginning: the very beginning of something ( informal ) I knew from the get-go this thing wasn't going to work. Main Entry: git-go variant of GET-GO Function: noun : the very beginning -- used in the phrase from the get-go git-go -n. Dial. 1. start; beginning: to work hard from the git-go. 2. pep; energy; get-up-and-go. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Thu Jun 3 17:14:35 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jun 3 19:20:03 2004 Subject: [SpamCop-List] Re: Compromised computer(s) or Yahoo account? References: Message-ID: In Texas, we also say "Git!" to mean Go! or Shoo! or Get outa' here! or even in the Giddyup! context, as in "Head 'em up, move 'em out!" -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Thu Jun 3 17:23:29 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jun 3 19:25:03 2004 Subject: [SpamCop-List] Re: Compromised computer(s) or Yahoo account? References: Message-ID: brewman wrote: > - An association with vocabulary that my delicate ears would rather > not hear (Flat Stanley album). The Flat Stanley context is also correct, "F*cked From Th' Gitgo" ... contextually correct, not necessarily correct 'mannerly'. Gitgo is not some kind of Steely Dan in this context, but 'from the beginning'. -- Mike Easter kibitzer, not SC admin From not at home.today Fri Jun 4 01:39:37 2004 From: not at home.today (Ant) Date: Thu Jun 3 19:45:03 2004 Subject: [SpamCop-List] Re: [media] "When Software Fails to Stop Spam, It's Time to Bring In the Detectives" References: Message-ID: "indigo" wrote... > Ant wrote: >> Another problem with MS Office docs is that they can retain all >> editing changes. This is particularly bad with Excel 97 spreadsheets >> with embedded objects and macros which undergo frequent modification. >> Even saving as a new file does not remove the deleted items. > > Ah, the dreaded "quick save" effect.....learned about that years ago when a > document several of us were working on kept growing in size by leaps and > bounds as images were added and (we thought) deleted during the editing > process. In this case that wasn't the problem. If you write VBA macros to create and then delete objects (controls, shapes, etc.), the deleted objects stay in the spreadsheet however Excel's configured (I can't remember if it has qick save). I think this behaviour may have been fixed in a later version. I found the only way to reduce a bloated .xls file was to copy each worksheet into a new workbook, export the macros as text files, and then import them. From nobody at xyzzy.claranet.de Fri Jun 4 03:07:14 2004 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Thu Jun 3 20:10:03 2004 Subject: [SpamCop-List] Re: Spammer Letter to SpamCop References: <40B69162.2C0C9DC2@spamcop.net> <40BC9298.D25FBBB2@spamcop.net> <40BDD3F1.5333@xyzzy.claranet.de> <40BF46F9.DA103D0A@devnull.spamcop.net> Message-ID: <40BFBD32.677A@xyzzy.claranet.de> Nobody wrote: > My reader client is, yes, Netscape 4.75 "Better" than my "Mozilla 3.0" (with a Netscape 2.02 GUI over a 3.x engine) - and still perfect for my small box. I love to be "smarter" than my software... ;-) Bye, Frank From ob1db at spamcop.net Thu Jun 3 21:10:34 2004 From: ob1db at spamcop.net (David Butler) Date: Thu Jun 3 20:15:07 2004 Subject: [SpamCop-List] Re: Nameserver notification References: Message-ID: "Mike Easter" wrote in message news:c9ig47$gh0$1@news.spamcop.net... > I'll discuss one notify from a generic point of view > www.spamcop.net/sc?id=z507657224z1f27f0d98e7f5e43bb9c0c54bab5a025z > > The links were... > > Resolving link obfuscation > http://ctxeswdtbtyqsr.spraut.biz > host 61.183.59.113 (getting name) no name > http://qwdpquqbrlgkbl.spraut.biz > host 61.183.59.113 (getting name) no name > http://wtsvyqcryzv.spraut.biz > host 61.183.59.113 (getting name) no name > http://syknyjdhgo.spraut.biz > host 61.183.59.113 (getting name) no name > http://gefrbbagdaa.spraut.biz > host 61.183.59.113 (getting name) no name > Good news: they were shut down! Time to look up spraut.biz A record Generated by www.DNSstuff.com at 00:07:26 GMT on 04 Jun 2004. Searching for A record for spraut.biz at c.root-servers.net: Got referral to C.GTLD.biz. [took 48 ms] Searching for A record for spraut.biz at C.GTLD.biz.: Got referral to NS1.SUSPENDED-FOR.SPAM-AND-ABUSE.COM. [took 96 ms] [Had to look up A record for NS1.SUSPENDED-FOR.SPAM-AND-ABUSE.COM.; assume 200ms] Searching for A record for spraut.biz at NS1.SUSPENDED-FOR.SPAM-AND-ABUSE.COM.: Timed out. Trying again. Searching for A record for spraut.biz at NS2.SUSPENDED-FOR.SPAM-AND-ABUSE.COM.: Timed out. Trying again. Searching for A record for spraut.biz at NS1.SUSPENDED-FOR.SPAM-AND-ABUSE.COM.: Timed out. Trying again. Searching for A record for spraut.biz at NS2.SUSPENDED-FOR.SPAM-AND-ABUSE.COM.: Timed out. Trying again. Searching for A record for spraut.biz at NS2.SUSPENDED-FOR.SPAM-AND-ABUSE.COM.: Timed out. Trying again. Searching for A record for spraut.biz at NS2.SUSPENDED-FOR.SPAM-AND-ABUSE.COM.: Timed out. Trying again. From nobody at xyzzy.claranet.de Fri Jun 4 03:18:55 2004 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Thu Jun 3 20:20:07 2004 Subject: [SpamCop-List] Re: How long does it take a white hat ISP to shut someone down? References: Message-ID: <40BFBFEF.58ED@xyzzy.claranet.de> brewman wrote: > When I sent the second one I also cc:ed > (hostmaster@arin.net, noc@arin.net). That's IMHO nonsense, unless you have a problem with IPwhois data for an ARIN IP. > How should it take a white hat ISP to shut down a spammer > (once notified)? Is over 22 hours quick/slow/usual? Very quick. > What should be done about escalation? Find an error in the whois / ipwhois data and submit it to RFCI + report it via ICANN's WDPRS, if it's about a gTLD. > When should I go 'up' an ARIN level? See above. Don't confuse spam and whois data problems. Bye. From MissAnnie at nospam.invalid Thu Jun 3 21:33:33 2004 From: MissAnnie at nospam.invalid (Annie) Date: Thu Jun 3 20:35:03 2004 Subject: [SpamCop-List] Re: any feedback to SpamCop to from FTC reporting? References: <2if3p1-rrk.ln1@gecko.LAN> Message-ID: wrote in message news:c9nen2$r7p$1@news.spamcop.net... > I forward all my SpamCop reports to uce@ftc.gov right from my mail > client (I'm using MS Outlook 2000, and the SpammerSlammer VBA code > located at http://www.hillscapital.com/spammerslammer.zip). > > The VBA code formats the spam reports such that they meet SpamCop's > requirements, and the FTC's requirements, as well as the requirements > of several other spam-reporting entities. When I click the 'Report As > Spam' button, the reports get sent to all of these spam-reporting > entities at once. > I tried to unzip your Spammerslammer but there is an unknown compression method that my proggie can't deal with. -- ```````````````` MissAnnie From MikeE at ster.invalid Thu Jun 3 18:41:36 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jun 3 20:45:06 2004 Subject: [SpamCop-List] Re: any feedback to SpamCop to from FTC reporting? References: <2if3p1-rrk.ln1@gecko.LAN> Message-ID: Annie wrote: > I tried to unzip your Spammerslammer but there is an unknown > compression method that my proggie can't deal with. I saw that with a primitive version of ZipMagic I happened to be using, but I pulled out a different unzipper and had no problem I wondered about what 'version' or something of the zip format might have been involved, but the unzipper which worked and had a 'properties' section didn't tell me anything informative. I expect that you may be using something old and similar to my ZipMagic that is just kinda outdated. Look around a little bit, there are plenty of free unzippers, many of which have other decoding and decompressing functions which are useful -- Mike Easter kibitzer, not SC admin From MissAnnie at nospam.invalid Thu Jun 3 21:47:35 2004 From: MissAnnie at nospam.invalid (Annie) Date: Thu Jun 3 20:50:03 2004 Subject: [SpamCop-List] Re: letting my isp deal with the load References: Message-ID: "KronaTech" wrote in message news:c9nftp$sie$1@news.spamcop.net... > > For people who are not seeing the impact of the BL, I imagine it must be > very frustrating, simply reporting because it's the right thing to do and > rarely seeing any results. If your ISPs or mail servers were to incorporate > the BL into their engines your spam would be reduced by a huge percentage. > > I have always used the BL and it's what brought me to spamcop (it was > already in use by default on the mail servers I installed), so its difficult > for me to understand what it's like to be receiving spam in quite that > magnitude. The most spam I see reach my mailbox in a day is measured in > dozens (and always via my hotmail accounts). I don't know what it's like to > be completely overwhelmed with it as some of you are. > > It's unfortunate that so many of your ISPs are not using the BL (spamcop or > others). > My spam problem is not my ISPs problem. I have one email account with them that is filtered. They do a nice job. My business account I do not allow them to filter because I depend on email orders for my online small business. I run spam pal when I download directly into Outllook or I use Mail Washer Pro and send them to Spam Cop for reporting. When I use Spam Pal on the business account I send any untagged spam directly to my ISP spam abuse desk. They in turn can blacklist the new spam and improve their filters. The problem is the spammers are picking up my business account address posted on my web page and hammering me with their trash. I may have to quit reporting to spam cop if I can't find a batch method of dealing with it. As it is I am spending 2 hours every morning to just wade through the morning download and report it all to Spam Cop one at a time. I also report smaller batches throughout the day. It is a cycle I can't keep up with much longer. I am not getting my day job work done. I may have to just filter it and delete it. -- ```````````````` MissAnnie From MissAnnie at nospam.invalid Thu Jun 3 21:58:47 2004 From: MissAnnie at nospam.invalid (Annie) Date: Thu Jun 3 21:00:03 2004 Subject: [SpamCop-List] Re: any feedback to SpamCop to from FTC reporting? References: <2if3p1-rrk.ln1@gecko.LAN> Message-ID: "Mike Easter" wrote in message news:c9ogh5$rgp$1@news.spamcop.net... > > I expect that you may be using something old and similar to my ZipMagic > that is just kinda outdated. Look around a little bit, there are plenty > of free unzippers, many of which have other decoding and decompressing > functions which are useful > Yep, an old version of ZipIt [Quarderdeck] from one of the Norton System Works utility packages, several years ago. I love that program. It is so slick and easy with a right click menu zip and unzip. I checked, the version is 4.01. They are still promoting 4.0 on the internet. Don't know if there is a newer version. http://www.nitro-computers.co.uk/Software_Utilities/Symantec_Quarterdeck%2520Zip-It%25204.0.html -- ```````````````` MissAnnie From MikeE at ster.invalid Thu Jun 3 19:34:46 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jun 3 21:40:03 2004 Subject: [SpamCop-List] Re: letting my isp deal with the load References: Message-ID: Annie wrote: > The problem is the > spammers are picking up my business account address posted on my web > page and hammering me with their trash. That sounds like something that isn't configured properly; like a naked mailto: or something. > I am spending 2 hours every morning to just wade through the > morning download and report it all to Spam Cop one at a time. Somehow you have to get configured so that the spamfighting part is 'fun' and you aren't spending too much time doing something that isn't. Everything isn't roses, but there has to be a balance. -- Mike Easter kibitzer, not SC admin From nospam at bisusa.com Thu Jun 3 22:10:20 2004 From: nospam at bisusa.com (JerryMouse) Date: Thu Jun 3 22:15:06 2004 Subject: [SpamCop-List] Re: letting my isp deal with the load References: Message-ID: Annie wrote: > I may have to quit reporting > to spam cop if I can't find a batch method of dealing with it. SpamSource. Free. One-button click to send a wad of spam to SpamCop. MailWasher also provides a check-box for forwarding to SpamCop. From pobox.spamcop at kronatech.net Thu Jun 3 20:50:05 2004 From: pobox.spamcop at kronatech.net (KronaTech) Date: Thu Jun 3 22:50:02 2004 Subject: [SpamCop-List] Re: letting my isp deal with the load References: Message-ID: "Annie" wrote in message news:c9ogqc$roo$1@news.spamcop.net... > My spam problem is not my ISPs problem. I have one email account with them > that is filtered. They do a nice job. My business account I do not allow > them to filter because I depend on email orders for my online small > business. There is the option of running your own mail server box, if you're willing to go the extra mile to stop the spam. If you want to consider it but don't know how a server works, there are at least two of us who are windows mail server admins who can send some help/advice your way if/when you need it (the two I know of being D. Diaz and myself - although there are some exchange admins floating around also). -K From HHAnderson at hotmail.com Thu Jun 3 23:38:34 2004 From: HHAnderson at hotmail.com (Bud Anderson) Date: Fri Jun 4 00:40:30 2004 Subject: [SpamCop-List] Recursive links Message-ID: The Spam with this subject in .spam resulted in the following result from spamcop and the spam website was not determined when it was first submitted to SC via the website submission page because of recursive links. http://www.spamcop.net/sc?id=z510183329z95bcc4fb7d05bf7a8942c69ccdd12b69z When I clicked the same referenced link again, it was determined properly as www.justonepill.biz as it should be with no mention of recursive links. Also when I had submitted it earlier it showed many recursive links that were not at justonepill.biz but resolved the proper spam website in its list of addresses to report to. Over the last few days I've gotten a number of these. What's going on? Bud From baloo at ursine.ca Thu Jun 3 23:10:08 2004 From: baloo at ursine.ca (Paul Johnson) Date: Fri Jun 4 01:20:03 2004 Subject: [SpamCop-List] Re: letting my isp deal with the load References: Message-ID: <87n03j52of.fsf@ursine.ca> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 "KronaTech" writes: > "Annie" wrote in message > news:c9ogqc$roo$1@news.spamcop.net... > >> My spam problem is not my ISPs problem. I have one email account with them >> that is filtered. They do a nice job. My business account I do not allow >> them to filter because I depend on email orders for my online small >> business. > > There is the option of running your own mail server box, if you're willing > to go the extra mile to stop the spam. That's ultimately the best method, since it gives you the most control and you can dole out accounts to other people who would appreciate similar features. > If you want to consider it but don't know how a server works, there > are at least two of us who are windows mail server admins who can > send some help/advice your way if/when you need it (the two I know > of being D. Diaz and myself - although there are some exchange > admins floating around also). Though there's the question of whether it's even as smart as handing an 8-year-old to a paedophile to use a notoriously buggy OS in any role other than a desktop workstation on a trusted network... - -- Paul Johnson Linux. You can find a worse OS, but it costs more. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFAwAQwUzgNqloQMwcRAnRxAKDR9OYComjySJc3j+6vE9JYctcIMwCdENTI g7LI/RvsFOZIa/glWrQAmao= =iapC -----END PGP SIGNATURE----- From bud at telus.net Thu Jun 3 23:42:55 2004 From: bud at telus.net (Bud) Date: Fri Jun 4 01:45:03 2004 Subject: [SpamCop-List] How to be a spammer for US1200.00 Message-ID: <40C00BDF.1C8C964B@telus.net> http://www.spamcop.net/sc?id=z510216095z354a381eece2b77a6e47ca92bc1d561cz Wish I had a URL, I'd leave *Fried Spam* running overnight. Bud From DougThegarden at hotmail.com Fri Jun 4 08:14:51 2004 From: DougThegarden at hotmail.com (Doug Thegarden) Date: Fri Jun 4 02:20:03 2004 Subject: [SpamCop-List] Re: letting my isp deal with the load References: Message-ID: Annie wrote: > > My spam problem is not my ISPs problem. I have one email account with them > that is filtered. They do a nice job. My business account I do not allow > them to filter because I depend on email orders for my online small > business. I run spam pal when I download directly into Outllook or I use > Mail Washer Pro and send them to Spam Cop for reporting. When I use Spam > Pal on the business account I send any untagged spam directly to my ISP spam > abuse desk. They in turn can blacklist the new spam and improve their > filters. The problem is the spammers are picking up my business account > address posted on my web page and hammering me with their trash. I may have > to quit reporting to spam cop if I can't find a batch method of dealing with > it. As it is I am spending 2 hours every morning to just wade through the > morning download and report it all to Spam Cop one at a time. I also report > smaller batches throughout the day. It is a cycle I can't keep up with much > longer. I am not getting my day job work done. I may have to just filter it > and delete it. Have you come across Wpoison? I have it installed on my website and so far have very little spam traffic on the address there despite it being up for a couple of years. The gurus here probably have views on it but it seems to work for me (and I hope if it does what it says, is causing the spambots some grief) http://www.monkeys.com/wpoison/ Doug From pobox.spamcop at kronatech.net Fri Jun 4 00:59:21 2004 From: pobox.spamcop at kronatech.net (KronaTech) Date: Fri Jun 4 03:00:04 2004 Subject: [SpamCop-List] Re: letting my isp deal with the load References: <87n03j52of.fsf@ursine.ca> Message-ID: "Paul Johnson" wrote in message news:87n03j52of.fsf@ursine.ca... > Though there's the question of whether it's even as smart as handing > an 8-year-old to a paedophile to use a notoriously buggy OS in any > role other than a desktop workstation on a trusted network... Yes. Good advice from Paul. You should stay away from Linux. =8) -K From Anonym at us.comm Fri Jun 4 01:35:07 2004 From: Anonym at us.comm (Anonym@us.comm) Date: Fri Jun 4 03:40:03 2004 Subject: [SpamCop-List] Re: How to be a spammer for US1200.00 References: <40C00BDF.1C8C964B@telus.net> Message-ID: "Bud" wrote in message news:40C00BDF.1C8C964B@telus.net... > http://www.spamcop.net/sc?id=z510216095z354a381eece2b77a6e47ca92bc1d561cz > > Wish I had a URL, I'd leave *Fried Spam* running overnight. Only overnight? That's only, what, about 30,000 hits to their website? I don't stop until the website is gone... I've hit some over a million times with FriedSpam before they went away. I'm hitting 3 right now... got about 250,000 hits on them (had to reboot today, installed a program update which required a reboot, so my count started over at 0 after I rebooted. It was almost 250,000 before the reboot.). Of course, I run through an anonymous proxy rotator, so the spammers can't discover my IP address... helps to cut down on the DDoS's and hacking of this computer. It slows down the hammering of the spamvertised websites a bit, but it's well worth it... I'm still able to get around 30GB per website per month out of them. From baloo at ursine.ca Fri Jun 4 01:35:01 2004 From: baloo at ursine.ca (Paul Johnson) Date: Fri Jun 4 03:50:02 2004 Subject: [SpamCop-List] Re: letting my isp deal with the load References: <87n03j52of.fsf@ursine.ca> Message-ID: <87ekovpyhm.fsf@ursine.ca> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 "KronaTech" writes: > "Paul Johnson" wrote in message > news:87n03j52of.fsf@ursine.ca... > >> Though there's the question of whether it's even as smart as handing >> an 8-year-old to a paedophile to use a notoriously buggy OS in any >> role other than a desktop workstation on a trusted network... > > Yes. Good advice from Paul. You should stay away from Linux. Good. Here's some more then: You need to put down the crackpipe and see reality for a change. - -- Paul Johnson Linux. You can find a worse OS, but it costs more. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFAwCYlUzgNqloQMwcRAq9mAJ9l4iXkP6BKat/3jC92EXJUA7PT8gCglCyN hcnpb26b3thK6I51kG4M6dw= =xfXN -----END PGP SIGNATURE----- From Anonym at us.comm Fri Jun 4 01:49:15 2004 From: Anonym at us.comm (Anonym@us.comm) Date: Fri Jun 4 03:55:03 2004 Subject: [SpamCop-List] Re: any feedback to SpamCop to from FTC reporting? References: <2if3p1-rrk.ln1@gecko.LAN> Message-ID: > "Mike Easter" wrote: > I wondered about what 'version' or something of the zip format > might have been involved, but the unzipper which worked and > had a 'properties' section didn't tell me anything informative. Yes, I used PowerArchiver (latest version) to zip it. I like it because I never have to actually start the program... it's all done via the right-click context menu (right click a file, select 'Compress to...', and it creates the .ZIP file in the same directory as the original file). Same for unzipping... I right-click, select 'Uncompress to...', and it creates a folder and unzips the contents into that folder. I don't even have to name the folder... that's done automatically. From Anonym at us.comm Fri Jun 4 02:05:18 2004 From: Anonym at us.comm (Anonym@us.comm) Date: Fri Jun 4 04:10:02 2004 Subject: [SpamCop-List] Re: letting my isp deal with the load References: Message-ID: "Mike Easter" wrote in message news:c9ojkr$u10$1@news.spamcop.net... > That sounds like something that isn't configured properly; like a naked > mailto: or something. If you need a good tool to obfuscate your email addresses on your website, you can use mine: http://www.hillscapital.com/tools/html2iso.htm Instructions are included on the web page, but basically, you put the whole line of code that includes your mailto link into this, and it converts it to ISO-LATIN-1. You then use a Javascript document.write FromCharCode on your webpage to convert it to readable text again (the code is also in the instructions). All the spambot will see is a comma-separated list of numbers. So, for instance, say I put the following HTML into the obfuscator (spaces added to HTML tags, because I'm not sure how news readers handle HTML): < p >This is a test.< /p > You'd get the following (without the spaces I added to break up the HTML tags above): 60,112,62,84,104,105,115,32,105,115,32,97,32,116,101,115,116,46,60,47, 112,62 For your non-Javascript users, you can put in a noscript section with a .gif image of your email address. They won't be able to click the image to send you email, of course, but at least they'll know what it is and can type it into their mail client. From Anonym at us.comm Fri Jun 4 02:16:22 2004 From: Anonym at us.comm (Anonym@us.comm) Date: Fri Jun 4 04:20:02 2004 Subject: [SpamCop-List] Re: letting my isp deal with the load References: Message-ID: "Doug Thegarden" wrote: > Have you come across Wpoison? I have it installed on my website and so far > have very little spam traffic on the address there despite it being up for a > couple of years. The gurus here probably have views on it but it seems to > work for me (and I hope if it does what it says, is causing the spambots some > grief) I have a Perl script that's similar to WPoison on our website... I created a separate directory for it, excluded that directory in the robots.txt file, and set it up so it shoveled as much crap (really long email addresses (>1000 characters), strange characters that hopefully crash the spammers' email programs, etc.) into the spambots gullet as it can handle. Then, it dynamically creates a link to another 'page' that is actually just this Perl program (so the spambot hopefully gets stuck in an infinite loop). Last month, I had 4 accesses to this file... the best one was a spambot that got 4.8MB of crap shoved down its gullet. From MikeE at ster.invalid Fri Jun 4 02:38:33 2004 From: MikeE at ster.invalid (Mike Easter) Date: Fri Jun 4 04:40:03 2004 Subject: [SpamCop-List] Re: any feedback to SpamCop to from FTC reporting? References: <2if3p1-rrk.ln1@gecko.LAN> Message-ID: Anonym@us.comm wrote: >> "Mike Easter" wrote: >> I wondered about what 'version' or something of the zip format >> might have been involved, but the unzipper which worked and >> had a 'properties' section didn't tell me anything informative. > > Yes, I used PowerArchiver (latest version) to zip it. Last year, I think, a 'fork' developed during which time PKWare [the original inventor] 'type' zip files were incompatible with WinZip [the most popular archiver] type zip files. Atho' the conflict in formats has resolved, it means that there might be some versions of zippers out there which are making zip files which aren't unzippable by some other unzippers. That is, maybe PowerArchiver is making a lastyear's PKWare or lastyear's WinZip type file instead of whatever is supposed to be the current compatible solution. There are also some old incompatible zip formats from long ago before the 2003 fork developed. I don't know much about either problem, just a little. The fact that Annie's newish ZipIt had trouble and my ancient ZipMagic had trouble suggests that some others might have trouble as well. You might want to check which version you have; if they /were/ following a PKWare or a WinZip fork at the time of your version which has been abandoned in favor of a unified format, it would be good to get more compatible. -- Mike Easter kibitzer, not SC admin From pobox.spamcop at kronatech.net Fri Jun 4 03:09:57 2004 From: pobox.spamcop at kronatech.net (KronaTech) Date: Fri Jun 4 05:10:45 2004 Subject: [SpamCop-List] Re: letting my isp deal with the load References: <87n03j52of.fsf@ursine.ca> <87ekovpyhm.fsf@ursine.ca> Message-ID: "Paul Johnson" wrote in message news:87ekovpyhm.fsf@ursine.ca... > Good. Here's some more then: You need to put down the crackpipe and > see reality for a change. Wow... pedophilia to crack... You cover the whole trailer park, huh? Your mom teach you to talk like that? -K From MikeE at ster.invalid Fri Jun 4 03:42:21 2004 From: MikeE at ster.invalid (Mike Easter) Date: Fri Jun 4 05:45:14 2004 Subject: [SpamCop-List] Re: any feedback to SpamCop to from FTC reporting? References: <2if3p1-rrk.ln1@gecko.LAN> Message-ID: Anonym@us.comm wrote: > "Mike Easter" >> You might want to check which version you have; if they /were/ >> following a PKWare or a WinZip fork at the time of your version which >> has been abandoned in favor of a unified format, it would be good to >> get more compatible. > > Well, in any case, I've attached the .txt version, so you can get a > look at the code. The directions include both how to set it up from a > .bas file or from a .txt file. Annie may appreciate that, as I don't know that she solved the unzipping problem. I just changed unzippers to something that worked. She also needs a solution, as she's an OL user, I'm OE. -- Mike Easter kibitzer, not SC admin From MissAnnie at nospam.invalid Fri Jun 4 08:07:53 2004 From: MissAnnie at nospam.invalid (Annie) Date: Fri Jun 4 07:10:05 2004 Subject: [SpamCop-List] Re: letting my isp deal with the load References: Message-ID: -- ```````````````` MissAnnie "Mike Easter" wrote in message news:c9ojkr$u10$1@news.spamcop.net... .> That sounds like something that isn't configured properly; like a naked > mailto: or something. Yes! Well I can't know everything. I grow flowers. but I do the web also. I changed it. > .> Somehow you have to get configured so that the spamfighting part is > 'fun' and you aren't spending too much time doing something that isn't. > Everything isn't roses, but there has to be a balance. That is what I am trying to do. I tried Spam Depute, Spam Abuse, Spam Pal, Mail Washer Pro . and Spam Cop. Currently I am using Mail Washer Pro and sending to Spam Cop. It is the Spam Cop reporting that it tedious right now. No batch reporting there? I am a paid subscriber too. And I just discovered that Mail Washer some how deleted an order I saw but didn't check to delete. It just isn't anywhere to be found now. > > -- > Mike Easter > kibitzer, not SC admin > From MissAnnie at nospam.invalid Fri Jun 4 08:11:03 2004 From: MissAnnie at nospam.invalid (Annie) Date: Fri Jun 4 07:15:04 2004 Subject: [SpamCop-List] Re: letting my isp deal with the load References: Message-ID: wrote in message news:c9pah4$f58$1@news.spamcop.net... > "Mike Easter" wrote in message > news:c9ojkr$u10$1@news.spamcop.net... > > That sounds like something that isn't configured properly; like a > naked > > mailto: or something. > > If you need a good tool to obfuscate your email addresses on your > website, you can use mine: > http://www.hillscapital.com/tools/html2iso.htm > Thanks I will give it a try. I have used a non java script tool also. -- ```````````````` MissAnnie From MissAnnie at nospam.invalid Fri Jun 4 08:12:27 2004 From: MissAnnie at nospam.invalid (Annie) Date: Fri Jun 4 07:15:14 2004 Subject: [SpamCop-List] Re: letting my isp deal with the load References: Message-ID: "JerryMouse" wrote in message news:c9olmb$vf7$1@news.spamcop.net... > Annie wrote: > > I may have to quit reporting > > to spam cop if I can't find a batch method of dealing with it. > > SpamSource. Free. One-button click to send a wad of spam to SpamCop. > > MailWasher also provides a check-box for forwarding to SpamCop. > Yes, click then report each one at SpamCop. What am I missing here about SpamCop reporting. Is there some batch reporting available? -- ```````````````` MissAnnie From MissAnnie at nospam.invalid Fri Jun 4 08:18:40 2004 From: MissAnnie at nospam.invalid (Annie) Date: Fri Jun 4 07:20:08 2004 Subject: [SpamCop-List] Re: letting my isp deal with the load References: Message-ID: wrote in message news:c9pb5j$fit$1@news.spamcop.net... > "Doug Thegarden" wrote: > Last month, I had 4 accesses to this file... the best one was a > spambot that got 4.8MB of crap shoved down its gullet. > How do you track that. That is what would be fun. Back to this Monkey.com. I am getting a lot of intrusion logs [VisualZone] from something called MonkeyCom. -- ```````````````` MissAnnie From Anonym at us.comm Fri Jun 4 05:58:59 2004 From: Anonym at us.comm (Anonym@us.comm) Date: Fri Jun 4 08:00:02 2004 Subject: [SpamCop-List] Re: letting my isp deal with the load References: Message-ID: "Annie" wrote in message news:c9plpk$n13$1@news.spamcop.net... > How do you track that. That is what would be fun. I can track it because we've got the web server logs set up to show us everything in a graphical format via WebTrends reports. Our ISP does that for us automatically, and loads it into a folder on our site for us. It's really a great help to be able to see all the statistics and demographics of people visiting our website. That's part of what drove us to #20 in Google for our #1 search term, and to #12 for our #2 search term (that, and gobs of fresh content each day... I've posted 1275 times to our website 'blog in the past 3 months, using Radio UserLand). That fresh content makes our site very 'sticky', too. Our average visitor time is over 8 minutes, which is about the time required to read all the new content each day. > Back to this Monkey.com. I am getting a lot of intrusion logs [VisualZone] > from something called MonkeyCom. I know that monkeys.com (note the plural) has the WPoison program. Monkey.com, I'm not sure what they do. MonkeyCom, the software program, is kind of like MS Messenger... the website is all in Japanese, and when I tried to convert it to English, I only got bits and pieces of it. So, perhaps someone has their MonkeyCom program misconfigured to try to connect to your (non-existent) MonkeyCom software, and it's showing up in your VisualZone/ZoneAlarm logs. BTW, if you haven't upgraded to the latest version of ZA, DO NOT do it... if you go to the ZA forums, you'll see why... major problems. So bad it forced me to uninstall it and use Sygate, instead. I'm collecting my IDS/IRS logs via SNMP trap (Port UDP 162) from my router to WallWatcher, and reporting it via myNetWatchman, so I can use pretty much any software firewall I want, as the software firewall rarely sees any activity to log. Before I put this machine behind a router, I used ZA, with both VisualZone and myNetWatchman. From MissAnnie at nospam.invalid Fri Jun 4 09:36:29 2004 From: MissAnnie at nospam.invalid (Annie) Date: Fri Jun 4 08:40:07 2004 Subject: [SpamCop-List] Re: letting my isp deal with the load References: Message-ID: wrote in message news:c9po7d$oqb$1@news.spamcop.net... > demographics of people visiting our website. That's part of what drove > us to #20 in Google for our #1 search term, and to #12 for our #2 > search term (that, and gobs of fresh content each day... I've posted > 1275 times to our website 'blog in the past 3 months, using Radio Woosh, over my non-technical head. I don't know anything about servers. I let my ISP manage the server I FTP my web to. > I know that monkeys.com (note the plural) has the WPoison program. Oh ok, a little "s" makes a big dif. > BTW, if you haven't upgraded to the latest version of ZA, DO NOT do > it... if you go to the ZA forums, you'll see why... major problems. So > bad it forced me to uninstall it and use Sygate, instead. Awww good to know. I had a severe problem a while back. Not sure if it was from a new ZA update. Anyway I am now using the EZ Firewall from ETrust that came with the Windows Security CD. The problem turned out to be a trojan/virus that crashed everything with logs. EZ Trust saved my sanity and my computer setup. The firewall is just a version of Zone Alarm. I am very thankful I had it just sitting here on my desk when I needed something quick. > Before I put this machine behind a router, I used ZA, with both > VisualZone and myNetWatchman. VZ and MNW That is what I use for logging. I have reported severe personal DoS attacks several times since installing them. I was hounded by someone which caused me to need to watch my connection. -- ```````````````` MissAnnie From MissAnnie at nospam.invalid Fri Jun 4 09:45:35 2004 From: MissAnnie at nospam.invalid (Annie) Date: Fri Jun 4 08:50:02 2004 Subject: [SpamCop-List] Re: Anonym@us OT Monkeycom References: Message-ID: wrote in message news:c9po7d$oqb$1@news.spamcop.net... > > MonkeyCom, the software program, is kind of like MS Messenger... the > website is all in Japanese, and when I tried to convert it to English, > I only got bits and pieces of it. So, perhaps someone has their > MonkeyCom program misconfigured to try to connect to your > (non-existent) MonkeyCom software, and it's showing up in your > VisualZone/ZoneAlarm logs. > > Re: Monkeycom You might be interested in looking at this random IP I looked up on MyNetWatchman. Something is happening with that Monkeycom. It is new to me in the past couple weeks and looks like it is pending on MNW. The IP I looked up was just one of many different ones from the same service. http://www.mynetwatchman.com/LID.asp?IID=97969820 -- ```````````````` MissAnnie From Merlyn at Spamcop.net Fri Jun 4 10:12:01 2004 From: Merlyn at Spamcop.net (Merlyn) Date: Fri Jun 4 09:15:03 2004 Subject: [SpamCop-List] Re: How to be a spammer for US1200.00 References: <40C00BDF.1C8C964B@telus.net> Message-ID: "Bud" wrote in message news:40C00BDF.1C8C964B@telus.net... > http://www.spamcop.net/sc?id=z510216095z354a381eece2b77a6e47ca92bc1d561cz > > Wish I had a URL, I'd leave *Fried Spam* running overnight. >From the opt-out url at the end To be removed from the database please follow this link, http://notinuse.biz/takeoff/takeoff.html Offical Name = www.notinuse.biz Aliases = Addresses = 219.153.7.125 it could be one of these three: http://www.spamhaus.org/query/bl?ip=219.153.7.125 219.152.0.0/15 is listed on the Spamhaus Block List (SBL) ns0.dnstrans.com / greatbizss3.com (escalation) or 219.153.0.0/21 is listed on the Spamhaus Block List (SBL) Alan Ralsky or 219.153.0.0/16 is listed on the Spamhaus Block List (SBL) Tim Goyetche / Bulkers.net / Bulkbarn.com -- Regards, Merlyn A Spamcop advocate No emails this account is for newsgroups only People demand freedom of speech to make up for the freedom of thought which they avoided From spydar_NOSPAM at NOSPAM.ZZZZ.UK Fri Jun 4 17:44:42 2004 From: spydar_NOSPAM at NOSPAM.ZZZZ.UK (Spydar) Date: Fri Jun 4 09:45:12 2004 Subject: [SpamCop-List] How long to wait before notifying registry?? Message-ID: Hi How long time shall i wait before reporting an ISP as a SPAM friendly host to the registry?? Have in about 2 weeks now got SPAM from the same IP and reported everyone of them trought SpamCop but still this SPAMmer is online. Is 2 weeks enough time?? I know that the registry dont want emails about SPAM but is it the same thing when the ISP dont stop their SPAMmers (SPAM friendly ISP)?? From ric.gates at bigsleep.org Fri Jun 4 15:13:49 2004 From: ric.gates at bigsleep.org (Blammo) Date: Fri Jun 4 10:15:02 2004 Subject: [SpamCop-List] Re: What am I missing? References: <40BCC67C.9000600@spamcop.net> <40BDF6A3.3030805@spamcop.net> <40BE33F6.907@spamcop.net> Message-ID: On 03 Jun 2004 Miss Betsy entered spamcop and left news:c9numi$b6s$1@news.spamcop.net: > Nobody says that you can't visit those sites. That wasn't the point of my original reply, none of the replies to my post apply specifically to junk mail, but make general assumptions that really only apply to specific circumstances. Everyone (mostly) does make some valid points, but I do read between the lines and I see that everone has pointed out (mostly unintentionally) flaws in this supposed logic, which makes site blocking quite unfair and unjust. It's generally a really bad idea to allow a corporation decide where the public can and can't go, if it isn't bad enough already that paid users have to look at ads, which of course are there in an attempt to fool the user in the exact same way that spam does. Spammers aren't doing anything that so-called legitimate advertisers haven't been doing for years. -- | Ric From Merlyn at Spamcop.net Fri Jun 4 11:22:28 2004 From: Merlyn at Spamcop.net (Merlyn) Date: Fri Jun 4 10:25:03 2004 Subject: [SpamCop-List] Re: How long to wait before notifying registry?? References: Message-ID: "Spydar" wrote in message news:c9puc7$t7c$1@news.spamcop.net... > Hi > > How long time shall i wait before reporting an ISP as a SPAM friendly host > to the registry?? > Have in about 2 weeks now got SPAM from the same IP and reported everyone of > them trought SpamCop but still this SPAMmer is online. > Is 2 weeks enough time?? > > I know that the registry dont want emails about SPAM but is it the same > thing when the ISP dont stop their SPAMmers (SPAM friendly ISP)?? > What is the site, the IP, the ISP, the originating server of the email? Can ya give some more info? -- Regards, Merlyn A Spamcop advocate No emails this account is for newsgroups only People demand freedom of speech to make up for the freedom of thought which they avoided From tmcgraw at spamcop.net Fri Jun 4 08:38:19 2004 From: tmcgraw at spamcop.net (Tim McGraw) Date: Fri Jun 4 10:40:04 2004 Subject: [SpamCop-List] Re: What am I missing? References: <40BCC67C.9000600@spamcop.net> <40BDF6A3.3030805@spamcop.net> <40BE33F6.907@spamcop.net> Message-ID: <40C0895B.6070706@spamcop.net> Blammo wrote: > > > > It's generally a really bad idea to allow a corporation decide where the > public can and can't go, if it isn't bad enough already that paid users > have to look at ads, which of course are there in an attempt to fool the > user in the exact same way that spam does. Spammers aren't doing anything > that so-called legitimate advertisers haven't been doing for years. Yes they are. They're stealing resources in order to reach my inbox. I call that theft. Legitimate advertisers pay to run those ads on Web sites. Big difference. From nobody at nowhere.net Fri Jun 4 12:12:51 2004 From: nobody at nowhere.net (BC Berry) Date: Fri Jun 4 11:15:04 2004 Subject: [SpamCop-List] Spammer using my return address Message-ID: This week, I had MANY bounces hit my hotmail account from a spammer using my E-mail address as the return address. Now, bounces from the same spam have started hitting my yahoo E-mail address. I have the same user name in hotmail as in yahoo so it looks like this guy is going down his dictionary list , pulling addresses to use as return addresses. Who should I lart??? copy of a few spams in .SPAM. -- E-mail address is invalid due to spam overflow - Please reply in the newsgroup. -- From MikeE at ster.invalid Fri Jun 4 09:33:45 2004 From: MikeE at ster.invalid (Mike Easter) Date: Fri Jun 4 11:35:05 2004 Subject: [SpamCop-List] Re: Recursive links References: Message-ID: Bud Anderson wrote: > The Spam with this subject in .spam spamcop.net/sc?id=z510183329z95bcc4fb7d05bf7a8942c69ccdd12b69z > What's going on? I didn't see it in the tracker, and I submitted the spam from your .spam message's source and I didn't see it; so whatever the problem might've been must be currently resolved. -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Fri Jun 4 17:30:11 2004 From: nobody at devnull.spamcop.net (Robert Slade) Date: Fri Jun 4 11:40:03 2004 Subject: [SpamCop-List] Re: Spammer using my return address References: Message-ID: "BC Berry" wrote in message news:u841c0d3kne1vbhdc6adorq93q8i12h9ik@4ax.com... > This week, I had MANY bounces hit my hotmail account from a spammer using my > E-mail address as the return address. > > Now, bounces from the same spam have started hitting my yahoo E-mail address. > I have the same user name in hotmail as in yahoo so it looks like this guy is > going down his dictionary list , pulling addresses to use as return addresses. > > Who should I lart??? > > copy of a few spams in .SPAM. > > -- > E-mail address is invalid due to spam overflow - Please reply in the newsgroup. > -- Hiya, see someone using my domain in spamcop.help for some suggestions on what to do. Rob From DougThegarden at hotmail.com Fri Jun 4 17:27:58 2004 From: DougThegarden at hotmail.com (Doug Thegarden) Date: Fri Jun 4 11:50:02 2004 Subject: [SpamCop-List] Re: letting my isp deal with the load References: Message-ID: Anonym@us.comm wrote: > > Last month, I had 4 accesses to this file... the best one was a > spambot that got 4.8MB of crap shoved down its gullet. Hehehehe ;-) Doug From MikeE at ster.invalid Fri Jun 4 10:02:11 2004 From: MikeE at ster.invalid (Mike Easter) Date: Fri Jun 4 12:05:02 2004 Subject: [SpamCop-List] Re: Spammer using my return address References: Message-ID: BC Berry wrote: > Who should I lart??? You cannot spamcop notify any of them, that is against the rules. If you want to manually notify for them, you should make yourself a little template for notification and then notify the appropriate addresses with that manual notify - in the configuration - template & words + complete spam headers&body. Those notify addresses may be obtained from SC as a tool, by 'dissecting' the original spam from the bounce portion and parsing the original spam, noting the addresses, and cancelling the report. You *must* cancel the report so obtained. -- Mike Easter kibitzer, not SC admin From m.dolbear at lineone.net Fri Jun 4 18:18:23 2004 From: m.dolbear at lineone.net (Michael R N Dolbear) Date: Fri Jun 4 13:20:03 2004 Subject: [SpamCop-List] Re: Spammer Letter to SpamCop References: <40B69162.2C0C9DC2@spamcop.net> <6jgdb0hui29hebvimaar9dsihvrk3j14a6@4ax.com> <40BF4ACE.4129D391@devnull.spamcop.net> Message-ID: <01c44a54$70621180$LocalHost@default> Nobody wrote [...] > Thank you very much for the information, it proved helpful. I've > already rec'd another spam from Koach and am including some links & info > in the comments section, which will serve as a reply to the spammer's > note to SpamCop contesting my reports. (And possibly others', I've no > way of knowing whether he's hit other SpamCop spamtraps.) Since this guy appears to be British based, you might care to report him under the the UK/EU anti-spam law. This involves downloading a pdf form from the Information Commissioner's site and mailing it in though. Google "Complaints on Electronic mail.pdf" at http://www.informationcommissioner.gov.uk/ -- Mike D From m.dolbear at lineone.net Fri Jun 4 18:18:25 2004 From: m.dolbear at lineone.net (Michael R N Dolbear) Date: Fri Jun 4 13:20:17 2004 Subject: [SpamCop-List] Re: letting my isp deal with the load References: Message-ID: <01c44a57$b672bf00$LocalHost@default> Annie wrote i [...] > What am I missing here about > SpamCop reporting. Is there some batch reporting available? Yes, there is something called Quick reporting, available for Spamcop mail users and paying reporters who have configured mailhosts and maybe other trusted members. Spamcop mail has it as standard for the "report as spam" button and on the pull down for the VER/report held spam interface. You can also email spam as multiple attachments to quick.---magicstring---@spam.spamcop.net instead of the standard submit.---magicstring---@spam.spamcop.net It only reports the source of emails, not web sites and there is no safety catch, you can report the wrong person 100 times with one key click (though the Mailhosts enhancement has made that a lot harder than it used to be) ;-) -- Mike D From Anonym at us.comm Fri Jun 4 12:35:52 2004 From: Anonym at us.comm (Anonym@us.comm) Date: Fri Jun 4 14:40:26 2004 Subject: [SpamCop-List] Re: Anonym@us OT Monkeycom References: Message-ID: "Annie" wrote in message news:c9pqsi$qld$1@news.spamcop.net... > Re: Monkeycom You might be interested in looking at this random IP I looked > up on MyNetWatchman. Something is happening with that Monkeycom. It is new > to me in the past couple weeks and looks like it is pending on MNW. The IP I > looked up was just one of many different ones from the same service. > > http://www.mynetwatchman.com/LID.asp?IID=97969820 I wonder... if it IS this MonkeyCom program, if it's got a 'Remote Desktop' functionality ala MS Messenger, if someone is using it to try to control others' computers? Perhaps you should ask Lawrence Baldwin over at myNetWatchman what he's found out about it. He's an extremely helpful guy... he actually called me when I was having problems getting myNetWatchman to work and had emailed him asking for help. From MikeE at ster.invalid Fri Jun 4 13:15:40 2004 From: MikeE at ster.invalid (Mike Easter) Date: Fri Jun 4 15:20:03 2004 Subject: [SpamCop-List] Re: letting my isp deal with the load References: <01c44a57$b672bf00$LocalHost@default> <87d64fmd6q.fsf@ursine.ca> Message-ID: Paul Johnson > When will it be fixed so websites also get reported? It isn't 'broken' in the sense that quick has never reported websites and as far as I know, there was never any intention that it ever would - but I know nothing of intentions. Oh, yeah, that 'problematic' [or 'dumb'] little '--=-=-=' decoration has crept back into the top of your posts. -- Mike Easter kibitzer, not SC admin From MissAnnie at nospam.invalid Fri Jun 4 16:22:36 2004 From: MissAnnie at nospam.invalid (Annie) Date: Fri Jun 4 15:25:03 2004 Subject: [SpamCop-List] Re: Anonym@us OT Monkeycom References: Message-ID: wrote in message news:c9qff5$ci8$1@news.spamcop.net... .> I wonder... if it IS this MonkeyCom program, if it's got a 'Remote > Desktop' functionality ala MS Messenger, if someone is using it to try > to control others' computers? Perhaps you should ask Lawrence Baldwin > over at myNetWatchman what he's found out about it. > > He's an extremely helpful guy... he actually called me when I was > having problems getting myNetWatchman to work and had emailed him > asking for help. > Thats a good idea, I have the MNW newsgroup loaded. -- ```````````````` MissAnnie From Anonym at us.comm Fri Jun 4 13:29:23 2004 From: Anonym at us.comm (Anonym@us.comm) Date: Fri Jun 4 15:35:03 2004 Subject: [SpamCop-List] Re: any feedback to SpamCop to from FTC reporting? References: <2if3p1-rrk.ln1@gecko.LAN> Message-ID: "Mike Easter" wrote in message news:c9pg75$ivk$1@news.spamcop.net... > Annie may appreciate that, as I don't know that she solved the unzipping > problem. I just changed unzippers to something that worked. She also > needs a solution, as she's an OL user, I'm OE. Annie, what version of Outlook are you using? If it's OL2000, the VBA code should work as-is. Later versions have a problem with the code snippet that forces Outlook to send the spam reports immediately (in which case you can disable that in the Editable Section of the code, or insert your own code to get the later version to work properly). I'm still trying to figure out how to do version checking in VBA, so I can branch to different code for the different versions of OL. I think it'd be great if someone took this code and created an installable plug-in for Outlook, but I don't have the time or VB programming expertise to do so myself. I should brush up on my VB programming, I suppose. Let me know if you have any problems setting it up, and I'll help you out. From usenet-fbi at inbox4u.de Fri Jun 4 22:46:31 2004 From: usenet-fbi at inbox4u.de (Falko Eickel) Date: Fri Jun 4 15:50:02 2004 Subject: [SpamCop-List] Re: letting my isp deal with the load References: <01c44a57$b672bf00$LocalHost@default> <87d64fmd6q.fsf@ursine.ca> Message-ID: <40C0D197.42C2@inbox4u.de> Paul Johnson wrote: >> [Quick Reporting] > When will it be fixed so websites also get reported? That's not going to change as it would also hit tons of innocent bystanders and could quickly kill the reputation of SpamCop with white hat ISPs - and the others don't care anyway. Also the SURBL relies on accurate oversight of spamvertized URLs. CU/2 Falko From MissAnnie at nospam.invalid Fri Jun 4 17:08:56 2004 From: MissAnnie at nospam.invalid (Annie) Date: Fri Jun 4 16:10:04 2004 Subject: [SpamCop-List] Re: any feedback to SpamCop to from FTC reporting? References: <2if3p1-rrk.ln1@gecko.LAN> Message-ID: wrote in message news:c9qikh$fap$1@news.spamcop.net... > Annie, what version of Outlook are you using? If it's OL2000, the VBA > code should work as-is. Later versions have a problem with the code > snippet that forces Outlook to send the spam reports immediately (in Am using OL2000 > Let me know if you have any problems setting it up, and I'll help you > out. Thanks I will let you know if I try it. Would like to. The computer work here this week has been crazy. -- ```````````````` MissAnnie From bud at telus.net Fri Jun 4 15:42:26 2004 From: bud at telus.net (Bud) Date: Fri Jun 4 17:45:21 2004 Subject: [SpamCop-List] Re: How to be a spammer for US1200.00 References: <40C00BDF.1C8C964B@telus.net> Message-ID: <40C0ECC1.4AC90E50@telus.net> Merlyn wrote: > "Bud" wrote in message news:40C00BDF.1C8C964B@telus.net... > > http://www.spamcop.net/sc?id=z510216095z354a381eece2b77a6e47ca92bc1d561cz > > > http://www.spamhaus.org/query/bl?ip=219.153.7.125 > > 219.152.0.0/15 is listed on the Spamhaus Block List (SBL) > ns0.dnstrans.com / greatbizss3.com (escalation) > or > 219.153.0.0/21 is listed on the Spamhaus Block List (SBL) > Alan Ralsky > or > 219.153.0.0/16 is listed on the Spamhaus Block List (SBL) > Tim Goyetche / Bulkers.net / Bulkbarn.com > > Regards, > Merlyn Good man. thanks Merlyn, Bud From usenet-fbi at inbox4u.de Sat Jun 5 01:11:48 2004 From: usenet-fbi at inbox4u.de (Falko Eickel) Date: Fri Jun 4 18:30:02 2004 Subject: [SpamCop-List] Re: What am I missing? References: <40BCC67C.9000600@spamcop.net> <40BDF6A3.3030805@spamcop.net> <40BE33F6.907@spamcop.net> Message-ID: <40C0F3A4.14DC@inbox4u.de> brewman wrote: > If all the spam with forged headers was stopped, I for one > would be very happy. Then I must ask you: Why are you not providing a SPF-Record for your Domain brycom.co.nz?!? That would at least prevent clueful postmasters from accepting mails with a forged "MAIL FROM: " or at least SA would sort it into the junk folder of their users. SPF doesn't help against forgery in the "From:" and "Reply-To:" fields, and it doesn't help against those bunch of rotten clueless idiots running "Open Reverse Relays" (mailservers, which first accept all crap, even to non-existant addresses, and then bounce all the junk back to the pour guy in the "Return-Path:"). But then numbers of those "Open Reverse Relays" are not that large, at least compared to the millions of zombies on the net. Send manual complaints to them and their ISPs. These links are about the dreaded AV-spamware accusing innocent bystanders of sending mail worms, but the topic is close enough, as both normal spam and mass email worms almost always forge the headers: and Perhaps someone else has a more general description to clue such idiots in - if this doesn't help, you could always go into BOFH mode :-). CU/2 Falko From usenet-fbi at inbox4u.de Sat Jun 5 01:24:02 2004 From: usenet-fbi at inbox4u.de (Falko Eickel) Date: Fri Jun 4 18:30:25 2004 Subject: [SpamCop-List] Re: Spammer using my return address References: Message-ID: <40C0F682.1D1C@inbox4u.de> BC Berry wrote: > This week, I had MANY bounces hit my hotmail account from a > spammer using my E-mail address as the return address. > Who should I lart??? The idiots running the "Open Reverse Relays" which produce all those bogus bounces (see my reply to brewman, even if SPF will only help domain owners - you have to get Yahoo and Hotmail to provide such a DNS record to protect their domains against the ongoing abuse of their domain names in spam mails). CU/2 Falko From Anonym at us.comm Fri Jun 4 17:55:36 2004 From: Anonym at us.comm (Anonym@us.comm) Date: Fri Jun 4 20:00:02 2004 Subject: [SpamCop-List] Re: What am I missing? References: <40BCC67C.9000600@spamcop.net> <40BDF6A3.3030805@spamcop.net> <40BE33F6.907@spamcop.net> <40C0F3A4.14DC@inbox4u.de> Message-ID: "Falko Eickel" wrote in message news:40C0F3A4.14DC@inbox4u.de... > Then I must ask you: Why are you not providing a SPF-Record > for your Domain brycom.co.nz?!? Hi, all. I went to http://spf.pobox.com/ and ran the wizard, but I'm not sure what to put into some of the fields... can SPF be implemented if we don't control the mail server (it's our web host's mail server)? If not, what would be the best way to convince our web host to implement SPF on their mail server (considering that the mail server doesn't even properly report sending IP addresses, and they refuse to fix it)? Would a situation like this require that in order to have SPF implemented, we move to another web host / email provider? We're considering a move in September due to several issues we've been having with our current web host / mail provider (website slow or goes down often, mail server slow and goes down at least once a day, mail server puts its own IP address into sending IP address field in headers (so we're reporting ourselves as spammers when we report spam delivered to that server), etc.). It's a Burlee/Interland IMail 6.06 mail server. If it requires moving, we've been looking at ICDSoft... does anyone have any experience with them? Do they use SPF already? Thanks in advance for any help you can provide... From nobody at xyzzy.claranet.de Sat Jun 5 04:38:27 2004 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Fri Jun 4 21:40:14 2004 Subject: [SpamCop-List] Re: What am I missing? References: <40BCC67C.9000600@spamcop.net> <40BDF6A3.3030805@spamcop.net> <40BE33F6.907@spamcop.net> <40C0F3A4.14DC@inbox4u.de> Message-ID: <40C12413.169D@xyzzy.claranet.de> Anonym@us.comm wrote: > I went to http://spf.pobox.com/ and ran the wizard, but > I'm not sure what to put into some of the fields... At least you can test the effect of any existing SPF record at > can SPF be implemented if we don't control the mail server > (it's our web host's mail server)? Let's say your domain is an.example.net and you want to use Mail From: (any user). With SPF you can define the IPs allowed to send mail with this return path (aka envelope From, Mail From, bounce address). That's normally your "smart host". In simple cases one box handles all your mail, it's the MX for incoming mail, it's the MSA for outgoing mail, and there's no further "mailout" behind this MSA. Test it with a mail to an echo server. In this simple case your SPF record could be "v=spf1 mx -all". If you also want to send directly from your box, the record could be "v=spf1 a mx -all". If your case is more interesting we should continue this discussion in the "SPF help" mailing list, now also available as pseudo-NG on news.gmane.org (you probably have to subscribe and immediately deactivate your subscription, if you want news write access). For your other questions: you can get DNS services incl. SPF at DynDNS, but only in the "custom DNS" system. Bye, Frank From nobody at devnull.spamcop.net Sat Jun 5 14:45:56 2004 From: nobody at devnull.spamcop.net (brewman) Date: Fri Jun 4 21:45:03 2004 Subject: [SpamCop-List] Re: What am I missing? References: <40BCC67C.9000600@spamcop.net> <40BDF6A3.3030805@spamcop.net> <40BE33F6.907@spamcop.net> <40C0F3A4.14DC@inbox4u.de> Message-ID: wrote in message news:c9r28b$rc5$1@news.spamcop.net... > "Falko Eickel" wrote in message > > Then I must ask you: Why are you not providing a SPF-Record > > for your Domain brycom.co.nz?!? > Hi, all. > I went to http://spf.pobox.com/ and ran the wizard, but I'm not sure > what to put into some of the fields... can SPF be implemented if we > don't control the mail server (it's our web host's mail server)? I've been to the wizard and I know EXACTLY what I want in the TXT field. Problem is, I have a 'vanity' domain (vanity? It's hardly vain wanting a domain for my genuine llc, even if it is a one-man band) hosted by an ISP. I have been in touch with them for many days since SPF was mentioned to me. Various replies over several days from them: "What's an SPF?" "Where looking into it" "We can do it but we don't support it" [I tell them exactly what to put in it] "Someone else is looking into it." I can assure you that lack of an SPF record is in no caused by lack of effort on my part. My wife is getting annoyed with me at the amount of time I'm spending filling in SC reports (and no, it doesn't take long for ONE email, or a few ...). The inability to report spam to elsewhere that bounces back to me through SC is a real pain. I know how to cut'n'paste to get the reporting info, but then have to send off my own email. I hate spam with a passion, but my ISP seems to believe that just filtering it off is the enough. Rather like thinking that running the bilge pumps will save the Titanic, I suppose. Neither are they interested in helping me track down the forgers using my domain name. Nope, they just want me to pay the connection bills whilst they check that all the pretty lights on their modems are flashing. -- Brewman Brewman.SpamCop@brycom.cX.nX which really ends with dot co dot nz From nobody at xyzzy.claranet.de Sat Jun 5 04:50:50 2004 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Fri Jun 4 21:55:03 2004 Subject: [SpamCop-List] Re: letting my isp deal with the load References: <01c44a57$b672bf00$LocalHost@default> <87d64fmd6q.fsf@ursine.ca> Message-ID: <40C126FA.2F13@xyzzy.claranet.de> Mike Easter wrote: > there was never any intention that it ever would That would be a bad idea, with "normal" reports there's at least a (small) chance to spot innocent bystanders. > that 'problematic' [or 'dumb'] little '--=-=-=' decoration > has crept back into the top of your posts. That's only the boundary of his multipart/signed signature, as decent as possible with MIME. OE does not support MIME. Bye, Frank From nobody at xyzzy.claranet.de Sat Jun 5 04:56:28 2004 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Fri Jun 4 22:00:03 2004 Subject: [SpamCop-List] Re: How long to wait before notifying registry?? References: Message-ID: <40C1284C.49@xyzzy.claranet.de> Spydar wrote: > How long time shall i wait before reporting an ISP as a SPAM > friendly host to the registry?? IMHO forever. Reporting spam to a registry is like reporting a crime to the editor of your yellow pages. As long as the YP info is correct they can't help you. They are not the police. Bye, Frank From MikeE at ster.invalid Fri Jun 4 20:13:45 2004 From: MikeE at ster.invalid (Mike Easter) Date: Fri Jun 4 22:15:03 2004 Subject: [SpamCop-List] Re: letting my isp deal with the load References: <01c44a57$b672bf00$LocalHost@default> <87d64fmd6q.fsf@ursine.ca> <40C126FA.2F13@xyzzy.claranet.de> Message-ID: Frank Ellermann wrote: > Mike Easter wrote: >> that 'problematic' [or 'dumb'] little '--=-=-=' decoration >> has crept back into the top of your posts. > > That's only the boundary of his multipart/signed signature, > as decent as possible with MIME. OE does not support MIME. Paul is quite aware of his alternative ways to begin and end his pgp signed messages. See From: Paul Johnson Newsgroups: spamcop.geeks Subject: Re: [media] "Microsoft granted patent for double-click" Date: Fri, 04 Jun 2004 10:29:59 -0700 Message-ID: <874qprnsdk.fsf@ursine.ca> Mime-Version: 1.0 as an alternative. news://news.spamcop.net/874qprnsdk.fsf@ursine.ca -- Mike Easter kibitzer, not SC admin From nobody at xyzzy.claranet.de Sat Jun 5 05:15:35 2004 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Fri Jun 4 22:20:03 2004 Subject: [SpamCop-List] Broken C/R systems: Spamarrest, Earthlink, UOL, ... Message-ID: <40C12CC7.4CAA@xyzzy.claranet.de> Hi, today SC classified 3 submitted challenges from Earthlink resp. SpamArrest as "bounces" instead of spam. I'm not sure why - I had already deleted this spam and couldn't test it. UOL "anti" spam challenges can be still reported, there must be a technical difference. What do you do with SpamArrest / Earthlink challenges ? Is there any DNSBL for broken C/R systems ? Or should I simply post this spam in nanas ? Many manual complaints had no effect so far... :-( Bye, Frank From nobody at xyzzy.claranet.de Sat Jun 5 05:31:10 2004 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Fri Jun 4 22:35:03 2004 Subject: [SpamCop-List] Re: letting my isp deal with the load References: <01c44a57$b672bf00$LocalHost@default> <87d64fmd6q.fsf@ursine.ca> <40C126FA.2F13@xyzzy.claranet.de> Message-ID: <40C1306E.73F2@xyzzy.claranet.de> Mike Easter wrote: > as an alternative. > news://news.spamcop.net/874qprnsdk.fsf@ursine.ca That's worse with my ersatz-newsreader (Mozilla 3), it's the old text/plain style before MIME was invented (early '90s). What's your problem with the correct multipart/signed method ? With OE you never know... :-( Of course I'm no fan of any signatures in news, the worst here are Petzl's about 8 lines (maybe more now, I stopped to read his articles). Bye, Frank From MikeE at ster.invalid Fri Jun 4 20:49:05 2004 From: MikeE at ster.invalid (Mike Easter) Date: Fri Jun 4 22:50:02 2004 Subject: [SpamCop-List] Re: Broken C/R systems: Spamarrest, Earthlink, UOL, ... References: <40C12CC7.4CAA@xyzzy.claranet.de> Message-ID: Frank Ellermann wrote: > What do you do with SpamArrest / Earthlink challenges ? I don't know the answer to your question except that I tho't it was OK or appropriate to report challenges; I answered mainly to make a commentary on something I learned recently about the evolution of EL's 'high' setting, which is the one that can generate challenges to 'suspect' spam, ie those items not identified as spam by the brightmail system, and not black or whitelisted by the client. The EL suspect folder now 'optionally' generates challenges. That is, what used to be 'automatic' - any suspect item got challenged - is now optional. The client with a high EL setting can configure to send no challenges. Their suspect folder can be managed by them receiving daily [or weekly or none] summaries of its contents, allowing them to delete, whitelist, blacklist or whatever any item in that folder without challenging it at all. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Fri Jun 4 20:59:45 2004 From: MikeE at ster.invalid (Mike Easter) Date: Fri Jun 4 23:05:02 2004 Subject: [SpamCop-List] Re: letting my isp deal with the load References: <01c44a57$b672bf00$LocalHost@default> <87d64fmd6q.fsf@ursine.ca> <40C126FA.2F13@xyzzy.claranet.de> <40C1306E.73F2@xyzzy.claranet.de> Message-ID: Frank Ellermann wrote: > What's your problem with the correct multipart/signed method ? > With OE you never know... :-( This is just me answering you, not 'whining'. In native OE mode the entire post appears as 2 attachments, the body as a txt attachment, the sig as a dat attachment, preventing replying to it without 'heroics' In OE with QuoteFix, for some reason QF wants to crash while handling it. That is, that's what would happen if I choose to continue to let Paul's posts be visible to me and open them. Perhaps he vacillates between the two configurations so that he can derive commentary on it. > Of course I'm no fan of any > signatures in news, the worst here are Petzl's about 8 lines > (maybe more now, I stopped to read his articles). I think pgp signing is silly in this environment, while valuable in some others. -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Fri Jun 4 21:36:54 2004 From: nobody at spamcop.net (Jeff) Date: Fri Jun 4 23:40:05 2004 Subject: [SpamCop-List] Re: Spammer using my return address References: Message-ID: fuck him up, dude "BC Berry" wrote in message news:u841c0d3kne1vbhdc6adorq93q8i12h9ik@4ax.com... > This week, I had MANY bounces hit my hotmail account from a spammer using my > E-mail address as the return address. > > Now, bounces from the same spam have started hitting my yahoo E-mail address. > I have the same user name in hotmail as in yahoo so it looks like this guy is > going down his dictionary list , pulling addresses to use as return addresses. > > Who should I lart??? > > copy of a few spams in .SPAM. > > -- > E-mail address is invalid due to spam overflow - Please reply in the newsgroup. > -- From MikeE at ster.invalid Fri Jun 4 21:39:15 2004 From: MikeE at ster.invalid (Mike Easter) Date: Fri Jun 4 23:40:17 2004 Subject: [SpamCop-List] Re: letting my isp deal with the load References: <01c44a57$b672bf00$LocalHost@default> <87d64fmd6q.fsf@ursine.ca> <40C126FA.2F13@xyzzy.claranet.de> Message-ID: Frank Ellermann wrote: > That's only the boundary of his multipart/signed signature, > as decent as possible with MIME. OE does not support MIME. OE actually supports 'a lot' of MIME. However, in my opinion, newsgroup postings should be in plaintext only, not multipart/alternative of any kind - especially pgp signed.- except in groups 'specifically' for that purpose. What people want to do with their mail, such as html or any of that other 'monkey business' is up to them. A lot of pgp signers seem to become very unhappy when some text/html comes their way. MIME = Multipurpose Internet *Mail* Extensions -- Mike Easter kibitzer, not SC admin From nobody at xyzzy.claranet.de Sat Jun 5 07:01:38 2004 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Sat Jun 5 00:10:03 2004 Subject: [SpamCop-List] Re: letting my isp deal with the load References: <01c44a57$b672bf00$LocalHost@default> <87d64fmd6q.fsf@ursine.ca> <40C126FA.2F13@xyzzy.claranet.de> <40C1306E.73F2@xyzzy.claranet.de> Message-ID: <40C145A2.1AAB@xyzzy.claranet.de> Mike Easter wrote: > In native OE mode the entire post appears as 2 attachments Ouch :-( That's of course wrong, Content-Disposition: Inline is not the same as an Attachment. There wasn't even a name for this "attachment". > the sig as a dat attachment My newsreader displays this as horizontal line (like
) indicating the boundary, followed by a small box... ------------------------------------------------------------- +----------+---------------------------------+ | Part 1.2 | Type: application/pgp-signatura | +----------+---------------------------------+ The string "Part 1.2" is shown in blue (a link), and if I'd click on it, my newsreader would tell me that it doesn't know this MIME type, but I could still save it as file, or start any application (e.g. hex. viewer). But I see the first part (text/plain) immediately, with all features (Re:News, Re:Mail, Fwd, etc.) of normal articles. > In OE with QuoteFix, for some reason QF wants to crash while > handling it. Then QF is broken. Maybe the problem is Paul's normal sig in addition to his PGP stuff. We're talking about 16 lines: | -- | Paul (etc., his sig, 3 lines) | | --=- (etc., boundary) | Content-Type: application/pgp-signature | | -----BEGIN (etc., 7 lines PGP stuff incl. 3 lines base64) | --=- (etc., boundary) All us-ascii if you look at the "raw" undecoded message. > Perhaps he vacillates between the two configurations so that > he can derive commentary on it. In that case my comment is "fix your QuoteFix", there should be a working version or just a better tool for your purposes. > I think pgp signing is silly in this environment, while > valuable in some others. ACK, but it might be hard to disable it on a case-by-case basis, if he wants it for say nanabl or nanae. But you're probably interested in a general solution for your side of this problem. Maybe replace QuoteFix by Morver + Korrnews: Bye, Frank From nobody at xyzzy.claranet.de Sat Jun 5 07:23:06 2004 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Sat Jun 5 00:30:02 2004 Subject: [SpamCop-List] Re: Broken C/R systems: Spamarrest, Earthlink, UOL, ... References: <40C12CC7.4CAA@xyzzy.claranet.de> Message-ID: <40C14AAA.1184@xyzzy.claranet.de> Mike Easter wrote: > I tho't it was OK or appropriate to report challenges Me too, but apparently the procedure to catch bounces was modified. Or spamarrest and EL found a way to trigger the old procedure (I'll test it with the next challenges). > items not identified as spam by the brightmail system In other words, if I get a challenge from EL, then it's not yet identified by brightmail as spam, and the user explicitly wants to send challenges ? Maybe SPF will help with this situation, my ISP has to add a SPF record for wildcard hosts, and EL has to check bounce addresses against SPF. Now why does this sound like "early 2005" for me ? But tnx for info, bye, Frank From nobody at spamcop.net Sat Jun 5 00:37:23 2004 From: nobody at spamcop.net (Miss Betsy) Date: Sat Jun 5 00:35:02 2004 Subject: [SpamCop-List] Re: What am I missing? References: <40BCC67C.9000600@spamcop.net> <40BDF6A3.3030805@spamcop.net> <40BE33F6.907@spamcop.net> Message-ID: "Blammo" wrote in message news:Xns94FE49A031FDAblammo@216.154.195.61... Spammers aren't doing anything > that so-called legitimate advertisers haven't been doing for years. That's true up to a point. However, advertising is curtailed by laws when it becomes too intrusive (highway signs, even some city regulations, nocall lists, and junk fax). The problem on the Internet is that laws are not enforceable. And not even necessary as long as one can block spam. It forces people to be responsible or they can't communicate - and that includes the 'innocent' people who share servers with spammers. Miss Betsy From MikeE at ster.invalid Fri Jun 4 22:51:13 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sat Jun 5 00:55:03 2004 Subject: [SpamCop-List] Re: letting my isp deal with the load References: <01c44a57$b672bf00$LocalHost@default> <87d64fmd6q.fsf@ursine.ca> <40C126FA.2F13@xyzzy.claranet.de> <40C1306E.73F2@xyzzy.claranet.de> <40C145A2.1AAB@xyzzy.claranet.de> Message-ID: Frank Ellermann wrote: > Mike Easter wrote: >> In OE with QuoteFix, for some reason QF wants to crash while >> handling it. 'handling' here means 'when I try to reply to the message which OE has displayed 'badly' - presumably QF gets 'all mixed up' trying to reformat the message which is not formatted at all but should be or somesuch. I should know better than to try to reply to those messages when they aren't displayed. I was trying to get an attribution line to paste something from the text 'file'/attachment under. > Then QF is broken. Maybe the problem is Paul's normal sig in > addition to his PGP stuff. We're talking about 16 lines: QF is sorta broken. It has some kind of resource management 'hole' or leak I think. I think the QF crash is induced by what it is trying to do with what has been handled wrongly by OE. QF is also supposed to be a 'participant' in the display process, ie it is supposed to reformat the lines for the display, so it might be 'conflicting' with itself, too. I could tinker with turning that feature off just to learn something about the crash. > All us-ascii if you look at the "raw" undecoded message. Yes, I've seen whatall is in there. When he does that I look at the raw. >> Perhaps he vacillates between the two configurations so that >> he can derive commentary on it. > > In that case my comment is "fix your QuoteFix", there should > be a working version or just a better tool for your purposes. Actually QF is a 'unique' application - not much else just like that. The reason I put up with its memory leak is because OE is so bad about its lines and I *hate* that and QF fixes it. Naturally that always leads those who prefer other or 'real' newsreaders to OE to ask the inevitable question of why put up with OE anyway. >> I think pgp signing is silly in this environment, while >> valuable in some others. > > ACK, but it might be hard to disable it on a case-by-case basis, > if he wants it for say nanabl or nanae. But you're probably > interested in a general solution for your side of this problem. Well, one quick solution comes to mind immediately ;-) Then Paul can use all the multipart/alternative with pgp sig he wants. > Maybe replace QuoteFix by Morver + Korrnews: > http://www.morver.de/english.htm Thanks. I'll look at that, but at first glance it doesn't look like QF at all. -- Mike Easter kibitzer, not SC admin From nobody at xyzzy.claranet.de Sat Jun 5 08:04:25 2004 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Sat Jun 5 01:10:03 2004 Subject: [SpamCop-List] Re: letting my isp deal with the load References: <01c44a57$b672bf00$LocalHost@default> <87d64fmd6q.fsf@ursine.ca> <40C126FA.2F13@xyzzy.claranet.de> Message-ID: <40C15459.42F5@xyzzy.claranet.de> Mike Easter wrote: > in my opinion, newsgroup postings should be in plaintext > only Depends. If this forces us back to the times before MIME was invented, with UUE and other tricks (like plain/text PGP crap embedded in a normal article), then I prefer MIME. At least MIME is clear and simple, only Microsoft's O*-products don't support it. > not multipart/alternative of any kind Sure, we don't need any "alternative" to text/plain here. And in a newsgroup where text/html is allowed, one version is good enough (either plain or html, not both alternatives). But multipart/mixed with more than one text/plain part could be okay. Or the multipart/signed example here was IMHO acceptable or at least better than the same PGP crap in the old (pre-MIME) text/plain hack. In theory multipart/mixed could be _extremely_ useful in .spam: 1st part text/plain question, 2nd part message/rfc822 original spam. It's a pain to guess the artifacts of broken newsreaders like OE in .spam (e.g. "was this header always broken, or is it only a side effect of posting it with OE after some obscure clipboard operations"). > MIME = Multipurpose Internet *Mail* Extensions It's also very important in news. There's even a "MIME primer" as appendix B of son-of-1036 (1036bis), Hm, it's quite short, I add it below. Bye, Frank Source: News Article Format and Transmission by Henry Spencer 17 Jan 1994 - 91 - expires 15 March 1994 INTERNET DRAFT to be NEWS sec. B B. A Quick Tour Of MIME (The editor wishes to thank Luc Rooijakkers; most of this appendix is a lightly-edited version of a summary he kindly supplied.) MIME (Multipurpose Internet Mail Extensions) is an upward- compatible set of extensions to RFC 822, currently documented in RFCs 1341 and 1342. This appendix summarizes these documents. See the MIME RFCs for more information; they are very readable. UNRESOLVED ISSUE: These RFC numbers (here and elsewhere in this Draft) need updating when the new MIME RFCs come out. MIME defines the following new headers: MIME-Version Content-Type Content-Transfer-Encoding Content-ID The MIME-Version header is mandatory for all messages con- forming to the MIME specification and carries the version number of the MIME specification. Example: MIME-Version: 1.0 The Content-Type header indicates the content type of the message. Content types are split into a top-level type and a subtype, separated by a slash. Auxiliary information can also be supplied, using an attribute-value notation. Exam- ple: Content-Type: text/plain; charset=us-ascii (In the absence of a Content-Type header this is in fact the default content type.) Important type/subtype combinations are text/plain Plain text, possibly in a non- ASCII character set. text/enriched A very simple wordprocessor-like language supporting character attributes (e.g., underlining), justification control, and multi- ple character sets. (This pro- posal has gone through several iterations and has recently split off from the main MIME RFCs into a separate document.) message/rfc822 A mail message conforming to a slightly-relaxed version of RFC 822. message/partial Part of a message (supporting the transparent splitting and joining of messages when they are too large to be handled by some trans- port agent). message/external-body A message whose body is external. Possible access methods include via mail, FTP, local file, etc. multipart/mixed A message whose body consists of multiple parts, possibly of dif- ferent types, intended to be viewed in serial order. Each part looks like an RFC 822 message, consisting of headers and a body. Most of the RFC 822 headers have no defined semantics for body parts. multipart/parallel Likewise, except that the parts are intended to be viewed in par- allel (on user agents that support it). multipart/alternative Likewise, except that the parts are intended to be semantically equivalent such that the part that best matches the capabilities of the environment should be dis- played. For example, a message may include plain-text, enriched- text, and postscript versions of some document. multipart/digest A variant of multipart/mixed espe- cially intended for message digests (the default type of the parts is message/rfc822 instead of text/plain, saving on the number of headers for the parts). application/postscript A PostScript document. (PostScript is a trademark of Adobe.) Other top-level types exist for still images, audio, and video samples. Some of the above types require the ability to transport binary data. Since the existing message systems usually do not support this, MIME provides a Content-Transfer-Encoding header to indicate the kind of encoding used. The possible encodings are: 7bit No encoding; the data consists of short (less than 1000 characters) lines of 7-bit ASCII data, delimited by EOL sequences. This is the default encod- ing. 8bit Like 7bit, except that bytes with the high-order bit set may be present. Many transmission paths are incapable of carrying messages which use this encoding. binary No encoding; any sequence of bytes may be present. Many transmission paths are incapable of carrying messages which use this encoding. base64 The data is encoded by representing every group of 3 bytes as 4 characters from the alphabet "A-Za-z0-9+/", which was chosen for its high robustness through mail gateways (the alphabet used by uuencode does not survive ASCII-EBCDIC-ASCII translations). In the final group of 4 characters, "=" is used for those characters not repre- senting data bytes. Line length is limited and EOLs in the encoded form are ignored. quoted-printable Any byte can be represented by a three character "=XX" sequence where the X's are upper case hexadecimal digits. Bytes representing printable 7-bit US- ASCII characters except "=" may be rep- resented literally. Tabs and blanks may be represented literally if not at the end of a line. Line length is lim- ited, and an EOL preceded by "=" was inserted for this purpose and is not present in the original. The base64 and quoted-printable encodings are applied to data in Internet canonical form, which means that any EOL encoded as anything but EOL must be an Internet canonical EOL: CR followed by LF. The Content-Description header allows further description of a body part, analogous to the use of Subject for messages. Finally, the Content-ID header can be used to assign an identification to body parts, analogous to the assignment of identifications to messages by Message-ID. Note that most of these headers are structured header fields, as defined in RFC 822. Consequently, comments are allowed in their values. The following is a legal MIME header: Content-Type: (a comment) text (yeah) / plain (and now some params:) ; charset= (guess what) iso-8859-1 (we don't have iso-10646 yet, pity) NOTE: Although the MIME specification was devel- oped for mail, there is nothing precluding its use for news as well. While it might simplify imple- mentation to restrict the MIME headers somewhat, in the same way that other news headers (e.g. From) are restricted subsets of the RFC-822 origi- nals, this would add yet another divergence between two formats that ought to be as compatible as possible. In the case of the MIME headers, there is no body of existing code posing compati- bility concerns. A full-featured MIME reading agent needs a full RFC-822 parser anyway, to prop- erly handle body parts of types like mes- sage/rfc822, so there is little gain from restricting MIME headers. Adopting the MIME spec- ification unchanged seems best. However, article- level MIME headers must still comply with the overall news header syntax given in section 4, so that news software which is NOT interested in MIME need not contain a full RFC-822 parser. The second part of MIME, RFC 1342 (Representation of Non- ASCII Text in Internet Message Headers), addresses the prob- lem of non-ASCII characters in headers. An example of a header using the RFC 1342 mechanism is From: =?ISO-8859-1?Q?Andr=E9_?= Pirard Such encodings are allowed in selected headers, subject to the restrictions listed in RFC 1342. The MIME effort has also produced an RFC defining a Content- MD5 header [rrr 1544], containing an MD5-based "checksum" of the contents of an article or body part, giving high confi- dence of detecting accidental modifications to the contents. The "metamail" software package [rrr] helps provide MIME support with minimal changes to mailers, and may also be relevant to news reading agents. The PEM (Privacy Enhanced Mail) effort is pursuing analogous facilities to offer stronger guarantees against malicious modifications, unauthorized eavesdropping, and forgery. This work too may be applicable to news, once it is reconciled with MIME (by efforts now underway). From pobox.spamcop at kronatech.net Sat Jun 5 00:07:05 2004 From: pobox.spamcop at kronatech.net (KronaTech) Date: Sat Jun 5 02:10:03 2004 Subject: [SpamCop-List] Re: letting my isp deal with the load References: <01c44a57$b672bf00$LocalHost@default> <87d64fmd6q.fsf@ursine.ca> <40C126FA.2F13@xyzzy.claranet.de> <40C1306E.73F2@xyzzy.claranet.de> <40C145A2.1AAB@xyzzy.claranet.de> Message-ID: "Frank Ellermann" wrote in message news:40C145A2.1AAB@xyzzy.claranet.de... > Ouch :-( That's of course wrong, Content-Disposition: Inline > is not the same as an Attachment. There wasn't even a name > for this "attachment". Here I was enjoying the fact that I couldn't see half his posts (the half he doesn't post properly), since they were indeed displayed as a blank message with two attachments. Can't see Paul's posts... the problem is? -K From ric.gates at bigsleep.org Sat Jun 5 07:10:45 2004 From: ric.gates at bigsleep.org (Blammo) Date: Sat Jun 5 02:15:03 2004 Subject: [SpamCop-List] Re: What am I missing? References: <40BCC67C.9000600@spamcop.net> <40BDF6A3.3030805@spamcop.net> <40BE33F6.907@spamcop.net> Message-ID: On 04 Jun 2004 Miss Betsy entered spamcop and left news:c9rid0$856$1@news.spamcop.net: > The problem on the Internet is that laws are not enforceable. And > not even necessary as long as one can block spam. It forces people > to be responsible or they can't communicate - and that includes the > 'innocent' people who share servers with spammers. I agree, that is exactly the problem (and advantage). Globally blocking HTTP access doesn't help anything. The more you think for other people, the more inept others become (and more inept than you [figuratively]). For example, my clients need to communicate with their customers even though I'd love to block all DSL lines. In order to do business they'd rather sort through a couple more spams than to try to convince their customer to change providers, or even worse try to explain to them how to use a real mail host with a valid PTR. After all they're running a business, not a coalition. If AOL decided to block a client's site because of a JJ (or any reason they wanted to make up) that would be a real PITA. And then I wouldn't expect any ISP to block yahoo.com even though, from the spam I get, they seem to be hosting a lot of spammers. Oh, yes, we have to let the popular companies slide or we'll get too many complaints, or we can't block a site that we actually advertise with. There goes your "forces people to be responsible" theory. BTW, since AOL uses their own mail client, it would be quite simple for them to just block spam links within that application. Other ISPs could offer some crapware download to do something similar, but why not just disable images in the client and be done with it. -- | Ric | From nobody at devnull.spamcop.net Sat Jun 5 19:26:38 2004 From: nobody at devnull.spamcop.net (brewman) Date: Sat Jun 5 02:25:04 2004 Subject: [SpamCop-List] Perhaps I've found a POC for spam source Message-ID: I'm getting spam from 166.104.200.92; SC realises that the POC ykjung@hyuee.hanyang dot ac:kr is DOA (another TLA) so sends to devnull. However, a quick scan of http://www.hanyang.ac.kr/code_html/inquiries/eindex.html reveals zillions of contact emails, all webmaster@ihanyang dot ac:kr How about sending SC reports there? Or maybe postmaster at web site? -- Brewman Brewman.SpamCop@brycom.cX.nX which really ends with dot co dot nz From baloo at ursine.ca Sat Jun 5 02:01:19 2004 From: baloo at ursine.ca (Paul Johnson) Date: Sat Jun 5 04:20:10 2004 Subject: [SpamCop-List] Re: letting my isp deal with the load References: <01c44a57$b672bf00$LocalHost@default> <87d64fmd6q.fsf@ursine.ca> <40C126FA.2F13@xyzzy.claranet.de> <40C1306E.73F2@xyzzy.claranet.de> Message-ID: <87acziigc0.fsf@ursine.ca> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 "Mike Easter" writes: > In native OE mode the entire post appears as 2 attachments, the body as > a txt attachment, the sig as a dat attachment, preventing replying to it > without 'heroics' In OE with QuoteFix, for some reason QF wants to > crash while handling it. That is, that's what would happen if I choose > to continue to let Paul's posts be visible to me and open them. Perhaps > he vacillates between the two configurations so that he can derive > commentary on it. Not deliberately. I try to remember which groups have otherwise intelligent reader who use broken software and throw a temper-tantrum about how I should try to accomodate their broken software. Never mind it would be easier to just replace the offending software with software that doesn't suck[1] >> Of course I'm no fan of any >> signatures in news, the worst here are Petzl's about 8 lines >> (maybe more now, I stopped to read his articles). > > I think pgp signing is silly in this environment, while valuable in some > others. OpenPGP signatures are actually a bit more valuable in news than email, since it makes your posts bloody hard to forge. I try to use PGP as consistently as possible, so I can readily disclaim forgeries. If the signature doesn't check out, it didn't come from me. Given that email is *NOT PRIVATE*, it makes sense to encrypt what you expect to be private. I'm surprised OpenPGP isn't required to maintain client-attorney or patient-physician confidentiality in email. I'm not exactly a privacy nut or paranoid, I've been forged before in mail and news. I know just how open email is to prying eyes. It's rather nice to know that if I encrypt something I expect to stay private, I only have to worry about how much I trust the person on the other end, not everybody in between. [1] Software that which does not suck is my second choice if there isn't a free[2] alternative. [2] Just because the price is zero does not make it free, for that you also need source and no restriction on redistribution. However, I don't automatically rule out non-free software, though it's a serious strike against it. Free software has given me very high standards for licensing and usability.[3] - -- Paul Johnson Linux. [3]You can find a worse OS, but it costs more. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFAwX3PUzgNqloQMwcRAll6AJ4pr9pHT3hoiLbgaESU647M+pkQ/wCfZgbs kcr7kzdF9BW32ZkfXh8LqII= =HlCL -----END PGP SIGNATURE----- From baloo at ursine.ca Sat Jun 5 02:14:52 2004 From: baloo at ursine.ca (Paul Johnson) Date: Sat Jun 5 04:20:34 2004 Subject: [SpamCop-List] Re: letting my isp deal with the load References: <01c44a57$b672bf00$LocalHost@default> <87d64fmd6q.fsf@ursine.ca> <40C126FA.2F13@xyzzy.claranet.de> Message-ID: <8765a6ifpf.fsf@ursine.ca> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 "Mike Easter" writes: > Frank Ellermann wrote: >> That's only the boundary of his multipart/signed signature, >> as decent as possible with MIME. OE does not support MIME. > > OE actually supports 'a lot' of MIME. ...incompetantly. > However, in my opinion, newsgroup postings should be in plaintext > only, not multipart/alternative of any kind - especially pgp > signed.- except in groups 'specifically' for that purpose. What > people want to do with their mail, such as html or any of that other > 'monkey business' is up to them. A lot of pgp signers seem to > become very unhappy when some text/html comes their way. I don't particularly appreciate text/html in mail, and I don't produce it myself since there's no gaurantee of rendering and it's usually a spammer tactic. However, gnus is happy to send it to w3 for rendering inline. It doesn't look great, but geeze, if you're sending in HTML you're already saying you don't care about whether or not your message is readable... - -- Paul Johnson Linux. You can find a worse OS, but it costs more. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFAwYD8UzgNqloQMwcRAlEwAKDDWHaXcTROovVXfMnHUpI+TBkvkACght9p qxwzOm8F2MkeaSglsuqPU8A= =dccB -----END PGP SIGNATURE----- From nobody at xyzzy.claranet.de Sat Jun 5 11:18:37 2004 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Sat Jun 5 04:20:40 2004 Subject: [SpamCop-List] Re: letting my isp deal with the load References: <01c44a57$b672bf00$LocalHost@default> <87d64fmd6q.fsf@ursine.ca> <40C126FA.2F13@xyzzy.claranet.de> <40C1306E.73F2@xyzzy.claranet.de> <40C145A2.1AAB@xyzzy.claranet.de> Message-ID: <40C181DD.68A7@xyzzy.claranet.de> KronaTech wrote: > the problem is? Apparently your MimeOLE version 6.00.2800.1409 isn't better than Mike's version 5.50. Whatever that means, my Netscape 2.02 is already very old, how old is your OE ? Bye, Frank From baloo at ursine.ca Sat Jun 5 02:17:51 2004 From: baloo at ursine.ca (Paul Johnson) Date: Sat Jun 5 04:35:04 2004 Subject: [SpamCop-List] Re: letting my isp deal with the load References: <01c44a57$b672bf00$LocalHost@default> <87d64fmd6q.fsf@ursine.ca> <40C126FA.2F13@xyzzy.claranet.de> <40C15459.42F5@xyzzy.claranet.de> Message-ID: <871xkuifkg.fsf@ursine.ca> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frank Ellermann writes: > Sure, we don't need any "alternative" to text/plain here. And > in a newsgroup where text/html is allowed, one version is good > enough (either plain or html, not both alternatives). > > But multipart/mixed with more than one text/plain part could be > okay. Or the multipart/signed example here was IMHO acceptable > or at least better than the same PGP crap in the old (pre-MIME) > text/plain hack. I'd be happy to switch back if that's what people want. > In theory multipart/mixed could be _extremely_ useful in .spam: > > 1st part text/plain question, 2nd part message/rfc822 original > spam. It's a pain to guess the artifacts of broken newsreaders > like OE in .spam (e.g. "was this header always broken, or is it > only a side effect of posting it with OE after some obscure > clipboard operations"). So why not do that? Would cut down on the idiotic "Hey, I posted in .spam!" articles... - -- Paul Johnson Linux. You can find a worse OS, but it costs more. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFAwYGvUzgNqloQMwcRAnTEAJ96uJpUulLT6Uu2gYq8qJFci7cywwCg38WY tMqN4NMGIZxWmz0BINibvMk= =GjG/ -----END PGP SIGNATURE----- From baloo at ursine.ca Sat Jun 5 02:21:53 2004 From: baloo at ursine.ca (Paul Johnson) Date: Sat Jun 5 04:35:14 2004 Subject: [SpamCop-List] Re: letting my isp deal with the load References: <01c44a57$b672bf00$LocalHost@default> <87d64fmd6q.fsf@ursine.ca> <40C126FA.2F13@xyzzy.claranet.de> <40C1306E.73F2@xyzzy.claranet.de> <40C145A2.1AAB@xyzzy.claranet.de> Message-ID: <87wu2mh0ta.fsf@ursine.ca> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 "KronaTech" writes: > "Frank Ellermann" wrote in message > news:40C145A2.1AAB@xyzzy.claranet.de... > >> Ouch :-( That's of course wrong, Content-Disposition: Inline >> is not the same as an Attachment. There wasn't even a name >> for this "attachment". > > Here I was enjoying the fact that I couldn't see half his posts (the half he > doesn't post properly), since they were indeed displayed as a blank message > with two attachments. I'm confused. As far as PGP goes, this hasn't been the proper way for a *long* time, PGP/MIME has. > Can't see Paul's posts... the problem is? Your news client is broken. Given that Xnews and Gnus exist and are strong choices, and Mozilla's a reasonably decent alternative, there's really no excuse to use a broken client these days. It's 2004, it's stop using software crufted over in the '90s that barely complies with the standards of the '80s. - -- Paul Johnson Linux. You can find a worse OS, but it costs more. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFAwYKhUzgNqloQMwcRAv/OAKCjl8GD76OXXV3oKqima1rTi3++bwCgyaJt M5BUMfYB2pfJ1AmKUtF7lDU= =wT3A -----END PGP SIGNATURE----- From DougThegarden at hotmail.com Sat Jun 5 10:38:38 2004 From: DougThegarden at hotmail.com (Doug Thegarden) Date: Sat Jun 5 04:40:03 2004 Subject: [SpamCop-List] Re: letting my isp deal with the load References: <01c44a57$b672bf00$LocalHost@default> <87d64fmd6q.fsf@ursine.ca> <40C126FA.2F13@xyzzy.claranet.de> <40C1306E.73F2@xyzzy.claranet.de> <87acziigc0.fsf@ursine.ca> Message-ID: Paul Johnson wrote: > > Not deliberately. I try to remember which groups have otherwise > intelligent reader who use broken software and throw a temper-tantrum > about how I should try to accomodate their broken software. Never > mind it would be easier to just replace the offending software with > software that doesn't suck[1] > Most of us with "broken software" don't throw temper tantrums, we just don't read your posts. That's fine by me but it probably means that your post is not read by 95% of people. That's your choice and really doesn't bother me whether your message gets through or not. Doug From nobody at xyzzy.claranet.de Sat Jun 5 11:52:41 2004 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Sat Jun 5 05:00:52 2004 Subject: [SpamCop-List] Re: letting my isp deal with the load References: <87d64fmd6q.fsf@ursine.ca> <40C126FA.2F13@xyzzy.claranet.de><40C1306E.73F2@xyzzy.claranet.de> <40C145A2.1AAB@xyzzy.claranet.de> <87wu2mh0ta.fsf@ursine.ca> Message-ID: <40C189D9.FDB@xyzzy.claranet.de> Paul Johnson wrote: > Given that Xnews and Gnus exist And slrn. But AFAIK solutions for OE exist. Nobody will change his newsreader only to ignore your PGP signatures. If you really think that that's an option, then I'd use charset=pc-multilingual-850+euro and vcards only to annoy you... :-( > it's stop using software crufted over in the '90s MIME is fully compatible with old software. It was invented in the early '90s. The only problem is broken O*-software. Bye, Frank -- It's stop supporting criminal organizations like SpamCast From baloo at ursine.ca Sat Jun 5 02:48:40 2004 From: baloo at ursine.ca (Paul Johnson) Date: Sat Jun 5 05:05:06 2004 Subject: [SpamCop-List] Re: letting my isp deal with the load References: <01c44a57$b672bf00$LocalHost@default> <87d64fmd6q.fsf@ursine.ca> <40C126FA.2F13@xyzzy.claranet.de> <40C1306E.73F2@xyzzy.claranet.de> <87acziigc0.fsf@ursine.ca> Message-ID: <877jumgzkn.fsf@ursine.ca> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 "Doug Thegarden" writes: > Paul Johnson wrote: >> >> Not deliberately. I try to remember which groups have otherwise >> intelligent reader who use broken software and throw a temper-tantrum >> about how I should try to accomodate their broken software. Never >> mind it would be easier to just replace the offending software with >> software that doesn't suck[1] > > Most of us with "broken software" don't throw temper tantrums, we just don't > read your posts. A rather socially stunted attitude, really. Why not just fix the problem to start with? - -- Paul Johnson Linux. You can find a worse OS, but it costs more. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFAwYjoUzgNqloQMwcRAuMxAJ956hqKPdYM8a4llFFDcHzz9yWZ4QCggfrK dNdhYqcXFDksG0sC06pFDKA= =dGC5 -----END PGP SIGNATURE----- From DougThegarden at hotmail.com Sat Jun 5 11:12:56 2004 From: DougThegarden at hotmail.com (Doug Thegarden) Date: Sat Jun 5 05:15:10 2004 Subject: [SpamCop-List] Re: letting my isp deal with the load References: <01c44a57$b672bf00$LocalHost@default> <87d64fmd6q.fsf@ursine.ca> <40C126FA.2F13@xyzzy.claranet.de> <40C1306E.73F2@xyzzy.claranet.de> <87acziigc0.fsf@ursine.ca> <877jumgzkn.fsf@ursine.ca> Message-ID: Paul Johnson wrote: >> >> Most of us with "broken software" don't throw temper tantrums, we just >> don't read your posts. > > A rather socially stunted attitude, really. Why not just fix the > problem to start with? > Because your posts don't mean enough to me or the rest of the 95% to bother and I don't have a problem with 99.99% of posters. You want us to read you posts, you do something to make them accessible. The onus is on the sender to communicate in a way that their target audience can access if they want their communication to be read, not on the target audience to change their ways to be able to read the sender's communication. But feel free to continue entertaining the ether. Doug From baloo at ursine.ca Sat Jun 5 03:13:51 2004 From: baloo at ursine.ca (Paul Johnson) Date: Sat Jun 5 05:20:04 2004 Subject: [SpamCop-List] Re: letting my isp deal with the load References: <01c44a57$b672bf00$LocalHost@default> <87d64fmd6q.fsf@ursine.ca> <40C126FA.2F13@xyzzy.claranet.de> <40C1306E.73F2@xyzzy.claranet.de> <40C145A2.1AAB@xyzzy.claranet.de> <87wu2mh0ta.fsf@ursine.ca> <40C189D9.FDB@xyzzy.claranet.de> Message-ID: <87r7sufju8.fsf@ursine.ca> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frank Ellermann writes: > Paul Johnson wrote: > >> Given that Xnews and Gnus exist > > And slrn. But AFAIK solutions for OE exist. Nobody will > change his newsreader only to ignore your PGP signatures. > > If you really think that that's an option, then I'd use > charset=pc-multilingual-850+euro and vcards only to annoy > you... :-( Bring it on, there is very little gnus can't handle the right way. You'll probably annoy everyone else, but I'd be able to read it. Gnus allows you to conform pretty nicely to standards, or break them as other posters harrass them into doing so. >> it's stop using software crufted over in the '90s > > MIME is fully compatible with old software. It was invented > in the early '90s. The only problem is broken O*-software. I was referring to the broken O*-software, not MIME. MIME was late 80's, IIRC. Either way, you'd think MS would try to compete considering that a bunch of people programming, often in their spare time for free, manage to produce better software than MS does. - -- Paul Johnson Linux. You can find a worse OS, but it costs more. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFAwY7PUzgNqloQMwcRAiLIAKDC0NoIQNCA1sCGg7xo6Xo6OKCShACgwiQi xK5Rb4Ddu/Cs8VPYd9Aatqw= =bXPu -----END PGP SIGNATURE----- From baloo at ursine.ca Sat Jun 5 03:35:11 2004 From: baloo at ursine.ca (Paul Johnson) Date: Sat Jun 5 05:50:02 2004 Subject: [SpamCop-List] Re: letting my isp deal with the load References: <01c44a57$b672bf00$LocalHost@default> <87d64fmd6q.fsf@ursine.ca> <40C126FA.2F13@xyzzy.claranet.de> <40C1306E.73F2@xyzzy.claranet.de> <87acziigc0.fsf@ursine.ca> <877jumgzkn.fsf@ursine.ca> Message-ID: <87n03ifiuo.fsf@ursine.ca> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 "Doug Thegarden" writes: > Paul Johnson wrote: >>> >>> Most of us with "broken software" don't throw temper tantrums, we >>> just don't read your posts. >> >> A rather socially stunted attitude, really. Why not just fix the >> problem to start with? >> > > Because your posts don't mean enough to me or the rest of the 95% to > bother and I don't have a problem with 99.99% of posters. You want > us to read you posts, you do something to make them accessible. The > onus is on the sender to communicate in a way that their target > audience can access if they want their communication to be read, not > on the target audience to change their ways to be able to read the > sender's communication. It's also the recipients onus to make an attempt to comply with documented standards for communication. You need to meet halfway. - -- Paul Johnson Linux. You can find a worse OS, but it costs more. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFAwZPQUzgNqloQMwcRAkByAKCwiHWOQM3jgyDvd1z9L718DiAyOgCfcdjs e0LXgnfS7BNDgYVsFFBEc74= =QBvC -----END PGP SIGNATURE----- From DougThegarden at hotmail.com Sat Jun 5 11:50:50 2004 From: DougThegarden at hotmail.com (Doug Thegarden) Date: Sat Jun 5 05:55:02 2004 Subject: [SpamCop-List] Re: letting my isp deal with the load References: <01c44a57$b672bf00$LocalHost@default> <87d64fmd6q.fsf@ursine.ca> <40C126FA.2F13@xyzzy.claranet.de> <40C1306E.73F2@xyzzy.claranet.de> <87acziigc0.fsf@ursine.ca> <877jumgzkn.fsf@ursine.ca> <87n03ifiuo.fsf@ursine.ca> Message-ID: Paul Johnson wrote: > > It's also the recipients onus to make an attempt to comply with > documented standards for communication. You need to meet halfway. > I'll forgive your lapse in documented standards for communication in English when you omitted the apostrophe from recipients' Doug From me at privacy.net Sat Jun 5 07:00:33 2004 From: me at privacy.net (Frog Prince) Date: Sat Jun 5 06:05:03 2004 Subject: [SpamCop-List] Re: letting my isp deal with the load References: <01c44a57$b672bf00$LocalHost@default> <87d64fmd6q.fsf@ursine.ca> <40C126FA.2F13@xyzzy.claranet.de> <40C1306E.73F2@xyzzy.claranet.de> <87acziigc0.fsf@ursine.ca> <877jumgzkn.fsf@ursine.ca> <87n03ifiuo.fsf@ursine.ca> Message-ID: "Paul Johnson" | >>> | >>> Most of us with "broken software" don't throw temper tantrums, we | >>> just don't read your posts. | >> | >> A rather socially stunted attitude, really. Why not just fix the | >> problem to start with? | >> | > | > Because your posts don't mean enough to me or the rest of the 95% to | > bother and I don't have a problem with 99.99% of posters. You want | > us to read you posts, you do something to make them accessible. The | > onus is on the sender to communicate in a way that their target | > audience can access if they want their communication to be read, not | > on the target audience to change their ways to be able to read the | > sender's communication. | | It's also the recipients onus to make an attempt to comply with | documented standards for communication. You need to meet halfway. Fact is not all know how to make the changes to fix the problem, FWIW some don;'t view it as their problem or if they do: since your post are in the minority in this regard it is easier to just ignore them. I, for one, have no idea why one of your post is unreadable and the post on either side are readable. It's a mystery but not one high on the list of the mysteries of life. Nothing personal but since *I* only experience the problem reading *your* post (of *all* the very much more numerous other post I receive) it's not very high on my must do, right now, today list. Perhaps if I had the problem reading post/mail from my grand daughter I would think differently. From redford_stone at INVERSE_OF_COLDmail.com Sat Jun 5 12:07:51 2004 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Sat Jun 5 07:10:03 2004 Subject: [SpamCop-List] [C&C] SPEWS analogy. Message-ID: Picked this one up from NANAE. Here Jerry is trying to explain SPEWS to somone whose IP block is in SPEWS. :-) ============ From: JerryMouse (nospam@bisusa.com) Subject: Re: We're no SPAMMER! Please help! View this article only Newsgroups: news.admin.net-abuse.email Date: 2004-06-03 19:20:17 PST DevilsPGD wrote: > In message <> "Steven > M (remove cola to reply)" did ramble: > >> No accident. SPEWS has widened a listing to include your IP >> blocks. Here's an analogy: > > Mind if I quote this? Want it attributed? Here's another: 1. Your emails are a bunch of sperm, itching to do their thing. 2. Your ISP is a prick. 3. SPEWS is a condom. 4. We are innocent maidens who don't like surprises. 5. You are asking for a teeny hole to be poked in the rubber. You'll have to get us drunk first. ======= From nobody at spamcop.net Sat Jun 5 07:53:00 2004 From: nobody at spamcop.net (Miss Betsy) Date: Sat Jun 5 07:50:04 2004 Subject: [SpamCop-List] Re: What am I missing? References: <40BCC67C.9000600@spamcop.net> <40BDF6A3.3030805@spamcop.net> <40BE33F6.907@spamcop.net> Message-ID: "Blammo" wrote in message news:Xns94FEEBDDB9DE7blammo@216.154.195.61... >There goes your "forces > people to be responsible" theory. Yes, I know. But I still keep hoping that some ISP's will educate enough average users (which will include some business people) about 'responsible' internet use and the tipping point will be reached. > BTW, since AOL uses their own mail client, it would be quite simple for > them to just block spam links within that application. Other ISPs could > offer some crapware download to do something similar, but why not just > disable images in the client and be done with it. > I haven't followed this thread enough to be able to agree or disagree, but I think in your last post, you mentioned something about 'corporations deciding for you' and that is worse than spam, IMHO. However, I do think that educated consumers could decide to use a service that blocked links - as a contribution to using the internet 'responsibly' since why have something that you would never use? Miss Betsy From ob1db at spamcop.net Sat Jun 5 09:50:36 2004 From: ob1db at spamcop.net (David Butler) Date: Sat Jun 5 08:55:03 2004 Subject: [SpamCop-List] Re: Perhaps I've found a POC for spam source References: Message-ID: "brewman" wrote in message news:c9rot0$cip$1@news.spamcop.net... > I'm getting spam from 166.104.200.92; SC realises that the POC > ykjung@hyuee.hanyang dot ac:kr is DOA (another TLA) so sends to > devnull. However, a quick scan of > http://www.hanyang.ac.kr/code_html/inquiries/eindex.html reveals > zillions of contact emails, all webmaster@ihanyang dot ac:kr > How about sending SC reports there? > Or maybe postmaster at web site? > > -- try posting to .routing From MikeE at ster.invalid Sat Jun 5 07:09:26 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sat Jun 5 09:10:05 2004 Subject: [SpamCop-List] Re: Perhaps I've found a POC for spam source References: Message-ID: brewman wrote: > I'm getting spam from 166.104.200.92; SC realises that the POC > ykjung@hyuee.hanyang dot ac:kr is DOA (another TLA) so sends to > devnull. However, a quick scan of > http://www.hanyang.ac.kr/code_html/inquiries/eindex.html reveals > zillions of contact emails, all webmaster@ihanyang dot ac:kr > How about sending SC reports there? > Or maybe postmaster at web site? If you are going to present a case in .routing, you should also include the abuse.net lookups from apnic's domainname inetnum: 166.104.0.0 - 166.104.255.255 netname: HY-NET admin-c: YC305-AP tech-c: YC305-AP nic-hdl: YC305-AP ykjung@hyuee.hanyang.ac.kr person: Yongki Chung address: Hanyang University Computer Center whois -h whois.abuse.net hyuee.hanyang.ac.kr ... isjang@email.hanyang.ac.kr postmaster@hanyang.ac.kr security@bora.net spamrelay@certcc.or.kr (for hanyang.ac.kr) and then also the abuse.net for your ihanyang whois -h whois.abuse.net ihanyang.ac.kr ... spamrelay@certcc.or.kr abuse@ihanyang.ac.kr spamcop@kisa.or.kr postmaster@ihanyang.ac.kr (for kr) The idea about 'arguing' about these notify issues is that you have a spam which you have parsed for which you can provide a tracker, because the verbose parse will provide more information than just what I can get if I plug the naked IP address into the parser. In this case it only tells me it doesn't have a good address, but not the details behind that. If you have parsed an item with that IP as the target, the verbose parse tells the 'background' of what happens with the notify addresses obtained in the usual way. Then, let's say that you can figure out a better way to notify than what is divined from all of that information you can see above. Then, you are trying to build a case for telling a deputy how s/he ought to do it better; because if your argument is convincing, s/he will go into the routing configuration and make adjustments by hand and sign off on it. In order to do that, you come up with a well documented argument, ie hand her 'on a silver platter' what you think is a better notify and a sound basis for proposing that, and post the whole enchilada in .routing. Then, if s/he likes what s/he sees there, there will be a littlel 'patch' in the routing db of the parser so that it will use that information instead of the standard lookup processes from apnic. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sat Jun 5 07:10:21 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sat Jun 5 09:15:03 2004 Subject: [SpamCop-List] Re: Perhaps I've found a POC for spam source References: Message-ID: Mike Easter wrote: > If you are going to present a case in .routing, The idea being, to present hir with a solution, not a problem. -- Mike Easter kibitzer, not SC admin From HHAnderson at hotmail.com Sat Jun 5 08:29:57 2004 From: HHAnderson at hotmail.com (Bud Anderson) Date: Sat Jun 5 09:35:02 2004 Subject: [SpamCop-List] Re: Recursive links References: Message-ID: "Mike Easter" wrote in message news:c9q4pr$2ou$1@news.spamcop.net... | Bud Anderson wrote: | > The Spam with this subject in .spam | | spamcop.net/sc?id=z510183329z95bcc4fb7d05bf7a8942c69ccdd12b69z | | > What's going on? | | I didn't see it in the tracker, and I submitted the spam from your .spam | message's source and I didn't see it; so whatever the problem might've | been must be currently resolved. | | | -- | Mike Easter | kibitzer, not SC admin Still happening Mike: On this one: http://www.spamcop.net/sc?id=z511343932z545d2c654e74377566758ba9b7f1ba94z First run I didn't submit got the following partial: -------------------------------------------------------------- Finding links in message body Recurse multipart: Parsing text part Parsing HTML part no links found Please make sure this email IS spam: From: "FREE SHIPPING! Sabine" ((ADV) Make your manhood work ) This is a multi-part message in MIME format. ------=_NextPart_000_0000_007AFF68.377611D9 ---------------------------------------------------------------- Ran it again and got the following which I did submit: ---------------------------------------------------------------- Finding links in message body Recurse multipart: Parsing text part Parsing HTML part Resolving link obfuscation http://www.privacyrx.biz host 64.202.167.129 = ip-64-202-167-129.secureserver.net (cached) http://www.privacyrx.biz host 64.202.167.129 = ip-64-202-167-129.secureserver.net (cached) http://www.theunderwriters.biz host 64.202.167.129 = ip-64-202-167-129.secureserver.net (cached) Tracking link: http://www.privacyrx.biz Routing details for 64.202.167.129 [refresh/show] Cached whois for 64.202.167.129 : abuse@godaddy.com Using abuse net on abuse@godaddy.com abuse net godaddy.com = abuse@godaddy.com Using best contacts abuse@godaddy.com Tracking link: http://www.theunderwriters.biz Cached masters for 64.202.167.129: abuse@godaddy.com Please make sure this email IS spam: From: "FREE SHIPPING! Sabine" ((ADV) Make your manhood work ) This is a multi-part message in MIME format. ------=_NextPart_000_0000_007AFF68.377611D9 View full message --------------------------------------------------------------------- Apparently they've found some way to hide the spamvertised site which sometimes does and sometimes doesn't confuse SC. Bud From rvaessen at spamcop.net Sat Jun 5 09:14:57 2004 From: rvaessen at spamcop.net (Robert L. Vaessen) Date: Sat Jun 5 10:15:02 2004 Subject: [SpamCop-List] Compromised mailhosts reconfigured to redirect all bounces to me! - aka Spammer hell! Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 All - What began yesterday has become an apparent case of spammer hell. And, I'm deep in the middle of it. Yesterday, I began receiving a series of bounces, at first I thought they were your typical bounce from a spammers forgery of my email address. After a short time, it became apparent that it was something much more sinister. It appears as if the spammer, who is in control of some compromised mailhosts, is not only using these compromised servers to send spam with my email address forged on the From: / Reply-To: address, but it appears that the spammer has reconfigured the compromised mailhost, so that all the bounces that it receives are redirected to my email address! I'm being flooded by non-delivery bounces! The following IPs are sending me non-delivery bounces. 211.35.151.171 69.73.167.175 218.4.100.179 139.142.24.29 218.155.6.175 (I hope I got all the correct IPs) They're all blacklisted, and they all seem to be relaying bounces which quote the same/similar spam messages. Has anyone else experienced this extreme form of spam Hell? What can I possibly do in this case? Most of the servers are Chinese/Korean. Sending email to them would probably have no effect whatsoever, as I suspect they are compromised. - - Robert A long time spam fighter. I guess I'm really on someone's shit list now! -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (Darwin) iD8DBQFAwdVhQ4wNZ+v3ZRoRAuTfAJ9fWWQ1gHVDiiwJFt15zRKlWcMSewCdFkVg uGYnmQ4apPU9mCLmxQbzO8o= =CRTR -----END PGP SIGNATURE----- From tmcgraw at spamcop.net Sat Jun 5 08:31:50 2004 From: tmcgraw at spamcop.net (Tim McGraw) Date: Sat Jun 5 10:35:05 2004 Subject: [SpamCop-List] Re: letting my isp deal with the load References: <01c44a57$b672bf00$LocalHost@default> <87d64fmd6q.fsf@ursine.ca> <40C126FA.2F13@xyzzy.claranet.de> <40C1306E.73F2@xyzzy.claranet.de> <40C145A2.1AAB@xyzzy.claranet.de> <87wu2mh0ta.fsf@ursine.ca> Message-ID: <40C1D956.2060502@spamcop.net> Paul Johnson wrote: > > It's 2004, it's stop using software crufted over in the '90s > that barely complies with the standards of the '80s. You mean, like PGP? From MikeE at ster.invalid Sat Jun 5 08:40:31 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sat Jun 5 10:45:04 2004 Subject: [SpamCop-List] Re: Compromised mailhosts reconfigured to redirect all bounces to me! -aka Spammer hell! References: Message-ID: Robert L. Vaessen wrote: > The following IPs are sending me non-delivery bounces. > > 211.35.151.171 ordb listed open smtp relay [non-anonymizing] since '03 Sep > 218.155.6.175 ordb listed open smtp relay [non-anonymizing] since '04 May 24 69.73.167.175 oxygen.nocdirect.com ESMTP Exim 4.34 - manipulable, script didn't relay, "501 Too many syntax or protocol errors" after 3 domain literals 218.4.100.179 no port 25 139.142.24.29 raq01.ttw.net ESMTP Sendmail 8.10.2/8.10.2 - manipulable, full abuse.net script didn't relay -- Mike Easter kibitzer, not SC admin From me at nowhere.net Sat Jun 5 11:44:10 2004 From: me at nowhere.net (lt) Date: Sat Jun 5 10:45:16 2004 Subject: [SpamCop-List] Re: What am I missing? In-Reply-To: References: <40BCC67C.9000600@spamcop.net> <40BDF6A3.3030805@spamcop.net> <40BE33F6.907@spamcop.net> Message-ID: Blammo wrote: > BTW, since AOL uses their own mail client, it would be quite simple for > them to just block spam links within that application. Other ISPs could > offer some crapware download to do something similar, but why not just > disable images in the client and be done with it. > To clarify the original point I was getting at. Instead of blocking e-mail sources, which hurts a lot of legitimate users, if the major ISP's were to block access to the spamvertized sites I think the spam problem would die rapidly. You can't make money if you can't sell your product. What is the down side? Take it strictly from a national basis and you pick the country of interest. From a U.S. viewpoint. If the major ISP's like Comcast, Verizon and AOL blocked spamvertized sites, for the most part they would be blocking Korean, Chinese and Brazilian sites. Very few U.S. users speak any of those languages and wouldn't have anything blocked they would normally use except for the spam sites. And if the block lists operate the same as Spam Cop the blocks would go away after a short period so no long term damage. IMHO in a matter of months the problem would all but cease to exist. From maddsybil at spamcop.net Sat Jun 5 11:46:16 2004 From: maddsybil at spamcop.net (MaddSybil) Date: Sat Jun 5 10:50:03 2004 Subject: [SpamCop-List] Re: Compromised mailhosts reconfigured to redirect all bounces to me! -aka Spammer hell! References: Message-ID: "Robert L. Vaessen" wrote in message news:mailman.105.1086444906.9607.spamcop-list@news.spamcop.net... > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > All - > > What began yesterday has become an apparent case of spammer hell. And, > I'm deep in the middle of it. > > Yesterday, I began receiving a series of bounces, at first I thought > they were your typical bounce from a spammers forgery of my email > address. After a short time, it became apparent that it was something > much more sinister. > SNIP > > (I hope I got all the correct IPs) They're all blacklisted, and they > all seem to be relaying bounces which quote the same/similar spam > messages. > > Has anyone else experienced this extreme form of spam Hell? What can I > possibly do in this case? Most of the servers are Chinese/Korean. > > Sending email to them would probably have no effect whatsoever, as I > suspect they are compromised. > > - - Robert > A long time spam fighter. I guess I'm really on someone's shit list > now! > For a short-term stopgap, can you just block all emails with 'bounce', etc. in it? From MikeE at ster.invalid Sat Jun 5 08:57:25 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sat Jun 5 11:00:03 2004 Subject: [SpamCop-List] Re: What am I missing? References: <40BCC67C.9000600@spamcop.net> <40BDF6A3.3030805@spamcop.net> <40BE33F6.907@spamcop.net> Message-ID: lt wrote: > if the major ISP's were to block access to the spamvertized > sites Where does this list of spamvertized sites come from? surbl? brightmail's spamtraps? spamhaus? spews? What about the legal liability of collateral damage? Plaintiff litigant: damaged innocent collaterally damaged site owner. Culpable sued defendant: deep pockets provider. > IMHO in a matter of months the problem would all but cease to > exist. -- Mike Easter kibitzer, not SC admin From baloo at ursine.ca Sat Jun 5 08:54:56 2004 From: baloo at ursine.ca (Paul Johnson) Date: Sat Jun 5 11:05:02 2004 Subject: [SpamCop-List] Re: letting my isp deal with the load References: <01c44a57$b672bf00$LocalHost@default> <87d64fmd6q.fsf@ursine.ca> <40C126FA.2F13@xyzzy.claranet.de> <40C1306E.73F2@xyzzy.claranet.de> <40C145A2.1AAB@xyzzy.claranet.de> <87wu2mh0ta.fsf@ursine.ca> <40C1D956.2060502@spamcop.net> Message-ID: <87brjyf41r.fsf@ursine.ca> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Tim McGraw writes: > Paul Johnson wrote: >> It's 2004, it's stop using software crufted over in the '90s that >> barely complies with the standards of the '80s and earlier. > > You mean, like PGP? I mean, like Outlook Express (it's crufted over, and it barely groks SMTP and POP3). - -- Paul Johnson Linux. You can find a worse OS, but it costs more. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFAwd7AUzgNqloQMwcRAuIxAKC1rOS2KaQ92leCQfEGypXkDPlDCwCfb71t fCsmS+XWJWVz8ZhhHcgNXv0= =HAlT -----END PGP SIGNATURE----- From me at nowhere.net Sat Jun 5 12:31:20 2004 From: me at nowhere.net (lt) Date: Sat Jun 5 11:35:02 2004 Subject: [SpamCop-List] Re: What am I missing? In-Reply-To: References: <40BCC67C.9000600@spamcop.net> <40BDF6A3.3030805@spamcop.net> <40BE33F6.907@spamcop.net> Message-ID: Mike Easter wrote: > What about the legal liability of collateral damage? Plaintiff > litigant: damaged innocent collaterally damaged site owner. Culpable > sued defendant: deep pockets provider. > I fail to see where there would be any more liability then presently exists with the e-mail block lists. If irate subscribers sent spam to their own ISP they could set up their own block list. An ISP has no liability to the spammers to allow access to their sites. A user may have a complaint, but no perceived liabilty (I had to say that, I'm not a lawyer.) I see your point, and I could be wrong about the liability issue, especially in light of the recent suit against SpamCop. From bert at visi.com Sat Jun 5 16:36:42 2004 From: bert at visi.com (Bert Hyman) Date: Sat Jun 5 11:40:02 2004 Subject: [SpamCop-List] No links found in body? Message-ID: I've posted the full text of the message in "spamcop.spam", in an article with the same title. This is the text as displayed on the spamcop Website when "view entire message" or "view full message" is selected from the submission page. The link to the submission is http://www.spamcop.net/sc?id=z511543892zcc96ba72a6b4df607b5177b14095bb07z I forwarded this to spamcop as an attachment using a PERL program from elm, just like I always do. I've noticed that most times Spamcop doesn't find links in the text of messages, but this is the first time I've reported one. What's up? -- Bert Hyman St. Paul, MN bert@visi.com From MikeE at ster.invalid Sat Jun 5 09:45:54 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sat Jun 5 11:50:03 2004 Subject: [SpamCop-List] Re: What am I missing? References: <40BCC67C.9000600@spamcop.net> <40BDF6A3.3030805@spamcop.net> <40BE33F6.907@spamcop.net> Message-ID: lt wrote: > I fail to see where there would be any more liability then presently > exists with the e-mail block lists. There's a lot of difference between "my mailbox, my rules" and [direct] restraint of trade, ie actively preventing people from coming into my store with no good reason. Remember that I'm the innocent collaterally damaged website owner here. It would be like me opening a store at the mall, and General Motors designing their cars so they couldn't be navigated to my place. I'm not a lawyer either, nor play one on TV. Also, you never did say where you were getting this list of spamvertised sites. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sat Jun 5 09:58:58 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sat Jun 5 12:00:04 2004 Subject: [SpamCop-List] Re: No links found in body? References: Message-ID: Bert Hyman wrote: www.spamcop.net/sc?id=z511543892zcc96ba72a6b4df607b5177b14095bb07z > I've noticed that most times Spamcop doesn't find links in the text of > messages, but this is the first time I've reported one. > > What's up? Bad content headerline: Content-Type: multipart/mixed; boundary="1077508092@sugarloafconfctr.com" The body isn't multipart mixed and there isn't a boundary [epilog immaterial]. If that wrong content header hadn't been in there SC would've found the links like this: www.spamcop.net/sc?id=z511570935zf7dfa8d36408b7dfe9aca8a6b699fd67z Resolving link obfuscation http://vip.sina.com.cn/cgi-bin/mail/redirect.cgi?http://www.buycheapdrug s.biz host 202.108.35.188 = sina35-188.sina.com.cn (cached) http://www.officeoffer.com/qog354/14/rf.html host 200.223.214.225 (getting name) no name Re: http://vip.sina.com.cn/cgi-bin/mail/redirect.cg... (Administrator of network hosting website referenced in spam) To: postmaster#cnc-noc.net@devnull.spamcop.net (Notes) To: abuse@cnc-noc.net (Notes) Re: http://www.officeoffer.com/qog354/14/rf.html (Administrator of network hosting website referenced in spam) To: mail-abuse@nic.br (Notes) To: abuse@telemar.net.br (Notes) You can't make material changes like to a spam like I did with the demonstration and spamcop report with it. -- Mike Easter kibitzer, not SC admin From nobody at xyzzy.claranet.de Sat Jun 5 19:09:36 2004 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Sat Jun 5 12:25:10 2004 Subject: [SpamCop-List] Re: letting my isp deal with the load References: <87d64fmd6q.fsf@ursine.ca> <40C126FA.2F13@xyzzy.claranet.de><40C1306E.73F2@xyzzy.claranet.de> <40C145A2.1AAB@xyzzy.claranet.de> <87wu2mh0ta.fsf@ursine.ca> <40C189D9.FDB@xyzzy.claranet.de> <87r7sufju8.fsf@ursine.ca> Message-ID: <40C1F040.3636@xyzzy.claranet.de> Paul Johnson wrote: > Bring it on, there is very little gnus can't handle the right > way. I did, but there's no interesting effect for 7bit texts. > You'll probably annoy everyone else Definitely. Even my own ersatz-newsreader running on a system with this local charset doesn't support it. slrn could handle pc-multilingual-850+euro (i.e. the slrn on an OS/2 box). > Gnus allows you to conform pretty nicely to standards, or > break them as other posters harrass them into doing so. I don't know this beast, but it depends on its environment. If you have 256 -33 -5 printable characters (windows-1252), then there are quite a lot of unprintable UTF-8 characters. And if you have about 1500 "printable" glyphs on your system, then there are still a lot of "unprintable" UTF-8 characters. You only get the subset supported on your system. Which is us-ascii with my newsreader, because it doesn't know UTF-8. > I was referring to the broken O*-software, not MIME. Okay, but "old" and "broken" is a difference. Netscape 2.02 is probably much older than Mike's OE. The last update for IBM's 2.02 for OS/2 was about 1998. > MIME was late 80's, IIRC. The RfCs say 1992, but they must have discussed this for some time. > you'd think MS would try to compete considering that a bunch > of people programming, often in their spare time for free, > manage to produce better software than MS does. M$ is interested in $$$, not in standards. As far as they are concerned everybody uses their software, and therefore RfCs are irrelevant or for sale. :-( Bye, Frank -- Just ÚÄ¿ ÉÍ» for ³Õ³ º¸º fun ÀÄÙ Èͼ From ric.gates at bigsleep.org Sat Jun 5 17:34:45 2004 From: ric.gates at bigsleep.org (Blammo) Date: Sat Jun 5 12:35:03 2004 Subject: [SpamCop-List] Re: What am I missing? References: <40BCC67C.9000600@spamcop.net> <40BDF6A3.3030805@spamcop.net> <40BE33F6.907@spamcop.net> Message-ID: On 05 Jun 2004 lt entered spamcop and left news:c9sm7n$2h6$1@news.spamcop.net: > To clarify the original point I was getting at. > Instead of blocking e-mail sources, which hurts a lot of legitimate > users, if the major ISP's were to block access to the spamvertized sites > I think the spam problem would die rapidly. You can't make money if you > can't sell your product. This is exactly what I've been replying to. I'm not dismissing the idea entirely, as it would probably be a good thing in a corporate environment, for tagging spam, and for smart image blocking. But is certainly not by itself a reasonable solution. In addition to Mike's comments, I know enough about web server administration to know that this method wouldn't be very effective anyway, and would probably cause an increase in spam. -- | Ric | From nobody at xyzzy.claranet.de Sat Jun 5 19:32:43 2004 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Sat Jun 5 12:40:04 2004 Subject: [SpamCop-List] Re: No links found in body? References: Message-ID: <40C1F5AB.147D@xyzzy.claranet.de> Bert Hyman wrote: > Spamcop doesn't find links in the text There are no links. It's a multipart messages with zero parts. The 1st part should start with a line... --1077508092@sugarloafconfctr.com There's no such line. The last part should end with a line... --1077508092@sugarloafconfctr.com-- > What's up? All is fine, this spammer sent an "empty" spam. Really old software could display the text before the non-existing first part, but really old software (written before '92) won't show any links. Maybe some broken M$ O* products do weird things, but SC cannot imitate different bugs of different versions of different O* products. Tiny little mazes, all different. Plough, Frank From me at nowhere.net Sat Jun 5 14:04:23 2004 From: me at nowhere.net (lt) Date: Sat Jun 5 13:05:02 2004 Subject: [SpamCop-List] Re: What am I missing? In-Reply-To: References: <40BCC67C.9000600@spamcop.net> <40BDF6A3.3030805@spamcop.net> <40BE33F6.907@spamcop.net> Message-ID: Mike Easter wrote: > Also, you never did say where you were getting this list of spamvertised > sites. > I thought when I wrote; >If irate subscribers sent spam to their own ISP they could set up their own block list answered that. From me at nowhere.net Sat Jun 5 14:05:54 2004 From: me at nowhere.net (lt) Date: Sat Jun 5 13:10:03 2004 Subject: [SpamCop-List] Re: What am I missing? In-Reply-To: References: <40BCC67C.9000600@spamcop.net> <40BDF6A3.3030805@spamcop.net> <40BE33F6.907@spamcop.net> Message-ID: Blammo wrote: > In addition to Mike's comments, I know enough about web server > administration to know that this method wouldn't be very effective anyway, > and would probably cause an increase in spam. > Could you explain how it would cause an incease in spam? From ric.gates at bigsleep.org Sat Jun 5 18:42:21 2004 From: ric.gates at bigsleep.org (Blammo) Date: Sat Jun 5 13:45:03 2004 Subject: [SpamCop-List] Re: What am I missing? References: <40BCC67C.9000600@spamcop.net> <40BDF6A3.3030805@spamcop.net> <40BE33F6.907@spamcop.net> Message-ID: On 05 Jun 2004 lt entered spamcop and left news:c9suhf$93i$2@news.spamcop.net: > > > Blammo wrote: > > >> In addition to Mike's comments, I know enough about web server >> administration to know that this method wouldn't be very effective >> anyway, and would probably cause an increase in spam. >> > Could you explain how it would cause an incease in spam? > > The reason is self evident. -- | Ric | From MikeE at ster.invalid Sat Jun 5 12:33:39 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sat Jun 5 14:35:17 2004 Subject: [SpamCop-List] Re: What am I missing? References: <40BCC67C.9000600@spamcop.net> <40BDF6A3.3030805@spamcop.net> <40BE33F6.907@spamcop.net> Message-ID: lt wrote: > Mike Easter wrote: >> Also, you never did say where you were getting this list of >> spamvertised sites. > >If irate subscribers sent spam to their own ISP they could set up > their own block list Well, here's a little commentary on that. Let's use a very large provider like EL EarthLink, which I kow about, and which has a complete 'apparatus' to both filter spam and to accept spam submitted to them by subscribers. The apparatus is provided by the bigtime enterprise spam detecting operation Brightmail. The rest of the apparatus is both a proprietary user interface for those EL users who like things AOL-style, called TotalAccess, or those who prefer to pop their own mail but can do so through the EL spamblocker [off, low, high] and can also manage it with a webmail gizmo, which provides 'automatic' submission to a junkmail@earthlink.net spam receptacle. The spam receptacle 'feeds back' to Brightmail, who describe that in their whitepaper which can be seen here http://www.brightmail.com/pdfs/xSP_white_paper_05feb04.pdf and note especially the little diagram which shows spam url/s incorporated into the filtering process. My point of elaborating on all of this is to demonstrate the 'complexity' that even an enterprise bigtime ISP may go to that could possibly lead to a 'pile' of spam urls. However, this would not be an easy chore for those providers which are not designed with such an 'elaborate' apparatus. Ask a provider how s/he would like to try to block their users from the url/s which are to be found in their user's spams. They will say 'No thanks.' Brightmail has a huge spamtrap apparatus of their own [supposedly millions], which is the principle source of their spamfiltering capabilities, as they have crews of humans poring over the results of their software algorithms and ongoing updating of the filters. My point is not to extol the merits or strengths of Brightmail, but to try to convey what an operation has to do to get things like spam urls very promptly. You can also read about how surbl.org goes about getting its own list of spam urls from spamcop. The Brightmail execs who give lectures at spam conferences say that the spam feedback from users is very very very problematic; as they are quite unreliable about reporting spam and report things they've subscribed to and all sorts of other undesirable false positives. Brightmail is very much against false positives. OK. Now we somehow are going to have a pile of spam url/s which are typically turned into spam url IPs - at least that's the way the plugins for SpamAssassin handle spam url /filtering/. But, we aren't just going to filter here. Instead, we are going to block port 80 access; presumably based on these spam url IPs that we somehow derived from the input of the unreliable ISP spammed clients. So, somehow we block the IPs which belong to the spams which may or may not include false positives. Now, we have another problem. The name resolution one. A spam website can have the same IP as a non-spammy place. That is, the webserver directs the traffic appropriately based on the domainname after the browser asks for the page, but it got to the webserver's address traveling by the standard IP address routing. Or, maybe you might do it another way; refuse to resolve the name in the first place. The ISP's client typically uses the ISP DNS. So, somehow you would block the name resolution at the DNS, I guess. Do you have a structure in mind for this spamurl blocking? Or were you just blue-skying? -- Mike Easter kibitzer, not SC admin From not at home.today Sat Jun 5 20:39:06 2004 From: not at home.today (Ant) Date: Sat Jun 5 14:40:03 2004 Subject: [SpamCop-List] Re: No links found in body? References: <40C1F5AB.147D@xyzzy.claranet.de> Message-ID: "Frank Ellermann" wrote... [...] > but SC cannot imitate different bugs of different versions > of different O* products. Tiny little mazes, all different. > > Plough, Frank Plugh. You are eaten by a grue. From bert at visi.com Sat Jun 5 19:52:02 2004 From: bert at visi.com (Bert Hyman) Date: Sat Jun 5 14:55:02 2004 Subject: [SpamCop-List] Re: No links found in body? References: <40C1F5AB.147D@xyzzy.claranet.de> Message-ID: In news:40C1F5AB.147D@xyzzy.claranet.de Frank Ellermann wrote: > Bert Hyman wrote: > >> Spamcop doesn't find links in the text > > There are no links. It's a multipart messages with zero parts. > The 1st part should start with a line... > --1077508092@sugarloafconfctr.com > > There's no such line. The last part should end with a line... > --1077508092@sugarloafconfctr.com-- > >> What's up? > > All is fine, this spammer sent an "empty" spam. Really old > software could display the text before the non-existing first > part, but really old software (written before '92) won't show > any links. ... I see. So, it's really my problem because I read my email with "more" :-) -- Bert Hyman St. Paul, MN bert@visi.com From me at nowhere.net Sat Jun 5 16:00:08 2004 From: me at nowhere.net (lt) Date: Sat Jun 5 15:05:06 2004 Subject: [SpamCop-List] Re: What am I missing? In-Reply-To: References: <40BCC67C.9000600@spamcop.net> <40BDF6A3.3030805@spamcop.net> <40BE33F6.907@spamcop.net> Message-ID: Mike Easter wrote: > > Do you have a structure in mind for this spamurl blocking? Or were you > just blue-skying? > Thanks for taking the time to go through that. The original question was "What am I missing?" I obviously don't have a clue as to how e-mail or web pages are processed, and don't claim to. You took the time to help. I've been working on genealogy for 20 years and have had my own web page for 9 years. I have too many contacts all over the world who have my spammed e-mail address and could someday come up with the elusive link I've been looking for. I guess the only hope is that maybe the FTC will put some teeth into the Can-Spam act and put some of these bastards in jail. From pobox.spamcop at kronatech.net Sat Jun 5 13:15:39 2004 From: pobox.spamcop at kronatech.net (KronaTech) Date: Sat Jun 5 15:20:03 2004 Subject: [SpamCop-List] Re: Compromised mailhosts reconfigured to redirect all bounces to me! -aka Spammer hell! References: Message-ID: "Robert L. Vaessen" wrote in message news:mailman.105.1086444906.9607.spamcop- > The following IPs are sending me non-delivery bounces. > > 211.35.151.171 > 69.73.167.175 > 218.4.100.179 > 139.142.24.29 > 218.155.6.175 If you can't block those yourself via webmail, you can always ask your mail admin to choke/block those 5 addresses for a couple of days. I'm sure (seems to me) they wont mind doing something about it for you. I certainly would if someone asked me to block them on my servers, temporarily. -K From tmcgraw at spamcop.net Sat Jun 5 13:18:35 2004 From: tmcgraw at spamcop.net (Tim McGraw) Date: Sat Jun 5 15:20:13 2004 Subject: [SpamCop-List] Re: What am I missing? References: <40BCC67C.9000600@spamcop.net> <40BDF6A3.3030805@spamcop.net> <40BE33F6.907@spamcop.net> Message-ID: <40C21C8B.5010205@spamcop.net> Blammo wrote: > On 05 Jun 2004 lt entered spamcop and left > news:c9suhf$93i$2@news.spamcop.net: >>Blammo wrote: >> >>>In addition to Mike's comments, I know enough about web server >>>administration to know that this method wouldn't be very effective >>>anyway, and would probably cause an increase in spam. >> >>Could you explain how it would cause an incease in spam? > > The reason is self evident. To whom? From m.dolbear at lineone.net Sat Jun 5 21:12:57 2004 From: m.dolbear at lineone.net (Michael R N Dolbear) Date: Sat Jun 5 16:15:12 2004 Subject: [SpamCop-List] Re: What am I missing? References: <40BCC67C.9000600@spamcop.net> <40BDF6A3.3030805@spamcop.net> <40BE33F6.907@spamcop.net> Message-ID: <01c44b1a$33bbe000$LocalHost@default> lt wrote [...] > users, if the major ISP's were to block access to the spamvertized sites > I think the spam problem would die rapidly. You can't make money if you > can't sell your product. What is the down side? Take it strictly from a > national basis and you pick the country of interest. From a U.S. > viewpoint. If the major ISP's like Comcast, Verizon and AOL blocked > spamvertized sites, for the most part they would be blocking Korean, > Chinese and Brazilian sites. Very few U.S. users speak any of those > languages and wouldn't have anything blocked they would normally use > except for the spam sites. And if the block lists operate the same as > Spam Cop the blocks would go away after a short period so no long term > damage. IMHO in a matter of months the problem would all but cease to exist. You wish ! They would oscillate rapidly between mirrors using a DNS that changed every hour ? Some spammers don't use web sites at all, 419 Nigerian frauds, diploma and degree offers seem to find phone, email and snail mail enough. Some don't need to, drug and herbal remedies, printer cartridges, the CD they want to ban. -- Mike D From pobox.spamcop at kronatech.net Sat Jun 5 14:59:41 2004 From: pobox.spamcop at kronatech.net (KronaTech) Date: Sat Jun 5 17:00:03 2004 Subject: [SpamCop-List] First scumbags to scan my address out of these NG. Message-ID: For those who are interested to know who the first scumbags who spammed the address I created just for these NG, here is my server's session log, which shows the spam passing ORDB and SpamCop, but getting nailed by Spamhaus. I just happened to have the monitor on (on my server) when the spam passed through. So this is just one set of many dirtbags who are scanning these groups. Occurred about 30 minutes ago. Note that I have set the server not to reject, but to place the remote in the ban list with a huge TTL. [log] Sat 2004-06-05 13:31:05: [700:77:1] Accepting SMTP connection from [202.108.68.157 : 63133] Sat 2004-06-05 13:31:05: [700:77:1] Looking up PTR record for 202.108.68.157 (157.68.108.202.IN-ADDR.ARPA) Sat 2004-06-05 13:31:05: [700:77:1] Name server reports domain name unknown. Sat 2004-06-05 13:31:05: [700:77:1] --> 220 kronatech.net ESMTP MDaemon 6.8.5; Sat, 05 Jun 2004 13:31:05 -0700 Sat 2004-06-05 13:31:06: [700:77:1] <-- EHLO allfa-backup.1618.net Sat 2004-06-05 13:31:06: [700:77:1] Performing reverse lookup on allfa-backup.1618.net (looking for 202.108.68.157) Sat 2004-06-05 13:31:06: [700:77:1] D=allfa-backup.1618.net TTL=(60) A=[202.108.68.157] Sat 2004-06-05 13:31:06: [700:77:1] --> 250-kronatech.net Hello allfa-backup.1618.net, pleased to meet you Sat 2004-06-05 13:31:06: [700:77:1] --> 250-ETRN Sat 2004-06-05 13:31:06: [700:77:1] --> 250-AUTH=LOGIN Sat 2004-06-05 13:31:06: [700:77:1] --> 250-AUTH LOGIN CRAM-MD5 Sat 2004-06-05 13:31:06: [700:77:1] --> 250-8BITMIME Sat 2004-06-05 13:31:06: [700:77:1] --> 250-STARTTLS Sat 2004-06-05 13:31:06: [700:77:1] --> 250 SIZE 25000000 Sat 2004-06-05 13:31:07: [700:77:1] <-- MAIL FROM: SIZE=1079 Sat 2004-06-05 13:31:07: [700:77:1] Performing reverse lookup on cn.1618.net (looking for 202.108.68.157) Sat 2004-06-05 13:31:07: [700:77:1] D=cn.1618.net TTL=(60) A=[202.108.68.157] Sat 2004-06-05 13:31:07: [700:77:1] Spam Blocker is checking 202.108.68.157 (connecting IP) Sat 2004-06-05 13:31:08: [700:77:1] * relays.ordb.org - passed Sat 2004-06-05 13:31:08: [700:77:1] * bl.spamcop.net - passed Sat 2004-06-05 13:31:08: [700:77:1] * sbl-xbl.spamhaus.org - failed to pass Sat 2004-06-05 13:31:08: [700:77:1] Spam Blocker is finished Sat 2004-06-05 13:31:08: [700:77:1] --> 250 , Sender ok Sat 2004-06-05 13:31:11: [700:77:1] <-- RCPT TO: Sat 2004-06-05 13:31:11: [700:77:1] --> 250 , Recipient ok Sat 2004-06-05 13:31:11: [700:77:1] <-- DATA Sat 2004-06-05 13:31:11: [700:77:1] --> 354 Enter mail, end with . Sat 2004-06-05 13:31:15: [700:77:1] --> 250 Ok, message saved Sat 2004-06-05 13:31:15: [700:77:1] <-- QUIT Sat 2004-06-05 13:31:15: [700:77:1] --> 221 See ya in cyberspace Sat 2004-06-05 13:31:15: [700:77:1] SMTP session successful, 1088 bytes transferred. Sat 2004-06-05 13:31:15: [700:77:1] Shuffling message(s) into proper queue(s) Sat 2004-06-05 13:31:15: [700:77:1] Message received from allfa-backup.1618.net [202.108.68.157] with SMTP for [Size 1077] {c:\progra~1\mdaemon\localq\md50000000435.msg} [/log] I will post the actual spam in .spam with the subject in place "Software for Search-Engine, Mail, DNS, and more" -K From nobody at devnull.spamcop.net Sun Jun 6 10:22:27 2004 From: nobody at devnull.spamcop.net (brewman) Date: Sat Jun 5 17:20:03 2004 Subject: [SpamCop-List] Re: What am I missing? References: <40BCC67C.9000600@spamcop.net> <40BDF6A3.3030805@spamcop.net> <40BE33F6.907@spamcop.net> <01c44b1a$33bbe000$LocalHost@default> Message-ID: "Michael R N Dolbear" wrote > Some spammers don't use web sites at all, 419 Nigerian frauds, .. Ahh, but some do! Fake bank web sites with 'real' customer accounts etc to add credulity ("Oh, it's on the Internet; it must be true"). Try http://www.artists-against-419.mugus.com/bandwidth.shtml and do an anomym@us.comm trick (I think) and gobble their bandwidth. -- Brewman Brewman.SpamCop@brycom.cX.nX which really ends with dot co dot nz From rcarlton at spamcop.net Sat Jun 5 15:57:04 2004 From: rcarlton at spamcop.net (Rick Carlton) Date: Sat Jun 5 17:55:03 2004 Subject: [SpamCop-List] Re: First scumbags to scan my address out of these NG. References: Message-ID: "KronaTech" wrote in message news:c9tc7u$ji0$1@news.spamcop.net... > I will post the actual spam in .spam with the subject in place "Software for > Search-Engine, Mail, DNS, and more" I got the same spam - and to my Spamcop account at that! Fools. From windsorfoxNOSPAM at cox.net Sat Jun 5 18:59:09 2004 From: windsorfoxNOSPAM at cox.net (WindsorFox[SS]) Date: Sat Jun 5 18:55:16 2004 Subject: [SpamCop-List] Re: letting my isp deal with the load In-Reply-To: References: Message-ID: Technomage wrote: > well guys, > after some extensive testing, I am letting my ISP spam filter do its work. > I can no longer handle the load of dealing with spam 2 hours out of each > day (thats 14 hours per week I could be doing something more constructive). > > I am also sending a bill to comcast 9and others) to the tune of > $4,158,650.28 (thats 4 Million plus dollars) for my time and frustration > over the last 6 months. I doubt I'll collect, but it will establish that a > problem does exist. > > Right now, as of this writing, the ISP spam filter has lightened my load > by almost 200 spams a day (I got 8 for the last 3 days). > > now heres to hoping I can convince a few ISP's that its cheaper to deal > with the spam problem than an IRATE victim of spam. > > Technomage Hawke > > Greedy bastard, my COmcast bill was only 800,000.00+ ... :-p From usenet-fbi at inbox4u.de Sun Jun 6 02:00:06 2004 From: usenet-fbi at inbox4u.de (Falko Eickel) Date: Sat Jun 5 19:05:02 2004 Subject: [SpamCop-List] Re: Broken C/R systems: Spamarrest, Earthlink, UOL, ... References: <40C12CC7.4CAA@xyzzy.claranet.de> <40C14AAA.1184@xyzzy.claranet.de> Message-ID: <40C25076.231@inbox4u.de> Frank Ellermann wrote: > Maybe SPF will help with this situation, my ISP has to > add a SPF record for wildcard hosts, and EL has to check > bounce addresses against SPF. Now why does this sound > like "early 2005" for me ? But tnx for info, bye, Frank Wildcard DNS records are a very special kind of animal. They are only used when there's no other DNS record for the original DNS request, regardless of the type of request. But as there is an A record for your hostname, your ISP would have to provide an additional TXT record for each hostname (this is discussed in RFC 1034 4.3.2 and 4.3.3 for MX records). CU/2 Falko From dan-o at sbcglobal.net Sat Jun 5 21:08:20 2004 From: dan-o at sbcglobal.net (Dan Obenhaus) Date: Sat Jun 5 21:10:15 2004 Subject: [SpamCop-List] BUG: Ploy defeats Spamcop Message-ID: Spamcop refuses spam in form of bounce... Spamcop returns: "This message looks like a bounce, will not report. Do not report bounces as spam! Nothing to do." Spam header/body follows: X-Apparently-To: me@sbcglobal.net via web80102.mail.yahoo.com; Sat, 05 Jun 2004 17:16:44 -0700 Return-Path: <> Received: from yipvme-ext.prodigy.net (EHLO yipvme.prodigy.net) (207.115.63.32) by mta819.mail.yahoo.com with SMTP; Sat, 05 Jun 2004 17:16:44 -0700 X-Originating-IP: [66.163.168.154] Received: from mta808.mail.yahoo.com (mta808.mail.yahoo.com [66.163.168.154]) by yipvme.prodigy.net (8.12.10/8.12.10) with SMTP id i560Gc8l078630 for ; Sat, 5 Jun 2004 20:16:39 -0400 Date: Sat, 5 Jun 2004 20:16:38 -0400 Message-Id: <200406060016.i560Gc8l078630@yipvme.prodigy.net> From: MAILER-DAEMON@sbcglobal.net To: me@sbcglobal.net X-Loop: MAILER-DAEMON@sbcglobal.net Subject: Delivery failure Message from sbcglobal.net. Unable to deliver message to the following address(es). : Sorry your message to carcase@sbcglobal.net cannot be delivered. This account has been disabled or discontinued [#101]. : This user doesn't have a sbcglobal.net account (gnarled@sbcglobal.net) [-9] --- Original message follows. Return-Path: Received: from vmh-ext.prodigy.net (EHLO vmh.prodigy.net) (207.115.63.97) by mta808.mail.yahoo.com with SMTP; Sat, 05 Jun 2004 17:16:41 -0700 X-Header-NoReverseIP: IP.name.lookup.failed[221.127.180.96] X-Originating-IP: [221.127.180.96] Received: from 207.115.63.85 ([221.127.180.96]) by vmh.prodigy.net (8.12.10 tcpwcg notemp /8.12.10) with SMTP id i560GYgU270136; Sat, 5 Jun 2004 20:16:35 -0400 X-Message-Info: J503WOJ0E2otZFR74G5kjPzFQ677 Received: from [242.193.136.138] by begotten009881.premise.me@sbcglobal.net via HTTP; Tue, 06 Jul 2004 17:12:10 -0700 Date: Tue, 06 Jul 2004 22:15:10 -0200 Message-ID: <294486478214.38685@me@sbcglobal.net> Reply-To: "Kasey Ho" From: "Kasey Ho" To: "004" Subject: Hello 004 Date: Tue, 06 Jul 2004 22:17:10 -0200 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="--5363971969521531921" ----5363971969521531921 Content-Type: text/plain; charset="iso-9838-4" Content-Transfer-Encoding: 7Bit 004,( We are going to be closing soon! We have the highest quality, and now, lowest priced prescription drugs online. Buy something while you still can! VI3AGRA C4ialis VALIU+M X7ANAX http://www.655.owner187pill.biz/b12 embellish recompense englander precautionary vagina herkimer incite whittle colander gloat jacobsen entity lombardy channel vista dance barbiturate parishioner inquest indianapolis . ----5363971969521531921-- *** MESSAGE TRUNCATED *** . From nobody at spamcop.net Sat Jun 5 21:20:46 2004 From: nobody at spamcop.net (Miss Betsy) Date: Sat Jun 5 21:20:03 2004 Subject: [SpamCop-List] Re: Ploy defeats Spamcop References: Message-ID: "Dan Obenhaus" wrote in message news:c9tqpu$u5c$1@news.spamcop.net... > Spamcop refuses spam in form of bounce... > I am sorry to tell you this, but that's old news. There are lots of people who would like a BounceCop, but spamcop is not expanding. Miss Betsy From lalalaNOSPAM at crazyhat.net Sat Jun 5 20:18:14 2004 From: lalalaNOSPAM at crazyhat.net (DevilsPGD) Date: Sat Jun 5 21:20:14 2004 Subject: [SpamCop-List] Re: BUG: Ploy defeats Spamcop References: Message-ID: In message <> "Dan Obenhaus" did ramble: >Spamcop refuses spam in form of bounce... Unless I'm having an especially stupid day, that is a bounce, that is not spam. -- Reality is a nice place, but I wouldn't want to live there. From MikeE at ster.invalid Sat Jun 5 19:51:55 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sat Jun 5 21:55:02 2004 Subject: [SpamCop-List] Re: Ploy defeats Spamcop References: Message-ID: Notice that OE handles a subject with 2-4 letters followed by a colon 'badly' by decapitating the first word before putting in the 'Re:' Dan Obenhaus wrote: > Spamcop refuses spam in form of bounce... That is correct. Or rather, it is against the rules to report bounced spam with spamcop, and SC is helping you not break the rules by rejecting your submission. Also, spam should be posted in the ng .spam, not in spamcop, and then discussed here in spamcop or .help, not discussed in spam. No spam pasting in the 'regular' ng/s - just in .spam. The structure of what you posted here is: bounce headers + bounce body + spam headers + spam body. The spam was sent to someone else with your addy in the From:, the recipient server accepted the item and then 'belatedly bounced' it, which is a stupid thing to do with spam, because then it got sent to the >From addy, which is yours. Very annoying, but it can't be spamcop reported. -- Mike Easter kibitzer, not SC admin From caribe at jamesodell.com Sat Jun 5 23:32:04 2004 From: caribe at jamesodell.com (James Odell) Date: Sat Jun 5 22:35:04 2004 Subject: [SpamCop-List] 68.253.188.164 not listed in bl.spamcop.net Message-ID: Hi, It used to be that when you reported a spam, it was registered by SpamCop on the blacklist history -- and it could be seen in seconds on the "checkblock" page. However, recently, I have found this not to be true. Twice, I have reported spams against IP 68.253.188.164 via the members.spamcop.net webpage. Yet, when you look at the "w3m?action=checkblock&ip=68.253.188.164, it just says "not listed in bl.spamcop.net". In short, my spam reporting is not being registered by SpamCop. Why would that be? Thanks, Jim From eek at barkerjr.net Sat Jun 5 23:59:10 2004 From: eek at barkerjr.net (BarkerJr) Date: Sat Jun 5 23:05:03 2004 Subject: [SpamCop-List] Re: Ploy defeats Spamcop References: Message-ID: > Spamcop refuses spam in form of bounce... The attachement is a spam, but not the bounce wrapper. You can still report the attached spam, just not the bounce. From MikeE at ster.invalid Sat Jun 5 21:41:26 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sat Jun 5 23:45:04 2004 Subject: [SpamCop-List] Re: Ploy defeats Spamcop References: Message-ID: BarkerJr wrote: > The attachement is a spam, but not the bounce wrapper. You can still > report the attached spam, just not the bounce. You also can't report the bounce part. http://www.spamcop.net/fom-serve/cache/14.html If the bounce message contains spam, it is not permitted for you to report the spam contained within the bounce, You have to report those manually, and only use SC's parser on the item to help determine who/how to notify with your manual, and cancel the SC report. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sat Jun 5 21:46:09 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sat Jun 5 23:50:02 2004 Subject: [SpamCop-List] Re: 68.253.188.164 not listed in bl.spamcop.net References: Message-ID: James Odell wrote: > In short, my spam reporting is not being registered > by SpamCop. Why would that be? There's a process that takes a variable amount of time between reporting, and the effects on the db that is accessible at http://www.spamcop.net/bl.shtml and another variable to affect the SCbl that is accessible by nslookup or its equivalent at 4.3.2.1.bl.spamcop.net -- Mike Easter kibitzer, not SC admin From baloo at ursine.ca Sat Jun 5 22:29:40 2004 From: baloo at ursine.ca (Paul Johnson) Date: Sun Jun 6 00:35:03 2004 Subject: [SpamCop-List] Re: letting my isp deal with the load References: <01c44a57$b672bf00$LocalHost@default> <87d64fmd6q.fsf@ursine.ca> <40C126FA.2F13@xyzzy.claranet.de> <40C1306E.73F2@xyzzy.claranet.de> <40C145A2.1AAB@xyzzy.claranet.de> <87wu2mh0ta.fsf@ursine.ca> <40C189D9.FDB@xyzzy.claranet.de> <87r7sufju8.fsf@ursine.ca> <40C1F040.3636@xyzzy.claranet.de> Message-ID: <87r7stl363.fsf@ursine.ca> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frank Ellermann writes: >> I was referring to the broken O*-software, not MIME. > > Okay, but "old" and "broken" is a difference. OE is both. It woudn't matter that it's old if it weren't also broken. >> MIME was late 80's, IIRC. > > The RfCs say 1992, but they must have discussed this for some > time. I always figure it usually takes two to four years of tinkering around with it before someone punches up an RFC. > M$ is interested in $$$, not in standards. As far as they are > concerned everybody uses their software, and therefore RfCs > are irrelevant or for sale. :-( Fortuantely, that thinking is slowly starting to burn them. - -- Paul Johnson Linux. You can find a worse OS, but it costs more. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFAwp20UzgNqloQMwcRAkUtAJ9//K2X5Sb+ehth3ZA8eWso8jFriwCeKZvI P6GeG3eAzfHlqhLBp0GIvwY= =TGND -----END PGP SIGNATURE----- From eek at barkerjr.net Sun Jun 6 01:11:03 2004 From: eek at barkerjr.net (BarkerJr) Date: Sun Jun 6 01:05:03 2004 Subject: [SpamCop-List] Re: Ploy defeats Spamcop References: Message-ID: > > The attachement is a spam, but not the bounce wrapper. You can still > > report the attached spam, just not the bounce. > > You also can't report the bounce part. > > http://www.spamcop.net/fom-serve/cache/14.html If the bounce message > contains spam, it is not permitted for you to report the spam contained > within the bounce, > > You have to report those manually, and only use SC's parser on the item > to help determine who/how to notify with your manual, and cancel the SC > report. Ah, my apologies. I hadn't realized that. It does make sense, though. From SaintP at webtv.net Sun Jun 6 02:58:03 2004 From: SaintP at webtv.net (Saint P) Date: Sun Jun 6 03:10:02 2004 Subject: [SpamCop-List] Philosophy Message-ID: <28832-40C2C07B-185@storefull-3278.bay.webtv.net> This is just so funny (from a spam) that I just had to share it: Sensation!! We opened a NEW site with unbeatable prices and products. 800 WORLD BEST software with 90% discount - that is a really BEST offer just imagine, you can buy ALL software that you ever need and pay price of just one of it! Office 2003 for 50$ - nice deal right ? ;) retail price is 700$ - great savings, huh? Please spend few moments of yours precious time to check our offer - it is more than worth it! http://Jacob.oem-licenses.biz/?Mickey Temperance is a bridle of gold. Calamities are of two kinds: misfortune to ourselves, and good fortune to others. Your dreams will come true... if you can see it... if you believe in it... then you can achieve it. What is this life if, full of care, we have no time to stand and stare? Governments tend not to solve problems, only to rearrange them. No good is ever done to society by the pictorial representation of its diseases. There cannot be a personal God without a pessimistic religion. As soon as there is a personal God he is a disappointing God. There is death in the pot. [2 Kings 4:40] The history of a soldier's wound beguiles the pain of it. One does a whole painting for one peach and people think just the opposite -- that particular peach is but a detail. In the matter of furnishing, I find a certain absence of ugliness far worse than ugliness. When ambition ends, happiness begins. Church is the only place where someone speaks to me and I do not have to answer back. Kind words are worth much and they cost little. Act well your part there all honor lies. It is easy to give advice from a port of safety. You have to be tough. Night brings our troubles to the light, rather than banishes them. Feminism is an entire world view or gestalt, not just a laundry list of women's issues. From nobody at xyzzy.claranet.de Sun Jun 6 10:07:45 2004 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Sun Jun 6 03:10:17 2004 Subject: [SpamCop-List] Re: Ploy defeats Spamcop References: Message-ID: <40C2C2C1.510E@xyzzy.claranet.de> BarkerJr wrote: > I hadn't realized that. It does make sense, though. If the bounce is complete and "interesting" (insert your definition ;-) you could of course still report it directly. My definition of "interesting" covers complete worms with all headers. I send it back to the abuse desk of the bouncing mailer because they help to distribute worms, with a Cc: to the abuse desk of the infected system. Bye, Frank From MikeE at ster.invalid Sun Jun 6 01:32:49 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sun Jun 6 03:35:03 2004 Subject: [SpamCop-List] Re: Philosophy References: <28832-40C2C07B-185@storefull-3278.bay.webtv.net> Message-ID: Saint P wrote: > This is just so funny (from a spam) that I just had to share it: There you go, reading your spam and reading it to /us/. I'm trying to teach people to not even open, much less read spam and you are trying to convince us that some of it is interesting and should be read. First you look at the subjects, then some of them strike your fancy or curiosity, so you open those. Then, some of the ones you open, you are even more curious or puzzled about, so you check out the website. Are you sure that you are pledged to never ever aid *any* spammer, no matter how good or interesting the deal is? You /should/ be so pledged, and the place to draw the line in the sand is ideally back there at 'reading' subjects, where it is akin to glancing through your junk mail to see if there's anything worth opening and looking into. When spammers have you treating your spam like you do your junk mail, they are in the driver's seat. With the right kind of spam, you would be a potential purchaser. -- Mike Easter kibitzer, not SC admin From nobody at xyzzy.claranet.de Sun Jun 6 10:43:26 2004 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Sun Jun 6 03:55:02 2004 Subject: [SpamCop-List] Re: letting my isp deal with the load References: <87d64fmd6q.fsf@ursine.ca> <40C126FA.2F13@xyzzy.claranet.de><40C1306E.73F2@xyzzy.claranet.de> <40C145A2.1AAB@xyzzy.claranet.de> <87wu2mh0ta.fsf@ursine.ca> <40C189D9.FDB@xyzzy.claranet.de> <87r7sufju8.fsf@ursine.ca> <40C1F040.3636@xyzzy.claranet.de> <87r7stl363.fsf@ursine.ca> Message-ID: <40C2CB1E.7374@xyzzy.claranet.de> Paul Johnson wrote: >> "old" and "broken" is a difference. > OE is both. ACK, if I see that Mike is forced to ask other posters to avoid subjects starting with 2..4 letters followed by a colon, then I'm again sure that OE was one of the worst software products of the 2nd millenium. And the same MS dares propose internet drafts like Caller-ID, it's worse than a nightmare, it must be real. >> As far as they are concerned everybody uses their software, >> and therefore RfCs are irrelevant or for sale. :-( > Fortuantely, that thinking is slowly starting to burn them. Where do you see this ? It's easy to "buy" the IETF, you only need some fulltime professionals on a few mailing-lists ready to block every simple idea, and a product (of course patented and proprietary) dominating the market like many MS products, and finally somebody documenting "common practice" as new RfC. As simple as 1-2-3. For a fascinating example of similar tactics see RfC 954bis: At the moment we have RfC 954 which is in fact obsolete in many aspects. But it's still the reason why _public_ whois servers with accurate data about domains _should_ exist. If RfC 954bis is adopted there's no more reason to publish data for domains, would not work anymore... :-( Bye, Frank From nobody at xyzzy.claranet.de Sun Jun 6 11:24:53 2004 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Sun Jun 6 04:30:02 2004 Subject: [SpamCop-List] Re: First scumbags to scan my address out of these NG. References: Message-ID: <40C2D4D5.75CA@xyzzy.claranet.de> Add me, unfortuately already reported. I'm unable to "decode" the spamvertized resp. JoeJobbed Web site, but real spam sent to addresses found _here_ is not verly likely, or is it ? Bye. From nobody at xyzzy.claranet.de Sun Jun 6 11:38:15 2004 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Sun Jun 6 04:40:02 2004 Subject: [SpamCop-List] Re: No links found in body? References: <40C1F5AB.147D@xyzzy.claranet.de> Message-ID: <40C2D7F7.30A7@xyzzy.claranet.de> Ant wrote: [s/plough/plugh/] > Plugh. You are eaten by a grue. Grrh... I even checked the spelling with Google, why didn't I simply look into advword.h ? Bye ;-) From nobody at xyzzy.claranet.de Sun Jun 6 11:48:24 2004 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Sun Jun 6 04:55:48 2004 Subject: [SpamCop-List] Re: No links found in body? References: <40C1F5AB.147D@xyzzy.claranet.de> Message-ID: <40C2DA58.7FB8@xyzzy.claranet.de> Bert Hyman wrote: > really my problem because I read my email with "more" :-) Then you could always use Mike's idea, replace the header Content-Type: by X-Content-Type: and let SC parse the spam as plain text. But then you have to be very careful with HTML costructs like... http://innocent.example ...IMHO too much work, YMMV, bye, Frank From nobody at xyzzy.claranet.de Sun Jun 6 12:14:21 2004 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Sun Jun 6 05:20:26 2004 Subject: [SpamCop-List] Re: Broken C/R systems: Spamarrest, Earthlink, UOL, ... References: <40C12CC7.4CAA@xyzzy.claranet.de> <40C14AAA.1184@xyzzy.claranet.de> <40C25076.231@inbox4u.de> Message-ID: <40C2E06D.146D@xyzzy.claranet.de> Falko Eickel wrote: > Wildcard DNS records are a very special kind of animal. The whole DNS system is a very special kind of animal for me, and so far I got the idea "not exactly like Fido node lists" ;-) > But as there is an A record for your hostname AFAIK there isn't: hjdhmgdbg.claranet.de = 212.82.225.58 xyzzy.claranet.de = 212.82.225.58 www.xyzzy.claranet.de = 212.82.225.58 mgj.hjfmc.claranet.de = 212.82.225.58 Some hosts really have their own IP: www.claranet.de = 212.82.225.8 relay.claranet.de = 212.82.225.86 In theory it's possible to define a special sender policy for say www.claranet.de like "v=spf1 -all", but in practice all I need is "v=spf1 redirect=claranet.de" for the wildcard * case. They could also copy the existing SPF record for claranet.de, the redirect feature is probably only interesting if you want to avoid numerous changes in the future. Bye, Frank From nobody at xyzzy.claranet.de Sun Jun 6 12:31:44 2004 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Sun Jun 6 05:35:03 2004 Subject: [SpamCop-List] Re: Attn Ellen: 'This message looks like a virus, will not report.' References: <7505c09scnff2lqbg62t6fji0a2alnoolp@4ax.com> Message-ID: <40C2E480.7C49@xyzzy.claranet.de> Tim Boyer wrote in spamcop.routing: > http://www.spamcop.net/sc?id=z512200165z82c7cda26a78f7881e24b7dab5b08bbfz [...] > I'm curious what makes it 'look like a virus'. See KronaTech's answer, the (dummy) MIME header Content-Type: application/x-msdownload; name="for_old_mail_clients.scr.txt" confused SC. That's a "known" bug (known = already discussed in spamcop some weeks ago), maybe send it to deputies AT admin.spamcop > As far as I can tell, it's just a straight spam ACK. And it's definitely no spamcop.routing issue: fup2 spamcop Bye, Frank From DougThegarden at hotmail.com Sun Jun 6 14:04:50 2004 From: DougThegarden at hotmail.com (Doug Thegarden) Date: Sun Jun 6 08:15:18 2004 Subject: [SpamCop-List] Domain hijack attempt Message-ID: Just been notified by my ISP of an attempt to have my domain transferred. The attempt failed because of the security protocol the ISP has in place but I was wondering whether hijacking domains is a new twist or an old old one. Presumably not all ISPs are as robust on security either. Not come across it before myself. Just waiting for them to supply details of who/what/where. Doug From rmu93awSPAMB02 at sneakemail.com Sun Jun 6 09:04:35 2004 From: rmu93awSPAMB02 at sneakemail.com (Spambo) Date: Sun Jun 6 09:05:02 2004 Subject: [SpamCop-List] Re: BUG: Ploy defeats Spamcop In-Reply-To: References: Message-ID: DevilsPGD wrote: > [snip] > > Unless I'm having an especially stupid day, that is a bounce, that is > not spam. Well, it looks like a bounce to me too, although it also looks like commercial email. Aassuming that the final recipient didn't request the material it is apparently also "spam". The fact that SC's TOS prohibits reporting bounces doesn't change the nature of the email or the definition of "spam". -- Just a SpamCop newsgroup participant, not an admin or employee of SpamCop or related domains. From eek at barkerjr.net Sun Jun 6 10:34:02 2004 From: eek at barkerjr.net (BarkerJr) Date: Sun Jun 6 10:05:10 2004 Subject: [SpamCop-List] Re: Domain hijack attempt References: Message-ID: > Just been notified by my ISP of an attempt to have my domain transferred. The > attempt failed because of the security protocol the ISP has in place but I was > wondering whether hijacking domains is a new twist or an old old one. > Presumably not all ISPs are as robust on security either. Not come across it > before myself. Just waiting for them to supply details of who/what/where. Well, hijacking domains is nothing new in general. Most of the quality registrars have something called Domain-Lock that only the owner (or someone with the user/pass) of the domain can enable/disable. Some of the TLDs use a domain key instead of domain-lock. Same concept, except domain-key is a random-letter password used to transfer the domain. From tboyer at spamcop.net Sun Jun 6 11:34:44 2004 From: tboyer at spamcop.net (Tim Boyer) Date: Sun Jun 6 10:35:09 2004 Subject: [SpamCop-List] Re: Attn Ellen: 'This message looks like a virus, will not report.' References: <7505c09scnff2lqbg62t6fji0a2alnoolp@4ax.com> <40C2E480.7C49@xyzzy.claranet.de> Message-ID: On Sun, 06 Jun 2004 11:31:44 +0200, Frank Ellermann wrote: >Tim Boyer wrote in spamcop.routing: > >> http://www.spamcop.net/sc?id=z512200165z82c7cda26a78f7881e24b7dab5b08bbfz >[...] >> I'm curious what makes it 'look like a virus'. > >See KronaTech's answer, the (dummy) MIME header Content-Type: >application/x-msdownload; name="for_old_mail_clients.scr.txt" >confused SC. > >That's a "known" bug (known = already discussed in spamcop >some weeks ago), maybe send it to deputies AT admin.spamcop > >> As far as I can tell, it's just a straight spam > >ACK. >And it's definitely no spamcop.routing issue: fup2 spamcop > > Bye, Frank How the _heck_ did I post this in .routing? Not enough caffiene, or something. :) Thanks, Frank... tim -- tboyer@spamcop.net Nothing official, just another Spamcop user From rmu93awSPAMB02 at sneakemail.com Sun Jun 6 11:07:26 2004 From: rmu93awSPAMB02 at sneakemail.com (Spambo) Date: Sun Jun 6 11:10:04 2004 Subject: [SpamCop-List] PING Deputies - troll misusing SC? Message-ID: Jamie Baillie, a well-known nanae troll, seems to be using SpamCop to report Usenet messages that he doesn't like as spam. The nanae post reporting this misuse isn't in Google as of the time of this posting, but once it's archived you can probably find it at http://groups.google.com/groups?selm=c9vaff%24ruk%241%40ratbert.glorb.com Reference: Usenet Message-ID: c9vaff$ruk$1@ratbert.glorb.com -- Just a SpamCop newsgroup participant, not an admin or employee of SpamCop or related domains. From MikeE at ster.invalid Sun Jun 6 09:39:13 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sun Jun 6 11:40:03 2004 Subject: [SpamCop-List] Re: PING Deputies - troll misusing SC? References: Message-ID: Spambo wrote: > Jamie Baillie, a well-known nanae troll, seems to be using SpamCop > to report Usenet messages that he doesn't like as spam. > > The nanae post reporting this misuse isn't in Google as of the time of > this posting, but once it's archived you can probably find it at > http://groups.google.com/groups?selm=c9vaff%24ruk%241%40ratbert.glorb.co m > > Reference: Usenet Message-ID: c9vaff$ruk$1@ratbert.glorb.com The other useful reference is the link to the spamcop report: www.spamcop.net/w3m?i=z1057559303zc8a7e3d8bd265e191a85c74df1ccf94cz which is a SC report of a nanae post by Geoff Brozny flaming Jamie. Of course, there being a report doesn't prove that Jamie made it, only a deputy would be able to figure that out. -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Sun Jun 6 10:58:36 2004 From: nobody at spamcop.net (Don Wannit) Date: Sun Jun 6 13:00:20 2004 Subject: [SpamCop-List] Re: Ploy defeats Spamcop In-Reply-To: References: Message-ID: Mike Easter wrote: > BarkerJr wrote: > >>The attachement is a spam, but not the bounce wrapper. You can still >>report the attached spam, just not the bounce. > > > You also can't report the bounce part. > > http://www.spamcop.net/fom-serve/cache/14.html If the bounce message > contains spam, it is not permitted for you to report the spam contained > within the bounce, > > You have to report those manually, and only use SC's parser on the item > to help determine who/how to notify with your manual, and cancel the SC > report. > > But be wary, wary careful! Since everything in the body is supplied by the creator of a fake bounce, you can't trust any of the supposed headers in the bounced payload. Even the apparent chain of "Received" headers can't be trusted. Unless you know for sure that the spam contained in a bouncygram is intact, don't try to report it, even manually. So, if you can verify the chain of custody of the bouncygram itself (maybe it originated at a mailhost under your control), then you might be able to trust the headers of the spam message being bounced. Otherwise, it's not worth risking a bad report by reporting a spam message constructed with false evidence. -- Don Wannit A paid SpamCop user since 1999 From nobody at spamcop.net Sun Jun 6 11:08:43 2004 From: nobody at spamcop.net (K. Crocker) Date: Sun Jun 6 13:10:07 2004 Subject: [SpamCop-List] Re: Philosophy In-Reply-To: References: <28832-40C2C07B-185@storefull-3278.bay.webtv.net> Message-ID: I believe a little tolerance is in order. Your assumption that because one reads suspected spam, one is going to act on it is a bit over the top. On some occasions I have to "preview" a piece of suspected spam (using a feature of my spam filter that doesn't follow any links back to the source) just to confirm that the email *is* spam. I've saved more than one false report that way. You want intelligent reporters, and you want us never to open suspected spam. You can't have it both ways. As for quoting the spam in this ng, you have a minor point, but, whether within the guidelines or not, precedence has been established for quoting bayesian humor/anecdotal material within spam by other ng authors that haven't been so stearnly reprimanded. --Ken Mike Easter wrote: > Saint P wrote: > >>This is just so funny (from a spam) that I just had to share it: > > > There you go, reading your spam and reading it to /us/. > > I'm trying to teach people to not even open, much less read spam and you > are trying to convince us that some of it is interesting and should be > read. > > First you look at the subjects, then some of them strike your fancy or > curiosity, so you open those. Then, some of the ones you open, you are > even more curious or puzzled about, so you check out the website. > > Are you sure that you are pledged to never ever aid *any* spammer, no > matter how good or interesting the deal is? You /should/ be so pledged, > and the place to draw the line in the sand is ideally back there at > 'reading' subjects, where it is akin to glancing through your junk mail > to see if there's anything worth opening and looking into. > > When spammers have you treating your spam like you do your junk mail, > they are in the driver's seat. With the right kind of spam, you would > be a potential purchaser. > From nobody at spamcop.net Sun Jun 6 13:40:27 2004 From: nobody at spamcop.net (Miss Betsy) Date: Sun Jun 6 13:40:07 2004 Subject: [SpamCop-List] Re: Philosophy References: <28832-40C2C07B-185@storefull-3278.bay.webtv.net> Message-ID: Wonder where they got that? Obviously, they didn't read it. We are getting closer and closer to proving the "monkeys typing" theory! Miss Betsy From eddie at eddie.web Sun Jun 6 14:38:07 2004 From: eddie at eddie.web (eddie) Date: Sun Jun 6 13:40:18 2004 Subject: [SpamCop-List] Re: Domain hijack attempt References: Message-ID: On Sun, 06 Jun 2004 13:04:50 +0100, Doug Thegarden scratched out the following: > Just been notified by my ISP of an attempt to have my domain transferred. > The attempt failed because of the security protocol the ISP has in place > but I was wondering whether hijacking domains is a new twist or an old old > one. snip I own a half-dozen domains and manage a few more registered to me, and whenever one is near expiration there are attempts to hijack it. They run from the obvious email and smail scams to outright hacking. I received a letter some months ago from my registrar letting me know that an attempt to move my domain registry failed. The company attempting the hijack and their registrar are non-USA ISPs, one of which is well-known and claimed innocence. I have since placed "locks" on the registration, but nothing is perfect. Vigilance is necessary but not guaranteed to prevent it. From eddie at eddie.web Sun Jun 6 14:42:07 2004 From: eddie at eddie.web (eddie) Date: Sun Jun 6 13:45:02 2004 Subject: [SpamCop-List] Re: Philosophy References: <28832-40C2C07B-185@storefull-3278.bay.webtv.net> Message-ID: On Sun, 06 Jun 2004 10:08:43 -0700, K. Crocker scratched out the following: > I believe a little tolerance is in order. Your assumption that because one > reads suspected spam, one is going to act on it is a bit over the top. On > some occasions I have to "preview" a piece of suspected spam (using a > feature of my spam filter that doesn't follow any links back to the > source) just to confirm that the email *is* spam. I've saved more than one > false report that way. You want intelligent reporters, and you want us > never to open suspected spam. You can't have it both ways. > > As for quoting the spam in this ng, you have a minor point, but, whether > within the guidelines or not, precedence has been established for quoting > bayesian humor/anecdotal material within spam by other ng authors that > haven't been so stearnly reprimanded. > > --Ken > > Mike Easter wrote: > >> Saint P wrote: >> >>>This is just so funny (from a spam) that I just had to share it: >> >> >> There you go, reading your spam and reading it to /us/. >> >> I'm trying to teach people to not even open, much less read spam and you >> are trying to convince us that some of it is interesting and should be >> read. >> >> First you look at the subjects, then some of them strike your fancy or >> curiosity, so you open those. Then, some of the ones you open, you are >> even more curious or puzzled about, so you check out the website. >> >> Are you sure that you are pledged to never ever aid *any* spammer, no >> matter how good or interesting the deal is? You /should/ be so pledged, >> and the place to draw the line in the sand is ideally back there at >> 'reading' subjects, where it is akin to glancing through your junk mail >> to see if there's anything worth opening and looking into. >> >> When spammers have you treating your spam like you do your junk mail, >> they are in the driver's seat. With the right kind of spam, you would >> be a potential purchaser. snip I am not tolerant to top posting or top posters, though, in this particular newsgroup. See how hard it is to read when everyone uses a different posting method? From martinAT at cleaverDOT.nl Sun Jun 6 19:20:17 2004 From: martinAT at cleaverDOT.nl (Martin Cleaver) Date: Sun Jun 6 14:25:25 2004 Subject: [SpamCop-List] Account Message-ID: I have a reporting account and want to convert it to a filtering acocunt (or rather four) but when I try to sign up, the system protests that the name is already taken. How to proceed and keep my old account name? Rgds Martin From ian_uncle at hotmail.com Sun Jun 6 15:42:22 2004 From: ian_uncle at hotmail.com (Ionizer) Date: Sun Jun 6 14:45:03 2004 Subject: [SpamCop-List] Very slow email submissions Message-ID: I notice that the gap between submitted and reported Spam is widening, perhaps due to the very slow rate at which email submissions seem to be processed. I've been waiting for two hours now to report my most recent submissions. Between the deliberate "nag screen" delay for web-based submissions and these extended waiting periods for email submissions, and the fact that the international tide of Spam seems limitless and on the constant increase, I really am beginning to wonder why I bother. Regards, Ian. From MikeE at ster.invalid Sun Jun 6 13:06:49 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sun Jun 6 15:10:03 2004 Subject: [SpamCop-List] Re: Philosophy References: <28832-40C2C07B-185@storefull-3278.bay.webtv.net> Message-ID: K. Crocker wrote: > I believe a little tolerance is in order. Your assumption that because > one reads suspected spam, one is going to act on it is a bit over the > top. You may not 'know me' - I'm a notorious 'offensive' "Do NOT Read Spam" advocate/ believer/ proselytizer who offends various spam fighters all over spamcop and alt.spam and anywhere else I post my little missives. I spend a lot of time saying 'do not read spam or spam subjects' and obviously there are some qualifiers one could discuss. > On some occasions I have to "preview" a piece of suspected spam > (using a feature of my spam filter that doesn't follow any links back > to the source) just to confirm that the email *is* spam. Not only that, but sometimes the content of a spam can be used to notify agencies or other appropriate 3rd parties. > I've saved > more than one false report that way. You want intelligent reporters, > and you want us never to open suspected spam. You can't have it both > ways. No that's not it. I don't want 'people' aiding/ profiting/ spammers. There's a wide range of people who read spamcop and alt.spam. A lot of them are insecure spam handlers. I can't perceive the 'credentials' of all of the people who type of read a post, the OP of 'Philosophy' or anyone who follows it. If the OP is a regular spam subject reader and a sometimes spam opener and a perhaps spam link clicker, then I have to 'counteract' that effect. I don't believe that all spam fighters and spam whiners aren't sometimes profiting spammers, so I'm trying to get even the spam /deleters/ to pledge to never aid a spammer. If those who only delete spam can pledge to never aid a spammer, surely the spam fighters can. The first step to aiding a spammer is to read a spam subject. The second step is to read a spam. By the time someone comes along and tells us we need to be reading and appreciating spam, it's time for me to start saying "No, we shouldn't." -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Sun Jun 6 15:45:21 2004 From: nobody at devnull.spamcop.net (WazoO) Date: Sun Jun 6 15:50:09 2004 Subject: [SpamCop-List] Re: Account References: Message-ID: "Martin Cleaver" wrote in message news:Xns9500CEE463E84martincleavernl@216.154.195.61... > I have a reporting account and want to convert it to a filtering > acocunt (or rather four) but when I try to sign up, the system > protests that the name is already taken. > > How to proceed and keep my old account name? Once upon a time, one could "transfer" the account, even the money involved ... but that was then ... First, if there's money left in the reporting account, you're going to have to try service admin.spamcop.net and go for a refund of remaining funds. Somewhere in there, you'll need to actually sign up and pay for a new Filtered SpamCop E-Mail account, there's a separate web-page for that .. again, it's not an "upgrade" these days. http://mail.spamcop.net/account_new.php Issues there are handled at support spamcop.net You may (or may not) get Don and JT to maybe work together about the account "name" ... but you're dealing with people in different parts of the country, and having access to basically only "their" side of the SpamCop system (actually, it's more now like two different businesses, which is where the confusion comes in.) From nobody at devnull.spamcop.net Sun Jun 6 15:57:22 2004 From: nobody at devnull.spamcop.net (WazoO) Date: Sun Jun 6 16:00:03 2004 Subject: [SpamCop-List] Re: Philosophy References: <28832-40C2C07B-185@storefull-3278.bay.webtv.net> Message-ID: "Mike Easter" wrote in message news:c9vq19$bqu$1@news.spamcop.net... > > Not only that, but sometimes the content of a spam can be used to notify > agencies or other appropriate 3rd parties. Too funny, I had one this morning that was "empty" as far as the OE screen was concerned. Pulled up the source, something close to 12k of hash-busting nonsense, but two URLs .... All those words, garbage in the Subject: line, best I could figure was one URL ended with ../cable and the other with ../fitter .... so I made the flying wild-ass guess that maybe, just maybe the spam was trying to push yet another of those "cable filters" ????? Wasn't worth the effort to fire up SamSpade to take a look ... was just amazed at the lunacy involved in putting that spam together ... uce@ftc.gov is all I could add From martinAT at cleaverDOT.nl Sun Jun 6 22:02:18 2004 From: martinAT at cleaverDOT.nl (Martin Cleaver) Date: Sun Jun 6 17:05:02 2004 Subject: [SpamCop-List] Re: Account References: Message-ID: "WazoO" wrote: > Once upon a time, one could "transfer" the account, > even the money involved ... but that was then ... First, > if there's money left in the reporting account, you're > going to have to try service admin.spamcop.net > and go for a refund of remaining funds. The 18 dollars left isn't going to kill me, but I would rather like to stick to my old name... Rgds Martin From Anonym at us.comm Sun Jun 6 15:11:24 2004 From: Anonym at us.comm (Anonym@us.comm) Date: Sun Jun 6 17:15:03 2004 Subject: [SpamCop-List] Re: Philosophy References: <28832-40C2C07B-185@storefull-3278.bay.webtv.net> Message-ID: >K. Crocker wrote: > Your assumption that because one > reads suspected spam, one is going > to act on it is a bit over the top. > Mike Easter wrote: > By the time someone comes along and > tells us we need to be reading and > appreciating spam, it's time for me to > start saying "No, we shouldn't." Good points on both sides... for the rank newbies who only CTD (Click To Delete), I guess the best solution would be Mike's... swear off spam cold-turkey, no reading it, no opening it, no responding to it, no nothing. For them, reading the spam is akin to a 'gateway drug'... it leads to them associating with the spammer and not disliking them so much. Once that takes place, they can sometimes forget that they're dealing with criminals, thugs, thieves, and scumbags only out to get their money, with no regard to the damage they do to the people buying their 'products', or the damage they do to ISPs and business as they steal massive amounts of resources to deliver their cruft. It's a known fact that once a person likes you, they're many more times likely to do business with you, so for these people, staying away from spam altogether is a good idea. This is why I'm all for ISPs filtering out spam before it ever reaches the end-user, unless the user requests that it not be. Beginners are protected from their own innocence and naivete about spam and spammers, and more expert people can still actively fight spam. For those of us who report the spam, we at least have to look at the source code, and I visit each spamvertised website in a secure browser via anonymous proxy prior to hitting it with FriedSpam.net (to ascertain that the site is still up, to ascertain if the spam is likely a Joe-job or not, to find the biggest page to hit, to record the size of the page that will be hit so I can estimate the amount of data I've drained from their website and to later determine that I'm not being blocked as I fry the page in question), as well as visiting it via Sam Spade's text-only browser to gather data on the spammers. Of course, I'm a cheapskate... I rarely buy anything on-line or off-line, I'd never buy anything online from a spammer. I see things in a very black-and-white sort of way... there is no gray area. Spam = bad. Funny spam = bad. Interesting spam = bad. Spam from which I learn something = bad. Period. Incidentally, I've noticed a large upswing in the number of telephone solicitations that are only introductions and attempts at getting my email address. If I'm interested in what they're selling, I set up a disposable account just for them, have them send their material while I'm still on the phone with them, then immediately destroy that disposable email account. For those that I'm not interested in, I inform them that I'm on the national do-not-call list, and hang up. I'm interested in very, very little that they offer. From not at home.today Sun Jun 6 23:37:15 2004 From: not at home.today (Ant) Date: Sun Jun 6 17:45:08 2004 Subject: [SpamCop-List] Re: Philosophy References: <28832-40C2C07B-185@storefull-3278.bay.webtv.net> Message-ID: "Mike Easter" wrote... > The first step to aiding a spammer is to read a spam subject. The > second step is to read a spam. There's no way any of that will allow me to aid a spammer. I read all my spam (fortunately I don't get too much) offline after checking the raw message, but not to see if there's anything I might be interested in purchasing. I do it for various research and technical reasons. Spammers are criminals, liers, and whatever they are peddling is certainly not going to be worth buying no matter how appealing it may seem. They have stolen the email address I once used on Usenet, which was not put in my header for their benefit. Even the legitimate companies who send me snail-mail junk make me have a dim view of them. If I actually want something like they're offering, I make a point of looking for names that I've *not* seen in junk mail. > By the time someone comes along and tells us we need to be reading > and appreciating spam, it's time for me to start saying "No, we > shouldn't." I recently posted a joke I found in a spam obfuscation text in alt.spam which you may have seen. This kind of thing puts a smile on my face as I press the "Process Spam" button, which lightens the chore somewhat. Every spam I get is larted no matter how 'interesting' it is. If Spamcop dev/nulls it, or can't handle it in some way, then I do a manual report. However, I'm not about to tell anyone they should be reading or appreciating spam - especially unsafe handlers. I think the advice you give in your "little missives" is good. From windsorfoxNOSPAM at cox.net Sun Jun 6 18:05:56 2004 From: windsorfoxNOSPAM at cox.net (WindsorFox[SS]) Date: Sun Jun 6 18:00:07 2004 Subject: [SpamCop-List] Re: Domain hijack attempt In-Reply-To: References: Message-ID: eddie wrote: > On Sun, 06 Jun 2004 13:04:50 +0100, Doug Thegarden scratched out the > following: > > >>Just been notified by my ISP of an attempt to have my domain transferred. >>The attempt failed because of the security protocol the ISP has in place >>but I was wondering whether hijacking domains is a new twist or an old old >>one. > > snip > > I own a half-dozen domains and manage a few more registered to me, and > whenever one is near expiration there are attempts to hijack it. They run > from the obvious email and smail scams to outright hacking. I received a > letter some months ago from my registrar letting me know that an attempt > to move my domain registry failed. The company attempting the hijack and > their registrar are non-USA ISPs, one of which is well-known and claimed > innocence. I have since placed "locks" on the registration, but nothing is > perfect. Vigilance is necessary but not guaranteed to prevent it. Why? Why do these scumbags want *your* domain name? From nobody at devnull.spamcop.net Sun Jun 6 18:00:15 2004 From: nobody at devnull.spamcop.net (WazoO) Date: Sun Jun 6 18:05:03 2004 Subject: [SpamCop-List] Re: Domain hijack attempt References: Message-ID: "WindsorFox[SS]" wrote in message news:ca0422$jnr$1@news.spamcop.net... > > Why? Why do these scumbags want *your* domain name? The first obvious is the "fee" ... the next obvious, take a look at the history of spamcop.com .... From ric.gates at bigsleep.org Sun Jun 6 23:24:48 2004 From: ric.gates at bigsleep.org (Blammo) Date: Sun Jun 6 18:25:04 2004 Subject: [SpamCop-List] Re: Domain hijack attempt References: Message-ID: On 06 Jun 2004 WazoO entered spamcop and left news:ca045f$k1l$1@news.spamcop.net: > "WindsorFox[SS]" wrote in message > news:ca0422$jnr$1@news.spamcop.net... >> >> Why? Why do these scumbags want *your* domain name? > > The first obvious is the "fee" ... the next obvious, take a > look at the history of spamcop.com .... > > It usually costs more to transfer a domain than it does to register a new one. You have to transfer a domain well before it expires, and you can't register an existing domain until well after it expires. I don't know why anyone would bother to do this, but what usually happens is that one of the domain contacts is fooled into transferring the domain to another register. One of these scammers goes by the name of Domain Registry of America I think. If a transfer were to go through, the domain owner can contest it, especially if the name is registered to a company. I know a company that sued a former employee for redirecting their domain to another site, and he was forced to remove his contact info. Of course a name like "spamcop" would be in demand. -- | Ric | From gbrozny at glorb.columbus.oh.us Sun Jun 6 20:03:54 2004 From: gbrozny at glorb.columbus.oh.us (Geoff Brozny) Date: Sun Jun 6 19:05:03 2004 Subject: [SpamCop-List] Jamie Baillie using spamcop to harass me Message-ID: It seems now accourding to jamie, everything I post to usenet is spam, so Jamie keeps using spamcop to send me abuse reports. Also note the Received: from [64.56.47.36] by spamcop.net which is an open proxy. more about this guy can be found out at http://www.jamiebaillie.com It seems now he is using spamcop as a tool to harass me. geoff Return-Path: <1058345381@bounces.spamcop.net> Received: from vmx2.spamcop.net (vmx2.spamcop.net [206.14.107.117]) by mail1.glorb.com (8.12.8/8.12.8) with ESMTP id i56LrCGD031210 for ; Sun, 6 Jun 2004 17:53:13 -0400 Received: from sc-app3.verio.ironport.com (HELO spamcop.net) (192.168.11.203) by vmx2.spamcop.net with SMTP; 06 Jun 2004 14:58:39 -0700 Received: from [64.56.47.36] by spamcop.net with HTTP; Sun, 06 Jun 2004 21:54:41 GMT From: "Justme" <1058345381@reports.spamcop.net> To: abuse@glorb.com Subject: [SpamCop (66.35.75.247) id:1058345381][lamie] jamiebaillie.com updated for lamies abuse .. Precedence: list Message-ID: Date: Sun, 6 Jun 2004 20:54:20 +0000 (UTC) X-SpamCop-sourceip: 66.35.75.247 X-Mailer: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax) via http://www.spamcop.net/ v1.325 X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on mail1.glorb.com X-Spam-Level: *** X-Spam-Status: No, hits=3.6 required=5.0 tests=FORGED_MUA_MOZILLA, FROM_ENDS_IN_NUMS autolearn=no version=2.63 [ SpamCop V1.325 ] This message is brief for your comfort. Please use links below for details. NNTP post from 66.35.75.247 / Sun, 6 Jun 2004 20:54:20 +0000 (UTC) [ Additional comments from recipient ] > This abusive individual uses the newsgroup news.admin.net-abuse.email as his own little spam ground. He thinks he can post any off topic message he wants and harase people. This abusive individual needs to be immediately removed. [ Offending message ] Path: news.killfile.org!news.ks.uiuc.edu!news.glorb.com!news-spur1.glorb.com!not-f or-mail From: "Geoff Brozny" Newsgroups: news.admin.net-abuse.email Subject: [lamie] jamiebaillie.com updated for lamies abuse of spamcop Date: Sun, 6 Jun 2004 16:57:38 -0400 Organization: Glorb Internet Services, http://www.glorb.com Lines: 10 Message-ID: NNTP-Posting-Host: h66-35-75-247.outland.glorb.com X-Trace: ratbert.glorb.com 1086555282 1810 66.35.75.247 (6 Jun 2004 20:54:20 GMT) X-Complaints-To: abuse"at"glorb.com NNTP-Posting-Date: Sun, 6 Jun 2004 20:54:20 +0000 (UTC) X-Priority: 3 X-MSMail-Priority: Normal X-Newsreader: Microsoft Outlook Express 6.00.2800.1409 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409 Xref: news.killfile.org news.admin.net-abuse.email:1009289 added a spamcop abuse section, since he is now using spamcop as a tool to harass me now. http://www.jamiebaillie.com Has he tried to use spamcop to harass anyone else here? geoff From nobody at devnull.spamcop.net Sun Jun 6 19:06:35 2004 From: nobody at devnull.spamcop.net (WazoO) Date: Sun Jun 6 19:10:03 2004 Subject: [SpamCop-List] Re: Domain hijack attempt References: Message-ID: "Blammo" wrote in message news:Xns95009CDF37422blammo@216.154.195.61... > > It usually costs more to transfer a domain than it does to register a new > one. You have to transfer a domain well before it expires, and you can't > register an existing domain until well after it expires. > I don't know why anyone would bother to do this, but what usually happens > is that one of the domain contacts is fooled into transferring the domain > to another register. One of these scammers goes by the name of Domain > Registry of America I think. If a transfer were to go through, the domain > owner can contest it, especially if the name is registered to a company. I > know a company that sued a former employee for redirecting their domain to > another site, and he was forced to remove his contact info. Of course, all true. However, it was just last week, a girl I code the pages for, called, close to tears ... she had three, count them, three e-mails and one snail-mail "reminders" of her impending due date for re-registration of her domain name. And not a single one of those was from the "real" registrar. Her main concern was that with Hubby currently un-employed, how was she going to come up with the money to pay "all" of them ... From rmiller at duskglow.com Sun Jun 6 19:12:43 2004 From: rmiller at duskglow.com (Russell Miller) Date: Sun Jun 6 19:10:16 2004 Subject: [SpamCop-List] Re: Jamie Baillie using spamcop to harass me References: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Geoff Brozny wrote: > It seems now accourding to jamie, everything I post to usenet is spam, so > Jamie keeps using spamcop to send me abuse reports. Also note the > Received: from [64.56.47.36] by spamcop.net which is an open proxy. more > about this guy can be found out at http://www.jamiebaillie.com It seems > now he is using spamcop as a tool to harass me. > Also note I have an evidence page on him: http://www.morningmist.org/personal/jamie2.shtml If you choose, you can ignore my speculations and go right after the evidence that I posted, that is all factual. - --Russell - -- Russell Miller - Le Mars, IA President, Duskglow Consulting, LLC 712-546-5886 - rmiller@duskglow.com http://www.duskglow.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFAw6TwURTA4VCI9OARAmzmAJwM4Lpg4QanhVel/2Kqr3Yxt8DPPACghcSw yNvTRjuJ3GGmyZkJmcJdc3s= =/qsV -----END PGP SIGNATURE----- From MikeE at ster.invalid Sun Jun 6 17:09:05 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sun Jun 6 19:10:23 2004 Subject: [SpamCop-List] Re: Philosophy References: <28832-40C2C07B-185@storefull-3278.bay.webtv.net> Message-ID: Ant wrote: > "Mike Easter" wrote... > >> The first step to aiding a spammer is to read a spam subject. The >> second step is to read a spam. > > There's no way any of that will allow me to aid a spammer. That's not what I mean by that. What I mean is that if some person 'out there' can't do anything else about spam; at least they can not aid a spammer. Aiding the spammer begins with reading the subject. That doesn't mean that reading a subject profits the spammer; but if the subject had never even been seen, the risk of profiting the spammer would be nil. If the most insecurely configured spam deleter /simply/ deleted all of their spam without previewing or opening *any* - not one single item - spam, they would be living up to the pledge of never aiding a spammer. Without any ranting or 'strain'. If, on the other hand, the loudest spam whiner ["kill all spammers"] reads spam subjects to find the interesting ones, opens some interesting spams and does so insecurely, and clicks on some spamlinks for more curiosityh satisfaction, while submitting the ones which 'annoy' hir to spamcop - s/he is probably helping the spammers more than s/he is hurting them. Thus, that would be the picture of the spamfighter who is aiding spammers, contrasted with the deleter who is not. I think spamfighting ranks include spamreaders of the bad kind; separate from the pledged spamfighters who 'inspect' spam as a part of a process of 'diligence' rather than curiosity. There are spam readers and spam inspectors. There are 'adept' and wary and secure spam handlers, in configuration and mindset; and there are 'sloppy' and careless and curious spam handlers in configuration and mindset. Just wearing a spamfighter label doesn't make someone 'automatically' a good spamhandler. -- Mike Easter kibitzer, not SC admin From eddie at eddie.web Sun Jun 6 20:50:20 2004 From: eddie at eddie.web (eddie) Date: Sun Jun 6 19:55:06 2004 Subject: [SpamCop-List] Re: Jamie Baillie using spamcop to harass me References: Message-ID: On Sun, 06 Jun 2004 19:03:54 -0400, Geoff Brozny scratched out the following: since we don't post spam here, you must be new to the area It also seems that I am clueless as to what you are writing about. Maybe my reader has a crossed wire so excuse me, but rather than eavesdrop on a conversation I know nothing about, I will simply plonk this thread. PLONK! From eddie at eddie.web Sun Jun 6 21:04:31 2004 From: eddie at eddie.web (eddie) Date: Sun Jun 6 20:05:03 2004 Subject: [SpamCop-List] [OT] L0se wejght now! Get s3xy and slim until the summer! Message-ID: Honest spam subject No guarantee on this product. good for only 2 weeks After June 20 you immediately get fat again :) From gbrozny at glorb.columbus.oh.us Sun Jun 6 21:34:35 2004 From: gbrozny at glorb.columbus.oh.us (Geoff Brozny) Date: Sun Jun 6 20:35:02 2004 Subject: [SpamCop-List] Re: Jamie Baillie using spamcop to harass me References: Message-ID: "eddie" wrote in message news:pan.2004.06.06.23.50.20.377000@eddie.web... > On Sun, 06 Jun 2004 19:03:54 -0400, Geoff Brozny scratched out the > following: > > since we don't post spam here, you must be new to the area > It also seems that I am clueless as to what you are writing about. > Maybe my reader has a crossed wire > so excuse me, but rather than eavesdrop on a conversation I know nothing > about, I will simply plonk this thread. I'm wriing about a spamcop user that keeps using spamcop to report usenet posts that are not spam, there posts he does not like, and I'm the ISP that receives the spamcop reports. geoff From ri8pcu0rl8usenet at yahoo.com Sun Jun 6 16:30:05 2004 From: ri8pcu0rl8usenet at yahoo.com (RipCurl) Date: Sun Jun 6 21:35:14 2004 Subject: [SpamCop-List] Re: [C&C] SPEWS analogy. References: Message-ID: "Redstone" wrote in message news:Xns94FF29D3CB473lumbercartel@216.154.195.61... > Here's another: > > 1. Your emails are a bunch of sperm, itching to do their thing. > 2. Your ISP is a prick. > 3. SPEWS is a condom. > 4. We are innocent maidens who don't like surprises. > 5. You are asking for a teeny hole to be poked in the rubber. > Better would be that SPEWS is a diaphragm . not a condom. Since a condom would require that the "sender" be the one to put it on. The diaphragm would be something that the "receiver" would use to protect themselves....... From nobody at spamcop.net Sun Jun 6 22:32:57 2004 From: nobody at spamcop.net (Miss Betsy) Date: Sun Jun 6 22:30:09 2004 Subject: [SpamCop-List] Re: Jamie Baillie using spamcop to harass me References: Message-ID: "Geoff Brozny" wrote in message news:ca0d6r$rmp$1@news.spamcop.net... > > I'm wriing about a spamcop user that keeps using spamcop to report usenet > posts that are not spam, there posts he does not like, and I'm the ISP that > receives the spamcop reports. > Someone has already noticed this "Spambo" wrote in message news:c9vbvb$1ff$1@news.spamcop.net... > Jamie Baillie, a well-known nanae troll, seems to be using SpamCop > to report Usenet messages that he doesn't like as spam. > Miss Betsy From nobody at devnull.spamcop.net Mon Jun 7 12:59:38 2004 From: nobody at devnull.spamcop.net (Patto) Date: Sun Jun 6 23:00:04 2004 Subject: [SpamCop-List] Re: Jamie Baillie using spamcop to harass me References: Message-ID: "Geoff Brozny" wrote in message news:ca07sq$n3u$1@news.spamcop.net... > It seems now accourding to jamie, everything I post to usenet is spam, so > Jamie keeps using spamcop to send me abuse reports. Also note the > Received: > from [64.56.47.36] by spamcop.net which is an open proxy. more about this > guy can be found out at http://www.jamiebaillie.com It seems now he is > using > spamcop as a tool to harass me. > > geoff Using SpamCop to send false reports is reason to terminate the (ab)user. Contact admins or deputies via service -at- admin -dot -spamcop -dot- net From eek at barkerjr.net Sun Jun 6 23:52:49 2004 From: eek at barkerjr.net (BarkerJr) Date: Sun Jun 6 23:05:03 2004 Subject: [SpamCop-List] Re: Domain hijack attempt References: Message-ID: > > It usually costs more to transfer a domain than it does to register a new > > one. You have to transfer a domain well before it expires, and you can't > > register an existing domain until well after it expires. > > I don't know why anyone would bother to do this, but what usually happens > > is that one of the domain contacts is fooled into transferring the domain > > to another register. One of these scammers goes by the name of Domain > > Registry of America I think. If a transfer were to go through, the domain > > owner can contest it, especially if the name is registered to a company. I > > know a company that sued a former employee for redirecting their domain to > > another site, and he was forced to remove his contact info. > > Of course, all true. However, it was just last week, a girl > I code the pages for, called, close to tears ... she had three, > count them, three e-mails and one snail-mail "reminders" of > her impending due date for re-registration of her domain name. > And not a single one of those was from the "real" registrar. > Her main concern was that with Hubby currently un-employed, > how was she going to come up with the money to pay "all" > of them ... The sad part is that unless the domain is trademarked or resembles your name, it's gone. By the way, I believe that well established internet nicknames do count as names in court. From nobody at devnull.spamcop.net Mon Jun 7 13:05:11 2004 From: nobody at devnull.spamcop.net (Patto) Date: Sun Jun 6 23:10:03 2004 Subject: [SpamCop-List] Re: Philosophy References: <28832-40C2C07B-185@storefull-3278.bay.webtv.net> Message-ID: "Mike Easter" wrote in message news:c9vq19$bqu$1@news.spamcop.net... > ... > The first step to aiding a spammer is to read a spam subject. > ... How do you make sure that a message is spam without reading the subject line? Although my spam filter is very good, there is still a 0.1% chance of false positives. Reporting these as spam can get us into real trouble. So, how do you do it? I'd love to know your secret... From baloo at ursine.ca Sun Jun 6 22:01:33 2004 From: baloo at ursine.ca (Paul Johnson) Date: Mon Jun 7 00:20:04 2004 Subject: [SpamCop-List] Re: Very slow email submissions References: Message-ID: <87oenw584i.fsf@ursine.ca> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 "Ionizer" writes: > Between the deliberate "nag screen" delay for web-based submissions > and these extended waiting periods for email submissions, and the > fact that the international tide of Spam seems limitless and on the > constant increase, I really am beginning to wonder why I bother. Try paying, the nag goes away. - -- Paul Johnson Linux. You can find a worse OS, but it costs more. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFAw+ifUzgNqloQMwcRAsTZAKCW+yTeTJd6lJXPTXkRIkjnZsj9KQCcC0RV Za4XtYYwbmVRW0oCwtYlZZw= =2x1B -----END PGP SIGNATURE----- From baloo at ursine.ca Sun Jun 6 22:03:32 2004 From: baloo at ursine.ca (Paul Johnson) Date: Mon Jun 7 00:20:17 2004 Subject: [SpamCop-List] Re: Jamie Baillie using spamcop to harass me References: Message-ID: <87k6yk5817.fsf@ursine.ca> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 eddie writes: > On Sun, 06 Jun 2004 19:03:54 -0400, Geoff Brozny scratched out the > following: > > since we don't post spam here, you must be new to the area He didn't post spam here, you must be new to reading. > It also seems that I am clueless as to what you are writing about. He's getting false reports from a netkook on NANAE. - -- Paul Johnson Linux. You can find a worse OS, but it costs more. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFAw+kUUzgNqloQMwcRAg93AJ41ZABxzri6Ttdp+fln/lGPO7hjtACeJicy CBeaycXJgK18op8xwLJ9cDU= =LlhW -----END PGP SIGNATURE----- From MikeE at ster.invalid Sun Jun 6 22:25:22 2004 From: MikeE at ster.invalid (Mike Easter) Date: Mon Jun 7 00:30:02 2004 Subject: [SpamCop-List] Re: Philosophy References: <28832-40C2C07B-185@storefull-3278.bay.webtv.net> Message-ID: Patto wrote: > "Mike Easter" >> The first step to aiding a spammer is to read a spam subject. >> ... > > How do you make sure that a message is spam without reading the > subject line? Ideally, the spams shouldn't be landing in your Inbox, getting all mixed up with your wanted mail and interfering with the 'ease' of using your mail. Also, trying to use your 'human' eyeballs on spam subjects and spam Froms puts you at a disadvantage; that is exactly the position the spammer wants you in. You are playing on hir turf and to hir strengths. Spam is designed to be interesting or misleading or infuriating or 'stupid' or any one of a myriad of tactics which is designed to cause you to open the spam item. What would be better than you reading a subject to try to figure out whether or not you should open it to see what is inside would be if all of your spam were already sorted into its own Junk folder. And it would be sorted there by much more effective methods than human eyeballs falling on spam subjects and froms. The item would have been examined by the headers and body content for the spammy characteristics you can't even see when it has gotten into your mail box. Filters can do excellent work at sorting the spam from the wanted mail. Then, since you already know that it is spam, it should be headed toward being reported. When I handle spam, I don't open it, but grab it by its message properties while it is on its way to the spamcop parser or my manual notify template. There is actually no need for me to even examine the subject or the body for a 'straight' report, like spamcop's prior to me placing it into the parser. If a person were 'only' a free spamcop reporter [ie doing no manual reporting at all]; they can't add anything to the report anyway. So, if there's no manual report and there's no adding of addresses, what is the point in even 'examining' the spam item? Nothing you see is going to change anything, in terms of adding. I'm not sure what kind of item you are worrying about reporting inappropriately. It is highly unlikely that a well designed spamfilter is going to have false positives. False negatives might give rise to a spam in your Inbox that gets it subject read; but by my system, if it isn't a known wanted mail, I will move it into the Junk folder as an unknown. I would *not* open an unknown. My mail user agent lets me get to the raw source or properties without opening the item. I'm not saying you should be reporting spam without paying attention to what you are doing ane reporting; but the item has been determined to have all of these spammy characteristics by a filter, and then the spamcop parse is showing you bogosity in the form of abused proxies. What kind of good mail is going to be doing that? And, you can 'see' the body of a spam in its raw or unrendered condtion while you are pasting it into a template or parser. I never open a spam that I don't already know what is inside from having examined its properties. > Although my spam filter is very good, there is still a > 0.1% chance of false positives. Reporting these as spam can get us > into real trouble. Name me a particular specific example of one of your filter's false positives so we can discuss a real thing rather than an imaginary one. > So, how do you do it? I'd love to know your secret... There are situations where I may open a spam that I already know what is inside. There are also rare situations in which I may 'chase' a website with my browser instead of a GET function; but they are unusual. -- Mike Easter kibitzer, not SC admin From newsrelay at temporaryrelay002.ath.cx Mon Jun 7 13:31:57 2004 From: newsrelay at temporaryrelay002.ath.cx (Gingko) Date: Mon Jun 7 06:35:21 2004 Subject: [SpamCop-List] Re: Very slow email submissions References: <87oenw584i.fsf@ursine.ca> Message-ID: What sense is there to pay for removing a 10 seconds nag screen when there is a (about) 5 hours processing delay (whatever you pay or not) ? Gingko. "Paul Johnson" a écrit dans le message de news:87oenw584i.fsf@ursine.ca... > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > "Ionizer" writes: > > > Between the deliberate "nag screen" delay for web-based submissions > > and these extended waiting periods for email submissions, and the > > fact that the international tide of Spam seems limitless and on the > > constant increase, I really am beginning to wonder why I bother. > > Try paying, the nag goes away. From nobody at spamcop.net Mon Jun 7 07:57:55 2004 From: nobody at spamcop.net (Miss Betsy) Date: Mon Jun 7 07:55:03 2004 Subject: [SpamCop-List] Re: Philosophy References: <28832-40C2C07B-185@storefull-3278.bay.webtv.net> Message-ID: "Mike Easter" wrote in message news:ca0qoh$5gl$1@news.spamcop.net... > I never open a spam that I don't already know what is inside from having > examined its properties. While I agree that to 'open' a spam or even an 'unknown' email is /very/ bad practice, one can catch absurdities when one is reviewing the properties of a spam or simply just pasting it in. I thought that what was in the original post /was/ absurd and therefore, funny. The other day I had a subject line 'roused to fury' - that caught my eye! Because, yes, I am roused to fury often by spam. In this particular case, he had to be looking at the properties since all that junk is not visible in the 'opened' spam. It is much better to laugh than to cry and if, occasionally, one notices an absurdity and wants to share it, I don't see why they shouldn't. OTOH, people /do/ need to be cautioned *never* to really open a spam or even an unknown email, but only to look at the properties. I don't even 'open' undeliverable mail notices, but always look at them in properties. Miss Betsy From l_rmv.mayne at uea.ac.uk Mon Jun 7 16:28:08 2004 From: l_rmv.mayne at uea.ac.uk (Leon Mayne) Date: Mon Jun 7 10:30:03 2004 Subject: [SpamCop-List] FriedSpam Message-ID: I just saw a couple of posts mentioning friedspam, and so I took a quick (and did a quick test using a bloody logo company that keeps spamming me :-) ). I was just wondering what people's opinions of tools such as this are? Don't they discredit the antispam community? From nobody at nowhere.invalid Mon Jun 7 18:01:58 2004 From: nobody at nowhere.invalid (=?iso-8859-1?q?Steven_M=E4=DFlein?=) Date: Mon Jun 7 11:05:03 2004 Subject: [SpamCop-List] Re: letting my isp deal with the load References: <01c44a57$b672bf00$LocalHost@default> <87d64fmd6q.fsf@ursine.ca> <40C126FA.2F13@xyzzy.claranet.de> <87ekouih5m.fsf@ursine.ca> Message-ID: On Sat, 05 Jun 2004 00:43:33 -0700, Paul Johnson wrote: > Yeah, there's the obsolete way that I usually use here to appease the > Outlook Express whiners, and then there's the right way, which I'm > using this time. Had they been using a MIME-compliant news agent, the > PGP signature part would have been ignored unless it was also OpenPGP > aware. I have to agree with Paul here. There are so many things you can't do in mail and news unless you're prepared to have Outlook (Express) blow up on the other end. PGP/MIME is one of them (it's been a standard for 8 years now, see RFC2015, since superceded by RFC3156). Another is starting a line with the word "begin" and OL/OE considering the rest as an attachment. As Postel's law says: "Be liberal in what you accept, and conservative in what you send." - Microsoft got this the wrong way round with OL/OE. -- Steve From jseymour at spamcop.net Mon Jun 7 09:24:03 2004 From: jseymour at spamcop.net (Jim Seymour) Date: Mon Jun 7 11:25:25 2004 Subject: [SpamCop-List] Re: FriedSpam In-Reply-To: References: Message-ID: Leon Mayne wrote: > I just saw a couple of posts mentioning friedspam, and so I took a quick > (and did a quick test using a bloody logo company that keeps spamming me > :-) ). I was just wondering what people's opinions of tools such as this > are? Don't they discredit the antispam community? Yup. It's commonly called "fighting abuse with abuse". In addition to tarnishing the anti's reputation, it's also far too easy to use it against innocent bystanders. -- Jim Seymour. I do not work for Spamcop, I did not write pflogsumm, and I never wrote for PC Magazine. From none at invalid.domain Mon Jun 7 09:29:41 2004 From: none at invalid.domain (HillsCap) Date: Mon Jun 7 11:35:03 2004 Subject: [SpamCop-List] Re: FriedSpam References: Message-ID: "Leon Mayne" wrote in message news:ca1u1q$t3g$1@news.spamcop.net... > I just saw a couple of posts mentioning friedspam, and so I took a quick > (and did a quick test using a bloody logo company that keeps spamming me > :-) ). I was just wondering what people's opinions of tools such as this > are? Don't they discredit the antispam community? I use FriedSpam.net 24/7 to run up spammers' hosting costs. I'm hitting 7 spamvertised sites right now, in fact. The only people who ever see FriedSpam.net are the ones receiving the spam, who've gone in search of a solution... and the ones sending it, although they don't know that it's FriedSpam that's the vehicle or conduit that's causing them grief. The general public has most probably never even heard of FriedSpam.net. Hence no discredit. Is it fighting abuse with abuse? Yes, but the abuse (and cost) coming our way is directed toward innocent ISPs and end-users, while the bounce abuse (and cost) is directed mostly at lowlife sleazebags who don't care how much damage they do to get a buck. You've got to attack the attacker some time, you can't just stand idly by while they continue abusing you, and they don't respond to polite (or not-so-polite) requests that the abuse stop. If they did, FriedSpam.net wouldn't be necessary. It's a tool, and an effective one, at that. Why use a screwdriver to drive a nail, when you've got a hammer? Use the tool that works. I've tried every other way... this is the only method that is actually working. I now receive less than 1/2 of 1 percent of the spam that I used to. From eddie at eddie.web Mon Jun 7 12:41:36 2004 From: eddie at eddie.web (eddie) Date: Mon Jun 7 11:45:03 2004 Subject: [SpamCop-List] Re: FriedSpam References: Message-ID: On Mon, 07 Jun 2004 08:24:03 -0700, Jim Seymour scratched out the following: > Leon Mayne wrote: >> I just saw a couple of posts mentioning friedspam, and so I took a quick >> (and did a quick test using a bloody logo company that keeps spamming me >> :-) ). I was just wondering what people's opinions of tools such as this >> are? Don't they discredit the antispam community? > > Yup. It's commonly called "fighting abuse with abuse". In addition to > tarnishing the anti's reputation, it's also far too easy to use it against > innocent bystanders. I look at it as fighting fire with fire. We didn't get rid of the Huns with honey. Yes it's easy for an unscrupulous person to misuse a tool against an innocent bystander. Without intelligence and care, such tools should not be used. But, like Nobel's dynamite, it can be used to put out an oilwell fire as well as to start one. From jseymour at spamcop.net Mon Jun 7 09:46:20 2004 From: jseymour at spamcop.net (Jim Seymour) Date: Mon Jun 7 11:50:02 2004 Subject: [SpamCop-List] "Message Delivery Failure" in the Subject is all it takes for it to be a bounce? Message-ID: This has been discussed off and on for months now - yet Spamcop is still refusing to even parse messages that have certain key phrases in the Subject. This weekend, I got two with "Message Delivery Failure". I think we're making it too easy for the spammers. Example posted in the .spam group. -- Jim Seymour. I do not work for Spamcop, I did not write pflogsumm, and I never wrote for PC Magazine. From BBuckley at spamcop.net Mon Jun 7 13:38:35 2004 From: BBuckley at spamcop.net (Barb Buckley) Date: Mon Jun 7 12:40:03 2004 Subject: [SpamCop-List] Re: letting my isp deal with the load References: Message-ID: "Annie" wrote in message news:c9ogqc$roo$1@news.spamcop.net... > "KronaTech" wrote in message > news:c9nftp$sie$1@news.spamcop.net... > > > > For people who are not seeing the impact of the BL, I imagine it must be > > very frustrating, simply reporting because it's the right thing to do and > > rarely seeing any results. If your ISPs or mail servers were to > incorporate > > the BL into their engines your spam would be reduced by a huge percentage. > > > > I have always used the BL and it's what brought me to spamcop (it was > > already in use by default on the mail servers I installed), so its > difficult > > for me to understand what it's like to be receiving spam in quite that > > magnitude. The most spam I see reach my mailbox in a day is measured in > > dozens (and always via my hotmail accounts). I don't know what it's like > to > > be completely overwhelmed with it as some of you are. > > > > It's unfortunate that so many of your ISPs are not using the BL (spamcop > or > > others). > > > > My spam problem is not my ISPs problem. I have one email account with them > that is filtered. They do a nice job. My business account I do not allow > them to filter because I depend on email orders for my online small > business. I run spam pal when I download directly into Outllook or I use > Mail Washer Pro and send them to Spam Cop for reporting. When I use Spam > Pal on the business account I send any untagged spam directly to my ISP spam > abuse desk. They in turn can blacklist the new spam and improve their > filters. The problem is the spammers are picking up my business account > address posted on my web page and hammering me with their trash. I may have > to quit reporting to spam cop if I can't find a batch method of dealing with > it. As it is I am spending 2 hours every morning to just wade through the > morning download and report it all to Spam Cop one at a time. I also report > smaller batches throughout the day. It is a cycle I can't keep up with much > longer. I am not getting my day job work done. I may have to just filter it > and delete it. > > -- > ```````````````` > MissAnnie > Hi Miss Annie: You could pop your business account into spamcop if you have a spamcop email account. I started doing this with my AOSmell account because I was just getting too much spam. The pop is a very easy way to filter and report spam. I don't know what I was doing all those years copying and pasting into the spamcop web page. I wouldn't do it any other way! Barb From HHAnderson at hotmail.com Mon Jun 7 12:11:05 2004 From: HHAnderson at hotmail.com (Bud Anderson) Date: Mon Jun 7 13:15:03 2004 Subject: [SpamCop-List] Another revursive link spam from JustOnePill.biz Message-ID: This busy little spammer appears to be gonna keep at it until he gets it right and hides his spam website. I've tried this one 3 times and all have failed as opposed to the 50% fasilure to find the website previously. SC has failed to find the "." between justonepill and biz all three times. Now getting: --------------------------------------- Finding links in message body Recurse multipart: Parsing HTML part Resolving link obfuscation http://www.justonepillbiz Tracking link: http://www.justonepillbiz Cannot resolve http://www.justonepillbiz From nobody at devnull.spamcop.net Mon Jun 7 19:16:05 2004 From: nobody at devnull.spamcop.net (Sean W) Date: Mon Jun 7 13:20:04 2004 Subject: [SpamCop-List] Re: "Message Delivery Failure" in the Subject is all it takes for it to be a bounce? References: Message-ID: In posting ca22k1$1f4$1@news.spamcop.net, Jim Seymour thus did type: > This has been discussed off and on for months now - yet Spamcop is still > refusing to even parse messages that have certain key phrases in the > Subject. > > This weekend, I got two with "Message Delivery Failure". I think we're > making it too easy for the spammers. Example posted in the .spam group. Yep a definite 'gimme' for spammers. I just tried to parse a spam from yesterday with a subject line of "Subject: SAVE 89% WITH OUR SOFTWARES washcloth refutation sticks or I will give you Message Delivery Failure " Yep, got the 'this looks like a bounce, will not etc.' I haven't bothered to seperate the words out and check but if it fails on something like "Subject: Notification Message from FedEx, You were not at home so will have a Delivery Failure" then its time to really worry. This needs fixing ASAP but the question is how. Looking like and *being* are certainly two different things here. (MTA and failure format checking/comparing? Say postfix says returned message, blah blah etc.) Sean From ric.gates at bigsleep.org Mon Jun 7 19:25:56 2004 From: ric.gates at bigsleep.org (Blammo) Date: Mon Jun 7 14:30:05 2004 Subject: [SpamCop-List] Re: Domain hijack attempt References: Message-ID: On 06 Jun 2004 WazoO entered spamcop and left news:ca081r$n99$1@news.spamcop.net: > However, it was just last week, a girl > I code the pages for, called, close to tears ... she had three, > count them, three e-mails and one snail-mail "reminders" of > her impending due date for re-registration of her domain name. > And not a single one of those was from the "real" registrar. > Her main concern was that with Hubby currently un-employed, > how was she going to come up with the money to pay "all" > of them ... > I know, I really hate that shit. I'd never do business with any company that does that. I've gotten letters that claim "your domain name may be taken if you don't renew now" or some such nonsense, they look offical and fool a lot of people. Also those fake search engine billings. Total cons. I control all domain registrations myself, they are automatically renewed and I tell all my clients to ignore any letters or eMails. I did have one that refused to transfer from Netsol, but that client went out of business, so that solves that problem, but they did get fooled into one of those cons and luckily I was one of the contacts so the transfer was ignored. -- | Ric | From baloo at ursine.ca Mon Jun 7 12:19:29 2004 From: baloo at ursine.ca (Paul Johnson) Date: Mon Jun 7 14:35:03 2004 Subject: [SpamCop-List] Re: Very slow email submissions References: <87oenw584i.fsf@ursine.ca> Message-ID: <873c57dydq.fsf@ursine.ca> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Top posting is considered harmful, don't do it. http://learn.to/quote/ "Gingko" writes: > What sense is there to pay for removing a 10 seconds nag screen when there > is a (about) 5 hours processing delay (whatever you pay or not) ? Apparently you didn't lurk before start posting or you would have known about quick reporting available to paid users. - -- Paul Johnson Linux. You can find a worse OS, but it costs more. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFAxLGxUzgNqloQMwcRAtlNAKCIAiA+6nkNxKxodfcZ1bJLC3kawACg1CQM WTy10XofRGfCOSeiF61nTAc= =UkBx -----END PGP SIGNATURE----- From baloo at ursine.ca Mon Jun 7 12:21:23 2004 From: baloo at ursine.ca (Paul Johnson) Date: Mon Jun 7 14:35:15 2004 Subject: [SpamCop-List] Re: letting my isp deal with the load References: <01c44a57$b672bf00$LocalHost@default> <87d64fmd6q.fsf@ursine.ca> <40C126FA.2F13@xyzzy.claranet.de> <87ekouih5m.fsf@ursine.ca> Message-ID: <87y8mzcjq4.fsf@ursine.ca> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Steven M??lein writes: > On Sat, 05 Jun 2004 00:43:33 -0700, Paul Johnson wrote: > >> Yeah, there's the obsolete way that I usually use here to appease the >> Outlook Express whiners, and then there's the right way, which I'm >> using this time. Had they been using a MIME-compliant news agent, the >> PGP signature part would have been ignored unless it was also OpenPGP >> aware. > > I have to agree with Paul here. > > There are so many things you can't do in mail and news unless you're > prepared to have Outlook (Express) blow up on the other end. Not just that, but a lot of things that work perfectly in *practically every other MUA and NUA in existence*... > As Postel's law says: "Be liberal in what you accept, and conservative in > what you send." - Microsoft got this the wrong way round with OL/OE. No kidding... - -- Paul Johnson Linux. You can find a worse OS, but it costs more. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFAxLIjUzgNqloQMwcRAhKcAJ4sUbhvIb20MjyFxhmY9fDLNpZFxgCgwBoL G0vOl8dqoRrp53la5VNHjsE= =VHZD -----END PGP SIGNATURE----- From MikeE at ster.invalid Mon Jun 7 12:41:42 2004 From: MikeE at ster.invalid (Mike Easter) Date: Mon Jun 7 14:45:02 2004 Subject: [SpamCop-List] Re: "Message Delivery Failure" in the Subject is all it takes for it to be a bounce? References: Message-ID: Jim Seymour wrote: > This weekend, I got two with "Message Delivery Failure". I think > we're making it too easy for the spammers. Example posted in the > .spam group. The key is 'Delivery Failure' - it doesn't matter about 'Message' being there or not; but if either of the Delivery Failure words is misspelled by even a single letter like 'Delivry' or 'Filure' then the parse will go forward. Which of course would be a material change I assume. However, that particular one has a Content-type discrepancy which would need to be fixed to find the body url/s, so that part would require a manual report anyway. -- Mike Easter kibitzer, not SC admin From Nobody at devnull.spamcop.net Mon Jun 7 14:53:37 2004 From: Nobody at devnull.spamcop.net (Nobody) Date: Mon Jun 7 14:55:02 2004 Subject: [SpamCop-List] Re: Spammer Letter to SpamCop References: <40B69162.2C0C9DC2@spamcop.net> <6jgdb0hui29hebvimaar9dsihvrk3j14a6@4ax.com> <40BF4ACE.4129D391@devnull.spamcop.net> <01c44a54$70621180$LocalHost@default> Message-ID: <40C4B9B1.BFFD739@devnull.spamcop.net> Michael R N Dolbear wrote: > > Nobody wrote > [...] > > Thank you very much for the information, .... > Since this guy appears to be British based, you might care to report > him under the the UK/EU anti-spam law. This involves downloading a pdf > form from the Information Commissioner's site and mailing it in though. > > Google "Complaints on Electronic mail.pdf" at > http://www.informationcommissioner.gov.uk/ Michael, Thanx for the link, saved and filed. I appreciate it, Regards, Michael From Nobody at devnull.spamcop.net Mon Jun 7 15:12:09 2004 From: Nobody at devnull.spamcop.net (Nobody) Date: Mon Jun 7 15:15:03 2004 Subject: [SpamCop-List] Re: Ploy defeats Spamcop References: Message-ID: <40C4BE09.83C57CCA@devnull.spamcop.net> Miss Betsy wrote: > > "Dan Obenhaus" wrote in message > news:c9tqpu$u5c$1@news.spamcop.net... > > Spamcop refuses spam in form of bounce... > > > > > I am sorry to tell you this, but that's old news. There are lots > of people who would like a BounceCop, but spamcop is not expanding. > Miss Betsy, Are spammers using bounces to propagate spew into target addresses? I.e. pasting the target addy into the return-path and sending the spam to a server they know will bounce it? If so, it would seem that the originator is still spamming, and fair game. So how would you take him on, if SpamCop won't handle the message? Regards, Michael From Nobody at devnull.spamcop.net Mon Jun 7 15:16:10 2004 From: Nobody at devnull.spamcop.net (Nobody) Date: Mon Jun 7 15:20:02 2004 Subject: [SpamCop-List] Re: Ploy defeats Spamcop References: Message-ID: <40C4BEFA.41F013A9@devnull.spamcop.net> Mike Easter wrote: > > BarkerJr wrote: > > The attachement is a spam, but not the bounce wrapper. You can still > > report the attached spam, just not the bounce. > > You also can't report the bounce part. > > http://www.spamcop.net/fom-serve/cache/14.html If the bounce message > contains spam, it is not permitted for you to report the spam contained > within the bounce, > > You have to report those manually, and only use SC's parser on the item > to help determine who/how to notify with your manual, and cancel the SC > report. So you can use the SpamCop parser to parse the extracted header on the original spam, just not report it through SpamCop, but manually LART instead? Regards, Michael From MikeE at ster.invalid Mon Jun 7 13:19:45 2004 From: MikeE at ster.invalid (Mike Easter) Date: Mon Jun 7 15:25:01 2004 Subject: [SpamCop-List] Re: FriedSpam References: Message-ID: HillsCap wrote: > I now receive less than 1/2 of 1 percent of the spam that I > used to. How is it, that is, what is the mechanism which you propose that 'frying' a website gets you less spam? Are you proposing that somehow all of the spammers get together and figure out that you are the great white site fryer and remove you from all of their lists, or what? -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Mon Jun 7 15:35:16 2004 From: nobody at spamcop.net (Miss Betsy) Date: Mon Jun 7 15:40:02 2004 Subject: [SpamCop-List] Re: Ploy defeats Spamcop References: <40C4BE09.83C57CCA@devnull.spamcop.net> Message-ID: "Nobody" wrote in message news:40C4BE09.83C57CCA@devnull.spamcop.net... > > > > Miss Betsy, > > Are spammers using bounces to propagate spew into target addresses? > I.e. pasting the target addy into the return-path and sending the spam > to a server they know will bounce it? No, they are not doing it deliberately. They simply put one of the names on their list as the forged return address so they don't get the bounces. The nicer ones rotate the forged addresses so that one address is not inudated. Spammers' lists are not accurate. They harvest addresses, including out of date ones and spam traps, from websites. They generate addresses by dictionary attacks. And they probably have lots of addresses abandoned by people who got too much spam. > > If so, it would seem that the originator is still spamming, and fair > game. So how would you take him on, if SpamCop won't handle the > message? It is not the spammer who is causing you trouble. It is the ISP who accepts all emails and then sorts them. Once he has done that, the only way to send an undeliverable message is to send an email to the forged return path. At one time, this was a useful technique, but as many other things on the internet have been ruined due to spam, this one is no longer a useful technique, but extremely annoying to many people. Sometimes the spam message including the headers is included in the undeliverable message. At one time, you could parse that and report it through spamcop. However, too often the headers are not completely transmitted and there are too many errors. Besides, it is not a spam directed to you so a report from you is not truly an accurate report. If there were a BounceCop, it would be advising the originator of the bounce that sending bounce emails is no longer a good idea. There may or may not be a blocklist associated with it and if there were, the algorithym would have to be completely different. Since Julian doesn't seem to be interested, there probably will be no 'BounceCop' since no one else seems to be able to write an accurate parsing machine. Usually, one doesn't get that many bounced spam so that they can be reported by yourself. Spammers do try to trick spamcop into thinking that a 'real' spam is an undeliverable message, but I think that's just fun and games. There must be a lot less than enough idiots to buy something from an undeliverable message. It might also be a ploy to see how many 'live' addresses are on a list. ('live' address lists are more expensive to buy). Miss Betsy From not at home.today Mon Jun 7 21:47:59 2004 From: not at home.today (Ant) Date: Mon Jun 7 15:50:03 2004 Subject: [SpamCop-List] Re: Philosophy References: <28832-40C2C07B-185@storefull-3278.bay.webtv.net> Message-ID: "Mike Easter" wrote... > Ant wrote: >> "Mike Easter" wrote... >> >>> The first step to aiding a spammer is to read a spam subject. The >>> second step is to read a spam. >> >> There's no way any of that will allow me to aid a spammer. > > That's not what I mean by that. Perhaps I should have used the word "lead" rather than "allow" in that sentence, and emphasised "me". I understand what you mean. [snip explanation] > I think spamfighting ranks include spamreaders of the bad kind; > separate from the pledged spamfighters who 'inspect' spam as a part > of a process of 'diligence' rather than curiosity. I do it for both reasons, but the curiosity is for techniques being used - e.g. html trickery that affects the rendering. As I said, I do this safely offline after having first inspected the source. You're talking about a different kind of curiosity, or perhaps I'm not clear on your exact meaning of "interesting spam" and "curiosity". I've never been curious about what's being sold at the end of a link; it's always been obvious from the spam itself. If I need to follow a dodgy link (can't recall doing so for spam, but have sometimes for other things), I'll do a "view-source:" on it in the browser. From ian_uncle at hotmail.com Mon Jun 7 17:00:09 2004 From: ian_uncle at hotmail.com (Ionizer) Date: Mon Jun 7 16:05:02 2004 Subject: [SpamCop-List] Re: Very slow email submissions References: <87oenw584i.fsf@ursine.ca> <873c57dydq.fsf@ursine.ca> Message-ID: "Paul Johnson" wrote in message news:873c57dydq.fsf@ursine.ca... > "Gingko" writes: > > > What sense is there to pay for removing a 10 seconds nag screen when there > > is a (about) 5 hours processing delay (whatever you pay or not) ? > > Apparently you didn't lurk before start posting or you would have known > about quick reporting available to paid users. I do understand that membership has its advantages, and that paid users avoid the nag screens. But SpamCop, and anyone using it to filter their Spam, benefit from the submissions made by *everybody.* And I would hazard a guess that most of the 647,050 Spams submitted in the last 24 hours were submitted by "free" users, although I cannot verify that assumption. My point was, I suppose, that through both accident AND design, SpamCop annoys the lifeblood of its databse- people like me, the free users/submitters. Regards, Ian. From nobody at devnull.spamcop.net Tue Jun 8 09:28:19 2004 From: nobody at devnull.spamcop.net (brewman) Date: Mon Jun 7 16:25:03 2004 Subject: [SpamCop-List] Re: Ploy defeats Spamcop References: <40C4BE09.83C57CCA@devnull.spamcop.net> Message-ID: "Miss Betsy" wrote > It is not the spammer who is causing you trouble. It is the ISP who > accepts all emails and then sorts them. Once he has done that, the > only way to send an undeliverable message is to send an email to the > forged return path. At one time, this was a useful technique, but as > many other things on the internet have been ruined due to spam, this > one is no longer a useful technique, but extremely annoying to many > people. > ... > If there were a BounceCop, it would be advising the originator of the > bounce that sending bounce emails is no longer a good idea. Bouncing undeliverable emails after they have been initially accepted is required, in order to be RFC compliant. Changing that would be next to impossible. Also, I WOULD want an email that *I* sent to a mis-typed address to bounce back. It's when someone FORGES *MY* domain that I don't want it to bounce to me. Some of the solutions being offered (e.g. SPF) are to spot people being fraudulent about who they say that they are, and then not accepting mail with forged return address. -- Brewman Brewman.SpamCop@brycom.cX.nX which really ends with dot co dot nz From Nobody at devnull.spamcop.net Mon Jun 7 16:39:50 2004 From: Nobody at devnull.spamcop.net (Nobody) Date: Mon Jun 7 16:40:04 2004 Subject: [SpamCop-List] Re: Ploy defeats Spamcop References: <40C4BE09.83C57CCA@devnull.spamcop.net> Message-ID: <40C4D296.7E935204@devnull.spamcop.net> Miss Betsy wrote: > > "Nobody" wrote in message > news:40C4BE09.83C57CCA@devnull.spamcop.net... > > > > > > > Miss Betsy, > > > > Are spammers using bounces to propagate spew into target addresses? > > I.e. pasting the target addy into the return-path and sending the > spam > > to a server they know will bounce it? > > No, they are not doing it deliberately. They simply put one of the > names on their list as the forged return address so they don't get the > bounces. The nicer ones rotate the forged addresses so that one > address is not inudated. Thanks for the reply. Also, I've been reading comments on the thread about FriedSpam and Black Widow (I thought the comment on Black Widow was yours and tried to find it again -- but my Netscape message-search utility won't "see" words in the bodies of these newsgroup posts for some reason, so I can't say for certain who posted up regarding Black Widow) and wonder what you thought about using these applications. I simply go offline to get secure looks at spam sourcecode, since simply highlighting some spams in OE launches web bugs and IMG SRC lines, but someone mentioned other ways to get secure looks at source or content. Viewing source won't show the content of a Base 64 spam and it isn't convenient for viewing HTML content, either. Is there an FAQ or other resource on SpamCop that lists the utilities and applications people use in spamfighting? As a side comment, I'd like to think, pace what some people posted in the "Philosophy" thread, that I have enough of Cardinal Torquemada in me to be able to "inspect" content without being ensorcelled by the heresies and blasphemies contained therein. One has only to understand that one is dealing with acolytes of the Antagonist, and all the Faustian phantasms and necromantic manifestations of Helen of Troy dissipate into nothing. Regards, Michael From nobody at devnull.spamcop.net Tue Jun 8 09:53:04 2004 From: nobody at devnull.spamcop.net (brewman) Date: Mon Jun 7 16:50:03 2004 Subject: [SpamCop-List] Re: Very slow email submissions References: <87oenw584i.fsf@ursine.ca> <873c57dydq.fsf@ursine.ca> Message-ID: "Ionizer" wrote > I do understand that membership has its advantages, and that paid users > avoid the nag screens. But SpamCop, and anyone using it to filter their > Spam, benefit from the submissions made by *everybody.* And I would > hazard a guess that most of the 647,050 Spams submitted in the last 24 > hours were submitted by "free" users, although I cannot verify that > assumption. My point was, I suppose, that through both accident AND > design, SpamCop annoys the lifeblood of its databse- people like me, the > free users/submitters. Well, I NEVER use the email option. I am an engineer, and want to see everything that's happening. I use the web-based submission exclusively. Also, as the recipient of many bounced emails, I want to parse but not submit. Is the 5 - 10 second delay for 'free' users annoying? Yes, and no. Like many things in life, I have a choice. What is that delay worth? I may even get around to subscribing, and that delay stops that issue from ever fading away. Don't grumble about being penalised a few seconds for being a 'free' user. The service isn't 'free' to SC anyway; they have costs & overheads (big assumption there). Stop thinking that the universe revolves around you, and that SC will stop working if you stop submitting. I submit, not to make SC work, or to think that I'm getting 'something for nothing', but because I HATE SPAM, and am willing to make an effort to make them stop. Hitting delete is NOT enough for me. Even with the delay, it's substantially quicker that tracing it myself (which I used to do). BTW I've actually loosened my ISP's spam filter (from Assassin to Intermediate) to let a little more spam through that I can feed into SC. -- Brewman Brewman.SpamCop@brycom.cX.nX which really ends with dot co dot nz From nobody at devnull.spamcop.net Tue Jun 8 10:03:06 2004 From: nobody at devnull.spamcop.net (brewman) Date: Mon Jun 7 17:00:03 2004 Subject: [SpamCop-List] Re: Ploy defeats Spamcop References: <40C4BE09.83C57CCA@devnull.spamcop.net> <40C4D296.7E935204@devnull.spamcop.net> Message-ID: "Nobody" wrote > I can't say for certain who posted up regarding Black Widow I cannot tell a lie. I did - somewhere. It's perhaps not as effective as FriedSpam (which I couldn't make work) as it only downloads the site once, but it's a good test to see whether the site is a facade or not. If it fails to download, or just a few K, then the site is probably a facade, & I go a-hunting to find the REAL site & download that. Then I alter (did I say that?) the spam to include that site, to get SC to track down abuse@ for me, but don't use SC submission. I do that myself (mustn't go breaking SC T&C) . BTW I'm on a 3GB monthly limit, so FriedSpam isn't as effective an option for me as for others anyway. I'm content with my 25MB or so a site. -- Brewman Brewman.SpamCop@brycom.cX.nX which really ends with dot co dot nz From eek at barkerjr.net Mon Jun 7 17:59:31 2004 From: eek at barkerjr.net (BarkerJr) Date: Mon Jun 7 17:05:03 2004 Subject: [SpamCop-List] Re: Very slow email submissions References: <87oenw584i.fsf@ursine.ca> Message-ID: <2j1fp1-2f6.ln1@gecko.LAN> > What sense is there to pay for removing a 10 seconds nag screen when there > is a (about) 5 hours processing delay (whatever you pay or not) ? It makes you feel good about supporting a service you use *shrug* From MikeE at ster.invalid Mon Jun 7 15:30:29 2004 From: MikeE at ster.invalid (Mike Easter) Date: Mon Jun 7 17:35:02 2004 Subject: [SpamCop-List] Re: Ploy defeats Spamcop References: <40C4BEFA.41F013A9@devnull.spamcop.net> Message-ID: Nobody wrote: > Mike Easter wrote: >> You have to report those manually, and only use SC's parser on the >> item to help determine who/how to notify with your manual, and >> cancel the SC report. > > > So you can use the SpamCop parser to parse the extracted header on the > original spam, just not report it through SpamCop, but manually LART > instead? Correctomundo. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Mon Jun 7 15:36:57 2004 From: MikeE at ster.invalid (Mike Easter) Date: Mon Jun 7 17:40:03 2004 Subject: [SpamCop-List] Re: Ploy defeats Spamcop References: <40C4BE09.83C57CCA@devnull.spamcop.net> <40C4D296.7E935204@devnull.spamcop.net> Message-ID: Nobody wrote: > As a side comment, I'd like to think, pace what some people posted in > the "Philosophy" thread, that I have enough of Cardinal Torquemada in > me to be able to "inspect" content without being ensorcelled by the ah! ensorcelled! as if 'sorceried' - bewitched. Not in very many dictionaries at all > heresies and blasphemies contained therein. One has only to > understand that one is dealing with acolytes of the Antagonist, and > all the Faustian phantasms and necromantic manifestations of Helen of > Troy dissipate into nothing. Exactly. You can look at it, but not directly into its eyes. -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Mon Jun 7 17:38:38 2004 From: nobody at devnull.spamcop.net (Cat) Date: Mon Jun 7 17:40:15 2004 Subject: [SpamCop-List] Re: Very slow email submissions In-Reply-To: References: <87oenw584i.fsf@ursine.ca> Message-ID: Gingko wrote: (Top posting fixed) > "Paul Johnson" a ?crit dans le message de > news:87oenw584i.fsf@ursine.ca... >>Try paying, the nag goes away. > > What sense is there to pay for removing a 10 seconds nag screen when there > is a (about) 5 hours processing delay (whatever you pay or not) ? What sense is there to top post in a newsgroup where you can easily see that the preferred method of posting is inline posting your comments below each quoted point and snipping the rest? Top posting gets the conversation out of order and makes it harder to read your posts. See #6 at http://linux.sgms-centre.com/misc/netiquette.php and #1 and #2 at http://www.river.com/users/share/etiquette/ for more on newsgroup posting netiquette. From eek at barkerjr.net Mon Jun 7 18:06:03 2004 From: eek at barkerjr.net (BarkerJr) Date: Mon Jun 7 18:05:03 2004 Subject: [SpamCop-List] Re: Ploy defeats Spamcop References: <40C4BE09.83C57CCA@devnull.spamcop.net> Message-ID: > Bouncing undeliverable emails after they have been initially accepted > is required, in order to be RFC compliant. Changing that would be next > to impossible. Also, I WOULD want an email that *I* sent to a > mis-typed address to bounce back. > It's when someone FORGES *MY* domain that I don't want it to bounce to > me. Some of the solutions being offered (e.g. SPF) are to spot people > being fraudulent about who they say that they are, and then not > accepting mail with forged return address. I think that's what Miss Betsy means. Email servers shouldn't accept email if they can't deliver it to a local client. From eek at barkerjr.net Mon Jun 7 18:04:50 2004 From: eek at barkerjr.net (BarkerJr) Date: Mon Jun 7 18:05:15 2004 Subject: [SpamCop-List] Re: Ploy defeats Spamcop References: <40C4BE09.83C57CCA@devnull.spamcop.net> <40C4D296.7E935204@devnull.spamcop.net> Message-ID: > I simply go offline to get secure looks at spam sourcecode, since simply > highlighting some spams in OE launches web bugs and IMG SRC lines, but > someone mentioned other ways to get secure looks at source or content. You can tell OE to view all emails in plain text in the options under the read tab. From nobody at spamcop.net Tue Jun 8 11:17:04 2004 From: nobody at spamcop.net (Anony Mouse) Date: Mon Jun 7 18:20:06 2004 Subject: [SpamCop-List] Re: How to be a spammer for US1200.00 References: <40C00BDF.1C8C964B@telus.net> Message-ID: <40C4E960.8050902@spamcop.net> Merlyn wrote: > "Bud" wrote in message news:40C00BDF.1C8C964B@telus.net... > >>http://www.spamcop.net/sc?id=z510216095z354a381eece2b77a6e47ca92bc1d561cz >> >>Wish I had a URL, I'd leave *Fried Spam* running overnight. > > > > From the opt-out url at the end > > To be removed from the database please follow this link, > http://notinuse.biz/takeoff/takeoff.html > > Offical Name = www.notinuse.biz > Aliases = > Addresses = 219.153.7.125 > > > > it could be one of these three: > > http://www.spamhaus.org/query/bl?ip=219.153.7.125 > > 219.152.0.0/15 is listed on the Spamhaus Block List (SBL) > ns0.dnstrans.com / greatbizss3.com (escalation) > or > 219.153.0.0/21 is listed on the Spamhaus Block List (SBL) > Alan Ralsky > or > 219.153.0.0/16 is listed on the Spamhaus Block List (SBL) > Tim Goyetche / Bulkers.net / Bulkbarn.com > Both the above offenders are members of the Bulk Club run by Drew Auman. I am pretty sure they are also associated with Webfinity. My email address went in at date.com recently. I get date.com spam then webfinity spam and then Ralsky and the rest of the gang take turns. When I contacted Mike Ellis at date.com his spam stopped and so did the Webfinity porn spam. That is the porn spam that directly traced to Webfinity. Ralsky and his mates are still sending out Cindy spam which is associated with Webfinity. Note these two operations... Omegaleads and ServerBeach who get there bandwidth from wcg.net I think these two are fronts for either the bulk club or Webfinity. Also a very good gotcha located here. http://www.fhh.demon.nl/spam/spam.html Note the Canadian link. From nobody at devnull.spamcop.net Tue Jun 8 11:35:02 2004 From: nobody at devnull.spamcop.net (brewman) Date: Mon Jun 7 18:35:03 2004 Subject: [SpamCop-List] Re: Ploy defeats Spamcop References: <40C4BE09.83C57CCA@devnull.spamcop.net> Message-ID: "BarkerJr" wrote > Email servers shouldn't accept email if > they can't deliver it to a local client. Umm, I'm a bit rusty on this, but IIRC (in a rush - no time to check RFCs) with SMTP the receiver is not necessarily the machine that will deliver. i.e. it does not (necessarily) have access to a list of valid recipients. In the old days, stuff would be slowly passed around the internet until finally arriving at its destination (I recall seeing receive lists with over a dozen entries). Now with high speed links & mega- oops - giga-storage the norm (okay, tera- then), senders can lookup the final recipient's server effectively straight away. Some SMTP receivers are still just entry points into other networks. BTW I had my first PC (70's) before IBM had theirs (80's). -- Brewman Brewman.SpamCop@brycom.cX.nX which really ends with dot co dot nz From nobody at spamcop.net Tue Jun 8 11:38:40 2004 From: nobody at spamcop.net (Anony Mouse) Date: Mon Jun 7 18:40:03 2004 Subject: [SpamCop-List] Gotcha... Message-ID: <40C4EE70.5090905@spamcop.net> Here is some nice info on a criminal spammer who is now identified on spamhaus. This is spammies identity. http://www.spamhaus.org/rokso/listing.lasso?-op=cn&spammer=Xavier%20Ratelle%20-%20Lifesmile This is the evidence. http://www.fhh.demon.nl/spam/spam.html Note that the IP space identified in this evidence now traces to Ralsky but the old link to wcg.net is the most interesting. Anyone have info on... ServerBeach and OmegaLeads? Specially info that links to Webfinity the Canadian porn spammer who I beleive is closely associated with this offender. From rcarlton at spamcop.net Mon Jun 7 16:47:53 2004 From: rcarlton at spamcop.net (Rick Carlton) Date: Mon Jun 7 18:45:04 2004 Subject: [SpamCop-List] Re: Gotcha... References: <40C4EE70.5090905@spamcop.net> Message-ID: "Anony Mouse" wrote in message news:40C4EE70.5090905@spamcop.net... > Specially info that links to Webfinity the Canadian porn spammer who I > beleive is closely associated with this offender. I've gotten spam from IngenuitySphere that points to OmegaLeads and lives at a MBE here in SF. Also as 1is7.com and eis7.com From nobody at spamcop.net Tue Jun 8 11:47:46 2004 From: nobody at spamcop.net (Anony Mouse) Date: Mon Jun 7 18:50:04 2004 Subject: [SpamCop-List] Re: Al or Macrae? References: <40B710C7.7000708@spamcop.net> <40BAD9A3.6000101@spamcop.net> Message-ID: <40C4F092.6040607@spamcop.net> Karl-Josef Ziegler wrote: > Anony Mouse wrote: > > >> The real orderer, as you put it, is very much in the foreground. >> >> The companies name is EyeFive Inc. > > > I don't think so. Eye 5 has all these VPRX and other 'herbal > quack medicine crap' to offer. But Al or Macrae are spamming > for the 'hard' stuff, i.e. prescription drugs like Viagra, > Vicodin, Cialis, etc. That's not the business of Eye 5. > > BTW: Did you ever got anything except spam from all > these 'affiliate programs'? It seems to me they're like > all these MLM scams and should be forbidden as > a legal business model. > I have traced EyeFive related spam to the gang before. Sure Ralsky etc spam meds stuff but they also spam for EyeFive and I beleive that EyeFive makes the spam orders through Webfinity or the Bulk Club. I am not saying EyeFive commisions meds spam or any other spam other than their own product which has now been rebranded. I have not got a VP-RX spam since bfore Christmas. Amplifico and PGF are the rebranded names of EyeFive product. Even product that was once thought to come from elsewhere has now been proven to come from EyeFive. From user\" at domain.invalid.com>" Tue Jun 8 01:47:39 2004 From: user\" at domain.invalid.com>" ( Rolf) Date: Mon Jun 7 18:50:28 2004 Subject: [SpamCop-List] Re: FriedSpam In-Reply-To: References: Message-ID: Leon Mayne wrote: > I just saw a couple of posts mentioning friedspam, and so I took a quick > (and did a quick test using a bloody logo company that keeps spamming me > :-) ). I was just wondering what people's opinions of tools such as this > are? Don't they discredit the antispam community? I checked it out also but besides of doubting the way to fight, I feel not as happy about the extra software I would need to install and the disabling of all security features in my browser. It says it is about anonymizing access and such, but the download for that addon is on some link on some obscure site not obviously related to the actual site and not clear explanation of what it would do. Also a search on the web gives some doubtful links for the same name as this add-on has. Rolf Kalberamatter From mikegray at avoidpsamdsl.pipex.com Tue Jun 8 01:00:36 2004 From: mikegray at avoidpsamdsl.pipex.com (Mike Gray) Date: Mon Jun 7 19:05:03 2004 Subject: [SpamCop-List] $40,000 - the price of a pump & dump? Message-ID: Taken from a pump & dump spam today - emphasis mine. "This profile is not without bias, and is a paid release. Writers and mailers have been compensated for the dissemination of company information on behalf of one or more of the companies mentioned in this release. Parties involved in the creation and distribution of this profile have been compensated ***40,000 dollars*** by a third party (third party), who is nonaffiliated, for services provided including dissemination of company information in this release. " Surely not? Mike From rcarlton at spamcop.net Mon Jun 7 17:05:06 2004 From: rcarlton at spamcop.net (Rick Carlton) Date: Mon Jun 7 19:05:14 2004 Subject: [SpamCop-List] Re: Gotcha... References: <40C4EE70.5090905@spamcop.net> Message-ID: "Anony Mouse" wrote in message news:40C4EE70.5090905@spamcop.net... > Here is some nice info on a criminal spammer who is now identified on > spamhaus. > > This is spammies identity. > > http://www.spamhaus.org/rokso/listing.lasso?-op=cn&spammer=Xavier%20Ratelle%20-%20Lifesmile Just realized what the hbepharmacy stood for.... Hiding Behind Email From bjoeg at *spammer*bjoeg.dk Tue Jun 8 00:40:53 2004 From: bjoeg at *spammer*bjoeg.dk (Bjarke Andersen) Date: Mon Jun 7 19:45:03 2004 Subject: [SpamCop-List] TimeStarz Message-ID: Didnt notice it until yesterday where I wondered, where did all my TimeStarz spam go. Mostly getting pr0n msgs now. So did we win? -- Bjarke Andersen - Freelance SpamKiller http://www.cdt.org/speech/spam/030319spamreport.shtml (How to prevent) Wanna reply by email? Remove the spammer in address From tfm3 at nospam.teleproc.com Mon Jun 7 21:16:25 2004 From: tfm3 at nospam.teleproc.com (Thomas Mooney) Date: Mon Jun 7 21:20:03 2004 Subject: [SpamCop-List] Re: Very slow email submissions References: <87oenw584i.fsf@ursine.ca> Message-ID: Cat wrote > > What sense is there to top post in a newsgroup where you can easily > see that the preferred method of posting is inline posting your > comments below each quoted point and snipping the rest? Top posting > gets the conversation out of order and makes it harder to read your > posts. > Cat, Is that all you've got left? I could understand putting in your plug for inline-posting as an addition to some reasoned response the the poster's argument. But to repeatedly respond solely as a top-post net-cop gets a bit stale. But I suppose if that's your mission in life, who am I to complain. So I'll just shut up now. -- TFM3 Note: Spam-resistant e-mail address From nobody at xyzzy.claranet.de Tue Jun 8 04:33:35 2004 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Mon Jun 7 21:40:03 2004 Subject: [SpamCop-List] Re: Very slow email submissions References: <87oenw584i.fsf@ursine.ca> <873c57dydq.fsf@ursine.ca> Message-ID: <40C5176F.4110@xyzzy.claranet.de> brewman wrote: > I NEVER use the email option. I am an engineer, and want > to see everything that's happening. That's obviously a contradiction in itself, you can't judge mail submissions without testing it. > I use the web-based submission exclusively. It's identical, I see exactly the same technical details of the parsing for spam submitted by mail. Don't confuse this with "quick reporting" (BTW, that's a privilege, it doesn't depend on "member" vs. "free reporter") Even for quick reports you get the full technical details, there are only two disadvantages: If something went wrong, you can't stop it. And quick reports ignore the body of the spam, no reports about spamvertized site, no effect on SURBL. > as the recipient of many bounced emails, I want to parse > but not submit. Sure, the best way to do this is to use the Web interface and cancel the reports (after noting the trackback link for later discussions if necessary). > Is the 5 - 10 second delay for 'free' users annoying? IMHO no. I only use it in two cases: analyzing spam posted in .spam, or report "probes" (empty body), because it's easier to add the "[body was empty]" line with the Web interface. > Hitting delete is NOT enough for me. ACK, same here. Bye, Frank From nobody at devnull.spamcop.net Tue Jun 8 11:59:13 2004 From: nobody at devnull.spamcop.net (Patto) Date: Mon Jun 7 22:00:02 2004 Subject: [SpamCop-List] Re: Philosophy References: <28832-40C2C07B-185@storefull-3278.bay.webtv.net> Message-ID: "Mike Easter" wrote in message news:ca0qoh$5gl$1@news.spamcop.net... > Patto wrote: >> "Mike Easter" >>> The first step to aiding a spammer is to read a spam subject. >>> ... >> >> How do you make sure that a message is spam without reading the >> subject line? > > > Name me a particular specific example of one of your filter's false > positives so we can discuss a real thing rather than an imaginary one. My filter is Cloudmark's SpamNet, which does an excellent job. I do not only report all spam via SpamCop, I also send cases of software piracy to the appropriate addresses at the affected software companies. Sometimes they send back an auto-ack that contains the full original spam text. These auto-acks sometimes end up as false positives. Since I quick-report all overnight spam, I must make sure that I do not send any false positives. And unfortunately there seems to be no other way than checking the sender and subject of each message. And I can tell you, nothing makes you more tired on a Monday morning than checking 200~300 spam subjects! That's why I'd like to know if there is an easier way. From eek at barkerjr.net Mon Jun 7 22:25:46 2004 From: eek at barkerjr.net (BarkerJr) Date: Mon Jun 7 22:05:03 2004 Subject: [SpamCop-List] Re: Very slow email submissions References: <87oenw584i.fsf@ursine.ca> <873c57dydq.fsf@ursine.ca> Message-ID: > Stop thinking that the universe > revolves around you, and that SC will stop working if you stop > submitting. I submit, not to make SC work, or to think that I'm > getting 'something for nothing', but because I HATE SPAM, and am > willing to make an effort to make them stop. Hitting delete is NOT > enough for me. Even with the delay, it's substantially quicker that > tracing it myself (which I used to do). I remember that even back then, with 1% of the spam I recieve today, I spent up to 5-6 hours a day reporting. Now I can report tons more in just a half hour. That's what I call technology. I take more time forwarding my spam to spamcop than parsing it. From caribe at jamesodell.com Mon Jun 7 23:42:39 2004 From: caribe at jamesodell.com (James Odell) Date: Mon Jun 7 22:45:07 2004 Subject: [SpamCop-List] Re: 68.253.188.164 not listed in bl.spamcop.net In-Reply-To: References: Message-ID: Hi Mike, But, it appears to take between 1/2 to 1 day to get recorded. As a timely blacklisting of spamming DSNs, this seems a bit too long. Does that make sense? Thanks, Jim Mike Easter wrote: > James Odell wrote: > >>In short, my spam reporting is not being registered >>by SpamCop. Why would that be? > > > There's a process that takes a variable amount of time between > reporting, and the effects on the db that is accessible at > http://www.spamcop.net/bl.shtml and another variable to affect the SCbl > that is accessible by nslookup or its equivalent at > 4.3.2.1.bl.spamcop.net > From MikeE at ster.invalid Mon Jun 7 20:43:06 2004 From: MikeE at ster.invalid (Mike Easter) Date: Mon Jun 7 22:45:29 2004 Subject: [SpamCop-List] Re: Philosophy References: <28832-40C2C07B-185@storefull-3278.bay.webtv.net> Message-ID: Patto wrote: > Since I quick-report all overnight spam, I must make sure that I do > not send any false positives. Well, I have a problem with quick reporting and my concern is about errors. Let me see if I'm clear on this. I inspect spams' headers to adequately oversee spamcop's parsing to prevent errors but I don't open spam. You open what isn't clear from the subject so as to not make a mistake about improper reporting and then quick report. There's something very different about those two approaches. When I inspect a spam, the very first thing I look at is the headers; that is the 'opposite' of reading a spam subject to figure out if it is spam. Besides, reading spam subjects isn't sufficiently accurate to determine if the item is spam. The strength of a filter isn't in its ability to read subjects. The scanning of the headers is a valuable step in discovering the occasional false positive or false suspect. I used to scan headers and derive notifies before feeding spamcop; now I scan and feed at the same time. We have a very different philosophy about where errors come from. I say errors come from both subject reading /and/ quick reporting . If you are reading hundreds of spam subjects 'in a hurry' you are going to be making errors. If you are reporting thousands of spam per week with quick reporting, you are going to be making errors. -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Mon Jun 7 23:43:35 2004 From: nobody at devnull.spamcop.net (Cat) Date: Mon Jun 7 23:45:03 2004 Subject: [SpamCop-List] Re: Very slow email submissions In-Reply-To: References: <87oenw584i.fsf@ursine.ca> Message-ID: Thomas Mooney wrote: > Cat, > > Is that all you've got left? I could understand putting in your plug for > inline-posting as an addition to some reasoned response the the poster's > argument. But to repeatedly respond solely as a top-post net-cop gets a bit > stale. But I suppose if that's your mission in life, who am I to complain. > So I'll just shut up now. When someone insists on top posting, it's kind of hard to keep the conversation in a reasonable order to be able to come up with a "reasoned response" as you call it. Funny how the small handful of youyou people who whine and complain about my posts like the one above seem to happily ignore the posts I make about other issues here. Even if I had added anything else, you obviously still would have gone out of your way to complain about my comments on not top posting. Don't YOU have anything better to do than to follow people around criticizing what parts of posts they choose to reply to? Talk about being stale. From eek at barkerjr.net Tue Jun 8 00:18:57 2004 From: eek at barkerjr.net (BarkerJr) Date: Tue Jun 8 00:05:07 2004 Subject: [SpamCop-List] Re: Very slow email submissions References: <87oenw584i.fsf@ursine.ca> <873c57dydq.fsf@ursine.ca> <40C5176F.4110@xyzzy.claranet.de> Message-ID: <7snfp1-dcd.ln1@gecko.LAN> > Even for quick reports you get the full technical details, > there are only two disadvantages: If something went wrong, > you can't stop it. And quick reports ignore the body of > the spam, no reports about spamvertized site, no effect on > SURBL. 3. You can't override Munged Reports not being sent. From tfm3 at nospam.teleproc.com Tue Jun 8 01:52:02 2004 From: tfm3 at nospam.teleproc.com (Thomas Mooney) Date: Tue Jun 8 01:55:02 2004 Subject: [SpamCop-List] Re: Very slow email submissions References: <87oenw584i.fsf@ursine.ca> Message-ID: Cat wrote: > Thomas Mooney wrote: > >> Cat, >> >> Is that all you've got left? I could understand putting in your >> plug for inline-posting as an addition to some reasoned response the >> the poster's argument. But to repeatedly respond solely as a >> top-post net-cop gets a bit stale. But I suppose if that's your >> mission in life, who am I to complain. So I'll just shut up now. > > Don't > YOU have anything better to do than to follow people around > criticizing what parts of posts they choose to reply to? Talk about > being stale. Follow you around and criticize? Me? To the best of my recollection (which I'll admit is far from perfect at my advancing age) this was the first time I'd addressed a post to you. Regardless, I lurk here from time to time and read a fair number of your posts in the context of threads that interest me. And the majority of your writings strike me as criticisms of one poster or another. The bulk of the time it's for top-posting. Sometimes it's for not properly posting in .spam. The constant is your tone and attitude. I would suggest a "kinder and gentler" approach. But I've also read enough of your material to have fairly realistic expectations regarding the likelihood that my advice will be heeded. So carry on, by all means. I'll admit I should have kept my mouth shut. Absolutely no good could have come from my previous post to you. And no good will come from any subsequent posts to you. So I'll stop now. -- TFM3 Note: Spam-resistant e-mail address From nobody at devnull.spamcop.net Tue Jun 8 17:05:45 2004 From: nobody at devnull.spamcop.net (Patto) Date: Tue Jun 8 03:10:10 2004 Subject: [SpamCop-List] Re: Philosophy References: <28832-40C2C07B-185@storefull-3278.bay.webtv.net> Message-ID: "Mike Easter" wrote in message news:ca3952$335$1@news.spamcop.net... > Patto wrote: >> Since I quick-report all overnight spam, I must make sure that I do >> not send any false positives. > > ... > We have a very different philosophy about where errors come from. I say > errors come from both subject reading /and/ quick reporting . If you are > reading hundreds of spam subjects 'in a hurry' you are going to be > making errors. If you are reporting thousands of spam per week with > quick reporting, you are going to be making errors. You are probably right. However, after a weekend with 300~500 spam messages, the only other option aside from quick reporting is not reporting. I use http://members.spamcop.net/ with copy/paste from Outlook into the two-windows form. I can do this only for my daytime spam; the overnight and weekend spam can only be handled either quick, or not at all. Inspecting headers on Outlook is not easy without opening the messages, although I have SpamDeputy that allows me to copy the entire message to the clipboard. Still, for overnight/weekend spam this is simply too time-consuming. So, I will either have to continue inspecting the subject and quick report, or leave them completely unreported. But I'm getting your point. From MikeE at ster.invalid Tue Jun 8 01:29:41 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jun 8 03:35:03 2004 Subject: [SpamCop-List] Re: 68.253.188.164 not listed in bl.spamcop.net References: Message-ID: trimmed and restructured for conversing James Odell wrote: > Mike Easter wrote: >> James Odell wrote: >> >>> In short, my spam reporting is not being registered >>> by SpamCop. Why would that be? >> >> There's a process that takes a variable amount of time between >> reporting, and the effects on the db that is accessible at >> http://www.spamcop.net/bl.shtml and another variable to affect the >> SCbl that is accessible by nslookup or its equivalent at >> 4.3.2.1.bl.spamcop.net > But, it appears to take between 1/2 to 1 day to get recorded. As a > timely blacklisting of spamming DSNs, this seems a bit too long. Does > that make sense? This goes beyond delay. I think you aren't seeing any effect from your reports nowadays unless the IP gets listed. Currently: 68.253.188.164 not listed in bl.spamcop.net is all it sez. It appears that the information accessible from an IP lookup has been further deprecated. Now, the db simply sez listed or unlisted and I think it still sez when there is no history, but I'm not even sure about that right now. The db isn't telling you anything about any reports that have been made in your example. In the distant past, a lookup used to tell you a lot, including evidence headers. Then the lookup output was significantly reduced. Now, it appears that it has been further reduced. -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Tue Jun 8 02:32:12 2004 From: nobody at spamcop.net (TheWanderer) Date: Tue Jun 8 04:35:08 2004 Subject: [SpamCop-List] SC "spamming" us now? Message-ID: Is SC now "spamming" us with pop-up ads? While doing reporting, the only window open was SC. I kept getting pop-up ads. From nobody at spamcop.net Tue Jun 8 02:37:07 2004 From: nobody at spamcop.net (TheWanderer) Date: Tue Jun 8 04:40:08 2004 Subject: [SpamCop-List] Re: NEVERMIND References: Message-ID: I foud out thathe wife installed some spyware . Sorry "TheWanderer" wrote in message news:ca3tje$hen$1@news.spamcop.net... > Is SC now "spamming" us with pop-up ads? > > While doing reporting, the only window open was SC. I kept getting pop-up > ads. > > > From MikeE at ster.invalid Tue Jun 8 02:37:31 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jun 8 04:40:18 2004 Subject: [SpamCop-List] Re: SC "spamming" us now? References: Message-ID: TheWanderer wrote: > Is SC now "spamming" us with pop-up ads? > > While doing reporting, the only window open was SC. I kept getting > pop-up ads. You must be contaminated with a spyware. My recommendation: - go to some educational site like spywareinfo.com - most importantly learn how to surf configured more securely - also and incidental to proper browser configuration, use antispyware learned about at spywareinfo I don't have any anti popups active when I visit the SC front page or parser and I don't get any popups. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Tue Jun 8 02:48:03 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jun 8 04:50:53 2004 Subject: [SpamCop-List] Re: NEVERMIND References: Message-ID: TheWanderer wrote: > I foud out thathe wife installed some spyware . Oops. In my 'list' I forgot to mention, 'don't let anyone install any spyware either.' ;-) -- Mike Easter kibitzer, not SC admin From none at invalid.domain Tue Jun 8 03:35:46 2004 From: none at invalid.domain (HillsCap) Date: Tue Jun 8 05:40:02 2004 Subject: [SpamCop-List] Re: FriedSpam References: Message-ID: "Rolf" wrote: > I checked it out also but besides of doubting the way to fight, I feel > not as happy about the extra software I would need to install and the > disabling of all security features in my browser. It says it is about > anonymizing access and such, but the download for that addon is on some > link on some obscure site not obviously related to the actual site and > not clear explanation of what it would do. Also a search on the web > gives some doubtful links for the same name as this add-on has. No need to disable any security features in the browser, or uninstall popup blockers... I'm running my browser with much higher security settings than default, and it runs just fine. Just set your popup blocker so that popups are allowed for FriedSpam.net (the windows that load in the spamvertised websites pop up from the main FriedSpam.net window... blocking these prevents you from hitting spamvertised websites). Sam Gatling (the creator of FriedSpam.net) is a great guy... I've conversed with him many times... but he's a bit off on his website when he recommends disabling security features. I've grabbed the source code of the FriedSpam.net website, and I'm reworking it so it uses DIV containers (instead of tables), and external .js files (rather than in-line Javascript). I'll rewrite the relevant parts to reflect my experience with running FriedSpam.net with higher than default security settings, then submit it to Sam... hopefully he'll update the site with the new code after he's done testing the anonymous proxy rotation setup I told him about, and include instructions on how to run FriedSpam.net through anonymous proxies. I'll also work on a way to make the page 'lighter', such as hiding the instruction in a hidden DIV until a link is clicked, using Javascript (or possibly just CSS) to change the DIV visibility to show the instructions. The extra software is legit... I've checked it out extensively... it neither installs any spyware nor anything nefarious, nor tries to connect to the 'net. It's there to clear your cache of the previous files, so the ones being downloaded aren't taken from cache (if you watch your Temporary Internet Files folder, you'll see the spamvertised website's file load in, then disappear, then load in, then disappear, etc., etc.). The 'anonymizing' part is that it is supposed to obscure your browser ID string... I have no idea if it does that, since there's no way to test it (unless I want to fry my own website, then check the server logs for the browser ID string). If you want to truly be anonymous, use either Proxo or WebWasher to obscure your browser ID string, and run through an anonymous proxy rotator like MultiProxy... the spammers' logs will show a custom browser string (or no browser string at all, whatever you set it to in Proxo or WebWasher), and spammy won't be able to see your IP address, either (because of the anonymous proxies). Be aware that WebWasher has memory leak issues when run alongside locally run Java programs... the Java programs will grab more and more memory handles, and WebWasher will grab more and more memory. Shutting down the Java programs makes WebWasher stable, shutting down WebWasher makes the Java programs stable. So, if you're running the JackPot Mailswerver fake SMTP server / honeypot / teergrube (or other locally run Java programs like Unsolicited Commando) along with WebWasher, you're going to have resource leaks to contend with. WebWasher has been informed of the problem in detail. I've installed the AR Soft RAM Disk, and set my Temporary Internet Files to go to that... it makes it much faster, and my hard drive isn't trundling all the time... be sure you've got enough memory to handle a RAM Disk if you're going to do this. I also have all my browser History and cookies (at least, the ones I accept... I reject all cookies unless a website requires them to browse the site.), etc. saved to the RAM Disk. When I reboot, they're gone for good. To be truly safe when using FriedSpam.net, I'd recommend doing the following: Disable everything in your Internet Zone... disable Java, disable Javascript, disable scripting... everything. Set up your Trusted Zone with settings similar to what the normal Internet Zone settings are (I've actually got my Trusted Zone settings more secure than that). Put sites you trust and regularly visit into the Trusted Zone, including FriedSpam.net. (This is akin to running it in the Internet Zone with normal browser settings). This is the way MS originally intended the Security Zones to be used. You might also think about enabling the 'My Computer' security zone... and locking down security settings on the local computer a bit (set most things to 'Prompt', so you know what's going on locally). This way, you can visit spamvertised websites (in the Internet Zone) with no fear of them doing a drive-by download or anything sneaky... you'll need to visit the spamvertised websites for a few reasons: 1) to find the largest page to fry 2) to ascertain if the spamvertised website is actually a spamvertised website or the victim of a Joe-job 3) to get the page size of the page you'll be frying... if you see that the page size reported in your Temporary Internet Files is smaller than the size you recorded, it could be that the spammer is blocking the IP address you're using. 4) to see if the site is still up and operational... I keep a 'Kill' list, which I check once a week. If a spamvertised website in that Kill list comes back to life, I revisit the website to determine if it's the same spamvertised website, or if the domain has been sold and a new site put up. If it's the same site, I proceed to fry it again. 5) to gather data about the spammer for LART reports (sometimes it's easier to just visit the spamvertised site in your secured browser than it is to load it into a text-only browser (like Sam Spade) and parse through the source code looking for data). As for whether it's illegal... no, it's not... it does not breach any of the provisions set forth in the Computer Fraud and Abuse Act. It may be a violation of your ISP's TOS or AUP, depending upon your ISP (it's not for my ISP... I've spoken with high-tier tech support on this issue, and they wish they could run FriedSpam.net from their own servers (but fear massive spammer retaliation that would shut down large portions of their networks), and are glad that some are taking the vanguard in battling back against the spammers). ISPs are just as (if not more so) sick of the spam problem as any of us... it costs them tremendous amounts of money, not only to transport and block and/or filter the spam, but to answer the endless newbie tech support calls complaining about too much spam. As for whether it's fighting abuse with abuse... absolutely. Sometimes force is needed when all other solutions have been found to be largely ineffective. That is why war is a reality, and that's why FriedSpam.net is a reality. If the spammers targeted their mailings, honored unsubscribe requests, didn't rape relays, didn't flood people with so much spam that they could no longer do their job, didn't put smaller ISPs out of business because of increased bandwidth costs associated solely with spam, etc., then FriedSpam.net wouldn't be necessary. BUT, at least it's abuse focused on the right parties, the bad guys. The reason it's effective for me is that I actually contact the spammer and TELL them that I'll be hitting their website because they sent me spam. They generally laugh, thinking I'm a newbie, and they'll just block my IP address... until I hit them from a hundred different IP addresses from around the world... then they stop sending me spam. They know that blocking by IP address in my case is next to impossible... because I'm using the spammers' tools against them... if they block the IP addresses of the anonymous proxies I'm using, I'll just go get more of them. They have no choice but to either accept that I'm going to cost them a great deal in bandwidth (and the others that I have helping me to hit the spamvertised websites are going to multiply those costs), or to take the spamvertised website down. My 'Kill' list continues to grow on a daily basis... I had one spammer (who I've had the occasion to fry before) accidentally send a spam to me... I started hitting their website, they realized it was me, and took the website down just 10 minutes later. I stopped to perform system maintenance, and was down for about 45 minutes. After coming back up, I checked my Kill list. That site was back up, so I again started hitting it. It went away again after about 20 minutes, and so far hasn't returned. Lest you think I was just DDoS'ing them off the 'net, not so. The anonymous proxies don't give me the bandwidth to perform a DDoS. I can barely utilize half of my bandwidth through the proxies. From martinAT at cleaverDOT.nl Tue Jun 8 11:00:17 2004 From: martinAT at cleaverDOT.nl (Martin Cleaver) Date: Tue Jun 8 06:05:02 2004 Subject: [SpamCop-List] Web mail Message-ID: Just getting to know the webmail interface to Spamcop and finding it pretty confusing. Simple issues: Unless you work right through the wizard, you can't find out even THAT there is a POP option... It isn't mentioned in the help. SO it was only later (after I had set up special local email addresses to receive the filtered mail) that I found out I could POP from Spamcop. I have several accounts, for me and the family, but the interface doesn't say which account is open, so I either have to log off and on again just in case or look at the preferences. There's sometimes a face alongside the box in the delete column... not sure what it is or why it's in the delete column? Rgds Martin From none at invalid.domain Tue Jun 8 04:09:27 2004 From: none at invalid.domain (HillsCap) Date: Tue Jun 8 06:15:03 2004 Subject: [SpamCop-List] Re: Philosophy References: <28832-40C2C07B-185@storefull-3278.bay.webtv.net> Message-ID: "Patto" wrote in message news:ca3ogb$e69$1@news.spamcop.net... > Inspecting headers on Outlook is not easy without opening the messages, > although I have SpamDeputy that allows me to copy the entire message to the > clipboard. Still, for overnight/weekend spam this is simply too > time-consuming. So, I will either have to continue inspecting the subject > and quick report, or leave them completely unreported. The way I do it is that I've got the Spammunition Bayesian filter set up to move my spam email to a different Outlook folder, named SPAM. I then use the Spammer Slammer VBA code to report the spam to SpamCop (http://www.hillscapital.com/spammerslammer.zip), as well as to the FTC and several Block Lists, simultaneously. The Spammer Slammer VBA code was designed for Outlook 2000, but will work for later versions if you know a bit of VBA coding and replace the code snippet that forces Outlook to immediately send the spam reports, or disable that feature. It's got full installation instructions in the code. You can report multiple spams at once by selecting all the spams, then clicking the 'Report As Spam' button. If you're using your quick reporting SpamCop address, you've only got one click to report all your weekend spam, not only to SpamCop, but to the FTC and the Block Lists. Just look through them before reporting, to be sure you're not reporting legitimate emails (it's got a whitelist that checks through your Contacts folder and compares the sender of the email against the email addresses in your Contacts folder... if they match, it gives you a chance to cancel reporting that email.) Hope this helps... From none at invalid.domain Tue Jun 8 04:28:12 2004 From: none at invalid.domain (HillsCap) Date: Tue Jun 8 06:30:03 2004 Subject: [SpamCop-List] Re: Ploy defeats Spamcop References: <40C4BE09.83C57CCA@devnull.spamcop.net> <40C4D296.7E935204@devnull.spamcop.net> Message-ID: "brewman" wrote in message news:ca2kvq$ik2$1@news.spamcop.net... > BTW I'm on a 3GB monthly limit, so FriedSpam isn't as effective an > option for me as for others anyway. I'm content with my 25MB or so a > site. Good Lord! Only 3 GB per MONTH?! I go through more than that in a DAY, across all my machines. Man, I'd feel so throttled if I was with your ISP... From michael.spamcop at michaellefevre.com Tue Jun 8 12:07:28 2004 From: michael.spamcop at michaellefevre.com (Michael Lefevre) Date: Tue Jun 8 07:10:03 2004 Subject: [SpamCop-List] Re: 68.253.188.164 not listed in bl.spamcop.net References: Message-ID: James Odell wrote: > Hi Mike, > > But, it appears to take between 1/2 to 1 day to get recorded. As a > timely blacklisting of spamming DSNs, this seems a bit too long. Does > that make sense? Yes. The IP you reported was listed about 2.5 hours after your second report (about an hour after your first post in this thread). The IP was delisted again 48 hours from the time you received the second spam. A couple of hours still seems rather a long time to me - I guess the system was busy or something - but not quite as bad as half a day... -- Michael From nobody at devnull.spamcop.net Tue Jun 8 21:14:26 2004 From: nobody at devnull.spamcop.net (nobody@devnull.spamcop.net) Date: Tue Jun 8 07:15:03 2004 Subject: [SpamCop-List] Re: FriedSpam References: Message-ID: This is the first time I've heard of FriedSpam. Unfortunately, I am internet challenged and understood only a small part of your post, but I *did* understand the part where you hit the spammers websites from an unlimited number of open proxies - effectively forcing the website to close down! I wish I had the knowledge and expertise to do the same ... but I'd be a sitting duck for retaliation. Well done, keep up the good work - best antispam news I've read in ages. Regards, Hughy -- I can be found at airways underscore electronics at bigpond_d_o_t_c_o_m_ From caribe at jamesodell.com Tue Jun 8 09:15:52 2004 From: caribe at jamesodell.com (James Odell) Date: Tue Jun 8 08:20:22 2004 Subject: [SpamCop-List] Re: 68.253.188.164 not listed in bl.spamcop.net In-Reply-To: References: Message-ID: Try IP 80.133.157.110. It is now (8:15am EST on 8 June) more than a half day since I reported it at it still indicates "not listed." More that 12 hours is now very common. Am beginning to feel like reporting is a waste of time. :-/ -Jim Michael Lefevre wrote: > James Odell wrote: > >>Hi Mike, >> >>But, it appears to take between 1/2 to 1 day to get recorded. As a >>timely blacklisting of spamming DSNs, this seems a bit too long. Does >>that make sense? > > > Yes. The IP you reported was listed about 2.5 hours after your second > report (about an hour after your first post in this thread). The IP was > delisted again 48 hours from the time you received the second spam. > > A couple of hours still seems rather a long time to me - I guess the > system was busy or something - but not quite as bad as half a day... > From caribe at jamesodell.com Tue Jun 8 09:31:07 2004 From: caribe at jamesodell.com (James Odell) Date: Tue Jun 8 08:35:03 2004 Subject: [SpamCop-List] Re: 68.253.188.164 not listed in bl.spamcop.net In-Reply-To: References: Message-ID: Mike, In the not-too-distant past, the SpamCp status would reflect my activity within seconds of reporting. That was very rewarding and I felt like I was striking a blow against spammers. Now, the whole thing appears sluggish and unresponsive. I fear that SpamCop has become an under-achiever. :-( Mike Easter wrote: > trimmed and restructured for conversing > > James Odell wrote: > >>Mike Easter wrote: >> >>>James Odell wrote: >>> >>> >>>>In short, my spam reporting is not being registered >>>>by SpamCop. Why would that be? >>> >>>There's a process that takes a variable amount of time between >>>reporting, and the effects on the db that is accessible at >>>http://www.spamcop.net/bl.shtml and another variable to affect the >>>SCbl that is accessible by nslookup or its equivalent at >>>4.3.2.1.bl.spamcop.net > > >>But, it appears to take between 1/2 to 1 day to get recorded. As a >>timely blacklisting of spamming DSNs, this seems a bit too long. Does >>that make sense? > > > This goes beyond delay. I think you aren't seeing any effect from your > reports nowadays unless the IP gets listed. > > Currently: > > 68.253.188.164 not listed in bl.spamcop.net > > is all it sez. It appears that the information accessible from an IP > lookup has been further deprecated. > > Now, the db simply sez listed or unlisted and I think it still sez when > there is no history, but I'm not even sure about that right now. > > The db isn't telling you anything about any reports that have been made > in your example. In the distant past, a lookup used to tell you a lot, > including evidence headers. Then the lookup output was significantly > reduced. Now, it appears that it has been further reduced. > From michael.spamcop at michaellefevre.com Tue Jun 8 13:43:19 2004 From: michael.spamcop at michaellefevre.com (Michael Lefevre) Date: Tue Jun 8 08:45:02 2004 Subject: [SpamCop-List] Re: 68.253.188.164 not listed in bl.spamcop.net References: Message-ID: James Odell wrote: > Try IP 80.133.157.110. It is now (8:15am EST on 8 June) Technically I think you mean 8:15 EDT (UTC -0400) rather than EST (-0500), but anyway... > more than a > half day since I reported it at it still indicates "not listed." In this case, it's not listed because yours is the only report of that IP so far. The "score" is high enough for a listing, but Spamcop won't list until there's at least 2 reports (or 3 reports if Spamcop knows about some other traffic). -- Michael From Kilgallen at SpamCop.net Tue Jun 8 09:02:04 2004 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Tue Jun 8 09:05:02 2004 Subject: [SpamCop-List] Re: SC "spamming" us now? References: Message-ID: In article , "Mike Easter" writes: > TheWanderer wrote: >> Is SC now "spamming" us with pop-up ads? >> >> While doing reporting, the only window open was SC. I kept getting >> pop-up ads. > > You must be contaminated with a spyware. My recommendation: > > - go to some educational site like spywareinfo.com > - most importantly learn how to surf configured more securely > - also and incidental to proper browser configuration, use antispyware > learned about at spywareinfo > > I don't have any anti popups active when I visit the SC front page or > parser and I don't get any popups. I don't get popups anywhere, since I run with JavaScript disabled. The very notion of giving the world blanket permission to do what they please with your browser and then complaining about what they do with it is preposterous. From Kilgallen at SpamCop.net Tue Jun 8 09:04:01 2004 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Tue Jun 8 09:05:16 2004 Subject: [SpamCop-List] Re: NEVERMIND References: Message-ID: In article , "Mike Easter" writes: > TheWanderer wrote: >> I foud out thathe wife installed some spyware . > > Oops. In my 'list' I forgot to mention, 'don't let anyone install any > spyware either.' ;-) I only install software for which I have paid, and thus have an implicit legal contract with a known entity. I could not afford to take them to court, but "they" don't know that. From maddsybil at spamcop.net Tue Jun 8 10:08:04 2004 From: maddsybil at spamcop.net (MaddSybil) Date: Tue Jun 8 09:10:03 2004 Subject: [SpamCop-List] Re: NEVERMIND References: Message-ID: "TheWanderer" wrote in message news:ca3tsm$hrv$1@news.spamcop.net... > I foud out thathe wife installed some spyware . > > Sorry > > "TheWanderer" wrote in message > news:ca3tje$hen$1@news.spamcop.net... > > Is SC now "spamming" us with pop-up ads? > > > > While doing reporting, the only window open was SC. I kept getting pop-up > > ads. > > Ohhh, suuuure, blame it in the wife, uh huh... :) The last Dumb Thing I did was try to remove spyware without reading about how to do it. Nearly trashed my registry. From Kilgallen at SpamCop.net Tue Jun 8 09:12:10 2004 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Tue Jun 8 09:15:03 2004 Subject: [SpamCop-List] Re: 68.253.188.164 not listed in bl.spamcop.net References: Message-ID: <$q$FWaOQh0nn@eisner.encompasserve.org> In article , "Mike Easter" writes: > This goes beyond delay. I think you aren't seeing any effect from your > reports nowadays unless the IP gets listed. > > Currently: > > 68.253.188.164 not listed in bl.spamcop.net > > is all it sez. It appears that the information accessible from an IP > lookup has been further deprecated. > > Now, the db simply sez listed or unlisted and I think it still sez when > there is no history, but I'm not even sure about that right now. > > The db isn't telling you anything about any reports that have been made > in your example. In the distant past, a lookup used to tell you a lot, > including evidence headers. Then the lookup output was significantly > reduced. Now, it appears that it has been further reduced. A test I just ran indicates the total absence of information is only for IP addresses that are _not_ listed: 67.39.185.240 listed in bl.spamcop.net (127.0.0.2) Causes of listing System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop) SpamCop users have reported system as a source of spam about 60 times in the past week Additional potential problems (these factors do not directly result in spamcop listing) Listing History It has been listed for 7.5 days. Other hosts in this "neighborhood" with spam reports 67.39.185.86 67.39.185.98 67.39.185.121 67.39.185.155 67.39.185.178 67.39.185.191 67.39.185.225 67.39.185.228 67.39.186.22 67.39.186.146 67.39.186.174 From caribe at jamesodell.com Tue Jun 8 10:18:27 2004 From: caribe at jamesodell.com (James Odell) Date: Tue Jun 8 09:20:03 2004 Subject: [SpamCop-List] Re: 68.253.188.164 not listed in bl.spamcop.net In-Reply-To: References: Message-ID: OK, that makes sense. Thanks Michael for perservering. Michael Lefevre wrote: > James Odell wrote: > >>Try IP 80.133.157.110. It is now (8:15am EST on 8 June) > > > Technically I think you mean 8:15 EDT (UTC -0400) rather than EST (-0500), > but anyway... > > >>more than a >>half day since I reported it at it still indicates "not listed." > > > In this case, it's not listed because yours is the only report of that IP > so far. The "score" is high enough for a listing, but Spamcop won't list > until there's at least 2 reports (or 3 reports if Spamcop knows about some > other traffic). > From ric.gates at bigsleep.org Tue Jun 8 15:00:12 2004 From: ric.gates at bigsleep.org (Blammo) Date: Tue Jun 8 10:05:37 2004 Subject: [SpamCop-List] Re: SC "spamming" us now? References: Message-ID: On 08 Jun 2004 Larry Kilgallen entered spamcop and left news:qBwzd+dK3jz1@eisner.encompasserve.org: > I don't get popups anywhere, since I run with JavaScript disabled. > > The very notion of giving the world blanket permission to do what they > please with your browser and then complaining about what they do with > it is preposterous. > Mozilla 1.7 has some new security settings that give you even more control over what Javascript and cookies are allowed to do. -- | Ric | From BBuckley at spamcop.net Tue Jun 8 13:00:08 2004 From: BBuckley at spamcop.net (Barb Buckley) Date: Tue Jun 8 12:05:02 2004 Subject: [SpamCop-List] Re: $40,000 - the price of a pump & dump? References: Message-ID: "Mike Gray" wrote in message news:ca2s2j$oto$1@news.spamcop.net... > Taken from a pump & dump spam today - emphasis mine. > > "This profile is not without bias, and is a paid release. Writers and > mailers have been compensated for the dissemination of company information > on behalf of one or more of the companies mentioned in this release. Parties > involved in the creation and distribution of this profile have been > compensated ***40,000 dollars*** by a third party (third party), who is > nonaffiliated, for services provided including dissemination of company > information in this release. " > > Surely not? > > Mike > > I'm still trying to figure out who the "company" is that is "diseminating" this information. I get tons of these weekly and report them all to the SEC but I can't find anywhere in the spam the "company" that is responsible for these. Anyone know offhand? Thanks Barb From spamcop at oitc.com Tue Jun 8 13:15:16 2004 From: spamcop at oitc.com (spamcop) Date: Tue Jun 8 12:20:04 2004 Subject: [SpamCop-List] Missed urls Message-ID: Missed urls in eudora form See spam.spamcop Tom From wb8tyw at qsl.network Tue Jun 8 12:29:21 2004 From: wb8tyw at qsl.network (John E. Malmberg) Date: Tue Jun 8 12:30:03 2004 Subject: [SpamCop-List] Re: FriedSpam References: Message-ID: In article , writes: > This is the first time I've heard of FriedSpam. > > Unfortunately, I am internet challenged and understood only a small part > of your post, but I *did* understand the part where you hit the spammers > websites from an unlimited number of open proxies - effectively forcing > the website to close down! It sounds like it uses your machine to send through open proxies, so if one of owners of the networks that the open proxy is on catches you, they could file a valid abuse report to your ISP, or just feed a blacklist. Many spam fighters are operating proxypots to find the source point of spammer injection. As I see in the TOS for my broadband ISP, any use of such a tool would allow them to terminate my service immediately. -John wb8tyw@qsl.network Personal Opinion Only From gospamming at yourdomain.invalid Tue Jun 8 17:36:41 2004 From: gospamming at yourdomain.invalid (D.Diaz) Date: Tue Jun 8 12:40:03 2004 Subject: [SpamCop-List] Re: Missed urls References: Message-ID: spamcop wrote in news:BCEB5E54.9E54%spamcop@oitc.com: > Missed urls in eudora form See spam.spamcop > > Tom > > It has nothing to do with being fed with Eudora form or anything. It has been parsed correctly. The spam has Content-Type = text/html MIME header. The body contents have no tags at all so there are no valid URLs to be found. -- Daniel Diaz My personal email: ddiazxn @ telefonica . net From MikeE at ster.invalid Tue Jun 8 11:09:17 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Jun 8 13:10:17 2004 Subject: [SpamCop-List] Re: Missed urls References: Message-ID: spamcop wrote: > Missed urls in eudora form See spam.spamcop Oops I f/upped the .spam item in .help not knowing this was here. -- Mike Easter kibitzer, not SC admin From eddie at eddie.web Tue Jun 8 14:19:10 2004 From: eddie at eddie.web (eddie) Date: Tue Jun 8 13:20:02 2004 Subject: [SpamCop-List] Where are my notes? Message-ID: In reviewing recent past reports I did not see any of my notes on them. When reporting software piracy, I always add a short note, explaining why they are getting a copy, adding the spamvertized URL. I think I remember seeing my notes on submitted reports some time ago; but when I looked at them again today, there were none. Am I simply missing something? Or are they not saved on the reports? Or are they being ignored and not sent? Whazzup with that? From notgiven at nodomain.net Tue Jun 8 15:03:21 2004 From: notgiven at nodomain.net (C. S.) Date: Tue Jun 8 14:05:03 2004 Subject: [SpamCop-List] Re: $40,000 - the price of a pump & dump? References: Message-ID: Sometime around Tue, 8 Jun 2004 12:00:08 -0400, "Barb Buckley" deemed it necessary to offer: > > "Mike Gray" wrote in message > news:ca2s2j$oto$1@news.spamcop.net... > > Taken from a pump & dump spam today - emphasis mine. > > > > "This profile is not without bias, and is a paid release. Writers and > > mailers have been compensated for the dissemination of company information > > on behalf of one or more of the companies mentioned in this release. > Parties > > involved in the creation and distribution of this profile have been > > compensated ***40,000 dollars*** by a third party (third party), who is > > nonaffiliated, for services provided including dissemination of company > > information in this release. " > > > > Surely not? > > > > Mike > > > > > I'm still trying to figure out who the "company" is that is "diseminating" > this information. I get tons of these weekly and report them all to the SEC > but I can't find anywhere in the spam the "company" that is responsible for > these. Anyone know offhand? > > Thanks > Barb > There's no reason to believe there is ANY 'company' paying for such "dissemination" of information. It's simply an arbitrary figure in the midst of arbitrary wording designed to appear as if there's some legitimacy to the pump-n-dump frauds. From nobody at spamcop.net Tue Jun 8 17:46:45 2004 From: nobody at spamcop.net (Ellen) Date: Tue Jun 8 17:20:11 2004 Subject: [SpamCop-List] Re: Where are my notes? References: Message-ID: "eddie" wrote in message news:pan.2004.06.08.17.19.09.410000@eddie.web... > In reviewing recent past reports I did not see any of my notes on them. > When reporting software piracy, I always add a short note, explaining why > they are getting a copy, adding the spamvertized URL. > I think I remember seeing my notes on submitted reports some time ago; but > when I looked at them again today, there were none. > > Am I simply missing something? Or are they not saved on the reports? Or > are they being ignored and not sent? > Whazzup with that? The user comments are not saved in the database so you don't see them when you lookup your past reports. They get sent with the reports and then discarded. Ellen From eddie at eddie.web Tue Jun 8 18:29:20 2004 From: eddie at eddie.web (eddie) Date: Tue Jun 8 17:30:02 2004 Subject: [SpamCop-List] Re: Where are my notes? References: Message-ID: On Tue, 08 Jun 2004 16:46:45 -0400, Ellen scratched out the following: snip > The user comments are not saved in the database so you don't see them when > you lookup your past reports. They get sent with the reports and then > discarded. > > Ellen Thanks, Ellen, I just wanted to be sure that they were getting out to our "customers" :) From nobody at spamcop.net Wed Jun 9 11:58:51 2004 From: nobody at spamcop.net (Anony Mouse) Date: Tue Jun 8 19:00:20 2004 Subject: [SpamCop-List] Re: Gotcha... References: <40C4EE70.5090905@spamcop.net> Message-ID: <40C644AB.3040607@spamcop.net> Rick Carlton wrote: > "Anony Mouse" wrote in message > news:40C4EE70.5090905@spamcop.net... > >>Here is some nice info on a criminal spammer who is now identified on >>spamhaus. >> >>This is spammies identity. >> >> > > http://www.spamhaus.org/rokso/listing.lasso?-op=cn&spammer=Xavier%20Ratelle%20-%20Lifesmile > > Just realized what the hbepharmacy stood for.... > > Hiding Behind Email > > Greetings Rick... Do you have any evidence you can forward to me sc1 at bencom dot co dot nz. I would much appreciate anything I can investigate. TIA. Regards From m.dolbear at lineone.net Wed Jun 9 01:02:39 2004 From: m.dolbear at lineone.net (Michael R N Dolbear) Date: Tue Jun 8 20:05:02 2004 Subject: [SpamCop-List] Re: Web mail References: Message-ID: <01c44db4$fae3c660$1c01e150@default> Martin Cleaver wrote > Just getting to know the webmail interface to Spamcop and > finding it pretty confusing. [...] > Unless you work right through the wizard, you can't find out > even THAT there is a POP option... It isn't mentioned in the > help. Huh ? I wouldn't have bought the product if it hadn't mentioned POP $30/year: filtered POP/IMAP/web mail and reporting. http://mail.spamcop.net/individuals.php "The second is to configure our system to fetch your mail from your old email address." -- Mike D From yrstruly at spamcop.net Tue Jun 8 19:09:56 2004 From: yrstruly at spamcop.net (yrstruly) Date: Tue Jun 8 21:10:03 2004 Subject: [SpamCop-List] outblaze's 419 response Message-ID: If a 419 spammer expects you to contact them by e-mail, I'll give that e-mail address to spamcop to track down and then report separately to the address provider. A recent report was to outblaze. In case you haven't done something similar and received their acknowledgement, here it is (enjoy -- and notice plug for spamcop): Hello Thank you for contacting the outblaze.com abuse desk. The account you reported is now terminated, along with today's quota of sundry other Nigerian generals, bankers, engineers, attorneys and relatives of dead dictators. Outblaze is one of the largest providers of webmail services in the world. As a responsible ISP, we hate spam, and we do not allow our network to be abused by spammers. There is only one thing that we hate more than spammers - 419 (nigerian) scam artists abusing our systems. Please see http://home.rica.net/alphae/419coal/ for more about this well known scam. Our acceptable use policy can be found at http://www.outblaze.com/antispam/index.html Thank you for reporting this incident. Please feel free to report further incidents of abuse originating from our users to us at abuse@outblaze.com We encourage you to use http://www.spamcop.net to send out automated spam complaints, if you face difficulties complaining manually to each spam you receive. Thank You Outblaze Abuse Desk From nobody at devnull.spamcop.net Wed Jun 9 11:15:29 2004 From: nobody at devnull.spamcop.net (Patto) Date: Tue Jun 8 21:20:03 2004 Subject: [SpamCop-List] What happens if a report bounces? Message-ID: Of course I know what happens - future reports will be routed to /dev/null. What I really want to know is: is this permanent? Or is there a mechanism in place that periodically resets the bounce counters? One specific example anti-spam -at- chinanet -dot- cn -dot- net : this appears to be permanently /dev/null-ed by SpamCop, but when I send a manual report to that address, it is delivered safely almost all of the time. From nobody at devnull.spamcop.net Tue Jun 8 21:45:24 2004 From: nobody at devnull.spamcop.net (WazoO) Date: Tue Jun 8 21:50:02 2004 Subject: [SpamCop-List] Re: What happens if a report bounces? References: Message-ID: "Patto" wrote in message news:ca5obi$1k8$1@news.spamcop.net... > > One specific example anti-spam -at- chinanet -dot- cn -dot- net : this > appears to be permanently /dev/null-ed by SpamCop, but when I send a manual > report to that address, it is delivered safely almost all of the time. And does your "manual report" say that it comes from spamcop.net? From nobody at devnull.spamcop.net Wed Jun 9 15:37:12 2004 From: nobody at devnull.spamcop.net (brewman) Date: Tue Jun 8 22:35:03 2004 Subject: [SpamCop-List] Re: What happens if a report bounces? References: Message-ID: "WazoO" wrote >> but when I send a manual > > report to that address, it is delivered safely almost all of the time. > > And does your "manual report" say that it comes from spamcop.net? > Reading between the lines (so to speak), or you saying that the antispam at .. filters for SpamCop and then bounces it? May I suggest varying between SpamC0p, Sp4mCop, 5pamCop, .. -- Brewman Brewman.SpamCop@brycom.cX.nX which really ends with dot co dot nz From eddie at eddie.web Tue Jun 8 23:44:14 2004 From: eddie at eddie.web (eddie) Date: Tue Jun 8 22:45:03 2004 Subject: [SpamCop-List] Re: outblaze's 419 response References: Message-ID: On Tue, 08 Jun 2004 18:09:56 -0700, yrstruly scratched out the following: > If a 419 spammer expects you to contact them by e-mail, I'll give that > e-mail address to spamcop to track down and then report separately to the > address provider. A recent report was to outblaze. In case you haven't > done something similar and received their acknowledgement, here it is > (enjoy -- and notice plug for spamcop): >snip not just for spamcop, but they sound like a very white hat ISP who pay attention to details. I like that. From nobody at devnull.spamcop.net Wed Jun 9 15:53:56 2004 From: nobody at devnull.spamcop.net (brewman) Date: Tue Jun 8 22:55:03 2004 Subject: [SpamCop-List] How do I send emails to xenophobic paranoid Attorney General offices? Message-ID: I'm trying to send a report about a website administered from Arizona (hidden behind a facade so I can't use SC, unless I .. no, let's not go there) to the Attorney General's office in Arizona, email address aginquiries at ag Message-ID: "brewman" wrote in message news:ca5su7$52e$1@news.spamcop.net... > > > > And does your "manual report" say that it comes from spamcop.net? > > > > Reading between the lines (so to speak), or you saying that the > antispam at .. filters for SpamCop and then bounces it? May I suggest > varying between SpamC0p, Sp4mCop, 5pamCop, .. No, the SpamCop complaint from sent out has links back to certain options, one of which is "don't bother me again" ... playing the rotating address would show that option to be a lie, never mind the appearance of playing spammer games. But continuing to send your "useless" reports does continue to increment the BL database, so as to keep blocking the spew for others that use the BL. From JR at qsm.co.il Wed Jun 9 08:17:55 2004 From: JR at qsm.co.il (JR) Date: Wed Jun 9 00:20:10 2004 Subject: [SpamCop-List] Re: How do I send emails to xenophobic paranoid Attorney General offices? References: Message-ID: Use Hotmail? JR "brewman" wrote in message news:ca5ttj$611$1@news.spamcop.net... > I'm trying to send a report about a website administered from Arizona > (hidden behind a facade so I can't use SC, unless I .. no, let's not > go there) to the Attorney General's office in Arizona, email address > aginquiries at ag 'Blocked by Filter 0' > I even tried postmaster@ and got same result. I emailed the US Embassy > here (New Zealand) and a similar thing happened. > Are the yanks really so paranoid about foreigners, or do they think > that allowing stuff from outside the borders of good ol' US of A is > tantamount to believing in SETI? > BTW I also tried from another ISP hosted in NZ and also got 501. > Anyone any ideas on how I can scale the ramparts and toss an email > into their midst? > -- > Brewman > Brewman.SpamCop@brycom.cX.nX which really ends with dot co dot nz > > From eddie at eddie.web Wed Jun 9 01:25:41 2004 From: eddie at eddie.web (eddie) Date: Wed Jun 9 00:30:04 2004 Subject: [SpamCop-List] Re: How do I send emails to xenophobic paranoid Attorney General offices? References: Message-ID: On Wed, 09 Jun 2004 14:53:56 +1200, brewman scratched out the following: > I'm trying to send a report about a website administered from Arizona > (hidden behind a facade so I can't use SC, unless I .. no, let's not go > there) to the Attorney General's office in Arizona, email address > aginquiries at ag by Filter 0' > I even tried postmaster@ and got same result. I emailed the US Embassy > here (New Zealand) and a similar thing happened. Are the yanks really so > paranoid about foreigners, or do they think that allowing stuff from > outside the borders of good ol' US of A is tantamount to believing in > SETI? > BTW I also tried from another ISP hosted in NZ and also got 501. Anyone > any ideas on how I can scale the ramparts and toss an email into their > midst? I challenge your xenophobia concept. How would the US embassy in NZ know you were a New Zealander just by your email address?? Wouldn't an American in New Zealand have a New Zealand email address? Are you saying even Americans in New Zealand cannot email their embassy? Think about that. I suspect you have quite a different problem. I looked at the Arizona website and did not find any email addresses. In fact they state that they should be contacted by phone, mail or online form: "You may contact us by phone or mail for information and/or a complaint form. Once you have done this, please mail us photocopies of your supporting documents, including the form if submitting by mail..." Have you submitted your complaint via any of their numerous online forms? Perhaps they, like the FBI and other US agencies, do not accept email but only online forms in order to reduce spam and frivolous complaints. It could also be that both ISPs you used are on spam blocking lists. But do not think we are xenophobic based on a few bounced emails. It would take a lot more than that to convince me, especially since you could be an American student in NZ, or a contractor or a tourist - and you think that filters could tell by the accent? (That was a joke, sir). What you are implying is that an Arizona student cannot email home because Arizone is xenophonic. Come on, you are not using your gray cells to their max. From ob1db at spamcop.net Wed Jun 9 01:26:36 2004 From: ob1db at spamcop.net (David Butler) Date: Wed Jun 9 00:30:19 2004 Subject: [SpamCop-List] Re: What happens if a report bounces? References: Message-ID: "Patto" wrote in message news:ca5obi$1k8$1@news.spamcop.net... > Of course I know what happens - future reports will be routed to /dev/null. > > What I really want to know is: is this permanent? Or is there a mechanism > in place that periodically resets the bounce counters? > > One specific example anti-spam -at- chinanet -dot- cn -dot- net : this > appears to be permanently /dev/null-ed by SpamCop, but when I send a manual > report to that address, it is delivered safely almost all of the time. > I have the same result, have NEVER had one bounce. I think the deputies need to reset that flag and try again! I do CC all those reports via SPamcop to Abuse at the same ISP, that orks fine From ob1db at spamcop.net Wed Jun 9 01:29:04 2004 From: ob1db at spamcop.net (David Butler) Date: Wed Jun 9 00:30:25 2004 Subject: [SpamCop-List] kornet reports FINALLY going to correct addie after 6 months! abuse@abuse.kornet.net Message-ID: Yeah, just saw this in place of the old devnull: Report Spam to: Using abuse#above.net@devnull.spamcop.net for statistical tracking. Re: 220.126.250.189 (Administrator of network where email originates) To: abuse@abuse.kornet.net (Notes) Maybe we can knock down the level of spam from there now??? Or am I dreamin' ? ;-) David From rcarlton at spamcop.net Tue Jun 8 22:33:43 2004 From: rcarlton at spamcop.net (Rick Carlton) Date: Wed Jun 9 00:35:15 2004 Subject: [SpamCop-List] Re: How do I send emails to xenophobic paranoid Attorney General offices? References: Message-ID: "brewman" wrote in message news:ca5ttj$611$1@news.spamcop.net... > I even tried postmaster@ and got same result. I emailed the US Embassy > here (New Zealand) and a similar thing happened. > Brewman Is your mailserver imail1.digiweb.co.nz at 203.167.250.8? From ob1db at spamcop.net Wed Jun 9 01:34:48 2004 From: ob1db at spamcop.net (David Butler) Date: Wed Jun 9 00:35:23 2004 Subject: [SpamCop-List] Another "time traveling spam" ! Message-ID: This one UNQUESTIONABLY arrived today, I emptied my cue last night! Yet ALL the date stamps including my own ISP show June 4. The spam is dated as June 6! I caught it because the "from" email is also forged as mine (and you will see that spamcop did NOT catch that for munging! http://www.spamcop.net/sc?id=z514850039z5b59583f59ba8c95da33a517ae00eabdz From ob1db at spamcop.net Wed Jun 9 01:49:31 2004 From: ob1db at spamcop.net (David Butler) Date: Wed Jun 9 00:50:03 2004 Subject: [SpamCop-List] Re: Another "time traveling spam" ! (NOT) References: Message-ID: IGNORE the preceding message: it appears I have gotten one of these every day for 5 dayss and grabbed the wrong one when I searched for it. They are all actually dated ahead in July, DOH Sorry From nobody at devnull.spamcop.net Wed Jun 9 18:59:12 2004 From: nobody at devnull.spamcop.net (brewman) Date: Wed Jun 9 02:00:06 2004 Subject: [SpamCop-List] Re: How do I send emails to xenophobic paranoid Attorney General offices? References: Message-ID: "JR" wrote in message news:ca633g$9s9$1@news.spamcop.net... > Use Hotmail? > > JR Yes (and no) My anonymous free anywhere anytime yahoo account did the trick. Thanks From nobody at devnull.spamcop.net Wed Jun 9 19:00:29 2004 From: nobody at devnull.spamcop.net (brewman) Date: Wed Jun 9 02:00:24 2004 Subject: [SpamCop-List] Re: How do I send emails to xenophobic paranoid Attorney General offices? References: Message-ID: "Rick Carlton" wrote in message news:ca63ub$ar1$1@news.spamcop.net... > Is your mailserver imail1.digiweb.co.nz at 203.167.250.8? No. I use ihug.co.nz (my domain's isp) and xtra.co.nz(at work host isp; also home dsl line) -- Brewman Brewman.SpamCop@brycom.cX.nX which really ends with dot co dot nz From nobody at devnull.spamcop.net Wed Jun 9 19:21:37 2004 From: nobody at devnull.spamcop.net (brewman) Date: Wed Jun 9 02:20:03 2004 Subject: [SpamCop-List] Re: How do I send emails to xenophobic paranoid Attorney General offices? References: Message-ID: "eddie" wrote > I challenge your xenophobia concept. How would the US embassy in NZ know > you were a New Zealander just by your email address?? IP/ ISP domain > Wouldn't an American > in New Zealand have a New Zealand email address? Not necessarily. They can use hotmail/yahoo/home ISP > Are you saying even > Americans in New Zealand cannot email their embassy? No. Perhaps they use a keyword in subject line (sorry - watching too many conspiracy movies) > Think about that. I did! > I suspect you have quite a different problem. > I looked at the Arizona website and did not find any email addresses. I did. Maybe my eyes in their 6th decade aren't too bad once I adjust my bifocals - see below [..] > It could also be that both ISPs you used are on spam blocking lists. doubt it - but who knows? Although NZ is not as small as the Solomon Isles .. > But do not think we are xenophobic based on a few bounced emails. It > would take a lot more than that to convince me, especially since you > could be an American student in NZ, or a contractor or a tourist - and you > think that filters could tell by the accent? What??? How dare you !!!! It's not US that have the accent, but people from U.S. > (That was a joke, sir). Oh. > What > you are implying is that an Arizona student cannot email home because > Arizone is xenophonic. s/he'd use hir hotmail account, or home ISP like I do from anywhere in the world. > Come on, you are not using your gray cells to their max. Right answer, but for the wrong reasons. See below. Contacting process: National Association of Attorney Generals website, re NAAG Initiatives: Computer Crime Point-of-Contact List http://www.naag.org/issues/20010724-cc_list.php gives AZ contact as aginquiries at)ag.state:az dot us Ah! the naag.org site had a missing period (my dry sense of humour is prompting me to say something, but I know that women read these. BTW I do have 5 sisters & no brothers) Anyway success! I got an acknowledgement. -- Brewman Brewman.SpamCop@brycom.cX.nX which really ends with dot co dot nz From baloo at ursine.ca Wed Jun 9 00:15:49 2004 From: baloo at ursine.ca (Paul Johnson) Date: Wed Jun 9 02:35:05 2004 Subject: [SpamCop-List] Re: SC "spamming" us now? References: Message-ID: <878yex45pm.fsf@ursine.ca> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 "TheWanderer" writes: > Is SC now "spamming" us with pop-up ads? > > While doing reporting, the only window open was SC. I kept getting pop-up > ads. Given that you're running an OS known for security issues, I'd suspect someone is taking advantage of it's insecurity to run adware on your system without you knowing about it. This is what you get for running software that has no open, public review of the source. - -- Paul Johnson Linux. You can find a worse OS, but it costs more. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFAxqsVUzgNqloQMwcRAj5wAKCfH4gpgnGhvtFV3PDxZ0I6o3B/ygCfYXUe YtaaDhmMvmwU5HfTuPzOME0= =NpY8 -----END PGP SIGNATURE----- From baloo at ursine.ca Wed Jun 9 00:18:34 2004 From: baloo at ursine.ca (Paul Johnson) Date: Wed Jun 9 02:35:23 2004 Subject: [SpamCop-List] Re: outblaze's 419 response References: Message-ID: <874qpl45l1.fsf@ursine.ca> eddie writes: > On Tue, 08 Jun 2004 18:09:56 -0700, yrstruly scratched out the following: > >> If a 419 spammer expects you to contact them by e-mail, I'll give that >> e-mail address to spamcop to track down and then report separately to the >> address provider. A recent report was to outblaze. In case you haven't >> done something similar and received their acknowledgement, here it is >> (enjoy -- and notice plug for spamcop): >>snip > > not just for spamcop, but they sound like a very white hat ISP who pay > attention to details. I like that. So when can we expect Outblaze to buy Comcast? -- Paul Johnson Linux. You can find a worse OS, but it costs more. From baloo at ursine.ca Wed Jun 9 00:30:07 2004 From: baloo at ursine.ca (Paul Johnson) Date: Wed Jun 9 02:35:33 2004 Subject: [SpamCop-List] Re: What happens if a report bounces? References: Message-ID: <87zn7d2qhc.fsf@ursine.ca> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 "brewman" writes: > "WazoO" wrote >>> but when I send a manual >> > report to that address, it is delivered safely almost all of the > time. >> >> And does your "manual report" say that it comes from spamcop.net? >> > > Reading between the lines (so to speak), or you saying that the > antispam at .. filters for SpamCop and then bounces it? May I suggest > varying between SpamC0p, Sp4mCop, 5pamCop, .. No, that's just plain trollish and spammy behavior. It's almost a guarantee to get you on everybody's shit-list in short order. - -- Paul Johnson Linux. You can find a worse OS, but it costs more. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFAxq5vUzgNqloQMwcRAiL1AJ4y86bQ3Rq72B38uc8WT0zaDM9c5ACgyLHw 4mp0pBiz/3TJSuRP4pmX/MQ= =FWHd -----END PGP SIGNATURE----- From big_cpu at NO.SPAM.hotmail.com Wed Jun 9 09:33:30 2004 From: big_cpu at NO.SPAM.hotmail.com (Benno) Date: Wed Jun 9 02:35:40 2004 Subject: [SpamCop-List] To many links (not visible in outlook) Message-ID: Hi, Example in spamcop.spam There are only twoo links visible in outlook. In the body there is some invisible table with a lot of links. Benno From nobody at spamcop.net Wed Jun 9 01:31:34 2004 From: nobody at spamcop.net (Jeff) Date: Wed Jun 9 03:35:21 2004 Subject: [SpamCop-List] still no response from spamcop Message-ID: Is spamcop shut down for good? None of my spam submissions get reported anymore. From gospamming at yourdomain.invalid Wed Jun 9 08:56:55 2004 From: gospamming at yourdomain.invalid (D.Diaz) Date: Wed Jun 9 04:00:02 2004 Subject: [SpamCop-List] Re: still no response from spamcop References: Message-ID: "Jeff" wrote in news:ca6ecn$jo3$1@news.spamcop.net: > Is spamcop shut down for good? None of my spam submissions get reported > anymore. > I just submitted a bunch of spam by email one hour ago and received the autoack-mail in almost ten minutes after submission. Maybe your mailbox bounced a Spamcop message. If Spamcop gets a bounce, it immediately stops sending further messages and 'freezes' your submissions until you log into your account via web and reset the bounce flag. -- Daniel Diaz My personal email: ddiazxn @ telefonica . net From newandrew at rump.dk Wed Jun 9 09:31:10 2004 From: newandrew at rump.dk (Andrew Engels Rump (formerly Leif Andrew Rump)) Date: Wed Jun 9 04:35:03 2004 Subject: [SpamCop-List] Re: Where are my notes? References: Message-ID: After drinking 3 Pan Galactic Gargle Blasters, eddie mumbled in news:pan.2004.06.08.21.29.19.87000@eddie.web: > On Tue, 08 Jun 2004 16:46:45 -0400, Ellen scratched out the > following: > snip >> The user comments are not saved in the database so you don't >> see them when you lookup your past reports. They get sent >> with the reports and then discarded. > Thanks, Ellen, I just wanted to be sure that they were getting > out to our "customers" :) I can confirm they are getting out - I have requested SpamCop to send a copy of all my report to myself and all the comments I add in the "Additional notes" field and the "Comments" field to myself (where I write the additional actions I have taken towards the spammer) is all there! It makes life much more easier to have it all gathered in one spot for later retrieval! Andrew -- *** The opinions expressed are not necessarily those of my employer. *** * Software Engineer Andrew Engels Rump * BLIK og ROERarbejderforbundet * * Immerkaer 42, 2650 Hvidovre * Tlf: +45 3638 3638, Fax: +45 3638 3639 * Home: N55?41'38.9" E12?29'08.6" (WGS 84) Work: N55?39'50.9" E12?27'47.4" E-mail: mailto:newandrew@rump.dk WWW http://www.rump.dk/homepage/andrew/ From redford_stone at INVERSE_OF_COLDmail.com Wed Jun 9 12:55:54 2004 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Wed Jun 9 08:00:21 2004 Subject: [SpamCop-List] Re: kornet reports FINALLY going to correct addie after 6 months! abuse@abuse.kornet.net References: Message-ID: "David Butler" wrote in news:ca63mp$ae8$1@news.spamcop.net: > Yeah, just saw this in place of the old devnull: > > Report Spam to: > Using abuse#above.net@devnull.spamcop.net for statistical > tracking. > > Re: 220.126.250.189 (Administrator of network where email > originates) To: abuse@abuse.kornet.net (Notes) > > Maybe we can knock down the level of spam from there now??? > > Or am I dreamin' ? > > ;-) > > David > > > Waiting for this one to start bouncing.. I think that address was found after tons of prodding on kornet. Funny thing is that the original address doesn't bounce for me when I do manual reporting, go figure. From redford_stone at INVERSE_OF_COLDmail.com Wed Jun 9 13:05:18 2004 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Wed Jun 9 08:10:02 2004 Subject: [SpamCop-List] Re: outblaze's 419 response References: Message-ID: eddie wrote in news:pan.2004.06.09.02.44.13.807000@eddie.web: > > not just for spamcop, but they sound like a very white hat ISP who > pay attention to details. I like that. > Outblaze has been whitehat for quite a long time. If a scam/spam is reported and they find out it originated from an Outblaze customer, they'd spare no time in shutting that SOB down. From redford_stone at INVERSE_OF_COLDmail.com Wed Jun 9 13:06:35 2004 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Wed Jun 9 08:10:17 2004 Subject: [SpamCop-List] Re: outblaze's 419 response References: <874qpl45l1.fsf@ursine.ca> Message-ID: Paul Johnson wrote in news:874qpl45l1.fsf@ursine.ca: > > So when can we expect Outblaze to buy Comcast? > They'd probably have to scrap everything in management and start over from scratch.. too expensive. :-) From redford_stone at INVERSE_OF_COLDmail.com Wed Jun 9 13:07:40 2004 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Wed Jun 9 08:10:24 2004 Subject: [SpamCop-List] Re: NEVERMIND References: Message-ID: "TheWanderer" wrote in news:ca3tsm$hrv$1@news.spamcop.net: > I foud out thathe wife installed some spyware . > > Sorry > Ah.. a blonde moment. LOL! :-D From DougThegarden at hotmail.com Wed Jun 9 15:51:52 2004 From: DougThegarden at hotmail.com (Doug Thegarden) Date: Wed Jun 9 09:55:03 2004 Subject: [SpamCop-List] Re: outblaze's 419 response References: <874qpl45l1.fsf@ursine.ca> Message-ID: Redstone wrote: > Paul Johnson wrote in > news:874qpl45l1.fsf@ursine.ca: > > >> >> So when can we expect Outblaze to buy Comcast? >> > > > They'd probably have to scrap everything in management and start over > from scratch.. too expensive. :-) First law of acquisitions. The culture of the larger organisation always wins Doug. From none at invalid.domain Wed Jun 9 07:52:31 2004 From: none at invalid.domain (HillsCap) Date: Wed Jun 9 09:55:19 2004 Subject: [SpamCop-List] Re: outblaze's 419 response References: Message-ID: "Redstone" wrote in message news:Xns95033390087D6lumbercartel@216.154.195.61... > Outblaze has been whitehat for quite a long time. > > If a scam/spam is reported and they find out it originated from an > Outblaze customer, they'd spare no time in shutting that SOB down. Where does OutBlaze operate? Are they U.S. based? If so, are they nationwide? I've never heard of them, but they sound great. Has anyone had any experience using them? If they're U.S. based, nationwide and get rave reviews, I'll start recommending them as the ISP of choice for the people whose computers I fix. It's tough finding a good ISP nowadays. From michael.spamcop at michaellefevre.com Wed Jun 9 15:01:34 2004 From: michael.spamcop at michaellefevre.com (Michael Lefevre) Date: Wed Jun 9 10:05:15 2004 Subject: [SpamCop-List] Re: outblaze's 419 response References: Message-ID: HillsCap wrote: > "Redstone" wrote in message > news:Xns95033390087D6lumbercartel@216.154.195.61... >> Outblaze has been whitehat for quite a long time. >> >> If a scam/spam is reported and they find out it originated from an >> Outblaze customer, they'd spare no time in shutting that SOB down. > > Where does OutBlaze operate? Internationally. > Are they U.S. based? If so, are they > nationwide? No - they're based in various bits of asia (Hong Kong mostly I think). They're not an ISP, they're an email provider - they do email services for a bunch of companies and providers, including some free/cheap web mail services (which is why they get targeted by spammers who haven't figured out that their accounts won't last long). -- Michael From rmu93awSPAMB02 at sneakemail.com Wed Jun 9 10:03:59 2004 From: rmu93awSPAMB02 at sneakemail.com (Spambo) Date: Wed Jun 9 10:05:52 2004 Subject: [SpamCop-List] Re: outblaze's 419 response In-Reply-To: References: Message-ID: HillsCap wrote: > [snip] > > Where does OutBlaze operate? Are they U.S. based? If so, are they > nationwide? I've never heard of them, but they sound great. Has anyone > had any experience using them? If they're U.S. based, nationwide and > get rave reviews, I'll start recommending them as the ISP of choice > for the people whose computers I fix. It's tough finding a good ISP > nowadays. Outblaze is Asia's largest email provider. IIRC its headquarteres are in Hong Kong, and its main spammer assassin (postmaster) lives in India. -- Just a SpamCop newsgroup participant, not an admin or employee of SpamCop or related domains. From ralphd42 at hotmail.com Wed Jun 9 11:08:43 2004 From: ralphd42 at hotmail.com (Ralph) Date: Wed Jun 9 10:10:08 2004 Subject: [SpamCop-List] Sending to more than one user notification email address Message-ID: Spamcop allows you to manually put in one address when sending a report. Is it possible to add more email address? Re:User Notification (Notes) Thank in advance, Sincerely Ralph From rmu93awSPAMB02 at sneakemail.com Wed Jun 9 10:12:28 2004 From: rmu93awSPAMB02 at sneakemail.com (Spambo) Date: Wed Jun 9 10:15:04 2004 Subject: [SpamCop-List] Re: Sending to more than one user notification email address In-Reply-To: References: Message-ID: [spamcop.help removed from the distribution, crossposting isn't necessary in the SC newsgroups] Ralph wrote: > Spamcop allows you to manually put in one address when sending a report. > Is it possible to add more email address? > Re:User Notification (Notes) > > Thank in advance, > Sincerely > > Ralph IIRC you can send to up to four additional recipients. Just put the addresses in the box separated with a comma. If you add anything to the "Notes" box the content will go to all addresses though. -- Just a SpamCop newsgroup participant, not an admin or employee of SpamCop or related domains. From rmu93awSPAMB02 at sneakemail.com Wed Jun 9 10:16:32 2004 From: rmu93awSPAMB02 at sneakemail.com (Spambo) Date: Wed Jun 9 10:20:17 2004 Subject: [SpamCop-List] Re: outblaze's 419 response In-Reply-To: References: Message-ID: Spambo, replying to himself, wrote: > [snip] > > Outblaze is Asia's largest email provider. IIRC its headquarteres > are in Hong Kong, and its main spammer assassin (postmaster) lives in > India. Although I said "Asia's largest email provider" their operation extends beyond Asia. They manage email for domains such as mail.com and usa.com. -- Just a SpamCop newsgroup participant, not an admin or employee of SpamCop or related domains. From ralphd42 at hotmail.com Wed Jun 9 11:20:16 2004 From: ralphd42 at hotmail.com (Ralph) Date: Wed Jun 9 10:25:02 2004 Subject: [SpamCop-List] Re: Sending to more than one user notification email address References: Message-ID: > [spamcop.help removed from the distribution, crossposting isn't > necessary in the SC newsgroups] > > Ralph wrote: > > > Spamcop allows you to manually put in one address when sending a report. > > Is it possible to add more email address? > > Re:User Notification (Notes) > > > > Thank in advance, > > Sincerely > > > > Ralph > > IIRC you can send to up to four additional recipients. Just put the > addresses in the box separated with a comma. If you add anything to the > "Notes" box the content will go to all addresses though. > > -- > Just a SpamCop newsgroup participant, not an admin or employee of > SpamCop or related domains. > Thanks, Will do that next time. Spamcop is a great service, however there are a few occassions where I find that there are a few more people who should be notified of the spam. sincerely Ralph From nobody at spamcop.net Wed Jun 9 10:01:18 2004 From: nobody at spamcop.net (Ellen) Date: Wed Jun 9 10:40:02 2004 Subject: [SpamCop-List] Re: What happens if a report bounces? References: Message-ID: "David Butler" wrote in message news:ca63i5$acn$1@news.spamcop.net... > "Patto" wrote in message > news:ca5obi$1k8$1@news.spamcop.net... > > > I have the same result, have NEVER had one bounce. I think the deputies need > to reset that flag and try again! I do CC all those reports via SPamcop to > Abuse at the same ISP, that orks fine > > I think we have had this conversation before .... it is trivially easy for anyone running a mailserver to bounce/devnull/reject inbound mail from certain domains or IPs (I think we call these blocklists don't we?) and to accept mail from everywhere or anywhere else. The fact that you or someone else can send email to some mailserver and apparently have it accepted for probable or apparent delivery to a mailbox, does not in any way imply that any other given IP can do the same thing. And to answer the other poster -- no we are not going to forge/rotate domain names or IPs to try to sneak deliver SC reports. Ellen SpamCop From nobody at spamcop.net Wed Jun 9 17:22:42 2004 From: nobody at spamcop.net (Tim) Date: Wed Jun 9 11:25:09 2004 Subject: [SpamCop-List] Links not found and wrong abuse address Message-ID: Spam in spamcop.spam, same subject. Processed this spam and only got abuse ntlworld.com for the email source. No spamvertised sites were indentified. Please tell how to report the spamvertised sites. I cancelled the reporting. From nobody at spamcop.net Wed Jun 9 17:33:45 2004 From: nobody at spamcop.net (Tim) Date: Wed Jun 9 11:35:03 2004 Subject: [SpamCop-List] Re: kornet reports FINALLY going to correct addie after 6 months! abuse@abuse.kornet.net References: Message-ID: > > Funny thing is that the original address doesn't bounce for me when I > do manual reporting, go figure. > Probably going to devnull From bill at misk.screaming.net Wed Jun 9 17:57:31 2004 From: bill at misk.screaming.net (Bill McLaren) Date: Wed Jun 9 12:00:03 2004 Subject: [SpamCop-List] MD/CEO? Message-ID: I'm trying to find out who is ultimately in charge of spamcop these days. They have a problem with one of their staff but it's difficult to go beyond this person to someone that is capable. From dkona7b02 at sneakemail.com Wed Jun 9 13:11:32 2004 From: dkona7b02 at sneakemail.com (Spam Hater) Date: Wed Jun 9 12:11:38 2004 Subject: [SpamCop-List] Re: MD/CEO? In-Reply-To: Message-ID: <3.0.5.32.20040609121132.00fc4b58@loki.fstrf.org> All of the staff at SpamCop are completely capable of handling any problems either on their own or by forwarding them to the appropriate person. The deputy mailbox is shared by all the deputies so it isn't as if your correspondence is being hidden from anyone. I am assuming that you have been corresponding with deputies -at- admin.spamcop.net, right? Feel free to post your issues here and perhaps you'll get additional advice from the volunteers... At 04:57 PM 6/9/2004 +0100, Bill McLaren typed: >I'm trying to find out who is ultimately in charge of spamcop these days. >They have a problem with one of their staff but it's difficult to go beyond >this person to someone that is capable. From michael.spamcop at michaellefevre.com Wed Jun 9 17:10:45 2004 From: michael.spamcop at michaellefevre.com (Michael Lefevre) Date: Wed Jun 9 12:15:04 2004 Subject: [SpamCop-List] Re: MD/CEO? References: Message-ID: Bill McLaren wrote: > I'm trying to find out who is ultimately in charge of spamcop these days. That'd be Julian Haight (although now that Spamcop is owned by Ironport, I guess ultimately it would be them, but that's probably a bit far removed from what you want). > They have a problem with one of their staff but it's difficult to go beyond > this person to someone that is capable. Heh... In terms of customer service, Julian is generally a lot less inclined to be accommodating than the other staff. The chances of you getting whatever your issue is sorted out by going up a level are probably a lot lower than they are of getting it fixed by talking to whoever it is you're talking to already. Julian doesn't generally respond to external communications from users for a start - the way to get a message to him is via either this forum, or the deputies@spamcop.net address, or the service@admin.spamcop.net address, depending what the issue is. Care to give us a clue about what your problem is? -- Michael From eddie at eddie.web Wed Jun 9 13:19:59 2004 From: eddie at eddie.web (eddie) Date: Wed Jun 9 12:20:04 2004 Subject: [SpamCop-List] Re: How do I send emails to xenophobic paranoid Attorney General offices? References: Message-ID: On Wed, 09 Jun 2004 18:21:37 +1200, brewman scratched out the following: >snip > > Anyway success! I got an acknowledgement. see, we really aren't all xenophobic! You are right - too many conspiracy theories :) Anyway, glad your problem is solved. From rmu93awSPAMB02 at sneakemail.com Wed Jun 9 12:32:29 2004 From: rmu93awSPAMB02 at sneakemail.com (Spambo) Date: Wed Jun 9 12:35:03 2004 Subject: [SpamCop-List] Re: MD/CEO? In-Reply-To: References: Message-ID: Bill McLaren wrote: > I'm trying to find out who is ultimately in charge of spamcop these days. > They have a problem with one of their staff but it's difficult to go beyond > this person to someone that is capable. So is the problem one of the screaming.net mail servers being listed and the "staff member" won't give you special treatment, or is Tiscali on your case due to recent spamvertised URLs and the "staff member" won't agree to retract the spam reports? -- Just a SpamCop newsgroup participant, not an admin or employee of SpamCop or related domains. From tdy at blackhole.aosake.net Wed Jun 9 10:45:11 2004 From: tdy at blackhole.aosake.net (N. Miller) Date: Wed Jun 9 12:50:02 2004 Subject: [SpamCop-List] Re: What happens if a report bounces? References: Message-ID: In article , David Butler says... > "Patto" wrote in message > news:ca5obi$1k8$1@news.spamcop.net... > > Of course I know what happens - future reports will be routed to > /dev/null. > > What I really want to know is: is this permanent? Or is there a mechanism > > in place that periodically resets the bounce counters? > > One specific example anti-spam -at- chinanet -dot- cn -dot- net : this > > appears to be permanently /dev/null-ed by SpamCop, but when I send a > > manual report to that address, it is delivered safely almost all of the > > time. > I have the same result, have NEVER had one bounce. I think the deputies need > to reset that flag and try again! I do CC all those reports via SPamcop to > Abuse at the same ISP, that orks fine A better idea is to consider ISPs which refuse SpamCop reports to be showing their true colors as spam supporters. For whatever good that will do. (NOTE: Refusing 'munged' reports is another issue. If they will accept unmunged reports, you need to judge their trustworthy on the results of sending the reports; listwashing, or not...) -- Norman ~Win dain a lotica, En vai tu ri, Si lo ta ~Fin dein a loluca, En dragu a sei lain ~Vi fa-ru les shutai am, En riga-lint From Merlyn at Spamcop.net Wed Jun 9 13:51:08 2004 From: Merlyn at Spamcop.net (Merlyn) Date: Wed Jun 9 12:55:02 2004 Subject: [SpamCop-List] Re: MD/CEO? References: Message-ID: "Bill McLaren" wrote in message news:ca7c1b$9t5$1@news.spamcop.net... > I'm trying to find out who is ultimately in charge of spamcop these days. > They have a problem with one of their staff but it's difficult to go beyond > this person to someone that is capable. > What kind of problem? Do you want one of your IP's removed from the list? Either post the IP you have a problem with or wait and the IP will drop from the list 48 hours after the last spam report. Many people have received email with the subject: "Cartoons tailor-made to suit ANY subject" Sound familiar? -- Regards, Merlyn A Spamcop advocate No emails this account is for newsgroups only People demand freedom of speech to make up for the freedom of thought which they avoided From DONOTSPAMpeterpepper at NOSPAMbizwax.com Wed Jun 9 13:15:36 2004 From: DONOTSPAMpeterpepper at NOSPAMbizwax.com (Peter Pepper) Date: Wed Jun 9 13:15:03 2004 Subject: [SpamCop-List] Will Mailhosts limit my ability to report certian spam? Message-ID: With Mailhosts enabled, will I only be able to report spam that is sent directly to me? For example, when a spammer spoofs the FROM and REPLY-TO addresses by forging *my* address in their place, I usually bear the burden of receiving the errors, bounces, and complaints generated from the spam. In some instances an ISP will attach the original spam to their error message. And when the original message is attached, I have been able to report the original spam to SC in the past. Although after setting up Mailhosts for my account, this scenario has not been possible and I have been unable to report this type of spam. Is this an inherent feature of Mailhosts, or maybe something else keeping me from reporting this type of spam? PP From billmclaren at spamcop.net Wed Jun 9 19:30:05 2004 From: billmclaren at spamcop.net (Bill McLaren) Date: Wed Jun 9 13:35:07 2004 Subject: [SpamCop-List] Re: MD/CEO? References: Message-ID: On Wed, 9 Jun 2004 16:10:45 +0000 (UTC), Michael Lefevre wrote: >via either this forum, or the deputies@spamcop.net address, or the OK, thanks, I'll give that one a go. I've already sent a complaint to ironport but as yet haven't had a reply. >service@admin.spamcop.net address, depending what the issue is. Unfortunately the person that seems to answer that email address is the cause of the problem. As to the speculation from others about what the problem is, I'm not going to go into details but it relates to one of the 2 spamcop email accounts I own, a mistake (which has been corrected) by the person that uses that account (my mother) and my lower (and getting lower by the moment) opinion of the competence of "Don" who answers the service@ address. I'd like to make one last attempt at resolving the problem amicably, hence wanting to know who is ultimately in charge of spamcop. I've used spamcop for quite some time and would hate to get to the stage of potentially damaging it because of the idiotic attitude of one member of staff. From gospamming at yourdomain.invalid Wed Jun 9 18:36:40 2004 From: gospamming at yourdomain.invalid (D.Diaz) Date: Wed Jun 9 13:40:09 2004 Subject: [SpamCop-List] Re: Will Mailhosts limit my ability to report certian spam? References: Message-ID: "Peter Pepper" wrote in news:ca7gic$e52$1@news.spamcop.net: > With Mailhosts enabled, will I only be able to report spam that is > sent directly to me? [snip] > And when the original message is attached, I have been able > to report the original spam to SC in the past. Although after setting > up Mailhosts for my account, this scenario has not been possible and I > have been unable to report this type of spam. > > Is this an inherent feature of Mailhosts, or maybe something else > keeping me from reporting this type of spam? > As far as we (tinw) know, yes, that is an inherent limitation of Mailhosts. You lose the ability to correctly parse spam from other sources than your incoming email routing. -- Daniel Diaz My personal email: ddiazxn @ telefonica . net From nobody at spamcop.net Wed Jun 9 14:37:09 2004 From: nobody at spamcop.net (Ellen) Date: Wed Jun 9 13:45:03 2004 Subject: [SpamCop-List] Re: Will Mailhosts limit my ability to report certian spam? References: Message-ID: "Peter Pepper" wrote in message news:ca7gic$e52$1@news.spamcop.net... > With Mailhosts enabled, will I only be able to report spam that is sent > directly to me? > > For example, when a spammer spoofs the FROM and REPLY-TO addresses by > forging *my* address in their place, I usually bear the burden of receiving > the errors, bounces, and complaints generated from the spam. In some > instances an ISP will attach the original spam to their error message. And > when the original message is attached, I have been able to report the > original spam to SC in the past. Although after setting up Mailhosts for my > account, this scenario has not been possible and I have been unable to > report this type of spam. > > Is this an inherent feature of Mailhosts, or maybe something else keeping me > from reporting this type of spam? > Yes it is a feature of mailhosts. Also you are *not* allowed to detach the spam from a bounce and report it. That is against the SC TOS/AUP. Ellen From dkona7b02 at sneakemail.com Wed Jun 9 14:45:03 2004 From: dkona7b02 at sneakemail.com (Spam Hater) Date: Wed Jun 9 13:45:17 2004 Subject: [SpamCop-List] Re: Will Mailhosts limit my ability to report certian spam? In-Reply-To: References: Message-ID: <3.0.5.32.20040609134503.019f3438@loki.fstrf.org> "Parsing SPAM from other sources" is a currently a no-no anyway, so this really isn't a limitation at all... Even if he hadn't used the mailhosts feature, if he reported a bounced SPAM and gotten caught at it, he would have had to suffer the consequences, whatever those may be at the moment. At 05:36 PM 6/9/2004 +0000, D.Diaz typed: >"Peter Pepper" wrote > >> With Mailhosts enabled, will I only be able to report spam that is >> sent directly to me? > >[snip] > >> And when the original message is attached, I have been able >> to report the original spam to SC in the past. Although after setting >> up Mailhosts for my account, this scenario has not been possible and I >> have been unable to report this type of spam. >> >> Is this an inherent feature of Mailhosts, or maybe something else >> keeping me from reporting this type of spam? > >As far as we (tinw) know, yes, that is an inherent limitation of >Mailhosts. You lose the ability to correctly parse spam from other >sources than your incoming email routing. From me at nowhere.net Wed Jun 9 14:46:37 2004 From: me at nowhere.net (lt) Date: Wed Jun 9 13:50:02 2004 Subject: [SpamCop-List] Report history? Message-ID: What is the Report History that started popping up on the SpamCop reports? From wb8tyw at qsl.network Wed Jun 9 14:24:22 2004 From: wb8tyw at qsl.network (John E. Malmberg) Date: Wed Jun 9 14:25:17 2004 Subject: [SpamCop-List] Re: Will Mailhosts limit my ability to report certian spam? References: Message-ID: <8sQo1s7rOmR9@eisner.encompasserve.org> In article , "Ellen" writes: > > Yes it is a feature of mailhosts. Also you are *not* allowed to detach the > spam from a bounce and report it. That is against the SC TOS/AUP. It would however be nice to have it do the parse and give the "would send" messages. This was a real help in making manual reports about worm-poop. -John wb8tyw@qsl.network Personal Opinion Only From nobody at spamcop.net Wed Jun 9 15:29:21 2004 From: nobody at spamcop.net (Firewoman) Date: Wed Jun 9 14:25:39 2004 Subject: [SpamCop-List] Re: MD/CEO? References: Message-ID: "Spambo" wrote in message news:ca7e2u$c18$1@news.spamcop.net... > > So is the problem one of the screaming.net mail servers being listed and > the "staff member" won't give you special treatment, or is Tiscali on > your case due to recent spamvertised URLs and the "staff member" won't > agree to retract the spam reports? Sorry, but this is the type of attitude that garners complaints instead of compliments. Instead of making assumptions, it'd be easier to say "I don't know" instead. You never know, the staff member in question may be dodging the issue, not handling it, calling him names, etc etc etc etc. It could be anything involving the specific staff member and not an IP issue. Not trying to start anything, but I don't think the post was very helpful. From tmcgraw at spamcop.net Wed Jun 9 12:44:20 2004 From: tmcgraw at spamcop.net (Tim McGraw) Date: Wed Jun 9 14:45:07 2004 Subject: [SpamCop-List] Re: MD/CEO? References: Message-ID: <40C75A84.60403@spamcop.net> Firewoman wrote: > "Spambo" wrote > >>So is the problem one of the screaming.net mail servers being listed and >>the "staff member" won't give you special treatment, or is Tiscali on >>your case due to recent spamvertised URLs and the "staff member" won't >>agree to retract the spam reports? > > Sorry, but this is the type of attitude that garners complaints instead of > compliments. Instead of making assumptions, it'd be easier to say "I don't > know" instead. You never know, the staff member in question may be dodging > the issue, not handling it, calling him names, etc etc etc etc. It could be > anything involving the specific staff member and not an IP issue. > > Not trying to start anything, but I don't think the post was very helpful. In this case I agree even though most here hold sc staff in high regard. OTOH what's so dang hard about doing a whois on spamcop.net and avoiding the whole bloody dirty laundry in public thingy altogether? From rmu93awSPAMB02 at sneakemail.com Wed Jun 9 14:48:01 2004 From: rmu93awSPAMB02 at sneakemail.com (Spambo) Date: Wed Jun 9 14:50:03 2004 Subject: [SpamCop-List] Re: MD/CEO? In-Reply-To: References: Message-ID: Firewoman wrote: > [snip] > > Sorry, but this is the type of attitude that garners complaints instead of > compliments. Instead of making assumptions, it'd be easier to say "I don't > know" instead. You never know, the staff member in question may be dodging > the issue, not handling it, calling him names, etc etc etc etc. It could be > anything involving the specific staff member and not an IP issue. > > Not trying to start anything, but I don't think the post was very helpful. If someone is going to make derogatory public statements without giving any information to back up their claims then they deserve what they get. IME SpamCop "staff members" always act in a responsible manner and if someone wants to suggest publicly it isn't the case they should back up their words. -- Just a SpamCop newsgroup participant, not an admin or employee of SpamCop or related domains. From Kilgallen at SpamCop.net Wed Jun 9 14:55:27 2004 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Wed Jun 9 15:00:03 2004 Subject: [SpamCop-List] Re: MD/CEO? References: Message-ID: In article , Bill McLaren writes: > As to the speculation from others about what the problem is, I'm not > going to go into details but it relates to one of the 2 spamcop email > accounts I own, a mistake (which has been corrected) by the person > that uses that account (my mother) and my lower (and getting lower by > the moment) opinion of the competence of "Don" who answers the > service@ address. But the SpamCop Email Service is a separately owned operation, and you should use the web form for that. Service@ is only for reporting issues. From Kilgallen at SpamCop.net Wed Jun 9 14:57:32 2004 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Wed Jun 9 15:00:19 2004 Subject: [SpamCop-List] Re: Report history? References: Message-ID: In article , lt writes: > What is the Report History that started popping up on the SpamCop reports? Those of us who do not receive reports have never seen it. So if you provided a sample you might get a better response rate. From nobody at spamcop.net Wed Jun 9 15:29:13 2004 From: nobody at spamcop.net (Ellen) Date: Wed Jun 9 15:00:27 2004 Subject: [SpamCop-List] Re: Report history? References: Message-ID: "lt" wrote in message news:ca7ido$frr$1@news.spamcop.net... > What is the Report History that started popping up on the SpamCop reports? > Can you provide an example? Ellen From nobody at devnull.spamcop.net Thu Jun 10 08:17:01 2004 From: nobody at devnull.spamcop.net (brewman) Date: Wed Jun 9 15:15:02 2004 Subject: [SpamCop-List] Has spammer perhaps thought up new way to obfuscate html? Message-ID: http://www.spamcop.net/sc?id=z515201253z6160a045999cbcb3a3bafaac64a3f50fz contains reference to sibilation217pills.biz (& zillions of others) A quick glance & I can't see what the problem is, but SC fails to notice either that site or any of the chaff thrown in there. -- Brewman Brewman.SpamCop@brycom.cX.nX which really ends with dot co dot nz From nobody at devnull.spamcop.net Thu Jun 10 08:26:22 2004 From: nobody at devnull.spamcop.net (brewman) Date: Wed Jun 9 15:25:04 2004 Subject: [SpamCop-List] Re: What happens if a report bounces? References: Message-ID: "3llen" wr0te > And to answer the other poster -- no we are not going to forge/rotate domain > names or IPs to try to sneak deliver SC reports. lt wa5 n3ver m3ant t0 bbe taaken seri0usly - 0r 4m l t00 thlck t0 n0tice sarca5m? -- Br3wmaan Brewman.SpamCop@brycom.cX.nX whlch r3ally 3nds w1th d0t co d0t nz From DONOTSPAMpeterpepper at NOSPAMbizwax.com Wed Jun 9 15:23:46 2004 From: DONOTSPAMpeterpepper at NOSPAMbizwax.com (Peter Pepper) Date: Wed Jun 9 15:25:19 2004 Subject: [SpamCop-List] Re: Will Mailhosts limit my ability to report certian spam? References: Message-ID: "Ellen" wrote in message news:ca7i2e$fno$1@news.spamcop.net... > Yes it is a feature of mailhosts. Also you are *not* allowed to detach the > spam from a bounce and report it. That is against the SC TOS/AUP. > > Ellen > > I can't find the TOS/AUP on the SC web site. Can you post a link to it please? Thanks. PP From Kilgallen at SpamCop.net Wed Jun 9 15:29:00 2004 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Wed Jun 9 15:30:04 2004 Subject: [SpamCop-List] Re: Will Mailhosts limit my ability to report certian spam? References: Message-ID: In article , "Peter Pepper" writes: > > "Ellen" wrote in message > news:ca7i2e$fno$1@news.spamcop.net... > > > >> Yes it is a feature of mailhosts. Also you are *not* allowed to detach the >> spam from a bounce and report it. That is against the SC TOS/AUP. >> >> Ellen >> >> > > I can't find the TOS/AUP on the SC web site. Can you post a link to it > please? Thanks. http://www.spamcop.net/fom-serve/cache/1.html From me at nowhere.net Wed Jun 9 16:51:29 2004 From: me at nowhere.net (lt) Date: Wed Jun 9 15:55:03 2004 Subject: [SpamCop-List] Re: Report history? In-Reply-To: References: Message-ID: Larry Kilgallen wrote: > In article , lt writes: > >>What is the Report History that started popping up on the SpamCop reports? > > > Those of us who do not receive reports have never seen it. > > So if you provided a sample you might get a better response rate. When I click on the e-mail from SpamCop the top of the page that pops up starts with; Help & Feedback Site Map Statistics Mailhosts SpamCop v 1.327 (c) SpamCop.net, Inc. 1998-2004 All Rights Reserved Spam Header This page may be saved for future reference: http://www.spamcop.net/sc?id=z515224461zeb0bc9777be2e078ea9486dfcb9ab15fz [report history] [report history] Please make sure this email IS spam: The [report history]s are links From MikeE at ster.invalid Wed Jun 9 13:58:57 2004 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jun 9 16:00:05 2004 Subject: [SpamCop-List] Re: Will Mailhosts limit my ability to report certian spam? References: Message-ID: Peter Pepper wrote: > "Ellen" >> Yes it is a feature of mailhosts. Also you are *not* allowed to >> detach the spam from a bounce and report it. That is against the SC >> TOS/AUP. > > I can't find the TOS/AUP on the SC web site. Can you post a link to it > please? Thanks. I think Ellen was talking about this...the rules start here - http://www.spamcop.net/anonsignup.shtml I will use SpamCop only on email which is unsolicited, bulk email. (details..) http://www.spamcop.net/fom-serve/cache/125.html and sez this about bounces - Regardless, nuisance bounces are a smtp design problem that needs to be addressed, but are not to be reported as spam using SpamCop. (see How can I control unsolicited bounces?). http://www.spamcop.net/fom-serve/cache/380.html The latter link above is a faq I wasn't familiar with, so maybe it is new. The GET Last Modified sez Wed, 02 Jun 2004. It actually derives faq structure-wise from a section for desks & admins called 'how can I control spam from my network'. -- Mike Easter kibitzer, not SC admin From DONOTSPAMpeterpepper at NOSPAMbizwax.com Wed Jun 9 16:02:39 2004 From: DONOTSPAMpeterpepper at NOSPAMbizwax.com (Peter Pepper) Date: Wed Jun 9 16:05:03 2004 Subject: [SpamCop-List] Re: Will Mailhosts limit my ability to report certian spam? References: Message-ID: "Larry Kilgallen" wrote in message news:aJmlKo1s+uUo@eisner.encompasserve.org... > In article , "Peter Pepper" writes: > > > > "Ellen" wrote in message > > news:ca7i2e$fno$1@news.spamcop.net... > > > > > > > >> Yes it is a feature of mailhosts. Also you are *not* allowed to detach the > >> spam from a bounce and report it. That is against the SC TOS/AUP. > >> > >> Ellen > >> > >> > > > > I can't find the TOS/AUP on the SC web site. Can you post a link to it > > please? Thanks. > > http://www.spamcop.net/fom-serve/cache/1.html FAQ = TOS = AUP :) OK, I found what Ellen was referring to here: http://www.spamcop.net/fom-serve/cache/14.html . . . "Bounces: Bounces generated because of a forged email (often spam or viruses claiming to be from you) are a nuisance, and by some people's definition, they are spam. However, reporting them accomplishes nothing. The system which generated the bounce is not guilty of any sin - bounces are generally a good thing. If the bounce message contains spam, it is not permitted for you to report the spam contained within the bounce, even if it includes what appear to be the full original headers. This is someone else's spam, not your's. It is expected that you can verify the headers of reported mail are accurate, something you can't do for mail received on a network you are not familiar with. " This has been duly noted in my memory for future reports. I don't necessarily agree with this restriction, but I will comply. I think there are many SC users who assume that most spam can be reported, especially if it affects them directly. Newsgroup spam immediately comes to mind. There is mention of reporting NG spam in the FAQ (http://www.spamcop.net/fom-serve/cache/144.html), but there doesn't seem to be an explicit restriction on it. NG spam is not sent directly to the user, but a NG user is directly affected by it. With Mailhosts enabled, I assume NG spam cannot be reported either. And inline with my current thread, the people that forge addresses that end up creating a landslide of bounces to an innocent party create a severe nuisance as well. I have been able (in the past) to use those bounces to get multiple spammers shut down by utilizing SC reports. To say in the FAQ that it "accomplishes nothing" doesn't make sense to me. In my case, the "system which generated the bounce" is not being reported; only the original spam is reported. And I have only been motivated to do this when there are literally hundreds of bounces in my inbox that were instigated by the same spammer. But I am sure there are caveats to my theory, too. Just as the spammer forges my address as the sender, I assume someone with equally devious intentions could forge a bounce as well. Thanks for the heads up. I suggest everyone take a moment to read "The Rules" (aka http://www.spamcop.net/fom-serve/cache/64.html) and have this link placed in a more conspicuous spot on the SC website. PP From nobody at devnull.spamcop.net Thu Jun 10 09:13:46 2004 From: nobody at devnull.spamcop.net (brewman) Date: Wed Jun 9 16:15:03 2004 Subject: [SpamCop-List] Re: Will Mailhosts limit my ability to report certian spam? References: Message-ID: Remember that there's a difference between REPORTING spam and PARSING spam (a responder somewhere said that you couldn't parse it). I have 2 SC accounts - one with mailhosts that I use for parsing and reporting 'normal' spam, and another without mailhosts that I use just for parsing 'bounced' spam to save me the effort of all the lookups. I then report those manually by cut'n'pasting SC's reporting addresses. NB Don't forget to Cancel the parsed spam when you don't report it. -- Brewman Brewman.SpamCop@brycom.cX.nX which really ends with dot co dot nz From dkona7b02 at sneakemail.com Wed Jun 9 17:23:23 2004 From: dkona7b02 at sneakemail.com (Spam Hater) Date: Wed Jun 9 16:23:26 2004 Subject: [SpamCop-List] Re: Report history? In-Reply-To: References: Message-ID: <3.0.5.32.20040609162323.019cdbd0@loki.fstrf.org> I hadn't even noticed that feature... Did you try clicking on the link? It gives you... Can you guess? ... a report history! :) It shows a listing of all the reports about that link. It shows report numbers and who it was reported to in each instance. Very nice feature for checking to see if you were the only one that reported a site and/or to see if reports are going to different places at different times.. At 03:51 PM 6/9/2004 -0400, lt typed: >> lt wrote: >> >>>What is the Report History that started popping up on the SpamCop reports? > >When I click on the e-mail from SpamCop the top of the page that pops up >starts with; > > Help & Feedback Site Map Statistics Mailhosts > >SpamCop v 1.327 (c) SpamCop.net, Inc. 1998-2004 All Rights Reserved > >Spam Header >This page may be saved for future reference: >http://www.spamcop.net/sc?id=z515224461zeb0bc9777be2e078ea9486dfcb9ab15fz >[report history] >[report history] > >Please make sure this email IS spam: > >The [report history]s are links From ian_uncle at hotmail.com Wed Jun 9 17:27:51 2004 From: ian_uncle at hotmail.com (Ionizer) Date: Wed Jun 9 16:30:03 2004 Subject: [SpamCop-List] Re: Report history? References: Message-ID: "Larry Kilgallen" wrote in message news:n+GxoAsu+g4T@eisner.encompasserve.org... > In article , lt writes: > > What is the Report History that started popping up on the SpamCop reports? > > Those of us who do not receive reports have never seen it. > > So if you provided a sample you might get a better response rate. Hi, Larry: This is a link to the "show reports" feature of a Spam message I just submitted: http://www.spamcop.net/mcgi?action=showhistory&slice=issueid&val=30450178 Regards, Ian. From nobody at devnull.spamcop.net Thu Jun 10 09:41:19 2004 From: nobody at devnull.spamcop.net (brewman) Date: Wed Jun 9 16:40:03 2004 Subject: [SpamCop-List] How about a change to the 'one size fits all' parsing? Message-ID: I notice that spammers are creating spam with broken formatting, obfuscated urls & littered with fictitious/irrelevant/innocent chaff, which can cause the SC parser to skip urls to be reported. I guess that this is because some 'smart spammers' (I know, that's an oxymoron, but SOMEONE is doing it for them) are creating various broken email bodies that are interpretable by particular email readers but escape the SC parser. If the parser had some knobs that the user could twiddle, this would allow: A) the user to tweak the parser for tight/slack adherence to various email/html standards B) stop spammers submitting their trial email once and deciding whether it still needs tweaking or is ready to unleash upon the world, knowing that SC won't be reporting the spamvertised site. Also, perhaps allow the Mk1-OrganicEyeball scanner (complete with bi-focals in my case) to input a "I'm sure this is the site, but you're missing it" url and then have SC scan the email to see if it can find it, even if in, say, an apparent 'skipped comment' field. i.e. allow user to 'lead the witness^H^H^H^H^H^H^Hparser'. I realise that neither of these are trivial changes, but suggest them as ways forward to improve our arsenal in the battle. "I love standards - there are so many to choose from." -- Brewman Brewman.SpamCop@brycom.cX.nX which really ends with dot co dot nz From me at nowhere.net Wed Jun 9 17:41:35 2004 From: me at nowhere.net (lt) Date: Wed Jun 9 16:45:04 2004 Subject: [SpamCop-List] Re: Report history? In-Reply-To: References: Message-ID: > This is a link to the "show reports" feature of a Spam message I just > submitted: > http://www.spamcop.net/mcgi?action=showhistory&slice=issueid&val=30450178 > > Regards, > Ian. > > Thanks. I'd checked the report, but wasn't sure what it was telling me. Guess I'm dense. From nobody at devnull.spamcop.net Thu Jun 10 10:50:48 2004 From: nobody at devnull.spamcop.net (brewman) Date: Wed Jun 9 17:50:10 2004 Subject: [SpamCop-List] Re: Has spammer perhaps thought up new way to obfuscate html? References: Message-ID: "brewman" wrote in message news:ca7ngs$ksm$1@news.spamcop.net... > http://www.spamcop.net/sc?id=z515201253z6160a045999cbcb3a3bafaac64a3f50fz > contains reference to sibilation217pills.biz (& zillions of others) > A quick glance & I can't see what the problem is, but SC fails to > notice either that site or any of the chaff thrown in there. I can answer my own question - too many url's stops the parsing! So I'll just throw some away and try again ... -- Brewman Brewman.SpamCop@brycom.cX.nX which really ends with dot co dot nz From MikeE at ster.invalid Wed Jun 9 15:51:47 2004 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jun 9 17:55:04 2004 Subject: [SpamCop-List] Re: How about a change to the 'one size fits all' parsing? References: Message-ID: brewman wrote: > If the parser had some knobs that the user could twiddle, If there /were/ such a knob twister, there would/should also need to be a 'gear shifter'. If you shifted gears, the result would no longer be a 'spamcop report' but something different. You would be using the parser's algorithms on the urls and IPs of your choosing, the 'gizmo' would be addressing and mailing a letter 'for you' where 'you' is the anonymized identity of the particular 'reporter' submitted by SC's anonymizing parsing reporting - APR - service - but that report 'class' would not be a spamcop report but an APR report. Naturally, the 'exchange' which is provided to SC free reporters - free reporters feed spamcop which enhances the strength of the SCbl, and free reporters might become paid reporters or mail subscribers - is not present in the APR client relationship. The APR 'deal' would have to be only pay, since it is a 'drain' on resources without an attendant gain to anything at spamcop. Presumably the rate would have to be based on fuel consumption, not a flat rate, and presumably it would be higher than the normal fuel consumption rate, because it is more 'tedious' to the algorithm. Since the report isn't a SC report, the url situation could be 'real loose' - including all kinds of things that might be wrong, and it would be up to the submitter to 'weed out' the ones which are inappropriate. The language of the report would be divorcing anything spamcop from the process. I seem to recall once that someone advised that if 'we' tinw were sending manual reports based on spamcop parses, that 'we' shouldn't be saying or crediting spamcop with the result, as in 'determined by spamcop'. As distinct from 'listed by spamcop' [or spews or whatever] which might be seen in a manual report template. -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Thu Jun 10 11:02:20 2004 From: nobody at devnull.spamcop.net (brewman) Date: Wed Jun 9 18:00:03 2004 Subject: [SpamCop-List] Re: Has spammer perhaps thought up new way to obfuscate html? References: Message-ID: "brewman" wrote a note to himself > I can answer my own question - too many url's stops the parsing! > So I'll just throw some away and try again ... As it happens, the site has gone dead, so I've let the original (unaltered) report go ahead. Question to someone in authority who might still be reading this narcissic(?) thread: Can I still report thru SC if I delete great gobs of out of an email and mention this at the top of the body? -- Brewman Brewman.SpamCop@brycom.cX.nX which really ends with dot co dot nz From wb8tyw at qsl.network Wed Jun 9 18:12:25 2004 From: wb8tyw at qsl.network (John E. Malmberg) Date: Wed Jun 9 18:15:05 2004 Subject: [SpamCop-List] Re: Has spammer perhaps thought up new way to obfuscate html? References: Message-ID: In article , "brewman" writes: > "brewman" wrote a note to himself >> I can answer my own question - too many url's stops the parsing! >> So I'll just throw some away and try again ... > > As it happens, the site has gone dead, so I've let the original > (unaltered) report go ahead. > > Question to someone in authority who might still be reading this > narcissic(?) thread: > Can I still report thru SC if I delete great gobs of href="http://www.XXX.YYY"> out of an email and mention this at the > top of the body? The Deputies have previously and repeatedly posted here that you can not report such altered spams through spamcop.net. -John wb8tyw@qsl.network Personal Opinion Only From spamcop at s89170745.onlinehome.us Wed Jun 9 16:10:56 2004 From: spamcop at s89170745.onlinehome.us (Ganamede) Date: Wed Jun 9 18:15:25 2004 Subject: [SpamCop-List] Re: MD/CEO? References: Message-ID: "Bill McLaren" wrote in message news:g7iec0l91nq9rm3sdogjggop49fk6tm7gi@4ax.com... > Unfortunately the person that seems to answer that email address is > the cause of the problem. >...my lower (and getting lower by > the moment) opinion of the competence of "Don" who answers the > service@ address. This has been an issue before. Try going to Ironport. From spamcop at s89170745.onlinehome.us Wed Jun 9 16:12:42 2004 From: spamcop at s89170745.onlinehome.us (Ganamede) Date: Wed Jun 9 18:15:33 2004 Subject: [SpamCop-List] Re: MD/CEO? References: Message-ID: "Spambo" wrote in message news:ca7m11$jal$1@news.spamcop.net... > If someone is going to make derogatory public statements without giving > any information to back up their claims... No one would EVER do that here would they? From eddie at eddie.web Wed Jun 9 19:18:46 2004 From: eddie at eddie.web (eddie) Date: Wed Jun 9 18:20:03 2004 Subject: [SpamCop-List] Re: Has spammer perhaps thought up new way to obfuscate html? References: Message-ID: On Wed, 09 Jun 2004 17:12:25 -0600, John E. Malmberg scratched out the following: snip > > The Deputies have previously and repeatedly posted here that you can not > report such altered spams through spamcop.net. I believe it is perfectly permissible to delete some URLs, use the SC parser, only, to determine the abuse desk address, and then use SC with the original spam, adding the newly found abuse address to the user field on the reporting page. From michael.spamcop at michaellefevre.com Wed Jun 9 23:29:23 2004 From: michael.spamcop at michaellefevre.com (Michael Lefevre) Date: Wed Jun 9 18:30:02 2004 Subject: [SpamCop-List] Re: MD/CEO? References: Message-ID: Bill McLaren wrote: > On Wed, 9 Jun 2004 16:10:45 +0000 (UTC), Michael Lefevre > wrote: > >>via either this forum, or the deputies@spamcop.net address, or the > > OK, thanks, I'll give that one a go. I've already sent a complaint to > ironport but as yet haven't had a reply. If it's an issue with your account rather than with what Spamcop is doing, then that's not the right address. [snip] > As to the speculation from others about what the problem is, I'm not > going to go into details but it relates to one of the 2 spamcop email > accounts I own, a mistake (which has been corrected) by the person > that uses that account (my mother) and my lower (and getting lower by > the moment) opinion of the competence of "Don" who answers the > service@ address. I wouldn't say Don was incompetant, and you seem to have admitted that there was a mistake on your side... I rather doubt you're going to get anywhere complaining. But this is all speculation unless you go into details, which you've declined to do... -- Michael From ob1db at spamcop.net Wed Jun 9 19:36:17 2004 From: ob1db at spamcop.net (David Butler) Date: Wed Jun 9 18:40:03 2004 Subject: [SpamCop-List] Re: kornet reports FINALLY going to correct addie after 6 months! abuse@abuse.kornet.net References: Message-ID: "Redstone" wrote in message news:Xns950331F7BB89lumbercartel@216.154.195.61... > "David Butler" wrote in > news:ca63mp$ae8$1@news.spamcop.net: > > > Yeah, just saw this in place of the old devnull: > > > > Report Spam to: > > Using abuse#above.net@devnull.spamcop.net for statistical > > tracking. > > > > Re: 220.126.250.189 (Administrator of network where email > > originates) To: abuse@abuse.kornet.net (Notes) > > > Waiting for this one to start bouncing.. > > I think that address was found after tons of prodding on kornet. > > Funny thing is that the original address doesn't bounce for me when I > do manual reporting, go figure. > Actually, I posted it 6-9 months ago! Could not get the deputies to use. Abuse@kornet.net has been iffy on and off, as is postmaster. From nobody at spamcop.net Wed Jun 9 18:35:09 2004 From: nobody at spamcop.net (Ellen) Date: Wed Jun 9 18:40:23 2004 Subject: [SpamCop-List] Re: Will Mailhosts limit my ability to report certian spam? References: Message-ID: "Peter Pepper" wrote in message news:ca7qbl$nnn$1@news.spamcop.net... > > And inline with my current thread, the people that forge addresses that end > up creating a landslide of bounces to an innocent party create a severe > nuisance as well. I have been able (in the past) to use those bounces to get > multiple spammers shut down by utilizing SC reports. To say in the FAQ that > it "accomplishes nothing" doesn't make sense to me. In my case, the "system > which generated the bounce" is not being reported; only the original spam is > reported. And I have only been motivated to do this when there are literally > hundreds of bounces in my inbox that were instigated by the same spammer. > > But I am sure there are caveats to my theory, too. Just as the spammer > forges my address as the sender, I assume someone with equally devious > intentions could forge a bounce as well. > In the perfect world there would be no bounces and in the semi-perfect world bounces would all have perfect headers and spams included in them but this is the not-perfect world and bounce formats range all over the place with no real reliability about the headers or the included text (if any). Ellen From nobody at spamcop.net Wed Jun 9 18:37:02 2004 From: nobody at spamcop.net (Ellen) Date: Wed Jun 9 18:40:31 2004 Subject: [SpamCop-List] Re: What happens if a report bounces? References: Message-ID: "brewman" wrote in message news:ca7o2c$lef$1@news.spamcop.net... > "3llen" wr0te > > And to answer the other poster -- no we are not going to > forge/rotate domain > > names or IPs to try to sneak deliver SC reports. > > lt wa5 n3ver m3ant t0 bbe taaken seri0usly - 0r 4m l t00 thlck t0 > n0tice sarca5m? > Well to tell you the truth what with some of the things that people have proposed to do and do do, I somehow lost by sarcasm detector along the way -- sorry about that ... what is the sarcasm emoticon? E From nobody at spamcop.net Wed Jun 9 18:38:18 2004 From: nobody at spamcop.net (Ellen) Date: Wed Jun 9 18:40:39 2004 Subject: [SpamCop-List] Re: How about a change to the 'one size fits all' parsing? References: Message-ID: "brewman" wrote in message news:ca7set$psk$1@news.spamcop.net... > I notice that spammers are creating spam with broken formatting, > obfuscated urls & littered with fictitious/irrelevant/innocent chaff, > which can cause the SC parser to skip urls to be reported. > I guess that this is because some 'smart spammers' (I know, that's an > oxymoron, but SOMEONE is doing it for them) are creating various > broken email bodies that are interpretable by particular email readers > but escape the SC parser. > > If the parser had some knobs that the user could twiddle, this would > allow: > A) the user to tweak the parser for tight/slack adherence to various > email/html standards > B) stop spammers submitting their trial email once and deciding > whether it still needs tweaking or is ready to unleash upon the world, > knowing that SC won't be reporting the spamvertised site. > > Also, perhaps allow the Mk1-OrganicEyeball scanner (complete with > bi-focals in my case) to input a "I'm sure this is the site, but > you're missing it" url and then have SC scan the email to see if it > can find it, even if in, say, an apparent 'skipped comment' field. > i.e. allow user to 'lead the witness^H^H^H^H^H^H^Hparser'. > > I realise that neither of these are trivial changes, but suggest them > as ways forward to improve our arsenal in the battle. > > "I love standards - there are so many to choose from." > -- knobs are on backorder E From not at home.today Thu Jun 10 00:42:55 2004 From: not at home.today (Ant) Date: Wed Jun 9 18:45:03 2004 Subject: [SpamCop-List] Null links reported to IBs Message-ID: Spam in .spam with parser output appended. I see the "too many links" message is back, but some null or bogus links are being reported. Previously links with no text between the and the tags were ignored. Innocent bystanders (example: unison.org) would get the reports, but I unticked them in the submission. The only clickable links are to squally7845tabs.us which does not resolve. http://www.spamcop.net/sc?id=z515276726z39f3eeec5c0deb77c71ba7acb22618cbz From ob1db at spamcop.net Wed Jun 9 19:53:00 2004 From: ob1db at spamcop.net (David Butler) Date: Wed Jun 9 18:55:04 2004 Subject: [SpamCop-List] Re: Links not found and wrong abuse address References: Message-ID: "Tim" wrote in message news:ca79u0$85v$1@news.spamcop.net... > Spam in spamcop.spam, same subject. > > Processed this spam and only got abuse ntlworld.com for the email > source. > No spamvertised sites were indentified. > Please tell how to report the spamvertised sites. > I cancelled the reporting. > next time save the spam on spamcop and post the tracker so we can see what failed. You have some VERY mangled received lines, I think spamcop is barfing on them. Here is the APPARENT problem: "Receiving server (cable.ntl.com) does not report source IP accurately". Is ntl your ISP? Let them know they are part of the problem! I get proper source abuse contact, but no links parse, anyone else see why ? Parsing header: Received: (qmail 1772 invoked from network); 9 Jun 2004 15:04:17 -0000 Ignored Received: from unknown (192.168.1.101) by blade6.cesmail.net with QMQP; 9 Jun 2004 15:04:17 -0000 192.168.1.101 found host 192.168.1.101 (getting name) no name 192.168.1.101 discarded Received: from mta03-svc.ntlworld.com (62.253.162.43) by mailgate.cesmail.net with SMTP; 9 Jun 2004 15:04:17 -0000 62.253.162.43 found host 62.253.162.43 = mta03-svc.ntlworld.com (cached) host mta03-svc.ntlworld.com (checking ip) = 62.253.162.43 Possible spammer: 62.253.162.43 Received line accepted Relay trusted (62.253.162 62.253.162.43) Received: from cpc4-warw4-4-0-cust115.brhm.cable.ntl.com ([81.108.119.115]) by mta03-svc.ntlworld.com (InterMail vM.4.01.03.37 201-229-121-137-20020806) with SMTP id <20040609150313.PFHT28581.mta03-svc.ntlworld.com@cpc4-warw4-4-0-cust115.brhm .cable.ntl.com>; Wed, 9 Jun 2004 16:03:13 +0100 81.108.119.115 found host 81.108.119.115 = cpc4-warw4-4-0-cust115.brhm.cable.ntl.com (cached) host cpc4-warw4-4-0-cust115.brhm.cable.ntl.com (checking ip) = 81.108.119.115 Possible spammer: 81.108.119.115 Possible relay: 62.253.162.43 62.253.162.43 not listed in relays.ordb.org. 62.253.162.43 has already been sent to relay testers Received line accepted Received: from conch.ingratiate.com ([156.64.144.28]) by kq04-m67.hotmail.com with Microsoft SMTPSVC(5.0.2195.6824); Wed, 09 Jun 2004 08:07:08 -0500 156.64.144.28 found host 156.64.144.28 (getting name) no name Receiving server (cable.ntl.com) does not report source IP accurately Tracking message source: 81.108.119.115: Routing details for 81.108.119.115 [refresh/show] Cached whois for 81.108.119.115 : abuse@ntlworld.com Using abuse net on abuse@ntlworld.com abuse net ntlworld.com = abuse@ntlworld.com, abuse@ntl.com, hostmaster@ntl.com Using best contacts abuse@ntlworld.com abuse@ntl.com hostmaster@ntl.com hostmaster@ntl.com refuses SpamCop reports Using hostmaster#ntl.com@devnull.spamcop.net for statistical tracking. Message is 7 hours old 81.108.119.115 not listed in dnsbl.njabl.org 81.108.119.115 not listed in dnsbl.njabl.org 81.108.119.115 not listed in cbl.abuseat.org 81.108.119.115 listed in dnsbl.sorbs.net ( 127.0.0.10 ) 81.108.119.115 not listed in relays.ordb.org. 81.108.119.115 not listed in query.bondedsender.org 81.108.119.115 not listed in iadb.isipp.com Finding links in message body Parsing text part error: couldn't parse head Message body parser requires full, accurate copy of message More information on this error.. no links found Please make sure this email IS spam: From: Holly Brocke excite.com> (Make Your Cöck Whale Sized) ----31686690523243668041 Content-Type: text/html; View full message Report Spam to: Re: 81.108.119.115 (Administrator of network where email originates) To: abuse@ntl.com (Notes) To: hostmaster#ntl.com@devnull.spamcop.net (Notes) To: abuse@ntlworld.com (Notes) Is this different than you got? Links are good: Parsing input: getbigger.millehealth.com host 216.188.31.50 = customer216-188-28-50.suavemente.net (cached) No recent reports, no history available Routing details for 216.188.31.50 [refresh/show] Cached whois for 216.188.31.50 : abuse@simplenet.com Using abuse net on abuse@simplenet.com abuse net simplenet.com = abuse@level3.net, spamtool@level3.net, abuse@simplenet.com Using best contacts abuse@level3.net spamtool@level3.net abuse@simplenet.com abuse@level3.net redirects to level3@admin.spamcop.net spamtool@level3.net redirects to level3@admin.spamcop.net Statistics: 216.188.31.50 not listed in bl.spamcop.net More Information.. 216.188.31.50 not listed in dnsbl.njabl.org 216.188.31.50 not listed in dnsbl.njabl.org 216.188.31.50 not listed in cbl.abuseat.org 216.188.31.50 listed in dnsbl.sorbs.net ( 127.0.0.6 ) 216.188.31.50 not listed in relays.ordb.org. Replacing internal level3 alias abuse net level3.net = abuse@level3.net, spamtool@level3.net Reporting addresses: abuse@level3.net spamtool@level3.net abuse@simplenet.com Try manually entering that! David From nobody at devnull.spamcop.net Thu Jun 10 12:03:14 2004 From: nobody at devnull.spamcop.net (brewman) Date: Wed Jun 9 19:00:02 2004 Subject: [SpamCop-List] Re: Has spammer perhaps thought up new way to obfuscate html? References: Message-ID: "eddie" wrote > > The Deputies have previously and repeatedly posted here that you can not > > report such altered spams through spamcop.net. > > I believe it is perfectly permissible to delete some URLs, use the SC > parser, only, to determine the abuse desk address, and then use SC with > the original spam, adding the newly found abuse address to the user field > on the reporting page. That sounds like an excellent compromise. Now why didn't I think of that? Guess my brain is just too highly tuned .. (apologies to HHGTTG & Union of Sages, Prophets and Other Professional Thinking People). I hope no-one jumps on that as against SC T&C -- Brewman Brewman.SpamCop@brycom.cX.nX which really ends with dot co dot nz From MikeE at ster.invalid Wed Jun 9 17:06:27 2004 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jun 9 19:10:03 2004 Subject: [SpamCop-List] Re: Will Mailhosts limit my ability to report certian spam? References: Message-ID: Peter Pepper wrote: > With > Mailhosts enabled, I assume NG spam cannot be reported either. Usenet 'spam' reporting is a very simplistic SC algorithm which has nothing to do with smtp or mailhosting; my assumption is that there would be no change in that process. It seems unrelated, for the most part, to spam [by my defnition spam is email nowadays, regardless of the ancient history and the runes]. - so usenet spam isn't spam anymore than a mailwasher bounce is a bounce, but, for sake of 'communication' we know that usenet spam looks a lot like spam. The reason that it isn't /really/ spam is multifold. First, the appearance of a 'spammy' appearing usenet message isn't necessarily in violation of anything; whereas the appearance of a spammy appearing spam in your mailbox is definitely spam, if it fits 'my' definition. That is, whether that usenet item is spam or not depends on a number of factors not apparent from the single message, such as the newsgroup's charter, the number of similar items posted elsewhere and other issues. Second, the 'wrongness' of usenet spamming isn't a given, depending upon the provider. Not only do providers have variable rules regarding usenet behaviors which are often quite different from their rules about email behaviors; but their enforcement of usenet misbehavior often approaches zero. That is, a great many providers don't care what is going on on usenet, because of 'First' up above and then again because of 'Second' below that. In any case, SC provides some machinery to notify the source IP's provider for usenet spam. That's all. I'm not sure, that is I doubt, if it has anything to do with the SC blocklist at all. But, being mailhosted shouldn't make any difference to whatever the thing is that SC does for usenet abuse. -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Thu Jun 10 12:18:20 2004 From: nobody at devnull.spamcop.net (brewman) Date: Wed Jun 9 19:15:03 2004 Subject: [SpamCop-List] Re: How about a change to the 'one size fits all' parsing? References: Message-ID: "Ellen" wrote > knobs are on backorder Just make sure you don't get the same code inside as the ones that I've seen with 'unsubscribe' on the front. You know, those ones come in 2 models: "get input; input > dev\nul;" and "get input; input >> maillist;" -- Brewman Brewman.SpamCop@brycom.cX.nX which really ends with dot co dot nz From MikeE at ster.invalid Wed Jun 9 18:13:37 2004 From: MikeE at ster.invalid (Mike Easter) Date: Wed Jun 9 20:15:04 2004 Subject: [SpamCop-List] Re: Null links reported to IBs References: Message-ID: Ant wrote: > Spam in .spam with parser output appended. I'm gonna sorta 'hijack' or borrow your topic to 'talk about' something that this content demonstrates, but I'm not talking about your null links & IBs subject. > The only clickable links are to squally7845tabs.us which does not > resolve. That will come up in the discussion below. www.spamcop.net/sc?id=z515276726z39f3eeec5c0deb77c71ba7acb22618cbz and the link will come up in the discussion. What is in .spam is a 'mangled' version of the spam which is the 'traditional' or accepted or 'standard' way of posting things into .spam. I don't think that is a very valuable posting, because you can't 'do anything' with it. When you post a spam into .spam with your newsreader, your newsreader 'butchers' it by throwing in linewraps - which is a completely wrong thing to do to the headers, and it is frequently also a completely wrong thing to do to the body. I think we should stop doing that. First of all, the link above tells the whole story. It has the original spam, unmangled. It has the parse. It has everything. But, let's suppose that we have some kind of item for which the link doesn't tell the story we need to tell. That the condition of the spam is somehow discrepant with what the parser shows; presumably this was the 'original' purpose of the .spam newsgroup. However, we are not using the .spam ng to its greatest potential if we are pasting spam into the message body and then mangling it with the newsreader. We do *not* need to be throwing linewraps into spam headers and spam bodies. So, my argument is that we should not be pasting spam into news message bodies in the traditional fashion. Either we should be relying entirely upon the tracker as above; or, we should be putting the spam into the .spam ng /unmangled/ -- that is, not pasted into the body of the the newsmessge. There are several ways to do that, but they amount to attaching the item to the newsgroup message, either as a .txt file or OE can call such a .txt file an .eml file. Such an item makes it easy to not only paste the item into the parser without having to remove the linewraps, but it also makes it easier to 'display' the spamitem by rendering its html. That is, I was able to take the original item I found in 'view entire message' from the tracker and save it as an .eml, and then open the .eml item so that the html was rendered to make it quick and simple to see what the spam was all about, including the only useful link in a single glance. I could also tell where the link was 'going' squally7845tabs.us from my status line below the spam's window in my OE. You can't do that with what is posted in .spam. The point of my argument, to re-iterate, is to change the way we post things in .spam because the way we are doing it isn't good enough. We should either post the tracker only, which we can do here, or if necessary we should attach the spam to the .spam ng message body. -- Mike Easter kibitzer, not SC admin From blacklist-me at davjam.org Thu Jun 10 02:34:06 2004 From: blacklist-me at davjam.org (David Bolt) Date: Wed Jun 9 20:45:04 2004 Subject: [SpamCop-List] Re: [C&C] SPEWS analogy. References: Message-ID: On Sun, 6 Jun 2004, RipCurl wrote:- > >"Redstone" wrote in message >news:Xns94FF29D3CB473lumbercartel@216.154.195.61... > >> Here's another: >> >> 1. Your emails are a bunch of sperm, itching to do their thing. >> 2. Your ISP is a prick. >> 3. SPEWS is a condom. >> 4. We are innocent maidens who don't like surprises. >> 5. You are asking for a teeny hole to be poked in the rubber. >> > > >Better would be that SPEWS is a diaphragm . not a condom. Since a condom >would require that the "sender" be the one to put it on. The diaphragm would >be something that the "receiver" would use to protect themselves....... I guess you've never heard of the femidom, or female condom? Regards, David Bolt -- Member of Team Acorn checking nodes at 63 Mnodes/s: http://www.distributed.net/ AMD 1800 1Gb WinXP | AMD 2400 160Mb SuSE 8.1 | AMD 2400 256Mb SuSE 9.0 AMD 1300 512Mb SuSE 9.0 | A3010 4Mb RiscOS 3.11 | A4000 4Mb RiscOS 3.11 Falcon 14Mb TOS 4.02 | STE 4Mb TOS 1.62 From nobody at devnull.spamcop.net Thu Jun 10 11:30:24 2004 From: nobody at devnull.spamcop.net (Patto) Date: Wed Jun 9 21:35:16 2004 Subject: [SpamCop-List] Re: What happens if a report bounces? References: Message-ID: "Ellen" wrote in message news:ca77bm$62s$1@news.spamcop.net... > "David Butler" wrote in message > news:ca63i5$acn$1@news.spamcop.net... >> "Patto" wrote in message >> news:ca5obi$1k8$1@news.spamcop.net... >> >> I have the same result, have NEVER had one bounce. I think the deputies > need to reset that flag and try again! > > I think we have had this conversation before .... it is trivially easy for > anyone running a mailserver to bounce/devnull/reject inbound mail from > certain domains or IPs (I think we call these blocklists don't we?) and to > accept mail from everywhere or anywhere else. The fact that you or someone > else can send email to some mailserver and apparently have it accepted for > probable or apparent delivery to a mailbox, does not in any way imply that > any other given IP can do the same thing. My original question is still not answered: are /dev/null-ed addresses permanent? Maybe some addresses do intentionally bounce SC reports, in which case they should be marked as "refuses SpamCop reports". In other cases, where a mailbox sometimes fills up over a weekend, I think that these should be retried (bounce-counter reset) periodically. From not at home.today Thu Jun 10 03:31:06 2004 From: not at home.today (Ant) Date: Wed Jun 9 21:35:46 2004 Subject: [SpamCop-List] Re: Null links reported to IBs References: Message-ID: "Mike Easter" wrote... [...] > When you post a spam into .spam with your newsreader, your newsreader > 'butchers' it by throwing in linewraps Not in this case. My wrap column is set to the max of 132 chars in OE (I manually format my normal NG posts). However, it did insert "file:" in a couple of places (where 2 forward slashes appeared at the start of a line) when I pasted the plain text into my post. I should have noticed that and deleted the "file:" inserts. [...] > That is, I was able to take the original item I found in 'view entire > message' from the tracker and save it as an .eml, and then open the .eml > item so that the html was rendered to make it quick and simple to see > what the spam was all about, including the only useful link in a single > glance. I could also tell where the link was 'going' > squally7845tabs.us from my status line below the spam's window in my > OE. > > You can't do that with what is posted in .spam. I could with this one. I saved the post in .spam, opened it in notepad, snipped off the newsgroup header and parse, and renamed it as an eml. It rendered fine when opened, but without the images. > The point of my argument, to re-iterate, is to change the way we post > things in .spam because the way we are doing it isn't good enough. We > should either post the tracker only, which we can do here, or if > necessary we should attach the spam to the .spam ng message body. You make a good point. I give the tracker and the .spam post for convenience - so people have a choice. I may reconsider doing both if it's not useful. I'll certainly make sure OE isn't going to mangle it, or I'll post a text attachment. From nobody at devnull.spamcop.net Thu Jun 10 11:32:45 2004 From: nobody at devnull.spamcop.net (Patto) Date: Wed Jun 9 21:35:54 2004 Subject: [SpamCop-List] Re: Sending to more than one user notification email address References: Message-ID: "Ralph" wrote in message news:ca76b0$52i$1@news.spamcop.net... >> [spamcop.help removed from the distribution, crossposting isn't >> necessary in the SC newsgroups] >> >> Ralph wrote: >> >> > Spamcop allows you to manually put in one address when sending a >> > report. >> > Is it possible to add more email address? >> > Re:User Notification (Notes) >> > >> >> IIRC you can send to up to four additional recipients. Just put the >> addresses in the box separated with a comma. If you add anything to the >> "Notes" box the content will go to all addresses though. >> -- > Thanks, > Will do that next time. > Spamcop is a great service, > however there are a few occassions where I find that there are a few more > people who should be notified of the spam. However, do not put more than 4; SC will not send anything if it's more than the allowed maximum. From nobody at devnull.spamcop.net Thu Jun 10 15:06:51 2004 From: nobody at devnull.spamcop.net (brewman) Date: Wed Jun 9 22:05:05 2004 Subject: [SpamCop-List] Re: How about a change to the 'one size fits all' parsing? References: Message-ID: "Mike Easter" wrote > brewman wrote: > > If the parser had some knobs that the user could twiddle, > > If there /were/ such a knob twister, there would/should also need to be > a 'gear shifter'. > > If you shifted gears, the result would no longer be a 'spamcop report' > but something different. You would be using the parser's algorithms on > the urls and IPs of your choosing, the 'gizmo' would be addressing and > mailing a letter 'for you' where 'you' is the anonymized identity of the > particular 'reporter' submitted by SC's anonymizing parsing reporting - > APR - service - but that report 'class' would not be a spamcop report > but an APR report. Taking the spam that raised this issue (actually too many urls rather than broken email body), what I would suggest (as just one specific 'knob') would be a grep filter of urls to add/subtract from the table that SC builds up. Clearly at present, if too many are added, SC throws a wobbly and adds extra ones to dev\nul. If the routine that adds urls to the list was altered (and not a major alteration, dare I say) to do a grep on what it would add (or not) to that list, then 'smart' reporters could modify the grep string (in another window field) to guide the parser into looking at the right urls to look up. I do not see how this would NOT be a 'spamcop report'; nothing like extra urls or IPs or anything has been added. Yes, it is a 'customised routing' of a 'spamcop report' - but that's just like we have at present with the check boxes! I am NOT talking about 'let SC take whatever string of stuff I ask it to parse and report it'. No, I am talking about 'guiding' SC to make sense of the email. As spammers obfuscate stuff to defeat our parsers, a simple tool like a 'url grep' would give great flexibility in guiding the parser on what stuff to track down, and what stuff to ignore. Spammers are already taking advantage of the limited table used in SC. When we find such spam, this one change would allow 'smarter than the smartest spammer' reporter (that would be most of us) to eyeball the spam, see where the parser needs to be guided to, and follow the kiddyscript example on the screen, viz: "to exclude all www.anything urls, put 'www.\*' in the 'exclude filter', to include any sites with anything_thesite_anything urls, put './*thesite./*' in the 'include filter'" BTW I rarely use regexps, so don't flame me if I got it wrong. It's the principle we're on about here. When the spammers get smart (well, we needed worry about that then) there'll always be a smarter reporter who can write a regexp to find the url(s) to track. Then, SC reports it, as at present. Another simple option would be 'ignore urls not associated with text' check box - default UNCHECKED. That would allow parsing of my troublesome email no problems. Why not limit my suggestion to just that? Because the moment spammers realise what's happening, they'll - no, I'll let them work that out rather than telling them how I would defeat it! Man, spammers are SO stupid. As these 'knobs' get added, it becomes harder for spammers to find a way around them. With the present 'one size fits all', once they find an email that confuses SC, that email ALWAYS confuses SC. Add some 'knobs' and we can adjust SC to focus its attention - a bit of a cyborg, the synergy of (wo)man and machine. If a reporter is confused, they don't need about how to use the fancy options, just let them use the defaults. I'm sure that there are enough determined reporters who take a strange delight in tracking down spam that confused SC, to then manipulate things to get a SC report out. [...] > Since the report isn't a SC report, the url situation could be 'real > loose' - including all kinds of things that might be wrong, and it would > be up to the submitter to 'weed out' the ones which are inappropriate. > The language of the report would be divorcing anything spamcop from the > process. I seem to recall once that someone advised that if 'we' tinw > were sending manual reports based on spamcop parses, that 'we' shouldn't > be saying or crediting spamcop with the result, as in 'determined by > spamcop'. As distinct from 'listed by spamcop' [or spews or whatever] > which might be seen in a manual report template. Whenever I have parsed, say, extracted bounced spam with SC & manually reported it, I have never mentioned SC. -- Brewman Brewman.SpamCop@brycom.cX.nX which really ends with dot co dot nz From nobody at devnull.spamcop.net Thu Jun 10 15:13:51 2004 From: nobody at devnull.spamcop.net (brewman) Date: Wed Jun 9 22:15:10 2004 Subject: [SpamCop-List] Re: What happens if a report bounces? References: Message-ID: "Patto" wrote > Maybe some addresses do intentionally bounce SC reports, in which case they > should be marked as "refuses SpamCop reports". In other cases, where a > mailbox sometimes fills up over a weekend, I think that these should be > retried (bounce-counter reset) periodically. One technique I used for multidrop leased line polled modems that timed out N times, was to put it in a 'slow poll' list. Every 10 minutes or so it got a single poll; if it timed out, leave it there. If it answered, add it back to the 'fast poll' list. Maybe one solution would be to send a report to a bouncing mailbox once per day/week. When someone gets around to answering (after a yonk), activate it again. This could be (semi)automatic. -- Brewman Brewman.SpamCop@brycom.cX.nX which really ends with dot co dot nz From rcarlton at spamcop.net Wed Jun 9 20:13:53 2004 From: rcarlton at spamcop.net (Rick Carlton) Date: Wed Jun 9 22:15:30 2004 Subject: [SpamCop-List] Re: Sending to more than one user notification email address References: Message-ID: "Ralph" wrote in message news:ca75lc$43g$1@news.spamcop.net... > Spamcop allows you to manually put in one address when sending a report. > Is it possible to add more email address? Sure, just place commas between them. Same notification will go to everyone listed though, so you might need to have different segments of the note. (Just a guy, not an admin or deputy) From ob1db at spamcop.net Thu Jun 10 02:01:45 2004 From: ob1db at spamcop.net (David Butler) Date: Thu Jun 10 01:05:16 2004 Subject: [SpamCop-List] Re: Has spammer perhaps thought up new way to obfuscate html? References: Message-ID: brewman" wrote in message news:ca7ngs$ksm$1@news.spamcop.net... > http://www.spamcop.net/sc?id=z515201253z6160a045999cbcb3a3bafaac64a3f50fz > contains reference to sibilation217pills.biz (& zillions of others) > A quick glance & I can't see what the problem is, but SC fails to > notice either that site or any of the chaff thrown in there. > -- here is a weird one! When I feed that to the parser, it grabs 3 links but they are NOT the real ones!!! Please make sure this email IS spam: From: "German Cochran" (Supersavings on all pharmaceuticals (Phentermine,Cialis & more)) ----52553799772608253 Content-Type: text/html; View full message Report Spam to: Using abuse#ihug.co.nz@devnull.spamcop.net for statistical tracking. Using abuse#exodus.net@devnull.spamcop.net for statistical tracking. Using abuse#above.net@devnull.spamcop.net for statistical tracking. Re: 203.109.254.11 (Administrator of network where email originates) To: abuse@ihug.co.nz (refuses munged reports) (Notes) Re: 203.109.254.11 (Third party interested in email source) To: Cyveillance spam collection (Notes) Re: 203.109.254.11 (Administrator of network where email originates) To: abuse#ihug.co.nz@devnull.spamcop.net (Notes) Re: Forwarded Spam (User defined recipient) To: uce@ftc.gov (Notes) To: abuse@chinanet.cn.net (Notes) To: abuse@t-ipnet.de (Notes) To: abuse@above.net (refuses munged reports) (Notes) To: abuse@gblx.net (Notes) To: abuse@att.net (Notes) To: abuse#above.net@devnull.spamcop.net (Notes) Re: http://www.aileen.net (Administrator of network hosting website referenced in spam) To: abuse@exodus.net (refuses munged reports) (Notes) To: abuse#exodus.net@devnull.spamcop.net (Notes) Re: http://www.bellatrix.com (Administrator of network hosting website referenced in spam) To: abuse@atgi.net (Notes) Re: http://www.fiend.com (Administrator of network hosting website referenced in spam) To: abuse@nac.net (Notes) To: abuse@att.net (Notes) Re: http://www.stock.org (Administrator of network hosting website referenced in spam) To: abuse@navisite.com (Notes) To: Internal spamcop handling: (level3) (Notes) To: abuse@broadwing.net (Notes) I am cc'ing this to the deputy sample address, see if they can spot why! From ob1db at spamcop.net Thu Jun 10 02:16:09 2004 From: ob1db at spamcop.net (David Butler) Date: Thu Jun 10 01:20:03 2004 Subject: [SpamCop-List] chinanet update: anti-spam@chinanet.cn.net is back Message-ID: Looks like the deputies noticed all our remarks that this does not bounce! Re: http://www.remotetissue.info/mn/num20 (Administrator of network hosting website referenced in spam) To: postmaster#chinanet.cn.net@devnull.spamcop.net (Notes) To: wangg@sdtele.com (Notes) To: anti-spam@chinanet.cn.net (Notes) Of course, will this do anything ??? From nobody at devnull.spamcop.net Thu Jun 10 18:25:35 2004 From: nobody at devnull.spamcop.net (brewman) Date: Thu Jun 10 01:25:02 2004 Subject: [SpamCop-List] I've just been mailbombed - I must be getting up someone's nose Message-ID: http://www.spamcop.net/sc?id=z515595171z77af7385c798aecdbf7fd0622e38c565z 40 identical German newspaper-article-type text What's the best way to handle it? (apart from getting my SC reporting time down, of course) -- Brewman Brewman.SpamCop@brycom.cX.nX which really ends with dot co dot nz From nobody at devnull.spamcop.net Thu Jun 10 18:41:53 2004 From: nobody at devnull.spamcop.net (brewman) Date: Thu Jun 10 01:40:03 2004 Subject: [SpamCop-List] Re: I've just been mailbombed - I must be getting up someone's nose References: Message-ID: "brewman" wrote in message news:ca8r5t$iio$1@news.spamcop.net... > http://www.spamcop.net/sc?id=z515595171z77af7385c798aecdbf7fd0622e38c565z > 40 identical German newspaper-article-type text > > What's the best way to handle it? (apart from getting my SC reporting > time down, of course) > Rats! started on 4 hours - still on 4 hours. Please can we have decimals/fractions of an hour for average reporting time? -- Brewman Brewman.SpamCop@brycom.cX.nX which really ends with dot co dot nz From rcarlton at spamcop.net Wed Jun 9 23:59:10 2004 From: rcarlton at spamcop.net (Rick Carlton) Date: Thu Jun 10 02:00:04 2004 Subject: [SpamCop-List] Re: I've just been mailbombed - I must be getting up someone's nose References: Message-ID: "brewman" wrote in message news:ca8s4e$j9m$1@news.spamcop.net... > "brewman" wrote in message > news:ca8r5t$iio$1@news.spamcop.net... > > > http://www.spamcop.net/sc?id=z515595171z77af7385c798aecdbf7fd0622e38c565z > > 40 identical German newspaper-article-type text > > > > What's the best way to handle it? (apart from getting my SC > reporting > > time down, of course) Looks like your among the early winners.... there's talk of it over in NANAE as well. And 4 hours? Damn. I'm trying to get below 8! From MikeE at ster.invalid Wed Jun 9 23:58:09 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jun 10 02:00:22 2004 Subject: [SpamCop-List] Re: Null links reported to IBs References: Message-ID: Ant wrote: > "Mike Easter" wrote... > > [...] >> When you post a spam into .spam with your newsreader, your newsreader >> 'butchers' it by throwing in linewraps > > Not in this case. My wrap column is set to the max of 132 chars in OE > (I manually format my normal NG posts). Oops. I didn't use a good example for my case. 'Nobody' does it that way normally. >> That is, I was able to take the original item I found in 'view entire >> message' from the tracker and save it as an .eml, and then open the >> .eml item so that the html was rendered to make it quick and simple >> to see what the spam was all about, including the only useful link >> in a single glance. I could also tell where the link was 'going' >> squally7845tabs.us from my status line below the spam's window in >> my OE. >> >> You can't do that with what is posted in .spam. > > I could with this one. I saved the post in .spam, opened it in > notepad, snipped off the newsgroup header and parse, and renamed it > as an eml. It rendered fine when opened, but without the images. I didn't realize that you had made longlines because I didn't even work with the one in spam, I just assumed that it would be linewrap mangled and so I grabbed the one from the tracker. >> The point of my argument, to re-iterate, is to change the way we post >> things in .spam because the way we are doing it isn't good enough. >> We should either post the tracker only, which we can do here, or if >> necessary we should attach the spam to the .spam ng message body. > > You make a good point. I give the tracker and the .spam post for > convenience - so people have a choice. I may reconsider doing both if > it's not useful. I'll certainly make sure OE isn't going to mangle it, > or I'll post a text attachment. Well, I suppose if everyone did it the way you are describing, the message body would be all right for spam posting. But I don't think 'anyone' does [except you]. I suppose if I were 'advising' how to post in spam I would say to change the newsreaders linewrap to a very large number, OE's max is 132, or to attach a .txt file of the saved item, which in the case of OE could be its .eml version or its .txt version saved directly from the mua, or it could be pasted into NotePad or such and saved as a .txt that way. -- Mike Easter kibitzer, not SC admin From none at invalid.domain Thu Jun 10 00:06:15 2004 From: none at invalid.domain (HillsCap) Date: Thu Jun 10 02:10:03 2004 Subject: [SpamCop-List] Re: I've just been mailbombed - I must be getting up someone's nose References: Message-ID: > "Rick Carlton" wrote: > "brewman" wrote in message > What's the best way to handle it? (apart from getting my SC > reporting time down, of course) Where does one go about finding out our reporting time? From rcarlton at spamcop.net Thu Jun 10 00:21:54 2004 From: rcarlton at spamcop.net (Rick Carlton) Date: Thu Jun 10 02:25:03 2004 Subject: [SpamCop-List] Re: I've just been mailbombed - I must be getting up someone's nose References: Message-ID: "HillsCap" wrote in message news:ca8tt2$kt8$1@news.spamcop.net... > > Where does one go about finding out our reporting time? > I see it when I go to http://www.spamcop.net/ Mine's something like: Welcome, Rick Carlton. Your average reporting time is: 8 hours; Pretty good! Here's the about link : http://www.spamcop.net/fom-serve/cache/371.html From gospamming at yourdomain.invalid Thu Jun 10 07:53:43 2004 From: gospamming at yourdomain.invalid (D.Diaz) Date: Thu Jun 10 02:55:03 2004 Subject: [SpamCop-List] Re: Has spammer perhaps thought up new way to obfuscate html? References: Message-ID: "brewman" wrote in news:ca7ngs$ksm$1@news.spamcop.net: > http://www.spamcop.net/sc?id=z515201253z6160a045999cbcb3a3bafaac64a3f50 > fz contains reference to sibilation217pills.biz (& zillions of others) > A quick glance & I can't see what the problem is, but SC fails to > notice either that site or any of the chaff thrown in there. The answer is simple: the links to sibilation217pills.biz have been discarded because they do not resolve, so there is no abuse desk to send reports to. The fact that the parser says again "Too many links..." has nothing to do with that. It is *not* throwing away any of them, but just changing of parsing method. -- Daniel Diaz My personal email: ddiazxn @ telefonica . net From gospamming at yourdomain.invalid Thu Jun 10 08:12:07 2004 From: gospamming at yourdomain.invalid (D.Diaz) Date: Thu Jun 10 03:15:09 2004 Subject: [SpamCop-List] Re: Has spammer perhaps thought up new way to obfuscate html? References: Message-ID: "D.Diaz" wrote in news:Xns95045A7CF6B5Cxnddmxn@216.154.195.61: > The answer is simple: the links to sibilation217pills.biz have been > discarded because they do not resolve, so there is no abuse desk to > send reports to. The fact that the parser says again "Too many > links..." has nothing to do with that. It is *not* throwing away any > of them, but just changing of parsing method. > Oops... After a more close look to the spam body, now I think I've spoken too fast. The link seems to have been discarded because it resembles an empty/almost empty link. Nevertheless, my appreciation about the "Too many links" is still valid: the parser does not throw away the parse, it just informs that there are too many links to perform the standard parsing, so it is switching to the new parsing method for finding and discarding bogus links. -- Daniel Diaz My personal email: ddiazxn @ telefonica . net From nobody at xyzzy.claranet.de Thu Jun 10 11:27:19 2004 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Thu Jun 10 04:30:03 2004 Subject: [SpamCop-List] Re: I've just been mailbombed - I must be getting up someone's nose References: Message-ID: <40C81B67.4D97@xyzzy.claranet.de> brewman wrote: > 40 identical German newspaper-article-type text It's racist propagada ("foreigners are criminals" and similar crap), no idea why you get it, but the elections to the EU parliament just started. Bye, Frank From not at home.today Thu Jun 10 10:57:16 2004 From: not at home.today (Ant) Date: Thu Jun 10 05:01:02 2004 Subject: [SpamCop-List] Re: Null links reported to IBs References: Message-ID: "Mike Easter" wrote... [...] > Well, I suppose if everyone did it the way you are describing, the > message body would be all right for spam posting. But I don't think > 'anyone' does [except you]. > > I suppose if I were 'advising' how to post in spam I would say to change > the newsreaders linewrap to a very large number, OE's max is 132, or to > attach a .txt file of the saved item, which in the case of OE could be > its .eml version or its .txt version saved directly from the mua, or it > could be pasted into NotePad or such and saved as a .txt that way. I think attaching as text is a good idea for most people, who may not notice the other OE quirk of inserting "file:" before a double slash in certain circumstances. This will happen as the raw text is pasted into the message body. However they can be deleted, if noticed, before pressing send. The disadvantage of viewing the spam from the tracker is that it will render if the link is clicked. This can be avoided in IE by doing right-click, and "save target as", or copying and pasting the link to the address bar and prepending "view-source:" to it. From not at home.today Thu Jun 10 11:03:36 2004 From: not at home.today (Ant) Date: Thu Jun 10 05:05:09 2004 Subject: [SpamCop-List] Re: How about a change to the 'one size fits all' parsing? References: Message-ID: "brewman" wrote... > Taking the spam that raised this issue (actually too many urls rather > than broken email body), what I would suggest (as just one specific > 'knob') would be a grep filter of urls to add/subtract from the table > that SC builds up. Clearly at present, if too many are added, SC > throws a wobbly and adds extra ones to dev\nul. [...] The problem at the moment is that the many URLs are null links. The parser should be detecting them as such, and only be looking at the active ones, of which usually there are only a couple. From nobody at xyzzy.claranet.de Thu Jun 10 12:01:22 2004 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Thu Jun 10 05:10:12 2004 Subject: [SpamCop-List] Re: Null links reported to IBs References: Message-ID: <40C82362.DE9@xyzzy.claranet.de> Mike Easter wrote: > Oops. I didn't use a good example for my case. No problem, the reasoning was clear. I've tested it with your article: 1 - right click on the Message-Id of your article and copy it to the clipboard (saving the Message-ID as URL) 2 - go to spamcop.spam and click "Re:News" at Ant's article 3 - click "attachment" and paste the URL saved in step 1, the effect is essentially the same as "forwarding" (but my old browser still creates a message/news instead of the almost equivalent message/rfc822, because your article was "news") 4 - add a line of dummy text and set a fup2 spamcop. Now my old but cute browser uses multipart/mixed, the 1st part is my text, the 2nd part is your original message/news with all headers and its body 5 - post. Last question, can your weird OE handle this ? See >>> We should either post the tracker only Yes, but there are still cases where SC doesn't accept stuff, or the problem is the Web interface. >>> or if necessary we should attach the spam to the .spam ng Technically it's "forwarding", unless you're really using EML, which is a raw plain text message/rfc822 with a file name. A normal message/rfc822 has no file name and is displayed inline (i.e. shown immediately without any "save" or "open"). Please create test cases of your EML and TXT methods, I want to check it with my browser. AFAIK my Netscape 3.x and your OE are by far the worst cases, so if I can see your stuff and v.v. it should work for everybody ;-) Bye, Frank From nobody at xyzzy.claranet.de Thu Jun 10 12:47:20 2004 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Thu Jun 10 05:50:19 2004 Subject: [SpamCop-List] Re: How do I send emails to xenophobic paranoid Attorney General offices? References: Message-ID: <40C82E28.216B@xyzzy.claranet.de> brewman wrote: > 501 'Blocked by Filter 0' > I even tried postmaster@ and got same result. Strange, I can say HELO and MAIL FROM and RCPT TO postmaster at this domain with my silly DynDNS host and a dialup IP. Is this a content filter (after DATA) ? Of course I didn't test to send real DATA (= message/rfc822 a.k.a. mail ;-) Bye. From STEVE at cashmans.fsnet.co.uk Thu Jun 10 11:55:44 2004 From: STEVE at cashmans.fsnet.co.uk (Steve Cashman) Date: Thu Jun 10 06:00:03 2004 Subject: [SpamCop-List] Re: I've just been mailbombed - I must be getting up someone's nose References: Message-ID: "brewman" wrote in message news:ca8r5t$iio$1@news.spamcop.net... > http://www.spamcop.net/sc?id=z515595171z77af7385c798aecdbf7fd0622e38c565z > 40 identical German newspaper-article-type text > > What's the best way to handle it? (apart from getting my SC reporting > time down, of course) > > -- > Brewman > Brewman.SpamCop@brycom.cX.nX which really ends with dot co dot nz > Yes I just got 40 of them as well. They are sent through a dial up in New Zealand - 210.55.36.184 It is racist abuse against Eastern Europeans and Turks in Germany as a preamble to the European Elections this week. Foreigners clogging the hospitals and such Nazi crap. May be there are still some Nazi bastards still around. I have reported them through abuse@xtra.co.nz > From michael.spamcop at michaellefevre.com Thu Jun 10 11:06:15 2004 From: michael.spamcop at michaellefevre.com (Michael Lefevre) Date: Thu Jun 10 06:10:07 2004 Subject: [SpamCop-List] Re: What happens if a report bounces? References: Message-ID: Patto wrote: > > My original question is still not answered: are /dev/null-ed addresses > permanent? I'm not sure, but I think the answer in terms of the automated stuff is yes. They can be (and sometimes are) reset manually. > Maybe some addresses do intentionally bounce SC reports, in which case they > should be marked as "refuses SpamCop reports". In other cases, where a > mailbox sometimes fills up over a weekend, I think that these should be > retried (bounce-counter reset) periodically. The issue with that is there is often no way of distinguishing one from the other. And if they regularly let their mailbox fill up over the weekend, the chances are that they're not doing anything useful with the reports anyway... -- Michael From A_No.Spam_Haumer at T-Online.at Thu Jun 10 13:30:03 2004 From: A_No.Spam_Haumer at T-Online.at (Anton Haumer) Date: Thu Jun 10 06:35:10 2004 Subject: [SpamCop-List] contact spamcop Message-ID: <40C8382B.B2DAE3C7@T-Online.at> Hello, how can I send an email to spamcop? Not reporting spam, but a usefull hint. In the statistics I saw some reports send to chello.at. In Austria spam/UCE is forbidden by law; therefore it is usefull to send a report also to: mailto:fb.wien@bmvit.gv.at Re: complaint about UCE according to Par. 107 TKG 2003 Possible Text: "I received the attached email. I did not allow the sender to send advertising email to me. Therefore I kindly ask to investigate that violation of Par. 107 TKG 2003." Attachment: full header I know that a very small amount of UCE is sent from Austria or even EU - countries (the spam I get originates mainly from Asia, US, South America and Eastern Europe), but spammers should be fought as hard as possible. Best regrads, Toni from Austria From spamcop at oitc.com Thu Jun 10 07:38:30 2004 From: spamcop at oitc.com (spamcop) Date: Thu Jun 10 06:40:03 2004 Subject: [SpamCop-List] Missed urls again Message-ID: Urls missed using eudora workaround. Spam is documented in spamcop.spam Tom From a at all.addresses.on.cdrom.are.invalid.aaa Thu Jun 10 08:57:18 2004 From: a at all.addresses.on.cdrom.are.invalid.aaa (John Malmberg) Date: Thu Jun 10 08:00:08 2004 Subject: [SpamCop-List] Re: contact spamcop In-Reply-To: <40C8382B.B2DAE3C7@T-Online.at> References: <40C8382B.B2DAE3C7@T-Online.at> Message-ID: Anton Haumer wrote: > Hello, > > how can I send an email to spamcop? Posting here sometimes gets the deputies notice, and is sometimes a good idea to get early feedback from other users, most of them like me who have nothing to do with the operation at spamcop.net. > In the statistics I saw some reports send to chello.at. > In Austria spam/UCE is forbidden by law; > therefore it is usefull to send a report also to: Spamcop.net generally does not have a reliable way to always determine what country that the spam originated from or is hosted by. Spammers are now starting to use zombied machines as name servers and web servers, in addition to their previous use as mail servers. Also many official spam reporting addresses that are country specific can not keep up with the volume of reports that spamcop.net can send, and it has been reported in at least one case that a government agency specifically asked spamcop.net to not send reports. -John wb8tyw@qsl.network Personal Opinion Only From MikeE at ster.invalid Thu Jun 10 06:50:00 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jun 10 08:55:04 2004 Subject: [SpamCop-List] Re: Null links reported to IBs References: <40C82362.DE9@xyzzy.claranet.de> Message-ID: These answers are just for Frank's experiment, not instructions for how to do what I'm talking about. Frank Ellermann wrote: > No problem, the reasoning was clear. I've tested it with your > article: > > 1 - right click on the Message-Id of your article and copy it > to the clipboard (saving the Message-ID as URL) > 2 - go to spamcop.spam and click "Re:News" at Ant's article > 3 - click "attachment" and paste the URL saved in step 1, the > effect is essentially the same as "forwarding" (but my old > browser still creates a message/news instead of the almost > equivalent message/rfc822, because your article was "news") > 4 - add a line of dummy text and set a fup2 spamcop. Now my > old but cute browser uses multipart/mixed, the 1st part is > my text, the 2nd part is your original message/news with > all headers and its body > 5 - post. Last question, can your weird OE handle this ? See > news://news.spamcop.net/40C81D54.3A2F@xyzzy.claranet.de I think the result is 'what I want' - but I can't tell because it was already a wrapped newsarticle. I know that your own focus is developing a 'mechanism' for doing it - with your newsreader - but it confuses me because I don't understand that mechanism in the context of OE or in doing it from news to news. The result is that in .spam I see the little body and there is a ATT00035.dat attachment. I can't work with the .dat file directly, but that doesn't keep me from 'handling' its content. If that were a spam, I would be accessing it from the message's properties and it would have 'survived' any wrapping by your newsreader. However, this is a little 'weird' moving news articles around, because our target goal is moving a mail item unwrapped into news. The instructions given aren't those I would give someone to handle a mail item. > Technically it's "forwarding", unless you're really using EML, > which is a raw plain text message/rfc822 with a file name. A > normal message/rfc822 has no file name and is displayed inline > (i.e. shown immediately without any "save" or "open"). > > Please create test cases of your EML and TXT methods, I want > to check it with my browser. AFAIK my Netscape 3.x and your > OE are by far the worst cases, so if I can see your stuff and > v.v. it should work for everybody ;-) I'm not sure exactly what you want me to do; but I'll describe how OE can handle the news and mail items, which is different. OE will allow me to save an unopened - or opened, but you know how I am about opening spam ;-) - mail as a .eml [which is text with an .eml extender] or .txt [which can be 'regular' or unicode] That .eml or .txt item I saved can be attached to a news message by opening a news message and then 'Insert' -ing a file attachment, namely the .eml or .txt. I would not be able to 'forward' -or rather forward as an attachment - such a mail item to a /newsgroup/; OE only lets me forward an item to a new /mail/. If I were trying to perform something very similar to what you did, namely with a newsitem, I would save the first news item, which can be named .nws or .txt and it would be text or unicode text. Then I would attach that saved news article to the new newsarticle. If I tried to forward as attachment a newsarticle, OE would open up a new *mail* item with the news article attached to it, including headers, and call it 'subject.nws' where subject is the subject of the original newsitem. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Thu Jun 10 07:06:20 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jun 10 09:10:02 2004 Subject: [SpamCop-List] Re: How about a change to the 'one size fits all' parsing? References: Message-ID: Ant wrote: > "brewman" wrote... > >> Taking the spam that raised this issue (actually too many urls rather >> than broken email body), what I would suggest (as just one specific >> 'knob') would be a grep filter of urls to add/subtract from the table >> that SC builds up. Clearly at present, if too many are added, SC >> throws a wobbly and adds extra ones to dev\nul. [...] > > The problem at the moment is that the many URLs are null links. The > parser should be detecting them as such, and only be looking at the > active ones, of which usually there are only a couple. In case anyone is wondering about what spamitem we are talking about, which hasn't been named in this thread but in a different brewman one, it is www.spamcop.net/sc?id=z515201253z6160a045999cbcb3a3bafaac64a3f50fz which at the present time parses and finds many urls which don't appear in the rendering of the spam and are 'immaterial' and also /finds/ the 'target' url. SC discards 31 urls like this: Too many links, discarding http://sibilation217pills.biz/g09 Too many links, discarding http://comic.sibilation217pills.biz/unsubscribe.ddd and the specific 2 above are actually the active or working urls, and 'works up' 7 'invisible' urls [chosen by some mysterious process, they are just like 29 of the other urls above]. Of the 7 worked up, 3 don't resolve, so 4 are reported. There was never a SC attempt to resolve or report either of the 'working' urls in the rendered spam, which in this case happen to not resolve anyway. So, the whole result on the part of SC is 'bad dog'. -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Thu Jun 10 11:09:49 2004 From: nobody at spamcop.net (Anti-Spam) Date: Thu Jun 10 10:20:03 2004 Subject: [SpamCop-List] Re: Null links reported to IBs References: Message-ID: "Ant" wrote in message news:ca83qq$p7$1@news.spamcop.net... > Spam in .spam with parser output appended. > > I see the "too many links" message is back, but some null or bogus > links are being reported. Previously links with no text between the > and the tags were ignored. > > Innocent bystanders (example: unison.org) would get the reports, but > I unticked them in the submission. > > The only clickable links are to squally7845tabs.us which does not > resolve. > > http://www.spamcop.net/sc?id=z515276726z39f3eeec5c0deb77c71ba7acb22618cbz > Just to increase the urgency: I've been seeing quite a few more spam with this "feature" today, than yesterday. It also _seems_ that an increasing fraction of the webmasters don't want to hear about it. This would appear to imply that there are lots of these types of spam floating around, and that a lot of innocent bystanders are receiving LARTs via spamcop, and they're developing the habit of ignoring spamcop reports. In other words, SC's reputation is being dragged down. So it would probably be a really good idea if the previous behaviour of ignoring " be brought back post haste! As an ancillary point, is it better to point out SC bugs in this ng (known to be haunted by spammers), or would a confidential reporting address be better. Of course, whoever has to read the results might not appreciate it. -- .sig Non-functional spambait addr: webmaster@zkzsahgap.com (generated by Webpoison) From nobody at spamcop.net Thu Jun 10 11:23:37 2004 From: nobody at spamcop.net (Anti-Spam) Date: Thu Jun 10 10:30:09 2004 Subject: [SpamCop-List] Re: contact spamcop References: <40C8382B.B2DAE3C7@T-Online.at> Message-ID: "Anton Haumer" wrote in message news:40C8382B.B2DAE3C7@T-Online.at... > In Austria spam/UCE is forbidden by law; > therefore it is usefull to send a report also to: > > mailto:fb.wien@bmvit.gv.at > Re: complaint about UCE according to Par. 107 TKG 2003 > Possible Text: > "I received the attached email. I did not allow the sender > to send advertising email to me. Therefore I kindly ask to > investigate that violation of Par. 107 TKG 2003." > Attachment: full header > > I know that a very small amount of UCE is sent > from Austria or even EU - countries (the spam I get originates > mainly from Asia, US, South America and Eastern Europe), > but spammers should be fought as hard as possible. > > Best regrads, > Toni from Austria Not quite spamcop-related, and since Marjolein doesn't appear to have responded (still travelling?), I'll point out the very useful list of contact address for all sorts of agencies (government, commercial or otherwise) interested in specific types of spam: If you can find the web page for the sponsor of the e-mail address you mentioned above (Austrian government?) it would be helpful in adding the e-mail address to the list. -- .sig Non-functional spambait addr: fors17@edgppbn.com (generated by Webpoison) From nobody at devnull.spamcop.net Fri Jun 11 00:32:31 2004 From: nobody at devnull.spamcop.net (nobody@devnull.spamcop.net) Date: Thu Jun 10 10:35:02 2004 Subject: [SpamCop-List] Re: FriedSpam References: Message-ID: "John E. Malmberg" wrote in message news:icSjDCy9fEv5@eisner.encompasserve.org... > It sounds like it uses your machine to send through open proxies, so if one > of owners of the networks that the open proxy is on catches you, they could > file a valid abuse report to your ISP, or just feed a blacklist. I thought he was saying that you could use a swag of open proxies to contact *friedspam.net*. Friedspam.net then delivers thousands of requests for a webpage from the spammer. The open proxy simply keeping your identity hidden from the spamming website, but not using the open proxies bandwidth for any more than a single, few KB communication. Here is an extract from HillsCaps previous post: "and include instructions on how to run FriedSpam.net through anonymous proxies". I'm not sure whether the open proxy is disadvantaged by someone using it in this way. If an open proxy has a single communication pass through it on the way to Friedspam.net, I'm not sure if your own ISP would be happy, neutral or terminate your account. I also don't know whether FriedSpam.net will increase your own bandwidth usage! But I sure as hell wish HillsCap the very, very best of success! As it becomes more and more apparent that Can Spam will never stop the spam flow, I'm starting to realise that the only solution is for the internet guru's amongst us to start using the same dirty tricks against the spammers as they use against us. My own country, Australia, seems to have the Australian spammer companies beaten (1 million dollar fines per day). However the US doesn't seem to be intending to follow suit any time soon. I've been SC reporting for a couple of years now and have spent untold hours fighting spam - with several tens of thousands of SC reports sent. The problem has got worse by an order of magnitude in this time. I support HillsCap to the end, if we could all use a watertight method of attack on the spammers, they might finally be beaten. The only other way seems to be for ISP's to take the initiative and blacklist the websites of known spammers. Which also wont happen anytime soon. Regards, Hughy -- I can be found at airways underscore electronics at bigpond_d_o_t_c_o_m_ From billmclaren at spamcop.net Thu Jun 10 16:49:47 2004 From: billmclaren at spamcop.net (Bill McLaren) Date: Thu Jun 10 10:50:02 2004 Subject: [SpamCop-List] Re: MD/CEO? References: Message-ID: On Wed, 09 Jun 2004 13:48:01 -0500, Spambo wrote: >If someone is going to make derogatory public statements without giving >any information to back up their claims then they deserve what they get. > IME SpamCop "staff members" always act in a responsible manner and if >someone wants to suggest publicly it isn't the case they should back up >their words. If the matter is not resolved then I will be backing up my words in great detail in the appropriate place. If it is resolved and proves to be a misunderstanding then I'd prefer not to slag someone off for no reason. From nobody at devnull.spamcop.net Fri Jun 11 01:01:02 2004 From: nobody at devnull.spamcop.net (nobody@devnull.spamcop.net) Date: Thu Jun 10 11:00:04 2004 Subject: [SpamCop-List] Re: FriedSpam References: Message-ID: I'm confused. I had another look at the first post from HillsCap. It says, in part: "I'll rewrite the relevant parts to reflect my experience with running FriedSpam.net with higher than default security settings, then submit it to Sam... hopefully he'll update the site with the new code after he's done testing the anonymous proxy rotation setup I told him about, and include instructions on how to run FriedSpam.net through anonymous proxies." This also suggests the anonymous proxies would be used by FriedSpam.net. - not by the antispammer using FriedSpam.net. If so, then the only remaining issue would be the fear of the code I'd be downloading from FriedSpam.net and how much bandwidth **I'd** be using when I initiated a FriedSpam attack on a spammer website. I'd want a cast iron guarantee that the code downloaded to my own machine was benign! I need to know more ... but probably won't understand it without being spoon fed :-( Regards, Hughy -- I can be found at airways underscore electronics at bigpond_d_o_t_c_o_m_ From nobody at spamcop.net Thu Jun 10 12:23:45 2004 From: nobody at spamcop.net (Firewoman) Date: Thu Jun 10 11:20:09 2004 Subject: [SpamCop-List] Re: MD/CEO? References: Message-ID: "Spambo" wrote in message news:ca7m11$jal$1@news.spamcop.net... > If someone is going to make derogatory public statements without giving > any information to back up their claims then they deserve what they get. > IME SpamCop "staff members" always act in a responsible manner and if > someone wants to suggest publicly it isn't the case they should back up > their words. "Do not piss off Spambo" ;) Heh. From rmu93awSPAMB02 at sneakemail.com Thu Jun 10 11:34:38 2004 From: rmu93awSPAMB02 at sneakemail.com (Spambo) Date: Thu Jun 10 11:35:03 2004 Subject: [SpamCop-List] Re: MD/CEO? In-Reply-To: References: Message-ID: Firewoman wrote: > [snip] > > "Do not piss off Spambo" "Don't psot unsubstantiate4d rants and expect the world to kiss your a$$" would be more accurate. -- Just a SpamCop newsgroup participant, not an admin or employee of SpamCop or related domains. From MikeE at ster.invalid Thu Jun 10 09:38:49 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jun 10 11:40:02 2004 Subject: [SpamCop-List] Re: contact spamcop References: <40C8382B.B2DAE3C7@T-Online.at> Message-ID: Anti-Spam wrote: > since Marjolein doesn't appear > to have responded (still travelling?), Speaking of Marjolein, her posting to her blog is working again, and we have posts from Jun 6-9 from Iran at her site http://iamback.com/blog/ Shiraz Persepolis Isfahan She has moved things around, so the earlier posts which were there are gone to another page. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Thu Jun 10 10:12:44 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jun 10 12:15:03 2004 Subject: [SpamCop-List] Re: Null links reported to IBs References: <40C82362.DE9@xyzzy.claranet.de> Message-ID: Mike Easter wrote: > These answers are just for Frank's experiment, not instructions for > how to do what I'm talking about. Putting the bottom line at the top: So, the bottom line is - that method works great. Okey dokey, your newest item appears to OE as a little news message with an attachment named ***SPAM*** fettle with a mail icon - that's how it 'appears' visually, the item is actually named ___SPAM___ fettle.eml. The way I would 'handle' what you've posted [personally] would be to get it from the news message's properties and select the attachment part; that way I wouldn't have to open the unknown mail item. When I do that, the spam's headers have not been messed up by linewraps and it can be pasted into the parser just as is to get this parse www.spamcop.net/sc?id=z515878653z930c833633e54a3834c956427dbfb3d7z The other advantage of that method is that once I know that the spam item is 'OK' and I don't mind opening it, or if I might choose to open it offline or whatever, I can open the .eml item with my OE and render the .eml item exactly as you would have rendered it as your own mail. This is much superior to the kind of spam postings we have been doing, which have been mangled in both headers and body, and which are practically impossible to reconstruct in the body section. So, the bottom line is - that method works great. -- Mike Easter kibitzer, not SC admin From nobody at xyzzy.claranet.de Thu Jun 10 19:24:55 2004 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Thu Jun 10 12:30:10 2004 Subject: [SpamCop-List] Re: Null links reported to IBs References: <40C82362.DE9@xyzzy.claranet.de> Message-ID: <40C88B57.147@xyzzy.claranet.de> Mike Easter wrote: > I know that your own focus is developing a 'mechanism' for > doing it - with your newsreader - but it confuses me Sorry, using a news article was a bad idea. I've now repeated exactly the same procedure with a real spam, see also... ...now the 2nd part is a message/rfc822, that should help. > The result is that in .spam I see the little body and there > is a ATT00035.dat attachment. I can't work with the .dat > file directly That was probably a side effect of the message/news, but if you now still get the same effect, then our natural ways to post umangled complete sapm in spamcop.spam are incompatible. > our target goal is moving a mail item unwrapped into news. ACK, done now (for me it's exactly the same algorithm, copy Message-ID: as URL to clipboard, use this URL as "attachment" of the article posted in .spam) > I'm not sure exactly what you want me to do Simply test your EML resp, TXT procedures in .spam with some spam in your Inboud. If that results in a _real_ "attachment" (= file) in .spam instead of an inline message/rfc822, then I fear that nobody will understand what's going on there. > OE only lets me forward an item to a new /mail/. Same here, but my procedure in news works also in mail, and it has exactly the same effect as "forward" in mail. Of course I would simply click "forward" for mail. In fact it works also for mail, instead of entering a mail address in the To: field I could click "view", and that's a menu offering among other things like Bcc: and Reply-To: to open Newsgroups: and Followups-To: fields. ((( Hmph, and that is obviously much better than the pseudo-"attachment"-trick ))) Bye, Frank From MikeE at ster.invalid Thu Jun 10 10:38:23 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jun 10 12:40:03 2004 Subject: [SpamCop-List] Re: Null links reported to IBs References: <40C82362.DE9@xyzzy.claranet.de> <40C88B57.147@xyzzy.claranet.de> Message-ID: Frank Ellermann wrote: > Sorry, using a news article was a bad idea. I've now repeated > exactly the same procedure with a real spam, see also... > > news://news.spamcop.net/40C884B5.6044@xyzzy.claranet.de Oh, I forgot to answer your question about how OE handled that kind of 'link' above, and the answer is that it handles it just fine, regardless of which newsserver is the default. Also, if news.spamcop.net is the default newsserver, then the shorter version news:40C884B5.6044@xyzzy.claranet.de will work. If it isn't the default, it doesn't. The long version always works. > Simply test your EML resp, TXT procedures in .spam with some > spam in your Inboud. If that results in a _real_ "attachment" > (= file) in .spam instead of an inline message/rfc822, then I > fear that nobody will understand what's going on there. I'm just now thinking of a little 'problem' with some styles of doing what I'm talking about. Very often people want to munge headers and/or body of an item they are posting into .spam, which means that they need to 'handle' it rather than simply saving it as an .eml or .txt straight from their Inbox. They would need to copy the raw mail source and put it into a little editor like NotePad or somesuch and then search and delete or whatever they needed to do, and then save the item as .eml or .txt. In some ways it would be better to save it as .eml, because then it can be optionally rendered by another OE newsreader straight from the newsgroup reading. > In fact it works also for mail, instead of entering a mail > address in the To: field I could click "view", and that's a > menu offering among other things like Bcc: and Reply-To: to > open Newsgroups: and Followups-To: fields. ((( Hmph, and that > is obviously much better than the pseudo-"attachment"-trick ))) I'm not sure I'm getting that one either, I think you are talking to 'yourself' about how your news/mail reader works and thinking that your current idea would work differently than the first attachment example. -- Mike Easter kibitzer, not SC admin From gospamming at yourdomain.invalid Thu Jun 10 17:41:32 2004 From: gospamming at yourdomain.invalid (D.Diaz) Date: Thu Jun 10 12:45:10 2004 Subject: [SpamCop-List] Re: Null links reported to IBs References: <40C82362.DE9@xyzzy.claranet.de> Message-ID: "Mike Easter" wrote in news:caa1b2$jcs$1@news.spamcop.net: > So, the bottom line is - that method works great. > Yup, works wonderfully for me too. My newsreader at the office is Xnews. It renders the attachment inline with the posting, and it does respect the original format without altering even a single space. I'm seeing that piece of spam as if I had taken it out from my mailserver queue with notepad. -- Daniel Diaz My personal email: ddiazxn @ telefonica . net From nobody at xyzzy.claranet.de Thu Jun 10 19:43:15 2004 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Thu Jun 10 12:45:23 2004 Subject: [SpamCop-List] Re: Null links reported to IBs References: <40C82362.DE9@xyzzy.claranet.de> <40C88B57.147@xyzzy.claranet.de> Message-ID: <40C88FA3.474C@xyzzy.claranet.de> Frank Ellermann wrote: > umangled complete sapm 2 typos in 3 words, ouch. Okay, OE can read it, therefore all can read it. Now the last potential problem is what OE does, and can my old Netscape 3.x read it. OTOH nobody but me and Falcko still use 3.x, and we know "view document source", if OE insists on Content-Disposition: attachment;name=dummy.eml instead of Content-Disposition: inline Bye, Frank (MIME is beautiful ;-) From nobody at xyzzy.claranet.de Thu Jun 10 19:53:11 2004 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Thu Jun 10 12:55:06 2004 Subject: [SpamCop-List] Re: Null links reported to IBs References: Message-ID: <40C891F7.1006@xyzzy.claranet.de> Anti-Spam wrote: > would a confidential reporting address be better Maybe report "IBs" (innocent bystanders) by mail to deputies@ The "too many links" bug is known. At the moment SC uses a downgraded version of the parser, because there was a problem with the improved parser, that should be fixed soon. We need a betacop ;-) Bye, Frank From A_No.Spam_Haumer at T-Online.at Thu Jun 10 20:02:17 2004 From: A_No.Spam_Haumer at T-Online.at (Anton Haumer) Date: Thu Jun 10 13:05:15 2004 Subject: [SpamCop-List] Re: contact spamcop References: <40C8382B.B2DAE3C7@T-Online.at> Message-ID: <40C89419.C2D62BDF@T-Online.at> Anti-Spam schrieb: > > "Anton Haumer" wrote in message news:40C8382B.B2DAE3C7@T-Online.at... > > In Austria spam/UCE is forbidden by law; > > therefore it is usefull to send a report also to: > > > > mailto:fb.wien@bmvit.gv.at > > Re: complaint about UCE according to Par. 107 TKG 2003 > > Possible Text: > > "I received the attached email. I did not allow the sender > > to send advertising email to me. Therefore I kindly ask to > > investigate that violation of Par. 107 TKG 2003." > > Attachment: full header > > > > I know that a very small amount of UCE is sent > > from Austria or even EU - countries (the spam I get originates > > mainly from Asia, US, South America and Eastern Europe), > > but spammers should be fought as hard as possible. > > > > Best regrads, > > Toni from Austria > > Not quite spamcop-related, and since Marjolein doesn't appear > to have responded (still travelling?), I'll point out the very > useful list of contact address for all sorts of agencies > (government, commercial or otherwise) interested in specific > types of spam: > > > If you can find the web page for the sponsor of the e-mail > address you mentioned above (Austrian government?) it > would be helpful in adding the e-mail address to the list. > > -- > .sig > Non-functional spambait addr: fors17@edgppbn.com > (generated by Webpoison) Yes this is telecommunication administration of the Austrian government. They are part of a bigger government department: www.bmvit.gv.at unfortunately most of ot in German language. My idea was if a spam originated from an *.at domain SC could send an email to the mentioned address in parallel to the complaint adressed to the domain itself. This administartive authority investigates and punishes spammer in Austria. Regards, Toni From MikeE at ster.invalid Thu Jun 10 11:13:28 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jun 10 13:15:03 2004 Subject: [SpamCop-List] Re: Null links reported to IBs References: <40C82362.DE9@xyzzy.claranet.de> <40C88B57.147@xyzzy.claranet.de> <40C88FA3.474C@xyzzy.claranet.de> Message-ID: Frank Ellermann wrote: >> umangled complete sapm > > 2 typos in 3 words, ouch. I was going to say something about dyslexia, and then I decided that there need to be different words for the different 'families' of dyslexia. The dictionary dyslexia is about difficulty reading the written, which results in writing problems - a learning disorder. But, in real life, the reading and the writing are more separate than that, some dyslexics only screwing up the written in various screwy ways but not having trouble with the reading. So, I went to check that out. Turns out there are all kinds of different dyslexias, so I'm going back to the simple typo concept instead of making some cute remarks. s/umangled/unmangled/ s/sapm/spam/ unmangled complete spam I should probably use my chell specker more often. -- Mike Easter kibitzer, not SC admin From tdy at blackhole.aosake.net Thu Jun 10 11:20:57 2004 From: tdy at blackhole.aosake.net (N. Miller) Date: Thu Jun 10 13:25:04 2004 Subject: [SpamCop-List] Re: I've just been mailbombed - I must be getting up someone's nose References: Message-ID: In article , Steve Cashman says... > May be there are still some Nazi bastards still around. > I have reported them through abuse@xtra.co.nz I think that they will always be around; at least as long as there is true freedom of speech. If you would be rid of them, you need to set up a police state to criminalize their ideology. -- Norman ~Win dain a lotica, En vai tu ri, Si lo ta ~Fin dein a loluca, En dragu a sei lain ~Vi fa-ru les shutai am, En riga-lint From MikeE at ster.invalid Thu Jun 10 11:32:02 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jun 10 13:35:03 2004 Subject: [SpamCop-List] Re: Null links reported to IBs References: <40C82362.DE9@xyzzy.claranet.de> <40C88B57.147@xyzzy.claranet.de> <40C88FA3.474C@xyzzy.claranet.de> Message-ID: Frank Ellermann wrote: > Now the last potential problem is what OE does, > and can my old Netscape 3.x read it. My item in this subject in .spam was created by me pasting the original spam obtained from OE's message source, raw smtp source, into NotePad to munge the To: even tho' it wasn't mine, and then saving that item as an .eml. Then attaching that as a file attachment to the news message. It makes a multipart alternative. -- Mike Easter kibitzer, not SC admin From nobody at xyzzy.claranet.de Thu Jun 10 20:32:49 2004 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Thu Jun 10 13:40:03 2004 Subject: [SpamCop-List] Re: Null links reported to IBs References: <40C82362.DE9@xyzzy.claranet.de> <40C88B57.147@xyzzy.claranet.de> Message-ID: <40C89B41.66CE@xyzzy.claranet.de> Mike Easter wrote: > Very often people want to munge headers and/or body of an > item they are posting into .spam, which means that they need > to 'handle' it rather than simply saving it as an .eml or > .txt straight from their Inbox. With my browser that's simple: I never use "send immediately", therefore all stuff is collected in a file "Outbound" until I use Ctrl-H (= send now). The outbound file is a normal plain text mbox, and I can edit it (the last article or mail is at the end). > They would need to copy the raw mail source and put it into > a little editor like NotePad or somesuch and then search and > delete or whatever they needed to do, and then save the item > as .eml or .txt. In theory OE should also have something like an "outboud" file, because you can write mails while you're offline. If it's a subdirectory with separate EML files waiting to be sent => no problem. > I think you are talking to 'yourself' about how your > news/mail reader works Yes, something like that. I didn't know that I can forward spam to newsgroups almost exactly like forwarding spam to SC. All I have to do is to select "Newsgroups" instead of "To". > your current idea would work differently than the first > attachment example. In fact it doesn't work at all, my newsreader tries to post this stuff on my _default_ news server, and that's not SC. Fortunately my default news server rejects unknown groups ;-) No problem, the long way with (pseudo-) "attachment" and URL works. In theory I could also edit the news server manually in my outbound, but as long as I don't want to munge Web bugs or similar problems (e.g. "active" worms) that's unnecessary. BTW, that's a CAVEAT, posting unmodified dangerous spam as an "attached" mail would be a very stupid idea. Bye, Frank From gospamming at yourdomain.invalid Thu Jun 10 18:43:38 2004 From: gospamming at yourdomain.invalid (D.Diaz) Date: Thu Jun 10 13:45:02 2004 Subject: [SpamCop-List] Re: Null links reported to IBs References: <40C82362.DE9@xyzzy.claranet.de> <40C88B57.147@xyzzy.claranet.de> <40C88FA3.474C@xyzzy.claranet.de> Message-ID: "Mike Easter" wrote in news:caa5vo$o5n$1@news.spamcop.net: > My item in this subject in .spam was created by me pasting the > original spam obtained from OE's message source, raw smtp source, into > NotePad to munge the To: even tho' it wasn't mine, and then saving > that item as an .eml. Then attaching that as a file attachment to the > news message. > > It makes a multipart alternative. > My Xnews also renders it nicely without mangling it. But the resulting post is uglier than Frank's, because the spam attachment appears below the sig, and Xnews prettifies the signature zone by rendering it with a smaller font. Oh, and Xnews also decodes the first part (the "2nd test: now it's a real..." lines) and slaps it on my face popping out a notepad window... ugh. Outlook Express' MIME ways sucks. :-/ -- Daniel Diaz My personal email: ddiazxn @ telefonica . net From nobody at xyzzy.claranet.de Thu Jun 10 20:48:58 2004 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Thu Jun 10 13:50:03 2004 Subject: [SpamCop-List] Re: Null links reported to IBs References: <40C82362.DE9@xyzzy.claranet.de> <40C88B57.147@xyzzy.claranet.de> <40C88FA3.474C@xyzzy.claranet.de> Message-ID: <40C89F0A.5486@xyzzy.claranet.de> Mike Easter wrote: > I'm going back to the simple typo concept instead of making > some cute remarks. Actually there were four problems, the N on my keyboard, the "dyslexical" s/sapm/spam/, then I didn't check the text before posting it, and last but not least I don't have a spellchecker. At least it wasn't another exercise in my "DEnglish" ;-) Bye. From MikeE at ster.invalid Thu Jun 10 11:49:58 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jun 10 13:55:03 2004 Subject: [SpamCop-List] Re: Null links reported to IBs References: <40C82362.DE9@xyzzy.claranet.de> <40C88B57.147@xyzzy.claranet.de> <40C88FA3.474C@xyzzy.claranet.de> Message-ID: D.Diaz wrote: > "Mike Easter" >> My item in this subject in .spam > attachment appears below the sig, and Xnews prettifies the signature > zone by rendering it with a smaller font. The next one from me has no body and no sig. -- Mike Easter kibitzer, not SC admin From gospamming at yourdomain.invalid Thu Jun 10 19:00:46 2004 From: gospamming at yourdomain.invalid (D.Diaz) Date: Thu Jun 10 14:05:04 2004 Subject: [SpamCop-List] Re: Null links reported to IBs References: <40C82362.DE9@xyzzy.claranet.de> <40C88B57.147@xyzzy.claranet.de> <40C88FA3.474C@xyzzy.claranet.de> Message-ID: "Mike Easter" wrote in news:caa71c$p9l$1 @news.spamcop.net: > The next one from me has no body and no sig. > Well, obviously having no sig, the spam renders OK with the normal font. But still suffering the slapping with the notepad popup... It's caused by the attachment being named untitled-2.txt: Xnews is configured by default to automatically decode the attachment and launch the application for viewing it when it is of the types .txt or .gif Fortunately, I can change the configuration to not do that :) -- Daniel Diaz My personal email: ddiazxn @ telefonica . net From nobody at xyzzy.claranet.de Thu Jun 10 21:02:49 2004 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Thu Jun 10 14:05:17 2004 Subject: [SpamCop-List] Re: Null links reported to IBs References: <40C81D54.3A2F@xyzzy.claranet.de> <40C884B5.6044@xyzzy.claranet.de> Message-ID: <40C8A249.4803@xyzzy.claranet.de> Mike Easter wrote: > Okay, here's how OE does it, attaching the .eml file. Netscape 3.x doesn't display it immediately, and if I reply I get... > --------------------------------------------------------------- > > Name: If you suffer from depression, try Valium or > Part 1.2 Xanax here.eml > Type: message/rfc822 > Encoding: 7bit ...so it would be difficult to quote parts of the spam. I can "open" the EML (that's a real attachment) => display in browser window, and there I can "view document source" (= your article incl. attachment with full headers). Weird, that's a bug of my browser, the "document source" should be _only_ the spam, not your complete message. Anyway, I can handle it somehow. If you edit this article manually (e.g. to munge addresses), then it would be nice if you remove the "Content-Disposition" header (2 lines). Without this header I'd get the same effect as with my examples. Bye, Frank From nobody at xyzzy.claranet.de Thu Jun 10 21:10:44 2004 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Thu Jun 10 14:15:04 2004 Subject: [SpamCop-List] Re: Null links reported to IBs References: <40C81D54.3A2F@xyzzy.claranet.de> <40C884B5.6044@xyzzy.claranet.de> Message-ID: <40C8A424.559E@xyzzy.claranet.de> Mike Easter wrote: That was the 2nd example, and you wrote nothing (empty 1st part, text/plain), otherwise like your 1st example. I have to "stop" loading of the document, because the Web server for some pictures is apparently down. Without "stop" the "view document source" doesn't work, no real problem. Bye. From MikeE at ster.invalid Thu Jun 10 12:12:36 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jun 10 14:15:19 2004 Subject: [SpamCop-List] Re: Null links reported to IBs References: <40C81D54.3A2F@xyzzy.claranet.de> <40C884B5.6044@xyzzy.claranet.de> <40C8A249.4803@xyzzy.claranet.de> Message-ID: Frank Ellermann wrote: > If you edit this article manually (e.g. to munge addresses), > then it would be nice if you remove the "Content-Disposition" > header (2 lines). Without this header I'd get the same effect > as with my examples. That isn't part of the spam article. The entire 'attachment' introduction section: X ------=_NextPart_000_010F_01C44ED8.7F243BC0 Content-Type: message/rfc822; name="If you suffer from depression, try Valium or Xanax here.eml" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="If you suffer from depression, try Valium or Xanax here.eml" is 'produced by OE when I perform "insert file attachment" -- Mike Easter kibitzer, not SC admin From wb8tyw at qsl.network Thu Jun 10 14:18:55 2004 From: wb8tyw at qsl.network (John E. Malmberg) Date: Thu Jun 10 14:20:03 2004 Subject: [SpamCop-List] Re: FriedSpam References: Message-ID: In article , writes: > > This also suggests the anonymous proxies would be used by > FriedSpam.net. - not by the antispammer using FriedSpam.net. If so, > then the only remaining issue would be the fear of the code I'd be > downloading from FriedSpam.net and how much bandwidth **I'd** be using > when I initiated a FriedSpam attack on a spammer website. I'd want a > cast iron guarantee that the code downloaded to my own machine was > benign! > > I need to know more ... but probably won't understand it without being > spoon fed :-( Any use of open proxies should be a big warning sign that something is seriously amiss. Any DDOS against a spammer's web site would be a violation of the TOS for any of the internet participants. Also since the spammers are now using zombies as web hosts, the attack is likely to knock down a residential broadband network segment, which could leave hundreds if not thousand of users with out internet connectivity, and the spammer would just rotate the DNS to point at a zombie on a different network. With the way one of the spammers selling pirate software is apparently working, a DDOS on what appears to be their web site and DNS server would just cause the upstream DNS to route the data to a different server. Essentially the spammer is DDOS proof, and they only ISP account they need is for their root DNS server, not the DNS server that is actually authorative for the spamvertised domain. The DNS server that is actually authorative for the spamvertised domain appears to also be running on zombied machines. And while the ISP may be slow to act on getting the zombies out of their network, they will likely go after the site that coordinated a DDOS on their network or assisted in it. The weak point of the spammers seem to be the dns registration for their root domain servers. Get the DNS registration revoked for having invalid registration and all their domains go inaccessable for a while. Far more productive and legal. The folks on news.admin.net-abuse.email can help verify addresses on the registries. Other posters here and there know a bit more about getting the domains killed. Part of the procedure is to get the e-mail addresses of the domains disabled for TOS violations, and as soon as they are verified as gone, follow the procedure to get the domain tossed. For those that are good with scripts, My guess is that some or most of this procedure can be automated. It seems to take the spammers about 72 hours to notice that one of their zombied DNS servers has been taken down, and then about another 72 hours to replace it. So just think of the effect if someone could make the task of getting a spammer's domain server disabled almost as easy as filing a spamcop.net report. -John wb8tyw@qsl.network Personal Opinion Only From gospamming at yourdomain.invalid Thu Jun 10 19:22:48 2004 From: gospamming at yourdomain.invalid (D.Diaz) Date: Thu Jun 10 14:25:02 2004 Subject: [SpamCop-List] Re: Null links reported to IBs References: <40C82362.DE9@xyzzy.claranet.de> <40C88B57.147@xyzzy.claranet.de> <40C88FA3.474C@xyzzy.claranet.de> Message-ID: "Mike Easter" wrote in news:caa71c$p9l$1 @news.spamcop.net: > The next one from me has no body and no sig. > Now it is my turn to test... I've posted the same spam attached as a .txt file with Xnews. It does offer several ways to attach; I chose the first one offered... it's the first time for me. -- Daniel Diaz My personal email: ddiazxn @ telefonica . net From gospamming at yourdomain.invalid Thu Jun 10 19:25:30 2004 From: gospamming at yourdomain.invalid (D.Diaz) Date: Thu Jun 10 14:30:04 2004 Subject: [SpamCop-List] Re: Null links reported to IBs References: <40C82362.DE9@xyzzy.claranet.de> <40C88B57.147@xyzzy.claranet.de> <40C88FA3.474C@xyzzy.claranet.de> Message-ID: "D.Diaz" wrote in news:Xns9504CF50BACA9xnddmxn@216.154.195.61: > Now it is my turn to test... I've posted the same spam attached as a > .txt file with Xnews. It does offer several ways to attach; I chose > the first one offered... it's the first time for me. > Oohhh... Interesting. My own post renders the attachment inline and below my sig, but Xnews does not render it with small font as the sig; it renders instead with a fixed width font. Neat. -- Daniel Diaz My personal email: ddiazxn @ telefonica . net From nobody at spamcop.net Thu Jun 10 19:29:20 2004 From: nobody at spamcop.net (nobody@spamcop.net) Date: Thu Jun 10 14:30:18 2004 Subject: [SpamCop-List] Daily spam for medicalorders.biz Message-ID: I'm getting daily spam about a Web site selling prescription medications - medicalorders.biz. This week, the spamvertised site redirects from: http://medicalorders.biz/txr/am.htm to http://tropicrx.com/_buy_ambien.html Some of this week's spam source IPs are 200.164.30.102 and 200.165.183.163. I've been reporting this same site and spammy ISP for months and nothing gets done. The site's still up, the spam is still being sent, and so the spammers are obviously making money! What can I do to stop this daily spam and get those sites shut down? From nobody at xyzzy.claranet.de Thu Jun 10 21:33:30 2004 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Thu Jun 10 14:35:03 2004 Subject: [SpamCop-List] Re: Null links reported to IBs References: <40C81D54.3A2F@xyzzy.claranet.de> <40C884B5.6044@xyzzy.claranet.de> <40C8A249.4803@xyzzy.claranet.de> Message-ID: <40C8A97A.5674@xyzzy.claranet.de> Mike Easter wrote: > That isn't part of the spam article. Yes, it's the MIME header introducing the part with the spam... > produced by OE when I perform "insert file attachment" But if you want to munge it manually _after_ this insertion, then you might be able to delete the Content-Disposition (?) If that's possible, i.e. if OE has a raw "outbound". Other- wise you're forced to munge the spam before inserting it :-( That's one of the O* bugs, they don't know real "forwarding" and always use "attachments". The only difference is the "Content-Disposition: attachment;name=whatever.eml" header, but for my browser that's unfortunately a huge difference. Daniel's Xerxes is smarter, it ignores a Content-Disposition for type message/rfc822. Bye, Frank From MikeE at ster.invalid Thu Jun 10 12:40:12 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jun 10 14:45:04 2004 Subject: [SpamCop-List] Re: Null links reported to IBs References: <40C82362.DE9@xyzzy.claranet.de> <40C88B57.147@xyzzy.claranet.de> <40C88FA3.474C@xyzzy.claranet.de> Message-ID: D.Diaz wrote: > Now it is my turn to test... I've posted the same spam attached as a > .txt file with Xnews. It does offer several ways to attach; I chose > the first one offered... it's the first time for me. OE sez: your news message body + sig + the spamfettle headers & body all in the body /and/ an attachment, spam.txt. The spamfettle headers in the body are mangled by having lost leading whitespace, I don't know about the linewrap situation, but the headers wouldn't work for the parser as is in the body. The spam.txt attachment, which is actually in b64 from viewing the raw source, will render/decode by OE if I doubleclick on it, and it has all of its leading whitespace intact. That's a little bit of a problem, because that is tantamount to me opening an unknown spam if I have to decode the b64 that way. I wonder why your attachment is b64 encoded? My OE has Sending options for plaintext separate for newsgroups and for mail. One of those options is to encode or to not encode. I'm wondering if that type of setting is where your XNews came up with that b64. It would be better if it weren't encoded in the raw. -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Thu Jun 10 15:41:48 2004 From: nobody at spamcop.net (indigo) Date: Thu Jun 10 14:45:20 2004 Subject: [SpamCop-List] Christ, not again......(new IE6.0 exploit) Message-ID: Just got this emergency email at work...... Because of an unpatched exploit in Internet Explorer we are requesting that all HST Net users refrain from using Internet Explorer to browse external web sites until further notice. Please use an alternate web browser, such as Netscape, when browsing any web site outside of the nasa.gov domain. We understand that it is not always possible to use a web browser other than Internet Explorer but, due to the nature of this exploit and specific guidance from the Code 297 Enterprise IT Security Branch and the GSFC IT Security Manager, any computer using Internet Explorer that is hit must have its hard drive(s) completely wiped clean and restored from scratch. This process takes the better part of a day, during which the computer and all local files are unavailable. The exploits are automatically detected by intrusion detection systems, but currently we are not able to block them. That last sentence doesn't make sense to me, someone care to explain? http://tinyurl.com/3ewse Pop-up toolbar spreads via IE flaws Last modified: June 9, 2004, 4:55 PM PDT By Robert Lemos Staff Writer, CNET News.com update: An adware purveyor has apparently used two previously unknown security flaws in Microsoft's Internet Explorer browser to install a toolbar on victims' computers that triggers pop-up ads, researchers said this week. One flaw lets an attacker run a program on a victim's machine, while the other enables malicious code to "cross zones," or run with privileges higher than normal. Together, the two issues allow for the creation of a Web site that, when visited by victims, can upload and install programs to the victim's computer, according to two analyses of the security holes. The possibility that a group or company has apparently used the vulnerabilities as a way to sneak unwanted advertising software, or adware, onto a user's computer could be grounds for criminal charges, said Stephen Toulouse, security program manager for Microsoft. On Tuesday, security information group Secunia released an advisory about the problem, rating the two flaws "extremely critical." "Secunia has confirmed the vulnerabilities in a fully patched system with Internet Explorer 6.0," the group wrote. "It has been reported that the preliminary SP2 (a major security update being developed by Microsoft) prevents exploitation by denying access." The flaws are apparently being used to install the I-Lookup search bar, an adware toolbar that is added to IE's other toolbars. The adware changes the Internet Explorer home page, connects to one of six advertising sites and frequently displays pop-ups--mainly pornographic ads, according to an adware advisory on antivirus company Symantec's Web site. The Internet address from which the adware Trojan horse was downloaded resolves to I-Lookup.com, a search engine registered in Costa Rica that antivirus firms Symantec and PestPatrol have linked to aggressive advertising software. Two of the top three searches on the site relate to removing such programs, according to I-Lookup.com's own statistics. From none at invalid.domain Thu Jun 10 12:47:55 2004 From: none at invalid.domain (HillsCap) Date: Thu Jun 10 14:50:10 2004 Subject: [SpamCop-List] Re: Christ, not again......(new IE6.0 exploit) References: Message-ID: "indigo" wrote in message news:caaa3t$sgg$1@news.spamcop.net... > The Internet address from which the adware Trojan horse was downloaded > resolves to I-Lookup.com, a search engine registered in Costa Rica that > antivirus firms Symantec and PestPatrol have linked to aggressive > advertising software. Two of the top three searches on the site relate to > removing such programs, according to I-Lookup.com's own statistics. Easy enough to fix that... just add I-Lookup.com to your HOSTS file, redirected to 127.0.0.1 I've already got that in my HOSTS file, along with all the other I-Lookup 'affiliate' sites... I've got over 50,000 sites (known adware/spyware/malicious sites) in my HOSTS file. If you want, I can forward you my HOSTS file, just let me know... From nobody at xyzzy.claranet.de Thu Jun 10 21:49:19 2004 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Thu Jun 10 14:55:02 2004 Subject: [SpamCop-List] Re: Null links reported to IBs References: <40C82362.DE9@xyzzy.claranet.de> <40C88B57.147@xyzzy.claranet.de> <40C88FA3.474C@xyzzy.claranet.de> Message-ID: <40C8AD2F.495C@xyzzy.claranet.de> D.Diaz wrote: > My own post renders the attachment inline and below > my sig, but Xnews does not render it with small font > as the sig; It's nice to look at, but in raw form (document source) it's base64 encoded plain text. Spamcop can handle base64 encoded parts of the body, but it can't handle a base64 encoded complete mail (header + body encoded). For a discussion where SpamCop's parser is irrelevant that could be okay, and we probably agree that the trackback links are much better for problems with the parser. I'm not sure, but maybe I could produce a similar effect: In my experiments I used the "attach URL" trick with option "as-is". But there's also an option "convert to plain text", and probably that would result in something like your example. Bye, Frank From none at invalid.domain Thu Jun 10 12:50:01 2004 From: none at invalid.domain (HillsCap) Date: Thu Jun 10 14:55:18 2004 Subject: [SpamCop-List] Re: Daily spam for medicalorders.biz References: Message-ID: wrote: > What can I do to stop this daily spam and get those sites shut down? http://www.FriedSpam.net From none at invalid.domain Thu Jun 10 12:57:58 2004 From: none at invalid.domain (HillsCap) Date: Thu Jun 10 15:00:02 2004 Subject: [SpamCop-List] Re: I've just been mailbombed - I must be getting up someone's nose References: Message-ID: "Rick Carlton" wrote: > I see it when I go to http://www.spamcop.net/ > > Mine's something like: > > Welcome, Rick Carlton. > Your average reporting time is: 8 hours; Pretty good! > > Here's the about link : http://www.spamcop.net/fom-serve/cache/371.html Do free SpamCop reporters have the ability to view those statistics? I strive to report spam within the same minute that I receive it (I've got it semi-automated, so it only requires one click)... I'd be interested to see what my reporting time is. From nobody at spamcop.net Thu Jun 10 15:59:42 2004 From: nobody at spamcop.net (indigo) Date: Thu Jun 10 15:05:14 2004 Subject: [SpamCop-List] Re: Christ, not again......(new IE6.0 exploit) References: Message-ID: HillsCap wrote: > > Easy enough to fix that... just add I-Lookup.com to your HOSTS file, > redirected to 127.0.0.1 > > I've already got that in my HOSTS file, along with all the other > I-Lookup 'affiliate' sites... I've got over 50,000 sites (known > adware/spyware/malicious sites) in my HOSTS file. > > If you want, I can forward you my HOSTS file, just let me know... Did you read my question about that last sentence of the first paragraph of that email I got? If it were that simple (hosts file) they could just block access at the server(s), right? From user\" at domain.invalid.com>" Thu Jun 10 22:05:51 2004 From: user\" at domain.invalid.com>" ( Rolf) Date: Thu Jun 10 15:10:03 2004 Subject: [SpamCop-List] Re: I've just been mailbombed - I must be getting up someone's nose In-Reply-To: References: Message-ID: N. Miller wrote: > In article , Steve Cashman says... > >>May be there are still some Nazi bastards still around. >>I have reported them through abuse@xtra.co.nz > > I think that they will always be around; at least as long as there is true > freedom of speech. If you would be rid of them, you need to set up a police > state to criminalize their ideology. It's not exactly Nazi, but definitely quite right wing and anti foreigners. It's just taking a few numbers from a report from a single city in Germany and then juggling with them a bit and presenting them in a way which must make the reader believe that the foreign people have a more than average share in the local criminality rate, and the conclusion is that all foreigners (even the ones never been criminal) should be made to leave so that police only has to deal with native criminals! Not having seen the original report I can't say which numbers they are not showing to boost their claim, or if they even manipulated the numbers, but I'm quite sure that these numbers are not showing the entire picture. It's tone while trying to be not to hateful definitely doesn't sound good. Rolf Kalbermatter From MikeE at ster.invalid Thu Jun 10 13:05:17 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jun 10 15:10:16 2004 Subject: [SpamCop-List] Re: Daily spam for medicalorders.biz References: Message-ID: nobody@spamcop.net wrote: > I'm getting daily spam about a Web site selling prescription > medications - medicalorders.biz. This week, the spamvertised site > redirects from: > > http://medicalorders.biz/txr/am.htm > to > http://tropicrx.com/_buy_ambien.html > > Some of this week's spam source IPs are 200.164.30.102 and > 200.165.183.163. I've been reporting this same site and spammy ISP > for months and nothing gets done. The site's still up, the spam is > still being sent, and so the spammers are obviously making money! > What can I do to stop this daily spam and get those sites shut down? Well, this won't necessarily get the sites shut down or stop the spam, but you can 'upgrade' your reporting from the 'default' spamcop notifies to your own 'handmade' notifies. I haven't checked to see how SC would notify, but here's how I would do it: medicalorders.biz DNS 200.153.18.10 whois -h whois.registro.br 200.153.18.10 inetnum: 200.153.18.8/29 aut-num: AS10429 abuse-c: EUA11 abuse@TELEFONICAEMPRESAS.NET.BR owner/tech-c: RVT11 abuse@RAFAELVITOR.ETI.BR whois -h whois.abuse.net telefonicaempresas.net.br ... security@telefonicaempresas.net.br abuse@telefonicaempresas.net.br (telefonicaempresas.net.br) whois -h whois.abuse.net rafaelvitor.eti.br ... mail-abuse@nic.br antispambr@abuse.net postmaster@rafaelvitor.eti.br (br) tropicrx.com DNS 63.223.66.174 whois -h whois.arin.net 63.223.66.174 OrgName: CAIS Internet NetRange: 63.216.0.0 - 63.223.255.255 CIDR: 63.216.0.0/13 whois -h whois.abuse.net cais.net ... abuse@cais.com abuse@pccwbtn.com (for cais.net) The first IP isn't listed in spews or spamhaus, but the 2nd is in spews. It is AS3491, so you might consider upstreams. Robban tool is unavailable. Potaroo sez upstreams are Upstream Adjacent AS list AS1239 SPRN Sprint = abuse@sprint.net AS4637 REACH Reach Network Border AS = see below AS701 UU UUNET Technologies, Inc. = abuse-mail@mci.com whois -h whois.abuse.net reach.com ... carmen.m.chow@reach.com abuse@reach.com abuse@pccw.com postmaster@reach.com abuse@telstra.net eckung@PCG-GROUP.COM When you notify an upstream manually, there should be a note in there about why you are notifying them, ie the 'target' cais is unresponsive and spews listed. -- Mike Easter kibitzer, not SC admin From none at invalid.domain Thu Jun 10 13:20:23 2004 From: none at invalid.domain (HillsCap) Date: Thu Jun 10 15:25:03 2004 Subject: [SpamCop-List] Re: Christ, not again......(new IE6.0 exploit) References: Message-ID: "indigo" wrote in message news:caab5e$u3e$1@news.spamcop.net... > Did you read my question about that last sentence of the first paragraph of > that email I got? If it were that simple (hosts file) they could just block > access at the server(s), right? They may not be able to block access at the server yet for several reasons (policies preventing website blocking, not got around to it yet, don't have the knowledge to do it, haven't collected enough information to be able to block I-Lookup and all their affiliate sites, they may be looking at implementing a solution that is more elegant than just blocking URLs so even if I-Lookup moves they'll still be blocked, etc.). But, blocking each machine from accessing I-Lookup and its affiliate sites via the HOSTS file will work... people trying to access that site will get a blank page. From user\" at domain.invalid.com>" Thu Jun 10 22:26:42 2004 From: user\" at domain.invalid.com>" ( Rolf) Date: Thu Jun 10 15:30:04 2004 Subject: [SpamCop-List] Re: I've just been mailbombed - I must be getting up someone's nose In-Reply-To: References: Message-ID: HillsCap wrote: > "Rick Carlton" wrote: > >>I see it when I go to http://www.spamcop.net/ >> >>Mine's something like: >> >>Welcome, Rick Carlton. >>Your average reporting time is: 8 hours; Pretty good! >> >>Here's the about link : http://www.spamcop.net/fom-serve/cache/371.html > > > Do free SpamCop reporters have the ability to view those statistics? I > strive to report spam within the same minute that I receive it (I've got it > semi-automated, so it only requires one click)... I'd be interested to see > what my reporting time is. If you go to the web page link you received when signing up (the form you can past your spam source in) you should see a message quite at the top of the page similar as that from Rick. Rolf Kalbermatter From nobody at devnull.spamcop.net Thu Jun 10 15:26:46 2004 From: nobody at devnull.spamcop.net (WazoO) Date: Thu Jun 10 15:30:20 2004 Subject: [SpamCop-List] Re: I've just been mailbombed - I must be getting up someone's nose References: Message-ID: "HillsCap" wrote in message news:caab2t$ttp$1@news.spamcop.net... > "Rick Carlton" wrote: > > I see it when I go to http://www.spamcop.net/ > > > > Mine's something like: > > > > Welcome, Rick Carlton. > > Your average reporting time is: 8 hours; Pretty good! > > Do free SpamCop reporters have the ability to view those statistics? I > strive to report spam within the same minute that I receive it (I've got it > semi-automated, so it only requires one click)... I'd be interested to see > what my reporting time is. Yes, but you have to go to the web page .. way back when, you got the links in an e-mail when you registered .. looks like; http://www.spamcop.net/?code=SomeMixEdcaseTextNumbers From MikeE at ster.invalid Thu Jun 10 13:29:15 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jun 10 15:30:29 2004 Subject: [SpamCop-List] Re: Null links reported to IBs References: <40C82362.DE9@xyzzy.claranet.de> <40C88B57.147@xyzzy.claranet.de> <40C88FA3.474C@xyzzy.claranet.de> Message-ID: D.Diaz wrote: > Oohhh... Interesting. My own post renders the attachment inline and > below my sig, but Xnews does not render it with small font as the > sig; it renders instead with a fixed width font. Neat. Shall I conclude the following? Regardless of mua or newsagent, the .spam poster acquires the raw headers contiguous with body and does any necessary munge/editing. Then, depending upon their agent [roll your own here] in OE they would save that item as a .txt file and then attach that .txt file to their .spam ng msg. The advantage of saving as .txt with OE even tho' saving as .eml would be the same thing is to enable others who handle .eml differently than .txt to handle the attachment more gracefully. If the .spam reader with OE would want to render that item, the best way to do it would be to open the .txt item and then save it as an .eml item. Upon opening, Win would call OE and it should restore/render faithfully as if the .spam reader had opened the item in their own mail agent. If the spam reader with OE wanted to put it into the parser, it would go directly, without any linewrap removal. You XNews and old Netscape users make your own commentary. Anytime there are incompatibilties with handling the attachment, the reader should be able to go to the message properties and get the 'original' form - no wrapping and no adverse effects on whitespacing. There's still a little problem with Daniel's XNews attaching the item as b64, which would require and extra step or two of handling if the reader with OE didn't want to open someone's spam blindly. -- Mike Easter kibitzer, not SC admin From rmu93awSPAMB02 at sneakemail.com Thu Jun 10 15:32:46 2004 From: rmu93awSPAMB02 at sneakemail.com (Spambo) Date: Thu Jun 10 15:35:01 2004 Subject: [SpamCop-List] Snotty - On the Move Again Message-ID: It looks like Snotty has found hosting that is more bulletproof. 06/10/04 14:13:19 -0500 dns OptInBig.Com Mail for OptInBig.Com is handled by mail.OptInBig.Com Canonical name: OptInBig.Com Addresses: 38.116.137.84 06/10/04 14:13:28 -0500 IP block 38.116.137.84 Trying 38.116.137.84 at ARIN Trying 38.116.137 at ARIN Performance Systems International Inc. PSINETA (NET-38-0-0-0-1) 38.0.0.0 - 38.255.255.255 Performance Systems International Inc. COGENT-NB-0002 (NET-38-112-0-0-1) 38.112.0.0 - 38.119.255.255 -- Just a SpamCop newsgroup participant, not an admin or employee of SpamCop or related domains. From nobody at spamcop.net Thu Jun 10 16:34:46 2004 From: nobody at spamcop.net (indigo) Date: Thu Jun 10 15:40:02 2004 Subject: [SpamCop-List] Re: Christ, not again......(new IE6.0 exploit) References: Message-ID: HillsCap wrote: > "indigo" wrote in message > news:caab5e$u3e$1@news.spamcop.net... > > Did you read my question about that last sentence of the first > > paragraph of that email I got? If it were that simple (hosts file) > > they could just block access at the server(s), right? > > They may not be able to block access at the server yet for several > reasons (policies preventing website blocking, not got around to it > yet, don't have the knowledge to do it, haven't collected enough > information to be able to block I-Lookup and all their affiliate > sites, they may be looking at implementing a solution that is more > elegant than just blocking URLs so even if I-Lookup moves they'll > still be blocked, etc.). Well, this is a private internal LAN firewalled out the wazoo......I'd like to think they know what they're doing.....they got hacked into by some chinese punks about 3 years ago and locked down everything real hard after that. But, blocking each machine from accessing > I-Lookup and its affiliate sites via the HOSTS file will work... > people trying to access that site will get a blank page. Can you imagine the difficulty in getting to hundreds and hundreds of users boxes to 1) activate the use of the hosts file (by default it's not active), and 2) add the IP's or IP blocks? So you're probably right, maybe they're trying to come up with an elegant and permanent fix, but using the hosts file sure ain't it! From gospamming at yourdomain.invalid Thu Jun 10 20:47:09 2004 From: gospamming at yourdomain.invalid (D.Diaz) Date: Thu Jun 10 15:50:03 2004 Subject: [SpamCop-List] Re: Null links reported to IBs References: <40C82362.DE9@xyzzy.claranet.de> <40C88B57.147@xyzzy.claranet.de> <40C88FA3.474C@xyzzy.claranet.de> Message-ID: "Mike Easter" wrote in news:caa9vi$sek$1@news.spamcop.net: > OE sez: your news message body + sig + the spamfettle headers & body > all in the body /and/ an attachment, spam.txt. > > The spamfettle headers in the body are mangled by having lost leading > whitespace, I don't know about the linewrap situation, but the headers > wouldn't work for the parser as is in the body. > > The spam.txt attachment, which is actually in b64 from viewing the raw > source, will render/decode by OE if I doubleclick on it, and it has > all of its leading whitespace intact. > > That's a little bit of a problem, because that is tantamount to me > opening an unknown spam if I have to decode the b64 that way. I > wonder why your attachment is b64 encoded? > I also wondered... It seems to be hardcoded in the posting logic of Xnews. There is no option to choose how the attachment will be encoded. The only options available are: * Check "Use MIME", so the attachment goes b64 encoded as MIME attachment * Check "Use yEnc", so the attachment goes yEncoded * Do not check either, so the attachment goes uuencoded (those "begin 644 spam.txt" things are uuencoding, aren't they?) So Xnews always encodes the attachments, you are allowed only to choose the encoding method. > My OE has Sending options for plaintext separate for newsgroups and > for mail. One of those options is to encode or to not encode. I'm > wondering if that type of setting is where your XNews came up with > that b64. > > It would be better if it weren't encoded in the raw. > I agree. This way of sending attachments is not the most suited for spam handling. -- Daniel Diaz My Personal email: ddiazxn @ telefonica . net From MikeE at ster.invalid Thu Jun 10 14:04:09 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Jun 10 16:05:02 2004 Subject: [SpamCop-List] Re: Null links reported to IBs References: <40C82362.DE9@xyzzy.claranet.de> <40C88B57.147@xyzzy.claranet.de> <40C88FA3.474C@xyzzy.claranet.de> Message-ID: D.Diaz wrote: > "Mike Easter >> The spam.txt attachment, which is actually in b64 from viewing the >> raw source, will render/decode by OE if I doubleclick on it, and it >> has all of its leading whitespace intact. >> >> That's a little bit of a problem, because that is tantamount to me >> opening an unknown spam if I have to decode the b64 that way. I >> wonder why your attachment is b64 encoded? > * Do not check either, so the attachment goes uuencoded (those "begin > 644 spam.txt" things are uuencoding, aren't they?) Let's see what happens if you don't check either. > I agree. This way of sending attachments is not the most suited for > spam handling. You mean so far we haven't found the best way to do it for XNews as the poster. Everything about it is better from the view of keeping linewraps and loss of leading whitespace out; even if a person had to decode the XNews b64 attachment as a separate operation. -- Mike Easter kibitzer, not SC admin From gospamming at yourdomain.invalid Thu Jun 10 21:14:35 2004 From: gospamming at yourdomain.invalid (D.Diaz) Date: Thu Jun 10 16:15:04 2004 Subject: [SpamCop-List] Re: Null links reported to IBs References: <40C82362.DE9@xyzzy.claranet.de> <40C88B57.147@xyzzy.claranet.de> <40C88FA3.474C@xyzzy.claranet.de> Message-ID: "Mike Easter" wrote in news:caaesu$295 $1@news.spamcop.net: > D.Diaz wrote: > >> * Do not check either, so the attachment goes uuencoded (those "begin >> 644 spam.txt" things are uuencoding, aren't they?) > > Let's see what happens if you don't check either. > You can see it at spamcop.test, "Test attachment - 1 attachment" I posted also some other tests with different configurations. >> I agree. This way of sending attachments is not the most suited for >> spam handling. > > You mean so far we haven't found the best way to do it for XNews as the > poster. Everything about it is better from the view of keeping > linewraps and loss of leading whitespace out; even if a person had to > decode the XNews b64 attachment as a separate operation. > Of course ;-) -- Daniel Diaz My Personal email: ddiazxn @ telefonica . net From nobody at devnull.spamcop.net Fri Jun 11 09:34:48 2004 From: nobody at devnull.spamcop.net (brewman) Date: Thu Jun 10 16:35:03 2004 Subject: [SpamCop-List] Re: How do I send emails to xenophobic paranoid Attorney General offices? References: <40C82E28.216B@xyzzy.claranet.de> Message-ID: "Frank Ellermann" wrote in message news:40C82E28.216B@xyzzy.claranet.de... > brewman wrote: > > > 501 'Blocked by Filter 0' > > I even tried postmaster@ and got same result. > > Strange, I can say HELO and MAIL FROM and RCPT TO postmaster > at this domain with my silly DynDNS host and a dialup IP. > > Is this a content filter (after DATA) ? Of course I didn't > test to send real DATA (= message/rfc822 a.k.a. mail ;-) Bye. > I think that the 'first stage' filter is checking either domain name or sender's IP address. I guess it is a mail server add-on program. I managed to send from my Yahoo account (when I thought of it), but neither of 2 .nz ISPs. Hence my 'xenophobic' title - I presume (and not been disproven) that the AGO only accepts stuff from inside USA. There's two ways of looking at this - a "U.S. good - rest of world bad" cynicism (like my title), or a more considered "Well, the Arizona AG would really only be interested in stuff from fellow citizens, preferably Arizonians(?), and we get so much spam from overseas" -- Brewman Brewman.SpamCop@brycom.cX.nX which really ends with dot co dot nz From none at invalid.domain Thu Jun 10 14:32:02 2004 From: none at invalid.domain (HillsCap) Date: Thu Jun 10 16:35:22 2004 Subject: [SpamCop-List] Re: I've just been mailbombed - I must be getting up someone's nose References: Message-ID: "Rolf" wrote in message news:caackl$uha$2@news.spamcop.net... > If you go to the web page link you received when signing up (the form > you can past your spam source in) you should see a message quite at the > top of the page similar as that from Rick. Ah, I see... Welcome, Hills Capital Management. Your average reporting time is: 1 hours; Great! Gotta work on that, to try to get it down some... From aaronw at net.com Thu Jun 10 15:04:19 2004 From: aaronw at net.com (Aaron Williams) Date: Thu Jun 10 17:05:25 2004 Subject: [SpamCop-List] Cannot log in Message-ID: I'm suddenly having problems logging in because Spamcop is returning http://www.spamcop.net/mcgi as mime type "plain text document" instead of html. My browser opens it as plain text accordingly and I can no longer log in. From nobody at devnull.spamcop.net Fri Jun 11 10:10:09 2004 From: nobody at devnull.spamcop.net (brewman) Date: Thu Jun 10 17:10:02 2004 Subject: [SpamCop-List] Re: I've just been mailbombed - I must be getting up someone's nose References: Message-ID: "Steve Cashman" wrote > Yes I just got 40 of them as well. They are sent through a dial up in New > Zealand - 210.55.36.184 > > It is racist abuse against Eastern Europeans and Turks in Germany as a > preamble to the European Elections this week. Foreigners clogging the > hospitals and such Nazi crap. Any change of posting a SC reference to one of yours? I'd like to see it. Important received line generated by my ISP: ==>Received: from h-66-167-171-243.sttnwaho.covad.net (uwpswfsra.com) [66.167.171.243] by grunt16.XXX.XX.XXX with smtp (Exim 3.35 #1 (Debian)) id 1BYHkI-0001gh-00; Thu, 10 Jun 2004 17:04:59 +1200 Mine was sent from Miami, Florida(no, that's not from ARIN), and not through an open proxy. It also looks to be sent from an unmunged ISP-type name. There are no forged headers or anything 'strange' underneath like some spam has. I'm aware that spammers read these NGs, so I want to be guarded in what I say next. Let's just say that the email address it was sent to is 'not one usually used by spam I receive', nor unmunging the below one, nor one that would be guessed. It also has an interesting timestamp: ==>Date: Thu, 10 Jun 2004 03:30:17 GMT The time when I received it was 05:04:59 GMT - near enough 90 minutes later (yes, I know it could be forged). German time is 1 hour ahead of GMT, and is summer time anyway i.e. 07:04:59 in Germany. Curious. -- Brewman Brewman.SpamCop@brycom.cX.nX which really ends with dot co dot nz From aaronw at net.com Thu Jun 10 15:14:10 2004 From: aaronw at net.com (Aaron Williams) Date: Thu Jun 10 17:15:09 2004 Subject: [SpamCop-List] Re: Cannot log in References: Message-ID: Aaron Williams wrote: I hate replying to myself, but I've tried this with both Mozilla and Konqueror web browsers. I cannot log in from the main page anymore and I have a paid reporting account. > I'm suddenly having problems logging in because Spamcop is returning > http://www.spamcop.net/mcgi as mime type "plain text document" instead of > html. My browser opens it as plain text accordingly and I can no longer > log in. From ferdball at yahoo.com Thu Jun 10 15:12:14 2004 From: ferdball at yahoo.com (Ferdie) Date: Thu Jun 10 17:15:28 2004 Subject: [SpamCop-List] Re: Cannot log in References: Message-ID: Same here. "Aaron Williams" wrote in message news:caai83$50n$1@news.spamcop.net... > I'm suddenly having problems logging in because Spamcop is returning > http://www.spamcop.net/mcgi as mime type "plain text document" instead of > html. My browser opens it as plain text accordingly and I can no longer > log in. From rmu93awSPAMB02 at sneakemail.com Thu Jun 10 17:12:39 2004 From: rmu93awSPAMB02 at sneakemail.com (Spambo) Date: Thu Jun 10 17:15:37 2004 Subject: [SpamCop-List] Re: Cannot log in In-Reply-To: References: Message-ID: Aaron Williams wrote: > I'm suddenly having problems logging in because Spamcop is returning > http://www.spamcop.net/mcgi as mime type "plain text document" instead of > html. My browser opens it as plain text accordingly and I can no longer > log in. Problems here too, it seems to be a system-wide problem. Just wait a while and try again. -- Just a SpamCop newsgroup participant, not an admin or employee of SpamCop or related domains. From nobody at devnull.spamcop.net Fri Jun 11 10:18:31 2004 From: nobody at devnull.spamcop.net (brewman) Date: Thu Jun 10 17:15:46 2004 Subject: [SpamCop-List] Re: contact spamcop References: <40C8382B.B2DAE3C7@T-Online.at> Message-ID: "John Malmberg" wrote > Also many official spam reporting addresses that are country specific > can not keep up with the volume of reports that spamcop.net can send, > and it has been reported in at least one case that a government agency > specifically asked spamcop.net to not send reports. Well, let's not be defeated before we start. Okay, they well say, "Sorry you're overwhelming us", but don't not send reports because they might not want them (pardonnez-moi, ces négatifs triples français encore). If nothing else, they'll see the size of the problem. BTW Italy has quite draconian laws with regards to spamming. BTW BTW I was born in England, live in New Zealand, have an Irish passport, worked in Switzerland, ... yes, a real international mongrel. -- Brewman Brewman.SpamCop@brycom.cX.nX which really ends with dot co dot nz From nobody at devnull.spamcop.net Fri Jun 11 10:28:08 2004 From: nobody at devnull.spamcop.net (brewman) Date: Thu Jun 10 17:25:03 2004 Subject: [SpamCop-List] Re: Christ, not again......(new IE6.0 exploit) References: Message-ID: "indigo" wrote > An adware purveyor has apparently used two previously unknown > security flaws in Microsoft's Internet Explorer browser to install a toolbar > on victims' computers that triggers pop-up ads, researchers said this week. s/unknown/unreported by MS/ Also, when complaining to the boss of Microsoft, don't make the mistake of thinking that he's the same as Jesus. -- Brewman Brewman.SpamCop@brycom.cX.nX which really ends with dot co dot nz From kenbrody at spamcop.net Thu Jun 10 18:23:35 2004 From: kenbrody at spamcop.net (Kenneth Brody) Date: Thu Jun 10 17:30:03 2004 Subject: [SpamCop-List] Re: Christ, not again......(new IE6.0 exploit) References: Message-ID: <40C8D157.507B0077@spamcop.net> indigo wrote: > > HillsCap wrote: [...] > But, blocking each machine from accessing > > I-Lookup and its affiliate sites via the HOSTS file will work... > > people trying to access that site will get a blank page. > > Can you imagine the difficulty in getting to hundreds and hundreds of users > boxes to 1) activate the use of the hosts file (by default it's not active), > and 2) add the IP's or IP blocks? So you're probably right, maybe they're > trying to come up with an elegant and permanent fix, but using the hosts > file sure ain't it! Do all of the users have their own net connection, or do they go through a shared gateway/router? Do all of the users point their DNS source to an outside system, or are they obtained through an internal DNS server? If you have an internal DNS server, _it_ can be reconfigured, and all of the internal system that make requests from it will see the new info. -- +-------------------------+--------------------+-----------------------------+ | Kenneth J. Brody | www.hvcomputer.com | | | kenbrody at spamcop.net | www.fptech.com | #include | +-------------------------+--------------------+-----------------------------+ From michael.spamcop at michaellefevre.com Thu Jun 10 22:50:56 2004 From: michael.spamcop at michaellefevre.com (Michael Lefevre) Date: Thu Jun 10 17:55:04 2004 Subject: [SpamCop-List] Re: Christ, not again......(new IE6.0 exploit) References: <40C8D157.507B0077@spamcop.net> Message-ID: Kenneth Brody wrote: [snip] > Do all of the users have their own net connection, or do they go through > a shared gateway/router? Do all of the users point their DNS source to > an outside system, or are they obtained through an internal DNS server? > > If you have an internal DNS server, _it_ can be reconfigured, and all of > the internal system that make requests from it will see the new info. Well yes, but blocking some sites which are known to use the exploit doesn't make you safe. Someone else puts up a new page with the exploit and boom, they've got you. However, you can avoid these problems by disabling script. -- Michael From nobody at spamcop.net Thu Jun 10 18:07:47 2004 From: nobody at spamcop.net (Ellen) Date: Thu Jun 10 18:00:09 2004 Subject: [SpamCop-List] System problems Message-ID: We are having system problems. The problem is being worked on. I do not have an ETA for a fix. followups to spamcop; if someone will propagate this to the forums I would appreciate it. -- Ellen Once the zombies are in the house, it's a bit late to decorate. Michael J Wise 10/08/2003 From Kilgallen at SpamCop.net Thu Jun 10 18:11:17 2004 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Thu Jun 10 18:15:04 2004 Subject: [SpamCop-List] Re: Christ, not again......(new IE6.0 exploit) References: Message-ID: In article , "indigo" writes: > Just got this emergency email at work...... > > Because of an unpatched exploit in Internet Explorer we are requesting that > all HST Net users refrain from using Internet Explorer to browse external > web sites until further notice. Please use an alternate web browser, such > as Netscape, when browsing any web site outside of the nasa.gov domain. Why would anybody be surprised by this ? When it comes to violent crime, repeat offenders are often jailed for life. Why would anyone thing Microsoft would change their (sloppy) software development process ? From ob1db at spamcop.net Thu Jun 10 19:18:34 2004 From: ob1db at spamcop.net (David Butler) Date: Thu Jun 10 18:20:04 2004 Subject: [SpamCop-List] Re: Christ, not again......(new IE6.0 exploit) References: Message-ID: "HillsCap" wrote in message news:caaag8$t3q$1@news.spamcop.net... > "indigo" wrote in message > news:caaa3t$sgg$1@news.spamcop.net... > > The Internet address from which the adware Trojan horse was > downloaded > > resolves to I-Lookup.com, a search engine registered in Costa Rica > that > > antivirus firms Symantec and PestPatrol have linked to aggressive > > advertising software. Two of the top three searches on the site > relate to > > removing such programs, according to I-Lookup.com's own statistics. > > Easy enough to fix that... just add I-Lookup.com to your HOSTS file, > redirected to 127.0.0.1 > > I've already got that in my HOSTS file, along with all the other > I-Lookup 'affiliate' sites... I've got over 50,000 sites (known > adware/spyware/malicious sites) in my HOSTS file. > > If you want, I can forward you my HOSTS file, just let me know... > Explain, please, how does a "hosts" file work? From gospamming at yourdomain.invalid Thu Jun 10 23:37:40 2004 From: gospamming at yourdomain.invalid (D.Diaz) Date: Thu Jun 10 18:40:04 2004 Subject: [SpamCop-List] Re: Christ, not again......(new IE6.0 exploit) References: Message-ID: "David Butler" wrote in news:caamnu$abq $1@news.spamcop.net: > Explain, please, how does a "hosts" file work? > The HOSTS file contains IP address - name assignations which always override DNS lookups. If you put in your HOSTS file: 127.0.0.1 www.somewhere.net Then, every time you try to go to www.somewhere.net in your browser you will be immediately directed to your own computer. If you don't have a web server listening on your own computer port 80, you will experience some delay, then the typical "Not found" / "DNS error" error page would appear on your browser. -- Daniel Diaz My Personal email: ddiazxn @ telefonica . net From rmu93awSPAMB02 at sneakemail.com Thu Jun 10 18:48:07 2004 From: rmu93awSPAMB02 at sneakemail.com (Spambo) Date: Thu Jun 10 18:50:03 2004 Subject: [SpamCop-List] Re: Christ, not again......(new IE6.0 exploit) In-Reply-To: References: Message-ID: David Butler wrote: > [snip] > > Explain, please, how does a "hosts" file work? This is rather simplistic, but think of the hosts file as a local DNS server (a server that translates domain names into IP addresses). If a name is resolved in your hosts file then programs (like your browser) won't go to your ISP's DNS server to get the IP address, they'll use the IP address provided by your hosts file instead. -- Just a SpamCop newsgroup participant, not an admin or employee of SpamCop or related domains. From user\" at domain.invalid.com>" Fri Jun 11 02:07:19 2004 From: user\" at domain.invalid.com>" ( Rolf) Date: Thu Jun 10 19:10:03 2004 Subject: [SpamCop-List] Re: I've just been mailbombed - I must be getting up someone's nose In-Reply-To: References: Message-ID: HillsCap wrote: > Ah, I see... > > Welcome, Hills Capital Management. > Your average reporting time is: 1 hours; Great! > > Gotta work on that, to try to get it down some... You forgot the ;-) Rolf From not at home.today Fri Jun 11 01:09:32 2004 From: not at home.today (Ant) Date: Thu Jun 10 19:15:04 2004 Subject: [SpamCop-List] Re: Null links reported to IBs References: <40C891F7.1006@xyzzy.claranet.de> Message-ID: "Frank Ellermann" wrote... > Maybe report "IBs" (innocent bystanders) by mail to deputies@ Done. > The "too many links" bug is known. At the moment SC uses a > downgraded version of the parser, because there was a problem > with the improved parser, that should be fixed soon. We need > a betacop ;-) Here's another one: http://www.spamcop.net/sc?id=z515943576z38e821b045309702797c8685319ba808z The two active links to foetus4647rx.us were discarded, but all the rest are IBs. The parser has undergone a revision from 1.328 to 1.329 since my first report, yet the problem remains. From michael.spamcop at michaellefevre.com Fri Jun 11 00:10:51 2004 From: michael.spamcop at michaellefevre.com (Michael Lefevre) Date: Thu Jun 10 19:15:19 2004 Subject: [SpamCop-List] Re: Christ, not again......(new IE6.0 exploit) References: Message-ID: Larry Kilgallen wrote: > In article , "indigo" writes: >> Just got this emergency email at work...... >> >> Because of an unpatched exploit in Internet Explorer [snip] > Why would anyone thing Microsoft would change their (sloppy) software > development process ? Well, although these problem weren't known at the time, apparently the pre-release Windows XP service pack 2 prevents these flaws being exploited. That was also true of the last exploit that was discovered and patched. The service pack also enables the built-in firewall by default, which would prevent the various worms that spread by connecting to vulnerable services. In other words, they've developed XP SP2 to actually address a bunch of the underlying issues. They've also got new stuff in the compiler to avoid buffer overrun issues, and in conjunction with new processors, protection so that memory that's supposed to be storing data can't be executed. Admittedly it's taken them a decade or so to decide that security is an issue, and this is only the first step, and only applies to legit copies of Windows XP... but it is a move in the right direction. And this whole thread is off-topic, so I'm setting followups... -- Michael From nobody at xyzzy.claranet.de Fri Jun 11 02:13:32 2004 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Thu Jun 10 19:20:04 2004 Subject: [SpamCop-List] Re: I've just been mailbombed - I must be getting up someone's nose References: Message-ID: <40C8EB1C.1E1F@xyzzy.claranet.de> brewman wrote: > I'd like to see it. There's a big discussion in de.admin.net-abuse.mail, and so far it's clear that this stuff is sent from systems infected by Sober-G. > 'not one usually used by spam I receive' Sober-G tries to "guess" local parts (e.g. webmaster@). With a catch-all I always got 50. For unknown reasons I didn't get the racist stuff, but about 4000 (80 * 50) virulent Sober-G. Different dialup IPs, different ISPs (Arcor, AOL, T-Online). Nothing today, maybe my complaints had an effect. Bye, Frank From not at home.today Fri Jun 11 01:16:44 2004 From: